The Real World Impact of ISA 18 The Real World Impact of ISA 18.2 on Process Industries Kevin Brown Matrikon Inc.

Agenda Introduction What is Alarm Management What is a Lack of Alarm Management OH&S & Legislation An Example Plant Incident Demystifying Standards & Guidelines ISA 18.2 Compliance Alarm Management Lifecycle Steps to Compliance Questions Operators on alert Operator response, alarm standards, protection layers keys to safe plants Intech, September 2009

Kevin Brown - Introduction Manager – North America Alarm Management Team 4.5 years at Matrikon Completed projects from upgrades to $2.8 MM Audits Alarm Philosophy development Facilitate alarm rationalization Spent 20 years in plants in process control Experience with different computer control systems Bailey, Taylor, Advant, GE, Allen Bradley, Metso, TDC3000 Experience with Historians Simsci, MOPS, OSI PI DMZ network design and setup

Matrikon Alarm Management Matrikon has 20 years experience and is the Global Leader in the deployment of Enterprise Wide Alarm Monitoring Solutions with the world’s leading companies,…innovation, safety, commitment to value and high ethical standards

Company Overview Complete Solution Provider Global Presence Other 150+ R&D 100+ Consultants 275+ 550 employees 300+ consultants with extensive domain expertise Complete services, from planning to execution Global Presence 18 offices 17 Partners Strong Presence in Toronto (25 Consultants) TSE: MTK Who is Matrikon

What is Alarm Management? “Process by which alarms are engineered, monitored, and managed to ensure safe, reliable operations”

What is Alarm Management?

What is Alarm Management? Alarm Management is a Core Layer of Protection. COMMUNITY RESPONSE PLANT EMERGENCY RESPONSE PHYSICAL PROTECTION / CONTAINMENT PHYSICAL PROTECTION / RELIEF DEVICES SIS ALARM MANAGEMENT BASIC CONTROLS PROCESS DESIGN

What else is Alarm Management? Continuous lifecycle Plant maintenance/reliability Good process control Outcome of a risk assessment Related to equipment failure A form of Enhanced/Advanced Control Abnormal Situation Management It has been “widely ignored” for a long time Continuous lifecycle. Alarm management is a lifecycle process, based on continuous improvement. If the alarms and associated equipment are not regularly maintained/improved then the system performance will degrade over time. Plant maintenance/reliability. Is absolutely critical. Poor practices can result in chattering alarms, ineffective instruments, false alarms, and safety issues. Good process control. Poorly controlled loops result in too many operator actions, chattering alarms etc. Outcome of a risk assessment. Every task you undertake should be subject to a risk assessment, including determining the requirement to use an alarm to minimse the risk potential. This is simply good engineering practise. Related to Equipment Failure. Too much emphasis is put into safety systems, pressure relief valves etc. Remember they fail too – everything fails at some stage. Two recent incidents in Australia involved an explosion is a vessel that lacked the correct PRV’s, another involved both redundant safety system processes rebooting simultaneously. Enhanced/Advanced Control. There has been significant development is smart alarming techniques such as state-based alarming, model-based alarming, and predictive alarming. Abnormal Situation Management. All about allowing the operator enough time and resources to prevent a unusual event from occuring. ASM consortium has done a lot of research into graphics, control systems, and alarm systems for ASM. It has been “widely ignored” for a long time. Many sites the operators ignore the alarms as the systems are unusable in their current state. I have been to chemical plants, coal prep plants, a refinery, power station where this is the case. To me this is inexcusable.

What is a Lack of Alarm Management?

What is a Lack of Alarm Management? Example: Texas City Oil Refinery 2005. Precursors: - Maintenance cut by 25% - Only one Control Room Operator for the whole plant - Failed level switches - Level transmitter reading incorrectly – no alarm - Workers within exclusion zone - Decided against installing safety flares Outcomes: - 15 people killed - Could have spent a couple of $m but ended up costing $1.6b - Oil Refining industry are now relatively proactive in AM (Ref.) http://www.texascityexplosion.com/ Root Cause for industrial disasters. There have been a number of recent examples in Asia Pacific in the last ten years, but one of the most controversial was the Texas City Oil Refinery Explosion in 2005. Disaster that killed 15 and injured 170 people. Old poorly maintained plant when it was purchased. Maintenance cut by 25%. Only one CRoom operator for the whole plant – 14 poorly designed screens (was two operators). Failed level switches. Level transmitter reading incorrectly – no alarm Workers within exclusion zone. Decided against installing safety flares. Liquid eneterd vapour space, overflowed from a twoer Could have spent a couple of $m but ended up costing $1.6B. Oil and gas industry are now relatively proactive in AM. $$$$ Abnornal Situations cost industry millions of dollars every year.

