Final Report
Human Factor Design Issues Relating to Individual Behaviour in Emergency Situations
PRAC Project #C8-01
December 1, 2007 – June 30, 2010
Dr. Paul Amyotte, P. Eng. – Principal Investigator
Department of Process Engineering and Applied Science
Dalhousie University, Halifax, Nova Scotia
June 30, 2010
Summary
A framework was developed to assess and reduce the risk of human error during offshore emergency situations. The risk of human error is a function of the probability of a human error occurring and its consequences. Emergency response on offshore oil and gas production installations is known as the escape, evacuation and rescue process. The tasks that personnel are required to complete during emergency response were identified using a task analysis tool. Literature reviews and expert judgment techniques were used to evaluate the risk of human error for the escape and evacuation phases. A risk reduction methodology was incorporated into the framework to evaluate potential safety measures for reducing the risk for specific tasks. Novel concepts introduced in the work include the incorporation of the hierarchy of controls and the concept of prevention and mitigation safety measures into the procedural HAZOP model. Industry data on human error probabilities during emergency response is required for further validation and calibration of the framework. It is also recommended that a complete analysis be performed for the search and rescue phase of emergency response.
Table of Contents
Introduction
Objectives, Methodology and Results
Dissemination
Conclusions and Recommendations
Publications
Expenditures of PRAC Funds
Employment Summary
References
Appendix 1 – PRAC Research Slide
Appendix 2 – QRA Technique Comparison Report
Appendix 3 – Human Error Data Availability Report
Appendix 4 – Report on WOAD
Appendix 5 – Procedural HAZOP Report
Appendix 6 – Empirical Data Solicitation Report
Appendix 7 – Consequence Analysis Report
Appendix 8 – 8th World Congress of Chemical Engineering Presentation
Appendix 9 – Safety Science Publication
Appendix 10 – 44th Annual Loss Prevention Symposium Paper
Appendix 11 – Master of Applied Science Thesis
Introduction
Human beings make errors. When these errors are made in one of the world’s harshest work environments, the consequences can be devastating. The risk of human error can be significantly lowered by reducing the frequency of human errors and/or controlling any consequences should an error occur. Only by acting on the belief that human errors are rooted in human factors can the risk of human error be reduced. In other words, workplaces and their attendant procedures must be designed primarily with consideration for the actions of human beings. This requirement is arguably at its most critical level during emergency situations when the potential for human error and the severity of the possible consequences are at their greatest.
The research undertaken is aimed at enhancing the safety of offshore oil and gas operations in Atlantic Canada and eventually worldwide. The scope of the research is emergency scenarios which necessitate taking action to ensure successful personnel escape, evacuation and rescue in response to various initiating events. The focal point of the research is the quantitative determination of the probability and consequences of human error during these emergency actions, as well as the evaluation of any risk reduction measures to determine their reliability. The end-result of the research is an engineering tool designed to employ these human error data in making objective decisions concerning facility design improvements from a human factor perspective.
The overall objectives and results are presented in the main body of the report, while the specific details are presented in the appendices as follows:
Appendix 1 – PRAC Research Slide: A slide developed for PRAC as a summary of the current project
Appendix 2 – QRA Technique Comparison Report: A comparison of quantitative risk assessment (QRA) techniques available for human error probability evaluation
Appendix 3 – Human Error Data Availability Report: A summary of the sources of human error data for offshore emergencies including databases and industry representatives
Appendix 4 – Report on WOAD: A report on the usefulness of the world offshore accident database (WOAD) as a tool for determining human error probabilities for emergency situations
Appendix 5 – Procedural HAZOP Report: A report outlining the procedural hazard and operability study (HAZOP) of offshore escape tasks
Appendix 6 – Empirical Data Solicitation Report: A summary of the efforts to liaise with the offshore oil and gas production industry in determining human error probabilities during offshore musters
Appendix 7 – Consequence Analysis Report: A summary of the analyzed consequences of human error during offshore escape
Appendix 8 – 8th World Congress of Chemical Engineering Presentation: The presentation of Year 1 research given at the 8th WCCE
Appendix 9 – Safety Science Publication: The paper published in the Safety Science Journal detailing the Year 1 research and results
Appendix 10 – 44th Annual Loss Prevention Symposium Paper: The paper accompanying the presentation given at the 44th LPS detailing the Year 2 research results and direction at the time of the symposium
Appendix 11 – Master of Applied Science Thesis: A detailed description of the research goals, methodology and results for both Year 1 and 2
Objectives, Methodology and Results
The following are the objectives outlined in the project proposal.
YEAR 1: Activity: Use of expert judgment techniques such as HEART and THERP to determine human error probabilities for muster steps based on initiators of man overboard, gas release, and fire and explosion. (NOTE: All activities in Year 1 relate to the muster sequence and these three initiators.) Outcome: Comparison of SLIM-generated human error probabilities with those determined using other available expert judgment techniques such as HEART and THERP. Anticipated Start Date: Month 1
Anticipated End Date: Month 4
YEAR 1: Activity: Review of available empirical data for human performance indicators during offshore platform musters. Outcome: Comparison of expert judgment-generated human error probabilities with available empirical data. Anticipated Start Date: Month 1
Anticipated End Date: Month 4
YEAR 1: Activity: Review of possible consequences arising from failure of completion of specific muster steps. Outcome: Qualitative method for assigning consequences to failure of completion of specific muster steps. Anticipated Start Date: Month 5
Anticipated End Date: Month 6
YEAR 1: Activity: Review of, and development work on, quantitative methods for determining consequences of failure to complete specific muster steps. Both expert judgment and empirical approaches will be considered, and emphasis will be placed on dealing with the issue of data uncertainties. Outcome: Quantitative method for determining consequences of failure to complete specific muster steps. Anticipated Start Date: Month 5
Anticipated End Date: Month 8
NOTE: This objective was altered following development of the qualitative method for assigning consequences of failure to complete muster steps. The research team found that there is not sufficient data available within current industry practices to develop a valid quantitative model of consequences. The majority of the safety measures listed in the procedural HAZOP arise from the principles of inherent and procedural safety and there is a lack of reliability data for these measures. Safety measure reliability is an integral component in quantitative consequence modelling. In place of quantitative consequence modelling, incident reports and accident investigations from industry were collected and studied to develop a table of consequence severities for failure to complete each specific muster step.
YEAR 1: Activity: Review of best practices in the offshore industry with respect to risk matrices. Outcome: Risk matrix for concurrent consideration of human error probability and consequence severity, and quantitative ranking of emergency procedure steps in terms of probability of human error and severity of consequences arising from human error. Anticipated Start Date: Month 7
Anticipated End Date: Month 8
YEAR 1: Activity: Review of available risk reduction measures to combat human error during the muster process. Outcome: Hierarchical listing of facility design improvements to minimize human error with respect to both probability and consequence severity. The hierarchy will incorporate inherent safety, passive engineered measures, active engineered measures, and procedural controls. Anticipated Start Date: Month 8
Anticipated End Date: Month 10
YEAR 1: Activity: Development work on decision-making algorithms and feedback-loop mechanisms incorporating appropriate mathematical techniques. Outcome: Scientifically rigorous protocol (based on expert judgment and empirical data) for: (i) selecting the most appropriate risk reduction measures from the developed hierarchy, and (ii) reassessing the risk from human error after incorporating the selected risk reduction measures. Anticipated Start Date: Month 10
Anticipated End Date: Month 12
YEAR 2: Activity: Recasting of Year 1 research in terms of other muster initiators in addition to man overboard, gas release, and fire and explosion (e.g. helicopter accidents and met/ocean events such as icebergs). Outcome: Protocol for extension of Year 1 work to new muster initiating incidents. Anticipated Start Date: Month 13
Anticipated End Date: Month 15
NOTE: This objective was completed for the evacuation phase of the research rather than the escape phase. Namely, a collision scenario was explored for offshore evacuations.
YEAR 2: Activity: Recasting of Year 1 research in terms of other emergency scenarios in addition to muster and escape (e.g. evacuation, survival and rescue). Outcome: Protocol for extension of Year 1 work to new emergency scenarios. Anticipated Start Date: Month 16
Anticipated End Date: Month 18
YEAR 2: Activity: Consolidation of all previous research results with the aim of developing a generalized tool for emergency scenario QRA incorporating human factors. The starting point for this work will be HEPI, which is available to the project team in software form; additional coding will be conducted as required. Outcome: Generalized tool (based on expert judgment and empirical data) for incorporating human factor considerations into emergency quantitative risk assessment (QRA) and for use in design modification and safety measure design. Anticipated Start Date: Month 19
Anticipated End Date: Month 24
A literature review of human reliability analysis and available methods of human error probability evaluation was undertaken. Examples are shown in Appendices 2 – 4. Industry representatives were solicited unsuccessfully with the goal of obtaining muster drill reports and data (see Appendix 6). Human error probability data was estimated previously by DiMattia (2004) and in DiMattia et al. (2005) and Khan et al. (2006) using an expert judgment technique, the success likelihood index methodology (SLIM). Major investigations from previous offshore installation incidents were consulted to determine the severity of consequences of a human error for each task required during the muster (see Appendix 7). A procedural hazard and operability study (HAZOP) was performed for each muster task (see Appendix 5). The procedural HAZOP identifies modes of error, potential consequences and potential safeguards to reduce the risk of human error. A novel concept incorporated into the procedural HAZOP is the classification of safeguards according to the hierarchy of controls (Amyotte et al., 2007) and as prevention or mitigation measures. A risk matrix was developed to combine the human error probabilities and consequence severities of each muster task. The risk matrix was used to determine the tolerability of the risk (probability and consequence) of human error for each muster task. The accidental risk assessment methodology for industries (ARAMIS) was used as a risk reduction tool. Potential safeguards identified in the procedural HAZOP were evaluated for their reliability according to ARAMIS instructions. Any safeguards that meet the minimum requirements outlined in ARAMIS were identified on a bow-tie graph for each muster task. The bow-tie graph gives an overall picture of the risk control for each task. A case study of the Ocean Odyssey incident was used for validation of the methodology. Appendix 9 includes a detailed description of the methodology and results for the muster phase.
The developed methodology was extended to evacuation scenarios. Evacuation occurs when personnel leave an installation due to an increasingly severe emergency. The tasks required of personnel during evacuation were identified. Experts in the field of offshore safety were solicited using a survey based on the human error assessment and reduction technique (HEART). The results of the surveys were used to evaluate the human error probabilities for each evacuation task. Calibration was an issue as the human error probabilities evaluated by assessors differed significantly for several tasks. Consequence severities, a procedural HAZOP, the risk matrix and risk reduction were performed in a similar fashion as for the muster phase. A case study of the Ocean Odyssey incident was used for validation. Appendix 11 includes a detailed description of the methodology and results for the evacuation phase.
The research resulted in a comprehensive risk assessment and reduction methodology for offshore emergency situations. Detailed results are given in Appendices 9 – 11.
All Year 1 and Year 2 objectives have been achieved. Due to the lack of available empirical data, the Year 1 objective of a quantitative method for determining consequences of failure was altered and incident reports and investigations were used in place of empirical data. The final product is a tool to incorporate human factor design considerations into offshore emergency scenario QRAs.
Dissemination
The Year 1 deliverables have been published in the peer-reviewed journal Safety Science (vol 48, issue 6) under the title “Human Error Risk Analysis in Offshore Emergencies”. The Year 1 work was also presented at the 8th World Congress of Chemical Engineering in Montreal, August 2009 under the title “Human Behaviour in Emergency Musters”. A combination of the Year 1 and Year 2 work was presented at the 6th Global Congress on Process Safety in San Antonio, March 2010 under the title “A Framework for Human Error Analysis of Emergency Situations.” A Master’s thesis has been completed, detailing primarily the Year 2 work. A manuscript is currently being prepared for submission to a peer-reviewed journal detailing the Year 2 results.
Conclusions and Recommendations
The research has resulted in a tool to identify and reduce the risk of human error during offshore emergencies. Novel concepts introduced with the tool include the incorporation of different types of safety measures (i.e. prevention to reduce probabilities and mitigation to control consequences) into the procedural HAZOP of emergency tasks. The hierarchy of controls has also been introduced into the procedural HAZOP. Safety measures are categorized as inherent, passive engineered, active engineered or procedural safety barriers. The combination of a robust risk reduction methodology (ARAMIS) with risk assessment techniques (HEART and SLIM) has allowed the strengths of both to account for weaknesses within individual techniques. However, calibration of risk assessment techniques is in need of improvement. Industry data on emergency preparedness drills and events is essential for further validation and improvement of the tool.
The following are recommendations for future research:
Gather industry data on emergency procedures and preparedness to validate and calibrate human error probabilities and expert judgment techniques.
Perform a complete analysis of the rescue phase of the EER process in terms of risk assessment and reduction.
Perform further research on the reliability of potential safety measures identified in the procedural HAZOPs that do not meet the minimum requirements outlined by ARAMIS.
Publications
The following publications have resulted from the research:
Peer-Reviewed Journal Articles
Deacon, T., Amyotte, P. and Khan, F. “Human Error Risk Analysis in Offshore Emergencies,” Safety Science Volume 48, 2010 (Appendix 9).
Conference Proceedings & Presentations
Deacon, T., Amyotte, P. and Khan, F. “Human Behaviour in Emergency Musters,” Presentation at the 8th World Congress of Chemical Engineering, Montreal, QC, August 23-27, 2009 (Appendix 8).
Deacon, T., Amyotte, P., Khan, F. and MacKinnon, S. “A Framework for Human Error Analysis of Emergency Situations,” Proceedings of the 6th Global Congress on Process Safety, San Antonio, TX, March 22-24, 2010 (Appendix 10).
Expenditures of PRAC Funds
Section removed for reasons of confidentiality.
Employment Summary
The following table illustrates the employment created by this project.
| Name | Position | Student (Yes/No) | PhD, Master’s, Undergrad | Full or Part Time | Scientific Contributions Made to the Research | Work-Months Associated with the Project |
|---|---|---|---|---|---|---|
| Angela Alambets | Research Assistant | Yes | Undergrad (BEng) | Part Time | Angela conducted preliminary research on human reliability assessment techniques and sources of human error data. | Four (4) January – April 2008 |
| Kelli McGean | Research Assistant | Yes | Undergrad (BEng) | Full Time | Kelli conducted a comprehensive review of the WOAD database for data and case histories to inform the project on human error/human factor considerations. | Four (4) May – August 2008 |
| Travis Deacon | Research Engineer | No | Holder of BEng degree | Full Time | Travis was the lead researcher on the project and was primarily responsible for the achievement of the Year 1 deliverables. | Twelve (12) May 2008 – April 2009 |
| Ruth Domaratzki | Research Assistant | Yes | Undergrad (BEng) | Part Time | Ruth conducted literature reviewing on human error and human factors. | Four (4) May – August 2009 |
| Travis Deacon | Research Assistant | Yes | Master’s (MASc) | Full Time | Again, Travis was the lead researcher on the project. He was primarily responsible for the achievement of the overall project deliverables. | Twelve (12) May 2009 – April 2010 |
References
Amyotte, P., Goraya, A., Hendershot, D. and Khan, F., “Incorporation of Inherent Safety Principles in Process Safety Management”, Process Safety Progress, 26, 333-344 (2007).
DiMattia, D., “Human Error Probability Index for Offshore Platform Musters”, PhD Thesis, Dalhousie University, Halifax, NS (2004).
DiMattia, D., Khan, F. and Amyotte, P., “Determination of Human Error Probabilities for Offshore Platform Musters”, Journal of Loss Prevention in the Process Industries, 18, 488-501 (2005).
Khan, F., Amyotte, P. and DiMattia, D., “HEPI: A New Tool for Human Error Probability Calculation for Offshore Operation”, Safety Science, 44, 313-334 (2006).
Appendix 1
PRAC Research Slide
Human factor design issues relating to individual behavior in emergency situations
Description: Develop an engineering tool to employ human error data in making objective decisions concerning facility design improvements from a human factor perspective
Theme: Offshore Safety
Objectives: This project will deliver a methodology to evaluate the risk of human error in emergency situations and incorporate safety measures to reduce the risk to a tolerable level. The methodology will also include evaluation of safety systems.
Value / Impact: This technology will address the gap between the perceived and actual risk of complete or partial failure of emergency procedures on offshore installations. It will also deliver a tool to evaluate the reliability of safety measures in place and highlight areas of focus for improvement.
Results / Accomplishment: The deliverables include a generalized engineering tool for incorporating human factor considerations into emergency quantitative risk assessment (QRA)
[Flowchart; box labels: Choose Muster Initiator; Combine in Risk Matrix; Choose Muster Step; Calculate HEP; Assign Consequence Severity; Determine Frequency of Exposure & Potential to Avoid Damage; Use Risk Graph to Determine Required LC; Choose Safety Barriers and Determine LCs; Build Bow-tie and Determine Overall LC; Is Risk ALARP? (Yes/No); Muster Step Analysis Complete? (Yes/No)]
Appendix 2
QRA Technique Comparison Report
Comparing Three Quantitative Human Reliability Assessment Techniques with Application to Emergency Scenarios on Offshore Oil and Gas Platforms
Report for the Petroleum Research Atlantic Canada (PRAC) Project on Human Factor Design Issues Relating to Individual Behaviour in Emergency Situations
Angela Alambets
Department of Process Engineering and Applied Science
Dalhousie University
Halifax, Nova Scotia
March 2008
Executive Summary
This report is a comparison of three different quantitative human reliability assessments, namely the Success Likelihood Index Method (SLIM), the Human Error Assessment and Reduction Technique (HEART), and the Technique for Human Error Rate Prediction (THERP). All of these techniques are expert judgment techniques, which researchers have been forced to develop and employ since the first estimations of human error probability due to a lack of real human error data. The techniques have mainly been used in the Nuclear Power industry, but they can be employed in the context of the offshore oil and gas industry. Each technique uses a different methodology to calculate human error probability, based on the various types of human error, and the environmental and operational conditions that are included in the analysis. Each has advantages and disadvantages which are analyzed and compared in a general sense and in the context of the offshore oil and gas industry. While actual human error probabilities were not generated for the purpose of this report, it is hoped that the comparison and analysis of the three techniques gives justification to the use of SLIM for the generation of human error probabilities for the PRAC project on human factor design issues relating to individual behavior in emergency situations.
Introduction
The purpose of this report is to conduct a comparison of Success Likelihood Index Methodology (SLIM) generated human error probabilities with those determined using other available expert judgment and quantitative human reliability assessment (QRA) techniques including HEART and THERP. While these are not the only techniques available, they have been used in a variety of applications and are well recognized by researchers in the field of human error probability. Each technique will be described as its own entity, and comparisons will be made based on the methodological approach in regards to accuracy, validity, and usefulness (and effective use of resources).
Dino DiMattia (2004) conducted a comparison of these QRA techniques for assessing the human error in emergency musters on offshore oil and gas platforms, with the purpose of validating the use of SLIM in his work. This was a component of his research on human error probabilities, which itself led to the development of the Human Error Probability Index (HEPI) as his thesis. Much of the content of this report reflects and builds upon the research conducted for this thesis in terms of the most appropriate technique for estimating human error probabilities on offshore oil and gas platforms, and its use with HEPI.
Background Information on Human Error in QRA
In order to establish a baseline or criteria for comparison, there first must be an understanding of what a model should theoretically accomplish. It should be able to predict human error in different contexts, and specifically in this context for emergency scenarios on offshore oil and gas platforms. Human error has been defined by Lorenzo (1990) as any human action or lack thereof, which exceeds or fails to achieve some limit of acceptability, where limits of human performance are defined by the system. The ability for a model to accurately depict the probability of such an occurrence and to make this model useful will depend on the way in which each possible error is treated, and the ability to link human error prediction with quantitative risk assessment.
Human error can occur in a number of different ways including errors such as slips or mistakes, which can themselves be interpreted as skill-based slips, rule-based and knowledge-based mistakes, or violations such as purposeful omission or substitution (DiMattia, 2004). Furthermore, human error is dependent on performance shaping factors (PSFs) including the characteristics and complexity of the task, the physical environment, the organizational environment and the operator characteristics. Including PSFs in human reliability assessment (HRA) tools allows for the collection of similar contextual information to be used for identifying error in categories with common features. Due to the number of possible modes of human error, their conditions and causes, human, inherent and process factors, and the more contextual error mechanisms involved in human error estimates, PSFs provide an organized framework of evaluating different circumstances. The comparison that follows will therefore compare the ways in which these different aspects of human error are treated in developing the probability of failure for an HRA.
Success Likelihood Index Method (SLIM)
In the SLIM technique, PSFs are weighted and rated to develop a success likelihood index (SLI) for each muster action, which in turn allows for the estimation of the probability of success (POS) and the human error probability (HEP). This weighting and rating data is obtained by administering questionnaires, based on different muster scenarios, to a number of pre-selected judges.
DiMattia et al. (2005) conducted a simulation that involved three different muster scenarios (man overboard, gas release, and fire and explosion) with 18 different muster actions. They considered six different PSFs including stress, complexity, training, experience, event factors and atmospheric factors. The weighting and rating data was then processed by SLIM.
Expert judgment techniques are employed by providing judges with the opportunity to give subjective opinions and decisions in an objective manner. In the SLIM technique employed by DiMattia et al. (2005), 24 judges with different backgrounds and experience participated, with a core review team (CRT) that was selected to help in the determination of muster scenarios, muster actions and PSFs. Specifically, a hierarchical task analysis (HTA) was conducted to develop muster steps that were independent of the muster initiator. A similar technique was used to determine the appropriate PSFs, allowing the judges to review and assess a number of PSFs and then narrow them down to six using a pairwise comparison.
In order to develop the actual human error probabilities, the weight of each PSF is divided by the sum of all PSF weights for the particular action in order to normalize it, producing the PSF n-weight. The product of the n-weight and the rating gives the success likelihood index (SLI). This can be found for each PSF for a given action and summed for the total SLI for each action. Muster actions with high SLIs will have the highest likelihood of success. Subsequently, a logarithmic relationship of Pontecorvo is used to determine the HEP values for each action in the equation:
$$\log(\mathrm{POS}_i) = a\,(\mathrm{SLI}_{i,m}) + b$$
where
$\mathrm{POS}_i$ = probability of success for action $i$ = $1 - \mathrm{HEP}_i$
$\mathrm{SLI}_{i,m}$ = arithmetic mean of success likelihood index values (from judges' data) for action $i$
$a, b$ = constants
Determination of a and b requires analysis of HEPs for the actions with the lowest and highest SLI values. These data can then be put into the above equation, and subsequently, the remaining muster action HEPs can be calculated.
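The SLIM calculation described above, carried through in code as an added example (not code from the report or from HEPI). The action names, weights, ratings and the two anchor HEPs are constructed for illustration, and a base-10 logarithm is assumed for "Log"; the resulting HEPs do not depend on the base because a and b are calibrated with the same logarithm.

```python
"""SLIM worked example: PSF weights and ratings -> SLI -> HEP (added illustration)."""
import math

# The six PSFs the page lists for the DiMattia et al. (2005) study.
PSFS = ("stress", "complexity", "training", "experience",
        "event_factors", "atmospheric_factors")


def normalise(weights):
    """Return PSF n-weights: each weight divided by the sum of all weights."""
    total = sum(weights)
    if total <= 0:
        raise ValueError("PSF weights must sum to a positive number")
    return [w / total for w in weights]


def sli(weights, ratings):
    """SLI of one action for one judge: sum over PSFs of n-weight * rating."""
    if len(weights) != len(PSFS) or len(ratings) != len(PSFS):
        raise ValueError("need exactly one weight and one rating per PSF")
    return sum(nw * r for nw, r in zip(normalise(weights), ratings))


def mean_sli(judges):
    """SLI_{i,m}: arithmetic mean of the judges' SLI values for one action."""
    return sum(sli(w, r) for w, r in judges) / len(judges)


def calibrate(anchor_low, anchor_high):
    """Solve log10(1 - HEP) = a*SLI + b from two (SLI, HEP) anchor points."""
    (s_lo, hep_lo), (s_hi, hep_hi) = anchor_low, anchor_high
    if s_lo == s_hi:
        raise ValueError("anchor actions must have different SLI values")
    if not (0 <= hep_lo < 1 and 0 <= hep_hi < 1):
        raise ValueError("anchor HEPs must lie in [0, 1)")
    y_lo, y_hi = math.log10(1 - hep_lo), math.log10(1 - hep_hi)
    a = (y_hi - y_lo) / (s_hi - s_lo)
    return a, y_lo - a * s_lo


def hep_from_sli(sli_value, a, b):
    """HEP_i = 1 - POS_i, with POS_i = 10 ** (a*SLI + b), capped at 1."""
    return 1.0 - min(1.0, 10 ** (a * sli_value + b))


def analyse(elicitation, anchor_heps):
    """Map each action to (mean SLI, HEP); anchors are the extreme-SLI actions."""
    slis = {action: mean_sli(judges) for action, judges in elicitation.items()}
    lo, hi = min(slis, key=slis.get), max(slis, key=slis.get)
    a, b = calibrate((slis[lo], anchor_heps[lo]), (slis[hi], anchor_heps[hi]))
    return {action: (s, hep_from_sli(s, a, b)) for action, s in slis.items()}


# Constructed elicitation data (not from the study): per action, one
# (weights, ratings) pair per judge, both on a 0-100 scale, in PSFS order.
ELICITATION = {
    "action_A": [((100, 50, 50, 100, 50, 50), (80, 60, 80, 80, 60, 80)),
                 ((50, 50, 50, 50, 50, 50), (90, 80, 90, 80, 90, 80))],
    "action_B": [((100, 50, 50, 100, 50, 50), (40, 40, 80, 40, 40, 80)),
                 ((50, 50, 50, 50, 50, 50), (50, 50, 50, 50, 50, 50))],
    "action_C": [((100, 50, 50, 100, 50, 50), (20, 20, 40, 20, 20, 40)),
                 ((50, 50, 50, 50, 50, 50), (10, 20, 10, 20, 10, 20))],
}
# Constructed anchor HEPs for the highest- and lowest-SLI actions.
ANCHOR_HEPS = {"action_A": 0.01, "action_C": 0.5}

if __name__ == "__main__":
    for action, (s, hep) in analyse(ELICITATION, ANCHOR_HEPS).items():
        print(f"{action}: SLI = {s:5.1f}  HEP = {hep:.4f}")
```

Because the relationship is linear in log(POS), an action midway in SLI between the two anchors gets a POS equal to the geometric mean of the anchor POS values, not the arithmetic mean of their HEPs.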
One perceived disadvantage of SLIM in terms of error reduction measures is the limited number of PSFs used. In DiMattia’s (2004) study, only 6 PSFs were used, which were deemed the most appropriate out of eleven potential PSFs. As noted in Kirwan et al. (1997), many ergonomists find such PSFs too gross of a measure to give meaning to the scenario. An example is given that an ergonomist may use 300 questions in an interface audit to evaluate an interface, which is reduced to a rating scale of 9 options in the PSF called ‘quality of interface’. Thus, while PSFs are designed in such a way to accommodate the HRA processes in terms of generating estimations of error rates, these PSFs may not be adequate identifiers of error reduction measures. However, if it can be shown that only one PSF can be used in a certain scenario to generate an accurate HEP, identifying that PSF for error reduction purposes may still be useful. This is discussed further in comparison of all three techniques.
An extension of SLIM called the multi-attribute utility decomposition (SLIM-MAUD) was developed by Embrey et al. (1984), based on their previous SLIM work, which attempts to address the issue of potentially more than one PSF accounting for a certain error probability. In the SLIM-MAUD framework a situation is presented with decision alternatives as described by the PSFs, which themselves cannot be optimized simultaneously. This allows for a quantification of importance of each PSF in the given multi-attribute decision problem which can then be compared to other PSFs. However, SLIM-MAUD is a very structured technique (Apostolakis et al., 1988), which is an undesirable attribute in HRA, and the treatment of weightings and ratings is internally inconsistent. The latter concern arises from the potential for alterations in probabilities with the introduction of a new task to a set, and the relative weighting of PSFs as opposed to a normalized weighting. HEPI, as applied with the SLIM framework has identical worst possible to best possible value scales for both weights and ratings (0 to 100) and therefore does not require an elicitation of an ideal PSF rating. Further, as mentioned above, HEPI employs an average PSF value for weightings and ratings from a group of judges, thus avoiding the standardization of PSF weights by equalizing their values.
In the study conducted by DiMattia (2004), the multi-stakeholder team of judges was used to develop weightings and ratings, where MAUD was avoided, but a pairwise comparison was used in its place. Other attempts to improve the predictive nature of SLIM prior to DiMattia’s work showed that both the team and pairwise strategies were important to the accuracy and efficiency of the application of a development index. Particularly, the use of a greater number of judges has been shown to improve the accuracy of the analytic value of averaged probability judgments (Apostolakis et al. 1998), reducing uncertainties and the level of conditional dependence, or joint work.
Nonetheless, the validation of model results is limited due to a lack of empirical data, and this has led to a large number of assessments focusing on the accuracy of the technique as opposed to its usability. Thus, it is important to note that SLIM has only been used, prior to the development of HEPI, for HRA within probabilistic risk assessments. With the application of HEPI, the hope is that its predictive strengths can more readily be used to reduce error (DiMattia, 2004). Further, it aims to address the gap between academic research and practical HRAs to contribute to error reduction recommendations.
Human Error Assessment and Reduction Technique (HEART)
The Human Error Assessment and Reduction Technique (HEART) is based on a screening process and reliability calculations which are formulated and extracted from the large number of human factors it considers. It does not have a formal procedure such as SLIM, but instead uses qualitative guidelines to identify sources, classes and strengths of human error. These are shown in Table 4-1 (Kirwan et al., 1988).
HEART uses only a single assessor, as opposed to a more diverse group of judges, significantly increasing the dependency of the result on a single individual. Based on the source or sources of unreliability that apply to the context, the assessor determines the strength of the effect and which factor (or unreliability) should be used in representing the change of a favourable condition to an unfavourable one. The extent of underperformance is predicted for each source of unreliability, based on a decided likely range of human unreliability for each task.
Table 0-1. HEART screening process guidelines
Sources of Human Unreliability | Principal Classes of Error | Strength of Effect
Impaired system knowledge | Substitution, Omission | Very great, especially if a model or stereotype is violated
Response Time | Omission, Substitution | Great, if system is unforgiving
Poor or ambiguous system feedback | Omission, Transposition | Strong
Significant judgment required of operator | Omission, Substitution, Multiple, Mixed | Measurable
Level of alertness resulting from duties, ill-health, or environment | Omission, Substitution, Transposition | Comparatively small
The technique uses human reliability values, or basic error probabilities that have been developed for the purpose of conducting an assessment of the likelihood of failure. The failure is associated with an error-producing condition (EPC), which is congruent with the concept of PSFs. The effect of this EPC is calculated by estimating the proportion that exists in the context and multiplying it by the basic task unreliability. Estimates of relative weights for EPCs are made (by the single assessor) and multiplied by the associated effect to give an assessed effect. The assessed effect is multiplied by the unreliability value to determine the probability of failure (POF) (Kirwan, 1996).
Thus, it uses a ‘database’ to allow the assessor to modify the data to make it more specific to the context using the PSFs relevant to that context. A similar technique is used by THERP, as described in the next section.
Specifically, the technique is broken down into five steps. The first step is to classify the tasks into one of the generic categories. However, some of the categories are mutually exclusive and could apply to a number of tasks, requiring the assessor to describe the task and classify it according to that description. While this does not take away from the purpose of the tool, to be a flexible, rapid and conservative quantification method, it does create uncertainties, or inconsistencies as assessors may describe, classify and thus categorize different tasks in different ways (Kirwan, 1996).
The nominal HEP must be assigned to each task. Once this is completed, the EPC for each task must be chosen based on assessor judgment, and using a table provided with the HEART technique. Each EPC has a maximum amount which the nominal amount can be multiplied by to find the associated ‘affect’. This factor is based on analysis of the human performance literature (Kirwan, 1996).
Subsequently, step four is to determine the ‘assessed proportion of affect’ (APOA) for each EPC, essentially the negative influence of each EPC on the task, as a proportion of the maximum affect. The maximum effect and the assessed proportion of affect are congruent to SLIM’s weighting and rating system. The proportion of the maximum is, however, assigned at the complete discretion of the assessor without any reference documents, introducing further inconsistencies to the HEART technique.
Calculating the task HEP is simple and straightforward, with the formula as follows:
HEP = SUM (EPC HEP)
where EPC HEP = ((Max Effect – 1)*Assessed Proportion of Affect) + 1.
The formula includes a mathematical ‘fix’ that prevents low-maximum-affect EPCs from creating a low overall HEP, thus decreasing it instead of increasing it (Kirwan, 1996).
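Added example (not from the report or the HEART documentation): the calculation described above in Python, including the ‘fix’ and a what-if ranking of EPCs for error reduction. It assumes the assessed effects are multiplied into the nominal HEP, following the description of the assessed effect being multiplied by the unreliability value; the EPC names, maximum effects, APOA values and nominal HEP are constructed for illustration.

```python
"""HEART task HEP calculation -- added illustration, not from the report."""
from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class EPC:
    """One error-producing condition as judged by the single assessor."""
    name: str
    max_effect: float  # maximum multiplier for this EPC (>= 1)
    apoa: float        # assessed proportion of affect, 0.0 .. 1.0

    def __post_init__(self):
        if self.max_effect < 1.0:
            raise ValueError(f"{self.name}: max effect must be >= 1")
        if not 0.0 <= self.apoa <= 1.0:
            raise ValueError(f"{self.name}: APOA must lie in [0, 1]")

    def assessed_effect(self) -> float:
        # ((Max Effect - 1) * APOA) + 1 is never below 1, so an EPC can only
        # raise the HEP, however small its maximum effect or its APOA.
        return (self.max_effect - 1.0) * self.apoa + 1.0

    def naive_effect(self) -> float:
        # Without the 'fix': Max Effect * APOA can fall below 1 and would
        # then lower the HEP for a condition that is meant to degrade it.
        return self.max_effect * self.apoa


def task_hep(nominal_hep: float, epcs: list) -> float:
    """Nominal HEP scaled by every assessed effect, capped at 1.0.

    Assumption (see lead-in): effects combine multiplicatively.
    """
    if not 0.0 < nominal_hep <= 1.0:
        raise ValueError("nominal HEP must lie in (0, 1]")
    return min(1.0, nominal_hep * prod(e.assessed_effect() for e in epcs))


def reduction_ranking(nominal_hep: float, epcs: list) -> list:
    """What-if: HEP reduction gained by removing each EPC, largest first."""
    base = task_hep(nominal_hep, epcs)
    gains = []
    for i, epc in enumerate(epcs):
        without = epcs[:i] + epcs[i + 1:]
        gains.append((epc.name, base - task_hep(nominal_hep, without)))
    return sorted(gains, key=lambda g: g[1], reverse=True)


# Constructed sample values (not taken from the HEART tables).
NOMINAL_HEP = 0.003
SAMPLE_EPCS = [
    EPC("time shortage", max_effect=11.0, apoa=0.4),
    EPC("poor system feedback", max_effect=4.0, apoa=0.5),
    EPC("low alertness", max_effect=1.2, apoa=0.25),
]

if __name__ == "__main__":
    for epc in SAMPLE_EPCS:
        print(f"{epc.name:22s} naive={epc.naive_effect():.2f} "
              f"assessed={epc.assessed_effect():.2f}")
    print("task HEP:", task_hep(NOMINAL_HEP, SAMPLE_EPCS))
    for name, gain in reduction_ranking(NOMINAL_HEP, SAMPLE_EPCS):
        print(f"removing {name!r} lowers the HEP by {gain:.6f}")
    # Over-use of EPCs quickly drives the result to the cap of 1.0.
    many = [EPC(f"epc{i}", 11.0, 1.0) for i in range(6)]
    print("six fully applied EPCs:", task_hep(NOMINAL_HEP, many))
```

The last case shows the pessimism that results when many EPCs are applied at once: the product saturates at 1.0 regardless of the nominal HEP.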
One of the main advantages of HEART is that it has a large number of human factors for use, providing flexibility and fast analysis. However, one of the fundamental disadvantages of the HEART technique is that with the main basis of error being errors of omission, there is little or no consideration of errors of commission, violations or tasks where slips may occur; thus, the utility in the context of HRA for emergency scenarios such as muster sequences is limited.
Furthermore, dependence between different factors is not considered in the HEART technique (DiMattia, 2004). There are a number of EPCs, or PSFs, to be chosen from in the technique and their over-utilization can create significantly pessimistic results. This often leads assessors to avoid the use of PSFs when in fact they may be very relevant to the task. In terms of error reduction, this can lead to an over emphasis of certain PSFs, and completely ignoring others (Kirwan et al., 1997), and subsequently to error reduction techniques that may not be effective. Kirwan et al. (1997) speculated that although EPCs were chosen with understanding by the assessors, filtering out erroneous EPCs (for the given application) would improve the consistency of the technique.
Technique for Human Error Rate Prediction (THERP)
THERP is a technique that is taxonomic in nature, using error taxonomy as a significant quantification tool – for example, using terms such as error of omission, wrong timing, wrong sequence, wrong action, in defining human error probability. Taxonomic approaches are experience based, using assessor experience with incident experience to develop the results, thus creating a context-specific and low-resource analysis (Kirwan, 1998). Overall, the THERP technique, like HEART, uses a human error database, with the modification of HEPs using PSFs and dependency consideration (Kirwan, 1996).
The THERP quantification process consists of six key elements. The first step is a decomposition of tasks into elements, using the taxonomic approach described above. What is important to note here is that, since each task may require a breakdown into a number of elements, different assessors will likely decompose tasks at different levels for more complex tasks. However, while most techniques require the assessor to judge the appropriate level of decomposition, the taxonomic approach is used here to make it more specific, and thus, more consistent.
The second step is the assignment of nominal HEPs (or basic HEP, BHEPs) to each element, using reference tables in the THERP handbook which have error descriptors, associated error probabilities and error factors. Supporting documentation is used with these tables to determine the nominal HEP for each task element. The technique provides structure, but is limited in this regard if there is not a descriptor for a particular task element (Kirwan et al., 1997).
The third step is the determination of effects of the PSF on each task, based on the qualitative analysis of the scenario and a list of PSFs the assessor is provided to apply to the scenario. The seriousness of the PSF on the scenario is decided by the assessor, and based on error factors given in the handbook. This step is therefore highly judgmental, as it is based on the assessor’s quantitative assessment and experience (Kirwan et al., 1997).
The fourth step is the calculation of effects of dependence between tasks. THERP uses a model with five different levels of dependence, which the assessor must pick based on their opinion of how the probability of a task is changed based on those tasks before and preceding it. The level of dependency that they choose can lead to different HEPs, while excluding it (which is also a choice of the assessor) from analysis altogether will have a large effect on the overall HEP (Kirwan et al., 1997).
The fifth and sixth steps are to model the data in a Human Reliability Analysis Event Tree, using Boolean algebra, and to quantify the total task HEP. Due to the straightforward and the quantitative nature of event trees, there is low potential for uncertainty to arise from this step (Kirwan et al., 1997). It offers the ability to model various sequences of actions, utilizing an interface with systems analysis techniques to identify tasks or errors which are most critical and have the greatest impact upon success or failure. However, it does not identify root causes or error reduction suggestions, thus limiting the flexibility required to do an effective muster HRA (DiMattia, 2004).
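Added example (not the report's or the THERP handbook's code): how the assessor's choice of dependence level in step four changes the total HEP of a small event tree, in Python. The five conditional-probability equations are the standard THERP handbook ones, which the report does not reproduce; the step names and BHEP values are constructed, and the steps are assumed independent of one another, with dependence applied only between a performer's error and the checker's failure to recover it.

```python
"""THERP dependence levels on a small HRA event tree -- added illustration."""
from enum import Enum


class Dependence(Enum):
    ZERO = "ZD"
    LOW = "LD"
    MODERATE = "MD"
    HIGH = "HD"
    COMPLETE = "CD"


def conditional_hep(bhep: float, level: Dependence) -> float:
    """P(this element fails | the preceding element failed)."""
    if not 0.0 <= bhep <= 1.0:
        raise ValueError("BHEP must lie in [0, 1]")
    if level is Dependence.ZERO:
        return bhep
    if level is Dependence.LOW:
        return (1.0 + 19.0 * bhep) / 20.0
    if level is Dependence.MODERATE:
        return (1.0 + 6.0 * bhep) / 7.0
    if level is Dependence.HIGH:
        return (1.0 + bhep) / 2.0
    return 1.0  # complete dependence: the second failure is certain


def unrecovered_error(performer_bhep: float, checker_bhep: float,
                      level: Dependence) -> float:
    """Failure branch of one step: performer errs AND checker misses it."""
    return performer_bhep * conditional_hep(checker_bhep, level)


def event_tree_hep(steps: list, level: Dependence) -> float:
    """Total task HEP: the task fails if any step ends on its failure branch."""
    p_success = 1.0
    for _name, performer_bhep, checker_bhep in steps:
        p_success *= 1.0 - unrecovered_error(performer_bhep, checker_bhep, level)
    return 1.0 - p_success


def hep_by_level(steps: list) -> dict:
    """Total HEP under each of the five dependence levels."""
    return {lvl.value: event_tree_hep(steps, lvl) for lvl in Dependence}


# Constructed sample: (step name, performer BHEP, checker BHEP).
SAMPLE_STEPS = [
    ("acknowledge alarm", 0.003, 0.1),
    ("proceed to muster point", 0.01, 0.1),
]

if __name__ == "__main__":
    for code, hep in hep_by_level(SAMPLE_STEPS).items():
        print(f"{code}: total task HEP = {hep:.7f}")
```

With these constructed values, leaving dependence out (ZD) gives a total HEP roughly five times lower than assuming high dependence between performer and checker.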
Overall, the technique is very easy to use but there are a few drawbacks to using this technique. While THERP is designed to use dependency and event tree modeling, the assessor decides when to include them to develop model results, or otherwise when it is appropriate to use their own experience. In the validation study conducted by Kirwan (1997), results showed that the 10 assessors involved made limited use of both dependency and event trees, which showed that the accuracy of the technique is lower due to the fact that THERP was not applied normatively in the experiment.
The actual modeling component of THERP has been found to be inconsistent, not due to the usage of BHEPs, as these tend to be generally similar, but due to the assigning of error factors (Kirwan, 1997). This and the previous drawback show that THERP as a model is very dependent on the assessor and therefore has questionable repeatability and accuracy.
Another disadvantage to the THERP technique is that it is not cognitive in nature, although there have been extensions of the THERP event tree model, for example COMET and COGNET that deal more extensively with cognitive behavior as well as other types of behavior.
Comparison
From the Kirwan three-part series paper (Kirwan, 1996 and 1997; Kirwan et al. 1997), THERP and HEART were found to be valid techniques, with reasonable levels of accuracy for most tasks. There were, however, inconsistencies in the way in which judges used the techniques, while some tasks were altogether poorly assessed by most judges. This alludes to a low capability of judges to assess the relevant tasks using the techniques. Also, calibration of the techniques was poor, in that assessors did not know when they were being accurate or inaccurate, which was thought to be caused by a lack of access to real data and a lack of feedback in validating the models.
Furthermore, due to the fact that one assessor must complete the validation for each model, there were questions as to whether the assessors had a greater impact on the performance results than the techniques themselves. Kirwan (1997) postulated that it may be useful, especially for the HEART technique, to provide examples of how to use the technique for assessors, since there is no training module and the technique is open to individual interpretation. While this could present a certain bias, this would also improve the consistency of the technique and reduce the effect of the assessor on the performance results. In the current project, providing these types of examples could also be useful for improving the understanding of design decision makers, if HRA is to be used in reducing human error through changes in offshore design, or of employees who are participants of emergency scenarios and are the culprits of human error and safety managers, if HRA is to be used for making changes in management and emergency procedures.
Identification of outliers in the THERP and HEART techniques showed that there were specific weaknesses regarding tasks involving low probabilities such as administrative controls, and tasks involving errors of commission. The Kirwan (1997) study suggested that further quantification is needed on these error types, but that in the short term, such quantification can be dealt with by the SLIM technique.
As noted in the introduction of this report, PSFs are an effective tool to identify error rates in situations with common features. However, Kirwan (1997) concluded that this does not extend to their utility as error reduction measures. The use of PSFs, while important in describing potential error scenarios, was found to create indefinable error reduction techniques due to the fact that using more than one different PSF could result in the same final HEP. While SLIM was not part of this validation study, the use of PSFs in the technique provides the same potential inconsistency.
The more PSFs that are used, the more complex the quantification becomes. Specifically if SLIM-MAUD is being used, the comparison of PSF importance becomes impractical unless quantification is computerized, in which case empirical data should be used for validation of results. However, most SLIM applications have not used any more than 8 PSFs, while the procedure to be used with the current project (DiMattia, 2004) only used a set of 6 in order to prevent an unwieldy procedure, thus avoiding the potential inconsistency. Further, the pairwise comparison is used in the technique to more directly address this issue.
Kirwan (1997) postulates that other parts of the HRA approach are better suited for error reduction purposes including task analysis and error identification. The SLIM technique does use tabular hierarchical task analysis to present error modes, causal factors and risk mitigation measures for subsequent risk reduction measures, allowing for the integration of human error into a detailed emergency analysis. This gives the user the ability to use a what-if approach to analyze a number of emergency sequences quite efficiently, by understanding how error probabilities change with different conditions (DiMattia, 2004). The strengthening of root cause analysis is one aspect that is beyond the scope of this report, but will be an important component in the development of the deliverables for the current project.
Table 0-1. Comparison of THERP, HEART and SLIM as QRA techniques.
Criteria | THERP | HEART | SLIM
Accuracy | M | M | M
Validity | M | M/H | M/H
Usefulness | M | H | H
Effective Use of Resources | L/M | H | M
A comparative summary of the three techniques is shown in Table 6-1, which was adapted from Kirwan et al. (1988) in a study that compared them according to the criteria listed. The criteria and evaluation were based on general model performance factors, but the context of human error was more focused on nuclear power plants. The issues discussed throughout the report articulate the reasons for the results shown in Table 6-1 both in general and for the specific emergency muster context. SLIM performs as well or better than THERP and HEART in all criteria with the exception of the effective use of resources. This is likely due to the fact that a number of judges are used to develop the final results, which takes time and money.
Conclusions
All three QRA techniques are expert judgment techniques, developed and utilized as such due to the continual lack of available human error data. While validation and accuracy of the techniques would ideally rely on such data, these techniques attempt to calibrate and simulate human error based on the core principles of human error and contextual environmental conditions. Each uses a slightly different methodology, producing results that can be interpreted and used for the reduction of error based on the way that error producing conditions are identified.
While most research conducted thus far focuses on the accuracy and less on the validation of SLIM, the comparative research conducted and presented in this report shows that SLIM is the most appropriate and useful method for the purposes of the current project. Using a limited number of PSFs, the accuracy is increased by avoiding dependence or conditionality of PSFs through pairwise comparison. If deemed necessary SLIM-MAUD can be employed to compare the importance of each PSF for a similar purpose. Furthermore, the reduced number of PSFs in SLIM, as compared to HEART or THERP, allows for a more concrete and clear identification of appropriate error reduction measures, as single PSFs can be identified for specific errors.
Nonetheless, due to the number of tasks, subtasks and task steps incorporated into each PSF, SLIM can be applied to a number of different scenarios and tasks at any level of detail, allowing for its use in various emergency scenarios.
The number of judges used for SLIM also evidently increases the accuracy of results. When there is a level of conditionality between judges the accuracy of results diminishes; thus, by ensuring there is a low conditional dependence between judges (i.e., they are from different backgrounds and have different experience, but have a good understanding of the given scenarios and the technique itself) and a large number of judges, as was done in the study by DiMattia (2004), the highest possible accuracy is attained. This is compared to the THERP and HEART techniques where one assessor defines all HEPs and PSFs and thus gives variable results.
Furthermore, in the case of THERP the assessor is given the choice of including dependency and event tree analysis or instead using his or her own experience. This will either reduce or vary the accuracy of the technique, and reduce the ability to use it in error reduction measures. On the issue of error reduction measures, SLIM uses both hierarchical task analysis and event tree modeling which both lend well to identifying error reduction measures and using a what-if approach to identify different error probabilities in different scenarios.
While the research conducted on all three techniques identifies avenues for improvement, improvements can only be truly substantiated with the collection of real data for the scenarios, or emergency sequences, being modeled. Thus, while this report shows that SLIM is the most appropriate model to use for the purposes of identifying and reducing human error during emergency scenarios on offshore oil and gas platforms, industry must begin to play a role in the recording and collection of data in order to better understand how the techniques truly perform. However, in doing so, the organization itself must recognize that human error is not just a matter of personal performance, but extends to the organizational management. In using the results of such models, the organization can improve on their managerial practices. By integrating more education for an understanding of human error at various levels of the organization, they will in turn be contributing to an enhanced working environment for their employees and assets.
References
Apostolakis, G.E., Bier, V.M. and Mosleh, A. (1988). A critique of recent models for human error rate assessments. Reliability Engineering and System Safety, vol. 22, pp. 1-217.
DiMattia, D.G. (2004). Human error probability index for offshore platform musters. PhD Thesis, Dalhousie University, Halifax, N.S.
DiMattia, D., Khan, F.I., and Amyotte, P.R. (2005). Determination of human error probabilities for offshore platform musters. Journal of Loss Prevention in the Process Industries, vol. 18, pp. 488-501.
Embrey, D.E., Humphreys, P.C., Rosa, E.A., Kirwan, B. and Rea K. (1984). SLIM-MAUD: An approach to assessing human error Probabilities using structured expert judgment, Report No. NUREG/CR-3518 (BNL-NUREG-51716), Department of Nuclear Energy, Brookhaven National Laboratory, Upton, New York.
Kirwan, B. (1996). The validation of three human error reliability quantification techniques – THERP, HEART and JHEDI: Part 1 – technique descriptions and validation issues. Applied Ergonomics, vol. 27, pp. 359-373.
Kirwan, B. (1997). The validation of three human error reliability quantification techniques – THERP, HEART and JHEDI: Part III – practical aspects of the usage of the techniques. Applied Ergonomics, vol. 28, pp. 27-39.
Kirwan, B. (1998). Human error identification techniques for risk assessment of high risk systems – part 1: review and evaluation of techniques. Applied Ergonomics, vol. 29, no. 3, pp. 157-177.
Kirwan, B., Embrey, D.E., and Rea, K. (1988). Human reliability assessors guide, Report No. RTS 88/95Q, Safety and Reliability Directorate, Culcheth, Warrington, England.
Kirwan, B., Kennedy, R., Taylor-Adams, S., and Lambert, B. (1997). The validation of three human error reliability quantification techniques – THERP, HEART and JHEDI: Part II – results of validation exercise. Applied Ergonomics, vol. 28, pp. 17-25.
Lorenzo, D.K. (1990). A guide to reducing human errors, improving human performance in the chemical industry. The Chemical Manufacturers’ Association, Inc., Washington, DC.
Appendix 3
Human Error Data Availability Report
Sources of Human Error Data and Industry Cooperation
Report for the Petroleum Research Atlantic Canada (PRAC) Project on
Human Factor Design Issues Relating to Individual Behaviour in Emergency Situations
Angela Alambets
Department of Process Engineering and Applied Science
Dalhousie University
Halifax, Nova Scotia
April 2008
Introduction
There has been extensive research conducted on the use of various QRA techniques for estimating human error probabilities (HEPs). The ultimate objective of these techniques is to reduce human error causation and escalation of loss causing incidents. They often rely on expert judgement in various stages of the model development process, or on a single assessor to systematically alter data from a database. These databases may contain both real data from industry and data formulated by the technique developer (Kirwan, 1996), producing probabilities that can be somewhat subjective in nature.
The Success Likelihood Index Method (SLIM), which has been identified as the most appropriate technique for the current study, requires real data for calibration. Further, it uses data developed from a team of judges to calculate the probability of success of various offshore platform emergency scenario actions. By using a large team of judges, as opposed to a single assessor, the technique aims to reduce the subjectivity and increase its accuracy (DiMattia, 2004). Nonetheless, validation studies on this technique allude to insufficient evidence of the technique’s predictive accuracy and consistency (Kirwan, 1996). This reduces the ability of the technique to achieve its ultimate objective, which has led to the need for validation using real human error data; however, this has not been possible due to a lack of such data. While SLIM performs well compared to similar human reliability assessment (HRA) techniques, empirical validation is necessary to truly confirm its accuracy, calling for industry cooperation in the collection and use of real data.
In addition to validation issues, the collection of industry-incident based data can be used to inform the development of HRA techniques, and to better understand and assess risks associated with human error. Developers and assessors of current techniques also do not have feedback on model results, reducing the ability to continually increase preciseness (Kirwan, 1996).
There have been attempts to address the need for industry generated data, including the development of the Worldwide Offshore Accident Databank (WOAD), the Computerised Operators Reliability and Error Data Base (CORE-DATA) and other projects sponsored by the UK Health and Safety Executive (HSE). This report provides a brief examination of these sources for use in the current project, and presents the need for industry cooperation and possible avenues of facilitating that cooperation.
WOAD
WOAD is a database with worldwide accident data exclusively from the public domain, collected from the years 1970 to 2003 by Det Norske Veritas Inc., its creator. The database was set up for input via accident forms, which are presented as tables for user interpretation. The accident forms ask for details regarding the cause of the accident, the specific situation and the consequences. For more details regarding the accident forms, the reader is referred to a report by David Bligh, entitled ‘Review of the WOAD as a Quantitative Safety Assessment Tool’ (2007).
A number of limitations to this accident data source were outlined in the report by Bligh (2007). Firstly, it should not be taken as a complete representation of the accidents that have occurred in the offshore industry, as there are geographical areas where accident information is controlled and kept confidential, and there are inconsistencies in reporting standards between countries. Secondly, due to the structure of the accident reporting form, there may be confusion in determining the root cause of the accident. Specifically, the ‘main event’ may be chosen as the event which initiates a more serious chain of events, the event which occurs last, or the event which causes the most damage. Further, a dropdown list is provided to identify the main event and the event chain, which includes fires, explosions, falling loads, loss of buoyancy, collisions, and machinery failure. Since it is unclear how these events could be related to human error, this data may not be useful for the current project. The accident report form does have an ‘accident cause’ section where the option between human and equipment cause is given, although there is no apparent space for a more detailed description. Thirdly, where the SLIM technique uses six different performance shaping factors (PSFs) as environmental conditions influencing human error probabilities, the WOAD identifies some of these as equipment. For example, the sea and weather are classified as pieces of equipment (Bligh, 2007). Therefore, an analysis on human cause should not neglect equipment causes, where equipment is defined as such, since this may potentially be helpful in determining its influence on the event chain. It would, however, be difficult to find the correlation with human error in this case since the accident is defined as an ‘Equipment Cause’.
Regardless of these limitations, for the current project the WOAD should be examined for the frequency of ‘Human Cause’ as opposed to ‘Equipment Cause’. Where human cause is identified, attempts to find correlations with the event chain may be beneficial. Caution should be taken when conducting any such analysis or when making overarching conclusions.
HSE, CORE-DATA
There has been some effort to develop human error databases since the theoretical aspects of human error have become documented and more understood. One of these efforts is the development of the Computer Operator Reliability and Error Database (CORE-DATA), an outcome of a three year project headed by the University of Birmingham which aimed to provide the human reliability community with a usable, accurate and validated databank (Basra et al., 1998). This databank includes approximately 250 human error data points accompanied by qualitative data, as well as 1000 data points in hard copy.
The extent of relevancy to the current project is unknown. While some data points, like those related to permit-to-work, may be less useful, data points on drilling operations or control room issues may be pertinent. Thus, the data taken from this source for the current project will be at the discretion of the research team. It is also unclear whether the data points in CORE-DATA are all presented as HEPs or in some other form, and whether the qualitative data includes raw incident data. One study by Kirwan (1996) noted that databases like CORE-DATA are not yet ready to be used to quantify HEPs for probabilistic safety assessment (PSA) purposes but that the inventory of data would still be useful for validation purposes. Investigation will be required on this issue.
The UK HSE has been a large affiliate and contributor to CORE-DATA. A report by the HSE on the collection of offshore human error data for offshore drilling operations outlines different data collection methods and the development of input to CORE-DATA (Basra et al., 1998). This HSE project developed 18 different HEPs by collecting data from observations at drilling rigs, training centers and simulators, as well as from accident reports and, notably, expert judgement. Results showed that HEPs could not always be developed from observations of real scenarios and the use of accident reports was often low. The data collected was modified by different PSFs which were outlined in the report (Basra et al., 1998).
Some aspects of the expert judgement technique used for the HSE study were similar in nature to SLIM. For example a team of judges conducted a pairwise comparison, and an analysis was conducted on the level of conditionality and consistency in the results. Due to different issues concerning the use of PSFs, as well as potential inaccuracy or inconsistency of expert judgement techniques used in HSE studies, care should still be exercised in determining which data points from CORE-DATA are used for the current project, based on the way in which they were developed. Nonetheless, this may be the best source for real human error data as of yet.
Industry Co-operation
While efforts have been made by external research bodies to collect relevant human error data to inform HRA techniques, there has been no documented evidence that industry has taken initiative to reduce human error, specifically in terms of collecting relevant data for similar needs. There are a number of ways that industry can contribute to the development of the HRA field, as follows:
Recognize that human error is not solely the result of individual error, but that it is the responsibility of management to incorporate human error education and mitigation into existing safety programs;
Collect relevant human error data during emergency scenarios – both drills and real-time;
Incorporate human error identification into incident investigations; and
Develop a database, or a new component to existing databases, for the continual collection of human error data to make more informed design considerations and decisions regarding employee training.
As part of the current project, the research team must be clear on the objectives developed for industry co-operation. The ultimate goal of the project is to contribute to the reduction of human error on offshore oil and gas platforms – which, in line with the first point above, may take the form of developing new components of safety programs such as education and training of department managers and staff, and changes to technical designs. In order for industry to effectively contribute to the current project it may, however, be necessary to have a greater focus on the latter three points, although the first point could be seen as a precursor to these. The latter three points will now be discussed individually and conclusions made on potential project strategy regarding data collection.
1.1 Data collection from observation of emergency scenarios
The observation of real scenarios would be the most valuable component of a data collection program, as it provides real data for HEP development. For the HSE study, there was a 5 step methodology, which began with a hierarchical task analysis (HTA) of the specified event, and identified all of the possible human error modes for that task (Basra et al., 1998). This was necessary in order to know what types of tasks to observe and errors to look for. The HTA was developed and modified by visiting a small on-shore rig, with observations and discussions with personnel. Where emergency scenarios are concerned, the construction of an HTA would already have been conducted for the use of the human error probability index (HEPI) and SLIM. Thus, if observation is deemed a priority for the current project, the tasks outlined in the SLIM framework would be a reference.
Observations of actual events tend to be difficult due to potentially low frequencies of events, and when they do occur, potentially low frequencies of human error. This was experienced in the HSE study (Basra et al., 1998), where a three day observation period of tripping in and tripping out (drill-floor activities) yielded no errors observed. Where such circumstances arise, it was recommended that investigation of human error would be more effective through accident reporting, training simulators and expert judgement techniques. The use of simulators can, however, make HEP determination difficult because stress and weather related PSFs cannot be considered in the analysis and must be dealt with in a different manner. Where uncertainty is prevalent, a statistical analysis should be conducted (Basra et al., 1998).
Although there are difficulties in this collection method, it should be emphasized that the co-operation of industry to allow observers to come in for these purposes would be invaluable for providing real data to the human reliability community. More importantly, due to the topic of the current project, namely human error during emergency scenarios, conducting these types of observations can be made very easy by visiting off-shore rigs on days when emergency drills are planned.
While observations are typically conducted by the human error research team, based on their level of understanding of the relevant material, an alternative may be to have personnel in management positions continually conduct the observations during drills. This would require training to ensure proper recording. However, due to the repetitive nature of emergency scenario drills, it may have substantial long-term benefits in terms of the collection of current data to provide the human error community.
1.2 Data collection from accident investigations and interviews
Accident and incident investigations are often looked to for data collection and analysis of different causation, event chain factors, and consequences, not exclusive to human error data. This data can be extremely helpful in correlating data and identifying trends, which can ultimately allow for more effective mitigation measures. Although the usefulness of WOAD is left for further interpretation, it has been used effectively to identify trends relating to different error types (Bligh, 2007), which can be used to contribute to enhanced industry awareness to ultimately develop prevention and mitigation techniques for the specific errors.
This type of quantitative analysis on human error would be invaluable to the human error research community. However, as of yet, there has been much difficulty in finding the necessary information due to poor accident reporting structure or simply a lack of emphasis and importance on the role of human error. If these issues were addressed, accident and incident investigations could allow for quantitative analysis.
Industry cooperation would be required in the form of ensuring completion of accident report and incident investigation forms and conducting interviews with all employees involved to question them about their role in the incident and other relevant human error related issues. This could also be conducted with individuals as part of de-briefings after emergency drills have been completed. While the reduction of human error is not meant to be part of data collection, in the long run a training program for all employees could allow employees to record their own errors during a debriefing; this would achieve the collection of data and enhanced awareness about what affects the way they perform their tasks. Thus, employees would take more control over reducing error in performing different tasks.
The development of new reporting formats and proper interview questions, based on the employee position and incident scenario, precedes their proper use in industry. However, it is the opinion of the author that commitment by industry to use these tools in the appropriate way is absolutely necessary before project resources are spent to develop them.
1.3 Human error database development
The use of information technology, in terms of data collection and dissemination, has been used on offshore platforms for different purposes. While the purposes are unknown to the author, if an accident or safety database does exist, an additional component of human error data collection would be a valuable addition. This would be used to more easily input and disseminate data collected from accident forms and incident investigations for quantitative analysis. It would likely resemble the framework of the human error component of the accident form or incident investigation, thus its development could be integrated with these tools. In addition to providing data for the human error research community, this type of database could be used by the company to show good employee relations, and health and safety for prospective employees.
Conclusions
Existing sources of human error data were presented in this report which could inform the current project. However, as discussed, there are limitations to each of these resources which are similar to limitations seen throughout the human error literature. The lack of real data for HRA techniques will only effectively be addressed if industry takes an active role in the collection of real data during emergency scenarios. This can take the form of observations from external or internal personnel, the revamping of current accident reporting and incident investigation strategies and documents, and the development of a database to more efficiently collect and disseminate this information. Most importantly, individuals in management positions must understand that employees are not solely responsible for errors that occur. Human error will continue to play a causative role in accidents and risk (Kirwan, 1998). Thus, management must take responsibility for incorporating human error mitigation measures into the workplace if accidents caused or enhanced by human error are to be reduced.
The way in which accident forms and incident investigations are changed will depend on goals developed by the research team; data could be collected using human errors identified in the HTA for SLIM or include errors not addressed in the technique to attempt to gain a better understanding of them. Nonetheless, distinctions must be made on the objectives of data collection. They could take the form of a more educational program, by training offshore personnel on human error to develop a more participatory data collection approach which could potentially influence a reduction in human error from the onset of data collection; or they could be kept independent of employee work for a more representative data set for the validation and development of HRA techniques. Whatever the objective, it is important that industry is available and willing to cooperate, in order to ensure improved accuracy of HRA techniques that will ultimately benefit the industry and its employees.
References
Bligh, David. (2007). Review of the WOAD as a Quantitative Safety Assessment Tool. Process Engineering Department, Dalhousie University. Halifax, N.S.
DiMattia, D.G. (2004). Human error probability index for offshore platform musters. PhD Thesis. Dalhousie University, Halifax, N.S.
Kirwan, B. (1996). The validation of three human error reliability quantification techniques – THERP, HEART and JHEDI: Part 1 – technique descriptions and validation issues. Applied Ergonomics, vol. 27, pp. 359-373.
Kirwan, B. (1998). Human error identification techniques for risk assessment of high risk systems – part 1: review and evaluation of techniques. Applied Ergonomics, vol. 29, 3, pp. 157-177.
Basra, G., Gibson, H., and Kirwan, B. (1998). Offshore technology report - OTO 98 121. Collection of offshore human error probability data. Phase 2, Volume 1. Offshore drilling data. Health and Safety Executive.
Appendix 4
Report on WOAD
World Offshore Accident Database
Kelli McGean
Chemical Engineering Co-op Student
Dalhousie University
Summer Work Term
August 2008
Summary
This report deals with the World Offshore Accident Database (WOAD) and the applicability of its data for human error studies, especially in the current Human Error Probability Index (HEPI) project. The HEPI project deals with the probability of human error during offshore emergency muster scenarios. This project is the work of a research group based at Dalhousie University in Halifax, Nova Scotia and Memorial University in St. John’s, Newfoundland.
The human error data available in the WOAD was extracted and analyzed for its use both for the current project and any further projects.
It was concluded that the WOAD is not a particularly useful source of data for the current HEPI project, but may be more applicable to further projects if they focus on the original accident cause.
It is recommended that other sources of human error data be investigated for the HEPI project, and that further projects that intend to use the WOAD as a source of data should focus on human error as the initial accident cause.
1.0 Introduction
There are numerous serious safety concerns in the offshore oil and gas industry. This is due to many
factors, including harsh marine weather, secluded locations, and volatile petrochemical products. Because
of the risks associated with these factors, many precautions must be taken in order to ensure the safety of
the crew as well as to minimize the damage done to equipment and the environment. However, even
though many precautions are taken, accidents do occur. Each accident that occurs reminds us that the
safety procedures in the offshore industry need to be constantly examined and revised in order to
minimize the risk of future accidents.
One danger in the offshore industry is that humans make mistakes. Due to the harsh work
environment, the consequences of these mistakes can often be more severe than in other industries. These
mistakes can be referred to as “human errors”. Often, these human errors can lead to accidents with
consequences of varying severity. Currently, there is work being done to account for the likelihood of
human error in offshore scenarios in order to prevent further errors and to minimize the consequences
when accidents due to human error do occur.
1.1 Background and Previous Work
The current project, funded by Petroleum Research Atlantic Canada and with researchers at both
Dalhousie and Memorial universities, aims to quantitatively determine the impact of human error during
emergency situations on an offshore facility. This impact is currently being examined in two ways: both
from a probability and a consequence perspective. “Human error”, for the purposes of this report, can be
defined as any human actions that exceed or fail some limit of acceptability (DiMattia et al., 2005). Once
this limit is exceeded, an accident occurs. Human error is influenced by performance shaping factors
(PSFs) which can include the characteristics and complexity of the task, the surrounding environment,
and the operator characteristics (Alambets, 2008).
Work previously completed on the project includes the development of a new method that may be
used to determine the probability of human error in offshore platform musters. The following section
gives a brief summary of the method. For more information, the reader may review the following papers:
“HEPI: A new tool for human error probability calculation of offshore operation” (Khan et al., 2006) and
“Determination of human error probabilities for offshore platform musters” (DiMattia et al., 2005).
1.1.1 HEPI and SLIM
Much of the previous work was completed as a PhD thesis by Dr. Dean DiMattia. His thesis
developed a new HEPI (Human Error Probability Index) based on the SLIM (Success Likelihood Index
Methodology) approach. This project aimed to develop a new human reliability assessment (HRA) tool
that could calculate Human Error Probabilities (HEPs) during offshore platform musters. With the
development of this new HRA tool, it was hoped that industry could better incorporate human factor
considerations into emergency quantitative risk assessments (QRA) and use them for design
modifications and safety measure design.
SLIM is an expert judgment technique in which PSFs are weighted and rated to estimate the
human error probability. It employs a panel of expert judges
who attempt to give subjective opinions in an objective manner. For Dr. DiMattia’s work, the expert
judges answered questions about three possible offshore emergency scenarios: man overboard, gas
release, and fire and explosion. The study also broke down an offshore platform muster into a series of
steps that were independent of the muster initiator. Using the data collected from the judges, Dr. DiMattia
determined possible HEPs for each separate muster step during the three different emergency scenarios.
For a more in depth overview of the methodology, please see the previously cited papers.
1.2 Purpose
Validation studies on SLIM reveal insufficient evidence of its predictive accuracy and
consistency (Kirwan, 1996). Because of this, the method must be validated with real human error data.
Human error data is not widely available, and the few sources for this type of data have a variety of issues
that may make the data unreliable, as was determined in a report written for the research group, “Sources
for Human Error Data and Industry Cooperation” (Alambets, 2008). One purpose of this report is to
review a possible source of data, the World Offshore Accident Databank (WOAD), for its suitability as a
source of data for the current SLIM work.
Another purpose of this report is to give an overview of the human error related data available in
the WOAD so it may be applied to any further projects with ease.
2.0 WOAD – The World Offshore Accident Database
The World Offshore Accident Databank (WOAD) is a collection of data pertaining to accidents that
occurred in the offshore oil and gas industry between 1970 and 2005. Compiled by Det Norske Veritas
Inc, all of the data presented in the WOAD was collected from publicly available resources. In order to
create the WOAD, technicians reviewed all publicly available accident reports and classified each
incident in a number of predetermined categories.
For this particular report, WOAD 5.1 was used. This version of the WOAD, released in 2008, is the
most current of the databases and contains 5162 accident reports. Previous studies that were conducted for
this research group, particularly “Review of the WOAD as a Quantitative Safety Assessment Tool”
(Bligh, 2007) and “Sources of Human Error Data and Industry Cooperation” (Alambets, 2008) may show
slightly different results than those of this report due to the fact that the authors were using an older
version of the WOAD. “Review of the WOAD as a Quantitative Safety Assessment Tool” may also serve as an excellent
reference to the reader for general information about WOAD’s functions and capabilities.
2.1 WOAD accident forms and organization
The WOAD is organized in searchable tables known as accident forms. The accident form provides
numerous drop-down lists in which a specific incident may be described. These lists span many
predetermined categories, and can specify the accident cause, damages incurred, the event chain of the
accident, and injuries or fatalities that occurred as a result of the accident. Using a filter that is built into
the software, the user can specify any combination of required criteria for a particular accident and the
WOAD will display only those accidents which fit the criteria.
The WOAD accident forms also contain an area for free text, where the accident may be explained in
more detail. This text often offers the best description of an accident, giving specifics that cannot be
adequately explained using just the predetermined drop-down lists. Unfortunately, the WOAD does not
let the user effectively search this free text.
2.2 Previously determined problems with WOAD data
The WOAD is by no means a comprehensive database of all accidents that have occurred in the
offshore oil and gas industry. Because most of the reports in the WOAD database occurred in the Gulf of
Mexico or the North Sea, there are many geographical areas (such as the Caspian Sea and Southeast Asia)
that are underrepresented. There are no accidents reported from the People’s Republic of China at all. The
underrepresentation of these areas is due to a lack of publicly available information in those parts of the
world (Bligh, 2007).
There is also lack of consistency for accident reporting standards between countries. Because of this,
the detail of the accident forms varies greatly. For those accidents with minimal detail, it is often difficult
to categorize them properly, which makes them less useful for both research and industry purposes.
3.0 The WOAD and Human Error Data
As was previously mentioned, the occurrence of human error can only be specified in one part of the
WOAD accident form, in the accident cause section. The following sections deal with accidents where the
WOAD technician chose to indicate that the accident may have been caused by human error. The effect of
human error is examined with regards to accident cause, type, and severity. As well, this human error data
is examined for applicability to the SLIM and HEPI work.
3.1 Human Error and Accident Cause
When an accident form in the WOAD is completed, the technician may choose to specify the root
cause of the accident. In the WOAD, there are two main categories for accident causes – one is “Human
Cause”, while the other is “Equipment Cause”. Other than the free text section, this “Human Cause” drop-
down list is the only area in the WOAD where human factors are mentioned. In the WOAD, the
technician has the option of indicating a human cause or an equipment cause for any accident. The
technician may also select both a human and equipment cause simultaneously if the cause of the accident
is more complex, or choose to not indicate a cause if there is no relevant information available.
3.1.1 Accidents caused by human error
In order to begin the evaluation of the WOAD for the current project’s purposes, the accidents
indicated as having a “human cause” were first examined. Of the 5162 accident reports available in the
WOAD, 860 reports fall into the “human cause” category. There are seven subsets of this category,
including Unsafe Procedure, Unsafe Act/No Procedure, Improper Design, Third Party Error, Act of War,
Sabotage, and Other. Table 3.1 shows the number of accident reports in each category.
Table 3.1 Number of Accidents Per Category of Human Error
| Human Error | Number of Accidents | % of total accidents |
|---|---|---|
| Unsafe Act/No Procedure | 378 | 44.0 |
| Unsafe Procedure | 318 | 37.0 |
| 3rd Party Error | 82 | 9.5 |
| Improper Design | 66 | 7.7 |
| Act of War | 7 | 0.8 |
| Other | 6 | 0.7 |
| Sabotage | 3 | 0.3 |
| Total | 860 | |
It is obvious from this table that the most commonly indicated human cause for an accident is
either “Unsafe Acts/No Procedure” or “Unsafe Procedure”, at 44% and 37% of total human error
accidents respectively. In the WOAD, “Unsafe Act/No Procedure” is usually an accident that occurs due
to human error when there is no safety procedure for that particular task already in place. Those accidents
specified to have occurred due to an “Unsafe Procedure”, however, usually occur due to a crew member
not following a previously established safety procedure.
Other moderately common human causes are “3rd Party Errors” (9.5%) and Improper Design
(7.7%). “Third Party Errors” are usually accidents caused when an error is made by the crew of another
vessel, be it a boat or helicopter. These accidents often involve collisions between the offshore unit and
another vessel. Cases of “Improper Design” stem from accidents that are caused due to human error in the
design process. The remaining three categories make up less than 1% each of the total number of human
error accidents and do not have enough description in the WOAD archive to fully understand why they
were indicated as such.
3.1.2 Accidents caused by equipment error
Of the accident reports in the WOAD, 2828 have an indicated equipment cause. This represents
54.8% of total accidents reported in the WOAD. However, equipment error is not the focus of this report
and will not be discussed in detail.
3.1.3 Accidents that have no indicated cause
Sections 3.1.1 and 3.1.2 discussed accidents that have an indicated human or equipment error
cause. While the majority of accidents in the WOAD have an indicated cause, there are 1475 accidents
that do not. This is over 28 percent of accidents in the WOAD database.
There are many reasons that these accidents may not have a specified cause. The most probable
reason is that the information wasn’t available to the WOAD technician when creating the particular
accident form. Because the WOAD is compiled only from publicly available resources, the detail of the
data is often not enough to properly indicate what the root cause may be. Other reasons for the cause to
not be indicated are the possibility that the cause was never discovered during the initial accident
investigation, or that the company chose not to indicate a cause in order to avoid placing blame on a
specific person or object. In any case, because over 28% of our data does not have an indicated accident
cause, the usable data becomes less reliable as it is not a full representation of all accidents in the WOAD.
Due to this fact, caution should be exercised when using any of this data as the margin of error is
exaggerated.
3.1.4 Accidents with both a human and equipment cause
As was previously mentioned, it is also possible for a WOAD technician to specify both human
and equipment causes for any particular accident. In the WOAD archive, 381 accidents are specified as
having both a human and an equipment cause. Because human error probabilities can be affected by
factors such as weather, time of day, and stress, it may be useful to examine the data to determine if there
is any link between certain human causes and equipment causes. Table 3.2 displays the number of
accidents that have both human and equipment causes. Only those situations where both a human and an
equipment cause are indicated are represented.
Table 3.2 Frequency of Accidents with combination of Equipment and Human Error Cause
Equipment Cause | Unsafe Act/No Procedure | unsafe procedure | 3rd party error | improper design | other
3rd Party Equipment Failure 1 3
electric equipment malfunction 1 1 1
equipment malfunction 60 50 1 31 3
exceeded design criteria 1 1
foundation problem 4
ignition by heat/exhaust 19 10 2 1
ignition by open flame 2 3 7
ignition by cigarette/match 6 1
ignition, electrical 4 8 1
ignition, hand tool sparks 8 8
ignition, lightning
ignition, weld/torch 9 34
ignition, unknown/other 10 13 1
machinery malfunction 1
Other 8 2 1
safety system malfunction 1
structural fail/fatigue 2 3 10
weather, general 16 12 15 5
This table displays some interesting trends. It is to be expected that those incidents in the “Unsafe
Act/No Procedure” and “Unsafe Procedure” category would have the greatest number of incidents that
also have an equipment cause due to the fact that they represent the largest number of human error
accidents overall. However, the table shows that a single equipment cause – “Equipment malfunction” –
represents a very large portion of accidents that also have a human error cause. In fact, it represents the
largest number of incidents in every category except for 3rd party error. Another clearly displayed fact is
that weather (which is classified as an equipment cause in the WOAD) is indicated as a cause in 48
incidents that also have a human cause. This may confirm the idea that human error probabilities are
affected by external factors such as weather.
3.2 Human Error and Accident Type
When a WOAD technician enters data into the accident form, they not only have the option of
indicating the cause of an accident, but also the type of accident that occurred. There are four options in
this category: Accident, Hazardous Situation, Near Miss, and Insignificant. “Accident” is the most severe;
this indicates that an accident actually occurred and there were either personal injuries or equipment
damage. The “Hazardous Situation” category is used to indicate that while an accident did not actually
occur, there was potential for the created situation to lead to a full scale accident. The “Near Miss”
category is used to indicate that while an accident did occur, and there was potential for the accident to
cause major damage, there was no damage to equipment or any injuries to crew. An accident that is
indicated as being “insignificant” usually applies to accidents that did occur but had no potential to cause
either injury or damage to the equipment.
3.2.1 Accident caused by human error
Data from the WOAD was examined and the results can be found in Table 3.3. It was determined
that of the incidents indicated as being caused by human error, 33% of incidents resulted in an accident.
Another 41% of incidents resulted in a hazardous situation but not in a large scale accident. Insignificant
incidents and near misses represented 17.2% and 8.3% respectively.
Table 3.3 Number of Accidents Caused by Human Error per Accident Type
| Type of Accident | Number of Accidents | % of total accidents |
|---|---|---|
| Accident | 284 | 33.0 |
| Hazardous Situation | 353 | 41.0 |
| Near Miss | 71 | 8.3 |
| Insignificant | 152 | 17.4 |
The data relating human error to accident type was examined in more detail by tabulating the
number of each accident type (accident, hazardous situation, near miss, insignificant) that resulted from
each type of human error cause. This data is shown in Table 3.4. The table shows that the more serious
accident types are more numerous for unsafe action/no procedure and unsafe procedure. It is Table 3.5,
however, that shows more valuable information concerning how probable it is for an incident with a
certain human cause to result in a certain accident type. For instance, while accidents only account for
33% of total instances of human error, it is much less likely that an incident caused by an Unsafe Act/No
Procedure will result in an accident (24%) than one that was caused by unsafe procedure (36%). It is also
worthwhile to note that if an incident is caused by 3rd party error, it is much more likely (63.4%) to cause
an accident than average, while incidents caused by improper design are much less likely (24.2%) to do
so. For “Unsafe Act/No Procedure”, “Unsafe Procedure” and “Improper Design”, the data indicates that
the number of hazardous situations caused by these errors is close to the average of 41%. Accidents
caused by 3rd party error, however, are much less likely (22%) to result in a hazardous situation. All types
of human errors have similar probabilities to result in a near miss, and they are close to the average of
8.3%. Incidents caused by 3rd Party Error are less likely than average to result in an insignificant situation
at 7.3%, while all other types of human causes fall close to the average of 17.4%.
Table 3.4 Frequency of Accident Type Per Human Error Cause
| Human Error | accident | hazardous situation | near miss | insignificant |
|---|---|---|---|---|
| unsafe act/no procedure | 91 | 173 | 38 | 76 |
| unsafe procedure | 115 | 129 | 17 | 57 |
| 3rd party error | 52 | 18 | 6 | 6 |
| improper design | 16 | 32 | 8 | 10 |
Table 3.5 Percentage of Accident type per Human Error Cause
| Human Error | accident % | hazardous situation % | near miss % | insignificant % |
|---|---|---|---|---|
| Unsafe Act/No Procedure | 24.1 | 45.8 | 10.1 | 20.1 |
| Unsafe Procedure | 36.2 | 40.6 | 5.3 | 17.9 |
| 3rd Party Error | 63.4 | 22.0 | 7.3 | 7.3 |
| Improper Design | 24.2 | 48.5 | 12.1 | 15.2 |
3.1.2 Accidents caused by Equipment error or with no indicated cause
The author also examined the occurrences of each type of accident for those incidents indicated
as not being caused by human error. The results are shown in Table 3.6. According to the WOAD data,
incidents that are not indicated as being a result of human error are more likely to result in accidents, at
45% compared to 33%. The occurrence of hazardous situations remains relatively similar at 42.1%, while
incidents resulting in an insignificant accident fell to 9.5% and those resulting in a near miss fell
significantly to 3.4%.
Table 3.6 Number of Accidents caused by Equipment Error or with no Indicated Cause per Accident Type
| Type of Accident | Number of Accidents | % of total accidents |
|---|---|---|
| Accident | 1933 | 44.9 |
| hazardous situation | 1811 | 42.1 |
| near miss | 146 | 3.4 |
| Insignificant | 407 | 9.5 |
| not specified | 5 | 0.1 |
3.3 Human Error and Accident Severity
When completing an accident form, the WOAD technician has the option of identifying the
severity of the accident consequences. For the purposes of this report, the severity of the consequences
was analyzed in two ways: damage to the equipment and crew injuries or fatalities.
3.3.1 Equipment Damage
As previously mentioned, one measure of accident severity is the resulting damage to the
equipment. The WOAD has five options for this category, including “Insignificant/No Damage”, “Minor
Damage”, “Significant Damage”, “Severe Damage” and “Total Loss”. The following sections outline the
accident severity data for both accidents that were caused by human error and those that were not.
3.3.1.1 Human Error and Equipment damage
Table 3.7 displays the total number of accidents of each level of damage for accidents caused due
to human error. As is evident from this data, over 75% of all accidents caused by human error lead to
insignificant or minor damage to offshore equipment. Another 10% of accidents cause significant
damage, while 10% result in either severe damage to equipment or total loss of equipment.
Table 3.7 Number of Accidents Caused by Human Error Per level of Equipment Damage
| Degree of Damage | Number of Accidents | % of total accidents |
|---|---|---|
| Insignificant/No Damage | 570 | 66.3 |
| Minor Damage | 103 | 12.0 |
| Significant Damage | 93 | 10.8 |
| Severe Damage | 52 | 6.0 |
| Total Loss | 42 | 4.9 |
The data for accidents caused by human error was further broken down in order to examine the likelihood
of each type of damage severity in relation to the different types of human error. This data is displayed in
the following two tables, which show both the number of accidents by damage severity as well as the
percentages of each accident type. Table 3.8 displays the number of incidents for each type of human
error that resulted in each degree of damage. Table 3.9 may be more useful, however, in displaying the
probability that an accident that occurs as a result of each type of human error will result in severe or mild
damage.
Table 3.8 Frequency of Damage Level per Human Error Category
| Human Error | insignificant/no damage | minor damage | significant damage | severe damage | total loss |
|---|---|---|---|---|---|
| Unsafe Act/No Procedure | 284 | 36 | 25 | 11 | 22 |
| Unsafe Procedure | 219 | 41 | 31 | 15 | 12 |
| 3rd Party Error | 19 | 17 | 26 | 19 | 1 |
| Improper Design | 42 | 8 | 10 | 2 | 4 |
Table 3.9 Percentage of Damage Level per Human Error Category
| Human Error | Insignificant/no damage % | minor damage % | significant damage % | severe damage % | Total loss % |
|---|---|---|---|---|---|
| Unsafe Act/No Procedure | 75.1 | 9.5 | 6.6 | 2.9 | 5.8 |
| Unsafe Procedure | 68.9 | 12.9 | 9.7 | 4.7 | 3.8 |
| 3rd Party Error | 23.2 | 20.7 | 31.7 | 23.2 | 1.2 |
| Improper Design | 63.6 | 12.1 | 15.2 | 3.0 | 6.1 |
It is clear from Table 3.9 that an accident caused by 3rd party error is much less likely (23.2%) to
result in insignificant damage than all other human causes. Unsafe Procedure results in insignificant
damage 68.9% of the time, which is very close to the average of 66%. Unsafe Acts/No Procedure and
Improper Design result in insignificant damage at slightly higher than average and slightly lower than
average rates, respectively. Another point to highlight is that accidents caused by 3rd party error are much more
likely to result in severe damage than any other human error, but are less likely to result in total loss than
any other type of human error. All other categories of human error are close to average in the number of
incidents that result in total loss of equipment.
3.3.1.2 Equipment Error or Unknown Cause and Equipment Damage
Table 3.10 shows the number of accidents for each degree of damage for accidents that were not
caused by human error. In comparison to the data from the accidents caused solely by human error, the
trend seems to be that accidents not caused by human error have a higher likelihood of causing more
equipment damage. The two most severe categories, “Total Loss” and “Severe Damage”, make up
15.7% of all non-human error accidents, while human error accidents result in these categories close to
10.9% of the time. The more moderate damage category – “Significant Damage” – represents 16.3% of all
accidents not caused by human error and only 10.8% indicated as being caused by human error. Accidents
which caused minimal damage – those in the “Minor Damage” or “Insignificant” categories – make up 68%
of accidents caused by other errors and 78.2% of accidents that were a result of human error.
Table 3.10 Number of Accidents Caused by Equipment Error or with No Indicated Cause Per Degree of Damage
Degree of Damage Number of Accidents % of total accidents
Insignificant/No Damage 2034 52.0
Minor Damage 624 16.0
Significant Damage 637 16.3
Severe Damage 366 9.4
Total Loss 247 6.3
3.3.2 Fatalities and Injuries
Another way to gauge the severity of an incident is to count the number of injuries to crew as
well as fatalities. The next sections display the effects of human error on the number of fatalities or
injuries that occurred due to an accident.
3.3.2.1 Human Error and Fatalities or Injuries
Table 3.11 displays the number of fatalities and injuries that occurred due to each type of human
error cause.
Table 3.11 Number of Fatalities and Injuries Per Category of Human Error
Human Error fatalities injuries
Unsafe Act/No Procedure 277 231
Unsafe Procedure 156 75
3rd Party Error 0 1
Improper Design 126 3
Act of War 1 1
Other 1 3
Sabotage 0
total 561 354
There is one important fact to be noted when using the data in Table 3.11. For three of the human
error causes, a large number of the fatalities or injuries occurred during a few singular accidents. In the
Unsafe Act/No Procedure category, 164 of the 277 fatalities and 60 of the 231 injuries occurred in the
Piper Alpha disaster that occurred in 1988 in the North Sea. Eighty-one of the fatalities in the category
were caused in another accident involving the capsizing of the Glomar Java Sea drill ship off the coast of
China in 1983. Also, 91 of the 156 fatalities in the Unsafe Procedure category occurred due to the
capsizing of the Seacrest drillship in the Gulf of Thailand in 1989. Finally, 123 of the 126 fatalities due to
improper design occurred in the Alexander Kielland disaster in the North Sea in 1980. While these
accidents do add fatalities and injuries to these categories and should not be disregarded, it is important to
note that they can skew the data if not properly considered. Table 3.12 displays the number of accidents
that were indicated as being caused by each type of human error that resulted in either a fatality or an
injury. Also, Table 3.13 displays the percentage of each type of human error accident that resulted in
either a fatality or an injury. These two tables may be useful in determining how human error affects more
serious accidents.
Table 3.12 Number of Accidents Resulting in Fatalities or Injuries per Human Error Cause Category

| Human Error Type | Number of accidents resulting in fatalities | Number of accidents resulting in injuries |
| --- | --- | --- |
| Unsafe Act/No Procedure | 21 | 30 |
| Unsafe Procedure | 27 | 28 |
| 3rd Party Error | 0 | 1 |
| Improper Design | 3 | 2 |
| Act of War | 1 | 1 |
| Other | 1 | 2 |
| Sabotage | 0 | 0 |

Table 3.13 Percentage of Human Error Accidents resulting in either a fatality or injury
Human Error % of accidents
Unsafe Act/No Procedure 13.5
Unsafe Procedure 17.3
3rd Party Error 1.2
Improper Design 7.6
Act of War 28.6
Other 50
Sabotage 0
3.3.2.2 Equipment Error or Unknown Cause and Fatalities or Injuries
In previous sections, the report has examined the differences between data that was indicated as
being caused by human error and data that was not. Due to the nature of the WOAD software, there is no
straightforward way to determine the number of accidents that are caused by incidents unrelated to human
error. Therefore, this comparison has been excluded from the report.
3.4 The WOAD as a source of data for HEPI and SLIM
As was discussed in section 1.1, work has been done in an attempt to quantify human error
probabilities in offshore emergency muster scenarios. This work is outlined in “HEPI: a new tool for
human error probability calculation for offshore operation” (Khan et al., 2006) and “Determination of
human error probabilities for offshore platform musters” (DiMattia et al., 2005). This study uses an expert
judgment technique to elicit human error data for the different muster steps during emergency scenarios.
The expert judgment technique that is the focus of this work is the Success Likelihood Index
Methodology (SLIM). Because the SLIM technique uses a panel of expert judges to make subjective
decisions about offshore muster scenarios in as objective a manner as possible, the model must be validated
with empirical data. This section of the report reviews the WOAD as a possible source for this empirical data.
3.4.1 Muster Data
The WOAD contains a section that is dedicated to evacuations. The WOAD technician can
choose to specify the type of evacuation, number of crew evacuated, and the mode of evacuation for each
incident. There are three types of evacuations that the WOAD technician may specify: “Successful
Evacuation”, “Unsuccessful Evacuation” and “Mustered – ready to evacuate”. Table 3.14 displays the
number of each type of evacuation for each type of human cause. The “Act of War”, “Sabotage” and
“Other” categories have been excluded from this table due to lack of data. Table 3.15 displays the
percentage occurrence of each evacuation type for each human error cause.
Table 3.14 Frequency of Evacuation Types per Category of Human Error

| Human Error | Successful evacuation | Unsuccessful evacuation | Mustered - ready to evacuate |
| --- | --- | --- | --- |
| Unsafe Act/No Procedure | 12 | 7 | 17 |
| Unsafe Procedure | 16 | 6 | 7 |
| 3rd Party Error | 2 | 0 | 1 |
| Improper Design | 9 | 1 | 1 |

Table 3.15 Percentage of Evacuation Types per Category of Human Error

| Human Error | Successful evacuation % | Unsuccessful evacuation % | Mustered - ready to evacuate % |
| --- | --- | --- | --- |
| Unsafe Act/No Procedure | 33.3 | 19.4 | 47.2 |
| Unsafe Procedure | 55.2 | 20.7 | 24.1 |
| 3rd Party Error | 66.6 | 0.0 | 33.3 |
| Improper Design | 81.8 | 9.1 | 9.1 |

The preceding tables clearly show that successful evacuations are more common than
unsuccessful evacuations for all types of human error. The “Mustered – ready to evacuate” category may
lead to confusion, however, because it may be classified as a success in the sense that no evacuation
was required. It is important to note, also, that these classifications apply only to the end result of an
evacuation or a muster and do not tell us what happened during each separate muster step.
3.5 Applicability of WOAD data to SLIM and HEPI
There are issues with the applicability of this data for the SLIM work. It is evident from Table
3.14 that there is a much smaller amount of data relating evacuations to human error than other types of
previously discussed data, which can lead to reliability issues. Also, when searching the WOAD data, the
user can only specify the overall outcome of the evacuation or muster, which doesn’t always adequately
reflect what occurred during each muster step. The only clues we have as to what may have occurred in
each muster step exist in the free text section of the accident form, which is often written with minimal
detail. Because the SLIM work aims to determine the human error probability of each separate muster
step, the WOAD is not detailed enough to supply enough empirical data to validate the accuracy of the
SLIM model. However, since the WOAD is currently the best source of offshore data available, it may be
required to change the methods of offshore muster reporting in order to collect sufficient data for the
project.
4.0 Conclusion
While the WOAD is the most comprehensive database of offshore accident reports that exists
today, it is not particularly useful when looking for human error data. This is due to a variety of factors,
including lack of detailed human error reports, and the fact that there is only one section of the WOAD
devoted to human error.
For the HEPI and SLIM projects, WOAD will not prove to be very useful. While the WOAD
does have some data pertaining to muster situations and human error, there is not enough detail in these
reports to get a good estimate of the probability of human error during each separate muster step.
The WOAD may be more promising for future projects, depending on their goals. There is a
moderate amount of human error data available, but only for the initial cause of the accident. The level of
detail available in most accident reports is just too low to be used in very specific studies such as HEPI.
Therefore, for the WOAD to be useful in future projects, they should focus on human error as the
initial accident cause.
5.0 Recommendations
1) For the current HEPI and SLIM projects, different sources of human error data should be explored in detail. This may include other databases and industry reports.
2) If WOAD is used in a further research project pertaining to human error, the project should focus on human error as the initial cause of an accident.
References
Alambets, A. (2008). Comparing three quantitative human reliability assessment techniques with application to emergency scenarios on offshore oil and gas platforms. Process Engineering Department, Dalhousie University, Halifax NS.
Alambets, A. (2008). Sources for human error data and industry cooperation. Process Engineering Department, Dalhousie University, Halifax NS.
Bligh, D. (2007). Review of the WOAD as a Quantitative Safety Assessment Tool. Process Engineering Department, Dalhousie University, Halifax, NS.
DiMattia, D.G., Khan, F.I., & Amyotte, P.R. (2005). Determination of human error probabilities for offshore platform musters. Journal of Loss Prevention in the Process Industries, 18, 488-501.
Khan, F.I., Amyotte, P.R., & DiMattia, D.G. (2006). HEPI: A new tool for human error probability calculation for offshore operation. Safety Science, 44, 313-334.
Kirwan, B. (1996). The validation of three human error reliability quantification techniques – THERP, HEART and JHEDI: Part 1 – technique descriptions and validation issues. Applied Ergonomics, 27, 359-373.
Appendix 5
Procedural HAZOP Report
Procedural HAZOP Analysis of Muster Procedure on Offshore Oil Platforms
Travis Deacon
Department of Process Engineering and Applied Science
Dalhousie University
September 10, 2008
Introduction
Current research is exploring the issue of human reliability during emergency situations in marine environments. This is measured in terms of risk of human error. Risk is a function of the frequency of error and the severity of the consequences of error (Cameron & Raman, 2005). All types of oil platforms are studied. Expert judgement techniques in the assessment of human error probabilities (HEPs) have been reviewed and adapted by the research team. Knowledge of consequences of error during emergencies is also required in assessing the risk of human error.
Procedural HAZOP
The muster procedure has been separated into 18 steps by DiMattia (2004). They are shown in tables 1-18 below in the form of procedural HAZOPs (Cameron & Raman, 2005). Each table describes possible failures, the consequences of each failure, and all possible safeguards. The consequences of failure for each step are assumed to be independent for this analysis. Consequences and safeguards are adapted from DiMattia (2004) and Marchand (2005). Further research will determine if dependency analysis is required. These safeguards are categorized in terms of the hierarchy of safety (Amyotte et al., 2007). Literature reviews suggest that tables normally list standard safeguards, with risk reduction recommendations in another column or section. The HAZOP has been modified by separating the safety barriers into prevention barriers and mitigation barriers as defined for bow-tie analysis (Cameron & Raman, 2005). This is done to show the importance of inherent safety in safety management systems. It was also done this way in hopes of using bow-tie models directly in the human factors consequence analysis. Risk mitigation measures will develop from the list of potential safeguards. Prevention barriers are safeguards that prevent failure from occurring through reduction of error probabilities. Mitigation barriers are safeguards that mitigate the consequences when a failure occurs. In this way, risk mitigation measures can be categorized in terms of reduction of frequency of incidents or control of consequences. This will help in rating the value of a particular safety measure in terms of impact and cost to implement. Further work will yield a hierarchical list of design improvements based on these ratings.
Table 1: Detect alarm HAZOP

| Guideword | Description | Consequence |
| --- | --- | --- |
| No | Operator does not hear alarm/alarm not sounded | Injury/loss of life; Entrapment in a dangerous area, difficult to be rescued; Delay of time to muster |
| Part of | - | |
| Other than | - | |
| Late | Operator does not hear alarm immediately | Delay of time to muster; Loss of life; Loss of critical time to respond to problems that initiated the alarm; Entrapment in a dangerous area, difficult to be rescued |
| More | - | |
| Early | - | |
| Before/After | - | |

Prevention Barriers
Inherent:
- Elimination of obstructions near alarms
- Minimal number of loud machines on board
- Minimal number of electrically dependent alarms
Active Engineered:
- Alarm systems strategically placed to cover all areas
- Redundancy through both audio and visual enunciation
- Push-button alarms in strategic locations
Procedural:
- Personnel equipped with two-way radios
- Review of new technology, applications and standards
- PM, testing, severe-weather monitoring
- Personnel familiarized with alarms
- Muster training at infrequent intervals
- Enlisting of feedback on alarm effectiveness
- CCR operators trained to limit and remove inhibits ASAP

Mitigation Barriers
Procedural:
- Buddy system for new personnel
- New personnel identified with different coloured clothing
- Experienced personnel trained to assist others as identified

Table 2: Identify alarm HAZOP

| Guideword | Description | Consequences |
| --- | --- | --- |
| No | Operator ignores/cannot identify alarm | Delay of time to muster; Loss of life; Loss of critical time to respond to problems that initiated the alarm |
| Part of | Operator realizes an emergency but cannot identify situation | |
| Other than | Operator incorrectly identifies alarm | The use of wrong emergency procedures, endangering all personnel on board; Activation of incorrect shut-off systems, delaying time to production start-up, creating a new problem |
| Late | Operator fails to identify alarm within short time | Delay of time to muster; Loss of life; Loss of critical time to respond to problems that initiated the alarm |
| More | - | |
| Early | - | |
| Before/After | Operator identifies alarm in later step | The use of wrong emergency procedures, endangering all personnel on board; Activation of incorrect shut-off systems, delaying time to production start-up, creating a new problem |

Prevention Barriers
Inherent:
- Elimination of equipment that could drown out alarm
- Minimal amount of hazardous materials in each area, preventing danger and false alarms
- Minimal number of types of alarm noises to efficiently convey situation
- Simple alarm signals
- Elimination of nuisance alarms by restricting to control room
Active Engineered:
- Alarm systems strategically placed to cover all areas
- Redundancy through both audio and visual enunciation
Procedural:
- Review of systems and technological advances
- Alarm key next to station bills to help identify alarms
- Procedure includes PA announcement ASAP
- Personnel equipped with two-way radios
- Alarm list provided to all personnel
- Competency testing
- Recordings of alarms available to refresh memory
- Muster training at infrequent intervals, including distinguishing between alarms

Mitigation Barriers
Procedural:
- Buddy system for new personnel
- New personnel identified with different coloured clothing
- Experienced personnel trained to assist others

Table 3: Act accordingly HAZOP

| Guideword | Description | Consequences |
| --- | --- | --- |
| No | Operator does not act accordingly | Loss of life; Loss of expensive equipment; Larger disaster if wrong processes are implemented |
| Part of | - | |
| Other than | - | |
| Late | Operator takes extended time to gain composure/act accordingly | Loss of life; Loss of expensive equipment |
| More | Operator overcompensates for gravity of situation | Loss of life |
| Early | - | |
| Before/After | Operator does not act accordingly until later steps | Loss of expensive equipment; Larger disaster if wrong processes are implemented |

Prevention Barriers
Inherent:
- Elimination of obstructions near emergency exits
- Substitution of hazardous material with safer material
- Minimization of similar escape plan options
- Simple emergency instructions
Procedural:
- Small, easy to read instructions for alarm situations provided
- PA announcement ASAP after alarm initiation
- Personnel equipped with two-way radios
- Competency testing
- Muster training at infrequent intervals
- Feedback after training exercises
- Behavioural testing to determine panic potential

Mitigation Barriers
Procedural:
- Buddy system for new personnel
- New personnel identified with different coloured clothing
- Experienced personnel trained to assist others as identified

Table 4: Ascertain if danger is imminent HAZOP

| Guideword | Description | Consequences |
| --- | --- | --- |
| No | Operator does not take time to ascertain level of danger | Loss of expensive equipment; Larger disaster if wrong processes are implemented |
| Part of | Operator does not take enough time to ascertain imminence of danger | Injury/loss of life; Entrapment within a dangerous area, difficult to be rescued; Decrease in amount of time coworkers have to egress; Loss of expensive equipment |
| Other than | - | |
| Late | - | |
| More | Operator takes extended time to ascertain imminence of danger | Injury/loss of life; Entrapment within a dangerous area, difficult to be rescued; Decrease in amount of time coworkers have to egress |
| Early | - | |
| Before/After | Operator ascertains danger after mustering | The use of wrong emergency procedures, endangering all personnel on board; Loss of expensive equipment |

Prevention Barriers
Inherent:
- Elimination of obstructions near emergency exits
- Minimal number of dangerous chemicals/potential hazards in each area
Procedural:
- Informative warning systems which indicate type and location of muster initiator
- Personnel equipped with two-way radios
- Muster training that teaches POB to ascertain danger levels
- CCR operators trained to issue PA announcements that provide information on the severity of the muster
- Competency testing
- Behavioural testing to determine panic potential

Mitigation Barriers
Inherent:
- Minimal distance between personnel and personal safety equipment
- Machines used instead of humans in areas of higher risk
- Simple shut-off valves, kill switches, control systems, etc.
Active Engineered:
- Automated shut-down systems when alarm initiated
Procedural:
- New personnel identified with different coloured clothing
- Experienced personnel trained to assist others as identified

Table 5: Muster if in imminent danger HAZOP

| Guideword | Description | Consequences |
| --- | --- | --- |
| No | Operator does not muster in imminent danger/fails to muster | Injury/loss of life; Entrapment within a dangerous area, difficult to be rescued; Decrease in the amount of time one has to successfully muster |
| Part of | - | |
| Other than | - | |
| Late | Operator does not muster immediately in imminent danger | |
| More | Operator musters even if danger is not imminent | The use of wrong emergency procedures, endangering all personnel on board; Loss of expensive equipment |
| Early | - | |
| Before/After | Operator musters after making workplace safe, even in imminent danger | Injury/loss of life; Entrapment within a dangerous area, difficult to be rescued; Decrease in the amount of time one has to successfully muster |

Prevention barriers
Inherent:
- Elimination of mud on deck
- Minimal space between workers and emergency exits
Passive Engineered:
- Skid-proof materials on decks
Procedural:
- Escape plans that outline less hazardous routes
- Muster procedure located on opposite side of station bill card
- Muster procedure that includes PA announcement updating muster status
- Personnel equipped with two-way radios
- Muster training that teaches POB to ascertain and act upon danger levels
- CCR operators trained to issue PA announcements with instructions during muster
- Competency testing
- Behavioural testing to determine panic potential

Mitigation barriers
Procedural:
- New personnel identified with different coloured clothing
- Experienced personnel trained to assist others as identified

Table 6: Return process equipment to safe state HAZOP

| Guideword | Description | Consequences |
| --- | --- | --- |
| No | Operator does not return process equipment to safe state | Loss of expensive equipment; Personal injury; Failure of machinery in other parts of the platform, more personnel at risk; Decrease in amount of time personnel within the TSR have to escape if machinery involved could pose a catastrophic threat; Damage to systems in other parts of the platform |
| Part of | Operator does not fully return process equipment to safe state | |
| Other than | Operator changes equipment to more unstable state | |
| Late | Operator takes excessive time to return process equipment to safe state | |
| More | Operator changes process equipment to an unnecessary state | Activation of incorrect shut-off systems, delaying time to production start-up, or possibly creating a new problem |
| Early | - | |
| Before/After | Operator returns process equipment to safe state before ascertaining imminence of danger | Injury/loss of life; Entrapment within a dangerous area, difficult to be rescued; Decrease in the amount of time one has to successfully muster |

Prevention barriers
Inherent:
- Elimination of gas-powered machinery on board
- Minimal number of computers controlling one machine
- Simple machinery controls
Passive Engineered:
- Passive systems to protect individuals in process area from extreme weather/danger (blast walls, wind covers)
Active Engineered:
- Active safety systems to protect individuals during work activities (i.e. deluge)
Procedural:
- Proper equipment labels to avoid mistakes in actions while making workplace safe (i.e. wrong valve)
- Personnel equipped with two-way radios
- Inexperienced individuals teamed with experienced individuals for a defined period of time
- Pre-job safety discussions
- Muster training that requires return of process equipment to safe state
- Competency testing
- Behavioural testing to determine panic potential

Mitigation barriers
Inherent:
- Minimal inventory of gas and fuel on board
- Minimal pressures and amounts of hazardous materials in machines
Active Engineered:
- Automatic shut-down sequence on alarm initiation
Procedural:
- New personnel identified with different coloured clothing
- Experienced personnel trained to assist others as identified

Table 7: Make workplace as safe as possible in limited time HAZOP

| Guideword | Description | Consequences |
| --- | --- | --- |
| No | Operator does not make workplace safe | Endangering other personnel attempting to egress to TSR; Injury |
| Part of | Operator makes workplace safer, but not as safe as possible with available time in step | |
| Other than | Operator makes workplace less safe | |
| Late | Operator takes extended time to make workplace safe | Putting oneself at risk if it takes too long to make workplace completely safe; Injury/loss of life; Entrapment within a dangerous area, difficult to be rescued; Decrease in the amount of time one has to successfully muster |
| More | Operator makes workplace safer than necessary | |
| Early | - | |
| Before/After | Operator makes workplace safe before ascertaining imminence of danger | |

Prevention barriers
Inherent:
- Simple fireproof and explosion-resistant doors, easier to close and lock
- Simple shut-down procedures for machinery
Passive Engineered:
- Passive systems to protect individuals in the process area from extreme weather/danger
Active Engineered:
- Active safety systems to protect individuals during work activities (i.e. deluge)
Procedural:
- Proper labels on equipment to avoid mistakes
- Personnel equipped with two-way radios
- Inexperienced individuals teamed with experienced personnel for a defined period of time
- Pre-job safety discussions
- Muster training that places individuals in specific tasks requiring making workplace safe
- Competency testing
- Behavioural testing to determine panic potential

Mitigation barriers
Inherent:
- Minimal use of toxic, allergenic, hazardous materials on board
Procedural:
- New personnel identified with different coloured clothing
- Experienced personnel trained to assist others as identified

Table 8: Listen and follow PA announcements HAZOP

| Guideword | Description | Consequences |
| --- | --- | --- |
| No | Operator does not hear/follow PA announcements | Choosing wrong safety procedures, endangering all personnel; Miscommunication between personnel and decrease in time to successfully complete muster; Injury/loss of life |
| Part of | Operator does not hear full announcement | |
| Other than | - | |
| Late | Operator does not immediately adhere to announcements | Injury/loss of life |
| More | - | |
| Early | - | |
| Before/After | - | |

Prevention barriers
Inherent:
- Substitution of electrically dependent PA systems with independent sources of power
- Minimal machinery that generates significant noise
- Simple and short announcements
- Simplified use of PA systems
Passive Engineered:
- Loud machinery enclosed behind soundproof materials
Procedural:
- PA systems placed to ensure coverage in all areas
- PA system design reviews
- Personnel equipped with two-way radios
- Limited work during poor weather
- Muster training that emphasizes quality PA announcements from CCR
- Muster training that uses PA announcements to test POB
- Competency testing
- Behavioural testing to determine panic potential

Mitigation barriers
Procedural:
- Inexperienced individuals teamed with experienced personnel for a defined period of time
- New personnel identified with different coloured clothing
- Experienced personnel trained to assist others as identified

Table 9: Evaluate potential egress paths and choose route HAZOP

| Guideword | Description | Consequences |
| --- | --- | --- |
| No | Operator does not choose egress route/chooses without evaluating paths | Injury/loss of life; Entrapment in a dangerous area, difficult to be rescued; Delay of time to muster |
| Part of | Operator does not evaluate potential for paths to degrade/chooses a safe path but not the safest | |
| Other than | - | |
| Late | Operator takes excessive time to evaluate potential egress paths | |
| More | - | |
| Early | - | |
| Before/After | - | |

Prevention barriers
Inherent:
- Short, coherent instructions
- Minimal but adequate number of paths to choose, clearly marked throughout path
- Simple emergency exit plans
Passive Engineered:
- Photo-luminescent tape markings in case of power loss
Active Engineered:
- Illuminated signage and emergency lighting
Procedural:
- Personnel equipped with two-way radios
- Station bills signage strategically located to show route to TSR
- Plastic cards for personnel showing egress routes
- Muster training that blocks egress paths forcing route evaluation
- Conduction of observations that provide constructive feedback to POB
- Individuals trained to recognize danger signs that indicate areas of low tenability
- Competency testing
- Behavioural testing to determine panic potential

Mitigation barriers
Inherent:
- Elimination of toxic/hazardous chemicals near paths
Procedural:
- Inexperienced individuals teamed with experienced personnel for a defined period of time
- New personnel identified with different coloured clothing
- Experienced personnel trained to assist others as defined

Table 10: Move along egress route HAZOP

| Guideword | Description | Consequences |
| --- | --- | --- |
| No | Operator does not move along egress route | Injury/loss of life; Entrapment in a dangerous area, difficult to be rescued; Delay of time to muster |
| Part of | Operator proceeds but does not complete egress | |
| Other than | - | |
| Late | Operator moves too slow along egress route | |
| More | - | |
| Early | - | |
| Before/After | - | |

Prevention barriers
Inherent:
- Elimination of tripping hazards
- Minimal number of centrifuges, heat exchangers and gas compression facilities near walkways and tunnels
- Substitution of stairs for elevators
- Minimal time that personnel work in secluded areas
Passive Engineered:
- Open but protected walkways
- Egress paths clearly labelled, signage photo-luminescent
- Skid-proof materials on decks
Active Engineered:
- Emergency lighting
Procedural:
- Personnel equipped with two-way radios
- Muster training that blocks egress paths forcing route evaluation
- Training to move along process units in a controlled fashion under a simulated compromised situation
- Competency testing
- Behavioural testing to determine panic potential

Mitigation barriers
Procedural:
- Inexperienced individuals teamed with experienced personnel for a defined period of time
- New personnel identified with different coloured clothing
- Experienced personnel trained to assist others as identified

Table 11: Assess quality of egress route while moving to TSR HAZOP

| Guideword | Description | Consequences |
| --- | --- | --- |
| No | Operator does not assess quality of egress route | Issuing wrong procedures to personnel trying to egress; Issuing poor assessment of danger posed to personnel, causing assumption that the situation is less severe than it actually is |
| Part of | Operator partially assesses quality of egress route | |
| Other than | - | |
| Late | - | |
| More | Operator puts too much time and effort into assessing quality of egress route | Injury/loss of life; Entrapment in a dangerous area, difficult to be rescued; Delay of time to muster |
| Early | - | |
| Before/After | - | |

Prevention barriers
Inherent:
- Simple workplaces, minimizing stress
- Short Shifts
Active Engineered:
- Well-ventilated areas to reduce smoke
- Warning systems that provide feedback on local area and egress tenability
Procedural:
- Personnel equipped with two-way radios
- Plastic station bill cards for each individual showing egress route to TSR
- Muster training that blocks egress paths forcing route evaluation
- Conduction of muster observations that permit constructive feedback to POB
- Individuals trained to recognize danger signs that indicate areas are of low tenability
- Competency testing
- Behavioural testing to determine panic potential

Mitigation barriers
Procedural:
- Inexperienced individuals teamed with experienced personnel for a defined period of time
- New personnel identified with different coloured clothing
- Experienced personnel trained to assist others as identified

Table 12: Choose alternate route if egress path is not tenable HAZOP

| Guideword | Description | Consequences |
| --- | --- | --- |
| No | Operator does not choose alternate path if current path is not tenable | Injury/loss of life; Entrapment in a dangerous area, difficult to be rescued; Delay of time to muster |
| Part of | - | |
| Other than | - | |
| Late | Operator does not choose alternate paths before current route becomes unsafe | |
| More | Operator repeatedly chooses alternate paths | Delay of time to muster |
| Early | Operator chooses alternate route before current route is not tenable | |
| Before/After | - | |

Prevention barriers
Inherent:
- Minimal number of similar escape routes
- Simple egress instructions for each area of the rig
- Minimal amount of equipment on/over walkways
- Elimination of gas storage facilities near egress routes
Passive Engineered:
- Non-skid surfaces, walkways clearly marked with photo-luminescent tape
Active Engineered:
- Emergency lighting
- Warning systems that provide feedback on local area and tenability of egress paths
Procedural:
- Personnel equipped with two-way radios
- Station bill card for each POB showing egress routes
- Egress route signage at strategic locations
- Muster training that blocks egress paths
- Muster observations that permit constructive feedback
- Train individuals to recognize signs of low tenability
- Competency testing
- Behavioural testing to determine panic potential

Mitigation barriers
Procedural:
- Inexperienced individuals paired with experienced personnel for a defined period of time
- New personnel identified with different coloured clothing
- Experienced personnel trained to assist others as identified

Table 13: Collect personal survival suit if in accommodations at time of muster HAZOP
Guideword Description Consequences Prevention barriers Mitigation barriers
No Operator does not collect personal survival suit if in accommodations
Increase in potential injury/loss of life
Minimization of amount of time person has to abandon platform
Inherent
Elimination of material blocking paths to survival suits
Minimal distance between personnel in accommodations and survival suits
Simple, well-fitting suits that are easy to put on and use
Minimal number of redundant fasteners on suits
Simplified safety devices on suits
Procedural
Personnel equipped with two-way radios
Survival suits placed near exits of accommodations
Individuals trained to ensure immediate muster from accommodations while collecting one survival suit
Competency testing
Behavioural testing to determine panic potential
Procedural
Adequate number of TSR survival suits for all POB
Inexperienced individuals paired with experienced personnel for a defined period of time
New personnel identified with different coloured clothing
Experienced personnel trained to assist others as identified
Part of -
Other than Operator collects other items instead of survival suit
Late -
More Operator collects multiple survival suits
Injury/loss of life
Entrapment in a dangerous area, difficult to be rescued
Delay of time to muster
Early -
Before/After -
Table 14: Assist others if needed or as directed HAZOP
Guideword Description Consequence Prevention barriers Mitigation barriers
No Operator does not assist others in need or as directed
Injury/loss of life
Hindering of a stranded co-worker's ability to successfully complete the muster
Inherent
Elimination of language barriers
First aid kits distributed in every area, dependent on level of hazard
Moderate number of people in each area to reduce congestion
Active Engineered
Warning systems that provide feedback on local area and egress path tenability
Procedural
Personnel equipped with two-way radios
Muster training that uses situations where POB need assistance
Conduction of muster observations that permit constructive feedback to POB
Individuals trained to recognize others that require help during muster
Competency testing
Behavioural testing to determine panic potential
Procedural
Survival suits that protect against explosion and debris as well as cold
Inexperienced individuals teamed with experienced personnel for a defined period of time
New personnel identified with different coloured clothing
Experienced personnel trained to assist others as identified
Part of Operator begins to assist others but does not complete
Other than Operator hinders others
Late Operator does not assist immediately
More Operator continuously seeks others to assist, attempts to help those who are already being assisted
Injury/loss of life
Entrapment in a dangerous area, difficult to be rescued
Delay of time to muster
Early -
Before/After -
Table 15: Register at TSR HAZOP
Guideword Description Consequences Prevention barriers Mitigation barriers
No Operator does not register at TSR
Miscommunication
Unnecessary rescue attempt, putting more lives at risk
Inherent
Multiple registration stations to minimize line-ups
Minimal number of people in each registry location for ease of evacuation
Active Engineered
Battery operated registry system in case of power failure
Swipe card registration system
Procedural
Signage in TSR reminding all individuals to register immediately
Individual responsible for head count trained to prompt POB to register
Competency testing
Behavioural testing to determine panic potential
Active Engineered
Tracking device on all POB
Procedural
Inexperienced individuals teamed with experienced personnel for a defined period of time
New personnel identified with different coloured clothing
Experienced personnel trained to assist others as identified
Part of Operator begins registration task but does not complete
Other than -
Late Operator arrives at TSR but does not immediately register
More Operator registers multiple people at TSR
Miscommunication
Endangering personnel who have not yet completed muster
Early Operator instructs someone else to register for operator before they arrive
Before/After -
Table 16: Provide pertinent feedback attained while en route to TSR HAZOP
Guideword Description Consequences Prevention barriers Mitigation barriers
No Operator does not provide feedback
Implementation of incorrect procedures
Delaying movement of co-workers along egress paths/ endangering co-workers attempting to egress
Procedural
Telephone link to OIM or CCR personnel to provide feedback
Signage in TSR reminding individuals to register upon entry during a muster
Personnel equipped with two-way radios
Individual responsible for head count trained to prompt POB to register
Conduction of muster observations that permit constructive feedback to POB
Muster training to include opportunities for information transfer in the TSR
Competency testing
Behavioural testing to determine panic potential
Procedural
Inexperienced individuals teamed with experienced personnel for a defined period of time
New personnel identified with different coloured clothing
Part of Operator gives inadequate feedback
Other than -
Late Operator does not provide feedback immediately
More Operator provides excessive feedback
Delaying announcement of instructions over PA
Endangering co-workers attempting to egress
Early -
Before/After -
Table 17: Don personal survival suit or TSR survival suit if instructed to abandon HAZOP
Guideword Description Consequences Prevention barriers Mitigation barriers
No Operator does not don survival suit if instructed to abandon
Injury/loss of life
Decrease in amount of time it takes to become hypothermic
Loss of protection from elements
Inherent
Substitute survival suits with low-weight models to allow mobility
Minimize number of suits in different sections of each area
Procedural
POB-fitted suits with nametags
Suits stored for easy retrieval
Signage in TSR reminding individuals to register upon entry
Diagrammatic instructions on how to don survival suit in TSR
Written procedure on how to don suit in TSR
Muster procedures designed so that a team approach is taken to donning survival gear, reducing competition for space
Conduction of muster observations that permit constructive feedback to POB
Muster training to include donning of survival suits
Competency testing
Behavioural testing to determine panic potential
New personnel identified with different coloured clothing
Part of Operator incorrectly dons survival suit
Other than -
Late Operator dons survival suit later than instructed
Minimization of amount of time to abandon platform
More -
Early Operator dons survival suit during egress/before instructed to abandon
Injury/loss of life
Entrapment in a dangerous area, difficult to be rescued
Delay of time to muster
Before/After -
Table 18: Follow OIM's instructions HAZOP
Guideword Description Consequences Prevention barriers Mitigation barriers
No Operator does not follow OIM's instructions
Endangering co-workers
Decrease in time to escape
Inherent
Elimination of loud machinery around and inside TSR
Multiple exits to helicopter pad, all clear of obstruction
TSR located as close as possible to helicopter pad
Speaker system that can run during a power outage
Simple PA system in case OIM must instruct another individual to make announcements
Procedural
Personnel familiarized with TEMPSC and other survival/evacuation equipment
Checklist in TSR reminding POB of prerequisites prior to evacuation
Conduction of TSR muster observations that permit constructive feedback to POB
Muster training to include opportunities for evacuation staging
Procedural
Inexperienced individuals teamed with experienced personnel for a defined period of time
New personnel identified with different coloured clothing
Experienced personnel trained to assist others as identified
Part of Operator only partially follows instructions
Other than -
Late Operator follows OIM's instructions at a later moment
More -
Early OIM gives instructions conditional on further instructions, and operator does not wait
Before/After -
Discussion
The majority of potential safeguards during the muster are inherent and procedural. This will lead to difficulty in quantifying failure potentials of these safeguards. Originally, fault tree, event tree and bow-tie logic were reviewed in hopes of using these tools in quantitative consequence analysis. The results of qualitative analysis and a literature review (HSE 2002) suggest that these methods are not well-defined for human error analysis. They are currently under review to determine if they may have a use in quantitative consequence analysis. It may even be helpful to use them simply to show the relationship between muster steps. Literature review for a method to quantify consequences from a human error perspective is ongoing.
Expert judgement may be an option. By rating qualitative descriptions of consequences on a scale of 1 to 5 and eliciting feedback, a relative quantification of consequences can be determined. It may also yield insight into the severity of these consequences. These consequences would be rated in terms of each of health, equipment, egressability, muster initiator and effects on other POB (DiMattia, 2004).
The results of consequence rating could be used in a risk matrix, combined with human error probabilities. One side of the matrix would have the qualified consequences, while the other side would have human error probability ranges. This is necessary for the purpose of the risk matrix. The steps for each muster initiator could be ranked from this matrix by level of risk. A potential problem is that a number of muster steps could be ranked equally in risk, due to the qualitative ranges of consequences. This would make developing a hierarchy of risk mitigation measures difficult, as there would be many muster step ratings of equal risk. A method of quantifying consequence frequency may control this effect. A bow-tie model developed around the ‘failure to muster’ event may still be useful. However, there are barriers to this type of quantification. One example is the subjectivity of reliability analysis of the safety measures, in particular inherent and passive safety measures. Another barrier is the subjectivity of evaluating the 18 muster steps in terms of an overall ‘failure to muster’ event. It may be more logical to evaluate each muster step individually. Literature is being reviewed in hopes that it will point to a method that produces quantified consequences in a practical form.
Conclusion
Consequences of failure to complete specific muster steps are similar, and most safeguards fall in the inherent and procedural categories of the hierarchy of safety. The next step is further developing this analysis to yield a practical tool to rate consequences and safety barrier performance. Quantification of barriers would be a subjective analysis, with a high degree of uncertainty. Risk matrices can be developed from a qualitative evaluation of consequence severity. Further review will determine the most practical approach to consequence analysis in terms of risk evaluation and mitigation.
References
Amyotte, P., Goraya, A., Hendershot, D., Khan, F., Incorporation of Inherent Safety Principles in Process Safety Management, Process Safety Progress, vol. 26, no. 4 (2007), 333-344.
Cameron, I., Raman, R., Process Systems Risk Management, vol 6, Elsevier Academic Press, San Diego, 2005.
DiMattia, D., Human Error Probability Index for Offshore Platform Musters, PhD Thesis (2004), Dalhousie University.
HSE, “Marine Risk Assessment”, Offshore Technology Report OTO 2001 063 (2002), Health & Safety Executive.
Marchand, N., Co-op work term report (2005), Dalhousie University.
Appendix 6
Empirical Data Solicitation Report
Report on Empirical Data Solicitation Efforts within Atlantic Offshore Oil Industry
Travis Deacon
Department of Process Engineering and Applied Science
Dalhousie University
September 10, 2008
Currently the research team has no empirical data to compare with the human reliability analysis techniques developed for the project. One of the objectives for the PRAC research is to use industry-specific data in human factors modelling. To accomplish this, PRAC representatives gave the team two contacts, one from Husky Energy and one from Petro-Canada. The research team is seeking data to validate the SLIM expert judgement technique used to determine human error probabilities for each of the muster steps as defined by DiMattia (2004). Empirical failure rates for each muster step were sought. These can come from post-drill/incident interviews with POB to determine which steps were most difficult to complete and where errors occurred. Checking workstations and process equipment to determine if they were made safe would also contribute to collection of error rates.
Petro-Canada was contacted on two occasions, May 29 2008 and July 2 2008. On the first occasion, the representative expressed interest in helping with research but was concerned that Petro-Canada’s FPSO incident and drill reports would be of little use. The representative indicated that if another company determined a method to help the team with empirical data, they would be open to exploring a similar agreement. On the second occasion, they expressed discomfort giving reports to the team that they believe have little relevance to the research, or to have us inspect them to determine what we can use. It was explained that empirical data was part of a request for facility-specific research by PRAC in approving project funding. This would require cooperation with Atlantic industries in searching for data, and PRAC had given Petro-Canada’s contact information for this purpose. They explained that successful/unsuccessful muster reporting is a one- or two-line component in a much larger and more comprehensive emergency scenario drill that would not be useful to us. It was explained that the current project will extend beyond muster scenarios into more general yet plausible scenarios and the data from drill reports would be useful for this as well. They expressed a desire to help with the research, but did not feel that the extent to which the reports would aid would be worth allowing us to read them or Petro-Canada to sensitize them. They explained that if useful information from another operator that the team is in contact with could be found, they would be interested in knowing what kind of information was acquired. This would help Petro-Canada determine how to best help the PRAC research while maintaining the company’s privacy.
Email and telephone messages to the Husky representative were not returned. During the PRAC Offshore Safety Conference, contact was established with another Husky representative. They expressed interest in the human factors research and aiding in it. Journal articles were emailed to the representative that outlined the direction of the project. They replied that a meeting would be set up to discuss Husky’s participation once they were able to study the journals. Currently, the representative is in contact with the research team at Memorial.
The Worldwide Offshore Accident Database (WOAD; Bligh, 2007) is also being analyzed for potential use in the human factors research. The results of this analysis can be found in a separate report.
References
Bligh, D., Review of the WOAD as a Quantitative Safety Assessment Tool, Co-op work term report (2007), Dalhousie University.
DiMattia, D., Human Error Probability Index for Offshore Platform Musters, PhD Thesis (2004), Dalhousie University.
Appendix 7
Consequence Analysis Report
Consequence Analysis and Risk Evaluation of Human Error in Offshore Emergency Situations
Travis Deacon
Department of Process Engineering and Applied Science
Dalhousie University
Nov. 24, 2008
Introduction
The use of emergency procedures is the primary safety barrier in an emergency situation on offshore installations. The importance of shut-down, muster and evacuation can be seen in the inquiries of past disasters in the offshore industry (Moan et al., 1981; Robertson & Wright, 1997; US Coast Guard, 1983; Vinnem, 2007). The objective of this research was to assign a severity value to the consequences of failing to complete specific muster steps based on the given muster initiator. This is done in a consequence table, which, combined with probability data, allows the use of a risk matrix to determine the risk level for each step. It also reveals the areas where consequence control can be most beneficial. The safety measures that affect consequences, known as mitigation barriers, can be incorporated with improved focus using this model. Potential consequences were recorded in a procedural HAZOP. The consequence table developed here relates these potential consequences to specific muster situations. Incident reports and public inquiries from industry were used to rate the consequences.
Consequence Table
When the project was undertaken, a measurable value of the consequences of failure to complete each individual muster step was desired. The lack of muster drill data, as well as of information on failure rates of inherent and procedural safety measures, prevents a viable quantitative result. It was then decided that a table assigning a severity value as the consequence of failure to complete a muster step would be the most viable option in pursuing consequence analysis.
The consequences were rated across four categories: effect on individual health, effect on the ability to complete the muster, effect on the severity of the muster initiator and effect on other personnel on board (POB). Table 1 shows the legend of the consequence table, with a description for each category and severity of consequence. This table is adapted from DiMattia (2004).
Table 1: Consequence categories and severity descriptions
Severity | Health | Egress | Muster Initiator | Other POB
1 | Zero Injury | Zero delay | Zero effect | Zero effect
2 | Likely to result in Minor Injury | Slightly delays reaching TSR or completing TSR actions | Raises muster initiator to a level that causes minor delays in reaching TSR | Slightly to Moderately delays others from reaching TSR or completing TSR actions
3 | Likely to result in Major Injury | Moderately delays reaching TSR or completing TSR actions | Raises muster initiator to level that causes moderate to long delays in reaching TSR | Prevents others from reaching TSR or completing TSR actions
4 | Likely to result in Fatality | Prevents reaching TSR or other safe refuge | Raises muster initiator to severity where muster is no longer possible | Prevents others from reaching TSR or having a dry evacuation
The present work evaluated the consequence severities for three muster initiating events: a man overboard incident, a gas release, and a fire and explosion. The consequences are evaluated for each step in the muster. Steps are as determined through hierarchical task analysis (HTA) by DiMattia (2004). Incident reports and accident investigations from the offshore industry were collected as a method of empirical evaluation of consequence severities. Incident reports were particularly useful for the man overboard muster initiator. A collation of incident reports from the UK Continental Shelf from five databases, including WOAD and ORION, was undertaken by Det Norske Veritas (DNV; 2007, 2007a). These reports had very little data, often only one or two sentences describing each incident. Some incident reports did not even specify whether or not the individual who had fallen overboard had survived the incident. Of those who had survived (and several did not), their survival was mainly attributable to a safety harness, life rings thrown out by nearby operators, fast rescue craft (FRC) retrieval or by swimming to the platform leg they had fallen or been washed from and being pulled from the water by nearby operators. The information did, however, reveal two important patterns: the necessity of speed in rescuing the fallen from the water, either by rescue equipment and operators on location at the time of the incident, or by timely activation of and action by the FRC of a nearby standby vessel (SBV); and the low severity of consequences of failure to complete most of the muster steps, with the exception of assisting others as needed (see Table 2). This second observation is based on the assumption that the operator who has fallen overboard is considered in the ‘Other POB’ consequence category, and that an individual will only have enough time to assist the overboard operator if they witnessed the incident or are nearby.
Events that fall within the muster initiators above or events that have relevant generic data to specific muster steps (failing to don survival suit, for example) were examined for possible causes of negative consequences. They were also compared with other events that had less severe consequences. An example of this method in practice comes from the US Coast Guard report on the Ocean Ranger capsize. While listing is not a muster initiator studied in the present work, the report concluded that many of the deaths were related to hypothermia from exposure to cold water. It was also mentioned that the lack of proper survival suits reduced the casualties’ resistance to hypothermia to a matter of minutes in the water (US Coast Guard, 1983). This was compared to accident investigations of fires and explosions, many of which resulted in a portion of the POB having a wet evacuation (Vinnem, 2007). Combining these two sources shows that it is reasonably probable and not overly pessimistic to assign muster step 17 (don personal survival suit if instructed to abandon) a severity of 4 for the health category (see Table 4). In the same way it can be concluded from Robertson & Wright (1997) and the Ocean Odyssey disaster that failure to complete step 13 when applicable can also result in fatalities during a fire and explosion situation (see Table 4). Several POB were delayed in reaching the TSR and, as a result, the emergency lifeboats had already been launched. Previous naval training by one of the POB who had escaped in the emergency lifeboat prompted him to acquire several survival suits and lay them out on the deck in the TSR. Thanks to this action, the late arrivals were able to quickly don survival suits and survived a wet evacuation. The action is exceptional, however, and the fact that individuals’ survival may have hinged upon it shows the importance of both collecting survival suits whenever possible during a high-intensity evacuation and of having a more than adequate supply of suits.
Muster steps 9 through 12 were evaluated equally as a sub-stage of the ‘egress’ stage defined by DiMattia (2004). Incident reports and accident investigations left little distinction between these steps. It was assumed that, as the basic movement from starting point to TSR is composed of all four of these steps, the consequences of failure to complete each of them would be very similar. Therefore any data yielding a value for one of these four steps was assigned to them all. Piper Alpha and Ocean Odyssey investigations were useful for the gas release and fire and explosion scenarios, as they depict the conditions of both gas releases and fires. The recount of the escape to the lifeboats by the Ocean Odyssey survivors was useful in determining the immediate atmospheric conditions during egress. Difficulties in moving to the TSR were attributed to the air quality and noise level. The noise level was also noted to affect the recognition of alarms. The first two steps were shown to have low consequence severities for the gas release and fire and explosion situations. Many POB from the Ocean Odyssey and Alexander L. Kielland did not detect an alarm before beginning to muster. The level of disturbance of the event initiation (the release of gas, an explosion, a severe list) was adequate in causing POB to muster, with some delay (Moan et al., 1981; Robertson & Wright, 1997). The third step, acting accordingly, has been shown to have catastrophic consequences if not completed. One particular situation, the Ekofisk A incident, is an example. What is surmised as panic following a riser rupture resulted in six individuals releasing an emergency escape vessel from its full distance above the sea. Three deaths occurred from this action, as well as an emergency lifeboat being released and incapacitated. This brought danger to the rest of the crew in a potential loss of a dry evacuation opportunity. This is shown in Tables 3 and 4 with a high severity for both the ‘health’ and ‘other POB’ categories (Vinnem, 2007).
Tables 2 through 4 show the consequences of each muster initiator with respect to the individual consequence categories. The overall consequence severity is equal to the highest severity for that step. Reducing the consequence severity of a step includes reducing the category or categories of highest severity. It does not require that all categories be reduced. As an example, to reduce the overall consequence severity from 3 to 2 for step 8 of the fire and explosion scenario, one must reduce the effect on the muster initiator to a severity value of 2. Further reducing this effect would be beneficial, but would not reduce the overall consequence severity unless the effect on egress was also reduced. By using this method of tables as a guide, greater efficiency can be produced when allocating resources to mitigation barrier improvements. Table 5 shows the overall consequence severities for the muster initiators of man overboard, gas release and fire and explosion.
Table 2: Consequence severities for Man Overboard initiator (bolded values show overall severity)
Muster Step | Health | Muster Initiator | Egress | Other POB | Reference
1. Detect alarm | 1 | 1 | 2 | 1 | DNV, 2007; 2007a
2. Identify alarm | 1 | 1 | 2 | 1 | DNV, 2007; 2007a
3. Act Accordingly | 1 | 1 | 2 | 1 | DNV, 2007; 2007a
4. Ascertain if danger is imminent | 1 | 1 | 1 | 1 | DNV, 2007; 2007a
5. Muster if in imminent danger | 1 | 1 | 1 | 1 | DNV, 2007; 2007a
6. Return process equipment to safe state | 1 | 2 | 1 | 1 | DNV, 2007; 2007a
7. Make workplace as safe as possible in limited time | 1 | 1 | 1 | 2 | DNV, 2007; 2007a
8. Listen and follow PA instructions | 1 | 1 | 1 | 2 | DNV, 2007; 2007a
9. Evaluate potential egress paths and choose route | 1 | 1 | 1 | 1 | DNV, 2007; 2007a
10. Move along egress route | 1 | 1 | 1 | 1 | DNV, 2007; 2007a
11. Assess quality of egress route while moving to TSR | 1 | 1 | 1 | 1 | DNV, 2007; 2007a
12. Choose alternate route if egress path is not tenable | 1 | 1 | 1 | 1 | DNV, 2007; 2007a
13. Collect personal survival suit if in accommodations at time of muster | 1 | 1 | 1 | 1 | DNV, 2007; 2007a
14. Assist others if needed or as directed | 1 | 1 | 1 | 4 | DNV, 2007; 2007a
15. Register at TSR | 1 | 1 | 1 | 2 | DNV, 2007; 2007a
16. Provide pertinent feedback attained while en route to TSR | 1 | 1 | 1 | 2 | DNV, 2007; 2007a
17. Don personal survival suit or TSR survival suit if instructed to abandon | 1 | 1 | 1 | 1 | DNV, 2007; 2007a
18. Follow OIM's instructions | 1 | 1 | 1 | 1 | DNV, 2007; 2007a
Table 3: Consequence severities for Gas Release initiator (bolded values show overall severity)
Muster Step | Health | Muster Initiator | Egress | Other POB | Reference
1. Detect alarm | 1 | 1 | 2 | 1 | Moan et al., 1981 (p7,8); Robertson & Wright, 1997 (p3,4)
2. Identify alarm | 1 | 1 | 2 | 1 | Moan et al., 1981 (p7,8); Robertson & Wright, 1997 (p3,4)
3. Act Accordingly | 4 | 2 | 1 | 4 | Vinnem, 2007 (p94)
4. Ascertain if danger is imminent | 3 | 1 | 3 | 1 | Vinnem, 2007 (p83,89)
5. Muster if in imminent danger | 3 | 1 | 3 | 1 | Vinnem, 2007 (p83,89)
6. Return process equipment to safe state | 3 | 4 | 3 | 1 | Vinnem, 2007 (p79-95)
7. Make workplace as safe as possible in limited time | 1 | 1 | 1 | 3 | Moan et al., 1981 (p156-158)
8. Listen and follow PA instructions | 1 | 3 | 2 | 1 | Robertson & Wright, 1997 (p3,4)
9. Evaluate potential egress paths and choose route | 3 | 1 | 3 | 1 | Robertson & Wright, 1997 (p4,5); Vinnem, 2007 (p91)
10. Move along egress route | 3 | 1 | 3 | 1 | Robertson & Wright, 1997 (p4,5); Vinnem, 2007 (p91)
11. Assess quality of egress route while moving to TSR | 3 | 1 | 3 | 1 | Robertson & Wright, 1997 (p4,5); Vinnem, 2007 (p91)
12. Choose alternate route if egress path is not tenable | 3 | 1 | 3 | 1 | Robertson & Wright, 1997 (p4,5); Vinnem, 2007 (p91)
13. Collect personal survival suit if in accommodations at time of muster | 3 | 1 | 1 | 1 | DNV, 2007; 2007a
14. Assist others if needed or as directed | 1 | 1 | 1 | 3 | DNV, 2007; 2007a
15. Register at TSR | 1 | 1 | 1 | 3 | Robertson & Wright, 1997 (p6,28)
16. Provide pertinent feedback attained while en route to TSR | 1 | 1 | 1 | 3 | Robertson & Wright, 1997 (p4,6); Vinnem, 2007 (p87)
17. Don personal survival suit or TSR survival suit if instructed to abandon | 4 | 1 | 1 | 1 | DNV, 2007; 2007a
18. Follow OIM's instructions | 3 | 1 | 1 | 1 | DNV, 2007; 2007a
Table 4: Consequence severities for Fire & Explosion initiator (bolded values show overall severity)
Muster Step | Health | Muster Initiator | Egress | Other POB | Reference
1. Detect alarm | 1 | 1 | 2 | 1 | Moan et al., 1981 (p7,8); Robertson & Wright, 1997 (p3,4)
2. Identify alarm | 1 | 1 | 2 | 1 | Moan et al., 1981 (p7,8); Robertson & Wright, 1997 (p3,4)
3. Act Accordingly | 4 | 2 | 1 | 4 | Vinnem, 2007 (p94)
4. Ascertain if danger is imminent | 4 | 3 | 4 | 3 | Moan et al., 1981 (p155-160); Robertson & Wright, 1997 (p11); Vinnem, 2007 (p94)
5. Muster if in imminent danger | 4 | 1 | 4 | 3 | Robertson & Wright, 1997 (p4); Vinnem, 2007 (p84,87-89,91)
6. Return process equipment to safe state | 4 | 4 | 4 | 4 | Vinnem, 2007 (p79-95)
7. Make workplace as safe as possible in limited time | 1 | 1 | 1 | 3 | Moan et al., 1981 (p156-158)
8. Listen and follow PA instructions | 4 | 3 | 3 | 1 | Robertson & Wright, 1997 (p3,4)
9. Evaluate potential egress paths and choose route | 4 | 1 | 4 | 1 | Moan et al., 1981 (p155-160); Robertson & Wright, 1997 (p4,6); Vinnem, 2007 (p91)
10. Move along egress route | 4 | 1 | 4 | 1 | Moan et al., 1981 (p155-160); Robertson & Wright, 1997 (p4,6); Vinnem, 2007 (p91)
11. Assess quality of egress route while moving to TSR | 4 | 1 | 4 | 1 | Moan et al., 1981 (p155-160); Robertson & Wright, 1997 (p4); Vinnem, 2007 (p91)
12. Choose alternate route if egress path is not tenable | 4 | 1 | 4 | 1 | Moan et al., 1981 (p155-160); Robertson & Wright, 1997 (p4,5); Vinnem, 2007 (p91)
13. Collect personal survival suit if in accommodations at time of muster | 4 | 1 | 1 | 1 | Robertson & Wright, 1997 (p16,17)
14. Assist others if needed or as directed | 1 | 1 | 1 | 4 | Robertson & Wright, 1997 (p7,8,18,19)
15. Register at TSR | 1 | 1 | 1 | 3 | Robertson & Wright, 1997 (p6,28)
16. Provide pertinent feedback attained while en route to TSR | 1 | 1 | 1 | 4 | Robertson & Wright, 1997 (p4,6); Vinnem, 2007 (p87)
17. Don personal survival suit or TSR survival suit if instructed to abandon | 4 | 1 | 1 | 1 | US Coast Guard, 1983 (Part I p2-4); Vinnem, 2007 (p84,91)
18. Follow OIM's instructions | 4 | 1 | 1 | 4 | US Coast Guard, 1983 (Part I p8-10)
Table 5: Consequence Table for all muster initiators
Muster Step | MO | GR | F&E
1. Detect alarm | 2 | 2 | 2
2. Identify alarm | 2 | 2 | 2
3. Act Accordingly | 2 | 4 | 4
4. Ascertain if danger is imminent | 1 | 3 | 4
5. Muster if in imminent danger | 1 | 3 | 4
6. Return process equipment to safe state | 2 | 4 | 4
7. Make workplace as safe as possible in limited time | 2 | 3 | 3
8. Listen and follow PA instructions | 2 | 3 | 4
9. Evaluate potential egress paths and choose route | 1 | 3 | 4
10. Move along egress route | 1 | 3 | 4
11. Assess quality of egress route while moving to TSR | 1 | 3 | 4
12. Choose alternate route if egress path is not tenable | 1 | 3 | 4
13. Collect personal survival suit if in accommodations at time of muster | 1 | 3 | 4
14. Assist others if needed or as directed | 4 | 3 | 4
15. Register at TSR | 2 | 3 | 3
16. Provide pertinent feedback attained while en route to TSR | 2 | 3 | 4
17. Don personal survival suit or TSR survival suit if instructed to abandon | 1 | 4 | 4
18. Follow OIM's instructions | 1 | 3 | 4
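The rule described before the tables (overall severity is the highest category severity, and lowering it means lowering every category that sits at that maximum) can be checked mechanically. The following is an added example, not part of the original report: it uses the Gas Release values transcribed from Table 3 and the GR column of Table 5, and all function and variable names are hypothetical.

```python
from collections import Counter
from typing import NamedTuple

CATEGORIES = ("health", "muster_initiator", "egress", "other_pob")
MIN_SEVERITY = 1  # lowest severity in the legend (zero injury / delay / effect)


class StepSeverity(NamedTuple):
    step: int
    health: int
    muster_initiator: int
    egress: int
    other_pob: int

    def by_category(self):
        return {c: getattr(self, c) for c in CATEGORIES}


# Gas Release initiator, transcribed from Table 3:
# (step, health, muster initiator, egress, other POB)
GAS_RELEASE = [StepSeverity(*r) for r in [
    (1, 1, 1, 2, 1), (2, 1, 1, 2, 1), (3, 4, 2, 1, 4),
    (4, 3, 1, 3, 1), (5, 3, 1, 3, 1), (6, 3, 4, 3, 1),
    (7, 1, 1, 1, 3), (8, 1, 3, 2, 1), (9, 3, 1, 3, 1),
    (10, 3, 1, 3, 1), (11, 3, 1, 3, 1), (12, 3, 1, 3, 1),
    (13, 3, 1, 1, 1), (14, 1, 1, 1, 3), (15, 1, 1, 1, 3),
    (16, 1, 1, 1, 3), (17, 4, 1, 1, 1), (18, 3, 1, 1, 1),
]]

# GR column of Table 5, steps 1..18
TABLE5_GR = dict(zip(range(1, 19),
                     [2, 2, 4, 3, 3, 4, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 4, 3]))


def overall_severity(row):
    """Overall consequence severity = highest severity across the categories."""
    return max(row.by_category().values())


def limiting_categories(row):
    """Categories that sit at the overall severity and therefore set it."""
    top = overall_severity(row)
    return [c for c, v in row.by_category().items() if v == top]


def floor_without_other_changes(row):
    """Lowest overall severity reachable by reducing only the limiting
    categories; the remaining categories then become the new maximum."""
    top = overall_severity(row)
    rest = [v for v in row.by_category().values() if v < top]
    return max(rest, default=MIN_SEVERITY)


def reductions_needed(row, target):
    """Map each category above `target` to (current, target)."""
    if target < MIN_SEVERITY:
        raise ValueError("target below the lowest severity on the scale")
    return {c: (v, target) for c, v in row.by_category().items() if v > target}


def cross_check(rows, summary):
    """Steps whose computed overall severity disagrees with the summary table."""
    return [r.step for r in rows if overall_severity(r) != summary[r.step]]


def limiting_category_counts(rows):
    """How many steps each category limits: where mitigation effort pays off."""
    return Counter(c for r in rows for c in limiting_categories(r))


if __name__ == "__main__":
    print("Table 3 vs Table 5 mismatches:", cross_check(GAS_RELEASE, TABLE5_GR))
    for row in GAS_RELEASE:
        print(row.step, overall_severity(row), limiting_categories(row),
              "floor:", floor_without_other_changes(row))
    print(limiting_category_counts(GAS_RELEASE).most_common())
```

For step 8 the only limiting category is the muster initiator, and the floor of 2 is set by egress, so pushing the muster initiator effect below 2 does not lower the overall severity further.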
Risk Matrix
The ISO standard 17776 risk matrix has been developed using frequency of event occurrence and severity of consequences as factors (DNV, 2002). The standard matrix, shown in Figure 1, was adapted in this work to include human error probabilities instead of incident frequencies. This caters to the scope, analyzing the risk of human error in emergency situations. The goal of this risk matrix is to determine the risk of failure to complete a muster step by its probability of occurrence and its consequences.
Figure 1: ISO 17776 Risk Matrix (adapted from DNV, 2002)
The ISO standard 17776 is a 5 by 5 risk matrix, using five consequence severities and five frequencies. The frequency terms are descriptive in nature (i.e. event had occurred in operating company, event has occurred at location). These qualitative frequencies can be compared with the frequency index table of the risk ranking matrix developed by IMO (DNV, 2002). The frequency index descriptions are shown in Table 6.
Table 6: Frequency Index definitions for Risk Ranking Matrix (adapted from DNV, 2002)
This table was developed for marine vessels, assuming an average ship life span of 25 years. A pattern can be seen between the definitions and frequencies. For each difference of a factor of 10 in the F values, the definition also changes by a factor of 10. It can therefore be deduced, for example, that an F value of 10^-2 occurrences/ship-year is equivalent to “likely to occur once per year in a fleet of 100 ships”. This results in a relation of qualitative descriptions with quantitative probabilities. The relation of these two descriptions requires a base point. The frequency 10^-2 occurrences/installation-year was used. This is defined by the frequency index as “likely to occur once per year in a fleet of 100 ships”, or “100% chance of occurring in the life of four similar ships”. Using the basis of 25 ship-years per ship lifetime from the frequency index, this second definition can be alternately expressed as a 100% chance of occurring in 100 ship-years. Dividing both of these values by the number of ships leaves a 25% chance of occurring in 25 ship-years (i.e. the life of one ship). The result is that a 10^-2 occurrence/installation-year frequency is equivalent to a HEP of 0.25. This frequency was also related to frequency D in the ISO standard 17776 risk matrix. Therefore, an error that has occurred several times per year in the operating company is equivalent to a HEP of 0.25. By the same process, frequency C is equivalent to a frequency of 10^-3 occurrences/installation-year, or the description “has occurred in operating company”.
The risk matrix is divided into three separate regions: the intolerable region, the tolerable only if risks are as low as reasonably practicable (ALARP) region, and the management for continued improvement region. If a muster step is found in the first region, the risk is too high to allow without reduction measures, regardless. If it is in the second region, only by showing that efforts have been made to reduce the risk and it is no longer practical to further reduce it will it be tolerated. This follows the ALARP principle. The third region shows risks that are broadly acceptable in operations and should be improved upon if it is found to be practical. Cost-benefit analysis can be used as a tool in determining practicability (DNV, 2002). Based on these tolerability criteria, HEP ranges for each region of the risk matrix were determined for each consequence severity value. The risk matrix, combined with the consequence tables and evaluated HEPs for each muster step, show where further safety efforts should be directed. The developed risk matrix is shown below in Figure 2. The matrix is divided into three colour-coded categories.
Figure 2: Human Error Risk Matrix [rows: HEP ranges 0.001-0.01, 0.01-0.1, 0.1-0.5 and 0.5-1; columns: Consequence Rating 1 to 4; colour categories: Monitor for continued improvement, Incorporate risk reducing measures, Intolerable]
The category ranges were adapted from the ISO 17776 standard risk matrix (DNV, 2002). Consequence severities 4 and 5 were amalgamated from the ISO 17776 risk matrix into severity 4 of the Human Error risk matrix, with an adjustment in tolerability. Frequency B in the ISO 17776 risk matrix was taken to be intolerable for a consequence severity of 4 in the present risk matrix. In other words, it is taken as intolerable that a fatality or wet evacuation has a frequency of occurrence of several times per year in industry. This also translates to a HEP of 0.0025 or higher falling in the intolerable region. This falls in the HEP range 0.001-0.01 in the Human Error risk matrix. This entire region is therefore taken to be intolerable for a consequence severity of 4 as an added safety measure. In a similar fashion, the ISO standard 17776 risk matrix sets the boundary between the intolerable and risk reduction regions for consequence severity 3 as frequency C, translated to a HEP of 0.025. Again, the entire HEP range of 0.01-0.1 is considered to be in the risk reduction area.
Muster step 6 of the gas release muster initiator will be evaluated as an example. From DiMattia (2004), the HEP for this step in a specified gas release scenario is taken as 0.0782. The overall consequence rating from this step in Table 3 is 4. This combination falls in the intolerable range of the human error risk matrix, as seen in Figure 3.
Figure 3: Example-Muster step 6 of gas release scenario [risk matrix with rows: HEP ranges 0.001-0.01, 0.01-0.1, 0.1-0.5 and 0.5-1; columns: Consequence Rating 1 to 4]
The ideal response is to introduce safety measures that move the risk one category to the left and one category upwards in the risk matrix, or two categories left, into the broadly acceptable region. The severity of the consequence at least must be reduced. Examining Table 3 reveals that the severity of 4 comes from the effect on the muster initiator. Therefore adequate safety measures must be introduced to reduce the effect of failure to complete this step on the muster initiator to a value of 3 or less as a first step. To further reduce the consequences, all three of effect on health, muster initiator and egress must be addressed. Alternatively, for the second risk reduction, safety measures could be introduced to lower the probability of human error to below 0.01. Either of these methods as a second step would bring the risk into the broadly acceptable region. Any combination of methods to move the risk of human error from an intolerable or reduce risk region into a broadly acceptable region is acceptable. Management in industry can use cost-benefit analysis to determine the most appropriate pathway in reducing risk.
Conclusion
The tables presented in this paper are part of a model for human factors assessment of emergency situations on offshore installations. These tools can reveal a picture of the risks associated with emergency situations and how to reduce them. Incident investigations from industry and incident reports from several databases, including WOAD, were used. While these results are taken from past experiences in industry, a more rigorous analysis may be possible with focus on reporting improvements of muster drill results from a human error perspective. Incident report databases provided the necessary information for the man overboard muster initiator. These reports, however, did not have the same level of detail as the incident investigations used for the gas release and fire and explosion muster initiators. There was much less detail in the incident reports than in the incident investigations. An improvement in the muster drill reporting system would significantly increase the quality of data available for consequence analysis. Further work will yield a feedback protocol for choosing the most effective safety measures and re-evaluating the risk for each muster step.
References
DiMattia, D., Human Error Probability Index for Offshore Platform Musters, PhD Thesis (2004), Dalhousie University.
DNV. 2002. “Marine Risk Assessment” (Report OTO 2001 063, UK Health and Safety Executive).
DNV. 2007. “Accident Statistics for Fixed Offshore Units on the UK Continental Shelf 1980-2005” (Report RR 566, UK Health and Safety Executive).
DNV. 2007a. “Accident Statistics for Floating Offshore Units on the UK Continental Shelf 1980-2005” (Report RR 567, UK Health and Safety Executive).
Moan, T. et al. 1981. "The Alexander L. Kielland Accident" (Report NOU 1981:11, Norwegian Public Reports).
Robertson, D.H. and Wright, M.J. 1997. "Ocean Odyssey Emergency Evacuation: Analysis of Survivor Experiences" (Report OTO 96 009, UK Health and Safety Executive).
US Coast Guard. 1983. "Marine Casualty Report-Mobile Offshore Unit (MODU) OCEAN RANGER" (Report USCG 0001 HQS 82, US Coast Guard).
Vinnem, Jan E., Offshore Risk Assessment, 2nd ed. 2007. (The Netherlands: Kluwer Academic Publishers), 77-116.
Appendix 8
8th World Congress of Chemical Engineering Presentation (please see separate file)
Appendix 9
Safety Science Publication (please see separate file)
Appendix 10
44th Annual Loss Prevention Symposium Paper
GCPS 2010 __________________________________________________________________________
A Framework for Human Error Analysis of Emergency Situations
Travis Deacon* and Paul Amyotte
Department of Process Engineering and Applied Science
Dalhousie University
1360 Barrington St., Halifax, NS B3J 2X4
Faisal Khan and Scott MacKinnon
Faculty of Engineering and Applied Science
Memorial University
St. John's, NL A1B 3X5
*Author to whom correspondence should be directed.
Prepared for Presentation at American Institute of Chemical Engineers
2010 Spring Meeting 6th Global Congress on Process Safety
44th Annual Loss Prevention Symposium San Antonio, Texas March 22-24, 2010
Copyright © 2010 by Paul R. Amyotte, Dalhousie University.
All rights reserved.
January 2010 UNPUBLISHED
AIChE shall not be responsible for statements or opinions contained
in papers or printed in its publications.
Keywords: Human factors, Offshore emergencies, Risk analysis
Abbreviations
ALARP As Low As Reasonably Practicable
ARAMIS Accidental Risk Assessment Methodology for Industries
EER Escape, Evacuation and Rescue
FRC Fast-Rescue Craft
GEP Generic Error Probability
HAZOP Hazard and Operability study
HEART Human Error Assessment and Reduction Technique
HEP Human Error Probability
HRA Human Reliability Analysis
HTA Hierarchical Task analysis
LC Level of Confidence
OIM Offshore Installation Manager
OSC On-Scene Commander
POB Personnel On Board
PSF Performance-Shaping Factor
QRA Quantitative Risk Assessment
SAR Search And Rescue
SBV Stand-By Vessel
SLIM Success Likelihood Index Methodology
TEMPSC Totally Enclosed Motor Propelled Survival Craft
TSR Temporary Safe Refuge
Abstract
A framework is presented to identify and evaluate the risks of critical steps in the escape, evacuation and rescue process on offshore installations. A combination of expert judgment techniques and major incident investigations from industry were used to evaluate the risk for the escape and evacuation stages. Risk reduction is also included in this framework via a separate risk assessment technique. This framework can be applied to emergency preparedness for several industries. Dependency and overall time to complete the EER process were not analyzed in this work. Many of the potential safety barriers identified in the framework require further research in order to be incorporated in the risk reduction stage.
1. Introduction
Human beings make errors. When these errors are made in one of the world’s harshest work environments, the consequences can be devastating. But human error can be prevented by accounting for its likelihood of occurrence. And if, in spite of our best attempts, a human error still occurs – the severity of the resulting consequences can be reduced. The risk of human error can thus be significantly lowered, but only by acting on the belief that human errors are rooted in the science of human factors. Essentially, this means that we must design our workplaces and their attendant procedures with the actions of human beings foremost in our minds. This requirement is arguably at its most critical level during emergency situations when the potential for human error and the severity of the possible consequences are at their greatest. The research undertaken is aimed at enhancing the safety of offshore oil and gas operations in Atlantic Canada and eventually worldwide. The scope of the research is emergency scenarios which necessitate taking action to ensure successful personnel evacuation, survival and rescue in response to various initiating events. This is known as the emergency escape, evacuation and rescue (EER) process. The focal point of the research is the quantitative determination of the probability and consequences of human error during these emergency actions. Previous research by the research team has resulted in a quantitative framework for the escape phase. The current research focuses on the evacuation phase with an introduction to the rescue phase. The end-result of the research is an engineering tool designed to employ these human error data in making objective decisions concerning facility design improvements from a human factor perspective. To date, a list of the steps that personnel must complete during the evacuation and rescue phases has been developed. Also, an analysis of the consequences of human error during the evacuation phase has been developed to show failure modes, potential consequences and their severities and a hierarchical view of useful safety measures. This will improve the focus of risk assessment and reduction on offshore facilities, as recommended by Gurpreet and Kirwan [1].
The escape phase of EER is defined as the time of the initiating event (collision, man overboard, hydrocarbon release, severe list, etc.) to the time of registration at the muster station, or temporary safe refuge (TSR). The evacuation phase begins upon decision of the offshore installation manager (OIM) to evacuate, or upon any individual decision to evacuate the platform. It ends when the individual in question achieves reasonable distance from the platform. The rescue phase is identified as the period of retrieval of individuals from the installation, evacuation equipment or the sea. It is helpful to note that these phases can experience an overlap. For example, rescue operations may retrieve individuals from a sea evacuation before they have had a chance to achieve a reasonable distance from the installation.
The steps involved in the risk assessment and reduction methodology described herein are as follows:
1. Task analysis
2. Scenario identification
3. Human error probability calculation
4. Consequence severity evaluation
5. Procedural hazard and operability study (HAZOP) of steps
6. Determination of tolerability of risk via risk matrix
7. Evaluation of required reliability via risk graph
8. Selection and evaluation of safety barriers
9. Bow-tie analysis
The steps are shown as a flowchart in Figure 1.
2. Task and scenario analysis
The first step of the framework is to break the main goal into the more detailed steps required to achieve this goal. The second step is to identify a range of emergency situations and choose reference scenarios that encompass this range.
2.1 Task analysis
Task analysis is the identification of the steps that personnel on board (POB) must complete during an emergency. This was done through hierarchical task analysis (HTA). In HTA, the main goals are identified and broken down into smaller steps. In this case, the main goals are:
Escape danger (Muster phase)
Evacuate installation (Evacuation phase)
Rescue POB (Rescue phase)
These phases are further divided into steps that can be evaluated from a human performance perspective. The steps give greater detail about the main goals and can still be evaluated in terms of risk. The probability of human error and plausible consequences can be identified for each step. Safety measures, herein referred to as safety barriers, that reduce the risk for individual steps can also be identified. The probability of human error, combined with the probability of failure on demand for the individual safety barriers, is the probability of failure on demand for a specific step. Figure 2 shows the evacuation and rescue steps identified through hierarchical task analysis. Escape steps have been analyzed by DiMattia [2] and Deacon et al. [3]. The escape phase is not analyzed in detail in the current work.
2.2 Scenario identification
Once the emergency steps are identified, a set of emergency scenarios representing a wide range of plausible situations must be defined. These scenarios include information on performance-shaping factors (PSFs). PSFs are factors that influence the probability of human error for any given step. Examples include operator experience, weather conditions, time of day and individual stress level.
2.2.1 Escape scenarios
Escape scenarios have been defined by DiMattia [2]. Three different escape initiators are used, ranging in severity of consequences. The escape initiators identified were ‘man overboard’, ‘hydrocarbon release’ and ‘fire and explosion’. For each of these initiators, a detailed scenario was identified, incorporating the time of day, the experience of the operator in question, the location of the operator in question relative to the event that led to escape initiation, and the job of the operator at the time of the escape alarm. These three escape initiators with their respective scenarios were used to determine HEPs for each escape step and scenario.
Figure 1: Flowchart of risk assessment framework. [Flowchart boxes: Identify Steps; Choose Scenario; Choose Step; Calculate HEP; Assign Consequence Severity; Combine in Risk Matrix; Is Risk ALARP? (Yes/No); Determine Frequency of Exposure & Potential to Avoid Damage; Use Risk Graph to Determine Required LC; Choose Safety Barriers and Determine LCs; Build Bow-tie and Determine Overall LC; Analysis Complete? (Yes/No)]
2.2.2 Evacuation scenarios
Evacuation scenarios are given in Table 1. A man overboard incident does not lead to evacuation of an installation; therefore another incident, collision or impending collision, is analyzed instead. The collision of a platform with a vessel, large object, land, etc. or the impending collision is a scenario that can lead to platform evacuation. The scenarios in Table 1 are used to determine evacuation step human error probabilities (HEPs). As visibility and sea conditions have a significant effect on individual performance during evacuation, the weather and time of day are specified for each scenario. The experience of the operator in question for each scenario is also specified.
3. Human error probability calculation
The most accurate method to determine HEPs is to identify the number of times a failure has occurred while performing the EER step in question and divide it by the total number of times the step has been performed. Unfortunately data does not exist to this extent. HEPs are therefore determined using expert judgment techniques. Escape and evacuation HEPs are discussed. Rescue phase HEPs are not explored in the current work.
3.1 Escape HEPs
Escape step HEPs were evaluated by DiMattia [2] using the success likelihood index methodology (SLIM). This is an expert judgment technique that draws from the expertise of several judges. Several PSFs are determined by a panel of judges. The PSFs include stress, experience, atmospheric factors (weather, time of day, etc.), event factors (initiating event, operator’s location, etc.), level of training and the complexity of the task. These PSFs are then rated in terms of their impact on the escape step and scenario.
3.2 Evacuation HEPs
The current work evaluates evacuation HEPs using the human error assessment and reduction technique (HEART). The expert judgment in HEART occurs across three stages. The generic error probability (GEP) of a step is determined. This is the probability that a human error will occur given ‘perfect’ conditions (i.e. no influence of PSFs). Second, relevant PSFs are chosen from a list of 17 possible PSFs in HEART. These PSFs have an associated maximum effect on the probability of error. Finally, the percentage of the maximum effect of the PSF is chosen. The latter two stages combine to determine the overall effect of the PSFs on the GEP. For each step, one GEP and zero to three PSFs are chosen. The inclusion of PSFs into the risk assessment allows for risk assessment of a specific work site and situation. The use of generic data is a common pitfall in risk assessment. If a generic risk assessment is performed, efforts must be made to ensure that the risk assessment encompasses all hazards of each site and job of the facility. Also, this assessment must be validated [4]. While generic assessments can be used as a preliminary study of risk, the framework presented in Figure 1 is designed to be site-specific.
1.0 Prepare to evacuate
    1.1 Check wind speed, direction and sea state
    1.2 Instruct personnel and maintain control
    1.3 Issue sea sickness tablets
2.0 Evacuate installation – do one of 2.1-2.5, priority in descending order
    2.1 Evacuate via bridge link
    2.2 Evacuate via helicopter
        2.2.1 Move to helideck
        2.2.2 Establish communication with pilot
        2.2.3 Instruct personnel on boarding procedure
        2.2.4 Board helicopter
        2.2.5 Don flight suit, aviation life jacket and secure seatbelt
    2.3 Evacuate via TEMPSC (totally enclosed motor propelled survival craft)
        2.3.1 Ensure sea worthiness of TEMPSC
        2.3.2 Check compass heading/direction to steer craft
        2.3.3 Turn helm fully to clear installation on launch
        2.3.4 Ensure drop zone is clear
        2.3.5 Instruct personnel on boarding procedure
        2.3.6 Fasten seat belt
        2.3.7 Ensure everyone is secure
        2.3.8 Start air support system
        2.3.9 Close and secure all hatches
        2.3.10 Call command centre/launch master/other lifeboats to confirm launch sequence
        2.3.11 Release falls/confirm auto-release
        2.3.12 Launch TEMPSC
        2.3.13 Engage forward gear and full throttle
        2.3.14 Steer TEMPSC at vector from platform to rescue area
    2.4 Evacuate by life raft
        2.4.1 Move to life raft muster station
        2.4.2 Ensure seaworthiness of life raft
        2.4.3 Secure painter to a strong point
        2.4.4 Check for life raft instructions and number of personnel accommodated
        2.4.5 Launch life raft
        2.4.6 Board life raft
        2.4.7 Cut painter
        2.4.8 Paddle clear of danger
        2.4.9 Stream anchor
        2.4.10 Maintain sea worthiness of life raft
        2.4.11 Look for TEMPSC, FRC, other life raft or overboard survivors
        2.4.12 Attach painter to other life raft or tow craft
    2.5 Escape directly to sea
        2.5.1 Ensure survival suit properly sealed, lifejacket fastened
        2.5.2 Move to lowest nearby platform
        2.5.3 Assess direction of waves, danger and airborne contaminants
        2.5.4 Jump away from platform, feet first, avoiding platform legs
        2.5.5 Swim along side of platform
        2.5.6 Look for other overboard survivors and rescue opportunities
3.0 Initiate search and rescue (SAR)
    3.1 Appoint on-scene commander (OSC)
    3.2 Monitor and coordinate SAR
    3.3 Locate and rescue survivors
        3.3.1 Rescue by helicopter
        3.3.1 Rescue by stand-by vessel (SBV)
        3.3.2 Give medical attention
Figure 2: HTA of evacuation and rescue steps.
Table 3: Evacuation scenarios.
| Detail | Evacuation Scenario: Collision | Evacuation Scenario: Gas Release | Evacuation Scenario: Fire & Explosion |
| --- | --- | --- | --- |
| Situation | A jack-up rig collides with a fixed installation during approach; significant damage to platform leg. | A hydrocarbon gas release | A fire and explosion |
| Operator in question | 15 years experience | 7 years experience | 6 months experience |
| Weather | Good weather, calm seas | Cold, wet weather | Winter storm |
| Time of day | Daylight hours | Daylight hours | Night time hours |
HEART is designed for efficiency of resources, requiring only one expert judge to perform the analysis [5]. In the current work, HEART was adapted into a survey and sent to several expert judges. This was done to determine the precision of HEART when examining different steps. Validation of HEART can be undertaken by case studies and comparisons with generic HEP databases. A generic HEP feasibility study by Gurpreet and Kirwan [1] has resulted in the collection of offshore activity HEPs, including those for lifeboat evacuation procedures. These HEPs are generic in nature but provide an estimate of what the HEP should be. For HEART to be validated, the HEART HEPs must be close to those found in the study. It can be anticipated that the HEART-evaluated HEPs will be more conservative than those found in the feasibility study [1]. There is also potential to use the generic HEP data as a calibration tool for assessors [6].
4. Consequence analysis
Risk is a function of the probability of failure on demand and the consequences of failure. Along with the HEPs for each step, the consequences of human error of each step must be identified by their level of severity. Two types of analysis are presented: a consequence analysis, for use with HEPs to determine tolerability of risk, and a procedural HAZOP to determine how errors may occur and to aid in choosing proper risk reduction measures.
4.1 Consequence Severity Evaluation
The lack of human error data on emergency drills on offshore installations prevents a quantitative consequence analysis. Investigation reports and public inquiries of major incidents, incident reports from the UK continental shelf and previous research [7] provided the data for consequence analysis in the current work. Incident reports proved useful for man overboard muster initiators. Major incident investigations provided the consequence data for the gas release and fire and explosion muster initiators as well as the evacuation consequences. A study released by the UK Health and Safety Executive [7] also provided data for the evacuation consequences. It is noted that during the escape phase, consequences of failure are dependent on both the escape step and the escape initiator. This is due to the exposure to the immediate danger of the initiator. In the evacuation phase, distance has been achieved between the initiator and the individual and the immediate danger becomes the sea itself. Thus, consequence severities are different for each escape scenario and identical for each evacuation scenario. Consequences are evaluated on a severity level from 1 - 4, 1 indicating lowest and 4 indicating highest severity. Table 2 shows the consequence category descriptions for the escape phase [3], as adapted from DiMattia [2].
Table 4: Consequence categories and descriptions.
| Severity | Health | Egress | Muster Initiator | Other POB |
| --- | --- | --- | --- | --- |
| 1 | Zero Injury | Zero delay | Zero effect | Zero effect |
| 2 | Likely to result in minor injury | Slightly delays reaching TSR or completing TSR actions | Raises muster initiator to level that causes minor delays in reaching TSR | Slightly to moderately delays others from reaching TSR or completing TSR actions |
| 3 | Likely to result in major injury | Moderate delays reaching TSR or completing TSR actions | Raises muster initiator to level that causes moderate to long delays in reaching TSR | Prevents others from reaching TSR or completing TSR actions |
| 4 | Likely to result in fatality | Prevents reaching TSR or other safe refuge | Raises muster initiator to level where muster is no longer possible | Prevents others from having a dry evacuation |
Table 2 also applies to the evacuation phase, although only the health and egress categories are explored, where ‘reaching TSR’ is replaced with ‘reaching rescue area’.
In order to reduce the consequence severity of a step in the evacuation phase, measures must be introduced that will lower the severity of harm to the individual in question. For the escape phase, the overall consequence severity is equal to the highest severity of the four categories. In order to reduce the consequence severity for the escape phase, the category (or categories) of highest severity must be reduced through safety barriers. A portion of the consequence table is shown in Table 3. Included are references to the investigations that provide the data for the consequence severity of each step.
4.2 Procedural HAZOP of steps
A validation exercise was performed by Kirwan [6] using HEART to assess the HEPs for 10 tasks. It was determined that different expert judges can arrive at similar HEPs using different GEP/PSF combinations. This observation shows that while the overall HEP is determined, the HEP assessment itself does not provide enough information for a fault tree [6]. A procedural HAZOP is required to ensure that all failure modes for each step are identified. A procedural HAZOP was performed for each phase. Failure modes and their descriptions for each step, as well as potential safeguards, were identified. The procedural HAZOP for the escape phase steps is a modification of work by DiMattia [2]. The procedural HAZOP for the evacuation phase steps is a modification of work by Kennedy [7].
Table 5: Evacuation steps for totally enclosed motor propelled survival craft (TEMPSC) evacuation.
| Evacuation Step | Severity | Reference |
| --- | --- | --- |
| 2.3.1 Ensure sea worthiness of TEMPSC | 4 | [7] (p. 30) |
| 2.3.2 Check compass heading/direction to steer craft | 2 | [7] (Appendix B); [8] (p. 13) |
| 2.3.3 Turn helm fully to clear installation on launch | 2 | [7] (Appendix B) |
| 2.3.4 Ensure drop zone is clear | 4 | [7] (Appendix B) |
| 2.3.5 Instruct personnel on boarding procedure | 2 | [7] (Appendix B) |
| 2.3.6 Fasten seat belt | 2 | [7] (Appendix B) |
| 2.3.7 Ensure everyone is secure | 2 | [6] (Appendix B) |
| 2.3.8 Start air support system | 3 | [7] (Appendix B); [8] (p. 14) |
| 2.3.9 Close and secure all hatches | 4 | [7] (Appendix B); [9] (p. 124) |
| 2.3.10 Call command centre/launch master/other lifeboats to confirm launch sequence | 4 | [9] (p. 133) |
| 2.3.11 Release falls/confirm auto-release | 4 | [7] (Appendix B); [10] (p. 83); [11] (p. 162) |
| 2.3.12 Launch TEMPSC | 4 | [9] (p. 124) |
| 2.3.13 Engage forward gear and full throttle | 4 | [7] (Appendix B); [11] (p. 162) |
| 2.3.14 Steer TEMPSC at vector from platform to rescue area | 4 | [7] (Appendix B); [11] (p. 162) |
In both cases, safeguards are re-organized into two types: prevention barriers and mitigation barriers. Prevention barriers are measures that reduce the probability of a human error occurring, while mitigation barriers reduce the consequence severity of a human error. Safeguards are also organized in terms of the hierarchy of controls [12]. This is useful for determining the reliability of safeguards at a later stage. Table 4 shows a procedural HAZOP analysis for one of the evacuation steps.
Table 6: Procedural HAZOP for evacuation step 2.3.4 (Ensure drop zone is clear).
Failure Mode: Check omitted
    Description: Coxswain omits or forgets to check for debris in the water
Failure Mode: Check mistimed
    Description: Coxswain makes check too early or too late, leaving time for debris to float over or forcing the boat to be committed to the launch
Consequences: Delayed evacuation; Capsize of/hole in boat; Injury/death
Prevention Barriers:
    Active Engineered: Lights to illuminate drop zone during low visibility
    Procedural: Warning prompt at helm of TEMPSC; Training/drills that require verbalizing state of drop zone and delaying or aborting launch
Mitigation Barriers:
    Passive Engineered: Boats constructed to withstand severe impacts and absorb shock
5. Risk Reduction
The next stage of the framework presented in Figure 1 is the risk reduction stage. The overall risk of each EER step is determined by combining the HEPs and consequence severities in a risk matrix. A risk graph is then used to determine a minimum reliability that incorporated safety barriers should have for each step. The procedural HAZOP is used to identify potential prevention or mitigation barriers. These barriers are evaluated to determine if they can be assigned a mathematical reliability. Safety barriers must have a proven record in industry to be assigned a mathematical reliability. Finally, any identified prevention and mitigation barriers with an associated reliability are incorporated into a bow-tie model. The result is an overall picture of the risk, including the effects of safety barriers. The probability of failure on demand of the step is the combination of the HEP and mathematical reliability of any safety barriers that affect that step.
5.1 Risk Matrix
The risk matrix, shown in Figure 3, is a tool that combines the probability of failure on demand and the consequence severity of a step to determine the tolerability of the risk. Tolerability criteria are embedded in the risk matrix to classify a step in one of three risk regions. The ‘broadly acceptable’ region is a risk region where no further risk reduction measures are required. The ‘tolerable if as low as reasonably practicable (ALARP)’ region follows the ALARP principle. If a risk is in this region and it has been shown through cost-benefit analysis that it is not practical to further reduce the risk, it is considered tolerable. If further measures can be introduced practically, then the risk should be reduced [13]. Risks in the ‘intolerable’ region must be reduced.
[Figure 3 is a matrix with axes Probability (0.001-0.01, 0.01-0.1, 0.1-0.5, 0.5-1) and Consequence Rating (1, 2, 3, 4). Each cell falls in one of three regions: monitor for continued improvement (broadly acceptable); incorporate risk reducing measures (tolerable if ALARP); intolerable.]
Figure 3: Risk matrix.
An example is step 3 of the escape phase, ‘act accordingly’. This step identifies the importance of maintaining composure during an emergency. From DiMattia [2], the HEP, or probability of failure on demand, for escape step 3 in a fire and explosion scenario is estimated to be 0.448. From Deacon et al. [3], the consequence severity for a human error during escape step 3 is 4. The risk is therefore in the ‘intolerable’ region of Figure 3 and must be reduced.
5.2 Risk Graph
Many human reliability analysis (HRA) techniques have within them a basic risk reduction mechanism. However, validation studies [6] have suggested that a separate technique be used for the risk reduction stage. Often HRA techniques do not have comprehensive or user-friendly risk reduction mechanisms. A second technique, the accidental risk assessment methodology for industries (ARAMIS) [14], is used in the current framework to identify risk reduction measures.
ARAMIS uses a risk graph to determine the level of risk reduction required. This risk reduction is associated with the reliability of any barriers incorporated. Four factors are used to determine the required reliability of barriers:
Consequence severity (C)
Frequency of exposure to risk (F)
Potential to avoid damage (D)
Probability (P)
Consequence severity is determined from the consequence table, and human error probability is determined from HEART. The value F is either F1 (exposure to risk is less than 10% of operating time) or F2 (exposure to risk is more than 10% of operating time). For the current study, all steps are considered to be category F1, assuming that emergency situations occur less than 10% of the facility’s operating time. The potential to avoid damage depends on the particular step. If there is time to correct an error or achieve distance from the consequence, category D1 is used. Otherwise, category D2 is used. Using these four factors and the risk graph shown in Figure 4, the reliability of safety barriers is determined. This is a mathematical reliability known as the level of confidence (LC). A reliability of 1 will reduce the risk by a factor of 10; a reliability of 2 will reduce the risk by a factor of 10^2 = 100, etc. The LC ranges from 1 to 4, or is identified as ‘a’. An LC of ‘a’ indicates that safety barriers should be introduced but are not required to have a mathematical reliability.
For example, escape step 3 for a fire and explosion scenario is in categories C4 and F1 of Figure 4. It was determined by Deacon et al. [3] that for escape step 3, there is time to correct an error and avoid the consequence. Therefore category D1 is used. This leads to line X4 of the risk graph and, combined with a HEP of 0.448, leads to a total required LC of 2 for safety barriers incorporated to reduce the risk of individuals’ loss of composure.
[Figure 4 is a branching graph that starts at ‘risk analysis’ and passes through consequence severity (C1 to C4), frequency of exposure (F1, F2) and potential to avoid damage (D1, D2) to output lines X1 to X6; the branches are not reproduced here. The required LC for each output line and human error probability column is:]
Human Error Probability | 0.1-1 | 0.01-0.1 | 0.001-0.01 | <0.001
 | 1 | 2 | 3 | 4
 | P1 | P2 | P3 | P4
X1 | --- | --- | --- | ---
X2 | a | --- | --- | ---
X3 | 1 | a | --- | ---
X4 | 2 | 1 | a | ---
X5 | 3 | 2 | 1 | a
X6 | 4 | 3 | 2 | 1
Figure 4: Risk graph.
5.3 Safety Barriers
For a prevention or mitigation barrier to be incorporated into the bow-tie, it must meet certain minimum requirements as defined in the ARAMIS user guide [14]:
Components of safety barriers must be independent from regulation systems (common failures of safety and regulation systems are not acceptable); this criterion is applicable in the case of two systems in place for the same function.
Design of the barriers must be made in compliance with codes and standards, and design must be adapted to the characteristics of the substances and the environment.
Barriers must be of a “proven” concept; i.e. the concept is well known (experienced). Otherwise, it may be necessary to perform on-site tests to determine the quality of the barrier.
Barriers must be tested with a defined frequency. This frequency will be based on the experience of the operators or suppliers.
Barriers must have a schedule of preventative maintenance.
These criteria are used to determine if a potential safety barrier is relevant in the system and can be assigned an LC. If a potential barrier exists but is not a proven concept, further testing can be done to determine a mathematical reliability for the barrier in question.
5.4 Bow-Tie Analysis
A bow-tie is a risk assessment method that uses a fault tree and an event tree centered on a common critical event. A fault tree identifies a critical event and its potential causes (failure modes). An event tree identifies a critical event and the pathway to potential consequences. In the framework presented in Figure 1, the critical event is the failure to complete an EER step. The probability of the critical event is the probability of failure on demand of the step. Failure modes for the fault tree are identified in the procedural HAZOP. Because there is no data for the probability of each failure mode occurring, safety barriers incorporated must have a risk reducing effect on all failure modes for that step. Figure 5 is an example of a bow-tie using escape step 3, ‘act accordingly’, for a fire and explosion scenario.
[Figure 5 is a bow-tie diagram. Failure modes: No, Late, More, Before/After. Safety barrier: Training, LC = 1. Critical event: Fail Step 3, probability = 0.448*10^-1 = 0.0448. Consequence: 4.]
Figure 5: Bow-tie for escape step 3, ‘act accordingly’.
The four failure modes for this step are shown on the left of Figure 5. The probability of failure on demand of this step (the HEP) is 0.448. A safety barrier that would be effective in this case is a training barrier [3], with an LC of 1. The revised probability of failure on demand is now 0.448*10^-LC = 0.448*0.1 = 0.0448. The new HEP/consequence severity combination is still in the ‘intolerable’ region of the risk matrix. The risk graph has identified a required LC of 2; therefore additional safety measures should be incorporated.
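The risk-graph lookup and bow-tie reduction worked through above, as an added Python example (not code from the paper). Assumptions: the lower bound of each probability band is inclusive, the LCs of independent barriers add, and the output line (X4 for escape step 3) is supplied by the analyst because the C/F/D branches of Figure 4 are not encoded here.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

LC = Union[int, str, None]  # 1-4, 'a', or None for '---' (no barrier required)

# Lower bounds of the probability columns in Figure 4
# (0.1-1, 0.01-0.1, 0.001-0.01, <0.001). Inclusive bounds are an assumption.
_BAND_FLOORS = (("P1", 0.1), ("P2", 0.01), ("P3", 0.001))
_COLUMNS = ("P1", "P2", "P3", "P4")

# Required LC per output line, transcribed from Figure 4 on this page.
_ROWS = {
    "X1": (None, None, None, None),
    "X2": ("a", None, None, None),
    "X3": (1, "a", None, None),
    "X4": (2, 1, "a", None),
    "X5": (3, 2, 1, "a"),
    "X6": (4, 3, 2, 1),
}


def probability_band(hep: float) -> str:
    """Map a human error probability to its column P1..P4."""
    if not 0.0 < hep <= 1.0:
        raise ValueError("HEP must be in (0, 1]")
    for band, floor in _BAND_FLOORS:
        if hep >= floor:
            return band
    return "P4"


def required_lc(line: str, hep: float) -> LC:
    """Required level of confidence for an output line and an unmitigated HEP."""
    if line not in _ROWS:
        raise KeyError(f"unknown risk graph line: {line}")
    return _ROWS[line][_COLUMNS.index(probability_band(hep))]


@dataclass
class StepAssessment:
    required: LC        # from the risk graph
    achieved: int       # sum of LCs of barriers that have one
    revised_pfd: float  # HEP * 10^-achieved
    shortfall: int      # LC still missing (0 when the requirement is met)
    adequate: bool


def assess_step(line: str, hep: float,
                barriers: List[Tuple[str, Optional[int]]]) -> StepAssessment:
    """barriers: (name, lc) pairs; lc is None for a barrier that does not
    meet the ARAMIS criteria and so has no mathematical reliability."""
    rated = [lc for _, lc in barriers if lc is not None]
    if any(not isinstance(lc, int) or not 1 <= lc <= 4 for lc in rated):
        raise ValueError("a barrier LC must be an integer from 1 to 4")
    achieved = sum(rated)  # assumption: independent barriers, LCs add
    revised = hep * 10.0 ** (-achieved)
    need = required_lc(line, hep)
    if need is None:
        shortfall, adequate = 0, True
    elif need == "a":
        # Any barrier satisfies 'a'; no mathematical reliability is required.
        shortfall, adequate = 0, len(barriers) > 0
    else:
        shortfall = max(0, need - achieved)
        adequate = shortfall == 0
    return StepAssessment(need, achieved, revised, shortfall, adequate)


if __name__ == "__main__":
    # Escape step 3, fire and explosion: line X4, HEP 0.448, training LC 1.
    print(assess_step("X4", 0.448, [("training", 1)]))
```
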
6. Discussion
The process of risk assessment has been undertaken for the escape phase and is currently underway for the evacuation phase. Three scenarios are evaluated for each phase to encompass the full range of risk for the EER process. For risk reduction, only one scenario is analyzed for each phase of EER. The highest severity risk scenario for a given step is analyzed. Bringing the risk to a tolerable level for the highest severity scenario will have the same effect on the lower severity scenarios. It is noted that a training and procedures safety barrier is important for all steps. Indeed it may be the only barrier with an associated LC for some steps. However, as this is the least reliable barrier in terms of the hierarchy of controls, efforts should be undertaken to determine an LC for potential barriers identified in the procedural HAZOP. Steps are assumed independent from one another in this study and the overall time taken to achieve the goals of escape and evacuate is not analyzed. The time taken to evacuate a platform can be a critical factor depending on the structural stability [11]. It would be beneficial in future work to perform a dependency analysis.
While the scenarios studied in this undertaking are from the perspective of an offshore environment, this framework can be applied to various fields in industry. Onshore oil operations, nuclear power plants and chemical process facilities all have the potential for emergencies requiring site evacuation. While evacuation itself may simply involve running to achieve a safe distance from the emergency, escape of the facility and rescue operations are more complex. This framework provides a means to evaluate and reduce the risk for these industries as well.
7. Conclusion and Recommendations
This work presents a framework for human reliability analysis of emergency situations that can supplement a QRA. It is designed around offshore emergencies but can be used in various industries such as the nuclear and process industries. Dependency between steps and overall process time are not evaluated in this work. However, the overall time to achieve the main goals of escape, evacuate and rescue, as well as the effect of failure of one step on later steps, should be evaluated as a further study. These two factors may have a significant effect on the EER process. Furthermore, efforts should be made to ensure that more of the potential safety barriers identified in the procedural HAZOP meet the ARAMIS requirements and are incorporated into bow-tie analysis.
8. Acknowledgements
The authors gratefully acknowledge the financial support of Petroleum Research Atlantic Canada (PRAC), the Nova Scotia Department of Energy, and Pengrowth.
9. References
[1] Gurpreet, B. and Kirwan, B., “Collection of offshore human error probability data,” Reliability Engineering and System Safety, Volume 61, 1998.
[2] DiMattia, D. “Human error probability index for offshore platform musters,” PhD Thesis (2004), Dalhousie University.
[3] Deacon, T., Amyotte, P. and Khan, F., “Human error risk analysis in offshore emergencies,” Safety Science, manuscript submitted and under revision, 2009.
[4] Gadd, S., Keeley, D. and Balmforth, M., “Pitfalls in risk assessment: examples from the UK,” Safety Science, Volume 42, 2004.
[5] Williams, J.C., “Toward an improved evaluation tool for users of HEART,” Proceedings of the international conference on hazard identification, risk analysis, human factors and human reliability in process safety, Orlando, Florida, 15-17 January. AIChE-CCPS, New York, 1992.
[6] Kirwan, B., “The validation of three human reliability quantification techniques – THERP, HEART and JHEDI: Part III – Practical aspects of the usage of the techniques,” Applied Ergonomics, Volume 28, 1997.
[7] Kennedy, B., “A human factors analysis of evacuation, escape and rescue from offshore installations” (Report OTO 93 004, UK Health and Safety Executive), 1993.
[8] Robertson, D.H. and Wright, M.J., "Ocean Odyssey emergency evacuation: analysis of survivor experiences" (Report OTO 96 009, UK Health and Safety Executive), 1997.
[9] US Coast Guard., "Marine casualty report - mobile offshore unit (MODU) OCEAN RANGER" (Report USCG 0001 HQS 82, US Coast Guard), 1983.
[10] Vinnem, Jan E., Offshore Risk Assessment, 2nd ed. 2007. (The Netherlands: Kluwer Academic Publishers), 77-116.
[11] Moan, T., Næsheim, T., Øveraas, S., Bekkvik, P., Kloster, A., "The Alexander L. Kielland accident" (Report NOU 1981:11, Norwegian Public Reports), 1981.
[12] Amyotte, P., Goraya, A., Hendershot, D., Khan, F., “Incorporation of Inherent Safety Principles in process safety management”, Process Safety Progress, Volume 26, 2007.
[13] DNV, “Marine Risk Assessment” (Report OTO 2001 063, UK Health and Safety Executive), 2002.
[14] Anderson, H., Casal, J., Dandrieux, A., Debray, B., Dianous, V., Duijm, N., Delvosalle, C., Fievez, C., Goossens, L., Gowland, R., Hale, A., Hourtolou, D., Mazzarotta, B., Pipart, A., Planas, E., Prats, F., Salvi, O., Tixier, J., “ARAMIS user guide” (The European Commission Community Research), 2004.
Appendix 11
Master of Applied Science Thesis
Halifax, Nova Scotia May, 2010 © Copyright by Travis J.B. Deacon, 2010
HUMAN ERROR RISK ANALYSIS AND REDUCTION FOR OFFSHORE EMERGENCY SITUATIONS
by
Travis J.B. Deacon
Submitted in partial fulfillment of the requirements
for the degree of
MASTER OF APPLIED SCIENCE Major Subject: Chemical Engineering
at
Dalhousie University
DALHOUSIE UNIVERSITY
PROCESS ENGINEERING AND APPLIED SCIENCE
The undersigned hereby certify that they have read and recommend to the Faculty of
Graduate Studies for acceptance a thesis entitled “HUMAN ERROR RISK ANALYSIS
AND REDUCTION FOR OFFSHORE EMERGENCY SITUATIONS” by Travis J.B.
Deacon in partial fulfillment of the requirements for the degree of Master of Applied
Science.
Dated: May 19, 2010
Supervisor: _________________________________
Readers: _________________________________
_________________________________
_________________________________
_________________________________
DALHOUSIE UNIVERSITY
DATE: May 19, 2010
AUTHOR: Travis J.B. Deacon
TITLE: Human Error Risk Analysis and Reduction for Offshore Emergency Situations
DEPARTMENT OR SCHOOL: Department of Process Engineering and Applied Science
DEGREE: Master of Applied Science
CONVOCATION: October
YEAR: 2010
Permission is herewith granted to Dalhousie University to circulate and to have copied for non-commercial purposes, at its discretion, the above title upon the request of individuals or institutions.
_______________________________ Signature of Author
The author reserves other publication rights, and neither the thesis nor extensive extracts from it may be printed or otherwise reproduced without the author’s written permission. The author attests that permission has been obtained for the use of any copyrighted material appearing in the thesis (other than the brief excerpts requiring only proper acknowledgement in scholarly writing), and that all such use is clearly acknowledged.
TABLE OF CONTENTS
LIST OF TABLES
LIST OF FIGURES
ABBREVIATIONS
ACKNOWLEDGEMENTS
ABSTRACT
1 INTRODUCTION
1.1 Project Scope
1.2 Motivation for the Current Project
1.3 Project Objectives
2 HUMAN FACTOR RISK ANALYSIS
2.1 Human Reliability Analysis (HRA)
2.1.1 Task Analysis
2.1.2 Types of Error
2.1.3 Human Error Probability (HEP)
2.2 Expert Judgment
2.2.1 Success Likelihood Index Methodology (SLIM)
2.2.2 Human Error Assessment and Reduction Technique (HEART)
2.2.3 Technique for Human Error Rate Prediction (THERP)
2.3 Accidental Risk Assessment Methodology for Industries (ARAMIS)
2.4 Hazard and Operability Study (HAZOP)
2.5 Bow-Tie Method
2.5.1 Fault Tree (FT) Method
2.5.2 Event Tree (ET) Method
3 ESCAPE RISK ASSESSMENT
3.1 Human Error Probability
3.2 Consequence Analysis
3.2.1 Consequence Table
3.2.2 Procedural HAZOP
3.3 Risk Estimation
4 EVACUATION RISK ASSESSMENT
4.1 Human Error Probability
4.2 Consequence Analysis
4.2.1 Consequence Table
4.2.2 Procedural HAZOP
4.3 Risk Estimation
5 RESCUE RISK ASSESSMENT
6 RISK REDUCTION
6.1 Risk Graph
6.2 Safety Barriers
6.3 Case Study
7 CONCLUSIONS & RECOMMENDATIONS
7.1 Conclusions
7.2 Recommendations
REFERENCES
Appendix A Risk Matrices
Appendix B Expert Judgment Surveys
Appendix C Procedural HAZOP of Evacuation Tasks
Appendix D Bow-tie Graphs of Evacuation Tasks
LIST OF TABLES
2.1 Error types and performance levels
3.1 Escape phase HEPs
3.2 Consequence severity descriptions
3.3 Consequence severities for MO scenario (adapted from Deacon et al., 2010)
3.4 Consequence severities for GR scenario (adapted from Deacon et al., 2010)
3.5 Consequence severities for F&E scenario (adapted from Deacon et al., 2010)
3.6 Overall consequence severities (adapted from Deacon et al., 2010)
3.7 Procedural HAZOP for escape task 1, ‘detect alarm’ (Deacon et al., 2010)
3.8 Procedural HAZOP for escape task 15, ‘register at TSR’ (Deacon et al., 2010)
3.9 Risk level for escape phase tasks
4.1 Comparison of HEART and SLIM
4.2 GEP descriptions and associated values
4.3 EPC descriptions and associated values
4.4 Evacuation scenarios
4.5 Assessor GEP and EPC choices
4.6 Assessor HEP results
4.7 Consequence severity descriptions
4.8 Consequence severities
4.9 Procedural HAZOP for evacuation task 2.3.4, ‘ensure drop zone is clear’
4.10 Procedural HAZOP for evacuation task 2.3.14, ‘steer TEMPSC at vector from platform rescue area’
4.11 Risk level for evacuation tasks
6.1 Required LCs for escape phase tasks
6.2 LC requirements for evacuation tasks according to survey 1 HEP data set
6.3 LC requirements for evacuation tasks according to survey 2 HEP data set
6.4 Comparison of required LCs between HEP data sets
6.5 Evacuation safety barriers and their associated LCs
6.6 Design LCs compared with required LCs for each survey HEP data set
6.7 Summary of required, available and actual LCs on Ocean Odyssey
A.1 Frequency index definitions for risk ranking matrix (DNV, 2002)
C.1 Check wind speed, direction and sea state HAZOP (Step 1.1)
C.2 Instruct personnel and maintain control HAZOP (Step 1.2)
C.3 Issue sea sickness tablets HAZOP (Step 1.3)
C.4 Move to helideck HAZOP (Step 2.2.1)
C.5 Establish communication with pilot HAZOP (Step 2.2.2)
C.6 Instruct personnel on boarding procedure HAZOP (Step 2.2.3)
C.7 Board helicopter HAZOP (Step 2.2.4)
C.8 Don flight suit, aviation life jacket and secure seatbelt HAZOP (Step 2.2.5)
C.9 Ensure sea-worthiness of TEMPSC HAZOP (Step 2.3.1)
C.10 Check compass heading/direction to steer craft HAZOP (Step 2.3.2)
C.11 Turn helm fully to clear installation on launch HAZOP (Step 2.3.3)
C.12 Ensure drop zone is clear HAZOP (Step 2.3.4)
C.13 Instruct personnel on boarding procedure HAZOP (Step 2.3.5)
C.14 Fasten seat belt HAZOP (Step 2.3.6)
C.15 Ensure everyone is secure HAZOP (Step 2.3.7)
C.16 Start air support system HAZOP (Step 2.3.8)
C.17 Close and secure all hatches HAZOP (Step 2.3.9)
C.18 Call command centre/launch master/other lifeboats to confirm launch sequence HAZOP (Step 2.3.10)
C.19 Release falls/confirm auto-release HAZOP (Step 2.3.11)
C.20 Launch TEMPSC HAZOP (Step 2.3.12)
C.21 Engage forward gear and full throttle HAZOP (Step 2.3.13)
C.22 Steer TEMPSC at vector from platform to rescue area HAZOP (Step 2.3.14)
C.23 Move to life raft muster station HAZOP (Step 2.4.1)
C.24 Ensure sea-worthiness of life raft HAZOP (Step 2.4.2)
C.25 Secure painter to strong point HAZOP (Step 2.4.3)
C.26 Check for life raft instructions and number of personnel accommodated HAZOP (Step 2.4.4)
C.27 Launch life raft HAZOP (Step 2.4.5)
C.28 Board life raft HAZOP (Step 2.4.6)
C.29 Cut painter HAZOP (Step 2.4.7)
C.30 Paddle clear of danger HAZOP (Step 2.4.8)
C.31 Stream anchor HAZOP (Step 2.4.9)
C.32 Maintain sea-worthiness of life raft HAZOP (Step 2.4.10)
C.33 Look for TEMPSC, FRC, other life raft or overboard survivors HAZOP (Step 2.4.11)
C.34 Attach painter to other life raft or tow craft HAZOP (Step 2.4.12)
C.35 Ensure survival suit properly sealed, lifejacket fastened HAZOP (Step 2.5.1)
C.36 Move to lowest nearby platform HAZOP (Step 2.5.2)
C.37 Assess direction of waves, danger and airborne contaminants HAZOP (Step 2.5.3)
C.38 Jump away from platform, feet first, avoiding platform legs HAZOP (Step 2.5.4)
C.39 Swim along side of platform HAZOP (Step 2.5.5)
C.40 Look for other overboard survivors and rescue opportunities HAZOP (Step 2.5.6)
LIST OF FIGURES
1.1 Overview of thesis
1.2 Schematic for risk analysis framework
2.1 THERP event tree (Swain and Guttman in Embrey, 1994)
2.2 Risk Graph
2.3 Fault tree (Cameron and Raman, 2005)
3.1 Human error risk matrix
4.1 HTA of evacuation tasks
5.1 HTA of rescue phase tasks (adapted from Kennedy, 1993)
6.1 Bow-tie graph for evacuation task 2.3.1, ‘ensure sea-worthiness of TEMPSC’
6.2 Bow-tie graph for evacuation task 2.3.11, ‘release falls/confirm auto-release’
A.1 ISO Standard 17776 risk matrix (DNV, 2002)
D.1 Bow-tie for evacuation task 1.2
D.2 Bow-tie for evacuation task 2.3.1
D.3 Bow-tie for evacuation task 2.3.3
D.4 Bow-tie for evacuation task 2.3.4
D.5 Bow-tie for evacuation task 2.3.8
D.6 Bow-tie for evacuation task 2.3.9
D.7 Bow-tie for evacuation task 2.3.10
D.8 Bow-tie for evacuation task 2.3.11
D.9 Bow-tie for evacuation task 2.3.12
D.10 Bow-tie for evacuation task 2.3.13
D.11 Bow-tie for evacuation task 2.3.14
D.12 Bow-tie for evacuation task 2.4.2
D.13 Bow-tie for evacuation task 2.4.3
D.14 Bow-tie for evacuation task 2.4.5
D.15 Bow-tie for evacuation task 2.4.6
D.16 Bow-tie for evacuation task 2.4.7
D.17 Bow-tie for evacuation task 2.4.8
D.18 Bow-tie for evacuation task 2.4.9
D.19 Bow-tie for evacuation task 2.4.10
D.20 Bow-tie for evacuation task 2.4.11
D.21 Bow-tie for evacuation task 2.4.12
D.22 Bow-tie for evacuation task 2.5.2
D.23 Bow-tie for evacuation task 2.5.4
D.24 Bow-tie for evacuation task 2.5.5
D.25 Bow-tie for evacuation task 2.5.6
ABBREVIATIONS
ALARP As Low As Reasonably Practicable
APOA Assess Proportion of Affect
ARAMIS Accidental Risk Assessment Methodology for Industries
BHEP Basic nominal Human Error Probability
EER Escape, Evacuation and Rescue
EPC Error-Producing Condition
ET Event Tree
F&E Fire and Explosion
FPSO Floating Production, Storage and Offloading vessel
FRC Fast-Rescue Craft
FT Fault Tree
GEP Generic Error Probability
GR Gas Release
HAZOP Hazard and Operability study
HEART Human Error Assessment and Reduction Technique
HEP Human Error Probability
HEPI Human Error Probability Index
HRA Human Reliability Analysis
HTA Hierarchical Task Analysis
LC Level of Confidence
MIMAH Identification of Major Accident Hazards
MIRAS Methodology for Reference Accident Scenarios
MO Man Overboard
OIM Offshore Installation Manager
OSC On-Scene Commander
P&ID Piping and Instrumentation Diagram
PA Public Address
PM Preventative Maintenance
POB Personnel On Board
PSF Performance-Shaping Factors
QRA Quantitative Risk Assessment
RAS Reference Accident Scenario
SAR Search And Rescue
SBV Stand-By Vessel
SLIM Success Likelihood Index Methodology
SLI Success Likelihood Index
SMS Safety Management System
TEMPSC Totally Enclosed Motor-Propelled Survival Craft
THERP Technique for Human Error Rate Prediction
TSR Temporary Safe Refuge
ACKNOWLEDGEMENTS
I would like to thank Dr. Paul Amyotte, Dr. Faisal Khan, Dr. Scott MacKinnon,
Dr. Dean Di Mattia and Dr. Michael Pegg for their technical guidance support as my
supervisory committee. I would also like to thank Dr. Amyotte for his consistent
encouragement and mentorship throughout the duration of this and previous projects. I
thank Petroleum Research Atlantic Canada (PRAC), Pengrowth and the NS Department
of Energy for their financial support.
I thank those who participated in the expert judgment surveys for their feedback.
I would also like to thank my wife Cailin for her encouragement and patience and my
family for their support.
For want of a nail the shoe was lost. For want of a shoe the horse was lost. For want of a horse the rider was lost. For want of a rider the battle was lost. For want of a battle the kingdom was lost. And all for the want of a horseshoe nail. -nursery rhyme
I am only one, but I am one. I cannot do everything, but I can do something. What I can do, I should do and, with the help of God, I will do! -Everett Hale
"There are lots of things I can't control...but then, there are some things I can"-Sydney Crosby
ABSTRACT
The presented methodology provides a quantitative approach for the assessment and reduction of the risk of human error probabilities during emergency situations. Previous research on the escape phase of the escape, evacuation and rescue (EER) process has resulted in the identification of tasks, the risk of human error and potential risk reduction measures for the escape phase. Tasks that must be completed in the evacuation and rescue phases were identified in the current thesis. Due to a lack of available human error data, a combination of expert judgment techniques and a literature review of previous incidents were used to evaluate the risk of human error for the evacuation phase. ARAMIS was used to evaluate the effectiveness of risk reduction measures. Novel concepts include introducing the hierarchy of controls into the procedural HAZOP and the combination of a human error risk assessment methodology (HEART) with a comprehensive risk reduction methodology (ARAMIS).
Chapter 1 INTRODUCTION
This chapter provides the background of the emergency escape, evacuation and
rescue (EER) process on offshore installations. The parameters of the current research
are also identified. Chapter 2 describes in detail the science of human factor analysis.
The concept of human reliability analysis (HRA) is defined. Also, various techniques for
the estimation of human error probabilities (HEPs) are described. Methods for
determining consequences of human error and reducing the risk of human error are
presented. Risk is reduced through safety measures; therefore tools that incorporate
safety measures into risk analysis are also identified in Chapter 2. Chapters 3, 4 and 5
detail the risk assessment of the escape, evacuation and rescue phases of EER,
respectively. Chapter 6 introduces the risk reduction stage into the framework and
provides a case study of the overall process. Conclusions and recommendations are
described in Chapter 7. The outline of this thesis is presented in Figure 1.1.
1.1 Project Scope
Human error is defined as (Kletz, 2001):
A failure to carry out a task in the way intended by the person performing it, in
the way expected by other people or in a way that achieves the desired objective.
Human factors are defined by DiMattia (2004) as:
Environmental and organizational and job factors, system design, task attributes
and human characteristics that influence behaviour and affect health and safety.
The scope of the current work is the EER process on offshore oil and gas
installations. These installations may be drill platforms or floating production, storage
and offloading vessels (FPSOs).
The EER process is composed of three phases:
Escape (or muster) – defined as the interval beginning at the initiating event of the
EER process due to an incident and ending at the registration at a temporary safe
refuge (TSR) and the decision of the offshore installation manager (OIM) to
abandon or to not abandon the installation.
Evacuation – defined as the interval beginning from the decision of the OIM or an
individual to evacuate the installation into the sea or a transport vessel and ending
upon retrieval by search and rescue (SAR) personnel.
Rescue (or recovery) – defined as the interval beginning from the initiation of a
SAR and ending when all personnel have been recovered or the SAR operation
has been called off.
It must be noted that these phases have an overlap. If an individual, during escape,
decides to evacuate to the sea instead of continuing to the TSR, the escape phase has
effectively ended for that individual and the evacuation phase has begun. If
communication is established with nearby vessels, a SAR may be initiated while
personnel are in the escape phase. Initiating SAR during the escape phase may reduce
wait time for a helicopter evacuation or the time personnel spend waiting to be rescued
while in the evacuation phase. Indeed, the later steps of the evacuation phase coincide
with the rescue phase, as seen in Chapters 4 and 5.
[Figure 1.1 lists the thesis chapters:
Chapter 1 Introduction to HRA framework, scope, motivation and objectives
Chapter 2 Description of human factor risk analysis techniques
Chapter 3 Risk assessment of escape phase of EER
Chapter 4 Risk assessment of evacuation phase of EER
Chapter 5 Task analysis of rescue phase of EER
Chapter 6 Description of risk reduction methodology and case study
Chapter 7 Conclusions and recommendations]
Figure 1.1. Overview of thesis.
Each phase of the EER is evaluated separately. The escape phase has been
evaluated in part by DiMattia (2004), DiMattia et al. (2005), Khan et al. (2006) and
Deacon et al. (2010). It is evaluated using three different escape-initiating scenarios: man
overboard, hydrocarbon release and fire and explosion. These scenarios encompass the
range of severity of offshore incidents. The evacuation phase is presented in its entirety
in the current thesis. The three different evacuation-initiating scenarios are identified: a
collision or impending collision of the installation with the surrounding environment or
another vessel, a hydrocarbon release and a fire and explosion. A man overboard
situation does not lead to the evacuation of an installation and is therefore not considered.
The rescue phase is evaluated in part in this work.
An analysis of the steps required to complete the escape phase is presented by
DiMattia (2004). When the decision is made to abandon the platform, either by the OIM
at the TSR or by an individual who deems that evacuation is the safer option, a second
choice must be made. There are several means of evacuating an offshore installation. In
preparing for evacuation, personnel must check the weather conditions (direction and
speed of wind, intensity of waves, etc.). Personnel with authority for the EER process
must keep others in as controlled and informed a state as possible. Sea sickness tablets
can be issued to personnel in case of separation during movement to evacuation stations.
One option for evacuation is a bridge link to another installation. Individuals
cross above the water on a connecting bridge from the abandoning installation to a
nearby, safer installation.
Another non-sea means of evacuation is helicopter evacuation. In helicopter
evacuation, personnel must move to the installation helideck and establish
communication with the approaching pilot. An orderly boarding procedure ensues, with
passengers donning aviation survival equipment and fastening seatbelts. Overloading of
the helicopter should be avoided. Affected by weather conditions and visibility from
smoke, helicopter evacuation is not always an option.
If bridge link and helicopter evacuations are not possible, there are several options
for sea evacuation. The first is via totally enclosed motor propelled survival craft
(TEMPSC) evacuation. TEMPSCs are engine-powered and are the best equipped of the
sea evacuation methods to achieve a safe distance from the abandoned installation.
Checks are performed upon arrival at the TEMPSC station to ensure that the selected
craft is in good condition for launch. The boat coxswain must perform checks on the
orientation of the craft and the direction it should be steered to avoid installation legs and
achieve a safe distance from the installation. Before boarding, personnel check the drop
zone below the TEMPSC to ensure that no debris or danger exists between the craft and
its entrance point with the sea. Personnel are then instructed on an orderly boarding
procedure before boarding and fastening their seat belts. A check is performed to ensure
that everyone’s seatbelt is properly fastened. Next, the air support system is activated.
The air support system must not be activated before completing previous actions, as the
noise output of the air support system can hinder checks. All hatches and plugs are
closed and secured to ensure no water ingress on contact with the sea. The command
centre and other evacuating/rescue personnel are contacted to announce launch of the
TEMPSC. The TEMPSC falls are released and the TEMPSC is steered, at full power and
in forward gear, perpendicular and away from the installation towards a designated
rescue area.
Another sea evacuation vessel is the life raft. Life rafts are non-motor propelled
means of evacuation. Once personnel arrive at the life raft platform, any life rafts used
are inspected to determine the adequacy of their condition. The life raft is secured to a
strong point on the platform. Life raft instructions are checked, as well as the capacity of
the life raft. It is important that the life raft not become overloaded. Personnel then
board the life raft. When all have boarded, the line to the platform is cut and personnel
begin paddling clear of the installation. When a safe distance is achieved, the sea anchor
is released. While waiting to be rescued, personnel must maintain the condition of the
life raft to the best of their abilities. They must also monitor the sea for rescue vessels,
other life boats or overboard survivors to rescue. When another life boat or rescue vessel
is found, a tow line is attached to the vessels to group them together or to fasten the life
raft to a rescue vessel for personnel transfer.
If egress to an evacuation vessel cannot be accomplished, personnel may be
forced to escape directly to the sea. Escaping directly to the sea should occur only when
vessel evacuation is not feasible. Survival times are relatively short for personnel in the
water. It is especially important for personnel to wear a properly sealed survival suit if
the escape is directly into the sea. It is estimated that many people would not survive for
longer than an hour in most water conditions in the North Atlantic without survival
equipment (Robertson and Simpson, 1996). Before leaving the installation, personnel
should ensure that their survival suit is properly sealed and that a lifejacket is donned and
fastened. To minimize the shock of impact from falling or jumping, personnel should
enter the sea from the lowest platform. The direction of the waves and any airborne
contaminants should be assessed. Knowing wave and contaminant directions can prevent
exposure to unnecessary dangers, such as being washed violently against the installation.
Direct-to-sea evacuation can be accomplished by jumping from the platform, sliding
down a chute or climbing down a covered ladder. Whichever method is chosen,
personnel should enter the water feet first. Upon entering the water, personnel should
swim along the side of the platform toward the outer circumference of the installation,
constantly searching for rescue opportunities.
The rescue phase begins with the appointment of an on-scene commander (OSC),
a person of authority to maintain morale and organization. This person (or persons)
monitors and coordinates search and rescue efforts. Helicopters can be used to rescue
personnel, either from the water or from the installation, as described above. An
individual is lowered in a winch to the personnel in the water (in a vessel or in the sea
itself). Individuals are raised into the helicopter one at a time. A fast-rescue craft (FRC)
from a stand-by vessel (SBV) can also be used. An SBV is a nearby vessel equipped to
provide search and rescue should an evacuation occur. A smaller craft, the FRC, is
released from the SBV to retrieve individuals from the sea or vessels. Once rescued,
personnel arrive at the SBV or other safe haven and medical attention is given as
necessary.
1.2 Motivation for the Current Project
Offshore installations in the North Atlantic are considered among the harshest
work environments in the world today. Human performance during emergencies in
offshore environments can have a major effect on the results of an EER process. Piper
Alpha, Ocean Odyssey and Alexander Kielland are just a few of the incidents that reflect
the impact of human performance during offshore emergency situations. A human
factors study by Gurpreet and Kirwan (1997) of offshore davit launching revealed the
need for identifying the relative risk of human error. Knowing the importance of actions
relative to one another can lead to a more efficient prioritization of risk reduction
measures. It has been suggested that human reliability analysis tools for the EER process
should be improved (Khan et al., 2006). Greater human reliability can be achieved
through a human factors analysis of the EER process. Risk is a function of the
probability of an incident occurring and its associated consequences. In the current work,
the incident in question is a human error during an offshore emergency. The risk of
human error is measured in terms of a human error probability (HEP), determined for
each step, and the severity of the consequences associated with the step.
Previous research by the research team in the form of a PhD thesis introduced an
index for determining EER escape phase human error probabilities using expert judgment
techniques (DiMattia, 2004). The doctoral work also included a consequence analysis
and risk reduction mechanism. Expert judgment was used to determine the consequence
severities and the percentage reduction of risk for each safety measure incorporated. Of
the risk reduction method, DiMattia (2004) states:
It is recognized that this approach to risk re-rating is subjective in nature and can lead to
differences in interpretation. Empirical data are required for a more rigorous treatment
of risk reduction measures.
The current work focuses on an empirical approach to consequence analysis and the use
of a risk reduction tool.
Many human error expert judgment techniques incorporate risk reduction theory.
However, the main focus of these techniques is to estimate HEPs. Risk reduction is
either an add-on or theoretically inherent to the technique. Issues of clarity and
comprehensiveness arise from these less detailed risk reduction methods. It has been
recommended that a separate risk reduction technique be used after HEPs have been
estimated (Kirwan, 1997). The current work incorporates the accidental risk assessment
methodology for industries (ARAMIS; Anderson et al., 2004) as an analysis of safety
measures.
Another issue noted in the literature is the lack of organizational factors methods
in offshore quantitative risk assessments (QRAs; Aven et al., 2006). Safety culture at all
levels of an organization has an effect on performance. ARAMIS incorporates a safety
audit exercise that affects the reliability of safety measures according to the quality of the
organizational safety culture (Anderson et al., 2004).
1.3 Project Objectives
The problem statement for this MASc Thesis is as follows:
To develop a method to systematically assess and reduce the risk of human error in emergency situations.
A framework for the identification, assessment and reduction of the risk of human
error during offshore emergency situations is presented in this work. The framework can
be used to evaluate emergency situations from various industries, including the nuclear,
manufacturing and chemical processing industries. The framework provides a detailed
breakdown of tasks to be completed during emergency situations, as well as an individual
analysis of the risk of human error of each task. Finally, risk reduction measures are
evaluated and introduced, with a graphical and mathematical representation of their effect
on the risk.
The goals of the current work are as follows:
1. To further the work in the field of human reliability analysis,
2. To reduce the gap between real and perceived risk with respect to emergency
preparedness,
3. To provide a user-friendly HRA tool to evaluate and reduce the risk of human
error in emergency situations, and
4. To assess risk and identify risk reduction measures for human error in offshore
emergency situations.
The HEP and consequence severity for each EER step are determined empirically.
The following is a list of tasks to prepare in a risk assessment (Gadd et al., 2004):
1. Define the scope of the assessment
2. Define the depth of the assessment
3. Identify and allocate the quantity of resources to be used
After the preparation stage, the following tasks are completed in performing the risk
assessment (Gadd et al., 2004):
1. Identify hazards
2. Identify possible consequences
3. Estimate likelihood of incident occurring
4. Estimate risk of incident occurring
5. Evaluate risk for tolerability and potential for reduction
6. Record findings
The framework presented in the current thesis is a more detailed description of the
performance of a risk assessment:
1. Task analysis
2. Scenario identification
3. Human error probability calculation
4. Consequence severity evaluation
5. Procedural hazard and operability study (HAZOP) of steps
6. Determination of tolerability of risk via risk matrix
7. Evaluation of required reliability via risk graph
8. Selection and evaluation of safety barriers for level of confidence (LC)
9. Bow-tie analysis
If a risk is shown to be tolerable under the ‘as low as reasonably practicable’
(ALARP) principle, then steps 7-9 need not be performed for the given task. The
framework is presented in Figure 1.2.
[Figure 1.2. Schematic for risk analysis framework. Flowchart labels: Identify Tasks; Choose Scenario; Combine in Risk Matrix; Choose Step; Calculate HEP; Assign Consequence Severity; Determine Frequency of Exposure & Potential to Avoid Damage; Use Risk Graph to Determine Required LC; Choose Safety Barriers and Determine LCs; Build Bow-tie and Determine Overall LC; Is Risk ALARP? (Yes/No); Analysis Complete? (Yes/No).]
A hierarchical task analysis (HTA) of the EER process was performed by the research
team. The escape phase HTA is presented in DiMattia (2004). The evacuation and
rescue phases are analyzed in the current work. Several emergency scenarios, or specific
situations, are defined. The combination of these scenarios encompasses the range of risk
severity encountered for the facility in question. HEPs are empirically determined using
an expert-judgment technique. HEPs can be calculated by dividing the number of
failures to complete a given task by the total number of times that task is attempted over
an identified period of time. This is the simplest and most ideal method for determining a
HEP. However, in most cases, data does not exist for this method. Additionally, for the
formula to be effective, the failure data for any task would have to be determined for
every unique workstation and work environment. In cases where a QRA is being
performed before a work site is constructed, it is impossible to collect historic data.
The accuracy of HEPs using historic data relies heavily on the robustness of the
collected data. Efforts have been made to collect HEP data for certain tasks (Kirwan et
al., 1998; Gurpreet and Kirwan, 1997). These HEPs are generic in nature and, while
alone they do not provide an accurate HEP estimate for any site-specific QRA, they
provide a good reference for HEP estimation and calibration of expert judgment
techniques (Kirwan et al., 1990).
Consequences are also determined and expressed as a measurable value. These
consequences are usually expressed as a unit in a range of severities, or as qualitative
descriptions of different severities. Consequence severities for the current work are
determined using a literature review of major offshore incident investigations from
industry. Consequence severities for the escape phase are dependent on the initiating
event due to proximity to event-related dangers. For example, consequence severities for
any given step may be more severe for a fire and explosion scenario due to fires and
extreme heat along the egress paths. For the same step in a gas release scenario, egress
paths may not be exposed to as much danger. However, consequence severities are
independent of the initiating event for the evacuation phase. At the evacuation phase of
the EER process, distance has been achieved from the initiating event. The immediate
dangers are the sea and weather conditions. Personnel who evacuate to the sea are
exposed to the motion of the waves. Wave motion can induce sea sickness in personnel
and has the potential to wash evacuation equipment violently against the installation.
Depending on the strength and frequency of the waves, survival craft can be damaged
and even incapacitated. Rescue phase consequence severities are not evaluated in the
current work.
Consequence severities and HEPs are combined in a risk matrix. The risk matrix
is a table that determines the tolerability of a risk based on the probability of the
critical event occurring and its consequence severity. In the current work, the risk graph
of ARAMIS is used alongside the risk matrix to determine the total required reliability of
safety measures associated with a given EER step. The required reliabilities are related
to the tolerability criteria in the risk graph. Combining HEPs, consequence severities and
two other parameters unique to the risk graph reveals the total required reliability of EER
step safety measures. Once the required reliability of safety measures is determined, the
mathematical reliability of any potential safety measures is evaluated using ARAMIS. A
procedural hazard and operability study (HAZOP) is undertaken to determine potential
error modes and safety measures. Safety measures identified in the HAZOP are
evaluated for their robustness and reliability. Any safety measures that have an
associated mathematical reliability can be used in the risk reduction exercise.
Risk re-calculation is undertaken using bow-tie graphs. A bow-tie graph is a
combination of a fault tree and an event tree centred on the same critical event. In the
current work, the critical event is a human error for the EER step in question. Failure
modes are identified in the fault tree section of the bow-tie. Any safety measures that can
reduce the HEP are included in the fault tree. Consequence severities are identified in the
event tree section of the bow-tie. Any safety measures that can mitigate the
consequences should an error occur are included in the event tree. Once all safety
measures and their mathematical reliabilities are incorporated into the bow-tie, the risk
can be re-calculated.
Chapter 2 HUMAN FACTOR RISK ANALYSIS
This chapter provides a description of the science of human factor risk analysis.
Human reliability analysis (HRA) is also described. Several expert judgment techniques
for performing HRA are described and evaluated for their potential application to the
EER process. This chapter also discusses the concepts of hazard and risk. Hazard is the
existing potential for harm or loss. Risk is the likelihood and degree of harm or loss
(Cameron and Raman, 2005). Thus a hazard is identified first, followed by the risk of the
hazard moving from a potential occurrence to an actual occurrence. This movement of
the hazard from possibility to reality is called a critical event.
2.1 Human Reliability Analysis (HRA)
Human reliability analysis (HRA) is used to evaluate human performance for
given tasks. Thus, the risk of human error can be determined. In many HRA techniques,
human error is analyzed as though the reliability of a piece of equipment were being
considered (Reason, 1990).
2.1.1 Task Analysis
Task analysis forms the base of human reliability analysis. There are several task
analysis methodologies. The methodologies can focus either on human action or human
cognition. The goal of task analysis is to identify the steps that must be completed to
achieve an end goal. A task analysis can be completed during the design phase of a
facility to identify error-producing design configurations. Task analysis can also be
undertaken during facility operation to identify and reduce risk areas (Embrey, 1994).
Hierarchical task analysis (HTA) is an action-oriented technique. The principle of
HTA is that goals are broken down into a hierarchy of operations and plans. Operations
are the actions that must be completed and plans are the conditions that must exist to
complete the actions. In HTA, the first step is to identify the end goals. The end goals
are then broken down into smaller steps that must be completed to achieve the end goals.
Steps can be action- or cognition-oriented, such as closing a valve or deciding which
valve to close. Steps can be broken down several times until a detailed list is available.
Each step must be specific enough to be analyzed for its human error probability (HEP;
Embrey, 1994).
There are several advantages to the use of HTA (Embrey, 1994):
- Allows simple task descriptions and economy of resources
- Allows focus on safety-critical tasks
- If used during the design stage, allows objectives to be analyzed before equipment is specified
- Allows collaboration between analyst and operators who will be responsible for the tasks
- Provides an effective starting point for error analysis
- Allows analyst to choose level of task decomposition for which data are available
There are also disadvantages to using HTA (Embrey, 1994):
- Practice required to develop the skill necessary to accurately perform HTA
- Secondary methods required to analyze complex decision-making or diagnostic tasks
- Time commitment required of busy individuals to perform HTA (supervisors, operators, analysts, etc.)
2.1.2 Types of Error
There are several types of error relating to the performance level of an individual.
Slips and lapses are errors of a skill-based level. Rule-based errors and knowledge-based
errors follow from their respective levels (Reason, 1990).
Where slips and lapses of attention are concerned, the intention is correct but the
action is not. In this case an action can be an act or lack thereof, and is considered a skill-
based error. Where mistakes are concerned, the act follows the intention, but the
intention is not correct. An operator, either aware or unaware, lacks the knowledge of the
proper action, resulting in a knowledge-based error. Mismatches occur when a task is
beyond the physical or mental ability of the operator in question. This is another example
of a skill-based error. Non-compliance, also called an error of violation, relates to a
decision to ignore instructions or accepted practice. This can occur when an operator
believes that the instructions are incorrect or that circumstances require a different action,
and is a rule-based error (Kletz, 2001).
Table 2.1 summarizes the types of errors and their related performance levels.
Table 2.1: Error types and performance levels.
Error Type | Performance Level
Slips and Lapses | Skill-based
Mistakes | Knowledge-based
Mismatches | Skill-based
Non-compliances/Violations | Rule-based
2.1.3 Human Error Probability (HEP)
A human error probability (HEP) is the probability that a human error is made if a
group of people attempt a similar task. It is not related to the probability of an individual
human error (Kletz, 2001). Human error is defined in Chapter 1. The EER process is
itself a protection layer to mitigate the consequences of a critical event (e.g. a
hydrocarbon release). The human error probability, combined with the probability of
failure of any safety devices, represents the probability of failure of the EER protection
layer at any given step. As such, reliability data for a site’s EER protection layer can be
included in an overall quantitative risk assessment (QRA) of the facility. HEPs are
determined either using expert judgment or empirically using the formula:
HEP = (Number of errors)/(Number of attempts) (2.1)
Often there is insufficient data for the use of Equation (2.1). In such cases, expert
judgment is used to estimate HEPs.
2.2 Expert Judgment
Expert judgment follows the principle that factors, called performance-shaping
factors (PSFs), influence the ability to complete an action. When using an expert
judgment technique, there is potential for an evaluator to alter their values and choices to
obtain a more desirable outcome (Kletz, 2001). Steps to avoid the consequences of such
tendencies should be taken when performing expert judgment. Three common expert
judgment techniques are now described.
2.2.1 Success Likelihood Index Methodology (SLIM)
The success likelihood index methodology (SLIM) was originally developed for
the nuclear processing industry. Since its introduction it has also been used in the
chemical process and transport industries. PSFs are the most relevant assessment in
SLIM. In fact, errors can be classified by the PSFs that influence them, rather than vice-
versa as is done in other HRA techniques (Embrey, 1994). SLIM is a resource-intensive
method that uses a number of assessors in a structured manner (Reason, 1990).
The performance of SLIM is as follows (Embrey, 1994):
- Group similar PSF-related actions
- Decide on relevant PSFs
- Rate each action in terms of PSFs
- Assign relative weights to PSFs
- Calculate success likelihood indices (SLIs)
- Convert SLIs to probabilities
- Perform sensitivity analysis
Actions that are potentially influenced by the same PSF are classified together.
Closing a valve, opening a valve and fastening devices to equipment may all be
influenced by the same set of PSFs. These actions are classified together (Embrey,
1994).
The assessors choose which PSFs to include in the HEP evaluation. Examples
include stress, level of training or complexity of the action (Embrey, 1994). Unlike other
methods, PSFs themselves have no associated quantifiable effect at this stage.
The chosen PSFs are rated by each assessor. For each action, the relevant PSFs
are evaluated separately. A rating scale from 1 (normally the most ideal condition) to 9
(normally the least ideal condition) is used (Embrey, 1994). Assessors rate PSFs based
on specified scenarios (Reason, 1990).
PSFs may also be weighted according to their influence on human reliability for a
set of actions. If it is known that different PSFs for an action do not have equal influence
over the human reliability for that action, weights are used. This is an optional step that
must only be completed by assessors when real knowledge exists of the weighted values.
The weighting of all the PSFs for a given action sum to unity (Embrey, 1994).
The success likelihood index (SLI) is calculated using the formula:
$SLI_j = \sum_i R_{ij} W_i$ (2.2)
where i is the PSF in question, j is the task in question, R is the original rating and
W is the weight. The rating of each PSF is converted to the relative rating, a value
between 0 and 1, using the formula:
$RR = 1 - \frac{|R - IP|}{4 + |5 - IP|}$ (2.3)
where RR is the relative rating and IP is the ideal value for the rating. The relative
rating and weighting (if applicable) are multiplied for each PSF. The results are then
summed to determine the SLI for a given action (Embrey, 1994).
Conversion of SLIs to HEPs requires calibration. If enough actions in the group
being evaluated have known HEPs, linear regression analysis can be used to determine
the equation of a line of best fit for the HEP data. The actions with unknown HEPs can
then be determined by substituting their SLIs into the linear equation.
If insufficient HEP data exist, then SLIs are converted to HEPs using the formula:
log(HEP) = A*SLI + B (2.4)
where A and B are constants that must be determined. Equation (2.4) requires that
only two actions in the group under evaluation have a known SLI and HEP. Incorporating
the SLI and HEP into the above equation for each of the two steps, the assessor can solve
for A and B. Once A and B are determined, the SLIs for all actions with unknown HEPs
are incorporated into the above equation to determine the HEPs (Embrey, 1994).
The SLIM technique requires empirical data of known HEPs in order to be
calibrated (Embrey, 1994). This step is crucial as Equation 2.4 is sensitive to the
constants A and B. This equation has received much criticism and SLIM applications
have experienced some negative results in validation studies (Reason, 1990). It is
recommended by Kirwan (1997b) that further validation of SLIM take place, as it has
high potential to be a useful HRA technique. The escape phase HEPs for the offshore
EER process have been estimated by DiMattia (2004) using SLIM.
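A worked SLIM calculation following the steps above, added here as an illustration and not taken from the thesis or from Embrey (1994). The PSF names, ideal points, weights, ratings and the two anchor HEPs are constructed; base-10 logarithms are assumed for Equation (2.4); and ratings are rescaled as RR = 1 − |R − IP| / (4 + |5 − IP|), which keeps RR between 0 and 1. The last function shows how strongly an estimate depends on one calibration anchor.

```python
import math

# Constructed PSF set: ideal point (IP) of each rating scale, on the 1-9 scale.
IDEAL_POINTS = {"stress": 5, "training": 1, "complexity": 1}
# Constructed weights; when weights are used they must sum to unity.
WEIGHTS = {"stress": 0.5, "training": 0.25, "complexity": 0.25}

# Constructed assessor ratings (1-9) for three TEMPSC evacuation steps.
RATINGS = {
    "fasten_seatbelts": {"stress": 5, "training": 3, "complexity": 1},
    "steer_clear_of_installation": {"stress": 9, "training": 5, "complexity": 7},
    "check_drop_zone": {"stress": 7, "training": 3, "complexity": 3},
}
# Constructed "known" HEPs for the two steps used to calibrate Equation (2.4).
ANCHOR_HEPS = {"fasten_seatbelts": 1e-3, "steer_clear_of_installation": 1e-1}


def relative_rating(rating, ideal_point):
    """Rescale a 1-9 rating to 0..1, where 1 means the rating sits at the ideal point."""
    if not (1 <= rating <= 9 and 1 <= ideal_point <= 9):
        raise ValueError("ratings and ideal points must lie on the 1-9 scale")
    return 1 - abs(rating - ideal_point) / (4 + abs(5 - ideal_point))


def success_likelihood_index(ratings, ideal_points=IDEAL_POINTS, weights=WEIGHTS):
    """Equation (2.2): weighted sum of the relative ratings for one action."""
    if set(ratings) != set(weights) or set(ratings) != set(ideal_points):
        raise ValueError("every PSF needs a rating, an ideal point and a weight")
    if not math.isclose(sum(weights.values()), 1.0):
        raise ValueError("PSF weights must sum to unity")
    return sum(weights[p] * relative_rating(ratings[p], ideal_points[p])
               for p in ratings)


def calibrate(anchor_1, anchor_2):
    """Solve log10(HEP) = A*SLI + B from two (SLI, HEP) pairs with known HEPs."""
    (sli_1, hep_1), (sli_2, hep_2) = anchor_1, anchor_2
    if not (0 < hep_1 < 1 and 0 < hep_2 < 1):
        raise ValueError("anchor HEPs must be probabilities strictly between 0 and 1")
    if math.isclose(sli_1, sli_2):
        raise ValueError("anchors with equal SLIs cannot determine A and B")
    a = (math.log10(hep_1) - math.log10(hep_2)) / (sli_1 - sli_2)
    b = math.log10(hep_1) - a * sli_1
    return a, b


def hep_from_sli(sli, a, b):
    """Equation (2.4) inverted; capped at 1 because extrapolation can exceed it."""
    return min(1.0, 10 ** (a * sli + b))


def estimate_heps(ratings=RATINGS, anchor_heps=ANCHOR_HEPS):
    """Return {task: HEP} for every rated task, calibrated on the two anchors."""
    slis = {task: success_likelihood_index(r) for task, r in ratings.items()}
    (task_1, hep_1), (task_2, hep_2) = anchor_heps.items()
    a, b = calibrate((slis[task_1], hep_1), (slis[task_2], hep_2))
    return {task: hep_from_sli(s, a, b) for task, s in slis.items()}


def anchor_sensitivity(task, anchor, factor):
    """Ratio by which a task's HEP moves when one anchor HEP is scaled by factor."""
    shifted = dict(ANCHOR_HEPS)
    shifted[anchor] = ANCHOR_HEPS[anchor] * factor
    return estimate_heps(anchor_heps=shifted)[task] / estimate_heps()[task]


if __name__ == "__main__":
    for task, hep in estimate_heps().items():
        print(f"{task:30s} HEP = {hep:.5f}")
    ratio = anchor_sensitivity("check_drop_zone", "fasten_seatbelts", 3)
    print(f"tripling the low anchor HEP scales check_drop_zone by {ratio:.2f}")
```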
2.2.2 Human Error Assessment and Reduction Technique (HEART)
The human error assessment and reduction technique (HEART) has enjoyed
increasing use in the UK over the last two decades (Kirwan et al., 1996). Developed by
Williams (1988), HEART is a more industry-generic risk assessment tool than its
predecessors (Kirwan, 1996). The technique includes its own quasi-database of error
probabilities.
The performance of HEART is as follows (Kirwan, 1996):
- Assign step to a generic error category
- Choose generic error probability
- Determine any PSFs that apply to the step
- Determine the weight of each applicable PSF on the step
- Calculate the overall HEP
HEART includes eight generic error categories, each with a qualitative
description and an error probability range. The first step in HEART is to classify an
action into one of these categories. It is understood that an action may satisfy the
qualitative description of multiple categories. To avoid confusion (and pessimistic
results), an assessor begins with the lowest-probability description and works towards the
highest-probability description. The first category that the action satisfies is considered
the generic error category for that action (Williams, 1988).
The premise of HEART is that each action has an associated generic error
probability (GEP). Given no error-influencing conditions (i.e. the ‘perfect’ situation), an
action will have a basic probability of error. Each generic error category has a
recommended GEP as well as a range of acceptable GEP values. The assessor chooses
which value to use (Williams, 1988).
A second premise of HEART is that no PSF exists that will decrease the overall
probability of error. Third, rarely in industry will multiple PSFs combine to influence
human reliability for a given action (Williams, 1988). This last point is more particular
to HEART, and makes the technique prone to generating pessimistic results (Kirwan et
al., 1996). An extensive list of potential PSFs, named error-producing conditions (EPCs)
in HEART, is available. It is recommended in the technique that the assessor take a
conservative approach to assigning PSFs. It is also noted in the technique’s description
that certain generic error categories already account for specific EPCs. This is an open-
ended statement that leaves the assessor to decide which EPCs to use and which the
generic error category accounts for. Each EPC has an associated quantitative maximum
effect on the GEP (Williams, 1988).
Once the EPCs are chosen, their weight on the action in question is determined.
This is called the assessed proportion of affect (APOA). The assessed proportion of
affect is a multiplier value between 0 and 1. Each chosen EPC has an APOA (Williams,
1988).
The APOA and EPC are combined in the following formula:
EPC Multiplier = (Maximum effect – 1)*APOA + 1 (2.5)
The resultant value of Equation (2.5) is the EPC in question’s multiplier. The
sum of the EPC multipliers is multiplied by the chosen GEP. The final result is the
overall HEP for the action in question (Williams, 1988).
HEART is intended to be a flexible technique. This is observed when examining
the generic error categories. A given action may fall into multiple GEP categories.
Qualitative descriptions (e.g. at speed) may vary slightly in the assessor’s mind (Kirwan,
1996). This can lead to inconsistency between assessors when choosing GEPs and EPCs.
However, despite these inconsistencies, assessors can arrive at similar HEPs (Kirwan et
al., 1996).
An advantage of HEART is that it is designed for single-assessor use, making it a
resource-efficient HRA technique. There exists no formal training for the use of
HEART, and this may contribute to the inconsistency of assessors’ choices. There is also
a lack of instruction in HEART documentation regarding determination of the APOAs
(Kirwan, 1996). HEART has also been demonstrated to have low accuracy when
evaluating errors where a wrong act is committed, or for slips and rule violations
(Kirwan, 1997a). Included in HEART is an inherent risk reduction framework. If a HEP
is too high, then the assessor can determine what steps need to be taken to bring the
action into a lower GEP category (Williams, 1988).
2.2.3 Technique for Human Error Rate Prediction (THERP)
The Technique for Human Error Rate Prediction (THERP) is an expert judgment
technique described by Swain and Guttmann (1983). THERP is the oldest established
human error analysis technique. Originally developed for military applications, it was
adapted for use in the nuclear power industry (Embrey, 1994). THERP has been subject
to the most criticism of the HRA techniques, yet has also received praise and use
(Reason, 1990).
An advantage of THERP is that it contains an internal database of human error,
which is altered by assessors to evaluate specific scenarios. THERP requires assessor
training to use and is a time- and resource-intensive method (Kirwan, 1996).
The performance of THERP is as follows (Kirwan, 1996):
- Decompose task into steps
- Assign generic HEPs to each step
- Determine the effects of relevant PSFs on each element
- Calculate the effect of dependence between steps
- Model a Human Reliability Analysis Event Tree
- Quantify the total step HEP
It is noted that THERP uses an additional task analysis step, where individual
assessors determine the breakdown of steps into elements. Different assessors can break
steps into different elements for evaluation.
THERP uses a generic human error probability called the basic nominal human
error probability (BHEP). The BHEPs are included in THERP’s internal database. As
the name suggests, a BHEP is the basic probability of a human error for an action,
without examining situational factors. The BHEP is based on the type of action (Kirwan,
1996). BHEPs are found in the THERP operating manual. Each generic HEP has a
qualitative description and a quantitative value. These qualitative descriptions are
detailed and add robustness to THERP (Kirwan, 1996). THERP evaluations consider
human error both alone and in conjunction with any equipment or procedures that are
relevant for a given action (Reason, 1990).
PSFs are chosen and their effects on the HEP are evaluated qualitatively by the
assessor. Each PSF has an associated maximum value. A fraction of the maximum value
is multiplied by the generic HEP determined from the previous step. The fraction of the
maximum multiplier is decided by the assessor based on the relevance the PSF has on the
action in question. PSF selection and evaluation is a source of inconsistency between
assessors, as this step is based on the expertise and experience of the individual assessor
(Kirwan, 1996). However, a validation study by Kirwan et al. (1997) demonstrated that
even with variation of usage by assessors, quantitative HEP values can be consistent.
Dependency between actions is also evaluated in THERP, a step that is not used
in all techniques. The HEP of an action may be influenced by the outcome of a previous
action. In such a case, the relationship between the actions in question must be determined.
Dependency analysis allows for more realistic HEP values (Kirwan, 1996).
Event trees are described in Section 2.5.2. They are used in THERP to determine
the overall HEP of a given action. The action and relevant procedures or equipment are
placed on the event tree, each with their probabilities of failure. The action and each
procedure or piece of equipment are considered individual nodes. Probability of success
and probability of failure for each node sum to unity. The failure probabilities are
multiplied to determine the final HEP for the action in question. Figure 2.1 is an example
of a THERP event tree.
Criticisms of THERP include unreliability of generic probabilities derived from
expert judgment and limited functionality with external error modes. The validity of
THERP is considered questionable outside of use by the technique’s authors and
immediate collaborators. Revisions to THERP include a more time-dependent approach
to error determination. This approach is based on simulation data in an attempt to
improve the robustness of the technique. The revisions also allow for increased detail for
cognitive errors, such as misdiagnosis, or ‘right action on wrong object’ errors (Reason,
1990).
2.3 Accidental Risk Assessment Methodology for Industries (ARAMIS)
The accidental risk assessment methodology for industries (ARAMIS) is a risk
assessment and reduction tool developed in response to the Seveso II directive (Anderson
et al., 2004). ARAMIS includes both comprehensive risk assessment and reduction tools
within its methodology. It is itself a combination of deterministic and probabilistic risk
assessment techniques.
Many QRA techniques represent risk as a function of the frequency of a critical
event and its consequences. ARAMIS uses three items: the frequency of a critical event,
the intensity of the critical event and the vulnerability of the element in question. The
element can be a process plant and its surrounding area, warehouse, office building, etc.
The severity of a critical event is defined as the product of its intensity and frequency of
occurrence. The damage caused by a critical event is the product of its intensity and the
element in question’s vulnerability. The risk of a critical event is the product of its
frequency, intensity and the vulnerability of the element in question. One of the main
premises of ARAMIS is that the probability of a critical event is a function of the
probability or frequency of an initiator and the reliability and efficiency of any relevant
safety barriers (Salvi and Debray, 2006).
Figure 2.1: THERP event tree (Swain and Guttman in Embrey, 1994).
[Event tree values shown in Figure 2.1: A: 0.9999 take action / 10^-4 no action until alarm (3 people); 0.999 take action / 10^-3 failure to initiate action within 2 minutes after alarm; 0.99 correct pair of switches / 10^-2 wrong pair of switches. Outcomes: S1; F1 = 10^-2; S2; F2 = 10^-6; F3 ≤ 10^-5 (step not done in time); FT = F1 + F2 + F3 ≈ 10^-2.]
The following steps are performed in ARAMIS (Salvi and Debray, 2006):
Identify major accident hazards
Identify and assess quality of safety barriers
Evaluate safety management efficiency
Identify reference accident scenarios (RASs)
Assess and map the severity (frequency and intensity) of RASs
Evaluate and map the vulnerability of the element’s surroundings
The identification of major accident hazards (MIMAH) occurs through the use of
bow-tie diagrams (see Section 2.5). MIMAH is a systematic method used to identify
potential hazards (Salvi and Debray, 2006).
Requirements for safety barriers are determined using a risk graph. The risk
graph is used to set clear risk reduction goals and to prioritize risk reduction. The risk
graph includes four parameters: the consequence severity of a critical event, the total
time an element is exposed to the risk, the potential for recovery and the frequency or
probability of occurrence of the critical event (Salvi and Debray, 2006). The risk graph is
shown in Figure 2.2.
The four parameters C, F, D and Human Error Probability act together to determine
the reliability (in ARAMIS, the level of confidence) required of safety barriers to bring
the risk into a ‘tolerable if as low as reasonably practicable (ALARP)’ region. The
parameter C is the consequence severity of the critical event, F is the frequency of
exposure to the risk (F1 constitutes an exposure equal to at least ten percent of the total
operating time, F2 is an exposure of less than ten percent of the operating time), D is the
potential to avoid damage should the critical event occur, X is the resultant row from the
values of C, F and D and Human Error Probability is the estimated HEP. A risk is
ALARP if it can be shown that reasonable effort has been taken to ensure that it is as low
as practicality allows. Cost-benefit analysis can be used to show that to further reduce
the risk a small amount, costs would be unreasonably high; see for example Salvi and
Debray (2006) and DNV (2002). There are four types of safety barriers: inherent,
passive, active and procedural. Inherent safety barriers prevent a critical event from
occurring. Passive, active and procedural barriers either reduce the probability of a
critical event occurring or control its consequences. All passive, active and procedural
barriers have an associated level of confidence (LC). This is the mathematical reliability
of the safety barrier. A barrier with an LC of x will reduce the risk of a critical event by a
factor of 10^-x. Active barriers also have an efficiency and response time. The efficiency
of an active barrier is the degree to which it limits the probability of the critical event or
the severity of the consequences. The response time is the time it takes to achieve full
operation of the active barrier once it is strained.
Figure 2.2: Risk Graph (Anderson et al., 2004).
[Risk graph branches: the values of C (C1 to C4), F (F1, F2) and D (D1, D2) lead to rows X1 to X6.]

| Row | HEP 0.1-1 (1, P1) | HEP 0.01-0.1 (2, P2) | HEP 0.001-0.01 (3, P3) | HEP <0.001 (4, P4) |
|---|---|---|---|---|
| X1 | --- | --- | --- | --- |
| X2 | a | --- | --- | --- |
| X3 | 1 | a | --- | --- |
| X4 | 2 | 1 | a | --- |
| X5 | 3 | 2 | 1 | A |
| X6 | 4 | 3 | 2 | 1 |

A premise of ARAMIS is that safety culture and management have an effect on
risk control. An audit is performed of the elements involved in the life-cycle of a safety
barrier (e.g. design, installation, maintenance, etc.). An audit of the safety culture is
performed through employee surveys. These two audits are used to adjust the level of
confidence of the safety barrier to a more inclusive value. One advantage of this method
is that it identifies areas where safety management systems can be improved (Salvi and
Debray, 2006). Another advantage is that by including a company/plant’s safety culture
in the risk evaluation, the gap between real and perceived risk can be reduced.
Reference accident scenarios are described using the methodology for reference
accident scenarios (MIRAS) in ARAMIS. Reference accident scenarios are developed
from the major accident hazards identified by MIMAH (Anderson et al., 2004).
The elements defined in each reference accident scenario include (Anderson et al.,
2004):
Safety systems involved
Safety management system (SMS)
Frequency or probability of occurrence of the reference accident
Consequence severity of the reference accident
Major accident hazards are assessed for their frequency of occurrence and
consequence severities.
After each RAS is defined, the severity (frequency and intensity) is assessed and
mapped. The frequency and intensity of each RAS is evaluated to determine a severity
index. The severity index is a rating of the effects of a critical event, ignoring the
vulnerability of the element in question. The severity index is determined from the major
hazards and associated dangerous phenomena identified for a RAS using MIMAH in a
previous step. Effects of dangerous phenomena include (Anderson et al., 2004):
Thermal radiation (continuous or instantaneous)
Blast effects
Missiles
Toxic effects
Each of these effects has an associated threshold level outlined in the ARAMIS
user guide (Anderson et al., 2004). The severity index relates to varying levels of
consequence severity. The severity index is also a function of distance from the point of
the critical event in question. Severity mapping shows a picture of the severity of a
critical event in relation to its radius.
The vulnerability of the area surrounding the project site is also evaluated. The
vulnerability of an area is determined by evaluating its targets: human, environment and
material. Vulnerability mapping provides a complement to severity mapping in
determining consequences (Anderson et al., 2004).
2.4 Hazard and Operability Study (HAZOP)
A hazard and operability study (HAZOP) is a hazard identification technique
based on the use of guidewords to systematically identify all hazards. It is not limited to
process hazards, but can also be applied to procedures and other operations (Cameron and
Raman, 2005). In the current work, a procedural HAZOP of the EER process is
considered.
HAZOP is one of the most common tools in hazard identification and risk
assessment. It is performed at the design stage of a facility or when major changes are to
be implemented. It is done in the early stages of a facility to ensure that the design and
subsequent procedures account for any and all relevant hazards in the facility’s operation.
It is more cost-efficient to invest in a HAZOP to predict potential problems than it is to
discover problems during operation. It is also more likely that hazards identified at the
design stage will be rectified in a timely and efficient manner. A HAZOP is performed
by a varied group of facility personnel to ensure a thorough examination of all of the
facilities’ functions. An individual experienced in the HAZOP technique and group
facilitation leads the HAZOP (Cameron and Raman, 2005).
The goals of HAZOP are as follows (Cameron and Raman, 2005):
Identify all possible deviations from intended operation of each facility system/subsystem
Determine the consequences of the deviations
Develop design and procedural safeguards to control the consequences
When a process facility is concerned, such as an offshore drilling installation or a
floating production, storage and offloading vessel (FPSO), the HAZOP examines the
entire design and function of the facility. The review team examines the facility layout
plans as well as piping and instrumentation diagrams (P&IDs).
For a procedural HAZOP, each task in a procedure, as well as any equipment
involved in the procedure, are examined. Intentions of each task and interaction with
equipment are assessed for potential deviations. The consequences are determined and
safeguards in the form of facility, equipment or procedural design changes are suggested.
The following are steps for a HAZOP (Cameron and Raman, 2005):
Choose element (pipeline, piece of equipment or procedure)
Identify guideword set
Apply each guideword to element in turn
Identify all potential causes of any deviation
Identify all potential consequences (immediate and delayed) of each deviation
Identify all possible safeguards (existing and potential)
Document results
Repeat until all elements have been examined
Perform a HAZOP overview of the layout and function of the facility
HAZOP is widely used as an industry standard in identifying hazards for a
facility. Nevertheless, hazards that are not identified in a HAZOP have been encountered
during the operation phase of a facility. Hazardous situations that have not been
experienced before or that are outside of the knowledge of the review team may not be
identified by a HAZOP (Cameron and Raman, 2005).
2.5 Bow-Tie Method
A bow-tie is composed of a fault tree and an event tree connected at the same
critical event. It can give an overall picture of risk reduction, incorporating both failure
modes leading to a critical event and the consequences that ensue (Cameron and Raman,
2005). Bow-ties are demonstrated in Chapter 6.
2.5.1 Fault Tree (FT) Method
A fault tree is a diagram that relates a critical event to its causes. The critical
event is chosen first. Next, the assessor identifies the immediate causes of the critical
event. The events that lead to each of the immediate causes are identified until all
contributing factors have been identified. Fault trees use ‘and’ and ‘or’ gates to relate
contributors, or nodes, to the critical event. Probabilities can be associated with each
node. Probabilities from ‘and’ gates are multiplied together and probabilities from ‘or’
gates are summed to determine the overall probability of the critical event. In other
words, all events under an ‘and’ gate must occur in order for its related critical event to
occur. In the case of an ‘or’ gate, only one of the events leading to the critical event must
occur (Cameron and Raman, 2005). Figure 2.3 is an example of a fault tree.
Figure 2.3: Fault tree (Cameron and Raman, 2005).
[Fault tree shown in Figure 2.3: top event ‘Ammonia tank overfilled’; OR gate; inputs ‘Level Indicator Fails’ and ‘Local operator fails to isolate’.]
2.5.2 Event Tree (ET) Method
An event tree is a diagram that relates a critical event to its consequences. The
critical event is chosen first. Potential safeguards are evaluated in turn to determine the
outcome of the critical event. Safeguards are examined as nodes in the order in which
they are stressed. In most cases, the safeguards are evaluated on a pass/fail basis. In
certain cases, however, there can be multiple options relating to partial operation of a
safeguard. The consequence severity of a critical event varies depending on any
safeguards that are included in the analysis. The critical event itself has an associated
probability of failure (see Section 2.5.1). Each safeguard has a probability of failure.
The probability of failure (or success, depending on which situation is being evaluated) of
each safeguard is combined with the probability of the critical event to determine the
overall probability of each outcome (Cameron and Raman, 2005). Figure 2.1 is an
example of an event tree. The critical event, A, is divided into its causes, F. The
probabilities related to the causes are combined to determine the probability of the critical
event.
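The gate rules of Section 2.5.1 and the path multiplication described for event trees in Sections 2.2 and 2.5.2 can be carried through numerically; the following is an added example, not code from the report. The tree layout in FIGURE_2_1 is an assumed reading of the branch values printed in Figure 2.1, the fault-tree probabilities are constructed, and the exact 'or' formula (independent events) goes beyond the summation rule given in the text.

```python
from math import prod


def and_gate(probs):
    """'and' gate: every input must occur, so probabilities multiply
    (assumes the inputs are independent)."""
    return prod(probs)


def or_gate(probs, exact=False):
    """'or' gate: any one input is enough.

    Default is the summation rule stated in Section 2.5.1, capped at 1.
    exact=True uses 1 - prod(1 - p) for independent inputs (an addition
    beyond the text); the plain sum is its rare-event approximation.
    """
    if exact:
        return 1.0 - prod(1.0 - p for p in probs)
    return min(1.0, sum(probs))


def fault_tree(node, exact=False):
    """Evaluate a fault tree bottom-up.

    A node is a basic-event probability (float) or a tuple
    (gate, children) with gate equal to "and" or "or".
    """
    if isinstance(node, (int, float)):
        if not 0.0 <= node <= 1.0:
            raise ValueError(f"probability out of range: {node}")
        return float(node)
    gate, children = node
    probs = [fault_tree(child, exact) for child in children]
    if gate == "and":
        return and_gate(probs)
    if gate == "or":
        return or_gate(probs, exact)
    raise ValueError(f"unknown gate: {gate!r}")


def event_tree_outcomes(node, p_path=1.0, outcomes=None):
    """Walk an event tree and return {outcome label: probability}.

    A node is an outcome label (str) or a dict with keys 'p_fail',
    'success' and 'failure'. Success and failure at each node sum to
    unity, so the outcome probabilities sum to 1.
    """
    if outcomes is None:
        outcomes = {}
    if isinstance(node, str):
        outcomes[node] = outcomes.get(node, 0.0) + p_path
        return outcomes
    p_fail = node["p_fail"]
    if not 0.0 <= p_fail <= 1.0:
        raise ValueError(f"probability out of range: {p_fail}")
    event_tree_outcomes(node["success"], p_path * (1.0 - p_fail), outcomes)
    event_tree_outcomes(node["failure"], p_path * p_fail, outcomes)
    return outcomes


def total_failure(outcomes):
    """Sum all failure outcomes (labels starting with 'F')."""
    return sum(p for label, p in outcomes.items() if label.startswith("F"))


# Assumed reading of Figure 2.1: act before the alarm (fail 1e-4); if not,
# act within 2 minutes after the alarm (fail 1e-3); in either case the
# operator then selects a pair of switches (wrong pair 1e-2).
FIGURE_2_1 = {
    "p_fail": 1e-4,                      # no action until alarm
    "success": {"p_fail": 1e-2, "success": "S1", "failure": "F1"},
    "failure": {
        "p_fail": 1e-3,                  # no action within 2 min of alarm
        "success": {"p_fail": 1e-2, "success": "S2", "failure": "F2"},
        "failure": "F3",                 # step not done in time
    },
}

# Constructed fault tree: (A and B) or C, with constructed probabilities.
SAMPLE_FAULT_TREE = ("or", [("and", [0.1, 0.02]), 0.005])

if __name__ == "__main__":
    result = event_tree_outcomes(FIGURE_2_1)
    for label in sorted(result):
        print(f"{label}: {result[label]:.3e}")
    print(f"FT: {total_failure(result):.3e}")
    print(f"fault tree (sum rule): {fault_tree(SAMPLE_FAULT_TREE):.5f}")
    print(f"fault tree (exact or): {fault_tree(SAMPLE_FAULT_TREE, True):.5f}")
```

The computed F3 is 10^-7, which is consistent with the figure's bound F3 ≤ 10^-5, and the total is dominated by F1 as the figure's FT ≈ 10^-2 indicates.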
Chapter 3 ESCAPE RISK ASSESSMENT
The first phase of the EER process is the escape, or muster, phase. The goal of
the escape phase is to achieve distance from the EER-initiating event and to gather at a
designated safe area. For many onshore facilities, whether they are oil and gas
processing, chemical processing or even office buildings, the escape phase and the
evacuation phase are combined. In such cases, evacuation is the act of leaving the
building and gathering at a designated safe area, similar to the escape phase. In offshore
environments, evacuation is a more complex and involved process. In either case,
individuals in the escape phase must maintain composure and move safely away from the
critical event toward a designated safe area, or temporary safe refuge (TSR). DiMattia
(2004) has divided the offshore escape phase into several sub-phases: awareness,
evaluation, egress and recovery. In the awareness phase, individuals identify alarms and
maintain composure. In the evaluation phase, individuals determine the urgency of the
situation. If there is time, there are secondary tasks to be completed during evaluation.
In the case of offshore installation escape, this includes making the work area safe for
egress and returning process equipment to a safe state to avoid escalation of the
emergency. In the egress sub-phase, movement to the TSR is accomplished. During this
time, individuals must listen for PA announcements detailing the emergency, where on
the installation to avoid, where to gather, what evacuation equipment to use, and other
information relevant to the situation. Individuals may be required to provide assistance to
others trying to egress or gather safety equipment. In the recovery sub-phase, individuals
register at the TSR, provide feedback on the situation to persons in charge and follow any
instructions given. For onshore buildings, the TSR is usually outdoors and away from
facilities. For offshore installations, the TSR is on the installation. Therefore, extra tasks
in the recovery sub-phase, including donning survival equipment in case of evacuation,
are required (DiMattia, 2004).
3.1 Human Error Probability
HEP analysis of the escape phase has been performed by DiMattia (2004). The
escape phase tasks, scenarios and subsequent HEPs were determined using SLIM. The
identified escape-initiating scenarios encompass the full range of severity for offshore
emergencies. They include a man overboard (MO), gas release (GR) and fire and
explosion (F&E) scenario. The result is an index tool that can be used to evaluate escape
phase HEPs for any defined scenario, the human error probability index (HEPI).
DiMattia (2004) identified 18 tasks to be completed in the escape phase of EER. Several
PSFs were determined using a core group of assessors. The PSFs chosen for evaluation
were:
Stress level
Operator training
Operator experience level
Complexity of the task in question
Event factors – properties of the initiating event
Atmospheric factors – weather, environment, etc.
Once the PSFs were chosen, they were weighted and rated by a wider group of
assessors according to SLIM. The final evaluation for each of the three escape phase
scenarios is shown in Table 3.1. Escape task 13 was not evaluated by assessors.
3.2 Consequence Analysis
Risk is a function of the probability of a critical event and its consequences. An
analysis of the consequences of a critical event is essential in gathering information about
its risk. Analysis can either lead to qualitative descriptions of consequences or
quantitative values where applicable.
3.2.1 Consequence Table
Each of the tasks identified by DiMattia (2004) has been analyzed for its
consequences. There are four categories of consequences for the escape phase. They are
the effect of human error on: personnel health, the quality of egress, the severity of the
escape-initiating incident in question, and other personnel on board (POB). Consequence
severities range from 1 - 4, as shown in Table 3.2.
Table 3.1: Escape phase HEPs.

| Muster Step | HEP (MO) | HEP (GR) | HEP (F&E) |
|---|---|---|---|
| 1. Detect alarm | 0.00499 | 0.0308 | 0.396 |
| 2. Identify alarm | 0.00398 | 0.0293 | 0.386 |
| 3. Act Accordingly | 0.00547 | 0.0535 | 0.448 |
| 4. Ascertain if danger is imminent | 0.00741 | 0.0765 | 0.465 |
| 5. Muster if in imminent danger | 0.00589 | 0.0706 | 0.416 |
| 6. Return process equipment to safe state | 0.00866 | 0.0782 | 0.474 |
| 7. Make workplace as safe as possible in limited time | 0.00903 | 0.0835 | 0.489 |
| 8. Listen and follow PA instructions | 0.00507 | 0.0605 | 0.420 |
| 9. Evaluate potential egress paths and choose route | 0.00718 | 0.0805 | 0.476 |
| 10. Move along egress route | 0.00453 | 0.0726 | 0.405 |
| 11. Assess quality of egress route while moving to TSR | 0.00677 | 0.0788 | 0.439 |
| 12. Choose alternate route if egress path is not tenable | 0.00869 | 0.1000 | 0.500 |
| 13. Collect personal survival suit if in accommodations at time of muster | - | - | - |
| 14. Assist others if needed or as directed | 0.01010 | 0.0649 | 0.358 |
| 15. Register at TSR | 0.00126 | 0.0100 | 0.200 |
| 16. Provide pertinent feedback attained while en route to TSR | 0.00781 | 0.0413 | 0.289 |
| 17. Don personal survival suit or TSR survival suit if instructed to abandon | 0.00517 | 0.0260 | 0.199 |
| 18. Follow OIM's instructions | 0.00570 | 0.0208 | 0.210 |

Table 3.2: Consequence severity descriptions.

| Severity | Health | Egress | Muster Initiator | Other POB |
|---|---|---|---|---|
| 1 | Zero Injury | Zero delay | Zero effect | Zero effect |
| 2 | Likely to result in Minor Injury | Slightly delays reaching TSR or completing TSR actions | Raises muster initiator to level that causes minor delays in reaching TSR | Slightly to Moderately delays others from reaching TSR or completing TSR actions |
| 3 | Likely to result in Major Injury | Moderately delays reaching TSR or completing TSR actions | Raises muster initiator to level that causes moderate to long delays in reaching TSR | Prevents others from reaching TSR or completing TSR actions |
| 4 | Likely to result in Fatality | Prevents reaching TSR or other safe refuge | Raises muster initiator to severity where muster is no longer possible | Prevents others from reaching TSR or having a dry evacuation |

Consequence severities for each task were determined empirically by analyzing
major investigations from similar past incidents. The man overboard, gas release, and
fire and explosion scenarios identified by DiMattia (2004) were evaluated separately.
Each of the four consequence categories was evaluated. The overall consequence
severity for an escape task is equal to the highest consequence severity of its individual
categories. For example, escape task 17, ‘don personal survival suit or TSR survival suit
if instructed to abandon’, has a health consequence severity of 4 and ‘muster initiator’,
‘egress’ and ‘other POB’ consequence severities of 1 for a fire and explosion scenario.
Therefore, the overall consequence severity is 4.
Man overboard consequences were determined primarily using incident report
data from the UK continental shelf (UKCS). Reports on the UKCS from five databases,
including the worldwide offshore accident database (WOAD) and ORION were collected
by Det Norske Veritas (DNV 2007a, 2007b). The reports provided little data on the
results of the escape phase or any rescue operations. Survival in these reports is mainly
attributed to: promptness of reaction of nearby personnel or fast-rescue craft (FRC), the
individual swimming to a platform leg to be retrieved by other personnel, or a safety
harness that had been attached to the individual prior to falling overboard. Two
important points were identified through analysis of these reports. First, timeliness is
essential in rescuing individuals who have fallen overboard. Nearby personnel may throw
life rings or pull the individual from the water. Also, an FRC may be deployed for
retrieval. Second, in terms of the escape phase of the EER process, human error during a
man overboard initiator has negligible consequences. An exception is task 14, ‘assist
others as needed or if directed’.
Consequence severities for the gas release and fire and explosion scenarios were
determined using major incident investigations from industry, such as the Ocean Odyssey
(Robertson and Wright, 1997) and Piper Alpha (Vinnem, 2007) incidents. The
investigations used were for incidents comparable to the gas release and fire and explosion
scenarios evaluated by DiMattia (2004) and Deacon et al. (2010). Incidents with
different initiators that provided relevant information were also included. An example is
the Ocean Ranger investigation (US Coast Guard, 1983). While listing or capsizing was
not evaluated as a scenario in the current work, details about the survivability of
individuals provided in the Ocean Ranger report are relevant in any scenario where
individuals must enter the water. Thus, the consequences of escape step 17, ‘don
personal survival suit if instructed to abandon’, were determined using the Ocean Ranger
report (US Coast Guard, 1983). Tables 3.3 - 3.5 show the consequence severities for
each category and scenario. Table 3.6 shows a comparison of overall consequence
severities between scenarios (Deacon et al., 2010). Each task has been identified
according to the skill (S), rule (R) or knowledge (K) performance levels as described by
DiMattia (2004).
Table 3.3: Consequence severities for MO scenario (adapted from Deacon et al., 2010).

| Escape Task | Health (H) | Muster Initiator (MI) | Egress (E) | Other POB (OPOB) | Overall Rating (OR) | Reference |
|---|---|---|---|---|---|---|
| 1. Detect alarm (S) | 1 | 1 | 2 | 1 | 2 | DNV (2007a, 2007b) |
| 2. Identify alarm (R) | 1 | 1 | 2 | 1 | 2 | DNV (2007a, 2007b) |
| 3. Act accordingly (S) | 1 | 1 | 2 | 1 | 2 | DNV (2007a, 2007b) |
| 4. Ascertain if danger is imminent (K) | 1 | 1 | 1 | 1 | 1 | DNV (2007a, 2007b) |
| 5. Muster if in imminent danger (R) | 1 | 1 | 1 | 1 | 1 | DNV (2007a, 2007b) |
| 6. Return process equipment to safe state (K) | 1 | 2 | 1 | 1 | 2 | DNV (2007a, 2007b) |
| 7. Make workplace as safe as possible in limited time (K) | 1 | 1 | 1 | 2 | 2 | DNV (2007a, 2007b) |
| 8. Listen and follow PA instructions (K) | 1 | 1 | 1 | 2 | 2 | DNV (2007a, 2007b) |
| 9. Evaluate potential egress paths and choose route (K) | 1 | 1 | 1 | 1 | 1 | DNV (2007a, 2007b) |
| 10. Move along egress route (K) | 1 | 1 | 1 | 1 | 1 | DNV (2007a, 2007b) |
| 11. Assess quality of egress route while moving to TSR (K) | 1 | 1 | 1 | 1 | 1 | DNV (2007a, 2007b) |
| 12. Choose alternate route if egress path is not tenable (K) | 1 | 1 | 1 | 1 | 1 | DNV (2007a, 2007b) |
| 13. Collect personal survival suit if in accommodations at time of muster (R) | 1 | 1 | 1 | 1 | 1 | DNV (2007a, 2007b) |
| 14. Assist others if needed or as directed (K) | 1 | 1 | 1 | 4 | 4 | DNV (2007a, 2007b) |
| 15. Register at TSR (R) | 1 | 1 | 1 | 2 | 2 | DNV (2007a, 2007b) |
| 16. Provide pertinent feedback attained while en route to TSR (K) | 1 | 1 | 1 | 2 | 2 | DNV (2007a, 2007b) |
| 17. Don personal survival suit or TSR survival suit if instructed to abandon (R) | 1 | 1 | 1 | 1 | 1 | DNV (2007a, 2007b) |
| 18. Follow OIM's instructions (R) | 1 | 1 | 1 | 1 | 1 | DNV (2007a, 2007b) |

Table 3.4: Consequence severities for GR scenario (adapted from Deacon et al., 2010).

| Escape Task | H | MI | E | OPOB | OR | Reference |
|---|---|---|---|---|---|---|
| 1. Detect alarm (S) | 1 | 1 | 2 | 1 | 2 | Robertson & Wright (1997; p3,4), Moan et al. (1981; p7,8) |
| 2. Identify alarm (R) | 1 | 1 | 2 | 1 | 2 | Robertson & Wright (1997; p3,4), Moan et al. (1981; p7,8) |
| 3. Act accordingly (S) | 4 | 2 | 1 | 4 | 4 | Vinnem (2007; p94) |
| 4. Ascertain if danger is imminent (K) | 3 | 1 | 3 | 1 | 3 | Vinnem (2007; p83,89) |
| 5. Muster if in imminent danger (R) | 3 | 1 | 3 | 1 | 3 | Vinnem (2007; p83,89) |
| 6. Return process equipment to safe state (K) | 3 | 4 | 3 | 1 | 4 | Vinnem (2007; p79-95) |
| 7. Make workplace as safe as possible in limited time (K) | 1 | 1 | 1 | 3 | 3 | Moan et al. (1981; p156-158) |
| 8. Listen and follow PA instructions (K) | 1 | 3 | 2 | 1 | 3 | Robertson & Wright (1997; p3,4) |
| 9. Evaluate potential egress paths and choose route (K) | 3 | 1 | 3 | 1 | 3 | Vinnem (2007; p91), Robertson & Wright (1997; p4,5) |
| 10. Move along egress route (K) | 3 | 1 | 3 | 1 | 3 | Vinnem (2007; p91), Robertson & Wright (1997; p4,5) |
| 11. Assess quality of egress route while moving to TSR (K) | 3 | 1 | 3 | 1 | 3 | Vinnem (2007; p91), Robertson & Wright (1997; p4,5) |
| 12. Choose alternate route if egress path is not tenable (K) | 3 | 1 | 3 | 1 | 3 | Vinnem (2007; p91), Robertson & Wright (1997; p4,5) |
| 13. Collect personal survival suit if in accommodations at time of muster (R) | 3 | 1 | 1 | 1 | 3 | DNV (2007a, 2007b) |
| 14. Assist others if needed or as directed (K) | 1 | 1 | 1 | 3 | 3 | DNV (2007a, 2007b) |
| 15. Register at TSR (R) | 1 | 1 | 1 | 3 | 3 | Robertson & Wright (1997; p6,28) |
| 16. Provide pertinent feedback attained while en route to TSR (K) | 1 | 1 | 1 | 3 | 3 | Vinnem (2007; p87), Robertson & Wright (1997; p4,6) |
| 17. Don personal survival suit or TSR survival suit if instructed to abandon (R) | 4 | 1 | 1 | 1 | 4 | DNV (2007a, 2007b) |
| 18. Follow OIM's instructions (R) | 3 | 1 | 1 | 1 | 3 | DNV (2007a, 2007b) |

Table 3.5: Consequence severities for F&E scenario (adapted from Deacon et al., 2010).

| Escape Task | H | MI | E | OPOB | OR | Reference |
|---|---|---|---|---|---|---|
| 1. Detect alarm (S) | 1 | 1 | 2 | 1 | 2 | Robertson & Wright (1997; p3,4), Moan et al. (1981; p7,8) |
| 2. Identify alarm (R) | 1 | 1 | 2 | 1 | 2 | Robertson & Wright (1997; p3,4), Moan et al. (1981; p7,8) |
| 3. Act accordingly (S) | 4 | 2 | 1 | 4 | 4 | Vinnem (2007; p94) |
| 4. Ascertain if danger is imminent (K) | 4 | 3 | 4 | 3 | 4 | Vinnem (2007; p94), Robertson & Wright (1997; p11), Moan et al. (1981; p155-160) |
| 5. Muster if in imminent danger (R) | 4 | 1 | 4 | 3 | 4 | Vinnem (2007; p84,87-89,91), Robertson & Wright (1997; p4) |
| 6. Return process equipment to safe state (K) | 4 | 4 | 4 | 4 | 4 | Vinnem (2007; p79-95) |
| 7. Make workplace as safe as possible in limited time (K) | 1 | 1 | 1 | 3 | 3 | Moan et al. (1981; p156-158) |
| 8. Listen and follow PA instructions (K) | 4 | 3 | 3 | 1 | 4 | Robertson & Wright (1997; p3,4) |
| 9. Evaluate potential egress paths and choose route (K) | 4 | 1 | 4 | 1 | 4 | 3(p4,6), Moan et al. (1981; p155-160) |
| 10. Move along egress route (K) | 4 | 1 | 4 | 1 | 4 | Robertson & Wright (1997; p4,6), Moan et al. (1981; p155-160) |
| 11. Assess quality of egress route while moving to TSR (K) | 4 | 1 | 4 | 1 | 4 | Robertson & Wright (1997; p4), Moan et al. (1981; p155-160) |
| 12. Choose alternate route if egress path is not tenable (K) | 4 | 1 | 4 | 1 | 4 | Vinnem (2007; p91), Robertson & Wright (1997; p4,5), Moan et al. (1981; p155-160) |
| 13. Collect personal survival suit if in accommodations at time of muster (R) | 4 | 1 | 1 | 1 | 4 | Robertson & Wright (1997; p16,17) |
| 14. Assist others if needed or as directed (K) | 1 | 1 | 1 | 4 | 4 | Robertson & Wright (1997; p7,8,18,19) |
| 15. Register at TSR (R) | 1 | 1 | 1 | 3 | 3 | Robertson & Wright (1997; p6,28) |
| 16. Provide pertinent feedback attained while en route to TSR (K) | 1 | 1 | 1 | 4 | 4 | Vinnem (2007; p87), Robertson & Wright (1997; p4,6) |
| 17. Don personal survival suit or TSR survival suit if instructed to abandon (R) | 4 | 1 | 1 | 1 | 4 | US Coast Guard (1983; Part I p2-4), Vinnem (2007; p84,91) |
| 18. Follow OIM's instructions (R) | 4 | 1 | 1 | 4 | 4 | US Coast Guard (1983; Part I p8-10) |

Table 3.6: Overall consequence severities (adapted from Deacon et al., 2010).

| Escape Task | MO | GR | F&E |
|---|---|---|---|
| 1. Detect alarm (S) | 2 | 2 | 2 |
| 2. Identify alarm (R) | 2 | 2 | 2 |
| 3. Act accordingly (S) | 2 | 4 | 4 |
| 4. Ascertain if danger is imminent (K) | 1 | 3 | 4 |
| 5. Muster if in imminent danger (R) | 1 | 3 | 4 |
| 6. Return process equipment to safe state (K) | 2 | 4 | 4 |
| 7. Make workplace as safe as possible in limited time (K) | 2 | 3 | 3 |
| 8. Listen and follow PA instructions (K) | 2 | 3 | 4 |
| 9. Evaluate potential egress paths and choose route (K) | 1 | 3 | 4 |
| 10. Move along egress route (K) | 1 | 3 | 4 |
| 11. Assess quality of egress route while moving to TSR (K) | 1 | 3 | 4 |
| 12. Choose alternate route if egress path is not tenable (K) | 1 | 3 | 4 |
| 13. Collect personal survival suit if in accommodations at time of muster (R) | 1 | 3 | 4 |
| 14. Assist others if needed or as directed (K) | 4 | 3 | 4 |
| 15. Register at TSR (R) | 2 | 3 | 3 |
| 16. Provide pertinent feedback attained while en route to TSR (K) | 2 | 3 | 4 |
| 17. Don personal survival suit or TSR survival suit if instructed to abandon (R) | 1 | 4 | 4 |
| 18. Follow OIM's instructions (R) | 1 | 3 | 4 |

To reduce the consequence severity for a particular task, the highest consequence
category must be reduced. This can be a single category or multiple categories. For
example, escape task 12, ‘choose alternate route if egress path is not tenable’ of the fire
and explosion scenario has a consequence severity of 4 for the health and egress
categories. In order to reduce the overall consequence severity for task 12, the
consequences of both the health and egress categories must be reduced.
3.2.2 Procedural HAZOP
A procedural HAZOP, discussed in Chapter 2, was used to evaluate potential
causes of human error, called failure modes. Potential consequences are also identified
via a procedural HAZOP. Safeguards to protect against failure modes or consequences
are included. The procedural HAZOPs for two of the escape tasks are shown in Tables
3.7 and 3.8. They were adapted from DiMattia (2004) and are found in Deacon et al.
(2010). A notable addition is the division of safeguards into prevention barriers and
mitigation barriers, as per the bow-tie concept discussed in Chapter 2. The following
HAZOP guidewords are addressed:
No – the required action or diagnosis is not attempted or completed
Part of – the required action or diagnosis is attempted and only partially completed
Other than – a different action or diagnosis other than the one required is completed
Late – the required action or diagnosis is completed after an extended amount of time
More – the required action or diagnosis is completed to a further extent than necessary, exposing personnel to unnecessary risk
Early – the required action or diagnosis is prematurely completed
Before/After – the required action or diagnosis is completed out of sync with other critical tasks
The potential safeguards identified by the procedural HAZOP are evaluated in the
risk reduction stage to determine their reliability and effect on the risk of the task in
question (see Chapter 6).
3.3 Risk Estimation
The tolerability of risk for EER tasks is determined using a risk matrix. The
International Organization for Standardization (ISO) standard 17776 risk matrix (DNV,
2002) is
Table 3.7: Procedural HAZOP for escape task 1, 'detect alarm' (Deacon et al., 2010).
Columns: Guideword, Description, Consequence, Prevention Barriers, Mitigation Barriers
Guideword: No
  Description: Operator does not hear alarm/alarm not sounded
  Consequence:
    Injury/loss of life
    Entrapment in a dangerous area; difficult to be rescued
    Delay of time to muster
  Prevention Barriers:
    Inherent
      Elimination of obstructions near alarms
      Minimal number of loud machines on board
      Minimal number of electrically dependent alarms
    Active Engineered
      Alarm systems strategically placed to cover all areas
      Redundancy through both audio and visual enunciation
      Push-button alarms in strategic locations
    Procedural
      Personnel equipped with two-way radios
      Review of new technology, applications and standards
      Preventative maintenance (PM), testing, severe-weather monitoring
      Personnel familiarized with alarms
      Muster training at infrequent intervals
      Enlisting of feedback on alarm effectiveness
      CCR operators trained to limit and remove inhibits immediately
  Mitigation Barriers:
    Procedural
      Buddy system for new personnel
      New personnel identified with different coloured clothing
      Experienced personnel trained to assist others as identified
Guideword: Part of
  Description: -
Guideword: Other than
  Description: -
Guideword: Late
  Description: Operator does not hear alarm immediately
  Consequence:
    Delay of time to muster
    Loss of life
    Loss of critical time to respond to problems that initiated the alarm
    Entrapment in a dangerous area; difficult to be rescued
Guideword: More
  Description: -
Guideword: Early
  Description: -
Guideword: Before/After
  Description: -
41
Table 3.8: Procedural HAZOP for escape task 15, 'register at TSR' (Deacon et al., 2010).
Guideword: No
  Description: Operator does not register at TSR
  Consequences:
    Miscommunication
    Unnecessary rescue attempt, putting more lives at risk
  Prevention barriers:
    Inherent:
      Multiple registration stations to minimize line-ups
      Minimal number of people in each registry location for ease of evacuation
    Active Engineered:
      Battery operated registry system in case of power failure
      Swipe card registration system
    Procedural:
      Signage in TSR reminding all individuals to register immediately
      Individual responsible for head count trained to prompt POB to register
      Competency testing
      Behavioural testing to determine panic potential
  Mitigation barriers:
    Active Engineered:
      Tracking device on all POB
    Procedural:
      Inexperienced individuals teamed with experienced personnel for a defined period of time
      New personnel identified with different coloured clothing
      Experienced personnel trained to assist others as identified
Guideword: Part of
  Description: Operator begins registration task but does not complete
Guideword: Other than
  -
Guideword: Late
  Description: Operator arrives at TSR but does not immediately register
Guideword: More
  Description: Operator registers multiple people at TSR
  Consequences:
    Miscommunication
    Endangering personnel who have not yet completed muster
Guideword: Early
  Description: Operator instructs someone else to register for operator before they arrive
Guideword: Before/After
  -
shown in Appendix A. The ISO standard 17776 matrix incorporates the qualitative
frequency of occurrence of a critical event.
Frequency of critical event categories has been converted to probability of critical
event in Deacon et al. (2010). This was done through comparison with the quantitative
risk ranking matrix developed by IMO (DNV, 2002; see Appendix A).
The risk matrix is used to identify the level of risk of a critical event. The
consequence table is incorporated with probabilities of occurrence of the critical event in
question. The probabilities of occurrence are divided into four ranges to create a 4x4 risk
matrix. These ranges are adapted from the ISO 17776 risk matrix and the IMO risk
ranking matrix. The risk is reduced in the risk matrix by lowering the probability so that
the risk moves to a lower region, lowering the consequence so that the risk moves to a
lower region, or both. Figure 3.1 is the risk matrix used in the current work (Deacon et
al., 2010).
If a risk is in the ‘broadly acceptable’ region, the current safety measures are
adequate in controlling the risk. Monitoring for opportunities for continued improvement
should be undertaken regularly. The second region is the ‘tolerable if as low as
reasonably practicable (ALARP)’ region. In this region, if further risk reduction
measures provide minor results and are financially debilitating, then the risk is considered
tolerable. Cost-benefit analysis can be used to show that a risk is ALARP. The third
region is the ‘intolerable’ region. Tasks with risk in this region are considered
unacceptable and must either have the risk reduced to at least the ‘tolerable if ALARP’
region or the task should be discontinued.
The HEPs and consequence severities for the escape phase of EER were
combined in the human error risk matrix by Deacon et al. (2010). The overall
consequence severity for each escape phase task and escape scenario (DiMattia, 2004)
were evaluated. The risk category for each escape phase task of the fire and explosion
scenario is shown in Table 3.9.
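Figure 3.2: Human error risk matrix.
[Figure: 4x4 matrix with consequence rating (1, 2, 3, 4) across the top and HEP ranges (0.001-0.01, 0.01-0.1, 0.1-0.5, 0.5-1) down the side; each cell is classified as Broadly Acceptable, Tolerable if ALARP, or Intolerable.]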
The next step is risk reduction analysis for high risk tasks. The current work uses
a risk graph to identify the required reliability of incorporated safety measures to reduce
high risk tasks to a ‘tolerable if ALARP’ level. The risk reduction mechanism is
discussed further in Chapter 6. It is assumed that by preparing for the most severe
scenario (i.e. a fire and explosion scenario), less severe scenarios are also accounted for.
Therefore, only the fire and explosion scenario is evaluated for risk reduction for the
escape phase.
Table 3.9: Risk level for escape phase tasks for fire and explosion scenario.
| Escape Task | HEP | Consequence | Risk Level |
|---|---|---|---|
| 1. Detect alarm | 0.396 | 2 | ALARP |
| 2. Identify alarm | 0.386 | 2 | ALARP |
| 3. Act accordingly | 0.448 | 4 | Intolerable |
| 4. Ascertain if danger is imminent | 0.465 | 4 | Intolerable |
| 5. Muster if in imminent danger | 0.416 | 4 | Intolerable |
| 6. Return process equipment to safe state | 0.474 | 4 | Intolerable |
| 7. Make workplace as safe as possible in limited time | 0.489 | 3 | ALARP |
| 8. Listen and follow PA instructions | 0.420 | 4 | Intolerable |
| 9. Evaluate potential egress paths and choose route | 0.476 | 4 | Intolerable |
| 10. Move along egress route | 0.405 | 4 | Intolerable |
| 11. Assess quality of egress route while moving to TSR | 0.439 | 4 | Intolerable |
| 12. Choose alternate route if egress path is not tenable | 0.500 | 4 | Intolerable |
| 13. Collect personal survival suit if in accommodations at time of muster | - | 4 | - |
| 14. Assist others if needed or as directed | 0.358 | 4 | Intolerable |
| 15. Register at TSR | 0.200 | 3 | ALARP |
| 16. Provide pertinent feedback attained while en route to TSR | 0.289 | 4 | Intolerable |
| 17. Don personal survival suit or TSR survival suit if instructed to abandon | 0.199 | 4 | Intolerable |
| 18. Follow OIM's instructions | 0.210 | 4 | Intolerable |
Chapter 4 EVACUATION RISK ASSESSMENT
The second phase of the EER process is evacuation. Evacuation is the movement
away from the facility until a reasonably safe distance is achieved. For onshore
buildings, the escape and evacuation phases can be combined. Onshore buildings include
oil and gas processing, chemical processing, residential or commercial buildings, etc.
Often the safe refuge for onshore buildings is a safe distance for evacuation. Offshore
installations, however, include a separate mode of movement once the escape phase is
complete.
Offshore evacuation can occur by walking across a bridge link to a nearby
facility, by helicopter, or by movement through the sea. Some installations are connected
to others by a bridge that allows individual movement between installations. Movement
from an evacuating installation to a neighbouring installation via a bridge link is similar
to the movement to a TSR from an escape initiator (see Chapter 3). Bridge link
evacuation is the ideal means of leaving an offshore installation. A second choice is
air evacuation by helicopter. Individuals must move to the helipad and communicate
with the incoming pilot, maintaining composure to avoid injury or equipment damage
during evacuation.
If bridge link or helicopter evacuations are not available, then evacuation must
occur by sea. If possible, a totally enclosed motor-propelled survival craft (TEMPSC)
should be used. The advantage of a TEMPSC is the added engine power for moving
through the sea and away from the installation. A coxswain must be designated for each
TEMPSC. Individuals move to the TEMPSC, prepare it to be dropped into the water,
inform rescue personnel of launch, and move towards a designated rescue area. Life
boats with paddles can also be used. Evacuation with life boats can prove more difficult
than with TEMPSCs, especially in harsh sea conditions. If possible, life boat personnel
should scan the sea for overboard survivors to aid or other lifeboats to attach to. If no
other means are available, individuals can also jump directly into the sea. It is important
to move to the lowest platform possible before attempting a jump. Individuals must also
assess the potential for any contaminants in the area and jump feet-first, away from the
platform into the water. Survival suits are essential for direct-to-sea evacuation, and
individuals must scan the sea for any rescue opportunity.
4.1 Human Error Probability
Hierarchical task analysis (HTA) was used to identify the tasks required for
evacuation of an offshore oil and gas processing installation. HTA is described in
Chapter 2. The research team combined technical knowledge of the offshore evacuation
process with a previous analysis of the offshore EER process in the UK (Kennedy, 1993).
The HTA of evacuation tasks is shown in Figure 4.1.
1.0 Prepare to evacuate
1.1 Check wind speed, direction and sea state
1.2 Instruct personnel and maintain control
1.3 Issue sea sickness tablets
2.0 Evacuate installation – do one of 2.1-2.5; priority in descending order
2.1 Evacuate via bridge link
2.2 Evacuate via helicopter
2.2.1 Move to helideck
2.2.2 Establish communication with pilot
2.2.3 Instruct personnel on boarding procedure
2.2.4 Board helicopter
2.2.5 Don flight suit, aviation life jacket and secure seatbelt
2.3 Evacuate via TEMPSC (totally enclosed motor-propelled survival craft)
2.3.1 Ensure sea-worthiness of TEMPSC
2.3.2 Check compass heading/direction to steer craft
2.3.3 Turn helm fully to clear installation on launch
2.3.4 Ensure drop zone is clear
2.3.5 Instruct personnel on boarding procedure
2.3.6 Fasten seat belt
2.3.7 Ensure everyone is secure
2.3.8 Start air support system
2.3.9 Close and secure all hatches
2.3.10 Call command centre/launch master/other lifeboats to confirm launch sequence
2.3.11 Release falls/confirm auto-release
2.3.12 Launch TEMPSC
2.3.13 Engage forward gear and full throttle
2.3.14 Steer TEMPSC at vector from platform to rescue area
2.4 Evacuate by life raft
2.4.1 Move to life raft muster station
2.4.2 Ensure sea-worthiness of life raft
2.4.3 Secure painter to a strong point
2.4.4 Check for life raft instructions and number of personnel accommodated
2.4.5 Launch life raft
2.4.6 Board life raft
2.4.7 Cut painter
2.4.8 Paddle clear of danger
2.4.9 Stream anchor
2.4.10 Maintain sea-worthiness of life raft
2.4.11 Look for TEMPSC, fast rescue craft (FRC), other life raft or overboard survivors
2.4.12 Attach painter to other life raft or tow craft
2.5 Escape directly to sea
2.5.1 Ensure survival suit properly sealed, lifejacket fastened
2.5.2 Move to lowest nearby platform
2.5.3 Assess direction of waves, danger and airborne contaminants
2.5.4 Jump away from platform, feet first, avoiding platform legs
2.5.5 Swim along side of platform
2.5.6 Look for other overboard survivors and rescue opportunities
Figure 4.1: HTA of evacuation tasks.
The HEPs for the escape phase were evaluated using the success likelihood index
methodology (SLIM). The HEPs for the evacuation phase were evaluated using the
human error assessment and reduction technique (HEART; Williams, 1988). HEART is
described in detail in Chapter 2. It was determined that the evacuation sub-phase
‘evacuate via bridge link’ is similar in analysis to the escape phase, in particular the
‘egress’ sub-phase. As a result, the bridge link evacuation sub-phase is considered
evaluated in Chapter 3 with the ‘egress’ escape sub-phase.
HEART was chosen for expert judgment due to its current use in the UK, positive
results in validation exercises (Kirwan et al., 1996), and its efficiency of resources (one
expert judge required). A secondary result of the current work is an analysis of the
feasibility of using HEART as part of a comprehensive risk assessment and reduction
technique. Table 4.1 shows a comparison between HEART and SLIM.
Table 4.1: Comparison of HEART and SLIM.
| SLIM | HEART |
|---|---|
| Resource-intensive (multiple assessors required) | Resource-efficient (one assessor required) |
| Calibrated | No calibration |
| Assessor data combines for robust results | Different assessors can have different results |
| Statistical analysis avoids pessimism, less conservative | Pessimistic (yields high HEP easily) |
The research team developed a survey from HEART to solicit experts in the area
of offshore evacuation. Solicited assessors included offshore evacuation training
personnel and experts in the field of offshore safety. The survey is divided into two parts,
a GEP (generic error probability) survey and an EPC (error-producing condition) survey.
The GEP solicitation survey gives assessors a list of the HEART qualitative GEP
descriptions. The associated nominal probabilities of error were not included.
Quantitative values were omitted to reduce the assessor bias of choosing GEPs and EPCs
to arrive within a pre-determined range of values. Sample tasks for each qualitative GEP
description were included as a guide for assessors. One aspect of HEART is that a given
task may satisfy multiple GEP categories. The methodology accounts for this property.
Individuals choose the lowest GEP category applicable to the task being evaluated. For
ease of use, GEPs were ranked from 1 to 8, with 1 being GEP category H and 8 being
GEP category A, to minimize confusion for assessors. The following instructions were
given to assessors:
Choose evacuation task.
Begin with GEP 1, comparing task to GEP description.
As soon as a task satisfies a GEP description, stop.
The surveys used, with full instructions, are given in Appendix B. Table 4.2 shows the
list of GEPs considered.
Table 4.2: GEP descriptions and associated values.
| GEP | Description | GEP Value (Range) |
|---|---|---|
| A | Totally unfamiliar, at speed, no idea of consequences | 0.55 (0.35-0.97) |
| B | Shift/restore system to new/original state, single attempt, no supervision/procedures | 0.26 (0.14-0.42) |
| C | Complex task requiring high level of comprehension and skill | 0.16 (0.12-0.28) |
| D | Fairly simple task performed rapidly or given little attention | 0.09 (0.06-0.13) |
| E | Routine, highly-practiced, rapid task requiring little skill | 0.02 (0.007-0.045) |
| F | Restore/shift system to new/original state, following procedures, with checking | 0.003 (0.0008-0.007) |
| G | Familiar, well-designed routine task performed several times per hour, performed to highest possible standards by highly motivated, trained and experienced person totally aware of consequences of failure, with time to correct potential error but with no significant job aids | 0.0004 (0.00008-0.009) |
| H | Respond correctly to system command with automated/augmented supervisory system providing accurate interpretation of system stage | 0.00002 (0-0.0009) |
Each GEP has a nominal value with an acceptable range of values in parentheses.
For all purposes of the current work, the nominal values were used. The second part of
the survey is the EPC and APOA (assessed proportion of affect) evaluation. The
assessors were given 17 qualitative descriptions of EPCs and asked to choose 0-3 EPCs
for each task. The limit of three EPCs is both an effort to reduce HEART’s pessimistic
tendency (Kirwan et al., 1996) and an application of the principle that multiple EPCs do not
often combine to increase risk (Williams, 1988). The EPCs considered are shown in
Table 4.3.
Table 4.3: EPC descriptions and associated values.
| EPC | Description | Maximum Effect Multiplier |
|---|---|---|
| 1 | Unfamiliarity with a situation which is potentially important, but occurs infrequently, or which is novel | 17 |
| 2 | Shortage of time available for error detection and correction | 11 |
| 3 | Low signal-to-noise ratio | 10 |
| 4 | Means of suppressing/overriding information/features that is too easily accessible | 9 |
| 5 | No means of conveying spatial and functional information to operators in a form that they can readily assimilate | 8 |
| 6 | Mismatch between operator's model of the world and that of the designer | 8 |
| 7 | No obvious means of reversing an unintended action | 8 |
| 8 | A channel-capacity overload, particularly one that is caused by simultaneous presentation of non-redundant information | 6 |
| 9 | A need to unlearn a technique and apply one that uses an opposing philosophy | 6 |
| 10 | A need to transfer specific knowledge from task to task without loss | 5.5 |
| 11 | Ambiguity in the required performance standards | 5 |
| 12 | A mismatch between perceived and real risk | 4 |
| 13 | Poor, ambiguous or mismatched system feedback | 4 |
| 14 | No clear, direct and timely confirmation of an intended action from the portion of the system over which control is to be exerted | 4 |
| 15 | Operator inexperience | 3 |
| 16 | An impoverished quality of information conveyed by procedures and person-person interaction | 3 |
| 17 | Little or no independent checking/testing of output | 3 |
The maximum effect multiplier of each EPC is associated with an APOA of 1.
The APOA is chosen to determine the fraction of the maximum effect multiplier that is
multiplied with the GEP. Three evacuation scenarios of increasing severity were
identified for the assessors. The scenarios are shown in Table 4.4.
Table 4.4: Evacuation scenarios.
| Detail | Abandonment Scenario: Collision | Abandonment Scenario: Gas Release | Abandonment Scenario: Fire & Explosion |
|---|---|---|---|
| Situation | A jack-up rig collides with a fixed installation during approach; significant damage to platform leg. | A hydrocarbon gas release | A fire and explosion |
| Operator in question | 15 years experience | 7 years experience | 6 months experience |
| Weather | Good weather, calm seas | Cold, wet weather | Winter storm |
| Time of day | Daylight hours | Daylight hours | Night-time hours |
The assessors used the scenario descriptions to evaluate the APOA of each EPC
separately for each evacuation scenario. For a given task, the EPC/APOA evaluation is
conducted as follows:
Choose evacuation task.
Choose 0-3 EPCs.
Evaluate each EPC based on the three evacuation scenarios.
EPCs are determined by the task itself. Regardless of the scenario, EPCs are chosen for
their potential to affect a task. APOAs are determined by the situation. APOAs are the
magnitude of the effect of EPCs. As the severity of a situation increases, it can be
expected that the magnitude of the EPCs, the APOAs, also increases.
The completed surveys were analyzed quantitatively. The associated values for
each GEP and EPC chosen were used to evaluate the HEP for each evacuation task. Each
completed survey resulted in an independent set of HEP data.
Several experts were solicited and two complete surveys were obtained for
analysis. As the number of completed surveys was not sufficient, a statistical
analysis of HEP results was not performed in the current work. However, a full HRA
analysis was performed for each survey result. The two survey results were compared in
the current work to obtain a picture of the importance of consistency in the HEART
technique. The risk reduction stage of the HRA analysis is shown in Chapter 6. A
discussion of the importance of calibration and consistency is also given in Chapter 6.
Table 4.5 shows survey responses of the two assessors. The GEPs were chosen
from Table 4.2 and the EPCs were chosen from Table 4.3. Assessors were allowed to
choose between 0 and 3 EPCs. A ‘-’ indicates that no EPC was chosen. While SLIM
is a more robust and statistically involved technique, the low resources required for
HEART make it a potentially useful technique in risk assessment. It has also received
support from validation exercises (Kirwan, 1996; Kirwan et al., 1996; Kirwan, 1997a;
Kirwan, 1997b).
HEPs for each task were determined by first combining the survey results in
Table 4.5 with Equation (2.5) and Table 4.3, and then by multiplying the EPC multiplier
by the associated nominal GEP value (Table 4.2) from the survey results. As an example,
for task 1.1, participant 1 chose GEP E (0.02), EPC 2 (11) and EPC 3 (10). For all three
evacuation scenarios the assessor chose an APOA of 0.5 for EPC 2 and 0.3 for EPC 3.
From equation 2.5, the EPC multiplier for EPC 2 is 6 and EPC 3 is 3.7. The GEP is
multiplied by the EPC multipliers to obtain the HEP. Therefore, the HEP for task 1.1 is
0.02 * 6 * 3.7 = 0.444. Table 4.6 shows the HEPs evaluated from the surveys.
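The calculation described above can be written out as follows. This is an added example, not code from the report; it assumes Equation (2.5) is the standard HEART relation, multiplier = (maximum effect - 1) x APOA + 1, which reproduces the multipliers 6 and 3.7 quoted in the text, and it assumes HEPs are capped at 1.0, as the 1.000 entries in Table 4.6 suggest. The function names and the scenario APOAs in the last call are constructed for illustration.

```python
"""HEART human error probability (HEP) calculation (added illustration)."""

# Nominal GEP values from Table 4.2 (the report uses the nominal values only).
GEP_NOMINAL = {
    "A": 0.55, "B": 0.26, "C": 0.16, "D": 0.09,
    "E": 0.02, "F": 0.003, "G": 0.0004, "H": 0.00002,
}

# Maximum effect multipliers from Table 4.3, keyed by EPC number.
EPC_MAX = {
    1: 17, 2: 11, 3: 10, 4: 9, 5: 8, 6: 8, 7: 8, 8: 6, 9: 6,
    10: 5.5, 11: 5, 12: 4, 13: 4, 14: 4, 15: 3, 16: 3, 17: 3,
}

MAX_EPCS_PER_TASK = 3  # survey limit: assessors chose 0-3 EPCs per task


def epc_multiplier(epc, apoa):
    """Assessed effect of one EPC: (maximum effect - 1) * APOA + 1.

    Assumed form of Equation (2.5); an APOA of 1 gives the full
    maximum effect multiplier and an APOA of 0 gives no effect (1).
    """
    if epc not in EPC_MAX:
        raise ValueError(f"unknown EPC number: {epc}")
    if not 0.0 <= apoa <= 1.0:
        raise ValueError(f"APOA must lie in [0, 1], got {apoa}")
    return (EPC_MAX[epc] - 1) * apoa + 1


def heart_hep(gep, epcs=()):
    """HEP = nominal GEP times the product of the EPC multipliers.

    `epcs` is an iterable of (EPC number, APOA) pairs. The result is
    capped at 1.0 (assumption inferred from Table 4.6).
    """
    epcs = list(epcs)
    if gep not in GEP_NOMINAL:
        raise ValueError(f"unknown GEP category: {gep}")
    if len(epcs) > MAX_EPCS_PER_TASK:
        raise ValueError("at most three EPCs may be chosen per task")
    if len({number for number, _ in epcs}) != len(epcs):
        raise ValueError("each EPC may be chosen only once per task")
    hep = GEP_NOMINAL[gep]
    for number, apoa in epcs:
        hep *= epc_multiplier(number, apoa)
    return min(hep, 1.0)


def hep_by_scenario(gep, epc_numbers, apoa_by_scenario):
    """EPCs are fixed by the task; APOAs are assessed per scenario.

    `apoa_by_scenario` maps a scenario name to one APOA per chosen EPC,
    in the same order as `epc_numbers`.
    """
    results = {}
    for scenario, apoas in apoa_by_scenario.items():
        if len(apoas) != len(epc_numbers):
            raise ValueError(f"need one APOA per EPC for {scenario}")
        results[scenario] = heart_hep(gep, zip(epc_numbers, apoas))
    return results


if __name__ == "__main__":
    # Task 1.1, participant 1: GEP E, EPC 2 (APOA 0.5), EPC 3 (APOA 0.3).
    print("task 1.1:", round(heart_hep("E", [(2, 0.5), (3, 0.3)]), 3))
    # Task 2.5.4, survey 2: GEP D and no EPCs.
    print("task 2.5.4 (S2):", heart_hep("D"))
    # Constructed APOAs showing how severity drives the HEP to the cap.
    print(hep_by_scenario("C", [15, 2], {
        "Collision": [0.1, 0.1],
        "Gas Release": [0.5, 0.5],
        "Fire & Explosion": [1.0, 1.0],
    }))
```

With a GEP of C or higher, two moderately weighted EPCs are already enough to reach the cap, which is the pessimism attributed to HEART in Table 4.1.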
Table 4.5: Assessor GEP and EPC choices.
| Muster Step | Survey 1 GEP | Survey 1 EPC 1 | Survey 1 EPC 2 | Survey 1 EPC 3 | Survey 2 GEP | Survey 2 EPC 1 | Survey 2 EPC 2 | Survey 2 EPC 3 |
|---|---|---|---|---|---|---|---|---|
| 1.1 Check wind speed, direction and sea state | E | 2 | 3 | - | E | 15 | 17 | - |
| 1.2 Instruct personnel and maintain control | C | 16 | 15 | 11 | D | 1 | 10 | 11 |
| 1.3 Issue sea sickness tablets | E | 12 | 2 | - | H | - | - | - |
| 2.2.1 Move to helideck | E | 12 | 6 | 16 | H | - | - | - |
| 2.2.2 Establish communication with pilot | E | 2 | 3 | - | F | 1 | - | - |
| 2.2.3 Instruct personnel on boarding procedure | C | 16 | 1 | 12 | G | - | - | - |
| 2.2.4 Board helicopter | E | - | - | - | H | - | - | - |
| 2.2.5 Don flight suit, aviation life jacket and secure seatbelt | E | 12 | 16 | 2 | F | - | - | - |
| 2.3.1 Ensure sea-worthiness of TEMPSC | C | 6 | 15 | 11 | F | - | - | - |
| 2.3.2 Check compass heading/direction to steer craft | E | 2 | 3 | - | D | 11 | - | - |
| 2.3.3 Turn helm fully to clear installation on launch | C | 13 | 15 | 2 | E | - | - | - |
| 2.3.4 Ensure drop zone is clear | E | 1 | 2 | - | G | - | - | - |
| 2.3.5 Instruct personnel on boarding procedure | C | 16 | 2 | 15 | G | - | - | - |
| 2.3.6 Fasten seat belt | E | 2 | 12 | - | G | - | - | - |
| 2.3.7 Ensure everyone is secure | C | 2 | 12 | - | F | - | - | - |
| 2.3.8 Start air support system | D | 15 | 16 | 2 | E | - | - | - |
| 2.3.9 Close and secure all hatches | E | 11 | 12 | 2 | G | - | - | - |
| 2.3.10 Call command centre/launch master/other lifeboats to confirm launch sequence | E | 12 | 2 | 3 | E | - | - | - |
| 2.3.11 Release falls/confirm auto-release | E | 12 | 15 | - | A | 1 | 8 | 12 |
| 2.3.12 Launch TEMPSC | C | - | - | - | B | 1 | 8 | 12 |
| 2.3.13 Engage forward gear and full throttle | C | 15 | - | - | E | - | - | - |
| 2.3.14 Steer TEMPSC at vector from platform to rescue area | D | 15 | - | - | B | 15 | - | - |
| 2.4.1 Move to life raft muster station | E | 12 | 1 | - | G | - | - | - |
| 2.4.2 Ensure sea-worthiness of life raft | C | 15 | 2 | - | H | - | - | - |
| 2.4.3 Secure painter to strong point | E | 2 | 12 | - | G | - | - | - |
| 2.4.4 Check for life raft instructions and number of personnel accommodated | E | 2 | 16 | - | E | - | - | - |
| 2.4.5 Launch life raft | E | - | - | - | G | - | - | - |
| 2.4.6 Board life raft | E | - | - | - | B | 15 | - | - |
| 2.4.7 Cut painter | E | 2 | 15 | - | G | - | - | - |
| 2.4.8 Paddle clear of danger | A | - | - | - | A | - | - | - |
| 2.4.9 Stream anchor | E | 2 | 12 | 16 | H | - | - | - |
| 2.4.10 Maintain sea-worthiness of life raft | C | 15 | - | - | E | - | - | - |
| 2.4.11 Look for TEMPSC, FRC, other life raft or overboard survivors | E | 2 | 11 | 16 | G | - | - | - |
| 2.4.12 Attach painter to other life raft or tow craft | D | 15 | - | - | E | - | - | - |
| 2.5.1 Ensure survival suit properly sealed, lifejacket fastened | E | 12 | 2 | - | F | - | - | - |
| 2.5.2 Move to lowest nearby platform | D | 15 | 2 | - | E | - | - | - |
| 2.5.3 Assess direction of waves, danger and airborne contaminants | C | 15 | 2 | - | F | - | - | - |
| 2.5.4 Jump away from platform, feet first, avoiding platform legs | E | 15 | - | - | D | - | - | - |
| 2.5.5 Swim along side of platform | A | 15 | - | - | B | - | - | - |
| 2.5.6 Look for other overboard survivors and rescue opportunities | E | 15 | 2 | - | B | - | - | - |
There were fewer EPCs chosen in survey 2 than in survey 1. It is important to
note that different GEP/EPC/APOA combinations can lead to similar HEPs (Kirwan et
al., 1996), such as those for tasks 2.3.14 and 2.5.4. In task 2.5.4, for example, one
assessor chose GEP D and no EPCs, while the other chose GEP E with EPC 15. The
resultant HEPs differ by a factor of 2, which is negligible when considering such small
numbers. However, resultant HEPs differ greatly between surveys for other tasks, such
as task 2.5.3. Indeed one assessor’s results suggest that the probability of error is certain
while the other assessor’s results suggest that it is very unlikely. The consequences of the
discrepancy between survey results are discussed in Section 4.3 and Chapter 6.
Table 4.6: Assessor HEP results.
| Evacuation Step | Collision HEP S1* | Collision HEP S2* | GR HEP S1 | GR HEP S2 | F&E HEP S1 | F&E HEP S2 |
|---|---|---|---|---|---|---|
| 1.1 Check wind speed, direction and sea state | 0.444 | 0.039 | 0.444 | 0.039 | 0.444 | 0.180 |
| 1.2 Instruct personnel and maintain control | 1.000 | 1.000 | 1.000 | 1.000 | 1.000 | 1.000 |
| 1.3 Issue sea sickness tablets | 0.280 | 0.000 | 0.280 | 0.000 | 0.280 | 0.000 |
| 2.2.1 Move to helideck | 0.234 | 0.000 | 0.450 | 0.000 | 0.450 | 0.000 |
| 2.2.2 Establish communication with pilot | 0.392 | 0.013 | 0.770 | 0.027 | 1.000 | 0.051 |
| 2.2.3 Instruct personnel on boarding procedure | 1.000 | 0.000 | 1.000 | 0.000 | 1.000 | 0.000 |
| 2.2.4 Board helicopter | 0.020 | 0.000 | 0.020 | 0.000 | 0.020 | 0.000 |
| 2.2.5 Don flight suit, aviation life jacket and secure seatbelt | 0.784 | 0.003 | 0.784 | 0.003 | 0.784 | 0.003 |
| 2.3.1 Ensure sea-worthiness of TEMPSC | 1.000 | 0.003 | 1.000 | 0.003 | 1.000 | 0.003 |
| 2.3.2 Check compass heading/direction to steer craft | 0.168 | 0.270 | 0.276 | 0.342 | 0.438 | 0.450 |
| 2.3.3 Turn helm fully to clear installation on launch | 1.000 | 0.020 | 1.000 | 0.020 | 1.000 | 0.020 |
| 2.3.4 Ensure drop zone is clear | 1.000 | 0.000 | 1.000 | 0.000 | 1.000 | 0.000 |
| 2.3.5 Instruct personnel on boarding procedure | 1.000 | 0.000 | 1.000 | 0.000 | 1.000 | 0.000 |
| 2.3.6 Fasten seat belt | 0.168 | 0.000 | 0.168 | 0.000 | 0.168 | 0.000 |
| 2.3.7 Ensure everyone is secure | 1.000 | 0.003 | 1.000 | 0.003 | 1.000 | 0.003 |
| 2.3.8 Start air support system | 1.000 | 0.020 | 1.000 | 0.020 | 1.000 | 0.020 |
| 2.3.9 Close and secure all hatches | 0.510 | 0.000 | 0.510 | 0.000 | 0.510 | 0.000 |
| 2.3.10 Call command centre/launch master/other lifeboats to confirm launch sequence | 0.868 | 0.020 | 1.000 | 0.020 | 1.000 | 0.020 |
| 2.3.11 Release falls/confirm auto-release | 0.112 | 1.000 | 0.112 | 1.000 | 0.112 | 1.000 |
| 2.3.12 Launch TEMPSC | 0.160 | 1.000 | 0.160 | 1.000 | 0.160 | 1.000 |
| 2.3.13 Engage forward gear and full throttle | 0.320 | 0.020 | 0.320 | 0.020 | 0.320 | 0.020 |
| 2.3.14 Steer TEMPSC at vector from platform to rescue area | 0.180 | 0.260 | 0.180 | 0.260 | 0.180 | 0.780 |
| 2.4.1 Move to life raft muster station | 0.504 | 0.000 | 0.504 | 0.000 | 0.504 | 0.000 |
| 2.4.2 Ensure sea-worthiness of life raft | 1.000 | 0.000 | 1.000 | 0.000 | 1.000 | 0.000 |
| 2.4.3 Secure painter to strong point | 0.448 | 0.000 | 0.448 | 0.000 | 0.448 | 0.000 |
| 2.4.4 Check for life raft instructions and number of personnel accommodated | 0.308 | 0.020 | 0.308 | 0.020 | 0.308 | 0.020 |
| 2.4.5 Launch life raft | 0.020 | 0.000 | 0.020 | 0.000 | 0.020 | 0.000 |
| 2.4.6 Board life raft | 0.020 | 0.520 | 0.020 | 0.520 | 0.020 | 0.520 |
| 2.4.7 Cut painter | 0.336 | 0.000 | 0.336 | 0.000 | 0.336 | 0.000 |
| 2.4.8 Paddle clear of danger | 0.550 | 0.550 | 0.550 | 0.550 | 0.550 | 0.550 |
| 2.4.9 Stream anchor | 0.700 | 0.000 | 0.700 | 0.000 | 0.700 | 0.000 |
| 2.4.10 Maintain sea-worthiness of life raft | 0.352 | 0.020 | 0.352 | 0.020 | 0.352 | 0.020 |
| 2.4.11 Look for TEMPSC, FRC, other life raft or overboard survivors | 1.000 | 0.000 | 1.000 | 0.000 | 1.000 | 0.000 |
| 2.4.12 Attach painter to other life raft or tow craft | 0.198 | 0.020 | 0.198 | 0.020 | 0.198 | 0.020 |
| 2.5.1 Ensure survival suit properly sealed, lifejacket fastened | 0.280 | 0.003 | 0.280 | 0.003 | 0.280 | 0.003 |
| 2.5.2 Move to lowest nearby platform | 1.000 | 0.020 | 1.000 | 0.020 | 1.000 | 0.020 |
| 2.5.3 Assess direction of waves, danger and airborne contaminants | 1.000 | 0.003 | 1.000 | 0.003 | 1.000 | 0.003 |
| 2.5.4 Jump away from platform, feet first, avoiding platform legs | 0.052 | 0.090 | 0.052 | 0.090 | 0.052 | 0.090 |
| 2.5.5 Swim along side of platform | 1.000 | 0.260 | 1.000 | 0.260 | 1.000 | 0.260 |
| 2.5.6 Look for other overboard survivors and rescue opportunities | 0.560 | 0.260 | 0.560 | 0.260 | 0.560 | 0.260 |
*S1 – Survey results from participant 1
*S2 – Survey results from participant 2
4.2 Consequence Analysis
Consequence analysis for the evacuation phase of the EER process was performed
in a similar manner to the escape phase. A consequence table and procedural HAZOP are
now presented.
4.2.1 Consequence Table
Consequence severities were determined using major incident investigations in
the offshore oil and gas processing industry. Many incident investigations that provided
data for the escape phase also provide data for the evacuation phase. There is only one
consequence category in the evacuation phase: the effect of human error on the health of
the individual or group of individuals involved in the task. Table 4.7 shows the
consequence severity levels for the evacuation phase and Table 4.8 shows the
consequence severities for each of the identified evacuation tasks.
Table 4.7: Consequence severity descriptions.
| Severity | Description |
|---|---|
| 1 | Zero Injury |
| 2 | Likely to result in Minor Injury |
| 3 | Likely to result in Major Injury |
| 4 | Likely to result in Fatality |
One important difference to note between the escape phase consequence severities
and the evacuation phase consequence severities is that the EER initiator has minimal
effect on the consequences for the evacuation phase. The opposite is true for the escape
phase. In the escape phase, operators must move away from the EER-initiating event to a
place of safety. Movement and other muster actions are affected by the EER initiator due
to its proximity. For the evacuation phase, distance has been achieved from the EER
initiator and a place of temporary safety is located. Any additional risk to evacuation
from the EER initiator may come in the form of smoke and debris from the installation.
Table 4.8: Consequence severities.
| Evacuation Step | Severity | Reference |
|---|---|---|
| 1.1 Check wind speed, direction and sea state | 2 | Kennedy, 1993 (Appendix B) |
| 1.2 Instruct personnel and maintain control | 4 | Kennedy, 1993 (Appendix B); Vinnem, 2007 (p94) |
| 1.3 Issue sea sickness tablets | 2 | Kennedy, 1993 (Appendix B); Robertson & Wright, 1997 (p14) |
| 2.2.1 Move to helideck | 2 | Kennedy, 1993 (Appendix B) |
| 2.2.2 Establish communication with pilot | 2 | Kennedy, 1993 (Appendix B) |
| 2.2.3 Instruct personnel on boarding procedure | 2 | Kennedy, 1993 (Appendix B) |
| 2.2.4 Board helicopter | 2 | Kennedy, 1993 (Appendix B) |
| 2.2.5 Don flight suit, aviation life jacket and secure seatbelt | 1 | Kennedy, 1993 (Appendix B) |
| 2.3.1 Ensure sea-worthiness of TEMPSC | 4 | Kennedy, 1993 (p30) |
| 2.3.2 Check compass heading/direction to steer craft | 2 | Kennedy, 1993 (Appendix B); Robertson & Wright, 1997 (p13) |
| 2.3.3 Turn helm fully to clear installation on launch | 2 | Kennedy, 1993 (Appendix B) |
| 2.3.4 Ensure drop zone is clear | 4 | Kennedy, 1993 (Appendix B) |
| 2.3.5 Instruct personnel on boarding procedure | 2 | Kennedy, 1993 (Appendix B) |
| 2.3.6 Fasten seat belt | 2 | Kennedy, 1993 (Appendix B) |
| 2.3.7 Ensure everyone is secure | 2 | Kennedy, 1993 (Appendix B) |
| 2.3.8 Start air support system | 3 | Kennedy, 1993 (Appendix B); Robertson & Wright, 1997 (p14) |
| 2.3.9 Close and secure all hatches | 4 | Kennedy, 1993 (Appendix B); U.S. Coast Guard, 1983 (p124) |
| 2.3.10 Call command centre/launch master/other lifeboats to confirm launch sequence | 4 | U.S. Coast Guard, 1983 (p133) |
| 2.3.11 Release falls/confirm auto-release | 4 | Kennedy, 1993 (Appendix B); Vinnem, 2007 (p83); Moan et al., 1981 (p162) |
| 2.3.12 Launch TEMPSC | 4 | U.S. Coast Guard, 1983 (p124) |
| 2.3.13 Engage forward gear and full throttle | 4 | Kennedy, 1993 (Appendix B); Moan et al., 1981 (p162) |
| 2.3.14 Steer TEMPSC at vector from platform to rescue area | 4 | Kennedy, 1993 (Appendix B); Moan et al., 1981 (p162) |
| 2.4.1 Move to life raft muster station | 2 | Kennedy, 1993 (Appendix B) |
| 2.4.2 Ensure sea-worthiness of life raft | 4 | Kennedy, 1993 (p30) |
| 2.4.3 Secure painter to strong point | 4 | Kennedy, 1993 (Appendix B); U.S. Coast Guard, 1983 (p67) |
| 2.4.4 Check for life raft instructions and number of personnel accommodated | 2 | Kennedy, 1993 (Appendix B) |
| 2.4.5 Launch life raft | 4 | U.S. Coast Guard, 1983 (p149) |
| 2.4.6 Board life raft | 4 | Kennedy, 1993 (Appendix B) |
| 2.4.7 Cut painter | 4 | Kennedy, 1993 (Appendix B); Moan et al., 1981 (p162) |
| 2.4.8 Paddle clear of danger | 4 | U.S. Coast Guard, 1983 (p134); Moan et al., 1981 (p162) |
| 2.4.9 Stream anchor | 4 | Kennedy, 1993 (Appendix B) |
| 2.4.10 Maintain sea-worthiness of life raft | 4 | Kennedy, 1993 (Appendix B); U.S. Coast Guard, 1983 (pp62-63) |
| 2.4.11 Look for TEMPSC, FRC, other life raft or overboard survivors | 4 | U.S. Coast Guard, 1983 (p67) |
| 2.4.12 Attach painter to other life raft or tow craft | 4 | U.S. Coast Guard, 1983 (pp62,63,67) |
| 2.5.1 Ensure survival suit properly sealed, lifejacket fastened | 2 | Robertson & Wright, 1997 (p18) |
| 2.5.2 Move to lowest nearby platform | 4 | Vinnem, 2007 (p83); Moan et al., 1981 (p143) |
| 2.5.3 Assess direction of waves, danger and airborne contaminants | 2 | Robertson & Wright, 1997 (p18) |
| 2.5.4 Jump away from platform, feet first, avoiding platform legs | 3 | Robertson & Wright, 1997 (p18) |
| 2.5.5 Swim along side of platform | 4 | U.S. Coast Guard, 1983 (p134); Moan et al., 1981 (p162) |
| 2.5.6 Look for other overboard survivors and rescue opportunities | 4 | Vinnem, 2007 (p84) |
The most relevant factors in performing an evacuation are weather and sea conditions.
Indeed, most tasks in the evacuation phase are completed at the edge of an installation,
within a vessel, or while in the sea. Sea conditions have a major effect on water-based
evacuation modes. An individual who evacuates directly to the sea is at the mercy of
wave movements and water temperature. A life raft with paddles is also heavily
influenced by the motions of the sea. Motor-propelled life boats can move through the
sea, but experience great difficulty in doing so under harsh sea conditions. All three
modes may be vulnerable to being washed up against or under the installation and
receiving severe damage. Weather conditions and smoke from an installation have a
major effect on the ability to perform a helicopter evacuation. A helicopter evacuation,
which is preferable to evacuation by sea, can only be performed if a helicopter can safely
arrive at and depart from the installation helipad.
4.2.2 Procedural HAZOP
The procedural HAZOP for the current work is an adaptation of a work developed
by Kennedy (1993). Samples from the procedural HAZOP are shown in Tables 4.9 and
4.10. The full procedural HAZOP of the evacuation phase is found in Appendix C.
Table 4.9: Procedural HAZOP for evacuation task 2.3.4, 'ensure drop zone is clear'.
Failure Mode | Description | Consequences | Prevention Barriers | Mitigation Barriers
Check omitted | Coxswain omits or forgets to check for debris in the water | Delayed evacuation; Capsize of/hole in boat; Injury/death | Active Engineered: Lights to illuminate drop zone during low visibility. Procedural: Warning prompt at helm of TEMPSC; Training/drills that require verbalizing state of drop zone and delaying or aborting launch | Passive Engineered: Boats constructed to withstand severe impacts and absorb shock
Check mistimed | Coxswain makes check too early or too late, leaving time for debris to float over or forcing the boat to be committed to the launch | | |
Table 4.8: Procedural HAZOP for evacuation task 2.3.14, 'steer TEMPSC at vector from platform to rescue area'.
Failure Mode | Description | Consequences | Prevention Barriers | Mitigation Barriers
Action in wrong direction | TEMPSC steered in wrong direction/under platform | Damage to TEMPSC; Injury/Death; Delay in rescue | Active Engineered: Reliable compass, GPS with luminous display for night navigation. Procedural: Instructions at helm of course to be steered and distance to rescue area; Training/drills during day and night to give coxswain experience of actions required | Active Engineered: Independently powered GPS locator on each TEMPSC
Action too little | Not enough distance from platform achieved | Exposure to debris from installation; Damage to TEMPSC; Injury | |
Action too much | Too much distance achieved, away from rescue area | Delay in rescue | |
4.3 Risk Estimation
The risk matrix in Figure 3.1 is used for the evacuation phase. HEPs determined
from the expert judgment surveys were combined with the data from the consequence
table to determine the tolerability of the risk according to Figure 3.1. Table 4.11 shows
the risk level for each evacuation task. A comparison of the tolerability of risk for each
HEP data set is shown. Tasks in the intolerable region of the risk matrix are further
explored for risk reduction in Chapter 6.
Risk levels are highest for water evacuation modes. The results from both
assessors suggest that the risk of human error during helicopter evacuation is at a
tolerable level. It is important to note that the risk analysis results from both assessors’
error evaluations generally agree when the risk of a task is considered intolerable.
Table 4.9: Risk level for evacuation tasks.
Evacuation Step | Survey 1 | Survey 2
1.1 Check wind speed, direction and sea state | ALARP | ALARP
1.2 Instruct personnel and maintain control | Intolerable | Intolerable
1.3 Issue sea sickness tablets | ALARP | Broadly Acceptable
2.2.1 Move to helideck | ALARP | Broadly Acceptable
2.2.2 Establish communication with pilot | ALARP | Broadly Acceptable
2.2.3 Instruct personnel on boarding procedure | ALARP | Broadly Acceptable
2.2.4 Board helicopter | Broadly Acceptable | Broadly Acceptable
2.2.5 Don flight suit, aviation life jacket and secure seatbelt | Broadly Acceptable | Broadly Acceptable
2.3.1 Ensure sea-worthiness of TEMPSC | Intolerable | Intolerable/ALARP
2.3.2 Check compass heading/direction to steer craft | ALARP | ALARP
2.3.3 Turn helm fully to clear installation on launch | ALARP | Broadly Acceptable
2.3.4 Ensure drop zone is clear | Intolerable | Intolerable/ALARP
2.3.5 Instruct personnel on boarding procedure | ALARP | Broadly Acceptable
2.3.6 Fasten seat belt | Broadly Acceptable | Broadly Acceptable
2.3.7 Ensure everyone is secure | ALARP | Broadly Acceptable
2.3.8 Start air support system | Intolerable | ALARP
2.3.9 Close and secure all hatches | Intolerable | Intolerable/ALARP
2.3.10 Call command centre/launch master/other lifeboats to confirm launch sequence | Intolerable | Intolerable
2.3.11 Release falls/confirm auto-release | Intolerable | Intolerable
2.3.12 Launch TEMPSC | Intolerable | Intolerable
2.3.13 Engage forward gear and full throttle | Intolerable | Intolerable
2.3.14 Steer TEMPSC at vector from platform to rescue area | Intolerable | Intolerable
2.4.1 Move to life raft muster station | ALARP | Broadly Acceptable
2.4.2 Ensure sea-worthiness of life raft | Intolerable | Intolerable/ALARP
2.4.3 Secure painter to strong point | Intolerable | Intolerable/ALARP
2.4.4 Check for life raft instructions and number of personnel accommodated | ALARP | Broadly Acceptable
2.4.5 Launch life raft | Intolerable | Intolerable/ALARP
2.4.6 Board life raft | Intolerable | Intolerable
2.4.7 Cut painter | Intolerable | Intolerable/ALARP
2.4.8 Paddle clear of danger | Intolerable | Intolerable
2.4.9 Stream anchor | Intolerable | Intolerable/ALARP
2.4.10 Maintain sea-worthiness of life raft | Intolerable | Intolerable
2.4.11 Look for TEMPSC, FRC, other life raft or overboard survivors | Intolerable | Intolerable/ALARP
2.4.12 Attach painter to other life raft or tow craft | Intolerable | Intolerable
2.5.1 Ensure survival suit properly sealed, lifejacket fastened | ALARP | Broadly Acceptable
2.5.2 Move to lowest nearby platform | Intolerable | Intolerable
2.5.3 Assess direction of waves, danger and airborne contaminants | ALARP | Broadly Acceptable
2.5.4 Jump away from platform, feet first, avoiding platform legs | ALARP | ALARP
2.5.5 Swim along side of platform | Intolerable | Intolerable
2.5.6 Look for other overboard survivors and rescue opportunities | Intolerable | Intolerable
However, the consistency may be more attributable to the evaluated consequence
severities. Indeed, if a task has a consequence severity of 4 and a HEP of at least 10^-3, it is
considered intolerable. HEP results from survey 2 are below 10^-3 for some tasks, and
thus fall below the bounds of the risk graph. The smaller the HEP numbers become, the
more difficult it can be to achieve an accurate estimate of risk for decision-making.
Therefore, it is assumed that a task with a consequence severity of 4 and a HEP of less
than 10^-3 may alternatively be considered ALARP. Risks that fall below the bounds of
the risk matrix are denoted by the ‘intolerable/ALARP’ combined category in Table 4.11.
The next step is to evaluate potential safety measures identified in the procedural
HAZOP in a risk reduction mechanism. Chapter 6 describes the risk reduction
mechanism and the results of the current work. Chapter 6 also further discusses the
impact of differing HEP data sets on risk analysis.
Chapter 5 RESCUE RISK ASSESSMENT
The tasks of the rescue phase of the EER process are outlined in this Chapter.
The rescue phase was outlined by Kennedy (1993) using HTA and was adapted for the
current work. At the beginning of the rescue phase, an on-scene commander (OSC) is
designated to organize and co-ordinate search and rescue (SAR) efforts. In locating and
rescuing survivors, multiple methods are used. Helicopters can be used to retrieve
personnel from the sea, water craft or the helipad of the installation being evacuated.
Alternatively, a fast-rescue craft (FRC) can be deployed from a nearby stand-by vessel
(SBV) to retrieve personnel from the sea or water craft. In either case, retrieved
individuals are returned to the SBV, nearby installations or other rescue vessels. These
areas are called ‘safe havens’. It is at safe havens where injured individuals receive
medical treatment. Figure 5.1 shows the rescue phase tasks.
3.0 Initiate search and rescue (SAR)
3.1 Appoint on-scene commander (OSC)
3.2 Monitor and coordinate SAR
3.3 Locate and rescue survivors
3.3.1 Rescue by helicopter
3.3.1 Rescue by stand-by vessel (SBV)
3.3.2 Give medical attention
Figure 5.1: HTA of rescue phase tasks (adapted from Kennedy, 1993).
The rescue phase tasks are not discussed further in the current work. It is
recommended that future research explore the risk of human error during the rescue
phase of the EER process.
Chapter 6 RISK REDUCTION
Any risks that fall into the ‘intolerable’ region of the risk matrix (see Figure 3.1)
must either be reduced, or the task itself should be discontinued. Risk reduction in the
current methodology is undertaken with the accidental risk assessment methodology for
industries (ARAMIS). Within ARAMIS there exist both risk assessment and risk
reduction mechanisms. The risk reduction mechanism includes an evaluation of potential
barriers to critical events as well as an evaluation of the safety culture of the organization
and safety management system planned for/implemented at the facility.
Tasks that fall in the ‘intolerable’ region of the risk matrix are evaluated for the
required level of confidence (LC) of safety barriers to adequately reduce the risk. The
required LC of safety barriers is determined by combining the HEP, consequence
severity, overall frequency of exposure to the risk and potential for individuals to correct
an error or avoid injury or damage to equipment in a risk graph. Potential safety barriers,
identified from the procedural HAZOP, are evaluated for their LC according to ARAMIS
(Anderson et al., 2004). The total LC of risk reduction measures for any given task is the
sum of the LCs of all applicable safety barriers. The required LC is then compared with
the LCs of any safety barriers applicable to the task in question. Safety barriers, their
associated LCs, the HEP and consequence severity of each task are combined in a
bow-tie graph to obtain an overall picture of the risk reduction effectiveness.
6.1 Risk Graph
Table 3.9 shows the results of the risk evaluation for the escape phase. Table 4.11
shows the results of the risk evaluation for the evacuation phase. For risk reduction, only
those tasks considered in the ‘intolerable’ region of the risk matrix are considered. The
risk graph, shown in Figure 2.2, is used to determine the total required level of
confidence of the safety barriers for each task. The consequence severity and HEP for
each task of the escape and evacuation phases are shown in Chapters 3 and 4,
respectively. The potential to avoid damage and the overall time
of exposure to the risk of each critical event are discussed in the current chapter. Each
critical event (failure to complete an EER task) is limited to the time when the EER
process is underway. Through examination of incident reports, the overall exposure to
each critical event was determined to occur less than 10% of the total operating time,
coinciding with a frequency exposure level F1. The potential to avoid damage is
analyzed for each task separately, as the nature of the task and the surrounding
environment must be taken into account.
Table 6.1 shows the required LCs of a fire and explosion scenario, described by
DiMattia (2004) for the escape phase. The required LCs for the escape phase were
determined by Deacon et al. (2010). Note that only tasks that fall in the ‘intolerable’
region of the risk matrix are shown. Those tasks that have an LC category of ‘a’ or < - >
according to the risk graph are not shown, as there is no defined requirement for safety
barriers for such tasks.
Tables 6.2 and 6.3 show the required LCs of a fire and explosion scenario for the
evacuation phase using the data from surveys 1 and 2, respectively. The required LC is
shown for each HEP data set in order to analyze any contrast between the two. Note that
only tasks that fall in the ‘intolerable’ region of the risk matrix are shown, and that the
consequence severity, frequency of exposure and potential to avoid damage categories
remain unchanged between Tables 6.2 and 6.3.
An example of the process using evacuation tasks 2.4.10 and 2.4.12 is as follows. Each
task has an evaluated consequence severity of 4, or ‘error likely to result in fatality’. As
mentioned, the frequency of exposure to the risk occurs less than 10% of the operating
time, a value of F1. For task 2.4.10, ‘maintain sea-worthiness of life raft’, failure to
complete the task will result in the raft sinking or capsizing, causing personnel to enter
the water and possibly become entangled with the life raft. There is little possibility to
avoid negative consequences should an error occur for this task. Therefore, the potential
to avoid damage is considered level D2. Should an error occur while attempting to attach
the painter to another craft, rescue is delayed but personnel remain in the life raft and can
Table 6.1: Required LCs for escape phase tasks for fire and explosion scenario.
Escape Task | Consequence | Exposure frequency | Possibility to avoid damage | HEP | LC
3. Act accordingly | 4 | 1 | 1 | 0.448 | 2
4. Ascertain if danger is imminent | 4 | 1 | 2 | 0.465 | 3
5. Muster if in imminent danger | 4 | 1 | 2 | 0.416 | 3
6. Return process equipment to safe state | 4 | 1 | 2 | 0.474 | 3
7. Make workplace as safe as possible in limited time | 3 | 1 | 1 | 0.489 | 1
8. Listen and follow PA instructions | 4 | 1 | 1 | 0.42 | 2
9. Evaluate potential egress paths and choose route | 4 | 1 | 2 | 0.476 | 3
10. Move along egress route | 4 | 1 | 2 | 0.405 | 3
11. Assess quality of egress route while moving to TSR | 4 | 1 | 2 | 0.439 | 3
12. Choose alternate route if egress path is not tenable | 4 | 1 | 2 | 0.5 | 3
14. Assist others if needed or as directed | 4 | 1 | 2 | 0.358 | 3
16. Provide pertinent feedback attained while en route to TSR | 4 | 1 | 1 | 0.289 | 2
17. Don personal survival suit or TSR survival suit if instructed to abandon | 4 | 1 | 2 | 0.199 | 2
18. Follow OIM's instructions | 4 | 1 | 1 | 0.21 | 1
Table 6.2: LC requirements for evacuation tasks for fire and explosion scenario according to survey 1 HEP data set.
Evacuation Task | Consequence | Exposure frequency | Potential to avoid damage | HEP | LC
1.2 Instruct personnel and maintain control | 4 | 1 | 1 | 1.000 | 2
2.3.1 Ensure sea-worthiness of TEMPSC | 4 | 1 | 1 | 1.000 | 2
2.3.3 Turn helm fully to clear installation on launch | 2 | 1 | 2 | 1.000 | 1
2.3.4 Ensure drop zone is clear | 4 | 1 | 2 | 1.000 | 3
2.3.8 Start air support system | 3 | 1 | 1 | 1.000 | 1
2.3.9 Close and secure all hatches | 4 | 1 | 1 | 0.510 | 2
2.3.10 Call command centre/launch master/other lifeboats to confirm launch sequence | 4 | 1 | 1 | 1.000 | 2
2.3.11 Release falls/confirm auto-release | 4 | 1 | 2 | 0.112 | 3
2.3.12 Launch TEMPSC | 4 | 1 | 2 | 0.160 | 3
2.3.13 Engage forward gear and full throttle | 4 | 1 | 2 | 0.320 | 3
2.3.14 Steer TEMPSC at vector from platform to rescue area | 4 | 1 | 2 | 0.180 | 3
2.4.2 Ensure sea-worthiness of life raft | 4 | 1 | 1 | 1.000 | 2
2.4.3 Secure painter to strong point | 4 | 1 | 2 | 0.448 | 3
2.4.5 Launch life raft | 4 | 1 | 2 | 0.020 | 2
2.4.6 Board life raft | 4 | 1 | 2 | 0.020 | 2
2.4.7 Cut painter | 4 | 1 | 2 | 0.336 | 3
2.4.8 Paddle clear of danger | 4 | 1 | 2 | 0.550 | 3
2.4.9 Stream anchor | 4 | 1 | 2 | 0.700 | 3
2.4.10 Maintain sea-worthiness of life raft | 4 | 1 | 2 | 0.352 | 3
2.4.11 Look for TEMPSC, FRC, other life raft or overboard survivors | 4 | 1 | 1 | 1.000 | 2
2.4.12 Attach painter to other life raft or tow craft | 4 | 1 | 1 | 0.198 | 2
2.5.2 Move to lowest nearby platform | 4 | 1 | 1 | 1.000 | 2
2.5.4 Jump away from platform, feet first, avoiding platform legs | 3 | 1 | 2 | 0.052 | 1
2.5.5 Swim along side of platform | 4 | 1 | 2 | 1.000 | 3
2.5.6 Look for other overboard survivors and rescue opportunities | 4 | 1 | 1 | 0.560 | 2
Table 6.3: LC requirements for evacuation tasks for fire and explosion scenario according to survey 2 HEP data set.
Evacuation Task | Consequence | Exposure frequency | Potential to avoid damage | HEP | LC
1.2 Instruct personnel and maintain control | 4 | 1 | 1 | 1.000 | 2
2.3.10 Call command centre/launch master/other lifeboats to confirm launch sequence | 4 | 1 | 1 | 0.020 | 1
2.3.11 Release falls/confirm auto-release | 4 | 1 | 2 | 1.000 | 3
2.3.12 Launch TEMPSC | 4 | 1 | 2 | 1.000 | 3
2.3.13 Engage forward gear and full throttle | 4 | 1 | 2 | 0.020 | 2
2.3.14 Steer TEMPSC at vector from platform to rescue area | 4 | 1 | 2 | 0.780 | 3
2.4.6 Board life raft | 4 | 1 | 2 | 0.520 | 3
2.4.8 Paddle clear of danger | 4 | 1 | 2 | 0.550 | 3
2.4.10 Maintain sea worthiness of life raft | 4 | 1 | 2 | 0.020 | 2
2.4.12 Attach painter to other life raft or tow craft | 4 | 1 | 1 | 0.020 | 1
2.5.2 Move to lowest nearby platform | 4 | 1 | 1 | 0.020 | 1
2.5.4 Jump away from platform, feet first, avoiding platform legs | 3 | 1 | 2 | 0.090 | 1
2.5.5 Swim along side of platform | 4 | 1 | 2 | 0.260 | 3
2.5.6 Look for other overboard survivors and rescue opportunities | 4 | 1 | 1 | 0.260 | 2
attempt task 2.4.12 again. Time consumed adds to the danger of the situation, but
personnel have not aggravated their situation. Therefore the potential to avoid damage
for task 2.4.12 is considered level D1. Combining these data in the risk graph with the
HEP from the survey 2 data set for each task (0.020 for both) yields a required LC of 2
for task 2.4.10 and a required LC of 1 for task 2.4.12.
Required LCs range from 1 – 3 for the ‘intolerable’ risk tasks evaluated in the
escape and evacuation phases. It is important to note that the discrepancy between
survey results has a significant effect on the required LC for several tasks. Indeed, some
tasks, such as evacuation task 2.3.1, have a numerical value for an LC requirement when
evaluated using the HEP data set from survey 1, while they do not have specific
requirements when evaluated using the HEP data set from survey 2. Table 6.4 shows a
comparison of the two results. An ‘a’ indicates that there is no LC requirement for safety
barriers, a < - > indicates that no safety barrier is required.
Table 6.4: Comparison of required LCs between HEP data sets.
Evacuation Task | Survey 1 | Survey 2
1.2 Instruct personnel and maintain control | 2 | 3
2.3.1 Ensure sea-worthiness of TEMPSC | 2 | a
2.3.3 Turn helm fully to clear installation on launch | 1 | a
2.3.4 Ensure drop zone is clear | 3 | a
2.3.8 Start air support system | 1 | a
2.3.9 Close and secure all hatches | 2 | -
2.3.10 Call command centre/launch master/other lifeboats to confirm launch sequence | 2 | 1
2.3.11 Release falls/confirm auto-release | 3 | 3
2.3.12 Launch TEMPSC | 3 | 3
2.3.13 Engage forward gear and full throttle | 3 | 2
2.3.14 Steer TEMPSC at vector from platform to rescue area | 3 | 3
2.4.2 Ensure sea-worthiness of life raft | 2 | -
2.4.3 Secure painter to strong point | 3 | a
2.4.5 Launch life raft | 2 | a
2.4.6 Board life raft | 2 | 3
2.4.7 Cut painter | 3 | a
2.4.8 Paddle clear of danger | 3 | 3
2.4.9 Stream anchor | 3 | a
2.4.10 Maintain sea-worthiness of life raft | 3 | 2
2.4.11 Look for TEMPSC, FRC, other life raft or overboard survivors | 2 | -
2.4.12 Attach painter to other life raft or tow craft | 2 | 1
2.5.2 Move to lowest nearby platform | 2 | 1
2.5.4 Jump away from platform, feet first, avoiding platform legs | 1 | 1
2.5.5 Swim along side of platform | 3 | 3
2.5.6 Look for other overboard survivors and rescue opportunities | 2 | 2
Table 6.4 reveals a discrepancy in LC requirements for several evacuation phase
tasks. The discrepancy between HEP data sets was not as evident from the risk matrix
results in Table 4.11. The risk graph results reveal the importance of consistency in
determining HEPs. The results of the risk matrix for each survey agreed with relative
consistency. This can be attributed to the combination of single and multiple fatality
categories of the ISO 17776 risk matrix and considering a single fatality to be intolerable
for both categories. Many of the tasks that are in the ‘intolerable’ region may be
placed there because of their high consequence. However, the risk graph identifies
inconsistencies of required LCs for several tasks. For some tasks, the results from survey
1’s HEPs require a higher LC than for those of survey 2. For other tasks, the opposite is
true. There are two consequences to choosing one set of results over the other. First,
some tasks may be assumed to be adequately managed when in reality they require more
reduction efforts. Second, resources may be allotted to the risk reduction of tasks that are
already adequately managed. In both cases, resources are not being used efficiently. One
survey cannot be considered to have more weight than the other, and as neither
participant has had calibration, one result cannot be chosen over the other, nor can they
be combined in any way.
The statistical analysis properties of SLIM, while much more resource-intensive,
may provide a more accurate HEP result. Averaging the HEART results of several
additional valid participants may increase the validity of HEART in the current
methodology. However, the expected advantage of HEART is that it is resource-efficient.
Utilizing more expert judges would nullify any advantage in the resource-efficiency
of HEART, and may favour the statistical analysis of SLIM.
6.2 Safety Barriers
Potential safety barriers for each task are outlined in the procedural HAZOP
analyses. Examples of procedural HAZOPs are shown in Chapter 3 and Chapter 4. The
complete procedural HAZOP of the escape phase is found in Deacon et al. (2010). The
complete procedural HAZOP of the evacuation phase is shown in Appendix C. Not
every safety barrier identified in the procedural HAZOP is used in the risk reduction
calculations. Each potential safety barrier must be evaluated to determine if it can be
assigned a level of confidence. For a safety barrier to qualify for an associated LC, it
must meet the following requirements (Anderson et al., 2004):
- The safety barrier must not rely on regulation system performance
- All applicable codes and standards must be met, and the safety barrier must be adapted to the characteristics of its environment
- Testing at regular intervals must be in effect
- Preventative maintenance must be performed regularly
If a safety barrier meets these requirements, it can then be assigned an LC. The design
LC of a barrier ranges from 1 – 4, with increasing reliability. An LC of 4 is rarely
encountered (Anderson et al., 2004). The LCs of safety barriers typically follow the
principles of the hierarchy of controls (Khan and Amyotte, 2003).
Safety barriers for the escape phase are evaluated in Deacon et al. (2010). One of
the available safety barriers for the evacuation phase is a ‘training’ barrier. The training
barrier is considered procedural in nature and depends on human action to function. A
human action safety barrier in ARAMIS, ‘operator answer with stress,’ is assigned an LC
of 1 where the individual is under considerable stress. The evacuation training barrier is
assigned an LC of 1 in keeping with the ‘operator answer with stress’ description in
ARAMIS (Anderson et al., 2004).
Table 6.5 shows the design LC of any applicable safety barriers for the evacuation
tasks. A ‘-’ indicates that a safety barrier with an associated LC is not available. The
safety barriers are chosen from the procedural HAZOP (see Chapter 4). Safety barriers in
the procedural HAZOP that are not shown in the above table do not meet the minimum
requirements to be assigned an LC. Active barriers (GPS locator, beacons, auto-check
system) were assigned an LC of 1, while passive barriers (reinforced floor, shock
absorbers) were assigned an LC of 2. Training as a procedural barrier was also assigned
Table 6.5: Evacuation safety barriers and their associated LCs.
Evacuation Task | Barrier 1 | LC | Barrier 2 | LC | Total LC
1.2 Instruct personnel and maintain control | Training | 1 | - | - | 1
2.3.1 Ensure sea-worthiness of TEMPSC | Training | 1 | Auto-check system | 1 | 2
2.3.3 Turn helm fully to clear installation on launch | Training | 1 | - | - | 1
2.3.4 Ensure drop zone is clear | Training | 1 | Shock absorbers | 2 | 3
2.3.8 Start air support system | Training | 1 | - | - | 1
2.3.9 Close and secure all hatches | Training | 1 | - | - | 1
2.3.10 Call command centre/launch master/other lifeboats to confirm launch sequence | Training | 1 | GPS, sound and light beacons | 1 | 2
2.3.11 Release falls/confirm auto-release | Training | 1 | Shock absorbers | 2 | 3
2.3.12 Launch TEMPSC | Training | 1 | Shock absorbers | 2 | 3
2.3.13 Engage forward gear and full throttle | Training | 1 | - | - | 1
2.3.14 Steer TEMPSC at vector from platform to rescue area | Training | 1 | GPS locator | 1 | 2
2.4.2 Ensure sea-worthiness of life raft | Training | 1 | - | - | 1
2.4.3 Secure painter to strong point | Training | 1 | - | - | 1
2.4.5 Launch life raft | Training | 1 | - | - | 1
2.4.6 Board life raft | Training | 1 | Reinforced floor | 2 | 3
2.4.7 Cut painter | Training | 1 | - | - | 1
2.4.8 Paddle clear of danger | Training | 1 | GPS locator | 1 | 2
2.4.9 Stream anchor | Training | 1 | - | - | 1
2.4.10 Maintain sea-worthiness of life raft | Training | 1 | - | - | 1
2.4.11 Look for TEMPSC, FRC, other life raft or overboard survivors | Training | 1 | Light and sound beacon | 1 | 2
2.4.12 Attach painter to other life raft or tow craft | Training | 1 | - | - | 1
2.5.2 Move to lowest nearby platform | Training | 1 | - | - | 1
2.5.4 Jump away from platform, feet first, avoiding platform legs | Training | 1 | - | - | 1
2.5.5 Swim along side of platform | Training | 1 | - | - | 1
2.5.6 Look for other overboard survivors and rescue opportunities | Training | 1 | GPS locator and beacon | 1 | 2
an LC of 1. Requirements for the escape phase training and procedures barrier (Deacon
et al., 2010) and the evacuation phase training and procedures barrier differ.
The evacuation training barrier is only applicable if it includes the following:
- Drills including verbalization of weather and sea conditions
- Drills including completion and verbalization of every evacuation task in various scenarios, with personnel feedback
- Written prompts and instructions at all evacuation stations
- Drills with measurement equipment (compass heading, etc.)
- Different coloured suits for identification of personnel in command (coxswain, OIM, etc.)
- High stress training for coping while maintaining command
- Behavioural testing to determine panic potential
- Checklist of orders to issue for personnel in command
- Card on boarding procedure of all evacuation vessels for all personnel
- Written and illustrated boarding procedure at all evacuation stations
- Training for coxswains to correctly orient TEMPSC under minimal visibility
- Prompts inside vessels to fasten seatbelt, await instructions
- Drills that complete certain tasks out of order (e.g. starting air support system before ensuring everyone secure) to show consequences
- Two-way radios for all personnel
- Photo-luminescent pathways
- Evacuation checklist and evacuation route maps for all personnel
The concept of training and performing drills in various situations (night/day, windy,
rainy, clear) for various scenarios helps prepare personnel for real emergencies. It is
understood that tasks involving movement through the sea may place personnel at
unnecessary risk during evacuation drills. It is more acceptable to perform such tasks in a
controlled environment, so long as they are performed. If the abovementioned
requirements are met in an offshore facility’s training and procedures, then the ‘training’
barrier can be given an LC of 1. If one or more of these requirements do not exist, the
‘training’ barrier should not be given an associated LC.
Table 6.6 is a comparison of the total design LCs of the safety barriers with the
required LC from each HEP survey data set.
Table 6.6: Design LCs compared with required LCs for each HEP survey data set.
Evacuation Step | LC from barriers | Survey 1 | Survey 2
1.2 Instruct personnel and maintain control | 1 | 2 | 3
2.3.1 Ensure sea-worthiness of TEMPSC | 2 | 2 | a
2.3.3 Turn helm fully to clear installation on launch | 1 | 1 | a
2.3.4 Ensure drop zone is clear | 3 | 3 | a
2.3.8 Start air support system | 1 | 1 | a
2.3.9 Close and secure all hatches | 1 | 2 | -
2.3.10 Call command centre/launch master/other lifeboats to confirm launch sequence | 2 | 2 | 1
2.3.11 Release falls/confirm auto-release | 3 | 3 | 3
2.3.12 Launch TEMPSC | 3 | 3 | 3
2.3.13 Engage forward gear and full throttle | 1 | 3 | 2
2.3.14 Steer TEMPSC at vector from platform to rescue area | 2 | 3 | 3
2.4.2 Ensure sea-worthiness of life raft | 1 | 2 | -
2.4.3 Secure painter to strong point | 1 | 3 | a
2.4.5 Launch life raft | 1 | 2 | a
2.4.6 Board life raft | 3 | 2 | 3
2.4.7 Cut painter | 1 | 3 | a
2.4.8 Paddle clear of danger | 2 | 3 | 3
2.4.9 Stream anchor | 1 | 3 | a
2.4.10 Maintain sea-worthiness of life raft | 1 | 3 | 2
2.4.11 Look for TEMPSC, FRC, other life raft or overboard survivors | 2 | 2 | -
2.4.12 Attach painter to other life raft or tow craft | 1 | 2 | 1
2.5.2 Move to lowest nearby platform | 1 | 2 | 1
2.5.4 Jump away from platform, feet first, avoiding platform legs | 1 | 1 | 1
2.5.5 Swim along side of platform | 1 | 3 | 3
2.5.6 Look for other overboard survivors and rescue opportunities | 2 | 2 | 2
There are several tasks in Table 6.6 (tasks 1.2, 2.4.10, 2.5.5) where the total LC from the
identified safety barriers is below the LC requirements determined from both HEP data
set results. The two surveys are in agreement that more safety barriers are needed for
those tasks. In other cases (tasks 2.3.12, 2.5.6), the total design LC meets the LC
requirements for both HEP data set results. In some instances there is a discrepancy
between survey results in the required LC for a task, but the total LC is equal to that of
the more pessimistic LC requirement. Finally, for some tasks (tasks 2.3.10, 2.4.6), the
total LC is sufficient according to the results of one survey but not the other. This third
case reveals an issue. In the first instance, it is determined that the analyzed safety
barriers are insufficient. In the second instance, it is determined that the total design LC
is sufficient. However, in the third instance, no conclusion can be made. Further
research efforts involving the application and calibration of HEART may reduce the
discrepancy between future HEP data sets and reduce the occurrence of disagreeing
results.
Once the design LCs are determined, a safety audit must be performed. A safety
audit addresses the state of the safety culture on the facility. An index value is developed
from the safety audit and multiplied by the LCs to determine their actual value. Safety
audits are necessary in performing risk reduction analysis, as this step can help reduce the
gap between real and perceived risk at a facility. A safety audit is not performed in the
current work, as a specific facility would be required. For illustrative purposes, the
design LCs are used in the analysis. Figures 6.1 and 6.2 are examples of bow-ties for two
of the evacuation tasks. The bow-tie graphs for the entire evacuation phase are shown in
Appendix D. Note that in order for a prevention barrier, such as the training barrier, to be
implemented, it must protect against the occurrence of all failure modes in order to
reduce the HEP. If the probability of each individual failure mode occurring were
known, then prevention barriers that protect against some but not all failure modes could
be included. Successful mitigation barriers reduce the consequence severity depending
on the critical event considered. For example, if an auto-check mechanism detects that
the TEMPSC is not sea-worthy before launch, then the situation is remedied before injury
Figure 6.1: Bow-tie graph for evacuation task 2.3.1, ‘ensure sea-worthiness of TEMPSC’.
(Failure modes: check omitted, check incomplete. Prevention barrier: training, LC = 1. Critical event: fail task 2.3.1, probability = HEP*10^-1. Mitigation barrier: automatic check mechanism, LC = 1. Consequence 1: probability = HEP*10^-1*0.9 = HEP*0.09. Consequence 4: probability = HEP*10^-1*10^-1 = HEP*10^-2.)
Figure 6.3: Bow-tie graph for evacuation task 2.3.11, ‘release falls/confirm auto-release’.
(Failure modes: action too early, action too late, action too little. Prevention barrier: training, LC = 1. Critical event: fail task 2.3.11, probability = HEP*10^-1. Mitigation barrier: shock absorbers, LC = 2. Consequence 3: probability = HEP*10^-1*0.99 = HEP*0.099. Consequence 4: probability = HEP*10^-1*10^-2 = HEP*10^-3.)
occurs. The consequence severity of evacuation task 2.3.1 is effectively reduced from 4
to 1. For task 2.3.11, shock absorbers may prevent the TEMPSC from being
compromised or an individual from experiencing a fatal injury. However, serious injury
is nonetheless likely. The consequence severity is reduced from 4 to 3 with the inclusion
of shock absorbers.
6.3 Case Study
The emergency scenario risk assessment and reduction methodology is presented
in Chapters 3 through 6. A validation of the methodology via case study is presented in
the current section. The Ocean Odyssey evacuation incident is evaluated.
On September 22, 1988, the Ocean Odyssey drilling rig experienced a
hydrocarbon release, which led to explosions and fires on the installation. The Ocean
Odyssey was stationed off the coast of Aberdeen at the time. At the time of the incident
there were 67 individuals on board. One individual perished while the remaining
evacuated, either by one of two TEMPSCs or jumping directly into the sea. A radio
operator began evacuation but returned to the radio room to coordinate evacuation efforts
and perished. Evacuating personnel were rescued by the installation’s stand-by vessel
and a vessel that was in the area at the time of evacuation. Survivor accounts suggest that
conditions on the installation were deteriorating in the days leading up to and on the day
of the incident. Hot work activities had ceased on the day of the incident and
announcements were made about which boats to use should evacuation occur. However,
many individuals kept their routines until the time of the incident. This prevalent attitude
was attributed to the long-term deterioration of the installation and well conditions
(Robertson and Wright, 1997).
A case study of the methodology of the escape phase of the Ocean Odyssey is
found in Deacon et al. (2010). The current work presents an analysis of the evacuation
phase. The EER initiator was a fire and explosion. Evacuation tasks 2.3.1, ‘ensure sea-
worthiness of TEMPSC’, and 2.3.11, ‘release falls/confirm auto-release’, are discussed.
From Tables 6.2 and 6.3, an error for task 2.3.1 has a consequence severity (C) of
4. All EER tasks have a frequency of exposure (F) of 1. Task 2.3.1 has a potential to
avoid damage (D) of 1, indicating that personnel have enough time to avoid the
consequences of an error. In reality, an error did occur on the Ocean Odyssey during task
2.3.1. In one TEMPSC, it was noted by survivors that drain plugs were not fitted until
the TEMPSC began its descent. This error was rectified before proceeding further
(Robertson and Wright, 1997). Survey 1 results estimate a HEP of 1.0 and survey 2
results estimate a HEP of 0.003. As a result, survey 1 leads to a required LC of 2 and
survey 2 leads to a required LC of ‘a’, or no defined LC required. Clearly, rectification
of this error was a result of individuals noticing and drawing attention to the lack of drain
plugs. Confusion was high and organization was lacking at the time (Robertson and
Wright, 1997). It cannot be expected that an individual will simply notice an error and
successfully take charge during such conditions. Safety barriers available include the
aforementioned training barrier with an LC of 1, and an automated pressure-check system
to determine if the TEMPSC is completely sealed. The latter barrier is an active safety
barrier with detection, diagnosis and action subsystems. The detection subsystem is the
automated pressure-check system, while the diagnosis and subsequent action are human
subsystems. The global LC of the active barrier is equal to the lowest LC of its three
subsystems. For demonstrative purposes, the global, or overall, LC of the active barrier
is set at 1.
Similarly, the required LC resulting from both surveys is 3 for task 2.3.11.
Individuals on the Ocean Odyssey experienced difficulty when releasing the falls of the
TEMPSC after contact with the sea. There was no means of confirmation of release aside
from opening hatches and manually checking. It is noted that fall release hooks at the
time were difficult to release in harsh sea conditions without opening hatches and
manually releasing them. An error occurred in releasing the falls hooks on one of the
evacuating TEMPSCs. One of the falls hooks had not been released before the coxswain
attempted to manoeuvre the boat away from the installation. As a result, the TEMPSC
swung back towards the installation, and it is believed to have made contact with the
platform leg (Robertson and Wright, 1997). The HEP data set results from survey 1
estimate a HEP of 0.112 for task 2.3.11 and the results from survey 2 estimate a HEP of
1.0. Despite the noticeable discrepancy of HEPs, the required LC for both cases is 3. A
training prevention barrier to reduce the probability of the TEMPSC hooks being released
too early or too late is available. Another safety barrier is a shock absorber mitigation
barrier to maintain sea-worthiness of the TEMPSC should a free-fall or impact with the
platform leg occur. As mentioned previously, the training barrier has an associated LC of
1. The shock absorbers, a passive safety barrier which for evaluation purposes is
compared to the functionality of a blast wall (i.e. absorbing damage), is given a design
LC of 2, similar to a blast wall (Anderson et al., 2004). Combining the design LCs of
these two barriers results in an overall LC of 3, equal to the required LC determined by
the risk graph.
For both tasks 2.3.1 and 2.3.11, the LCs of the available safety barriers meet the
higher LC requirements of the two surveys. There is no mention of a pressure-check
system on the TEMPSCs; it was human detection that recovered from the original error.
Thus it is assumed that no such active barrier existed on the Ocean Odyssey. Some of the
aforementioned requirements of the training barrier in order to assign it an LC of 1 were
also not present. Personnel in command were not easily identifiable from others. It is
believed that one of the coxswains had succumbed to the stress of the situation and was
replaced by another crew member. The preparation time for the TEMPSC launch was
chaotic, relatively unorganized and filled with confusion (Robertson and Wright, 1997).
While individual action at key points (taking over for the coxswain, opening the
TEMPSC to release the hooks, noticing and rectifying the absence of drain plugs) moved
the evacuation process along, the lack of important training barrier requirements nullifies
any associated LC. Therefore, there is no associated LC for the safety barriers for task
2.3.1 of the Ocean Odyssey incident. There is no indication of damage to one of the
TEMPSCs from being washed against a platform leg; it is debatable whether or not
contact had actually occurred. From accounts on the quality of the TEMPSCs (Robertson
and Wright, 1997), as well as the lack of indication of any reinforcement against impact,
no LC for the shock absorber barrier is considered for the Ocean Odyssey incident.
The summary of the analysis is shown in Table 6.7. A < - > indicates that no LC
existed. The variable ‘HEP’ is the evaluated HEP for each task. The required LC
considered is the higher of the two HEP data set results.
Table 6.7: Summary of required, available and actual LCs on Ocean Odyssey.

Ocean Odyssey

| Task | C | F | D | Required LC | Actual LC | Potential LC | Probability of consequence occurring |
|---|---|---|---|---|---|---|---|
| 2.3.1 | 4 | 1 | 1 | 2 | - | 2 | HEP |
| 2.3.11 | 4 | 1 | 2 | 3 | - | 3 | HEP |

Potential

| Task | C | F | D | Required LC | Actual LC | Potential LC | Probability of consequence occurring |
|---|---|---|---|---|---|---|---|
| 2.3.1 | 4 | 1 | 1 | 2 | 2 | 2 | HEP*10^-2 |
| 2.3.11 | 4 | 1 | 2 | 3 | 3 | 3 | HEP*10^-3 |

The design LCs of the available safety barriers in the current work meet the evaluated LC
requirements for tasks 2.3.1 and 2.3.11. However, these safety barriers cannot be
assumed to have been in effect for the Ocean Odyssey installation. The analysis of
Robertson and Wright (1997) revealed deficiencies in the TEMPSC evacuation stage.
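The LC arithmetic behind the bow-ties and Table 6.7 can be reproduced with the short Python sketch below, which is an added example and not code from the report. Class and function names are hypothetical, the subsystem LCs passed to `active_barrier_lc` are constructed (the report only fixes the global LC at 1), and the required LCs are read from Table 6.7 rather than derived from the risk graph.

```python
from dataclasses import dataclass, replace
from fractions import Fraction
from typing import Dict, List, Optional

TENTH = Fraction(1, 10)  # a barrier with LC n lets an error through with probability 10^-n


@dataclass(frozen=True)
class Barrier:
    name: str
    kind: str                               # "prevention" or "mitigation"
    lc: Optional[int]                       # None: requirements not met, no LC credited
    reduced_severity: Optional[int] = None  # severity reached when a mitigation barrier works


def active_barrier_lc(detection: int, diagnosis: int, action: int) -> int:
    """Global LC of an active barrier is the lowest LC of its three subsystems."""
    return min(detection, diagnosis, action)


def overall_lc(barriers: List[Barrier]) -> int:
    """Combined LC of the credited barriers (uncredited barriers add nothing)."""
    return sum(b.lc for b in barriers if b.lc is not None)


def bow_tie(hep: Fraction, severity: int, barriers: List[Barrier]) -> Dict[int, Fraction]:
    """Return {consequence severity: probability} for one critical event."""
    p = hep
    # Left side of the bow-tie: prevention barriers lower the critical-event probability.
    for b in barriers:
        if b.kind == "prevention" and b.lc is not None:
            p *= TENTH ** b.lc
    # Right side: a working mitigation barrier diverts to the reduced severity;
    # whatever leaks past every mitigation barrier keeps the original severity.
    outcomes: Dict[int, Fraction] = {}
    for b in barriers:
        if b.kind == "mitigation" and b.lc is not None:
            leak = TENTH ** b.lc
            outcomes[b.reduced_severity] = (
                outcomes.get(b.reduced_severity, Fraction(0)) + p * (1 - leak)
            )
            p *= leak
    outcomes[severity] = outcomes.get(severity, Fraction(0)) + p
    return outcomes


def assess(hep: Fraction, severity: int, required_lc: int, barriers: List[Barrier]) -> dict:
    """Compare available LC with the required LC and evaluate the bow-tie."""
    lc = overall_lc(barriers)
    return {
        "overall_lc": lc,
        "meets_required": lc >= required_lc,
        "outcomes": bow_tie(hep, severity, barriers),
    }


def uncredited(barriers: List[Barrier]) -> List[Barrier]:
    """Same barriers with no LC, as concluded for the Ocean Odyssey itself."""
    return [replace(b, lc=None) for b in barriers]


# Barriers discussed in the case study. Subsystem LCs (2, 1, 1) are constructed values.
TRAINING = Barrier("training", "prevention", 1)
AUTO_CHECK = Barrier("automatic check mechanism", "mitigation",
                     active_barrier_lc(detection=2, diagnosis=1, action=1),
                     reduced_severity=1)
SHOCK_ABSORBERS = Barrier("shock absorbers", "mitigation", 2, reduced_severity=3)

# task -> (survey 1 HEP, consequence severity C, required LC, design barriers)
TASKS = {
    "2.3.1": (Fraction("1.0"), 4, 2, [TRAINING, AUTO_CHECK]),
    "2.3.11": (Fraction("0.112"), 4, 3, [TRAINING, SHOCK_ABSORBERS]),
}

if __name__ == "__main__":
    for task, (hep, sev, req, barriers) in TASKS.items():
        for label, bs in (("potential", barriers), ("actual", uncredited(barriers))):
            r = assess(hep, sev, req, bs)
            probs = {s: float(p) for s, p in sorted(r["outcomes"].items())}
            print(f"{task} {label}: LC {r['overall_lc']} of {req} required, "
                  f"meets={r['meets_required']}, P(severity)={probs}")
```

With no LC credited, the whole HEP lands on severity 4, which is the ‘Ocean Odyssey’ half of Table 6.7; with the design LCs, the severity-4 probability drops to HEP*10^-2 and HEP*10^-3.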
Chapter 7 CONCLUSIONS & RECOMMENDATIONS
A methodology for the assessment and reduction of human error in emergency
situations has been presented in the current work. This chapter identifies the main
conclusions drawn from the current work and outlines recommendations for future work.
7.1 Conclusions
The emergency escape, evacuation and rescue process was analyzed using
hierarchical task analysis. The result was a list of tasks that operators must accomplish
during the EER process. The escape phase was evaluated in two parts, by Di Mattia
(2004) and Deacon et al. (2010). Di Mattia (2004) identified escape phase tasks and
HEPs. Deacon et al. (2010) evaluated escape phase consequences, identified potential
safety barriers and introduced a comprehensive risk reduction tool. Evacuation and
rescue phase tasks were identified in the present thesis. An expert judgment technique,
HEART, was used to estimate the probability of human error for each of the evacuation
tasks. Experts in the field of offshore safety were solicited using expert judgment
surveys. Results were analyzed for HEPs. Consequence severities were analyzed using
reports and investigations from previous incidents in industry. A risk matrix was
developed from the ISO standard 17776 risk matrix. The HEPs and consequence
severities were combined in the developed risk matrix to evaluate the tolerability of the
risk. Risks determined to be intolerable were evaluated further using the risk reduction
strategy developed in ARAMIS. The required level of confidence of safety barriers for
evacuation tasks was evaluated using the risk graph. Potential failure modes,
consequences and safety barriers were identified in a procedural HAZOP. These
potential safety barriers were evaluated to determine if a level of confidence can be
associated. A case study of the Ocean Odyssey was used to test the validity and
demonstrate the use of the methodology.
The human error probabilities were evaluated using SLIM for the escape phase
tasks and HEART for the evacuation phase tasks. Evaluating the risk with the most
effective human error probability technique increases the value of the risk reduction stage
of the methodology. Two data sets resulted from the use of HEART for the evacuation
tasks. The HEPs from the data sets conflicted and the use of HEART for the proposed
risk assessment and reduction methodology remains inconclusive. Proper calibration and
further documentation on the use of HEART may improve the expert judgment
technique’s reliability. In the current state, however, the statistical analysis of SLIM is
favoured for the proposed methodology.
The risk assessment and reduction methodology presented in the current work can
reduce the gap between real and perceived risk in terms of emergency preparedness, and
increase the effectiveness of allocated resources for safety management. The presented
method is a means of assessing and reducing the risk of human error during emergency
situations. Risk reduction measures were identified for offshore emergency situations.
However, many potential risk reduction measures do not currently meet the criteria
described by ARAMIS (Anderson et al., 2004) to be included in risk reduction
calculations. Novel concepts in the current work include the combination of a human
error risk assessment methodology (HEART) with a comprehensive risk reduction
methodology (ARAMIS) to form a complete risk assessment and reduction tool. The
introduction of the hierarchy of controls (Khan and Amyotte, 2003) and the principle of
prevention and mitigation safeguards into the procedural HAZOP is also a novel idea.
These two additions facilitate the transition of safety measures from potential safety
barriers in the procedural HAZOP to safety barriers evaluated by ARAMIS and assigned
a design LC.
7.2 Recommendations
Further research is recommended as follows:
1. Further validate and document the use of HEART for emergency scenarios
through calibration and comparison with other expert judgment techniques and
known human reliability data.
2. Conduct further research into potential safety barriers that do not currently meet
minimum requirements to be assigned an LC, with the goal of satisfying these minimum
requirements. Currently there are many potential safety barriers that do not meet
the criteria defined in ARAMIS, reducing the effectiveness of the technique and
the knowledge of risk reduction measures.
3. Perform a dependency analysis of EER tasks and time constraint study on the
EER process. The performance of early EER tasks may have an effect on the
probability of error for later tasks. The EER process is also an urgent process and
major fatalities can occur within minutes if evacuation is delayed (Moan et al.,
1981).
4. Perform HEP, consequence and risk reduction analysis for the rescue phase of
EER.
References
Anderson, H., Casal, J., Dandrieux, A., Debray, B., Dianous, V., Duijm, N., Delvosalle, C., Fievez, C., Goossens, L., Gowland, R., Hale, A., Hourtolou, D., Mazzarotta, B., Pipart, A., Planas, E., Prats, F., Salvi, O., Tixier, J. 2004. “ARAMIS user guide” (The European Commission Community Research).
Cameron, I., Raman, R. Process Systems Risk Management, vol. 6. 2005. (San Diego, CA: Elsevier Academic Press).
Deacon, T., Amyotte, P. and Khan, F. 2010. “Human Error Risk Analysis in Offshore Emergencies,” Safety Science 48 803-818.
DiMattia, D. Human Error Probability Index for Offshore Platform Musters, PhD Thesis (2004), Dalhousie University.
DiMattia, D., Khan, F., Amyotte, P. 2005. “Determination of human error probabilities for offshore platform musters,” Journal of Loss Prevention in the Process Industries 18 488-501.
DNV. 2002. “Marine Risk Assessment” (Report OTO 2001 063, UK Health and Safety Executive).
DNV. 2007a. “Accident Statistics for Fixed Offshore Units on the UK Continental Shelf 1980-2005” (Report RR 566, UK Health and Safety Executive).
DNV. 2007b. “Accident Statistics for Floating Offshore Units on the UK Continental Shelf 1980-2005” (Report RR 567, UK Health and Safety Executive).
Embrey, D. Guidelines for Preventing Human Error in Process Safety. 1994. (New York, NY: American Institute of Chemical Engineers).
Khan, F. and Amyotte, P. 2003. “How to make inherent safety practice a reality,” The Canadian Journal of Chemical Engineering, 81 2-16.
Khan, F., Amyotte, P., DiMattia, D. 2006. “HEPI: A new tool for human error probability calculation for offshore operation,” Safety Science 44 313-334.
Kennedy, B. 1993. “A human factors analysis of evacuation, escape and rescue from offshore installations” (Report OTO 93 004, UK Health and Safety Executive).
Kirwan, B. 1996. “The Validation of Three Human Reliability Quantification Techniques – THERP, HEART and JHEDI: Part 1 – Technique Descriptions and Validation Issues,” Applied Ergonomics, 27 359-373.
Kirwan, B. 1997a. “The Validation of Three Human Reliability Quantification Techniques – THERP, HEART and JHEDI: Part 3 – Practical aspects of the usage of the techniques,” Applied Ergonomics, 28 27-39.
Kirwan, B. 1997b. “Validation of Human Reliability Assessment Techniques: Part 2 – Validation Results,” Safety Science, 27 43-75.
Kirwan, B., Kennedy, R., Taylor-Adams, S., Lambert, B. 1996. “The Validation of Three Human Reliability Quantification Techniques – THERP, HEART and JHEDI: Part 2 – Results of Validation Exercise,” Applied Ergonomics, 28 17-25.
Kletz, T. An Engineer’s View of Human Error, 3rd ed. 2001. (Rugby, Warwickshire: Institution of Chemical Engineers).
Moan, T., Næsheim, T., Øveraas, S., Bekkvik, P., Kloster, A. 1981. “The Alexander L. Kielland accident” (Report NOU 1981:11, Norwegian Public Reports).
Reason, J. Human Error. 1990. (New York, NY: Cambridge University Press).
Robertson, D. and Simpson, M. 1996. “Review of Probable Survival Times for Immersion in the North Sea” (Report OTO 95 038, UK Health and Safety Executive).
Robertson, D.H. and Wright, M.J. 1997. “Ocean Odyssey Emergency Evacuation: Analysis of Survivor Experiences” (Report OTO 96 009, UK Health and Safety Executive).
Salvi, O. and Debray, B. 2006. “A Global View on ARAMIS, a Risk Assessment Methodology for Industries in the Framework of the SEVESO II Directive,” Journal of Hazardous Materials, 30 187-199.
Swain, A. and Guttmann, H. Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications. NUREG/CR 1278. 1983. (Albuquerque, Sandia National Laboratories).
US Coast Guard. 1983. “Marine Casualty Report-Mobile Offshore Unit (MODU) OCEAN RANGER” (Report USCG 0001 HQS 82, US Coast Guard).
Williams, J. “A data-based method for assessing and reducing human error to improve operational performance,” IEEE Proceedings, 4th Conference on Human Factors, New York, 1988.
Appendix A
Risk Matrices
Figure A.1: ISO standard 17776 risk matrix (DNV, 2002).

Consequence:

| Severity rating | People | Assets | Environment | Reputation |
|---|---|---|---|---|
| 0 | Zero injury | Zero damage | Zero effect | Zero impact |
| 1 | Slight injury | Slight damage | Slight effect | Slight impact |
| 2 | Minor injury | Minor damage | Minor effect | Limited impact |
| 3 | Major injury | Local damage | Local effect | Considerable impact |
| 4 | Single fatality | Major damage | Major effect | Major national impact |
| 5 | Multiple fatalities | Extensive damage | Massive effect | Major international impact |

Increasing probability:

| Column | Definition |
|---|---|
| A | Rarely occurred in industry |
| B | Happened several times per year in industry |
| C | Has occurred in operating company |
| D | Happened several times per year in operating company |
| E | Happened several times per year in location |

The cells of the matrix fall into three regions: ‘Manage for continued improvement’, ‘Incorporate risk reducing measures’ and ‘Intolerable’.
Table A.1: Frequency index definitions for risk ranking matrix (DNV, 2002).

| FI | Frequency | Definition | F (per ship year) |
|---|---|---|---|
| 7 | Frequent | Likely to occur once per month on one ship | 10 |
| 5 | Reasonably probable | Likely to occur once per year on a fleet of 10 ships, i.e. likely to occur several times during a ship’s life | 0.1 |
| 3 | Remote | Likely to occur once per year on a fleet of 1000 ships, i.e. 10% chance of occurring in the life of 4 similar ships | 10^-3 |
| 1 | Extremely remote | Likely to occur once in 100 years in a fleet of 1000 ships, i.e. 1% chance of occurring in the life of 40 similar ships | 10^-5 |

Appendix B
Expert Judgment Surveys
Consent Form
Introduction
We invite you to take part in a research study being conducted by Travis Deacon who is a graduate student at Dalhousie University, as part of his Master’s of Applied Science. Your participation in this study is voluntary and you may withdraw from the study at any time. The study is described below. This description tells you about the risks, inconvenience, or discomfort which you might experience. Participating in the study might not benefit you, but we might learn things that will benefit others. You should discuss any questions you have about this study with Travis Deacon.
Purpose of the Study
The purpose of this study is to develop a tool to assess and reduce the risk of human error during emergency evacuation of offshore installations. The risk includes the probability of a human error occurring and the consequences of that error. We are using an expert judgement tool to estimate the probability of human error for each task involved in evacuating an offshore platform.
Study Design
If you choose to participate, it will include rating each of 40 evacuation tasks using the rating scale given to you. We will use these ratings to determine the human error probabilities for each task. We will also compare results from different participants to determine the user-friendliness of the technique.
Who can participate in the study
You may participate in this study if you have any level of background in offshore emergency procedures. This includes offshore emergency training instructors, operators that have participated in offshore evacuations or musters, and safety personnel responsible for offshore emergency preparedness. If you currently or did previously fit into one or more of these categories, then you may participate in this study.
Who will be conducting the research
The main investigator in this research is Travis Deacon, a graduate student at Dalhousie University. He is under the supervision of Dr. Paul Amyotte (Dalhousie University), Dr. Scott MacKinnon (Memorial University) and Dr. Faisal Khan (Memorial University).
What you will be asked to do
If you agree to participate, you will be asked to rate 40 offshore evacuation tasks using the given 8-point rating scale. You will also be asked to choose from a list of external factors that may influence evacuation performance and rate their effect on an individual on a scale of 1 to 10. Your
answers can be typed into the survey using Microsoft Word. This process can be done at your leisure over a period of 45 days. As the results will be compared, please do not discuss your results with others. Once completed, you are asked to email the surveys to Travis Deacon at [email protected].
Possible Risks and Discomforts
There is minimal expected risk or discomfort in participating in this survey.
Possible Benefits
While there are no expected personal benefits to this survey, it will help in the process of evaluating the risk during offshore evacuations, as well as highlighting the tasks that are highest priority for risk reduction efforts. This research will result in a generic tool that aims to help risk assessors evaluate human error for offshore emergency procedures.
Confidentiality and Anonymity
Potential participants will be solicited by forward of this survey from the main investigator’s contacts in industry. Should you decide to participate, you need only to inform the main investigator through completion and submission of the survey via his email address. By submitting a completed or partially completed survey to the main investigator, you are consenting to the use of the data supplied in the surveys. At no time will participant identities be revealed by the research team to anyone aside from the main investigator and his supervisors. Participants will have direct contact with the main investigator or Director of Research Ethics at Dalhousie University should they have questions. Should you choose to participate in this survey, you will not be identified in any reports or publications that follow from it.
Results will be kept in a computer file that does not identify individuals. A separate file that links individual names to survey results will be kept until receipt of all completed surveys and confirmation that there are no matters in the completed survey requiring follow-up. A list of participants will be kept on computer file should the need arise to contact participants during analysis of the results. The main investigator and supervisors will have access to this information, which will be locked in an office when not in use. The results will be kept on computer file at Dalhousie University for 5 years following publication. Following this time, the record will be deleted.
Questions
Should you have any questions about the procedure or the study in general, please contact Travis Deacon, graduate student, Department of Process Engineering and Applied Science at Dalhousie University, at (902) 220-0794, [email protected]. Any new information that may affect your decision to participate in this study will be forwarded to you if it develops.
Problems or concerns
If you have any difficulties with, or wish to voice concern about, any aspect of your participation in this study, you may contact Patricia Lindley, Director of Dalhousie University’s Office of Human Research Ethics Administration, for assistance at (902) 494-1462, [email protected]
Generic Error Probability (GEP) evaluation form
The following is a list of steps identified for the evacuation procedure. These are the steps that operators must be able to complete to achieve successful evacuation of a platform. Some steps must be performed by a designated operator (i.e. coxswain, muster captain).
1.0 Prepare to evacuate
  1.1 Check wind speed, direction and sea state
  1.2 Instruct personnel and maintain control
  1.3 Issue sea sickness tablets
2.0 Evacuate installation – do one of 2.1-2.5, priority in descending order
  2.1 Evacuate via bridge link
  2.2 Evacuate via helicopter
    2.2.1 Move to helideck
    2.2.2 Establish communication with pilot
    2.2.3 Instruct personnel on boarding procedure
    2.2.4 Board helicopter
    2.2.5 Don flight suit, aviation life jacket and secure seatbelt
  2.3 Evacuate via TEMPSC
    2.3.1 Ensure sea worthiness of TEMPSC
    2.3.2 Check compass heading/direction to steer craft
    2.3.3 Turn helm fully to clear installation on launch
    2.3.4 Ensure drop zone is clear
    2.3.5 Instruct personnel on boarding procedure
    2.3.6 Fasten seat belt
    2.3.7 Ensure everyone is secure
    2.3.8 Start air support system
    2.3.9 Close and secure all hatches
    2.3.10 Call command centre/launch master/other lifeboats to confirm launch sequence
    2.3.11 Release falls/confirm auto-release
    2.3.12 Launch TEMPSC
    2.3.13 Engage forward gear and full throttle
    2.3.14 Steer TEMPSC at vector from platform to rescue area
  2.4 Evacuate by life raft
    2.4.1 Move to life raft muster station
    2.4.2 Ensure seaworthiness of life raft
    2.4.3 Secure painter to a strong point
    2.4.4 Check for life raft instructions and number of personnel accommodated
    2.4.5 Launch life raft
    2.4.6 Board life raft
    2.4.7 Cut painter
    2.4.8 Paddle clear of danger
    2.4.9 Stream anchor
    2.4.10 Maintain sea worthiness of life raft
    2.4.11 Look for TEMPSC, FRC, other life raft or overboard survivors
    2.4.12 Attach painter to other life raft or tow craft
  2.5 Escape directly to sea
    2.5.1 Ensure survival suit properly sealed, lifejacket fastened
    2.5.2 Move to lowest nearby landing of platform
    2.5.3 Assess direction of waves, danger and airborne contaminants
    2.5.4 Jump away from platform, feet first, avoiding platform legs
    2.5.5 Swim along side of platform
    2.5.6 Look for other overboard survivors and rescue opportunities
Evacuation step 2.1 will not be explored in this study.
The tasks are evaluated using an eight-point rating scale (called the GEP number), with 1 signifying a low probability of error and 8 signifying very high probability of error. To do this, choose the first reasonable generic task description from the table below. A diagram is shown below, and an example of a task for each generic description is provided where possible for reference. At the end of each evacuation method there is an opportunity to suggest additional tasks for that method (see, for example, 1.x after 1.3).
Consider each step independently. The GEP for evacuation step 1.1 should not influence the GEP for evacuation step 1.2 or any other. This is an individual exercise and the results will be compared, so please do not collaborate. If you have any questions, please contact Travis Deacon at [email protected], (902) 220-0794.
As an example, the task of ‘closing a valve at the end of a task’ is evaluated. First it is compared with GEP 1, ‘respond correctly to system command even with automated/augmented supervisory system providing accurate interpretation of system stage’. This is not the case, as this is part of a procedure and not a system command. It does not fit GEP 2 unless it were to be performed several times per hour. It does, however, fit GEP 3. It is a shift of a device to a new or original state, it is a procedure, and there is likely checking. It is the first GEP that is a reasonable description.
[Flow diagram: Choose step. Does it fit description 1? If yes, record in survey. If no: does it fit description 2? If yes, record in survey. If no: etc.]
| GEP | Generic Description | Example Task |
|---|---|---|
| 1 | Respond correctly to system command even with automated/augmented supervisory system providing accurate interpretation of system stage | Press the illuminated button from a series of buttons on a panel |
| 2 | Familiar, well-designed routine task performed several times per hour, performed to highest possible standards by highly motivated, trained and experienced person totally aware of consequences of failure, with time to correct potential error but with no significant job aids | Navigate a car through a 4-way intersection. Multiple lanes in each direction with pavement markings. |
| 3 | Restore/shift system/device to a new or its original state, following procedures, with checking | Close a valve at the end of a task |
| 4 | Routine, highly-practiced, rapid task requiring little skill | Install a bearing correctly during a maintenance operation |
| 5 | Fairly simple task performed rapidly or given little attention | Unlock a combination lock in one attempt |
| 6 | Complex task requiring high level of comprehension and skill | Find 15 defects in an electrical unit within 3 hours |
| 7 | Shift/restore system to a new or its original state, single attempt, no supervision/procedures | Perform 10 numerical calculations in a row without time to correct mistakes |
| 8 | Totally unfamiliar, at speed, no idea of consequences | |

Evacuation Step: 1.1. Check wind speed, direction and sea state
GEP - Work from 1-8 and insert number of the first definition that is plausible:
Comments - Type in comments or recommendations here (e.g. why you chose that GEP):
Evacuation Step: 1.2. Instruct personnel and maintain control
GEP - Work from 1-8 and insert number of the first definition that is plausible:
Comments - Type in comments or recommendations here (e.g. why you chose that GEP):
Evacuation Step: 1.3. Issue sea sickness tablets
GEP - Work from 1-8 and insert number of the first definition that is plausible:
Comments - Type in comments or recommendations here (e.g. why you chose that GEP):
Evacuation Step: 1.x. If you believe there is a step that should be added to this section, please identify
it and where it should be placed
GEP - Work from 1-8 and insert number of the first definition that is plausible:
Comments - Type in comments or recommendations here (e.g. why you chose that GEP):
Evacuation Step: 1.xx. If you believe there is a step that should be added to this section, please
identify it and where it should be placed
GEP - Work from 1-8 and insert number of the first definition that is plausible:
Comments - Type in comments or recommendations here (e.g. why you chose that GEP):
Evacuation Step: 2.2.1. Move to helideck
GEP - Work from 1-8 and insert number of the first definition that is plausible:
Comments - Type in comments or recommendations here (e.g. why you chose that GEP):
Evacuation Step: 2.2.2. Establish communication with pilot
GEP - Work from 1-8 and insert number of the first definition that is plausible:
Comments - Type in comments or recommendations here (e.g. why you chose that GEP):
Evacuation Step: 2.2.3. Instruct personnel on boarding procedure
GEP - Work from 1-8 and insert number of the first definition that is plausible:
Comments - Type in comments or recommendations here (e.g. why you chose that GEP):
Evacuation Step: 2.2.4. Board helicopter
GEP - Work from 1-8 and insert number of the first definition that is plausible:
Comments - Type in comments or recommendations here (e.g. why you chose that GEP):
Evacuation Step: 2.2.5 Don flight suit, aviation life jacket and secure seatbelt
GEP - Work from 1-8 and insert number of the first definition that is plausible:
Comments - Type in comments or recommendations here (e.g. why you chose that GEP):
Evacuation Step: 2.2.x. If you believe there is a step that should be added to this section, please
identify it and where it should be placed
GEP - Work from 1-8 and insert number of the first definition that is plausible:
Comments - Type in comments or recommendations here (e.g. why you chose that GEP):
Evacuation Step: 2.2.xx. If you believe there is a step that should be added to this section, please
identify it and where it should be placed
GEP - Work from 1-8 and insert number of the first definition that is plausible:
Comments - Type in comments or recommendations here (e.g. why you chose that GEP):
Evacuation Step: 2.3.1. Ensure seaworthiness of TEMPSC
GEP - Work from 1-8 and insert number of the first definition that is plausible:
Comments - Type in comments or recommendations here (e.g. why you chose that GEP):
Evacuation Step: 2.3.2 Check compass heading/direction to steer craft
GEP - Work from 1-8 and insert number of the first definition that is plausible:
Comments - Type in comments or recommendations here (e.g. why you chose that GEP):
Evacuation Step: 2.3.3. Turn helm fully to clear installation on launch
GEP - Work from 1-8 and insert number of the first definition that is plausible:
Comments - Type in comments or recommendations here (e.g. why you chose that GEP):
Evacuation Step: 2.3.4. Ensure drop zone is clear
GEP - Work from 1-8 and insert number of the first definition that is plausible:
Comments - Type in comments or recommendations here (e.g. why you chose that GEP):
Evacuation Step: 2.3.5. Instruct personnel on boarding procedure
GEP - Work from 1-8 and insert number of the first definition that is plausible:
Comments - Type in comments or recommendations here (e.g. why you chose that GEP):
Evacuation Step: 2.3.6. Fasten seatbelt
GEP - Work from 1-8 and insert number of the first definition that is plausible:
Comments - Type in comments or recommendations here (e.g. why you chose that GEP):
Evacuation Step: 2.3.7. Ensure everyone is secure
GEP - Work from 1-8 and insert number of the first definition that is plausible:
Comments - Type in comments or recommendations here (e.g. why you chose that GEP):
Evacuation Step: 2.3.8. Start air support system
GEP - Work from 1-8 and insert number of the first definition that is plausible:
Comments - Type in comments or recommendations here (e.g. why you chose that GEP):
Evacuation Step: 2.3.9. Close and secure all hatches
GEP - Work from 1-8 and insert number of the first definition that is plausible:
Comments - Type in comments or recommendations here (e.g. why you chose that GEP):
Evacuation Step: 2.3.10. Call command centre/launch master/other lifeboats to confirm launch sequence
GEP - Work from 1-8 and insert number of the first definition that is plausible:
Comments - Type in comments or recommendations here (e.g. why you chose that GEP):
Evacuation Step: 2.3.11. Release falls/confirm auto-release
GEP - Work from 1-8 and insert number of the first definition that is plausible:
Comments - Type in comments or recommendations here (e.g. why you chose that GEP):
Evacuation Step: 2.3.12. Launch TEMPSC
GEP - Work from 1-8 and insert number of the first definition that is plausible:
Comments - Type in comments or recommendations here (e.g. why you chose that GEP):
Evacuation Step: 2.3.13. Engage forward gear and full throttle
GEP - Work from 1-8 and insert number of the first definition that is plausible:
Comments - Type in comments or recommendations here (e.g. why you chose that GEP):
Evacuation Step: 2.3.14. Steer TEMPSC at vector from platform to rescue area
GEP - Work from 1-8 and insert number of the first definition that is plausible:
Comments - Type in comments or recommendations here (e.g. why you chose that GEP):
Evacuation Step: 2.3.x. If you believe there is a step that should be added to this section, please
identify it and where it should be placed
GEP - Work from 1-8 and insert number of the first definition that is plausible:
Comments - Type in comments or recommendations here (e.g. why you chose that GEP):
Evacuation Step: 2.3.xx. If you believe there is a step that should be added to this section, please
identify it and where it should be placed
GEP - Work from 1-8 and insert number of the first definition that is plausible:
Comments - Type in comments or recommendations here (e.g. why you chose that GEP):
Evacuation Step: 2.4.1. Move to life raft muster station
GEP - Work from 1-8 and insert number of the first definition that is plausible:
Comments - Type in comments or recommendations here (e.g. why you chose that GEP):
Evacuation Step: 2.4.2. Ensure seaworthiness of liferaft
GEP - Work from 1-8 and insert number of the first definition that is plausible:
Comments - Type in comments or recommendations here (e.g. why you chose that GEP):
Evacuation Step: 2.4.3. Secure painter to a strong point
GEP - Work from 1-8 and insert number of the first definition that is plausible:
Comments - Type in comments or recommendations here (e.g. why you chose that GEP):
Evacuation Step: 2.4.4. Check for liferaft instructions and number of POB accommodated
GEP - Work from 1-8 and insert number of the first definition that is plausible:
Comments - Type in comments or recommendations here (e.g. why you chose that GEP):
Evacuation Step: 2.4.5. Launch liferaft
GEP - Work from 1-8 and insert number of the first definition that is plausible:
Comments - Type in comments or recommendations here (e.g. why you chose that GEP):
Evacuation Step: 2.4.6. Board liferaft
GEP - Work from 1-8 and insert number of the first definition that is plausible:
Comments - Type in comments or recommendations here (e.g. why you chose that GEP):
Evacuation Step: 2.4.7. Cut painter
GEP - Work from 1-8 and insert number of the first definition that is plausible:
Comments - Type in comments or recommendations here (e.g. why you chose that GEP):
Evacuation Step: 2.4.8. Paddle clear of danger
GEP - Work from 1-8 and insert number of the first definition that is plausible:
Comments - Type in comments or recommendations here (e.g. why you chose that GEP):
Evacuation Step: 2.4.9. Stream anchor
GEP - Work from 1-8 and insert number of the first definition that is plausible:
Comments - Type in comments or recommendations here (e.g. why you chose that GEP):
Evacuation Step: 2.4.10. Maintain seaworthiness of liferaft
GEP - Work from 1-8 and insert number of the first definition that is plausible:
Comments - Type in comments or recommendations here (e.g. why you chose that GEP):
Evacuation Step: 2.4.11. Search for TEMPSC, FRC, other liferaft or overboard survivors
GEP - Work from 1-8 and insert number of the first definition that is plausible:
Comments - Type in comments or recommendations here (e.g. why you chose that GEP):
Evacuation Step: 2.4.12. Attach painter to other liferaft or tow craft
GEP - Work from 1-8 and insert number of the first definition that is plausible:
Comments - Type in comments or recommendations here (e.g. why you chose that GEP):
Evacuation Step: 2.4.x. If you believe there is a step that should be added to this section, please
identify it and where it should be placed
GEP - Work from 1-8 and insert number of the first definition that is plausible:
Comments - Type in comments or recommendations here (e.g. why you chose that GEP):
Evacuation Step: 2.4.xx. If you believe there is a step that should be added to this section, please
identify it and where it should be placed
GEP - Work from 1-8 and insert number of the first definition that is plausible:
Comments - Type in comments or recommendations here (e.g. why you chose that GEP):
Evacuation Step: 2.5.1. Ensure survival suit properly sealed, life jacket fastened
GEP - Work from 1-8 and insert number of the first definition that is plausible:
Comments - Type in comments or recommendations here (e.g. why you chose that GEP):
Evacuation Step: 2.5.2. Move to lowest nearby landing of platform
GEP - Work from 1-8 and insert number of the first definition that is plausible:
Comments - Type in comments or recommendations here (e.g. why you chose that GEP):
Evacuation Step: 2.5.3. Assess direction of waves, danger and airborne contaminants
GEP - Work from 1-8 and insert number of the first definition that is plausible:
Comments - Type in comments or recommendations here (e.g. why you chose that GEP):
Evacuation Step: 2.5.4. Jump away from platform feet first, avoiding platform legs
GEP - Work from 1-8 and insert number of the first definition that is plausible:
Comments - Type in comments or recommendations here (e.g. why you chose that GEP):
Evacuation Step: 2.5.5. Swim along side of platform
GEP - Work from 1-8 and insert number of the first definition that is plausible:
Comments - Type in comments or recommendations here (e.g. why you chose that GEP):
Evacuation Step: 2.5.6. Look for other overboard survivors and rescue opportunities
GEP - Work from 1-8 and insert number of the first definition that is plausible:
Comments - Type in comments or recommendations here (e.g. why you chose that GEP):
Evacuation Step: 2.5.x. If you believe there is a step that should be added to this section, please
identify it and where it should be placed
GEP - Work from 1-8 and insert number of the first definition that is plausible:
Comments - Type in comments or recommendations here (e.g. why you chose that GEP):
Evacuation Step: 2.6.xx. If you believe there is a step that should be added to this section, please
identify it and where it should be placed
GEP - Work from 1-8 and insert number of the first definition that is plausible:
Comments - Type in comments or recommendations here (e.g. why you chose that GEP):
Thank you for your participation in this survey. Please email the completed form to [email protected] with the subject line ‘Evacuation form’. If you would like further information on the results of this study, please indicate in the body of the email.
Error-Producing Condition (EPC) evaluation form
The following is a list of steps identified for the evacuation procedure. These are the steps that operators must be able to complete to achieve successful evacuation of a platform. Some steps must be performed by a designated operator (i.e. coxswain, muster captain).
1.0 Prepare to evacuate
  1.1 Check wind speed, direction and sea state
  1.2 Instruct personnel and maintain control
  1.3 Issue sea sickness tablets
2.0 Evacuate installation – do one of 2.1-2.5, priority in descending order
  2.1 Evacuate via bridge link
  2.2 Evacuate via helicopter
    2.2.1 Move to helideck
    2.2.2 Establish communication with pilot
    2.2.3 Instruct personnel on boarding procedure
    2.2.4 Board helicopter
    2.2.5 Don flight suit, aviation life jacket and secure seatbelt
  2.3 Evacuate via TEMPSC
    2.3.1 Ensure sea worthiness of TEMPSC
    2.3.2 Check compass heading/direction to steer craft
    2.3.3 Turn helm fully to clear installation on launch
    2.3.4 Ensure drop zone is clear
    2.3.5 Instruct personnel on boarding procedure
    2.3.6 Fasten seat belt
    2.3.7 Ensure everyone is secure
    2.3.8 Start air support system
    2.3.9 Close and secure all hatches
    2.3.10 Call command centre/launch master/other lifeboats to confirm launch sequence
    2.3.11 Release falls/confirm auto-release
    2.3.12 Launch TEMPSC
    2.3.13 Engage forward gear and full throttle
    2.3.14 Steer TEMPSC at vector from platform to rescue area
  2.4 Evacuate by life raft
    2.4.1 Move to life raft muster station
    2.4.2 Ensure seaworthiness of life raft
    2.4.3 Secure painter to a strong point
    2.4.4 Check for life raft instructions and number of personnel accommodated
    2.4.5 Launch life raft
    2.4.6 Board life raft
    2.4.7 Cut painter
    2.4.8 Paddle clear of danger
    2.4.9 Stream anchor
    2.4.10 Maintain sea worthiness of life raft
    2.4.11 Look for TEMPSC, FRC, other life raft or overboard survivors
    2.4.12 Attach painter to other life raft or tow craft
  2.5 Escape directly to sea
    2.5.1 Ensure survival suit properly sealed, lifejacket fastened
    2.5.2 Move to lowest nearby landing of platform
    2.5.3 Assess direction of waves, danger and airborne contaminants
    2.5.4 Jump away from platform, feet first, avoiding platform legs
    2.5.5 Swim along side of platform
    2.5.6 Look for other overboard survivors and rescue opportunities
Evacuation step 2.1 will not be explored in this study.
Consider each step. Choose between 0 and 3 EPCs that you believe an operator can be susceptible to for that step, 1-17, corresponding to the generic description in the EPC chart above. Then rate the impact the EPC will have on each of the three scenarios defined below, from 0-10 (0 meaning no or negligible impact, 10 meaning the EPC will severely affect the operator’s performance). A diagram of the process is shown below. There is also space to insert comments or suggestions.
Consider each step independently. The EPCs, if any, for evacuation step 1.1 should not influence the EPC(s) for evacuation step 1.2 or any other. This is an individual exercise and the results will be compared, so please do not collaborate. If you have any questions, please contact Travis Deacon at [email protected], (902) 220-0794.
As an example, the task of ‘closing the valve at the end of a task’ is evaluated. EPC 8, which could be in the form of a distraction to the operator, is a potential factor. If this occurs during normal operation with no other activities in the area, then the weight of this EPC would be 0. However, if there are several work activities being performed in the work station of which the operator must be constantly aware and cautious, such as non-scheduled maintenance or repairs, the EPC will be more important, perhaps with a rating of 6.
[Diagram of the process, with boxes labelled: Choose Scenario; Choose & Record 0-3 EPCs; Weight magnitude of effect of EPCs from 0-10; Choose Step]
EPC | Description
1 | Unfamiliarity with a situation which is potentially important, but occurs infrequently, or which is novel
2 | Shortage of time available for error detection and correction
3 | Low signal-to-noise ratio
4 | Means of suppressing/overriding information/features that is too easily accessible
5 | No means of conveying spatial and functional information to operators in a form that they can readily assimilate
6 | Mismatch between operator's model of the world and that of the designer
7 | No obvious means of reversing an unintended action
8 | A channel-capacity overload, particularly one that is caused by simultaneous presentation of non-redundant information
9 | A need to unlearn a technique and apply one that uses an opposing philosophy
10 | The need to transfer specific knowledge from task to task without loss
11 | Ambiguity in the required performance standards
12 | A mismatch between perceived and real risk
13 | Poor, ambiguous or mismatched system feedback
14 | No clear, direct and timely confirmation of an intended action from the portion of the system over which control is to be exerted
15 | Operator inexperience
16 | An impoverished quality of information conveyed by procedures and person-person interaction
17 | Little or no independent checking/testing of output
Abandonment Scenario
Detail | Collision | Gas Release | Fire & Explosion
Situation | A jack-up rig collides with a fixed installation during approach, significant damage to platform leg. | A hydrocarbon gas release | A fire and explosion
Operator in question | 15 years experience | 7 years experience | 6 months experience
Weather | Good weather, calm seas | Cold, wet weather | Winter storm
Time of day | Daylight hours | Daylight hours | Night time hours
Evacuation Step: 1.1. Check wind speed, direction and sea state
EPC 1 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 2 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 3 - Weight (out of 10) - Collision Gas release Fire & Explosion
Comments - Type in comments or recommendations here (e.g. why you chose these EPCs, or chose none):
Evacuation Step: 1.2. Instruct personnel and maintain control
EPC 1 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 2 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 3 - Weight (out of 10) - Collision Gas release Fire & Explosion
Comments - Type in comments or recommendations here (e.g. why you chose these EPCs, or chose none):
Evacuation Step: 1.3. Issue sea sickness tablets
EPC 1 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 2 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 3 - Weight (out of 10) - Collision Gas release Fire & Explosion
Comments - Type in comments or recommendations here (e.g. why you chose these EPCs, or chose none):
Evacuation Step: 1.x. If you believe there is a step that should be added to this section, please identify
it and where it should be placed
EPC 1 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 2 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 3 - Weight (out of 10) - Collision Gas release Fire & Explosion
Comments - Type in comments or recommendations here (e.g. why you chose these EPCs, or chose none):
Evacuation Step: 1.xx. If you believe there is a step that should be added to this section, please
identify it and where it should be placed
EPC 1 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 2 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 3 - Weight (out of 10) - Collision Gas release Fire & Explosion
Comments - Type in comments or recommendations here (e.g. why you chose these EPCs, or chose none):
Evacuation Step: 2.2.1. Move to helideck
EPC 1 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 2 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 3 - Weight (out of 10) - Collision Gas release Fire & Explosion
Comments - Type in comments or recommendations here (e.g. why you chose these EPCs, or chose none):
Evacuation Step: 2.2.2. Establish communication with pilot
EPC 1 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 2 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 3 - Weight (out of 10) - Collision Gas release Fire & Explosion
Comments - Type in comments or recommendations here (e.g. why you chose these EPCs, or chose none):
Evacuation Step: 2.2.3. Instruct personnel on boarding procedure
EPC 1 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 2 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 3 - Weight (out of 10) - Collision Gas release Fire & Explosion
Comments - Type in comments or recommendations here (e.g. why you chose these EPCs, or chose none):
Evacuation Step: 2.2.4. Board helicopter
EPC 1 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 2 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 3 - Weight (out of 10) - Collision Gas release Fire & Explosion
Comments - Type in comments or recommendations here (e.g. why you chose these EPCs, or chose none):
Evacuation Step: 2.2.5 Don flight suit, aviation life jacket and secure seatbelt
EPC 1 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 2 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 3 - Weight (out of 10) - Collision Gas release Fire & Explosion
Comments - Type in comments or recommendations here (e.g. why you chose these EPCs, or chose none):
Evacuation Step: 2.2.x. If you believe there is a step that should be added to this section, please
identify it and where it should be placed
EPC 1 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 2 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 3 - Weight (out of 10) - Collision Gas release Fire & Explosion
Comments - Type in comments or recommendations here (e.g. why you chose these EPCs, or chose none):
Evacuation Step: 2.2.xx. If you believe there is a step that should be added to this section, please
identify it and where it should be placed
EPC 1 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 2 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 3 - Weight (out of 10) - Collision Gas release Fire & Explosion
Comments - Type in comments or recommendations here (e.g. why you chose these EPCs, or chose none):
Evacuation Step: 2.3.1. Ensure seaworthiness of TEMPSC
EPC 1 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 2 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 3 - Weight (out of 10) - Collision Gas release Fire & Explosion
Comments - Type in comments or recommendations here (e.g. why you chose these EPCs, or chose none):
Evacuation Step: 2.3.2 Check compass heading/direction to steer craft
EPC 1 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 2 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 3 - Weight (out of 10) - Collision Gas release Fire & Explosion
Comments - Type in comments or recommendations here (e.g. why you chose these EPCs, or chose none):
Evacuation Step: 2.3.3. Turn helm fully to clear installation on launch
EPC 1 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 2 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 3 - Weight (out of 10) - Collision Gas release Fire & Explosion
Comments - Type in comments or recommendations here (e.g. why you chose these EPCs, or chose none):
Evacuation Step: 2.3.4. Ensure drop zone is clear
EPC 1 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 2 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 3 - Weight (out of 10) - Collision Gas release Fire & Explosion
Comments - Type in comments or recommendations here (e.g. why you chose these EPCs, or chose none):
Evacuation Step: 2.3.5. Instruct personnel on boarding procedure
EPC 1 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 2 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 3 - Weight (out of 10) - Collision Gas release Fire & Explosion
Comments - Type in comments or recommendations here (e.g. why you chose these EPCs, or chose none):
Evacuation Step: 2.3.6. Fasten seatbelt
EPC 1 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 2 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 3 - Weight (out of 10) - Collision Gas release Fire & Explosion
Comments - Type in comments or recommendations here (e.g. why you chose these EPCs, or chose none):
Evacuation Step: 2.3.7. Ensure everyone is secure
EPC 1 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 2 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 3 - Weight (out of 10) - Collision Gas release Fire & Explosion
Comments - Type in comments or recommendations here (e.g. why you chose these EPCs, or chose none):
Evacuation Step: 2.3.8. Start air support system
EPC 1 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 2 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 3 - Weight (out of 10) - Collision Gas release Fire & Explosion
Comments - Type in comments or recommendations here (e.g. why you chose these EPCs, or chose none):
Evacuation Step: 2.3.9. Close and secure all hatches
EPC 1 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 2 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 3 - Weight (out of 10) - Collision Gas release Fire & Explosion
Comments - Type in comments or recommendations here (e.g. why you chose these EPCs, or chose none):
Evacuation Step: 2.3.10. Call command centre/launch master/other lifeboats to confirm launch sequence
EPC 1 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 2 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 3 - Weight (out of 10) - Collision Gas release Fire & Explosion
Comments - Type in comments or recommendations here (e.g. why you chose these EPCs, or chose none):
Evacuation Step: 2.3.11. Release falls/confirm auto-release
EPC 1 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 2 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 3 - Weight (out of 10) - Collision Gas release Fire & Explosion
Comments - Type in comments or recommendations here (e.g. why you chose these EPCs, or chose none):
Evacuation Step: 2.3.12. Launch TEMPSC
EPC 1 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 2 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 3 - Weight (out of 10) - Collision Gas release Fire & Explosion
Comments - Type in comments or recommendations here (e.g. why you chose these EPCs, or chose none):
Evacuation Step: 2.3.13. Engage forward gear and full throttle
EPC 1 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 2 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 3 - Weight (out of 10) - Collision Gas release Fire & Explosion
Comments - Type in comments or recommendations here (e.g. why you chose these EPCs, or chose none):
Evacuation Step: 2.3.14. Steer TEMPSC at vector from platform to rescue area
EPC 1 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 2 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 3 - Weight (out of 10) - Collision Gas release Fire & Explosion
Comments - Type in comments or recommendations here (e.g. why you chose these EPCs, or chose none):
Evacuation Step: 2.3.x. If you believe there is a step that should be added to this section, please
identify it and where it should be placed
EPC 1 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 2 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 3 - Weight (out of 10) - Collision Gas release Fire & Explosion
Comments - Type in comments or recommendations here (e.g. why you chose these EPCs, or chose none):
Evacuation Step: 2.3.xx. If you believe there is a step that should be added to this section, please
identify it and where it should be placed
EPC 1 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 2 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 3 - Weight (out of 10) - Collision Gas release Fire & Explosion
Comments - Type in comments or recommendations here (e.g. why you chose these EPCs, or chose none):
Evacuation Step: 2.4.1. Move to life raft muster station
EPC 1 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 2 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 3 - Weight (out of 10) - Collision Gas release Fire & Explosion
Comments - Type in comments or recommendations here (e.g. why you chose these EPCs, or chose none):
Evacuation Step: 2.4.2. Ensure seaworthiness of life raft
EPC 1 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 2 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 3 - Weight (out of 10) - Collision Gas release Fire & Explosion
Comments - Type in comments or recommendations here (e.g. why you chose these EPCs, or chose none):
Evacuation Step: 2.4.3. Secure painter to a strong point
EPC 1 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 2 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 3 - Weight (out of 10) - Collision Gas release Fire & Explosion
Comments - Type in comments or recommendations here (e.g. why you chose these EPCs, or chose none):
Evacuation Step: 2.4.4. Check for life raft instructions and number of POB accommodated
EPC 1 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 2 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 3 - Weight (out of 10) - Collision Gas release Fire & Explosion
Comments - Type in comments or recommendations here (e.g. why you chose these EPCs, or chose none):
Evacuation Step: 2.4.5. Launch life raft
EPC 1 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 2 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 3 - Weight (out of 10) - Collision Gas release Fire & Explosion
Comments - Type in comments or recommendations here (e.g. why you chose these EPCs, or chose none):
Evacuation Step: 2.4.6. Board life raft
EPC 1 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 2 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 3 - Weight (out of 10) - Collision Gas release Fire & Explosion
Comments - Type in comments or recommendations here (e.g. why you chose these EPCs, or chose none):
Evacuation Step: 2.4.7. Cut painter
EPC 1 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 2 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 3 - Weight (out of 10) - Collision Gas release Fire & Explosion
Comments - Type in comments or recommendations here (e.g. why you chose these EPCs, or chose none):
Evacuation Step: 2.4.8. Paddle clear of danger
EPC 1 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 2 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 3 - Weight (out of 10) - Collision Gas release Fire & Explosion
Comments - Type in comments or recommendations here (e.g. why you chose these EPCs, or chose none):
Evacuation Step: 2.4.9. Stream anchor
EPC 1 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 2 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 3 - Weight (out of 10) - Collision Gas release Fire & Explosion
Comments - Type in comments or recommendations here (e.g. why you chose these EPCs, or chose none):
Evacuation Step: 2.4.10. Maintain seaworthiness of life raft
EPC 1 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 2 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 3 - Weight (out of 10) - Collision Gas release Fire & Explosion
Comments - Type in comments or recommendations here (e.g. why you chose these EPCs, or chose none):
Evacuation Step: 2.4.11. Search for TEMPSC, FRC, other life raft or overboard survivors
EPC 1 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 2 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 3 - Weight (out of 10) - Collision Gas release Fire & Explosion
Comments - Type in comments or recommendations here (e.g. why you chose these EPCs, or chose none):
Evacuation Step: 2.4.12. Attach painter to other life raft or tow craft
EPC 1 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 2 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 3 - Weight (out of 10) - Collision Gas release Fire & Explosion
Comments - Type in comments or recommendations here (e.g. why you chose these EPCs, or chose none):
Evacuation Step: 2.4.x. If you believe there is a step that should be added to this section, please
identify it and where it should be placed
EPC 1 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 2 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 3 - Weight (out of 10) - Collision Gas release Fire & Explosion
Comments - Type in comments or recommendations here (e.g. why you chose these EPCs, or chose none):
Evacuation Step: 2.4.xx. If you believe there is a step that should be added to this section, please
identify it and where it should be placed
EPC 1 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 2 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 3 - Weight (out of 10) - Collision Gas release Fire & Explosion
Comments - Type in comments or recommendations here (e.g. why you chose these EPCs, or chose none):
Evacuation Step: 2.5.1. Ensure survival suit properly sealed, life jacket fastened
EPC 1 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 2 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 3 - Weight (out of 10) - Collision Gas release Fire & Explosion
Comments - Type in comments or recommendations here (e.g. why you chose these EPCs, or chose none):
Evacuation Step: 2.5.2. Move to lowest nearby landing of platform
EPC 1 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 2 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 3 - Weight (out of 10) - Collision Gas release Fire & Explosion
Comments - Type in comments or recommendations here (e.g. why you chose these EPCs, or chose none):
Evacuation Step: 2.5.3. Assess direction of waves, danger and airborne contaminants
EPC 1 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 2 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 3 - Weight (out of 10) - Collision Gas release Fire & Explosion
Comments - Type in comments or recommendations here (e.g. why you chose these EPCs, or chose none):
Evacuation Step: 2.5.4. Jump away from platform feet first, avoiding platform legs
EPC 1 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 2 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 3 - Weight (out of 10) - Collision Gas release Fire & Explosion
Comments - Type in comments or recommendations here (e.g. why you chose these EPCs, or chose none):
Evacuation Step: 2.5.5. Swim along side of platform
EPC 1 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 2 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 3 - Weight (out of 10) - Collision Gas release Fire & Explosion
Comments - Type in comments or recommendations here (e.g. why you chose these EPCs, or chose none):
Evacuation Step: 2.5.6. Look for other overboard survivors and rescue opportunities
EPC 1 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 2 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 3 - Weight (out of 10) - Collision Gas release Fire & Explosion
Comments - Type in comments or recommendations here (e.g. why you chose these EPCs, or chose none):
Evacuation Step: 2.5.x. If you believe there is a step that should be added to this section, please
identify it and where it should be placed
EPC 1 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 2 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 3 - Weight (out of 10) - Collision Gas release Fire & Explosion
Comments - Type in comments or recommendations here (e.g. why you chose these EPCs, or chose none):
Evacuation Step: 2.5.xx. If you believe there is a step that should be added to this section, please
identify it and where it should be placed
EPC 1 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 2 - Weight (out of 10) - Collision Gas release Fire & Explosion
EPC 3 - Weight (out of 10) - Collision Gas release Fire & Explosion
Comments - Type in comments or recommendations here (e.g. why you chose these EPCs, or chose none):
Thank you for your participation in this survey. Please email the completed form to [email protected] with the subject line ‘Evacuation form’. If you would like further information on the results of this study, please indicate in the body of the email.
Appendix C
Procedural HAZOP of Evacuation Tasks
Table C.1: Check wind speed, direction & sea state HAZOP (Step 1.1).
Failure Mode Description Consequences Prevention Barriers Mitigation Barriers
Information not obtained
Coxswain assumes they know this information already
Safer option missed/ ignored
Unnecessary exposure to danger
Procedural
Written prompts at boat station and inside TEMPSC
Drills including verbalization of weather and sea conditions
Training with measuring equipment and interpreting conditions
Active Engineered
Enter parameters in a program. Alarm indicating failure to input parameters (or incorrect direction, etc.)
Wrong information obtained
Coxswain misinterprets readings
Procedural
Drills including verbalization of weather and sea conditions
Training with measuring equipment and interpreting conditions
Active Engineered
Enter parameters in a program. Alarm indicating failure to input parameters (or incorrect direction, etc.)
Table C.10: Instruct personnel and maintain control HAZOP (Step 1.2).
Failure Mode Description Consequences Prevention Barriers Mitigation Barriers
Information not transmitted
OIM/coxswains do not instruct personnel and maintain control
Panic/irrational behaviour within personnel
Procedural
Cox/OIM should have orders to be given on a checklist card
Personnel in command trained to cope with a high level of stress while maintaining command
Procedural
Uniforms/survival suits with different colours for personnel in command
Table C.3: Issue sea sickness tablets HAZOP (Step 1.3).
Failure Mode Description Consequences Prevention Barriers Mitigation Barriers
Action omitted
Sea sickness tablets not issued
Reduced morale, sea sickness
Procedural
Drills including the issue of sea sickness tablets
Table C.4: Move to helideck HAZOP (Step 2.2.1).
Failure Mode Description Consequences Prevention Barriers Mitigation Barriers
Action in wrong direction
Movement away from helideck
Delayed evacuation time
Injury
Procedural
Regular training with different scenarios requiring movement to helideck
Checklist and flowchart to aid OIM and coxswains in decision-making
Action too late
Too much time taken to decide
Table C.5: Establish communication with pilot HAZOP (Step 2.2.2).
Failure Mode Description Consequences Prevention Barriers Mitigation Barriers
Information not transmitted
No contact made with pilot
Erratic boarding, overload of helicopter
Procedural
Training/drills that include communication with pilot and loading of helicopter
Table C.6: Instruct personnel on boarding procedure HAZOP (Step 2.2.3).
Failure Mode Description Consequences Prevention Barriers Mitigation Barriers
Information not transmitted
No communication between personnel and pilot
Disorderly/dangerous behaviour while boarding helicopter
Erratic boarding, overload of helicopter
Procedural
Evacuation training/drills that include instructing personnel in various scenarios
Procedural
All personnel should have card with correct boarding procedure
Boarding procedure written and illustrated at helideck
Wrong information transmitted
Miscommunication between personnel and pilot
Table C.7: Board helicopter HAZOP (Step 2.2.4).
Failure Mode Description Consequences Prevention Barriers Mitigation Barriers
Wrong action on right object
Incorrect procedure used to board helicopter
Delayed evacuation
Injury
Active Engineered
Lighted helicopter entrance
Procedural
Training/drills using low light and visibility
Written and diagrammatic instructions on helideck
Table C.8: Don flight suit, aviation life jacket and secure seatbelt HAZOP (Step 2.2.5).
Failure Mode Description Consequences Prevention Barriers Mitigation Barriers
Action omitted
Individual does not perform any of these actions
Reduced buoyancy
Injury
Inherent
Reversible equipment with minimum number of straps, harnesses, buckles
Procedural
Familiarize all personnel with use of this equipment and test regularly through drills
Wrong action on right object
Flight suit, aviation life jacket or seatbelt becomes twisted
Action too little
Individual does not perform at least one of these actions, or does not perform them to adequate tightness
Table C.9: Ensure sea-worthiness of TEMPSC HAZOP (Step 2.3.1).
Failure Mode Description Consequences Prevention Barriers Mitigation Barriers
Check omitted
Personnel do not check structural integrity of TEMPSC/engine or that drain plugs have been fitted
Boat fails to launch
Boat damaged during launch
Boat sinks
Loss of life
Procedural
Written and diagrammatic prompts in and around boats
Active Engineered
Automated check system on start-up of TEMPSC
Check incomplete
Personnel omit steps in checking TEMPSC
Table C.10: Check compass heading/direction to steer craft HAZOP (Step 2.3.2).
Failure Mode Description Consequences Prevention Barriers Mitigation Barriers
Information not obtained
Coxswain assumes orientation without checking/compass fails
TEMPSC steered under rig/away from rescue area
Exposure to unnecessary danger
Procedural
Written prompts/checklist at TEMPSC and inside boat
Drills that include verbalization of compass heading
Passive Engineered
Backup compass in case of failure
Wrong information obtained
Coxswain misreads compass
Table C.11: Turn helm fully to clear installation on launch HAZOP (Step 2.3.3).
Failure Mode Description Consequences Prevention Barriers Mitigation Barriers
Action omitted
TEMPSC not oriented to clear installation
May steer under installation, exposing personnel to unnecessary danger
Damage to boat/injury
Procedural
Written and diagrammatic prompts
Training/drills that require coxswain to correctly orient TEMPSC with no outside visibility
Passive Engineered
TEMPSCs fitted with props/weights to automatically align away from installation on descent
Action in wrong direction
Table C.12: Ensure drop zone is clear HAZOP (Step 2.3.4).
Failure Mode Description Consequences Prevention Barriers Mitigation Barriers
Check omitted
Coxswain omits or forgets to check for debris in the water
Delayed evacuation
Capsize of/ hole in boat
Injury/death
Active Engineered
Lights to illuminate drop zone during low visibility
Procedural
Warning prompt at helm of TEMPSC
Training/drills that require verbalizing state of drop zone and delaying or aborting launch
Passive Engineered
Boats constructed to withstand severe impacts and absorb shock
Check mistimed
Coxswain makes check too early or too late, leaving time for debris to float over or forcing the boat to be committed to the launch
Table C.13: Instruct personnel on boarding procedure HAZOP (Step 2.3.5).
Failure Mode Description Consequences Prevention Barriers Mitigation Barriers
Information not transmitted
No organization in boarding of TEMPSC
More weight on one side of TEMPSC, causing instability
TEMPSC moves away from installation with more difficulty
Procedural
Reminder on outside of TEMPSC of need for balance
Training/drills that emphasize proper boat loading and consequences of improper distribution
Passive Engineered
Self-stabilizing weights within the walls of the TEMPSC
Wrong information transmitted
Coxswain does not give proper boarding instructions
Table C.14: Fasten seat belt HAZOP (Step 2.3.6).
Failure Mode Description Consequences Prevention Barriers Mitigation Barriers
Action omitted
Seatbelt not fastened
Injury
Active Engineered
Seat belts that require little strength and tactile efficiency to fasten and tighten
Procedural
Prompt at seat to fasten seat belt
Action too little
Seatbelt not fastened to adequate tightness
Table C.15: Ensure everyone is secure HAZOP (Step 2.3.7).
Failure Mode Description Consequences Prevention Barriers Mitigation Barriers
Check omitted
Coxswain does not ensure that personnel are secure
High noise levels, personnel may not be secure
Injury
Procedural
Written prompt and checklist for starting air support system next to engine ignition
Training/drills that require fastening seat belts, starting air support system and engine
Drills that purposely complete these steps out of order to show consequences
Check mistimed
Air support system started before check
Table C.16: Start air support system HAZOP (Step 2.3.8).
Failure Mode Description Consequences Prevention Barriers Mitigation Barriers
Action omitted
System not switched on
Smoke ingress causing injury, engine stall and delay
Procedural
Written prompt and checklist for starting air support system next to engine ignition
Training/drills that require fastening seat belts, starting air support system and engine
Drills that purposely complete these steps out of order to show consequences
Inherent
Engine connected to air supply system, will not turn over until air flow at a defined rate
Action too late/early
System switched on before ensuring everyone is secure or after engine on and idling
Personnel may not be secure
Injury
Action too little
Air valve not fully opened
Smoke ingress causing injury, engine stall and delay
Wrong action on right object
Engine not switched on
Table C.17: Close and secure all hatches HAZOP (Step 2.3.9).
Failure Mode Description Consequences Prevention Barriers Mitigation Barriers
Action omitted
Hatches are not closed
Exposure to heat and smoke
Water ingress, capsize
Inherent
Minimal number of hatches to close and secure
Procedural
Training/drills that require securing hatches
Wrong action on right object
Bottom half of hatch secured before top half, lesser quality seal
Water ingress, capsize
Inherent
Minimal effort required to close hatches
Procedural
Training/drills that require securing hatches
Inherent
Hatches that seal perfectly regardless of order the sections are closed in
Table C.18: Call command centre/launch master/other lifeboats to confirm launch sequence HAZOP (Step 2.3.10).
Failure Mode Description Consequences Prevention Barriers Mitigation Barriers
Action omitted
Launch not confirmed
Rescuers unaware of launched TEMPSC
Delay in rescue
Procedural
Prompt at helm of TEMPSC to confirm launch sequence
Active Engineered
Flashing lights and high-frequency sound beacon on TEMPSC
GPS locator on TEMPSC
Table C.19: Release falls/confirm auto-release HAZOP (Step 2.3.11).
Failure Mode Description Consequences Prevention Barriers Mitigation Barriers
Action too early
Release activated before completing previous steps
TEMPSC may drop to water if it is designed to release from height
TEMPSC (if designed to be lowered to water) may hang away from installation, preventing personnel from entering/ exiting
Death
Inherent
Release placed so as not to inadvertently activate it
Procedural
Training/drills in lowering the TEMPSC to the water
Passive Engineered
TEMPSC constructed to withstand multiple high impacts and absorb shock
Action too late
Delay in activating release
Delay in evacuation
Injury
Active Engineered
Release status indicators
Procedural
Training/drills in lowering the TEMPSC to the water
Passive Engineered
TEMPSC constructed to withstand multiple high impacts and absorb shock
Action too little
Release not fully activated
Table C.20: Launch TEMPSC HAZOP (Step 2.3.12).
Failure Mode Description Consequences Prevention Barriers Mitigation Barriers
Action too early
Release operated before other checks/actions
Long drop, personnel unprepared for impact
Injury
Death
Inherent
Release placed so as not to inadvertently activate it
Passive Engineered
Window to see status of TEMPSC
Active Engineered
Height above sea level indicators
Procedural
Training/drills in lowering the TEMPSC to the water
Passive Engineered
TEMPSC constructed to withstand multiple high impacts and absorb shock
Action too late
Release operated after delay
TEMPSC washed against installation, capsizes
Injury
Death
Passive Engineered
Window to see status of TEMPSC
Active Engineered
Release status indicators
Procedural
Training/drills in lowering the TEMPSC to the water
Action too little
Release not fully activated
Table C.21: Engage forward gear and full throttle HAZOP (Step 2.3.13).
Failure Mode Description Consequences Prevention Barriers Mitigation Barriers
Action in wrong direction
Reverse gear engaged
Delay in movement from installation
Injury
Damage to TEMPSC, washed against installation
Passive Engineered
Dual action required to engage reverse throttle to prevent accidental engagement
Action too early
Full throttle engaged before TEMPSC released from fall wires
Procedural
Drills and training to practice timing of engaging gear and throttle, moving away from installation immediately on release
Action too late
Full throttle not engaged immediately after fall release
Table C.22: Steer TEMPSC at vector from installation to rescue area HAZOP (Step 2.3.14).
Failure Mode Description Consequences Prevention Barriers Mitigation Barriers
Action in wrong direction
TEMPSC steered in wrong direction /under installation
Damage to TEMPSC
Injury/Death
Delay in rescue
Active Engineered
Reliable compass, GPS with luminous display for night navigation
Procedural
Instructions at helm of course to be steered and distance to rescue area
Training/drills during day and night to give coxswain experience of actions required
Active Engineered
Independently powered GPS locator on each TEMPSC
Action too little
Not enough distance from installation achieved
Exposure to debris from installation
Damage to TEMPSC
Injury
Action too much
Too much distance achieved, away from rescue area
Delay in rescue
Table C.23: Move to life raft muster station HAZOP (Step 2.4.1).
Failure Mode Description Consequences Prevention Barriers Mitigation Barriers
Action in wrong direction
Movement away from helideck
Delayed evacuation time
Injury
Procedural
Regular training with different scenarios requiring movement to helideck
Checklist and flowchart to aid OIM and coxswains in decision-making
Action too late
Too much time taken to decide
Table C.24: Ensure sea-worthiness of life raft HAZOP (Step 2.4.2).
Failure Mode Description Consequences Prevention Barriers Mitigation Barriers
Check omitted
Personnel do not check structural integrity of life raft
Raft fails to launch
Raft damaged during launch
Raft sinks
Loss of life
Procedural
Written and diagrammatic prompts in and around rafts
Check incomplete
Personnel omit steps in checking life raft
Table C.25: Secure painter to strong point HAZOP (Step 2.4.3).
Failure Mode Description Consequences Prevention Barriers Mitigation Barriers
Action omitted
Life raft canister not attached to platform
Loss of life raft
Passive Engineered
Painter pre-anchored with hydrostatic release
Procedural
Training/drills involving launch of life rafts
Prompt on life raft canister and personal checklist
Table C.26: Check for life raft instructions and number of personnel accommodated HAZOP (Step 2.4.4).
Failure Mode Description Consequences Prevention Barriers Mitigation Barriers
Information not obtained
Instructions not checked for number of persons accommodated or painter length
Capacity of life raft exceeded
Exposure of POB to danger of sinking
Unaware of how much painter must be pulled out before raft will inflate
Procedural
Training/drills involving the launch of life rafts requiring personnel to know the capacity of the raft
Prompts on life raft canister and personal checklist
Active Engineered
Life raft designed to inflate on impact
Procedural
Capacity of life raft shown on outside and inside walls of raft
Table C.27: Launch life raft HAZOP (Step 2.4.5).
Failure Mode Description Consequences Prevention Barriers Mitigation Barriers
Action too much
Life raft canister handled incorrectly
Life raft does not fully inflate
Active Engineered
Automatic life raft deployment system
Procedural
Training/drills involving launching life raft
Checklist at life raft station giving instructions on launch
Active Engineered
Life raft designed to inflate on impact
Action too little
Life raft painter not pulled out to full extent
Table C.28: Board life raft HAZOP (Step 2.4.6).
Failure Mode Description Consequences Prevention Barriers Mitigation Barriers
Wrong action on right object
Personnel jump into life raft from an excessive height
Damage/sinking of life raft
Passive Engineered
Chute slide and personnel descent devices to access raft
Procedural
Training/drills involving proper life raft boarding techniques
Passive Engineered
Reinforced floor in life raft
Table C.29: Cut painter HAZOP (Step 2.4.7).
Failure Mode Description Consequences Prevention Barriers Mitigation Barriers
Action too early
Painter cut before all possible POB have boarded
POB left behind
Procedural
POB provided with 2-way radios to announce departure/ check for nearby POB
Action too late
Painter cut after POB have boarded and experience a delay
Exposure to debris and danger from installation
Passive Engineered
Simple one-hand use clip release requiring little motor variability
Procedural
Training/drills in safe situations requiring cutting the painter
Written and illustrated instructions at point of attachment
Action omitted
Painter not cut
Table C.30: Paddle clear of danger HAZOP (Step 2.4.8).
Failure Mode Description Consequences Prevention Barriers Mitigation Barriers
Action in wrong direction
Life raft steered in wrong direction /under installation
Damage to life raft
Injury/Death
Delay in rescue
Active Engineered
Reliable compass, GPS with luminous display for night navigation
Procedural
Instructions inside life raft of course to be steered and distance to rescue area
Training/drills during day and night to give POB experience of actions required
Active Engineered
Independently powered GPS locator on each life raft
Action too little
Not enough distance from installation achieved
Exposure to debris from installation
Damage to life raft
Injury
Action too much
Too much distance achieved, away from rescue area
Delay in rescue
Table C.31: Stream anchor HAZOP (Step 2.4.9).
Failure Mode Description Consequences Prevention Barriers Mitigation Barriers
Action omitted
Anchor not used
Life raft may drift away from search area or under installation
Passive Engineered
Ready assembled anchor as integral part of life raft underside
Procedural
Training/drills requiring deployment of anchor
Action too late
Anchor used after delay
Table C.32: Maintain sea-worthiness of life raft HAZOP (Step 2.4.10).
Failure Mode Description Consequences Prevention Barriers Mitigation Barriers
Action omitted
Floor not inflated, leaks not repaired, water not baled
Deteriorating conditions inside life raft
Sinking of life raft
Procedural
Instructions inside life raft, all equipment clearly labelled and easy to use
Training/drills involving maintaining integrity of life raft
Table C.33: Look for TEMPSC, FRC, other life raft or overboard survivors HAZOP (Step 2.4.11).
Failure Mode Description Consequences Prevention Barriers Mitigation Barriers
Action omitted
No lookouts posted, no pyrotechnics to alert rescue craft
Life raft may go unnoticed
Procedural
Prompt in life raft to post lookouts and rotate duty
Training/drills involving POB making contact with rescue craft
Active Engineered
Flashing lights and high frequency sound beacon on life raft
Table C.34: Attach painter to other life raft or tow craft HAZOP (Step 2.4.12).
Failure Mode Description Consequences Prevention Barriers Mitigation Barriers
Action omitted
Painter not attached to other craft
Life raft will continue to drift, away from rescue area or under installation
Passive Engineered
Simple single-hand use clip requiring little motor variability
Action too little
Painter attached but not fully secured
Table C.35: Ensure survival suit properly sealed, lifejacket fastened HAZOP (Step 2.5.1).
Failure Mode Description Consequences Prevention Barriers Mitigation Barriers
Action omitted
Survival suit not properly sealed or lifejacket not adequately fastened
Loss of buoyancy in water
Death
Passive Engineered
Simple single-hand use equipment requiring little motor variability
Procedural
Training/drills that stress the importance of fastening equipment properly, including immersion in a controlled water environment
Action too little
Action too early
Survival suit and lifejacket fastened during escape phase
High body temperature, decreased mobility during escape
Delay in escape
Procedural
Training/drills that stress the importance of donning equipment at the proper time, including muster drills while wearing survival equipment
Inherent
Egress paths, ladders, etc designed for mobility with survival suits and life jackets
Tasks designed to require little motor variability
Action too late
Survival suit sealed after ingress of water
Loss of buoyancy
Injury
Procedural
Training/drills that stress the importance of fastening equipment properly, including immersion in a controlled water environment
Table C.36: Move to lowest nearby platform HAZOP (Step 2.5.2).
Failure Mode Description Consequences Prevention Barriers Mitigation Barriers
Action in wrong direction
POB do not move to lowest nearby platform
Injury/Death from jumping
Procedural
Regular training with different scenarios requiring movement to low platforms
Checklist and map to aid POB
Signs posted at edges of all platforms indicating whether or not they should be used to jump into the sea
Photo-luminescent marked pathways to platforms of safe heights
Action too late
Too much time taken to decide
Delayed evacuation time
Table C.37: Assess direction of waves, danger and airborne contaminants HAZOP (Step 2.5.3).
Failure Mode Description Consequences Prevention Barriers Mitigation Barriers
Information not obtained
POB do not assess environment before jumping
Safer option missed/ ignored
Unnecessary exposure to danger
Procedural
Prompts at platforms
Drills including verbalization of weather and sea conditions
Wrong information obtained
POB misinterpret conditions
Procedural
Drills including verbalization of weather and sea conditions
Table C.38: Jump away from platform, feet first, avoiding legs HAZOP (Step 2.5.4).
Failure Mode Description Consequences Prevention Barriers Mitigation Barriers
Action too little
POB do not jump away from platform or avoid legs
Injury
Inherent
Platforms built to clear legs on jumping or falling
Passive Engineered
Chute designed to drop personnel into water feet-first
Action too early
POB jump before sealing survival suit and fastening lifejacket
Water ingress
Injury
Procedural
Training/drills that stress the importance of fastening equipment properly, including immersion in a controlled water environment
Table C.39: Swim alongside of platform HAZOP (Step 2.5.5).
Failure Mode Description Consequences Prevention Barriers Mitigation Barriers
Action in wrong direction
POB swim under installation
Injury/Death
Delay in rescue
Exposure to debris from installation
Procedural
Training/drills in controlled environment simulating day and night to give POB experience of actions required
Active Engineered
Independently powered GPS locator on each survival suit
Action too little
Not enough distance from installation achieved
Table C.40: Look for other overboard survivors and rescue opportunities HAZOP (Step 2.5.6).
Failure Mode Description Consequences Prevention Barriers Mitigation Barriers
Action omitted
No lookouts posted, no pyrotechnics to alert rescue craft
POB may go unnoticed
Procedural
Training/drills involving POB making contact with rescue craft in a controlled environment
Active Engineered
Flashing lights, GPS locator and high frequency sound beacon on survival suits
Appendix D
Bow-tie Graphs of Evacuation Tasks
[Bow-tie diagram. Failure mode: Info not transmitted. Barrier: Training (LC=1). Critical event: Fail Task 1.2. Consequence shown: Consequence 4. Probability shown (twice): HEP*10^-1.]
Figure D.1: Bow-tie for evacuation task 1.2.
[Bow-tie diagram. Failure modes: Check omitted; Check incomplete. Barriers: Training (LC=1); Automatic Check Mechanism (LC=1). Critical event: Fail Task 2.3.1. Consequences shown: Consequence 1; Consequence 4. Probabilities shown: HEP*10^-1; HEP*10^-1*0.9 = HEP*0.09; HEP*10^-1*10^-1 = HEP*10^-2.]
Figure D.2: Bow-tie for evacuation task 2.3.1.
[Bow-tie diagram. Failure modes: Action omitted; Action in wrong direction. Barrier: Training (LC=1). Critical event: Fail Task 2.3.3. Consequence shown: Consequence 2. Probability shown (twice): HEP*10^-1.]
Figure D.3: Bow-tie for evacuation task 2.3.3.
[Bow-tie diagram. Failure modes: Check omitted; Check mistimed. Barriers: Training (LC=1); Shock absorbers (LC=2). Critical event: Fail Task 2.3.4. Consequences shown: Consequence 3; Consequence 4. Probabilities shown: HEP*10^-1; HEP*10^-1*0.99 = HEP*0.099; HEP*10^-1*10^-2 = HEP*10^-3.]
Figure D.4: Bow-tie for evacuation task 2.3.4.
[Bow-tie diagram. Failure modes: Action omitted; Action too early; Action too little; Wrong action on right object. Barrier: Training (LC=1). Critical event: Fail Task 2.3.8. Consequence shown: Consequence 3. Probability shown (twice): HEP*10^-1.]
Figure D.5: Bow-tie for evacuation task 2.3.8.
[Bow-tie diagram. Failure modes: Action omitted; Wrong action on right object. Barrier: Training (LC=1). Critical event: Fail Task 2.3.9. Consequence shown: Consequence 4. Probability shown (twice): HEP*10^-1.]
Figure D.6: Bow-tie for evacuation task 2.3.9.
[Bow-tie diagram. Failure mode: Action omitted. Barriers: Training (LC=1); GPS, lights and sound beacon (LC=1). Critical event: Fail Task 2.3.10. Consequences shown: Consequence 3; Consequence 4. Probabilities shown: HEP*10^-1; HEP*10^-1*0.9 = HEP*0.09; HEP*10^-1*10^-1 = HEP*10^-2.]
Figure D.7: Bow-tie for evacuation task 2.3.10.
[Bow-tie diagram. Failure modes: Action too early; Action too late; Action too little. Barriers: Training (LC=1); Shock absorbers (LC=2). Critical event: Fail Task 2.3.11. Consequences shown: Consequence 3; Consequence 4. Probabilities shown: HEP*10^-1; HEP*10^-1*0.99 = HEP*0.099; HEP*10^-1*10^-2 = HEP*10^-3.]
Figure D.8: Bow-tie for evacuation task 2.3.11.
[Bow-tie diagram. Failure modes: Action too early; Action too late; Action too little. Barriers: Training (LC=1); Shock absorbers (LC=2). Critical event: Fail Task 2.3.12. Consequences shown: Consequence 3; Consequence 4. Probabilities shown: HEP*10^-1; HEP*10^-1*0.99 = HEP*0.099; HEP*10^-1*10^-2 = HEP*10^-3.]
Figure D.9: Bow-tie for evacuation task 2.3.12.
[Bow-tie diagram. Failure modes: Action in wrong direction; Action too late; Action too early. Barrier: Training (LC=1). Critical event: Fail Task 2.3.13. Consequence shown: Consequence 4. Probability shown (twice): HEP*10^-1.]
Figure D.10: Bow-tie for evacuation task 2.3.13.
[Bow-tie diagram. Failure modes: Action too much; Action too little; Action in wrong direction. Barriers: Training (LC=1); GPS Locator (LC=1). Critical event: Fail Task 2.3.14. Consequences shown: Consequence 3; Consequence 4. Probabilities shown: HEP*10^-1; HEP*10^-1*0.9 = HEP*0.09; HEP*10^-1*10^-1 = HEP*10^-2.]
Figure D.11: Bow-tie for evacuation task 2.3.14.
[Bow-tie diagram. Failure modes: Check omitted; Check incomplete. Barrier: Training (LC=1). Critical event: Fail Task 2.4.2. Consequence shown: Consequence 4. Probability shown (twice): HEP*10^-1.]
Figure D.12: Bow-tie for evacuation task 2.4.2.
[Bow-tie diagram. Failure mode: Action omitted. Barrier: Training (LC=1). Critical event: Fail Task 2.4.3. Consequence shown: Consequence 4. Probability shown (twice): HEP*10^-1.]
Figure D.13: Bow-tie for evacuation task 2.4.3.
[Bow-tie diagram. Failure modes: Action too much; Action too little. Barrier: Training (LC=1). Critical event: Fail Task 2.4.5. Consequence shown: Consequence 4. Probability shown (twice): HEP*10^-1.]
Figure D.14: Bow-tie for evacuation task 2.4.5.
[Bow-tie diagram. Failure mode: Wrong action on right object. Barriers: Training (LC=1); Reinforced Floor (LC=2). Critical event: Fail Task 2.4.6. Consequences shown: Consequence 3; Consequence 4. Probabilities shown: HEP*10^-1; HEP*10^-1*0.99 = HEP*0.099; HEP*10^-1*10^-2 = HEP*10^-3.]
Figure D.15: Bow-tie for evacuation task 2.4.6.
[Bow-tie diagram. Failure modes: Action omitted; Action too late; Action too early. Barrier: Training (LC=1). Critical event: Fail Task 2.4.7. Consequence shown: Consequence 4. Probability shown (twice): HEP*10^-1.]
Figure D.16: Bow-tie for evacuation task 2.4.7.
[Bow-tie diagram. Failure modes: Action too little; Action too much; Action in wrong direction. Barriers: Training (LC=1); GPS Locator (LC=1). Critical event: Fail Task 2.4.8. Consequences shown: Consequence 3; Consequence 4. Probabilities shown: HEP*10^-1; HEP*10^-1*0.9 = HEP*0.09; HEP*10^-1*10^-1 = HEP*10^-2.]
Figure D.17: Bow-tie for evacuation task 2.4.8.
[Bow-tie diagram. Failure modes: Action omitted; Action too late. Barrier: Training (LC=1). Critical event: Fail Task 2.4.9. Consequence shown: Consequence 4. Probability shown (twice): HEP*10^-1.]
Figure D.18: Bow-tie for evacuation task 2.4.9.
[Bow-tie diagram. Failure mode: Action omitted. Barrier: Training (LC=1). Critical event: Fail Task 2.4.10. Consequence shown: Consequence 4. Probability shown (twice): HEP*10^-1.]
Figure D.19: Bow-tie for evacuation task 2.4.10.
[Bow-tie diagram. Failure mode: Action omitted. Barriers: Training (LC=1); GPS, lights and sound beacon (LC=1). Critical event: Fail Task 2.4.11. Consequences shown: Consequence 3; Consequence 4. Probabilities shown: HEP*10^-1; HEP*10^-1*0.9 = HEP*0.09; HEP*10^-1*10^-1 = HEP*10^-2.]
Figure D.20: Bow-tie for evacuation task 2.4.11.
[Bow-tie diagram. Failure modes: Action omitted; Action too little. Barrier: Training (LC=1). Critical event: Fail Task 2.4.12. Consequence shown: Consequence 4. Probability shown (twice): HEP*10^-1.]
Figure D.21: Bow-tie for evacuation task 2.4.12.
[Bow-tie diagram. Failure modes: Action too late; Action in wrong direction. Barrier: Training (LC=1). Critical event: Fail Task 2.5.2. Consequence shown: Consequence 4. Probability shown (twice): HEP*10^-1.]
Figure D.22: Bow-tie for evacuation task 2.5.2.
[Bow-tie diagram. Failure modes: Action too little; Action too early. Barrier: Training (LC=1). Critical event: Fail Task 2.5.4. Consequence shown: Consequence 3. Probability shown (twice): HEP*10^-1.]
Figure D.23: Bow-tie for evacuation task 2.5.4.
[Bow-tie diagram. Failure modes: Action too little; Action in wrong direction. Barrier: Training (LC=1). Critical event: Fail Task 2.5.5. Consequence shown: Consequence 4. Probability shown (twice): HEP*10^-1.]
Figure D.24: Bow-tie for evacuation task 2.5.5.
[Bow-tie diagram. Failure mode: Action omitted. Barriers: Training (LC=1); GPS Locator (LC=1). Critical event: Fail Task 2.5.6. Consequences shown: Consequence 3; Consequence 4. Probabilities shown: HEP*10^-1; HEP*10^-1*0.9 = HEP*0.09; HEP*10^-1*10^-1 = HEP*10^-2.]
Figure D.25: Bow-tie for evacuation task 2.5.6.