SPE 86597
Safety Assessment of Alarm Systems on Offshore Oil and Gas Production Installations
in Norway
Eirik Bjerkebaek and Trond Sigurd Eskedal/Norwegian Petroleum Directorate
Copyright 2004, Society of Petroleum Engineers Inc.
This paper was prepared for presentation at The Seventh SPE International Conference on
Health, Safety, and Environment in Oil and Gas Exploration and Production held in Calgary,
Alberta, Canada, 29–31 March 2004.
This paper was selected for presentation by an SPE Program Committee following review of
information contained in a proposal submitted by the author(s). Contents of the paper, as
presented, have not been reviewed by the Society of Petroleum Engineers and are subject to
correction by the author(s). The material, as presented, does not necessarily reflect any
position of the Society of Petroleum Engineers, its officers, or members. Papers presented at
SPE meetings are subject to publication review by Editorial Committees of the Society of
Petroleum Engineers. Electronic reproduction, distribution, or storage of any part of this paper
for commercial purposes without the written consent of the Society of Petroleum Engineers is
prohibited. Permission to reproduce in print is restricted to a proposal of not more than 300
words; illustrations may not be copied. The proposal must contain conspicuous
acknowledgment of where and by whom the paper was presented. Write Librarian, SPE, P.O.
Box 833836, Richardson, TX 75083-3836, U.S.A., fax 01-972-952-9435.
Abstract
High quality alarm systems are essential to safe offshore
petroleum production. The Norwegian Petroleum Directorate
(NPD) has carried out safety assessments of alarm systems on
seven of the petroleum production installations in Norway.
The assessment clearly demonstrates that poor alarm system
performance and management represents the greatest human
factor challenge within control room environments offshore.
Introduction
Recently, the human factor is seen as increasingly important in
targeting higher HSE performance in our industry. HSE-
culture and human behaviour has become main themes in
programs aiming to reduce risk and harm from petroleum
activities. In the Norwegian Petroleum Industry this change is
for instance reflected in sharpened regulatory requirements
pertaining to HSE culture, and human factors analysis in
design.
However, this approach will not be successful if we do not
at the same time use human factors expertise in improving the
quality of the technical and organizational systems that shall
facilitate adequate responses and behaviour. Understanding
the man-technology-organisation (MTO) interplay is the key
to successful design and operation.
Investigations of major accidents clearly show that poorly
designed and maintained barrier functions are a prominent
factor in almost every disaster and near-miss situation. The
Milford Haven accident specifically showed how poorly
designed alarm systems and poor alarm system management
can be a major safety risk when the alarm system and
associated operator response claim to be a key factor in safety
critical functions1. Accordingly the Health and Safety
Executive (HSE) in the UK took several initiatives to improve
alarm system design and management.
During audits, safety assessments, and investigation of
incidents on petroleum production facilities on the Norwegian
continental shelf, the NPD has identified alarm systems as a
major area of concern with regard to shortcomings in the
safety function in central control rooms (CCR) function. In
this context the co-function of the alarm system and the CCR-
operator is viewed as a main barrier towards serious incidents
and accidents – a barrier where physical and non-physical
functions need to play in concert.
Shortcomings of these systems have in several cases
contributed to control-room operators, not being able to detect
disturbances and deviations early enough to avoid further
event escalation and shutdown of the process plant. In some
cases the alarm system, by presenting non-useful information
even hinders the ability of the operator to cope adequately
with the situation. Also, poorly designed alarm systems make
it difficult for the CCR-operators to discover deviations in the
production process, thus hindering timely and adequate
compensatory actions, necessary to maintain high production
regularity.
This paper describes and discusses the results from a
project, which has aimed to involve the operating companies
in a joint effort to improve both existing alarm systems and
design of new systems. The paper concentrates on the audit
results and our experiences with this type of auditing.
