
Approaches to integrating human factors in Seveso II safety cases

Rob Cotterill

DNV Consulting

PRISM Seminar, Bratislava, Slide 2

DNV's worldwide network

• 300 offices in 100 countries
• 5,500 employees: qualified professionals, technical specialists and consultants

DNV principal offices (map): London, Aberdeen, Oslo, Gothenburg, Stockholm, Essen, Milan, Piraeus, Dubai, Mumbai, Singapore, Shanghai, Seoul, Kobe, Rio de Janeiro, Houston, New York, Stockport

Slide 3

DNV and Safety Management

• Development and implementation of safety management systems
• Identification and assessment of the risks from major hazards
• Innovative safety cases
• Human factors of major accident prevention
• Behavioural safety/culture change
• Environmental performance improvement

Slide 4

The risk management agenda (diagram)

• Business risks: Assets, Image, Product, People
• Internally driven: "Shareholders"
• Externally driven: Societal, Economic, Legal, Political

Slide 5

Top Ten HF Issues

• Organisational change and transition management
• Staffing levels and workload
• Training and competence
• Fatigue from shiftwork and overtime
• Procedures
• HF in risk assessment and investigations
• Communications
• HF in design (e.g. control rooms)
• Organisational culture
• Maintenance error

Slide 6

Understanding human failure (diagram)

• Errors
  – Skill based: Slips, Lapses
  – Mistakes: Rule based, Knowledge based
• Violations: Routine, Situational, Exceptional

Human errors are not random

Slide 7

HF approaches to risk assessment

• Method 1: HF in the Safety Case
  – Top down approach
  – All human operations
  – Part of Seveso safety case
• Method 2: HF in major accident hazards
  – Bottom up approach
  – Concentrating on MAH scenarios
  – Implemented into safety case

Slide 8

Method 1: HF in the Safety Case

• Part of overall COMAH assessment:
  – Descriptive elements
  – Predictive elements
  – MAPP & SMS
  – Technical elements
  – Emergency response
  – Source information
• HF aspects in several elements
  – Supporting appendix of HF information
  – Referred to in all relevant sections

Slide 9

Human factors Appendix

• Description of the human factors assessment of the plant
• Aim:
  – To demonstrate that human factors issues have been taken into account in the risk assessment
  – To show that their potential effect has been considered as a contributor to the overall risk levels arising from the day to day operation

Slide 10

Human factors Appendix

• Identification and consideration of specific human factors issues that have led to major incidents in the past.
• Application of task analysis and human error identification techniques for the assessment of safety critical operations and maintenance tasks.
• Identification of the potential for violations of procedures to increase risk levels on site.
• Organised according to key human factors issues:
  – Identification of potential for human failures.
  – Demonstration of control measures.
  – Justification of the reliance on human reliability.

Slide 11

Data collection

• Review of MAH tables.
• Site tour including discussion of activities in the following areas:
  – Fuel receipts.
  – Tank farms.
  – Interceptors.
  – Tanker loading bays.
• Interviews with:
  – Terminal manager.
  – Operations staff.
  – Maintenance manager.
  – Security staff.
• Demonstration of operations in the control room.
• Review of site held documentation including:
  – Safety management system.
  – Key risk control systems.
  – Site HAZOP.

Slide 12

Error Analysis: SHERPA technique (Systematic Human Error Reduction and Prediction Approach)

1. Tanker loading – Entering the Loading Bays
Action: Drive up to loading bay.

Error | Consequences | S/E Crit | Safeguard/Recovery
Collide with another vehicle/equipment on the way to the loading bays. | Damage to equipment/tanker. Loss of product from loaded tanker. | Y | Training of tanker drivers. Site speed limit. Traffic management around the loading bays.
Collide with loading bay. | Potential damage to loading bay including delivery systems and pipe work. | Y | Training of tanker drivers. Site speed limit. Parking alignment indicators.
Enter bay closed for maintenance. | Potential injury to maintainers. | Y | "No Entry" paddle, traffic cone & signage.
Enter wrong loading bay. | Product not available or top/bottom loading not available. | N | Loading bays and fuelling arms are numbered, matching driver instructions.
Enter restricted area before loading bay required has been vacated. | Potential for hazard due to engine running. | Y | Driver training. Observation of bays on CCTV. Behavioural observations.
Omit to switch off unnecessary electrical items before entering bay. | Potential hazard. | Y | Driver training. Isolation of electrical systems. Behavioural observations.

Slide 13

High potential human error operations

• Road tanker loading
• Recovery from a compartment overfill (contained).
• Recovery from an overfill resulting in product spillage.
• Fuel receipts
• Filling COC tank.
• Operations tasks in and around the tank farm.
• Pump inspection.
• Inspection of loading bays.
• Testing of fire pumps.

Slide 14

Demonstration of existing control measures

• Risk ranking of human errors
  – Linking human errors to MAH scenarios
  – Identifying severity of consequence & likelihood
• Implementation of Control Measures and Safeguards
  – Driver training
  – Behavioural observations
  – Maintenance control (PtW)
  – Vehicle / equipment inspections
  – Etc.
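The two steps above (link each error to an MAH scenario, then rank it by severity and likelihood) can be applied directly to the slide 12 SHERPA rows. The following is an added example written for this page, not DNV's or the seminar's own tooling: the error rows and safeguards come from the slide 12 table, while the MAH scenario links, the 1 to 3 severity and likelihood scales and the ranking bands are constructed assumptions, since the slides name the criteria but give no scale.

```python
"""SHERPA-style human error register with risk ranking (added example)."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass
class HumanError:
    action: str
    error: str
    consequence: str
    se_critical: bool   # "S/E Crit" column: safety/environmental criticality
    safeguards: list    # "Safeguard/Recovery" column, one entry per safeguard
    mah_scenario: str   # linked MAH scenario (constructed); "" when not MAH-related
    severity: int       # 1 minor .. 3 major (constructed scale)
    likelihood: int     # 1 remote .. 3 frequent (constructed scale)


def risk_rank(severity, likelihood):
    """Constructed 3x3 matrix: band the product of the two scores."""
    for value in (severity, likelihood):
        if value not in (1, 2, 3):
            raise ValueError("severity and likelihood must be 1..3")
    score = severity * likelihood
    if score >= 6:
        return "HIGH"
    if score >= 3:
        return "MEDIUM"
    return "LOW"


# Rows from the slide 12 table; scores and MAH links are constructed.
TANKER_LOADING = [
    HumanError("Drive up to loading bay",
               "Collide with another vehicle/equipment on the way to the loading bays",
               "Damage to equipment/tanker; loss of product from loaded tanker", True,
               ["Training of tanker drivers", "Site speed limit",
                "Traffic management around the loading bays"],
               "Loss of containment from a loaded road tanker", 3, 2),
    HumanError("Drive up to loading bay", "Collide with loading bay",
               "Potential damage to loading bay including delivery systems and pipe work", True,
               ["Training of tanker drivers", "Site speed limit", "Parking alignment indicators"],
               "Loss of containment from loading bay pipe work", 3, 1),
    HumanError("Drive up to loading bay", "Enter bay closed for maintenance",
               "Potential injury to maintainers", True,
               ['"No Entry" paddle', "Traffic cone", "Signage"], "", 2, 1),
    HumanError("Drive up to loading bay", "Enter wrong loading bay",
               "Product not available or top/bottom loading not available", False,
               ["Loading bays and fuelling arms are numbered, matching driver instructions"],
               "", 1, 2),
    HumanError("Drive up to loading bay",
               "Enter restricted area before loading bay required has been vacated",
               "Potential for hazard due to engine running", True,
               ["Driver training", "Observation of bays on CCTV", "Behavioural observations"],
               "Ignition source in the loading bay", 3, 2),
    HumanError("Drive up to loading bay",
               "Omit to switch off unnecessary electrical items before entering bay",
               "Potential hazard", True,
               ["Driver training", "Isolation of electrical systems", "Behavioural observations"],
               "Ignition source in the loading bay", 3, 2),
]


def rank_register(errors):
    """Return (rank, error) pairs, highest risk first; ties keep table order."""
    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    ranked = [(risk_rank(e.severity, e.likelihood), e) for e in errors]
    return sorted(ranked, key=lambda pair: (order[pair[0]], -pair[1].severity))


def errors_by_mah(errors):
    """Group S/E critical errors under the MAH scenario they contribute to."""
    groups = defaultdict(list)
    for e in errors:
        if e.se_critical and e.mah_scenario:
            groups[e.mah_scenario].append(e.error)
    return dict(groups)


def priority_errors(errors):
    """Errors that are both S/E critical and HIGH rank: the ones whose control
    measures the safety case has to demonstrate first."""
    return [e.error for rank, e in rank_register(errors) if rank == "HIGH" and e.se_critical]


def safeguard_summary(errors):
    """How many errors each named safeguard is relied on for (shared safeguards
    are the ones whose failure affects several errors at once)."""
    return dict(Counter(s for e in errors for s in e.safeguards))


if __name__ == "__main__":
    for rank, e in rank_register(TANKER_LOADING):
        print(f"{rank:6} S/E={'Y' if e.se_critical else 'N'}  {e.error}")
    print("Priority:", priority_errors(TANKER_LOADING))
    print("By MAH scenario:", errors_by_mah(TANKER_LOADING))
    print("Safeguard reliance:", safeguard_summary(TANKER_LOADING))
```

The register deliberately keeps the S/E criticality flag separate from the rank: an error can be low risk on the matrix yet still need to appear in the appendix because it sits on an MAH scenario, and the safeguard summary shows where a single measure (driver training in this table) is being relied on for several errors at once.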

Slide 15

Method 2: HF in major accident hazards

• COMAH (Seveso II) compliance: demonstration of:
  – Evaluation of potential human error
  – Effectiveness of human interventions required to maintain control
• Establish awareness of human factors:
  – Line management
  – Engineering design
• Technology transfer:
  – Develop internal HF assessment methodology
  – Apply to all types of activities on site
  – Suitable for use by non-HF professionals
  – Complement other risk assessment techniques

Slide 16

Human Factors Method to Support COMAH (flow diagram)

Before assessment:
  – Major Accident Hazard scenarios identified from COMAH Safety Report
  – Task inventory & criticality assessment
  – Observational data
Assessment:
  – Identify critical tasks
  – Task analysis (HTA & concurrent)
  – Error analysis
  – Qualitatively assess critical tasks and potential errors
  – Staffing assessment
  – Alarm & procedure checklists
  – Evaluate the safeguards
After assessment:
  – Identify risk control strategies
  – Incorporate relevant results into Safety Report

Slide 17

Procedure Checklist

A. Procedure Design

Is the procedure of an appropriate length?
  BP: Procedures are kept as concise as possible whilst still conveying all the necessary information. The length of the procedure has been designed with the context of use in mind.
  S: Procedures are generally of a usable length, but may not be sensitive to the context of use.
  P: Length of procedures makes them very difficult to use. No account taken of context of use.

Slide 18

Alarm checklist

Engineering Equipment and Materials Users Association (EEMUA), 1999, Alarm Systems: A Guide to Design, Management and Procurement. EEMUA Publication No. 191. The Engineering Equipment and Materials Users Association: London.

Auditory alarms

Can all auditory alarms be heard from all parts of the plant that the operator may be, even when wearing ear protection?
  BP: An assessment has been performed to ensure that all alarms can be heard from all parts of the plant. When wearing ear protection, another operator is available to deal with alarms.
  S: No problems have been reported with alarm audibility throughout the plant. When wearing ear protection, another operator is available to deal with alarms. No assessment has been performed.
  P: Certain alarms cannot be heard from certain parts of the plant, or when wearing ear protection.

Slide 19

Concurrent Task Analysis

Critical (HTA) tasks ... which of these tasks can be performed concurrently? (task groups shown: Make Monomer, Charge Monomer)

Task No | Task                                  | Task step 1 2 3 4 5 6 7 8 9 10 11 12
1       | Charge to Vessel 1                    | A P X X A A A A P A A
2       | Transfer to Vessel 2                  | A P X X A A A A P A A
3       | Add additions                         | A A P P A A A A P A A
4       | Sample to lab for approval            | X X S P X X X X X X X
5       | Set up sulphuric acid sotz container  | X X P S X X X X X X X
6       | Transfer to Vessel 3                  | A A P X X A A A P A A

Slide 20

Staffing assessment

Figure 5: Staffing Level Decision Flow Diagram 1 (decision flow with Yes/No branches)

Take one top-level task analysis stage or area of responsibility.

Diagram 1 questions:
  A1 Are all ongoing safety-critical processes constantly attended by a competent operator? (Yes: go to question B2, Diagram 2)
  B1 Are all safety-critical processes covered by a reliable automated shutdown device?
  C1 Are all safety-critical failures covered by a reliable audible alarm?
  D1 Would the alarms be effective in alerting an operator from elsewhere?
  E1 Are there enough personnel elsewhere to attend to the alarm AND will they be available given the nature of their jobs?
  F1 Do the summoned personnel have basic competency to recover the situation?
  G1 Could the summoned personnel recover the situation considering the time required to attend?

Diagram 2 repeats the same questions as C2 to G2:
  C2 Are all safety-critical failures covered by a reliable audible alarm?
  D2 Would the alarms be effective in alerting an operator from elsewhere?
  E2 Are there enough personnel elsewhere to attend to the alarm AND will they be available given the nature of their jobs?
  F2 Do the summoned personnel have basic competency to recover the situation?
  G2 Could the summoned personnel recover the situation considering the time required to attend?

Assumption: even if the operator is only called away for a short time, s/he could be delayed unexpectedly.

Outcomes:
  Staffing adequacy level 0: Staffing or control measures in place are likely to be inadequate. Immediate measures should be taken to improve staffing or control measures.
  Staffing adequacy level 1: Staffing or control measures may be insufficient. If there is a reliance on trips, slam shuts, or other fail-safe mechanisms, reliability must be justified. Staffing levels should be considered to ensure that essential monitoring, control and incident response activities can be conducted.
  Staffing adequacy level 2: Staffing or control measures are likely to be adequate. Monitoring systems should be established to ensure that staffing remains adequate.

Data requirements:
  A1 - COMAH report; Training records; Roster pattern; Break pattern.
  B1 - COMAH report; Critical instruments list; Recent reliability test data; Design basis documentation (hardwired or software to appropriate SIL); Incident/Accident data.
  C1/C2 - COMAH report; Critical instruments list; Recent reliability test data.
  D1/D2 - Alarm evaluation; Task analysis.
  E1/E2 - Roster pattern; Break pattern; Operator experience; Common-mode failure data; Incident/Accident data.
  F1/F2 - Training records; Procedure evaluation; Event based procedures; Emergency Procedures.
  G1 - Operator experience; Incident simulation response times; Incident/Accident data.

Health & Safety Executive, 2001, Assessing the safety of staffing arrangements for process operators in the chemical and allied industries. Contract Research Report (CRR) 348/2001. HSE Books. See http://www.hse.gov.uk/research/frameset/crr/index.htm.
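Walking the decision flow by hand for every area of responsibility is error-prone, and the useful output is not only the level but the evidence that has to be on file to defend each answer. The code below is an added example written for this page, not the HSE's or DNV's own tool. Question wording, the per-question data requirements and the level texts are taken from the slide; the routing is an assumption reconstructed from the diagram text: 'Yes' to A1 hands the case to question B2 on Diagram 2 (which is not on the slide), 'No' to any of B1 to G1 ends at level 0, and 'Yes' to all of B1 to G1 gives level 1.

```python
"""Staffing adequacy decision flow, Diagram 1 of HSE CRR 348/2001 (added example)."""

QUESTIONS = {
    "A1": "Are all ongoing safety-critical processes constantly attended by a competent operator?",
    "B1": "Are all safety-critical processes covered by a reliable automated shutdown device?",
    "C1": "Are all safety-critical failures covered by a reliable audible alarm?",
    "D1": "Would the alarms be effective in alerting an operator from elsewhere?",
    "E1": "Are there enough personnel elsewhere to attend to the alarm AND will they be "
          "available given the nature of their jobs?",
    "F1": "Do the summoned personnel have basic competency to recover the situation?",
    "G1": "Could the summoned personnel recover the situation considering the time required to attend?",
}

# Evidence listed on the slide for each question.
DATA_REQUIREMENTS = {
    "A1": ["COMAH report", "Training records", "Roster pattern", "Break pattern"],
    "B1": ["COMAH report", "Critical instruments list", "Recent reliability test data",
           "Design basis documentation (hardwired or software to appropriate SIL)",
           "Incident/Accident data"],
    "C1": ["COMAH report", "Critical instruments list", "Recent reliability test data"],
    "D1": ["Alarm evaluation", "Task analysis"],
    "E1": ["Roster pattern", "Break pattern", "Operator experience",
           "Common-mode failure data", "Incident/Accident data"],
    "F1": ["Training records", "Procedure evaluation", "Event based procedures",
           "Emergency Procedures"],
    "G1": ["Operator experience", "Incident simulation response times", "Incident/Accident data"],
}

LEVEL_TEXT = {
    0: "Staffing or control measures in place are likely to be inadequate. Immediate "
       "measures should be taken to improve staffing or control measures.",
    1: "Staffing or control measures may be insufficient. If there is a reliance on trips, "
       "slam shuts, or other fail-safe mechanisms, reliability must be justified. Staffing "
       "levels should be considered to ensure that essential monitoring, control and "
       "incident response activities can be conducted.",
    2: "Staffing or control measures are likely to be adequate. Monitoring systems should "
       "be established to ensure that staffing remains adequate.",
}

# Assumed routing: every 'No' on this chain drops to level 0, all 'Yes' gives level 1.
UNATTENDED_CHAIN = ["B1", "C1", "D1", "E1", "F1", "G1"]


def evidence_for(path):
    """Distinct data items needed to justify the answers actually used, in question order."""
    items = []
    for q in path:
        for item in DATA_REQUIREMENTS[q]:
            if item not in items:
                items.append(item)
    return items


def assess_diagram1(answers):
    """Walk Diagram 1 for one top-level task analysis stage or area of responsibility.

    answers maps question id -> bool. Only questions on the path taken need an
    answer; a missing one raises KeyError carrying the question wording, so the
    caller knows what still has to be established. Per the slide's assumption,
    A1 is only 'Yes' if the operator is never called away, because even a short
    absence could be extended unexpectedly.
    """
    def ask(q):
        if q not in answers:
            raise KeyError(f"{q}: {QUESTIONS[q]}")
        return bool(answers[q])

    result = {"level": None, "next": None, "failed_at": None, "path": ["A1"], "text": None}
    if ask("A1"):
        result["next"] = "B2 (Diagram 2)"
    else:
        for q in UNATTENDED_CHAIN:
            result["path"].append(q)
            if not ask(q):
                result.update(level=0, failed_at=q, text=LEVEL_TEXT[0])
                break
        else:
            result.update(level=1, text=LEVEL_TEXT[1])
    result["evidence"] = evidence_for(result["path"])
    return result


if __name__ == "__main__":
    # Constructed answers for an unattended process whose alarms do not reach anyone.
    outcome = assess_diagram1({"A1": False, "B1": True, "C1": True, "D1": False})
    print("Level:", outcome["level"], "stopped at", outcome["failed_at"])
    print("Evidence to file:", outcome["evidence"])
```

Because the walk stops at the first 'No', the evidence list only names the documents for questions that were actually asked; a reviewer can use that list to check that the COMAH report, instrument list and alarm evaluation quoted in the safety case really support the answers given.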

Slide 21

Example: Automated continuous plant

• General control room duties difficult to assess
• Selected a manual task, and looked at links to control room activities
  – e.g., communications, data entry & decision making
• Example: taking sample of reactor contents
  – Error: fail to close circulation valve on sample cooler
  – Consequence:
    • Unrepresentative sample taken: status of reactor unknown
    • Potential runaway reaction
  – Recommendations:
    • Ensure all operators understand importance of sampling
    • Improve labelling of valves
    • Investigate linking valves to sample point

Slide 22

Example: Design phase of new plant

• Multi-disciplinary team established during design phase
• Applied methodology to proposed design:
  – Identified how plant will operate
  – Identified design problems before too late
  – Identified manning levels
  – Most importantly: ensured employee involvement
• Example: connect road tanker to off-load point
  – Error: driver connects to wrong point
  – Consequence:
    • Incompatible substance into storage tank: exothermic reaction
  – Recommendations:
    • Tanker drivers not allowed on site unaccompanied
    • 2 x paperwork checks
    • Off-load points locked

Slide 23

Method 1: Bottom up approach

• Pros:
  – Identifies main activities
  – Covers many activities
  – Quick
  – Low manpower requirements
• Cons:
  – Can be superficial
  – Hard to find people when you need them
  – Might miss certain root causes

Slide 24

Method 2: Top down approach

• Pros:
  – Very thorough
  – Based on severity of MAH scenario
  – Involves workers and supervisors
  – High face validity
  – Information rapidly gathered
• Cons:
  – Time consuming
  – Significant commitment from all involved
  – Understanding of error mechanisms is required

Slide 25

Conclusions

• Human errors are predictable
• Task analysis approach helps identify causes and consequences.
• Complexity of operation should drive HEA
  – More complex plant requires more complex process
• Commitment of time and people required for any approach.

Slide 26

difference that counts: DNV CONSULTING

Safeguarding life, property and the environment

Any Questions?

[email protected]