title: part 1 - integrating situation awareness into...

“Part 1 - Integrating Situation Awareness into Offshore Emergency Response System Design” Draft for Comment

Copyright 2015: Tom Shephard. This work is the sole property of Tom Shephard.

1


Copyright 2015: Tom Shephard. This work is the sole property of Tom Shephard. Corresponding author email: [email protected]

Title: Part 1 - Integrating Situation Awareness into Offshore Emergency

Response System Design

Author: Tom Shephard

Revision: Draft for comment, October 11, 2015

ABSTRACT

The Oil and Gas industry acknowledges the need to integrate Situation Awareness (SA) into the design, operation and maintenance of offshore drilling and production facilities (OGP Report: 454 (2011), 460 (2012), 464 (2014), SPE (2014) ‘The Human Factor: Process Safety and Culture’). Investigations into catastrophic offshore accidents often cite human error as a primary causal factor. The source of the error resides in faulty technical, organizational and management systems designs. SA design principles are currently employed in other highly hazardous and high consequence industries including air traffic control, rail, healthcare, space programs and military. Oil and Gas industry research into the applicability of SA, initiated in the 1990’s, is now ready to move into the implementation phase. To date, there appears to be no public literature that clearly defines the next step. This document attempts to fill that gap. Part 1 of this three-part manuscript presents the safety case on why SA should be employed in the design of the emergency response system for an offshore drilling and production platform. It also provides an overview of the published SA models for individual and team SA that are employed in this manuscript. Part 2 proposes a suggested project-level methodology that integrates SA principals into the design of an offshore emergency response system design. The approach uses published and widely accepted SA models and design methodologies. The suggest work sequence, project documents and participation by key stakeholders are defined and provided. The process begins in the Front End Engineering phase and progresses into the detailed design and engineering project phase. The author believes the approach, tools and documents are within the capabilities of the larger engineering contractors and Owner/Operating companies. Part 3 provides conclusions and discussions on the suggested processes and deliverables. Potential opportunities are examined, and the potential impact on barrier design, bowtie analysis, HMI design, training and staffing are discussed. Recommendations on next steps are also provided.



2



KEYWORDS

Situation awareness; emergency response; offshore; human factors, team

cognition

1 Introduction and Background

1.1 Introduction

In the US, between 2001 and 2010 the agency that manages offshore production facilities (previously named Minerals Management Service) reported 69 deaths, 1349 injuries and 858 fires on offshore facilities (Sutton 2012). In 1988, a series of incidents and events caused 167 fatalities and the destruction of the Piper Alpha facility (Cullen 1990). On April 20, 2010, a well blowout occurred on the Deepwater Horizon drill platform that was operating in the Gulf of Mexico. The catastrophic gas release, explosions and fires caused 11 fatalities, destroyed the facility and triggered the largest offshore oil spill in US history. Failures in the emergency response system and response team performance were primary contributors (CSB 2010, Skodalen et. al. 2011, Hopkins 2012).

After Piper Alpha and publication of the Cullen report (Cullen 1990), Exploration and Production (E&P)

multinationals, academia and industry organizations initiated research into situational awareness (SA)

and related topics (Flin et. al. 1996, Sneddon et. al. 2006/2013, Taber 2010, Sætrevik & Eid 2013,

Naderpour et al 2014). Positive research results, E&P multinational interest and the continued

occurrence of offshore incidents motivated industry organizations to issue recommendations and a ‘call-

to-action’ to consider SA and human factors in the design of offshore E&P facilities (OGP 2011/2012,

SPE 2014). Early SA adopters are transitioning to the applied development phase beginning with

concept guidelines, a guidebook, and a drilling-crew training template (OGP 2012, Flin et. al. 2008, OPG

2014). In the E & P domain, a methodology that integrates situational awareness into physical,

organizational and operational design of an offshore emergency response system remains new territory.

This manuscript attempts to fill that gap.

SA principles and models are already considered or used in many highly hazardous, high consequence

industries that include aviation (e.g., Sorenson et al, 2011), military (Salmon et al, 2010), command and

control (Stanton et al, 2010), rail (Golightly 2010) and shipping (Chavin et al 2009). Part 1 of this three-

part manuscript (this document) presents the safety basis on why SA should be employed in the design

of the emergency response system for an offshore drilling and production platform, and provides an

overview of the published SA models for individual and team SA adopted in this manuscript.

Part 2 proposes a suggested project-level methodology that integrates SA principals into the design of

an offshore emergency response system design. The approach uses published and widely accepted SA

models and design methodologies. The suggest work sequence, project documents and participation by

key stakeholders are defined and provided. The process begins in the Front End Engineering phase and

progresses into the detailed design and engineering project phase. The author believes the approach,



3



tools and documents are within the capabilities of the larger engineering contractors and

Owner/Operating companies. Part 3 provides conclusions and discussions on the suggested processes

and deliverables. Potential opportunities are examined, and the potential impact on barrier design,

bowtie analysis, HMI design, training and staffing discussed. Recommendations on next steps are also

provided.

