Академический Документы
Профессиональный Документы
Культура Документы
Safety Assessment of Alarm Systems on Offshore Oil and Gas Production Installations
in Norway
Eirik Bjerkebaek and Trond Sigurd Eskedal/Norwegian Petroleum Directorate
The project has been carried out by the NPD with assistance installations run by the different operating companies, and
from the Institute of Energy Technology. with both old and new alarm systems from the major vendors.
The different methods used were:
New requirements for alarm system design
• Operator survey: Questionnaires were distributed to
During the late 1990s it became clear that the existing
all CCR-operators on the facilities included in the
Norwegian requirements, together with applicable standards,
study and returned anonymously. The questions
on alarm system design failed to ensure that the alarm systems
focused on their subjective opinion of the alarm
were designed to provide sufficient and adequate operator
systems weaknesses and strengths, as well as on
support. Although the NPD developed a methodology for
training and retraining. A total of 64 questionnaires (9
reviewing implementation of human factors design principles
per installation) were returned. The questionnaire was
in CCR design based on the ISO 11064 standard2, the design
similar to the one used by the HSE, allowing
solutions still had significant weaknesses. A recently revised
comparison of data.
NORSOK standard3 also failed to target what the NPD viewed
as the main issues to ensure improved alarm-system design. • Alarm log analysis: In advance of the audits we
In the UK one of the measures that HSE took after the requested alarm logs from the facilities. These were
Milford Haven accident was to develop and implement new logs chosen by the companies on an arbitrary basis.
requirements and guidelines for design and management of The logs were analysed with respect to performance
alarm systems. Based on the British experience, the NPD indicators, such as average alarm rate and frequency
concluded that a more concise and up-to-date set of distribution of alarms.
requirements was needed. This involved incorporating new • Alarm usability survey: During the offshore audit
requirements in the HSE Regulations for the Norwegian activity, the CCR-operators were asked to register all
Petroleum Industry4, addressing more closely the functionality alarms within a given time frame. The registered
of human-machine interfaces, human factors analysis as basis alarms were categorised by their importance according
for design requirements, and requirements for training and to recognised prioritisation principles.
retraining of operators. It also involved issuing a new set of • Checklist reviews: The audit team used predefined
specific requirements for alarm system design, as a normative checklists during interviews with CCR-operators and
reference for compliance with the functional requirements in management.
the Norwegian regulations5. This set of alarm requirements • Observations in the CCR: During the offshore visit the
was based on experience from petroleum and process industry audit team spent time in the CCR observing the
both on- and offshore, as well as on standards from nuclear pattern of alarm presentation and alarm handling, and
industry6, 7. The new set of alarm system requirements consists verifying how company alarm system management
of 43 principles divided into the following topics: requirements were implemented in practice.
• General management requirements
• Alarm generation Results
• Alarm structuring Alarm system management
Alarm system management includes factors that affect
• Alarm prioritisation
alarm system performance as well as factors that affect the
• Alarm presentation
quality of expected operator response to alarms, e.g. training,
• Alarm handling and procedures.
These new requirements were to be ambitious, but Alarm system philosophy and specification
realistic, in terms of technical feasibility. The major vendors The alarm systems and their functionality were generally
of alarm systems in Norway were consulted as to whether their not based on a documented and available alarm philosophy for
systems could comply. Generally the feedback was positive. the company or installation. Several of the systems consisted
So far the feedback from the operating companies on of elements from different vendors, without an integrated
application of these requirements is generally positive. system philosophy. In these cases system configuration and
However, the operating companies are still confronted with alarm presentation had to a large extent been determined by
vendor’s arguments on system limitations, when aiming at the SAS vendor.
necessary progress in alarm system development. Experiences Management of change and non-conformances
from NPD audits clearly show that a proactive and dedicated With respect to the importance of the alarm system to
effort from the operating company is necessary to ensure that safety and production rates, one would expect clear-cut
vendors put sufficient effort into delivering compliant systems and practice for managing changes in the alarm
solutions. Developing clear alarm philosophies/specifications systems. The audits clearly showed an inadequate attention
as well as project follow-up strategies during the design phase towards this issue. Documentation of changes to alarm limits
are important keys to success. was of varying quality, especially regarding justification for
change and documentation availability.
Mapping and auditing of alarm system management Disabling of alarms is often necessary during certain
and performance modes of operation (e.g. start up), during instrument faults and
In order to carry out mapping and auditing, several tools were during testing of safety systems. Management of such
developed, based on the new set of regulations and EEMUA disabling is an important aspect of alarm system performance.
