Final Report PRAC Project #C8-01 December 1, 2007 – June ... · Final Report Human Factor Design...

Final Report

Human Factor Design Issues Relating to Individual Behaviour in Emergency Situations

PRAC Project #C8-01

December 1, 2007 – June 30, 2010

Dr. Paul Amyotte, P. Eng. – Principal Investigator

Department of Process Engineering and Applied Science

Dalhousie University, Halifax, Nova Scotia

June 30, 2010

Summary

A framework was developed to assess and reduce the risk of human error during offshore emergency situations. The risk of human error is a function of the probability of a human error occurring and its consequences. Emergency response on offshore oil and gas production installations is known as the escape, evacuation and rescue process. The tasks that personnel are required to complete during emergency response were identified using a task analysis tool. Literature reviews and expert judgment techniques were used to evaluate the risk of human error for the escape and evacuation phases. A risk reduction methodology was incorporated into the framework to evaluate potential safety measures for reducing the risk for specific tasks. Novel concepts introduced in the work include the incorporation of the hierarchy of controls and the concept of prevention and mitigation safety measures into the procedural HAZOP model. Industry data on human error probabilities during emergency response is required for further validation and calibration of the framework. It is also recommended that a complete analysis be performed for the search and rescue phase of emergency response.

Table of Contents

Introduction I

Objectives, Methodology and Results II

Dissemination V

Conclusions and Recommendations VI

Publications VI

Expenditures of PRAC Funds VI

Employment Summary VIII

References IX

Appendix 1 – PRAC Research Slide

Appendix 2 – QRA Technique Comparison Report

Appendix 3 – Human Error Data Availability Report

Appendix 4 – Report on WOAD

Appendix 5 – Procedural HAZOP Report

Appendix 6 – Empirical Data Solicitation Report

Appendix 7 – Consequence Analysis Report

Appendix 8 – 8th World Congress of Chemical Engineering Presentation

Appendix 9 – Safety Science Publication

Appendix 10 – 44th Annual Loss Prevention Symposium Paper

Appendix 11 – Master of Applied Science Thesis

I

Introduction

Human beings make errors. When these errors are made in one of the world’s harshest work environments, the consequences can be devastating. The risk of human error can be significantly lowered by reducing the frequency of human errors and/or controlling any consequences should an error occur. Only by acting on the belief that human errors are rooted in human factors can the risk of human error be reduced. In other words, workplaces and their attendant procedures must be designed primarily with consideration for the actions of human beings. This requirement is arguably at its most critical level during emergency situations when the potential for human error and the severity of the possible consequences are at their greatest.

The research undertaken is aimed at enhancing the safety of offshore oil and gas operations in Atlantic Canada and eventually worldwide. The scope of the research is emergency scenarios which necessitate taking action to ensure successful personnel escape, evacuation and rescue in response to various initiating events. The focal point of the research is the quantitative determination of the probability and consequences of human error during these emergency actions, as well as the evaluation of any risk reduction measures to determine their reliability. The end-result of the research is an engineering tool designed to employ these human error data in making objective decisions concerning facility design improvements from a human factor perspective.

The overall objectives and results are presented in the main body of the report, while the specific details are presented in the appendices as follows:

Appendix 1 – PRAC Research Slide: A slide developed for PRAC as a summary of the current project

Appendix 2 – QRA Technique Comparison Report: A comparison of quantitative risk assessment (QRA) techniques available for human error probability evaluation

Appendix 3 – Human Error Data Availability Report: A summary of the sources of human error data for offshore emergencies including databases and industry representatives

Appendix 4 – Report on WOAD: A report on the usefulness of the world offshore accident database (WOAD) as a tool for determining human error probabilities for emergency situations

Appendix 5 – Procedural HAZOP Report: A report outlining the procedural hazard and operability study (HAZOP) of offshore escape tasks

Appendix 6 – Empirical Data Solicitation Report: A summary of the efforts to liase with the offshore oil and gas production industry in determining human error probabilities during offshore musters

Appendix 7 – Consequence Analysis Report: A summary of the analyzed consequences of human error during offshore escape

II

Appendix 8 – 8th World Congress of Chemical Engineering Presentation: The presentation of Year 1 research given at the 8th WCCE

Appendix 9 – Safety Science Publication: The paper published in the Safety Science Journal detailing the Year 1 research and results

Appendix 10 – 44th Annual Loss Prevention Symposium Paper: The paper accompanying the presentation given at the 44th LPS detailing the Year 2 research results and direction at the time of the symposium

Appendix 11 – Master of Applied Science Thesis: A detailed description of the research goals, methodology and results for both Year 1 and 2

Objectives, Methodology and Results

The following are the objectives outlined in the project proposal.

YEAR 1: Activity: Use of expert judgment techniques such as HEART and THERP to determine human error probabilities for muster steps based on initiators of man overboard, gas release, and fire and explosion. (NOTE: All activities in Year 1 relate to the muster sequence and these three initiators.) Outcome: Comparison of SLIM-generated human error probabilities with those determined using other available expert judgment techniques such as HEART and THERP. Anticipated Start Date: Month 1

Anticipated End Date: Month 4

YEAR 1: Activity: Review of available empirical data for human performance indicators during offshore platform musters. Outcome: Comparison of expert judgment-generated human error probabilities with available empirical data. Anticipated Start Date: Month 1


III

YEAR 1: Activity: Review of possible consequences arising from failure of completion of specific muster steps. Outcome: Qualitative method for assigning consequences to failure of completion of specific muster steps. Anticipated Start Date: Month 5


YEAR 1: Activity: Review of, and development work on, quantitative methods for determining consequences of failure to complete specific muster steps. Both expert judgment and empirical approaches will be considered, and emphasis will be placed on dealing with the issue of data uncertainties. Outcome: Quantitative method for determining consequences of failure to complete specific muster steps. Anticipated Start Date: Month 5


NOTE: This objective was altered following development of the qualitative method for assigning consequences of failure to complete muster steps. The research team found that there is not sufficient data available within current industry practices to develop a valid quantitative model of consequences. The majority of the safety measures listed in the procedural HAZOP arise from the principles of inherent and procedural safety and there is a lack of reliability data for these measures. Safety measure reliability is an integral component in quantitative consequence modelling. In place of quantitative consequence modelling, incident reports and accident investigations from industry were collected and studied to develop a table of consequence severities for failure to complete each specific muster step.

YEAR 1: Activity: Review of best practices in the offshore industry with respect to risk matrices. Outcome: Risk matrix for concurrent consideration of human error probability and consequence severity, and quantitative ranking of emergency procedure steps in terms of probability of human error and severity of consequences arising from human error. Anticipated Start Date: Month 7


YEAR 1: Activity: Review of available risk reduction measures to combat human error during the muster process. Outcome: Hierarchical listing of facility design improvements to minimize human error with respect to both probability and consequence severity. The hierarchy will incorporate inherent safety, passive engineered measures, active engineered measures, and procedural controls. Anticipated Start Date: Month 8


IV

YEAR 1: Activity: Development work on decision-making algorithms and feedback-loop mechanisms incorporating appropriate mathematical techniques. Outcome: Scientifically rigorous protocol (based on expert judgment and empirical data) for: (i) selecting the most appropriate risk reduction measures from the developed hierarchy, and (ii) reassessing the risk from human error after incorporating the selected risk reduction measures. Anticipated Start Date: Month 10


YEAR 2: Activity: Recasting of Year 1 research in terms of other muster initiators in addition to man overboard, gas release, and fire and explosion (e.g. helicopter accidents and met/ocean events such as icebergs). Outcome: Protocol for extension of Year 1 work to new muster initiating incidents. Anticipated Start Date: Month 13


NOTE: This objective was completed for the evacuation phase of the research rather than the escape phase. Namely, a collision scenario was explored for offshore evacuations.

YEAR 2: Activity: Recasting of Year 1 research in terms of other emergency scenarios in addition to muster and escape (e.g. evacuation, survival and rescue). Outcome: Protocol for extension of Year 1 work to new emergency scenarios. Anticipated Start Date: Month 16


YEAR 2: Activity: Consolidation of all previous research results with the aim of developing a generalized tool for emergency scenario QRA incorporating human factors. The starting point for this work will be HEPI, which is available to the project team in software form; additional coding will be conducted as required. Outcome: Generalized tool (based on expert judgment and empirical data) for incorporating human factor considerations into emergency quantitative risk assessment (QRA) and for use in design modification and safety measure design. Anticipated Start Date: Month 19


A literature review of human reliability analysis and available methods of human error probability evaluation was undertaken. Examples are shown in Appendices 2 – 4. Industry representatives were solicited unsuccessfully with the goal of obtaining muster drill reports and data (see Appendix 6). Human error probability data was estimated previously by DiMattia (2004) and in DiMattia et al. (2005) and Khan et al. (2006) using an expert judgment technique, the success likelihood index methodology (SLIM). Major investigations from previous offshore

V

installation incidents were consulted to determine the severity of consequences of a human error for each task required during the muster (see Appendix 7). A procedural hazard and operability study (HAZOP) was performed for each muster task (see Appendix 5). The procedural HAZOP identifies modes of error, potential consequences and potential safeguards to reduce the risk of human error. A novel concept incorporated into the procedural HAZOP is the classification of safeguards according to the hierarchy of controls (Amyotte et al., 2007) and as potential or mitigation measures. A risk matrix was developed to combine the human error probabilities and consequence severities of each muster task. The risk matrix was used to determine the tolerability of the risk (probability and consequence) of human error for each muster task. The accidental risk assessment methodology for industries (ARAMIS) was used as a risk reduction tool. Potential safeguards identified in the procedural HAZOP were evaluated for their reliability according to ARAMIS instructions. Any safeguards that meet the minimum requirements outlined in ARAMIS were identified on a bow-tie graph for each muster task. The bow-tie graph gives an overall picture of the risk control for each task. A case study of the Ocean Odyssey incident was used for validation of the methodology. Appendix 9 includes a detailed description of the methodology and results for the muster phase.

The developed methodology was extended to evacuation scenarios. Evacuation occurs when personnel leave an installation due to an increasingly severe emergency. The tasks required of personnel during evacuation were identified. Experts in the field of offshore safety were solicited using a survey based on the human error assessment and reduction technique (HEART). The results of the surveys were used to evaluate the human error probabilities for each evacuation task. Calibration was an issue as the human error probabilities evaluated by assessors differed significantly for several tasks. Consequence severities, a procedural HAZOP, the risk matrix and risk reduction were performed in a similar fashion as for the muster phase. A case study of the Ocean Odyssey incident was used for validation. Appendix 11 includes a detailed description of the methodology and results for the evacuation phase.

The research resulted in a comprehensive risk assessment and reduction methodology for offshore emergency situations. Detailed results are given in Appendices 9 – 11.

All Year 1 and Year 2 objectives have been achieved. Due to the lack of available empirical data, the Year 1 objective of a quantitative method for determining consequences of failure was altered and incident reports and investigations were used in place of empirical data. The final product is a tool to incorporate human factor design considerations into offshore emergency scenario QRAs.

Dissemination

The Year 1 deliverables have been published in the peer-reviewed journal Safety Science (vol 48, issue 6) under the title “Human Error Risk Analysis in Offshore Emergencies”. The Year 1 work was also presented at the 8th World Congress of Chemical Engineering in Montreal, August 2009 under the title “Human Behaviour in Emergency Musters”. A combination of the Year 1 and Year 2 work was presented at the 6th Global Congress on Process Safety in San Antonio, March 2010 under the title “A Framework for Human Error Analysis of Emergency Situations.” A Master’s thesis has been completed, detailing primarily the Year 2 work. A manuscript is currently being prepared for submission to a peer-reviewed journal detailing the Year 2 results.

VI

Conclusions and Recommendations

The research has resulted in a tool to identify and reduce the risk of human error during offshore emergencies. Novel concepts introduced with the tool include the incorporation of different types of safety measures (i.e. prevention to reduce probabilities and mitigation to control consequences) into the procedural HAZOP of emergency tasks. The hierarchy of controls has also been introduced into the procedural HAZOP. Safety measures are categorized as inherent, passive engineered, active engineered or procedural safety barriers. The combination of a robust risk reduction methodology (ARAMIS) with risk assessment techniques (HEART and SLIM) has allowed the strengths of both to account for weaknesses within individual techniques. However, calibration of risk assessment techniques is in need of improvement. Industry data on emergency preparedness drills and events is essential for further validation and improvement of the tool.

The following are recommendations for future research:

Gather industry data on emergency procedures and preparedness to validate and calibrate human error probabilities and expert judgment techniques.

Perform a complete analysis of the rescue phase of the EER process in terms of risk assessment and reduction.

Perform further research on the reliability of potential safety measures identified in the procedural HAZOPs that do not meet the minimum requirements outlined by ARAMIS.

Publications

The following publications have resulted from the research:

Peer-Reviewed Journal Articles

Deacon, T., Amyotte, P. and Khan, F. “Human Error Risk Analysis in Offshore Emergencies,” Safety Science Volume 48, 2010 (Appendix 9).

Conference Proceedings & Presentations

Deacon, T., Amyotte, P. and Khan, F. “Human Behaviour in Emergency Musters,” Presentation at the 8th World Congress of Chemical Engineering, Montreal, QC, August 23-27, 2009 (Appendix 8).

Deacon, T., Amyotte, P., Khan, F. and MacKinnon, S. “A Framework for Human Error Analysis of Emergency Situations,” Proceedings of the 6th Global Congress on Process Safety, San Antonio, TX, March 22-24, 2010 (Appendix 10).

VII

Expenditures of PRAC Funds

Section removed for reasons of confidentiality.

VIII

Employment Summary

The following table illustrates the employment created by this project.

Name Position Student

(Yes/

No)

PhD,

Master’s,

Undergrad

Full or

Part Time

Scientific Contributions Made

to the Research

Work-Months

Associated with the Project

Angela Alambets

Research Assistant

Yes Undergrad (BEng)

Part Time

Angela conducted preliminary research on human reliability assessment techniques and sources of human error data.

Four (4) January – April 2008

Kelli McGean

Research Assistant


Full Time

Kelli conducted a comprehensive review of the WOAD database for data and case histories to inform the project on human error/human factor considerations.

Four (4) May – August 2008

Travis Deacon

Research Engineer

No Holder of BEng degree

Full Time

Travis was the lead researcher on the project and was primarily responsible for the achievement of the Year 1 deliverables.

Twelve (12) May 2008 – April 2009

Ruth Domaratzki

Research Assistant


Part Time

Ruth conducted literature reviewing on human error and human factors.

Four (4) May – August 2009

Travis Deacon

Research Assistant

Yes Master’s (MASc)

Full Time

Again, Travis was the lead researcher on the project. He was primarily responsible for the achievement of the overall project deliverables.

Twelve (12) May 2009 – April 2010

IX

References

Amyotte, P., Goraya, A., Hendershot, D. and Khan, F., “Incorporation of Inherent Safety Principles in Process Safety Management”, Process Safety Progress, 26, 333-344 (2007).

DiMattia, D., “Human Error Probability Index for Offshore Platform Musters”, PhD Thesis, Dalhousie University, Halifax, NS (2004).

DiMattia, D., Khan, F. and Amyotte, P., “Determination of Human Error Probabilities for Offshore Platform Musters”, Journal of Loss Prevention in the Process Industries, 18, 488-501 (2005).

Khan, F., Amyotte, P. and DiMattia, D., “HEPI: A New Tool for Human Error Probability Calculation for Offshore Operation”, Safety Science, 44, 313-334 (2006).

Appendix 1

PRAC Research Slide

Human factor design issues relating to individual behavior in emergency situations

Description: Develop an engineering tool to employ human error data in making objective decisions concerning facility design improvements from a human factor perspective

Theme: Offshore Safety

Objectives:This project will deliver a methodology to evaluate the risk of human error in emergency situations and incorporate safety measures to reduce the risk to a tolerable level. The methodology will also include evaluation of safety systems.

Value / Impact:This technology will address the gap between the perceived and actual risk of complete or partial failure of emergency procedures on offshore installations. It will also deliver a tool to evaluate the reliability of safety measures in place and highlight areas of focus for improvement.

Results / Accomplishment: The deliverables include a generalized engineering tool for incorporating human factor considerations into emergency quantitative risk assessment (QRA)

Choose Muster Initiator

Combine in Risk Matrix

Choose Muster Step

Calculate HEP Assign Consequence Severity

Determine Frequency of Exposure & Potential to Avoid Damage

Use Risk Graph to Determine Required LC

Choose Safety Barriers and Determine LCs

Build Bow‐tie and Determine Overall LC

Yes

Is Risk ALARP?

No

Yes

Muster Step

Analysis Complete

?

No

Appendix 2

QRA Technique Comparison Report

Comparing Three Quantitative Human Reliability

Assessment Techniques with Application to Emergency

Scenarios on Offshore Oil and Gas Platforms Report for the Petroleum Research Atlantic Canada (PRAC) Project on


Angela Alambets


Dalhousie University

Halifax, Nova Scotia

March 2008

Executive Summary

This report is a comparison of three different quantitative human reliability assessments, namely the Success Likelihood Index Method (SLIM), the Human Error Assessment and Reduction Technique (HEART), and the Technique for Human Error Rate Prediction (THERP). All of these techniques are expert judgment techniques, which researchers have been forced to develop and employ since the first estimations of human error probability due to a lack of real human error data. The techniques have mainly been used in the Nuclear Power industry, but they can be employed in the context of the offshore oil and gas industry. Each technique uses a different methodology to calculate human error probability, based on the various types of human error, and the environmental and operational conditions that are included in the analysis. Each has advantages and disadvantages which are analyzed and compared in a general sense and in the context of the offshore oil and gas industry. While actual human error probabilities were not generated for the purpose of this report, it is hoped that the comparison and analysis of the three techniques gives justification to the use of SLIM for the generation of human error probabilities for the PRAC project on human factor design issues relating to individual behavior in emergency situations.

Introduction

The purpose of this report is to conduct a comparison of Success Likelihood Index Methodology (SLIM) generated human error probabilities with those determined using other available expert judgment and quantitative human reliability assessment (QRA) techniques including HEART and THERP. While these are not the only techniques available, they have been used in a variety of applications and are well recognized by researchers in the field of human error probability. Each technique will be described as its own entity, and comparisons will be made based on the methodological approach in regards to accuracy, validity, and usefulness (and effective use of resources).

Dino DiMattia (2004) conducted a comparison of these QRA techniques for assessing the human error in emergency musters on offshore oil and gas platforms, with the purpose of validating the use of SLIM in his work. This was a component of his research on human error probabilities, which itself led to the development of the Human Error Probability Index (HEPI) as his thesis. Much of the content of this report reflects and builds upon the research conducted for this thesis in terms of the most appropriate technique for estimating human error probabilities on offshore oil and gas platforms, and its use with HEPI.

Background Information on Human Error in QRA

In order to establish a baseline or criteria for comparison, there first must be an understanding of what a model should theoretically accomplish. It should be able to predict human error in different contexts, and specifically in this context for emergency scenarios on offshore oil and gas platforms. Human error has been defined by Lorenzo (1990) as any human action or lack thereof, which exceeds or fails to achieve some limit of acceptability, where limits of human performance are defined by the system. The ability for a model to accurately depict the probability of such an occurrence and to make this model useful will depend on the way in which each possible error is treated, and the ability to link human error prediction with quantitative risk assessment.

Human error can occur in a number of different ways including errors such as slips or mistakes, which can themselves be interpreted as skill-based slips, rule-based and knowledge-based mistakes, or violations such as purposeful omission or substitution (DiMattia, 2004). Furthermore, human error is dependent on performance shaping factors (PSFs) including the characteristics and complexity of the task, the physical environment, the organizational environment and the operator characteristics. Including PSFs in human reliability assessment (HRA) tools allows for the collection of similar contextual information to be used for identifying error in categories with common features. Due to the number of possible modes of human error, their conditions and causes, human, inherent and process factors, and the more contextual error mechanisms involved in human error estimates, PSFs provide an organized framework of evaluating different circumstances. The comparison that follows will therefore compare the ways in which these different aspects of human error are treated in developing the probability of failure for an HRA.

Success Likelihood Index Method (SLIM)

In the SLIM technique, PSFs are weighted and rated to develop a success likelihood index (SLI) for each muster action, which in turn allows for the estimation of the probability of success (POS) and the human error probability (HEP). This weighting and rating data is obtained by eliciting questionnaires to a number of pre-selected judges based on different muster scenarios.

DiMattia et al. (2005) conducted a simulation that involved three different muster scenarios (man overboard, gas release, and fire and explosion) with 18 different muster actions. They considered six different PSFs including stress, complexity, training, experience, event factors and atmospheric factors. The weighting and rating data was then processed by SLIM.

Expert judgment techniques are employed by providing judges with the opportunity to give subjective opinions and decisions in an objective manner. In the SLIM technique employed by DiMattia et al (2005), 24 judges with different backgrounds and experience participated, with a core review team (CRT) that was selected to help in the determination of muster scenarios, muster actions and PSFs. Specifically, a hierarchical task analysis (HTA) was conducted to develop muster steps that were independent of the muster initiator. A similar technique was used to determine the appropriate PSFs, allowing the judges to review and assess a number of PSFs and then narrow them down to six using a pairwise comparison.

In order to develop the actual human error probabilities, the weight of each PSF is divided by the weight of the sum of all PSF weights for the particular action in order to normalize it, producing the PSF n-weight. The product of the n-weight and the rating gives the success likelihood index (SLI). This can be found for each PSF for a given action and summed for the total SLI for each action. Muster actions with high SLIs will have the highest likelihood of success. Subsequently, a logarithmic relationship of Pontecorvo is used to determine the HEP values for each action in the equation:

Log(POSi) = a(SLIi,m) + b

Where POSi = Probability of success for action i = 1-HEPi

SLIi,m = arithmetic mean of success likelihood index values (from judges data) for action i

a,b = constants

Determination of a and b requires analysis of HEPs for action with the lowest and highest SLI values. These data can then be put into the above equation, and subsequently, the remaining muster action HEPs can be calculated.

One perceived disadvantage of SLIM in terms of error reduction measures is the limited number of PSFs used. In DiMattia’s (2004) study, only 6 PSFs were used, which were deemed the most appropriate out of eleven potential PSFs. As noted in Kirwan et al. (1997), many ergonomists find such PSFs too gross of a measure to give meaning to the scenario. An example is given that an ergonomist may use 300 questions in an interface audit to evaluate an interface, which is reduced to a rating scale of 9 options in the PSF called ‘quality of interface’. Thus, while PSFs are designed in such a way to accommodate the HRA processes in terms of generating estimations of error rates, these PSFs may not be adequate identifiers of error reduction measures. However, if it can be shown that only one PSF can be used in a certain scenario to generate an accurate HEP, identifying that PSF for error reduction purposes may still be useful. This is discussed further in comparison of all three techniques.

An extension of SLIM called the multi-attribute utility decomposition (SLIM-MAUD) was developed by Embrey et al. (1984), based on their previous SLIM work, which attempts to address the issue of potentially more than one PSF accounting for a certain error probability. In the SLIM-MAUD framework a situation is presented with decision alternatives as described by the PSFs, which themselves cannot be optimized simultaneously. This allows for a quantification of importance of each PSF in the given multi-attribute decision problem which can then be compared to other PSFs. However, SLIM-MAUD is a very structured technique (Apostolakis et al., 1988), which is an undesirable attribute in HRA, and the treatment of weightings and ratings is internally inconsistent. The latter concern arises from the potential for alterations in probabilities with the introduction of a new task to a set, and the relative weighting of PSFs as opposed to a normalized weighting. HEPI, as applied with the SLIM framework has identical worst possible to best possible value scales for both weights and ratings (0 to 100) and therefore does not require an elicitation of an ideal PSF rating. Further, as mentioned above, HEPI employs an average PSF value for weightings and ratings from a group of judges, thus avoiding the standardization of PSF weights by equalizing their values.

In the study conducted by DiMattia (2004), the multi-stakeholder team of judges was used to develop weightings and ratings, where MAUD was avoided, but a pairwise comparison was used in its place. Other attempts to improve the predictive nature of SLIM prior to DiMattia’s work showed that both the team and pairwise strategies were important to the accuracy and efficiency of the application of a development index. Particularly, the use of a greater number of judges has been shown to improve the accuracy of the analytic value of averaged probability judgments (Apostolakis et al. 1998), reducing uncertainties and the level of conditional dependence, or joint work.

Nonetheless, the validation of model results is limited due to a lack of empirical data, and this has led to a large amount of assessments focusing on the accuracy of the technique as opposed to its usability. Thus, it is important to note that SLIM has only been used, prior to the development of HEPI, for HRA within probabilistic risk assessments. With the application of HEPI, the hope is that its predictive strengths can more readily be used to reduce error (DiMattia, 2004). Further, it hopes to address the gap between academic research and practical HRAs to contribute to error reduction recommendations.

Human Error Assessment and Reduction Technique (HEART)

The Human Error Assessment and Reduction Technique (HEART) is based on a screening process and reliability calculations which are formulated and extracted from the large number of human factors it considers. It does not have a formal procedure such as SLIM, but instead uses qualitative guidelines to identify sources, classes and strengths of human error. These are shown in Table 4-1 (Kirwan et al., 1988).

HEART uses only a single assessor, as opposed to a more diverse group of judges, significantly increasing the dependency of the result on a single individual. Based on the source or sources of unreliability which applies to the context, as decided by the assessor, they determine the strength of the effect and which factor (or unreliability) should be used in representing the change of a favourable condition to an unfavourable one. The extent of underperformance is predicted for each source of unreliability, based on a decided likely range of human unreliability for each task.

Table 0-1. HEART screening process guidelines

Sources of Human Unreliability

Principal Classes of Error Strength of Effect

Impaired system

Knowledge

Substitution

Omission

Very great, especially if a model or stereotype is violated

Response Time Omission

Substitution Great, if system is unforgiving

Poor or ambiguous system feedback

Omission

Transposition Strong

Significant judgment required of operator

Omission

Substitution

Multiple

Mixed

Measurable

Level of alertness resulting from duties, ill-health, or

environment

Omission

Substitution

Transposition

Comparatively small

The technique uses human reliability values, or basic error probabilities that have been developed for the purpose of conducting an assessment of the likelihood of failure. The failure is associated with an error-producing condition (EPC), which is congruent with the concept of PSFs. The effect of this EPC is calculated by estimating the proportion that exists in the context and multiplying it by the basic task unreliability. Estimates of relative weights for EPCs are made (by the single assessor) and multiplied by the associated effect to give an assessed effect. The assessed effect is multiplied by the unreliability value to determine the probability of failure (POF) (Kirwan, 1996).

Thus, it uses a ‘database’ to allow the assessor to modify the data to make it more specific to the context using the PSFs relevant to that context. A similar technique is used by THERP, as described in the next section.

Specifically, the technique is broken down into five steps. The first step is to classify the tasks into one of the generic categories. However, some of the categories are mutually exclusive and could apply to a number of tasks, requiring the assessor to describe the task and classify it according to that description. While this does not take away from the purpose of the tool, to be a flexible, rapid and conservative quantification method, it does create uncertainties, or inconsistencies as assessors may describe, classify and thus categorize different tasks in different ways (Kirwan, 1996).

The nominal HEP must be assigned to each task. Once this is completed, the EPC for each task must be chosen based on assessor judgment, and using a table provided with the HEART technique. Each EPC has a maximum amount which the nominal amount can be multiplied by to find the associated ‘affect’. This factor is based on analysis of the human performance literature (Kirwan, 1996).

Subsequently, step four is to determine the ‘assessed proportion of affect’ (APOA) for each EPC, essentially the negative influence of each EPC on the task, as a proportion of the maximum affect. The maximum effect and the assessed proportion of affect are congruent to SLIM’s weighting and rating system. The proportion of the maximum is however, assigned with complete discretion of the assessor without any reference documents, introducing further inconsistencies to the HEART technique.

Calculating the task HEP is simple and straightforward, with the formula as follows:

HEP = SUM (EPC HEP)

where EPC HEP = ((Max Effect – 1)*Assessed Proportion of Affect) + 1.

The formula includes a mathematical ‘fix’ to avoid low-maximum-affect EPCs from creating a low overall HEP, thus decreasing it instead of increasing it (Kirwan, 1996).

One of the main advantages of HEART is that it has a large number of human factors for use, providing flexibility and fast analysis. However, one of the fundamental disadvantages of the HEART technique is that with the main basis of error being errors of omission, there is little or no consideration of

errors of commission, violations or tasks where slips may occur; thus, the utility in the context of HRA for emergency scenarios such as muster sequences is limited.

Furthermore, dependence between different factors is not considered in the HEART technique (DiMattia, 2004). There are a number of EPCs, or PSFs, to be chosen from in the technique and their over-utilization can create significantly pessimistic results. This often leads assessors to avoid the use of PSFs when in fact they may be very relevant to the task. In terms of error reduction, this can lead to an over emphasis of certain PSFs, and completely ignoring others (Kirwan et al., 1997), and subsequently to error reduction techniques that may not be effective. Kirwan et al. (1997) speculated that although EPCs were chosen with understanding by the assessors, filtering out erroneous EPCs (for the given application) would improve the consistency of the technique.

Technique for Human Error Rate Prediction (THERP)

THERP is a technique that is taxonomic in nature, using error taxonomy as a significant quantification tool – for example, using terms such as error of omission, wrong timing, wrong sequence, wrong action, in defining human error probability. Taxonomic approaches are experience based, using assessor experience with incident experience to develop the results, thus creating a context-specific and low-resource analysis (Kirwan, 1998). Overall, the THERP technique, like HEART, uses a human error database, with the modification of HEPs using PSFs and dependency consideration (Kirwan, 1996).

The THERP quantification process consists of six key elements. The first step is a decomposition of tasks into elements, using the taxonomic approach described above. What is important to note here is that, since each task may require a breakdown into a number of elements, different assessors will likely decompose tasks at different levels for more complex tasks. However, while most techniques require the assessor to judge the appropriate level of decomposition, the taxonomic approach is used here to make it more specific, and thus, more consistent.

The second step is the assignment of nominal HEPs (or basic HEP, BHEPs) to each element, using reference tables in the THERP handbook which have error descriptors, associated error probabilities and error factors. Supporting documentation is used with these tables to determine the nominal HEP for each task element. The technique provides structure, but is limited in this regard if there is not a descriptor for a particular task element (Kirwan et al., 1997).

The third step is the determination of effects of the PSF on each task, based on the qualitative analysis of the scenario and a list of PSFs the assessor is provided to apply to the scenario. The seriousness of the PSF on the scenario is decided by the assessor, and based on error factors given in the handbook. This step is therefore highly judgmental, as it is based on the assessor’s quantitative assessment and experience (Kirwan et al., 1997).

The fourth step is the calculation of effects of dependence between tasks. THERP uses a model with five different levels of dependence, which the assessor must pick based on their opinion of how the probability of a task is changed based on those tasks before and preceding it. The level of dependency that they choose can lead to different HEPs, while excluding it (which is also a choice of the assessor) from analysis altogether will have a large effect on the overall HEP (Kirwan et al., 1997).

The fifth and sixth steps are to model the data in a Human Reliability Analysis Event Tree, using Boolean algebra, and to quantify the total task HEP. Due to the straightforward and the quantitative nature of event trees, there is low potential for uncertainty to arise from this step (Kirwan et al., 1997). It offers the ability to model various sequences of actions, utilizing an interface with systems analysis techniques to identify tasks or errors which are most critical and have the greatest impact upon success or failure. However, it does not identify root causes or error reduction suggestions, thus limiting the flexibility required to do an effective muster HRA (DiMattia, 2004).

Overall, the technique is very easy to use but there are a few drawbacks to using this technique. While THERP is designed to use dependency and event tree modeling, the assessor decides when to include them to develop model results, or otherwise when it is appropriate to use their own experience. In

the validation study conducted by Kirwan (1997), results showed that the use of both dependency and event trees were limited in use by the 10 assessors involved, which showed that the accuracy of the technique is lower due to the fact that THERP was not applied normatively in the experiment.

The actual modeling component of THERP has been found to be inconsistent, not due to the usage of BHEPs, as these tend to be generally similar, but due to the assigning of error factors (Kirwan, 1997). This and the previous drawback show that, THERP as a model is very dependent on the assessor and therefore has questionable repeatability and accuracy.

Another disadvantage to the THERP technique is that it is not cognitive in nature, although there have been extensions of the THERP event tree model, for example COMET and COGNET that deal more extensively with cognitive behavior as well as other types of behavior.

Comparison

From the Kirwan three-part series paper (Kirwan, 1996 and 1997; Kirwan et al. 1997), THERP and HEART were found to be valid techniques, with reasonable levels of accuracy for most tasks. There were, however, inconsistencies in the way in which judges used the techniques, while some tasks were altogether poorly assessed by most judges. This alludes to a low capability of judges to assess the relevant tasks using the techniques. Also, calibration of the techniques was poor, in that assessors did not know when they were being accurate or inaccurate, which was thought to be caused by a lack of access to real data and a lack of feedback in validating the models.

Furthermore, due to the fact that one assessor must complete the validation for each model, there were questions as to whether the assessors had a greater impact on the performance results than the techniques themselves. Kirwan (1997) postulated that it may be useful, especially for the HEART technique, to provide examples of how to use the technique for assessors, since there is no training module and the technique is open to individual interpretation. While this could present a certain bias, this would also improve the consistency of the technique and reduce the effect of the assessor on the performance results. In the current project, providing these types of examples could also be useful for improving the understanding of design decision makers, if HRA is to be used in reducing human error through changes in offshore design, or of employees who are participants of emergency scenarios and are the culprits of human error and safety managers, if HRA is to be used for making changes in management and emergency procedures.

Identification of outliers in the THERP and HEART techniques showed that there were specific weaknesses regarding tasks involving low probabilities such as administrative controls, and tasks involving errors of commission. The Kirwan (1997) study suggested that further quantification is needed on these error types, but that in the short term, such quantification can be dealt with by the SLIM technique.

As noted in the introduction of this report, PSFs are an effective tool to identify error rates in situations with common features. However, Kirwan (1997) concluded that this does not extend to their utility as error reduction measures. The use of PSFs, while important in describing potential error scenarios, was found to create indefinable error reduction techniques due to the fact that using more than one different PSF could result in the same final HEP. While SLIM was not part of this validation study, the use of PSFs in the technique provides the same potential inconsistency.

The more PSFs that are used, the more complex the quantification becomes. Specifically if SLIM-MAUD is being used, the comparison of PSF importance becomes impractical unless quantification is computerized, in which case empirical data should be used for validation of results. However, most SLIM applications have not used any more than 8 PSFs, while the procedure to be used with the current project (DiMattia, 2004) only used a set of 6 in order to prevent an unwieldy procedure, thus avoiding the potential inconsistency. Further, the pairwise comparison is used in the technique to more directly address this issue.

Kirwan (1997) postulates that other parts of the HRA approach are better suited for error reduction purposes including task analysis and error identification. The SLIM technique does use tabular

hierarchical task analysis to present error modes, causal factors and risk mitigation measures for subsequent risk reduction measures, allowing for the integration of human error into a detailed emergency analysis. This gives the user the ability to use a what-if approach to analyze a number of emergency sequences quite efficiently, by understanding how error probabilities change with different conditions (DiMattia, 2004). The strengthening of root cause analysis is one aspect that is beyond the scope of this report, but will be an important component in the development of the deliverables for the current project.

Table 0-1. Comparison of THERP, HEART and SLIM as QRA techniques.

Criteria THERP HEART SLIM

Accuracy M M M

Validity M M/H M/H

Usefulness M H H

Effective Use of Resources

L/M H M

A comparative summary of the three techniques is shown in Table 6-1, which was adapted from Kirwan et al. (1988) in a study that compared them according to the criteria listed. The criteria and evaluation were based on general model performance factors, but the context of human error was more focused on nuclear power plants. The issues discussed throughout the report articulate the reasons for the results shown in Table 6-1 both in general and for the specific emergency muster context. SLIM performs as well ir better than THERP and HEART in all criteria with the exception of the effective use of resources. This is likely due to the fact that a number of judges are used to develop the final results, which takes time and money.

Conclusions

All three QRA techniques are expert judgment techniques, developed and utilized as such due to the continual lack of available human error data. While validation and accuracy of the techniques would ideally rely on such data, these techniques attempt to calibrate and simulate human error based on the core principles of human error and contextual environmental conditions. Each uses a slightly different methodology, producing results that can be interpreted and used for the reduction of error based on the way that error producing conditions are identified.

While most research conducted thus far focuses on the accuracy and less on the validation of SLIM, the comparative research conducted and presented in this report shows that SLIM is the most appropriate and useful method for the purposes of the current project. Using a limited number of PSFs, the accuracy is increased by avoiding dependence or conditionality of PSFs through pairwise comparison. If deemed necessary SLIM-MAUD can be employed to compare the importance of each PSF for a similar purpose. Furthermore, the reduced number of PSFs in SLIM, as compared to HEART or THERP, allows for a more concrete and clear identification of appropriate error reduction measures, as single PSFs can be identified for specific errors.

Nonetheless, due to the number of tasks, subtasks and task steps incorporated into each PSF, SLIM can be applied to a number of different scenarios and tasks at any level of detail, allowing for its use in various emergency scenarios.

The number of judges used for SLIM also evidently increases the accuracy of results. When there is a level of conditionality between judges the accuracy of results diminishes; thus, ensuring there is a low conditional dependence between judges (ie. they are from different backgrounds and have different experience, but have a good understanding of the given scenarios and the technique itself) and a large number of judges, as was done in the study by DiMattia (2004), the highest possible accuracy is attained. This is compared to the THERP and HEART techniques where either one assessor defines all HEPs and PSFs and thus, gives variable results.

Furthermore, in the case of THERP the assessor is given the choice of including dependency and event tree analysis or instead using his or her own experience. This will either reduce or vary the accuracy of the technique, and reduce the ability to use it in error reduction measures. On the issue of error reduction measures, SLIM uses both hierarchical task analysis and event tree modeling which both lend well to identifying error reduction measures and using a what-if approach to identify different error probabilities in different scenarios.

While the research conducted on all three techniques identifies avenues for improvement, improvements can only be truly substantiated with the collection of real data for the scenarios, or emergency sequences, being modeled. Thus, while this report shows that SLIM is the most appropriate model to use for the purposes of identifying and reducing human error during emergency scenarios on offshore oil and gas platforms, industry must begin to play a role in the recording and collection of data in order to better understand how the techniques truly perform. However, in doing so, the organization itself must recognize that human error is not just a matter of personal performance, but extends to the organizational management. In using the results of such models, the organization can improve on their

managerial practices. By integrating more education for an understanding of human error at various levels of the organization, they will in turn be contributing to an enhanced working environment for their employees and assets.

References Apostolakis, G.E., Bier, V.M. and Mosleh, A. (1988). A critique of recent models for human error rate assessments. Reliability Engineering and System Safety, vol. 22, pp. 1-217. DiMattia, D.G. (2004). Human error probability index for offshore platform musters. PhD Thesis Dalhousie University, Halifax, N.S.

DiMattia, D., Khan, F.I., and Amyotte, P.R. (2005). Determination of human error probabilities for offshore platform musters. Journal of Loss Prevention in the process industries, vol. 18, 488-501.

Embrey, D.E., Humphreys, P.C., Rosa, E.A., Kirwan, B. and Rea K. (1984). SLIM-MAUD: An approach to assessing human error Probabilities using structured expert judgment, Report No. NUREG/CR-3518 (BNL-NUREG-51716), Department of Nuclear Energy, Brookhaven National Laboratory, Upton, New York.

Kirwan, B. (1996). The validation of three human error reliability quantification techniques – THERP, HEART and JHEDI: Part 1 – technique descriptions and validation issues. Applied Ergonomics, vol. 27, pp. 359-373.

Kirwan, B. (1997). The validation of three human error reliability quantification techniques – THERP, HEART and JHEDI: Part III – practical aspects of the usage of the techniques. Applied Ergonomics, vol. 28, pp. 27-39.

Kirwan, B. (1998). Human error identification techniques for risk assessment of high risk systems – part 1: review and evaluation of techniques”, Applied Ergonomics, vol. 29, no.3, pp. 157-177.

Kirwan, B., Embrey, D.E., and Rea, K. (1988). Human reliability assessors guide, Report No. RTS 88/95Q, Safety and Reliability Directorate, Culceth, Warrington, England.

Kirwan, B., Kennedy, R., Taylor-Adams, S., and Lambert, B. (1997). The validation of three human error reliability quantification techniques – THERP, HEART and JHEDI: Part II – results of validation exercise. Applied Ergonomics, vol. 28, pp. 17-25.

Lorenzo, D.K. (1990). A guide to reducing human errors, improving human performance in the chemical industry. The Chemical Manufacturers’ Association, Inc., Washington, DC.

Appendix 3

Human Error Data Availability Report

Sources of Human Error Data and Industry Cooperation

Report for the Petroleum Research Atlantic Canada (PRAC) Project on


Angela Alambets



Halifax, Nova Scotia

April 2008

Introduction

There has been extensive research conducted on the use of various QRA techniques for estimating human error probabilities (HEPs). The ultimate objective of these techniques is to reduce human error causation and escalation of loss causing incidents. They often rely on expert judgement in various stages of the model development process, or on a single assessor to systematically alter data from a database. These databases may contain both real data from industry and data formulated by the technique developer (Kirwan, 1996), producing probabilities that can be somewhat subjective in nature.

The Success Likelihood Index Method (SLIM), which has been identified as the most appropriate technique for the current study, requires real data for calibration. Further, it uses data developed from a team of judges to calculate the probability of success of various offshore platform emergency scenario actions. By using a large team of judges, as opposed to a single assessor, the technique aims to reduce the subjectivity and increase its accuracy (DiMattia, 2004). Nonetheless, validation studies on this technique allude to insufficient evidence of the technique’s predictive accuracy and consistency (Kirwan, 1996). This reduces the ability of the technique to achieve its ultimate objective, which has led to the need for validation using real human error data; however, this has not been possible due to a lack of such data. While SLIM performs well compared to similar human reliability assessment (HRA) techniques, empirical validation is necessary to truly confirm its accuracy, calling for industry cooperation in the collection and use of real data.

In addition to validation issues, the collection of industry-incident based data can be used to inform the development of HRA techniques, and to better understand and assess risks associated with human error. Developers and assessors of current techniques also do not have feedback on model results, reducing the ability to continually increase preciseness (Kirwan, 1996).

There have been attempts to address the need for industry generated data, including the development of the Worldwide Offshore Accident Databank (WOAD), the Computerised Operators Reliability and Error Data Base (CORE-DATA) and other projects sponsored by the UK Health and Safety Executive (HSE). This report provides a brief examination of these sources for use in the current project, and presents the need for industry cooperation and possible avenues of facilitating that cooperation.

