Apply Situation Awareness and Human Cognition Science to ... · integrates Situation Awareness and...

Apply Situation Awareness and

Human Cognition Science to

Safety Critical Functions

-- Introductory Workshop --

.

January 22, 2019

Tom Shephard CAP, PMP

James Reason on Human Error

Human “errors are not random and they take recurrent and

predictable forms. Different errors occur in different situations..”

( Reason 2008 p 37)

“One of the basic rules of error management

is that the best people can make the worst

mistakes.” ( Reason 2008 p 37)

What the experts say….

“The demands that large complex systems operations place

on human performance are mostly cognitive.” (Woods et al 2010, p32)

“...our principle concern is with the human contribution to

system accidents….accident analyses reveal that human

factors dominate the risks to complex systems.” (Reason1990)

“Automation leads to latent errors on the operational level if

not designed according to the cognitive characteristics of the

users.” (Sträter 2005, p169)

60-80% of all major accidents are caused by human error. (Decker 2011, Reason 1990)

1

U.S. CHEMICAL SAFETY AND HAZARD INVESTIGATION BOARD

INVESTIGATION REPORT

VOLUME 3

DRILLING RIG EXPLOSION AND FIRE AT THE

MACONDO WELL (11 Fatalities, 17 Injured, and Serious Environmental Damage)

DEEPWATER HORIZON RIG

MISSISSIPPI CANYON 252, GULF OF MEXICO

KEY ISSUES: APRIL 20, 2010

HUMAN FACTORS

ORGANIZATIONAL LEARNING

SAFETY PERFORMANCE INDICATORS

RISK MANAGEMENT PRACTICES

CORPORATE GOVERNANCE

SAFETY CULTURE

Change? Why?

After the Deepwater Horizon (DWH) accident,

global O&G leaders and industry organizations

issued white papers stating the need to address

SA and cognitive issues and biases in safety-

critical systems. (IOGP 2012, 2014a/c, SPE 2016, OESI 2016, Johnsen 2017, CIEHF 2016)

To-date, this call has not been answered. Existing

industry standards do not define a work process that

adequately achieves this goal.

So let’s think about that….

1. The DWH and other accident reports identified errors

in SA and cognitive design as primary accident

contributors. (CSB 2016)

A reasonable conclusion? Latent design

errors exist in many existing and newly

designed barriers placing their integrity at risk.

2. Existing human barrier design standards do not

adequately address this class of design errors.

True for your facility?

So, why are we here?

2. Through examples, explore a design process that

integrates Situation Awareness and cognition science

into active human barrier design.

3. Review the potential benefits of this approach.

1. Develop a base understanding of Situation Awareness

and the latest science and research on human cognition.

Review a proposed design process that attempts to close

these known, safety-critical gaps.

What will we learn?

Mitigation Barrier - A safety function designed

to control and recover from a hazardous event,

or limit the effects of the event.

Terms Used

Preventive Barrier - A safety function designed to

prevent the occurrence of a hazardous event.

IPL – Independent Layer of Protection, e.g., a

safety function identified in a LOPA.

Active Barrier- safety function

activates only upon detection of a

pre-determined condition or state.

Active Human Barrier – An IPL / barrier that relies on a

human to perform one or more of the Detect, Decide or

Act activities.

Detect DecideAct

(Execute)

Terms Used

Tasks included in all active preventive or mitigation barriers (IPL, excerpted and modified from CCPS 2001, CCPS 2018)

Barrier – General term for preventive and mitigation

barriers, including IPL’s, that are active human

barriers.

Barrier Elements

Barrier

Physical

Elements

Human

Elements

Organizational

Elements

• Displays, alarms

• Radio, signage

• Gas beacon

• Muster area

• Pathway markings

• Operator

• Competency

• Fitness for

service

• Training

• Procedures

• Competency asmt.

Barrier elements are essential components that

must function correctly to achieve the barrier function.

Workshop Roadmap

COMPREHEND

SA-2

PROJECTION

SA-3

PERCEIVE

SA-1

TIME

Conscious and Subconscious Processes

Attributes and Capabilities

Worked Example: IPL: Alarm with manual operator action

Latest science on human cognition Peer-reviewed research

Published books by recognized authors

Situation Awareness (SA) Model First published by Dr. M. Ensley in 1995

Dominant SA model employed globally

Detect DecideAct

(Execute)

Tasks included in all active preventive or mitigation barriers (IPL, excerpted and modified from CCPS 2001, CCPS 2018)

Situation Awareness

Background - Situation Awareness (SA)

These and similar events caused the airline

industry and academia to research this

phenomena.

In both cases the cabin crew were fixated on

a single task and failed to fly the airplane, a

condition described as ‘a loss of situation

awareness’.

UA173 crashed into a Portland neighborhood; the crew failed to

notice declining fuel levels. EA401 crashed in the Florida

everglades; the crew accidentally disengaged the auto-pilot and

failed to notice the slow loss of elevation.

Academic response: In 1995, Dr. Mica Endsley, a PhD researcher

at Texas Tech, published her seminal Situation Awareness model.

Situation awareness (SA) – What is it?

