“Morning comes whether you set the alarm or not.” — Ursula K. Le Guin
Late one evening a few months after we moved into our offices on Cherokee Street, the alarm went off. My home is nearby, and I got there within a couple of minutes to discover that one of the doors had been smashed in. The thieves were long gone and a laptop computer was stolen. The thieves left the charger behind. The police—six of them—arrived about 10 minutes later. We watched the video recording of the break-in several times and eventually the police left, never to be heard from again.
It was nothing like the movies.
I learned that security cameras don’t prevent thefts but do allow you to watch them over and over. It cost more to repair the door than to replace the computer, which had been backed up and so was no great loss.
How Much Credit for Alarms?
Several people have recently posed the question to us about how much credit they could take for their alarms. At their most fundamental, alarms detect an unsafe condition and then generate a warning—a horn, siren, or klaxon, a flashing light, or both. At their most fundamental, there should be no credit for alarms. A horn, siren, or klaxon just make noise. Noise and flashing lights do not correct unsafe conditions, so there should be no credit for noise and flashing lights.
The value of alarms is not in the noise and flashing lights, but in the response the noise and flashing lights prompt.
How Much Credit for Responses?
It is not enough for an alarm to prompt a response. The response must be effective. The alarm in our offices prompted a response. I arrived within a couple minutes, the police arrived 10 minutes later. We examined evidence and concluded, yes there had been a break-in. A smash and grab that lasted less than 10 seconds. Our response was not effective.
For a response to be effective, there must be enough time for the response. The response itself must be able to return conditions to a safe state. To take credit for the response, you must be able to evaluate whether there is enough time and whether the response will be sufficient to return to conditions to a safe state. That means that you must know what the response is. There can be no credit for an alarm that prompts a vague, undefined response. “The operator will figure it out,” is just another way of saying that you don’t know what should be done. No credit.
What if you know exactly what the operator should do to respond to an alarm and you have determined that they have enough time to detect alarm, to decide how to respond to the alarm, to respond, and for their response to take effect? Then, all they have to be is perfect. Since no one is perfect, there is some probability that their response will fail.
What could cause the failure of a response to an alarm? The sensor could fail to detect the unsafe condition. The noise or flashing light could fail. The operator could be incapacitated, unable to respond. Or their response to the alarm could be incorrectly executed. Given all this, the best we can hope for is that an alarm will prompt an effective response 9 times out of 10, an average probability of failure on demand (PFDAVG) of 0.1. And that assumes that sensors and alarms are routinely proof tested, that the response is well defined and documented, and that all operators who may be required to respond are well trained on that response.
What About Multiple Alarms?
The risk reduction associated with a PFDAVG of 0.1 is a factor of 10. What if that risk reduction is not enough? How about another alarm?
Before considering a second or third alarm, it is important to put them in the context of alarm failures. Typically, additional alarms mean that there are more sensors for detecting the unsafe conditions. Great. Are there also independent means for making noise or flashing lights? Are there independent operators to respond to these independent alarms, so the incapacitation of one has no impact on the effectiveness of the other. (If the second operator is going to come to the aid of the incapacitated operator, then clearly there is an impact.) Is the division of responsibility clearly defined? Only if all of these are in place is it appropriate to consider taking credit for a second alarm.
Most likely, however, you will discover that it is simply not appropriate to take credit for more than one alarm, if any credit at all is to be taken for alarms.
What About Automated Responses?
There are safety functions where not only the detection of the unsafe condition is instrumented, but the response to the unsafe condition is automated. Most people think of these as interlocks, permissives, or in the case of safety instrumented systems, safety instrumented functions (SIFs). Some people, though, call these alarms. The amount of credit to take for these instrumented functions is a different subject entirely. It is possible in the case of SIFs, though, for risk reduction to be much higher than a factor of 10, depending on the redundancy of the equipment and the frequency at which it is tested. That is a subject of a different discussion.
Not the Movies
In the movies, alarms prompt an immediate response. Well-trained responders react with precision to a situation that they understand perfectly. If their response is unsuccessful, it is because the equipment failed them.
It’s a cliché, but real life is not the movies. Improving the equipment will improve the PFDAVG of an alarm, but ultimately the success of an alarm depends on the success of the people responding and people are imperfect. Limit the amount of credit you take for risk reduction based on a human response to what that imperfection can provide.