2. 2
A bit about me
Chemical engineer
BSc - Loughborough University
PhD - Edinburgh University
19 years working as human factors consultant
10 years self-employed
Registered member of the Chartered Institute of
Ergonomics and Human Factors (CIEHF)
Associate member of Institute of Chemical
Engineers (IChemE)
3. Experience
Predominantly oil, gas, chemical, power and
steel industries
Human factors in major accident safety
Design assessments
Safety critical task analysis
Staffing and organisational change
Clients include Shell, BP, SSE, Centrica, Tata,
Syngenta, Total, Maersk etc.
3
7. 7
Human factors and safety
Up to 80% of accident causes can be attributed
to human failures
All major accidents involve a number of human
failures
Human factors is concerned with
Understanding the causes of human failures
Preventing human failures
An important part of managing ‘major accident
safety’
9. 1. Annulus
cement
barrier did
not isolate
hydrocarbo
ns
Deepwater
Horizon
Explosions
& Fire
2. Shoe
track
barriers
did not
isolate
hydrocarbo
ns
7. Fire and
gas system
did not
prevent
ignition
3.
Negative-
pressure
test
accepted -
integrity
not
established
4. Influx
not
recognised
until
hydrocarbo
ns were in
riser
5. Well
control
response
actions
failed
6. Diversion
of mud
resulted in
gas venting
to rig
8. BOP
emergency
mode did
not seal
well
Why?
10.
11. Initially –
did not
achieve
seal
around
drill pipe
Negative
pressure test
accepted even
though
integrity had
not been
established
Did not
follow
agreed test
method
Mis-
interpreted
data
Crew had
preferred
method
Operationa
l
instruction
only broad
guidance
Did not
recognise
more
liquid than
expected
No
prediction
available
at time
Rig crew
expected to
know how
to perform
test
Previous
experience
Not aware
of specified
permit
requiremen
ts
Did not
realise
constant
high
pressure
indicated
a problem
Plausible
explanatio
n (bladder
effect)
Why?
Why?
Why?
Why?
Why?
Why? Why?
12. Crew busy
with other
activities
Influx not
recognised
until
hydrocarbon
was present in
riser
Instructions
required
constant
monitoring -
did not
specify how
Crew not
monitoring
well
Other
activities
interacting
with pits
Pits not set-up
for combined
activities
Mud pit
levels not
available
to monitor
Why?
Why?Why?
13. Well control
response
actions failed
to regain
control of the
well
Slow to
detect the
problem
Crew not
properly
prepared in
required
actions
Protocols
did not
cover the
scenario
Crew had
not been
trained to
deal with
the event
Why?
Why?
15. Problem with working in silos
Generally
Risks not understood fully
Controls less effective and/or efficient
Human factors
Consequence of error not recognised in human
factors studies
Non-human factors people make inappropriate
assumptions about how humans can failure
Solutions/risk controls introduce additional human
factors problems.
15
16. Extracting human factors from HAZOP
Safeguards with human component
Monitoring and control
Alarm response
Training or procedure???
Safeguard maintenance
Tasks considered as potential causes of
deviation
Recommendations.
16
17. Issues with HAZOP and human factors
Not a systematic study of human factors
Human factors principles not always applied
(correctly)
HAZOP is already demanding without adding
human factors
But creating good links between HAZOP and
human factors could be very beneficial.
17
18. 18
Risk profile
Hazard detail
Engineered Human
Hierarchy Task or activity
1. Instrument
2. Alarm
3. Trip
4. Mechanical
Task risk
management
1. HMI
2. Deviation response
3. Emergency
4. Generic competence
5. One-off risk assessment
6. Automated
Prioritise according to risk of MAH
QRA, HAZID
Identify deviations leading to MAH
HAZOP, PHR
ALARP
Barriers
Bowtie?
19. Task Risk Management
Five stage process
1. High level screening
2. Identify tasks
3. Prioritise tasks for analysis
4. Analyse the most critical tasks
5. Use the findings
19
20. 1. Screening
The parts of the system to focus your effort
Hazardous
Complex
Critical to production
Systems with potential for Major Accident
Hazards (MAH) – all tasks are considered to be
“safety critical.”
20
21. 1. Screening - hypothetical hazardous
plant
Process storage – yes
Reaction plant – yes
Pipeline – no
Water treatment – partly
Instrument air – no
21
22. 2. Identify tasks
Possible approaches
Skip the step – people often want to dive straight into
task analysis
Existing procedures – assume they cover all tasks
Structured brainstorming – process drawing
22
Filters
Duty/standby
Pumps
Duty/standby
DP
Alarms
Lo
LoLo
Hi
Trip
Storage
tank
Delivery
tanker
Group exercise
23. 2. Identify tasks
This step is very simple – but encourages a
systematic approach
Uses for task lists
‘Gap analysis’ of procedures, training/competence
systems;
‘On the job’ training programmes;
Workload estimates;
Managing organisational changes.
23
24. 3. Prioritise tasks for analysis
Possible approaches
‘Gut feel,’ experience or ‘normal’ risk assessment
HAZOP, Process Hazard Review (PHR) etc.
