1. Field of the Invention
The present invention relates to an alarm management system for process control systems such as nuclear power plants and, more particularly, to a system which improves the strength of the evidence of an abnormality expressed by an abnormality indicator, which organizes the abnormality indicators and corresponding abnormality messages within a local priority by plant function and which includes a hybrid parallel-serial alarm message presentation method, in which variable wording abnormality indication messages appear in spatially dedicated locations to produce a disturbance board. The alarm messages within each function of the plant take the form of goal violation, process disturbance and process unavailability messages.
2. Description of the Related Art
Fault management, the identification of and response to abnormal conditions, is a major component of a human's role in many complex technological environments such as process control, flight decks and air traffic control. Operational history, design reviews and evaluation studies have shown a large number of major deficiencies with traditional systems, particularly with respect to the operator's role. These deficiencies are rarely due to a lack of alarm data; rather, they are the result of problems in finding and integrating the relevant data out of a much larger set. In other words, the alarm problem is an example of the significance of data problem.
The significance of data problem represents an inability to find, integrate, or interpret the "right" data at the "right" time (e.g., critical information is not detected among the ambient data load, or not assembled from data distributed over time or space, or not looked for due to misunderstandings or erroneous assumptions). This problem occurs in situations where a large amount of potentially relevant data must be sifted to find the significant subset for the current context. In other words, most information handling problems are not due to a lack of data but rather due to an overabundance of unorganized data.
Operational staff members in dynamic process environments must detect, evaluate and respond to abnormal conditions. Traditionally, operators must sift through large numbers of what are traditionally called "alarm" messages to find and identify the abnormal conditions that are indicated by "alarms". Conventional alarm systems complicate the operator's task by producing alarm signals which are triggered when signals cross thresholds; such threshold crossing events provide weak evidence with respect to underlying abnormal conditions. The alarms are organized according to system, thereby requiring that the operator understand the relationships between components in various systems and the multiple functions they perform to determine whether the triggering events indicate an abnormality. Conventional alarm system presentation methods range from completely parallel to totally serial. The parallel presentation systems complicate the operator's task because the number of alarms presented can overwhelm the operator with messages, even though there are advantages to presenting all the alarms at once. On the other hand, the serial presentation systems limit the number of messages yet complicate the operator's integration problem because the operator must scan a long list of alarms one page at a time to ferret out the relevant ones. The task of the operators in interpreting the evidence provided by these weak "alarms" is difficult because (a) the meaning of a particular alarm message depends on context, for example, plant mode, message history and the status of other messages and (b) the individual alarm messages must be selected and integrated to assess process status since each message is only a partial and indirect indicator of an abnormality. Operator performance literature is full of cases where operators failed to correctly find, integrate, and interpret typical alarm messages in order to identify and respond to disturbances.
Failure to recognize the above-discussed problems has led to computerized alarm systems which fail to improve or even exacerbate alarm system deficiencies because of a proliferation of types and degrees of "alarm" messages.
FIG. 1 illustrates the conventional approach for alarm systems used in nuclear power plants. The nuclear power plant is monitored by devices such as a level sensor 10, a flow sensor 12 and a valve position sensor 14. The outputs produced by these indicators are evaluated by signal monitoring units 16 which include threshold or set point detectors 18-22. Each detector 18-22 monitors a single sensor and produces an "alarm" signal that provides weak evidence of an abnormality. For example, an alarm in this type of system might signal that a valve is closed. Under one set of plant conditions, this valve position may be abnormal, i.e., no flow even when the system of which the valve is a part should be on. Under other conditions, it may not indicate an abnormality. The alarm signals are generally organized along system lines that reflect how components are arranged and reach display 24 grouped according to such systems, as illustrated in FIG. 1. The display 24 consists of backlit annunciator tiles each having a fixed wording message, and presents all of the "alarms" in parallel according to the system groupings. Each time a monitored piece of equipment crosses a threshold, a tile is turned on or off indicating that the threshold was crossed. In such a system there is a problem in integrating these kinds of alarms into an overall understanding of plant state. The parallel presentation via the tiles allows the operator the possibility to get a "picture" of the operation of the entire system, yet it can overwhelm the operator when a major system disturbance occurs.
FIG. 2 illustrates in block diagram form one prior art attempt to tackle the alarm organization and presentation problem presented by the system illustrated in FIG. 1. In this system, once the "alarm" signals are produced (triggered) by the threshold detectors 16, they are organized into two or more groups in an absolute prioritization scheme by a dedicated prioritizer 26 which can be a computer. All the alarms for the system being monitored are sorted at the same time into the predetermined groups based on arbitrary assumptions and judgments made by the system designer, at the time of alarm system design, which generally do not hold for all possible plant conditions. The fixed organization based on plant systems is inadequate because the significance of this type of alarm signal is context dependent, as in the system of FIG. 1. Once the alarms are organized they all are presented on either a parallel display 28 including an arbitrarily limited number of backlit tiles or on a serial display 30. A plant system oriented presentation grouping arrangement of the backlit tiles effectively limits the number of alarms presented to the operator at one time but does not reduce the total number of alarms presented or increase the strength of the evidence of an abnormality. This system, by allocating the "lesser important" alarms to the serial display, makes the alarm system less sensitive to small disturbances since they must be searched for by the operator using the serial display 30.
FIG. 3 illustrates another attempt to solve not only the alarm organization and presentation problem but the problem associated with the strength of evidence of each alarm with respect to underlying abnormalities. The threshold detectors 16 produce the "alarm" signals which are applied to filter logic 32. The filter logic 32 can be any type of logic system which analyzes the old alarms to produce new alarms which increase the strength of the evidence of an abnormality. For example, the filter logic 32 could combine all the sensor signals for a tank to produce a new alarm which indicates that the tank level is about to cause a problem, thereby providing an indication of a pending actual abnormality. The logic can be dedicated logic circuits such as AND and OR gates. The new alarms thus produced are assigned one of two priority values by a two level prioritizer 34 in dependence on severity and are then applied to a system segregation filter 36. The filter 36 sorts all alarms by plant system and changes the color of the particular alarming system from green to yellow (priority level 2) or red (priority level 1) on a system summary display 38 which displays plant schematic diagrams. At the same time, the filter 36 also generates and displays an alarm message on serial display 40. That is, the system of FIG. 3 produces alarms on both displays 38 and 40. When an operator sees a particular sensor flashing, for example, red, on the summary display unit 38, the operator must go to the serial display unit 40 to determine the specific alarm from that priority class for that plant system that triggered the indication in the schematic diagram. This system, even though it may reduce the number of alarm indications by creating "new alarms", nevertheless suffers from the same problems as a serial system since the operator must scan a list of alarm messages to determine the meaning of a flashing symbol on a schematic system diagram.
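The FIG. 3 pipeline described above (threshold detectors, AND/OR filter logic, two level prioritizer, system segregation filter), together with the closed-valve case from FIG. 1, as an added example that is not part of the original patent text. The sensor names, set points, gate rules and plant system names are constructed assumptions; the patent gives none of them.

```python
SETPOINTS = {  # constructed set points; the page gives no numeric values
    "tank_level_low": lambda r: r["tank_level_pct"] < 20.0,
    "tank_outflow_high": lambda r: r["tank_outflow_lpm"] > 300.0,
    "inlet_valve_closed": lambda r: not r["inlet_valve_open"],
    "pump_temp_high": lambda r: r["pump_temp_c"] > 90.0,
}

def threshold_detectors(readings):
    """One detector per sensor: fires on a set point crossing, with no plant context."""
    return {name for name, crossed in SETPOINTS.items() if crossed(readings)}

# Hypothetical filter rules as AND/OR gates: (new alarm, plant system, severe?, gate)
FILTER_RULES = [
    ("TANK LEVEL ABOUT TO CAUSE PROBLEM", "tank", True,
     lambda a: "tank_level_low" in a and ("tank_outflow_high" in a or "inlet_valve_closed" in a)),
    ("PUMP TEMPERATURE HIGH", "pump", False, lambda a: "pump_temp_high" in a),
]

def filter_logic(raw):
    """Combine raw alarms into new alarms that are stronger evidence of an abnormality."""
    return [(msg, system, severe) for msg, system, severe, gate in FILTER_RULES if gate(raw)]

def prioritize(new_alarms):
    """Two level prioritizer: priority 1 for severe alarms, priority 2 otherwise."""
    return [(msg, system, 1 if severe else 2) for msg, system, severe in new_alarms]

def segregate(prioritized, systems=("tank", "pump")):
    """Sort by plant system: one colour per system (summary), one message per alarm (serial)."""
    summary = {s: "green" for s in systems}
    serial = []
    for msg, system, prio in sorted(prioritized, key=lambda x: x[2]):
        if summary[system] != "red":          # priority 1 is never downgraded
            summary[system] = "red" if prio == 1 else "yellow"
        serial.append(f"P{prio} {system}: {msg}")
    return summary, serial

def run(readings):
    return segregate(prioritize(filter_logic(threshold_detectors(readings))))

# Constructed readings: a standby plant with the valve closed, and a real disturbance.
STANDBY = {"tank_level_pct": 60.0, "tank_outflow_lpm": 0.0, "inlet_valve_open": False, "pump_temp_c": 40.0}
DISTURBANCE = {"tank_level_pct": 12.0, "tank_outflow_lpm": 350.0, "inlet_valve_open": True, "pump_temp_c": 95.0}

if __name__ == "__main__":
    print(threshold_detectors(STANDBY), run(STANDBY))
    print(run(DISTURBANCE))
```

In the standby case the raw valve-closed alarm still fires but the filter logic raises nothing; in the disturbance case the summary only shows a colour per system, so the specific alarm has to be read from the serial list.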