Scope of project
The project involves all operating companies in Norway, as
well as the major vendors of safety and automation systems
(SAS) for the petroleum industry. It consists of a series of
different activities, all aimed at contributing to enhanced alarm
system design and performance by:
• Developing up to date requirements for control room
and alarm system design.
• Mapping and auditing the quality and performance of
existing alarm systems as well as management of
these.
• Uncovering major challenges and obstacles with
regard to improving existing alarm systems
• Contributing to experience transfer on adequate
solutions and best practices in alarm system design
and management.
• Initiating and facilitating appropriate change
processes, both at company and industry level, with
regard to implementing results from the project.
2 SPE 86597
The project has been carried out by the NPD with assistance
from the Institute of Energy Technology.
New requirements for alarm system design
During the late 1990s it became clear that the existing
Norwegian requirements, together with applicable standards,
on alarm system design failed to ensure that the alarm systems
were designed to provide sufficient and adequate operator
support. Although the NPD developed a methodology for
reviewing implementation of human factors design principles
in CCR design based on the ISO 11064 standard2, the design
solutions still had significant weaknesses. A recently revised
NORSOK standard3 also failed to target what the NPD viewed
as the main issues to ensure improved alarm-system design.
In the UK one of the measures that HSE took after the
Milford Haven accident was to develop and implement new
requirements and guidelines for design and management of
alarm systems. Based on the British experience, the NPD
concluded that a more concise and up-to-date set of
requirements was needed. This involved incorporating new
requirements in the HSE Regulations for the Norwegian
Petroleum Industry4, addressing more closely the functionality
of human-machine interfaces, human factors analysis as basis
for design requirements, and requirements for training and
retraining of operators. It also involved issuing a new set of
specific requirements for alarm system design, as a normative
reference for compliance with the functional requirements in
the Norwegian regulations5. This set of alarm requirements
was based on experience from petroleum and process industry
both on- and offshore, as well as on standards from nuclear
industry6, 7. The new set of alarm system requirements consists
of 43 principles divided into the following topics:
• General management requirements
• Alarm generation
• Alarm structuring
• Alarm prioritisation
• Alarm presentation
• Alarm handling
These new requirements were to be ambitious, but
realistic, in terms of technical feasibility. The major vendors
of alarm systems in Norway were consulted as to whether their
systems could comply. Generally the feedback was positive.
So far the feedback from the operating companies on
application of these requirements is generally positive.
However, the operating companies are still confronted with
vendor’s arguments on system limitations, when aiming at
necessary progress in alarm system development. Experiences
from NPD audits clearly show that a proactive and dedicated
effort from the operating company is necessary to ensure that
vendors put sufficient effort into delivering compliant
solutions. Developing clear alarm philosophies/specifications
as well as project follow-up strategies during the design phase
are important keys to success.
Mapping and auditing of alarm system management
and performance
In order to carry out mapping and auditing, several tools were
developed, based on the new set of regulations and EEMUA
1916. During a period of one year we audited seven offshore
installations run by the different operating companies, and
with both old and new alarm systems from the major vendors.
The different methods used were:
• Operator survey: Questionnaires were distributed to
all CCR-operators on the facilities included in the
study and returned anonymously. The questions
focused on their subjective opinion of the alarm
systems weaknesses and strengths, as well as on
training and retraining. A total of 64 questionnaires (9
per installation) were returned. The questionnaire was
similar to the one used by the HSE, allowing
comparison of data.
• Alarm log analysis: In advance of the audits we
requested alarm logs from the facilities. These were
logs chosen by the companies on an arbitrary basis.
The logs were analysed with respect to performance
indicators, such as average alarm rate and frequency
distribution of alarms.
• Alarm usability survey: During the offshore audit
activity, the CCR-operators were asked to register all
alarms within a given time frame. The registered
alarms were categorised by their importance according
to recognised prioritisation principles.
• Checklist reviews: The audit team used predefined
checklists during interviews with CCR-operators and
management.