Scoring system (see OTO 092 1999 – HSE)
24
Hazardousness of system
Ignition/energy sources
Changing configuration
Error vulnerability
Impact on safety devices
Overall criticality
Low Medium High
1 2 3
1 2 3
1 2 3
1 2 3
1 2 3
0-3 4-8 9-15
25. 3. Prioritise tasks for analysis
Benefits of scoring tasks at stage 2
Objective
Demonstration of why tasks were selected for
analysis – safety reports/cases
Highlight ‘anomalies’ without carrying out a detailed
task analysis
25
Microsoft Excel
Worksheet
26. 4. Analyse the most critical tasks
Task analysis is tried and tested – but negative
perceptions
Time and effort
Only doing it to keep the regulator happy
Discoveries from every analysis - if done ‘properly’
26
27. 27
Connect
tanker to
delivery
point
27272727272727
Transfer
fuel from
road-
tanker to
storage
Preconditions
•Delivery from
approved
supplier
•Tanker located
in unloading
bay
Transfer
fuel using
tanker’s
pump
Disconnect
tanker
from
delivery
point
Confirm
tanker is
OK to
offload
Connect
earth to
tanker
Connect
vapour
recovery
hose
Connect
delivery
hose
between
tanker &
delivery
point
Open valves
Check for
leaks
Start
tanker’s
pump
Standby &
monitor
throughout
When
complete,
stop pump
and close
valves
28. 4. Analyse the most critical tasks
Group exercise – use a data projector
People share experiences and concerns
Accept procedure may not reflect reality
Buy in to new methods
An excellent training exercise for people involved
Human error analysis
Look at the task with ‘new eyes’
Identify where issues have been ‘glossed over’
28
29. Consider consequence for each step if
Omitted (not carried out)
Incomplete
Performed on the wrong object
Mistimed (too early or late)
Carried out at the wrong speed (too fast or slow)
Carried out for the wrong duration (too long or
too short)
Performed in the wrong direction.
29
30. 30303030
Task Step Possible error
Existing risk
control measures
Consequence
Additional
measures
30
Conne
ct
earth
to
tanker
Action
omitted -
Potential
for static
discharge
to act as
source of
ignition
Failure to
achieve an
earth
before
starting
transfer.
Standard
practice
for all
tanker
operations
.
Consider
installing
interlocke
d earth
connectio
n.
Earth
connectio
n readily
available.
31. 5. Use the findings
‘Engineer out’ error potential
New projects – human factors integration plan
Design reviews and system modifications
Procedures
High criticality – print, follow and sign every time
Medium criticality – reference procedures
Low criticality – generic procedures and guidance
How do you manage the risks the risks of critical
tasks that are performed frequently?
Competence system
How to perform tasks
Understanding the risks
31
32. 5. Use the findings
Continuous review – proactive and reactive
Consider all stages when examining failures
1. Why is a task missing from the list?
2. Why was criticality not assessed correctly?
3. Was the task analysis correct?
4. Were the findings used?
32
33. Differential tasks vs activities
Safety Critical Task (SCT)
There is a clear start and finish
There are discrete steps
A change of status occurs
Safety Critical Activity (SCA) where the critical
aspects are:
Timing (when to perform the task)
Tools and equipment to be used
Information presentation
Decision making
33
34. Examples of SCT
Node start-up and shutdown
Starting main items of equipment
Stopping same equipment often simpler
Remove, calibrate and replace relief valve or
bursting disk
Leak or pressure test.
34
35. Examples of SCA & how to address
Control/optimise process
Human Machine Interfaces (EEMUA 191/201)
Emergency response
Emergency planning/staffing assessment
Routine maintenance/inspection
Planning and scheduling
Competence of personnel, permit to work
One-off tasks (e.g. temporary repair)
Risk assessment and management of change.
35
36. SCT or SCA depends on circumstance
Changing operating mode
Manual stop or trip
Check/calibrate transmitter
Function test trip
Maintain process equipment
Contractor management
Prepare plant for maintenance
Normal shutdown?
36
37. Conclusions
Linking human factors with other process safety
activities has great benefits
Linking all process safety activities should be the aim
Differentiating SCT and SCA helps clarify the
way forward
Needs to be continuous and iterative
Changing the approach to human factors is not the
only requirement
Process safety studies need to be modified to provide
better date for human factors studies.
37
So to close I will just summarise the four steps of the process.
Identify tasks associated with the system. Consider operations, maintenance and dealing with situations that arise
Rank tasks on the list into priorities, with the highest being the ones where we are more likely to learn the most from carrying out task analysis. We should not be analysing easy tasks
Analyse the tasks, but make sure this is done properly involving the right people and being systematic. It is much better to complete a small number of analyses really well than to do a large number badly
Finally use the findings. Otherwise, we have essentially wasted our time.
I suggest the first of the four stages of task risk management is to generate a comprehensive list of tasks for the system where we wish to apply task analysis. My experience is that this is rarely done because people want to dive straight into analysing specific tasks.