2 Problem Statement

Personnel live and work 24x7 on facilities that drill for and produce highly hazardous materials. The modern offshore production or drilling platform is complex. Deepwater facilities, commonly located several hours from shore by helicopter, employ advanced and often leading edge technologies. Production systems include wells and wellheads, flow-lines, risers, pipelines, processing units to separate oil, gas and produced water, living quarters, electrical buildings, overhead cranes, and sea-floor tethered tendons and mooring lines. Drill rigs and associated operations are even more complex given their greater reliance on human actions to prevent accident events that are unique to drilling operations. The drilling operator must quickly detect and correctly respond to a sudden and unexpected change in well pressure or composition to prevent a blowout.

Production and drilling modules are mounted on a stationary structure (e.g., jack-up or compliant tower) or a floating hull (e.g., spar, semi-submersible and tension leg platforms, and floating production, storage and offloading vessels). Production equipment may reside on the ocean floor. Differences also exist in the emergency response system design, staffing and staff selection process, response team roles, procedures and training, competency requirements and local and corporate cultures. Every facility has Major Accident Events (MAEs) that must be considered in the safety and emergency design of the facility. No two deepwater facilities are exactly alike. Figure 1 provides a few examples. See Norsok (2010) for a complete list of potential MAE’s.

Fireball

Flash FireElectrical

Over Pressure:

Vessel, Piping,

Chem Inj. Tubing

Vapor Cloud

Explosion

Mechanical

Failure

(Shrapnel)

Mooring /

Tendon System

Failure

Chain-Jack

Error / Failure

Hull Stability, Hull/Topsides

Integrity Failure

Arc

Flash

Personnel Safety

Major Accident Events (Examples)

Dropped Objects,

Swinging Loads

(Crane, other)

Jet Fire

Pool Fire

Fire

Explosion

& Shrapnel

Toxic &

Inert gas

Gas

Release

Process Systems

Integrity Failure

Puncture, Leak:

Seal, Valve, Flange

Subsea Isol. Valve

Topsides Dry Tree

Erosion, CorrosionCollision, Pile or Shackle Failure

Water Surge/Current,

Anchor Drag, Rogue Wave

High Wind Load

Hull

Breach

Damage to

Structure or

Essential

Systems

Structural

Damage/Failure

Collision

Corrosion

LNG/Cryo Release

High Wind Load

Rogue Wave

Ballast

Error / Failure

Subsea Pile or

Shackle Failure

Sea Valve

Open

Water-Tight

Door Open

COG Load

Error

Spill:

Oil, Fuel

Chemical

Turret

Failure

Water

Hammer

(Line Failure

Shrapnel)

Piping /

Vessel

Failure (JT

Subcooling)

Projectile:

Pig Trap, Valve Stem,

High Pressure Chem. Inj. Tubing,

Exchr. Tube Bundle

Wind Launched

See

Fire

Gas

Release

Rupture / Fire

Gas Release

Station Keeping

Failure

Hull Flooding - List,

Capsize / Sink

Tendon

Failure

(TLP)

Loss of Buoyancy:

Susea Leak/Blowout

Jet Fire

Pool Fire

BLEVE

Poisoning

Asphyxiation



4



Figure 1 – Example MAE’s Applicable to a Floating Offshore Production Facility.

Offshore drilling or production facilities have emergency response systems in place that provides a pre-determined response to every identified and plausible major accident event. A layered, defense-in-depth approach provides preventive and mitigative type barriers to prevent, control and recover from each MAE. A preventive barrier, e.g. an automated safety shutdown system, is designed to prevent the occurrence of the MAE. Should the MAE occur, one or more mitigative type barriers provide the means to control and recover from the event and limit the opportunities for event escalation. Some preventive barriers (e.g. well control) and many if not most of the mitigative type barriers rely on one more humans to achieve the intended barrier objective.

POSIT 1: Many MAE barriers are acutely dependent on one or more humans-in-the-loop to achieve the intended barrier function.

The Emergency Response Team or ERT, are responsible for performing the majority of these barrier activities. (Non-ERT members on the facility also have barrier responsibilities, e.g., promptly and safely move to an assigned muster station when the muster alarm sounds.) Achieving the barrier objective assumes the ERT can reliably and accurately executes the appropriate procedures, while subjected to considerable time and performance pressure (Sneedon et al. 2006/2013, Woodcock 2012). In this environment, the ERT must rapidly adapt and respond to sudden, high consequence and often highly complex events. The nature of the MAE establishes the ERT response requirements in terms of workload, tempo and the emergency response options.

With preventive type barriers, the defense-in-depth approach assumes barriers are selected to be mutually independent so a single event cannot disable two or more barriers. This independence is not achieved if two or more barriers employ the same personnel to execute essential barrier activities. Response team members are assigned life-critical tasks on many human-dependent barriers. The capacity of the team is limited. Team resources are reduced if a team member is injured by the event, fails to muster (e.g., is missing) or cannot reach their designated response station (Woodcock 2012). The Offshore Installation Manager (OIM) is typically the Person-in-Charge and has the safety of personnel and the environment as top priorities. To the extent that it does not conflict with these priorities, the OIM is also responsible for maintaining the integrity of the facility. OIM activities may include initiating emergency response plan changes and actions, assigning resources, making life-critical decisions and managing the ERT in a way that maintains team coordination and cohesion.