Endsley’s definition for SA: “the perception of the elements

in the environment within a volume of time and space, the

comprehension of their meaning, and the projection of their

status in the near future” (Endsley, 1988, p 97)

Employed in many

high risk industries:

Process industries: Endsley’s SA model is widely referenced.

Implementation is progressing slowly. Early adopters: training

programs (drilling), abnormal situation management. (ASM).

Common applications: Display and work process design,

workflow integration, training programs.

Endsley’s Three Element SA Model (Endsley 1995)

• Perception (SA-1) refers to the acquisition of information

that is perceivable and available to our five senses.

• Comprehension (SA-2) is the product of combining SA-1

information with one’s stored knowledge and experience to

develop an understanding (mental picture) of what the

information means.

• Projection (SA-3) is the product of using one’s expertise

and understanding of the current situation (SA-2) to predict

how conditions may change in the future, near term.

Time is an essential aspect of SA

“A critical part of SA is often understanding how much

time is available until some event occurs or some

action must be taken”. (Endsely 2012, p19)

“The rate at which information changes is that part of

SA….that allows for the projection of future situations.” (Endsely 2012, p19)

So let’s look at an approach that integrates

SA into the barrier design process

IPL / Barrier Model Adapted from Figure 2.1, Endsley 2012 p15

Define Barrier

Decisions

Define SA-1

Requirements

& Sources

Define SA-2

Requirements

Define SA-3

Requirements

Barrier Function LOPA,

HAZOP, etc.

Integrate

Requirements into

Barrier Elements

Detect DecideAct

(Execute)

COMPREHEND

SA-2

PROJECTION

SA-3

PERCEIVE

SA-1

Basic Design Process Integrate SA into

Active Human Barrier

(Endsley 2012 p72)

(Endsley 2012 p72)

Start with barrier decisions

“Technology should be organized around the way users

process information and make decisions.” (Endsley 2012)

Specifying barrier decisions:

– Provides the basis to determine the ‘detect’ stage

information requirements (SA-1) (Endsley 2012 p 72)

The ‘decision’ aspect of human barrier design is often

overlooked!

– Works to reveal the minimum experience (SA-2) and

expertise (SA-3) needed to make those decisions.

Barrier ‘Decide’ Function

• A primary contributor to barrier failure.

• Often the dominant contributor to barrier response time. Hicks Law: Response time = b*Log2 (n+1) where ‘n’ is the number of decisions (Hicks 1952)

• Typically the most cognitively demanding aspect of an

active human barrier.

• Cognitive demand (workload) and barrier response time

increases when:

– The SA-1 input information changes rapidly

– Goal conflicts exist, e.g., production vs safety (Strater 2005, p51, Woods et al 2010, p88)

– Barrier requires several or complex decisions

What Decisions are Required?

- What is my action on the activation alarm? (SA-2)

- Is the alarm valid? (SA-2)

- Do I have sufficient understanding to act? (SA-2)

- Initiate the ‘act’ response now or wait? (SA-2/3)

‘Decide’ function may be the primary

contributor to barrier response time

Specify decision requirements……

After all decisions are defined, we can now

define the ‘Detect’ requirements.

Decisions define the ‘detect’ SA data needs

PERCEIVE

SA-1

COMPREHEND

SA-2

Specify:

Minimum

capability to

anticipate what

may happen

next, near term

PROJECT

SA-3

Identify IPL/Barrier activator:

e.g., an IPL alarm

Identify information needed to

support decisions and actions: Instrument readings

Verbal input, e.g., radio, face-to-face

Other sensory inputs, e.g., smell, tactile

Identify the SA-1 info sources: DCS HMI

Field operator

CCTV camera

Environment: wind, fog, cold, darkness

Specify:

Minimum

comprehension

needed to

support

decisions and

actions

The SA-2 and SA-3 requirements define the required

Operator competencies:

• Procedural knowledge

• Technical knowledge

• Minimum experience and expertise

This new, barrier-specific information is then integrated

into the barrier’s Organizational Elements:

• Procedures

• Operator Training

• Competency Assessment

Decisions define the ‘Detect’ SA data needs

Let’s look at an example, a preventive active

human IPL:

...On alarm, initiate a manual operator action.

FYI…cognitively, this type of barrier tends to be less

complex than mitigation-type active human barrier.

LOPA-designated IPLs:

- IPL 1: PSV-1005

- IPL 2:PAHH-1006 alarm, operator manually

closes FV-1001 (full closed)

Example: IPL alarm, manual operator response

VAPOR

OUT

LIQUID

OUT

E-1

LV-1001

PV-1001

FV-1001

F

FT-1001

PSV-1005

LC

1001

PAHH

1006

FC

1001

ZI

1001

PC

1001

FLARE

ZT 1001

IPL Trigger

Alarm

IPL Valve

Gas-liquid separator

* LV-1001/ PV-1000 sized for full

flow if FV-1001 fails open

LT

IPL 1 – Alarm with manual operator response

• Maximum response time: 15 minutes

• RRF: 10

• Barrier function: on alarm, operator manually closes the

inlet valve FV-1001 (DCS controlled)

• Barrier system elements:

- Human: CCR Operator, verified competency, etc.

- Organizational: procedures, training, competency assmt.