• Observations in the CCR: During the offshore visit the
audit team spent time in the CCR observing the
pattern of alarm presentation and alarm handling, and
verifying how company alarm system management
requirements were implemented in practice.
Results
Alarm system management
Alarm system management includes factors that affect
alarm system performance as well as factors that affect the
quality of expected operator response to alarms, e.g. training,
and procedures.
Alarm system philosophy and specification
The alarm systems and their functionality were generally
not based on a documented and available alarm philosophy for
the company or installation. Several of the systems consisted
of elements from different vendors, without an integrated
system philosophy. In these cases system configuration and
alarm presentation had to a large extent been determined by
the SAS vendor.
Management of change and non-conformances
With respect to the importance of the alarm system to
safety and production rates, one would expect clear-cut
systems and practice for managing changes in the alarm
systems. The audits clearly showed an inadequate attention
towards this issue. Documentation of changes to alarm limits
was of varying quality, especially regarding justification for
change and documentation availability.
Disabling of alarms is often necessary during certain
modes of operation (e.g. start up), during instrument faults and
during testing of safety systems. Management of such
disabling is an important aspect of alarm system performance.
If the alarm with its associated operator response is regarded
SPE 86597
as safety critical, procedurised compensatory measures shall
be in place. Our audits clearly showed that this is a poorly
attended management issue. The quality of the procedures that
regulate alarm disabling and the practice of such procedures
was often poor. In several cases it proved difficult to obtain a
quick overview over current disabling and compensatory
measures. Only two of the seven installations had satisfactory
management of alarm disabling.
CCR-operator training
None of the audited installations could document a
systematic approach to training and re-training pertaining to
understanding and operation of the alarm system. Only one of
the installations had developed a simulator usable for operator
training and drilling relevant for handling of production
disturbances and crisis intervention. However, this simulator
was not part of the current training scheme. Some of the
operators had received formal training as part of
commissioning of the CCR and alarm system. Presently
however, different schemes for “on-the-job training” were
common practice.
With high regularity and production goals for the plants, an
“on-the-job” training scheme will often suffer from
insufficient opportunities and resources for training on crisis
intervention.
Performance monitoring and improvement
There was little sign of management focus on determining
weaknesses and improving performance in the alarm systems.
60% of the CCR-operators held the view that too little effort
was put into alarm system improvement. Routines for
mapping and evaluation of the quality of the alarm systems
were missing in all companies. Performance criteria for the
system had not been set. Consequently, none of the companies
carried out systematic evaluation of how their systems
function as a safety barrier and operator support tool. The
companies system for following up deviations, incidents and
unwanted conditions had to very little extent been used to
register and follow up human error types e.g. mistakes, slips
and other conditions that relate to CCR-operation.
Lately, increased focus on cost margins and increased
production cause many offshore process plants to be operated
close to their design limits. This increases the necessity of
optimal CCR-performance. In this case the general lack of
focus on corrective measures related to the alarm system and
CCR-operator response and behaviour patterns not only
affects the safety level, it also affects production rates and
regularity.
Alarm system performance
Alarm rates
The results from the audits showed that unacceptably high
average alarm rates was the main consequence of poor alarm
system management. According to the EEMUA 1916 less than
one alarm per 10 minutes is acceptable during normal
operation, one alarm per 5 minutes is manageable, while more
than 1 alarm per minute is very likely to be unacceptable. In
an upset situation, the corresponding rates for acceptable and
unacceptable rates are 1 and ten alarms per minute
respectively.
Analysis of the alarm registration samples showed that
alarm rates during normal operation ranged from 1 to 20
3
alarms per ten minutes. Six of the alarm systems produced
alarm rates above the rate set as manageable in the EEMUA
191. The operators’ estimation of alarm rates in the
questionnaire was 3.3 alarms per 10 minutes (range 1,7 – 5.8),
which corresponds well with recorded rates in the arbitrarily
chosen measurement periods.