For Deepwater facilities, mobilizing resources from external sources often takes hours. In the earliest phase of the emergency, the response is limited to the ERT resources residing on the facility when the event occurs. The likelihood that the event is sufficiently controlled to prevent escalation is a function of the ERT’s actions and responsiveness in the earliest phases of the incident (Flin et al 1996, Gasaway 2013). Complex and concurrent incident events often require a rapid (e.g. non-linear) increase in ERT activity to stay head of or at least keep up with rapidly changing conditions (Gasaway 2013, Hopkins 2012, Perrow 1999). A slow or incorrect response may fail to block escalation pathways that can lead to larger, different and more complex incidents. The most severe consequences from the Piper Alpha and Deep Water Horizon accidents did not occur with the initial event (CSB 2010, Cullen 1990, Hopkins, 2012, National Commission 2011, pg. 121). In both cases, human-dependent barriers failed in the early



5



stages of the incident. The resulting escalations had the greatest impact on the number of casualties (Cullen 1990, CSB 2010) and lead to the largest offshore spill in US History (CSB 2010).

POSIT 2: A human-dependent barrier is a compilation of tasks. Responders must correctly perform every assigned task and do so within a timeframe that achieves the barrier’s intended safety function.

Offshore emergency response takes place under difficult conditions. Most tasks are time-of-the-essence and require a task completion time measured by minutes. For those nearest to danger the response may be seconds, e.g., make a decision to evacuate an area where a toxic or flammable gas alarm is active. Understanding the full nature of the tasks and actions expected from responders and others on the facility should begin with a task analysis. Identifying, clarifying and assessing safety critical tasks is an essential pre-requisite (HSE 2005) to understanding and mitigating factors that are primary contributors to major offshore accidents (CSB 2010, Cullen 1990, OGP 2010, Woodcock 2012). The task analysis is the only meaningful source of information to assess the task workload (mental and physical) and the likelihood that the task can be correctly completed within the time needed to achieve the barrier objective. In most areas of the world (e.g., United States), regulatory statues do not require a task analysis to support the design of the emergency response system. A few Owner/Operators include this requirement in their corporate standards. However, when performed the analysis rigor and depth can vary significantly by operating region and project. Fewer than half of all newly designed offshore facilities perform and use a task analysis to guide the emergency response system design.

POSIT 3: Every barrier task is comprised of task components, all of which are essential to achieving the task (barrier) objective.

Common task components include the task assignee, safety-critical facility features, systems and equipment, and organizational/management systems. The human-in-the-loop tends is the active and intentioned component that employs and directs this system of component in a manner that can achieve the intended task (barrier) objective. A deficiency in any task component can result in a human error that contributes to task and barrier degradation or failure (Dekker 2011, pg. 90-94, HSE 1999, SPE 2014). The ability to eliminate or mitigate such errors, requires a process that correctly and systematically identifies the required components and provides the insight needed to understand how a responder uses, deploys or interacts with each component. The process should also assess the mental and physical workload demands under the expected range of response conditions and working environment to ensure these demands are realistic and achievable. The process described above is relatively uncommon in the Oil and Gas industry.

According to Reason (1990), 70-80% of all catastrophic industrial accidents are caused by human error. According to Dekker (2010), human error is typically not the ultimate root cause of an accident. Instead, the true cause of the accident was the failure to eliminate or mitigate task and environmental conditions that are common contributors to human error (Dekker 2010, HSE 1999, Reason 1990, Woods et al 2010). Given the current industry design practices, this type of ‘design error’ is highly possibly. A common practice when designing human-dependent barriers is to parse the definition, design or development of task components to different organizations who then progress this work at different times in the project cycle. The project-unique work split and development schedule varies by Client, project and regulatory regime. This somewhat fragmented and non-holistic approach is typically not



6



guided by a comprehensive set of task-level basis, requirements and specification documents. The design process itself is a likely contributor to component (task) design errors. Such errors are likely to remain hidden if the Owner/Operator does not have a rigorous training and drills program (i.e., a barrier stress testing) that can reveal this type of design error.

The Owner/Operator typically creates and develops the ERT management systems (soft task components). This often occurs with varied or perhaps no interactive input from those having the greatest knowledge of the facility’s technical systems, safety features and design history, i.e., the EPC contractors. With or without a task analysis, the Owner/Operator determines the response team’s organizational roles and reporting structure, staffing and task assignments, plans, procedures and training, and the equipment, systems and design features needed to support the envisaged response concept and plan.

Engineering, procurement and design (EPC) contractors typically design and procure the physical components with varied input from the Owner/Operator. EPCs also design these systems based on historical practice, risk study results and regulatory/classing agency requirements. In the FEED stage of the project, the EPC contractor typically has very little information on how the Owner/Operator intends to use the equipment and systems at the task level. Physical task components typically include the embedded facility features (e.g. muster stations and evacuation/escape pathways), technical systems (e.g. radios, public address and alarm systems), safety equipment (e.g. life rafts and escape ladders), fire-fighting systems (e.g. firewater and foam monitors) and personal protective equipment (e.g. smoke hoods and air packs).