- Physical : DCS, Alarm summary, PAHH-1006, FC-1001,

FV-1001 with position feedback at HMI (full range)

• Barrier type: Active human-technical barrier (preventive)

Ex. Specify ‘Detect’ and ‘Decide’ Requirements

Specify IPL decisions

1. Is PAHH-1006 valid?

- Good transmitter

signal?

- Valid for current

mode of operation?

2. Required response?

3. Initiate the response

now or wait?

4. Did the response

achieved the expected

safe state?

COMPREHEND

SA-2

PERCEIVE

SA-1

PROJECT

SA-3

Detect DecideAct

(Execute)

The hazard this IPL

prevents (nature, severity)

IPL function / act response,

response time, ‘safe

position’ of FV-1001 .

Current vs applicable mode

Time remaining / needed to

complete the response.

Task priority if this IPL

occurs simultaneous to

other IPL or P1 alarms.

IPL activator:PAHH-1006

Required Info:

PI-1006 indication and

fault status

Current & appl. mode

PAHH-1006 time stamp

FC/FV-1001 indication

& fault status

PC/PV-1002 indication

& fault status

Info source:

DCS

Mode: Memory

Knock-on

process

affects

Possible

safe actions

to limit

production

impact

Next step?

Implement Requirements into Barrier Elements

What does that mean?

Specify how each is integrated into the barrier’s Physical,

Organizational and Human elements.

Define how the SA-1, 2 and 3 requirement are integrated

into the barrier design.

SA-1 Recommendations

Physical Elements: DCS Displays

1. Consider presenting all SA-1 info on a single

display.

Implement Requirements into Barrier Elements

Organizational Elements: Training

Consider training on the conventions used to display and

group SA-1 information in support of operator decisions and

actions.

2. Consider a display convention that instantly identifies

PAHH-1006 as the IPL activator alarm.

IPL activator:PAHH-1006

Required Info:

PI-1006 indication and

fault status

Current operating mode

FC/FV-1001 indication

and fault status

PAHH-1006 time stamp

PC/PV-1002 indication

and fault status

Info source:

DCS (all except mode)

Current mode –memory

Physical Elements: DCS Displays

1. Consider adding a ‘Time Remaining’ timer on

the SA-1 display to advise the operator on

the time remaining to complete the ‘act’

response.

SA-2 Level Recommendations:

2. From the main SA-1 display, consider providing hot-links

to the IPL-specific procedures.

The hazard this IPL prevents

(nature, severity)

Expected IPL response to

PAHH-1006, response time,

FV-1001 ‘safe position’.


Time available / needed to





SA-2 Level Recommendations

Organizational Elements

Training:

1. Consider IPL-specific training on the required IPL

decisions, actions, response time, valve ‘safe-state’

position.

2. Consider training on time management and

maintaining awareness of pending, time-sensitive IPL

actions. (Endsley 2012 p256)


(nature, severity)










SA-2 Level Recommendations – continued:

Organizational Elements: Procedures

Consider an IPL-specific procedure covering:(Stanton 2010 Ch4)

- Hazard prevented by this IPL.

- Required decisions, actions, response time,

applicable mode, FV-1001 safe-state criteria.

- State the minimum operator competency (e.g., SA-2

and SA-3 requirements.(Endsley 2012 p242-3)


(nature, severity)










SA-3 Level Recommendations


Training: Consider training on the expected and

permitted safe actions that may be taken to limit

production knock-on effects of the IPL.

Procedures: Consider creating a general practice

standard to clarify the expected and permitted operator

actions that may be taken to limit production

disturbances caused by the manual IPL activation

Other SA-Related Recommendations

Organizational Elements: Competency Assessment

Consider assessing the operator’s knowledge, experience

and performance against the stated requirement, including

the SA requirements.

Potential Approach Benefits

Approach Benefits

Specifying all decisions provides:

• Clarification on the required decisions, expected and

implied.

• Insight into decision complexity (affects barrier response

time)

• The basis to identify the ‘Detect’ phase information (SA-1)

needs.

• The basis for defining the SA-2 and SA-3 requirements

(Input to Human and Organizational elements).

Approach Benefits

The defined decisions and SA-1 information provides

the design input needed to:

• Identify SA-1 info sources, e.g., technical system,

verbal (radio, telephone) or the ambient environment.

• Design the appropriate displays

• Guide the physical layout design of equipment and

understand the use conditions and requirements.

• Identify a need to integrate data from several systems.

Workshop stage 2…..

……a cognitive-centric, ‘first-principles’ approach

to active human barrier design.

Conscious

and

Subconscious

Processes

Human Cognition

…..the collective product of interdependent and very

different subsystems:

• Endocrine system (freeze, fight, flight response)

Most are automatic and hidden from our

view. Only a few are observable!

• Conscious processes (Attention)

• Sensory receptors and pre-processing

• Subconscious processes

Understanding Human Cognition

Prior to the mid-1990’s, science provided few

opportunities to examine and confirm the base nature

and functioning of the hidden side of human cognition.

This is especially true for subconscious processes that

dominate how we experience and interact with the

world around us.


This changed in the 1990’s with the

advent of the fMRI machine. It allowed

researchers to look into the mind and

watch these processes in real-time

This new area of research greatly expanded our

understanding of how the mind works by providing accurate

insights into cognitive functions that were previously hidden.


