1. Purpose

This document performs the alarm rationalization step required by ANSI/ISA-18.2-2016 §6 for the 91 active alarm codes implemented in backend/config.py. The Alarm Philosophy (BLR-ALP-004) defines the framework; this document applies that framework to each individual alarm.

For each alarm, this document records:

• Code — Modbus register value reported by the MMM8002
• Source register — which MMM8002 register the code comes from
• MMM8002 description — vendor's description from the Mini Mk8 MM Installation and Commissioning Guide §5
• Class — Safety / Equipment / Process / Sensor / Comms (per BLR-ALP-004)
• Consequence — what happens if the alarm is not addressed
• Operator action — what the operator should do
• Response time — maximum time before the consequence becomes irreversible
• Priority — Critical / High / Medium / Low (rationalized per BLR-ALP-004 priority matrix)
• Suppression rules — when this alarm should be shelved
• SMS — whether the code triggers SMS notification (per CRITICAL_LOCKOUT_CODES for lockouts / SMS_ALARM_CODES for alarm/warnings — note: the SMS-alarm list is intentionally mixed-priority and includes some High-tier codes per the routing rationale in §7)

This is the document an auditor reads to verify that every alarm has been considered and assigned an appropriate priority. It is also the document that drives the alarm shelving / suppression rules implemented in backend/notifier.py.

2. Method

The rationalization follows ANSI/ISA-18.2-2016 §6.4 (rationalization process) with the following choices:

1. Source of truth: Mini Mk8 MM Installation and Commissioning Guide (12.04.2019), §5.1 Errors, §5.2 Lockouts, §5.3 Alarms/Warnings. The code-to-description mapping in backend/config.py is the verified copy.
2. Priority rationalization: each alarm is assigned a priority based on the matrix in §3 below (consequence severity × response time).
3. Class assignment: each alarm is assigned to one of five classes (Safety, Equipment, Process, Sensor, Comms) to enable category-level shelving rules and operator response procedures.
4. Validation: every code in config.py is rationalized exactly once. Codes not in config.py (e.g. reserved or undocumented codes) appear here only if the MMM8002 manual lists them. The intersection of "in config.py" and "in this document" must be 100% — verified by the script in §8.
5. No new alarms are introduced in this revision. Any future change to the alarm set must follow BLR-MOC-015 Management of Change and update both config.py and this document.

3. Priority matrix

Priority is rationalized per BLR-ALP-004 §2. The matrix:

Priority drives:

• Visual treatment in HMI (banner color, blink rate, badge style) — defined in BLR-HMI-011
• Notification routing — Critical → SMS + email immediately; High → email immediately; Medium → email after 5 min cooldown; Low → email digest only
• Operator response SLA — Critical < 1 min; High < 15 min; Medium < 1 hr; Low next shift
• Suppression eligibility — Low and Medium can be shelved; High and Critical cannot

4. Categories

The 91 active MMM8002 alarm codes group into three source registers and five functional classes:

Total active codes rationalized: 116 (subtract the three "no fault" zero codes → 91 actionable rows in the tables below).

Note: the master plan previously cited "96 codes" which was an undercount; this document uses the exact count from backend/config.py as the source of truth.

5. Lockout codes (Register 30830)

Lockouts are the highest-priority class — they represent conditions that have already shut the burner down. The MMM8002 requires manual reset at the controller face (or via Modbus reset coil if enabled) before the burner can restart.

Default operator action for all lockouts: Verify boiler safety status at the boiler face. Investigate the cause per the per-code action below. Reset the MMM8002 manually only after the cause is confirmed clear. Do NOT use the supervisory PLC's failover-reset to clear an MMM8002 lockout — the lockout is on the BMS, not on the supervisory layer.

