Vous êtes sur la page 1sur 5

SPE 86597

Safety Assessment of Alarm Systems on Offshore Oil and Gas Production Installations
in Norway
Eirik Bjerkebaek and Trond Sigurd Eskedal/Norwegian Petroleum Directorate

Copyright 2004, Society of Petroleum Engineers Inc.


During audits, safety assessments, and investigation of
This paper was prepared for presentation at The Seventh SPE International Conference on
Health, Safety, and Environment in Oil and Gas Exploration and Production held in Calgary,
incidents on petroleum production facilities on the Norwegian
Alberta, Canada, 29–31 March 2004. continental shelf, the NPD has identified alarm systems as a
This paper was selected for presentation by an SPE Program Committee following review of major area of concern with regard to shortcomings in the
information contained in a proposal submitted by the author(s). Contents of the paper, as
presented, have not been reviewed by the Society of Petroleum Engineers and are subject to
safety function in central control rooms (CCR) function. In
correction by the author(s). The material, as presented, does not necessarily reflect any this context the co-function of the alarm system and the CCR-
position of the Society of Petroleum Engineers, its officers, or members. Papers presented at
SPE meetings are subject to publication review by Editorial Committees of the Society of operator is viewed as a main barrier towards serious incidents
Petroleum Engineers. Electronic reproduction, distribution, or storage of any part of this paper
for commercial purposes without the written consent of the Society of Petroleum Engineers is
and accidents – a barrier where physical and non-physical
prohibited. Permission to reproduce in print is restricted to a proposal of not more than 300 functions need to play in concert.
words; illustrations may not be copied. The proposal must contain conspicuous
acknowledgment of where and by whom the paper was presented. Write Librarian, SPE, P.O. Shortcomings of these systems have in several cases
Box 833836, Richardson, TX 75083-3836, U.S.A., fax 01-972-952-9435. contributed to control-room operators, not being able to detect
disturbances and deviations early enough to avoid further
Abstract event escalation and shutdown of the process plant. In some
High quality alarm systems are essential to safe offshore cases the alarm system, by presenting non-useful information
petroleum production. The Norwegian Petroleum Directorate even hinders the ability of the operator to cope adequately
(NPD) has carried out safety assessments of alarm systems on with the situation. Also, poorly designed alarm systems make
seven of the petroleum production installations in Norway. it difficult for the CCR-operators to discover deviations in the
The assessment clearly demonstrates that poor alarm system production process, thus hindering timely and adequate
performance and management represents the greatest human compensatory actions, necessary to maintain high production
factor challenge within control room environments offshore. regularity.
This paper describes and discusses the results from a
Introduction project, which has aimed to involve the operating companies
Recently, the human factor is seen as increasingly important in in a joint effort to improve both existing alarm systems and
targeting higher HSE performance in our industry. HSE- design of new systems. The paper concentrates on the audit
culture and human behaviour has become main themes in results and our experiences with this type of auditing.
programs aiming to reduce risk and harm from petroleum
activities. In the Norwegian Petroleum Industry this change is Scope of project
for instance reflected in sharpened regulatory requirements The project involves all operating companies in Norway, as
pertaining to HSE culture, and human factors analysis in well as the major vendors of safety and automation systems
design. (SAS) for the petroleum industry. It consists of a series of
However, this approach will not be successful if we do not different activities, all aimed at contributing to enhanced alarm
at the same time use human factors expertise in improving the system design and performance by:
quality of the technical and organizational systems that shall
• Developing up to date requirements for control room
facilitate adequate responses and behaviour. Understanding
and alarm system design.
the man-technology-organisation (MTO) interplay is the key
to successful design and operation. • Mapping and auditing the quality and performance of
Investigations of major accidents clearly show that poorly existing alarm systems as well as management of
designed and maintained barrier functions are a prominent these.
factor in almost every disaster and near-miss situation. The • Uncovering major challenges and obstacles with
Milford Haven accident specifically showed how poorly regard to improving existing alarm systems
designed alarm systems and poor alarm system management • Contributing to experience transfer on adequate
can be a major safety risk when the alarm system and solutions and best practices in alarm system design
associated operator response claim to be a key factor in safety and management.
critical functions1. Accordingly the Health and Safety • Initiating and facilitating appropriate change
Executive (HSE) in the UK took several initiatives to improve processes, both at company and industry level, with
alarm system design and management. regard to implementing results from the project.
2 SPE 86597

