Alarm Management for Humans Dealing with Alarm Inflation and Overload

1
Alarm Management for Humans Dealing with Alarm
Inflation and Overload

• Garry MitchelAtomic Energy of Canada Limited
• Canada
• (Presentation 48)

2
Alarm Management for Humans

• Annunciation Systems
• Experience gt Challenges
• Solutions Alarm Processing
• - CANDU Annunciation Message List System
• - Alarm Analysis Tools
• Alarm Design vs Alarm Inflation
• Advanced CANDU Reactor Annunciation

3
Main Control Room
Annunciation
Soft Wall Displays
Backup Safety Panels
Main Operator Console
Shift Interrogation Console
4
Original Design vs Experience

• Original DesignPrimary (Message List) Backup
  (Window Tiles)
• Alert users to changes, faults
• Point to supporting information
• - e.g. Alarm response procedures
• Design philosophy Single-alarm, Single
  response.
• Common deficiencies
• Alarm flooding (100s /hour in upset)
• Inappropriate to context (e.g. outage)
• Distracting alarms (e.g. chattering, horn)
• Cryptic messages (inconsistent syntax, abbrevs)
• Designers afterthoughts
• 1000s of different messages

5
Experience gt Challenges

• Breakdown in annunciation support during
  transients and outages
• Acceptance of workarounds
• Regression to tiles or to indications only,
  during upsets
• One-by-one jumpering of inappropriate alarms
  during outages
• Challenges  
• Process the flow (or flood!) of alarm
  information risk-prioritized set of information
• Improve alarm design - pre-defined for
  post-processing
• Too many alarms Fight Inflation

6
Solutions - Types of Plant Changes

• Faults - problems to be addressed
• Process disturbances.boiler level low
• Status - feedback on expected plant changes
• Changes in statemoderator purification
  isolated
• Automatic actions.CSDVs tripped closed
• One requires action, other is information

7
Solutions Alarm Processing

• Existing Alarm Suite
• Typically message list and window tiles
• Need to review allocation primary vs backup
• 1000s of messages, added-to over the years
• Need Human Factors Design Guides
• Panel layout, display design, annunciation
• Message consistency , syntax, format, abbrev
• Alarm ID, Pointers to response procedures
• Good example work done at Gentilly-2, mid-1990s
• Need to move beyond single-alarm-single-response
  
• CANDU Annunciation Message List System (CAMLS)

8
CAMLS Alarm Processing

• Data into InformationAnnunciation modes
• (operating regions) of the plant
• (3 dimensions reactor power, heat-sink state,
  turbine state)
• Dynamic alarm prioritization for each
  modePriority fn (consequence, time response)
• Expected-But-Failed-to-Occur (annunciate
  unexpected failures)

9
CAMLS Alarm Processing

• Reduce the Floods and Annoyances
• Cause-consequence conditioning
• (pump trip causes low flow)
• Mode conditioning
• Remove alarms not relevant for the mode
• E.g. nuisance alarms in outages
• Function-based conditioning
• High-level alarm suppresses lower-level children
• Coalescing
• Audible Alerting and Acknowledgement (Horn)
• for new Faults, not Status messages
• audible alerts to new Faults suppressed for a
  selectable period.

10
CAMLS Alarm Processing

• Support Operator Action
• Electronic Links to Alarm Response Information
• allows staff to focus on interpretation and
  mitigation
• User-Configurable Alarm Views
• Console-based annunciation displays
• Locally-filtered views of Fault, Status, History
• E.g. simple chrono-list as specified by IEC 62241
• Integrated with overall Plant Display System

11
CAMLS Implementation in MCR
12

• Faults - Problems to be Addressed
• Highest Priority alarms always visible
• Ordered By Priority, Grouped in Colours
• Backshaded Alarms Need Acknowledgement
• Alarms Removed When Return to Normal and
  Acknowledged

• Status - Successful Changes of Plant State
• Ordered by Time, newest at top
• Coloured by Category of Change - Component Level,
  Plant Event,Plant Mode
• No Operator Acknowledgement

13
(No Transcript)
14
Alarm Analysis- Challenges, Tools

• Its a lot of Work
• Typical, several-1000 message list
• Can be 1000 hours
• 80-90 pass with analysts, plant procedures
• 10-20 tune-up by plant personnel
• CANDU Alarm and Analysis Tool (CAAT)
• Quantify Annunciation modes vs power, heat-sink
  state
• Group alarms, establish relationships, priorities
  
• Priority fn (consequence, time response)
• (variation of Risk Probability x Consequence)
• Function-based conditioning
• considers alarms as health indicators of
  functions
• consequence to plant of loss of function

15
Alarm Design vs Alarm Inflation

• - Alarm- Threshold-single-response approach
  inadequate
• Better up-front alarm design is needed to
  Design for post-processing
• (priority, relationships, functional
  importance)
• Capture the rationale
• Limit number of alarm messages (fight
  inflation)
• Enforce consistency across systems
• (annunciation police)
• Separate the Streams (primary list, backup
  window tile, offline diagnostic, fuel handling,
  etc - who needs to see this, under what
  conditions?)

16
Advanced CANDU Reactor Annunciation

• CAMLS is implemented within AECL Advanced
  Control Centre Information System (ACCIS) and its
  Plant Display System
• ACCIS is
• a generic display, monitoring and supervisory
  control system
• primary platform for MCR information display, and
  distribution of plant information in real time
  outside the control room environment.
• Outside MCR, SMART CANDU suite links historical
  data and predictive models, for System Health
  Monitoring and Plant Life Management.

17
Main Control Room
Annunciation
Soft Wall Displays
Backup Safety Panels
Main Operator Console
Shift Interrogation Console
18
Summary of Benefits

• Improved safety awareness and support in all
  plant states
• improved detection of problems
• improved diagnosis of trip/upset factors
• Reduced OMA costs
• equipment damage avoided
• Significant Event Report administration avoided
• reduced demand on staffing
• Improved production
• unplanned outages avoided
• reduced duration of plant shutdown after trips

19
(No Transcript)