When I do get people to accept that the starting point for our analysis should be a list of tasks they often want to simply use the list of existing procedures. However, my experience is that most organisations have not developed procedures in a very systematic fashion, and more often than not is that procedures do not exists for tasks that should be our highest priority for task analysis.
I have found that a structured brain-storm is usually the best, asking people to work systematically through their system to identify tasks. A drawing can be particularly useful. For example, working left to right on this drawing I can see that operationally we need to receive material from a tanker, manage stock levels in the tank, changeover filters when the online one gets blocked and changeover pumps if the online fails. Also, I know we will need some system start-up and shutdown procedures. From a maintenance perspective I can see that we need to change or clean filter elements, repair the pump, calibrate instruments and test trip functions.
This step is very simple, and perhaps that is why people will often want to skip it. But by starting at this point people start to think more systematically, and are less inclined to pluck tasks from thin air for analysis. Also, the lists are very useful in their own right. They can be used for gap analyses.
At one of my clients we used a macro to convert the lists into training packages that grouped tasks into modules that were printed out as a workbook that was given to trainees. Also, it is very useful to know what tasks people are doing when looking at this like workload or when managing change.
Step 2 of the process is to review the list and prioritise the tasks that should be analysed first. These should be the tasks where there is interaction with major hazards and where there is potential for human failure. In other words, where are we going to get the most benefit from carrying out task analysis.
I find that peoples gut feel for which tasks are most critical is fairly unreliable. They usually choose tasks that they are familiar with, and often reassure themselves that there is not an issue with certain tasks because they have a procedure. My experience also is that both standard health and safety risk assessments and process safety analyses such as HAZOP are rarely much use, largely because the approaches taken to human factors are unsystematic.
I have had most success with a simple scoring system. The basis for this was presented in an HSE report in 1999. I have adapted it through experience, but the basic principle is that each task is scored between 0 and 3 against five criteria. Add up the scores for a total. The ones with the highest score are the most critical and hence the highest priority for task analysis.
Having used this method a lot over the last few years I am fully confident that, whilst it is relatively quick and easy to do, the output is very useful. It ensures a degree of objectivity and is particularly useful for demonstrating that you understand human factors risks, which you can refer to in a safety report or case if you are a COMAH site, offshore establishment etc.
An additional benefit of the scoring system is that it can highlight anomalies in the way you manage human factors risks without going through the time and effort of carrying out a full task analysis. For example one of the scores asks about the vulnerability to error. If you score highly on that criteria it is suggesting that constant vigilance is required. Given that we know humans are not great at vigilance this score can prompt you to consider whether the current task method is safe or whether arrangements need to be changed. Another score is about overriding safety devices. Again, if you score this high it prompts you to consider whether it is appropriate that a task requires safety devices to be overridden.
Step 3 is analysing the tasks that had the highest score in step 2. I’m not planning to talk much about this today because I think it is very much a standard technique for anyone working in human factors. But I would point out that a lot of people have a negative perception because they can see how long it takes per task and think they have to analyse every task. That is why the first 2 steps in the process are so important. Also, it doesn’t help that a lot of people only engage with task analysis because someone says they have to.
My experience is that every time we have done a task analysis properly we have learnt something.
Properly means involving the right people, putting procedures aside, keeping to a good structure and carrying out a human error analysis. This last bit can be a bit of a drag, but it is very interesting how often new issues come to light when you look back at the analysis you have just completed. Recently we analysed how to test a trip function. We had accepted that overrides would be required, but when we looked at the potential errors we realised there was a significant vulnerability. As a result we concluded that a completely different method was required.
The fourth stage is probably the most important, and it is to actual do something with the findings. Unfortunately it is often be overlooked. I suspect because a lot of people have got involve because they have been told they have to do it.
We should always be asking ourselves how risks can be engineered out. This is relatively straightforward when we are involved in the design stage for new projects, although task analysis often carried out too late to make fundamental changes. This is a factor where the 4 step process can help because you can develop task lists and criticality ranking very early on, and so ensure that human factors issues are integrated into the project plan.
One outcome is invariably the development of new or improved procedures. The detailed task analysis can give us the steps to include in the procedure, but the criticality rating also gives us a guide to what type of procedure should be provided and how it should be used in practice. This requires a buy in to the idea that the same does not fit all for procedures and it is unreasonable to expect people to follow procedures for every task. Equally, for most companies the idea that a procedure must printed, followed and signed every time certain tasks are performed is a new one, which takes some time to accept.
Although I stand by the basic guidance based on criticality, I have come across quite a number of situations where people are performing some of the most critical tasks on a very regular basis. People are often tempted to try and re-score the task, but I think this is not acceptable. The correct approach is to engineer the task so that its hazard or vulnerability to error is reduced. But this is not always possible.
I would suggest the solution requires a much better understanding of competence. But if we have completed our task analyses correctly a lot of the information needed to define competence requirements has already been recorded.
Another aspect of using the output is making sure the process remain live. That means revisiting all 4 steps. For example, if there is an issue with a task there should be a number of question you ask. Was the task on the list and if not why. What criticality was it assigned and does the incident suggest this was incorrect? Was the task analysis correct and if not why? And were the findings implemented effectively.