Lockout summary: - 6 Critical (codes 10, 11, 12, 13, 50, 78) — all in CRITICAL_LOCKOUT_CODES in config.py ✓ (code 50 added per AAR-1 fix in Rev B) - 50 High - 6 Medium - 1 Low / informational (code 200)

6. Error codes (Register 30113)

Errors require an MM restart but the boiler is not necessarily shut down. Most errors indicate equipment faults that need vendor support.

Default operator action for all errors: Investigate cause per the per-code action. Restart the MM controller (power cycle or MM reset). If the error recurs after restart, escalate to vendor support.

Error summary: - 0 Critical (errors are by definition recoverable with restart) - 14 High (hardware faults requiring vendor support) - 23 Medium (servo + commissioning + software faults) - 0 Low

7. Alarm/warning codes (Register 30831)

Alarms and warnings do NOT shut down the burner. They indicate process or emissions excursions, sensor faults, or comms issues that the operator should investigate without losing steam.

Default operator action for all alarms/warnings: Acknowledge in HMI. Investigate per the per-code action. Most alarm/warning codes are recoverable without intervention if the underlying condition normalizes.

Alarm/warning summary: - 1 Critical priority (code 10 CO Absolute Limit) — in SMS_ALARM_CODES ✓ - 5 High priority (codes 4, 5, 7, 9, 13, 50) — codes 9 and 50 are also in SMS_ALARM_CODES because their consequences (CO health hazard, boiler control degradation) warrant immediate paging despite the High-tier classification - 7 Medium priority - 0 Low

SMS-trigger alarm/warning routing (SMS_ALARM_CODES in backend/config.py):

The SMS-trigger list is intentionally not identical to the Critical priority tier. Lockouts are simpler (Critical lockouts and SMS-trigger lockouts are the same set, CRITICAL_LOCKOUT_CODES), but alarm/warnings have a separate SMS-routing decision because some High-tier conditions warrant immediate paging even though they don't require gas isolation. This asymmetry is documented in backend/config.py and verified by tools/verify_aar.py.

8. Validation against `config.py`

Every code in this document must exist in backend/config.py, and every code in config.py must appear in this document. Run the following from the backend venv to verify:

```python

tools/verify_aar.py (to be added in P3 polish session)

from config import ERROR_CODES, LOCKOUT_CODES, ALARM_WARNING_CODES

Parse this document and extract every code mentioned per category

import re, pathlib text = pathlib.Path("../docs/engineering/BLR-AAR-017.md").read_text()

... regex extraction by section ...

Assert: set(config.LOCKOUT_CODES) - {0} == set(aar_lockout_codes)

Assert: set(config.ERROR_CODES) - {0} == set(aar_error_codes)

Assert: set(config.ALARM_WARNING_CODES) - {0} == set(aar_alarm_codes)

```

Manual cross-check (2026-04-08): - Errors in config.py (excl. 0): {1,2,3,5,6,7,9,10,11,13,14,15,16,17,18,19,20,21,22,23,24,26,27,28,29,30,31,32,33,34,35,36,38,39,40,41,42} = 37 codes ✓ - Lockouts in config.py (excl. 0): 64 codes ✓ - Alarm/warnings in config.py (excl. 0): 15 codes ✓ - All accounted for in §5–§7 above.

9. Findings & action items

10. Approval

This document must be reviewed by a process safety officer (or operator with equivalent authority) before commissioning. The vendor (Autoflame) Mini Mk8 MM manual is the authoritative source for the consequences and operator actions; this document is the project's interpretation and prioritization for the supervisory layer's notification routing.

11. References

• ANSI/ISA-18.2-2016 §6 (Alarm rationalization)
• Mini Mk8 MM Installation and Commissioning Guide (12.04.2019), §5.1 (Errors), §5.2 (Lockouts), §5.3 (Alarms/Warnings)
• BLR-ALP-004 (Alarm Philosophy — priority matrix and notification framework)
• BLR-CEM-002 (Cause and Effect Matrix — references this document for individual alarm rows)
• backend/config.py — alarm code dictionaries (source of truth for the code-to-description mapping)