If a task analysis is not performed, every physical component that is essential to the success of a barrier tasks is not necessarily defined. A component that is not identified and defined is not listed in the project’s Safety Critical Elements (SCE) list. SCEs undergo an extensive process to assess equipment integrity, survivability and performance. This process is not applied to task components that are not on this list. To this point, an emergency response board (ERB) used by the OIM to track events, resources and metocean conditions is typically not listed as an SCE as it may ‘simply’ be a white board. New research (Taber 2010) indicates that the ERB may be an essential task component that significantly affects the OIM’s ongoing understanding of events, decision-making and performance. As such, it has a potential life-critical impact.

A bow-tie analysis and set of diagrams is often used to assess and show the preventive and mitigative barriers implemented to prevent, control and recover from each MAE. A diagram may show a SCE (e.g., training) as a mitigation barrier when in fact training is task component, and does not accurately represent a barrier. This point is easily missed if a design team or Owner/Operator does not internalize that a human dependent barrier is actually a construct of tasks, and those tasks are comprised of components that include people, physical (e.g., an SCE) and soft components. Confusion on what constitutes a human-dependent barrier can lead to misrepresenting a barrier on a bowtie diagram.

POSIT 4: As a precursor to sound and correct task decision making and actions, the task assignee must acquire the necessary task (situation) information, comprehend its meaning and project what can occur in the future, near term. This process is commonly referred to as Situation Awareness or SA.



7



Poor situation awareness is a primary contributor to major offshore accidents. Though widely implemented in other highly hazardous, high consequence industries, the Oil and Gas industry has not revised its design practices to integrate SA principals and methods. Endsley (1988, p97) defines situation awareness as “the perception of the elements in the environment within a volume of time and space, the comprehension of their meaning, and the projection of their status in the near future.” The Oil and Gas Industry recognizes that poor SA is a frequent causal factor in major offshore accidents (Cullen 1990, CSB 2010, Skogdalen et al 2011). An offshore accident triggers an immediate shift in the ERT member response stations, roles, reporting structure, procedures, communication protocols, priorities, tempo and urgency. “Situational Awareness is clearly most in jeopardy during periods of rapid change and where the confluence of forces make an already complex situation critically so” (Woods et al 2010). “Sudden, unprepared onset makes it difficult for the user to get into the situation” (Sträter, 2005).

To address this issue, the Oil and Gas industry acknowledges the need to implement SA principles and knowledge into offshore facility design for drilling and production operations (OGP 2010/2011/2014, SPE 2014). As noted in Section 1, research in this area has been underway for many years. An early initiative is the development of SA-centric training programs for offshore drilling crews (OGP 2014). Beyond that, it appears that little has been done to change current practice in a way that integrates SA knowledge and principals into the emergency response system design. A review of public literature provides no clear answers on the questions of what should be done, by whom, at what point in a project cycle. These fundamental questions must be answered before an Owner/Operator or EPC contractor will consider changing current practice.

Information presented by an offshore accident can be highly dynamic and therefore subject to frequent and rapid changes. The SA process for individual ERT members and the team as a whole must keep pace with this dynamic environment to maintain an accurate and timely understanding of current conditions and potential threats to personnel. The SA process is impeded if essential information is incomplete, delayed or not organized in way that directly supports the SA process. Sneeden et al. (2006) analyzed a database of 332 incidents in an Owner/Operator’s offshore drilling operations. The study identified 135 incidents that resulted from poor SA. Of these, roughly 65% were attributed to the first phase of SA assessment process, i.e., acquiring and attending to the information required by the task. The remaining incidents in the above-mentioned database were attributed to the other two aspects of SA, comprehension and projecting future events.

POSIT 5: A failure to eliminate or mitigate Performance Shaping Factors (PSF) that degrade the SA process or cause human error contributes to task (barrier) failure.

The term Performance Shaping Factors or PSF is often used to describe environmental, physical and organizational conditions that degrade the SA process and tend to cause human error. Environmental conditions can interfere with the ones ability to acquire information. Background noise and poor audio quality may interfere with a telephone conversation between responders and causes the message receiver to miss or misunderstand conveyed information (Gasaway 2013, pg. 110). Personnel protection equipment makes it difficult to speak and hear over a radio handset if its use was not considered when the equipment was selected. A poorly design evacuation path (blind turns) or the presences of smoke or fire obscures an evacuation pathway so it is not possible to see what lies ahead. These conditions force



8



the individual to make urgent and safety critical decisions on route selection and movement speed, a scenarios that may affect the time needed to complete the muster response process (Skogdagen et al. 2011).

A poorly designed user interface to a technical system increases the time and effort needed to find and access information. This design error contributes to task complexity, increased workload and places a greater demand on a responder’s short term working memory (WM). The type and amount of information one can reliable store and recall from short term working memory can be significantly reduced when highly stressed, fatigued, distracted or fearful (Reason 1990). A task that requires calling up and remembering information from many computer displays may fail given the high likelihood that information is forgotten or incorrectly remembered in the process.