1916. During a period of one year we audited seven offshore If the alarm with its associated operator response is regarded
SPE 86597 3
as safety critical, procedurised compensatory measures shall alarms per ten minutes. Six of the alarm systems produced
be in place. Our audits clearly showed that this is a poorly alarm rates above the rate set as manageable in the EEMUA
attended management issue. The quality of the procedures that 191. The operators’ estimation of alarm rates in the
regulate alarm disabling and the practice of such procedures questionnaire was 3.3 alarms per 10 minutes (range 1,7 – 5.8),
was often poor. In several cases it proved difficult to obtain a which corresponds well with recorded rates in the arbitrarily
quick overview over current disabling and compensatory chosen measurement periods.
measures. Only two of the seven installations had satisfactory In a tripp or shutdown situation the recorded numbers of
management of alarm disabling. alarms during the first minute of the event ranged from 33 to
CCR-operator training 399. The large variation is mainly due to differences in the
None of the audited installations could document a severity of the upset causing a tripp. However, all situations
systematic approach to training and re-training pertaining to caused rates that are unacceptable in terms of introducing a
understanding and operation of the alarm system. Only one of significantly higher risk that important alarms are overlooked,
the installations had developed a simulator usable for operator misunderstood, or given an inadequate operator response. This
training and drilling relevant for handling of production conclusion is supported by the questionnaire data, showing
disturbances and crisis intervention. However, this simulator that 70% of the operators experience that alarm rates are to
was not part of the current training scheme. Some of the high to allow adequate alarm handling in upset situations.
operators had received formal training as part of Alarms that are not relevant in the specific situation
commissioning of the CCR and alarm system. Presently represent a major fraction of the alarms. Both irrelevant
however, different schemes for “on-the-job training” were repetitive alarms and standing alarms were common. In the
common practice. questionnaires, 32% of the respondents answered that more
With high regularity and production goals for the plants, an than ca every second alarm was repetitive, which corresponds
“on-the-job” training scheme will often suffer from nicely to the figures from the recordings. Figure 1 shows
insufficient opportunities and resources for training on crisis recordings from one case where the alarm rate was
intervention. unacceptably high during 90 minutes of normal operation.
Performance monitoring and improvement
There was little sign of management focus on determining
weaknesses and improving performance in the alarm systems. 60
60% of the CCR-operators held the view that too little effort
was put into alarm system improvement. Routines for 50
mapping and evaluation of the quality of the alarm systems
were missing in all companies. Performance criteria for the
Alarms/minute
40
system had not been set. Consequently, none of the companies
carried out systematic evaluation of how their systems
function as a safety barrier and operator support tool. The 30
companies system for following up deviations, incidents and
unwanted conditions had to very little extent been used to 20
register and follow up human error types e.g. mistakes, slips
and other conditions that relate to CCR-operation. 10
Lately, increased focus on cost margins and increased
production cause many offshore process plants to be operated 0
close to their design limits. This increases the necessity of
optimal CCR-performance. In this case the general lack of
focus on corrective measures related to the alarm system and Figure 1. Alarm rates sampled during 2,5 hours of normal
CCR-operator response and behaviour patterns not only operation on one installation.
affects the safety level, it also affects production rates and
regularity. A few non-critical alarms caused this situation. During this
time period, one alarm was presented more than 700 times,
Alarm system performance and 3 other alarms presented ca 250 times each.
Alarm rates Alarm signal filtering was a feature of all the systems.
The results from the audits showed that unacceptably high However, there was considerable variation in how this
average alarm rates was the main consequence of poor alarm functionality was implemented and optimised. None of the
system management. According to the EEMUA 1916 less than systems presented alarms based on binary logics and
one alarm per 10 minutes is acceptable during normal algorithms. It should also be noted that none of the companies
operation, one alarm per 5 minutes is manageable, while more could present data showing the number of different alarms that
than 1 alarm per minute is very likely to be unacceptable. In the system is designed to generate. The average of CCR-
an upset situation, the corresponding rates for acceptable and operators estimation of the number of alarms was relatively
unacceptable rates are 1 and ten alarms per minute high and ca 50% of the operators responded that there were to
respectively. many alarms in the systems. This clearly indicates a need for a
Analysis of the alarm registration samples showed that systematic review of all the alarms, to decide which can be
alarm rates during normal operation ranged from 1 to 20 removed.
4 SPE 86597
References
1. Health and Safety Executive, (1997) The explosion and fires at the
Texaco Refinery, Milford Haven, 24 July 1994: A report of the
investigation by the Health and Safety Executive into the
explosion and fires on the Pembroke Cracking Company Plant
at the Texaco Refinery, Milford Haven on 24 July 1994.
2. NPD, (2003) Human Factors Assessment Method for Control
rooms.
3. NORSOK (2001) Standard I-CR-002 Safety and automation
systems (SAS) (Rev. 2).
4. NPD (2002) Regulations relating to health, environment and
safety in the petroleum activities.
5. NPD (2001) YA 711 Principles for design of alarm systems.
6. EEMUA (1991) Alarm Systems: A Guide to Design, Management
and Procurement The Engineering Equipment and Materials
Users association (EEMUA) publication no 191.
7. Institute of Energy Technology (2000) Requirement specification
for the HAMBO alarm system, IFE/HRF-2000/1141.