Alerting Pipeline
Real-time alerting architecture for incident detection and response.
Alert Architecture
┌─────────────┐   ┌─────────────┐   ┌─────────────┐
│    Event    │ → │    Alert    │ → │    Alert    │
│  Detection  │   │ Generation  │   │   Routing   │
└─────────────┘   └─────────────┘   └─────────────┘
                                           │
           ┌───────────────────────────────┼───────────────────────────────┐
           │                               │                               │
    ┌──────▼──────┐               ┌────────▼────────┐               ┌──────▼──────┐
    │    RTIC     │               │     Email/      │               │   SAP PM    │
    │  Dashboard  │               │       SMS       │               │ Work Order  │
    └─────────────┘               └─────────────────┘               └─────────────┘
Alert Severity Model
4-Tier Severity
| Level | Description | Response Time | Notification |
|---|---|---|---|
| Critical | Immediate safety risk | <5 minutes | All channels |
| High | Significant issue | <15 minutes | Dashboard + SMS |
| Medium | Requires attention | <1 hour | Dashboard + Email |
| Low | Informational | Next shift | Dashboard only |
Severity Examples
| Scenario | Severity | Rationale |
|---|---|---|
| Large methane release | Critical | Safety and environmental |
| Active liquid leak | High | Asset damage potential |
| Thermal anomaly | Medium | Equipment degradation |
| Minor fence damage | Low | Security informational |
Alert Correlation
Reducing False Positives
Correlating multiple signals reduces the false positive rate:
| Signal Combination | Confidence |
|---|---|
| Single sensor only | 60-70% |
| Two sensors correlated | 80-85% |
| Three+ sensors correlated | 90-95% |
| + Historical baseline | 95%+ |
Correlation Logic
- Temporal: Events within time window
- Spatial: Events within proximity
- Sensor: Confirming signal from different sensor
- Historical: Comparison to baseline
- Asset: Correlation to equipment status
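The temporal, spatial, sensor and historical checks above, as an added Python example (not code from the original page). The window, radius, sensor-type names and the `Detection` record are assumptions made for illustration; the bands come from the confidence table, the baseline band is applied only on top of three-sensor agreement (one reading of the table's last row), and asset-status correlation is left out.

```python
from dataclasses import dataclass
from math import hypot

# Assumed tuning values; the page does not give a window or a radius.
WINDOW_S = 300     # temporal: detections within 5 minutes
RADIUS_M = 50.0    # spatial: detections within 50 metres

# Bands from the confidence table, keyed by distinct sensor types agreeing.
BANDS = {1: "60-70%", 2: "80-85%", 3: "90-95%"}

@dataclass(frozen=True)
class Detection:
    sensor_type: str   # constructed names, e.g. "optical_gas", "thermal"
    t: float           # seconds since epoch
    x: float           # metres on a local site grid (assumed coordinate system)
    y: float

def correlated(a, b):
    """Temporal and spatial test between two detections."""
    return (abs(a.t - b.t) <= WINDOW_S
            and hypot(a.x - b.x, a.y - b.y) <= RADIUS_M)

def confidence_band(seed, others, above_baseline=False):
    """Confidence band for `seed` given other recent detections.

    Only a different sensor type counts as confirmation, so one noisy
    or faulty sensor firing repeatedly cannot raise its own confidence.
    """
    types = {seed.sensor_type}
    types.update(d.sensor_type for d in others if correlated(seed, d))
    band = BANDS[min(len(types), 3)]
    # Historical: a deviation from baseline lifts three-sensor agreement.
    if above_baseline and len(types) >= 3:
        band = "95%+"
    return band

# Constructed sample detections around one site location.
SAMPLE = [
    Detection("optical_gas", 1000.0, 10.0, 10.0),
    Detection("optical_gas", 1030.0, 11.0, 10.0),   # same type: no confirmation
    Detection("thermal",     1120.0, 25.0, 20.0),   # inside window and radius
    Detection("acoustic",    1200.0, 400.0, 10.0),  # inside window, too far away
    Detection("acoustic",    2000.0, 12.0, 12.0),   # close by, too late
]

if __name__ == "__main__":
    print(confidence_band(SAMPLE[0], SAMPLE[1:]))
```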
Alert Pipeline Components
Event Detection
- AI model outputs detection with confidence
- Threshold check against severity criteria
- Deduplication against recent events
Alert Generation
- Create alert record with full context
- Attach evidence (images, readings)
- Calculate severity score
- Assign to appropriate queue
Alert Routing
| Route | Trigger | Action |
|---|---|---|
| RTIC Dashboard | All alerts | Real-time display |
| Email | Medium+ | Notification to subscribers |
| SMS | High+ | Immediate notification |
| SAP PM | Configurable | Work order creation |
| Webhook | Configurable | Custom integration |
SLA Compliance
| Metric | Requirement | Design |
|---|---|---|
| Analytics available | ≤20 minutes | Micro-batch processing |
| Alert generation | <1 minute | Streaming pipeline |
| Dashboard update | <5 seconds | WebSocket push |
| Notification delivery | <1 minute | Queue-based dispatch |
Alert Lifecycle
┌─────────────┐   ┌─────────────┐   ┌─────────────┐   ┌─────────────┐
│     New     │ → │Acknowledged │ → │ In Progress │ → │  Resolved   │
└─────────────┘   └─────────────┘   └─────────────┘   └─────────────┘
       │                 │                 │                 │
       ▼                 ▼                 ▼                 ▼
  Auto-close         Operator            Field          Closed with
  if false +          assigns           action          resolution
Alert Management
Operator Actions
| Action | Description |
|---|---|
| Acknowledge | Claim responsibility |
| Escalate | Route to higher authority |
| Dismiss | Mark as false positive |
| Create Work Order | Generate SAP PM notice |
| Add Notes | Document observations |
| Resolve | Close with resolution |
Escalation Rules
| Condition | Escalation |
|---|---|
| No acknowledgment in 15 min | Notify supervisor |
| Critical unresolved 30 min | Notify management |
| Pattern of similar alerts | Flag for investigation |