In the potentially confusing, complex and resource-constrained ER environment, responders will likely need to choose between conflicting task priorities. Consciously or unconsciously, a decision is made on where to direct one’s attention. Humans have one ‘attention’ resource. The responder must correctly select where to direct their attention and maintain it long enough to complete the SA assessment process, a pre-condition to sound decision making and taking the appropriate actions. Many conditions can cause a responder to unconsciously divert their attention away from a higher priority task, or dart between tasks in a manner that makes it very difficult to maintain SA and complete a multi-step task. This type of PSF is unique to individual attention management. By evolution, human tendency is to unconsciously and automatically divert attention to a nearby conversation or a sudden and loud noise, or to a person walking towards them. Locating an incident command center within a poorly designed control room can expose a stressed and potentially overloaded responder to many sources of distractions and interruptions that may make it more difficult to complete a complicated or tedious task. Externally paced tasks, common to emergency response, “cause work-induced stress” (Booher 2003).

Overly complex tasks, difficult problems and excessive workload can trigger undesirable behaviors that degrade SA and decision-making, and increase the potential for mental (cognitive) errors. These conditions can cause a responder to fixate on a single task (i.e., cognitive lockup and tunnel vision, Dekker 2006) and thereby diverts the effort away from a task that has a higher priority. Essential information may be ignored when it is not consistent with one’s current theory of an evolving event (i.e. confirmation bias, OGP 2011, Hopkins 2012, Woods et al. 2010.) A responder is more likely to commit a plan continuation error, a circumstance when someone choses to continue a nearly complete task that is no longer appropriate or safe (OGP 2011, Hopkins 2012, Endsley and Jones 2012 Section 3, Dekker2006, Section 14). Under stress, one’s ability to accurately perceive the passing of time becomes distorted (Dekker 2006 pg. 143).

A responder’s perception of organizational priorities and societal expectations can unconsciously and incorrectly prioritize tasks in terms of which are attended to first. From the investigation of the Piper Alpha disaster, Bea (2009) argues that a failure to consider organizational and societal elements is a critical error because the true risk is significantly underestimating.

“The investigative report stated that the majority of the causes of this failure (80 per cent or more) were

firmly rooted in human, organizational and institutional malfunctions.” “The human, organizational and

institutional causes are termed ‘extrinsic”. “Because the neglected extrinsic factors are actually

fundamental to system performance, expected risks were under-predicted by factors of 100 or more. These



9



findings are consistent with a large body of research that highlights the role of ‘extrinsic’ factors in large-

scale system failures…”

POSIT 6: If the above Posits are true, the likelihood that a human-dependent MAE barrier will reliably achieve the intended barrier function under all plausible scenarios is, at best, uncertain.

The Oil and Gas industry has not yet responded to the need to integrate individual and team SA into the emergency response design. Modern offshore facilities are rapidly increasing in size, operational flexibility, expected facility life, use of new technologies and using existing technologies in new ways. These facilities are moving farther into sea-lanes, and into deeper waters and more severe extreme ambient environments (e.g., the arctic). Well pressure and temperatures are dramatically increasing. Then next facility is often markedly more complex that its predecessor. The ability to maintain situation awareness when drilling ever-deeper wells in increasingly complex geologic structures is a major challenge. The need to understand and design systems that allow personnel to acquire and maintain situation awareness is pressing. The same is true for addressing human factors issues that can degrade SA and the responder’s ability to correctly and reliably perform life-critical MAE barrier tasks.

Recent events have also helped to temper the belief that we know and fully understand the risks that can occur on an offshore facility. Viable response plans are often not created to address unforeseen hazards and event. The tether release scenario that caused the catastrophic loss of Chevron Typhoon tension leg platform had never occurred before and was therefore unforeseen. The Deepwater Horizon team (and the industry) was unaware that a previously unknown mechanism can cause the BOP shear ram barrier function to fail, and that the planned spill response barrier would also fail (CSB 2010, National Commission 2011). The Owner/Operator and rig operator’s failure to maintain barrier components (intentionally disabled the general alarm and automated gas detection shutdown systems) and the failure of many human-dependent barriers contributed to the loss of life and the largest offshore spill in US history (Hopkins 2012, CSB 2010, National Commission 2011). For all but the largest multi-nationals, major accidents of this type are potential corporate extinction events.

Fully automated barriers (e.g., automated shutdown systems) are currently designed to internationally recognized standards (IEC 61508, IEC 61511). The integrity of the technical systems governed by these standards is verified and the design process validated to ensure it achieves the expected level of performance and reliability. Integrity calculations consider soft components, e.g., maintenance intervals and test procedures. Environmental conditions, interfaces to other systems and the design of the human interface to the system receive considerable attention. The same level of design control and rigor is not applied to a human-dependent MAE barrier that is credited for similar levels of risk reduction in a risk assessment process. Design deficiencies will exist, many of which will be hidden. Their impact on task and barrier integrity and performance will be unknown.