WOAD

WOAD is a database with world wide accident data exclusively from the public domain, collected from the years 1970 to 2003 by Det Norske Veritas Inc., its creator. The database was set up for input via accident forms, which are presented as tables for user interpretation. The accident forms ask for details regarding the cause of the accident, the specific situation and the consequences. For more details regarding the accident forms, the reader is referred to a report by David Bligh, entitled ‘Review of the WOAD as a Quantitative Safety Assessment Tool’ (2007).

A number of limitations to this accident data source were outlined in the report by Bligh (2007). Firstly, it should not be taken as a complete representation of the accidents that have occurred in the offshore industry, as there are geographical areas where accident information is controlled and kept confidential, and there are inconsistencies in reporting standards between countries. Secondly, due to the structure of the accident reporting form, there may be confusion in determining the root cause of the accident. Specifically, the ‘main event’ may be chosen as the event which initiates a more serious chain of events, which occurs last, or as which causes the most damage. Further, a dropdown list is provided to identify the main event and the event chain, which includes fires, explosions, falling loads, loss of buoyancy, collisions, and machinery failure. Since it is unclear how these events could be related to human error, this data may not be useful for the current project. The accident report form does have an ‘accident cause’ section where the option between human and equipment cause is given, although there is no apparent space for a more detailed description. Thirdly, where the SLIM technique uses six different performance shaping factors (PSFs) as environmental conditions influencing human error probabilities, the WOAD identifies some of these as equipment. For example, the sea and weather are classified as pieces of equipment (Bligh, 2007). Therefore, an analysis on human cause should not neglect equipment causes, where equipment is defined as such, since this may potentially be helpful in determining its influence on the event chain. It would, however, be difficult to find the correlation with human error in this case since the accident is defined as an ‘Equipment Cause’.

Regardless of these limitations, for the current project the WOAD should be examined for the frequency of ‘Human Cause’ as opposed to ‘Equipment Cause’. Where human cause is identified, attempts to find correlations with the event chain may be beneficial. Caution should be taken when conducting any such analysis or when making overarching conclusions.

HSE, CORE-DATA

There has been some effort to develop human error databases since the theoretical aspects of human error have become documented and more understood. One of these efforts is the development of the Computer Operator Reliability and Error Database (CORE-DATA), an outcome of a three year project headed by the University of Birmingham which aimed to provide the human reliability community with a usable, accurate and validated databank (Basra et al., 1998). This databank includes approximately 250 human error data points accompanied by qualitative data, as well as 1000 data points in hard copy.

The extent of relevancy to the current project is unknown. While some data points, like those related to permit-to-work, may be less useful, data points on drilling operations or control room issues may be pertinent. Thus, the data taken from this source for the current project will be the discretion of the research team. It is also unclear whether the data points in CORE-DATA are all presented as HEPs or in some other form, and whether the qualitative data includes raw incident data. One study by Kirwan (1996) noted that databases like CORE-DATA are not yet ready to be used to quantify HEPs for probabilistic safety assessment (PSA) purposes but that the inventory of data would still be useful for validation purposes. Investigation will be required on this issue.

The UK HSE has been a large affiliate and contributor to CORE-DATA. A report by the HSE on the collection of offshore human error data for offshore drilling operations outlines different data

collection methods and the development of input to CORE-DATA (Basra et al., 1998). This HSE project developed 18 different HEPs by collecting data from observations at drilling rigs, training centers and simulators, as well as from accident reports and, notably expert judgement. Results showed that HEPs could not always be developed from observations of real scenarios and the use of accident reports was often low. The data collected was modified by different PSFs which were outlined in the report (Basra et al., 1998).

Some aspects of the expert judgement technique used for the HSE study were similar in nature to SLIM. For example a team of judges conducted a pairwise comparison, and an analysis was conducted on the level of conditionality and consistency in the results. Due to different issues concerning the use of PSFs, as well as potential inaccuracy or inconsistency of expert judgement techniques used in HSE studies, care should still be exercised in determining which data points from CORE-DATA are used for the current project, based on the way in which they were developed. Nonetheless, this may be the best source for real human error data as of yet.

Industry Co-operation

While efforts have been made by external research bodies to collect relevant human error data to inform HRA techniques, there has been no documented evidence that industry has taken initiative to reduce human error, specifically in terms of collecting relevant data for similar needs. There are a number of ways that industry can contribute to the development of the HRA field, as follows:

Recognize that human error is not solely the result of individual error, but that it is the responsibility of management to incorporate human error education and mitigation into existing safety programs;

Collect relevant human error data during emergency scenarios – both drills and real-time;

Incorporate human error identification into incident investigations; and

Develop a database, or a new component to existing databases, for the continual collection of human error data to make more informed design considerations and decisions regarding employee training.

As part of the current project, the research team must be clear on the objectives developed for industry co-operation. The ultimate goal of the project is to contribute to the reduction of human error on offshore oil and gas platforms – which, in line with the first point above, may take the form of developing new components of safety programs such as education and training of department managers and staff, and changes to technical designs. In order for industry to effectively contribute to the current project it may however, be necessary to have a greater focus on the latter three points, although the first point could be seen as a precursor to these. The latter three points will now be discussed individually and conclusions made on potential project strategy regarding data collection.

1.1 Data collection from observation of emergency scenarios

The observation of real scenarios would be the most valuable component of a data collection program, as it provides real data for HEP development. For the HSE study, there was a 5 step methodology, which began with a hierarchical task analysis (HTA) of the specified event, and identified all of the possible human error modes for that task (Basra et al., 1998). This was necessary in order to know what types of tasks to observe and errors to look for. The HTA was developed and modified by visiting a small on-shore rig, with observations and discussions with personnel. Where emergency scenarios are concerned, the construction of an HTA would already have been conducted for the use of the human error probability index (HEPI) and SLIM. Thus, if observation is deemed a priority for the current project, the tasks outlined in the SLIM framework would be a reference.

Observations of actual events tend to be difficult due to potentially low frequencies of events, and when they do occur, potentially low frequencies of human error. This was experienced in the HSE study (Basra et al., 1998), where a three day observation period of tripping in and tripping out (drill-floor activities) yielded no errors observed. Where such circumstances arise, it was recommended that investigation of human error would be more effective through accident reporting, training simulators and expert judgement techniques. The use of simulators can, however, make HEP determination difficult because stress and weather related PSFs cannot be considered in the analysis and must be dealt with in a different manner. Where uncertainty is prevalent, a statistical analysis should be conducted (Basra et al., 1998).

Although there are difficulties in this collection method, it should be emphasized that the co-operation of industry to allow observers to come in for these purposes would be invaluable for providing real data to the human reliability community. More importantly, due to the topic of the current project, namely human error during emergency scenarios, conducting these types of observations can be made very easy by visiting off-shore rigs on days when emergency drills are planned.

While observations are typically conducted by the human error research team, based on their level of understanding of the relevant material, an alternative may be to have personnel in management positions continually conduct the observations during drills. This would require training to ensure proper recording. However, due to the repetitive nature of emergency scenario drills, it may have substantial long-term benefits in terms of the collection of current data to provide the human error community.

1.2 Data collection from accident investigations and interviews

Accident and incident investigations are often looked to for data collection and analysis of different causation, event chain factors, and consequences, not exclusive to human error data. This data can be

extremely helpful in correlating data and identifying trends, which can ultimately allow for more effective mitigation measures. Although the usefulness of WOAD is left for further interpretation, it has been used effectively do identify trends relating to different error types (Bligh, 2007), which can be used to contribute to enhanced industry awareness to ultimately develop prevention and mitigation techniques for the specific errors.

This type of quantitative analysis on human error would be invaluable to the human error research community. However, as of yet, there has been much difficulty in finding the necessary information due to poor accident reporting structure or simply a lack of emphasis and importance on the role of human error. If these issues were addressed, accident and incident investigations could allow for quantitative analysis.

Industry cooperation would be required in the form of ensuring completion of accident report and incident investigation forms and conducting interviews with all employees involved to question them about their role in the incident and other relevant human error related issues. This could also be conducted with individuals as part of de-briefings after emergency drills have been completed. While the reduction of human error is not meant to be part of data collection, in the long run a training program for all employees could allow employees to record their own errors during a debriefing; this would achieve the collection of data and enhanced awareness about what affects the way they perform their tasks. Thus, employees would take more control over reducing error in performing different tasks.

The development of new reporting formats and proper interviews questions, based on the employee position and incident scenario, precedes their proper use in industry. However, it is the opinion of the author that commitment by industry to use these tools in the appropriate way is absolutely necessary before project resources are spent to develop them.

1.3 Human error database development

The use of information technology, in terms of data collection and dissemination, has been used on offshore platforms for different purposes. While the purposes are unknown to the author, if an accident or safety database does exist, an additional component of human error data collection would be a valuable addition. This would be used to more easily input and disseminate data collected from accident forms and incident investigations for quantitative analysis. It would likely resemble the framework of the human error component of the accident form or incident investigation, thus its development could be integrated with these tools. In addition to providing data for the human error research community, this type of database could be used by the company to show good employee relations, and health and safety for prospective employees.

Conclusions

Existing sources of human error data were presented in this report which could inform the current project. However, as discussed, there are limitations to each of these resources which are similar to limitations seen throughout the human error literature. The lack of real data for HRA techniques will only effectively be addressed if industry takes an active role in the collection of real data during emergency scenarios. This can take the form of observations from external or internal personnel, the revamping of current accident reporting and incident investigation strategies and documents, and the development of a database to more efficiently collect and disseminate this information. Most importantly, individuals in management positions must understand that employees are not solely responsible for errors that occur. Human error will continue to play a causative role of accidents and risk (Kirwan, 1998). Thus, management must take responsibility of incorporating human error mitigation measures into the workplace if reduction of accidents caused or enhanced by human error are to be reduced.

The way in which accident forms and incident investigations are changed will depend on goals developed by the research team; data could be collected using human errors identified in the HTA for SLIM or include errors not addressed in the technique to attempt to gain a better understanding of them. Nonetheless, distinctions must be made on the objectives of data collection. They could take the form of a more educational program, by training offshore personnel on human error to develop a more participatory data collection approach which could potentially influence a reduction in human error from the onset of data collection; or they could be kept independent of employee work for a more representative data set for the validation and development of HRA techniques. Whatever the objective, it is important that industry is available and willing to cooperate, in order to ensure improved accuracy of HRA techniques that will ultimately benefit the industry and its employees.

References

Bligh, David. (2007). Review of the WOAD as a Quantitative Safety Assessment Tool. Process Engineering Department, Dalhousie University. Halifax, N.S. DiMattia, D.G. (2004). Human error probability index for offshore platform musters. PhD Thesis. Dalhousie University, Halifax, N.S. Kirwan, B. (1996). The validation of three human error reliability quantification techniques – THERP, HEART and JHEDI: Part 1 – technique descriptions and validation issues. Applied Ergonomics, vol. 27, pp. 359-373. Kirwan, B. (1998). Human error identification techniques for risk assessment of high risk systems – part 1: review and evaluation of techniques”, Applied Ergonomics, vol. 29, 3, pp. 157-177. Basra, G., Gibson, H., and Kirwan, B. (1998). Offshore technology report - OTO 98 121. Collection of offshore human error probability data. Phase 2, Volume 1. Offshore drilling data. Health and Safety Executive.

Appendix 4

Report on WOAD

REPORT ON WOAD

World Offshore Accident Database

Kelli McGean

Chemical Engineering Co-op Student


Summer Work Term

August 2008

Summary This report deals with the World Offshore Accident Database (WOAD) and the applicability of its data for human error studies especially in the current Human Error Probability Index (HEPI) project. The HEPI project deals with the probability of human error during offshore emergency muster scenarios. This project is the work of a research group based at Dalhousie University in Halifax, Nova Scotia and Memorial University in St. John’s, Newfoundland.

The human error data available in the WOAD was extracted and analyzed for its use both for the current project and any further projects.

It was concluded that the WOAD is not a particularly useful source of data for the current HEPI project, but may be more applicable to further projects if they focus on the original accident cause.

It is recommended that other sources of human error data be investigated for the HEPI project, and that further projects that intend to use the WOAD as a source of data should focus on human error as the initial accident cause.

1.0 Introduction There are numerous serious safety concerns in the offshore oil and gas industry. This is due to many

factors, including harsh marine weather, secluded locations, and volatile petrochemical products. Because

of the risks associated with these factors, many precautions must be taken in order to ensure the safety of

the crew as well as to minimize the damage done to equipment and the environment. However, even

though many precautions are taken, accidents do occur. Each accident that occurs reminds us that the

safety procedures in the offshore industry need to be constantly examined and revised in order to

minimize the risk of future accidents.

One danger in the offshore industry is that humans make mistakes. Due to the harsh work

environment, the consequences of these mistakes can often be more severe than in other industries. These

mistakes can be referred to as a “human error”. Often, these human errors can lead to accidents with

consequences of varying severity. Currently, there is work being done to account for the likelihood of

human error in offshore scenarios in order to prevent further errors and to minimize the consequences

when accidents due to human error do occur.

1.1 Background and Previous Work

The current project, funded by Petroleum Research Atlantic Canada and with researchers at both

Dalhousie and Memorial universities, aims to quantitatively determine the impact of human error during

emergency situations on an offshore facility. This impact is currently being examined in two ways: both

from a probability and a consequence perspective. “Human error”, for the purposes of this report, can be

defined as any human actions that exceed or fail some limit of acceptability (DiMattia et al., 2005). Once

this limit is exceeded, an accident occurs. Human error is influenced by performance shaping factors

(PSFs) which can include the characteristics and complexity of the task, the surrounding environment,

and the operator characteristics (Alambets, 2008).

Work previously completed on the project includes the development of a new method that may be

used to determine the probability of human error in offshore platform musters. The following section

gives a brief summary of the method. For more information, the reader may review the following papers:

“HEPI: A new tool for human error probability calculation of offshore operation” (Khan et al., 2006) and

“Determination of human error probabilities for offshore platform musters” (DiMattia et al, 2005).

1.1.1 HEPI and SLIM

Much of the previous work was completed as a PhD thesis by Dr. Dean DiMattia. His thesis

developed a new HEPI (Human Error Probability Index) based on the SLIM (Success Likelihood Index

Methodology) approach. This project aimed to develop a new human reliability assessment (HRA) tool

that could calculate Human Error Probabilities (HEPs) during offshore platform musters. With the

development of this new HRA tool, it was hoped that industry could better incorporate human factor

considerations into emergency quantitative risk assessments (QRA) and use them for design

modifications and safety measure design.

The SLIM is an expert judgment technique in which PSFs are weighted and rated to estimate the

human error probability. SLIM is an expert judgment technique, which employs a panel of expert judges

who attempt to give subjective opinions in an objective manner. For Dr. DiMattias work, the expert

judges answered questions about three possible offshore emergency scenarios: man overboard, gas

release, and fire and explosion. The study also broke down an offshore platform muster into a series of

steps that were independent of the muster initiator. Using the data collected from the judges, Dr. DiMattia

determined possible HEPs for each separate muster step during the three different emergency scenarios.

For a more in depth overview of the methodology, please see the previously cited papers.

1.2 Purpose

Validation studies on SLIM reveal insufficient evidence of its predictive accuracy and

consistency (Kirwan, 1996). Because of this, the method must be validated with real human error data.

Human error data is not widely available, and the few sources for this type of data have a variety of issues

that may make the data unreliable, as was determined in a report written for the research group, “Sources

for Human Error Data and Industry Cooperation” (Alambets, 2008). One purpose of this report is to

review a possible source of data, the World Offshore Accident Databank (WOAD) for its suitability as a

source of data for the current SLIM work.

Another purpose of this report is to give an overview of the human error related data available in

the WOAD so it may be applied to any further projects with ease.

2.0 WOAD – The World Offshore Accident Database The World Offshore Accident Databank (WOAD) is a collection of data pertaining to accidents that

occurred in the offshore oil and gas industry between 1970 and 2005. Compiled by Det Norske Veritas

Inc, all of the data presented in the WOAD was collected from publically available resources. In order to

create the WOAD, technicians reviewed all publically available accident reports and classified each

incident in a number of predetermined categories.

For this particular report, WOAD 5.1 was used. This version of the WOAD, released in 2008, is the

most current of the databases and contains 5162 accident reports. Previous studies that were conducted for

this research group, particularly “Review of the WOAD as a Quantitative Safety Assessment Tool”

(Bligh, 2007) and “Sources of Human Error Data and Industry Cooperation” (Alambets, 2008) may show

slightly different results than those of this report due to the fact that the authors were using an older

version of the WOAD. “Review of the WOAD as a Quantitative Safety Tool” may also serve an excellent

reference to the reader for general information about WOAD’s functions and capabilities.

2.1 WOAD accident forms and organization

The WOAD is organized in searchable tables known as accident forms. The accident form provides

numerous drop-down lists in which a specific incident may be described. These lists span many

predetermined categories, and can specify the accident cause, damages incurred, the event chain of the

accident, and injuries or fatalities that occurred as a result of the accident. Using a filter that is built into

the software, the user can specify any combination of required criteria for a particular accident and the

WOAD will display only those accidents which fit the criteria.

The WOAD accident forms also contain an area for free text, where the accident may be explained in

more detail. This text often offers the best description of an accident, giving specifics that cannot be

adequately explained using just the predetermined drop-down lists. Unfortunately, the WOAD does not

let the user effectively search this free text.

2.2 Previously determined problems with WOAD data

The WOAD is by no means a comprehensive database of all accidents that have occurred in the

offshore oil and gas industry. Because most of the reports in the WOAD database occurred in the Gulf of

Mexico or the North Sea, there are many geographical areas (such as the Caspian Sea and Southeast Asia)

that are underrepresented. There are no accidents reported from the People’s Republic of China at all. The

underrepresentation of these areas is due to a lack of publicly available information in those parts of the

world (Bligh, 2007).

There is also lack of consistency for accident reporting standards between countries. Because of this,

the detail of the accident forms varies greatly. For those accidents with minimal detail, it is often difficult

to categorize them properly, which makes them less useful for both research and industry purposes.

3.0 The WOAD and Human Error Data As was previously mentioned, the occurrence human error can only be specified in one part of the

WOAD accident form, in the accident cause section. The following sections deal with accidents where the

WOAD technician chose to indicate that the accident may have been caused by human error. The effect of

human error is examined with regards to accident cause, type, and severity. As well, this human error data

is examined for applicability to the SLIM and HEPI work.

3.1 Human Error and Accident Cause

When an accident form in the WOAD is completed, the technician may choose to specify the root

cause of the accident. In the WOAD, there are two main categories for accident causes – one is “Human

Cause”, while the other is “Equipment Cause”. Other than the free text section, this “Human Cause” drop-

down list is the only area in the WOAD where human factors are mentioned. In the WOAD, the

technician has the option of indicating a human cause or an equipment cause for any accident. The

technician may also select both a human and equipment cause simultaneously if the cause of the accident

is more complex, or choose to not indicate a cause if there is no relevant information available.

3.1.1 Accidents caused by human error

In order to begin the evaluation of the WOAD for the current project’s purposes, the accidents

indicated as having a “human cause” were first examined. Of the 5162 accident reports available in the

WOAD, 860 reports fall into the “human cause” category. There are seven subsets of this category,

including Unsafe Procedure, Unsafe Act/No Procedure, Improper Design, Third Party Error, Act of War,

Sabotage, and Other. Table 3.1 shows the number of accident reports in each category.

Table 3.1 Number of Accidents Per Category of Human Error

Human Error Number of Accidents % of total accidents

Unsafe Act/No Procedure 378 44.0

Unsafe Procedure 318 37.0

3rd Party Error 82 9.5

Improper Design 66 7.7

Act of War 7 0.8

Other 6 0.7

Sabotage 3 0.3

Total 860

It is obvious from this table that the most commonly indicated human cause for an accident is

either “Unsafe Acts/No Procedure” or “Unsafe Procedure”, at 44% and 37% of total human error

accidents respectively. In the WOAD, “Unsafe Act/No Procedure” is usually an accident that occurs due

to human error when there is no safety procedure for that particular task already in place. Those accidents

specified to have occurred due to an “Unsafe Procedure”, however, usually occur due to a crew member

not following a previously established safety procedure.

Other moderately common human causes are “3rd Party Errors” (9.5%) and Improper Design

(7.7%). “Third Party Errors” are usually accidents caused when an error is made by the crew of another

vessel, be it a boat or helicopter. These accidents often involve collisions between the offshore unit and

another vessel. Cases of “Improper Design” stem from accidents that are caused due to human error in the

design process. The remaining three categories make up less than 1% each of the total number of human

error accidents and do not have enough description in the WOAD archive to fully understand why they

were indicated as such.

3.1.2 Accidents caused by equipment error

Of the accident reports in the WOAD, 2828 have an indicated equipment cause. This represents

54.8% of total accidents reported in the WOAD. However, equipment error is not the focus of this report

and will not be discussed in detail.

3.1.3 Accidents that have no indicated cause

Sections 3.1.1 and 3.1.2 discussed accidents that have an indicated human or equipment error

cause. While the majority of accidents in the WOAD have an indicated cause, there are 1475 accidents

that do not. This is over 28 percent of accidents in the WOAD database.

There are many reasons that these accidents may not have a specified cause. The most probable

reason is that the information wasn’t available to the WOAD technician when creating the particular

accident form. Because the WOAD is compiled only from publically available resources, the detail of the

data is often not enough to properly indicate what the root cause may be. Other reasons for the cause to

not be indicated are the possibility that the cause was never discovered during the initial accident

investigation, or that the company chose not to indicate a cause in order to avoid placing blame on a

specific person or object. In any case, because over 28% of our data does not have an indicated accident

cause, the usable data becomes less reliable as it is not a full representation of all accidents in the WOAD.

Due to this fact, caution should be exercised when using any of this data as the margin of error is

exaggerated.

3.1.4 Accidents with both a human and equipment cause

As was previously mentioned, it is also possible for a WOAD technician to specify both human

and equipment causes for any particular accident. In the WOAD archive, 381 accidents are specified as

having both a human and an equipment cause. Because human error probabilities can be affected by

factors such as weather, time of day, and stress, it may be useful to examine the data to determine if there

is any link between certain human causes and equipment causes. Table 3.2 displays the number of

accidents that have both human and equipment causes. Only those situations where both human and

equipment causes are represented.

Table 3.2 Frequency of Accidents with combination of Equipment and Human Error Cause

Equipment Cause Unsafe Act/

No Procedure

unsafe procedure

3rd party error

improper design

other

3rd Party Equipment Failure 1 3

electric equipment malfunction 1 1 1

equipment malfunction 60 50 1 31 3

exceeded design criteria 1 1

foundation problem 4

ignition by heat/exhaust 19 10 2 1

ignition by open flame 2 3 7

ignition by cigarette/match 6 1

ignition, electrical 4 8 1

ignition, hand tool sparks 8 8

ignition, lightning

ignition, weld/torch 9 34

ignition, unknown/other 10 13 1

machinery malfunction 1

Other 8 2 1

safety system malfunction 1

structural fail/fatigue 2 3 10

weather, general 16 12 15 5

This table displays some interesting trends. It is to be expected that those incidents in the “Unsafe

Act/No Procedure” and “Unsafe Procedure” category would have the greatest number of incidents that

also have an equipment cause due to the fact that they represent the largest number of human error

accident overall. However, the table shows that a singular equipment cause – “Equipment malfunction” –

represents a very large portion of accidents that also have a human error cause. In fact, it represents the

largest number of incidents in every category except for 3rd party error. Another clearly displayed fact is

that weather (which is classified as an equipment cause in the WOAD) is indicated as a cause in 48

incidents that also have a human cause. This may confirm the idea that human error probabilities are

affected by external factors such as weather.

3.2 Human Error and Accident Type

When a WOAD technician enters data into the accident form, they not only have the option of

indicating the cause of an accident, but also the type of accident that occurred. There are four options in

this category: Accident, Hazardous Situation, Near Miss, and Insignificant. “Accident” is the most severe;

this indicates that an accident actually occurred and there were either personal injuries or equipment

damage. The “Hazardous Situation” category is used to indicate that while an accident did not actually

occur, there was potential for the created situation to lead to a full scale accident. The “Near Miss”

category is used to indicate that while an accident did occur, and there was potential for the accident to

cause major damage, there was no damage to equipment or any injuries to crew. An accident that is

indicated as being “insignificant” usually applies to accidents that did occur but had no potential to cause

either injury or damage to the equipment.

3.2.1 Accident caused by human error

Data from the WOAD was examined and the results can be found in Table 3.3. It was determined

that of the incidents indicated as being caused by human error, 33% of incidents resulted in an accident.

Another 41% of incidents resulted in a hazardous situation but not in a large scale accident. Insignificant

incidents and near misses represented 17.2% and 8.3% respectively.

Table 3.3 Number of Accidents Caused by Human Error per Accident Type

Type of Accident Number of Accidents % of total accidents

Accident 284 33.0

Hazardous Situation 353 41.0

Near Miss 71 8.3

Insignificant 152 17.4

The data relating human error to accident type was examined in more detail by tabulating the

number of each accident type (accident, hazardous situation, near miss, insignificant) that resulted from

each type of human error cause. This data is shown in Table 3.4. The table shows that the more serious

accident types are more numerous for unsafe action/no procedure and unsafe procedure. It is Table 3.5,

however, that shows more valuable information concerning how probable it is for an incident with a

certain human cause to result in a certain accident type. For instance, while accidents only account for

33% of total instances of human error, it is much less likely that an incident caused by an Unsafe Act/No

Procedure will result in an accident (24%) then one that was caused by unsafe procedure (36%). It is also

worthwhile to note that if an incident is caused by 3rd party error, it is much more likely (63.4%) to cause

an accident than average, while incidents caused by improper design are much less likely (24.2%) to do

so. For “Unsafe Act/No Procedure”, “Unsafe Procedure” and “Improper Design”, the data indicates that

the number of hazardous situations caused by these errors is close to the average of 41%. Accidents

caused by 3rd party error, however, are much less likely (22%) to result in a hazardous situation. All types

of human errors have similar probabilities to result in a near miss, and they are close to the average of

8.3%. Incidents caused by 3rd Party Error are less likely than average to result in an insignificant situation

at 7.3%, while all other types of human causes fall close to the average of 17.4%.

Table 3.4 Frequency of Accident Type Per Human Error Cause

Human Error accident hazardous situation near miss insignificant

unsafe act/no procedure 91 173 38 76

unsafe procedure 115 129 17 57

3rd party error 52 18 6 6

improper design 16 32 8 10

Table 3.5 Percentage of Accident type per Human Error Cause

3.1.2 Accidents caused by Equipment error or with no indicated cause

The author also examined the occurrences of each type of accident for those incidents indicated

as not being caused by human error. The results are shown in Table 3.6. According to the WOAD data,

incidents that are not indicated as being a result of human error are more likely to result in accidents, at

45% compared to 33%. The occurrence of hazardous situations remains relatively similar at 42.1%, while

incidents resulting in an insignificant accident fell to 9.5% and those resulting in a near miss fell

significantly to 3.4%.

Table 3.6 Number of Accidents caused by Equipment Error or with no Indicated Cause per Accident Type

Type of Accident Number of Accidents % of total accidents

Accident 1933 44.9

hazardous situation 1811 42.1

near miss 146 3.4

Insignificant 407 9.5

not specified 5 0.1

3.3 Human Error and Accident Severity

When completing an accident form, the WOAD technician has the option of identifying the

severity of the accident consequences. For the purposes of this report, the severity of the consequences

was analyzed in two ways: damage to the equipment and crew injuries or fatalities.

Human Error accident % hazardous situation % near miss % insignificant %

Unsafe Act/No Procedure 24.1 45.8 10.1 20.1

Unsafe Procedure 36.2 40.6 5.3 17.9

3rd Party Error 63.4 22.0 7.3 7.3

Improper Design 24.2 48.5 12.1 15.2

3.3.1 Equipment Damage

As previously mentioned, one measure of accident severity is the resulting damage to the

equipment. The WOAD has five options for this category, including “Insignificant/No Damage”, “Minor

Damage”, “Significant Damage”, “Severe Damage” and “Total Loss”. The following sections outline the

accident severity data for both accidents that were caused by human error and those that were not.

3.3.1.1 Human Error and Equipment damage

Table 3.7 displays the total number of accidents of each level of damage for accidents caused due

to human error. As is evident from this data, over 75% of all accidents caused by human error lead to

insignificant or minor damage to offshore equipment. Another 10% of accidents cause significant

damage, while 10% result in either severe damage to equipment or total loss of equipment.

Table 3.7 Number of Accidents Caused by Human Error Per level of Equipment Damage

Degree of Damage Number of Accidents % of total accidents

Insignificant/No Damage 570 66.3

Minor Damage 103 12.0

Significant Damage 93 10.8

Severe Damage 52 6.0

Total Loss 42 4.9

The data for accidents caused by human error was further broken down in order to examine the likelihood

of each type of damage severity in relation to the different types of human error. This data is displayed in

the following two tables, which show both the number of accidents by damage severity as well as the

percentages of each accident type. Table 3.8 displays the number of incidents for each type of human

error that resulted in each degree of damage. Table 3.9 may be more useful, however, in displaying the

probability that an accident that occurs as a result of each type of human error will result in severe or mild

damage.

Table 3.8 Frequency of Damage Level per Human Error Category

Table 3.9 Percentage of Damage Level per Human Error Category

It is clear from table 3.9 that an accident caused by 3rd party error is much less likely (23.2%) to

result in insignificant damage than all other human causes. Unsafe Procedure results in insignificant

damage 68.9% of the time, which is very close to the average of 66%. Unsafe Acts/No Procedure and

Improper Design result in insignificant damage a slightly higher than average and slightly lower than

average, respectively. Another point to highlight is that accidents caused by 3rd party error are much more

likely to result in severe damage than any other human error, but are less likely to result in total loss than

any other type of human error. All other categories of human error are close to average in the number of

incidents that result in total loss of equipment.

3.3.1.2 Equipment Error or Unknown Cause and Equipment Damage

Table 3.10 shows the number of accidents for each degree of damage for accidents that were not

caused by human error. In comparison to the data from the accidents caused solely by human error, the

Human Error insignificant/ no damage

minor damage

significant damage

severe damage

total loss

Unsafe Act/No Procedure 284 36 25 11 22

Unsafe Procedure 219 41 31 15 12

3rd Party Error 19 17 26 19 1

Improper Design 42 8 10 2 4

Human Error Insignificant/ no damage %

minor damage %

significant damage %

severe damage %

Total loss %

Unsafe Act/No Procedure 75.1 9.5 6.6 2.9 5.8

Unsafe Procedure 68.9 12.9 9.7 4.7 3.8

3rd Party Error 23.2 20.7 31.7 23.2 1.2

Improper Design 63.6 12.1 15.2 3.0 6.1

trend seems to be that accidents not caused by human error have a higher likelihood of causing more

equipment damage. The two most severe categories: “Total Loss” and “Severe Damage” are make up

15.7% of all non-human error accidents, while human error accidents result in these categories close to

10.9% of the time. The more moderate damage category – “Significant Damage” represents 16.3% of all

accidents not caused by human error and only 10.8% indicated as being caused by human error. Accidents

which caused minimal damage – those in the “Minor Damage” or “Insignificant” categories make up 68%

of accidents caused by other errors and 78.2% of accidents that were a result of human error.

Table 3.10 Number of Accidents Caused by Equipment Error or with No Indicated Cause Per Degree of Damage

Degree of Damage Number of Accidents % of total accidents

Insignificant/No Damage 2034 52.0

Minor Damage 624 16.0

Significant Damage 637 16.3

Severe Damage 366 9.4

Total Loss 247 6.3

3.3.2 Fatalities and Injuries

Another way to gauge the severity of an incident is to count the number of injuries to crew as

well as fatalities. The next sections display the effects of human error on the number of fatalities or

injuries that occurred due to an accident.

3.3.2.1 Human Error and Fatalities or Injuries

Table 3.11 displays the number of fatalities and injuries that occurred due to each type of human

error cause.

Table 3.11 Number of Fatalities and Injuries Per Category of Human Error

Human Error fatalities injuries

Unsafe Act/No Procedure 277 231

Unsafe Procedure 156 75

3rd Party Error 0 1

Improper Design 126 3

Act of War 1 1

Other 1 3

Sabotage 0

total 561 354

There is one important fact to be noted when using the data in table 3.11. For three of the human

error causes, a large number of the fatalities or injuries occurred during a few singular accidents. In the

Unsafe Act/No Procedure category, 164 of the 277 fatalities and 60 of the 231 injuries occurred in the

Piper Alpha disaster that occurred in the 1988 in the North Sea. Eighty-one of the fatalities in the category

were caused in another accident involving the capsizing of the Glomar Java Sea drill ship off the coast of

China in 1983. Also, 91 of the 156 fatalities in the Unsafe Procedure category occurred due to the

capsizing of the Seacrest drillship in the Gulf of Thailand in 1989. Finally, 123 of the 126 fatalities due to

improper design occurred in the Alexander Kielland disaster in the North Sea in 1980. While these

accidents do add fatalities and injuries to these categories and should not be disregarded, it is important to

note that they can skew the data if not properly considered. Table 3.12, displays the number of accidents

that were indicated as being caused by each type of human error that resulted in either a fatalities or

injury. Also, table 3.13 displays the percentage of each type of human error accidents that resulted in

either a fatality or an injury. These two tables may be useful in determining how human error affects more

serious accidents.

Table 3.12 Number of Accidents Resulting in fatalities or injuries per human error cause category

Human Error Type number of accidents resulting in fatalities

number of accidents resulting in injuries

Unsafe Act/No Procedure 21 30

Unsafe Procedure 27 28

3rd Party Error 0 1

Improper Design 3 2

Act of War 1 1

Other 1 2

Sabotage 0 0

Table 3.13 Percentage of Human Error Accidents resulting in either a fatality or injury

Human Error % of accidents

Unsafe Act/No Procedure 13.5

Unsafe Procedure 17.3

3rd Party Error 1.2

Improper Design 7.6

Act of War 28.6

Other 50

Sabotage 0

3.3.2.2 Equipment Error or Unknown Cause and Fatalities or Injuries

In previous sections, the report has examined the differences between data that was indicated as

being caused by human error and data that was not. Due to the nature of the WOAD software, there is no

straight forward way to determine the number of accidents that are caused due to non human error related

incidents. Therefore, this comparison has been excluded from the report.

3.4 The WOAD as a source of data for HEPI and SLIM

As was discussed in section 1.1, work has been done in an attempt to quantify human error

probabilities in offshore emergency muster scenarios. This work is outlined in “HEPI: a new tool for

human error probability calculation for offshore operation” (Khan et al., 2006) and “Determination of

human error probabilities for offshore platform musters” (DiMattia et al., 2005). This study uses an expert

judgment technique to elicit human error data for the different muster steps during emergency scenarios.

The expert judgment technique that is the focus of this work is the Success Likelihood Index

Methodology. Because the SLIM technique uses a panel of expert judges to make subjective decisions

about offshore muster scenarios in an objective a manner as possible, the model must be validated with

empirical data. This section of the report reviews the WOAD as a possible source for this empirical data.

3.4.1 Muster Data

The WOAD contains a section that is dedicated to evacuations. The WOAD technician can

choose to specify the type of evacuation, number of crew evacuated, and the mode of evacuation for each

incident. There are three types of evacuations that the WOAD technician may specify: “Successful

Evacuation”, “Unsuccessful Evacuation” and “Mustered – ready to evacuate”. Table 3.14 displays the

number of each type of evacuation for each type of human cause. The “Act of War”, “Sabotage” and

“Other” categories have been excluded from this table due to lack of data. Table 3.15 displays the

percentage occurrence of each evacuation type for each human error cause.

Table 3.14 Frequency of Evacuation Types per category of human error

Human Error Successful evacuation Unsuccessful evacuation Mustered - ready to evacuate

Unsafe act/no procedure 12 7 17

unsafe procedure 16 6 7

3rd party error 2 0 1

improper design 9 1 1

Table 3.15 Percentage of Evacuation Types per category of human error

These preceding tables clearly show that successful evacuations are more common than

unsuccessful evacuations for all types of human error. The Mustered – Ready to evacuate category may

lead to confusion, however, because it may be classified as a success in the context that no evacuation

was required. It is important to note, also, that these classifications apply only to the end result of an

evacuation of a muster and do not tell us what happened during each separate muster step.

3.5 Applicability of WOAD data to SLIM and HEPI

There are issues with the applicability of this data for the SLIM work. It is evident from Table

3.14 that there is a much smaller amount of data relating evacuations to human error than other types of

previously discussed data, which can lead to reliability issues. Also, when searching the WOAD data, the

user can only specify the overall outcome of the evacuation or muster, which doesn’t always adequately

reflect what occurred during each muster step. The only clues we have as to what may have occurred in

each muster step exist in the free text section of the accident form, which is often written with minimal

detail. Because the SLIM work aims to determine the human error probability of each separate muster

step, the WOAD is not detailed enough to supply enough empirical data to validate the accuracy of the

SLIM model. However, since the WOAD is currently the best source of offshore data available, it may be

required to change the methods of offshore muster reporting in order to collect sufficient data for the

project.

4.0 Conclusion While the WOAD is the most comprehensive database of offshore accident reports that exists

today, it is not particularly useful when looking for human error data. This is due to a variety of factors,

Human Error successful evacuation %

Unsuccessful evacuation %

Mustered - ready to evacuate

%

Unsafe act/no procedure 33.3 19.4 47.2

unsafe procedure 55.2 20.7 24.1

3rd party error 66.6 0.0 33.3

improper design 81.8 9.1 9.1

including lack of detailed human error reports, and the fact that there is only one section of the WOAD

devoted to human error.

For the HEPI and SLIM projects, WOAD will not prove to be very useful. While the WOAD

does have some data pertaining to muster situations and human error, there is not enough detail in these

reports to get a good estimate of the probability of human error during each separate muster steps.

The WOAD may be more promising for future projects, depending on their goals. There is a

moderate amount of human error data available, but only for the initial cause of the accident. The level of

detail available in most accident reports is just too low to be used in very specific studies such as HEPI.

Therefore, for the WOAD to be useful in future projects, they should focus on how human error as the

initial accident cause.

5.0 Recommendations 1) For the current HEPI and SLIM projects, different sources of human error data should be explored in detail. This may include other databases and industry reports.

2) If WOAD is used in further research project pertaining to this human error, the project should focus on human error as the initial cause of an accident.

References

Alambets, A. (2008). Comparing three quantitative human reliability assessment techniques with application to emergency scenarios on offshore oil and gas platforms. Process Engineering Department, Dalhousie University, Halifax NS.

Alambets, A. (2008). Sources for human error data and industry cooperation. Process Engineering Department, Dalhousie University, Halifax NS.

Bligh, D. (2007). Review of the WOAD as a Quantitative Safety Assessment Tool. Process Engineering Department, Dalhousie University, Halifax, NS.

DiMattia, D.G., Khan, F.I., & Amyotte, P.R. (2005). Determination of human error probabilities for offshore platform musters. Journal of Loss Prevention in the Process Industries, 18, 488-501.

Khan, F.I., Amyotte, P.R., & DiMattia, D.G. (2006). HEPI: A new tool for human error probability calculation for offshore operation. Safety Science, 44, 313-334.

Kirwan, B. (1996). The validation of three human error reliability quantification techniques – THERP, HEART and JHEDI: Part 1 – technique descriptions and validation issues. Applied Ergonomics, 27, 359-373.

Appendix 5

Procedural HAZOP Report

Procedural HAZOP Analysis of Muster Procedure on Offshore Oil Platforms

Travis Deacon



September 10, 2008

Introduction

Current research is exploring the issue of human reliability during emergency situations in marine environments. This is measured in terms of risk of human error. Risk is a function of the frequency of error and the severity of the consequences of error (Cameron & Raman, 2005). All types of oil platforms are studied. Expert judgement techniques in the assessment of human error probabilities (HEPs) have been reviewed and adapted by the research team. Knowledge of consequences of error during emergencies is also required in assessing the risk of human error.

Procedural HAZOP

The muster procedure has been separated into 18 steps by DiMattia (2004). They are shown in tables 1-18 below in the form of procedural HAZOPs (Cameron & Raman, 2005). Each table describes possible failures, the consequences of each failure, and all possible safeguards. The consequences of failure for each step are assumed to be independent for this analysis. Consequences and safeguards are adapted from Di Mattia (2004) and Marchand (2005). Further research will determine if dependency analysis is required. These safeguards are categorized in terms of the hierarchy of safety (Amyotte et. al, 2007). Literature reviews suggest that tables normally list standard safeguards, with risk reduction recommendations in another column or section. The HAZOP has been modified by separating the safety barriers into prevention barriers and mitigation barriers as defined for bow-tie analysis (Cameron & Raman, 2005). This is done to show the importance of inherent safety in safety management systems. It was also done this way in hopes of using bow-tie models directly in the human factors consequence analysis. Risk mitigation measures will develop from the list of potential safeguards. Prevention barriers are safeguards that prevent failure from occurring through reduction of error probabilities. Mitigation barriers are safeguards that mitigate the consequences when a failure occurs. In this way, risk mitigation measures can be categorized in terms of reduction of frequency of incidents or control of consequences. This will help in rating the value of a particular safety measure in terms of impact and cost to implement. Further work will yield a hierarchical list of design improvements based on these ratings.