This new knowledge of human

cognition offers designers a first

principles approach to task, display

and user interface design.

The findings from this work are well established and

available to apply and guide the design of safety-critical

tasks and technical system interfaces.

Mental Model (MM) – Long term memory structures and

content, e.g., events, how things work, relationships, facial

recognition, language, etc. MM stores prototype

representations (schemata) and action sequences (scripts). (Endsley 2012 p 21-2)

Terms and Definitions

Working Memory (WM) – Seat of conscious processing, e.g.,

attention, reasoning, decision making, and guiding behavior.

It has a core executive function, scratch pad, limited temporary

memory store (< 20 sec.) for general and sensory data. Access to

MM and sensory data. (Reason 1990 p 32-3)

Heuristic – “a simple procedure that helps find adequate,

though often imperfect, answers to difficult questions” (Kahneman 2011 p98)

FFF – Freeze, Fight, Flight (Endocrine system response)

COGNITIVE CAPABILITIES AND TRAITS

SUBCONSCIOUS PROCESSES CONSCIOUS PROCESSES and ATTENTION

Always active: controls 95% of daily activities

(Mlodinow 2012, p34, Kahneman 2011)

Active only when called: ~ 5% of daily activities (Mlodinow 2012, p34, Kahneman 2011)

Recognition/reaction time: Fast e.g., 200 milliseconds. (Sträter 2005, p119/126-7, Carter 2014 p 121)

Skill examples: driving or recognize a face.

Slow: Fractional seconds to minutes. (Carter 2014 p 121)

Executive Mode: A recognition engine that continuously compares input stimulus to one’s MM seeking a match.

If match, automatically selects associated schema/action response. If not, calls a conscious process to resolve. (Endsley 2012 p22-3, Kahneman 2011 p11, 24)

Linear, sequential processing cycles. (Reason 2008, p12)

Realized by Working memory (WM) - essential to all conscious processes. WM comprises: executive workspace, short term data store (<20 seconds), access to MM and pre-processed sensory data. (Mlodinow 2012, p64, Carter 2014 p157)

Normal operation:

- Automatic, continuous, and effortless. (Kahneman 2011, p20)

- Open loop, positive feedback only. (Sträter 2005, p118)

- Highly effortful, Lazy tendencies. (Kahneman 2011, p21, Ch3)

- Closed loop, negative feedback. (Sträter 2005, p118)

- Runs concurrent to subconscious processes. (Reason 1990, p132-4)

Attention resource: Captured for brief periods (~< 25 milliseconds) that go unnoticed by conscious processes.

Attention activated by: - Consciously called and directed (Reason 1990, p132, Kahneman 2011, p105)

- Subconscious call, e.g., no mental model match found, FFF activation, (Kahneman 2011, p 24, 35)

Observability: Most functions are hidden (Mlodinow 2012)

Recognition product perceived as intuition or ‘gut feel’. (Kahneman 2011 p 11)

Partially. General visibility into the object of one’s directed attention, decisions, results, some conscious processes. (Reason 2008, p 12)

Hidden subconscious-controlled/influenced activities, e.g., memory call criteria, effects of emotions, subconscious priming, goals/ beliefs, etc.. (Kahneman 2011 p103, Reaso n 1990 p11-2)

SUBCONCIOUS PROCESSES CONSCIOUS PROCESSES and ATTENTION RESOURCE

Memory call criteria:

Initially seeks a similarity match: like-with-like. If no clear solution, seeks the most frequently used (frequency gambling). (Sträter 2005, p110, Reason 2008, p12 -25, Reason 1990 p98, 130-147)

Default: see subconscious

With effort and focus, able to:

- Modify memory call criteria (Reason 1990, p131, 2008, p12) - Assess/accept/reject memory call results (Reason 1990, p131 2008, p12)

Decision: None (See ‘Executive Mode’)

Analytical: Limited. Some intuitive ability to guestimate averages, but not sums. No statistical capability. (Kahneman 2011 p 92-3)

Yes. Powerful analytical and decision capability. Max

throughput of 10 bits/second (binary decision)(Reason 2008, p12)

Caveat: Subject to hidden biases, potentially inappropriate short-cuts, memory/execution induced errors, etc. (Kahneman 2011)

Validate response before acting: No (Impulsive behavior) (Sträter 2005, p118,-9 Kahneman 2011 p 85-6)

Yes, but only with focused effort. Otherwise:

- Does not automatically check input data /decision validity or check to see if essential info is missing (Kahneman 2011 p46, 84, 86, 99, 105)

- Tends to limit validity checks to confirming information only, i.e., confirmation bias (Kahneman 2011 p 80-2, 105

Ability to detect risk: None (Sylvestre 2017 p69-71) Yes, but only if activated and tasked. (Sylvestre 2017 p69-71)

Ability to detect danger: Fast, continuous, automatic. (Sylvestre 2017 p69-71)

Sudden danger activates FFF response.

Limited, if activated and tasked. (Sylvestre 2017 p69-71)

FFF response may delay conscious process activation.

