2015 trinity dublin - task risk management - hf in process safety

Post on 08-Apr-2017

Category:

Engineering

Tel: (+44) 01492 879813 Mob: (+44) 07984 284642 andy@abrisk.co.uk www.abrisk.co.uk

Task Risk Management

Andy Brazier

A bit about me

• Chemical engineer
• BSc - Loughborough University
• PhD - Edinburgh University
• 19 years working as human factors consultant
• 10 years self-employed
• Registered member of the Chartered Institute of Ergonomics and Human Factors (CIEHF)
• Associate member of Institute of Chemical Engineers (IChemE)

Experience

• Predominantly oil, gas, chemical, power and steel industries
• Human factors in major accident safety
• Design assessments
• Safety critical task analysis
• Staffing and organisational change

Clients include Shell, BP, SSE, Centrica, Tata, Syngenta, Total, Maersk etc.

Places I have worked – UK & Ireland

Places I have worked – further afield

Projects I have worked on but not visited

Human factors and safety

• Up to 80% of accident causes can be attributed to human failures
• All major accidents involve a number of human failures
• Human factors is concerned with
  • Understanding the causes of human failures
  • Preventing human failures
• An important part of managing ‘major accident safety’

Deepwater Horizon – Explosions & Fire

1. Annulus cement barrier did not isolate hydrocarbons
2. Shoe track barriers did not isolate hydrocarbons
3. Negative-pressure test accepted - integrity not established
4. Influx not recognised until hydrocarbons were in riser
5. Well control response actions failed
6. Diversion of mud resulted in gas venting to rig
7. Fire and gas system did not prevent ignition
8. BOP emergency mode did not seal well

Negative pressure test accepted even though integrity had not been established

Why?

• Initially – did not achieve seal around drill pipe
• Did not follow agreed test method
• Mis-interpreted data
• Crew had preferred method
• Operational instruction only broad guidance
• Did not recognise more liquid than expected
• No prediction available at time
• Rig crew expected to know how to perform test
• Previous experience
• Not aware of specified permit requirements
• Did not realise constant high pressure indicated a problem
• Plausible explanation (bladder effect)

Influx not recognised until hydrocarbon was present in riser

Why?

• Crew busy with other activities
• Instructions required constant monitoring - did not specify how
• Crew not monitoring well
• Other activities interacting with pits
• Pits not set-up for combined activities
• Mud pit levels not available to monitor

Well control response actions failed to regain control of the well

Why?

• Slow to detect the problem
• Crew not properly prepared in required actions
• Protocols did not cover the scenario
• Crew had not been trained to deal with the event

Working in silos

QRA

HAZOP

Human factors

Problem with working in silos

Generally
• Risks not understood fully
• Controls less effective and/or efficient

Human factors
• Consequence of error not recognised in human factors studies
• Non-human factors people make inappropriate assumptions about how humans can fail
• Solutions/risk controls introduce additional human factors problems.

Extracting human factors from HAZOP

• Safeguards with human component
• Monitoring and control
• Alarm response
• Training or procedure???
• Safeguard maintenance
• Tasks considered as potential causes of deviation
• Recommendations.

Issues with HAZOP and human factors

• Not a systematic study of human factors
• Human factors principles not always applied (correctly)
• HAZOP is already demanding without adding human factors
• But creating good links between HAZOP and human factors could be very beneficial.

Risk profile

Hazard detail

Engineered Human

Hierarchy Task or activity

1. Instrument
2. Alarm
3. Trip
4. Mechanical

Task risk management

1. HMI
2. Deviation response
3. Emergency
4. Generic competence
5. One-off risk assessment
6. Automated

Prioritise according to risk of MAH
QRA, HAZID

Identify deviations leading to MAH
HAZOP, PHR

ALARP

Barriers

Bowtie?

Task Risk Management

Five stage process
1. High level screening
2. Identify tasks
3. Prioritise tasks for analysis
4. Analyse the most critical tasks
5. Use the findings

1. Screening

The parts of the system to focus your effort
• Hazardous
• Complex
• Critical to production

Systems with potential for Major Accident Hazards (MAH) – all tasks are considered to be “safety critical.”

1. Screening - hypothetical hazardous plant

• Process storage – yes
• Reaction plant – yes
• Pipeline – no
• Water treatment – partly
• Instrument air – no

2. Identify tasks

Possible approaches
• Skip the step – people often want to dive straight into task analysis
• Existing procedures – assume they cover all tasks
• Structured brainstorming – process drawing

Group exercise (process drawing; labels: Filters – duty/standby, Pumps – duty/standby, DP, Alarms, LoLoLo, Hi, Trip, Storage tank, Delivery tanker)

2. Identify tasks

This step is very simple – but encourages a systematic approach

Uses for task lists
• ‘Gap analysis’ of procedures, training/competence systems;
• ‘On the job’ training programmes;
• Workload estimates;
• Managing organisational changes.