Table 1: Detect alarm HAZOP

Guideword Description Consequence Prevention Barriers Mitigation Barriers

No Operator does not hear alarm/alarm not sounded

Injury/loss of life Entrapment in a

dangerous area, difficult to be rescued

Delay of time to muster

Inherent

Elimination of obstructions near alarms

Minimal number of loud machines on board

Minimal number of electrically dependent alarms

Active Engineered

Alarm systems strategically placed to cover all areas

Redundancy through both audio and visual enunciation

Push-button alarms in strategic locations

Procedural

Personnel equipped with two-way radios

Review of new technology, applications and standards

PM, testing, severe-weather monitoring

Personnel familiarized with alarms

Muster training at infrequent intervals

Enlisting of feedback on alarm effectiveness

CCR operators trained to limit and remove inhibits ASAP

Procedural

Buddy system for new personnel

New personnel identified with different coloured clothing

Experienced personnel trained to assist others as identified

Part of -

Other than -

Late Operator does not hear alarm immediately


Loss of life Loss of critical

time to respond to problems that initiated the alarm

Entrapment in a dangerous area, difficult to be rescued

More -

Early -

Before/After -

Table 2: Identify alarm HAZOP

Guideword Description Consequences Prevention Barriers Mitigation Barriers

No Operator ignores/cannot identify alarm




Inherent

Elimination of equipment that could drown out alarm

Minimal amount of hazardous materials in each area, preventing danger and false alarms

Minimal number of types of alarm noises to efficiently convey situation

Simple alarm signals Elimination of nuisance

alarms by restricting to control room

Active Engineered

Alarm systems strategically placed to cover all areas

Redundancy through both audio and visual enunciation

Procedural

Review of systems and technological advances

Alarm key next to station bills to help identify alarms

Procedure includes PA announcement ASAP


Alarm list provided to all personnel

Competency testing Recordings of alarms

available to refresh memory

Muster training at infrequent intervals, including distinguishing between alarms

Procedural



Experienced personnel trained to assist others

Part of Operator realizes an emergency but cannot identify situation

Other than Operator incorrectly identifies alarm

The use of wrong emergency procedures, endangering all personnel on board

Activation of incorrect shut-off systems, delaying time to production start-up, creating a new problem

Late Operator fails to identify alarm within short time




More -

Early -

Before/After Operator identifies alarm in later step


Activation of incorrect shut-off systems, delaying time to production start-up, creating a new problem

Table 3: Act accordingly HAZOP


No Operator does not act accordingly

Loss of life Loss of expensive

equipment Larger disaster if

wrong processes are implemented

Inherent

Elimination of obstructions near emergency exits

Substitution of hazardous material with safer material

Minimization of similar escape plan options

Simple emergency instructions

Procedural

Small, easy to read instructions for alarm situations provided

PA announcement ASAP after alarm initiation


Competency testing Muster training at

infrequent intervals Feedback after training

exercises Behavioural testing to

determine panic potential

Procedural




Part of -

Other than -

Late Operator takes extended time to gain composure/act accordingly

Loss of life Loss of expensive

equipment

More Operator overcompensates for gravity of situation

Loss of life

Early -

Before/After Operator does not act accordingly until later steps

Loss of expensive equipment

Larger disaster if wrong processes are implemented

Table 4: Ascertain if danger is imminent HAZOP


No Operator does not take time to ascertain level of danger


Larger disaster if wrong processes are implemented

Inherent

Elimination of obstructions near emergency exits

Minimal number of dangerous chemicals/potential hazards in each area

Procedural

Informative warning systems which indicate type and location of muster initiator


Muster training that teaches POB to ascertain danger levels

CCR operators trained to issue PA announcements that provide information on the severity of the muster

Competency testing Behavioural testing to


Inherent

Minimal distance between personnel and personal safety equipment

Machines used instead of humans in areas of higher risk

Simple shut-off valves, kill switches, control systems, etc.

Active Engineered

Automated shut-down systems when alarm initiated

Procedural



Part of Operator does not take enough time to ascertain imminence of danger

Injury/loss of life Entrapment

within a dangerous area, difficult to be rescued

Decrease in amount of time coworkers have to egress


Other than -

Late -

More Operator takes extended time to ascertain imminence of danger

Injury/loss of life

Entrapment within a dangerous area, difficult to be rescued

Decrease in amount of time coworkers have to egress

Early -

Before/After Operator ascertains danger after mustering



Table 5: Muster if in imminent danger HAZOP

Guideword Description Consequences Prevention barriers Mitigation barriers

No Operator does not muster in imminent danger/fails to muster



Decrease in the amount of time one has to successfully muster

Inherent

Elimination of mud on deck

Minimal space between workers and emergency exits

Passive Engineered

Skid-proof materials on decks

Procedural

Escape plans that outline less hazardous routes

Muster procedure located on opposite side of station bill card

Muster procedure that includes PA announcement updating muster status


Muster training that teaches POB to ascertain and act upon danger levels

CCR operators trained to issue PA announcements with instructions during muster



Procedural



Part of -

Other than -

Late Operator does not muster immediately in imminent danger

More Operator musters even if danger is not imminent



Early -

Before/After Operator musters after making workplace safe, even in imminent danger

Injury/loss of life

Entrapment within a dangerous area, difficult to be rescued


Table 6: Return process equipment to safe state HAZOP


No Operator does not return process equipment to safe state


Personal injury Failure of

machinery in other parts of the platform, more personnel at risk

Decrease in amount of time personnel within the TSR have to escape if machinery involved could pose a catastrophic threat

Damage to systems in other parts of the platform

Inherent

Elimination of gas-powered machinery on board

Minimal number of computers controlling one machine

Simple machinery controls

Passive Engineered

Passive systems to protect individuals in process area from extreme weather/danger (blast walls, wind covers)

Active Engineered

Active safety systems to protect individuals during work activities (i.e. deluge)

Procedural

Proper equipment labels to avoid mistakes in actions while making workplace safe (i.e. wrong valve)


Inexperienced individuals teamed with experienced individuals for a defined period of time

Pre-job safety discussions

Muster training that requires return of process equipment to safe state



Inherent

Minimal inventory of gas and fuel on board

Minimal pressures and amounts of hazardous materials in machines

Active Engineered

Automatic shut-down sequence on alarm initiation

Procedural



Part of Operator does not fully return process equipment to safe state

Other than Operator changes equipment to more unstable state

Late Operator takes excessive time to return process equipment to safe state

More Operator changes process equipment to an unnecessary state

Activation of incorrect shut-off systems, delaying time to production start-up, or possibly creating a new problem

Early -

Before/After Operator returns process equipment to safe state before ascertaining imminence of danger




Table 7: Make workplace as safe as possible in limited time HAZOP


No Operator does not make workplace safe

Endangering other personnel attempting to egress to TSR

Injury

Inherent

Simple fireproof and explosion-resistant doors, easier to close and lock

Simple shut-down procedures for machinery

Passive Engineered

Passive systems to protect individuals in the process area from extreme weather/danger

Active Engineered

Active safety systems to protect individuals during work activities (i.e. deluge)

Procedural

Proper labels on equipment to avoid mistakes


Inexperienced individuals teamed with experienced personnel for a defined period of time

Pre-job safety discussions

Muster training that places individuals in specific tasks requiring making workplace safe



Inherent

Minimal use of toxic, allergenic, hazardous materials on board

Procedural



Part of Operator makes workplace safer, but not as safe as possible with available time in step

Other than Operator makes workplace less safe

Late Operator takes extended time to make workplace safe

Putting oneself at risk if it takes too long to make workplace completely safe




More Operator makes workplace safer than necessary

Early -

Before/After Operator makes workplace safe before ascertaining imminence of danger

Table 8: Listen and follow PA announcements HAZOP


No Operator does not hear/follow PA announcements

Choosing wrong safety procedures, endangering all personnel

Miscommunication between personnel and decrease in time to successfully complete muster

Injury/loss of life

Inherent

Substitution of electrically dependent PA systems with independent sources of power

Minimal machinery that generates significant noise

Simple and short announcements

Simplified use of PA systems

Passive Engineered

Loud machinery enclosed behind soundproof materials

Procedural

PA systems placed to ensure coverage in all areas

PA system design reviews


Limited work during poor weather

Muster training that emphasizes quality PA announcements from CCR

Muster training that uses PA announcements to test POB



Procedural




Part of Operator does not hear full announcement

Other than -

Late Operator does not immediately adhere to announcements

Injury/loss of life

More -

Early -

Before/After -

Table 9: Evaluate potential egress paths and choose route HAZOP


No Operator does not choose egress route/chooses without evaluating paths




Inherent

Short, coherent instructions

Minimal but adequate number of paths to choose, clearly marked throughout path

Simple emergency exit plans

Passive Engineered

Photo-luminescent tape markings in case of power loss

Active Engineered

Illuminated signage and emergency lighting

Procedural


Station bills signage strategically located to show route to TSR

Plastic cards for personnel showing egress routes

Muster training that blocks egress paths forcing route evaluation

Conduction of observations that provide constructive feedback to POB

Individuals trained to recognize danger signs that indicate areas of low tenability



Inherent

Elimination of toxic/hazardous chemicals near paths

Procedural



Experienced personnel trained to assist others as defined

Part of Operator does not evaluate potential for paths to degrade/chooses a safe path but not the safest

Other than -

Late Operator takes excessive time to evaluate potential egress paths

More -

Early -

Before/After -

Table 10: Move along egress route HAZOP


No Operator does not move along egress route




Inherent

Elimination of tripping hazards

Minimal number of centrifuges, heat exchangers and gas compression facilities near walkways and tunnels

Substitution of stairs for elevators

Minimal time that personnel work in secluded areas

Passive Engineered

Open but protected walkways

Egress paths clearly labelled, signage photo-luminescent

Skid-proof materials on decks

Active Engineered

Emergency lighting Procedural



Training to move along process units in a controlled fashion under a simulated compromised situation



Procedural




Part of Operator proceeds but does not complete egress

Other than -

Late Operator moves too slow along egress route

More -

Early -

Before/After -

Table 11: Assess quality of egress route while moving to TSR HAZOP


No Operator does not assess quality of egress route

Issuing wrong procedures to personnel trying to egress

Issuing poor assessment of danger posed to personnel, causing assumption that the situation is less severe than it actually is

Inherent

Simple workplaces, minimizing stress

Short Shifts Active Engineered

Well-ventilated areas to reduce smoke

Warning systems that provide feedback on local area and egress tenability

Procedural


Plastic station bill cards for each individual showing egress route to TSR


Conduction of muster observations that permit constructive feedback to POB

Individuals trained to recognize danger signs that indicate areas are of low tenability



Procedural




Part of Operator partially assesses quality of egress route

Other than -

Late -

More Operator puts too much time and effort into assessing quality of egress route




Early -

Before/After -

Table 12: Choose alternate route if egress path is not tenable HAZOP


No Operator does not choose alternate path if current path is not tenable




Inherent

Minimal number of similar escape routes

Simple egress instructions for each area of the rig

Minimal amount of equipment on/over walkways

Elimination of gas storage facilities near egress routes

Passive Engineered

Non-skid surfaces, walkways clearly marked with photo-luminescent tape

Active Engineered

Emergency lighting Warning systems that

provide feedback on local area and tenability of egress paths

Procedural


Station bill card for each POB showing egress routes

Egress route signage at strategic locations

Muster training that blocks egress paths

Muster observations that permit constructive feedback

Train individuals to recognize signs of low tenability



Procedural

Inexperienced individuals paired with experienced personnel for a defined period of time



Part of -

Other than -

Late Operator does not choose alternate paths before current route becomes unsafe

More Operator repeatedly chooses alternate paths


Early Operator chooses alternate route before current route is not tenable

Before/After -

Table 13: Collect personal survival suit if in accommodations at time of muster HAZOP


No Operator does not collect personal survival suit if in accommodations

Increase in potential injury/loss of life

Minimization of amount of time person has to abandon platform

Inherent

Elimination of material blocking paths to survival suits

Minimal distance between personnel in accommodations and survival suits

Simple, well-fitting suits that are easy to put on and use

Minimal number of redundant fasteners on suits

Simplified safety devices on suits

Procedural


Survival suits placed near exits of accommodations

Individuals trained to ensure immediate muster from accommodations while collecting one survival suit



Procedural

Adequate number of TSR survival suits for all POB

Inexperienced individuals paired with experienced personnel for a defined period of time



Part of -

Other than Operator collects other items instead of survival suit

Late -

More Operator collects multiple survival suits




Early -

Before/After -

Table 14: Assist others if needed or as directed HAZOP

Guideword Description Consequence Prevention barriers Mitigation barriers

No Operator does not assist others in need or as directed

Injury/loss of life Hindering of a

stranded co-worker's ability to successfully complete the muster

Inherent

Elimination of language barriers

First aid kits distributed in every area, dependent on level of hazard

Moderate number of people in each area to reduce congestion

Active Engineered

Warning systems that provide feedback on local area and egress path tenability

Procedural


Muster training that uses situations where POB need assistance


Individuals trained to recognize others that require help during muster



Procedural

Survival suits that protect against explosion and debris as well as cold




Part of Operator begins to assist others but does not complete

Other than Operator hinders others

Late Operator does not assist immediately

More Operator continuously seeks others to assist, attempts to help those who are already being assisted




Early -

Before/After -

Table 15: Register at TSR HAZOP


No Operator does not register at TSR

Miscommunication Unnecessary

rescue attempt, putting more lives at risk

Inherent

Multiple registration stations to minimize line-ups

Minimal number of people in each registry location for ease of evacuation

Active Engineered

Battery operated registry system in case of power failure

Swipe card registration system

Procedural

Signage in TSR reminding all individuals to register immediately

Individual responsible for head count trained to prompt POB to register



Active Engineered

Tracking device on all POB

Procedural




Part of Operator begins registration task but does not complete

Other than -

Late Operator arrives at TSR but does not immediately register

More Operator registers multiple people at TSR

Miscommunication Endangering

personnel who have not yet completed muster Early Operator instructs

someone else to register for operator before they arrive

Before/After -

Table 16: Provide pertinent feedback attained while en route to TSR HAZOP


No Operator does not provide feedback

Implementation of incorrect procedures

Delaying movement of co-workers along egress paths/ endangering co-workers attempting to egress

Procedural

Telephone link to OIM or CCR personnel to provide feedback

Signage in TSR reminding individuals to register upon entry during a muster




Muster training to include opportunities for information transfer in the TSR



Procedural



Part of Operator gives inadequate feedback

Other than -

Late Operator does not provide feedback immediately

More Operator provides excessive feedback

Delaying announcement of instructions over PA

Endangering co-workers attempting to egress

Early -

Before/After -

Table 17: Don personal survival suit or TSR survival suit if instructed to abandon HAZOP


No Operator does not don survival suit if instructed to abandon

Injury/loss of life Decrease in

amount of time it takes to become hypothermic

Loss of protection from elements

Inherent

Substitute survival suits with low-weight models to allow mobility

Minimize number of suits in different sections of each area

Procedural

POB-fitted suits with nametags

Suits stored for easy retrieval

Signage in TSR reminding individuals to register upon entry

Diagrammatic instructions on how to don survival suit in TSR

Written procedure on how to don suit in TSR

Muster procedures designed so that a team approach is taken to donning survival gear, reducing competition for space


Muster training to include donning of survival suits




Part of Operator incorrectly dons survival suit

Other than -

Late Operator dons survival suit later than instructed

Minimization of amount of time to abandon platform

More -

Early Operator dons survival suit during egress/before instructed to abandon




Before/After -

Table 18: Follow OIM's instructions HAZOP


No Operator does not follow OIM's instructions

Endangering co-workers

Decrease in time to escape

Inherent

Elimination of loud machinery around and inside TSR

Multiple exits to helicopter pad, all clear of obstruction

TSR located as close as possible to helicopter pad

Speaker system that can run during a power outage

Simple PA system in case OIM must instruct another individual to make announcements

Procedural

Personnel familiarized with TEMPSC and other survival/evacuation equipment

Checklist in TSR reminding POB of prerequisites prior to evacuation

Conduction of TSR muster observations that permit constructive feedback to POB

Muster training to include opportunities for evacuation staging

Procedural




Part of Operator only partially follows instructions

Other than -

Late Operator follows OIM's instructions at a later moment

More -

Early OIM gives instructions conditional on further instructions, and operator does not wait

Before/After -

Discussion

The majority of potential safeguards during the muster are inherent and procedural. This will lead to difficulty in quantifying failure potentials of these safeguards. Originally, fault tree, event tree and bow-tie logic were reviewed in hopes of using these tools in quantitative consequence analysis. The results of qualitative analysis and a literature review (HSE 2002) suggest that these methods are not well-defined for human error analysis. They are currently under review to determine if they may have a use in quantitative consequence analysis. It may even be helpful to use them simply to show the relationship between muster steps. Literature review for a method to quantify consequences from a human error perspective is ongoing.

Expert judgement may be an option. By rating qualitative descriptions of consequences on a scale of 1 to 5 and eliciting feedback, a relative quantification of consequences can be determined. It may also yield insight into the severity of consequences these consequences. These consequences would be rated in terms of each of health, equipment, egressability, muster initiator and effects on other POB (DiMattia, 2004).

The results of consequence rating could be used in a risk matrix, combined with human error probabilities. One side of the matrix would have the qualified consequences, while the other side would have human error probability ranges. This is necessary for the purpose of the risk matrix. The steps for each muster initiator could be ranked from this matrix by level of risk. Potential problems that could result would be a number of muster steps ranked equally in risk, due to the qualitative ranges of consequences. This would make developing a hierarchy of risk mitigation measures difficult, as there would be many muster step ratings of equal risk. A method of quantifying consequence frequency may control this effect. A bow-tie model developed around the ‘failure to muster’ event may still be useful. However, there are barriers to this type of quantification. An example is the subjectivity of reliability analysis of the safety measures, in particular inherent and passive safety measures. Another barrier is the subjectivity of evaluating the 18 muster steps in terms of an overall ‘failure to muster’ event. It may be more logical to evaluate each muster step individually. Literature is being reviewed in hopes that it will point to a method that produces quantified consequences in a practical form.

Conclusion

Consequences of failure to complete specific muster steps are similar, and most safeguards fall in the inherent and procedural categories of the hierarchy of safety. The next step is further developing this analysis to yield a practical tool to rate consequences and safety barrier performance. Quantification of barriers would be a subjective analysis, with a high degree of uncertainty. Risk matrices can be developed from a qualitative evaluation of consequence severity. Further review will determine the most practical approach to consequence analysis in terms of risk evaluation and mitigation.

References

Amyotte, P., Goraya, A., Hendershot, D., Khan, F., Incorporation of Inherent Safety Principles in Process Safety Management, Process Safety Progress, vol. 26, no. 4 (2007), 333-344.

Cameron, I., Raman, R., Process Systems Risk Management, vol 6, Elsevier Academic Press, San Diego, 2005.

DiMattia, D., Human Error Probability Index for Offshore Platform Musters, PhD Thesis (2004), Dalhousie University.

HSE, “Marine Risk Assessment”, Offshore Technology Report OTO 2001 063 (2002), Health & Safety Executive.

Marchand, N., Co-op work term report (2005), Dalhousie University.

Appendix 6

Empirical Data Solicitation Report

Report on Empirical Data Solicitation Efforts within Atlantic Offshore Oil Industry

Travis Deacon



September 10, 2008

Currently the research team has no empirical data to compare with the human reliability analysis techniques developed for the project. One of the objectives for the PRAC research is to use industry-specific data in human factors modelling. To accomplish this, PRAC representatives gave the team two contacts, one from Husky Energy and one from Petro-Canada. The research team is seeking data to validate the SLIM expert judgement technique used to determine human error probabilities for each of the muster steps as defined by DiMattia (2004). Empirical failure rates for each muster step were sought. These can be Post-drill/incident interviews with POB to determine what steps were most difficult to complete, and where errors occurred. Checking workstations and process equipment to determine if they were made safe would also contribute to collection of error rates.

Petro-Canada was contacted on two occasions, May 29 2008 and July 2 2008. On the first occasion, the representative expressed interest in helping with research but was concerned that Petro-Canada’s FPSO incident and drill reports would be of little use. The representative indicated that if another company determined a method to help the team with empirical data, they would be open to exploring a similar agreement. On the second occasion, they expressed discomfort giving reports to the team that they believe have little relevance to the research, or to have us inspect them to determine what we can use. It was explained that empirical data was part of a request for facility-specific research by PRAC in approving project funding. This would require cooperation with Atlantic industries in searching for data, and PRAC had given Petro-Canada’s contact information for this purpose. They explained that successful/unsuccessful muster reporting is a one- or two-line component in a much larger and more comprehensive emergency scenario drill that would not be useful to us. It was explained that the current project will extend beyond muster scenarios into more general yet plausible scenarios and the data from drill reports would be useful for this as well. They expressed a desire to help with the research, but did not feel that the extent to which the reports would aid would be worth allowing us to read them or Petro-Canada to sensitize them. They explained that if useful information from another operator that the team is in contact with could be found, they would be interested in knowing what kind of information was acquired. This would help Petro-Canada determine how to best help the PRAC research while maintaining the company’s privacy.

Email and telephone messages to the Husky representative were not returned. During the PRAC Offshore Safety Conference, contact was established with another Husky representative. They expressed interest in the human factors research and aiding in it. Journal articles were emailed to the representative that outlined the direction of the project. They replied that a meeting would be set up to discuss Husky’s

participation once they were able to study the journals. Currently, the representative is in contact with the research team at Memorial.

The Worldwide Offshore Accident Database (WOAD; Bligh, 2007) is also being analyzed for potential use in the human factors research. The results of this analysis can be found in a separate report.

References

Bligh, D., Review of the WOAD as a Quantitative Safety Assessment Tool, Co-op work term report (2007), Dalhousie University.


Appendix 7

Consequence Analysis Report

Consequence Analysis and Risk Evaluation of Human Error in Offshore Emergency Situations

Travis Deacon



Nov. 24, 2008

Introduction

The use of emergency procedures is the primary safety barrier in an emergency situation on offshore installations. The importance of shut-down, muster and evacuation can be seen in the inquiries of past disasters in the offshore industry (Moan et al., 1981; Robertson & Wright, 1997; US Coast Guard, 1983; Vinnem, 2007). The objective of this research was to assign a severity value to the consequences of failing to complete specific muster steps based on the given muster initiator. This is done in a consequence table, which, combined with probability data, allows the use of a risk matrix to determine the risk level for each step. It also reveals the areas where consequence control can be most beneficial. The safety measures that affect consequences, known as mitigation barriers, can be incorporated with improved focus using this model. Potential consequences were recorded in a procedural HAZOP. The consequence table developed here relates these potential consequences to specific muster situations. Incident reports and public inquiries from industry were used to rate the consequences.

Consequence Table

When the project was undertaken, a measureable value of the consequences of failure to complete each individual muster step was desired. The lack of muster drill data, as well as information on failure rates of inherent and procedural safety measures, prevents a viable quantitative result. It was then decided that a table assigning a severity value as the consequence of failure to complete a muster step would be the most viable option in pursuing consequence analysis.

The consequences were rated across four categories: effect on individual health, effect on the ability to complete the muster, effect on the severity of the muster initiator and effect on other personnel on board (POB). Table 1 shows the legend of the consequence table, with a description for each category and severity of consequence. This table is adapted from DiMattia (2004).

Table 2: Consequence categories and severity descriptions

Severity Health Egress Muster Initiator Other POB

1 Zero Injury Zero delay Zero effect Zero effect

2

Likely to result in Minor Injury

Slightly delays reaching TSR or completing TSR actions

Raises muster initiator to a level that causes minor delays in reaching TSR

Slightly to Moderately delays others from reaching TSR or completing TSR actions

3

Likely to result in Major Injury

Moderately delays reaching TSR or completing TSR actions

Raises muster initiator to level that causes moderate to long delays in reaching TSR

Prevents others from reaching TSR or completing TSR actions

4 Likely to result in Fatality

Prevents reaching TSR or other safe refuge

Raises muster initiator to severity where muster is no longer possible

Prevents others from reaching TSR or having a dry evacuation

The present work evaluated the consequence severities for three muster initiating events- a man overboard incident, a gas release and a fire and explosion. The consequences are evaluated for each step in the muster. Steps are as determined through hierarchical task analysis (HTA) by DiMattia (2004). Incident reports and accident investigations from the offshore industry were collected as a method of empirical evaluation of consequence severities. Incident reports were particularly useful for the man overboard muster initiator. A collation of incident reports from the UK Continental Shelf from five databases, including WOAD and ORION, was undertaken by Det Norske Veritas (DNV; 2007, 2007a). These reports had very little data, often only one or two sentences describing each incident. Some incident reports did not even specify whether or not the individual who had fallen overboard had survived the incident. Of those who had survived (and several did not), their survival was mainly attributable to a safety harness, life rings thrown out by nearby operators, fast rescue craft (FRC) retrieval or by swimming to the platform leg they had fallen or been washed from and being pulled from the water by nearby operators. The information did, however, reveal two important patterns: the necessity of speed in rescuing the fallen from the water, either by rescue equipment and operators on location at the time of the incident, or by timely activation of and action by the FRC of a nearby standby vessel (SBV), and; the low severity of consequences of failure to complete most of the muster steps, with exception to assisting others as needed (see Table 2). This second observation is based on the assumption that the operator who

has fallen overboard is considered in the ‘Other POB’ consequence category, and that an individual will only have enough time to assist the overboard operator if they witnessed the incident or are nearby.

Events that fall within the muster initiators above or events that have relevant generic data to specific muster steps (failing to don survival suit, for example) were examined for possible causes of negative consequences. They were also compared with other events that had less severe consequences. An example of this method in practice comes from the US Coast Guard report on the Ocean Ranger capsize. While listing is not a muster initiator studied in the present work, the report concluded that many of the deaths were related to hypothermia from exposure to cold water. It was also mentioned that the lack of proper survival suits reduced the casualties’ resistance to hypothermia to a matter of minutes in the water (US Coast Guard, 1983). This was compared to accident investigations of fires and explosions, many of which resulted in a portion of the POB having a wet evacuation (Vinnem, 2007). Combining these two sources show that it is reasonably probable and not overly pessimistic to assign muster step 17 (don personal survival suit if instructed to abandon) a severity of 4 for the health category (see Table 4). In the same way it can be concluded from Robertson & Wright (1997) and the Ocean Odyssey disaster that failure to complete step 13 when applicable can also result in fatalities during a fire and explosion situation (see Table 4). Several POB were delayed in reaching the TSR and, as a result, the emergency lifeboats had already been launched. Previous naval training by one of the POB who had escaped in the emergency lifeboat prompted him to acquire several survival suits and lay them out on the deck in the TSR. Thanks to this action, the late arrivals were able to quickly don survival suits and survived a wet evacuation. The action is exceptional, however, and the fact that individuals’ survival may have hinged upon it shows the importance of both collecting survival suits whenever possible during a high-intensity evacuation and of having a more than adequate supply of suits.

Muster steps 9 through 12 were evaluated equally as a sub-stage of the ‘egress’ stage defined by DiMattia (2004). Incident reports and accident investigations left little distinction between these steps. It was assumed that as the basic movement from starting point to TSR is composed of all of these four steps, consequences of failure to complete each of them would be very similar. Therefore any data yielding a value for one of these four steps was assigned to them all. Piper Alpha and Ocean Odyssey investigations were useful for the gas release and fire and explosion scenarios, as they depict the conditions of both gas releases and fires. The recount of the escape to the lifeboats by the Ocean Odyssey survivors was useful in determining the immediate atmospheric conditions during egress. The air quality and noise level was attributed to difficulties in moving to the TSR. The noise level was also noted to affect the recognition of alarms. The first two steps were shown to have low consequence severities for the gas release and fire and explosion situations. Many POB from the Ocean Odyssey and Alexander L. Kielland did not detect an alarm before beginning to muster. The level of disturbance of the event initiation (the release of gas, an explosion, a severe list) was adequate in causing POB to muster, with some delay (Moan et al., 1981; Robertson & Wright, 1997). The third step, acting accordingly, has been shown to have catastrophic consequences if not completed. One particular situation, the Ekofisk A incident, is an example. What is surmised as panic following a riser rupture resulted in six individuals releasing an emergency escape vessel from its full distance above the sea. Three deaths occurred from this action, as well as an emergency lifeboat being released and incapacitated. This brought danger to the rest of the crew in a potential loss of a dry evacuation opportunity. This is shown in Tables 3 and 4 with a high severity for both the ‘health’ and ‘other POB’ categories (Vinnem, 2007).

Tables 2 through 4 show the consequences of each muster initiator with respect to the individual consequence categories. The overall consequence severity is equal to the highest severity for that step. Reducing the consequence severity of a step includes reducing the category or categories of highest severity. It does not require that all categories be reduced. As an example, to reduce the overall consequence severity from 3 to 2 for step 8 of the fire and explosion scenario, one must reduce the effect on the muster initiator to a severity value of 2. Further reducing this effect would be beneficial, but would not reduce the overall consequence severity unless the effect on egress was also reduced. By using this method of tables as a guide, greater efficiency can be produced when allocating resources to mitigation barrier improvements. Table 5 shows the overall consequence severities for the muster initiators of man overboard, gas release and fire and explosion.

Table 2: Consequence severities for Man Overboard initiator (bolded values show overall severity)

Muster Step Health

Muster Initiator Egress

Other POB Reference

1. Detect alarm 1 1 2 1 DNV,

2007;2007a

2. Identify alarm 1 1 2 1 DNV,

2007;2007a

3. Act Accordingly 1 1 2 1 DNV,

2007;2007a

4. Ascertain if danger is imminent

1 1 1 1 DNV,

2007;2007a

5. Muster if in imminent danger

1 1 1 1 DNV,

2007;2007a

6. Return process equipment to safe state

1 2 1 1 DNV,

2007;2007a

7. Make workplace as safe as possible in limited time

1 1 1 2 DNV,

2007;2007a

8. Listen and follow PA instructions

1 1 1 2 DNV,

2007;2007a

9. Evaluate potential egress paths and choose route

1 1 1 1 DNV,

2007;2007a

10. Move along egress route 1 1 1 1 DNV,

2007;2007a

11. Assess quality of egress route while moving to TSR

1 1 1 1 DNV,

2007;2007a

12. Choose alternate route if egress path is not tenable

1 1 1 1 DNV,

2007;2007a

13. Collect personal survival suit if in accommodations at time of muster

1 1 1 1 DNV,

2007;2007a

14. Assist others if needed or as directed

1 1 1 4 DNV,

2007;2007a

15. Register at TSR 1 1 1 2 DNV,

2007;2007a

Muster Step Health


Other POB Reference

16. Provide pertinent feedback attained while en route to TSR

1 1 1 2 DNV,

2007;2007a

17. Don personal survival suit or TSR survival suit if instructed to abandon

1 1 1 1 DNV,

2007;2007a

18. Follow OIM's instructions 1 1 1 1 DNV,

2007;2007a

Table 3: Consequence severities for Gas Release initiator (bolded values show overall severity)

Muster Step Health


Other POB Reference

1. Detect alarm 1 1 2 1

Moan et al., 1981 (p7,8); Robertson &

Wright, 1997(p3,4)

2. Identify alarm 1 1 2 1

Moan et al., 1981 (p7,8); Robertson &

Wright, 1997(p3,4)

3. Act Accordingly 4 2 1 4 Vinnem, 2007(p94)

4. Ascertain if danger is imminent 3 1 3 1 Vinnem, 2007(p83,89)

5. Muster if in imminent danger 3 1 3 1 Vinnem, 2007(p83,89)

6. Return process equipment to safe state 3 4 3 1 Vinnem, 2007(p

79-95)

7. Make workplace as safe as possible in limited time 1 1 1 3 Moan et al.,

1981(p156-158)

8. Listen and follow PA instructions 1 3 2 1

Robertson & Wright,

1997(p3,4)

9. Evaluate potential egress paths and choose route 3 1 3 1

Robertson & Wright, 1997

(p4,5); Vinnem, 2007(p91)

10. Move along egress route 3 1 3 1 Robertson & Wright, 1997

(p4,5); Vinnem, 2007(p91)

11. Assess quality of egress route while moving to TSR 3 1 3 1


(p4,5); Vinnem, 2007(p91)

12. Choose alternate route if egress path is not tenable 3 1 3 1


(p4,5); Vinnem, 2007(p91)

Muster Step Health


Other POB Reference


3 1 1 1 DNV, 2007;2007a

14. Assist others if needed or as directed 1 1 1 3 DNV,

2007;2007a

15. Register at TSR 1 1 1 3 Robertson &

Wright, 1997(p6,28)

16. Provide pertinent feedback attained while en route to TSR 1 1 1 3


(p4,6); Vinnem, 2007(p87)


4 1 1 1 DNV, 2007;2007a

18. Follow OIM's instructions 3 1 1 1 DNV, 2007;2007a

Table 4: Consequence severities for Fire & Explosion initiator (bolded values show overall severity)

Muster Step Health

Muster Initiator Egress Other POB Reference

1. Detect alarm 1 1 2 1

Moan et al., 1981(p7,8); Robertson &

Wright, 1997(p3,4)

2. Identify alarm 1 1 2 1

Moan et al., 1981(p7,8); Robertson &

Wright, 1997(p3,4)

3. Act Accordingly 4 2 1 4 Vinnem, 2007(p94)

4. Ascertain if danger is imminent 4 3 4 3

Moan et al., 1981(p155-

160);Robertson & Wright, 1997

(p11); Vinnem, 2007(p94)

5. Muster if in imminent danger 4 1 4 3

Robertson & Wright, 1997(p4);

Vinnem, 2007(p84,87-

89,91)


4 4 4 4 Vinnem, 2007(p

79-95)


1 1 1 3 Moan et al.,

1981(p156-158)

8. Listen and follow PA instructions 4 3 3 1

Robertson & Wright, 1997(p3,4)

9. Evaluate potential egress paths and choose route 4 1 4 1

Moan et al., 1981(p155-160);

Robertson &

Muster Step Health

Muster Initiator Egress Other POB Reference

Wright, 1997(p4,6);

Vinnem, 2007(p91)

10. Move along egress route 4 1 4 1

Moan et al., 1981(p155-160);

Robertson & Wright,

1997(p4,6); Vinnem, 2007(p91)


4 1 4 1

Moan et al., 1981(p155-160);

Robertson & Wright, 1997(p4); Vinnem, 2007(p91)


4 1 4 1

Moan et al., 1981(p155-160);

Robertson & Wright,

1997(p4,5); Vinnem, 2007(p91)


4 1 1 1 Robertson &

Wright, 1997(p16,17)


1 1 1 4 Robertson & Wright, 1997 (p7,8,18,19)

15. Register at TSR 1 1 1 3 Robertson &

Wright, 1997(p6,28)


1 1 1 4

Robertson & Wright,

1997(p4,6); Vinnem, 2007(p87)


4 1 1 1

US Coast Guard, 1983(Part I p2-4);

Vinnem, 2007 (p84,91)

18. Follow OIM's instructions 4 1 1 4 US Coast Guard,

1983(Part I p8-10)

Table 5: Consequence Table for all muster initiators

Muster Step MO GR F&E

1. Detect alarm 2 2 2

2. Identify alarm 2 2 2

3. Act Accordingly 2 4 4

4. Ascertain if danger is imminent 1 3 4

5. Muster if in imminent danger 1 3 4


2 4 4


2 3 3

8. Listen and follow PA instructions 2 3 4


1 3 4

10. Move along egress route 1 3 4


1 3 4


1 3 4


1 3 4


4 3 4

15. Register at TSR 2 3 3


2 3 4


1 4 4

18. Follow OIM's instructions 1 3 4

Risk Matrix

The ISO standard 17776 risk matrix has been developed using frequency of event occurrence and severity of consequences as factors (DNV, 2002). The standard matrix, shown in Figure 1, was adapted in this work to include human error probabilities instead of incident frequencies. This caters to the scope, analyzing the risk of human error in emergency situations. The goal of this risk matrix is to determine the risk of failure to complete a muster step by its probability of occurrence and its consequences.

Figure 1: ISO 17776 Risk Matrix (adapted from DNV, 2002)

The ISO standard 17776 is a 5 by 5 risk matrix, using five consequence severities and five frequencies. The frequency terms are descriptive in nature (i.e. event had occurred in operating company, event has occurred at location). These qualitative frequencies can be compared with the frequency index table of the risk ranking matrix developed by IMO (DNV, 2002). The frequency index descriptions are shown in Table 6.

Table 6: Frequency Index definitions for Risk Ranking Matrix (adapted from DNV, 2002)

This table was developed for marine vessels, assuming an average ship life span of 25 years. A pattern can be seen between the definitions and frequencies. For each difference of a factor of 10 in the F values, the definition also changes by a factor of 10. It can therefore be deduced, for example, that an F value of 10-2 occurrences/ship-year is equivalent to “likely to occur once per year in a fleet of 100 ships”. This results in a relation of qualitative descriptions with quantitative probabilities. The relation of these two descriptions requires a base point. The frequency 10-2 occurrences/installation-year was used. This is

defined by the frequency index as “likely to occur once per year in a fleet of 100 ships”, or “100% chance of occurring in the life of four similar ships”. Using the basis of 25 ship-years per ship lifetime from the frequency index, this second definition can be alternately expressed as a 100% chance of occurring in 100 ship-years. Dividing both of these values by the number of ships leaves a 25% chance of occurring in 25 ship-years (i.e. the life of one ship). The result is that a 10-2 occurrence/installation-year frequency is equivalent to a HEP of 0.25. This frequency was also related to frequency D in the ISO standard 17776 risk matrix. Therefore, an error that has occurred several times per year in the operating company is equivalent to a HEP of 0.25. By the same process, frequency C is equivalent to a frequency of 10-3 occurrences/installation-year, or the description “has occurred in operating company”.

The risk matrix is divided into three separate regions: the intolerable region, the tolerable only if risks are as low as reasonably practicable (ALARP) region, and the management for continued improvement region. If a muster step is found in the first region, the risk is too high to allow without reduction measures, regardless. If it is in the second region, only by showing that efforts have been made to reduce the risk and it is no longer practical to further reduce it will it be tolerated. This follows the ALARP principle. The third region shows risks that are broadly acceptable in operations and should be improved upon if it is found to be practical. Cost-benefit analysis can be used as a tool in determining practicability (DNV, 2002). Based on these tolerability criteria, HEP ranges for each region of the risk matrix were determined for each consequence severity value. The risk matrix, combined with the consequence tables and evaluated HEPs for each muster step, show where further safety efforts should be directed. The developed risk matrix is shown below in Figure 2. The matrix is divided into three colour-coded categories.

Monitor for continued improvement

Incorporate risk reducing measures

Intolerable

Consequence Rating

HEP 1 2 3 4

0.001-0.01

0.01-0.1

0.1-0.5

0.5-1 Figure 2: Human Error Risk Matrix

The category ranges were adapted from the ISO 17776 standard risk matrix (DNV, 2002). Consequence severities 4 and 5 were amalgamated from the ISO 17776 risk matrix into severity 4 of the Human Error risk matrix, with an adjustment in tolerability. Frequency B in the ISO 17776 risk matrix was taken to be intolerable for a consequence severity of 4 in the present risk matrix. In other words, it is taken as intolerable that a fatality or wet evacuation has a frequency of occurrence of several times per year in industry. This also translates to a HEP of 0.0025 or higher falling in the intolerable region. This falls in the HEP range 0.001-0.01 in the Human Error risk matrix. This entire region is therefore taken to be intolerable for a consequence severity of 4 as an added safety measure. In a similar fashion, the ISO standard 17776 risk matrix sets the boundary between the intolerable and risk reduction regions for

consequence severity 3 as frequency C, translated to a HEP of 0.025. Again, the entire HEP range of 0.01-0.1 is considered to be in the risk reduction area.

Muster step 6 of the gas release muster initiator will be evaluated as an example. From DiMattia (2004), the HEP for this step in a specified gas release scenario is taken as 0.0782. The overall consequence rating from this step in Table 3 is 4. This combination falls in the intolerable range of the human error risk matrix, as seen in Figure 3.

Consequence Rating

HEP 1 2 3 4

0.001-0.01

0.01-0.1

0.1-0.5

0.5-1 Figure 3: Example-Muster step 6 of gas release scenario

The ideal response is to introduce safety measures that move the risk one category to the left and one category upwards in the risk matrix, or two categories left, into the broadly acceptable region. The severity of the consequence at least must be reduced. Examining Table 3 reveals that the severity of 4 comes from the effect on the muster initiator. Therefore adequate safety measures must be introduced to reduce the effect of failure to complete this step on the muster initiator to a value of 3 or less as a first step. To further reduce the consequences, all three of effect on health, muster initiator and egress must be addressed. Alternatively, for the second risk reduction, safety measures could be introduced to lower the probability of human error to below 0.01. Either of these methods as a second step would bring the risk into the broadly acceptable region. Any combination of methods to move the risk of human error from an intolerable or reduce risk region into a broadly acceptable region is acceptable. Management in industry can use cost-benefit analysis to determine the most appropriate pathway in reducing risk.

Conclusion

The tables presented in this paper are part of a model for human factors assessment of emergency situations on offshore installations. These tools can reveal a picture of the risks associated with emergency situations and how to reduce them. Incident investigations from industry and incident reports from several databases, including WOAD, were used. While these results are taken from past experiences in industry, a more rigorous analysis may be possible with focus on reporting improvements of muster drill results from a human error perspective. Incident report databases provided the necessary information for the man overboard muster initiator. These reports, however, did not have the same level of detail as the incident investigations used for the gas release and fire and explosion muster initiators. There was much less detail in the incident reports than in the incident investigations. An improvement in the muster drill reporting system would significantly increase the quality of data available for consequence analysis. Further work will yield a feedback protocol for choosing the most effective safety measures and re-evaluating the risk for each muster step.

References


DNV. 2002. “Marine Risk Assessment” (Report OTO 2001 063, UK Health and Safety Executive).

DNV. 2007. “Accident Statistics for Fixed Offshore Units on the UK Continental Shelf 1980-2005” (Report RR 566, UK Health and Safety Executive).

DNV. 2007a. “Accident Statistics for Floating Offshore Units on the UK Continental Shelf 1980-2005” (Report RR 567, UK Health and Safety Executive).

Moan, T. et al. 1981. "The Alexander L. Kielland Accident" (Report NOU 1981:11, Norwegian Public Reports).

Robertson, D.H. and Wright, M.J. 1997. "Ocean Odyssey Emergency Evacuation: Analysis of Survivor Experiences" (Report OTO 96 009, UK Health and Safety Executive).

US Coast Guard. 1983. "Marine Casualty Report-Mobile Offshore Unit (MODU) OCEAN RANGER" (Report USCG 0001 HQS 82, US Coast Guard).

Vinnem, Jan E., Offshore Risk Assessment, 2nd ed. 2007. (The Netherlands: Kluwer Academic Publishers), 77-116.

Appendix 8

8th World Congress of Chemical Engineering Presentation (please see separate file)

Appendix 9

Safety Science Publication (please see separate file)

Appendix 10

44th Annual Loss Prevention Symposium Paper

GCPS 2010 __________________________________________________________________________

A Framework for Human Error Analysis of Emergency Situations

Travis Deacon* and Paul Amyotte Department of Process Engineering and Applied Science

Dalhousie University 1360 Barrington St., Halifax, NS B3J 2X4

[email protected] [email protected]

Faisal Khan and Scott MacKinnon Faculty of Engineering and Applied Science

Memorial University St. John's, NL A1B 3X5

[email protected] [email protected]

*Author to whom correspondence should be directed.

Prepared for Presentation at American Institute of Chemical Engineers

2010 Spring Meeting 6th Global Congress on Process Safety

44th Annual Loss Prevention Symposium San Antonio, Texas March 22-24, 2010

Copyright © 2010 by Paul R. Amyotte, Dalhousie University.

All rights reserved.

January 2010 UNPUBLISHED

AIChE shall not be responsible for statements or opinions contained

in papers or printed in its publications.