In a tripp or shutdown situation the recorded numbers of
alarms during the first minute of the event ranged from 33 to
399. The large variation is mainly due to differences in the
severity of the upset causing a tripp. However, all situations
caused rates that are unacceptable in terms of introducing a
significantly higher risk that important alarms are overlooked,
misunderstood, or given an inadequate operator response. This
conclusion is supported by the questionnaire data, showing
that 70% of the operators experience that alarm rates are to
high to allow adequate alarm handling in upset situations.
Alarms that are not relevant in the specific situation
represent a major fraction of the alarms. Both irrelevant
repetitive alarms and standing alarms were common. In the
questionnaires, 32% of the respondents answered that more
than ca every second alarm was repetitive, which corresponds
nicely to the figures from the recordings. Figure 1 shows
recordings from one case where the alarm rate was
unacceptably high during 90 minutes of normal operation.
60
50
Alarms/minute
40
30
20
10
0
Figure 1. Alarm rates sampled during 2,5 hours of normal
operation on one installation.
A few non-critical alarms caused this situation. During this
time period, one alarm was presented more than 700 times,
and 3 other alarms presented ca 250 times each.
Alarm signal filtering was a feature of all the systems.
However, there was considerable variation in how this
functionality was implemented and optimised. None of the
systems presented alarms based on binary logics and
algorithms. It should also be noted that none of the companies
could present data showing the number of different alarms that
the system is designed to generate. The average of CCR-
operators estimation of the number of alarms was relatively
high and ca 50% of the operators responded that there were to
many alarms in the systems. This clearly indicates a need for a
systematic review of all the alarms, to decide which can be
removed.
4 SPE 86597
Alarm structuring and prioritisation
Most of the alarm systems demonstrated the ability to
present selective alarm lists (e.g. by system or plant area).
However, none of the systems were based on recognised
principles for alarm prioritisation. Managers with alarm
system responsibility, as well as CCR-operators showed a
general lack of understanding of the concept of prioritisation,
including how to develop prioritisation rules. On some
installations they claimed to have alarm priorities , but these
reflected different alarm categories (i.e. warning alarm, fault
alarm and action alarm) not the criticality of the alarm.
Alarm suppression is a useful tool for improving operator
performance. Suppression is here defined as omitting the
alarm from presentation to operator, but still having the alarm
available in the system for other purposes – e.g. alarm log
analyses. However, this feature had not been implemented to
any significant extent in the systems we reviewed.
Alarm presentation
There was considerable variation in the design of alarm
displays on operator VDUs and wall panels. While fire and
gas alarms always were presented separately to facilitate
overview, other critical alarms (e.g. alarm from other safety
critical equipment, and critical process alarms) were not
presented with similar clarity. Only 25% of the CCR-operators
experience that the alarm systems presents them with a
sufficiently clear presentation of safety critical alarms.
Alarm text quality was generally poor. Incomprehensible
and inconsistent use of abbreviations, wrong sequencing of the
information elements within an alarm text, and
incomprehensible alarms related to SAS function (system
alarms) were major contributors to alarm interpretation
difficulties. The important human factors principle of
presenting the most important information (i.a. tag and alarm
description) first was generally not adhered to (e.g. time and
date information was given first in many cases).
The use of colours in VDUs did generally not reflect alarm
criticality, as would be expected from the lack of alarm
prioritisation. According to human factors principles, red and
yellow should be reserved for important alarms. These colours
were however also used for a number of other information
purposes. All the alarm systems have considerable
improvement potential in terms of compliance with recognised
principles of alarm presentation.
Alarm handling
Alarm handling during normal operation generally
occurred according to recognised principles for alarm
handling. Improvement measures that should be considered
are improving navigation between alarm screens and process
screens, and increased use of manual alarm suppression
(shelving). Feedback from the operators clearly indicates that
alarm handling is poor during upset situations. 75% for the
respondents answer that the alarm rates are too high to
perceive the alarm information and perform adequate alarm
handling, and 65% respond that they quite often have to
acknowledge alarms without understanding their content. This
is reflected in Figure 2. These results underscores another
finding from the audits, which is the need for improvement of
rules and practice pertaining to how responsibilities and tasks
are divided between the CCR-operators during process
disturbances and emergency situation.
