
Benchmarking Industry Practices for the Use of Alarms as Safeguards and Layers of Protection

Todd Stauffer, P.E.
Peter Clarke, PhD, CFSE
Presented at the 9th Global Congress on Process Safety (April 30, 2013)
Copyright exida Consulting LLC, 2013

Alarms as Safeguards and Layers of Protection


- 1979 Three Mile Island (US)
- 1994 Milford Haven Refinery (UK)
- 2005 Texas City Refinery (US)
- 2005 Buncefield Oil Depot (UK)
- 2010 Belle, WV (US)
- 2010 Deepwater Horizon (US)

Layers of protection

Contributor to major process safety accidents

Operator response to alarms is critical to plant safety



Buncefield Oil Depot (2005)


- Tank Overflow leads to Explosion / Fire
- £1 billion (1.6 billion USD) loss
- Tank Level gauge failed showing 2/3 full
- No alarm generated when full
- High level safety alarm failed to go off
- Did not trigger automatic shutoff of feed valves

[Figure labels: High level safety alarm - No alarm; Tank Level gauge - No alarm]

Challenges in Analysis & Design of Safety Critical Alarms


The Human Factor
- Operators
- PHA Leaders
- Different personnel look after alarms vs safety
Benchmark Industry Practices
Compare to Best Practices

Benchmarking Survey
Purpose of Survey: To benchmark the current practices used in industry for the management of alarms used as safeguards and/or independent protection layers.

Survey Details:
- Took place September 24th - October 5th, 2012
- 225 respondents / 26 questions

Demographics

# | Region | % of Respondents | Industry | % of Respondents
1 | North America | 30% | Oil & Gas | 55%
2 | Europe | 25% | Chemical | 23%
3 | Asia Pacific | 18% | Engr & Consulting | 10%

Survey - Hazard and Risk Analysis Practices used for Alarms

[Diagram: survey topics against lifecycle phases]
- Hazard and Risk Assessment: Process Hazard Analysis (PHA), Alarms as Safeguards
- Allocation of Safety Functions: Layer of Protection Analysis (LOPA), Alarms as Independent Protection Layers (IPLs)
- Design and Engineering: Human Machine Interface, Presentation to the Operator (Safeguards, IPLs)

Convergence of Safety and Alarm Management Disciplines


Excerpt from IEC 61511 Functional Safety Lifecycle:
- Hazard and Risk Assessment
- Allocation of Safety Functions
- Design and Engineering

ANSI/ISA-18.2 Alarm Management Lifecycle

[Diagram labels: Process Safety, IPL Alarms, Alarm Management]

Alarm Rationalization
- Review existing / potential alarms against alarm criteria in an alarm philosophy document
- Document alarm purpose / objective (cause, consequence, corrective action, time to respond)
- Document design (limit, priority, classification)
- Record results in a Master Alarm Database (MADB)

Goal - to create the minimum set of alarms needed to keep the plant safe and within normal operating limits

Topics Covered
PHA
- Number of Alarms Identified as Safeguards, Percent of Cause: Consequence Pairs in a HAZOP
- Steps to Ensure an Alarm Identified during PHA is valid
- What is done with PHA results

LOPA
- Where do LOPA Alarms come from
- Typical / Maximum levels of Risk Reduction
- Criteria for determining when an alarm is an IPL
- Ineffective IPL alarms

Alarm Management (including Human Machine Interface)
- Assigning Alarm Priority, Use of Classification
- Display of IPL Alarms
- Use of Alarm Response Procedures
May 29, 2013

Number of Alarms Typically Identified as Safeguards or Recommendations in a PHA


[Bar chart: Number of Alarms that are Safeguards / Recommendations]
- Categories: None (0), <10, 11-50, 51-100, 101-500, >500
- Values shown: 24.6%, 21.6%, 25.1%, 15.8%, 7.6%, 1.8%
- Annotation: > 65%

Poll Question #1
How many different alarms in your system are typically identified as a Safeguard or Recommendation during a PHA?
1. None (0)
2. < 10
3. 11 to 50
4. 51 to 100
5. 101 to 500
6. > 500
7. Don't Know

Use of Hazard & Operability Studies to Identify Alarms as Safeguards

[Diagram labels: Cause : Consequence Pair, 1:1, Alarm]

Ref: IEC 61882, Hazard and operability studies (HAZOP studies) - Application guide, 2001

HAZOP Cause / Consequence Pairs


[Bar chart: Percent of HAZOP Cause:Consequence Pairs that call for the use of an Alarm]
- Categories: <5%, 5-15%, 16-25%, 26-50%, >50%
- Values shown: 23.8%, 23.1%, 19.4%, 20.0%, 13.8%

Industry | < 5% (small minority) | > 50% (majority)
Chemical | 36% | 3%
Engineering & Consulting | 7% | 33%
Oil & Gas | 20% | 15%

Significant Variation in PHA Practices

What Steps are taken to Ensure an Alarm Identified in a PHA is Valid?


- Discuss / Document the operator's response
- Discuss / Document whether the operator has sufficient time to respond
- Define the basis for the alarm limit
- Verify that the alarm is independent from the cause
- Discuss / Document operator training relative to the alarm
- Verify the operator response does not place him / her in danger
- Discuss / Document alarm mechanical integrity requirements

Steps to Ensure an Alarm Identified in a PHA is Valid and Effective


When an alarm is identified as a safeguard or recommendation during a PHA, what steps are typically taken to ensure that it is a valid and effective alarm?

Step | % of Responses
Discuss / document the operator's response (action) to the alarm | 83.5%
Discuss / document whether the operator has sufficient time to respond | 70.6%
Define the basis for the alarm setpoint (limit) | 64.7%
Verify that the alarm is independent from the cause | 62.9%
Discuss / document operator training relative to the alarm | 52.4%
Verify the operator response does not place him / her in danger | 47.1%
Discuss / document alarm mechanical integrity requirements | 34.1%
None | 2.9%

Four of the steps are marked "Best Practice" on the chart.

Regulatory Interest - OSHA's (US) Refinery NEP Program

Audit procedures for calibration, inspection, testing and maintenance

Possible violations
- Claim an ineffective alarm as a safeguard
- Design does not comply with RAGAGEP (Good Engineering Practice)
- Failure to inspect and test per required frequency
- Changes were made without invoking MOC
- Alarm function not described in operating procedures

Poll Question #2
Would you spend extra time during a PHA to do the following?
- Discuss / Document the operator's response
- Discuss / Document whether the operator has sufficient time to respond
- Verify that the alarm is independent from the cause
- Verify the operator response does not place him / her in danger

Taking Care of Alarms during a PHA - PHAx


Enter Alarm Design Info (Helps verify alarm is valid and can be used for Rationalization)

Easy to identify alarms in the HAZOP Results

[Figure labels: HAZOP PHA Spreadsheet]

PHA Results - what is done with the requirements for alarms identified as safeguards or recommendations
After the PHA or HAZOP has been completed, what is done with the requirements for alarms identified as safeguards or recommendations? Check all that apply.

[Bar chart: Response Percent]
- They are transferred automatically to a Master Alarm Database so that they are available during alarm rationalization and design
- They are available for review during alarm rationalization and design
- They are extracted manually by reviewing all PHA reports
- Management of Change (MOC) process is initiated
- They are automatically extracted into a spreadsheet
- None
- Values shown: 59.3%, 51.5%, 42.5%, 27.5%, 18.6%, 5.4%
- One option is marked "Best Practice"

Origin of IPL Alarms in a LOPA


What percentage of the alarms that are considered during a Layer of Protection Analysis (LOPA) were identified during a PHA?

[Bar chart]
- Categories: All (approximately 100%), 75 - 99%, 50 - 74%, <50%
- Values shown: 33.6%, 22.6%, 17.5%, 12.4%
- Annotations: Best Practice, Poor PHA Practices

All IPLs are Safeguards, but not all Safeguards are IPLs

Origin of IPL Alarms in a LOPA By Region


[Stacked bar chart: Percentage of LOPA Alarms identified during a PHA - by Region]
- Regions: North America, Europe, Asia Pacific
- Categories: <50%, 50 - 74%, 75 - 99%, All (approximately 100%)
- Annotation: Poor PHA Practices

PHA Practices differ by Region of the World

Poll Question #3
What % of alarms considered during a LOPA were identified during a PHA?
1. All (approximately 100%)
2. 75 to 99%
3. 50 to 74%
4. < 50%
5. Don't Know

Typical Level of Risk Reduction (RRF) Taken for a Safety IPL Alarm
What level of risk reduction (RRF) do you typically take for a Safety IPL alarm?

Avg. Probability of Failure on Demand (PFD) = 1 / RRF

[Bar chart]
- Categories: 1.0 (no risk reduction), Up to 2.0, 2.0 - 9.9, 10.0, >10.0
- Values shown: 43.0%, 20.0%, 14.8%, 10.4%, 3.0%
- Annotations: Quantitative LOPA, SIL 1

Typical Level of Risk Reduction - By Region


[Stacked bar chart: Typical Risk Reduction (RRF) for a Safety IPL Alarm - by Region]
- Regions: North America, Europe, Asia Pacific
- Risk Reduction Factor (RRF) categories: >10.0, 10.0, 2.0 - 9.9, Up to 2.0, 1.0 (no risk reduction)

Typical Level of Risk Reduction - By Industry


[Stacked bar chart: Typical Risk Reduction (RRF) for a Safety IPL Alarm - by Industry]
- Industries: Chemical, Engineering & Consulting, Oil & Gas
- Risk Reduction Factor (RRF) categories: >10.0, 10.0, 2.0 - 9.9, Up to 2.0, 1.0 (no risk reduction)

Poll Question #4
What risk reduction factor (RRF) do you typically take for a Safety IPL Alarm?
1. 1.0 (no risk reduction)
2. Up to 2.0
3. Between 2.0 and 9.9
4. 10.0
5. > 10.0
6. Don't Know

Maximum Level of Risk Reduction (RRF) Taken for a Safety IPL alarm
In your experience, what is the maximum level of risk reduction (RRF) that has been taken for a Safety IPL alarm?

[Bar chart]
- Categories: 1.0 (no risk reduction), Up to 2.0, 2.0 - 9.9, 10.0, 100.0, >100.0
- Values shown: 48.1%, 8.1%, 11.9%, 10.4%, 10.4%, 2.2%
- Annotations: SIL 1, SIL 2

What Criteria are used to determine whether an alarm can be an IPL?

- The alarm is independent from the cause of the upset
- The alarm is auditable (proof-tested at appropriate frequency)
- The operators have been trained on the alarm's cause, consequence, and corrective action
- The alarm is specifically designed to prevent the defined consequences
- There is not more than one alarm credited with risk reduction per layer of protection
- The alarm is dependable (based on calculating its PFD)
- Alarm system performance is measured and determined to be acceptable
- All alarms in the system have been rationalized

Considerations for Determining When an Alarm can be an IPL (Credited with Risk Reduction)
What considerations are used to determine whether an alarm can be credited with risk reduction?

[Bar chart: all eight considerations are marked "Best Practice"]
- The alarm is completely independent from the cause of the upset
- The alarm is auditable (proof tested at appropriate frequency)
- The operators have been trained on the causes, potential consequences, and corrective actions for the alarm
- The alarm is specifically designed to prevent the consequences under consideration by the operator
- There is not more than one alarm credited with risk reduction per layer of protection
- Values shown for the five considerations above: 73.3%, 67.9%, 63.4%, 59.5%, 48.9%
- The alarm is dependable (based on calculating the Probability of Failure on Demand for the annunciation of the alarm and successful operator response): 42.7%
- Alarm system performance (# of alarms / per hour, nuisance alarms, alarm floods) is measured and determined to be acceptable according to ISA-18.2 or EEMUA 191 guidelines: 38.9%
- All alarms in the system (safety and non-safety) have been rationalized: 32.1%

Frequency that IPL alarms are Found to be Ineffective


How often do you find that an alarm identified as an IPL is not valid, or is ineffective (does not provide the level of risk reduction expected)?

[Bar chart]
- Categories: Never (0% of the time), Infrequently (< 1% of the Safety IPL Alarms), Sometimes (between 1 to 5% of the Safety IPL Alarms), Frequently (> 5% of the Safety IPL Alarms), Unknown
- Values shown: 38.9%, 26.0%, 17.6%, 14.5%, 4.6%
- Annotation: >65%

Consequences of Ineffective IPL Alarms


- Ripple Effect - impacts risk reduction requirements for other IPLs (e.g. SIL requirements for each SIF in the SIS)
- Actual Risk Reduction could be < Tolerable Risk

Ineffective IPL Alarms

UNDER-PROTECTED
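The ripple effect on this slide, worked through as an added example (not part of the original presentation): a LOPA gap calculation using the PFD = 1 / RRF relation from the earlier slide. The scenario frequencies, the relief valve credit and all function names are constructed assumptions; the SIL bands are the IEC 61511 low-demand ranges.

```python
from math import prod

# IEC 61511 low-demand bands as (upper RRF bound, SIL); RRF <= 10 is below SIL 1.
SIL_BANDS = [(100, 1), (1_000, 2), (10_000, 3), (100_000, 4)]

def pfd(rrf):
    """Average probability of failure on demand: PFD = 1 / RRF."""
    if rrf < 1.0:
        raise ValueError("RRF cannot be below 1.0 (no risk reduction)")
    return 1.0 / rrf

def mitigated_frequency(initiating_freq, ipl_rrfs):
    """Events per year that get past every credited protection layer."""
    return initiating_freq * prod(pfd(r) for r in ipl_rrfs.values())

def required_sif_rrf(initiating_freq, tolerable_freq, ipl_rrfs):
    """Risk reduction the SIF must supply to close the gap left by the other IPLs."""
    return mitigated_frequency(initiating_freq, ipl_rrfs) / tolerable_freq

def sil_for(rrf):
    """Lowest SIL whose band covers rrf; 0 means below SIL 1."""
    if rrf <= 10:
        return 0
    for upper, sil in SIL_BANDS:
        if rrf <= upper:
            return sil
    raise ValueError("required RRF is beyond SIL 4")

def ripple(initiating_freq, tolerable_freq, ipl_rrfs, alarm_key):
    """Compare the LOPA as credited with the LOPA once the alarm IPL proves ineffective."""
    credited = required_sif_rrf(initiating_freq, tolerable_freq, ipl_rrfs)
    actual = {**ipl_rrfs, alarm_key: 1.0}  # ineffective alarm: RRF 1.0
    needed = required_sif_rrf(initiating_freq, tolerable_freq, actual)
    # Frequency achieved when the SIF was built only to the credited target.
    built = {**actual, "sif": max(credited, 1.0)}
    achieved = mitigated_frequency(initiating_freq, built)
    return {"sil_as_designed": sil_for(credited),
            "sil_actually_needed": sil_for(needed),
            "achieved_freq": achieved,
            "under_protected": achieved > tolerable_freq}

# Constructed scenario (illustrative numbers, not survey data): frequencies per year.
SCENARIO = dict(initiating_freq=0.5, tolerable_freq=1e-5,
                ipl_rrfs={"operator_alarm": 10.0, "relief_valve": 100.0},
                alarm_key="operator_alarm")

if __name__ == "__main__":
    print(ripple(**SCENARIO))
```

With the alarm credited at RRF 10 the SIF target lands in SIL 1; once the alarm delivers no risk reduction the same scenario needs SIL 2, and the SIL 1 design leaves the achieved frequency ten times above the tolerable one.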

Assigning Priority to IPL Alarms


Which statement best describes how the priority of Safety IPL alarms is assigned?

Statement | % of Responses
Based on company defined risk matrix, taking into consideration consequence to economic, safety, environmental and Public Image aspects | 30.2%
Based on the ultimate consequence defined in the HAZOP / PHA | 22.5%
Based on the direct & immediate consequence (assuming all other layers of protection operate as expected) and the amount of time available for the operator to respond | 21.7%
Automatically set to the highest priority allowed in the system (e.g. Critical, Emergency, etc) | 17.1%
Not Applicable | 4.7%
Based on the assumption that the associated SIF and other associated IPLs fail | 3.9%

Two of the statements are marked "Best Practice" on the chart.

Alarm Classification
Do you classify alarms?
- Yes: 80%
- No: 20%

Classification: A method for grouping alarms that have common sets of requirements (testing, training, MOC, reporting)

Practices for Display of Safety IPL Alarms through the HMI


What statement(s) best describes your current practice for display of Safety IPL alarms?

[Bar chart]
- They are annunciated through the same HMI as the BPCS: 64.1%
- They are annunciated through hardwired light boxes or panel boards: 31.3%
- They are annunciated through light boxes or panel boards and the same HMI as the BPCS
- They are annunciated through dedicated HMIs
- They are part of a standalone system
- Values shown for the last three statements: 21.4%, 20.6%, 18.3%

Use of Alarm Response Procedures


Alarm Response Procedures for Safety IPL alarms
- (Yes) - Provided: 74%
- (No) - Not Provided: 26%

Format | %
Paper manuals | 54%
On screen display called up in context within the HMI | 28%
Call up files or displays on a dedicated computer (other than the HMI) | 18%

Contents of Alarm Response Procedure

- Likely cause(s) of the alarm
- Potential Consequences of Inaction
- Corrective Action that is required to prevent the consequence
- Time available to respond
- Confirmation / Verification of the alarm condition

Example - DeltaV Alarm Help


Alarm Help: Accessible from the faceplate, alarm list and banner

Immediate access to Cause, Consequence, Corrective Action and Time to Respond helps improve operator response

Alarm Response Procedures can be created from the results of rationalization using SILAlarm

Conclusions & Recommendations


PHA
- Improve the rigor and thoroughness of PHAs
- When an alarm is identified as a safeguard, verify that it is valid and effective

LOPA
- Ensure that IPL alarms meet the criteria established as industry best practices
- Choose risk reduction levels wisely

HMI
- Increase Use of / Access to Alarm Response Procedures by Operators

Conclusions & Recommendations (Cont'd)

Alarm Management
- Leverage PHA / LOPA Results during Alarm Rationalization
- Follow ISA-18.2 recommendations for Alarm Prioritization

General
- Increase familiarity with ISA-18.2
- Apply industry best practices rigorously and consistently
- Compare Your Company Practices to
  - Actual Industry Practices (Benchmarks)
  - Industry Best Practices

References used as Best Practices


- Hartmann, H., Scharpf, E., and Thomas, H., Practical SIL Target Selection: Risk Analysis per the IEC 61511 Safety Lifecycle, exida, Sellersville, PA (2012).
- CCPS, Guidelines for Safe and Reliable Instrumented Protective Systems, Center for Chemical Process Safety, New York, NY (2007).
- CCPS, Layer of Protection Analysis: Simplified Process Risk Assessment, Center for Chemical Process Safety, New York, NY (2001).
- Stauffer, T. and Clarke, P., Using Alarms as a Layer of Protection, AIChE 8th Global Congress on Process Safety, Houston, TX (2012).
- ANSI/ISA 18.00.02-2009, Management of Alarm Systems for the Process Industries.

Questions?