GCPS 2010 __________________________________________________________________________

Keywords: Human factors, Offshore emergencies, Risk analysis

Abbreviations ALARP As Low As Reasonably Practicable ARAMIS Accidental Risk Assessment Methodology for Industries EER Escape, Evacuation and Rescue FRC Fast-Rescue Craft GEP Generic Error Probability HAZOP Hazard and Operability study HEART Human Error Assessment and Reduction Technique HEP Human Error Probability HRA Human Reliability Analysis HTA Hierarchical Task analysis LC Level of Confidence OIM Offshore Installation Manager OSC On-Scene Commander POB Personnel On Board PSF Performance-Shaping Factor QRA Quantitative Risk Assessment SAR Search And Rescue SBV Stand-By Vessel SLIM Success Likelihood Index Methodology TEMPSC Totally Enclosed Motor Propelled Survival Craft TSR Temporary Safe Refuge

Abstract A framework is presented to identify and evaluate the risks of critical steps in the escape, evacuation and rescue process on offshore installations. A combination of expert judgment techniques and major incident investigations from industry were used to evaluate the risk for the escape and evacuation stages. Risk reduction is also included in this framework via a separate risk assessment technique. This framework can be applied to emergency preparedness for several industries. Dependency and overall time to complete the EER process were not analyzed in this work. Many of the potential safety barriers identified in the framework require further research in order to be incorporated in the risk reduction stage. 1. Introduction Human beings make errors. When these errors are made in one of the world’s harshest work environments, the consequences can be devastating. But human error can be prevented by accounting for its likelihood of occurrence. And if, in spite of our best attempts, a human error still occurs – the severity of the resulting consequences can be reduced. The risk of human error can thus be significantly lowered,

GCPS 2010 __________________________________________________________________________

but only by acting on the belief that human errors are rooted in the science of human factors. Essentially, this means that we must design our workplaces and their attendant procedures with the actions of human beings foremost in our minds. This requirement is arguably at its most critical level during emergency situations when the potential for human error and the severity of the possible consequences are at their greatest. The research undertaken is aimed at enhancing the safety of offshore oil and gas operations in Atlantic Canada and eventually worldwide. The scope of the research is emergency scenarios which necessitate taking action to ensure successful personnel evacuation, survival and rescue in response to various initiating events. This is known as the emergency escape, evacuation and rescue (EER) process. The focal point of the research is the quantitative determination of the probability and consequences of human error during these emergency actions. Previous research by the research team has resulted in a quantitative framework for the escape phase. The current research focuses on the evacuation phase with an introduction to the rescue phase. The end-result of the research is an engineering tool designed to employ these human error data in making objective decisions concerning facility design improvements from a human factor perspective. To date, a list of the steps that personnel must complete during the evacuation and rescue phases has been developed. Also, an analysis of the consequences of human error during the evacuation phase has been developed to show failure modes, potential consequences and their severities and a hierarchical view of useful safety measures. This will improve the focus of risk assessment and reduction on offshore facilities, as recommended by Gurpreet and Kirwan [1].

The escape phase of EER is defined as the time of the initiating event (collision, man overboard, hydrocarbon release, severe list, etc.) to the time of registration at the muster station, or temporary safe refuge (TSR). The evacuation phase begins upon decision of the offshore installation manager (OIM) to evacuate, or upon any individual decision to evacuate the platform. It ends when the individual in question achieves reasonable distance from the platform. The rescue phase is identified as the period of retrieval of individuals from the installation, evacuation equipment or the sea. It is helpful to note that these phases can experience an overlap. For example, rescue operations may retrieve individuals from a sea evacuation before they have had a chance to achieve a reasonable distance from the installation.

The steps involved in the risk assessment and reduction methodology described herein are as follows:

1. Task analysis 2. Scenario identification 3. Human error probability calculation 4. Consequence severity evaluation 5. Procedural hazard and operability study (HAZOP) of steps 6. Determination of tolerability of risk via risk matrix 7. Evaluation of required reliability via risk graph 8. Selection and evaluation of safety barriers 9. Bow-tie analysis

The steps are shown as a flowchart in Figure 1.

GCPS 2010 __________________________________________________________________________

2. Task and scenario analysis The first step of the framework is to break the main goal into the more detailed steps required to achieve this goal. The second step is to identify a range of emergency situations and choose reference scenarios that encompass this range. 2.1 Task analysis

Task analysis is the identification of the steps that personnel on board (POB) must complete during an emergency. This was done through hierarchical task analysis (HTA). In HTA, the main goals are identified and broken down into smaller steps. In this case, the main goals are:

Escape danger (Muster phase) Evacuate installation (Evacuation phase) Rescue POB (Rescue phase)

These phases are further divided into steps that can be evaluated from a human performance perspective. The steps give greater detail about the main goals and can still be evaluated in terms of risk. The probability of human error and plausible consequences can be identified for each step. Safety measures, herein referred to as safety barriers, that reduce the risk for individual steps can also be identified. The probability of human error, combined with the probability of failure on demand for the individual safety barriers, is the probability of failure on demand for a specific step. Figure 2 shows the evacuation and rescue steps identified through hierarchical task analysis. Escape steps have been analyzed by DiMattia [2] and Deacon et al. [3]. The escape phase is not analyzed in detail in the current work. 2.2 Scenario identification

Once the emergency steps are identified, a set of emergency scenarios representing a wide range of plausible situations must be defined. These scenarios include information on performance-shaping factors (PSFs). PSFs are factors that influence the probability of human error for any given step. Examples include operator experience, weather conditions, time of day and individual stress level. 2.2.1 Escape scenarios

Escape scenarios have been defined by DiMattia [2]. Three different escape initiators are used, ranging in severity of consequences. The escape initiators identified were ‘man overboard’, ‘hydrocarbon release’ and ‘fire and explosion’. For each of these initiators, a detailed scenario was identified, incorporating the time of day, the experience of the operator in question, the location of the operator in question relative to the event that led to escape initiation, and the job of the operator at the time of the escape alarm. These three escape initiators with their respective scenarios were used to determine HEPs for each escape step and scenario.

GCPS 2010 __________________________________________________________________________

Figure 1: Flowchart of risk assessment framework.

Choose Scenario


Choose Step





Build Bow-tie and Determine Overall LC

Yes

Is Risk ALARP?

No

Yes

Analysis Complete?

No

Identify Steps

GCPS 2010 __________________________________________________________________________

2.2.2 Evacuation scenarios

Evacuation scenarios are given in Table 1. A man overboard incident does not lead to evacuation of an installation; therefore another incident, collision or impending collision, is analyzed instead. The collision of a platform with a vessel, large object, land, etc. or the impending collision is a scenario that can lead to platform evacuation. The scenarios in Table 1 are used to determine evacuation step human error probabilities (HEPs). As visibility and sea conditions have a significant effect on individual performance during evacuation, the weather and time of day are specified for each scenario. The experience of the operator in question for each scenario is also specified.

3. Human error probability calculation

The most accurate method to determine HEPs is to identify the number of times a failure has occurred while performing the EER step in question and divide it by the total number of times the step has been performed. Unfortunately data does not exist to this extent. HEPs are therefore determined using expert judgment techniques. Escape and evacuation HEPs are discussed. Rescue phase HEPs are not explored in the current work. 3.1 Escape HEPs Escape step HEPs were evaluated by DiMattia [2] using the success likelihood index methodology (SLIM). This is an expert judgment technique that draws from the expertise of several judges. Several PSFs are determined by a panel of judges. The PSFs include stress, experience, atmospheric factors (weather, time of day, etc.), event factors (initiating event, operator’s location, etc.), level of training and the complexity of the task. These PSFs are then rated in terms of their impact on the escape step and scenario. 3.2 Evacuation HEPs

The current work evaluates evacuation HEPs using the human error assessment and reduction technique (HEART). The expert judgment in HEART occurs across three stages. The generic error probability (GEP) of a step is determined. This is the probability that a human error will occur given ‘perfect’ conditions (i.e. no influence of PSFs). Second, relevant PSFs are chosen from a list of 17 possible PSFs in HEART. These PSFs have an associated maximum effect on the probability of error. Finally, the percentage of the maximum effect of the PSF is chosen. The latter two stages combine to determine the overall effect of the PSFs on the GEP. For each step, one GEP and zero to three PSFs are chosen. The inclusion of PSFs into the risk assessment allows for risk assessment of a specific work site and situation. The use of generic data is a common pitfall in risk assessment. If a generic risk assessment is performed, efforts must be made to ensure that the risk assessment encompasses all hazards of each site and job of the facility. Also, this assessment must be validated [4]. While generic assessments can be used as a preliminary study of risk, the framework presented in Figure 1 is designed to be site-specific.

GCPS 2010 __________________________________________________________________________

2.2.3 Instruct personnel on boarding procedure

1.1 Check wind speed, direction and sea state1.2 Instruct personnel and maintain control1.3 Issue sea sickness tablets

1.0 Prepare to evacuate

2.0 Evacuate installation – do one of 2.1-2.5, priority in descending order2.1 Evacuate via bridge link2.2 Evacuate via helicopter

2.2.1 Move to helideck2.2.2 Establish communication with pilot

2.3.9 Close and secure all hatches

2.2.4 Board helicopter2.2.5 Don flight suit, aviation life jacket and secure seatbelt

2.3 Evacuate via TEMPSC (totally enclosed motor propelled survival craft)2.3.1 Ensure sea worthiness of TEMPSC2.3.2 Check compass heading/direction to steer craft2.3.3 Turn helm fully to clear installation on launch2.3.4 Ensure drop zone is clear2.3.5 Instruct personnel on boarding procedure2.3.6 Fasten seat belt2.3.7 Ensure everyone is secure2.3.8 Start air support system

2.4.5 Launch life raft2.4.6 Board life raft

2.3.10 Call command centre/launch master/other lifeboats to confirm launch sequence2.3.11 Release falls/confirm auto-release2.3.12 Launch TEMPSC2.3.13 Engage forward gear and full throttle2.3.14 Steer TEMPSC at vector from platform to rescue area

2.4 Evacuate by life raft

2.5.6 Look for other overboard survivors and rescue opportunities3.0 Initiate search and rescue (SAR)

3.1 Appoint on-scene commander (OSC)3.2 Monitor and coordinate SAR3.3 Locate and rescue survivors

3.3.1 Rescue by helicopter

2.5 Escape directly to sea2.5.1 Ensure survival suit properly sealed, lifejacket fastened2.5.2 Move to lowest nearby platform2.5.3 Assess direction of waves, danger and airborne contaminants2.5.4 Jump away from platform, feet first, avoiding platform legs2.5.5 Swim along side of platform

2.4.7 Cut painter

3.3.1 Rescue by stand-by vessel (SBV)3.3.2 Give medical attention

2.4.8 Paddle clear of danger2.4.9 Stream anchor2.4.10 Maintain sea worthiness of life raft2.4.11 Look for TEMPSC, FRC, other life raft or overboard survivors2.4.12 Attach painter to other life raft or tow craft

2.4.1 Move to life raft muster station2.4.2 Ensure seaworthiness of life raft2.4.3 Secure painter to a strong point2.4.4 Check for life raft instructions and number of personnel accommodated

Figure 2: HTA of evacuation and rescue steps.

GCPS 2010 __________________________________________________________________________

Table 3: Evacuation scenarios.

Evacuation Scenario

Detail Collision Gas Release Fire & Explosion

Situation A jack-up rig collides with a fixed installation during approach; significant damage to platform leg.

A hydrocarbon gas release A fire and explosion

Operator in question 15 years experience 7 years experience 6 months experience

Weather Good weather, calm seas Cold, wet weather Winter storm

Time of day Daylight hours Daylight hours Night time hours

HEART is designed for efficiency of resources, requiring only one expert judge to perform the analysis [5]. In the current work, HEART was adapted into a survey and sent to several expert judges. This was done to determine the precision of HEART when examining different steps. Validation of HEART can be undertaken by case studies and comparisons with generic HEP databases. A generic HEP feasibility study by Gurpreet and Kirwan [1] has resulted in the collection of offshore activity HEPs, including those for lifeboat evacuation procedures. These HEPs are generic in nature but provide an estimate of what the HEP should be. For HEART to be validated, the HEART HEPs must be close to those found in the study. It can be anticipated that the HEART-evaluated HEPs will be more conservative than those found in the feasibility study [1]. There is also potential to use the generic HEP data as a calibration tool for assessors [6].

4. Consequence analysis Risk is a function of the probability of failure on demand and the consequences of failure. Along with the HEPs for each step, the consequences of human error of each step must be identified by their level of severity. Two types of analysis are presented: a consequence analysis, for use with HEPs to determine tolerability of risk, and a procedural HAZOP to determine how errors may occur and to aid in choosing proper risk reduction measures. 4.1 Consequence Severity Evaluation The lack of human error data on emergency drills on offshore installations prevents a quantitative consequence analysis. Investigation reports and public inquiries of major incidents, incident reports from the UK continental shelf and previous research [7] provided the data for consequence analysis in the current work. Incident reports proved useful for man overboard muster initiators. Major incident investigations provided the consequence data for the gas release and fire and explosion muster initiators as well as the evacuation consequences. A study released by the UK Health and Safety Executive [7] also provided data for the evacuation consequences. It is noted that during the escape phase, consequences of failure are dependent on both the escape step and the escape initiator. This is due to the exposure to the immediate danger of the initiator. In the evacuation phase, distance has been achieved between the initiator and the individual and the immediate danger becomes the sea itself. Thus, consequence severities are different for each escape scenario and identical for each evacuation scenario. Consequences

GCPS 2010 __________________________________________________________________________

are evaluated on a severity level from 1 - 4, 1 indicating lowest and 4 indicating highest severity. Table 2 shows the consequence category descriptions for the escape phase [3], as adapted from DiMattia [2].

Table 4: Consequence categories and descriptions.

Severity Health Egress

Muster Initiator Other POB


2

Likely to result in minor injury


Raises muster initiator to level that causes minor delays in reaching TSR

Slightly to moderately delays others from reaching TSR or completing TSR actions

3

Likely to result in major injury

Moderate delays reaching TSR or completing TSR actions



4 Likely to result in fatality


Raises muster initiator to level where muster is no longer possible

Prevents others from having a dry evacuation

Table 2 also applies to the evacuation phase, although only the health and egress categories are explored, where ‘reaching TSR’ is replaced with ‘reaching rescue area’.

In order to reduce the consequence severity of a step in the evacuation phase, measures must be introduced that will lower the severity of harm to the individual in question. For the escape phase, the overall consequence severity is equal to the highest severity of the four categories. In order to reduce the consequence severity for the escape phase, the category (or categories) of highest severity must be reduced through safety barriers. A portion of the consequence table is shown in Table 3. Included are references to the investigations that provide the data for the consequence severity of each step.

4.2 Procedural HAZOP of steps

A validation exercise was performed by Kirwan [6] using HEART to assess the HEPs for 10 tasks. It was determined that different expert judges can arrive at similar HEPs using different GEP/PSF combinations. This observation shows that while the overall HEP is determined, the HEP assessment itself does not provide enough information for a fault tree [6]. A procedural HAZOP is required to ensure that all failure modes for each step are identified. A procedural HAZOP was performed for each phase. Failure modes and their descriptions for each step, as well as potential safeguards, were identified. The procedural HAZOP for the escape phase steps is a modification of work by DiMattia [2]. The procedural HAZOP for the evacuation phase steps is a modification of work by Kennedy [7].

GCPS 2010 __________________________________________________________________________

Table 5: Evacuation steps for totally enclosed motor propelled survival craft (TEMPSC) evacuation.

Evacuation Step Severity Reference

2.3.1 Ensure sea worthiness of TEMPSC

4 [7] (p. 30)

2.3.2 Check compass heading/direction to steer craft

2 [7] (Appendix B); [8](p. 13)

2.3.3 Turn helm fully to clear installation on launch

2 [7] (Appendix B)

2.3.4 Ensure drop zone is clear 4 [7] (Appendix B)


2 [7] (Appendix B)

2.3.6 Fasten seat belt 2 [7] (Appendix B)

2.3.7 Ensure everyone is secure 2 [6] (Appendix B)

2.3.8. Start air support system 3 [7] (Appendix B); [8] (p. 14)

2.3.9 Close and secure all hatches 4 [7] (Appendix B); [9] (p. 124)

2.3.10 Call command centre/launch master/other lifeboats to confirm launch sequence

4 [9](p. 133)

2.3.11 Release falls/confirm auto-release

4 [7] (Appendix B); [10](p. 83);

[11] (p. 162)

2.3.12 Launch TEMPSC 4 [9] (p. 124)

2.3.13 Engage forward gear and full throttle

4 [7] (Appendix

B); [11] (p. 162)

2.3.14 Steer TEMPSC at vector from platform to rescue area

4 [7] (Appendix

B); [11] (p. 162)

GCPS 2010 __________________________________________________________________________

In both cases, safeguards are re-organized into two types: prevention barriers and mitigation barriers. Prevention barriers are measures that reduce the probability of a human error occurring, while mitigation barriers reduce the consequence severity of a human error. Safeguards are also organized in terms of the hierarchy of controls [12]. This is useful for determining the reliability of safeguards at a later stage. Table 4 shows a procedural HAZOP analysis for one of the evacuation steps.

Table 6: Procedural HAZOP for evacuation step 2.3.4 (Ensure drop zone is clear).

Failure Mode Description Consequences Prevention Barriers Mitigation Barriers

Check omitted Coxswain omits or forgets to check for debris in the water

Delayed evacuation

Capsize of/ hole in boat

Injury/death

Active Engineered

Lights to illuminate drop zone during low visibility

Procedural

Warning prompt at helm of TEMPSC

Training/drills that require verbalizing state of drop zone and delaying or aborting launch

Passive Engineered

Boats constructed to withstand severe impacts and absorb shock

Check mistimed Coxswain makes check too early or too late, leaving time for debris to float over or forcing the boat to be committed to the launch

5. Risk Reduction

The next stage of the framework presented in Figure 1 is the risk reduction stage. The overall risk of each EER step is determined by combining the HEPs and consequence severities in a risk matrix. A risk graph is then used to determine a minimum reliability that incorporated safety barriers should have for each step. The procedural HAZOP is used to identify potential prevention or mitigation barriers. These barriers are evaluated to determine if they can be assigned a mathematical reliability. Safety barriers must have a proven record in industry to be assigned a mathematical reliability. Finally, any identified prevention and mitigation barriers with an associated reliability are incorporated into a bow-tie model. The result is an overall picture of the risk, including the effects of safety barriers. The probability of failure on demand of the step is the combination of the HEP and mathematical reliability of any safety barriers that affect that step.

5.1 Risk Matrix

The risk matrix, shown in Figure 3, is a tool that combines the probability of failure on demand and the consequence severity of a step to determine the tolerability of the risk. Tolerability criteria are embedded in the risk matrix to classify a step in one of three risk regions. The ‘broadly acceptable’ region is a risk region where no further risk reduction measures are required. The ‘tolerable if as low as reasonably practicable (ALARP)’ region follows the ALARP principle. If a risk is in this region and it has been shown through cost-benefit analysis that it is not practical to further reduce the risk, it is considered

GCPS 2010 __________________________________________________________________________

tolerable. If further measures can be introduced practically, then the risk should be reduced [13]. Risks in the ‘intolerable’ region must be reduced.

Consequence Rating

Probability 1 2 3 4

0.001-0.01

0.01-0.1

0.1-0.5

0.5-1

Monitor for continued improvement (broadly acceptable)

Incorporate risk reducing measures (tolerable if ALARP)

Intolerable

Figure 3: Risk matrix.

An example is step 3 of the escape phase, ‘act accordingly’. This step identifies the importance of maintaining composure during an emergency. From DiMattia [2], the HEP, or probability of failure on demand, for escape step 3 in a fire and explosion scenario is estimated to be 0.448. From Deacon et al. [3], the consequence severity for a human error during escape step 3 is 4. The risk is therefore in the ‘intolerable’ region of Figure 3 and must be reduced.

5.2 Risk Graph

Many human reliability analysis (HRA) techniques have within them a basic risk reduction mechanism. However, validation studies [6] have suggested that a separate technique be used for the risk reduction stage. Often HRA techniques do not have comprehensive or user friendly risk reduction mechanisms. A second technique, the accidental risk assessment methodology for industries (ARAMIS) [14] is used in the current framework to identify risk reduction measures.

ARAMIS uses a risk graph to determine the level of risk reduction required. This risk reduction is associated with the reliability of any barriers incorporated. Four factors are used to determine the required reliability of barriers:

Consequence severity (C) Frequency of exposure to risk (F) Potential to avoid damage (D) Probability (P)

GCPS 2010 __________________________________________________________________________

Consequence severity is determined from the consequence table, and human error probability is determined from HEART. The value F is either F1 (exposure to risk is less than 10% of operating time)

Human Error Probability

0.1-1 0.01-0.1 0.001-0.01 <0.001

1 2 3 4

P1 P2 P3 P4

C1 X1 --- --- --- ---

D1 X2 a --- --- ---

F1

D2

C2 X3 1 a --- ---

D1

risk F2

analysis

F1 D2

C3 X4 2 1 a ---

D1

F2

F1 D2

C4 X5 3 2 1 a

D1

F2

D2 X6 4 3 2 1

Figure 4: Risk graph.

GCPS 2010 __________________________________________________________________________

or F2 (exposure to risk is more than 10% of operating time). For the current study, all steps are considered to be category F1, assuming that emergency situations occur less than 10% of the facility’s operating time. The potential to avoid damage depends on the particular step. If there is time to correct an error or achieve distance from the consequence, category D1 is used. Otherwise, category D2 is used. Using these four factors and the risk graph shown in Figure 4, the reliability of safety barriers is determined. This is a mathematical reliability known as the level of confidence (LC). A reliability of 1 will reduce the risk by a factor of 10; a reliability of 2 will reduce the risk by a factor of 102 = 100, etc. The LC ranges from 1 to 4, or is identified as ‘a’. An LC of a indicates that safety barriers should be introduced but are not required to have a mathematical reliability. For example, escape step 3 for a fire and explosion scenario is in categories C4 and F1 of Figure 4. It was determined by Deacon et al. [3] that for escape step 3, there is time to correct an error and avoid the consequence. Therefore category D1 is used. This leads to line X4 of the risk graph and, combined with a HEP of 0.448, leads to a total required LC of 2 for safety barriers incorporated to reduce the risk of individuals’ loss of composure.

5.3 Safety Barriers

For a prevention or mitigation barrier to be incorporated into the bow-tie, it must meet certain minimum requirements as defined in the ARAMIS user guide [14]:

Components of safety barriers must be independent from regulation systems (common failures of safety and regulation systems are not acceptable); this criterion is applicable in the case of two systems in place for the same function.

Design of the barriers must be made in compliance with codes and standards, and design must be adapted to the characteristics of the substances and the environment.

Barriers must be of a “proven” concept; i.e. the concept is well known (experienced). Otherwise, it may be necessary to perform on-site tests to determine the quality of the barrier.

Barriers must be tested with a defined frequency. This frequency will be based on the experience of the operators or suppliers.

Barriers must have a schedule of preventative maintenance.

These criteria are used to determine if a potential safety barrier is relevant in the system and can be assigned an LC. If a potential barrier exists but is not a proven concept, further testing can be done to determine a mathematical reliability for the barrier in question.

5.4 Bow-Tie Analysis

A bow-tie is a risk assessment method that uses a fault tree and an event tree centered on a common critical event. A fault tree identifies a critical event and its potential causes (failure modes). An event tree identifies a critical event and the pathway to potential consequences. In the framework presented in Figure 1, the critical event is the failure to complete an EER step. The probability of the critical event is the probability of failure on demand of the step. Failure modes for the fault tree are identified in the procedural HAZOP. Because there is no data for the probability of each failure mode occurring, safety barriers incorporated must have a risk reducing effect on all failure modes for that step. Figure 5 is an example of a bow-tie using escape step 3; ‘act accordingly’ for a fire and explosion scenario.

GCPS 2010 __________________________________________________________________________

No

Late

Tra

inin

g

L

C=

1

Critical Event: Fail Step 3

Consequence 4

More Probability = 0.448*10-1 Probability = 0.0448

Before/After

Figure 5: Bow-tie for escape step 3, ‘act accordingly’.

The four failure modes for this step are shown on the left of Figure 5. The probability of failure on demand of this step (the HEP) is 0.448. A safety barrier that would be effective in this case is a training barrier [3], with an LC of 1. The revised probability of failure on demand is now 0.448*10-LC = 0.448*0.1 = 0.0448. The new HEP/consequence severity combination is still in the ‘intolerable’ region of the risk matrix. The risk graph has identified a required LC of 2; therefore additional safety measures should be incorporated.

6. Discussion

The process of risk assessment has been undertaken for the escape phase and is currently underway for the evacuation phase. Three scenarios are evaluated for each phase to encompass the full range of risk for the EER process. For risk reduction, only one scenario is analyzed for each phase of EER. The highest severity risk scenario for a given step is analyzed. Bringing the risk to a tolerable level for the highest severity scenario will have the same effect on the lower severity scenarios. It is noted that a training and procedures safety barrier is important for all steps. Indeed it may be the only barrier with an associated LC for some steps. However, as this is the least reliable barrier in terms of the hierarchy of controls, efforts should be undertaken to determine an LC for potential barriers identified in the procedural HAZOP. Steps are assumed independent from one another in this study and the overall time taken to achieve the goals of escape and evacuate is not analyzed. The time taken to evacuate a platform can be a critical factor depending on the structural stability [11]. It would be beneficial in future work to perform a dependency analysis.

While the scenarios studied in this undertaking are from the perspective of an offshore environment, this framework can be applied to various fields in industry. Onshore oil operations, nuclear power plants and chemical process facilities all have the potential for emergencies requiring site evacuation. While evacuation itself may simply involve running to achieve a safe distance from the emergency, escape of the facility and rescue operations are more complex. This framework provides a means to evaluate and reduce the risk for these industries as well.

GCPS 2010 __________________________________________________________________________

7. Conclusion and Recommendations

This work presents a framework for human reliability analysis of emergency situations that can supplement a QRA. It is designed via offshore emergencies but can be used in various industries such as the nuclear and process industries. Dependency between steps and overall process time is not evaluated in this work. However, the overall time to achieve the main goals of escape, evacuate and rescue, as well as the effect of failure of one step on later steps should be evaluated as a further study. These two factors may have a significant effect on the EER process. Furthermore, efforts should be made to ensure that more of the potential safety barriers identified in the procedural HAZOP meet the ARAMIS requirements and are incorporated into bow-tie analysis.

8. Acknowledgements

The authors gratefully acknowledge the financial support of Petroleum Research Atlantic Canada (PRAC), the Nova Scotia Department of Energy, and Pengrowth.

9. References

[1] Gurpreet, B. and Kirwan, B., “Collection of offshore human error probability data,” Reliability

Engineering and System Safety, Volume 61, 1998.

[2] DiMattia, D. “Human error probability index for offshore platform musters,” PhD Thesis (2004), Dalhousie University.

[3] Deacon, T., Amyotte, P. and Khan, F., “Human error risk analysis in offshore emergencies,” Safety Science, manuscript submitted and under revision, 2009.

[4] Gadd, S., Keeley, D. and Balmforth, M., “Pitfalls in risk assessment: examples from the UK,” Safety Science, Volume 42, 2004.

[5] Williams, J.C., “Toward an improved evaluation tool for users of HEART,” Proceedings of the international conference on hazard identification, risk analysis, human factors and human reliability in process safety, Orlando, Florida, 15-17 January. AIChE-CCPS, New York, 1992.

[6] Kirwan, B., “The validation of three human reliability quantification techniques – THERP, HEART and JHEDI: Part III – Practical aspects of the usage of the techniques,” Applied Ergonomics, Volume 28, 1997.

GCPS 2010 __________________________________________________________________________

[7] Kennedy, B., “A human factors analysis of evacuation, escape and rescue from offshore installations” (Report OTO 93 004, UK Health and Safety Executive), 1993.

[8] Robertson, D.H. and Wright, M.J., "Ocean Odyssey emergency evacuation: analysis of survivor experiences" (Report OTO 96 009, UK Health and Safety Executive), 1997.

[9] US Coast Guard., "Marine casualty report - mobile offshore unit (MODU) OCEAN RANGER" (Report USCG 0001 HQS 82, US Coast Guard), 1983.

[10] Vinnem, Jan E., Offshore Risk Assessment, 2nd ed. 2007. (The Netherlands: Kluwer Academic Publishers), 77-116.

[11] Moan, T., Nᴂsheim, T., Φveraas, S., Bekkvik, P., Kloster, A., "The Alexander L. Kielland accident" (Report NOU 1981:11, Norwegian Public Reports), 1981.

[12] Amyotte, P., Goraya, A., Hendershot, D., Khan, F., “Incorporation of Inherent Safety Principles in process safety management”, Process Safety Progress, Volume 26, 2007.

[13] DNV, “Marine Risk Assessment” (Report OTO 2001 063, UK Health and Safety Executive), 2002.

[14] Anderson, H., Casal, J., Dandrieux, A., Debray, B., Dianous, V., Duijm, N., Delvosalle, C., Fievez, C., Goossens, L., Gowland, R., Hale, A., Hourtolou, D., Mazzarotta, B., Pipart, A., Planas, E., Prats, F., Salvi, O., Tixier, J., “ARAMIS user guide” (The European Commission Community Research), 2004.

Appendix 11

Master of Applied Science Thesis

Halifax, Nova Scotia May, 2010 © Copyright by Travis J.B. Deacon, 2010

HUMAN ERROR RISK ANALYSIS AND REDUCTION FOR OFFSHORE EMERGENCY SITUATIONS

by

Travis J.B. Deacon

Submitted in partial fulfillment of the requirements

for the degree of

MASTER OF APPLIED SCIENCE Major Subject: Chemical Engineering

at


ii

DALHOUSIE UNIVERSITY

PROCESS ENGINEERING AND APPLIED SCIENCE

The undersigned hereby certify that they have read and recommend to the Faculty of

Graduate Studies for acceptance a thesis entitled “HUMAN ERROR RISK ANALYSIS

AND REDUCTION FOR OFFSHORE EMERGENCY SITUATIONS” by Travis J.B.

Deacon in partial fulfillment of the requirements for the degree of Master of Applied

Science.

Dated: May 19, 2010

Supervisor: _________________________________

Readers: _________________________________

_________________________________

_________________________________

_________________________________

iii

DALHOUSIE UNIVERSITY

DATE: May 19, 2010

AUTHOR: Travis J.B. Deacon

TITLE: Human Error Risk Analysis and Reduction for Offshore Emergency Situations

DEPARTMENT OR SCHOOL: Department of Process Engineering and Applied

Science

DEGREE: Master of

Applied Science

CONVOCATION: October YEAR: 2010

Permission is herewith granted to Dalhousie University to circulate and to have copied for non-commercial purposes, at its discretion, the above title upon the request of individuals or institutions.

_______________________________ Signature of Author

The author reserves other publication rights, and neither the thesis nor extensive extracts from it may be printed or otherwise reproduced without the author’s written permission. The author attests that permission has been obtained for the use of any copyrighted material appearing in the thesis (other than the brief excerpts requiring only proper acknowledgement in scholarly writing), and that all such use is clearly acknowledged.

iv

TABLE OF CONTENTS

LIST OF TABLES vi

LIST OF FIGURES ix

ABBREVIATIONS xi

ACKNOWLEDGEMENTS xiii

ABSTRACT xiv

1 INTRODUCTION 1

1.1 Project Scope 1

1.2 Motivation for the Current Project 6

1.3 Project Objectives 7

2 HUMAN FACTOR RISK ANALYSIS 12

2.1 Human Reliability Analysis (HRA) 12

2.1.1 Task Analysis 12

2.1.2 Types of Error 13

2.1.3 Human Error Probability (HEP) 14

2.2 Expert Judgment 15

2.2.1 Success Likelihood Index Methodology (SLIM) 15

2.2.2 Human Error Assessment and Reduction Technique (HEART) 17

2.2.3 Technique for Human Error Rate Prediction (THERP) 19

2.3 Accidental Risk Assessment Methodology for Industries (ARAMIS) 21

2.4 Hazard and Operability Study (HAZOP) 26

2.5 Bow-Tie Method 27

2.5.1 Fault Tree (FT) Method 28

2.5.2 Event Tree (ET) Method 28

3 ESCAPE RISK ASSESSMENT 30

3.1 Human Error Probability 31

3.2 Consequence Analysis 31

3.2.1 Consequence Table 31

3.2.2 Procedural HAZOP 39

3.3 Risk Estimation 39

4 EVACUATION RISK ASSESSMENT 45

v

4.1 Human Error Probability 46

4.2 Consequence Analysis 56

4.2.1 Consequence Table 56

4.2.2 Procedural HAZOP 59

4.3 Risk Estimation 60

5 RESCUE RISK ASSESSMENT 63

6 RISK REDUCTION 64

6.1 Risk Graph 64

6.2 Safety Barriers 70

6.3 Case Study 77

7 CONCLUSIONS & RECOMMENDATIONS 81

7.1 Conclusions 81

7.2 Recommendations 82

REFERENCES 84

Appendix A Risk Matrices 87

Appendix B Expert Judgment Surveys 90

Appendix C Procedural HAZOP of Evacuation Tasks 117

Appendix D Bow-tie Graphs of Evacuation Tasks 141

vi

LIST OF TABLES 2.1 Error types and performance levels 14

3.1 Escape phase HEPs 32

3.2 Consequence severity descriptions 33

3.3 Consequence severities for MO scenario (adapted from Deacon et al., 2010) 35

3.4 Consequence severities for GR scenario (adapted from Deacon et al., 2010) 36

3.5 Consequence severities for F&E scenario (adapted from Deacon et al., 2010) 37

3.6 Overall consequence severities (adapted from Deacon et al., 2010) 38

3.7 Procedural HAZOP for escape task 1, ‘detect alarm’ (Deacon et al., 2010) 40

3.8 Procedural HAZOP for escape task 15, ‘register at TSR’ (Deacon et al., 2010) 41

3.9 Risk level for escape phase tasks 44

4.1 Comparison of HEART and SLIM 48

4.2 GEP descriptions and associated values 49

4.3 EPC descriptions and associated values 50

4.4 Evacuation scenarios 51

4.5 Assessor GEP and EPC choices 53

4.6 Assessor HEP results 55

4.7 Consequence severity descriptions 56

4.8 Consequence severities 57

4.9 Procedural HAZOP for evacuation task 2.3.4, ‘ensure drop zone is clear’ 59

4.10 Procedural HAZOP for evacuation task 2.3.14, ‘steer TEMPSC at vector from platform rescue area’

60

4.11 Risk level for evacuation tasks 61

6.1 Required LCs for escape phase tasks 66

6.2 LC requirements for evacuation tasks according to survey 1 HEP data set 67

6.3 LC requirements for evacuation tasks according to survey 2 HEP data set 68

6.4 Comparison of required LCs between HEP data sets 69

6.5 Evacuation safety barriers and their associated LCs 72

6.6 Design LCs compared with required LCs for each survey HEP data set 74

6.7 Summary of required, available and actual LCs on Ocean Odyssey 80

A.1 Frequency index definitions for risk ranking matrix (DNV, 2002) 89

vii

C.1 Check wind speed, direction and sea state HAZOP (Step 1.1) 118

C.2 Instruct personnel and maintain control HAZOP (Step 1.2) 119

C.3 Issue sea sickness tablets HAZOP (Step 1.3) 119

C.4 Move to helideck HAZOP (Step 2.2.1) 120

C.5 Establish communication with pilot HAZOP (Step 2.2.2) 120

C.6 Instruct personnel on boarding procedure HAZOP (Step 2.2.3) 121

C.7 Board helicopter HAZOP (Step 2.2.4) 121

C.8 Don flight suit, aviation life jacket and secure seatbelt HAZOP (Step 2.2.5) 122

C.9 Ensure sea-worthiness of TEMPSC HAZOP (Step 2.3.1) 122

C.10 Check compass heading/direction to steer craft HAZOP (Step 2.3.2) 123

C.11 Turn helm fully to clear installation on launch HAZOP (Step 2.3.3) 123

C.12 Ensure drop zone is clear HAZOP (Step 2.3.4) 124

C.13 Instruct personnel on boarding procedure HAZOP (Step 2.3.5) 124

C.14 Fasten seat belt HAZOP (Step 2.3.6) 125

C.15 Ensure everyone is secure HAZOP (Step 2.3.7) 125

C.16 Start air support system HAZOP (Step 2.3.8) 126

C.17 Close and secure all hatches HAZOP (Step 2.3.9) 127

C.18 Call command centre/launch master/other lifeboats to confirm launch sequence HAZOP

(Step 2.3.10)

127

C.19 Release falls/confirm auto-release HAZOP (Step 2.3.11) 128

C.20 Launch TEMPSC HAZOP (Step 2.3.12) 129

C.21 Engage forward gear and full throttle HAZOP (Step 2.3.13) 130

C.22 Steer TEMPSC at vector from platform to rescue area HAZOP (Step 2.3.14) 131

C.23 Move to life raft muster station HAZOP (Step 2.4.1) 131

C.24 Ensure sea-worthiness of life raft HAZOP (Step 2.4.2) 132

C.25 Secure painter to strong point HAZOP (Step 2.4.3) 132

C.26 Check for life raft instructions and number of personnel accommodated HAZOP

(Step 2.4.4)

133

viii

C.27 Launch life raft HAZOP (Step 2.4.5) 133

C.28 Board life raft HAZOP (Step 2.4.6) 134

C.29 Cut painter HAZOP (Step 2.4.7) 134

C.30 Paddle clear of danger HAZOP (Step 2.4.8) 135

C.31 Stream anchor HAZOP (Step 2.4.9) 135

C.32 Maintain sea-worthiness of life raft HAZOP (Step 2.4.10) 136

C.33 Look for TEMPSC, FRC, other life raft or overboard survivors HAZOP (Step 2.4.11) 136

C.34 Attach painter to other life raft or tow craft HAZOP (Step 2.4.12) 136

C.35 Ensure survival suit properly sealed, lifejacket fastened HAZOP (Step 2.5.1) 137

C.36 Move to lowest nearby platform HAZOP (Step 2.5.2) 138

C.37 Assess direction of waves, danger and airborne contaminants HAZOP (Step 2.5.3) 138

C.38 Jump away from platform, feet first, avoiding platform legs HAZOP (Step 2.5.4) 139

C.39 Swim along side of platform HAZOP (Step 2.5.5) 139

C.40 Look for other overboard survivors and rescue opportunities HAZOP (Step 2.5.6) 140

ix

LIST OF FIGURES 1.1 Overview of thesis 2

1.2 Schematic for risk analysis framework 9

2.1 THERP event tree (Swain and Guttman in Embrey, 1994) 22

2.2 Risk Graph 24

2.3 Fault tree (Cameron and Raman, 2005) 28

3.1 Human error risk matrix 43

4.1 HTA of evacuation tasks 46

5.1 HTA of rescue phase tasks (adapted from Kennedy, 1993) 63

6.1 Bow-tie graph for evacuation task 2.3.1, ‘ensure sea-worthiness of TEMPSC’ 76

6.2 Bow-tie graph for evacuation task 2.3.11, ‘release falls/confirm auto-release’ 76

A.1 ISO Standard 17776 risk matrix (DNV, 2002) 88

D.1 Bow-tie for evacuation task 1.2 142

D.2 Bow-tie for evacuation task 2.3.1 142

















x








xi

ABBREVIATIONS

ALARP As Low As Reasonably Practicable

APOA Assess Proportion of Affect

ARAMIS Accidental Risk Assessment Methodology for Industries

BHEP Basic nominal Human Error Probability

EER Escape, Evacuation and Rescue

EPC Error-Producing Condition

ET Event Tree

F&E Fire and Explosion

FPSO Floating Production, Storage and Offloading vessel

FRC Fast-Rescue Craft

FT Fault Tree

GEP Generic Error Probability

GR Gas Release

HAZOP Hazard and Operability study

HEART Human Error Assessment and Reduction Technique

HEP Human Error Probability

HEPI Human Error Probability Index

HRA Human Reliability Analysis

HTA Hierarchical Task Analysis

LC Level of Confidence

MIMAH Identification of Major Accident Hazards

MIRAS Methodology for Reference Accident Scenarios

MO Man Overboard

OIM Offshore Installation Manager

OSC On-Scene Commander

P&ID Piping and Instrumentation Diagram

PA Public Address

PM Preventative Maintenance

POB Personnel On Board

xii

PSF Performance-Shaping Factors

QRA Quantitative Risk Assessment

RAS Reference Accident Scenario

SAR Search And Rescue

SBV Stand-By Vessel

SLIM Success Likelihood Index Methodology

SLI Success Likelihood Index

SMS Safety Management System

TEMPSC Totally Enclosed Motor-Propelled Survival Craft

THERP Technique for Human Error Rate Prediction

TSR Temporary Safe Refuge

xiii

ACKNOWLEDGEMENTS

I would like to thank Dr. Paul Amyotte, Dr. Faisal Khan, Dr. Scott MacKinnon,

Dr. Dean Di Mattia and Dr. Michael Pegg for their technical guidance support as my

supervisory committee. I would also like to thank Dr. Amyotte for his consistent

encouragement and mentorship throughout the duration of this and previous projects. I

thank Petroleum Research Atlantic Canada (PRAC), Pengrowth and the NS Department

of Energy for their financial support.

I thank those who participated in the expert judgment surveys for their feedback.

I would also like to thank my wife Cailin for her encouragement and patience and my

family for their support.

For want of a nail the shoe was lost. For want of a shoe the horse was lost. For want of a horse the rider was lost. For want of a rider the battle was lost. For want of a battle the kingdom was lost. And all for the want of a horseshoe nail. -nursery rhyme

I am only one, but I am one. I cannot do everything, but I can do something. What I can do, I should do and, with the help of God, I will do! -Everett Hale

"There are lots of things I can't control...but then, there are some things I can"-Sydney Crosby

xiv

ABSTRACT

The presented methodology provides a quantitative approach for the assessment and reduction of the risk of human error probabilities during emergency situations. Previous research on the escape phase of the escape, evacuation and rescue (EER) process has resulted in the identification of tasks, the risk of human error and potential risk reduction measures for the escape phase. Tasks that must be completed in the evacuation and rescue phases were identified in the current thesis. Due to a lack of available human error data, a combination of expert judgment techniques and a literature review of previous incidents were used to evaluate the risk of human error for the evacuation phase. ARAMIS was used to evaluate the effectiveness of risk reduction measures. Novel concepts include introducing the hierarchy of controls into the procedural HAZOP and the combination of a human error risk assessment methodology (HEART) with a comprehensive risk reduction methodology (ARAMIS).

1

Chapter 1 INTRODUCTION

This chapter provides the background of the emergency escape, evacuation and

rescue (EER) process on offshore installations. The parameters of the current research

are also identified. Chapter 2 describes in detail the science of human factor analysis.

The concept of human reliability analysis (HRA) is defined. Also, various techniques for

the estimation of human error probabilities (HEPs) are described. Methods for

determining consequences of human error and reducing the risk of human error are

presented. Risk is reduced through safety measures; therefore tools that incorporate

safety measures into risk analysis are also identified in Chapter 2. Chapters 3, 4 and 5

detail the risk assessment of the escape, evacuation and rescue phases of EER,

respectively. Chapter 6 introduces the risk reduction stage into the framework and

provides a case study of the overall process. Conclusions and recommendations are

described in Chapter 7. The outline of this thesis is presented in Figure 1.1.