3. Prioritise tasks for analysis

Possible approaches
• ‘Gut feel,’ experience or ‘normal’ risk assessment
• HAZOP, Process Hazard Review (PHR) etc.
• Scoring system (see OTO 092 1999 – HSE)

Criterion                   Low   Medium   High
Hazardousness of system     1     2        3
Ignition/energy sources     1     2        3
Changing configuration      1     2        3
Error vulnerability         1     2        3
Impact on safety devices    1     2        3
Overall criticality         0-3   4-8      9-15

3. Prioritise tasks for analysis

Benefits of scoring tasks at stage 2
• Objective
• Demonstration of why tasks were selected for analysis – safety reports/cases
• Highlight ‘anomalies’ without carrying out a detailed task analysis

4. Analyse the most critical tasks

Task analysis is tried and tested – but negative perceptions
• Time and effort
• Only doing it to keep the regulator happy

Discoveries from every analysis - if done ‘properly’

Transfer fuel from road-tanker to storage

Preconditions
• Delivery from approved supplier
• Tanker located in unloading bay

• Connect tanker to delivery point
• Transfer fuel using tanker’s pump
• Disconnect tanker from delivery point
• Confirm tanker is OK to offload
• Connect earth to tanker
• Connect vapour recovery hose
• Connect delivery hose between tanker & delivery point
• Open valves
• Check for leaks
• Start tanker’s pump
• Standby & monitor throughout
• When complete, stop pump and close valves

4. Analyse the most critical tasks

Group exercise – use a data projector
• People share experiences and concerns
• Accept procedure may not reflect reality
• Buy in to new methods
• An excellent training exercise for people involved

Human error analysis
• Look at the task with ‘new eyes’
• Identify where issues have been ‘glossed over’

Consider consequence for each step if
• Omitted (not carried out)
• Incomplete
• Performed on the wrong object
• Mistimed (too early or late)
• Carried out at the wrong speed (too fast or slow)
• Carried out for the wrong duration (too long or too short)
• Performed in the wrong direction.

Task step: Connect earth to tanker
Possible error: Action omitted - Failure to achieve an earth before starting transfer.
Consequence: Potential for static discharge to act as source of ignition
Existing risk control measures: Standard practice for all tanker operations. Earth connection readily available.
Additional measures: Consider installing interlocked earth connection.

5. Use the findings

‘Engineer out’ error potential
• New projects – human factors integration plan
• Design reviews and system modifications

Procedures
• High criticality – print, follow and sign every time
• Medium criticality – reference procedures
• Low criticality – generic procedures and guidance

How do you manage the risks of critical tasks that are performed frequently?

Competence system
• How to perform tasks
• Understanding the risks

5. Use the findings

• Continuous review – proactive and reactive
• Consider all stages when examining failures

1. Why is a task missing from the list?
2. Why was criticality not assessed correctly?
3. Was the task analysis correct?
4. Were the findings used?

Differentiating tasks vs activities

Safety Critical Task (SCT)
• There is a clear start and finish
• There are discrete steps
• A change of status occurs

Safety Critical Activity (SCA) where the critical aspects are:
• Timing (when to perform the task)
• Tools and equipment to be used
• Information presentation
• Decision making

Examples of SCT

• Node start-up and shutdown
• Starting main items of equipment
  • Stopping same equipment often simpler
• Remove, calibrate and replace relief valve or bursting disk
• Leak or pressure test.

Examples of SCA & how to address

• Control/optimise process
  • Human Machine Interfaces (EEMUA 191/201)
• Emergency response
  • Emergency planning/staffing assessment
• Routine maintenance/inspection
  • Planning and scheduling
  • Competence of personnel, permit to work
• One-off tasks (e.g. temporary repair)
  • Risk assessment and management of change.

SCT or SCA depends on circumstance

• Changing operating mode
• Manual stop or trip
• Check/calibrate transmitter
• Function test trip
• Maintain process equipment

Contractor management

• Prepare plant for maintenance
• Normal shutdown?

Conclusions

Linking human factors with other process safety activities has great benefits

Linking all process safety activities should be the aim

Differentiating SCT and SCA helps clarify the way forward

Needs to be continuous and iterative

Changing the approach to human factors is not the only requirement

Process safety studies need to be modified to provide better data for human factors studies.
