Alarm System Engineering
[Equation #1: alarm event matrix with one row per alarm (Alarm ... AlarmN) and one column
per sample time (AM ... PM); the matrix entries did not survive extraction.]
Control Arts Inc. Alarm System Engineering
The matrix of equation #1 would be inadequate for analysis, as two rows could be
completely independent if one tag always alarmed one minute after another; in contrast,
an operator may feel that the two alarms are dependent. To overcome this limitation,
each unity element of the matrix, along with its row neighbors, can be replaced by a
normal distribution as shown in equation #2. Here the standard deviation of the
distribution represents the amount of fuzziness between the alarm events.
Columns: 01/01/06 12:00:00 AM, 01/01/06 12:01:00 AM, ..., 12/31/06 11:59:00 PM
(columns elided with dots in the original are not shown).

$$
\begin{array}{l|cccccccc}
\text{Alarm}_1 & 0 & 0.88 & 1 & 0.88 & 0.61 & 0.33 & 0.14 & 0 \\
\text{Alarm}_2 & 0 & 0.61 & 0.88 & 1 & 0.88 & 0.61 & 0.33 & 0 \\
\vdots & \vdots & & & & & & & \vdots \\
\text{Alarm}_N & 0 & 1 & 0.88 & 0.61 & 0.33 & 0.14 & 0.04 & 0
\end{array}
\qquad (2)
$$
Once the matrix has been represented in this form, some sort of algorithm must be
applied to determine which rows are (at least mostly) redundant. As it turns out, this is a
standard problem in linear algebra, and the solution (called Singular Value
Decomposition or SVD) is mostly well-developed.
It's a standard problem because matrices with semi-redundant rows and/or columns are
known to cause problems when the matrix is inverted. Certainly if any rows or columns
of an n by n matrix are redundant, you can't invert the matrix (effectively, this would be
asking to solve for n variables using n-m equations). But even mathematicians have long
recognized that the situation is never quite black and white, in that there are often rows or
columns of a matrix that, while not exactly the same, are close to the same. And these
near-redundant rows or columns can play havoc with any results from the matrix
inversion: parameter estimates will have large error bounds, LPs will bounce from
constraint to constraint, process controllers will be very sensitive to model mismatch, etc.
Almost magically, the SVD techniques will solve these difficulties. Well, not quite
magically, as what SVD does is solve the part of the problem that can be solved. So if
your matrix has n rows, an SVD analysis will find a linear combination of n-m rows that
are independent, and solve for these. Except for two difficulties: 1) as mentioned,
there's never a clean split between the independent and dependent matrix, so there's
some user judgment as to a good value for m; 2) you might specify that m rows should be
removed, but SVD won't explicitly remove m of the rows; in fact the remaining n-m
rows just contain a linear combination of the original n rows of the matrix.
For our alarm analysis case, the rows of the matrix represent the DCS alarm points, so an
SVD analysis will tell you which combinations of alarms are redundant. But often the
results are ambiguous: it's always nice when the analysis says that one alarm is
redundant with another alarm, but SVD will also indicate that a group of (say) five alarms
may be just as easily represented by some linear combination of (say) four alarms.
Perhaps this is to be expected, as the problem was set up with a bit of fuzziness, so it's
not surprising that the results might be ambiguous as well.
Some other small points of interest. The first is a comment on the scale of the problem.
It's generally best to get a fairly long time period for analysis, as you want the data set to
cover a wide variety of plant conditions. If a year of plant data is taken, this represents a
fairly large matrix (525,600 columns at a one-minute sampling) and as each row of the
matrix represents a configured alarm, there might be thousands of rows. Standard
analysis techniques might choke on the size of the matrix, but by and large the elements
of the matrix are mostly zero, and there are analysis techniques (called sparse-matrix
analysis) that can chew through these types of matrices without overloading a computer.
The second point is that chattering alarms can be very effective at polluting the data set.
An alarm going off repeatedly will show up as being correlated with a host of other
alarms, but in fact the correlation is not due to any actual process correlation. For this
reason, it's best to remove the chattering alarms, either by using the technique shown in
the previous section, or by just fixing the actual alarm.
The last point is to note that this analysis is just a variation of the widely used principal
component analysis (PCA) or partial least squares (PLS) techniques. The major
difference is that these techniques are used to determine the independent dimensions of a
system, whereas here the analysis is used to determine the dependent dimensions. And
PCA or PLS also has the same problem that, while computationally elegant, it's
sometimes hard to figure out the physical meaning of the resultant matrices.
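The redundancy analysis described above, worked on constructed alarm times as an added
example (not code from the original paper). It builds the smeared rows of equation #2 as
sparse dictionaries, takes the singular values from the eigenvalues of the row Gram matrix,
and lists the alarms that load on each near-zero singular value. The alarm names, the
unit-length row scaling, the 0.3 thresholds and the Jacobi eigen-solver are assumptions.

```python
import math

# Constructed sample data: minute-of-day at which each alarm rang (not plant data).
CONSTRUCTED_ALARMS = {
    "PUMP_TRIP":  [100, 400, 900, 1300],
    "LOW_FLOW":   [101, 401, 901, 1301],   # always one minute after PUMP_TRIP
    "HIGH_TEMP":  [250, 700, 1100],
    "HIGH_LEVEL": [50, 600, 1200],
}

def smeared_row(event_minutes, sigma=2.0, half_width=5):
    """Sparse row {minute: weight}: each event becomes a normal-shaped bump.

    sigma=2 reproduces the 1, 0.88, 0.61, 0.33, 0.14, 0.04 pattern of equation #2;
    half_width=0 gives a plain 0/1 row with no smearing.
    """
    row = {}
    for t in event_minutes:
        for d in range(-half_width, half_width + 1):
            w = math.exp(-d * d / (2.0 * sigma * sigma))
            row[t + d] = max(row.get(t + d, 0.0), w)
    return row

def unit(row):
    """Scale a sparse row to unit length so singular values are comparable."""
    norm = math.sqrt(sum(w * w for w in row.values()))
    return {k: w / norm for k, w in row.items()}

def gram(rows):
    """A * A^T from the sparse rows only; the full-width matrix is never built."""
    def dot(a, b):
        return sum(w * b[k] for k, w in a.items() if k in b)
    return [[dot(r, s) for s in rows] for r in rows]

def jacobi_eigen(sym, sweeps=50, tol=1e-12):
    """Eigenvalues and eigenvectors (columns of v) of a small symmetric matrix."""
    n = len(sym)
    a = [r[:] for r in sym]
    v = [[float(i == j) for j in range(n)] for i in range(n)]
    for _ in range(sweeps):
        if sum(a[i][j] ** 2 for i in range(n) for j in range(i + 1, n)) < tol:
            break
        for p in range(n):
            for q in range(p + 1, n):
                if a[p][q] == 0.0:
                    continue
                d = a[q][q] - a[p][p]
                th = math.pi / 4 if d == 0 else 0.5 * math.atan(2 * a[p][q] / d)
                c, s = math.cos(th), math.sin(th)
                for m in (a, v):                      # rotate columns p and q
                    for k in range(n):
                        mp, mq = m[k][p], m[k][q]
                        m[k][p], m[k][q] = c * mp - s * mq, s * mp + c * mq
                for k in range(n):                    # rotate rows p and q of a
                    ap, aq = a[p][k], a[q][k]
                    a[p][k], a[q][k] = c * ap - s * aq, s * ap + c * aq
    return [a[i][i] for i in range(n)], v

def redundant_groups(alarms, sv_threshold=0.3, member_cut=0.3, **smear):
    """Return [(singular_value, [alarm names])] for each near-zero singular value.

    Singular values of the row-normalised matrix are the square roots of the Gram
    eigenvalues; sv_threshold is the user's judgment call on what is redundant.
    """
    names = list(alarms)
    rows = [unit(smeared_row(alarms[n], **smear)) for n in names]
    eigvals, vecs = jacobi_eigen(gram(rows))
    groups = []
    for i, lam in enumerate(eigvals):
        sv = math.sqrt(max(lam, 0.0))
        if sv < sv_threshold:
            members = sorted(n for k, n in enumerate(names)
                             if abs(vecs[k][i]) > member_cut)
            groups.append((sv, members))
    return sorted(groups)

if __name__ == "__main__":
    print("0/1 matrix    :", redundant_groups(CONSTRUCTED_ALARMS, half_width=0))
    print("smeared matrix:", redundant_groups(CONSTRUCTED_ALARMS))
```

With the unsmeared 0/1 rows the one-minute lag hides the dependence and no group is
reported; with the smeared rows the pump trip and low flow alarms form one group.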
Once a set of redundant alarms is identified, the question remains of what to do with
them. The easy answer is just to eliminate one or more of the alarms, and this can be
done in one of several ways. The alarm can be disabled of course, or the trip point can be
changed so that the redundant alarm measures a truly unique event. Alternatively, logic
is available on most DCS systems to suppress one alarm when another occurs (this is
known as contact cut-out). Note this logic may not work if the alarms occur too close in
time to each other; the DCS may not be able to cut out an alarm if it occurs within the
same second as the primary alarm.
Finally, care must be taken to ensure that the DCS still gives consistent alarm information.
For instance, an analysis might indicate that a low flow alarm always occurs when a
pump trip alarm has occurred, but removing the low flow alarm might not be in the
operator's best interest. After all, a low flow alarm is a pretty good confirmation that the
pump did actually trip. And if the alarm was automatically cut out on a pump trip alarm,
then the operator would have to be aware of this logic or else would be left wondering
why the low flow alarm didn't ring when in fact the flow went low.
Cutting out redundant alarms makes more sense when they are in fact measuring the
same phenomenon, such as a set of reactor temperature alarms or a high/high-high alarm
pair. For the reactor temperatures, the justification for the same alarm on different
measurements is that this can be more robust in the face of measurement failure. In this
case, however, it's simpler and better to use some sort of voting logic so that only one
alarm is sent to the operator when some or all of the reactor gets too hot.
Chapter 5
Evaluation of Alarm Trip Point Settings
The high and low trip points (i.e., the value of the process measurement at which the
alarm occurs) are generally set either by process designers or plant operators. These
people may have limited information on the dynamic responses of the plant during upset.
The process designer generally only has access to a steady-state simulation and
knowledge of equipment hard constraints. An operator may have only experienced some
upsets a few times, but is probably too busy during an alarm event to question whether
the alarm settings are optimal.
Graphically, the problem may be represented as shown in Figure 5.1. The designer
generally knows the normal operating point of the plant, and what value of the
measurement (PV) would result in a hazardous condition or equipment constraint.
The alarm trip point value must be chosen somewhere between these two values, and it is
often the case that the offset from the normal operating point is a somewhat arbitrary
fraction of the total range between the normal operating point and the true hazardous
point.
[Figure 5.1 diagram labels: Equipment Constraint; Alarm Setting; Design Normal Operating
Point; PV; Arbitrary Fraction]
Figure 5.1: The alarm setting is usually placed somewhat arbitrarily between the normal
operating point and the actual process constraint.
To determine the best value for an alarm trip point, the following two additional pieces of
information must be obtained:
1. What is the normal variation of the process? Clearly, an alarm trip point should
not be set so that the alarm occurs when the process will naturally return to the
normal operating point.
2. What is the response time of the process, both for an operator to respond to an
alarm, and for the process to respond to the operator actions? More precisely,
how much further past the alarm does the measurement go when an alarm occurs,
and how long does it take to get to the maximal point?
Graphically, this may be represented by the set of diagrams shown in Figure 5.2. The
green region indicates the normal operating range, while the red region indicates the
buffer required to manually control the process back to a safe condition. Note that the
color in both these regions fades at the limits; this indicates the statistical nature of the
process, as there is usually not a hard boundary between the different regions.
[Panel labels: Process Constraint; Alarm Setting; Nominal Operating Point; Measurement]
Figure 5.2a: The process has a suitable gap between the normal operating region and the
buffer required to correct the process before an actual process constraint is hit.
[Panel labels: Process Constraint; Alarm Setting; Nominal Operating Point; Measurement]
Figure 5.2b: The nominal operating point is so close to the process constraint that
either alarm trip points must be placed in the normal operating region or there is
insufficient time for the plant to respond to an alarm.
[Panel labels: Process Constraint; Alarm Setting; Nominal Operating Point; Measurement]
Figure 5.2c: Here the nominal operating point is far enough away from the process
constraint so that there is a large area to set the alarm trip point.
Figure 5.2a represents the ideal case: the alarm is outside the normal operating region,
but still provides adequate warning for the operator to manually control the process.
There is no suitable alarm trip point value for the system shown in Figure 5.2b; either the
alarm must be set so that it occurs when the process is in normal operation (i.e., the
automatic control system can return the process to its nominal operating point without
operator assistance), or inadequate warning will be given.
The system shown in Figure 5.2c is adequate for alarm purposes, but it may also indicate
that the plant is not operating at its most profitable point. There is often a large financial
incentive to operate the plant as close as possible to process constraints, but operational
conservativeness might result in excessive safety margins. It would be useful for an
alarm analysis to indicate whether the nominal operating point may be moved closer to a
constraint while still giving adequate operator warning.
The statistical or stochastic nature of the normal operating and response regions indicates
that any analysis tools and results should also be presented in terms of statistical
probabilities. While the analysis could be carried out using computer simulators or
standard design methods, a more efficient and accurate method is just to mine the current
operating data itself; after all, this contains the real plant variation and operator
responses, both of which are hard to emulate in a simulator or design guideline.
First, consider a typical process response for a vessel level immediately before and after
an alarm, as shown in Figure 5.3. For times before the alarm, it can be seen that the
measurement averaged the setpoint, with the usual variation around the setpoint. At
some point however, the process does not return to setpoint, but rather continues
increasing until the alarm occurs. Similarly, it can be seen that after alarming, the
measurement continues increasing, achieving some maximal value before again returning
to the normal operating point.
[Figure 5.3 plot: 2L0852.PV (%), axis 30 to 90, versus time from 17:02 to 17:04 on Wed 10
Jan 2007, with the Setpoint and Alarm Value marked.]
Figure 5.3: A typical response for a process going into and coming out of alarm.
From this portion of the data, one can determine at what point the process started heading
into alarm, how long it took to get there, how far past the alarm the process went, and
how long it took to get to the maximal value. Of course, one event is not enough to
draw firm conclusions on the process behaviour (particularly during an upset), but it is
common to find multiple alarm events in a typical data set. Combining the responses
from all the alarm events will result in some general conclusions about the response of
the process during an upset.
All this information may be displayed concisely in one chart, which indicates the
probable response of the process as a function of the process measurement. An example
of such a plot is shown as Figure 5.4. Note that Figure 5.3 shows the measurement
(vertical axis) versus the time (horizontal axis). The probability plot of Figure 5.4 has the
measurement as the horizontal axis, with the probability as the left vertical axis and the
time to/from an alarm as the right vertical axis.
[Figure 5.4 plot: horizontal axis 2L0852.PV (%), 0 to 100; left vertical axis Probability,
0.0 to 1.0; right vertical axis Time (Mins), 0 to 25.]
Figure 5.4: Alarm trip point probability plot.
The probability plot is a distribution-free method as no statistical distribution was
assumed. Assumptions of normality, while perhaps justified during normal operation,
may be suspect during the very non-linear operation of a process upset.
Figure 5.4 contains 4 different curves. These are:
1. The probability of the point going into alarm given that a certain PV has been
attained (solid line to the left of the alarm value).
2. The probability that the process will achieve a given PV given that an alarm
has occurred (solid line to the right of the alarm setting).
3. The amount of time the process will take to go into alarm (if it is in fact
heading to an alarm) after achieving a specified PV (dashed line to the left of
the alarm setting).
4. The amount of time taken to attain a specified PV beyond the alarm setting
once an alarm has occurred (dashed line to the right of the alarm setting).
From this plot, the following can be ascertained:
1. Can the alarm be moved closer to the normal operating point without increasing
the amount of "false" alarms?
2. Can the alarm be moved closer to an equipment limit without increasing the
probability of hitting the limit?
3. How much additional time would the operator have to correct the process if the
trip point was moved?
4. How much time does the operator take to correct the process after an alarm
occurs?
For the example shown above, it is apparent that once the PV attained a value of
approximately 55%, the level would always continue increasing until an alarm occurred.
Therefore, lowering the alarm limit to 55 or 60% will not increase the number of
nuisance alarms, since once the process reached this value, it (over the given data set
anyway) has always alarmed within a short time.
Of course, lowering the alarm trip point has the advantage of giving operators more
warning time. Figure 5.4 indicates that lowering the alarm limit to 55% would give
approximately five more minutes to respond to the abnormal situation.
The plot also shows that the operators in general were able to prevent the vessel from
overfilling, as the measurement never achieved full range (105%). However, it often
came close to filling, going up to 90% about 30% of the time, and taking only about five
minutes to get to this value.
If it is not desired to change the alarm setting, then the probability chart of Figure 5.4
may be used in a predictive mode, with the prediction being the probability that, for a
given measurement, the process is moving to an alarm state. For instance, if the level
measurement is at 40%, an indication could be given to the operator that there is a 50%
chance of the point alarming soon.
This is in some ways a more reasonable way to consider alarms: a normal alarm is a
binary interpretation of a continuous process (either the process is in alarm or out of
alarm), but in reality many processes have a continuous transition between the normal
and alarm state. And because the probability chart can be easily generated from just the
process and alarm data, it is easy to automate this feature and apply it to all continuous
alarms.
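One way to compute the four curves of the probability plot directly from historized data,
as an added example (not code from the original paper). It assumes a high alarm, treats
each run of samples above the setpoint as one excursion, uses the median for the time
curves, and runs on a constructed level trace; all function names are hypothetical.

```python
from statistics import median

def make_series(peaks, setpoint=30, step=2, idle=5):
    """Constructed PV trace (one sample per minute): a ramp up to each peak and back."""
    pv = []
    for peak in peaks:
        up = list(range(setpoint + step, peak + 1, step))
        pv += [setpoint] * idle + up + up[-2::-1]
    return pv + [setpoint] * idle

# Constructed data: eight level excursions, four of which pass a 65% trip point.
CONSTRUCTED_PV = make_series([40, 44, 50, 70, 76, 80, 90, 40])

def excursions(pv, setpoint):
    """Split the trace into runs of consecutive samples above the setpoint."""
    runs, run = [], []
    for x in pv:
        if x > setpoint:
            run.append(x)
        elif run:
            runs.append(run)
            run = []
    if run:
        runs.append(run)
    return runs

def first_at(run, level):
    """Index of the first sample at or above level, or None if never reached."""
    return next((i for i, x in enumerate(run) if x >= level), None)

def trip_point_curves(pv, setpoint, trip, levels, sample_min=1.0):
    """Empirical (distribution-free) curves for a high alarm.

    Returns {level: (probability, minutes)}. For level < trip, probability is
    P(alarm | PV reached level) and minutes is the median time from level to alarm.
    For level >= trip, probability is P(PV reaches level | alarm) and minutes is
    the median time from the alarm to that level.
    """
    runs = excursions(pv, setpoint)
    alarmed = [r for r in runs if first_at(r, trip) is not None]
    curves = {}
    for level in levels:
        if level < trip:
            base = [r for r in runs if first_at(r, level) is not None]
            hits = [r for r in base if first_at(r, trip) is not None]
            times = [first_at(r, trip) - first_at(r, level) for r in hits]
        else:
            base = alarmed
            hits = [r for r in alarmed if first_at(r, level) is not None]
            times = [first_at(r, level) - first_at(r, trip) for r in hits]
        prob = len(hits) / len(base) if base else None
        mins = median(times) * sample_min if times else None
        curves[level] = (prob, mins)
    return curves

def lowest_safe_trip(pv, setpoint, trip, candidates):
    """Lowest candidate below trip at which every excursion went on to alarm."""
    curves = trip_point_curves(pv, setpoint, trip, candidates)
    safe = [lv for lv in sorted(candidates) if lv < trip and curves[lv][0] == 1.0]
    return safe[0] if safe else trip

if __name__ == "__main__":
    for level, (prob, mins) in trip_point_curves(
            CONSTRUCTED_PV, 30, 65, [40, 55, 80, 90]).items():
        print(f"PV {level}%: probability {prob:.2f}, time {mins:.0f} min")
    print("lowest trip point with no added nuisance alarms:",
          lowest_safe_trip(CONSTRUCTED_PV, 30, 65, range(35, 65, 5)))
```

The per-level probability is also what the predictive mode described above would show the
operator for the current measurement.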
Chapter 6
Estimation of Alarm Deadbands
An alarm deadband is one means of reducing a chattering alarm, and logic for
implementing deadbands is standard on all control systems. An alarm deadband reduces
chattering as the measurement that is in alarm must pass through the deadband before it
clears (and can ring again). Effectively, an alarm deadband is a high-pass amplitude
filter; the alarm will only ring on significant changes in the measurement.
While easy to implement, there appear to be few guidelines as to how to set the value of
the alarm deadband. It has been suggested that the deadband be set as a percent of the
normal operating range; Table 6.1 provides values for different types of measurements.
Measurement Type    Deadband
Flow                5%
Temperature         1%
Level               2%
Pressure            2%
Composition         1%
Table 6.1: Industry recommendations for alarm measurement deadbands
Another type of deadband is based on time: an alarm is prevented from ringing for a
specified time after it has already rung. This alarm is generally available on digital points,
but may appear on analog points as well. Again, industry recommendations for this are:
Measurement Type    Delay Time
Flow                15 seconds
Temperature         60 seconds
Level               60 seconds
Pressure            15 seconds
Composition         120 seconds
Table 6.2: Industry recommendations for alarm time deadbands
Given the wide variation in spectra from even one type of signal, the above should
perhaps not be considered more than an initial estimate. A more complete approach
would be to base the deadband on the actual measurement noise. The problem then
becomes one of dividing the signal into two portions: a low frequency process trend, which
indicates the actual movement in the process, and a higher frequency measurement noise,
which is responsible for alarm chattering. And obviously the discussion on sampling
rates is pertinent here: sample slowly enough and both these portions of the signal will be
corrupted.
Dividing a process signal into the process measurement and noise components can often
be done visually to some extent, but here the field of time series analysis (Box and
Jenkins [4]) can be profitably employed to obtain an elegant solution to this problem.
Basically, time series analysis is dynamic modeling of systems from a statistical
viewpoint, recognizing that many systems have, at least to some extent, a random
component. It has found wide use in a wide variety of areas, from economics (the
familiar seasonally adjusted economic indicators are an example of time series analysis)
to biological systems (many biological processes take time to complete, and are affected
by, say, diurnal cycles) to chemical processing systems (anyone looking at plant data can
see that there appears to be a large random component that plays out through the plant
over time). As control engineers are concerned with dynamic processes, time series
analysis should be an integral part of the control engineer's toolkit.
The part of time series analysis of concern to deadband determination is in modeling the
process signal. Traditionally, control engineers consider models to consist of the
relationship between deterministic inputs and output, basically of the form:
[Figure 7.1 diagram: inputs $U_1$, $U_2$, $U_3$, ..., $U_m$ enter the block $G_p$, which
produces the output $Y$.]
Figure 7.1: A traditional model relates an output $Y_t$ to one or more inputs $U_t$ through the
dynamic model $G_p$.
The model $G_p$ might be used for different purposes, such as designing a controller or
inferring the properties of some stream from known measurements. But for our purposes,
there are no defined inputs and we need to explicitly account for the noise characteristics
of the measurement (after all, if there's no noise, there's no need for a deadband).
Hence time series analysis is well suited for the task at hand. The input to the time series
model isn't a known, deterministic input $U_t$, but rather an unknown random signal input
series $a_t$. The advantage of using a random signal is that you don't have to have a
measurement of it; it's determined (along with its properties like the variance or
distribution) from the measurement $Y_t$ and the model fitting routine. And the process
model is basically the same as a traditional dynamic model in that it has poles and zeros
and model order and all the other stuff.
Of course, the terminology is different, but for our purposes a signal can be well
represented by something called an autoregressive-integrated-moving average (ARIMA)
model of the form:

$$\nabla^d y_t = \frac{\theta(B)}{\phi(B)}\, a_t$$

Here $y_t$ is the value of the process measurement at time t, and $a_t$ is a white noise
process with variance $\sigma_a^2$. The numerator (i.e., zeros) of the transfer function,
termed $\theta(B)$, is a polynomial of order p and is the moving average part. The
autoregressive part is the denominator (i.e., poles); it is written as $\phi(B)$ and is of
order q. B is the backwards shift operator (i.e., $B y_t = y_{t-1}$). The term $\nabla$
(which is the integrating part) equals 1-B, and if the exponent d on this term is greater
than zero, then it means that the signal doesn't have a constant mean. This is important
for alarms: if the signal had a constant mean, then it wouldn't go into alarm, as the
process would drift around some stable value (generally the setpoint).
Perhaps confusing, but a time series model can represent a wide range of signals with just
a few parameters. Figure 7.2 shows three variations on the above equation, which are all
generated from the same series $a_t$.
Figure 7.2a: Random Walk simulated disturbance: $\nabla y_t = a_t$
Figure 7.2b: Integrated Auto Regressive trend: $\nabla y_t = \dfrac{a_t}{(1 - 0.8 z^{-1})}$
Figure 7.2c: Integrated Moving Average trend: $\nabla y_t = (1 - 0.5 z^{-1})\, a_t$
As shown in Figure 7.2, for many processes the actual process movement can be
represented by the denominator of the ARIMA model, while the numerator models the
higher frequency noise (either measurement noise or high frequency process noise). If
this is the case, then the series consisting only of the numerator (i.e. high frequency
components) given by:

$$z_t = \theta(B)\, a_t$$

will represent the portion of the signal which is causing the chattering. Now for a little bit
of time series math. The prediction of the numerator portion l time periods in the future
is represented as $\tilde{z}_t(l)$ and is defined, along with $1-\varepsilon$ probability
limits, by (Box and Jenkins, [4]):

$$z_{t+l} = \tilde{z}_t(l) \pm u_{\varepsilon/2}\left(1 + \sum_{j=1}^{l-1}\theta_j^2\right)^{1/2} s_a$$

where $u_{\varepsilon/2}$ is the deviate exceeded by a proportion $\varepsilon/2$ of the unit
Normal distribution, and $s_a$ is an estimate of the actual process variance $\sigma_a^2$.
For an invertible moving average process, the maximum bounds will be given by:

$$\pm\, u_{\varepsilon/2}\left(1 + \sum_{j=1}^{p}\theta_j^2\right)^{1/2} s_a$$

If the moving average is not invertible, the maximum bounds may be higher, but they can
be easily calculated once the MA parameters are known.
The deadband should be set so that the prediction of the high frequency noise lies within
the deadband. For 3-sigma limits, and assuming the moving average term is of order 2,
the above reduces to:

$$\text{deadband} = 2.95\,\left(1 + \theta_1^2 + \theta_2^2\right)^{1/2} s_a$$

The above equation is all you really need to know. It says that the deadband will be a
function of the noise variance (as expected: the larger the noise, the larger the deadband)
modified by some terms to account for the fact that the signal isn't pure white noise, but
is probably colored.
Fortunately, there's lots of code for building an ARIMA model lying around (MATLAB
for instance has a time series module), so it's not necessary to delve into non-linear least
squares optimization routines to figure out the model parameters. Just enter the
measurement data, and the program will calculate the terms in the above equation.
It's even possible to automate the above, as it's a relatively simple calculation and no
plant tests are required. In fact, this may be preferable as the noise characteristics of a
process may change when it goes into alarm, so that the best data set for determining the
deadband may be the one taken when the alarms are occurring.
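The deadband calculation above carried through on constructed data, as an added example
(not code from the original paper): an order-2 moving average is fitted to a noise series,
the deadband is taken as 2.95 (1 + theta_1^2 + theta_2^2)^(1/2) s_a, and a high alarm is
counted with and without it. The innovations-algorithm fit stands in for the ARIMA package
the text mentions; s_a is taken as the noise standard deviation and the noise series is
assumed to be already separated from the trend.

```python
import math
import random

def autocov(x, max_lag):
    """Sample autocovariances gamma[0..max_lag] of a series."""
    n, mean = len(x), sum(x) / len(x)
    d = [v - mean for v in x]
    return [sum(d[i] * d[i + k] for i in range(n - k)) / n
            for k in range(max_lag + 1)]

def innovations_ma(gamma, q, m=30):
    """Innovations-algorithm fit of an MA(q) model to autocovariances.

    Returns ([theta_1..theta_q], noise variance). Lags missing from gamma count as 0.
    Uses the sign convention z_t = a_t + theta_1 a_(t-1) + ...; Box and Jenkins write
    the coefficients with the opposite sign, which does not matter once squared.
    """
    def g(k):
        return gamma[k] if k < len(gamma) else 0.0
    th = [[0.0] * (m + 1) for _ in range(m + 1)]
    v = [g(0)] + [0.0] * m
    for n in range(1, m + 1):
        for k in range(n):
            acc = sum(th[k][k - j] * th[n][n - j] * v[j] for j in range(k))
            th[n][n - k] = (g(n - k) - acc) / v[k]
        v[n] = g(0) - sum(th[n][n - j] ** 2 * v[j] for j in range(n))
    return th[m][1:q + 1], v[m]

def deadband(thetas, s_a, u=2.95):
    """Deadband = u * (1 + sum of theta_j^2)^(1/2) * s_a, with u = 2.95 as in the text."""
    return u * math.sqrt(1.0 + sum(t * t for t in thetas)) * s_a

def annunciations(pv, trip, band):
    """Count rings of a high alarm that clears only once PV falls below trip - band."""
    count, active = 0, False
    for x in pv:
        if not active and x >= trip:
            active, count = True, count + 1
        elif active and x < trip - band:
            active = False
    return count

def constructed_noise(n, thetas=(0.5, 0.3), sigma_a=0.4, seed=7):
    """Constructed MA(2) measurement noise standing in for the separated z_t."""
    rng = random.Random(seed)
    a = [rng.gauss(0.0, sigma_a) for _ in range(n + 2)]
    return [a[t] + thetas[0] * a[t - 1] + thetas[1] * a[t - 2]
            for t in range(2, n + 2)]

def demo(n=5000, trip=80.0):
    """Fit the noise, size the deadband, and count rings with and without it."""
    z = constructed_noise(n)
    thetas, var_a = innovations_ma(autocov(z, 30), q=2)
    band = deadband(thetas, math.sqrt(var_a))
    pv = [trip + x for x in z]          # measurement hovering at the trip point
    return band, annunciations(pv, trip, 0.0), annunciations(pv, trip, band)

if __name__ == "__main__":
    band, without, with_band = demo()
    print(f"deadband {band:.2f}, rings without {without}, with {with_band}")
```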
Chapter 7
Controller Performance Evaluation Using Alarms
There is a wide body of theoretical literature, and several commercial software packages,
for assessing the performance of industrial controllers. At first glance, controller
performance might appear as simple as determining how close the measurement is to
setpoint, but this has long been recognized to be a flawed metric as it does not account for
the level of disturbances that the controller was fighting during the time the data was
gathered. If one were just to consider the setpoint tracking ability, a poor controller on a
process with few disturbances might look better than a good controller on a noisy process.
For this reason, controller performance theory, and controller performance software,
generally employ algorithms that compare the error variance of the actual system to that
which would have been obtained if some optimal controller had been applied to the
system. In that way, the effect of the disturbances cancels out, and you're left with an
index that is scale independent. Of course, the complicated part is determining what the
error variance of the optimal controller would be, without actually designing and
applying one, and indeed without any plant tests at all. But it's (theoretically at least)
possible to do this with a few statistical insights and a bit of time series analysis, and the
commercial software packages wrap all this to hide the messy details from the user.
But comparing your controller to an optimal controller may be overkill for many
processes. In a lot of cases, tracking a setpoint isn't critical (which may require excessive
movement on the part of the manipulated variable), but rather it's sufficient to just keep
the measurement in some range. And the acceptable range is often the alarm limits.
In this case, a simple and more direct indication of controller performance is to consider
the controller output at the time of the alarm (Figure 7.1). The assumption here is that an
alarm should occur only when operator intervention is required, i.e., that the control
system cannot bring the system back to its nominal point automatically. If the output is
not saturated when the alarm occurred, this would indicate that the controller is not acting
fast enough, and should be retuned or replaced with a faster controller (such as a
deadtime-compensated one).
[Figure 7.1 plot: histogram with horizontal axis Output (%), 0 to 100, and vertical axis
Percent of Occurrences, 0 to 14.]
Figure 7.1: Histogram of the controller output at the time of an alarm.
The converse of this logic may also be true, in that non-saturated controllers at the alarm
time may indicate that the alarm setting is poor, as the alarm occurred when the process
was still within its operating range. In this case, the alarm trip point should be
re-evaluated, as discussed previously.
Chapter 8
Conclusions
Management of alarm systems can be accomplished with knowledge of the process flow
sheet, plus some standard management tools. To properly engineer an alarm system
however, historized values of the alarm events and process measurements are required, in
addition to some moderately advanced statistical and matrix techniques.
Fortunately, most plants already have the necessary informational infrastructure to supply
the necessary data. In addition, the mathematical techniques are moderate extensions to a
control engineer's existing toolset, so their use and interpretation can be easily
accomplished. These techniques give greater insight into the performance of an alarm
system and give an indication of the proper setting for the parameters associated with an
alarm.
Nomenclature
$a_t$ = white noise driving force
$B$ = backwards shift operator
$s_a$ = estimate of $\sigma_a^2$
$y_t$ = process measurement at time t
$z_t$ = noise part of measurement at time t
$\tilde{z}_t(l)$ = prediction of noise l periods in the future
$\nabla$ = 1-B
$\phi$ = autoregressive term
$\theta$ = moving average term
$\sigma_a^2$ = variance of $a_t$
$u_{\varepsilon/2}$ = deviate exceeded by a proportion $\varepsilon/2$ of the unit Normal distribution
References
[1] EEMUA, Alarm Systems: A Guide to Design, Management, and Procurement,
191:99, 1999.
[2] Abnormal Situation Management Consortium, www.ASMConsortium.org
[3] ISA, Management of Alarm Systems in the Process Industries, Draft 18.02,
Instrument Society of America, 2007.
[4] Box, G.E., and Jenkins, G.M., Time Series Analysis: Forecasting and Control,
Revised Edition, Holden Day, 1976.