1.1 Project Scope

Human error is defined as (Kletz, 2001):

A failure to carry out a task in the way intended by the person performing it, in

the way expected by other people or in a way that achieves the desired objective.

Human factors are defined by DiMattia (2004) as:

Environmental and organizational and job factors, system design, task attributes

and human characteristics that influence behaviour and affect health and safety.

The scope of the current work is the EER process on offshore oil and gas

installations. These installations may be drill platforms or floating production, storage

and offloading vessels (FPSOs).

The EER process is composed of three phases:

Escape (or muster) – defined as the interval beginning at the initiating event of the

EER process due to an incident and ending at the registration at a temporary safe

refuge (TSR) and the decision of the offshore installation manager (OIM) to

abandon or to not abandon the installation.

2

Figure 1.1. Overview of thesis.

Evacuation – defined as the interval beginning from the decision of the OIM or an

individual to evacuate the installation into the sea or a transport vessel and ending

upon retrieval by search and rescue (SAR) personnel.

Rescue (or recovery) – defined as the interval beginning from the initiation of a

SAR and ending when all personnel have been recovered or the SAR operation

has been called off.

It must be noted that these phases have an overlap. If an individual, during escape,

decides to evacuate to the sea instead of continuing to the TSR, the escape phase has

effectively ended for that individual and the evacuation phase has begun. If

Chapter 7 Conclusions and recommendations

Chapter 6 Description of risk reduction methodology and case study

Chapter 5 Task analysis of rescue phase of EER

Chapter 4 Risk assessment of evacuation phase of EER

Chapter 3 Risk assessment of escape phase of EER

Chapter 2 Description of human factor risk analysis techniques

Chapter 1 Introduction to HRA framework, scope, motivation and objectives

3

communication is established with nearby vessels, a SAR may be initiated while

personnel are in the escape phase. Initiating SAR during the escape phase may reduce

wait time for a helicopter evacuation or the time personnel spend waiting to be rescued

while in the evacuation phase. Indeed, the later steps of the evacuation phase coincide

with the rescue phase, as seen in Chapters 4 and 5.

Each phase of the EER is evaluated separately. The escape phase has been

evaluated in part by DiMattia (2004), DiMattia et al. (2005), Khan et al. (2006) and

Deacon et al. (2010). It is evaluated using three different escape-initiating scenarios: man

overboard, hydrocarbon release and fire and explosion. These scenarios encompass the

range of severity of offshore incidents. The evacuation phase is presented in its entirety

in the current thesis. The three different evacuation-initiating scenarios are identified: a

collision or impending collision of the installation with the surrounding environment or

another vessel, a hydrocarbon release and a fire and explosion. A man overboard

situation does not lead to the evacuation of an installation and is therefore not considered.

The rescue phase is evaluated in part in this work.

An analysis of the steps required to complete the escape phase is presented by

DiMattia (2004). When the decision is made to abandon the platform, either by the OIM

at the TSR or by an individual who deems that evacuation is the safer option, a second

choice must be made. There are several means of evacuating an offshore installation. In

preparing for evacuation, personnel must check the weather conditions (direction and

speed of wind, intensity of waves, etc.). Personnel with authority for the EER process

must keep others in as controlled and informed a state as possible. Sea sickness tablets

can be issued to personnel in case of separation during movement to evacuation stations.

One option for evacuation is a bridge link to another installation. Individuals

cross above the water on a connecting bridge from the abandoning installation to a

nearby, safer installation.

Another non-sea means of evacuation is helicopter evacuation. In helicopter

evacuation, personnel must move to the installation helideck and establish

communication with the approaching pilot. An orderly boarding procedure ensues, with

passengers donning aviation survival equipment and fastening seatbelts. Overloading of

4

the helicopter should be avoided. Affected by weather conditions and visibility from

smoke, helicopter evacuation is not always an option.

If bridge link and helicopter evacuations are not possible, there are several options

for sea evacuation. The first is via totally enclosed motor propelled survival craft

(TEMPSC) evacuation. TEMPSCs are engine-powered and are the best equipped of the

sea evacuation methods to achieve a safe distance from the abandoned installation.

Checks are performed upon arrival at the TEMPSC station to ensure that the selected

craft is in good condition for launch. The boat coxswain must perform checks on the

orientation of the craft and the direction it should be steered to avoid installation legs and

achieve a safe distance from the installation. Before boarding, personnel check the drop

zone below the TEMPSC to ensure that no debris or danger exists between the craft and

its entrance point with the sea. Personnel are then instructed on an orderly boarding

procedure before boarding and fastening their seat belts. A check is performed to ensure

that everyone’s seatbelt is properly fastened. Next, the air support system is activated.

The air support system must not be activated before completing previous actions, as the

noise output of the air support system can hinder checks. All hatches and plugs are

closed and secured to ensure no water ingress on contact with the sea. The command

centre and other evacuating/rescue personnel are contacted to announce launch of the

TEMPSC. The TEMPSC falls are released and the TEMPSC is steered, at full power and

in forward gear, perpendicular and away from the installation towards a designated

rescue area.

Another sea evacuation vessel is the life raft. Life rafts are non-motor propelled

means of evacuation. Once personnel arrive at the life raft platform, any life rafts used

are inspected to determine the adequacy of their condition. The life raft is secured to a

strong point on the platform. Life raft instructions are checked, as well as the capacity of

the life raft. It is important that the life raft not become overloaded. Personnel then

board the life raft. When all have boarded, the line to the platform is cut and personnel

begin paddling clear of the installation. When a safe distance is achieved, the sea anchor

is released. While waiting to be rescued, personnel must maintain the condition of the

life raft to the best of their abilities. They must also monitor the sea for rescue vessels,

other life boats or overboard survivors to rescue. When another life boat or rescue vessel

5

is found, a tow line is attached to the vessels to group them together or to fasten the life

raft to a rescue vessel for personnel transfer.

If egress to an evacuation vessel cannot be accomplished, personnel may be

forced to escape directly to the sea. Escaping directly to the sea should occur only when

vessel evacuation is not feasible. Survival times are relatively short for personnel in the

water. It is especially important for personnel to wear a properly sealed survival suit if

the escape is directly into the sea. It is estimated that many people would not survive for

longer than an hour in most water conditions in the North Atlantic without survival

equipment (Robertson and Simpson, 1996). Before leaving the installation, personnel

should ensure that their survival suit is properly sealed and that a lifejacket is donned and

fastened. To minimize the shock of impact from falling or jumping, personnel should

enter the sea from the lowest platform. The direction of the waves and any airborne

contaminants should be assessed. Knowing wave and contaminant directions can prevent

exposure to unnecessary dangers, such as being washed violently against the installation.

Direct-to-sea evacuation can be accomplished by jumping from the platform, sliding

down a chute or climbing down a covered ladder. Whichever method is chosen,

personnel should enter the water feet first. Upon entering the water, personnel should

swim along the side of the platform toward the outer circumference of the installation,

constantly searching for rescue opportunities.

The rescue phase begins with the appointment of an on-scene commander (OSC)

a person of authority to maintain morale and organization. This person (or persons)

monitors and coordinates search and rescue efforts. Helicopters can be used to rescue

personnel, either from the water or from the installation, as described above. An

individual is lowered in a winch to the personnel in the water (in a vessel or in the sea

itself). Individuals are raised into the helicopter one at a time. A fast-rescue craft (FRC)

from a stand-by vessel (SBV) can also be used. An SBV is a nearby vessel equipped to

provide search and rescue should an evacuation occur. A smaller craft, the FRC is

released from the SBV to retrieve individuals from the sea or vessels. Once rescued,

personnel arrive at the SBV or other safe haven and medical attention is given as

necessary.

6

1.2 Motivation for the Current Project

Offshore installations in the North Atlantic are considered among the harshest

work environments in the world today. Human performance during emergencies in

offshore environments can have a major effect on the results of an EER process. Piper

Alpha, Ocean Odyssey and Alexander Kielland are just a few of the incidents that reflect

the impact of human performance during offshore emergency situations. A human

factors study by Gurpreet and Kirwan (1997) of offshore davit launching revealed the

need for identifying the relative risk of human error. Knowing the importance of actions

relative to one another can lead to a more efficient prioritization of risk reduction

measures. It has been suggested that human reliability analysis tools for the EER process

should be improved (Khan et al., 2006). Greater human reliability can be achieved

through a human factors analysis of the EER process. Risk is a function of the

probability of an incident occurring and its associated consequences. In the current work,

the incident in question is a human error during an offshore emergency. The risk of

human error is measured in terms of a human error probability (HEP), determined for

each step, and the severity of the consequences associated with the step.

Previous research by the research team in the form of a PhD thesis introduced an

index for determining EER escape phase human error probabilities using expert judgment

techniques (DiMattia, 2004). The doctoral work also included a consequence analysis

and risk reduction mechanism. Expert judgment was used to determine the consequence

severities and the percentage reduction of risk for each safety measure incorporated. Of

the risk reduction method, DiMattia (2004) states:

It is recognized that this approach to risk re-rating is subjective in nature and can lead to

differences in interpretation. Empirical data are required for a more rigorous treatment

of risk reduction measures.

The current work focuses on an empirical approach to consequence analysis and the use

of a risk reduction tool.

Many human error expert judgment techniques incorporate risk reduction theory.

However, the main focus of these techniques is to estimate HEPs. Risk reduction is

either an add-on or theoretically inherent to the technique. Issues of clarity and

comprehensiveness arise from these less detailed risk reduction methods. It has been

7

recommended that a separate risk reduction technique be used after HEPs have been

estimated (Kirwan, 1997). The current work incorporates the accidental risk assessment

methodology for industries (ARAMIS; Anderson et al., 2004) as an analysis of safety

measures.

Another issue noted in the literature is the lack of organizational factors methods

in offshore quantitative risk assessments (QRAs; Aven et al., 2006). Safety culture at all

levels of an organization has an effect on performance. ARAMIS incorporates a safety

audit exercise that affects the reliability of safety measures according to the quality of the

organizational safety culture (Anderson et al., 2004).

1.3 Project Objectives

The problem statement for this MASc Thesis is as follows:

To develop a method to systematically assess and reduce the risk of human error in emergency situations. A framework for the identification, assessment and reduction of the risk of human

error during offshore emergency situations is presented in this work. The framework can

be used to evaluate emergency situations from various industries, including the nuclear,

manufacturing and chemical processing industries. The framework provides a detailed

breakdown of tasks to be completed during emergency situations, as well as an individual

analysis of the risk of human error of each task. Finally, risk reduction measures are

evaluated and introduced, with a graphical and mathematical representation of their effect

on the risk.

The goals of the current work are as follows:

1. To further the work in the field of human reliability analysis,

2. To reduce the gap between real and perceived risk with respect to emergency

preparedness,

3. To provide a user-friendly HRA tool to evaluate and reduce the risk of human

error in emergency situations, and

4. To assess risk and identify risk reduction measures for human error in offshore

emergency situations.

The HEP and consequence severity for each EER step are determined empirically.

8

The following is a list of tasks to prepare in a risk assessment (Gadd et al., 2004):

1. Define the scope of the assessment 2. Define the depth of the assessment 3. Identify and allocate the quantity of resources to be used

After the preparation stage, the following tasks are completed in performing the risk

assessment (Gadd et al., 2004):

1. Identify hazards 2. Identify possible consequences 3. Estimate likelihood of incident occurring 4. Estimate risk of incident occurring 5. Evaluate risk for tolerability and potential for reduction 6. Record findings

The framework presented in the current thesis is a more detailed description of the

performance of a risk assessment:

10. Task analysis 11. Scenario identification 12. Human error probability calculation 13. Consequence severity evaluation 14. Procedural hazard and operability study (HAZOP) of steps 15. Determination of tolerability of risk via risk matrix 16. Evaluation of required reliability via risk graph 17. Selection and evaluation of safety barriers for level of confidence (LC) 18. Bow-tie analysis

If a risk is shown to be tolerable under the ‘as low as reasonably practicable’

(ALARP) principle, then steps 7-9 need not be performed for the given task. The

framework is presented in Figure 1.2.

A hierarchical task analysis (HTA) of the EER process was performed by the research

team. The escape phase HTA is presented in DiMattia (2004). The evacuation and

rescue phases are analyzed in the current work. Several emergency scenarios, or specific

situations, are defined. The combination of these scenarios encompasses the range of risk

severity encountered for the facility in question. HEPs are empirically determined using

9

Figure 1.2. Schematic for risk analysis framework.

an expert-judgment technique. HEPs can be calculated by dividing the number of

failures to complete a given task by the total number of times that task is attempted over

Identify Tasks

Choose Scenario


Choose Step





Build Bow-tie and Determine Overall LC

Yes

Is Risk ALARP?

No

Yes

Analysis Complete?

No

10

an identified period of time. This is the simplest and most ideal method for determining a

HEP. However, in most cases, data does not exist for this method. Additionally, for the

formula to be effective, the failure data for any task would have to be determined for

every unique workstation and work environment. In cases where a QRA is being

performed before a work site is constructed, it is impossible to collect historic data.

The accuracy of HEPs using historic data relies heavily on the robustness of the

collected data. Efforts have been made to collect HEP data for certain tasks (Kirwan et

al., 1998; Gurpreet and Kirwan, 1997). These HEPs are generic in nature and, while

alone they do not provide an accurate HEP estimate for any site-specific QRA, they

provide a good reference for HEP estimation and calibration of expert judgment

techniques (Kirwan et al., 1990).

Consequences are also determined and expressed as a measurable value. These

consequences are usually expressed as a unit in a range of severities, or as qualitative

descriptions of different severities. Consequence severities for the current work are

determined using a literature review of major offshore incident investigations from

industry. Consequence severities for the escape phase are dependent on the initiating

event due to proximity to event-related dangers. For example, consequence severities for

any given step may be more severe for a fire and explosion scenario due to fires and

extreme heat along the egress paths. For the same step in a gas release scenario, egress

paths may not be exposed to as much danger. However, consequence severities are

independent of the initiating event for the evacuation phase. At the evacuation phase of

the EER process, distance has been achieved from the initiating event. The immediate

dangers are the sea and weather conditions. Personnel who evacuate to the sea are

exposed to the motion of the waves. Wave motion can induce sea sickness in personnel

and has the potential to wash evacuation equipment violently against the installation.

Depending on the strength and frequency of the waves, survival craft can be damaged

and even incapacitated. Rescue phase consequence severities are not evaluated in the

current work.

Consequence severities and HEPs are combined in a risk matrix. The risk matrix

is a table that determines the tolerability of a risk based on its associated probability of

critical event occurring and its consequence severity. In the current work, the risk graph

11

of ARAMIS is used alongside the risk matrix to determine the total required reliability of

safety measures associated with a given EER step. The required reliabilities are related

to the tolerability criteria in the risk graph. Combining HEPs, consequence severities and

two other parameters unique to the risk graph reveals the total required reliability of EER

step safety measures. Once the required reliability of safety measures are determined, the

mathematical reliability of any potential safety measures is evaluated using ARAMIS. A

procedural hazard and operability study (HAZOP) is undertaken to determine potential

error modes and safety measures. Safety measures identified in the HAZOP are

evaluated for their robustness and reliability. Any safety measures that have an

associated mathematical reliability can be used in the risk reduction exercise.

Risk re-calculation is undertaken using bow-tie graphs. A bow-tie graph is a

combination of a fault tree and an event tree centred on the same critical event. In the

current work, the critical event is a human error for the EER step in question. Failure

modes are identified in the fault tree section of the bow-tie. Any safety measures that can

reduce the HEP are included in the fault tree. Consequence severities are identified in the

event tree section of the bow-tie. Any safety measures that can mitigate the

consequences should an error occur are included in the event tree. Once all safety

measures and their mathematical reliabilities are incorporated into the bow-tie, the risk

can be re-calculated.

12

Chapter 2 HUMAN FACTOR RISK ANALYSIS

This chapter provides a description of the science of human factor risk analysis.

Human reliability analysis (HRA) is also described. Several expert judgment techniques

for performing HRA are described and evaluated for their potential application to the

EER process. This chapter also discusses the concepts of hazard and risk. Hazard is the

existing potential for harm or loss. Risk is the likelihood and degree of harm or loss

(Cameron and Raman, 2005). Thus a hazard is identified first, followed by the risk of the

hazard moving from a potential occurrence to an actual occurrence. This movement of

the hazard from possibility to reality is called a critical event.

2.1 Human Reliability Analysis (HRA)

Human reliability analysis (HRA) is used to evaluate human performance for

given tasks. Thus, the risk of human error can be determined. In many HRA techniques,

human error is analyzed as though the reliability of a piece of equipment were being

considered (Reason, 1990).

2.1.1 Task Analysis

Task analysis forms the base of human reliability analysis. There are several task

analysis methodologies. The methodologies can focus either on human action or human

cognition. The goal of task analysis is to identify the steps that must be completed to

achieve an end goal. A task analysis can be completed during the design phase of a

facility to identify error-producing design configurations. Task analysis can also be

undertaken during facility operation to identify and reduce risk areas (Embrey, 1994).

Hierarchical task analysis (HTA) is an action-oriented technique. The principle of

HTA is that goals are broken down into a hierarchy of operations and plans. Operations

are the actions that must be completed and plans are the conditions that must exist to

complete the actions. In HTA, the first step is to identify the end goals. The end goals

are then broken down into smaller steps that must be completed to achieve the end goals.

Steps can be action- or cognition-oriented, such as closing a valve or deciding which

13

valve to close. Steps can be broken down several times until a detailed list is available.

Each step must be specific enough to be analyzed for its human error probability (HEP;

Embrey, 1994).

There are several advantages to the use of HTA (Embrey, 1994):

Allows simple task descriptions and economy of resources

Allows focus on safety-critical tasks

If used during the design stage, allows objectives to be analyzed before equipment

is specified

Allows collaboration between analyst and operators who will be responsible for

the tasks

Provides an effective starting point for error analysis

Allows analyst to choose level of task decomposition for which data are available

There are also disadvantages to using HTA (Embrey, 1994):

Practice required to develop the skill necessary to accurately perform HTA

Secondary methods required to analyze complex decision-making or diagnostic

tasks

Time commitment required of busy individuals to perform HTA (supervisors,

operators, analysts, etc.)

2.1.2 Types of Error

There are several types of error relating to the performance level of an individual.

Slips and lapses are errors of a skill-based level. Rule-based errors and knowledge-based

errors follow from their respective levels (Reason, 1990).

Where slips and lapses of attention are concerned, the intention is correct but the

action is not. In this case an action can be an act or lack thereof, and is considered a skill-

based error. Where mistakes are concerned, the act follows the intention, but the

intention is not correct. An operator, either aware or unaware, lacks the knowledge of the

proper action, resulting in a knowledge-based error. Mismatches occur when a task is

beyond the physical or mental ability of the operator in question. This is another example

of a skill-based error. Non-compliance, also called an error of violation, relates to a

14

decision to ignore instructions or accepted practice. This can occur when an operator

believes that the instructions are incorrect or that circumstances require a different action,

and is a rule-based error (Kletz, 2001).

Table 2.1 summarizes the types of errors and their related performance levels.

Table 2.7: Error types and performance levels.

Error Type Performance Level

Slips and Lapses Skill-based

Mistakes Knowledge-based

Mismatches Skill-based

Non-compliances/Violations Rule-based

2.1.3 Human Error Probability (HEP)

A human error probability (HEP) is the probability that a human error is made if a

group of people attempt a similar task. It is not related to the probability of an individual

human error (Kletz, 2001). Human error is defined in Chapter 1. The EER process is

itself a protection layer to mitigate the consequences of a critical event (e.g. a

hydrocarbon release). The human error probability, combined with the probability of

failure of any safety devices, represents the probability of failure of the EER protection

layer at any given step. As such, reliability data for a site’s EER protection layer can be

included in an overall quantitative risk assessment (QRA) of the facility. HEPs are

determined either using expert judgment or empirically using the formula:

HEP = (Number of errors)/(Number of attempts) (2.1)

Often there is insufficient data for the use of Equation (2.1). In such cases, expert

judgment is used to estimate HEPs.

15

2.2 Expert Judgment

Expert judgment follows the principle that factors, called performance-shaping

factors (PSFs), influence the ability to complete an action. When using an expert

judgment technique, there is potential for an evaluator to alter their values and choices to

obtain a more desirable outcome (Kletz, 2001). Steps to avoid the consequences of such

tendencies should be taken when performing expert judgment. Three common expert

judgment techniques are now described.

2.2.1 Success Likelihood Index Methodology (SLIM)

The success likelihood index methodology (SLIM) was originally developed for

the nuclear processing industry. Since its introduction it has also been used in the

chemical process and transport industries. PSFs are the most relevant assessment in

SLIM. In fact, errors can be classified by the PSFs that influence them, rather than vice-

versa as is done in other HRA techniques (Embrey, 1994). SLIM is a resource-intensive

method that uses a number of assessors in a structured manner (Reason, 1990).

The performance of SLIM is as follows (Embrey, 1994):

Group similar PSF-related actions

Decide on relevant PSFs

Rate each action in terms of PSFs

Assign relative weights to PSFs

Calculate success likelihood indices (SLIs)

Convert SLIs to probabilities

Perform sensitivity analysis

Actions that are potentially influenced by the same PSF are classified together.

Closing a valve, opening a valve and fastening devices to equipment may all be

influenced by the same set of PSFs. These actions are classified together (Embrey,

1994).

The assessors choose which PSFs to include in the HEP evaluation. Examples

include stress, level of training or complexity of the action (Embrey, 1994). Unlike other

methods, PSFs themselves have no associated quantifiable effect at this stage.

16

The chosen PSFs are rated by each assessor. For each action, the relevant PSFs

are evaluated separately. A rating scale from 1 (normally the most ideal condition) to 9

(normally the least ideal condition) is used (Embrey, 1994). Assessors rate PSFs based

on specified scenarios (Reason, 1990).

PSFs may also be weighted according to their influence on human reliability for a

set of actions. If it is known that different PSFs for an action do not have equal influence

over the human reliability for that action, weights are used. This is an optional step that

must only be completed by assessors when real knowledge exists of the weighted values.

The weighting of all the PSFs for a given action sum to unity (Embrey, 1994).

The success likelihood index (SLI) is calculated using the formula:

SLIj = ∑RijWi (2.2)

Where i is the PSF in question, j is the task in question, R is the original rating and

W is the weight. The rating of each PSF is converted to the relative rating, a value

between 0 and 1, using the formula:

RR = (1 - │R - IP│)/(4 + │5-IP│) (2.3)

where RR is the relative rating and IP is the ideal value for the rating. The relative

rating and weighting (if applicable) are multiplied for each PSF. The results are then

summed to determine the SLI for a given action (Embrey, 1994).

Conversion of SLIs to HEPs requires calibration. If enough actions in the group

being evaluated have known HEPs, linear regression analysis can be used to determine

the equation of a line of best fit for the HEP data. The actions with unknown HEPs can

then be determined by substituting their SLIs into the linear equation.

If insufficient HEP data exist, then SLIs are converted to HEPs using the formula:

log(HEP) = A*SLI + B (2.4)

where A and B are constants that must be determined. Equation (2.4) requires that

only two actions in the group under evaluation have a known SLI and HEP. Incorporating

17

the SLI and HEP into the above equation for each of the two steps, the assessor can solve

for A and B. Once A and B are determined, the SLIs for all actions with unknown HEPs

are incorporated into the above equation to determine the HEPs (Embrey, 1994).

The SLIM technique requires empirical data of known HEPs in order to be

calibrated (Embrey, 1994). This step is crucial as Equation 2.4 is sensitive to the

constants A and B. This equation has received much criticism and SLIM applications

have experienced some negative results in validation studies (Reason, 1990). It is

recommended by Kirwan (1997b) that further validation of SLIM takes place, as it has

high potential to be a useful HRA technique. The escape phase HEPs for the offshore

EER process have been estimated by DiMattia (2004) using SLIM.

2.2.2 Human Error Assessment and Reduction Technique (HEART)

The human error assessment and reduction technique (HEART) has enjoyed

increasing use in the UK over the last two decades (Kirwan et al., 1996). Developed by

Williams (1988), HEART is a more industry-generic risk assessment tool than its

predecessors (Kirwan, 1996). The technique includes its own quasi-database of error

probabilities.

The performance of HEART is as follows (Kirwan, 1996):

Assign step to a generic error category

Choose generic error probability

Determine any PSFs that apply to the step

Determine the weight of each applicable PSF on the step

Calculate the overall HEP

HEART includes eight generic error categories, each with a qualitative

description and an error probability range. The first step in HEART is to classify an

action into one of these categories. It is understood that an action may satisfy the

qualitative description of multiple categories. To avoid confusion (and pessimistic

results), an assessor begins with the lowest-probability description and works towards the

highest-probability description. The first category that the action satisfies is considered

the generic error category for that action (Williams, 1988).

18

The premise of HEART is that each action has an associated generic error

probability (GEP). Given no error-influencing conditions (i.e. the ‘perfect’ situation), an

action will have a basic probability of error. Each generic error category has a

recommended GEP as well as a range of acceptable GEP values. The assessor chooses

which value to use (Williams, 1988).

A second premise of HEART is that no PSF exists that will decrease the overall

probability of error. Third, rarely in industry will multiple PSFs combine to influence

human reliability for a given action (Williams, 1988). This last point is a more unique

property of HEART, and lends the technique to generate pessimistic results (Kirwan et

al., 1996). An extensive list of potential PSFs, named error-producing conditions (EPCs)

in HEART, is available. It is recommended in the technique that the assessor take a

conservative approach to assigning PSFs. It is also noted in the technique’s description

that certain generic error categories already account for specific EPCs. This is an open-

ended statement that leaves the assessor to decide which EPCs to use and which the

generic error category accounts for. Each EPC has an associated quantitative maximum

effect on the GEP (Williams, 1988).

Once the EPCs are chosen, their weight on the action in question is determined.

This is called the assessed proportion of affect (APOA). The assessed proportion of

affect is a multiplier value between 0 and 1. Each chosen EPC has an APOA (Williams,

1988).

The APOA and EPC are combined in the following formula:

EPC Multiplier = (Maximum effect – 1)*APOA + 1 (2.5)

The resultant value of Equation (2.5) is the EPC in question’s multiplier. The

sum of the EPC multipliers is multiplied by the chosen GEP. The final result is the

overall HEP for the action in question (Williams, 1988).

HEART is intended to be a flexible technique. This is observed when examining

the generic error categories. A given action may fall into multiple GEP categories.

Qualitative descriptions (e.g. at speed) may vary slightly in the assessor’s mind (Kirwan,

1996). This can lead to inconsistency between assessors when choosing GEPs and EPCs.

19

However, despite these inconsistencies, assessors can arrive at similar HEPs (Kirwan et

al., 1996).

An advantage of HEART is that it is designed for single-assessor use, making it a

resource-efficient HRA technique. There exists no formal training for the use of

HEART, and this may contribute to the inconsistency of assessors’ choices. There is also

a lack of instruction in HEART documentation regarding determination of the APOAs

(Kirwan, 1996). HEART has also been demonstrated to have low accuracy when

evaluating errors where a wrong act is committed, or for slips and rule violations

(Kirwan, 1997a). Included in HEART is an inherent risk reduction framework. If a HEP

is too high, then the assessor can determine what steps need to be taken to bring the

action into a lower GEP category (Williams, 1988).

2.2.3 Technique for Human Error Rate Prediction (THERP)

The Technique for Human Error Rate Prediction (THERP) is an expert judgment

technique described by Swain and Guttermann (1983). THERP is the oldest established

human error analysis technique. Originally developed for military applications, it was

adapted for use in the nuclear power industry (Embrey, 1994). THERP has been subject

to the most criticism of the HRA techniques, yet has also received praise and use

(Reason, 1990).

An advantage of THERP is that it contains an internal database of human error,

which is altered by assessors to evaluate specific scenarios. THERP requires assessor

training to use and is a time and resource-intensive method (Kirwan, 1996).

The performance of THERP is as follows (Kirwan, 1996):

Decompose task into steps

Assign generic HEPs to each step

Determine the effects of relevant PSFs on each element

Calculate the effect of dependence between steps

Model a Human Reliability Analysis Event Tree

Quantify the total step HEP

20

It is noted that THERP uses an additional task analysis step, where individual

assessors determine the breakdown of steps into elements. Different assessors can break

steps into different elements for evaluation.

THERP uses a generic human error probability called the basic nominal human

error probability (BHEP). The BHEPs are included in THERP’s internal database. As

the name suggests, a BHEP is the basic probability of a human error for an action,

without examining situational factors. The BHEP is based on the type of action (Kirwan,

1996). BHEPs are found in the THERP operating manual. Each generic HEP has a

qualitative description and a quantitative value. These qualitative descriptions are

detailed and add robustness to THERP (Kirwan, 1996). THERP evaluations consider

human error both alone and in conjunction with any equipment or procedures that are

relevant for a given action (Reason, 1990).

PSFs are chosen and their effects on the HEP are evaluated qualitatively by the

assessor. Each PSF has an associated maximum value. A fraction of the maximum value

is multiplied by the generic HEP determined from the previous step. The fraction of the

maximum multiplier is decided by the assessor based on the relevance the PSF has on the

action in question. PSF selection and evaluation is a source of inconsistency between

assessors, as this step is based on the expertise and experience of the individual assessor

(Kirwan, 1996). However, a validation study by Kirwan et al. (1997) demonstrated that

even with variation of usage by assessors, quantitative HEP values can be consistent.

Dependency between actions is also evaluated in THERP, a step that is not used

in all techniques. The HEP of an action may be influenced by the outcome of a previous

action. In such case, the relationship between the actions in question must be determined.

Dependency analysis allows for more realistic HEP values (Kirwan, 1996).

Event trees are described in Section 2.5.2. They are used in THERP to determine

the overall HEP of a given action. The action and relevant procedures or equipment are

placed on the event tree, each with their probabilities of failure. The action and each

procedure or piece of equipment are considered individual nodes. Probability of success

and probability of failure for each node sum to unity. The failure probabilities are

multiplied to determine the final HEP for the action in question. Figure 2.1 is an example

of a THERP event tree.

21

Criticisms of THERP include unreliability of generic probabilities derived from

expert judgment and limited functionality with external error modes. The validity of

THERP is considered as questionable outside of use by the technique’s authors and

immediate collaborators. Revisions to THERP include a more time-dependent approach

to error determination. This approach is based on simulation data in an attempt to

improve the robustness of the technique. The revisions also allow for increased detail for

cognitive errors, such as misdiagnosis, or ‘right action on wrong object’ errors (Reason,

1990).

2.3 Accidental Risk Assessment Methodology for Industries (ARAMIS)

The accidental risk assessment methodology for industries (ARAMIS) is a risk

assessment and reduction tool developed in response to the Seveso II directive (Anderson

et al., 2004). ARAMIS includes both comprehensive risk assessment and reduction tools

within its methodology. It is itself a combination of deterministic and probabilistic risk

assessment techniques.

Many QRA techniques represent risk as a function of the frequency of a critical

event and its consequences. ARAMIS uses three items: the frequency of a critical event,

the intensity of the critical event and the vulnerability of the element in question. The

element can be a process plant and its surrounding area, warehouse, office building, etc.

The severity of a critical event is defined as the product of its intensity and frequency of

occurrence. The damage caused by a critical event is the product of its intensity and the

element in question’s vulnerability. The risk of a critical event is the product of its

frequency, intensity and the vulnerability of the element in question. One of the main

premises of ARAMIS is that the probability of a critical event is a function of the

probability or frequency of an initiator and the reliability and efficiency of any relevant

safety barriers (Salvi and Debray, 2006).

22

Figure 2.1: THERP event tree (Swain and Guttman in Embrey, 1994).

The following steps are performed in ARAMIS (Salvi and Debray, 2006):

Identify major accident hazards

Identify and assess quality of safety barriers

Evaluate safety management efficiency

Identify reference accident scenarios (RASs)

Assess and map the severity (frequency and intensity) of RASs

S1 F1 = 10-2

.99 Correct Pair of Switches

10-2 Wrong Pair of Switches

A

.9999 Take Action

10-4 No action until alarm (3 people)

.999 Take Action

10-3 Failure to initiate action within 2 minutes after alarm

10-2 Wrong pair of switches

.99 Correct pair of switches

F2 = 10-6S2

F3 ≤ 10-5

Step not done in time

FT = F 1+ F2 + F3 ≈ 10-2

23

Evaluate and map the vulnerability of the element’s surroundings

The identification of major accident hazards (MIMAH) occurs through the use of

bow-tie diagrams (see Section 2.5). MIMAH is a systematic method used to identify

potential hazards (Salvi and Debray, 2006).

Requirements for safety barriers are determined using a risk graph. The risk

graph is used to set clear risk reduction goals and to prioritize risk reduction. The risk

graph includes four parameters: the consequence severity of a critical event, the total

time an element is exposed to the risk, the potential for recovery and the frequency or

probability of occurrence of the critical event (Salvi and Debray, 2006). The risk graph is

shown in Figure 2.2.

The four parameters C, F, D and Human Error Probability act together to determine

the reliability (in ARAMIS, the level of confidence) required of safety barriers to bring

the risk into a tolerable if as low as reasonably practicable (ALARP) region. The

parameter C is the consequence severity of the critical event, F is the frequency of

exposure to the risk (F1 constitutes an exposure equal to at least ten percent of the total

operating time, F2 is an exposure of less than ten percent of the operating time), D is the

potential to avoid damage should the critical event occur, X is the resultant row from the

values of C, F and D and Human Error Probability is the estimated HEP. A risk is

ALARP if it can be shown that reasonable effort has been taken to ensure that it is as low

as practicality allows. Cost-benefit analysis can be used to show that to further reduce

the risk a small amount, costs would be unreasonably high; see for example Salvi and

Debray (2006) and DNV (2002). There are four types of safety barriers: inherent,

passive, active and procedural. Inherent safety barriers prevent a critical event from

occurring. Passive, active and procedural barriers either reduce the probability of a

critical event occurring or control its consequences. All passive, active and procedural

barriers have an associated level of confidence (LC). This is the mathematical reliability

of the safety barrier. A barrier with an LC of x will reduce the risk of a critical event by a

factor of 10-x. Active barriers also have an efficiency and response time. The efficiency

of an active barrier is the degree to which it limits the probability of the critical event or

24

Human Error Probability

0.1-1

0.01-0.1

0.001-0.01 <0.001

1 2 3 4

P1 P2 P3 P4

C1 X1 --- --- --- ---

D1 X2 a --- --- ---

F1

D2

C2 X3 1 a --- ---

D1

Risk F2

Analysis

F1 D2

C3 X4 2 1 a ---

D1

F2

F1 D2

C4 X5 3 2 1 A

D1

F2

D2 X6 4 3 2 1

Figure 2.2: Risk Graph (Anderson et al., 2004).

the severity of the consequences. The response time is the time it takes to achieve full

operation of the active barrier once it is strained.

A premise of ARAMIS is that safety culture and management have an effect on

risk control. An audit is performed of the elements involved in the life-cycle of a safety

barrier (e.g. design, installation, maintenance, etc.). An audit of the safety culture is

25

performed through employee surveys. These two audits are used to adjust the level of

confidence of the safety barrier to a more inclusive value. One advantage of this method

is that it identifies areas where safety management systems can be improved (Salvi and

Debray, 2006). Another advantage is that by including a company/plant’s safety culture

in the risk evaluation, the gap between real and perceived risk can be reduced.

Reference accident scenarios are described using the methodology for reference

accident scenarios (MIRAS) in ARAMIS. Reference accident scenarios are developed

from the major accident hazards identified by MIMAH (Anderson et al., 2004).

The elements defined in each reference accident scenario include (Anderson et al.,

2004):

Safety systems involved

Safety management system (SMS)

Frequency or probability of occurrence of the reference accident

Consequence severity of the reference accident

Major accident hazards are assessed for their frequency of occurrence and

consequence severities.

After each RAS is defined, the severity (frequency and intensity) is assessed and

mapped. The frequency and intensity of each RAS is evaluated to determine a severity

index. The severity index is a rating of the effects of a critical event, ignoring the

vulnerability of the element in question. The severity index is determined from the major

hazards and associated dangerous phenomena identified for a RAS using MIMAH in a

previous step. Effects of dangerous phenomena include (Anderson et al., 2004):

Thermal radiation (continuous or instantaneous)

Blast effects

Missiles

Toxic effects

Each of these effects has an associated threshold level outlined in the ARAMIS

user guide (Anderson et al., 2004). The severity index relates to varying levels of

consequence severity. The severity index is also a function of distance from the point of

the critical event in question. Severity mapping shows a picture of the severity of a

critical event in relation to its radius.

26

The vulnerability of the area surrounding the project site is also evaluated. The

vulnerability of an area is determined by evaluating its targets: human, environment and

material. Vulnerability mapping provides a complement to severity mapping in

determining consequences (Anderson et al., 2004).

2.4 Hazard and Operability Study (HAZOP)

A hazard and operability study (HAZOP) is a hazard identification technique

based on the use of guidewords to systematically identify all hazards. It is not limited to

process hazards, but can also be applied to procedures and other operations (Cameron and

Raman, 2005). In the current work, a procedural HAZOP of the EER process is

considered.

HAZOP is one of the most common tools in hazard identification and risk

assessment. It is performed at the design stage of a facility or when major changes are to

be implemented. It is done in the early stages of a facility to ensure that the design and

subsequent procedures account for any and all relevant hazards in the facility’s operation.

It is more cost-efficient to invest in a HAZOP to predict potential problems than it is to

discover problems during operation. It is also more likely that hazards identified at the

design stage will be rectified in a timely and efficient manner. A HAZOP is performed

by a varied group of facility personnel to ensure a thorough examination of all of the

facilities’ functions. An individual experienced in the HAZOP technique and group

facilitation leads the HAZOP (Cameron and Raman, 2005).

The goals of HAZOP are as follows (Cameron and Raman, 2005):

Identify all possible deviations from intended operation of each facility

system/subsystem

Determine the consequences of the deviations

Develop design and procedural safeguards to control the consequences

When a process facility is concerned, such as an offshore drilling installation or a

floating production, storage and offloading vessel (FPSO), the HAZOP examines the

entire design and function of the facility. The review team examines the facility layout

plans as well as piping and instrumentation diagrams (P&IDs).

27

For a procedural HAZOP, each task in a procedure, as well as any equipment

involved in the procedure, are examined. Intentions of each task and interaction with

equipment are assessed for potential deviations. The consequences are determined and

safeguards in the form of facility, equipment or procedural design changes are suggested.

The following are steps for a HAZOP (Cameron and Raman, 2005):

Choose element (pipeline, piece of equipment or procedure)

Identify guideword set

Apply each guideword to element in turn

Identify all potential causes of any deviation

Identify all potential consequences (immediate and delayed) of each deviation

Identify all possible safeguards (existing and potential)

Document results

Repeat until all elements have been examined

Perform a HAZOP overview of the layout and function of the facility

HAZOP is widely used as an industry standard in identifying hazards for a

facility. Indeed, hazards that are not identified in a HAZOP have been encountered

during the operation phase of a facility. Hazardous situations that have not been

experienced before or that are outside of the knowledge of the review team may not be

identified by a HAZOP (Cameron and Raman, 2005).

2.5 Bow-Tie Method

A bow-tie is composed of a fault tree and an event tree connected at the same

critical event. It can give an overall picture of risk reduction, incorporating both failure

modes leading to a critical event and the consequences that ensue (Cameron and Raman,

2005). Bow-ties are demonstrated in Chapter 6.

2.5.1 Fault Tree (FT) Method

A fault tree is a diagram that relates a critical event to its causes. The critical

event is chosen first. Next, the assessor identifies the immediate causes of the critical

event. The events that lead to each of the immediate causes are identified until all

contributing factors have been identified. Fault trees use ‘and’ and ‘or’ gates to relate

28

contributors, or nodes, to the critical event. Probabilities can be associated with each

node. Probabilities from ‘and’ gates are multiplied together and probabilities from ‘or’

gates are summed to determine the overall probability of the critical event. In other

words, all events under an ‘and’ gate must occur in order for its related critical event to

occur. In the case of an ‘or’ gate, only one of the events leading to the critical event must

occur (Cameron and Raman, 2005). Figure 2.3 is an example of a fault tree.

Figure 2.3: Fault tree (Cameron and Raman, 2005).

2.5.2 Event Tree (ET) Method

An event tree is a diagram that relates a critical event to its consequences. The

critical event is chosen first. Potential safeguards are evaluated in turn to determine the

outcome of the critical event. Safeguards are examined as nodes in the order in which

they are stressed. In most cases, the safeguards are evaluated on a pass/fail basis. In

certain cases, however, there can be multiple options relating to partial operation of a

safeguard. The consequence severity of a critical event varies depending on any

safeguards that are included in the analysis. The critical event itself has an associated

probability of failure (see Section 2.5.1). Each safeguard has a probability of failure.

The probability of failure (or success, depending on which situation is being evaluated) of

each safeguard is combined with the probability of the critical event to determine the

overall probability of each outcome (Cameron and Raman, 2005). Figure 2.1 is an

example of an event tree. The critical event, A, is divided into its causes, F. The

Ammonia tank overfilled

OR

Level Indicator Fails

Local operator fails to isolate

29

probabilities related to the causes are combined to determine the probability of the critical

event.

30

Chapter 3 ESCAPE RISK ASSESSMENT

The first phase of the EER process is the escape, or muster, phase. The goal of

the escape phase is to achieve distance from the EER-initiating event and to gather at a

designated safe area. For many onshore facilities, whether they are oil and gas

processing, chemical processing or even office buildings, the escape phase and the

evacuation phase are combined. In such cases, evacuation is the act of leaving the

building and gathering at a designated safe area, similar to the escape phase. In offshore

environments, evacuation is a more complex and involved process. In either case,

individuals in the escape phase must maintain composure and move safely away from the

critical event toward a designated safe area, or temporary safe refuge (TSR). DiMattia

(2004) has divided the offshore escape phase into several sub-phases: awareness,

evaluation, egress and recovery. In the awareness phase, individuals identify alarms and

maintain composure. In the evaluation phase, individuals determine the urgency of the

situation. If there is time, there are secondary tasks to be completed during evaluation.

In the case of offshore installation escape, this includes making the work area safe for

egress and returning process equipment to a safe state to avoid escalation of the

emergency. In the egress sub-phase, movement to the TSR is accomplished. During this

time, individuals must listen for PA announcements detailing the emergency, where on

the installation to avoid, where to gather, what evacuation equipment to use, and other

information relevant to the situation. Individuals may be required to provide assistance to

others trying to egress or gather safety equipment. In the recovery sub-phase, individuals

register at the TSR, provide feedback on the situation to persons in charge and follow any

instructions given. For onshore buildings, the TSR is usually outdoors and away from

facilities. For offshore installations, the TSR is on the installation. Therefore, extra tasks

in the recovery sub-phase, including donning survival equipment in case of evacuation,

are required (DiMattia, 2004).

