In the control technology of process plants, e.g. in the chemical industry, pharmaceutical industry or the oil/gas industry, automation systems are routinely used which generate a large number of alarm notifications and forward them to a plant operator in the case of non-compliant operating events of the process plant, such as pressure drops, temperature increases or the like. In specific situations, e.g. if a process plant is shut down or specific key components of the process plant are selected, this can cause a flood of system-generated alarms which can no longer be controlled or managed by the operator, thereby possibly resulting in serious accidents.
It is also apparent that the alarm notifications which are generated in a process plant have specific interdependencies. For example, specific non-compliant operating events directly result in the generation of a first alarm, whose occurrence is then inevitably linked to a flood of so-called secondary alarms (report flood). Such secondary alarms do not give the operator any real additional information content but can no longer be controlled in some circumstances, thereby resulting in undesired plant shutdowns and even in serious accidents in the worst case.
A concrete example of the occurrence of such secondary alarms relates to a failure of the network card in an automation device which is part of a process plant. In this context, an alarm indicating the failure of the network connection for the automation device is generated immediately. Since the automation device can then no longer transmit any data, e.g. temperature data or pressure data, to the rest of the process plant once its network connection has ceased, a whole series of secondary alarms is subsequently generated which indicate that the cited data is missing or invalid. However, as mentioned above, such secondary alarms do not provide any additional information for the operator, in particular since they disappear together with their cause when the original source of the error, i.e. the faulty network connection in the present case, is cleared.
International associations such as NAMUR or EEMUA are therefore calling for solutions in the control technology of process plants that are capable of activating or deactivating specific alarms depending on the plant state and the combination of outstanding alarms (so-called dynamic alarm processing). This is intended to reduce the overall quantity of alarms and thereby re-establish plant dependability in general.
In connection with this, the prior art discloses the initial filtering of alarms directly at the alarm source, i.e. at process level, by incorporating a corresponding logic. In the case of such a solution, it is considered disadvantageous in particular that error traceability is no longer provided. Alarms which are filtered at the source cannot be archived and are therefore not available for subsequent analyses or statistical evaluations at process control level.
In addition, so-called alarm management systems are disclosed in the form of designated independent systems for the alarm handling of process plants. Since these work in a standalone manner and independently of the control system of the process plant, they demand corresponding additional attention from the plant operator. Furthermore, such independent systems do not offer the convenience of a solution which is integrated into the plant operation, and they are moreover unable to take changes in the plant control technology into account automatically, in particular because separate data storage and separate engineering are involved.
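The network-card scenario described above, worked as an added example (not code from the original text): secondary alarms are hidden from the operator view while their root cause is outstanding, yet every alarm is still archived, so the traceability that is lost when filtering at the source is kept. The rule table, the device names AS01/AS02 and the alarm kinds are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed rule table: root-cause alarm kind -> kinds it makes secondary on the same device.
SECONDARY_OF = {"NET_DOWN": {"DATA_MISSING", "DATA_INVALID"}}

@dataclass(frozen=True)
class Alarm:
    device: str
    kind: str
    tag: str = ""   # affected signal, e.g. "temperature"

class AlarmProcessor:
    def __init__(self):
        self.outstanding = set()   # (device, kind) of root causes not yet cleared
        self.archive = []          # (alarm, suppressing root cause or None)

    def raise_alarm(self, alarm):
        """Archive the alarm; return True if it is shown to the operator."""
        cause = next((root for root, kinds in SECONDARY_OF.items()
                      if alarm.kind in kinds
                      and (alarm.device, root) in self.outstanding), None)
        if alarm.kind in SECONDARY_OF:
            self.outstanding.add((alarm.device, alarm.kind))
        self.archive.append((alarm, cause))   # archived whether shown or not
        return cause is None

    def clear(self, device, kind):
        self.outstanding.discard((device, kind))

    def operator_view(self):
        return [a for a, cause in self.archive if cause is None]

def demo():
    # Constructed event sequence modelled on the network-card failure above.
    p = AlarmProcessor()
    p.raise_alarm(Alarm("AS01", "NET_DOWN"))
    p.raise_alarm(Alarm("AS01", "DATA_MISSING", "temperature"))  # secondary
    p.raise_alarm(Alarm("AS01", "DATA_INVALID", "pressure"))     # secondary
    p.raise_alarm(Alarm("AS02", "DATA_INVALID", "pressure"))     # other device: shown
    p.clear("AS01", "NET_DOWN")
    p.raise_alarm(Alarm("AS01", "DATA_INVALID", "pressure"))     # cause cleared: shown
    return p

if __name__ == "__main__":
    for alarm, cause in demo().archive:
        print("suppressed by " + cause if cause else "shown", alarm)
```

The archive records which root cause suppressed each secondary alarm, so later analysis can reconstruct the full flood even though the operator saw only three entries.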