2015 trinity dublin - task risk management - hf in process safety
A bit about me
Chemical engineer
• BSc - Loughborough University
• PhD - Edinburgh University
19 years working as human factors consultant
• 10 years self-employed
Registered member of the Chartered Institute of Ergonomics and Human Factors (CIEHF)
Associate member of Institute of Chemical Engineers (IChemE)
Experience
Predominantly oil, gas, chemical, power and steel industries
Human factors in major accident safety
• Design assessments
• Safety critical task analysis
• Staffing and organisational change
Clients include Shell, BP, SSE, Centrica, Tata, Syngenta, Total, Maersk etc.
Places I have worked – UK & Ireland
Places I have worked – further afield
Projects I have worked on but not visited
Human factors and safety
Up to 80% of accident causes can be attributed to human failures
All major accidents involve a number of human failures
Human factors is concerned with
• Understanding the causes of human failures
• Preventing human failures
An important part of managing ‘major accident safety’
Deepwater Horizon - Explosions & Fire
1. Annulus cement barrier did not isolate hydrocarbons
2. Shoe track barriers did not isolate hydrocarbons
3. Negative-pressure test accepted - integrity not established
4. Influx not recognised until hydrocarbons were in riser
5. Well control response actions failed
6. Diversion of mud resulted in gas venting to rig
7. Fire and gas system did not prevent ignition
8. BOP emergency mode did not seal well
Why? Initially – did not achieve seal around drill pipe
Negative pressure test accepted even though integrity had not been established
[Figure: "Why?" tree; box text follows]
• Did not follow agreed test method
• Mis-interpreted data
• Crew had preferred method
• Operational instruction only broad guidance
• Did not recognise more liquid than expected
• No prediction available at time
• Rig crew expected to know how to perform test
• Previous experience
• Not aware of specified permit requirements
• Did not realise constant high pressure indicated a problem
• Plausible explanation (bladder effect)
Influx not recognised until hydrocarbon was present in riser
[Figure: "Why?" tree; box text follows]
• Crew busy with other activities
• Instructions required constant monitoring - did not specify how
• Crew not monitoring well
• Other activities interacting with pits
• Pits not set-up for combined activities
• Mud pit levels not available to monitor
Well control response actions failed to regain control of the well
[Figure: "Why?" tree; box text follows]
• Slow to detect the problem
• Crew not properly prepared in required actions
• Protocols did not cover the scenario
• Crew had not been trained to deal with the event
Working in silos
• QRA
• HAZOP
• Human factors
Problem with working in silos
Generally
• Risks not understood fully
• Controls less effective and/or efficient
Human factors
• Consequence of error not recognised in human factors studies
• Non-human factors people make inappropriate assumptions about how humans can fail
• Solutions/risk controls introduce additional human factors problems.
Extracting human factors from HAZOP
Safeguards with human component
• Monitoring and control
• Alarm response
• Training or procedure???
Safeguard maintenance
Tasks considered as potential causes of deviation
Recommendations.
Issues with HAZOP and human factors
Not a systematic study of human factors
Human factors principles not always applied (correctly)
HAZOP is already demanding without adding human factors
But creating good links between HAZOP and human factors could be very beneficial.
Risk profile
Hazard detail
Engineered - Hierarchy
1. Instrument
2. Alarm
3. Trip
4. Mechanical
Human - Task or activity
Task risk management
1. HMI
2. Deviation response
3. Emergency
4. Generic competence
5. One-off risk assessment
6. Automated
Prioritise according to risk of MAH - QRA, HAZID
Identify deviations leading to MAH - HAZOP, PHR
ALARP
Barriers
Bowtie?
Task Risk Management
Five stage process
1. High level screening
2. Identify tasks
3. Prioritise tasks for analysis
4. Analyse the most critical tasks
5. Use the findings
1. Screening
The parts of the system to focus your effort
• Hazardous
• Complex
• Critical to production
Systems with potential for Major Accident Hazards (MAH) – all tasks are considered to be “safety critical.”
1. Screening - hypothetical hazardous plant
Process storage – yes
Reaction plant – yes
Pipeline – no
Water treatment – partly
Instrument air – no
2. Identify tasks
Possible approaches
• Skip the step – people often want to dive straight into task analysis
• Existing procedures – assume they cover all tasks
• Structured brainstorming – process drawing
Group exercise
[Process drawing labels: Delivery tanker; Storage tank; Filters (duty/standby); Pumps (duty/standby); DP; Alarms (LoLoLo, Hi); Trip]
2. Identify tasks
This step is very simple – but encourages a systematic approach
Uses for task lists
• ‘Gap analysis’ of procedures, training/competence systems;
• ‘On the job’ training programmes;
• Workload estimates;
• Managing organisational changes.
