
HSE UK Alarm RRF-appendix-1


Operator Response within Instrumented Safety Functions

in the Chemical, Oil & Gas, and Specialist Industries

Appendix 1: Process for Managing Instrumented Alarm Functions


Figure 1: Process for the management of Instrumented Alarm Functions credited with risk reduction against MAHs

[Flowchart, reconstructed from the extracted node labels]

1. Assessment / Review etc. (NOTE 1)
2. Instrumented alarm function providing risk reduction identified (NOTE 2)
3. Determine integrity requirements (e.g. SIL Assessment)
4. SIL2 or higher?
   Y: Redesign to reduce integrity requirements on SIAF (NOTE 3)
   N: continue to step 5
5. SIL1?
   N: Implement / manage alarm in accordance with good practice, e.g. OG-46 & BS EN 62682 (NOTE 4), then End
   Y: continue to step 6
6. RP (reasonably practicable) to automate or redesign? (NOTE 5)
   N: Implement / manage SIAF to BS EN 61511 and BS EN 62682 (NOTE 6), then End
   Y: Redesign and implement SIF to good practice (e.g. BS EN 61511) (NOTE 7), then End
Notes to Figure 1:
Note 1: Identification of instrumented alarm functions providing risk reduction could
be from hazard identification, risk assessment (e.g. HAZOP) or from review
of existing plant documentation for legacy plant or installed SIS Review and
Assessment.
Note 2: Any new or existing instrumented alarm function, identified to provide risk
reduction, has to be assessed to determine its risk reduction requirements.
Note that the dutyholder should consider at this early stage if it is
reasonably practicable to automate the response, especially if this relates
to a new design / modification, prior to SIL assessment. See also note 5
below and section below on ‘Preference for Automation’.
Note 3: A risk reduction factor of greater than 100 (i.e. SIL 2) should not be claimed
for a SIAF as this would require human reliability better than normally
achievable. Typically redesign would involve considering automating the
alarm response, reducing the likelihood of the hazard causes, or providing
additional risk reduction measures (considering the normal hierarchy of
control measures). If this cannot be achieved then the SIAF falls outside
the scope of this guidance and additional demonstration that all measures
necessary have been taken will be required.
Note 4: In this case the assessment has indicated that the risk reduction required is
a factor of 10 or less and therefore the alarm function is not a SIAF or a
SIS. The function can be implemented in the normal control system or
other systems as required. However, this alarm function does provide some
risk reduction and therefore, should be implemented to good practice
requirements for a LISIAF – further guidance below.
Note 5: For a SIL1 SIAF, the dutyholder should consider if it is reasonably
practicable to redesign in order to remove the requirements for operator
response, noting the section below on ‘Preference for Automation’.
Note 6: The function should be implemented to good practice requirements for a
SIAF – further guidance below.
Note 7: If it is reasonably practicable to redesign the plant to remove the necessity
for a SIAF, this should be completed. If the function defined is to be
automated, it should be implemented to good practice (e.g. BS EN 61511).

Preference for Automation


1. This preference for automatic systems is often referred to as ‘hierarchy of control
measures’ and good practice typically maximises the use of inherent safety and
the elimination of hazards; the avoidance of risk; the control of risk at source by
the use of physical engineering controls; whilst it minimises the need for:
procedural controls, e.g. to manage manual operation of safety functions, and
personal protective equipment.
(see www.hse.gov.uk/risk/theory/alarp2.htm)
2. Note that an automatic response does not necessarily require immediate plant
‘shutdowns’. The response need only be sufficient to effectively prevent the
hazardous scenario. For example: an automatic response may be to divert
product to another tank in the event of a high level or to initiate a timed shutdown
to allow appropriate operator action to be taken to recover the process before the
hazardous event and shutdown occurs. However, it is always preferable to have
an automatic ‘back stop’ following failure of the operator to recover.
3. For new and modified plant, it will be more likely that it will be reasonably
practicable to automate the response or redesign the plant to remove the
necessity for a SIAF. However, it is acknowledged that for legacy plants, it may
not be reasonably practicable to automate or redesign, or that an automatic
response will generate an overall risk.
4. In any case, the dutyholder should record the decision-making process to
demonstrate where it is not reasonably practicable to automate or redesign.

Good Practice Requirements for LISIAF (PFD > 0.1)


5. The LISIAF shall meet the relevant requirements of good practice for low integrity
instrumented safety functions, e.g. HSE Operational Guidance OG-46, as well as
the relevant requirements of good practice for alarm systems, e.g. BS EN 62682.
This includes:
a. Assignment to a highly managed alarm classification group (LISIAF),
which has appropriate management arrangements in place (to be defined
in the alarm philosophy) to ensure the reliability of the alarm function,
including requirements for shelving, out of service process and
management of change;
b. The wider alarm system within which a LISIAF is implemented should
meet general alarm system performance requirements to ensure that
issues such as alarm flooding, excessive alarm rates etc. do not mask the
LISIAF;
c. Clear, precise and unambiguous specification of and written response to
the LISIAF to include specification of the sensor, annunciator, operator
response and final elements;
d. Independence between the LISIAF and other protection layers also
credited with risk reduction – including the sensor, annunciator, operator
response and final elements;
e. Accurate, accessible, controlled and easily understood engineering
documentation showing the component parts of the LISIAF and how they
are configured;
f. Periodic inspection of the LISIAF, e.g. visual or more detailed inspection to
reveal evidence of deterioration, damage or unexpected modifications;
g. Periodic maintenance of the LISIAF in line with manufacturers'
recommendations and general good practice;
h. Periodic testing, at intervals determined by the alarm class requirements,
to ensure that the alarm continues to perform as designed. The testing
procedure should be documented and results recorded to facilitate
monitoring and periodic review.
i. Sufficient training of operators on the required response to alarms,
determined by the alarm class requirements.

Good Practice Requirements for SIAF (< 0.1 PFD)


6. The SIAF shall meet the relevant requirements of good practice for SIS (e.g. BS
EN 61511) as well as the relevant requirements of good practice for alarm
systems, e.g. BS EN 62682. This includes:
a. Assignment to a highly managed alarm classification group (SIAF), which
has appropriate management arrangements in place (to be defined in the
alarm philosophy) to ensure the reliability of the alarm function, including
no inhibiting or shelving permitted unless managed as a SIS defeat,
management of change consistent with other SIS etc.;
b. The wider alarm system within which a SIAF is implemented should meet
general alarm system performance requirements to ensure that issues
such as alarm flooding, excessive alarm rates etc. do not mask the SIAF;
c. The usual SIS lifecycle approach and documentation including
demonstration that the SIS meets the risk reduction requirements
expected of it. Table 1 below provides additional guidance on how to
apply good practice BS EN 61511 to SIAFs.
d. Additional human reliability requirements – these are also included in table
1 below and are based upon the requirements specified for safety related
alarms within EEMUA191 clauses 2.3.3 to 2.3.6 and table 5. Further
interpretation of these requirements is shown in table 2.
Table 1: Application of Good Practice for a SIAF

Columns: Lifecycle Phase | Sensor, annunciator and final elements | Operator Response

Management of Functional Safety (Clauses 5-7)
  Whole function: All normal requirements of BS EN 61511 apply, for example
  lifecycle, planning, competence, audit and monitoring. This would include
  monitoring the performance of the SIAF with respect to actual demands and
  failures associated with the SIAF.

Setting SIS Requirements (Clauses 8-9)
  Whole function: All normal requirements of BS EN 61511 apply, however it
  should be noted that when a PFD is assumed within a SIL assessment for a
  SIAF, the PFD applies to the full safety function, i.e. sensor, annunciator,
  operator response and final elements.
  During SIL assessment, a SIAF or LISIAF should only be considered as an
  independent layer of protection if all its components (sensor, annunciator,
  operator response and final elements) are independent.

Safety Requirements Specification (SRS) (Clause 10)
  Sensor, annunciator and final elements: In addition to the normal
  requirements of BS EN 61511, the SRS should specify the alarm sensor, alarm
  annunciator and final element(s) required to achieve functional safety.
  The SRS should include requirements to identify and take account of common
  cause failures associated with the SIAF sensors, alarm annunciator and
  final elements.
  Operator Response: The operator response should be specified in accordance
  with EEMUA 191 special criteria for human reliability (Table 5):
    - 5 – Alarm Response defined
    - 6 – Alarm Response simplicity
  The SRS should specify the operator response (or link to the specific alarm
  response procedure) to achieve functional safety (i.e. the alarm should be
  effective). The SIAF including the alarm setting should be specified to
  ensure that there is sufficient time for operator response in both normal
  and abnormal operating conditions (see also Figure 2). The SRS should
  include requirements to identify and take account of common cause failures
  associated with the SIAF operator response.

Design & Implementation (Clauses 11-15)
  Sensor, annunciator and final elements: In addition to the normal
  requirements of BS EN 61511, the sensor, annunciator and final elements
  should be designed in accordance with BS EN 61511 and EEMUA 191 special
  criteria:
    - 2 – Alarm Annunciator
    - 3 – Alarm Priority
    - 4 – Alarm Visibility
    - 7 – Information
  A PFD calculation should be completed (BS EN 61511 clause 11.9) for the
  sensor, annunciator and final elements. This should be combined with the
  PFD of the operator response (see Operator Response) to give the overall
  achieved PFD. All of the SIAF components (sensor, annunciator and final
  elements) should have sufficient independence and fault tolerance as
  described in BS EN 61511.
  Operator Response: A PFD for the operator response part of the SIAF should
  be determined (BS EN 61511 clause 11.9.2) based upon the level of
  compliance with the EEMUA 191 special criteria. The basis for the PFD
  selected should be recorded, for example by making an assessment of the
  EEMUA 191 special criteria against the level of compliance achieved. If all
  criteria are only just achieved, then the PFD for the operator response
  should tend towards 0.1; however, if the criteria are fully achieved to a
  high standard, then a low PFD towards 0.01 can be selected. The level of
  demonstration should be proportionate to the level of risk reduction
  claimed against the criteria.
  Note – There may be other human factors considerations required. Where
  PFDs tending towards 0.01 are used it is recommended to seek further input
  from HF colleagues to ensure that the HF aspects are adequately robust for
  that claim to be valid.

Operation, Maintenance and Proof Test (Clause 16)
  Sensor, annunciator and final elements: All normal requirements apply, but
  noting that they should be applied to the SIAF sensor, annunciator and
  final elements.
  Operator Response: The operator response should be operated in accordance
  with EEMUA 191 special criteria:
    - 1 – Operator training
  The operator response should be ‘maintained’ in accordance with EEMUA 191
  special criteria:
    - 8 – Operator Performance
  This will necessitate periodic validation of the operator training
  (completed for criterion 1) and performance (criterion 8). Measures should
  be taken to demonstrate that this is scheduled and completed at an
  appropriate interval.

Modification (Clause 17)
  Whole function: All normal requirements apply, however during modification,
  consideration should be given to automation if reasonably practicable.
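A worked example, added here and not part of the HSE guidance, that encodes the Figure 1 routing (RRF bands of 10 and 100) and the Table 1 treatment of PFD for one alarm function: the operator-response PFD chosen between 0.1 and 0.01 from EEMUA 191 criteria compliance, combined in series with the sensor, annunciator and final-element PFDs, plus the Figure 2 time budget. The compliance scoring scale, the function names and all sample numbers are assumptions made for the example.

```python
"""Worked example (added; not the guidance's own method). Thresholds come
from Figure 1 / Table 1; the 0-1 compliance score is our assumption."""

# EEMUA 191 Table 5 special criteria named in Table 1 of the guidance.
DESIGN_CRITERIA = {2: "Alarm Annunciator", 3: "Alarm Priority",
                   4: "Alarm Visibility", 7: "Information"}
RESPONSE_CRITERIA = {1: "Operator training", 5: "Alarm Response defined",
                     6: "Alarm Response simplicity", 8: "Operator Performance"}


def classify(required_rrf: float) -> str:
    """Figure 1 route for a required risk reduction factor (RRF = 1/PFD)."""
    if required_rrf <= 10:        # Note 4: not a SIAF, manage as LISIAF
        return "LISIAF"
    if required_rrf <= 100:       # SIL1 band: SIAF, consider automation (Note 5)
        return "SIAF (SIL1)"
    return "REDESIGN"             # Note 3: SIL2 or higher not claimable for a SIAF


def operator_pfd(compliance: dict[int, float]) -> float:
    """Operator-response PFD per Table 1 'Design & Implementation'.
    compliance maps criterion number -> score in [0, 1] (0 = only just
    achieved, 1 = fully achieved to a high standard). The guidance only says
    the PFD tends from 0.1 towards 0.01; the scoring scale is assumed here."""
    missing = set(RESPONSE_CRITERIA) - set(compliance)
    if missing:
        raise ValueError(f"criteria not demonstrated: {sorted(missing)}")
    worst = min(compliance.values())   # the weakest criterion governs the claim
    return 10 ** (-1 - worst)          # log-linear: 0.1 at worst=0, 0.01 at worst=1


def overall_pfd(sensor: float, annunciator: float, final_element: float,
                operator: float) -> float:
    """PFD of the full function (Table 1, Clauses 8-9): the parts are in
    series, so the function fails on demand if any one part fails."""
    survive = 1.0
    for p in (sensor, annunciator, final_element, operator):
        survive *= 1.0 - p
    return 1.0 - survive


def time_margin(available_s: float, subtasks: dict[str, float]) -> float:
    """Figure 2 check: worst-case time available minus the summed
    observe / diagnose-and-plan / act sub-task times (negative = not viable)."""
    return available_s - sum(subtasks.values())


def assess(required_rrf, hardware, compliance, available_s, subtasks):
    """Route the function and, for a SIL1 SIAF, test the PFD and time claims."""
    route = classify(required_rrf)
    if route != "SIAF (SIL1)":
        return {"route": route}
    op = operator_pfd(compliance)
    total = overall_pfd(*hardware, op)
    return {"route": route, "operator_pfd": op, "overall_pfd": total,
            "meets_target": total <= 1 / required_rrf,
            "time_margin_s": time_margin(available_s, subtasks)}


if __name__ == "__main__":
    # Constructed sample: required RRF 30, hardware PFDs from a hypothetical
    # clause 11.9 calculation, operator criteria scored by audit, 15 min available.
    print(assess(30, (0.004, 0.002, 0.005),
                 {1: 0.6, 5: 0.8, 6: 0.7, 8: 0.5}, 900,
                 {"observe": 60, "diagnose_plan": 120, "act": 480}))
```

In the constructed sample the operator PFD alone (about 0.03) pushes the overall PFD above the 1/30 target, which is why the guidance asks for the basis of the operator PFD to be recorded and demonstrated.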
Table 2: Special Requirements for SIAF

Columns: No. | Criteria from EEMUA 191 (Table 5) | HSE Comments

1. Criterion: The operator should be trained in the management of the specific
   plant failure that the alarm indicates.
   HSE Comments: Duty holders should be able to demonstrate implementation of
   relevant elements of their competence management system (CMS) for each
   specific SIL rated operator response.
   Note that the EEMUA 191 criterion requires training in the ‘specific plant
   failure’ and therefore the competence demonstration should be developed for
   each scenario that the SIAF is protecting against. Therefore, the role of
   the operator should be clearly defined in the SRS functional safety
   requirements description.
   The CMS should include structured training and assessment as necessary and
   formal demonstration of competence (i.e. recorded).

2. Criterion: The alarm presentation arrangement should make the claimed alarm
   very obvious to the operator and distinguishable from other alarms.
   HSE Comments: This requirement (along with criteria 3 & 4 and the more
   general requirements of overall SIS integrity and independence) will
   generally require that the alarm is annunciated on an annunciator which is
   suitably independent from other protection layers and has the top priority
   reserved for SIAFs.
   A typical approach would be to use an independent hardwired annunciator,
   i.e. outside of the basic process control system (BPCS), although other
   solutions may be possible.

3. Criterion: The alarm should be classified at the highest priority in the
   system.
   HSE Comments: The operator should be able to very quickly distinguish
   between safety critical (i.e. ≥SIL1) alarms and other alarms.
   Note that the operator should be able to distinguish SIS alarms that rely
   upon specific operator action from those that alert that an automatic
   action has occurred and just require checking that it has been successful.

4. Criterion: The alarm should remain on view to the operator for the whole of
   the time it is active.
   HSE Comments: It should not be possible for the alarm to be masked or
   hidden. This will generally require that such alarms are separated from
   other (non-SIL rated) alarms.
   In this context, claims of continuous manning of a particular control panel
   should also be substantiated, including arrangements to ensure the
   availability of competent cover for rest breaks, illness, other duties etc.
   Alarm status should be included in shift handover to ensure operator
   situational awareness of the oncoming shift.
   However, the use of several operators to achieve the operator sub-system
   does not imply that the reliability claimed can be factored up accordingly
   (i.e. ‘1-out-of-2 operators’) due to issues of systematic dependencies.
   Note, if remote alarming facilities are employed (e.g. pagers), then these
   will have to be considered as part of the SIS and therefore meet the more
   general requirements for SIS described in good practice such as
   BS EN 61511.

5. Criterion: The operator should have a clear written alarm response
   procedure for the alarm.
   HSE Comments: Note the use of the word ‘clear’ – this will therefore
   require it to be quickly identifiable and separate from (or easily
   distinguishable within) other alarm response manuals.
   A typical approach is to develop unique job aids (e.g. step by step ‘grab
   cards’) for each SIAF which are readily available at points of use.
   The alarm response instruction (ARI) can be on screen rather than being a
   hardcopy document, though onscreen ARIs should not hide/block the view of
   other critical information to the CRO. The limitations of on-screen ARIs
   need to be considered as part of the operator response (e.g. does the
   operator need to use the ARI in one or more locations remote from the
   screen where it is displayed). Also, the onscreen function will need to be
   considered as part of the SIS and meet the associated requirements (e.g.
   independence, integrity, etc.).
   The information may require initial actions as well as follow-up checks
   (e.g. immediately close valve XV123, and confirm flow to tank T456 has
   ceased). Measures should be taken to ensure that alarm responses are
   completed by ensuring that responders are not distracted.
   Note that a full description of the function requirements (sensor to final
   actuator) is required because it will define the full extent of the SIS
   equipment within the SRS.

6. Criterion: The required operator response should be simple, obvious and
   invariant.
   HSE Comments: The operator response includes any judgements /
   decision-making to be completed as well as the actions subsequently
   required. Decision-making should be kept to a minimum and, where
   necessary, informed by clearly-defined criteria.
   If a dutyholder identifies the need for a complex operator response then
   Human Factors Specialist support will be required, and demonstrating the
   function and integrity of the SIS will fall outside the approach within
   this guidance.

7. Criterion: The operator interface should be designed to make all
   information relevant to management of the specific plant failure easily
   accessible.
   HSE Comments: This would include appropriate labelling, functionality of
   the annunciator and any equipment associated with carrying out the
   response. Reliance should not be placed on other electronic systems (e.g.
   computers) that are not of sufficient integrity (e.g. for electronic
   documents).
   Note – EEMUA 201 also provides guidance on operator interfaces and control
   room layout and design.

8. Criterion: The claimed operator performance should have been audited.
   HSE Comments: In this context, audit goes well beyond a typical safety
   management system audit (although formal auditing of management systems
   will also be required).
   This criterion aims to demonstrate that actual operator performance, in
   terms of reliability and response time, matches the claims for risk
   reduction ON AN ONGOING BASIS.
   The following techniques should be considered to validate assumptions
   about operator performance under a range of abnormal, upset and emergency
   conditions:
   a. Revalidation that criteria 1-7 above remain in place, including
      operator training and competence;
   b. Simulation of scenarios using a process simulator;
   c. Exercises of scenarios by manipulating process inputs (e.g. this could
      be achieved during the proof test);
   d. Walk/talk-through procedures;
   e. Desk-top exercises (what-if etc.);
   f. Loss of power tests, communications checks etc.;
   g. Other measures as deemed necessary to achieve the purpose defined
      above.
   Note that a range of measures is likely to be necessary and should be
   proportionate to the level of risk reduction claimed. For example,
   exercises often have only limited validity because they test only one of
   many shift operators in an artificial situation.
Figure 2: Response Time Considerations

Time pressure is a crucial factor that can influence operator performance when responding to safety-critical alarms. COMAH establishments
should be asked to demonstrate, on a case-by-case basis, that all sub-tasks associated with responding to an alarm (see below) can be
completed effectively within the actual time available for response i.e. from when the alarm is activated to when the process goes beyond the
point of no return. This is especially important when risk reduction is claimed for operator response as part of a SIL1 system (SIAF).

[Figure 2 diagram, reconstructed from the extracted labels. A time axis runs from "Alarm Activated"; the "Time available for response, assuming worst-case scenario" is compared against the "Time required for response (all sub-tasks)", which is made up of three sub-tasks in sequence: Alarm Observed, Diagnosis and Planning, Action.]

Alarm Observed:
  The operator must be available to respond. Claims of continuous manning, or that operators can be alerted by other means (e.g. alarm pagers), should be challenged.
  Alarms should be:
  - obvious and distinguishable from other alarms (2)*
  - classified at the highest priority (3)
  - remain on view whilst active (4)
  The operator interface should be designed to support management of the plant failure (7).

Diagnosis and Planning:
  Operators should know how to respond and understand the consequences of failing to respond. They should be trained and assessed in managing the specific failure that the alarm indicates (1) and be regularly re-assessed and re-trained (using simulators if possible).
  Decision-making associated with a SIL1 operator response should be kept to a minimum. The response should be simple, obvious and invariant (6). The operator should have access to a clear, written response for each SIL1 alarm (5), e.g. a hard-copy grab-card, readily available at point-of-use. These cards may also include confirmatory and follow-up actions in the event that the initial response has been unsuccessful.

Action:
  The extent and nature of the action required, and any associated ‘what-ifs’, should be fully explored. For example, carrying out the required action might involve communication with a field operator, who is then required to travel to a remote part of the plant to identify and operate a manual valve.

* Numbers in brackets denote the relevant ‘human reliability’ criteria from EEMUA 191, as summarised in Table 2 above.
All criteria relating to operator performance should be actively monitored and audited (8).