SUBCONCIOUS PROCESSES CONSCIOUS PROCESSES and ATTENTION RESOURCE

Access to raw sensory data ~11 mil. BPS: No

Access to pre-processed sensory data: Yes, all senses.

Max input data rate: 16-50 BPS (Mlodinow 2012, p33)

Perceives sensory inputs @ ~100-200ms lag with access more data than conscious processes. (Carter 2014, p79)

Raw data: No

Pre-processed data: Yes, all senses

Max input data rate: See subconscious

Working memory can store a few bits of sensor data for <20 seconds . Perceived data has ~300-400ms lag.

Span of control: Once learned, has full automatic control of all skill and habit routines. (Sträter 2005, p118)

Note: Skills and habits fully automated within 2-6 months of continued repetition. Prior to that, control is a sliding mix of conscious/subconscious processes.

Initially a skill or habit begins as a consciously

controlled activity. (Reason 2008 p 13-14, Kahneman 2011 p 35)

Observation: This information makes it abundantly clear

that human error is systematic; cognitive errors are seldom

random.

Ability to self-monitor, self-correct: None (Kahneman 2011, 41-2, 105)

Yes, if activated and tasked.

Provides the only means to monitor and modify one’s performance, decisions, emotional state and behavior. (Kahneman 2011, p24, 41, Sträter 2005, p119)

The human response to a safety-critical

task depends on which mind responds….

…..conscious or subconscious…

..each provides different

answers and responses.

Conscious processing is only possible

because humans have the ability

to direct and focus this powerful resource.

Attention: Essential to Conscious Cognition

• Normally a subconscious process. However a conscious

process can direct and focus this resource for a period of

time.

• All conscious processing takes place within a single

set of cognitive resources collectively referred to as

Attention.

Attention:

Attention: Essential to Conscious Cognition

• One’s attention resource is limited: (Reason 2008, p 42)

– Capability is degraded by internal or external factors that

negatively affects working memory, e g , short term

memory store capacity or duration.

– Capacity: Attention may be consciously directed to an

intended object or task, or subconsciously and

automatically directed to an unintended task ,e.g., an

external distraction.

Any unintended misdirection of this limited resource

means less remains available for safety-critical tasks.

Conditions that Degrade Attentional Performance:

• All conditions that negatively affect Working Memory. (IOGP 2014b)

• Attention capture …more on this later

• Poor attention management (Misdirected attention)

• Maintaining one’s self-control (consumes) (Kahneman 2011, 39-42)

– Forcing a physical or mental work-pace above one’s

‘normal’ pace

– Maintaining one’s emotional state or behavior in the

presence of internal or external stress-inducing condition

• Workload exceeds capacity (increased errors, error types)

Unmitigated conditions that degrade

or inappropriately divert one’s Attention

places the barrier function at risk!

Factors that degrade Working Memory (WM)

• Factors that introduced WM execution errors

– Interruptions and distractions

– Poor display design, eg, scattered info or display clutter

• Known factors that degrade working memory capacity and

retention duration:

– Fatigue, lack of sleep

– High Stress, fear

– Problems at home (internal distraction)

• Factors that increase stress/anxiety

– Excessive workload

– Urgency

Working Memory (WM) Errors

Recall: conscious processes are step-wise and sequential.

• Data from memory is forgotten or misremembered

• Forget to remember a pending future task, i.e.,

prospective memory (Reason 1990, 107)

• Lose track of time / poor time management.

• Place losing - What step am I in? (Reason 2008, p 33)

• Lose track of task priorities and safety-critical objectives

Memory errors can occur in the Detect, Decide, or Act phase.

This can lead to a wide range of human barrier failure scenarios.

WM error types…..

1. Complete the SA evaluation described earlier.

2. Evaluate the ‘decide’ (and ‘act’) functions against known

cognitive limitations, errors sources and inherent bias.

3. Recommend changes to barrier elements to ‘designed-out’

the likely source of a safety-critical cognitive error.

Suggested process to apply this information

4. Evaluate the recommendations against existing project

standards to confirm feasibility. Revise as needed.

5. Review recommendations with Operations to confirm

viability and acceptance. Select / reject / revise as needed

to finalize the design.

Example Solutions to Address Cognitive Issues

Physical Elements, e.g., technical system

• Memory aids

• Time tracking and management aids

• Decision aids

• Execution aids


• Training

• Procedures

• Competency assessments

See examples at the end of this presentation.

Note: This type of evaluation applies to any detect, decide or act

phase activity having a cognitive demand that is known to be

problematic, e.g. , high reliance on short-term memory, complex

decisions or the need to track time or manage concurrent tasks.

Worked Examples

Evaluate several ‘decisions’ for possible cognitive

issues that may cause the barrier to fail

Recall the SA analysis result

Detect DecideAct

(Execute)

Req’d data Source

- IPL ‘Response Time’ remaining .

- Remaining actions to complete IPL

DCS display: Timer .

WM / Attention:

- Recall future action

- Monitor time passage

- Manage concurrent tasks

Decision 3: Initiate the response now or wait?

Cognitive error / IPL failure risk

1) Forget to execute the IPL response

2) Late response: Not monitoring time passage / Time Remaining timer

3) Late response: Busy with other tasks IPL at risk: Yes. 1) Potential failure to execute the IPL 2) Potential failure to execute the IPL on time

Evaluate: Decision 3 for potential cognitive errors.

