Mandated Human Error Controls in the USA and the Impact on


Mandated Human Error Controls in the USA
and the Impact on Control Room Design and Operations
By Ian Nimmo, President
User Centered Design Services
Australasian Industrial Automation and Control Users Group Conference
A member of the ASM® Consortium
Please ensure you have all your equipment with you before
leaving the ring
New strategy to improve profitability &
reduce fixed costs
Having a “Shared Vision”
Engage the entire production organization in
improving reliability, performance and quality
whilst improving the efficiency of people,
equipment & materials.
3 C’s
“Why are you so willing to share state of
the art Best Practices with your
competition”?
Changes in laws & regulations
Accidents drive legislation
1998 refinery incidents & human error
1999 UK H&SE MOC people
Human factors &
Organizational Accidents
Loss of Corporate knowledge
80% of accidents caused by humans
Majority incidents in “Normal” operation
3-12% lost opportunity
Recurring Root Causes of
Accidents
Inadequate Process Hazard Analysis
Use of wrong or poorly designed equipment
Inadequate indication of process conditions
Inadequate management of change process
Lack of a strong mechanical integrity program
Lack of enforcement of Lockout/Tagout
procedures
Warnings from near misses, other accidents
went unheeded
A new approach to Safety
Emphasis on human error
Investigate the worker, blame them
Investigate the error, what made it possible?
Change the workplace
Eliminate weaknesses in systems
More insight to our vision
CCC Employers Safety Plan
The written human factors program and therefore, the guidance document, must address the following:
• The inclusion of human factors in the Process Hazards Analysis process;
• The consideration of human systems as causal factors in the incident investigation process for Major Chemical Accidents or Releases or for an incident that could reasonably have resulted in a Major Chemical Accident or Release;
• The training of employees in the human factors program;
• Operating procedures;
• The requirement to conduct a Management of Change prior to staffing changes for changes in permanent staffing levels/reorganization in operations or emergency response. Employees and their Representatives shall be consulted in such Management of Changes;
• The participation of employees and their representatives in the development of the written human factors program;
• The development of a program that includes, but is not limited to, issues such as staffing, shiftwork and overtime; and
• The inclusion of a human factors program description in the Safety Plan.
Together these elements form the foundation of the human factors program.
CCC Employers Safety Plan
The initial scope of the human factors program guidance was limited to the preceding, explicit requirements for the following three reasons:
1. Section 450-8.016(B)(1) requires that stationary sources develop a human factors program one year following the issuance of this guidance. Therefore, CCHS representatives felt that it was vital that the guidance document be issued as soon as possible.
2. Section 450-8.016(B)(1) requires that stationary sources develop a human factors program one year following the issuance of this guidance. Therefore, CCHS representatives wanted to identify the basic components of the program that could reasonably be implemented within one year.
3. Section 450-8.030 allows for an annual performance review and evaluation. Therefore, CCHS representatives felt that there would be a natural avenue for reviewing and improving the human factors program requirements and guidance.
CCC Employers Safety Plan
DEFINITIONS
For the purpose of this guidance document: Human
Factors is defined as “A discipline concerned with
designing machines, operations, and work
environments so that they match human capabilities,
limitations, and needs”.2
Human Factors can be further referred to as
“…environmental, organizational, and job factors, and
human and individual characteristics which influence
behavior at work in a way which can affect health and
safety.”
Human Error is defined as “Departure from acceptable
or desirable practice on the part of an individual that
can result in unacceptable or undesirable results”.
CCC Employers Safety Plan
To consider human factors in:
• Process Hazard Analysis
• Root cause incident investigation
• Operating procedures
• Management of Change – staffing cuts
• Employee training
Staffing reductions
In the United Kingdom, the Hazardous
Installations Directorate of the Health
and Safety Executive observed that a
number of chemical sites are taking
steps to reduce the staffing levels in
their operating teams.
The author recognizes & acknowledges the work of Entec & H&SE (UK)
Concerned that such reductions could impact
the ability of a site to control abnormal and
emergency conditions, and also have a
negative effect on staff performance through
an impact on workload, fatigue, etc., the HID
sponsored the development of a practical
method that organizations could use to
assess their required staffing levels and the
impact on safety of any reduction in
operations staff.
In developing the methodology HID had the specific goals of:
1) helping companies in the chemical and allied industries justify appropriate levels of operations staff by a suitable and sufficient assessment, and
2) enabling HID inspectors to apply consistent standards on staffing levels during audits, inspections, and incident investigations.
Physical assessment
Aims to identify potential areas of unacceptable risk due
to the way identified scenarios are physically detected,
diagnosed and recovered from
Tests the arrangements for each scenario against six
principles of safe control room operation. It does not
attempt to calculate the number of people required to cope
with a particular scenario
Instead it aims to hunt out potential problems associated
with the staffing arrangements by questioning the reliability
of detection, diagnosis and recovery from hazardous
scenarios in time
Justification of controls in place is required where a
principle of safe operation is found to be infringed
Change triggers
• Change in control room staff
• Change in control room technical shift support staff
• Change in control room admin shift support staff, technical day support staff or admin day support staff
• Change in shift system
• Change in process control hardware
• Change in training and development program
• Change in operating procedures
• Senior management change
Assessing changes
• Produce an up-to-date baseline assessment of the existing arrangements
• Define the proposed change, and evaluate it using the assessment method, modifying the plans until an equal or better rating is achieved
• Re-assess the arrangements at a suitable time after implementation (within six months)
Staffing assessment method
• Key operator performance requirements
– Be able to follow the process, anticipate its behavior hence select an appropriate control strategy
– Be in a fit state to monitor the process (be awake and attentive)
– Be willing to take action as and when necessary
– Be able to take action, reliably and within the necessary time frame
Staffing assessment method
• Team performance requirements
– Be able to collect and share critical information about the process and control actions
– Be able to co-ordinate actions
Two stage approach
• Physical check
• Management appraisal
[Flowchart: staffing assessment process. Box and decision labels:]
Physical assessment
• Select a team and gather past incident data and evidence required
• Scenario details including time available, historical data
• Assessment of physical ability to deal with selected major hazard causing scenarios in time
• Acceptable for all scenarios assessed? (Yes / No)
• Identify and implement actions to satisfy physical assessment
Ladder assessment
• Select a team and gather past incident data and evidence required
• Assessment of workload factors allowing control room to deal with identified scenarios in time (evidence)
• Assessment of knowledge and skills available for dealing with identified scenarios in time (evidence)
• Assessment of organisational factors supporting control room operation (evidence)
• Acceptable for all ladders assessed? (Yes / No)
• Identify and implement actions to satisfy ladder assessment
• Peer review
• Review and continuously improve
• End
Physical check
• Focus on demanding situations
– incident detection
– diagnosis
– recoveries
[Figure: operator intervention model. Labels: External Inputs from Process (Signals, Instructions, Environment); Initiating Event; Intervention Activities (Orienting, Evaluating, Acting, Assessing); Internal Feedback; External Feedback; Outputs to Process (SP, OP%, Manual Adjustments).]
• Orienting—Sensing, Perception, and/or Discrimination;
• Evaluating—Information Processing (thinking and/or interpretation);
• Acting—Physical and/or Verbal Response; and
• Assessing—Information Processing (thinking and/or interpretation).
Physical check : six principles
1. There should be continuous supervision of the process by skilled operators
2. Distractions should be minimized
– such as answering phones, talking to people in the control room, nuisance alarms
3. Information required for diagnosis and recovery should be accessible, correct and intelligible
4. Communication links between the control room and field should be reliable
5. Staff required to assist in diagnosis and recovery should be available with sufficient time to attend when required
6. Operating staff should be allowed to concentrate on recovering the plant to a safe state
Physical check : appraisal
• Could a principle be infringed?
• Define how it will be infringed
• What measures are in place to compensate for the infringement?
• Are the measures adequate?
[Figure: assessment tree for principle P1, "There should be continuous supervision of the process by skilled operators", with "Fail" outcomes marked on its branches.]
Physical check : example evidence
• Calculations of the time available to respond to process incidents
• Data from previous incidents and/or observations from ‘real time’ exercises
– e.g. to gauge the time for operators to perform tasks
• Reliability assessments for critical equipment
• Alarm records
Impact of Protection System
[Figure: impact of an initiating event over time, between SAFE and UN-SAFE. Labels: High Alarm, Emergency Alarm, Trip from SIS, Incident; Operator diagnostic time; Process Safety Time; Loss, Quality, Profit. FTT = Fault Tolerance Time.]
[Figure: gas concentration (percentage of LEL, axis 0 to 120) against time after onset of fault (seconds, axis 0 to 80). Labels: Lower Explosive Limit (LEL), Explosion, Actual Gas Concentration, Measured Gas Concentration, Error, Normal operating level, Gas concentration prior to fault, Set trip point, Actual trip point, Fault Occurs, Sampling Delay, Sensor Delay, Error Delay, Shut Down System Delay.]
Physical check : scenarios
• Worst case scenarios
– requiring implementation of the off-site emergency plan
• Incidents which could escalate without intervention to contain the problem on site
• Lesser incidents requiring control room reaction to prevent the process becoming unsafe
Physical check : defining scenarios
• Who is controlling the process and their starting locations
• Who is available to support the incident, and their starting locations
• The parameters that determine the time available to the operations team for detection, diagnosis and recovery
– process conditions, leak point, wind direction, release rate, time of day, need to be defined.
Case study example of physical assessment output
Scenario #: 1
Scenario description: Flange leak of toxic gas, wind direction towards the road, at night
Pass/Fail?: Fail
Trees failed on: 1, 2 (detection); 6 (diagnosis & recovery)
Suggested improvement actions:
Trees 1 & 2
• implement man down alarm which contacts security if 2 audible alarms are not acknowledged (identified by area HAZOP). Need to ensure reliability of man down alarm
• assess costs/benefits of cameras to assist plant monitoring;
• assess the costs & benefits of having a mimic of the DCS screens in the site main continuously manned control room;
• alternatively introduce a second operator to the area who stays in the field.
Tree 6
• implement E-stop in control room (identified by area HAZOP);
• assess costs/benefits of automated isolation valves;
• assess costs/benefits of cameras to assist plant monitoring;
• alternatively introduce a second operator to the area who stays in the field.
Management Appraisal
Ladder assessment elements
• Human and Management Factors that influence operator performance
• They are assessed using ladders
• Each ladder is an anchored rating scale ranging from poor practice at the bottom to best practice at the top
• Team members work through guidance questions for each ladder and use support material as evidence
Ladders
• Situational awareness
• Team working
• Alertness and fatigue (Working pattern, Health)
• Training & development
• Roles and responsibilities
• Willingness to act
• Management of procedures
• Management of change
• Continuous improvement
• Management of safety
Ladders : rules
• Start from the bottom rung and work upwards
• If the arrangements fulfill the requirements defined in the rung, go on to the next rung
• If the arrangements do not fully fulfill the requirements of the next rung, the plant/unit is rated as matching the rung below
• The plant/unit cannot be rated above a rung that is partially fulfilled
– even if the arrangements fulfill higher rungs, the rating sits below the lowest incomplete rung
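The ladder rating rules above, together with the "equal or better rating" test from the Assessing changes slide, as an added example that is not part of the original presentation or of the Entec/H&SE method. The rung order (Z at the bottom, A at the top), the three fulfilment states and all sample evidence are assumptions constructed for illustration.

```python
"""Ladder rating and baseline-vs-proposal comparison (added illustration)."""
from typing import Dict, List, Optional, Tuple

FULL, PARTIAL, NONE = "full", "partial", "none"  # assumed fulfilment states

# Rungs listed bottom-up. Assumption: Z is the bottom (poor practice) rung and
# A the top (best practice) rung, following the ladder slides.
LADDERS: Dict[str, List[str]] = {
    "Situation awareness": ["Z", "Y", "X", "D", "C", "B", "A"],
    "Training & development": ["Z", "Y", "X", "W", "D", "C", "B", "A"],
}

# Constructed sample evidence: ladder -> {rung: fulfilment}. Rungs not listed
# count as not fulfilled; the bottom rung is the floor and needs no entry.
BASELINE = {
    "Situation awareness": {"Y": FULL, "X": FULL, "D": PARTIAL, "C": FULL},
    "Training & development": {"Y": FULL, "X": PARTIAL},
}
# Constructed proposal: a change that leaves rung X only partly met.
PROPOSED = {
    "Situation awareness": {"Y": FULL, "X": PARTIAL, "D": PARTIAL, "C": FULL},
    "Training & development": {"Y": FULL, "X": PARTIAL},
}


def rate_ladder(rungs: List[str],
                fulfilment: Dict[str, str]) -> Tuple[str, Optional[str]]:
    """Return (rating, blocking_rung) for one ladder.

    Walk upward from the bottom rung. The first rung that is not fully
    fulfilled blocks the climb, and the rating is the rung below it, even if
    higher rungs are fulfilled. blocking_rung is None at the top of the ladder.
    """
    rating = rungs[0]
    for rung in rungs[1:]:
        if fulfilment.get(rung, NONE) != FULL:
            return rating, rung
        rating = rung
    return rating, None


def rate_all(evidence: Dict[str, Dict[str, str]]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Rate every ladder in LADDERS against the supplied evidence."""
    return {name: rate_ladder(rungs, evidence.get(name, {}))
            for name, rungs in LADDERS.items()}


def regressions(baseline: Dict[str, Dict[str, str]],
                proposed: Dict[str, Dict[str, str]]) -> Dict[str, Tuple[str, str]]:
    """Ladders where the proposal rates lower than the baseline.

    An empty result means every ladder is rated equal or better, which is the
    acceptance test for a proposed change.
    """
    before, after = rate_all(baseline), rate_all(proposed)
    worse = {}
    for name, rungs in LADDERS.items():
        b, a = before[name][0], after[name][0]
        if rungs.index(a) < rungs.index(b):
            worse[name] = (b, a)
    return worse


if __name__ == "__main__":
    for name, (rating, blocker) in rate_all(BASELINE).items():
        print(f"{name}: rated {rating}, lowest incomplete rung: {blocker}")
    print("Regressions under proposal:", regressions(BASELINE, PROPOSED) or "none")
```

The blocking rung returned with each rating is the one to target with improvement actions, since rungs fulfilled above it do not raise the rating.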
Situation Awareness
A: There is a high level of continuity in the Operator(s) tasks during critical process events, i.e. Operators are not required to perform tasks that significantly disrupt their concentration on the process, and they are able to delay / bring forward other activities in order to minimize distractions.
B: During critical process activities that demand the operator’s attention, they are not disturbed unnecessarily by other activities such as mustering, site alarms, telephone/radio communications, permit raising, issuing of interlock keys, visitors etc.
C: In upset and emergency conditions all relevant Operators and Supervisor can gauge accurately and reliably the condition and behavior of the plant within the available time, without disturbing each other or blocking each other’s access to information.
D: The presentation of information makes it straightforward for Operators to gauge accurately and reliably within the available time the condition and behavior of the plant in normal and upset / emergency conditions, without reliance on support.
X: It is possible for operators to keep track of the process during upset / emergency conditions if they work hard to gather all relevant information from control room displays / log books. There can be times when they rely on other operators / field operators relaying key information to them.
Y: Information about the process and plant condition is adequate for operators to be confident they can monitor ‘smooth’ running.
Z: Operators find it difficult to keep track of the process even in smooth conditions. This may be due to insufficient information, unreliability of sensors or displays, or they can’t attend to the process because of other tasks they are required to perform, or distractions.
Ladders : guidance questions for “Situation Awareness”
• Operators?
– Any critical situations when you were uncertain about the process state?
– Have you delayed actions to get more information about the process?
– Have you misdiagnosed a situation?
– What do you do to make shift handover easier for the shift coming on to understand the plant condition?
– How would you like to improve the screens (e.g. presentation, more trends, refresh rate, ability to adapt displays)?
– How frequently are you disturbed in the middle of tracking the process?
– Can you schedule activities so as to concentrate on particular tasks?
– Can you block non critical radio/telephone communication if required?
– Have there been critical situations when you have been uncertain of the location or activity of field operators?
• Management?
– How are process conditions monitored?
– Are there any guidelines as to what to monitor and how often?
– How is a shift handover managed to maintain situational awareness?
• Documents?
– Logbooks
– Incident reports which demonstrate action was taken later than could have been
– Operating procedures
– Training and development program
Case study example (training & development)
Grade W
Anchor: All CR operators ………
Grade X
Anchor: New operators receive full, formal induction training followed by assessment on the process during normal operation and major hazard scenarios
Rationale: Control room operator felt that the control room was here, however please see comments below. Certainly the control room is not far from here but requires further training and assessment on major hazard scenarios specifically for new operators to fully achieve this rung.
Grade Y
Anchor: There is an initial run through of major hazard scenario procedures by peers.
Rationale: Area supervisor’s view of where the control room sat. New operators do go through a lengthy, structured training program where they shadow experienced operators initially and then run the plant with the back-up of an experienced operator. The assessment is based on performance during the period in which the new operator initially takes charge with back-up and the first few weeks when he is in charge alone. If his performance is considered satisfactory by his trainer (experienced operator) and area supervisor, he is accepted into the operations team. Therefore the control room is not far from the next level up.
Grade Z
Anchor: There is no evidence of a structured training and development program for CR operators. Initial training is informally by peers.
Case study example (training & development)
Grade A
Anchor: Process/procedure/staffing changes are assessed for required changes to operator training and development programs. Training and assessment is provided and the success of the change is reviewed after implementation.
Grade B
Anchor: All CR operators receive simulator or desktop exercise training and assessment on major hazard scenarios on a regular basis as part of a structured training and development program.
Grade C
Anchor: There is a minimum requirement for a ‘covering’ operator based on time per month spent as a CR operator to ensure sufficient familiarity. Their training and development programs incorporate this requirement.
Grade D
Anchor: Each CR operator has a training and development plan to progress through structured, assessed skill steps combining work experience and paper based learning and training sessions. Training needs are identified and reviewed regularly and actions taken to fulfill needs.
Grade W
Anchor: All CR operators receive refresher training and assessment on major hazard scenario procedures on a regular, formal basis.
Rationale
Control room operator felt that the control room was here, however please see comments below. Certainly the control room is not far from here but requires further training and assessment on major hazard scenarios specifically for new operators to fully achieve this rung.
Ladders : examples of evidence
• Situational awareness
– Logbooks, incident reports which demonstrate action was taken later than it could have been, operating procedures, training and development program
• Teamworking
– Operating procedures, definitions of roles and responsibilities, job descriptions for control room staff and support staff, training and development program
• Alertness and fatigue
– Shift cycle and pattern (planned and actual which includes overtime and shift swaps), annualized hours sheets, examples of delayed reactions from historical incidents, absence records, evidence of health monitoring
• Training and development
– Training and development plans for control room staff and support staff, evidence of needs assessment, evidence of a structured skill step progression program
• Roles and responsibilities
– Job descriptions for control room staff and support staff, structured assessment of core competencies required, skill step progression program which shows evidence of core competencies
• Willingness/Attitude
– Cost data associated with recovery actions, training records, operating procedures
• Management of operating procedures
– Operating procedures showing date issued, author, approver, version number, quality manual detailing how procedures are managed, procedure audit results
• Management of change
– Procedures for managing change, equipment, procedures and organizational, organizational change policy document, evidence of review after implementing change, evidence of change (equipment and organizational) being risk assessed
Case study example of ladder assessment output
[Table: grade columns A, B, C, D, E, F, G, V, W, X, Y, Z against the elements below.]
• Situation Awareness
• Team working
• Alertness & fatigue (work pattern)
• Alertness & fatigue (health)
• Training & development
• Roles & responsibilities
• Willingness
• Management of op. procedures
• Management of change
• Continuous improvement of safety
• Management of safety
Workplace designed to optimize people & technology
• Control building location
– Selecting an architect
• Control building design
– Using standards & regulations
• What goes with all this?
– Situation awareness
– Alertness/Efficiency
User Centered Design Services, LLC
www.mycontrolroom.com