Presentation to Post-Docs at Trinity College Dublin who were working on the TOSCA project

1. Tel: (+44) 01492 879813 Mob: (+44) 07984 284642
andy@abrisk.co.uk
www.abrisk.co.uk 1
Task Risk Management
Andy Brazier

2. 2
A bit about me
Chemical engineer
BSc - Loughborough University
PhD - Edinburgh University
19 years working as human factors consultant
10 years self-employed
Registered member of the Chartered Institute of
Ergonomics and Human Factors (CIEHF)
Associate member of Institute of Chemical
Engineers (IChemE)

3. Experience
Predominantly oil, gas, chemical, power and
steel industries
Human factors in major accident safety
Design assessments
Safety critical task analysis
Staffing and organisational change
Clients include Shell, BP, SSE, Centrica, Tata,
Syngenta, Total, Maersk etc.
3

4. Places I have works – UK & Ireland
4

5. Places I have worked – further afield
5

6. Projects I have worked on but not visited
6

7. 7
Human factors and safety
Up to 80% of accident causes can be attributed
to human failures
All major accidents involve a number of human
failures
Human factors is concerned with
Understanding the causes of human failures
Preventing human failures
An important part of managing ‘major accident
safety’

8. 8

9. 1. Annulus
cement
barrier did
not isolate
hydrocarbo
ns
Deepwater
Horizon
Explosions
& Fire
2. Shoe
track
barriers
did not
isolate
hydrocarbo
ns
7. Fire and
gas system
did not
prevent
ignition
3.
Negative-
pressure
test
accepted -
integrity
not
established
4. Influx
not
recognised
until
hydrocarbo
ns were in
riser
5. Well
control
response
actions
failed
6. Diversion
of mud
resulted in
gas venting
to rig
8. BOP
emergency
mode did
not seal
well
Why?

11. Initially –
did not
achieve
seal
around
drill pipe
Negative
pressure test
accepted even
though
integrity had
not been
established
Did not
follow
agreed test
method
Mis-
interpreted
data
Crew had
preferred
method
Operationa
l
instruction
only broad
guidance
Did not
recognise
more
liquid than
expected
No
prediction
available
at time
Rig crew
expected to
know how
to perform
test
Previous
experience
Not aware
of specified
permit
requiremen
ts
Did not
realise
constant
high
pressure
indicated
a problem
Plausible
explanatio
n (bladder
effect)
Why?
Why?
Why?
Why?
Why?
Why? Why?

12. Crew busy
with other
activities
Influx not
recognised
until
hydrocarbon
was present in
riser
Instructions
required
constant
monitoring -
did not
specify how
Crew not
monitoring
well
Other
activities
interacting
with pits
Pits not set-up
for combined
activities
Mud pit
levels not
available
to monitor
Why?
Why?Why?

13. Well control
response
actions failed
to regain
control of the
well
Slow to
detect the
problem
Crew not
properly
prepared in
required
actions
Protocols
did not
cover the
scenario
Crew had
not been
trained to
deal with
the event
Why?
Why?

14. Working in silos
14
QRA
HAZOP
Human factors

15. Problem with working in silos
Generally
Risks not understood fully
Controls less effective and/or efficient
Human factors
Consequence of error not recognised in human
factors studies
Non-human factors people make inappropriate
assumptions about how humans can failure
Solutions/risk controls introduce additional human
factors problems.
15

16. Extracting human factors from HAZOP
Safeguards with human component
Monitoring and control
Alarm response
Training or procedure???
Safeguard maintenance
Tasks considered as potential causes of
deviation
Recommendations.
16

17. Issues with HAZOP and human factors
Not a systematic study of human factors
Human factors principles not always applied
(correctly)
HAZOP is already demanding without adding
human factors
But creating good links between HAZOP and
human factors could be very beneficial.
17

18. 18
Risk profile
Hazard detail
Engineered Human
Hierarchy Task or activity
1. Instrument
2. Alarm
3. Trip
4. Mechanical
Task risk
management
1. HMI
2. Deviation response
3. Emergency
4. Generic competence
5. One-off risk assessment
6. Automated
Prioritise according to risk of MAH
QRA, HAZID
Identify deviations leading to MAH
HAZOP, PHR
ALARP
Barriers
Bowtie?

