Fundamental Principles of Alarm Design
Us, Tolga; Jensen, Niels; Lind, Morten; Jørgensen, Sten Bay
Published in:
International Journal of Nuclear Safety and Simulation
Publication date:
2011
Citation (APA):
Us, T., Jensen, N., Lind, M., & Jørgensen, S. B. (2011). Fundamental Principles of Alarm Design. International
Journal of Nuclear Safety and Simulation, 2(1), 44-51.
44 Nuclear Safety and Simulation, Vol. 2, Number 1, March 2011
Fundamental principles of alarm design
US Tolga1, JENSEN Niels2, LIND Morten3, and JORGENSEN Sten Bay4
1. Department of Chemical and Biochemical Engineering, Technical University of Denmark, Lyngby DK-2800, Denmark (tus@maerskoil.com)
2. Safepark Consultancy, Kannikestræde 14, DK-3550 Slangerup, Denmark (niels.jensen@safepark.dk)
3. Department of Electrical Engineering, Technical University of Denmark, Lyngby DK-2800, Denmark (mli@elektro.dtu.dk)
4. Department of Chemical and Biochemical Engineering, Technical University of Denmark, Lyngby DK-2800, Denmark (sbj@kt.dtu.dk)
Abstract: Traditionally alarms are designed on the basis of empirical guidelines rather than on a sound
scientific framework rooted in a theoretical foundation for process and control system design. This paper
proposes scientific principles and a methodology for design of alarms based on a functional modeling technique
(MFM) which represents a process in terms of its goals, functions and operating requirements. The reasoning
capabilities of MFM enable identification of operational situations which threaten to generate an alarm and
derivation of potential response scenarios. The design methodology can be applied to any engineering system
which can be modeled by MFM. The methodology provides a set of alarms which can facilitate event
interpretation and operator support for abnormal situation management. The proposed design methodology
provides the information content of the alarms, but does not deal with alarm presentation or display design
issues. A hydraulically powered grinding process is employed as an industrially relevant system to show the
applicability of the proposed design methodology with promising results.
Keywords: alarm design; alarm generation; interpretation; functional modeling
1. Introduction
Process alarms are used to help operators in coping
with abnormal situations by alerting and informing
them in the event of critical operating plant situations.
According to Abnormal Situation Management
Consortium (ASM) [1], an abnormal situation is
defined as ‘a disturbance or series of disturbances in a
process that cause plant operations to deviate from
their normal operating state’. An alarm system
comprises hardware and software components, which
can signal an alarm state, transmit the signal to the
process automation system, record the signal, and
display a message about the signal to the operator [2].
Alarm systems are an integrated part of modern
automation systems, which are used in facilities such
as nuclear power plants, aircraft cockpits or air traffic
control stations to call the operators’ attention to
important events [3]. When a process variable passes a
limit and/or process equipment is not in a normal state,
a signal is generated. This signal is commonly called
an alarm. Alarm designers develop process alarm
systems assuming that the operator is able to react to
each alarm and correct the underlying cause. Presently
alarms are generally designed based on commonly
accepted guidelines. In the period when alarms were
hardwired, the designers tended to design and install
alarms only when they were really needed because of
their high cost (approximately $1000 per alarm) [4].
With modern control systems based on advanced ICT
automation technology, it has become easy and cheap
to add alarms on any process input or output.
Consequently too many or irrelevant alarms are often
defined without careful consideration of their
importance for operation and of the consequences for the
operators' workload.
Received date: February 17, 2010 (Revised date: February 3, 2011)
There is accordingly a need for a systematic and
scientifically based methodology for alarm design. A
semantically sound generic alarm definition is first
proposed, and then a functional modeling based
approach to the analysis of the process states from
suitable available sensor signals is briefly presented.
Subsequently four criteria for classification of plant
situations are defined which will become the basis for
a situation assessment using the reasoning capabilities
of the functional models. In addition a methodology
for state interpretation is presented, before the alarm
design methodology is given. The modeling and alarm
design methodology is illustrated on a hydro powered
flour production system.
2. Meanings of alarm and functional modeling
2.1 Definition of alarm
There are many types of definitions of alarm in the
literature. Here an alarm is defined based upon the
following recognition: "An alarm is a signal signifying
to an operator that an abnormal state has occurred".
The signal has a double signification:
1) it alerts the operator, raises attention, warns and
gives notice, and
2) it indicates danger, malfunction, error condition,
process deviation or an unexpected event.
The first signification is on the perceptual level,
whereas the second signification is based on the
operators' expectations, experience (i.e. norms) or
knowledge, and so it is on the cognitive level. On this
basis a new definition of alarm is proposed: "An alarm
is a signal which signifies to the operator that an
abnormal state needs a response."
Here the term ‘response’ is used to define a required
reaction. The expression ‘abnormal state’ comprises
process deviation, error condition, malfunction, and
neared or overrun limits. The expression ‘abnormal
state’ must be interpreted in terms of functional
concepts. For this purpose the following definition is
applied for ‘abnormal state’ as “An abnormal state is a
state which threatens or prevents the accomplishment
of a goal.”
Thus a generic definition of alarm becomes: “An
alarm is a signal which signifies to the operator that a
response requiring state threatens or prevents the
accomplishment of a goal.”
2.2 From abnormal states to functional modeling
The word ‘normal’ has its roots in the concepts of a
‘norm’. An abnormal situation is accordingly a
situation which does not comply with a norm. Norms
are expressed by criteria for what is good, acceptable,
desirable or required. They can be derived from
specifications of how things ought to be, i.e. from an
intention or purpose. However, norms can also be
defined by referring to an experienced situation
representing how things usually are when they are
acceptable or considered good. In a process life cycle
perspective these two ways of defining norms are
connected because a best practice can be transformed
into requirements and norms. Norms, requirements
and purposes for action can be represented by
‘functional modeling’ [5], which provide concepts for
formalized representation of purposes, goals and
functions of physical designs. Functional concepts are
for the same reasons closely connected to concepts of
failure. It is therefore obvious that functional
modeling can play a central role for development of a
scientific basis for alarm design. Previous approaches
to alarm design have also emphasized the importance
of functional concepts [6,7], however without
suggesting the scientific approach as presented in this
paper.
Larsson [8], Fang and Lind [9] and Gofuku and Tanaka
[10,11] have used a functional modeling method called
Multilevel Flow Modeling (MFM) [12] for fault
diagnosis and counteraction planning. Those works
developed principles for reasoning on system failures
but did neither explicitly consider the problem of
alarm design nor classified development stages of a
safety critical situation.
3. Design principles and methodology
3.1 Semiotics on alarm design and Multilevel Flow Modeling
The design principle of alarms can be built on basic
principles of sign interpretation from the field of
semiotics and on a functional modeling method MFM.
Semiotics studies deal with ‘signs’ and their
interpretation of any subject from all aspects. In the
present context the branch of semiotics, which
originally deals with the interpretation of signs by
biological organisms, is of particular interest. Morris
[13] developed a theory of sign interpretation which
explains how the meaning of signals received by an
organism interacting with an environment depends on
the phase of the ‘action’. This theory can be applied to
alarm interpretation and has been adopted for this
purpose in combination with functional modeling to
design of human machine interfaces and to intelligent
control [12, 14].
MFM is a modeling methodology which has been
developed to support functional modeling of process
plants involving the interactions of materials, energy
and information flows [6,7]. Functions are here
represented by elementary flow functions
interconnected to form ‘flow structures’ representing a
particular ‘goal’ oriented perspective of the system.
MFM is founded on fundamental concepts of action
[15] and each of the elementary flow functions can thus
be seen as ‘instances’ of more generic action types [6].
The perspectives represented by the flow structures
are related by ‘means-end relations’ and comprise
together a comprehensive model of the functional
organization of the system. The basic modeling
concepts of MFM include objectives, flow structures,
a set of 'functional primitives' (the flow functions
with causal roles) and a set of means-end relations
representing purpose related dependencies between
flow structures. The functions, the flow structures and
the 'relations' are interconnected to form a
hypergraph-like structure.
3.2 Example: an overshot water mill
An overshot water mill shown in Fig. 1 is used as an
example of process system to illustrate the principles
and the methodology for alarm design. A water mill
uses a water wheel to drive a mechanical process for
flour or lumber production. The water used by the mill
is diverted from a river along a channel known as the
flume. A sluice gate on the flume is used to control the
amount of water flowing into the mill. The wheel is
rotated by the falling water striking and filling the
buckets of the wheel, making it heavier than the other
empty side. The weight turns the wheel which in turn
rotates the drive shaft with a toothed wheel. By means
of the horizontal toothed wheel, the angle of rotation
changes which in turn rotates the spindle and drives a
runner stone. The runner stone is the upper part of the
millstones which spins above the stationary bed stone
creating the grinding action. The runner stone has a
hole near the centre into which the grain is fed. The
grain is ground between these two stones, moves
through to the outer edge and passes as flour through
the casing. By means of the grinding action, the shells
and the flour are separated. Two intervention
possibilities are assumed to be available to the miller
in this kind of system: (i) changing the water flow rate
to the water wheel by means of the sluice gate, and (ii)
manipulating the feed rate of the grain to the runner
stone.
3.3 MFM model of a water mill
The process alarm design is based on the MFM model
of the water mill as shown in Fig. 2. The main skeleton
of an MFM model is its “objective tree”. Figure 3
shows the objective tree of the example MFM model.
The flow structure S3 as shown both in Figs. 2 and 3
represents the functions involved in supplying water
to the water wheel, where the water is transported
through the sluice (represented by tr7) into the buckets
(represented as a sink si4).
When the water flow is achieved then O3 is fulfilled
and the water wheel is moving. Thus (following the
“producer-product relation” connecting S3 with so2)
the energy in the water is converted to rotational
energy represented by the flow functions so2, tr4 and
si3. Furthermore, when O2 is achieved rotational
energy is available for the grinding, which is
represented by the flow function bl1 in the grain
structure S1. The supply of grain is represented by
source so1 and the transport tr1 and the flour produced
is transported to the consumer (si2).
The fulfillment of the main objective (O1) depends on the
fulfillment of all other objectives. The objective O3 is
independent while O2 depends on O3. The objective
tree as shown schematically in Fig. 3 is a hierarchy. In
general however it may be a heterarchy with multiple
top goals and sub-goals.
Fig. 1 The overshot water mill.
Fig. 2 A simple MFM model for the overshot water mill.
Fig.3 The objective tree for the water mill.
3.4 Flow function circumstances
To enable reasoning for state assessment it is suitable
to define four 'condition types' related to the flow
functions. The first two were originally proposed by
Paassen and Wieringa [16] and Petersen [12]; they are
the enabling and establishing circumstances, which
relate to normal operation. The other two relate to
abnormal operation: the disturbing and disabling
circumstances.
3.4.1 Enabling circumstances
Enabling circumstances enable flow functions in the
flow structures. A flow function is enabled when it has
the full potential to contribute to the achievement of its
corresponding objective. When a flow function is
enabled, it is however not yet interacting with its
adjacent flow functions. Consequently, the flow
functions in the corresponding flow structures are not
yet integrated to be able to achieve their corresponding
objectives. Figure 4 demonstrates the enabled
functions in the corresponding flow structures. Certain
system circumstances must be present for each flow
function to be enabled. The set of circumstances
which enables the flow functions are labeled as Nnxy
for x = flow function type (source: so, sink: si,
transport: tr, barrier: ba, storage: st, balance: bl), y =
function number (1, 2, 3...) and n = condition number
(1, 2, 3…).
Fig. 4 MFM model of water mill with flow functions enabled
3.4.2 Establishing circumstances
A flow function is established when its state supports
and ensures the achievement of its corresponding
objective [16]. When a flow function is established, it is
interacting with its adjacent flow functions.
Accordingly, a flow structure is established when its
flow functions are connected. As can be seen from Fig.
5, in this state, the flow functions are connected, and
the MFM relations and the objectives are fulfilled. The
set of circumstances which establish the flow
functions is labeled as Snxy in analogy with the
enabling circumstances. When flow functions are
established, they are interacting and dependent of their
adjacent functions and MFM relations.
Fig. 5 MFM model of water mill with flow functions enabled
and established. Additionally a specific threat is also shown
with flow functions in gray.
3.4.3 Disturbing circumstances
A flow function is disturbed when its state may
threaten the achievement of its corresponding
objective. When a flow function is disturbed, it has the
potential to disturb its adjacent flow functions.
Accordingly, it can disturb the integration of the flow
functions in the flow structure. This will threaten the
achievement of the corresponding objective. Such
disturbing system circumstances are called ‘threats’.
The set of abnormal system circumstances which
disturbs the flow functions are labeled as Tnxy. For
example T1so1 represents one of the disturbing
circumstances in the set of circumstances which
disturb the source function so1. In Fig. 5, the effect of
a disturbing condition on the source function so1
(T1so1) in the flow structure S1 is illustrated. When
T1so1 occurs, it disturbs the source function so1 and its
relation to the adjacent flow function tr1 (dotted lines).
When so1 is disturbed, it has the potential to disturb its
adjacent flow functions tr1, bl1, tr2, si1, tr3, si2 and
their MFM relations (both grey). If the integration of
the flow functions is disturbed, the state of so1 will
threaten the achievement of its corresponding
objective O1 (shown in grey). A threat occurs when a
flow function is threatened to be brought outside of the
intentional operation limits. For every Tnxy, the
corresponding threat type must be identified. A given
threat T1so1 can cause the source function so1 to be
outside its state constraint. Rossing et al. present a
methodology for identification of threats in HAZOP
studies [17, 18].
3.4.4 Disabling circumstances
A flow function is disabled when its state immediately
threatens and may prevent the achievement of its
corresponding objective. When a flow function is
disabled, it disturbs its adjacent flow functions,
relations and the integration of flow functions.
Consequently, it immediately threatens the
achievement of the corresponding objective.
Moreover, it has also the potential to disable its
adjacent flow functions and relations. Accordingly, if
it starts to disable its adjacent flow functions, it will
also disable the integration of the flow functions in the
corresponding flow structure. This will prevent the
achievement of the corresponding objective. Such
disabling circumstances are called 'failures'. The set
of abnormal system circumstances which disables the
flow functions is labeled Fnxy in the MFM model, as shown in
Fig. 6, where F1so2 represents one of the disabling
circumstances in the set of circumstances
which disable the source function so2. When F1so2
occurs, it will disable so2 and its relation to the
adjacent flow function tr4. This is shown by the
double lines '//' on so2 in Fig. 6. When so2 is disabled,
it immediately disturbs and may disable all the
adjacent functions and MFM relations in S2.
Fig. 6 MFM model of water mill showing the effect of F1so2 on
the enabled and established MFM model. The flow functions
which are disturbed by the failure are painted black.
The flow functions disturbed by F1so2 are painted black
and the disturbed MFM relations are shown by dotted
lines. Since the integration of the flow functions in S2
is disturbed, F1so2 immediately threatens the
achievement of the corresponding objective O2. Since
O2 is threatened and si3 influences bl1 (through a
producer-product relation), it will disturb the
integration of the flow functions in S1 which will also
threaten the achievement of O1. In Fig. 6, the
threatened and potentially prevented objectives and all
the disturbed and potentially disabled flow functions
are painted black. The disturbed and potentially
disabled MFM relations are shown by dotted lines.
The impact of Fnxy on a flow function depends on the
type of the flow function and the nature of the
disabling condition.
3.5 Signals and their interpretations
When abnormal states occur, they can threaten or
prevent the accomplishment of the system goal. Thus,
an agent must perceive and interpret these abnormal
circumstances to recommend intervention. The
supervisory control agent assesses the state of the
system caused by events in order to produce or
maintain the state of affairs according to the available
system information, goals and possible courses of
action [14]. In Fig. 7, the signal generation by an event,
the perception of these signals by the agent, the
interpretation process and the possible intervention are
illustrated.
Fig.7 Interpretation of event signals and consequential
intervention.
In the principles of alarm design, the interpretation
consists of three consecutive phases. The agent
perceives signals from the system and the
environment. The perceived signals are classified into
four types of circumstances (N-enabling,
S-establishing, T-disturbing, F-disabling) for each
flow function in the MFM model. This is the first
phase of interpretation shown in Fig.7. In the second
phase of interpretation, the state of the main function
of each objective is investigated. The main functions
are the focal points for the interpretation of abnormal
states within the flow structures in Phase-2. For
example, in the water mill MFM model (Fig.3), the
main functions are (in red circles) tr3, si3 and tr8.
In Phase-2, the success of the interpretation process is
directly dependent on the agent’s reasoning ability,
capacity and knowledge about the system. In complex
systems, the agent may have many events to perceive
and interpret. Thus automatic reasoning support is
essential when the control agent is a human operator.
After the state of each objective in a given MFM
model is known, the third interpretation phase is
completed with respect to the main goal in the MFM
model. In this phase, the state of the goal (the main
objective e.g. O1 in Fig.2) is investigated by its
corresponding main function. The potential inter flow
structure propagations can be derived by reasoning
about the means-end relations in the model (e.g.
condition and producer-product relations).
4. Alarm design
An alarm “signifies a response requiring state which
threatens or prevents the accomplishment of a goal of
a purposeful system”. Thus the circumstances
confirmed during interpretation as corresponding to
objective ‘will be under threat’, ‘is under threat’, ‘will
fail’ or ‘is failed’ are considered as alarms, as listed in
Table 1.
Table 1: Notation for alarm types related to goal Oi (i = 1, 2, 3…).
In modern control system alarms are generally
classified in categories such as message or warning,
alarm and emergency, depending on the time available
for operator intervention before automatic action takes
over. The categories "will be under threat" and "under
threat" used in Table 1 correspond to 'alarm', while
the categories "will fail" and "failed" correspond to
'emergency'.
The full propagation potential (from so3 in S3 to st1 in
S1) of Tso3:lovol is shown in Fig. 8. As seen in the
potential propagation path in Fig. 8, there are three
intervention possibilities labeled C3, C2 and C1,
which act on si3, so2 and tr1, respectively.
Fig. 8 Propagation of the abnormal condition Tso3:lovol with
three intervention possibilities. Alarm types are shown on the
right-hand side; the intervention possibilities are labeled C1, C2 and C3.
The above methodology leads to a procedure and set
of rules for reasoning based alarm generation and
suggested intervention generation. On this basis the
systematic alarm design procedure will be
summarized as below:
(1) Develop a Multilevel Flow Modeling (MFM) of
the given process including explanation of
objectives, causal relations and, description of
flow functions,
(2) Identify the objective tree (heterarchy) from the
MFM model,
(3) Identify enabling-N and establishing-S
circumstances for each MFM flow function and
structure,
(4) Identify disturbing-T and disabling-F
circumstances for each MFM flow function and
structure,
(5) Identify the main function for each objective
concerning the means-end relations,
(6) Identify possible intervention possibilities
together with their descriptions,
(7) Identify fixed alarm contents for every objective,
(8) Identify the criticality of the given system,
through consequence propagation in dependence
of the prediction horizon, and
(9) Apply the procedures and rules for alarm
generation following the alarm design principles.
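The procedure above, and the propagation reasoning of Sections 3.4 to 3.5 that it relies on, can be made concrete in a few dozen lines. The following Python script is an added example written for this page; it is not code from the paper or from its authors. It encodes the water mill flow structures S1, S2 and S3 with the function names of Fig. 2, takes the Phase-1 output (the N/S/T/F circumstance observed on each flow function) as constructed input, propagates disturbances along adjacent functions and producer-product relations up to a prediction horizon (step 8; the same knob the paper later calls alarm sensitivity), reads the state of each objective off its main function (Phases 2 and 3) and emits the Table 1 category, the alarm/emergency class of Section 4 and the intervention points C1 to C3 of Fig. 8 that lie on the propagation path. Three things are assumptions rather than statements of the paper: tr7 is used as the main function of O3 (the paper names tr8, which does not occur in the S3 chain as described), the S3 to so2 producer-product relation is attached at si4, and the action texts for C1 to C3 are invented. The propagation rule (any adjacent function inside a structure, one way across means-end relations) is a simplification of the qualitative rules the paper refers to in [12].

```python
"""Added example (not code from the paper): qualitative alarm generation for
the water mill of Sections 3.3-4, running steps (3) to (9) of the procedure.
It encodes flow structures S1-S3, the N/S/T/F circumstances of Section 3.4,
a simplified propagation rule (Section 3.5) bounded by a prediction horizon
(step 8, the 'alarm sensitivity' of Section 5) and the Table 1 categories.
Assumptions are marked; the observed circumstances are constructed input."""
from collections import deque
from dataclasses import dataclass

ABNORMAL_RANK = {"T": 1, "F": 2}          # N and S are normal, T and F abnormal
CATEGORIES = ["will be under threat", "is under threat", "will fail", "is failed"]


@dataclass(frozen=True)
class FlowStructure:
    name: str
    objective: str
    chain: tuple   # flow functions in flow order
    main: str      # main function: the Phase-2 focal point of the objective


# Function names follow Fig. 2 / Section 3.3. Assumption: tr7 is used as the
# main function of O3 (the paper's tr8 does not appear in the S3 chain).
STRUCTURES = (
    FlowStructure("S3", "O3", ("so3", "tr7", "si4"), "tr7"),
    FlowStructure("S2", "O2", ("so2", "tr4", "si3"), "si3"),
    FlowStructure("S1", "O1", ("so1", "tr1", "bl1", "tr2", "si1", "tr3", "si2"), "tr3"),
)
# Producer-product relations, producer -> product. si3 -> bl1 is from
# Section 3.4.4; attaching the S3 -> so2 relation at si4 is an assumption.
MEANS_END = (("si4", "so2"), ("si3", "bl1"))
# Intervention points C1-C3 of Fig. 8; the action texts are assumptions.
INTERVENTIONS = {"tr1": "C1: reduce grain feed to the runner stone",
                 "so2": "C2: open the sluice gate",
                 "si3": "C3: disengage the spindle"}


def build_graph():
    """Within a structure a disturbance may reach adjacent functions in either
    direction (Section 3.4.3 lists all of S1 as reachable from so1); between
    structures it follows the means-end relations one way."""
    adj = {fn: [] for s in STRUCTURES for fn in s.chain}
    for s in STRUCTURES:
        for a, b in zip(s.chain, s.chain[1:]):
            adj[a].append(b)
            adj[b].append(a)
    for producer, product in MEANS_END:
        adj[producer].append(product)
    return adj


def propagate(observed, horizon):
    """Breadth-first propagation from every observed T/F function, at most
    `horizon` hops. Returns fn -> (rank, hops, path), keeping the most severe
    root and, on ties, the shortest path."""
    adj = build_graph()
    unknown = set(observed) - set(adj)
    if unknown:
        raise ValueError(f"not in the MFM model: {sorted(unknown)}")
    effect = {}
    roots = sorted((fn for fn, c in observed.items() if c in ABNORMAL_RANK),
                   key=lambda fn: -ABNORMAL_RANK[observed[fn]])
    for root in roots:
        rank, queue, seen = ABNORMAL_RANK[observed[root]], deque([(root,)]), {root}
        while queue:
            path = queue.popleft()
            fn, hops = path[-1], len(path) - 1
            cur = effect.get(fn)
            if cur is None or (rank, -hops) > (cur[0], -cur[1]):
                effect[fn] = (rank, hops, path)
            if hops < horizon:
                for nxt in adj[fn]:
                    if nxt not in seen:
                        seen.add(nxt)
                        queue.append(path + (nxt,))
    return effect


def assess(observed, horizon=2):
    """Phases 2 and 3 of Section 3.5: the state of each objective is read off
    its main function. Returns objective -> (category, severity, root, advice)."""
    effect = propagate(observed, horizon)
    alarms = {}
    for s in STRUCTURES:
        level, path = -1, ()
        if s.main in effect:
            rank, hops, path = effect[s.main]
            # F on the main function: 'is failed'; F reaching it: 'will fail';
            # T on it: 'is under threat'; T reaching it: 'will be under threat'.
            level = (3 if hops == 0 else 2) if rank == 2 else (1 if hops == 0 else 0)
        # A failure anywhere in the structure immediately threatens its
        # objective (Section 3.4.4), whatever the horizon.
        failed = [fn for fn in s.chain if observed.get(fn) == "F"]
        if failed and level < 1:
            level, path = 1, (failed[0],)
        if level < 0:
            continue
        severity = "emergency" if level >= 2 else "alarm"   # Section 4 mapping
        advice = [INTERVENTIONS[fn] for fn in path if fn in INTERVENTIONS]
        alarms[s.objective] = (CATEGORIES[level], severity, path[0], advice)
    return alarms


if __name__ == "__main__":
    # Constructed Phase-1 output for the Fig. 8 case: low water volume at so3.
    for h in (2, 9):
        print(f"horizon={h}:", assess({"so3": "T"}, horizon=h))
    print("F1so2 (Fig. 6):", assess({"so2": "F"}, horizon=6))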
Throughout this paper the water mill has been used as
the illustrative example. By using the methods presented
above the alarms for every objective have also been
identified. These alarms contain the information
contents for any alarm generated during the
interpretation process. The results are reasonable, and
the state of the flow functions in the model is easily
identified. These alarm design principles have also
been investigated on a more realistic industrially
inspired example, i.e. an industrial heat pump on a
distillation column. The investigation also in this case
produced most promising results.
5. Discussion and Conclusion
The principles and methodology given in this paper
enable an engineer to approach a systematic alarm
design upon a scientific basis. The alarm design
methodology proposed in this paper can be applied to
any engineering system which can be consistently
modeled by MFM. The most crucial aspect of the
methodology is the interpretation procedure which is
performed by the alarm system to support an operator.
This interpretation exploits the reasoning capabilities
of the MFM models. Several rules can be applied to
predict the propagation of disturbing circumstances on
a given path by using causal relations [12]. By the
reasoning system the propagation of abnormal
circumstances can be qualitatively predicted and
classified by the proposed alarm design. Moreover, to
deal with branching propagation paths, additional
rules can be designed for the interpretation process.
This alarm design methodology can form an improved
basis for diagnosis and counteraction planning [8-10,12].
Changing the alarm sensitivity in an abnormal
situation can be used for ‘alarm suppression’. When
many alarms are presented to the operator, the alarm
sensitivity can be decreased to reveal the overall
situation in the plant. That will eventually decrease the
number of alarms. In addition, by increasing the alarm
sensitivity, an operator can obtain an idea of how far
the present abnormal situation can propagate.
While developing the alarm design principles, it was
assumed that the state of each flow function could be
identified. The larger the number of flow function
states which can be identified, the more reliable the
interpretation becomes. As illustrated in both cases
and especially in the heat pump case, in engineering
systems it is not economically practical to measure the
state of each flow function.
On the other hand, the qualitative reasoning
capabilities of MFM will reduce the need for
measuring the state of all flow functions. However
qualitative reasoning will have a limitation that the
alarms are more uncertain when measurements are
located far (in terms of propagation path) from the root
cause. For highly safety critical cases quantitative
mathematical models may be combined with MFM to
predict the states of observable critical flow functions,
when necessary.
The MFM modeling enables a qualitative
representation of a system on several levels of
means-end abstraction. When large industrial systems
such as oil refineries and power plants are considered,
a network of objectives for these systems can be
developed. Thereafter MFM models can be developed
for each objective in the network. Next, specific
alarms can be designed for each objective. By this
method, the proposed alarm design principles can be
used systematically at different abstraction levels.
This will enable the operators to cope efficiently with
critical abnormal situations affecting the overall
operation of large industrial plants or system
networks.
References
[1] ABNORMAL SITUATION MANAGEMENT
CONSORTIUM: A Joint Research and Development
Consortium ,2008, URL: www.asmconsortium.com
[2] DUNN, D.G., and SANDS, N.P.: ISA-SP18 Alarm
System Management and Design Guide, Presented at ISA
EXPO 2005, McCormick Place Lakeside Center,
Chicago, Illinois, October 25-27, 2005.
[3] ENDSLEY, M.R., BOLTE, B., and JONES, D.G.:
Designing for Situation Awareness An Approach to
User-Centered Design, Taylor & Francis, New York,
2003, 149-150
[4] KATZEL, J.: Managing Alarms, Control Engineering,
Vol. 54(2), 2007, 50-54
[5] LIND, M.: Diagnosis using Multilevel Flow Models -
Diagnostic Strategies for the P96 demonstrator. Tech.
Report, ESPRIT project P96, Technical Report, 1988
[6] LIND, M.: Modeling Goals and Functions of Complex
Industrial Plant, Applied Artificial Intelligence, 8(2) 1994,
259-283
[7] LIND, M.: The Why, What and How of Functional
Modeling, Proc. of ISSNP 2007, Tsuruga Japan, July
2007
[8] LARSSON, J. E.: Diagnostic reasoning strategies for
means-end models. Automatica, 30(5), 1994, 775-787
[9] FANG, M, and LIND, M.: Model based reasoning using
MFM. Proc. Pacific-Asian Conference on Expert
Systems (PACES), Huangshan, China, 1995
[10] GOFUKU, A., and TANAKA, Y.: Application of
derivation technique of Possible Counter Actions to an
Oil Refinery Plant, Proc. 4th IJCAI Workshop on
Engineering Problems for Qualitative Reasoning, 77-83,
Stockholm, 1999
[11] GOFUKU, A., and TANAKA, Y.: Display of diagnostic
information based on display intention. Proceedings of
Symposium on Analysis, Design & Evaluation of
Human-Machine Systems (HMS 2001) 9. 385-9, 2001
[12] PETERSEN, J.: Knowledge Based Support for Situation
Assessment in Human Supervisory Control, PhD thesis,
Department of Automation, Technical University of
Denmark, 2000.
[13] MORRIS, C.: Signification and Significance, The MIT
Press, Cambridge, Massachusetts, USA, 1964.
[14] LIND, M.: Semiotics and Intelligent Control,
Proceedings IFIP WG8.1 Working Conference
Organizational Semiotics: Evolving a science of
information systems. Montreal, Canada. July 24-26, 2001
[15] VON WRIGHT, G. H.: Norm and Action, Routledge &
Kegan Paul, London, 1963
[16] PAASSEN, M.M., and WIERINGA, P.P.: Describing
Process Mode Changes with Multilevel Flow Models,
Proceedings of the Fifth International Workshop on
Functional Modeling of Complex Technical Systems,
ISBN 0-9652669-5-8, 27-39, Paris-Troyes, France, 1997
[17] ROSSING, N.L., LIND, M., JENSEN, N., and
JORGENSEN, S.B.: A goal based methodology for
HAZOP analysis, IJNS Vol.1, No.2, 2010
[18] ROSSING, N.L., LIND, M., JENSEN, N., and
JORGENSEN, S.B.: A functional HAZOP methodology,
Comp.Chem.Eng. Vol. 34, 244-253, 2010
... Incorporating similar information to operational knowledge proposed in (Gofuku and Tanaka, 1997), Us et al. (2011) suggest an alarm design method based on MFM. External conditions and disturbances for individual functions of the system are used to identify points of mitigation and early warnings for arising alarms, creating a dependency structure of possible faults. ...
... The proposed alarm system considers only alarms associated with the modelled function of the plant and incorporates the consequence reasoning to predict alarms that will soon be triggered due to the propagation through the plant. (Us et al., 2011) Zhang (2015) has presented the most recent set of propagation rules for MFM models and applied it to the diagnosis of a nuclear power plant. The work also explores the adaptation of the model or its links to the process to accommodate different modes of operation as previously pointed out by Larsson et al. (2004). ...
Article
The complexity of modern industrial plants poses significant challenges for the design of effective operator interfaces. Although established practices can significantly reduce the frequency of alarms, operators often cannot resolve the failure cascades commonly occurring during emergency situations. Automating control rooms by incorporating design and operation knowledge about the systems can significantly improve operator efficacy. Intelligent support systems should reduce the amount of information and provide more context to the operators. The operators' focus should be shifted from information acquisition to taking informed decisions about mitigation steps. This contribution gives a brief review of the development of Multilevel Flow Modeling (MFM) and its application to provide operators with decision support and situation awareness, focusing on implementations directly utilising the knowledge represented in MFM. Finally, current efforts toward a comprehensive intelligent human machine interface for operators are outlined.
... The concept of threat introduced here is related to the countermeasures provided by the designer. Threats can also be defined in an operational context in relation to the evaluation of dynamic situations e.g. in the management of alarms [15] but will not be addressed here. Fig. 6. Means-end relations used to represent connections between countermeasures (the means) and threats (the undesirable ends). ...
Article
The barrier concept plays a central role in design and operation of safety critical processes. In plant design barriers are provided as means of prevention to avoid critical process conditions which may be harmful to the environment. In plant operations barriers may be established and maintained through control actions in order to limit the consequences of critical plant events. The barrier concept has had a significant practical value for industry by guiding the design thinking of safety engineers. The provision of material barriers preventing the release of radioactive materials from the reactor core to the environment is accordingly a basic principle of nuclear safety design. The application of barriers is furthermore an integral part of the defence in depth principle applied by the nuclear industry. Here several barriers are combined with reliability techniques such as redundancy and diversity to create systems with a high level of safety. Chemical industries apply similar techniques for protection of the environment against the release of toxic materials. The paper explores different ways barriers can be represented in Multilevel Flow Modeling (MFM). One of the existing flow functions in MFM is a barrier function. It is shown that other barrier types can be represented and that their combination into barrier chains may be used to analyze and design levels of safety in automated processes. Suggestions for further research on barrier modeling with MFM are included.
... To prevent the accidents in a factory, a key method to be taken is to effectively monitor the certain physical values (temperature of the environment or equipment such as transformers, cable connectors, leakage detection, radiation check, intrusion notification, etc.). Additional recent data analytics capabilities include event stream processing and complex event processing in critical operating plant situations [14]. An abnormal situation or anomaly is defined as a disturbance or series of disturbances in a process that cause plant operations to deviate from their normal operating or overrun limits. ...
Article
Cyber-physical production systems, relying on the latest development of computer science, information and communication technologies, manufacturing science and technology are leading the way to a new industrial age, defined by the fourth industrial revolution. In this paper we present alarm detection in the industrial environment using a hybrid wireless sensor network (HWSN). As wireless static sensors are highly limited in terms of sensing, computation, communication, battery life, and the actions they can perform, our framework includes an autonomous mobile robot as an integral part of HWSN. We propose the mobile robot navigation technique based on sensor nodes as tags attached in the robot’s environment to define a target point for a mobile robot inspection task. The experimental scenarios presented in this paper are provided to illustrate the effectiveness of alarm detection using the wireless sensor network with mobile robot inspection.
... [5] Multilevel Flow Modelling (MFM) provides an abstract representation of an industrial process as a decomposition of connected mass and energy flows [6]. MFM methodology has been proposed as a versatile process representation to analyze causal patterns in a plant [7]. Inoue et al. [8] propose to use MFM for counter action planning in unknown emergency situations. ...
Conference Paper
The complexity of modern industrial plants poses significant challenges for the design of effective alarm systems. Rigorous alarm management is recommended to ensure that the operators get useful information from the alarm system, rather than being overloaded with irrelevant state information. Alarm management practices have been shown to significantly reduce the frequency of alarms in industrial process plants. These practices help focus the operators' attention on actually critical situations. However, they cannot resolve the cascades of critical situations frequently occurring during emergency situations. Multilevel flow modelling (MFM) has been proposed as a way of representing knowledge about the industrial process and inferring causes and consequences of deviations throughout the system. The method enables the identification of causes and consequences of alarm situations based on an abstracted model of the mass and energy flows in the system. The application of MFM for root cause analysis based alarm grouping has been demonstrated and can be extended to reason about the direction of causality considering the entirety of the alarms present in the system for more comprehensive decision support. This contribution presents the foundation for combining the cause and consequence propagation of multiple observations from the system based on an MFM model. The proposed logical reasoning matches actually observed alarms to the propagation analysis in MFM to distinguish plausible causes and consequences. This extended analysis results in causal paths from likely root causes to tentative consequences, providing the operator with a comprehensive tool to not only identify but also rank the criticality of a large number of concurrent alarms in the system.
... To prevent accidents in a factory, a key method to be taken is to effectively monitor certain physical values (changing temperature of the environment or equipment such as transformers, cable connectors, etc.). Additional recent data analytics capabilities include event stream processing and complex event processing in critical operating plant situations [9]. An abnormal situation or anomaly is defined as a disturbance or series of disturbances in a process that cause plant operations to deviate from their normal operating or overrun limits. ...
Chapter
Cyber-physical systems have been an ever-growing term in today's evolving Industry 4.0, combining improved information technology and automation solutions, data and physical elements and the ability to connect devices to one another using wireless sensor networks. In this paper we present an alarm detection and monitoring system using a wireless sensor network (WSN) with mobile robot inspection. An abnormal event could happen at any uncertain time, so we need more sensor nodes in the industrial environment to set alarms precisely if an abnormal event happens. Our framework includes the autonomous robot (agent) as an integral part of the wireless sensor network, and the mobile robot travels to the positions where the alarm was detected to investigate. The aim of our work was to develop an alarm detection system that could help different factories install reliable alarm detection systems with localizing and monitoring capability at a relatively lower cost. As such, it could be replicated anywhere, including complex event processing. © 2019, Springer International Publishing AG, part of Springer Nature.
... One group of applications includes situation assessment and fault diagnosis for decision support of control room operators. This research includes root cause analysis [20,22,25,31,38], alarm design [43] and alarm analysis and filtering [17,18,37]. MFM is also proposed for on-line risk monitoring [30,45-47] and for risk analysis of processes in the design phase [41,44]. ...
... Cauvin et al. [23] used causal graphs and models to interpret the root causes of alarms. Dashlstrand [35], Souza et al. [92], Larsson et al. [73], and Tolga et al. [103] introduced multilevel flow models or fuzzy neural networks to analyze root causes of alarms. Kezunovic and Guan [64] used fuzzy reasoning Petri-nets techniques to diagnose the root cause of alarms. ...
Article
Alarm systems play critically important roles for the safe and efficient operation of modern industrial plants. However, most existing industrial alarm systems suffer from poor performance, noticeably having too many alarms to be handled by operators in control rooms. Such alarm overloading is extremely detrimental to the important role played by alarm systems. This paper provides an overview of industrial alarm systems. Four main causes are identified as the culprits for alarm overloading, namely, chattering alarms due to noise and disturbance, alarm variables incorrectly configured, alarm design isolated from related variables, and abnormality propagation owing to physical connections. Industrial examples from a large-scale thermal power plant are provided as supportive evidences. The current research status for industrial alarm systems is summarized by focusing on existing studies related to these main causes. Eight fundamental research problems to be solved are formulated for the complete lifecycle of alarm variables including alarm configuration, alarm design, and alarm removal.
Article
Most current alarm systems used in chemical installations show poor performance due to alarm flooding. This study focuses on alarm management systems optimization using the deviation propagation relationship hidden in the hazard and operability study (HAZOP) report, which can be transformed into a critical information source for alarm optimization management. More concretely, this means matching the alarm tag number with the process deviations in the deviation column, possible cause column, and consequence column. Furthermore, a backtracking method and a reasoning method were established to identify the initial alarm and associated alarms. Besides, a root fault diagnosis was carried out. A method of detecting hardware faults and unreasonable alarm thresholds is established using alarm causality corresponding to the deviation causality and associated alarm generation-skipping tracing method. According to the severity of the consequence corresponding to the deviation, a determined alarm priority method is constructed. The results show that the deviation propagation relationship in the HAZOP report is clear, and the topological relationship is easy to build based on the deviation propagation relationship. With comprehensive and in-depth HAZOP analysis reports in China, the alarm management optimization technology based on adapted HAZOP reports shows good prospects for application and promotion.
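The two abstracts above describe one computation from two directions: the conference paper combines cause and consequence propagation of several observed alarms into causal paths from likely root causes to tentative consequences, and the HAZOP-report approach backtracks along deviation propagation to the initial alarm, then orders alarms by the severity of the consequence behind them. The citation snippet earlier on the page adds a third use of the same graph, predicting alarms that will soon be triggered by propagation. The block below is an added example of that computation, not code from the paper on this page or from any of the cited works. The propagation graph, the alarm tag names and the severity values are constructed stand-ins for what MFM reasoning rules or the deviation, cause and consequence columns of a HAZOP report would supply.

```python
"""Cause/consequence analysis of concurrent alarms over a propagation graph.

Added example, not code from the papers cited on this page. The graph and
severities are constructed; in practice they come from MFM propagation rules
or from the deviation/cause/consequence columns of a HAZOP report.
"""
from collections import deque

# Constructed toy propagation graph: alarm tag -> tags it propagates to.
# Tag names are hypothetical.
CAUSAL_EDGES = {
    "FV-102_STUCK":      ["P-101_LOW_FLOW"],
    "P-101_LOW_FLOW":    ["T-201_HIGH_TEMP", "L-301_LOW_LEVEL"],
    "T-201_HIGH_TEMP":   ["PR-201_HIGH_PRESS"],
    "PR-201_HIGH_PRESS": ["RV-201_OPEN"],
    "L-301_LOW_LEVEL":   ["P-301_CAVITATION"],
    "RV-201_OPEN":       [],
    "P-301_CAVITATION":  [],
}

# Constructed consequence severity per alarm (1 = minor, 4 = severe),
# the kind of value a HAZOP consequence column provides.
SEVERITY = {
    "FV-102_STUCK": 1, "P-101_LOW_FLOW": 2, "T-201_HIGH_TEMP": 2,
    "PR-201_HIGH_PRESS": 3, "RV-201_OPEN": 4, "L-301_LOW_LEVEL": 2,
    "P-301_CAVITATION": 3,
}


def invert(graph):
    """Consequence -> direct causes (the backtracking direction)."""
    inv = {}
    for cause, effects in graph.items():
        inv.setdefault(cause, [])
        for effect in effects:
            inv.setdefault(effect, []).append(cause)
    return inv


def reachable(graph, start):
    """BFS from start; returns {node: predecessor} for every reachable node.
    The dict doubles as the visited set, so feedback loops terminate."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return prev


def trace(prev, target):
    """Rebuild the propagation path root -> ... -> target from a BFS result."""
    steps = []
    while target is not None:
        steps.append(target)
        target = prev[target]
    return steps[::-1]


def analyze(observed, graph=CAUSAL_EDGES, severity=SEVERITY):
    """Group observed alarms under plausible root causes.

    A root is an observed alarm with no observed alarm upstream of it.
    For each root: the observed downstream alarms it explains (with the
    path to each), the modelled downstream alarms not yet raised (a
    consequence prediction), and the worst severity on the whole subtree,
    which orders the roots for the operator. Tags absent from the model
    are returned separately instead of being silently dropped.
    """
    known = set(graph) | {e for es in graph.values() for e in es}
    observed = set(observed)
    modelled = observed & known
    unmodelled = sorted(observed - known)
    upstream = invert(graph)

    roots = [a for a in modelled
             if not (set(reachable(upstream, a)) - {a}) & modelled]
    results = []
    for root in roots:
        prev = reachable(graph, root)
        downstream = set(prev) - {root}
        explained = sorted(downstream & modelled)
        predicted = sorted(downstream - modelled)
        worst = max(severity.get(n, 0) for n in [root, *explained, *predicted])
        results.append({
            "root": root,
            "explained": explained,
            "predicted": predicted,
            "paths": {c: trace(prev, c) for c in explained},
            "severity": worst,
        })
    # most severe first, then the root that explains the most alarms
    results.sort(key=lambda r: (-r["severity"], -len(r["explained"]), r["root"]))
    return results, unmodelled


if __name__ == "__main__":
    # Constructed alarm flood: three modelled alarms plus one unknown tag.
    groups, unknown = analyze(["T-201_HIGH_TEMP", "P-101_LOW_FLOW",
                               "RV-201_OPEN", "X_UNMODELLED"])
    for g in groups:
        print(f"root {g['root']} (severity {g['severity']}) explains "
              f"{g['explained']}, expect next {g['predicted']}")
    print("not in model:", unknown)
```

Run as a script, the constructed flood of four alarms collapses to a single root, P-101_LOW_FLOW, which explains the two other modelled alarms through explicit paths and predicts the three downstream alarms the model says should follow; the tag the model does not know is reported on its own so the operator can see the model's coverage gap. The same root-first grouping is what an alert-correlation stage in a detection pipeline does when it folds consequential alerts under one incident.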
Thesis
Process safety is of considerable concern for society, in order to reduce the risk of major accidents with severe consequences for human lives and the economy. The accidents also demonstrated process complexity as a major challenge for process safety. Presently process safety is evaluated using qualitative methods which rely upon careful bookkeeping for re-evaluation when process modifications and improvements are considered. Consequently it is desirable to develop a more systematic modeling methodology which may be applied for safety assessment and which may conveniently be reused when necessary. A representative qualitative modeling framework is Multilevel Flow Modeling (MFM), which is based on functional modeling. It has been suggested that MFM can deal with the complexity of design and operation of process engineering systems, with a promising application future. The purpose of the PhD project is to develop innovative modeling methods for automated analysis and evaluation of safety in industrial processes, especially in the oil and gas industry. Validation of functional models is a key issue dealt with in the thesis. The thesis conducts in-depth research on modeling, reasoning, validation and safety analysis applications in the MFM modeling framework. On the basis of abstraction hierarchy theory, the foundation of MFM theory is introduced and an MFM modeling procedure is proposed to prevent the modeler from making errors. A dynamic simulator of a three-phase separation process is established. By following the proposed modeling procedure, an MFM model is built for the first time. The modeling of the assumed thermodynamic gas-liquid phase equilibrium in the separator is discussed as well. The case study demonstrates the applied modeling procedure and also the strength of MFM for modeling a real technical oil and gas process. Based on the existing research on reasoning rules of MFM, a new reasoning strategy of extended MFM based on roles is proposed.
The reasoning strategy is applied for an "untraditional" HAZOP study. The case study shows that the study extends the MFM model expression and reasoning ability. By including roles the discrimination between different types of causes for failure is improved. To deal with the MFM model validation problem, a scientific-based validation method is proposed. With the application of the method for validation of the proposed MFM model for the three-phase separation process, the qualitative confidence of the model is assured. To systematically identify causes and evaluate the potential effect of a failure, an integrated qualitative and quantitative modeling framework for HAZOP studies has been proposed that uses MFM with a knowledge-based reasoning system, together with a risk matrix, and quantitative dynamic simulation for verification and validation of risks. The integrated framework is successfully applied to a realistic three-phase separation process system. The results demonstrate the importance of the formulation of MFM models to represent the physical system for acquisition of HAZOP knowledge in the qualitative part of the overall methodology. From this point of view, the quantitative analysis based on the dynamic simulation complements and enhances the MFM model based process safety analysis of the system, in particular with regard to the transient dynamics of the system. The integrated methodology would be best suited to the FEED (Front End Engineering Design) stage of process development.
Article
A HAZOP methodology is presented where a functional plant model assists in a goal oriented decomposition of the plant purpose into the means of achieving the purpose. This approach leads to nodes with simple functions from which the selection of process and deviation variables follow directly. The functional HAZOP methodology lends itself directly for implementation into a computer aided reasoning tool to perform root cause and consequence analysis. Such a tool can facilitate finding causes and/or consequences far away from the site of the deviation. A functional HAZOP assistant is proposed and investigated in a HAZOP study of an industrial scale Indirect Vapor Recompression Distillation pilot Plant (IVaRDiP) at DTU-Chemical and Biochemical Engineering. The study shows that the functional HAZOP methodology provides a very efficient paradigm for facilitating HAZOP studies and for enabling reasoning to reveal potential hazards in safety critical operations.
Article
The purpose of this paper is to describe a modeling methodology called multilevel flow modeling (MFM), which the author has developed for the representation of goals and functions of complex industrial plants. The idea of the methodology is to apply functional concepts to represent a plant at multiple interrelated levels of abstraction. MFM is currently used in supervisory control applications for aiding the operator in diagnosis and planning. It is also used in the conceptual analysis and synthesis of control systems. The paper provides an introduction to the basic concepts of MFM, details two modeling examples, and describes the object-oriented tool Abstractions used for the implementation of MFM models and for diagnosis and planning applications. Finally, the paper presents a review of the use of MFM in previous and ongoing international projects.
Article
This paper describes three diagnostic methods for use with industrial processes. They are measurement validation, alarm analysis and fault diagnosis. Measurement validation means consistency checking of sensor and measurement values using any redundancy of instrumentation. Alarm analysis is the analysis of multiple alarm situations to find which alarms are directly connected to primary faults and which alarms are consequential effects of the primary ones. Finally, fault diagnosis is a search for the causes of and remedies for faults. The three methods use multilevel flow models (MFM), to describe the target process. They have been implemented in the programming tool G2, and successfully tested on simulations of two processes.