31

3.1 Human Error Probability

HEP analysis of the escape phase has been performed by DiMattia (2004). The

escape phase tasks, scenarios and subsequent HEPs were determined using SLIM. The

identified escape-initiating scenarios encompass the full range of severity for offshore

emergencies. They include a man overboard (MO), gas release (GR) and fire and

explosion (F&E) scenario. The result is an index tool that can be used to evaluate escape

phase HEPs for any defined scenario, the human error probability index (HEPI).

DiMattia (2004) identified 18 tasks to be completed in the escape phase of EER. Several

PSFs were determined using a core group of assessors. The PSFs chosen for evaluation

were:

Stress level

Operator training

Operator experience level

Complexity of the task in question

Event factors – properties of the initiating event

Atmospheric factors – weather, environment, etc.

Once the PSFs were chosen, they were weighted and rated by a wider group of

assessors according to SLIM. The final evaluation for each of the three escape phase

scenarios is shown in Table 3.1. Escape task 13 was not evaluated by assessors.

3.2 Consequence Analysis

Risk is a function of the probability of a critical event and its consequences. An

analysis of the consequences of a critical event is essential in gathering information about

its risk. Analysis can either lead to qualitative descriptions of consequences or

quantitative values where applicable.

3.2.1 Consequence Table

Each of the tasks identified by DiMattia (2004) has been analyzed for its

consequences. There are four categories of consequences for the escape phase. They are

the effect of human error on: personnel health, the quality of egress, the severity of the

32

escape-initiating incident in question, and other personnel on board (POB). Consequence

severities range from 1 - 4, as shown in Table 3.2.

Table 3.1: Escape phase HEPs.

Muster Step HEP

MO GR F&E 1. Detect alarm 0.00499 0.0308 0.396

2. Identify alarm 0.00398 0.0293 0.386

3. Act Accordingly 0.00547 0.0535 0.448

4. Ascertain if danger is imminent

0.00741 0.0765 0.465


0.00589 0.0706 0.416


0.00866 0.0782 0.474


0.00903 0.0835 0.489


0.00507 0.0605 0.420


0.00718 0.0805 0.476

10. Move along egress route 0.00453 0.0726 0.405


0.00677 0.0788 0.439


0.00869 0.1000 0.500


- - -


0.01010 0.0649 0.358

15. Register at TSR 0.00126 0.0100 0.200


0.00781 0.0413 0.289


0.00517 0.0260 0.199

18. Follow OIM's instructions 0.00570 0.0208 0.210

33

Table 3.2: Consequence severity descriptions.

Severity Health Egress Muster

Initiator Other POB


2

Likely to result in Minor Injury


Raises muster initiator to level that causes minor delays in reaching TSR

Slightly to Moderately delays others from reaching TSR or completing TSR actions

3

Likely to result in Major Injury

Moderately delays reaching TSR or completing TSR actions





Raises muster initiator to severity where muster is no longer possible

Prevents others from reaching TSR or having a dry evacuation

Consequence severities for each task were determined empirically by analyzing

major investigations from similar past incidents. The man overboard, gas release, and

fire and explosion scenarios identified by DiMattia (2004) were evaluated separately.

Each of the four consequence categories was evaluated. The overall consequence

severity for an escape task is equal to the highest consequence severity of its individual

categories. For example, escape task 17, ‘don personal survival suit or TSR survival suit

if instructed to abandon’, has a health consequence severity of 4 and ‘muster initiator’,

‘egress’ and ‘other POB’ consequence severities of 1 for a fire and explosion scenario.

Therefore, the overall consequence severity is 4.

Man overboard consequences were determined primarily using incident report

data from the UK continental shelf (UKCS). Reports on the UKCS from five databases,

including the worldwide offshore accident database (WOAD) and ORION were collected

34

by Det Norske Veritas (DNV 2007a, 2007b). The reports provided little data on the

results of the escape phase or any rescue operations. Survival in these reports is mainly

attributed to: promptness of reaction of nearby personnel or fast-rescue craft (FRC), the

individual swimming to a platform leg to be retrieved by other personnel, or a safety

harness that had been attached to the individual prior to falling overboard. Two

important points were identified through analysis of these reports. First, timeliness is

essential in rescuing individuals who have fallen overboard. Nearby personnel may throw

life rings or pull the individual from the water. Also, an FRC may be deployed for

retrieval. Second, in terms of the escape phase of the EER process, human error during a

man overboard initiator has negligible consequences. An exception is task 14, ‘assist

others as needed or if directed’.

Consequence severities for the gas release and fire and explosion scenarios were

determined using major incident investigations from industry, such as the Ocean Odyssey

(Robertson and Wright, 1997) and Piper Alpha (Vinnem, 2007) incidents. The

investigations used were for incidents comparable to the gas release and fire explosion

scenarios evaluated by DiMattia (2004) and Deacon et al. (2010). Incidents with

different initiators that provided relevant information were also included. An example is

the Ocean Ranger investigation (US Coast Guard, 1983). While listing or capsizing was

not evaluated as a scenario in the current work, details about the survivability of

individuals provided in the Ocean Ranger report are relevant in any scenario where

individuals must enter the water. Thus, the consequences of escape step 17, ‘don

personal survival suit if instructed to abandon’, were determined using the Ocean Ranger

report (US Coast Guard, 1983). Tables 3.3 - 3.5 show the consequence severities for

each category and scenario. Table 3.6 shows a comparison of overall consequence

severities between scenarios (Deacon et al., 2010). Each task has been identified

according to the skill (S), rule (R) or knowledge (K) performance levels as described by

DiMattia (2004).

35

Table 3.3: Consequence severities for MO scenario (adapted from Deacon et al., 2010).

Escape Task Health

(H)

Muster Initiator

(MI)

Egress (E)

Other POB

(OPOB)

Overall Rating (OR)

Reference

1. Detect alarm (S) 1 1 2 1 2 DNV (2007a,

2007b)

2. Identify alarm (R) 1 1 2 1 2 DNV (2007a,

2007b)

3. Act accordingly (S) 1 1 2 1 2 DNV (2007a,

2007b)

4. Ascertain if danger is imminent (K) 1 1 1 1 1

DNV (2007a, 2007b)

5. Muster if in imminent danger (R) 1 1 1 1 1 DNV (2007a,

2007b)

6. Return process equipment to safe state (K) 1 2 1 1 2

DNV (2007a, 2007b)

7. Make workplace as safe as possible in limited time (K) 1 1 1 2 2

DNV (2007a, 2007b)

8. Listen and follow PA instructions (K) 1 1 1 2 2

DNV (2007a, 2007b)

9. Evaluate potential egress paths and choose route (K) 1 1 1 1 1

DNV (2007a, 2007b)

10. Move along egress route (K) 1 1 1 1 1 DNV (2007a,

2007b)

11. Assess quality of egress route while moving to TSR (K) 1 1 1 1 1

DNV (2007a, 2007b)

12. Choose alternate route if egress path is not tenable (K) 1 1 1 1 1

DNV (2007a, 2007b)

13. Collect personal survival suit if in accommodations at time of muster (R)

1 1 1 1 1 DNV (2007a,

2007b)

14. Assist others if needed or as directed (K) 1 1 1 4 4

DNV (2007a, 2007b)

15. Register at TSR (R) 1 1 1 2 2 DNV (2007a,

2007b)

16. Provide pertinent feedback attained while en route to TSR (K) 1 1 1 2 2

DNV (2007a, 2007b)

17. Don personal survival suit or TSR survival suit if instructed to abandon (R)

1 1 1 1 1 DNV (2007a,

2007b)

18. Follow OIM's instructions (R) 1 1 1 1 1 DNV (2007a,

2007b)

36

Table 3.4: Consequence severities for GR scenario (adapted from Deacon et al., 2010).

Escape Task H MI E OPOB OR Reference

1. Detect alarm (S) 1 1 2 1 2

Robertson & Wright(1997;

p3,4),Moan et al. (1981; p7,8)

2. Identify alarm (R) 1 1 2 1 2

Robertson & Wright(1997; p3,4), Moan et al. (1981;

p7,8)

3. Act accordingly (S) 4 2 1 4 4 Vinnem(2007; p94)


Vinnem(2007; p83,89)

5. Muster if in imminent danger (R) 3 1 3 1 3

Vinnem(2007; p83,89)

6. Return process equipment to safe state (K) 3 4 3 1 4

Vinnem(2007; p 79-95)

7. Make workplace as safe as possible in limited time (K) 1 1 1 3 3

Moan et al. (1981; p156-158)


Robertson & Wright(1997; p3,4)


Vinnem(2007; p91), Robertson &

Wright(1997; p4,5)

10. Move along egress route (K) 3 1 3 1 3


Wright(1997; p4,5)

11. Assess quality of egress route while moving to TSR (K) 3 1 3 1 3


Wright(1997; p4,5)

12. Choose alternate route if egress path is not tenable (K) 3 1 3 1 3


Wright(1997; p4,5) 13. Collect personal survival suit if in accommodations at time of muster (R)

3 1 1 1 3 DNV (2007a,

2007b)


DNV (2007a, 2007b)

15. Register at TSR (R) 1 1 1 3 3 Robertson & Wright(1997;

p6,28) 16. Provide pertinent feedback attained while en route to TSR (K)

1 1 1 3 3 Vinnem(2007; p87),



4 1 1 1 4 DNV (2007a,

2007b)

18. Follow OIM's instructions (R) 3 1 1 1 3

DNV (2007a, 2007b)

37

Table 3.5: Consequence severities for F&E scenario (adapted from Deacon et al., 2010).

Escape Task H MI E OPOB OR Reference

1. Detect alarm (S) 1 1 2 1 2 Robertson & Wright(1997; p3,4), Moan et al. (1981;

p7,8)

2. Identify alarm (R) 1 1 2 1 2 Robertson & Wright(1997; p3,4), Moan et al. (1981;

p7,8)

3. Act accordingly (S) 4 2 1 4 4 Vinnem(2007; p94)


Vinnem(2007; p94), Robertson & Wright(1997; p11), Moan et al. (1981;

p155-160)

5. Muster if in imminent danger (R) 4 1 4 3 4

Vinnem(2007; p84,87-89,91), Robertson &

Wright(1997; p4)

6. Return process equipment to safe state (K) 4 4 4 4 4 Vinnem(2007; p79-95)

7. Make workplace as safe as possible in limited time (K)

1 1 1 3 3 Moan et al. (1981; p156-

158)




3(p4,6), Moan et al. (1981; p155-160)

10. Move along egress route (K) 4 1 4 1 4

Robertson & Wright(1997; p4,6), Moan et al. (1981;

p155-160) 11. Assess quality of egress route while moving to TSR (K)

4 1 4 1 4 Robertson & Wright(1997;

p4), Moan et al. (1981; p155-160)

12. Choose alternate route if egress path is not tenable (K)

4 1 4 1 4

Vinnem(2007; p91), Robertson & Wright(1997; p4,5), Moan et al. (1981;

p155-160)


4 1 1 1 4 Robertson & Wright(1997;

p16,17)


Robertson & Wright(1997; p7,8,18,19)

15. Register at TSR (R) 1 1 1 3 3 Robertson & Wright(1997;

p6,28)

16. Provide pertinent feedback attained while en route to TSR (K)

1 1 1 4 4 Vinnem(2007; p87),



4 1 1 1 4 US Coast Guard (1983;

Part I p2-4), Vinnem(2007; p84,91)

18. Follow OIM's instructions (R) 4 1 1 4 4

US Coast Guard (1983; Part I p8-10)

38

Table 3.6: Overall consequence severities (adapted from Deacon et al., 2010).

Escape Task MO GR F&E

1. Detect alarm (S) 2 2 2

2. Identify alarm (R) 2 2 2

3. Act accordingly (S) 2 4 4

4. Ascertain if danger is imminent (K) 1 3 4

5. Muster if in imminent danger (R) 1 3 4

6. Return process equipment to safe state (K)

2 4 4

7. Make workplace as safe as possible in limited time (K)

2 3 3

8. Listen and follow PA instructions (K)

2 3 4

9. Evaluate potential egress paths and choose route (K)

1 3 4

10. Move along egress route (K) 1 3 4

11. Assess quality of egress route while moving to TSR (K)

1 3 4

12. Choose alternate route if egress path is not tenable (K)

1 3 4


1 3 4

14. Assist others if needed or as directed (K)

4 3 4

15. Register at TSR (R) 2 3 3

16. Provide pertinent feedback attained while en route to TSR (K)

2 3 4


1 4 4

18. Follow OIM's instructions (R) 1 3 4

To reduce the consequence severity for a particular task, the highest consequence

category must be reduced. This can be a single category or multiple categories. For

example, escape task 12, ‘choose alternate route if egress path is not tenable’ of the fire

and explosion scenario has a consequence severity of 4 for the health and egress

categories. In order to reduce the overall consequence severity for task 12, the

consequences of both the health and egress categories must be reduced.

3.2.2 Procedural HAZOP

39

A procedural HAZOP, discussed in Chapter 2, was used to evaluate potential

causes of human error, called failure modes. Potential consequences are also identified

via a procedural HAZOP. Safeguards to protect against failure modes or consequences

are included. The procedural HAZOPs for two of the escape tasks are shown in Tables

3.7 and 3.8. They were adapted from DiMattia (2004) and are found in Deacon et al.

(2010). A notable addition is the division of safeguards into prevention barriers and

mitigation barriers, as per the bow-tie concept discussed in Chapter 2. The following

HAZOP guidewords are addressed:

No – the required action or diagnosis is not attempted or completed

Part of – the required action or diagnosis is attempted and only partially

completed

Other than – a different action or diagnosis other than the one required is

completed

Late – the required action or diagnosis is completed after an extended amount of

time

More – the required action or diagnosis is completed to a further extent than

necessary, exposing personnel to unnecessary risk

Early – the required action or diagnosis is prematurely completed

Before/After – the required action or diagnosis is completed out of sync with

other critical tasks

The potential safeguards identified by the procedural HAZOP are evaluated in the

risk reduction stage to determine their reliability and effect on the risk of the task in

question (see Chapter 6).

3.3 Risk Estimation

The tolerability of risk for EER tasks is determined using a risk matrix. The

International Organization for Standardization (ISO) standard 17776 risk matrix (DNV,

2002) is

40

Table 3.7: Procedural HAZOP for escape task 1, 'detect alarm' (Deacon et al., 2010).

Guideword Description Consequence Prevention Barriers Mitigation Barriers

No Operator does not hear alarm/alarm not sounded

Injury/loss of life

Entrapment in a dangerous area; difficult to be rescued


Inherent Elimination of obstructions

near alarms Minimal number of loud

machines on board Minimal number of

electrically dependent alarms

Active Engineered Alarm systems strategically

placed to cover all areas Redundancy through both

audio and visual enunciation Push-button alarms in

strategic locations

Procedural Personnel equipped with two-

way radios Review of new technology,

applications and standards Preventative maintenance

(PM), testing, severe-weather monitoring

Personnel familiarized with alarms

Muster training at infrequent intervals

Enlisting of feedback on alarm effectiveness

CCR operators trained to limit and remove inhibits immediately

Procedural Buddy system

for new personnel



Part of -

Other than -

Late Operator does not hear alarm immediately


Loss of life Loss of

critical time to respond to problems that initiated the alarm

Entrapment in a dangerous area; difficult to be rescued

More -

Early -

Before/After -

41

Table 3.8: Procedural HAZOP for escape task 15, 'register at TSR' (Deacon et al., 2010).

Guideword Description Consequences Prevention

barriers Mitigation

barriers

No Operator does not register at TSR

Miscommunication Unnecessary rescue

attempt, putting more lives at risk

Inherent Multiple

registration stations to minimize line-ups

Minimal number of people in each registry location for ease of evacuation

Active Engineered Battery

operated registry system in case of power failure

Swipe card registration system

Procedural Signage in TSR

reminding all individuals to register immediately


Competency testing

Behavioural testing to determine panic potential

Active Engineered Tracking

device on all POB

Procedural Inexperienced

individuals teamed with experienced personnel for a defined period of time



Part of Operator begins registration task but does not complete

Other than -

Late Operator arrives at TSR but does not immediately register

More Operator registers multiple people at TSR

Miscommunication Endangering

personnel who have not yet completed muster

Early Operator instructs someone else to register for operator before they arrive

Before/After -

42

shown in Appendix A. The ISO standard 17776 matrix incorporates the qualitative

frequency of occurrence of a critical event.

Frequency of critical event categories has been converted to probability of critical

event in Deacon et al., (2010). This was done through comparison with the quantitative

risk ranking matrix developed by IMO (DNV, 2002; see Appendix A).

The risk matrix is used to identify the level of risk of a critical event. The

consequence table is incorporated with probabilities of occurrence of the critical event in

question. The probabilities of occurrence are divided into four ranges to create a 4x4 risk

matrix. These ranges are adapted from the ISO 17776 risk matrix and the IMO risk

ranking matrix. The risk is reduced in the risk matrix by lowering the probability so that

the risk moves to a lower region, lowering the consequence so that the risk moves to a

lower region, or both. Figure 3.1 is the risk matrix used in the current work (Deacon et

al., 2010).

If a risk is in the ‘broadly acceptable’ region, the current safety measures are

adequate in controlling the risk. Monitoring for opportunities for continued improvement

should be undertaken regularly. The second region is the ‘tolerable if as low as

reasonably practicable (ALARP)’ region. In this region, if further risk reduction

measures provide minor results and are financially debilitating, then the risk is considered

tolerable. Cost-benefit analysis can be used to show that a risk is ALARP. The third

region is the ‘intolerable’ region. Tasks with risk in this region are considered

unacceptable and must either have the risk reduced to at least the ‘tolerable if ALARP’

region or the task should be discontinued.

The HEPs and consequence severities for the escape phase of EER were

combined in the human error risk matrix by Deacon et al. (2010). The overall

consequence severity for each escape phase task and escape scenario (DiMattia, 2004)

were evaluated. The risk category for each escape phase task of the fire and explosion

scenario is shown in Table 3.9.

43

Consequence Rating

HEP 1 2 3 4

0.001-0.01

0.01-0.1

0.1-0.5

0.5-1

Broadly Acceptable

Tolerable if ALARP

Intolerable Figure 3.2: Human error risk matrix.

The next step is risk reduction analysis for high risk tasks. The current work uses

a risk graph to identify the required reliability of incorporated safety measures to reduce

high risk tasks to a ‘tolerable if ALARP’ level. The risk reduction mechanism is

discussed further in Chapter 6. It is assumed that by preparing for the most severe

scenario (i.e. a fire and explosion scenario), less severe scenarios are also accounted for.

Therefore, only the fire and explosion scenario is evaluated for risk reduction for the

escape phase.

44

Table 3.9: Risk level for escape phase tasks for fire and explosion scenario.

Escape Task HEP Consequence Risk Level

1. Detect alarm 0.396 2 ALARP

2. Identify alarm 0.386 2 ALARP

3. Act accordingly 0.448 4 Intolerable

4. Ascertain if danger is imminent 0.465 4 Intolerable

5. Muster if in imminent danger 0.416 4 Intolerable


0.474 4 Intolerable


0.489 3 ALARP


0.420 4 Intolerable


0.476 4 Intolerable

10. Move along egress route 0.405 4 Intolerable

11. Asses quality of egress route while moving to TSR

0.439 4 Intolerable


0.500 4 Intolerable


- 4 -


0.358 4 Intolerable

15. Register at TSR 0.200 3 ALARP


0.289 4 Intolerable


0.199 4 Intolerable

18. Follow OIM's instructions 0.210 4 Intolerable

45

Chapter 4 EVACUATION RISK ASSESSMENT

The second phase of the EER process is evacuation. Evacuation is the movement

away from the facility until a reasonably safe distance is achieved. For onshore

buildings, the escape and evacuation phases can be combined. Onshore buildings include

oil and gas processing, chemical processing, residential or commercial buildings, etc.

Often the safe refuge for onshore buildings is a safe distance for evacuation. Offshore

installations, however, include a separate mode of movement once the escape phase is

complete.

Offshore evacuation can occur by walking across a bridge link to a nearby

facility, by helicopter, or by movement through the sea. Some installations are connected

to others by a bridge that allows individual movement between installations. Movement

from an evacuating installation to a neighbouring installation via a bridge link is similar

to the movement to a TSR from an escape initiator (see Chapter 3). Bridge link

evacuation is the most ideal form of leaving an offshore installation. A second choice is

air evacuation by helicopter. Individuals must move to the helipad and communicate

with the incoming pilot, maintaining composure to avoid injury or equipment damage

during evacuation.

If bridge link or helicopter evacuations are not available, then evacuation must

occur by sea. If possible, a totally enclosed motor-propelled survival craft (TEMPSC)

should be used. The advantage of a TEMPSC is the added engine power for moving

through the sea and away from the installation. A coxswain must be designated for each

TEMPSC. Individuals move to the TEMPSC, prepare it to be dropped into the water,

inform rescue personnel of launch, and move towards a designated rescue area. Life

boats with paddles can also be used. Evacuation with life boats can prove more difficult

than with TEMPSCs, especially in harsh sea conditions. If possible, life boat personnel

should scan the sea for overboard survivors to aid or other lifeboats to attach to. If no

other means are available, individuals can also jump directly into the sea. It is important

to move to the lowest platform possible before attempting a jump. Individuals must also

46

assess the potential for any contaminants in the area and jump feet-first, away from the

platform into the water. Survival suits are essential for direct-to-sea evacuation, and

individuals must scan the sea for any rescue opportunity.

4.1 Human Error Probability

Hierarchical task analysis (HTA) was used to identify the tasks required for

evacuation of an offshore oil and gas processing installation. HTA is described in

Chapter 2. The research team combined technical knowledge of the offshore evacuation

process with a previous analysis of the offshore EER process in the UK (Kennedy, 1993).

The HTA of evacuation tasks is shown in Figure 4.1.

1.0 Prepare to evacuate

1.1 Check wind speed, direction and sea state

1.2 Instruct personnel and maintain control

1.3 Issue sea sickness tablets

2.0 Evacuate installation – do one of 2.1-2.5; priority in descending order

2.1 Evacuate via bridge link

2.2 Evacuate via helicopter

2.2.1 Move to helideck

2.2.2 Establish communication with pilot


2.2.4 Board helicopter

2.2.5 Don flight suit, aviation life jacket and secure seatbelt

2.3 Evacuate via TEMPSC (totally enclosed motor-propelled survival craft)

2.3.1 Ensure sea-worthiness of TEMPSC



2.3.4 Ensure drop zone is clear


2.3.6 Fasten seat belt

2.3.7 Ensure everyone is secure

2.3.8 Start air support system




2.3.12 Launch TEMPSC



47

2.4 Evacuate by life raft

2.4.1 Move to life raft muster station

2.4.2 Ensure sea-worthiness of life raft

2.4.3 Secure painter to a strong point

2.4.4 Check for life raft instructions and number of personnel accommodated

2.4.5 Launch life raft

2.4.6 Board life raft

2.4.7 Cut painter

2.4.8 Paddle clear of danger

2.4.9 Stream anchor

2.4.10 Maintain sea-worthiness of life raft 2.4.11 Look for TEMPSC, fast rescue craft (FRC), other life raft or overboard survivors

2.4.12 Attach painter to other life raft or tow craft

2.5 Escape directly to sea

2.5.1 Ensure survival suit properly sealed, lifejacket fastened

2.5.2 Move to lowest nearby platform

2.5.3 Assess direction of waves, danger and airborne contaminants

2.5.4 Jump away from platform, feet first, avoiding platform legs

2.5.5 Swim along side of platform

2.5.6 Look for other overboard survivors and rescue opportunities Figure 4.1: HTA of evacuation tasks.

The HEPs for the escape phase were evaluated using the success likelihood index

methodology (SLIM). The HEPs for the evacuation phase were evaluated using the

human error assessment and reduction technique (HEART; Williams, 1988). HEART is

described in detail in Chapter 2. It was determined that the evacuation sub-phase

‘evacuate via bridge link’ is similar in analysis to the escape phase, in particular the

‘egress’ sub-phase. As a result, the bridge link evacuation sub-phase is considered

evaluated in Chapter 3 with the ‘egress’ escape sub-phase.

HEART was chosen for expert judgment due to its current use in the UK, positive

results in validation exercises (Kirwan et al., 1996), and its efficiency of resources (one

expert judge required). A secondary result of the current work is an analysis of the

feasibility of using HEART as part of a comprehensive risk assessment and reduction

technique. Table 4.1 shows a comparison between HEART and SLIM.

48

Table 4.1: Comparison of HEART and SLIM.

SLIM HEART

Resource-intensive (multiple assessors required)

Calibrated

Assessor data combines for robust results

Statistical analysis avoids pessimism, less conservative

Resource-efficient (one assessor required)

No calibration

Different assessors can have different results

Pessimistic (yields high HEP easily)

The research team developed a survey from HEART to solicit experts in the area

of offshore evacuation. Solicited assessors included offshore evacuation training

personnel and experts in the field of offshore safety. The survey is divided into two parts,

a GEP (generic error probability) survey and an EPC (error-producing condition) survey.

The GEP solicitation survey gives assessors a list of the HEART qualitative GEP

descriptions. The associated nominal probabilities of error were not included.

Quantitative values were omitted to reduce the assessor bias of choosing GEPs and EPCs

to arrive within a pre-determined range of values. Sample tasks for each qualitative GEP

description were included as a guide for assessors. One aspect of HEART is that a given

task may satisfy multiple GEP categories. The methodology accounts for this property.

Individuals choose the lowest GEP category applicable to the task being evaluated. For

ease of use purposes, GEPs were ranked from 1-8, 1 being GEP category H and 8 being

GEP category A, to minimize confusion for assessors. The following instructions were

given to assessors:

Choose evacuation task.

Begin with GEP 1, comparing task to GEP description.

As soon as a task satisfies a GEP description, stop.

49

The surveys used, with full instructions are given in Appendix B. Table 4.2 shows the

list of GEPs considered.

Table 4.2: GEP descriptions and associated values.

GEP Description GEP Value (Range)

A Totally unfamiliar, at speed, no idea of consequences 0.55

(0.35-0.97)

B Shift/restore system to new/original state, single attempt, no supervision/procedures

0.26 (0.14-0.42)

C Complex task requiring high level of comprehension and skill

0.16 (0.12-0.28)

D Fairly simple task performed rapidly or given little attention

0.09 (0.06-0.13)

E Routine, highly-practiced, rapid task requiring little skill

0.02 (0.007-0.045)

F Restore/shift system to new/original state, following procedures, with checking

0.003 (0.0008-0.007)

G

Familiar, well-designed routine task performed several times per hour, performed to highest possible standards by highly motivated, trained and experienced person totally aware of consequences of failure, with time to correct potential error but with no significant job aids

0.0004 (0.00008-0.009)

H Respond correctly to system command with automated/augmented supervisory system providing accurate interpretation of system stage

0.00002 (0-0.0009)

Each GEP has a nominal value with an acceptable range of values in parentheses.

For all purposes of the current work, the nominal values were used. The second part of

50

the survey is the EPC and APOA (assessed proportion of affect) evaluation. The

assessors were given 17 qualitative descriptions of EPCs and asked to choose 0-3 EPCs

for each task. The limit of three EPCs is both an effort to reduce HEART’s pessimistic

tendency (Kirwan et al., 1996) and as part of the principle that multiple EPCs do not

often combine to increase risk (Williams, 1988). The EPCs considered are shown in

Table 4.3.

Table 4.3: EPC descriptions and associated values.

EPC Description Maximum

Effect Multiplier

1 Unfamiliarity with a situation which is potentially important, but occurs infrequently, or which is novel

17

2 Shortage of time available for error detection and correction 11

3 Low signal-to-noise ratio 10

4 Means of supressing/overriding information/features that is too easily accessible

9

5 No means of conveying spatial and functional information to operators in a form that they can readily assimilate

8

6 Mismatch between operator's model of the world and that of the designer

8

7 No obvious means of reversing an unintented action 8

8 A channel-capacity overload, particularly one that is caused by simultaneous presentation of non-redundant information

6

9 A need to unlearn a technique and apply one that uses an opposing philosophy

6

10 A need to transfer specific knowledge from task to task without loss

5.5

11 Ambiguity in the required performance standards 5

12 A mismatch between perceived and real risk 4

13 Poor, ambiguous or mismatched system feedback 4

14 No clear, direct and timely confirmation of an intended action from the portion of the system over which control is to be exerted

4

15 Operator inexperience 3

16 An impoverished quality of information conveyed by procedures and person-person interaction

3

17 Little or no independent checking/testing of output 3

51

The maximum effect multiplier of each EPC is associated with an APOA of 1.

The APOA is chosen to determine the fraction of the maximum effect multiplier that is

multiplied with the GEP. Three evacuation scenarios of increasing severity were

identified for the assessors. The scenarios are shown in Table 4.4.

Table 4.4: Evacuation scenarios.

Abandonment Scenario


Situation A jack-up rig collides with a fixed installation during approach; significant damage to platform leg.

A hydrocarbon gas release

A fire and explosion

Operator in question

15 years experience 7 years experience 6 months experience

Weather Good weather, calm seas

Cold, wet weather Winter storm

Time of day Daylight hours Daylight hours Night-time hours

The assessors used the scenario descriptions to evaluate the APOA of each EPC

separately for each evacuation scenario. For a given task, the EPC/APOA evaluation is

conducted as follows:

Choose evacuation task.

Choose 0-3 EPCs.

Evaluate each EPC based on the three evacuation scenarios.

EPCs are determined by the task itself. Regardless of the scenario, EPCs are chosen for

their potential to affect a task. APOAs are determined by the situation. APOAs are the

magnitude of the effect of EPCs. As the severity of a situation increases, it can be

expected that the magnitude of the EPCs, the APOAs, also increases.

52

The completed surveys were analyzed quantitatively. The associated values for

each GEP and EPC chosen were used to evaluate the HEP for each evacuation task. Each

completed survey resulted in an independent set of HEP data.

Several experts were solicited and two complete surveys were obtained for

analysis. As there were not a sufficient number of completed surveys, a statistical

analysis of HEP results was not performed in the current work. However, a full HRA

analysis was performed for each survey result. The two survey results were compared in

the current work to obtain a picture of the importance of consistency in the HEART

technique. The risk reduction stage of the HRA analysis is shown in Chapter 6. A

discussion of the importance of calibration and consistency is also given in Chapter 6.

Table 4.5 shows survey responses of the two assessors. The GEPs were chosen

from Table 4.2 and the EPCs were chosen from Table 4.3. Assessors were allowed to

choose between 0 and 3 EPCs. A < - >‘ indicates that no EPC was chosen. While SLIM

is a more robust and statistically involved technique, the low resources required for

HEART make it a potentially useful technique in risk assessment. It has also received

support from validation exercises (Kirwan, 1996; Kirwan et al., 1996; Kirwan, 1997a;

Kirwan, 1997b).

HEPs for each task were determined by first combining the survey results in

Table 4.5 with Equation (2.5) and Table 4.3, and then by multiplying the EPC multiplier

by the associated nominal GEP value (Table 4.2) from the survey results. As an example,

for task 1.1, participant 1 chose GEP E (0.02), EPC 2 (11) and EPC 3 (10). For all three

evacuation scenarios the assessor chose an APOA of 0.5 for EPC 2 and 0.3 for EPC 3.

From equation 2.5, the EPC multiplier for EPC 2 is 6 and EPC 3 is 3.7. The GEP is

multiplied by the EPC multipliers to obtain the HEP. Therefore, the HEP for task 1.1 is

0.02 * 6 * 3.7 = 0.444. Table 4.6 shows the HEPs evaluated from the surveys.

53

Table 4.5: Assessor GEP and EPC choices.

Muster Step Survey 1 Survey 2

GEP EPC 1 EPC 2 EPC 3 GEP EPC 1 EPC 2 EPC 3 1.1 Check wind speed, direction and sea state

E 2 3 - E 15 17 -


C 16 15 11 D 1 10 11

1.3 Issue sea sickness tablets

E 12 2 - H - - -

2.2.1 Move to helideck E 12 6 16 H - - - 2.2.2 Establish communication with pilot

E 2 3 - F 1 - -


C 16 1 12 G - - -

2.2.4 Board helicopter E - - - H - - - 2.2.5 Don flight suit, aviation life jacket and secure seatbelt

E 12 16 2 F - - -

2.3.1 Ensure-sea worthiness of TEMPSC

C 6 15 11 F - - -


E 2 3 - D 11 - -


C 13 15 2 E - - -


E 1 2 - G - - -


C 16 2 15 G - - -

2.3.6 Fasten seat belt E 2 12 - G - - - 2.3.7 Ensure everyone is secure

C 2 12 - F - - -

2.3.8. Start air support system

D 15 16 2 E - - -


E 11 12 2 G - - -


E 12 2 3 E - - -


E 12 15 - A 1 8 12

2.3.12 Launch TEMPSC C - - - B 1 8 12 2.3.13 Engage forward gear and full throttle

C 15 - - E - - -


D 15 - - B 15 - -

2.4.1 Move to life raft muster station

E 12 1 - G - - -


C 15 2 - H - - -

2.4.3 Secure painter to strong point

E 2 12 - G - - -

2.4.4 Check for life raft instructions and number of personnel accommodated

E 2 16 - E - - -

2.4.5 Launch life raft E - - - G - - -

54

Muster Step Survey 1 Survey 2

GEP EPC 1 EPC 2 EPC 3 GEP EPC 1 EPC 2 EPC 3 2.4.6 Board life raft E - - - B 15 - - 2.4.7 Cut painter E 2 15 - G - - - 2.4.8 Paddle clear of danger

A - - - A - - -

2.4.9 Stream anchor E 2 12 16 H - - - 2.4.10 Maintain sea-worthiness of life raft

C 15 - - E - - -

2.4.11 Look for TEMPSC, FRC, other life raft or overboard survivors

E 2 11 16 G - - -


D 15 - - E - - -

2.5.1 Ensure survival suit properly sealed, lifejacket fastened

E 12 2 - F - - -


D 15 2 - E - - -

2.5.3 Assess direction of waves, danger and airborne contaminants

C 15 2 - F - - -


E 15 - - D - - -


A 15 - - B - - -

2.5.6 Look for other overboard survivors and rescue opportunities

E 15 2 - B - - -

There were fewer EPCs chosen in survey 2 than in survey 1. It is important to

note that different GEP/EPC/APOA combinations can lead to similar HEPs (Kirwan et

al., 1996), such as those for tasks 2.3.14 and 2.5.4. In task 2.5.4, for example, one

assessor chose GEP D and no EPCs, while the other chose GEP E with EPC 15. The

resultant HEPs differ by a factor of 2, which is negligible when considering such small

numbers. However, resultant HEPs differ greatly between surveys for other tasks, such

as task 2.5.3. Indeed one assessor’s results suggest that the probability of error is certain

while the other assessor’s results suggest that it is very unlikely. The consequences of the

discrepancy between survey results are discussed in Section 4.3 and Chapter 6.

55

Table 4.6: Assessor HEP results.

Evacuation Step Collision HEP GR HEP F&E HEP S1* S2* S1 S2 S1 S2

1.1 Check wind speed, direction and sea state 0.444 0.039 0.444 0.039 0.444 0.180 1.2 Instruct personnel and maintain control 1.000 1.000 1.000 1.000 1.000 1.000 1.3 Issue sea sickness tablets 0.280 0.000 0.280 0.000 0.280 0.000 2.2.1 Move to helideck 0.234 0.000 0.450 0.000 0.450 0.000 2.2.2 Establish communication with pilot 0.392 0.013 0.770 0.027 1.000 0.051 2.2.3 Instruct personnel on boarding procedure 1.000 0.000 1.000 0.000 1.000 0.000 2.2.4 Board helicopter 0.020 0.000 0.020 0.000 0.020 0.000 2.2.5 Don flight suit, aviation life jacket and secure seatbelt

0.784 0.003 0.784 0.003 0.784 0.003

2.3.1 Ensure sea-worthiness of TEMPSC 1.000 0.003 1.000 0.003 1.000 0.003 2.3.2 Check compass heading/direction to steer craft 0.168 0.270 0.276 0.342 0.438 0.450 2.3.3 Turn helm fully to clear installation on launch 1.000 0.020 1.000 0.020 1.000 0.020 2.3.4 Ensure drop zone is clear 1.000 0.000 1.000 0.000 1.000 0.000 2.3.5 Instruct personnel on boarding procedure 1.000 0.000 1.000 0.000 1.000 0.000 2.3.6 Fasten seat belt 0.168 0.000 0.168 0.000 0.168 0.000 2.3.7 Ensure everyone is secure 1.000 0.003 1.000 0.003 1.000 0.003 2.3.8. Start air support system 1.000 0.020 1.000 0.020 1.000 0.020 2.3.9 Close and secure all hatches 0.510 0.000 0.510 0.000 0.510 0.000 2.3.10 Call command centre/launch master/other lifeboats to confirm launch sequence

0.868 0.020 1.000 0.020 1.000 0.020

2.3.11 Release falls/confirm auto-release 0.112 1.000 0.112 1.000 0.112 1.000 2.3.12 Launch TEMPSC 0.160 1.000 0.160 1.000 0.160 1.000 2.3.13 Engage forward gear and full throttle 0.320 0.020 0.320 0.020 0.320 0.020 2.3.14 Steer TEMPSC at vector from platform to rescue area

0.180 0.260 0.180 0.260 0.180 0.780

2.4.1 Move to life raft muster station 0.504 0.000 0.504 0.000 0.504 0.000 2.4.2 Ensure sea-worthiness of life raft 1.000 0.000 1.000 0.000 1.000 0.000 2.4.3 Secure painter to strong point 0.448 0.000 0.448 0.000 0.448 0.000 2.4.4 Check for life raft instructions and number of personnel accommodated

0.308 0.020 0.308 0.020 0.308 0.020

2.4.5 Launch life raft 0.020 0.000 0.020 0.000 0.020 0.000 2.4.6 Board life raft 0.020 0.520 0.020 0.520 0.020 0.520 2.4.7 Cut painter 0.336 0.000 0.336 0.000 0.336 0.000 2.4.8 Paddle clear of danger 0.550 0.550 0.550 0.550 0.550 0.550 2.4.9 Stream anchor 0.700 0.000 0.700 0.000 0.700 0.000 2.4.10 Maintain sea-worthiness of life raft 0.352 0.020 0.352 0.020 0.352 0.020 2.4.11 Look for TEMPSC, FRC, other life raft or overboard survivors

1.000 0.000 1.000 0.000 1.000 0.000

2.4.12 Attach painter to other life raft or tow craft 0.198 0.020 0.198 0.020 0.198 0.020 2.5.1 Ensure survival suit properly sealed, lifejacket fastened

0.280 0.003 0.280 0.003 0.280 0.003

2.5.2 Move to lowest nearby platform 1.000 0.020 1.000 0.020 1.000 0.020 2.5.3 Assess direction of waves, danger and airborne contaminants

1.000 0.003 1.000 0.003 1.000 0.003


0.052 0.090 0.052 0.090 0.052 0.090

2.5.5 Swim along side of platform 1.000 0.260 1.000 0.260 1.000 0.260 2.5.6 Look for other overboard survivors and rescue opportunities

0.560 0.260 0.560 0.260 0.560 0.260

*S1 – Survey results from participant 1 *S2 – Survey results from participant 2

56

4.2 Consequence Analysis

Consequence analysis for the evacuation phase of the EER process was performed

in a similar manner to the escape phase. A consequence table and procedural HAZOP are

now presented.

4.2.1 Consequence Table

Consequence severities were determined using major incident investigations in

the offshore oil and gas processing industry. Many incidents investigations that provided

data for the escape phase also provide data for the evacuation phase. There is only one

consequence category in the evacuation phase: the effect of human error on the health of

the individual or group of individuals involved in the task. Table 4.7 shows the

consequence severity levels for the evacuation phase and Table 4.8 shows the

consequence severities for each of the identified evacuation tasks.

Table 4.7: Consequence severity descriptions.

Severity Description 1 Zero Injury 2 Likely to result in Minor Injury

3 Likely to result in Major Injury


One important difference to note between the escape phase consequence severities

and the evacuation phase consequence severities is that the EER initiator has minimal

effect on the consequences for the evacuation phase. The opposite is true for the escape

phase. In the escape phase, operators must move away from the EER-initiating event to a

place of safety. Movement and other muster actions are affected by the EER initiator due

to its proximity. For the evacuation phase, distance has been achieved from the EER

initiator and a place of temporary safety is located. Any additional risk to evacuation

from the EER initiator may come in the form of smoke and debris from the installation.

57

Table 4.8: Consequence severities.