Alarm Management: It’s about Safety! Documented financial losses estimated at $1.5 billion OSHA leveraged fines for this incident exceeded $87MM

An Example Plant Incident

An Example Plant Incident Plant is unstable, getting towards end of 12hr shift Tank containing hot material reaches HH level Trip on HH level interlock was disabled to replace the instrument and inadvertently not re-enabled Operator misses the alarm because he/she is overloaded and there is an alarm flood High level safety switches that trip the incoming pump have not been tested for over two years and fail to operate Tank overflows and severely burns worker below Let’s look at AM in terms of the Swiss Cheese Risk Model originally developed by James Reason. Each hole in the cheese is symbolic of a potential pathway to employee exposure. We therefore need to establish a number of measures to reduce any potential for exposure.  Plant is unstable, getting towards end of 12hr shift. OPERATIONAL Tank containing hot material reaches HH level. PROCESS Trip on HH level interlock was disabled to replace the instrument and inadvertently not re-enabled (poor MOC). Operator misses the alarm because he/she is overloaded and there is an alarm flood. AM High level safety switches that trip the incoming pump have not been tested for over two years and fail to operate. MAINT Tank overflows and severely burns worker below. INCIDENT

Possible Outcome Employee Impact Possible Injury Potential Fatality Flow-on Family/Community effects Employer Impact Operational Downtime/Loss of Production Investigation by the relevant authority Expert Witness in Court 1st Question to Employer: “Did you comply with an ISA Standards or Internationally accepted Standard”? 2nd Question to Employer: “Did you follow known, good engineering practice”? In recent cases there has been more use of expert witnesses. What would an expert witness say in this case? Employer Impact Responsibilities Employers, irrespective of the size of the business, have the responsibility for the day-to-day health, safety and welfare of their employees and visitors to their workplace. This duty of care is set out in the OHS legislation of the various Australian States and Territories. As well as Companies, individuals from Supervisor level to CEO level have been prosecuted for breaches in OH&S regulations in Australia. Court Case After 2nd Question. An Emplyer can not use the following excuses “I do not have the people” or “I wasn’t aware that such an accepted standard existed.” This could be a published AS, IEC, or other standard, a draft standard, or even a published report/standard from a relevant authority. Expert Witness. AS61508/AS61511 is a published Australia standard for Safety Systems. EEMUA has been out since 1999 and is a well recognised Global Defacto standard for Alarm Systems. ISA 18.02 is in draft format, has been well publicized, and compliments AS 61508/11 as an alarm system lifecycle standard. I have interviewed the operators who in the past have repeatedly complained about the state of the alarm system. The alarm KPIs exceed what is deemed “Very unlikely to be acceptable” in EEMUA 191 and exceeds the ‘Maximum manageable” in ISA 18.02. MOC is very poor etc etc. The safety function level switches had not been tested for over two years. Do I need to say any more? Google “workplace prosecutions” Inadequate guarding and interlocks on a rolling mill caused a crushing injury to an employees hand. The company was fined $220k and the Director $16,500. Depending on the hierarchy of the above Company, the Production Manager/Supt, General Manager, and maybe Engineering Manager could be held accountable.

Key Features ISA 18.2

Key Features – ISA 18.2 Large focus on an Alarm System Lifecycle Clear Alarm System Performance KPIs Section on compliance Alarm Philosophy – what must be included Alarm System requirements Specification Identification Rationalization Advanced Methods Less examples are given Complimentary to EEMUA 191 Due for Release by the end of 2009. Basically tells you what you need to do.

Matrikon & ISA 18.2 Participation Section Leadership Sub-Committees Mike Brown Jeff Gould Michael Marvan Alan Armour Section Leadership Operations Maintenance Management of Change Sub-Committees Monitoring & Assessment Audit Analysis (Annex) ISA’s Committee Website: http://www.isa.org/MSTemplate.cfm?MicrositeID=165&CommitteeID=4627 Due for Release by the end of 2009. Basically tells you what you need to do.

ISA 18.2 Alarm Performance KPIs

Industry Benchmarks: Room to Improve! ISA 144 5 10 80/15/5 1 Oil & Gas 1200 50 220 25/40/35 6 PetroChem 1500 100 180 25/40/35 9 Power 2000 65 350 25/40/35 8 Other 900 35 180 25/40/35 5 Average Alarms per Day Standing (stale) Alarms Peak Alarms per 10 Minutes Average Alarms/ 10 Minute Interval Distribution % (Low/Med/High)

