
Paper Ref: S1710_P0585

3rd International Conference on Integrity, Reliability and Failure, Porto/Portugal, 20-24 July 2009

HAZOP BASED ALARM AND CRITICAL ALARM SYSTEM DESIGN
Tetsuo Fuchino 1) and Yukiyasu Shimada 2)
1) Chemical Engineering Department, Tokyo Institute of Technology, Tokyo, Japan, Email: fuchino@chemeng.titech.ac.hp
2) Chemical Safety Research Gr., National Institute of Occupational Safety and Health, Tokyo, Japan, Email: shimada@s.jniosh.go.jp

SYNOPSIS
Process alarms and critical alarms correspond to the second and third layers of the
Independent Protection Layers (IPLs) of a chemical process, and the logic of their design
affects the consistency of the overall IPL design. The purpose of a process alarm is to inform
an operator of an abnormal process condition and to require the operator to identify and
cancel the cause of the deviation from the normal condition. A critical alarm alerts an operator
to a critical process condition and requires the operator to prevent or mitigate the expected
process upset. In the current engineering procedure, however, process alarms and critical
alarms are designed for each individual hazard scenario captured by Process Hazard Analysis
(PHA), such as a Hazard and Operability Study (HAZOP), in the detailed engineering phase,
and the number of alarm points grows inconsistently. This prevents operators, during
operation, from identifying the causes of abnormal deviations from the process alarms and
from recognizing the expected process upsets from the critical alarms. It is one of the major
reasons for the alarm flooding problem and for inconsistency in IPL design. In this study, we
propose a design method for process alarms and critical alarms on the basis of HAZOP. To
overcome the engineering problem described above, we dissociate the mitigation information
from the HAZOP log, and develop a method to choose a consistent set of alarm points from
the alternatives by considering all the hazard scenarios simultaneously.
1. Introduction
The safety of chemical process plants is designed through Independent Protection Layers
(IPLs) (Center for Chemical Process Safety, 1993). Chemical process plants handle flammable
materials and therefore have potential hazards. An initiating event leads to an abnormal
process deviation, the deviation can develop into a hazardous event, and the hazardous event
may finally lead to an impact and/or disaster. On the basis of this anatomy of an incident, the
IPLs are arranged so that the initiating event does not propagate to the impact, and consist of
the following eight layers.
IPL1: Process Design
IPL2: Basic Controls, Process Alarms, and Operator Supervision
IPL3: Critical Alarms, Operator Supervision, and Manual Intervention
IPL4: Automatic Action SIS (Safety Instrument System) or ESD (Emergency Shutdown)
IPL5: Physical Protection (Relief Devices)
IPL6: Physical Protection (Containment Dikes)
IPL7: Plant Emergency Response
IPL8: Community Emergency Response
The first layer is the inherently safe design of the process at the concept stage, and the second
to fifth layers are proactive protection layers. A released impact is kept within the process area
by the sixth layer, and the emergency response inside and outside the plant is designed in the
seventh and eighth layers. From the viewpoint of engineering design, the safety design is
carried out through the proactive protection layers, so the logic and completeness of the
second to fifth layers are very important.
Besides the Guidelines for Safety Automation of Chemical Processes from the Center for
Chemical Process Safety (CCPS), several papers and standards focused on the design of the
fourth IPL have been released. Drake (Drake, 1994) reviewed IPLs and introduced a
framework for risk-based Safety Instrument System (SIS) integrity evaluation.
ANSI/ISA-S84.01-1996 (Instrument Society of America, 1996) standardizes the steps to
determine the necessary SIS and their Safety Integrity Levels (SIL). Dowell (Dowell, 1998)
proposed determining the SIL from Layer of Protection Analysis (LOPA). These standards and
papers aim to decide the SIL of an SIS based on the hazard scenarios, from initiating events to
impact events, identified by Process Hazard Analysis (PHA), typically HAZOP (HAZard and
OPerability study) (Chemical Industry Safety and Health Council of the Chemical Industries
Association, 1981). The required reliability of the SIS is calculated from the frequency of the
initiating event, the failure probabilities of the recovery operations and operator intervention
operations designed in the second and third IPLs, and the failure probability of the relief
devices of the fifth IPL. The SIL of the SIS, and/or the need to modify the design of the other
IPLs, is decided from the required reliability for each hazard scenario. However, to account
for operational failure in the design of the SIS, the process alarms and critical alarms
consistent with the recovery and operator intervention operations should be designed on the
basis of the PHA beforehand.
The second and third IPLs prevent impact events through operator response. In these layers,
process alarms inform an operator of an abnormal process condition, and the operator is
required to cancel the deviation from the normal condition by recovery operations. If the
abnormal deviation is not cancelled, the critical alarms alert the operator to the critical process
condition and require the operator to intervene to prevent or mitigate the expected process
upset, i.e. to shut down the plant partially or totally by hand. To perform the proper recovery
operation for an abnormal process condition, the operator must know the cause of the
deviation, so the process alarms should be designed so that the cause can be identified from
among all the hazard scenarios captured by the PHA. Likewise, to perform the proper operator
intervention for a critical process condition, the operator must predict the hazardous event
caused by that condition, so the critical alarms should be designed so that the hazardous event
can be singled out from among all the expected hazardous events in the hazard scenarios
captured by the PHA. However, in the current engineering procedure, process alarms and
critical alarms are designed for each individual hazard scenario in the detailed engineering
phase, and the relations between hazard scenarios are not considered. As a result, the number
of alarm points increases, and the operator is only informed of an abnormality without being
able to identify the cause of the deviation. This makes the IPLs inconsistent and makes a
designed operator response impossible. Recently, alarm flooding has become a serious
problem in operating plants, and the Instrumentation, Systems, and Automation Society (ISA)
has published a handbook on the issue (Hollifield and Habibi, 2007). The handbook points out
that alarm rationalization is the solution, and that PHA teams recommend an excessive
number of alarm points inconsistently. The function of PHA falls into three categories: hazard
identification, hazard evaluation, and mitigation. In performing HAZOP, a mitigation plan,
including recommendations to install alarms, is provided for each hazard scenario separately.
That is why the relations between hazard scenarios have not been considered in alarm design,
and why the operator response could not be designed.
In this study, to overcome the process and critical alarm design problem described above, we
dissociate the function of recommending mitigation plans from HAZOP. All the hazard
scenarios are identified prior to designing the process alarms and critical alarms, and the
initiating events, deviations, propagated deviations and hazardous events of these scenarios
are recorded in a HAZOP log. On the basis of this modified HAZOP log, a method is
developed to design the process alarm configuration and the critical alarm configuration so
that operators can identify the causes of deviations and predict the hazardous events caused by
critical process conditions. The method is explained through a case study of an HDS (Hydro
Desulfurization) process. In the next section, the HDS process and the modified HAZOP log
defined here are briefly explained. The design method for process alarms and critical alarms is
then explained while performing the alarm design for the HDS process.
2. Problem Definition
[Figure 1: process flow diagram. Equipment and tags shown: Feed Surge Drum D-201 (LIC-5223, PIC-5201), Feed Pump P-201A, flow controllers FIC-5201/5202/5203 with FCV-5201A/B, FCV-5202A/B and FCV-5203, PCV-5054 and PCV-5156 on the recycle/make-up hydrogen lines, Low Temperature Combined Feed Exchanger E-201, High Temperature Combined Feed Exchanger E-203 with TIC-5227/TCV-5227, Reactor Charge Furnace H-201 with TIC-5228 and PIC-5203/PCV-5203 on the fuel gas, Reactor R-201, Reactor Effluent-Stripper Feed Exchanger E-202, and lines to the High Pressure Separator, stripper, flare and sewer.]
Figure 1 Process Flow Diagram of Hydro Desulfurization Process

In this study, the locations of all the process alarms and critical alarms are to be decided on
the basis of the HAZOP results, so it is assumed that no alarms have been designed yet. This
means that the HAZOP study is performed on the PFD (Process Flow Diagram). Figure 1
shows the PFD of the HDS process around the reactor. The purpose of this process is to
convert the organic sulfur in diesel oil to hydrogen sulfide and remove it. Diesel oil is received
in the Feed Surge Drum and, after the gaseous and aqueous components are removed, is
pumped up by the Feed Pump. The pressurized diesel oil is mixed with make-up and recycled
hydrogen and heated by two heat exchangers and the Reactor Charge Furnace. The Reactor
converts organic sulfur to hydrogen sulfide on a fixed-bed catalyst. The heat of the reactor
effluent is recovered by three heat exchangers, and the effluent is fed to the High Pressure
Separator. The HAZOP study is assumed to be performed on this PFD.
To carry out the HAZOP study, the process is divided into several areas, called study nodes.
The study node from the Feed Surge Drum to the reactor feed oil line is taken as the scope of
the alarm design here. A part of the modified HAZOP log sheet, shown in Table 1, is applied.
Table 1 Modified HAZOP Log Sheet
(Columns: Potential Cause (No., Description); Deviation; Consequences (No., Intermediate Deviation, Possible Impact, Description); Severity; M.A.R.T.)

Potential cause No. 1: Mechanical failure of Feed Pump (P-201). Deviation: No Flow.

Intermediate deviation: (1) Level of D-201 is high; (2) Overflow in D-201 and inflow to flare line. Possible impact: Process malfunction. Severity: Minor. M.A.R.T.: Long. Description: Level of Feed Surge Drum (D-201) rises and overflows. If inflow from upstream continues, there can be inflow to the flare line. Process malfunction occurs.

Intermediate deviation: Reverse flow through pump mini flow line. Possible impact: None. Severity: None. Description: Reverse flow to D-201 through the pump mini flow line. Hydrogen can also reverse to D-201.

Intermediate deviation: Feed oil to Reactor Charge Furnace (H-201) is lost; high temperature at H-201 tube. Possible impact: Tube rupture and fire inside H-201. Severity: Severe. M.A.R.T.: Short. Description: Furnace tube is overheated because feed oil to Reactor Charge Furnace (H-201) is lost and there is only hydrogen flow inside. If this continues for a long time, the tube ruptures and fire breaks out inside H-201.

Intermediate deviation: Stop of desulfuration. Possible impact: None. Severity: Minor. M.A.R.T.: Insufficient. Description: Desulfuration in Reactor (R-201) is stopped because of lack of feed oil.

Intermediate deviation: Low temperature of feed flow to stripper. Possible impact: Process malfunction. Severity: Minor. M.A.R.T.: Insufficient. Description: Insufficient heat exchange in Reactant Effluent Feed Exchanger (E-202) causes malfunction in the Stripper (outside of the study node).

Intermediate deviation: Level of High Pressure Separator is low. Possible impact: Process malfunction. Severity: Minor. M.A.R.T.: Immediate. Description: Level of High Pressure Separator lowers and process malfunction occurs.

The conventional HAZOP sheet records descriptions of the potential causes, the consequences,
and the mitigation. In the modified HAZOP log sheet, the record of recommended mitigation is
eliminated, and the intermediate deviations and possible impacts are recorded explicitly so
that the propagation of the abnormality can be considered in the design of process and critical
alarms. Moreover, the severity of the possible impact and the Maximum Available Response
Time (MART) for each consequence are recorded to take the operator's response into account.
Severity is categorized into four ranks, None, Minor, Major and Severe, and MART is also
categorized into four ranks, Insufficient, Immediate, Short and Long. Although Table 1 lists
only the consequences for the first potential cause, a total of eighteen potential causes are
identified for the study node concerned, as shown in Table 2. The same HAZOP log format is
applied to the rest of the sixteen potential causes, but those sheets are omitted here. Based on
the modified HAZOP log sheet for the PFD design, the process and critical alarms are to be
designed.


Table 2 Possible Causes for Node from Feed Surge Drum to Reactor
Number  Description
1   Mechanical failure of Feed Pump (P-201)
2   Feed Surge Drum (D-201) level controller (LIC-5223) stop because of D-201 feed flow controller failure
3   P-201 outlet flow control valve (FCV-5201A) failure
4   P-201 outlet flow control valve (FCV-5201B) failure
5   Bypass valve for start-up operation close by mistake
6   Air fin cooler partially plugged because of water injection failure stop
7   Reactor (R-201) head plugged
8   LIC-5223 controller failure and FCV-5201A/B close
9   LIC-5223 controller failure or FCV-5201A bypass valve open by mistake
10  LIC-5223 controller failure or FCV-5201B bypass valve open by mistake
11  P-201A/B run simultaneously
12  D-201 pressure regulation controller (PIC-5201) failure and pressure increased
13  D-201 pressure regulation controller (PIC-5201) failure and pressure decreased
14  R-201 feed temperature controller (TIC-5228) failure and fuel pressure regulation valve (PCV-5203) full
15  High Temperature Combined Feed Exchanger (E-203) bypass three way valve (TCV-5227) open by mistake
16  Air fin cooler (C-204) failure stop
17  Reactor Charge Furnace (H-201) heat duty shortage
18  Water incorporation into oil because of D-201 aqueous surface rise at boot

3. Alarm Design
3.1 Process Alarm Design
An initiating event creates an abnormal process condition, which propagates through the
process. One initiating event may activate several process alarms, and one process alarm may
be activated by several initiating events. Therefore, it is impossible to design each process
alarm to identify the occurrence of one particular initiating event. However, in an operating
plant, when an initiating event occurs, some process alarms are activated as the abnormal
condition propagates while others are not. Well-experienced operators identify the cause of
the abnormal process condition from this pattern of activated alarms. Consequently, designing
consistent process alarms means configuring the whole alarm set so that a different subset of
alarms is activated for each initiating event. In this study, the following steps are applied to
design the process alarms.
(1) Enumerate the deviation and the intermediate deviations of the process parameters for
every potential cause. These deviations and intermediate deviations are analyzed in HAZOP
and recorded in the modified HAZOP log sheet shown in Table 1. These process parameters
become the candidate process alarms.
(2) Assign priorities to the process parameters for each potential cause according to the
propagation of the abnormal process condition. The process parameter closest to the initiating
event has the highest priority. The priority of a given process parameter therefore differs from
one initiating event to another.
(3) Optimize the configuration of all process alarms so that a different alarm set is activated
for each initiating event.
Table 3 Result of Process Alarm Configuration
Code  Location                     Variable
A     Exit of P201S                Low Pressure
B     FCV5201A Line                No flow
C     FCV5201B Line                No flow
D     Start-up bypass              Flow Detection
E     C-204                        Stop of Water injection
F     Reactor (R-201)              Pressure difference High
G     FCV-5201A Line               More flow
H     FCV-5201B Line               More flow
I     Exit of P-201A               Flow Detection
J     D-201                        High Pressure
K     D-201                        Low Pressure
L     Furnace exit Line            High Temperature
M     By-pass line exit at E-203   High Temperature
N     C-204                        High Temperature
O     Furnace exit Line            Low Temperature
P     Boot interface at D201       Level High

The optimization problem of the third step is a so-called knapsack problem, and several
approaches can be considered: mixed integer linear programming (MILP), evolutionary
methods, and trial and error. In the HDS process case, we adopted the trial and error
approach.
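The three design steps above and the step-3 optimization, as an added example that is not code from the paper: an exhaustive search keeps the smallest subset of candidate alarm points for which every initiating event activates a distinct, non-empty alarm set, and breaks ties with the step-2 priority ranks (parameter closest to the initiating event first). The candidate names and the cause-to-alarm activation data are a constructed toy instance and are not the paper's Table 4.

```python
"""Process alarm configuration as a set-selection problem (added example).

Constructed toy instance: candidate alarm points and the initiating events
(potential causes) that would activate each, directly or by propagation.
Cause numbers loosely follow Table 2, but the activation data are
constructed and do not reproduce the paper's Table 4.
"""
from itertools import combinations

# candidate alarm -> {cause: rank}; rank 1 = the parameter closest to the
# initiating event (method step 2), larger ranks = propagated deviations.
CANDIDATES = {
    "A_pump_exit_low_P":      {1: 1, 11: 2},
    "B_fcv5201a_no_flow":     {1: 2, 3: 1, 8: 1},
    "C_fcv5201b_no_flow":     {1: 2, 4: 1, 8: 1},
    "D_startup_bypass_flow":  {5: 1},
    "J_d201_high_P":          {12: 1},
    "K_d201_low_P":           {13: 1},
    "L_furnace_exit_high_T":  {3: 3, 4: 3, 14: 1},
    "M_e203_bypass_high_T":   {15: 1, 14: 2},
    "N_c204_high_T":          {16: 1},
    "R_c204_exit_high_T":     {16: 2},        # redundant with N
    "O_furnace_exit_low_T":   {17: 1},
    "Q_reactor_inlet_low_T":  {17: 2, 1: 3},  # redundant with O
    "P_d201_boot_level_high": {18: 1},
}
CAUSES = sorted({c for ranks in CANDIDATES.values() for c in ranks})


def signature(alarms, cause, candidates=CANDIDATES):
    """Alarms in the chosen subset that this initiating event would activate."""
    return frozenset(a for a in alarms if cause in candidates[a])


def is_discriminating(alarms, causes=CAUSES, candidates=CANDIDATES):
    """Step 3 criterion: every initiating event activates a non-empty alarm
    set, and no two initiating events activate the same set."""
    sigs = [signature(alarms, c, candidates) for c in causes]
    return all(sigs) and len(set(sigs)) == len(sigs)


def priority_cost(alarms, candidates=CANDIDATES):
    """Tie-break: prefer alarms on parameters closest to their initiating events."""
    return sum(sum(candidates[a].values()) for a in alarms)


def configure(candidates=CANDIDATES, causes=CAUSES):
    """Smallest discriminating alarm subset, lowest priority cost among ties.
    Exhaustive search by increasing subset size; fine at study-node scale
    (the paper used trial and error, MILP being the other option)."""
    names = list(candidates)
    for size in range(1, len(names) + 1):
        valid = [set(s) for s in combinations(names, size)
                 if is_discriminating(s, causes, candidates)]
        if valid:
            return min(valid, key=lambda s: priority_cost(s, candidates))
    return None  # no subset separates all the initiating events


if __name__ == "__main__":
    chosen = configure()
    print(f"{len(chosen)} of {len(CANDIDATES)} candidates kept: {sorted(chosen)}")
    for cause in CAUSES:
        print(cause, sorted(signature(chosen, cause)))
```

On this instance the search drops the two redundant points (R and Q) and one of the two symmetric no-flow points, since alarm L alone separates causes 3 and 4 from each other only when one of B or C is kept.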

Table 4 Process Alarm Activation Pattern (rows: alarms A to P; columns: potential causes 1 to 18; circle markings not reproduced)


The result of the process alarm design for the HDS process case is shown in Table 3. Sixteen
alarms (A to P) are configured. They are designed so that a different alarm set is activated for
each initiating event, as shown in Table 4, which marks with circles the alarms activated by
each potential cause (1 to 18). Open circles denote alarms activated directly by the initiating
event, and filled circles denote alarms activated through the propagation of the abnormal
process condition. The activation patterns for the potential causes are all different from one
another, so it becomes possible to plan the operator's response to cancel the abnormal process
condition.
3.2 Critical Alarm Design
The purpose of the critical alarm is to require an operator response even when the operator
cannot identify the cause of the abnormal condition. To determine the critical alarm
configuration, the necessity and feasibility of the operator's response should be evaluated
from the seriousness of the hazardous situation and the time margin for the operator's action.
In this study, the priority of a critical alarm is defined as shown in Table 5 from the Severity
and M.A.R.T. of the modified HAZOP log sheet shown in Table 1. The priority is categorized
into three levels: Emergency, High and Low.
Table 5 Critical Alarm Priority (rows: MART; columns: Severity)
MART          None      Minor   Major                             Severe
Long          No Alarm  Low     Low                               High
Short         No Alarm  Low     High                              Emergency
Immediate     No Alarm  High    High                              Emergency
Insufficient  No Alarm  High    No Alarm, but SIS is necessary    No Alarm, but SIS is necessary

Table 6 Result of Critical Alarm Configuration
Code  Place                          Parameter             Priority
a     D-201                          Level High            Low
b     D-201                          Level Low             High
c     D-201                          Pressure High         Low
d     D-201 Boot                     Level High            Low
e     Feed Pump Line                 Pressure High         Low
f     Reactor Charge Furnace Tube    Temperature High      Emergency
g     FCV-5201A Line                 More Flow             High
h     FCV-5201B Line                 More Flow             High
i     FCV-5201A Line                 Less Flow             Low
j     FCV-5201B Line                 Less Flow             Low
k     Reactor (R-201)                Pressure Difference   Low
l     R-201 Exit                     Temperature High      Low
m     Reactor Charge Furnace Tube    Temperature Low       Low
n     D-202                          Level Low             Low
o     Feed Line to T-202 from E-202  Temperature Low       Low
p     Both Lines of FCV-5201A/B      More Flow             Low
q     Start-up Bypass                Flow Detection        Low
r     Exit of C-204                  Temperature High      Low

Once the priority of every consequence in the modified HAZOP log sheet has been decided,
the location and the deviation of the process variable to be detected are designed. Basically,
the intermediate deviation that leads directly to the possible impact is the preferred variable to
detect, but where there is no intermediate deviation, the process variable that is deviated from
the normal process condition by the initiating event itself should be selected. The resulting
critical alarms for the HDS process case are shown in Table 6.
Conclusion
The safety of chemical process plants is provided through the design of Independent
Protection Layers (IPLs). Process alarms and critical alarms correspond to the second and
third layers of the IPLs, and the logic of their design affects the consistency of the overall IPL
design. This study proposed a method to design the configuration of process and critical
alarms on the basis of HAZOP results. In the current engineering procedure, process and
critical alarms are designed for each individual hazard scenario captured by HAZOP in the
detailed engineering phase, and the number of alarm points grows inconsistently. To overcome
this problem, we dissociate the mitigation information from the HAZOP log and develop a
method to optimize a consistent set of alarm points from the alternatives by considering all the
hazard scenarios simultaneously. The proposed method and its performance are illustrated
through the case study of the HDS process around the reactor. It becomes possible to relate
the process and critical alarms to the operator's response, and to design the IPLs consistently.
REFERENCES
Center for Chemical Process Safety (CCPS), "Guidelines for Safety Automation of Chemical
Processes," American Institute of Chemical Engineers, New York (1993)
Drake, Elisabeth M., "Determining Integrity Levels for Safety Interlock System," Center for
Chemical Process Safety (CCPS) Proceedings of International Symposium & Workshop on
Process Safety Automation, American Institute of Chemical Engineers, Houston (1994)
Instrument Society of America (ISA), "Application of Safety Instrumented Systems to the
Process Industries, ANSI/ISA-S84.01-1996," Instrument Society of America, North Carolina
(1996)
Dowell, Arthur M., "Layer of Protection Analysis for Determining Safety Integrity Level,"
ISA Transactions, 37, pp. 155-165 (1998)
Chemical Industry Safety and Health Council of the Chemical Industries Association, "A
Guide to Hazard and Operability Studies" (1981)
Hollifield, B. R. and E. Habibi, "Alarm Management: Seven Effective Methods for Optimum
Performance," Instrument Society of America (2007)