Evacuation Step Severity Reference

1.1 Check wind speed, direction and sea state 2 Kennedy, 1993 (Appendix B)

1.2 Instruct personnel and maintain control 4 Kennedy, 1993

(Appendix B); Vinnem, 2007 (p94)

1.3 Issue sea sickness tablets 2

Kennedy, 1993 (Appendix B);

Robertson & Wright, 1997 (p14)

2.2.1 Move to helideck 2 Kennedy, 1993 (Appendix B)

2.2.2 Establish communication with pilot 2 Kennedy, 1993 (Appendix B)

2.2.3 Instruct personnel on boarding procedure 2 Kennedy, 1993 (Appendix B)

2.2.4 Board helicopter 2 Kennedy, 1993 (Appendix B)

2.2.5 Don flight suit, aviation life jacket and secure seatbelt 1 Kennedy, 1993 (Appendix B)

2.3.1 Ensure sea-worthiness of TEMPSC 4 Kennedy, 1993 (p30)

2.3.2 Check compass heading/direction to steer craft 2



2.3.3 Turn helm fully to clear installation on launch 2 Kennedy, 1993 (Appendix B)

2.3.4 Ensure drop zone is clear 4 Kennedy, 1993 (Appendix B)

2.3.5 Instruct personnel on boarding procedure 2 Kennedy, 1993 (Appendix B)

2.3.6 Fasten seat belt 2 Kennedy, 1993 (Appendix B)

2.3.7 Ensure everyone is secure 2 Kennedy, 1993 (Appendix B)

2.3.8. Start air support system 3



2.3.9 Close and secure all hatches 4

Kennedy, 1993 (Appendix B); US Coast Guard, 1983

(p124) 2.3.10 Call command centre/launch master/other lifeboats to confirm launch sequence

4 U.S. Coast Guard, 1983

(p133)

2.3.11 Release falls/confirm auto-release 4

Kennedy, 1993 (Appendix B); Vinnem,

2007 (p83); Moan et. al, 1981 (p162)

2.3.12 Launch TEMPSC 4 US Coast Guard, 1983

(p124)

2.3.13 Engage forward gear and full throttle 4 Kennedy, 1993

(Appendix B); Moan et. al, 1981 (p162)

2.3.14 Steer TEMPSC at vector from platform to rescue area 4 Kennedy, 1993


2.4.1 Move to life raft muster station 2 Kennedy, 1993 (Appendix B)

58

Evacuation Step Severity Reference 2.4.2 Ensure sea-worthiness of life raft 4 Kennedy, 1993 (p30)

2.4.3 Secure painter to strong point 4

Kennedy, 1993 (Appendix B); U.S. Coast Guard, 1983

(p67) 2.4.4 Check for life raft instructions and number of personnel accommodated

2 Kennedy, 1993 (Appendix B)

2.4.5 Launch life raft 4 US Coast Guard, 1983

(p149)

2.4.6 Board life raft 4 Kennedy, 1993 (Appendix B)

2.4.7 Cut painter 4 Kennedy, 1993


2.4.8 Paddle clear of danger 4 U.S. Coast Guard, 1983

(p134); Moan et. al, 1981 (p162)

2.4.9 Stream anchor 4 Kennedy, 1993 (Appendix B)

2.4.10 Maintain sea-worthiness of life raft 4

Kennedy, 1993 (Appendix B); U.S. Coast Guard, 1983

(pp62-63)

2.4.11 Look for TEMPSC, FRC, other life raft or overboard survivors 4 U.S. Coast Guard, 1983

(p67)

2.4.12 Attach painter to other life raft or tow craft 4 U.S. Coast Guard, 1983

(pp62,63,67)

2.5.1 Ensure survival suit properly sealed, lifejacket fastened 2 Robertson & Wright,

1997 (p18)

2.5.2 Move to lowest nearby platform 4 Vinnem, 2007 (p83);

Moan et. al, 1981 (p143)

2.5.3 Assess direction of waves, danger and airborne contaminants 2 Robertson & Wright,

1997 (p18)

2.5.4 Jump away from platform, feet first, avoiding platform legs 3 Robertson & Wright,

1997 (p18)

2.5.5 Swim along side of platform 4 U.S. Coast Guard, 1983

(p134); Moan et. al, 1981 (p162)

2.5.6 Look for other overboard survivors and rescue opportunities 4 Vinnem, 2007 (p84)

The most relevant factors in performing an evacuation are weather and sea conditions.

Indeed, most tasks in the evacuation phase are completed at the edge of an installation,

within a vessel, or while in the sea. Sea conditions have a major effect on water-based

evacuation modes. An individual who evacuates directly to the sea is at the mercy of

wave movements and water temperature. A life raft with paddles is also heavily

influenced by the motions of the sea. Motor-propelled life boats can move through the

sea, but experience great difficulty in doing so under harsh sea conditions. All three

modes may be vulnerable to being washed up against or under the installation and

receiving severe damage. Weather conditions and smoke from an installation have a

59

major effect on the ability to perform a helicopter evacuation. A helicopter evacuation,

more ideal than evacuation by sea, can only be performed if a helicopter can safely arrive

at and depart from the installation helipad.

4.2.2 Procedural HAZOP

The procedural HAZOP for the current work is an adaptation of a work developed

by Kennedy (1993). Samples from the procedural HAZOP are shown in Tables 4.9 and

4.10. The full procedural HAZOP of the evacuation phase is found in Appendix C.

Table 4.9: Procedural HAZOP for evacuation task 2.3.4, 'ensure drop zone is clear'.

Failure Mode

Description Consequences Prevention Barriers Mitigation Barriers

Check omitted

Coxswain omits or forgets to check for debris in the water

Delayed evacuation


Injury/death

Active Engineered


Procedural



Passive Engineered


Check mistimed

Coxswain makes check too early or too late, leaving time for debris to float over or forcing the boat to be committed to the launch

60

Table 4.8: Procedural HAZOP for evacuation task 2.3.14, 'steer TEMPSC at vector from platform to rescue area'. Failure Mode


Action in wrong direction

TEMPSC steered in wrong direction /under platform

Damage to TEMPSC

Injury/Death Delay in

rescue

Active Engineered

Reliable compass, GPS with luminous display for night navigation

Procedural

Instructions at helm of course to be steered and distance to rescue area

Training/drills during day and night to give coxswain experience of actions required

Active Engineered

Independently powered GPS locator on each TEMPSC

Action too little

Not enough distance from platform achieved

Exposure to debris from installation

Damage to TEMPSC

Injury Action too much

Too much distance achieved, away from rescue area

Delay in rescue

4.3 Risk Estimation

The risk matrix in Figure 3.1 is used for the evacuation phase. HEPs determined

from the expert judgment surveys were combined with the data from the consequence

table to determine the tolerability of the risk according to Figure 3.1. Table 4.11 shows

the risk level for each evacuation task. A comparison of the tolerability of risk for each

HEP data set is shown. Tasks in the intolerable region of the risk matrix are further

explored for risk reduction in Chapter 6.

Risk levels are highest for water evacuation modes. The results from both

assessors suggest that the risk of human error during helicopter evacuation is at a

tolerable level. It is important to note that the risk analysis results from both assessors

error evaluations generally agree when the risk of a task is considered intolerable.

61

Table 4.9: Risk level for evacuation tasks.

Evacuation Step Survey 1 Survey 2 1.1 Check wind speed, direction and sea state ALARP ALARP 1.2 Instruct personnel and maintain control Intolerable Intolerable 1.3 Issue sea sickness tablets ALARP Broadly Acceptable 2.2.1 Move to helideck ALARP Broadly Acceptable 2.2.2 Establish communication with pilot ALARP Broadly Acceptable 2.2.3 Instruct personnel on boarding procedure ALARP Broadly Acceptable 2.2.4 Board helicopter Broadly Acceptable Broadly Acceptable 2.2.5 Don flight suit, aviation life jacket and secure seatbelt Broadly Acceptable Broadly Acceptable 2.3.1 Ensure sea-worthiness of TEMPSC Intolerable Intolerable/ALARP 2.3.2 Check compass heading/direction to steer craft ALARP ALARP 2.3.3 Turn helm fully to clear installation on launch ALARP Broadly Acceptable 2.3.4 Ensure drop zone is clear Intolerable Intolerable/ALARP 2.3.5 Instruct personnel on boarding procedure ALARP Broadly Acceptable 2.3.6 Fasten seat belt Broadly Acceptable Broadly Acceptable 2.3.7 Ensure everyone is secure ALARP Broadly Acceptable 2.3.8. Start air support system Intolerable ALARP 2.3.9 Close and secure all hatches Intolerable Intolerable/ALARP 2.3.10 Call command centre/launch master/other lifeboats to confirm launch sequence

Intolerable Intolerable

2.3.11 Release falls/confirm auto-release Intolerable Intolerable 2.3.12 Launch TEMPSC Intolerable Intolerable 2.3.13 Engage forward gear and full throttle Intolerable Intolerable 2.3.14 Steer TEMPSC at vector from platform to rescue area Intolerable Intolerable 2.4.1 Move to life raft muster station ALARP Broadly Acceptable 2.4.2 Ensure sea-worthiness of life raft Intolerable Intolerable/ALARP 2.4.3 Secure painter to strong point Intolerable Intolerable/ALARP 2.4.4 Check for life raft instructions and number of personnel accommodated

ALARP Broadly Acceptable

2.4.5 Launch life raft Intolerable Intolerable/ALARP 2.4.6 Board life raft Intolerable Intolerable 2.4.7 Cut painter Intolerable Intolerable/ALARP 2.4.8 Paddle clear of danger Intolerable Intolerable 2.4.9 Stream anchor Intolerable Intolerable/ALARP 2.4.10 Maintain sea-worthiness of life raft Intolerable Intolerable 2.4.11 Look for TEMPSC, FRC, other life raft or overboard survivors

Intolerable Intolerable/ALARP

2.4.12 Attach painter to other life raft or tow craft Intolerable Intolerable 2.5.1 Ensure survival suit properly sealed, lifejacket fastened ALARP Broadly Acceptable 2.5.2 Move to lowest nearby platform Intolerable Intolerable 2.5.3 Assess direction of waves, danger and airborne contaminants

ALARP Broadly Acceptable


ALARP ALARP

2.5.5 Swim along side of platform Intolerable Intolerable 2.5.6 Look for other overboard survivors and rescue opportunities

Intolerable Intolerable

However, the consistency may be more attributable to the evaluated consequence

severities. Indeed if a task has a consequence severity of 4 and a HEP of at least 10-3, it is

considered intolerable. HEP results from survey 2 are below 10-3 for some tasks, and

62

thus fall below the bounds of the risk graph. The smaller the HEP numbers become, the

more difficult it can be to achieve an accurate estimate of risk for decision-making.

Therefore, it is assumed that a task with a consequence severity of 4 and a HEP of less

than 10-3 may alternatively be considered ALARP. Risks that fall below the bounds of

the risk matrix are denoted by the ‘intolerable/ALARP’ combined category in Table 4.11.

The next step is to evaluate potential safety measures identified in the procedural

HAZOP in a risk reduction mechanism. Chapter 6 describes the risk reduction

mechanism and the results of the current work. Chapter 6 also further discusses the

impact of differing HEP data sets on risk analysis.

63

Chapter 5 RESCUE RISK ASSESSMENT

The tasks of the rescue phase of the EER process are outlined in this Chapter.

The rescue phase was outlined by Kennedy (1993) using HTA and was adapted for the

current work. At the beginning of the rescue phase, an on-scene commander (OSC) is

designated to organize and co-ordinate search and rescue (SAR) efforts. In locating and

rescuing survivors, multiple methods are used. Helicopters can be used to retrieve

personnel from the sea, water craft or the helipad of the installation being evacuated.

Alternatively, a fast-rescue (FRC) craft can be deployed from a nearby stand-by vessel

(SBV) to retrieve personnel from the sea or water craft. In either case, retrieved

individuals are returned to the SBV, nearby installations or other rescue vessels. These

areas are called ‘safe havens’. It is at safe havens where injured individuals receive

medical treatment. Figure 5.1 shows the rescue phase tasks.

3.0 Initiate search and rescue (SAR)

3.1 Appoint on-scene commander (OSC)

3.2 Monitor and coordinate SAR

3.3 Locate and rescue survivors

3.3.1 Rescue by helicopter

3.3.1 Rescue by stand-by vessel (SBV)

3.3.2 Give medical attention Figure 5.1: HTA of rescue phase tasks (adapted from Kennedy, 1993).

The rescue phase tasks are not discussed further in the current work. It is

recommended that future research explore the risk of human error during the rescue

phase of the EER process.

64

Chapter 6 RISK REDUCTION

Any risks that fall in to the ‘intolerable’ region of the risk matrix (see Figure 3.1)

must be either reduced or the task itself should be discontinued. Risk reduction in the

current methodology is undertaken with the accidental risk assessment methodology for

industries (ARAMIS). Within ARAMIS there exist both risk assessment and risk

reduction mechanisms. The risk reduction mechanism includes an evaluation of potential

barriers to critical events as well as an evaluation of the safety culture of the organization

and safety management system planned for/implemented at the facility.

Tasks that fall in the ‘intolerable’ region of the risk matrix are evaluated for the

required level of confidence (LC) of safety barriers to adequately reduce the risk. The

required LC of safety barriers is determined by combining the HEP, consequence

severity, overall frequency of exposure to the risk and potential for individuals to correct

an error or avoid injury or damage to equipment in a risk graph. Potential safety barriers,

identified from the procedural HAZOP, are evaluated for their LC according to ARAMIS

(Anderson et al., 2004). The total LC of risk reduction measures for any given task is the

sum of the LCs of all applicable safety barriers. The required LC is then compared with

the LCs of any safety barriers applicable to the task in question. Safety barriers, their

associated LCs, the HEP and consequence severity of each task are combined in a bow-

tie graph to obtain an overall picture of the risk reduction effectiveness.

6.1 Risk Graph

Table 3.9 shows the results of the risk evaluation for the escape phase. Table 4.11

shows the results of the risk evaluation for the evacuation phase. For risk reduction, only

those tasks considered in the ‘intolerable’ region of the risk matrix are considered. The

risk graph, shown in Figure 2.2, is used to determine the total required level of

confidence of the safety barriers for each task. The consequence severity and HEP for

each task of the escape and evacuation phases are shown in Chapters 3 and 4,

respectively for the evacuation phase. The potential to avoid damage and the overall time

of exposure to the risk of each critical event are discussed in the current chapter. Each

65

critical event (failure to complete an EER task) is limited to the time when the EER

process is underway. Through examination of incident reports, the overall exposure to

each critical event was determined to occur less than 10% of the total operating time,

coinciding with a frequency exposure level F1. The potential to avoid damage is

analyzed for each task separately, as the nature of the task and the surrounding

environment must be taken into account.

Table 6.1 shows the required LCs of a fire and explosion scenario, described by

DiMattia (2004) for the escape phase. The required LCs for the escape phase were

determined by Deacon et al. (2010). Note that only tasks that fall in the ‘intolerable’

region of the risk matrix are shown. Those tasks that have an LC category of ‘a’ or < - >

according to the risk graph are not shown, as there is no defined requirement for safety

barriers for such tasks.

Tables 6.2 and 6.3 show the required LCs of a fire and explosion scenario for the

evacuation phase using the data from surveys 1 and 2, respectively. The required LC is

shown for each HEP data set in order to analyze any contrast between the two. Note that

only tasks that fall in the ‘intolerable’ region of the risk matrix are shown, and that the

consequence severity, frequency of exposure and potential to avoid damage categories

remain unchanged between Tables 6.2 and 6.3.

An example of the process using evacuation tasks 2.4.10 and 2.4.12 is as follows. Each

task has an evaluated consequence severity of 4, or ‘error likely to result in fatality’. As

mentioned, the frequency of exposure to the risk occurs less than 10% of the operating

time, a value of F1. For task 2.4.10, ‘maintain sea-worthiness of life raft’, failure to

complete the task will result in the raft sinking or capsizing, causing personnel to enter

the water and possibly become entangled with the life raft. There is little possibility to

avoid negative consequences should an error occur for this task. Therefore, the potential

to avoid damage is considered level D2. Should an error occur while attempting to attach

the painter to another craft, rescue is delayed but personnel remain in the life raft and can

66

Table 6.1: Required LCs for escape phase tasks for fire and explosion scenario.

Escape Task Consequence Exposure frequency

Possibility to avoid Damage

HEP LC

3. Act accordingly 4 1 1 0.448 2 4. Ascertain if danger is imminent

4 1 2 0.465 3


4 1 2 0.416 3


4 1 2 0.474 3


3 1 1 0.489 1


4 1 1 0.42 2


4 1 2 0.476 3

10. Move along egress route

4 1 2 0.405 3


4 1 2 0.439 3


4 1 2 0.5 3


4 1 2 0.358 3


4 1 1 0.289 2


4 1 2 0.199 2

18. Follow OIM's instructions

4 1 1 0.21 1

67

Table 6.2: LC requirements for evacuation tasks for fire and explosion scenario according to survey 1 HEP data set.

Evacuation Task Consequence Exposure frequency

Potential to avoid damage

HEP LC


4 1 1 1.000 2


4 1 1 1.000 2


2 1 2 1.000 1

2.3.4 Ensure drop zone is clear 4 1 2 1.000 3 2.3.8. Start air support system 3 1 1 1.000 1 2.3.9 Close and secure all hatches

4 1 1 0.510 2


4 1 1 1.000 2


4 1 2 0.112 3

2.3.12 Launch TEMPSC 4 1 2 0.160 3 2.3.13 Engage forward gear and full throttle

4 1 2 0.320 3


4 1 2 0.180 3


4 1 1 1.000 2


4 1 2 0.448 3

2.4.5 Launch life raft 4 1 2 0.020 2 2.4.6 Board life raft 4 1 2 0.020 2 2.4.7 Cut painter 4 1 2 0.336 3 2.4.8 Paddle clear of danger 4 1 2 0.550 3 2.4.9 Stream anchor 4 1 2 0.700 3 2.4.10 Maintain sea-worthiness of life raft

4 1 2 0.352 3


4 1 1 1.000 2


4 1 1 0.198 2


4 1 1 1.000 2


3 1 2 0.052 1


4 1 2 1.000 3


4 1 1 0.560 2

68

Table 6.3: LC requirements for evacuation tasks for fire and explosion scenario according to survey 2 HEP data set.

Evacuation Task Consequence Exposure frequency

Potential to avoid damage

HEP LC


4 1 1 1.000 2


4 1 1 0.020 1


4 1 2 1.000 3

2.3.12 Launch TEMPSC 4 1 2 1.000 3 2.3.13 Engage forward gear and full throttle

4 1 2 0.020 2


4 1 2 0.780 3

2.4.6 Board life raft 4 1 2 0.520 3 2.4.8 Paddle clear of danger 4 1 2 0.550 3 2.4.10 Maintain sea worthiness of life raft

4 1 2 0.020 2


4 1 1 0.020 1


4 1 1 0.020 1


3 1 2 0.090 1


4 1 2 0.260 3


4 1 1 0.260 2

attempt task 2.4.12 again. Time consumed adds to the danger of the situation, but

personnel have not aggravated their situation. Therefore the potential to avoid damage

for task 2.4.12 is considered level D1. Combining these data in the risk graph with the

HEP from the survey 2 data set for each task (0.020 for both) yields a required LC of 2

for task 2.4.10 and a required LC of 1 for task 2.4.12.

Required LCs range from 1 – 3 for the ‘intolerable’ risk tasks evaluated in the

escape and evacuation phases. It is important to note that the discrepancy between

survey results has a significant effect on the required LC for several tasks. Indeed, some

tasks, such as evacuation task 2.3.1, have a numerical value for an LC requirement when

69

evaluated using the HEP data set from survey 1, while they do not have specific

requirements when evaluated using the HEP data set from survey 2. Table 6.4 shows a

comparison of the two results. An ‘a’ indicates that there is no LC requirement for safety

barriers, a < - > indicates that no safety barrier is required.

Table 6.4: Comparison of required LCs between HEP data sets.

Evacuation Task Survey 1 Survey 2 1.2 Instruct personnel and maintain control

2 3


2 a


1 a

2.3.4 Ensure drop zone is clear 3 a 2.3.8. Start air support system 1 a 2.3.9 Close and secure all hatches 2 - 2.3.10 Call command centre/launch master/other lifeboats to confirm launch sequence

2 1


3 3

2.3.12 Launch TEMPSC 3 3 2.3.13 Engage forward gear and full throttle

3 2


3 3


2 -

2.4.3 Secure painter to strong point 3 a 2.4.5 Launch life raft 2 a 2.4.6 Board life raft 2 3 2.4.7 Cut painter 3 a 2.4.8 Paddle clear of danger 3 3 2.4.9 Stream anchor 3 a 2.4.10 Maintain sea-worthiness of life raft

3 2


2 -


2 1

2.5.2 Move to lowest nearby platform 2 1 2.5.4 Jump away from platform, feet first, avoiding platform legs

1 1

2.5.5 Swim along side of platform 3 3 2.5.6 Look for other overboard survivors and rescue opportunities

2 2

70

Table 6.4 reveals a discrepancy in LC requirements for several evacuation phase

tasks. The discrepancy between HEP data sets was not as evident from the risk matrix

results in Table 4.11. The risk graph results reveal the importance of consistency in

determining HEPs. The results of the risk matrix for each survey agreed with relative

consistency. This can be attributed to the combination of single and multiple fatality

categories of the ISO 17776 risk matrix and considering a single fatality to be intolerable

for both categories. Many of the tasks that are in the ‘intolerable’ region may be

attributed so because of their high consequence. However, the risk graph identifies

inconsistencies of required LCs for several tasks. For some tasks, the results from survey

1’s HEPs require a higher LC than for those of survey 2. For other tasks, the opposite is

true. There are two consequences to choosing one set of results over the other. First,

some tasks may be assumed to be adequately managed when in reality they require more

reduction efforts. Second, resources may be allotted to the risk reduction of tasks that are

already adequately managed. In both cases, resources are not being used efficiently. One

survey cannot be considered to have more weight than the other, and as neither

participant has had calibration, one result cannot be chosen over the other, nor can they

be combined in any way.

The statistical analysis properties of SLIM, while much more resource-intensive,

may provide a more accurate HEP result. Averaging the HEART results of several

additional valid participants may increase the validity of HEART in the current

methodology. However, the expected advantage of HEART is that it is resource-

efficient. Utilizing more expert judges would nullify any advantage in the resource-

efficiency of HEART, and may favour the statistical analysis of SLIM.

6.2 Safety Barriers

Potential safety barriers for each task are outlined in the procedural HAZOP

analyses. Examples of procedural HAZOPs are shown in Chapter 3 and Chapter 4. The

complete procedural HAZOP of the escape phase is found in Deacon et al. (2010). The

complete procedural HAZOP of the evacuation phase is shown in Appendix C. Not

every safety barrier identified in the procedural HAZOP is used in the risk reduction

calculations. Each potential safety barrier must be evaluated to determine if it can be

71

assigned a level of confidence. For a safety barrier to qualify for an associated LC, it

must meet the following requirements (Anderson et al., 2004):

The safety barrier must not rely on regulation system performance

All applicable codes and standards must be met, and the safety barrier must be

adapted to the characteristics of its environment

Testing at regular intervals must be in effect

Preventative maintenance must be performed regularly

If a safety barrier meets these requirements, it can then be assigned an LC. The design

LC of a barrier ranges from 1 – 4, with increasing reliability. An LC of 4 is rarely

encountered (Anderson et al., 2004). The LCs of safety barriers typically follow the

principles of the hierarchy of controls (Khan and Amyotte, 2003).

Safety barriers for the escape phase are evaluated in Deacon et al. (2010). One of

the available safety barriers for the evacuation phase is a ‘training’ barrier. The training

barrier is considered procedural in nature and depends on human action to function. A

human action safety barrier in ARAMIS, ‘operator answer with stress,’ is assigned an LC

of 1 where the individual is under considerable stress. The evacuation training barrier is

assigned an LC of 1 in keeping with the ‘operator answer with stress’ description in

ARAMIS (Anderson et al., 2004).

Table 6.5 shows the design LC of any applicable safety barriers for the evacuation

tasks. A ‘-‘ indicates that a safety barrier with an associated LC is not available. The

safety barriers are chosen from the procedural HAZOP (see Chapter 4). Safety barriers in

the procedural HAZOP that are not shown in the above table do not meet the minimum

requirements to be assigned an LC. Active barriers (GPS locator, beacons, auto-check

system) were assigned an LC of 1, while passive barriers (reinforced floor, shock

absorbers) were assigned an LC of 2. Training as a procedural barrier was also assigned

72

Table 6.5: Evacuation safety barriers and their associated LCs. Evacuation Task Barrier 1 LC Barrier 2 LC Total LC 1.2 Instruct personnel and maintain control

Training 1 - - 1


Training 1 Auto-check

system 1 2


Training 1 - - 1


Training 1 Shock

absorbers 2 3

2.3.8. Start air support system

Training 1 - - 1


Training 1 - - 1


Training 1 GPS, sound

and light beacons

1 2


Training 1 Shock

absorbers 2 3

2.3.12 Launch TEMPSC Training 1 Shock

absorbers 2 3


Training 1 - - 1


Training 1 GPS locator 1 2


Training 1 - - 1


Training 1 - - 1

2.4.5 Launch life raft Training 1 - - 1

2.4.6 Board life raft Training 1 Reinforced

floor 2 3

2.4.7 Cut painter Training 1 - - 1 2.4.8 Paddle clear of danger Training 1 GPS locator 1 2 2.4.9 Stream anchor Training 1 - - 1 2.4.10 Maintain sea-worthiness of life raft

Training 1 - - 1


Training 1 Light and

sound beacon 1 2


Training 1 - - 1


Training 1 - - 1


Training 1 - - 1


Training 1 - - 1


Training 1 GPS locator and beacon

1 2

an LC of 1. Requirements for the escape phase training and procedures barrier (Deacon

et al., 2010) and the evacuation phase training and procedures barrier differ.

73

The evacuation training barrier is only applicable if it includes the following:

Drills including verbalization of weather and sea conditions

Drills including completion and verbalization of every evacuation task in various

scenarios, with personnel feedback

Written prompts and instructions at all evacuation stations

Drills with measurement equipment (compass heading, etc.)

Different coloured suits for identification of personnel in command (coxswain,

OIM, etc.)

High stress training for coping while maintaining command

Behavioural testing to determine panic potential

Checklist of orders to issue for personnel in command

Card on boarding procedure of all evacuation vessels for all personnel

Written and illustrated boarding procedure at all evacuation stations

Training for coxswains to correctly orient TEMPSC under minimal visibility

Prompts inside vessels to fasten seatbelt, await instructions

Drills that complete certain tasks out of order (e.g. starting air support system

before ensuring everyone secure) to show consequences

Two-way radios for all personnel

Photo-luminescent pathways

Evacuation checklist and evacuation route maps for all personnel

The concept of training and performing drills in various situations (night/day, windy,

rainy, clear) for various scenarios helps prepare personnel for real emergencies. It is

understood that tasks involving movement through the sea may place personnel in

unnecessary risk during evacuation drills. It is more acceptable to perform such tasks in a

controlled environment, so long as they are performed. If the abovementioned

requirements are met in an offshore facility’s training and procedures, then the ‘training’

barrier can be given an LC of 1. If one or more of these requirements do not exist, the

‘training’ barrier should not be given an associated LC.

74

Table 6.6 is a comparison of the total design LCs of the safety barriers with the

required LC from each HEP survey data set.

Table 6.6: Design LCs compared with required LCs for each HEP survey data set.

Evacuation Step LC from barriers

Survey 1 Survey 2


1 2 3


2 2 a


1 1 a

2.3.4 Ensure drop zone is clear 3 3 a 2.3.8. Start air support system 1 1 a 2.3.9 Close and secure all hatches 1 2 - 2.3.10 Call command centre/launch master/other lifeboats to confirm launch sequence

2 2 1


3 3 3

2.3.12 Launch TEMPSC 3 3 3 2.3.13 Engage forward gear and full throttle

1 3 2


2 3 3


1 2 -

2.4.3 Secure painter to strong point 1 3 a 2.4.5 Launch life raft 1 2 a 2.4.6 Board life raft 3 2 3 2.4.7 Cut painter 1 3 a 2.4.8 Paddle clear of danger 2 3 3 2.4.9 Stream anchor 1 3 a 2.4.10 Maintain sea-worthiness of life raft

1 3 2


2 2 -


1 2 1

2.5.2 Move to lowest nearby platform 1 2 1 2.5.4 Jump away from platform, feet first, avoiding platform legs

1 1 1

2.5.5 Swim along side of platform 1 3 3 2.5.6 Look for other overboard survivors and rescue opportunities

2 2 2

There are several tasks in Table 6.6 (tasks 1.2, 2.4.10, 2.5.5) where the total LC from the

identified safety barriers is below the LC requirements determined from both HEP data

set results. The two surveys are in agreement that more safety barriers are needed for

75

those tasks. In other cases (tasks 2.3.12, 2.5.6), the total design LC meets the LC

requirements for both HEP data set results. In some instances there is a discrepancy

between survey results in the required LC for a task, but the total LC is equal to that of

the more pessimistic LC requirement. Finally, for some tasks (tasks 2.3.10, 2.4.6), the

total LC is sufficient according to the results of one survey but not the other. This third

case reveals an issue. In the first instance, it is determined that the analyzed safety

barriers are insufficient. In the second instance, it is determined that the total design LC

is sufficient. However, in the third instance, no conclusion can be made. Further

research efforts involving the application and calibration of HEART may reduce the

discrepancy between future HEP data sets and reduce the occurrence of disagreeing

results.

Once the design LCs are determined, a safety audit must be performed. A safety

audit addresses the state of the safety culture on the facility. An index value is developed

from the safety audit and multiplied by the LCs to determine their actual value. Safety

audits are necessary in performing risk reduction analysis, as this step can help reduce the

gap between real and perceived risk at a facility. A safety audit is not performed in the

current work, as a specific facility would be required. For illustrative purposes, the

design LCs are used in the analysis. Figures 6.1 and 6.2 are examples of bow-ties for two

of the evacuation tasks. The bow-tie graphs for the entire evacuation phase are shown in

Appendix D. Note that in order for a prevention barrier, such as the training barrier, to be

implemented, it must protect against the occurrence of all failure modes in order to

reduce the HEP. If the probability of each individual failure mode occurring were

known, then prevention barriers that protect against some but not all failure modes could

be included. Successful mitigation barriers reduce the consequence severity depending

on the critical event considered. For example, if an auto-check mechanism detects that

the TEMPSC is not sea-worthy before launch, then the situation is remedied before injury

76 Check omitted

Tra

inin

g

LC

=1

Consequence 1

Critical Event: Fail Task 2.3.1

Aut

omat

ic

C

heck

M

echa

nism

LC

=1

Probability = HEP*10-1*0.9 = HEP*0.09

Check incomplete Probability = HEP*10‐1

Consequence 4

Probability = HEP*10-1*10‐1 = HEP*10-2

Figure 6.1: Bow-tie graph for evacuation task 2.3.1, ‘ensure sea-worthiness of TEMPSC’.

Action too early

Tra

inin

g

LC

=1

Consequence 3


Sho

ck

abso

rber

s

LC

=2


Action too late Probability = HEP*10‐1

Consequence 4

Action too little

Probability = HEP*10-1*10‐2

= HEP*10-3 Figure 6.3: Bow-tie graph for evacuation task 2.3.11, ‘release falls/confirm auto-release’.

77

occurs. The consequence severity of evacuation task 2.3.1 is effectively reduced from 4

to 1. For task 2.3.11, shock absorbers may prevent the TEMPSC from being

compromised or an individual from experiencing a fatal injury. However, serious injury

is nonetheless likely. The consequence severity is reduced from 4 to 3 with the inclusion

of shock absorbers.

6.3 Case Study

The emergency scenario risk assessment and reduction methodology is presented

in Chapters 3 through 6 . A validation of the methodology via case study is presented in

the current section. The Ocean Odyssey evacuation incident is evaluated.

On September 22, 1988, the Ocean Odyssey drilling rig experienced a

hydrocarbon release, which led to explosions and fires on the installation. The Ocean

Odyssey was stationed off the coast of Aberdeen at the time. At the time of the incident

there were 67 individuals on board. One individual perished while the remaining

evacuated, either by one of two TEMPSCs or jumping directly into the sea. A radio

operator began evacuation but returned to the radio room to coordinate evacuation efforts

and perished. Evacuating personnel were rescued by the installation’s stand-by vessel

and a vessel that was in the area at the time of evacuation. Survivor accounts suggest that

conditions on the installation were deteriorating in the days leading up to and on the day

of the incident. Hot work activities had ceased on the day of the incident and

announcements were made about which boats to use should evacuation occur. However,

many individuals kept their routines until the time of the incident. This prevalent attitude

was attributed to the long-term deterioration of the installation and well conditions

(Robertson and Wright, 1997).

A case study of the methodology of the escape phase of the Ocean Odyssey is

found in Deacon et al. (2010). The current work presents an analysis of the evacuation

phase. The EER initiator was a fire and explosion. Evacuation tasks 2.3.1, ‘ensure sea-

worthiness of TEMPSC’, and 2.3.11, ‘release falls/confirm auto-release’, are discussed.

From Tables 6.2 and 6.3, an error for task 2.3.1 has a consequence severity (C) of

4. All EER tasks have a frequency of exposure (F) of 1. Task 2.3.1 has a potential to

78

avoid damage (D) of 1, indicating that personnel have enough time to avoid the

consequences of an error. In reality, an error did occur on the Ocean Odyssey during task

2.3.1. In one TEMPSC, it was noted by survivors that drain plugs were not fitted until

the TEMPSC began its descent. This error was rectified before proceeding further

(Robertson and Wright, 1997). Survey 1 results estimate a HEP of 1.0 and survey 2

results estimate a HEP of 0.003. As a result, survey 1 leads to a required LC of 2 and

survey 2 leads to a required LC of ‘a’, or no defined LC required. Clearly, rectification

of this error was a result of individuals noticing and drawing attention to the lack of drain

plugs. Confusion was high and organization was lacking at the time (Robertson and

Wright, 1997). It cannot be expected that an individual will simply notice an error and

successfully take charge during such conditions. Safety barriers available include the

aforementioned training barrier with an LC of 1, and an automated pressure-check system

to determine if the TEMPSC is completely sealed. The latter barrier is an active safety

barrier with detection, diagnosis and action subsystems. The detection subsystem is the

automated pressure-check system, while the diagnosis and subsequent action are human

subsystems. The global LC of the active barrier is equal to the lowest LC of its three

subsystems. For demonstrative purposes, the global, or overall, LC of the active barrier

is set at 1.

Similarly, the required LC resulting from both surveys is 3 for task 2.3.11.

Individuals on the Ocean Odyssey experienced difficulty when releasing the falls of the

TEMPSC after contact with the sea. There was no means of confirmation of release aside

from opening hatches and manually checking. It is noted that fall release hooks at the

time were difficult to release in harsh sea conditions without opening hatches and

manually releasing them. An error occurred in releasing the falls hooks on one of the

evacuating TEMPSCs. One of the falls hooks had not been released before the coxswain

attempted to manoeuvre the boat away from the installation. As a result, the TEMPSC

swung back towards the installation, and it is believed to have made contact with the

platform leg (Robertson and Wright, 1997). The HEP data set results from survey 1

estimate a HEP of 0.112 for task 2.3.11 and the results from survey 2 estimate a HEP of

1.0. Despite the noticeable discrepancy of HEPs, the required LC for both cases is 3. A

training prevention barrier to reduce the probability of the TEMPSC hooks being released

79

too early or too late is available. Another safety barrier is a shock absorber mitigation

barrier to maintain sea-worthiness of the TEMPSC should a free-fall or impact with the

platform leg occur. As mentioned previously, the training barrier has an associated LC of

1. The shock absorbers, a passive safety barrier which for evaluation purposes is

compared to the functionality of a blast wall (i.e. absorbing damage), is given a design

LC of 2, similar to a blast wall (Anderson et al., 2004). Combining the design LCs of

these two barriers results in an overall LC of 3, equal to the required LC determined by

the risk graph.

For both tasks 2.3.1 and 2.3.11, the LCs of the available safety barriers meet the

higher LC requirements of the two surveys. There is no mention of a pressure-check

system on the TEMPSCs; it was human detection that recovered from the original error.

Thus it is assumed that no such active barrier existed on the Ocean Odyssey. Some of the

aforementioned requirements of the training barrier in order to assign it an LC of 1 were

also not present. Personnel in command were not easily identifiable from others. It is

believed that one of the coxswains had succumbed to the stress of the situation and was

replaced by another crew member. The preparation time for the TEMPSC launch was

chaotic, relatively unorganized and filled with confusion (Robertson and Wright, 1997).

While individual action at key points (taking over for the coxswain, opening the

TEMPSC to release the hooks, noticing and rectifying the absence of drain plugs) moved

the evacuation process along, the lack of important training barrier requirements nullifies

any associated LC. Therefore, there is no associated LC for the safety barriers for task

2.3.1 of the Ocean Odyssey incident. There is no indication of damage to one of the

TEMPSCs from being washed against a platform leg; it is debatable whether or not

contact had actually occurred. From accounts on the quality of the TEMPSCs (Robertson

and Wright, 1997), as well as the lack of indication of any reinforcement against impact,

no LC for the shock absorber barrier is considered for the Ocean Odyssey incident.

The summary of the analysis is shown in Table 6.7. A < - > indicates that no LC

existed. The variable ‘HEP’ is the evaluated HEP for each task. The required LC

considered is the higher of the two HEP data set results.

80

Table 6.7: Summary of required, available and actual LCs on Ocean Odyssey.

Ocean Odyssey

Task C F D Required LC

Actual LC

Potential LC

Probability of consequence occurring

2.3.1 4 1 1 2 - 2 HEP

2.3.11 4 1 2 3 - 3 HEP

Potential

Task C F D Required LC

Actual LC

Potential LC

Probability of consequence occurring

2.3.1 4 1 1 2 2 2 HEP*10-2

2.3.11 4 1 2 3 3 3 HEP*10-3

The design LCs of the available safety barriers in the current work meet the evaluated LC

requirements for tasks 2.3.1 and 2.3.11. However, these safety barriers cannot be

assumed to have been in effect for the Ocean Odyssey installation. The analysis of

Robertson and Wright (1997) revealed deficiencies in the TEMPSC evacuation stage.

81

Chapter 7 CONCLUSIONS & RECOMMENDATIONS

A methodology for the assessment and reduction of human error in emergency

situations has been presented in the current work. This Chapter identifies the main

conclusions drawn from the current work and outlines recommendations for future works.

7.1 Conclusions

The emergency escape, evacuation and rescue process was analyzed using

hierarchical task analysis. The result was a list of tasks that operators must accomplish

during the EER process. The escape phase was evaluated in two parts, by Di Mattia

(2004) and Deacon et al. (2010). Di Mattia (2004) identified escape phase tasks and

HEPs. Deacon et al. (2010) evaluated escape phase consequences, identified potential

safety barriers and introduced a comprehensive risk reduction tool. Evacuation and

rescue phase tasks were identified in the present thesis. An expert judgment technique,

HEART, was used to estimate the probability of human error for each of the evacuation

tasks. Experts in the field of offshore safety were solicited using expert judgment

surveys. Results were analyzed for HEPs. Consequence severities were analyzed using

reports and investigations from previous incidents in industry. A risk matrix was

developed from the ISO standard 17776 risk matrix. The HEPs and consequence

severities were combined in the developed risk matrix to evaluate the tolerability of the

risk. Risks determined to be intolerable were evaluated further using the risk reduction

strategy developed in ARAMIS. The required level of confidence of safety barriers for

evacuation tasks were evaluated using the risk graph. Potential failure modes,

consequences and safety barriers were identified in a procedural HAZOP. These

potential safety barriers were evaluated to determine if a level of confidence can be

associated. A case study of the Ocean Odyssey was used to test the validity and

demonstrate the use of the methodology.

The human error probabilities were evaluated using SLIM for the escape phase

tasks and HEART for the evacuation phase tasks. Evaluating the risk with the most

effective human error probability technique increases the value of the risk reduction stage

82

of the methodology. Two data sets resulted from the use of HEART for the evacuation

tasks. The HEPs from the data sets conflicted and the use of HEART for the proposed

risk assessment and reduction methodology remains inconclusive. Proper calibration and

further documentation on the use of HEART may improve the expert judgment

technique’s reliability. In the current state, however, the statistical analysis of SLIM is

favoured for the proposed methodology.

The risk assessment and reduction methodology presented in the current work can

reduce the gap between real and perceived risk in terms of emergency preparedness, and

increase the effectiveness of allocated resources for safety management. The presented

method is a means of assessing and reducing the risk of human error during emergency

situations. Risk reduction measures were identified for offshore emergency situations.

However, many potential risk reduction measures do not currently meet the criteria

described by ARAMIS (Anderson et al., 2004) to be included in risk reduction

calculations. Novel concepts in the current work include the combination of a human

error risk assessment methodology (HEART) with a comprehensive risk reduction

methodology (ARAMIS) to form a complete risk assessment and reduction tool. The

introduction of the hierarchy of controls (Khan and Amyotte, 2003) and the principle of

prevention and mitigation safeguards into the procedural HAZOP is also a novel idea.

These two additions facilitate the transition of safety measures from potential safety

barriers in the procedural HAZOP to safety barriers evaluated by ARAMIS and assigned

a design LC.

7.2 Recommendations

Further research is recommended as follows:

1. Further validate and document the use of HEART for emergency scenarios

through calibration and comparison with other expert judgment techniques and

known human reliability data.

2. Further research into potential safety barriers that do not currently meet minimum

requirements to be assigned an LC, with the goal to satisfy these minimum

requirements. Currently there are many potential safety barriers that do not meet

83

the criteria defined in ARAMIS, reducing the effectiveness of the technique and

the knowledge of risk reduction measures.

3. Perform a dependency analysis of EER tasks and time constraint study on the

EER process. The performance of early EER tasks may have an effect on the

probability of error for later tasks. The EER process is also an urgent process and

major fatalities can occur within minutes if evacuation is delayed (Moan et al.,

1981).

4. Perform HEP, consequence and risk reduction analysis for the rescue phase of

EER.

84

References

Anderson, H., Casal, J., Dandrieux, A., Debray, B., Dianous, V., Duijm, N., Delvosalle, C., Fievez, C., Goossens, L., Gowland, R., Hale, A., Hourtolou, D., Mazzarotta, B., Pipart, A., Planas, E., Prats, F., Salvi, O., Tixier, J., 2004. “ARAMIS user guide” (The European Commission Community Research). Cameron, I., Raman, R.. Process Systems Risk Management, vol. 6. 2005. (San Diego, CA: Elsevier Academic Press). Deacon, T., Amyotte, P. and Khan, F. 2010. “Human Error Risk Analysis in Offshore Emergencies,” Safety Science 48 803-818. DiMattia, D. Human Error Probability Index for Offshore Platform Musters, PhD Thesis (2004), Dalhousie University. DiMattia, D., Khan, F., Amyotte, P. 2005. “Determination of human error probabilities for offshore platform musters,” Journal of Loss Prevention in the Process Industries 18 488-501. DNV. 2002. “Marine Risk Assessment” (Report OTO 2001 063, UK Health and Safety Executive). DNV. 2007a. “Accident Statistics for Fixed Offshore Units on the UK Continental Shelf 1980-2005” (Report RR 566, UK Health and Safety Executive). DNV. 2007b. “Accident Statistics for Floating Offshore Units on the UK Continental Shelf 1980-2005” (Report RR 567, UK Health and Safety Executive). Embrey, D., Guidelines for Preventing Human Error in Process Safety. 1994. (New York, NY: American Institute of Chemical Engineers). Khan, F. and Amyotte, P. 2003. “How to make inherent safety practice a reality,” The Canadian Journal of Chemical Engineering, 81 2-16. Khan, F., Amyotte, P., DiMattia, D. 2006. “HEPI: A new tool for human error probability calculation for offshore operation,” Safety Science 44 313-334.

