examination of events that occur during an alarm flood examination
TRANSCRIPT
Examination of Events that Occur During an Alarm Flood –
Their Impact on Safety and Proper Corrective Action
Global Congress on Process SafetyApril 2015
Presenter
Dustin Beebe, P.E.• Graduated from Arkansas with B.S. in Chemical
Engineering• Joined ProSys in 1996• Earned Professional Engineer designation in
2001• Became CEO of ProSys in 2009
Alarm Floods Impact
• Operator Errors• Product Quality or Production Issues• Loss of Layer of Protection Analysis (LOPA) Integrity• Equipment Damage• Safety and Environmental Consequences
Alarm Floods and Associated Incidents
An alarm flood is like a near miss. You never know when it hides a critical process alarm with a potential incident to follow...
Operator Response to a Single Alarm
1. Operator hears/sees alarm.2. Operator silences alarm.3. Operator goes to appropriate display for alarm.4. Operator acknowledges alarm.5. Operator diagnoses issues.6. Operator makes necessary changes.7. Operator monitors variables to determine if
changes are working.8. Repeat steps 5 through 8.
Operator Response to a Flood
• How burdensome would it be to address 10 alarms in 10 minutes?
• What about 100 or 1000 alarms?• Would the operator be set up to fail under
these conditions?
Findings after Incident Reviews
• The Chemical Safety Board (CSB) have cited alarm floods as being significant contributing factors to incidents.
• The Engineering Equipment and Materials Users Association (EEMUA) came to the same conclusion after analyzing major incidents around the world in 2013.
• Therefore, the connection of alarm floods to incidents has been well documented for many years.
The Cost of Errors
Average Dollar Loss per Major Incident by Cause
0 25 50 75 100
Mechanical Failure
Operational Error
Unknown
Process upset
Natural Hazard
Design error
Sabotage / arson
Millions of DollarsSource J & H Marsh & McLennan, Inc.
The Cost of Operator Errors
• The American Society for Metals (ASM) estimates total loss due to operator error is $8B per year.
• Errors cause 42% of unscheduled shutdowns.
• 70% of process incidents occur during start-up or shutdown.
ASM Consortium Claims
• Cost of production disruptions is estimated to be ~3% to 8% of capacity.
• Cost of Lost Production due to accidents - $10B.
Loss of LOPA Integrity
• Tied to operator response.• Operator is expected to react to specific alarms in
a prescribed manner.• During an alarm flood, there is no guarantee that
the operator will respond the designated way.• Could invalidate LOPA Integrity.• LOPA Teams should consider alarm floods.
Equipment Damage
ASM Consortium Reports• Cost of equipment repair, replacement,
environmental fines, casualty compensation, investigation and litigation – estimated to cost another $10B.
Equipment Damage
Three Mile Island • During first few minutes… more than 100
alarms went off… and no system for suppressing the unimportant signals so that operators could concentrate on the significant alarms.… Little attention had been paid to the interaction between humans and machines until the accident.
–The President’s Commission on the Accident at TMI
Safety/Environmental Consequences
Deepwater Horizon • 11 lives lost and ~3.2 million bbls of oil discharged
into the Gulf of Mexico.• Up to 20 sensors glowing magenta on console….
she hesitated… she did not sound the general master alarm…. instead she began pressing buttons that told the system that the bridge crew was aware of the alarms… She commented…”It was a lot to take in”…. ”there was a lot going on.”
Safety/Environmental Consequences
• Her supervisor was on the bridge. The supervisor said that he kept trying to silence alarms so that he could think about what to do next.
• “I don’t think anybody was trained for the massive detector alarms that were going off that night.”
Safety/Environmental Consequences
Texaco Milford-Haven explosion • 26 injuries and $76M in damage• Investigation found that the operators were
hampered by:• Lack of good overview graphics.• Excessive alarm rate of one every 2 or 3 seconds for 5
hours before the incident. • The operators experienced 275 alarms in 10.7 minutes
before the explosion.
Corrective Actions
• Well thought-out alarm philosophy document• Dynamic Alarm Rationalization – more than one
process state• Skids should be rationalized and conform to alarm
philosophy.
• Dynamic alarm software that is properly implemented
• Performance meets ISA 18.2 standards
Conclusion
• Bad things happen during alarm floods.• Launches operator into a no-win situation.• Justification is available – see examples.• Not all dynamic alarm management is the same.• If your dynamic alarm management is no longer
providing results, contact an expert for an independent opinion.
Connect with ProSys
For more information on alarm management, click here.