The project has been carried out by the NPD with assistance installations run by the different operating companies, and
from the Institute of Energy Technology. with both old and new alarm systems from the major vendors.
The different methods used were:
New requirements for alarm system design
• Operator survey: Questionnaires were distributed to
During the late 1990s it became clear that the existing
all CCR-operators on the facilities included in the
Norwegian requirements, together with applicable standards,
study and returned anonymously. The questions
on alarm system design failed to ensure that the alarm systems
focused on their subjective opinion of the alarm
were designed to provide sufficient and adequate operator
systems weaknesses and strengths, as well as on
support. Although the NPD developed a methodology for
training and retraining. A total of 64 questionnaires (9
reviewing implementation of human factors design principles
per installation) were returned. The questionnaire was
in CCR design based on the ISO 11064 standard2, the design
similar to the one used by the HSE, allowing
solutions still had significant weaknesses. A recently revised
comparison of data.
NORSOK standard3 also failed to target what the NPD viewed
as the main issues to ensure improved alarm-system design. • Alarm log analysis: In advance of the audits we
In the UK one of the measures that HSE took after the requested alarm logs from the facilities. These were
Milford Haven accident was to develop and implement new logs chosen by the companies on an arbitrary basis.
requirements and guidelines for design and management of The logs were analysed with respect to performance
alarm systems. Based on the British experience, the NPD indicators, such as average alarm rate and frequency
concluded that a more concise and up-to-date set of distribution of alarms.
requirements was needed. This involved incorporating new • Alarm usability survey: During the offshore audit
requirements in the HSE Regulations for the Norwegian activity, the CCR-operators were asked to register all
Petroleum Industry4, addressing more closely the functionality alarms within a given time frame. The registered
of human-machine interfaces, human factors analysis as basis alarms were categorised by their importance according
for design requirements, and requirements for training and to recognised prioritisation principles.
retraining of operators. It also involved issuing a new set of • Checklist reviews: The audit team used predefined
specific requirements for alarm system design, as a normative checklists during interviews with CCR-operators and
reference for compliance with the functional requirements in management.
the Norwegian regulations5. This set of alarm requirements • Observations in the CCR: During the offshore visit the
was based on experience from petroleum and process industry audit team spent time in the CCR observing the
both on- and offshore, as well as on standards from nuclear pattern of alarm presentation and alarm handling, and
industry6, 7. The new set of alarm system requirements consists verifying how company alarm system management
of 43 principles divided into the following topics: requirements were implemented in practice.
• General management requirements
• Alarm generation Results
• Alarm structuring Alarm system management
Alarm system management includes factors that affect
• Alarm prioritisation
alarm system performance as well as factors that affect the
• Alarm presentation
quality of expected operator response to alarms, e.g. training,
• Alarm handling and procedures.
These new requirements were to be ambitious, but Alarm system philosophy and specification
realistic, in terms of technical feasibility. The major vendors The alarm systems and their functionality were generally
of alarm systems in Norway were consulted as to whether their not based on a documented and available alarm philosophy for
systems could comply. Generally the feedback was positive. the company or installation. Several of the systems consisted
So far the feedback from the operating companies on of elements from different vendors, without an integrated
application of these requirements is generally positive. system philosophy. In these cases system configuration and
However, the operating companies are still confronted with alarm presentation had to a large extent been determined by
vendor’s arguments on system limitations, when aiming at the SAS vendor.
necessary progress in alarm system development. Experiences Management of change and non-conformances
from NPD audits clearly show that a proactive and dedicated With respect to the importance of the alarm system to
effort from the operating company is necessary to ensure that safety and production rates, one would expect clear-cut
vendors put sufficient effort into delivering compliant systems and practice for managing changes in the alarm
solutions. Developing clear alarm philosophies/specifications systems. The audits clearly showed an inadequate attention
as well as project follow-up strategies during the design phase towards this issue. Documentation of changes to alarm limits
are important keys to success. was of varying quality, especially regarding justification for
change and documentation availability.
Mapping and auditing of alarm system management Disabling of alarms is often necessary during certain
and performance modes of operation (e.g. start up), during instrument faults and
In order to carry out mapping and auditing, several tools were during testing of safety systems. Management of such
developed, based on the new set of regulations and EEMUA disabling is an important aspect of alarm system performance.
1916. During a period of one year we audited seven offshore If the alarm with its associated operator response is regarded
SPE 86597 3