Known cognitive issues / biases that can create these errors:

• Prospective memory failure (forget to remember)

• Task switch errors - a known cognitive bias that may delay

a the switch between tasks

• Human limitations in time tracking (accuracy & awareness)

Evaluate: Decision 3 for potential cognitive errors.

A decision to delay the response creates a new task that

must now be remembered so it will be completed at the

right time in the future. (Prospective Memory task).

Assessment

Decision 3, Cognitive Error 1

This type of error can occur with any

active human IPL / barrier.

Prospective memory errors “are among the most common

forms of human fallibility”. (Reason 1990 p 107)

Recommendations: Physical Elements: SA-1 Display

1. Consider adding a re-alarm function that alarms if the ‘act’

response is not achieved within ‘x’ minutes from the

‘Response Time’ timer expiration. (A reminder function.) (Wickens 2015)

2. Consider automatic initiation of the IPL act response if

FV-1001 is not at the required safe state when the

‘Response Time’ timer expires.

Recommendations


The potential error - the Operator loses track of time,

and fails to monitor the ‘Time Remaining’ timer.

Assessment


Time Tracking: Cognitive Limitations

The human mind is not ideally equipped to reliably and

accurately track time, or start / stop an activity at a specific

time in the future….

…must address in the design!

SUBCONSCIOUS CONSCIOUS / ATTENTION

Response: Optimal for a 10-20 sec. horizon

Track event sequence: Yes

Clock time: None

Elapsed time: Limited. With experience one’s MM provides the ‘gist’ on when a future event may occur, e.g. fast or slow. This improves with expertise (SA-2/3)

Awareness of time passage also varies with mood, age, situation, etc.

Event sequence: Yes, subject to WM

limitations *

Clock time: Yes, subject to attention limitations, i.e., can accurately track time for periods < 30 seconds, then progressively less reliable. *

Elapsed time: See subconscious

*Time tracking consumes attention resources, e.g., attention capture or divided attention degrades clock-time tracking.


1. Consider the re-alarm function recommended for

cognitive error 1.

2. Consider automatic initiation of the IPL act response

recommended for cognitive error 1.

Assessment


The longer response time allows the operator to switch to

other tasks prior to completing the IPL response.

Assessment


The cognitive risk is the potential for a ‘task switch error’

error. This type of error may delay a timely switch back to

this safety-critical task.

Task Switching Errors

• A general tendency to resist a switch to a

different task, even if it is a higher priority. (Sträter 2005, p50)

• “When deciding to perform a task with drastic effects...the

human is usually reluctant to undertake the task.” (Sträter 2005, p50)

• Plan continuation error - a strong resistance to change

tasks when nearing completion on an existing task. (Sträter 2005, p50)

• If progressing two tasks simultaneously (a high mental

load) the more cognitively demanding task may be dropped

even though it may be higher priority. (Sträter 2005, p51-52, Wickens 2015)

• Under high mental load, a switch may fail to occur due to

attention capture and cognitive tunneling. (Wickens 2015)

Task Switch Errors

A timely switch to a higher priority task may fail to

occur or be delayed 30% of the time. (Wickens et. al. 2015)

Ambiguity or under-specification of relative task

priorities (training, procedures, plant culture, etc.)

further decreases the likelihood of a timely switch to a

higher priority task. (Wickens et. al. 2015)

Recommendations

Decision 3, Cognitive Error # 3


1. Consider the re-alarm function recommended for

cognitive error 1.

2. Consider automatic initiation of the IPL act response

recommended for cognitive error 1.

Recommendations

Decision 3, Cognitive Error # 3


Training:

Task Switch Resistance: Consider training to increase operator

awareness and recognition of task switch errors (types and

nature) and situations when each is the most likely to occur.

Procedure General:

Task Priority: Consider adding clear guidance on response

priorities under different situations, e.g., priority when

concurrent alarms occur: a human IPL and high priority

(HAZOP) alarm, or a human IPL and a process alarm that can

lead to a facility shutdown. (Sanders 1993, p74)

Req’d data

Source

PC/PV-1006 status/position

FC/FV-1001 status/position.

IPL ‘Time Remaining’ timer

DCS displays: process & instrument data

.

WM/Attention fully engaged in the analysis

The potential cognitive errors are possible with ‘Attention Capture’ and a ‘plan

continuation / task switch type error.

Evaluate: Decision 3, Scenario 1 for potential

cognitive errors

Scenario 1: Operator spends too much time attempting to resolve the condition that activated the PAHH.

Cognitive error, IPL failure risk

Operator focused on resolving the condition that activated the PAHH delaying Act response. Cog. risk:

1) Attention capture (internal) 2) Task switch error - plan continuation error

IPL at risk: Yes. 1) Potential failure to complete the IPL. 2) Potential failure to complete the IPL response on time.

Assessment

Decision 3, Scenario 1, Error 1

Scenario: Operate attempts to troubleshoot and resolve

the conditions that activated the IPL PAHH.

……..Why would an operator do this? If successful, it

eliminates the need for the IPL action!