3. Prioritise tasks for analysis
Possible approaches
• ‘Gut feel,’ experience or ‘normal’ risk assessment
• HAZOP, Process Hazard Review (PHR) etc.
• Scoring system (see OTO 092 1999 – HSE)
Scoring criteria (each scored 1, 2 or 3)
• Hazardousness of system
• Ignition/energy sources
• Changing configuration
• Error vulnerability
• Impact on safety devices
Overall criticality
• Low: 0-3
• Medium: 4-8
• High: 9-15
3. Prioritise tasks for analysis
Benefits of scoring tasks at stage 2
• Objective
• Demonstration of why tasks were selected for analysis – safety reports/cases
• Highlight ‘anomalies’ without carrying out a detailed task analysis
4. Analyse the most critical tasks
Task analysis is tried and tested – but negative perceptions
• Time and effort
• Only doing it to keep the regulator happy
Discoveries from every analysis - if done ‘properly’
Transfer fuel from road-tanker to storage
Preconditions
• Delivery from approved supplier
• Tanker located in unloading bay
[Figure: task analysis diagram; box text follows]
• Connect tanker to delivery point
• Transfer fuel using tanker’s pump
• Disconnect tanker from delivery point
• Confirm tanker is OK to offload
• Connect earth to tanker
• Connect vapour recovery hose
• Connect delivery hose between tanker & delivery point
• Open valves
• Check for leaks
• Start tanker’s pump
• Standby & monitor throughout
• When complete, stop pump and close valves
4. Analyse the most critical tasks
Group exercise – use a data projector
• People share experiences and concerns
• Accept procedure may not reflect reality
• Buy in to new methods
• An excellent training exercise for people involved
Human error analysis
• Look at the task with ‘new eyes’
• Identify where issues have been ‘glossed over’
Consider consequence for each step if
• Omitted (not carried out)
• Incomplete
• Performed on the wrong object
• Mistimed (too early or late)
• Carried out at the wrong speed (too fast or slow)
• Carried out for the wrong duration (too long or too short)
• Performed in the wrong direction.
Task step: Connect earth to tanker
Possible error: Action omitted - failure to achieve an earth before starting transfer.
Consequence: Potential for static discharge to act as source of ignition
Existing risk control measures: Standard practice for all tanker operations. Earth connection readily available.
Additional measures: Consider installing interlocked earth connection.
5. Use the findings
‘Engineer out’ error potential
• New projects – human factors integration plan
• Design reviews and system modifications
Procedures
• High criticality – print, follow and sign every time
• Medium criticality – reference procedures
• Low criticality – generic procedures and guidance
How do you manage the risks of critical tasks that are performed frequently?
Competence system
• How to perform tasks
• Understanding the risks
5. Use the findings
Continuous review – proactive and reactive
Consider all stages when examining failures
1. Why is a task missing from the list?
2. Why was criticality not assessed correctly?
3. Was the task analysis correct?
4. Were the findings used?
Differentiating tasks vs activities
Safety Critical Task (SCT)
• There is a clear start and finish
• There are discrete steps
• A change of status occurs
Safety Critical Activity (SCA) where the critical aspects are:
• Timing (when to perform the task)
• Tools and equipment to be used
• Information presentation
• Decision making
Examples of SCT
Node start-up and shutdown
Starting main items of equipment
• Stopping same equipment often simpler
Remove, calibrate and replace relief valve or bursting disk
Leak or pressure test.
Examples of SCA & how to address
Control/optimise process
• Human Machine Interfaces (EEMUA 191/201)
Emergency response
• Emergency planning/staffing assessment
Routine maintenance/inspection
• Planning and scheduling
• Competence of personnel, permit to work
One-off tasks (e.g. temporary repair)
• Risk assessment and management of change.
SCT or SCA depends on circumstance
Changing operating mode
Manual stop or trip
Check/calibrate transmitter
Function test trip
Maintain process equipment
• Contractor management
Prepare plant for maintenance
Normal shutdown?
Conclusions
Linking human factors with other process safety activities has great benefits
• Linking all process safety activities should be the aim
Differentiating SCT and SCA helps clarify the way forward
Needs to be continuous and iterative
Changing the approach to human factors is not the only requirement
Process safety studies need to be modified to provide better data for human factors studies.