as safety critical, procedurised compensatory measures shall alarms per ten minutes. Six of the alarm systems produced
be in place. Our audits clearly showed that this is a poorly alarm rates above the rate set as manageable in the EEMUA
attended management issue. The quality of the procedures that 191. The operators’ estimation of alarm rates in the
regulate alarm disabling and the practice of such procedures questionnaire was 3.3 alarms per 10 minutes (range 1,7 – 5.8),
was often poor. In several cases it proved difficult to obtain a which corresponds well with recorded rates in the arbitrarily
quick overview over current disabling and compensatory chosen measurement periods.
measures. Only two of the seven installations had satisfactory In a tripp or shutdown situation the recorded numbers of
management of alarm disabling. alarms during the first minute of the event ranged from 33 to
CCR-operator training 399. The large variation is mainly due to differences in the
None of the audited installations could document a severity of the upset causing a tripp. However, all situations
systematic approach to training and re-training pertaining to caused rates that are unacceptable in terms of introducing a
understanding and operation of the alarm system. Only one of significantly higher risk that important alarms are overlooked,
the installations had developed a simulator usable for operator misunderstood, or given an inadequate operator response. This
training and drilling relevant for handling of production conclusion is supported by the questionnaire data, showing
disturbances and crisis intervention. However, this simulator that 70% of the operators experience that alarm rates are to
was not part of the current training scheme. Some of the high to allow adequate alarm handling in upset situations.
operators had received formal training as part of Alarms that are not relevant in the specific situation
commissioning of the CCR and alarm system. Presently represent a major fraction of the alarms. Both irrelevant
however, different schemes for “on-the-job training” were repetitive alarms and standing alarms were common. In the
common practice. questionnaires, 32% of the respondents answered that more
With high regularity and production goals for the plants, an than ca every second alarm was repetitive, which corresponds
“on-the-job” training scheme will often suffer from nicely to the figures from the recordings. Figure 1 shows
insufficient opportunities and resources for training on crisis recordings from one case where the alarm rate was
intervention. unacceptably high during 90 minutes of normal operation.
Performance monitoring and improvement
There was little sign of management focus on determining
weaknesses and improving performance in the alarm systems. 60
60% of the CCR-operators held the view that too little effort
was put into alarm system improvement. Routines for 50
mapping and evaluation of the quality of the alarm systems
were missing in all companies. Performance criteria for the
Alarms/minute

40
system had not been set. Consequently, none of the companies
carried out systematic evaluation of how their systems
function as a safety barrier and operator support tool. The 30
companies system for following up deviations, incidents and
unwanted conditions had to very little extent been used to 20
register and follow up human error types e.g. mistakes, slips
and other conditions that relate to CCR-operation. 10
Lately, increased focus on cost margins and increased
production cause many offshore process plants to be operated 0
close to their design limits. This increases the necessity of
optimal CCR-performance. In this case the general lack of
focus on corrective measures related to the alarm system and Figure 1. Alarm rates sampled during 2,5 hours of normal
CCR-operator response and behaviour patterns not only operation on one installation.
affects the safety level, it also affects production rates and
regularity. A few non-critical alarms caused this situation. During this
time period, one alarm was presented more than 700 times,
Alarm system performance and 3 other alarms presented ca 250 times each.
Alarm rates Alarm signal filtering was a feature of all the systems.
The results from the audits showed that unacceptably high However, there was considerable variation in how this
average alarm rates was the main consequence of poor alarm functionality was implemented and optimised. None of the
system management. According to the EEMUA 1916 less than systems presented alarms based on binary logics and
one alarm per 10 minutes is acceptable during normal algorithms. It should also be noted that none of the companies
operation, one alarm per 5 minutes is manageable, while more could present data showing the number of different alarms that
than 1 alarm per minute is very likely to be unacceptable. In the system is designed to generate. The average of CCR-
an upset situation, the corresponding rates for acceptable and operators estimation of the number of alarms was relatively
unacceptable rates are 1 and ten alarms per minute high and ca 50% of the operators responded that there were to
respectively. many alarms in the systems. This clearly indicates a need for a
Analysis of the alarm registration samples showed that systematic review of all the alarms, to decide which can be
alarm rates during normal operation ranged from 1 to 20 removed.
4 SPE 86597