Potential risk: The Operator becomes fixated on resolving the

process condition…lose track of the pending IPL response.

(Attention Capture: Internal)

Attention Capture

Attention Capture – Internal preoccupation Reason 2008 p42

• Excessive workload-induced tunnel vision (ignores

information)

• Intended intense focus (lose awareness of surroundings)

• Problems at home (Misdirected attention)

• Fear, FFF activation (Re-directed attention, loss of focus)

.

Attention Capture – External distractions Reason 2008 p42

• Interruptions: 2-way radio call, ambient conversations

• Sudden distractions: explosion, panicky voices, smell toxic

gas

Attention Management Error Types

Attention capture can lead to ……

• Block out other external inputs, Loss of Situation Awareness

.

• Change blindness: failure to see what is not looked for

(tunnel vision) (Kahneman 2011, p23)

• Execution errors, e.g., place losing, forget or

misremember information in WM (Reason 2008, p32-3)

• Strong habit intrusion: Automatically perform a familiar task

sequence that is not appropriate to the current (though

similar) task; 40% of all absent-minded slips. (Reason 2008 p42 )

• Automatic withdrawal of attention from a more urgent task (Reason 2008, p42)

Recommendations: Physical Elements: Displays

Consider adding the 1) re-alarm function and 2) automatic

initiation of the IPL act response recommended in the earlier

example.

Recommendations


Organizational Elements:

Training: Consider adding attention management training to

increase operator awareness and recognition of Attention

Capture errors (types and nature), and when each type is the

most likely to occur

Procedure: Consider adding the Task Priority

recommendations from the earlier example. (Emphasis on

safety over production!)

Recommendations


Approach Benefits

Potential Benefits of the Cognitive Evaluation

and Corrective Process

• Proposes a process that is purposely created to identify

and correct design flaws that are cognitive in nature and

known contributors to human error.

• By its nature, this is a first-principles approach to human

interface design.

• The approach holistically integrates human cognition

design solutions into the appropriate barrier element.

• Builds on the results of the SA assessment to reveal

potentially unrealistic cognitive demands that warrant

further evaluation.

This concludes the workshop.

Thank You!

Author Bio – Tom Shephard CAP, PMP

• A passionate seeker of best practice tools & methods

• 37 years - Operating and engineering companies: O&G,

refining, midstream, terminals and pipeline

• Technical safety department: Management and member

• Functional safety lead on many projects

• Automation project manager / project Lead

• Corporate standards and practice development

• Certified Automation Professional (CAP)

• Certified Project Management Professional (PMP)

• A lifetime of hands-on safety work. All project phases and activities.

Recently retired: Wood Group Mustang

References (Page 1 of 2)

Carter, R., Aldridge, S., Page, M., Parker, S., 2014, The Human Brain Book, 2nd Ed, DK Publishing, New York

CCPS, 2001. Layer of protection analysis simplified process risk assessment, New York, Center for Chemical Process Safety of the American

Institute of Chemical Engineers

CCPS, 2018. Bow ties in risk management, a concept book for process safety, New Jersey, John Wiley & Sons Inc., Center for Chemical Process

Safety of the American Institute of Chemical Engineers

CIEHF 2016, Human barriers in barrier management, a white paper by the Chartered Institute of Ergonomics and Human Factors, 12/2016, CIEHF

CSB, 2016. Investigation report volumes 3, drilling rig explosion and fire at the Macondo well, Report No. 2010-10-I-OS 4/12/2016

Endsley, M. R., 1988. Situation awareness global assessment technique (SAGAT), Proceedings of the National Aerospace and Electronics

Conference (NAECON), 23-27 May 1988, Dayton, Oh, New Hour IEEE, 789-795

Endsley, M. R., 1995. Toward a theory of situational awareness in dynamic systems, Human Factors, 37(1) pp 32-64

Endsley, M.R., Garland, Daniel J. (Editors), 2008. Situation Awareness Analysis and Measurement, CRC Press

Endsley, M.R., Jones, D.G., 2012. Designing for situation awareness: An approach to user-centered design, 2nd Edition, CRC Press

Hick, W.E., 1952, On the rate of gain of information, Quarterly Journal of Experimental Psychology, 4:1, 11-26

IOGP, 2012. Cognitive issues associated with process safety and environmental incidents, London: International Association of Oil and Gas

Producers, IOGP Report No 460, 7/2012

IOGP, 2014a. Crew resource management for well operations team, International Association of Oil and Gas Producers, IOGP Report No 501, April

2014

IOGP, 2014c. Guidelines for implementing well operations crew resource management training, International Association of Oil and Gas Producers,

IOGP Report No 502, 12/2014

Johnsen, SO, Kilskar, SS, Fossum, KR, (2017) Missing focus on human factors – organizational and cognitive ergonomics – in the safety

management for the petroleum industry, J. Risk and Reliability, V231(4) pp 400-410, Proc. IMechE Part O

Kahneman, Daniel, 2011, Thinking, Fast and Slow, Farrar, Straus and Giroux

Mlodinow, Leonard, 2012, Subliminal: How Your Unconscious Mind Rules Your Behavior, Vintage Books (Div of Random House Inc.), 1st Edition

