Using Alarms As An Independent Layer of Protection (IPL) in the Safety Life Cycle | AIChE


Alarms and operator response are one of the first layers of protection in preventing a plant upset from escalating into a hazardous event. The paper discusses how to evaluate and maximize the risk reduction (or minimize the probability of failure on demand) of this layer of protection when it is considered as part of a layer of protection analysis (LOPA) for the purpose of performing the Safety Integrity Level (SIL) selection of a Safety Instrumented Function (SIF).

The characteristics of a valid layer of protection (Specific, Auditable, Independent and Dependable) will be reviewed to examine how each applies to alarms and operator response. Considerations for how to assign probability of failure on demand (PFD) will be discussed, including the key factors that contribute to it (e.g., the operator's time to respond, training, human factors, and the reliability of the alarm annunciation / system response). The effect of alarm system performance issues (such as nuisance alarms and alarm floods) on operator dependability (and probability of failure on demand) will be reviewed. Key recommendations will be drawn from the ISA-18.2 standard "Management of Alarm Systems for the Process Industries". The requirements of ANSI/ISA-84.00.01-2004 (IEC 61511) and current best practices in the process industry will also be considered.

The purpose of an alarm is to notify the operator of an equipment malfunction, process deviation or abnormal condition that requires a response.  Alarms help the operator keep the process within normal operating conditions. They also play a significant role in maintaining plant safety, providing a means of risk reduction (layer of protection) to prevent the occurrence of harm from a process hazard.

Unlike other layers of protection, such as a relief valve or safety instrumented system (SIS), the operator's response to an alarm is not an automatic action but a manual action that is subject to human error. Because of the inherent unreliability of human behavior, many safety practitioners struggle when determining the credit that can be taken for the alarm in a layer of protection analysis (LOPA). Some practitioners are very conservative and take no credit (a risk reduction factor of 1.0), while others are very optimistic and take a risk reduction factor greater than 10 (equivalent to SIL 1 or better). Since the operator response to an alarm should never be the last line of defense in preventing significant harm, it is often used in conjunction with a safety instrumented function (SIF). In this scenario the credit taken for the alarm layer has a direct impact on the required safety integrity level (SIL) for the SIF.

When alarms fail as a layer of protection, catastrophic accidents such as Milford Haven (UK), Texas City (USA) and Buncefield (UK) can result. At the Buncefield Oil Depot, a failure of a tank level sensor prevented its associated high level alarm from being annunciated to the operator. As the level in the tank reached its 'ultimate' high level, a second protection layer, an independent safety switch, failed to trigger an alarm to notify the operator and failed to initiate a trip that would have automatically shut off the incoming flow. The tank overflow and ensuing fire resulted in a £1 billion (1.6 billion USD) loss [1].

This paper provides considerations for how to determine the risk reduction (and probability of failure on demand) provided by an operator response to alarm when it is identified in a LOPA. These alarms will be referred to in this paper as safety IPL alarms.

The paper also provides recommendations on how to ensure that the targeted or expected risk reduction is delivered in practice for alarms identified as IPLs or as safeguards from a HAZOP.

Operator response to alarms (safety IPL alarms) can be used to reduce risk as part of a layer of protection analysis.  In order to accurately estimate their risk reduction credit, it is important to understand the design of the system, the operator’s environment and the alarm management practices and procedures that will be used during operation.

The paper will also show that the reliability of the hardware (sensor, logic solver, HMI, final element) sets a floor on the probability of failure on demand for a safety IPL alarm. The example calculations yielded a hardware contribution of 0.045 and 0.024 for BPCS and SIL-rated hardware respectively. This means that it is impossible for a safety IPL alarm to achieve a PFD of 0.01 (equivalent to SIL 2) even with perfect operator reliability. It also means that it is important to validate the reliability of the hardware that is being used as part of a safety IPL alarm. The selection of SIL-rated hardware can improve performance, but in general the PFD for a safety IPL alarm is dominated by the operator's ability to detect, diagnose and respond to the alarm correctly and within the required time.
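The hardware floor described above follows from treating the alarm IPL as a series system: the alarm must be annunciated and the operator must then act, and either failure defeats the layer. The following Python is an added example, not code from the paper or its authors. The hardware PFD values 0.045 and 0.024 are the paper's example figures; the human error probability (HEP) values, the SIL band labels used for comparison, and the 0.1 cap in claimable_pfd (the usual LOPA limit for an operator-response IPL) are assumptions introduced for illustration.

```python
"""Series model of an alarm IPL: hardware annunciation AND operator response.

Added example, not from the paper. With independent failures,

    PFD_ipl = 1 - (1 - PFD_hw) * (1 - HEP)

where PFD_hw is the hardware probability of failure on demand (sensor,
logic solver, HMI, final element) and HEP is the probability that the
operator fails to detect, diagnose and act in time. The hardware values
0.045 (BPCS) and 0.024 (SIL-rated) are the paper's example figures; the
HEP values in the demo at the bottom are assumptions.
"""
import math

PFD_HW_BPCS = 0.045   # paper's example value, BPCS hardware
PFD_HW_SIL = 0.024    # paper's example value, SIL-rated hardware


def ipl_pfd(pfd_hw, hep):
    """PFD of the alarm IPL: the layer works only if hardware AND operator work."""
    for p in (pfd_hw, hep):
        if not 0.0 <= p <= 1.0:
            raise ValueError("probabilities must lie in [0, 1]")
    return 1.0 - (1.0 - pfd_hw) * (1.0 - hep)


def rrf(pfd):
    """Risk reduction factor, the reciprocal of PFD (infinite for PFD 0)."""
    return math.inf if pfd == 0.0 else 1.0 / pfd


def sil_band(pfd):
    """IEC 61511 demand-mode SIL band that a PFD falls in. Used here only for
    comparison, since an operator-response IPL is not itself a SIF."""
    if pfd >= 0.1:
        return "below SIL 1"
    if pfd >= 0.01:
        return "SIL 1"
    if pfd >= 0.001:
        return "SIL 2"
    if pfd >= 0.0001:
        return "SIL 3"
    return "SIL 4"


def hep_required(pfd_hw, target_pfd):
    """Operator error probability needed to reach target_pfd, or None when the
    hardware floor alone already exceeds the target (target unattainable)."""
    if pfd_hw >= 1.0 or target_pfd < pfd_hw:
        return None
    return 1.0 - (1.0 - target_pfd) / (1.0 - pfd_hw)


def claimable_pfd(pfd_hw, hep, cap=0.1):
    """PFD that may be claimed in a LOPA: the computed value, but never better
    than `cap`. The 0.1 cap (RRF 10) is an assumed LOPA practice, not a value
    taken from the paper."""
    return max(ipl_pfd(pfd_hw, hep), cap)


if __name__ == "__main__":
    for label, hw in (("BPCS", PFD_HW_BPCS), ("SIL-rated", PFD_HW_SIL)):
        for hep in (0.0, 0.05, 0.1, 0.3):   # assumed HEP values for the demo
            p = ipl_pfd(hw, hep)
            print(f"{label:9s} hw={hw:.3f} hep={hep:.2f} -> PFD={p:.4f} "
                  f"RRF={rrf(p):5.1f} ({sil_band(p)})")
        print(f"{label:9s} HEP needed for PFD 0.01: {hep_required(hw, 0.01)}")
```

Running the demo shows the point of the paragraph: with either hardware set, hep_required(hw, 0.01) is None, so no amount of operator training reaches SIL 2 territory, and with a realistic HEP the combined PFD sits near or above 0.1, which is why the operator term dominates.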

A primary factor in the operator's reliability is the performance of the alarm system itself, as will be discussed. Consequently, additional criteria will be proposed for evaluating whether an alarm is a valid IPL. In addition to being Specific, Auditable, Independent and Dependable, the following criteria address the performance of the alarm system and help ensure a well-functioning alarm system is provided for the operator.

The alarm must be proven to be valid when it is first proposed / identified.

The alarm system must be rationalized.

Alarm system performance must be measured and proven to be adequate.

If the alarm system has not gone through rationalization and / or its performance has not been proven to be acceptable by comparison to the metrics established in ISA-18.2, then it is recommended that a PFD of no less than 0.5 (a risk reduction factor of no more than 2) be used for a safety IPL alarm. It would certainly be inappropriate to claim a PFD of 0.1 (a risk reduction factor of 10) in a LOPA if the operator is subjected to nuisance alarms and alarm floods and is not provided with alarm response procedures. In some cases it may be more appropriate to eliminate any credit altogether unless the above criteria have been met.
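The credit rule above depends on being able to measure alarm system performance. The following Python is an added example, not code from the paper or its authors: it computes the basic ISA-18.2-style metrics (average alarm rate, peak rate per 10 minutes, flood windows, time in flood, share of the top ten most frequent alarms) over a constructed alarm log and maps the result onto the PFD credit rule stated above. The alarm log is constructed, and the benchmark thresholds (a flood is more than 10 alarms in a 10-minute period, no more than 1 % of time in flood, an average of about 150 alarms per operator per day) are the commonly cited ISA-18.2 / EEMUA 191 figures, treated here as assumptions to be confirmed against the edition of the standard in use.

```python
"""ISA-18.2-style alarm performance metrics over a constructed alarm log,
mapped onto the PFD credit rule for a safety IPL alarm.

Added example, not from the paper. Thresholds below are the commonly cited
ISA-18.2 / EEMUA 191 benchmarks and are assumptions for this example.
"""
from collections import Counter
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
FLOOD_THRESHOLD = 10        # more than 10 alarms in a 10-minute window = flood
MAX_FLOOD_FRACTION = 0.01   # no more than 1 % of windows in flood
MAX_AVG_PER_DAY = 150.0     # average annunciated alarms per operator per day

DAY_START = datetime(2024, 1, 1)
DAY_END = DAY_START + timedelta(days=1)


def constructed_log(with_burst):
    """Constructed log of (timestamp, tag): one alarm every 40 minutes as a
    steady background, optionally plus 60 alarms in 30 minutes after an
    upset at 14:00 (an alarm flood)."""
    log = [(DAY_START + timedelta(minutes=40 * i), f"PI-{100 + i % 5}")
           for i in range(36)]
    if with_burst:
        log += [(DAY_START + timedelta(hours=14, seconds=30 * i), f"TI-{200 + i % 8}")
                for i in range(60)]
    return sorted(log)


def window_counts(log, start, end):
    """Alarms per consecutive fixed 10-minute window over [start, end)."""
    counts = []
    t = start
    while t < end:
        counts.append(sum(1 for ts, _ in log if t <= ts < t + WINDOW))
        t += WINDOW
    return counts


def metrics(log, start=DAY_START, end=DAY_END):
    """Rate, peak, flood and 'bad actor' metrics for the log over [start, end)."""
    counts = window_counts(log, start, end)
    flood_windows = sum(1 for c in counts if c > FLOOD_THRESHOLD)
    span_days = (end - start).total_seconds() / 86400.0
    by_tag = Counter(tag for _, tag in log)
    top10 = sum(n for _, n in by_tag.most_common(10))
    return {
        "avg_per_day": len(log) / span_days,
        "peak_per_10min": max(counts),
        "flood_windows": flood_windows,
        "flood_fraction": flood_windows / len(counts),
        "top10_fraction": top10 / len(log) if log else 0.0,
    }


def performance_acceptable(m):
    """True when the measured metrics meet the assumed benchmarks."""
    return (m["avg_per_day"] <= MAX_AVG_PER_DAY
            and m["flood_fraction"] <= MAX_FLOOD_FRACTION)


def credit_pfd(rationalized, m, strict=False):
    """Credit rule from the text: PFD 0.1 only if the alarm system has been
    rationalized AND its performance is proven adequate; otherwise no better
    than 0.5, or no credit at all (PFD 1.0) when `strict` is set."""
    if rationalized and performance_acceptable(m):
        return 0.1
    return 1.0 if strict else 0.5


if __name__ == "__main__":
    for burst in (False, True):
        m = metrics(constructed_log(burst))
        print(f"burst={burst}: {m}")
        print("  rationalized system, claimable PFD =", credit_pfd(True, m))
```

In the constructed log the burst alone pushes three of the 144 ten-minute windows over the flood threshold, so just over 2 % of the day is in flood even though the daily average (96 alarms) is well under the benchmark; the flood criterion, not the average rate, is what withholds the 0.1 credit. On a real system the log would come from the alarm historian and the metrics would be tracked over weeks, not a single day.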

This paper has an Extended Abstract file available; you must purchase the conference proceedings to access it.