3 An Overview of Individual and Team Situational Awareness

3.1 Individual Situational Awareness

In an emergency, the information presented to a responder can change quickly. The ability to rapidly acquire and comprehend this information affects the responsiveness of the individual and the ERT overall. SA exists in individuals and collectively in teams (e.g., Team SA). For individual SA, the model



10



receiving the greatest interest from the offshore E&P industry was developed by M.R. Endsley. Endsley’s model, adopted for use in this manuscript, defines three elements that are deemed essential to achieving situation awareness (Endsley 1995):

Perception (SA-1) refers to the acquisition of information in the environment that is perceivable and available to our senses. Possible sources of SA-1 may include a communication exchange (e.g., verbal or visual) and information acquired from a technical system (e.g., radio or control system display). The accident scene provides visible information (e.g., the location and state of an injured person or visible damage to equipment) and information that can be acquired from the ambient environment (e.g., smell, sound, heat and visibility).

Comprehension (SA-2) is the result of combining SA-1 information with one’s stored experience and knowledge to develop a mental picture and comprehension of what the SA-1 information means.

Projection (SA-3) is the result of combining the SA-2 product with a deeper level of stored experience and knowledge to project future outcomes (near term) and timing.

The relevance of SA becomes clearer when examined from a task perspective. Human-centered activities can be organized as goal-directed tasks that invoke several activities, i.e., information gathering and assessment (SA), decision-making, and actions taken to implement a decision. The task design process identifies essential task decision(s) and decision implementation options that can achieve the task goal. The SA-1 information and the SA-2/SA-3 comprehension and projection needed to guide these activities can now be defined. The sources of SA-1 information, and the factors that support or interfere with the SA-2 and SA-3 process, can also be defined.

3.2 Team Situation Awareness

Given the many and varied hazard events possible on an offshore facility, Owner/Operators seek opportunities to reduce the number of personnel on the facility so fewer are exposed to these risks. The varied nature of the hazards requires a team that has a wide range of response capabilities. To accommodate both objectives, the organization model for the ERT is a smaller organization and roles that roles that tend to be specialized in terms of skills, knowledge and expertise. As such, the team is heterogeneous. The Offshore installation Manager (OIM), typically the person-in-charge, provides centralized command and control. The term Team Situation Awareness or Team SA encompasses the enabling actions and attributes that transforms a heterogeneous group of individuals into an adaptive team that can coordinate and execute life-critical tasks in a complex, dynamic and stressful environment. The design of the team organization, roles, procedures, communication protocols and training programs establish how the ERT interacts, functions as a team and remains aligned to team goals and OIM-designated priorities.

There are several Team SA models and team descriptions (Salas et al. 1995, Endsley 1995, Salmon et al. 2009, Chiappe 2014), each having differences and areas of commonality. Chiappe’s (2012) ‘Situated SA’ model, adopted for this manuscript, defines the essential elements needed to acquire and maintain team SA, Shared SA (Chiappe 2012) and Compatible, Meta and Transactive SA (Salmon et al. 2009).

Shared SA or SSA refers to a common picture of events that is shared by two or more individuals. This shared understanding is referred to as Shared Situation Awareness or SSA (Chiappe 2014). No two ERT



11



members typically and necessarily share a complete and mutually represented picture. The effort to do so would place an unrealistic and unsustainable cognitive and workload demand on individuals and the team as a whole. Instead, the design process identifies the minimum SSA needed to achieve team cohesion, coordination and alignment to team goals. A common picture begins to develop when the team receives the first information from the OIM on the response plan, the nature of the emergency and assignment of team resources. SSA contributes to intra-team actions that are mutually compatible. Crews that remain together over time develop a greater degree of SSA overlap as they experience how the each member and the team as a whole perform in different situations (Sneddon et. al. 2006, Cooke et al. 2007). Cross training and drills contribute to shared views as each gains experience in their assigned roles. It aids in developing shared understandings of who holds specific information resides and who may need or request specific information (Flin et al 1996).

Barrier activation triggers a trained ERT response that is designed to achieve the barrier objective. Tasks triggered by this event (typically performed by two or more ERT members) have individual task goals that must mutually align to the higher-level barrier goal. Through training and drills, ERT members share a basic understanding of how their actions collectively contribute to achieving the barrier objective. Each should have a basic awareness of how their actions support the barrier goal and the actions of others. Endsley’s three-part SA model discussed earlier applies to teamwork tasks and activities needed to maintain Team SA. All facility personnel (including non-responders) are expected to acquire and comprehend the information needed to guide their assigned teamwork tasks. The task analysis discussed in Posit 2 is a first step in a longer process that can define the ‘minimum-shared picture’ and the teamwork tasks needed to maintain team coordination, cohesion and effectiveness.

Compatible SA is the SA one needs to execute his/her assigned tasks. “.. no two individuals working within a collaborative system will hold exactly the same perspective on a situation. Compatible SA therefore suggests that, due to factors such as individual roles, goals, tasks, experience, training and schema, each member of a collaborative system has a unique level of SA that is required to satisfy their particular goals” (Salmon et al. 2009, pg. 190).

