Examination of Events that Occur During an Alarm Flood – Their Impact on Safety and Proper Corrective Action Global Congress on Process Safety April 2015

Presenter

Dustin Beebe, P.E.
• Graduated from Arkansas with B.S. in Chemical Engineering
• Joined ProSys in 1996
• Earned Professional Engineer designation in 2001
• Became CEO of ProSys in 2009

Alarm Floods Impact

• Operator Errors
• Product Quality or Production Issues
• Loss of Layer of Protection Analysis (LOPA) Integrity
• Equipment Damage
• Safety and Environmental Consequences

Alarm Floods and Associated Incidents

An alarm flood is like a near miss. You never know when it hides a critical process alarm with a potential incident to follow...

Operator Response to a Single Alarm

1. Operator hears/sees alarm.
2. Operator silences alarm.
3. Operator goes to appropriate display for alarm.
4. Operator acknowledges alarm.
5. Operator diagnoses issues.
6. Operator makes necessary changes.
7. Operator monitors variables to determine if changes are working.
8. Repeat steps 5 through 8.

Operator Response to a Flood

• How burdensome would it be to address 10 alarms in 10 minutes?

• What about 100 or 1000 alarms?

• Would the operator be set up to fail under these conditions?

Findings after Incident Reviews

• The Chemical Safety Board (CSB) has cited alarm floods as being significant contributing factors to incidents.

• The Engineering Equipment and Materials Users Association (EEMUA) came to the same conclusion after analyzing major incidents around the world in 2013.

• Therefore, the connection of alarm floods to incidents has been well documented for many years.

The Cost of Errors

[Figure: Average Dollar Loss per Major Incident by Cause. Bar chart in millions of dollars (axis 0 to 100) for the causes Mechanical Failure, Operational Error, Unknown, Process upset, Natural Hazard, Design error, and Sabotage / arson. Source: J & H Marsh & McLennan, Inc.]

The Cost of Operator Errors

• The American Society for Metals (ASM) estimates total loss due to operator error is $8B per year.

• Errors cause 42% of unscheduled shutdowns.

• 70% of process incidents occur during start-up or shutdown.

ASM Consortium Claims

• Cost of production disruptions is estimated to be ~3% to 8% of capacity.

• Cost of Lost Production due to accidents - $10B.

ASM Consortium - Effect of Incidents

Loss of LOPA Integrity

• Tied to operator response.
• Operator is expected to react to specific alarms in a prescribed manner.
• During an alarm flood, there is no guarantee that the operator will respond the designated way.
• Could invalidate LOPA Integrity.
• LOPA Teams should consider alarm floods.

Equipment Damage

ASM Consortium Reports
• Cost of equipment repair, replacement, environmental fines, casualty compensation, investigation and litigation – estimated to cost another $10B.

Equipment Damage

[Figure: chart with axis "Number of Total Alarms"]

Equipment Damage

Three Mile Island
• During first few minutes… more than 100 alarms went off… and no system for suppressing the unimportant signals so that operators could concentrate on the significant alarms.… Little attention had been paid to the interaction between humans and machines until the accident.

–The President’s Commission on the Accident at TMI

Safety/Environmental Consequences

Deepwater Horizon
• 11 lives lost and ~3.2 million bbls of oil discharged into the Gulf of Mexico.
• Up to 20 sensors glowing magenta on console…. she hesitated… she did not sound the general master alarm…. instead she began pressing buttons that told the system that the bridge crew was aware of the alarms… She commented… “It was a lot to take in”…. “there was a lot going on.”

Safety/Environmental Consequences

• Her supervisor was on the bridge. The supervisor said that he kept trying to silence alarms so that he could think about what to do next.

• “I don’t think anybody was trained for the massive detector alarms that were going off that night.”

Safety/Environmental Consequences

Texaco Milford-Haven explosion
• 26 injuries and $76M in damage
• Investigation found that the operators were hampered by:
  • Lack of good overview graphics.
  • Excessive alarm rate of one every 2 or 3 seconds for 5 hours before the incident.
  • The operators experienced 275 alarms in 10.7 minutes before the explosion.

Corrective Actions

• Well thought-out alarm philosophy document
• Dynamic Alarm Rationalization – more than one process state
• Skids should be rationalized and conform to alarm philosophy.

• Dynamic alarm software that is properly implemented

• Performance meets ISA 18.2 standards

Conclusion

• Bad things happen during alarm floods.
• Launches operator into a no-win situation.
• Justification is available – see examples.
• Not all dynamic alarm management is the same.
• If your dynamic alarm management is no longer providing results, contact an expert for an independent opinion.