Alarm structuring and prioritisation Alarm system usefulness


Most of the alarm systems demonstrated the ability to Although many of the results presented above indicated
present selective alarm lists (e.g. by system or plant area). poor alarm system performance, the results from the
However, none of the systems were based on recognised questionnaires give a more complex picture. Ca 70% of the
principles for alarm prioritisation. Managers with alarm operators replied that the alarm system gave very good or
system responsibility, as well as CCR-operators showed a adequate support, both during normal operation and upset
general lack of understanding of the concept of prioritisation, situations. The questionnaire results also show that there is a
including how to develop prioritisation rules. On some link between perception of goodness of alarm system
installations they claimed to have alarm priorities , but these performance and the operators understanding of the system
reflected different alarm categories (i.e. warning alarm, fault and its alarms.
alarm and action alarm) not the criticality of the alarm.
Alarm suppression is a useful tool for improving operator
performance. Suppression is here defined as omitting the 80
alarm from presentation to operator, but still having the alarm 70
available in the system for other purposes – e.g. alarm log 60
analyses. However, this feature had not been implemented to 50
any significant extent in the systems we reviewed. 40
Alarm presentation 30
20
There was considerable variation in the design of alarm
10
displays on operator VDUs and wall panels. While fire and
0
gas alarms always were presented separately to facilitate
Very good Adequate Bad Very Bad
overview, other critical alarms (e.g. alarm from other safety
critical equipment, and critical process alarms) were not
Normal operation Upset situation
presented with similar clarity. Only 25% of the CCR-operators
experience that the alarm systems presents them with a Figure 2: Distribution of operators answer to the question of how
sufficiently clear presentation of safety critical alarms. their alarm system supported their functions.
Alarm text quality was generally poor. Incomprehensible
and inconsistent use of abbreviations, wrong sequencing of the When asked to estimate the usefulness of a “normal” alarm
information elements within an alarm text, and array, the operators were more positive than the results from
incomprehensible alarms related to SAS function (system the recordings. Only 10% of the alarms required action from
alarms) were major contributors to alarm interpretation the operators and almost 50% were useful or non-useful
difficulties. The important human factors principle of information. A large part of this latter fraction may possibly be
presenting the most important information (i.a. tag and alarm deleted, resulting in a considerable improvement of alarm
description) first was generally not adhered to (e.g. time and rates.
date information was given first in many cases).
The use of colours in VDUs did generally not reflect alarm Differences between alarm systems in the
criticality, as would be expected from the lack of alarm Norwegian and British hazardous industries
prioritisation. According to human factors principles, red and The survey results show only minor differences between alarm
yellow should be reserved for important alarms. These colours system performances in the two sectors. The main conclusion
were however also used for a number of other information is thus that major weaknesses and challenges related to alarm
purposes. All the alarm systems have considerable systems are quite similar in both countries. This finding
improvement potential in terms of compliance with recognised presents us with a special opportunity for collaboration and
principles of alarm presentation. experience sharing in moving forwards with improvements of
Alarm handling the alarm systems and how they are operated.
Alarm handling during normal operation generally
occurred according to recognised principles for alarm Conclusions and further work
handling. Improvement measures that should be considered The results from the audits clearly demonstrates that the
are improving navigation between alarm screens and process design and management of the alarm systems is poor, and that
screens, and increased use of manual alarm suppression their safety critical function in a crisis situation when the
(shelving). Feedback from the operators clearly indicates that operator is in most need of a well functioning system, may be
alarm handling is poor during upset situations. 75% for the seriously impaired. Poor alarm systems draw operators
respondents answer that the alarm rates are too high to attention away from tasks that are critical in order to return to
perceive the alarm information and perform adequate alarm safe state – the alarm system is running the operator, instead of
handling, and 65% respond that they quite often have to the operator running the plan.
acknowledge alarms without understanding their content. This Our conclusion is based on a sample of seven out of several
is reflected in Figure 2. These results underscores another ten-folds alarm systems on the continental shelf. However the
finding from the audits, which is the need for improvement of other systems are designed and operated by the same parties
rules and practice pertaining to how responsibilities and tasks that are responsible for those we audited. There is therefore
are divided between the CCR-operators during process reason to believe that the major findings in our study also hold
disturbances and emergency situation. for the majority of the systems in use.
SPE 86597 5

In conclusion, the major areas for improvement are:


Increased management attention to alarm system –
operator function.
Improving alarm system management, including:
philosophies, performance objectives, performance
monitoring, procedures for management of change and
operator training.
Improving alarm system performance both as
reduction in alarm rates and improved alarm
presentation and handling.

The NPD has therefore sent a letter to all the operating


companies to make sure that the results from the audits are
known. Furthermore, the NPD requested that the companies
carry out mappings and evaluation of the alarm systems that
were not included in the NPD report, and that similar tools are
used for this purpose. The NPD will take initiatives to ensure
that these mappings are carried out according to plans and that
adequate improvement measures are carried out. Ensuring
opportunities for experience transfer between the operating
companies will be an important future activity, an activity that
should also include engineering companies and alarm
system vendors.

References
1. Health and Safety Executive, (1997) The explosion and fires at the
Texaco Refinery, Milford Haven, 24 July 1994: A report of the
investigation by the Health and Safety Executive into the
explosion and fires on the Pembroke Cracking Company Plant
at the Texaco Refinery, Milford Haven on 24 July 1994.
2. NPD, (2003) Human Factors Assessment Method for Control
rooms.
3. NORSOK (2001) Standard I-CR-002 Safety and automation
systems (SAS) (Rev. 2).
4. NPD (2002) Regulations relating to health, environment and
safety in the petroleum activities.
5. NPD (2001) YA 711 Principles for design of alarm systems.
6. EEMUA (1991) Alarm Systems: A Guide to Design, Management
and Procurement The Engineering Equipment and Materials
Users association (EEMUA) publication no 191.
7. Institute of Energy Technology (2000) Requirement specification
for the HAMBO alarm system, IFE/HRF-2000/1141.

Centres d'intérêt liés