Transactive SA is the information exchanges that occur between personnel and between personnel and a technical system (Salmon et al. 2009, pg. 192-193). An exchange between personnel provides clues to the sender on what the receiver may be doing. From Chaippe’s (2012) Team SA model, the exchanged or conveyed information is limited to only what is needed to perform one’s assigned task and maintain the expected minimum level of shared understanding (Shared SA). Communication protocols, terms and syntax should be pre-defined and trained-in to minimize the exchange effort, duration and the likelihood that conveyed information is correctly understood (Chiappe 2014, Gasaway 2013, Ch. 7). Communications between persons having a greater level of Shared SA require less communication time (Endsley 1995 p 39). A two-way exchange can improve communication accuracy but also ties up both parties for the duration of the exchange. Use of predetermined and mutually understood terminology and code words can reduce the duration and effort needed without reducing the quality of the exchange. An ER plan may include provisions to engage external expertise. This may require an exchange of knowledge between an expert and a novice in that field. Enabling this capability requires a different set of communication protocols, procedures and training (Rentsch et al. 2010).

Meta SA is the “...awareness of what other agents in the system knows... (Salmon et al. 2009, pg. 220). The term ‘agent’ refers to an ERT member, technical system or other system element that contains SA-1



12



information that is available for access. With experience, the team learns where the information resides (e.g., a person, system or the ambient environment) and when it may be available. “SA may sometimes involve simply knowing where in the environment to find a particular piece of information, rather than remembering what the piece of information is” (Durso 1998, pg. 3). Stress, excessive workload, frequent interruptions and other environmental and task conditions common to the MAE environment (i.e., PSFs) reduce the information that one can reliably hold in working memory (WM). These conditions increase the likelihood that information stored in WM is forgotten or recalled incorrectly. “..Individual operators off-load as much as possible to limit what they have to do internally…” Chiappe et al. 2012. Meta SA also refers to knowing who and when others need information that one holds. ERT member’s Meta SA is enhanced through training, procedures and drills.



13



References Bea, R., Mitroff, I., Faber, D., Foster, H., Roberts, K.H., (2009) A New Approach to Risk: The Implications of E3, Risk

Management (2009) 11, 30-43.doi:10.1057/rm.2008.12

Booher, R.H. (2003), Handbook of Systems Integration, Hoboken, N.J.: Wiley and Sons Inc.

Chiappe, D., Rorie, R. C., Mogan, C. A., Vu, Kim-Phuong (2014) A Situated Approach to Acquisition of Shared SA in Team

Contexts, Theoretical Issues in Ergonomic Science, 2014, Vol 15, No 1, 69-87

Chiappe, D., Strybel, T., Vu, Kim-Phuong (2012) Mechanisms for the Acquisition of Shared SA in Situated Agents, Theoretical

Issues in Ergonomic Science, 2014, Vol 13, No 6, 625-647

Chauvin, C., Closterman, J.P., Hoc, J.M., 2009, Impact of Training Programs on Decision-Making and Situation Awareness of

Trainee Watch Officers, Safety Science, 47 (9) 1222-1231

Cooke, N.J., et al., (2007) Team Cognition in Experienced Command and Control Teams, Journal of Experimental Psychology,

Applied, 13, 146-157

CSB (2010) Investigation Report Volumes 1 & 2, Explosion and Fire at the Macondo Well, Report No. 2010-10-I-OS 6/5/2014

Crichton, M.T., Lauche, K., Flin, R., (2005) Incident Command Skills in the Management of an Oil Industry Drilling Incident: a

Case Study, Journal of Contingencies and Crisis Management, September 2005, Vol 13, No 3

Cullen, Lord W.G. (1990) The Public Inquiry into the Piper Alpha Disaster, Volumes 1 and 2, Department of Energy (UK)

Decker, S., (2010) The Field Guide to Understanding Human Error, Surrey UK, Ashgate Publishing Ltd., reprint 2010

Decker, S., (2011) Drift into Failure, From Hunting Broken Components to Understanding Complex Systems, Surrey UK,

Ashgate Publishing Ltd., reprint 2011

Durso, F., et al. (1998), Situation Awareness as a Predictor of Performance in En Route Air Traffic Controllers, Air Traffic

Quarterly, 6 (1), 1-20

Endsley, M. R. (1988) Situation Awareness Global Assessment Technique (SAGAT), Proceedings of the National Aerospace and

Electronics Conference (NAECON), 23-27 May 1988, Dayton, Oh, New Hour IEEE, 789-795

Endsley, M. R. (1995) Toward a Theory of Situational Awareness in Dynamic Systems, Human Factors, 37(1) pp 32-64

Endsley, M.R., Jones, D.G., (2012) Designing for Situation Awareness: An approach to User-Centered Design, 2nd Edition,

CRC Press

Flin, R., O’Connor P., Crichton, M., Slaven, G., Stewart, K., (1996) Emergency Decision Making in the Offshore Oil and Gas

Industry, Human Factors 38(2) 262-277

Flin, R., Slaven, G., Stewart, K., (2008) Safety at the Sharp End, Ashgate Publishing

Gasaway, Richard B (2013) Situational Awareness for Emergency Response, Penn Well Corporation (Fire Engineering Series)

Golightly, D., Wilson, J.R., Lowe, E., Sharples, S., (2010) The Role of Situation Awareness for Understanding Signaling and