Alarm system usefulness
Although many of the results presented above indicated
poor alarm system performance, the results from the
questionnaires give a more complex picture. Ca 70% of the
operators replied that the alarm system gave very good or
adequate support, both during normal operation and upset
situations. The questionnaire results also show that there is a
link between perception of goodness of alarm system
performance and the operators understanding of the system
and its alarms.
80
70
60
50
40
30
20
10
0
Very good Adequate Bad Very Bad
Normal operation Upset situation
Figure 2: Distribution of operators answer to the question of how
their alarm system supported their functions.
When asked to estimate the usefulness of a “normal” alarm
array, the operators were more positive than the results from
the recordings. Only 10% of the alarms required action from
the operators and almost 50% were useful or non-useful
information. A large part of this latter fraction may possibly be
deleted, resulting in a considerable improvement of alarm
rates.
Differences between alarm systems in the
Norwegian and British hazardous industries
The survey results show only minor differences between alarm
system performances in the two sectors. The main conclusion
is thus that major weaknesses and challenges related to alarm
systems are quite similar in both countries. This finding
presents us with a special opportunity for collaboration and
experience sharing in moving forwards with improvements of
the alarm systems and how they are operated.
Conclusions and further work
The results from the audits clearly demonstrates that the
design and management of the alarm systems is poor, and that
their safety critical function in a crisis situation when the
operator is in most need of a well functioning system, may be
seriously impaired. Poor alarm systems draw operators
attention away from tasks that are critical in order to return to
safe state – the alarm system is running the operator, instead of
the operator running the plan.
Our conclusion is based on a sample of seven out of several
ten-folds alarm systems on the continental shelf. However the
other systems are designed and operated by the same parties
that are responsible for those we audited. There is therefore
reason to believe that the major findings in our study also hold
for the majority of the systems in use.
SPE 86597 5

In conclusion, the major areas for improvement are:

Increased management attention to alarm system –
operator function.
Improving alarm system management, including:
philosophies, performance objectives, performance
monitoring, procedures for management of change and
operator training.
Improving alarm system performance both as
reduction in alarm rates and improved alarm
presentation and handling.

The NPD has therefore sent a letter to all the operating

companies to make sure that the results from the audits are
known. Furthermore, the NPD requested that the companies
carry out mappings and evaluation of the alarm systems that
were not included in the NPD report, and that similar tools are
used for this purpose. The NPD will take initiatives to ensure
that these mappings are carried out according to plans and that
adequate improvement measures are carried out. Ensuring
opportunities for experience transfer between the operating
companies will be an important future activity, an activity that
should also include engineering companies and alarm
system vendors.

References
1. Health and Safety Executive, (1997) The explosion and fires at the
Texaco Refinery, Milford Haven, 24 July 1994: A report of the
investigation by the Health and Safety Executive into the
explosion and fires on the Pembroke Cracking Company Plant
at the Texaco Refinery, Milford Haven on 24 July 1994.
2. NPD, (2003) Human Factors Assessment Method for Control
rooms.
3. NORSOK (2001) Standard I-CR-002 Safety and automation
systems (SAS) (Rev. 2).
4. NPD (2002) Regulations relating to health, environment and
safety in the petroleum activities.
5. NPD (2001) YA 711 Principles for design of alarm systems.
6. EEMUA (1991) Alarm Systems: A Guide to Design, Management
and Procurement The Engineering Equipment and Materials
Users association (EEMUA) publication no 191.
7. Institute of Energy Technology (2000) Requirement specification
for the HAMBO alarm system, IFE/HRF-2000/1141.