19. Task Risk Management
Five stage process
1. High level screening
2. Identify tasks
3. Prioritise tasks for analysis
4. Analyse the most critical tasks
5. Use the findings
19

20. 1. Screening
The parts of the system to focus your effort
Hazardous
Complex
Critical to production
Systems with potential for Major Accident
Hazards (MAH) – all tasks are considered to be
“safety critical.”
20

21. 1. Screening - hypothetical hazardous
plant
Process storage – yes
Reaction plant – yes
Pipeline – no
Water treatment – partly
Instrument air – no
21

22. 2. Identify tasks
Possible approaches
Skip the step – people often want to dive straight into
task analysis
Existing procedures – assume they cover all tasks
Structured brainstorming – process drawing
22
Filters
Duty/standby
Pumps
Duty/standby
DP
Alarms
Lo
LoLo
Hi
Trip
Storage
tank
Delivery
tanker
Group exercise

23. 2. Identify tasks
This step is very simple – but encourages a
systematic approach
Uses for task lists
‘Gap analysis’ of procedures, training/competence
systems;
‘On the job’ training programmes;
Workload estimates;
Managing organisational changes.
23

24. 3. Prioritise tasks for analysis
Possible approaches
‘Gut feel,’ experience or ‘normal’ risk assessment
HAZOP, Process Hazard Review (PHR) etc.
Scoring system (see OTO 092 1999 – HSE)
24
Hazardousness of system
Ignition/energy sources
Changing configuration
Error vulnerability
Impact on safety devices
Overall criticality
Low Medium High
1 2 3
1 2 3
1 2 3
1 2 3
1 2 3
0-3 4-8 9-15

25. 3. Prioritise tasks for analysis
Benefits of scoring tasks at stage 2
Objective
Demonstration of why tasks were selected for
analysis – safety reports/cases
Highlight ‘anomalies’ without carrying out a detailed
task analysis
25
Microsoft Excel
Worksheet

26. 4. Analyse the most critical tasks
Task analysis is tried and tested – but negative
perceptions
Time and effort
Only doing it to keep the regulator happy
Discoveries from every analysis - if done ‘properly’
26

27. 27
Connect
tanker to
delivery
point
27272727272727
Transfer
fuel from
road-
tanker to
storage
Preconditions
•Delivery from
approved
supplier
•Tanker located
in unloading
bay
Transfer
fuel using
tanker’s
pump
Disconnect
tanker
from
delivery
point
Confirm
tanker is
OK to
offload
Connect
earth to
tanker
Connect
vapour
recovery
hose
Connect
delivery
hose
between
tanker &
delivery
point
Open valves
Check for
leaks
Start
tanker’s
pump
Standby &
monitor
throughout
When
complete,
stop pump
and close
valves

28. 4. Analyse the most critical tasks
Group exercise – use a data projector
People share experiences and concerns
Accept procedure may not reflect reality
Buy in to new methods
An excellent training exercise for people involved
Human error analysis
Look at the task with ‘new eyes’
Identify where issues have been ‘glossed over’
28

29. Consider consequence for each step if
Omitted (not carried out)
Incomplete
Performed on the wrong object
Mistimed (too early or late)
Carried out at the wrong speed (too fast or slow)
Carried out for the wrong duration (too long or
too short)
Performed in the wrong direction.
29

30. 30303030
Task Step Possible error
Existing risk
control measures
Consequence
Additional
measures
30
Conne
ct
earth
to
tanker
Action
omitted -
Potential
for static
discharge
to act as
source of
ignition
Failure to
achieve an
earth
before
starting
transfer.
Standard
practice
for all
tanker
operations
.
Consider
installing
interlocke
d earth
connectio
n.
Earth
connectio
n readily
available.

31. 5. Use the findings
‘Engineer out’ error potential
New projects – human factors integration plan
Design reviews and system modifications
Procedures
High criticality – print, follow and sign every time
Medium criticality – reference procedures
Low criticality – generic procedures and guidance
How do you manage the risks the risks of critical
tasks that are performed frequently?
Competence system
How to perform tasks
Understanding the risks
31

32. 5. Use the findings
Continuous review – proactive and reactive
Consider all stages when examining failures
1. Why is a task missing from the list?
2. Why was criticality not assessed correctly?
3. Was the task analysis correct?
4. Were the findings used?
32

33. Differential tasks vs activities
Safety Critical Task (SCT)
There is a clear start and finish
There are discrete steps
A change of status occurs
Safety Critical Activity (SCA) where the critical
aspects are:
Timing (when to perform the task)
Tools and equipment to be used
Information presentation
Decision making
33

34. Examples of SCT
Node start-up and shutdown
Starting main items of equipment
Stopping same equipment often simpler
Remove, calibrate and replace relief valve or
bursting disk
Leak or pressure test.
34

35. Examples of SCA & how to address
Control/optimise process
Human Machine Interfaces (EEMUA 191/201)
Emergency response
Emergency planning/staffing assessment
Routine maintenance/inspection
Planning and scheduling
Competence of personnel, permit to work
One-off tasks (e.g. temporary repair)
Risk assessment and management of change.
35

36. SCT or SCA depends on circumstance
Changing operating mode
Manual stop or trip
Check/calibrate transmitter
Function test trip
Maintain process equipment
Contractor management
Prepare plant for maintenance
Normal shutdown?
36

37. Conclusions
Linking human factors with other process safety
activities has great benefits
Linking all process safety activities should be the aim
Differentiating SCT and SCA helps clarify the
way forward
Needs to be continuous and iterative
Changing the approach to human factors is not the
only requirement
Process safety studies need to be modified to provide
better date for human factors studies.
37

38. 38