OESI, 12/2016, Human factors and ergonomics in offshore drilling and production: the implications for drilling safety, Ocean Energy Safety Institute

References (Page 2 of 2)

OESI, 12/2016, Human factors and ergonomics in offshore drilling and production: the implications for drilling safety, Ocean Energy Safety Institute

Reason, J., 1990. Human Error, Cambridge: Cambridge University Press

Reason, James, 2008. The Human Contribution, Unsafe Acts, Accidents and Heroic Recoveries, Ashgate Publishing Ltd,

Sanders. Mark S., McCormick, Ernest J, 1993, Human Factors in Engineering and Design, McGraw-Hill Inc, 7th Ed

SPE, 2014. The human factor; process safety and culture, SPE Technical Report, Society of Petroleum Engineers, March 2014

Stanton, N.A., Salmon, P., Jenkins, D., Walker, G., 2010. Human Factors in the Design and Evaluation of Central Control Room Operations, CRC

Press, Taylor and Francis Group, 2010

Sträter, O., 2005. Cognition and safety: an integrated approach to systems design and assessment, Ashgate Publishing Ltd, 1st Ed

Sylvestre, Christian, 2017, Third Generation Safety: The Missing Piece, ISBN 978-0-648 1200-0-1, National Library of Australia Cataloging-in-

Publication entry

Wickens, C. D., et.al., (2015), Discrete task switching in overload; a meta-analyses and a model, Int. J. Human-Computer Studies (2015),

http://dx.doi.org/10.1016/j.ijhcs.2015.01.002

Woods, D.D., Dekker, S., Cook, R., Johannsen, L., Sarter, N., 2010. Behind Human Error, Ashgate Publishing, 2nd Ed

Workload Issues

Conditions that increase workload…….

• Inadequate experience or training (Stanton et al 2010, p132)

• Poorly designed / degraded workspace / environment (Stanton et al 2010, p142)

• Poorly design user interface displays (Stanton et al 2010, p131)

• A poorly designed task that:

– Has underspecified, incorrect or incomplete procedures (Stanton et al

2010, p131)

– Is overly complex cognitively or physically (Stanton et al 2010, p131)

– Does not allow adequate time to complete tasks (Stanton et al 2010, p132)

– Does not adequately consider operator capabilities (Stanton et al 2010, p131)

“Mental workload is….a multidimensional construct that is

characterized by the task (e.g., complexity, demands) and the

individual involved (e.g., skill, experience, training)” (Stanton et al 2010, p128)

Workload Error Types

Task workload that exceeds one’s cognitive capacity

increases the likelihood:

– Saturated attention resource….unintended deferment

to non-observable subconscious processes

– Task switch failure

– Tunnel vision

– Increases stress and fatigue (cognitive affects) (Stanton et al

2010, p128)

– Procedural shortcuts, e.g., ignore important

information (Stanton et al 2010, p128)

– Reduced situation awareness (Stanton et al 2010, p140)

Decision Aids (Reason 2008, p242)

• Direct attention to important aspects that should be consider

in the decision / analysis space

• Minimize ‘availability bias’, i.e., an impulsive leap to a readily

available problem/solution set.

• Supplement incomplete or incorrect working knowledge, e.g.,

procedural/technical knowledge

• Tools to prevent an incorrect narrowing of a decision or

analysis frame (bounded rationality / keyhole effect)

Example Aids to Support Cognitive Processes

Execution Aids: (Reason 2008, p242)

• Tools to track the current step in a required sequence (place holding)

• Tools to progress an analytical operation, e.g., mathematical, ‘Is this

going sour?’, etc.

Memory Aids:

• Augment prospective memory: Prompts to guide the ‘what’ and ‘when’ of

a future task (Reason 2008, p242)

• Augment working memory, e.g., reduce the need to hold many

information items in WM to progress a task.

Time Tracking Aids:

• ‘Time Remaining’ countdown timer (e.g., IPL response time)

• ‘Time Since Event’ count-up timer (e.g., general time tracking, planning

information)

Example Aids to Support Cognitive Processes

Procedures (Stanton 2010, Ch4)

• Increase clarity in areas of ambiguity that have hidden

negative effects on decision processes and behavior, e.g.,

response priorities, production vs safety

• Ensure procedures clearly identified the expected actions if

confronted with situational (concurrent) issues that require

choosing between plans of action or the next task selected.

• Develop procedures that do not include flaws that are

known error contributors, e.g., awareness that isolated

steps at the end of a procedure tend to be omitted.

Addressing Cognitive Issues in Organizational

Elements

Training (Reason 2008, p242)

• Awareness training: Enhance awareness of hidden

cognitive biases and heuristics that can negatively affect

performance

• Error training: Develop training processes that allow the

trainee to explore and learn from mental model/cognitive

error detection and self-correction (Reason 2008, p 245)

• Execution skills and mental model development (Reason 2008, p 245)

• Attention management: increase awareness of attentional

errors and their potential contribution to a safety-critical

error.

Addressing Cognitive Issues in Organizational

Elements

Apply Situation Awareness and Human Cognition Science to ... · integrates Situation Awareness and...

Documents

Transcript of Apply Situation Awareness and Human Cognition Science to ... · integrates Situation Awareness and...