Alarm Management Lifecycle

Alarm Management Lifecycle Philosophy Identification Rationalization Detailed Design Implementation Operation Maintenance Monitoring & Assessment Management of Change Audit Philosophy Audit Rationalization Identification Detailed Design Implementation Maintenance Operation Management of Change Monitoring & Assessment D C E A J B G H F I Scope Conformance to this Standard Definition of terms and acronyms Alarm System Models Limited to computer based alarm systems Process sensors and final control elements are excluded Safety instrumented systems are excluded Except for the alarms generated from SIS systems Process data and event data are excluded Philosophy Alarm philosophy documents the site approach to alarm management Includes the definitions and principles Details of the practices and procedures for each of the remaining life cycle stages Alarm management without a written philosophy Often result in backsliding to pre-improvement performance The philosophy provides a lasting reference to sustain an effective alarm system Identification Many methods utilized Process hazard analysis Incident investigations Important step in the life cycle Methods are not detailed in SP18 Except the identification of alarms from routine monitoring This stage in the life cycle is a holding point for possible alarms to be processed in the next stage Rationalization Reconciling each individual alarm Against the principles and requirements of the alarm philosophy Documenting the alarm to support the other stages of the life cycle Possible alarm is reviewed to document the rationale for the alarm As well as the operator action, response time, and consequence of deviation Critical to improve alarm clarity for the operator Consequences and the response time have been documented assign the alarm a priority based on a matrix of consequences and priorities. This matrix is defined by the alarm philosophy. Based on the consequences and the safety, regulatory, or policy requirements, the alarm can be classified into design requirement categories capturing such needs as alarm response documentation, alarm retention, and secondary notification requirements like paging or email. Design Basic configuration of alarms Human machine interface (HMI) for alarms Advanced methods of alarm management Should be control system specific Usually separate from the alarm philosophy Nuisance alarms and stale alarms can be eliminated with good basic configuration practices Implementation & Training Stage where the design is put into service Training for the operator included Initial testing of the alarm system functions One step in addressing alarm clarity Operation Alarm is in service Reporting abnormal conditions to the operator Maintenance Process measurement instrument may need maintenance Other components may need repair Repair frequency can be scheduled or determined by monitoring Periodic testing is a maintenance function During the maintenance stage, the alarm is not in operation. Monitoring & Assessment Periodic collection and analysis of data from alarms Without monitoring Almost impossible to maintain an effective alarm system Should take place frequently (daily or weekly) Primary method to detect problems nuisance alarms, stale alarms, and alarm flood Management of Change Structured process of approval and authorization Make additions, modifications, and deletions of alarms from the system Change process should feed back to the identification stage To maintain consistency with the alarm philosophy Audit Periodic audit of the alarm system and the processes detailed in the alarm philosophy May determine the need to modify processes, the philosophy, the design guidance Organization’s discipline to follow the processes may need improvement

Entering the Lifecycle - Philosophy Audit Rationalization Identification Detailed Design Implementation Maintenance Operation Management of Change Monitoring & Assessment D C E A J B G H F I Greenfield or Brownfield sites Objectives of the alarm system Design it correctly and keep it there Start with Alarm Philosophy (A) Lifecylcle entry point for new installations. Can be used as the basis for the alarm system requirements specifications.

Entering the Lifecycle - Monitoring & Assessment Audit J Philosophy A Management of Change I B Identification Focus on quantitative analysis to determine gaps Follow Maintenance & MOC paths to resolve C Rationalization D Detailed Design E Implementation Start with Monitoring & Assessment (H) Begin monitoring the existing alarm system and assessing performance. Problem alarms can be identified and addressed through maintenance or management of change. The monitoring data can be used in a benchmark assessment. Monitoring & Assessment H F Operation G Maintenance

Monitoring & Assessment Audit Audit J Philosophy A Management of Change I Identification B Rationalization C D Design E Implementation Monitoring & Assessment H F Operation G Maintenance

ISA 18.2 Compliance

Alarm Management is now a Compliance Issue Compliance: ANSI / ISA SP18.2 Similar to ANSI/ISA S84.01: nationally recognized standard qualifies as a nationally recognized standard for safety systems such that OSHA recognizes as “recognized and generally accepted engineering practice” Not a requirement to meet OSHA 1910.119 PSM requirements but bears substantial weight with regard to implementing safety/alarm systems burden of proof is on the User to demonstrate that they have followed generally accepted engineering practice Ensures that alarm and events information is accurate, available and effective….always. Results in Improved safety Process integrity Increased plant uptime Reduction of nuisance alarms - “noise” Better troubleshooting

ISA 18.2 Compliance. Section 4.1: Conformance Guidance To conform to this standard, it must be shown that each of the requirements in the normative clauses has been satisfied. Section: 4.2 Existing Systems (Grandfathering Clause) For existing alarm systems designed and constructed in accordance with codes, standards, and/or practices prior to the issue of this standard, the owner/operator shall determine that the equipment is designed, maintained, inspected, tested, and operated in a safe manner.

Historical Findings Industry estimate: $10 Billion per year from abnormal situations Incident costs from $100K-$1 Million per plant per year Refineries suffer a major incident once every three years costing $80M Insurance companies show industry claims >$2.2 Billion per year due to equipment damage (North America) ASM Consortium Findings

Personal Observations. Many process plants in North America are not doing enough Alarms form part of your plant’s layer of protection There will be more prosecutions for OH&S breaches

What Steps Can You Take? Senior Management Sponsorship Purchase ISA 18.02 Undertake an audit of your alarm system. Minimum do Monitoring and Assessment Prepare a Philosophy Document and then Functional Specifications Prepare a Strategic Plan Just Do it

Questions?