Control in Rail Operations, Theoretical Issues in Ergonomic Science 11 (1) 84-98

Hopkins, A. (2012), Disastrous Decisions: The Human and Organizational Causes of the Gulf of Mexico Blowout, CCH

Australia Ltd

HSE, (1999), Reducing Error and Influencing Behavior, 1999, HSE Books

HSE, (2005) The Offshore Installations (Safety Case) Regulations 2005, UK S.I. 2005/3117, 2005

IEC, (2003), Functional safety - Safety instrumented systems for the process industry sector - Part 1: Framework, definitions, system, hardware and software requirements, IEC -61511-1:2003, International Electrotechnical Commission,

IEC, (2010), Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems, International Electrotechnical Commission, IEC -61508-1:2010

Naderpour, M., Lu, J., Zhang, G., (2014) A Situation Risk Awareness Approach for Process Systems Safety, Safety Science, April

2014, V 64, pp 173-189

National Commission on the BP Deepwater Horizon Oil Spill and Offshore Drilling (2011), Deep Water the Gulf Oil Disaster

and the Future of Offshore Drilling, Report to the President, January 2011

Norsok (2010) Risk and Emergency Preparedness Assessment, Z-013, Oct 2010, 3rd Ed, Standards Norway

OGP (2011) Human Factors Engineering in Projects, London: International Association of Oil and Gas Producers, OGP Report

No 454, 8/2011,



14



OGP (2012) Cognitive Issues Associated with Process Safety and Environmental Incidents, London: International Association of

Oil and Gas Producers, OGP Report No 460, 7/2012

OGP (2014) Crew Resource Management for Well Operations Team, International Association of Oil and Gas Producers, OGP

Report No 501, April 2014

Perrow, Charles (1999) Normal Accidents: Living with High-Risk Technologies Princeton University Press, 1999

Reason, J. (1990) Human Error, Cambridge: Cambridge University Press

Rentsch, J., Mello, A., Delise, L., (2010), Collaboration and Meaning Analysis Process in Intense Problem Solving Teams,

Theoretical Issues in Ergonomic Science, 11, 287-303

Salas, E., Prince, C., Baker, P.D., Shresthal, L. (1995), Situation Awareness in Team Performance: Implications for Measurement

and Training. Human Factors, 37, pp. 123-36

Sætrevik, B., Eid., J., (2013) The “Similarity Index” of Shared Mental Models and Situational Awareness in Field Studies,

Journal of Cognitive Engineering and Decision Making, Human Factors and Ergonomic Society, 2013, pp.1-18

Salmon, P.M., Stanton, N.A., Walker, G. H., Jenkins, D.P., (2009) Distributed Situation Awareness, Theory Measurement and

Application to Team work, Ashgate Publishing Co., England

Salmon, P.M., Stanton, N.A., Walker, G. H., Jenkins, D.P., (2010) Is It Really Better to Share? Distributed Situation Awareness

and Its Implication for System Design, Theoretical Issues in Ergonomic Science 11 (1 & 2) 58-83

Skogdalen, J.E., Khorsandi, J., Vinnen, J.E., (2011), Looking Back and Forward – Evacuation, Escape and Rescue (EER) from

the Deepwater Horizon Rig, Deepwater Horizon Study Group Working Paper – January 2011

Sneddon, A., Mearns, K., & Flin, R. (2006) Situation Awareness and Safety in Offshore Drill Crews, Cogn Tech Work, 8 pp 255-

267

Sneddon, A., Mearns, K., & Flin, R. (2013) Stress, Fatigue, Situation Awareness and Safety in Offshore Drill Crews, Safety

Science, 2013, Vol 56, pp 80-88

Sorenson, L, Stanton, N.A., Banks, A.P., (2011) Back to SA School: Contrasting Three Approaches to Situation Awareness in the

Cockpit, Theoretical Issues in Ergonomic Science 12 (6) 451-471

SPE 2014, The Human Factor; Process Safety and Culture, SPE Technical Report, Society of Petroleum Engineers, March 2014

Stanton, N.A., (2010) Situation Awareness: Where Have We Been, Where Are We Now, and Where Are We Going?, Theoretical

Issues in Ergonomic Science 11 (1 & 2) 1-6

Sutton, I. S., (2012) Offshore Safety Management, Sutton Technical Books, 2012

Sträter, O. (2005) Cognition and Safety: An Integrated Approach to Systems Design and Assessment, Ashgate Publishing Ltd, 1st

Ed

Taber, Michael John, (2010), Human Systems Integration and Situational Awareness in Microworlds: An Examination of

Emergency Response Within the Offshore Command and Control System, PhD Thesis, Dalhousie University, Halifax, Nova

Scotia, December 2010

Woodcock, B., Au, Zachary, (2012) Human Factors Issues in the Management of Emergency Response at High Hazard

Installations, Journal of Loss Prevention in the Process Industries, 26 (2013) 547 -557

Woods, D.D., Dekker, S., Cook, R., Johannsen, L., Sarter, N., (2010) Behind Human Error, Ashgate Publishing, 2nd Ed.

title: part 1 - integrating situation awareness into...

Documents