85

Kennedy, B. 1993. “A human factors analysis of evacuation, escape and rescue from offshore installations” (Report OTO 93 004, UK Health and Safety Executive). Kirwan, B. 1996. “The Validation of Three Human Reliability Quantification Techniques – THERP, HEART and JHEDI: Part 1 – Technique Descriptions and Validation Issues,” Applied Ergonomics, 27 359-373. Kirwan, B. 1997a. “The Validation of Three Human Reliability Quantification Techniques – THERP, HEART and JHEDI: Part 3 – Practical aspects of the usage of the techniques,” Applied Ergonomics, 28 27-39. Kirwan, B. 1997b. “Validation of Human Reliability Assessment Techniques: Part 2 – Validation Results,” Safety Science, 27 43-75. Kirwan, B., Kennedy, R., Taylor-Adams, S., Lambert, B. 1996. “The Validation of Three Human Reliability Quantification Techniques – THERP, HEART and JHEDI: Part 2 – Results of Validation Exercise,” Applied Ergonomics, 28 17-25. Kletz, T., An Engineer’s View of Human Error, 3rd ed. 2001. (Rugby, Warwickshire: Institution of Chemical Engineers). Moan, T., Nᴂsheim, T., Φveraas, S., Bekkvik, P., Kloster, A., 1981. "The Alexander L. Kielland accident" (Report NOU 1981:11, Norwegian Public Reports). Reason, J. Human Error. 1990. (New York, NY: Cambridge University Press). Robertson, D. and Simpson, M. 1996. “Review of Probable Survival Times for Immersion in the North Sea” (Report OTO 95 038, UK Health and Safety Executive). Robertson, D.H. and Wright, M.J. 1997. "Ocean Odyssey Emergency Evacuation: Analysis of Survivor Experiences" (Report OTO 96 009, UK Health and Safety Executive). Salvi, O. and Debray, B. 2006. “A Global View on ARAMIS, a Risk Assessment Methodology for Industries in the Framework of the SEVESO II Directive,” Journal of Hazardous Materials, 30 187-199. Swain, A. and Gutterman, H. Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications. NUREG/CR 1278. 1983. (Albuquerque, Sandia National Laboratories).

86

US Coast Guard. 1983. "Marine Casualty Report-Mobile Offshore Unit (MODU) OCEAN RANGER" (Report USCG 0001 HQS 82, US Coast Guard). Willaims, J., “A data-based method for assessing and reducing human error to improve operational performance,” IEEE Proceedings, 4th Conference on Human Factors, New York, 1988.

87

Appendix A

Risk Matrices

88

Consequence Increasing Probability

Severity Rating

People Assets Environment Reputation A B C D E

Rarely occurred

in industry

Happened several

times per year in

industry

Has occurred in operating company

Happened several

times per year in

operating company

Happened several

times per year in location

0 Zero injury

Zero damage

Zero effect Zero impact

Manage for continued

Improvement 1 Slight

injury Slight

damage Slight effect Slight impact

2 Minor injury

Minor damage

Minor effect Limited impact

3 Major injury

Local damage

Local effect Considerable impact

4 Single fatality

Major damage

Major effect Major national impact

Incorporate risk reducing measures

Intolerable

5 Multiple fatalities

Extensive damage

Massive effect Major international

impact

Figure A.1: ISO standard 17776 risk matrix (DNV, 2002).

89

Table A.1: Frequency index definitions for risk ranking matrix (DNV, 2002).

FI Frequency Definition F

(per ship year)

7 Frequent Likely to occur once per month on one ship 10

5 Reasonably probable Likely to occur once per year on a fleet of 10 ships, i.e. likely to occur several times during a ship’s life

0.1

3 Remote Likely to occur once per year on a fleet of 1000 ships, i.e. 10% chance of occurring in the life of 4 similar ships

10-3

1 Extremely remote Likely to occur once in 100 years in a fleet of 1000 ships, i.e. 1% chance of occurring in the life of 40 similar ships

10-5

90

Appendix B

Expert Judgment Surveys

91

Consent Form

Introduction

We invite you to take part in a research study being conducted by Travis Deacon who is a graduate student at Dalhousie University, as part of his Master’s of Applied Science. Your participation in this study is voluntary and you may withdraw from the study at any time. The study is described below. This description tells you about the risks, inconvenience, or discomfort which you might experience. Participating in the study might not benefit you, but we might learn things that will benefit others. You should discuss any questions you have about this study with Travis Deacon.

Purpose of the Study

The purpose of this study is to develop a tool to assess and reduce the risk of human error during emergency evacuation of offshore installations. The risk includes the probability of a human error occurring and the consequences of that error. We are using an expert judgement tool to estimate the probability of human error for each task involved in evacuating an offshore platform.

Study Design

If you choose to participate, it will include rating each of 40 evacuation tasks using the rating scale given to you. We will use these ratings to determine the human error probabilities for each task. We will also compare results from different participants to determine the user-friendliness of the technique.

Who can participate in the study

You may participate in this study if you have any level of background in offshore emergency procedures. This includes offshore emergency training instructors, operators that have participated in offshore evacuations or musters, and safety personnel responsible for offshore emergency preparedness. If you currently or did previously fit into one or more of these categories, then you may participate in this study.

Who will be conducting the research

The main investigator in this research is Travis Deacon, a graduate student at Dalhousie University. He is under the supervision of Dr. Paul Amyotte (Dalhousie University), Dr. Scott MacKinnon (Memorial University) and Dr. Faisal Khan (Memorial University).

What you will be asked to do

If you agree to participate, you will be asked to rate 40 offshore evacuation tasks using the given 8-point rating scale. You will also be asked to choose from a list of external factors that may influence evacuation performance and rate their effect on an individual on a scale of 1 to 10. Your

92

answers can be typed into the survey using Microsoft Word. This process can be done at your leisure over a period of 45 days. As the results will be compared, please do not discuss your results with others. Once completed, you are asked to email the surveys to Travis Deacon at [email protected].

Possible Risks and Discomforts

There is minimal expected risk or discomfort in participating in this survey.

Possible Benefits

While there are no expected personal benefits to this survey, it will help in the process of evaluating the risk during offshore evacuations, as well as highlighting the tasks that are highest priority for risk reduction efforts. This research will result in a generic tool that aims to help risk assessors evaluate human error for offshore emergency procedures.

Confidentiality and Anonymity

Potential participants will be solicited by forward of this survey from the main investigator’s contacts in industry. Should you decide to participate, you need only to inform the main investigator through completion and submission of the survey via his email address. By submitting a completed or partially completed survey to the main investigator, you are consenting to the use of the data supplied in the surveys. At no time will participant identities be revealed by the research team to anyone aside from the main investigator and his supervisors. Participants will have direct contact with the main investigator or Director of Research Ethics at Dalhousie University should they have questions. Should you choose to participate in this survey, you will not be identified in any reports or publications that follow from it.

Results will be kept in a computer file that does not identify individuals. A separate file that links individual names to survey results will be kept until receipt of all completed surveys and confirmation that there are no matters in the completed survey requiring follow-up. A list of participants will be kept on computer file should the need arise to contact participants during analysis of the results. The main investigator and supervisors will have access to this information, which will be locked in an office when not in use. The results will be kept on computer file at Dalhousie University for 5 years following publication. Following this time, the record will be deleted.

Questions

Should you have any questions about the procedure or the study in general, please contact Travis Deacon, graduate student, Department of Process Engineering and Applied Science at Dalhousie University, at (902) 220-0794, [email protected]. Any new information that may affect your decision to participate in this study will be forwarded to you if it develops.

93

Problems or concerns

If you have any difficulties with, or wish to voice concern about, any aspect of your participation in this study, you may contact Patricia Lindley, Director of Dalhousie University’s Office of Human Research Ethics Administration, for assistance at (902) 494-1462, [email protected]

Generic Error Probability (GEP) evaluation form

The following is a list of steps identified for the evacuation procedure. These are the steps that operators must be able to complete to achieve successful evacuation of a platform. Some steps must be performed by a designated operator (i.e. coxswain, muster captain). 1.0 Prepare to evacuate 1.1 Check wind speed, direction and sea state 1.2 Instruct personnel and maintain control 1.3 Issue sea sickness tablets 2.0 Evacuate installation – do one of 2.1-2.5, priority in descending order 2.1 Evacuate via bridge link 2.2 Evacuate via helicopter 2.2.1 Move to helideck 2.2.2 Establish communication with pilot 2.2.3 Instruct personnel on boarding procedure 2.2.4 Board helicopter 2.2.5 Don flight suit, aviation life jacket and secure seatbelt 2.3 Evacuate via TEMPSC 2.3.1 Ensure sea worthiness of TEMPSC 2.3.2 Check compass heading/direction to steer craft 2.3.3 Turn helm fully to clear installation on launch

2.3.4 Ensure drop zone is clear 2.3.5 Instruct personnel on boarding procedure 2.3.6 Fasten seat belt 2.3.7 Ensure everyone is secure

2.3.8. Start air support system 2.3.9 Close and secure all hatches


2.3.11 Release falls/confirm auto-release 2.3.12 Launch TEMPSC

2.3.13 Engage forward gear and full throttle 2.3.14 Steer TEMPSC at vector from platform to rescue area 2.4 Evacuate by life raft 2.4.1 Move to life raft muster station

2.4.2 Ensure seaworthiness of life raft 2.4.3 Secure painter to a strong point

2.4.4 Check for life raft instructions and number of personnel accommodated 2.4.5 Launch life raft 2.4.6 Board life raft 2.4.7 Cut painter 2.4.8 Paddle clear of danger

94

2.4.9 Stream anchor 2.4.10 Maintain sea worthiness of life raft 2.4.11 Look for TEMPSC, FRC, other life raft or overboard survivors 2.4.12 Attach painter to other life raft or tow craft 2.5 Escape directly to sea 2.5.1 Ensure survival suit properly sealed, lifejacket fastened 2.5.2 Move to lowest nearby landing of platform 2.5.3 Assess direction of waves, danger and airborne contaminants

2.5.4 Jump away from platform, feet first, avoiding platform legs 2.5.5 Swim along side of platform 2.5.6 Look for other overboard survivors and rescue opportunities Evacuation step 2.1 will not be explored in this study. The tasks are evaluated using an eight-point rating scale (called the GEP number), with 1 signifying a low probability of error and 8 signifying very high probability of error. To do this, choose the first reasonable generic task description from the table below. A diagram is shown below, and an example of a task for each generic description is provided where possible for reference. At the end of each evacuation method there is an opportunity to suggest additional tasks for that method (see, for example, 1.x after 1.3). Consider each step independently. The GEP for evacuation step 1.1 should not influence the GEP for evacuation step 1.2 or any other. This is an individual exercise and the results will be compared, so please do not collaborate. If you have any questions, please contact Travis Deacon at [email protected], (902) 220-0794.

As an example, the task of ‘closing a valve at the end of a task’ is evaluated. First it is compared with GEP 1, ‘respond correctly to system command even with automated/augmented supervisory system providing accurate interpretation of system stage’. This is not the case, as this is part of a procedure and not a system command. It does not fit GEP 2 unless it were to be performed several times per hour. It does, however, fit GEP 3. It is a shift of a device to a new or original state, it is a procedure, and there is likely checking. It is the first GEP that is a reasonable description.

Choose Step Does it fit description 1?

Does it fit description 2?

Record in survey

Etc.

Yes Yes

No No

95

GEP Generic Description Example Task

1 Respond correctly to system command even with automated/augmented supervisory system providing accurate interpretation of system stage

Press the illuminated button from a series of buttons on a panel

2 Familiar, well-designed routine task performed several times per hour, performed to highest possible standards by highly motivated, trained and experienced person totally aware with consequences of failure, with time to correct potential error but with no significant job aids

Navigate a car through a 4-way intersection. Multiple lanes in each direction with pavement markings.

3 Restore/shift system/device to a new or its original state, following procedures, with checking

Close a valve at the end of a task

4 Routine, highly-practiced, rapid task requiring little skill

Install a bearing correctly during a maintenance operation

5 Fairly simple task performed rapidly or given little attention

Unlock a combination lock in one attempt

6 Complex task requiring high level of comprehension and skill

Find 15 defects in an electrical unit within 3 hours

7 Shift/restore system to a new or its original state, single attempt, no supervision/procedures

Perform 10 numerical calculations in a row without time to correct mistakes

8 Totally unfamiliar, at speed, no idea of consequences

Evacuation Step: 1.1. Check wind speed, direction and sea state

GEP - Work from 1-8 and insert number of the first definition that is plausible:

Comments - Type in comments or recommendations here (e.g. why you chose that GEP):

Evacuation Step: 1.2. Instruct personnel and maintain control



96

Evacuation Step: 1.3. Issue sea sickness tablets



Evacuation Step: 1.x. If you believe there is a step that should be added to this section, please identify

it and where it should be placed



Evacuation Step: 1.xx. If you believe there is a step that should be added to this section, please

identify it and where it should be placed



Evacuation Step: 2.2.1. Move to helideck



Evacuation Step: 2.2.2. Establish communication with pilot



Evacuation Step: 2.2.3. Instruct personnel on boarding procedure



Evacuation Step: 2.2.4. Board helicopter



Evacuation Step: 2.2.5 Don flight suit, aviation life jacket and secure seatbelt



Evacuation Step: 2.2.x. If you believe there is a step that should be added to this section, please


97



Evacuation Step: 2.2.xx. If you believe there is a step that should be added to this section, please




Evacuation Step: 2.3.1. Ensure seaworthiness of TEMPSC



Evacuation Step: 2.3.2 Check compass heading/direction to steer craft



Evacuation Step: 2.3.3. Turn helm fully to clear installation on launch



Evacuation Step: 2.3.4.Ensure drop zone is clear






Evacuation Step: 2.3.6. Fasten seatbelt



Evacuation Step: 2.3.7. Ensure everyone is secure


98


Evacuation Step: 2.3.8. Start air support system



Evacuation Step: 2.3.9. Close and secure all hatches



Evacuation Step: 2.3.10. Call command centre/launch master/other lifeboats to confirm launch sequence



Evacuation Step: 2.3.11. Release falls/confirm auto-release



Evacuation Step: 2.3.12. Launch TEMPSC



Evacuation Step: 2.3.13. Engage forward gear and full throttle



Evacuation Step: 2.3.14. Steer TEMPSC at vector from platform to rescue area







99





Evacuation Step: 2.4.1. Move to life raft muster station



Evacuation Step: 2.4.2. Ensure seaworthiness of liferaft



Evacuation Step: 2.4.3. Secure painter to a strong point



Evacuation Step: 2.4.4. Check for liferaft instructions and number of POB accommodated



Evacuation Step: 2.4.5. Launch liferaft



Evacuation Step: 2.4.6. Board liferaft



Evacuation Step: 2.4.7. Cut painter



Evacuation Step: 2.4.8. Paddle clear of danger


100


Evacuation Step: 2.4.9. Stream anchor



Evacuation Step: 2.4.10. Maintain seaworthiness of liferaft



Evacuation Step: 2.4.11. Search for TEMPSC, FRC, other liferaft or overboard survivors



Evacuation Step: 2.4.12. Attach painter to other liferaft or tow craft











Evacuation Step: 2.5.1. Ensure survival suit properly sealed, life jacket fastened



Evacuation Step: 2.5.2. Move to lowest nearby landing of platform



101

Evacuation Step: 2.5.3. Assess direction of waves, danger and airborne contaminants



Evacuation Step: 2.5.4. Jump away from platform feet first, avoiding platform legs



Evacuation Step: 2.5.5. Swim along side of platform



Evacuation Step: 2.5.6. Look for other overboard survivors and rescue opportunities











Thank-you for your participation in this survey. Please email the completed form to [email protected] with the subject line ‘Evacuation form’. If you would like further information on the results of this study, please indicate in the body of the email.

Error-Producing Condition (EPC) evaluation form The following is a list of steps identified for the evacuation procedure. These are the steps that operators must be able to complete to achieve successful evacuation of a platform. Some steps must be performed by a designated operator (i.e. coxswain, muster captain).

102

1.0 Prepare to evacuate 1.1 Check wind speed, direction and sea state 1.2 Instruct personnel and maintain control 1.3 Issue sea sickness tablets 2.0 Evacuate installation – do one of 2.1-2.5, priority in descending order 2.1 Evacuate via bridge link 2.2 Evacuate via helicopter 2.2.1 Move to helideck 2.2.2 Establish communication with pilot 2.2.3 Instruct personnel on boarding procedure 2.2.4 Board helicopter 2.2.5 Don flight suit, aviation life jacket and secure seatbelt 2.3 Evacuate via TEMPSC 2.3.1 Ensure sea worthiness of TEMPSC 2.3.2 Check compass heading/direction to steer craft 2.3.3 Turn helm fully to clear installation on launch

2.3.4 Ensure drop zone is clear 2.3.5 Instruct personnel on boarding procedure 2.3.6 Fasten seat belt 2.3.7 Ensure everyone is secure

2.3.8. Start air support system 2.3.9 Close and secure all hatches


2.3.11 Release falls/confirm auto-release 2.3.12 Launch TEMPSC

2.3.13 Engage forward gear and full throttle 2.3.14 Steer TEMPSC at vector from platform to rescue area 2.4 Evacuate by life raft 2.4.1 Move to life raft muster station

2.4.2 Ensure seaworthiness of life raft 2.4.3 Secure painter to a strong point

2.4.4 Check for life raft instructions and number of personnel accommodated 2.4.5 Launch life raft 2.4.6 Board life raft 2.4.7 Cut painter 2.4.8 Paddle clear of danger 2.4.9 Stream anchor 2.4.10 Maintain sea worthiness of life raft 2.4.11 Look for TEMPSC, FRC, other life raft or overboard survivors 2.4.12 Attach painter to other life raft or tow craft 2.5 Escape directly to sea 2.5.1 Ensure survival suit properly sealed, lifejacket fastened 2.5.2 Move to lowest nearby landing of platform 2.5.3 Assess direction of waves, danger and airborne contaminants

2.5.4 Jump away from platform, feet first, avoiding platform legs 2.5.5 Swim along side of platform 2.5.6 Look for other overboard survivors and rescue opportunities

103

Evacuation step 2.1 will not be explored in this study. Consider each step. Choose between 0 and 3 EPCs that you believe an operator can be susceptible to for that step, 1-17, corresponding to the generic description in the EPC chart above. Then rate the impact the EPC will have on each of the three scenarios defined below, from 0-10 (0 meaning no or negligible impact, 10 meaning the EPC will severely affect the operator’s performance). A diagram of the process is shown below. There is also space to insert comments or suggestions. Consider each step independently. The EPCs, if any, for evacuation step 1.1 should not influence the EPC(s) for evacuation step 1.2 or any other. This is an individual exercise and the results will be compared, so please do not collaborate. If you have any questions, please contact Travis Deacon at [email protected], (902) 220-0794. As an example, the task of ‘closing the valve at the end of a task’ is evaluated. EPC 8, which could be in the form of a distraction to the operator, is a potential factor. If this occurs during normal operation with no other activities in the area, then the weight of this EPC would be 0. However, if there are several work activities being performed in the work station of which the operator must be constantly aware and cautious, such as non-scheduled maintenance or repairs, the EPC will be more important, perhaps with a rating of 6.

Choose Scenario

Choose & Record 0-3 EPCs

Weight magnitude of effect of EPCs from 0-10

Choose Step

104

EPC Description

1 Unfamiliarity with a situation which is potentially important, but occurs infrequently, or which is novel

2 Shortage of time available for error detection and correction 3 Low signal-to-noise ratio 4 Means of suppressing/overriding information/features that is too easily accessible 5 No means of conveying spatial and functional information to operators in a form that they

can readily assimilate 6 Mismatch between operator's model of the world and that of the designer 7 No obvious means of reversing an unintended action 8 A channel-capacity overload, particularly one that is caused by simultaneous presentation

of non-redundant information 9 A need to unlearn a technique and apply one that uses an opposing philosophy

10 The need to transfer specific knowledge from task to task without loss 11 Ambiguity in the required performance standards 12 A mismatch between perceived and real risk 13 Poor, ambiguous or mismatched system feedback 14 No clear, direct and timely confirmation of an intended action from the portion of the

system over which control is to be exerted 15 Operator inexperience 16 An impoverished quality of information conveyed by procedures and person-person

interaction 17 Little or no independent checking/testing of output

Abandonment Scenario


Situation A jack-up rig collides with a fixed installation during approach, significant damage to platform leg.

A hydrocarbon gas release

A fire and explosion

Operator in question

15 years experience 7 years experience 6 months experience

Weather Good weather, calm seas

Cold, wet weather Winter storm

Time of day Daylight hours Daylight hours Night time hours

Evacuation Step: 1.1. Check wind speed, direction and sea state

105

EPC 1 - Weight (out of 10) - Collision Gas release Fire & Explosion



Comments - Type in comments or recommendations here (e.g. why you chose these EPCs, or chose none):

Evacuation Step: 1.2. Instruct personnel and maintain control





Evacuation Step: 1.3. Issue sea sickness tablets





Evacuation Step: 1.x. If you believe there is a step that should be added to this section, please identify

it and where it should be placed





Evacuation Step: 1.xx. If you believe there is a step that should be added to this section, please





106


Evacuation Step: 2.2.1. Move to helideck





Evacuation Step: 2.2.2. Establish communication with pilot










Evacuation Step: 2.2.4. Board helicopter





Evacuation Step: 2.2.5 Don flight suit, aviation life jacket and secure seatbelt


107
















Evacuation Step: 2.3.1. Ensure seaworthiness of TEMPSC





Evacuation Step: 2.3.2 Check compass heading/direction to steer craft




108


Evacuation Step: 2.3.3. Turn helm fully to clear installation on launch





Evacuation Step: 2.3.4.Ensure drop zone is clear










Evacuation Step: 2.3.6. Fasten seatbelt





Evacuation Step: 2.3.7. Ensure everyone is secure


109




Evacuation Step: 2.3.8. Start air support system





Evacuation Step: 2.3.9. Close and secure all hatches





Evacuation Step: 2.3.10. Call command centre/launch master/other lifeboats to confirm launch sequence





Evacuation Step: 2.3.11. Release falls/confirm auto-release





110

Evacuation Step: 2.3.12. Launch TEMPSC





Evacuation Step: 2.3.13. Engage forward gear and full throttle





Evacuation Step: 2.3.14. Steer TEMPSC at vector from platform to rescue area















111



Evacuation Step: 2.4.1. Move to life raft muster station





Evacuation Step: 2.4.2. Ensure seaworthiness of life raft





Evacuation Step: 2.4.3. Secure painter to a strong point





Evacuation Step: 2.4.4. Check for life raft instructions and number of POB accommodated





Evacuation Step: 2.4.5. Launch life raft

112





Evacuation Step: 2.4.6. Board life raft





Evacuation Step: 2.4.7. Cut painter





Evacuation Step: 2.4.8. Paddle clear of danger





Evacuation Step: 2.4.9. Stream anchor




113


Evacuation Step: 2.4.10. Maintain seaworthiness of life raft





Evacuation Step: 2.4.11. Search for TEMPSC, FRC, other life raft or overboard survivors





Evacuation Step: 2.4.12. Attach painter to other life raft or tow craft













114





Evacuation Step: 2.5.1. Ensure survival suit properly sealed, life jacket fastened





Evacuation Step: 2.5.2. Move to lowest nearby landing of platform





Evacuation Step: 2.5.3. Assess direction of waves, danger and airborne contaminants





Evacuation Step: 2.5.4. Jump away from platform feet first, avoiding platform legs




115


Evacuation Step: 2.5.5. Swim along side of platform





Evacuation Step: 2.5.6. Look for other overboard survivors and rescue opportunities

















116

Thank-you for your participation in this survey. Please email the completed form to [email protected] with the subject line ‘Evacuation form’. If you would like further information on the results of this study, please indicate in the body of the email.

117

Appendix C

Procedural HAZOP of Evacuation Tasks

118

Table C.1: Check wind speed, direction & sea state HAZOP (Step 1.1). Failure Mode Description Consequences Prevention

Barriers Mitigation Barriers

Information not obtained

Coxswain assumes they know this information already

Safer option missed/ ignored

Unnecessary exposure to danger

Procedural

Written prompts at boat station and inside TEMPSC


Training with measuring equipment and interpreting conditions

Active Engineered

Enter parameters in a program. Alarm indicating failure to input parameters (or incorrect direction, etc.)

Wrong information obtained

Coxswain misinterprets readings

Procedural


Training with measuring equipment and interpreting conditions

Active Engineered

Enter parameters in a program. Alarm indicating failure to input parameters (or incorrect direction, etc.)

119

Table C.10: Instruct personnel and maintain control HAZOP (Step 1.2).

Failure Mode

Description Consequences Prevention Barriers

Mitigation Barriers

Information not transmitted

OIM/coxswains do not instruct personnel and maintain control

Panic/irrational behaviour within personnel

Procedural

Cox/OIM should have orders to be given on a checklist card

Personnel in command trained to cope with a high level of stress while maintaining command

Procedural

Uniforms/survival suits with different colours for personnel in command

Table C.3: Issue sea sickness tablets HAZOP (Step 1.3).

Failure Mode Description Consequences Prevention Barriers

Mitigation Barriers

Action omitted

Sea sickness tablets not issued

Reduced morale, sea sickness

Procedural

Drills including the issue of sea sickness tablets

120

Table C.4: Move to helideck HAZOP (Step 2.2.1).


Mitigation Barriers


Movement away from helideck

Delayed evacuation time

Injury

Procedural

Regular training with different scenarios requiring movement to helideck

Checklist and flowchart to aid OIM and coxswains in decision-making

Action too late

Too much time taken to decide

Table C.5: Establish communication with pilot HAZOP (Step 2.2.2).



No contact made with pilot

Erratic boarding, overload of helicopter

Procedural

Training/drills that include communication with pilot and loading of helicopter

121

Table C.6: Instruct personnel on boarding procedure HAZOP (Step 2.2.3). Failure Mode


Mitigation Barriers


No communication between personnel and pilot

Disorderly/dangerous behaviour while boarding helicopter

Erratic boarding, overload of helicopter

Procedural

Evacuation training/drills that include instructing personnel in various scenarios

Procedural

All personnel should have card with correct boarding procedure

Boarding procedure written and illustrated at helideck

Wrong information transmitted

Miscommunication between personnel and pilot

Table C.7: Board helicopter HAZOP (Step 2.2.4).

Failure Mode


Wrong action on right object

Incorrect procedure used to board helicopter

Delayed evacuation

Injury

Active Engineered

Lighted helicopter entrance

Procedural

Training/drills using low light and visibility

Written and diagrammatic instructions on helideck

122

Table C.8: Don flight suit, aviation life jacket and secure seatbelt HAZOP (Step 2.2.5).

Failure Mode


Action omitted

Individual does not perform any of these actions

Reduced buoyancy

Injury

Inherent

Reversible equipment with minimum number of straps, harnesses, buckles

Procedural

Familiarize all personnel with use of this equipment and test regularly through drills


Flight suit, aviation life jacket or seatbelt becomes twisted

Action too little

Individual does not perform at least one of these actions, or does not perform them to adequate tightness

Table C.9: Ensure sea-worthiness of TEMPSC HAZOP (Step 2.3.1).


Mitigation Barriers

Check omitted Personnel do not check structural integrity of TEMPSC/engine or that drain plugs have been fitted

Boat fails to launch

Boat damaged during launch

Boat sinks Loss of life

Procedural

Written and diagrammatic prompts in and around boats

Active Engineered

Automated check system on start-up of TEMPSC

Check incomplete

Personnel omit steps in checking TEMPSC

123

Table C.10: Check compass heading/direction to steer craft HAZOP (Step 2.3.2).


Mitigation Barriers


Coxswain assumes orientation without checking/compass fails

TEMPSC steered under rig/away from rescue area

Exposure to unnecessary danger

Procedural

Written prompts/checklist at TEMPSC and inside boat

Drills that include verbalization of compass heading

Passive Engineered

Backup compass in case of failure


Coxswain misreads compass

Table C.11: Turn helm fully to clear installation on launch HAZOP (Step 2.3.3).

Failure Mode


Action omitted

TEMPSC not oriented to clear installation

May steer under installation, exposing personnel to unnecessary danger

Damage to boat/injury

Procedural

Written and diagrammatic prompts

Training/drills that require coxswain to correctly orient TEMPSC with no outside visibility

Passive Engineered

TEMPSCs fitted with props/weights to automatically align away from installation on descent


124

Table C.12: Ensure drop zone is clear HAZOP (Step 2.3.4).

Failure Mode


Check omitted

Coxswain omits or forgets to check for debris in the water

Delayed evacuation


Injury/death

Active Engineered


Procedural



Passive Engineered


Check mistimed

Coxswain makes check too early or too late, leaving time for debris to float over or forcing the boat to be committed to the launch

Table C.13: Instruct personnel on boarding procedure HAZOP (Step 2.3.5).



No organization in boarding of TEMPSC

More weight on one side of TEMPSC, causing instability

TEMPSC moves away from installation with more difficulty

Procedural

Reminder on outside of TEMPSC of need for balance

Training/drills that emphasize proper boat loading and consequences of improper distribution

Passive Engineered

Self-stabilizing weights within the walls of the TEMPSC

Wrong information transmitted

Coxswain does not give proper boarding instructions

125

Table C.14: Fasten seat belt HAZOP (Step 2.3.6).


Mitigation Barriers

Action omitted

Seatbelt not fastened

Injury Active Engineered

Seat belts that require little strength and tactile efficiency to fasten and tighten

Procedural

Prompt at seat to fasten seat belt

Action too little

Seatbelt not fastened to adequate tightness

Table C.15: Ensure everyone is secure HAZOP (Step 2.3.7).


Check omitted

Coxswain does not ensure that personnel are secure

High noise levels, personnel may not be secure

Injury

Procedural

Written prompt and checklist for starting air support system next to engine ignition

Training/drills that require fastening seat belts, starting air support system and engine

Drills that purposely complete these steps out of order to show consequences

Check mistimed

Air support system started before check

126

Table C.16: Start air support system HAZOP (Step 2.3.8).


Action omitted

System not switched on

Smoke ingress causing injury, engine stall and delay

Procedural

Written prompt and checklist for starting air support system next to engine ignition

Training/drills that require fastening seat belts, starting air support system and engine

Drills that purposely complete these steps out of order to show consequences

Inherent

Engine connected to air supply system, will not turn over until air flow at a defined rate

Action too late/early

System switched on before ensuring everyone is secure or after engine on and idling

Personnel may not be secure

Injury

Action too little

Air valve not fully opened

Smoke ingress causing injury, engine stall and delay


Engine not switched on

127

Table C.17: Close and secure all hatches HAZOP (Step 2.3.9).

Failure Mode


Action omitted

Hatches are not closed

Exposure to heat and smoke

Water ingress, capsize

Inherent

Minimal number of hatches to close and secure

Procedural

Training/drills that require securing hatches


Bottom half of hatch secured before top half, lesser quality seal

Water ingress, capsize

Inherent

Minimal effort required to close hatches

Procedural

Training/drills that require securing hatches

Inherent

Hatches that seal perfectly regardless of order the sections are closed in

Table C.18: Call command centre/launch master/other lifeboats to confirm launch sequence HAZOP (Step 2.3.10).


Mitigation Barriers

Action omitted

Launch not confirmed

Rescuers unaware of launched TEMPSC

Delay in rescue

Procedural

Prompt at helm of TEMPSC to confirm launch sequence

Active Engineered

Flashing lights and high-frequency sound beacon on TEMPSC

GPS locator on TEMPSC

128

Table C.19: Release falls/confirm auto-release HAZOP (Step 2.3.11).

Failure Mode


Action too early

Release activated before completing previous steps

TEMPSC may drop to water if it is designed to release from height

TEMPSC (if designed to be lowered to water) may hang away from installation, preventing personnel from entering/ exiting

Death

Inherent

Release placed so as not to inadvertently activate it

Procedural

Training/drills in lowering the TEMPSC to the water

Passive Engineered

TEMPSC constructed to withstand multiple high impacts and absorb shock

Action too late

Delay in activating release

Delay in evacuation

Injury

Active Engineered

Release status indicators

Procedural


Passive Engineered


Action too little

Release not fully activated

129

Table C.20: Launch TEMPSC HAZOP (Step 2.3.12).

Failure Mode


Action too early

Release operated before other checks/actions

Long drop, personnel unprepared for impact

Injury Death

Inherent

Release placed so as not to inadvertently activate it

Passive Engineered

Window to see status of TEMPSC

Active Engineered

Height above sea level indicators

Procedural


Passive Engineered


Action too late

Release operated after delay

TEMPSC washed against installation, capsizes

Injury Death

Passive Engineered

Window to see status of TEMPSC

Active Engineered

Release status indicators

Procedural


Action too little

Release not fully activated

130

Table C.21: Engage forward gear and full throttle HAZOP (Step 2.3.13).


Mitigation Barriers


Reverse gear engaged

Delay in movement from installation

Injury Damage to

TEMPSC, washed against installation

Passive Engineered

Dual action required to engage reverse throttle to prevent accidental engagement

Action too early

Full throttle engaged before TEMPSC released from fall wires

Procedural

Drills and training to practice timing of engaging gear and throttle, moving away from installation immediately on release

Action too late

Full throttle not engaged immediately after fall release

131

Table C.22: Steer TEMPSC at vector from installation to rescue area HAZOP (Step 2.3.14).

Failure Mode



TEMPSC steered in wrong direction /under installation

Damage to TEMPSC


rescue

Active Engineered


Procedural

Instructions at helm of course to be steered and distance to rescue area

Training/drills during day and night to give coxswain experience of actions required

Active Engineered

Independently powered GPS locator on each TEMPSC

Action too little

Not enough distance from installation achieved


Damage to TEMPSC



Delay in rescue

Table C.23: Move to life raft muster station HAZOP (Step 2.4.1).


Mitigation Barriers


Movement away from helideck


Injury

Procedural

Regular training with different scenarios requiring movement to helideck

Checklist and flowchart to aid OIM and coxswains in decision-making

Action too late


132

Table C.24: Ensure sea-worthiness of life raft HAZOP (Step 2.4.2). Failure Mode Description Consequences Prevention

Barriers Mitigation Barriers

Check omitted Personnel do not check structural integrity of life raft

Raft fails to launch

Raft damaged during launch

Raft sinks Loss of life

Procedural

Written and diagrammatic prompts in and around rafts

Check incomplete

Personnel omit steps in checking life raft

Table C.25: Secure painter to strong point HAZOP (Step 2.4.3).

Failure Mode


Action omitted

Life raft canister not attached to platform

Loss of life raft

Passive Engineered

Painter pre-anchored with hydrostatic release

Procedural

Training/drills involving launch of life rafts

Prompt on life raft canister and personal checklist

133

Table C.26: Check for life raft instructions and number of personnel accommodated HAZOP (Step 2.4.4).



Instructions not checked for number of persons accommodated or painter length

Capacity of life raft exceeded

Exposure of POB to danger of sinking

Unaware of how much painter must be pulled out before raft will inflate

Procedural

Training/drills involving the launch of life rafts requiring personnel to know the capacity of the raft

Prompts on life raft canister and personal checklist

Active Engineered

Life raft designed to inflate on impact

Procedural

Capacity of life raft shown on outside and inside walls of raft

Table C.27: Launch life raft HAZOP (Step 2.4.5).

Failure Mode


Action too much

Life raft canister handled incorrectly

Life raft does not fully inflate

Active Engineered

Automatic life raft deployment system

Procedural

Training/drills involving launching life raft

Checklist at life raft station giving instructions on launch

Active Engineered

Life raft designed to inflate on impact

Action too little

Life raft painter not pulled out to full extent

134

Table C.28: Board life raft HAZOP (Step 2.4.6). Failure Mode


Mitigation Barriers


Personnel jump into life raft from an excessive height

Damage/sinking of life raft

Passive Engineered

Chute slide and personnel descent devices to access raft

Procedural

Training/drills involving proper life raft boarding techniques

Passive Engineered

Reinforced floor in life raft

Table C.29: Cut painter HAZOP (Step 2.4.7).

Failure Mode


Action too early

Painter cut before all possible POB have boarded

POB left behind

Procedural

POB provided with 2-way radios to announce departure/ check for nearby POB

Action too late

Painter cut after POB have boarded and experience a delay

Exposure to debris and danger from installation

Passive Engineered

Simple one-hand use clip release requiring little motor variability

Procedural

Training/drills in safe situations requiring cutting the painter

Written and illustrated instructions at point of attachment

Action omitted

Painter not cut

135

Table C.30: Paddle clear of danger HAZOP (Step 2.4.8).

Failure Mode



Life raft steered in wrong direction /under installation

Damage to life raft


rescue

Active Engineered


Procedural

Instructions inside life raft of course to be steered and distance to rescue area

Training/drills during day and night to give POB experience of actions required

Active Engineered

Independently powered GPS locator on each life raft

Action too little

Not enough distance from installation achieved


Damage to life raft



Delay in rescue

Table C.31: Stream anchor HAZOP (Step 2.4.9).

Failure Mode


Action omitted

Anchor not used Life raft may drift away from search area or under installation

Passive Engineered

Ready assembled anchor as integral part of life raft underside

Procedural

Training/drills requiring deployment of anchor

Action too late

Anchor used after delay

136

Table C.32: Maintain sea-worthiness of life raft HAZOP (Step 2.4.10).

Failure Mode


Action omitted

Floor not inflated, leaks not repaired, water not baled

Deteriorating conditions inside life raft

Sinking of life raft

Procedural

Instructions inside life raft, all equipment clearly labelled and easy to use

Training/drills involving maintaining integrity of life raft

Table C.33: Look for TEMPSC, FRC, other life raft or overboard survivors HAZOP (Step 2.4.11).

Failure Mode


Action omitted

No lookouts posted, no pyrotechnics to alert rescue craft

Life raft may go unnoticed

Procedural

Prompt in life raft to post lookouts and rotate duty

Training/drills involving POB making contact with rescue craft

Active Engineered

Flashing lights and high frequency sound beacon on life raft

Table C.34: Attach painter to other life raft or tow craft HAZOP (Step 2.4.12).


Mitigation Barriers

Action omitted

Painter not attached to other craft

Life raft will continue to drift, away from rescue area or under installation

Passive Engineered

Simple single-hand use clip requiring little motor variability

Action too little

Painter attached but not fully secured

137

Table C.35: Ensure survival suit properly sealed, lifejacket fastened HAZOP (Step 2.5.1).

Failure Mode


Action omitted

Survival suit not properly sealed or lifejacket not adequately fastened

Loss of buoyancy in water

Death

Passive Engineered

Simple single-hand use equipment requiring little motor variability

Procedural

Training/drills that stress the importance of fastening equipment properly, including immersion in a controlled water environment

Action too little

Action too early

Survival suit and lifejacket fastened during escape phase

High body temperature, decreased mobility during escape

Delay in escape

Procedural

Training/drills that stress the importance of donning equipment at the proper time, including muster drills while wearing survival equipment

Inherent

Egress paths, ladders, etc designed for mobility with survival suits and life jackets

Tasks designed to require little motor variability

Action too late

Survival suit sealed after ingress of water

Loss of buoyancy

Injury

Procedural


138

Table C.36: Move to lowest nearby platform HAZOP (Step 2.5.2).


Mitigation Barriers


POB do not move to lowest nearby platform

Injury/Death from jumping

Procedural

Regular training with different scenarios requiring movement to low platforms

Checklist and map to aid POB

Signs posted at edges of all platforms indicating whether or not they should be used to jump into the sea

Photo-luminescent marked pathways to platforms of safe heights

Action too late



Table C.37: Assess direction of waves, danger and airborne contaminants HAZOP (Step 2.5.3).


Mitigation Barriers


POB do not assess environment before jumping

Safer option missed/ ignored

Unnecessary exposure to danger

Procedural

Prompts at platforms



POB misinterpret conditions

Procedural


139

Table C.38: Jump away from platform, feet first, avoiding legs HAZOP (Step 2.5.4).

Failure Mode


Action too little

POB do not jump away from platform or avoid legs

Injury Inherent

Platforms built to clear legs on jumping or falling

Passive Engineered

Chute designed to drop personnel into water feet-first

Action too early

POB jump before sealing survival suit and fastening lifejacket

Water ingress

Injury

Procedural


Table C.39: Swim alongside of platform HAZOP (Step 2.5.5).

Failure Mode



POB swim under installation


rescue Exposure to

debris from installation

Procedural

Training/drills in controlled environment simulating day and night to give POB experience of actions required

Active Engineered

Independently powered GPS locator on each survival suit Action too

little Not enough distance from installation achieved

140

Table C.40: Look for other overboard survivors and rescue opportunities HAZOP (Step 2.5.6).

Failure Mode


Action omitted

No lookouts posted, no pyrotechnics to alert rescue craft

POB may go unnoticed

Procedural

Training/drills involving POB making contact with rescue craft in a controlled environment

Active Engineered

Flashing lights, GPS locator and high frequency sound beacon on survival suits

141

Appendix D

Bow-tie Graphs of Evacuation Tasks

142Info not transmitted

Tra

inin

g

L

C=

1

Critical Event: Fail Task 1.2

Consequence 4

Probability = HEP*10‐1 Probability = HEP*10‐1

Figure D.1: Bow-tie for evacuation task 1.2.

Check omitted

Tra

inin

g

LC

=1

Consequence 1


Aut

omat

ic

C

heck

M

echa

nism

LC

=1



Consequence 4


Figure D.2: Bow-tie for evacuation task 2.3.1.

143

Action omitted

Tra

inin

g

LC

=1


Consequence 2

Action in wrong direction Probability = HEP*10‐1

Probability = HEP*10‐1


Check omitted

Tra

inin

g

L

C=

1

Consequence 3


Sho

ck

abso

rber

s

L

C =

2


Check mistimed Probability = HEP*10‐1

Consequence 4


FigureD.4: Bow-tie for evacuation task 2.3.4.

Action omitted

Tra

inin

g L

C=

1

144Action too early


Consequence 3

Action too little





Action omitted

Tra

inin

g

LC

=1


Consequence 4

Wrong action on right object Probability = HEP*10‐1



145Action omitted

Tra

inin

g

LC

=1

Consequence 3


GP

S, l

ight

s

and

soun

d

be

acon

L

C =

1



Consequence 4



Action too early

Tra

inin

g

L

C=

1

Consequence 3


Sho

ck

abso

rber

s

LC

=2



Consequence 4

146Action too little


= HEP*10-3 Figure D.8: Bow-tie for evacuation task 2.3.11.

147

Action too early

Tra

inin

g

LC

=1

Consequence 3


Sho

ck

abso

rber

s

LC

=2



Consequence 4

Action too little




Tra

inin

g

L

C=

1

Action too late

Critical Event:

Fail Task 2.3.13 Consequence 4

Action too early




148Action too much

Tra

inin

g

LC

=1

Consequence 3


GP

S

Loc

ator

LC

=1


Action too little


Consequence 4




Check omitted

Tra

inin

g

L

C=

1


Consequence 4




149Action omitted

Tra

inin

g

L

C=

1


Consequence 4



Action too much

Tra

inin

g

L

C=

1


Consequence 4

Action too little Probability = HEP*10‐1



150

Tra

inin

g

L

C=

1

Consequence 3



Rei

nfor

ced

F

loor

L

C=

2



Consequence 4



Action omitted

Tra

inin

g

LC

=1

Action too late


Consequence 4

Action too early





Tra

inin

g

LC

=1

Consequence 3


GP

S

Loc

ator

LC

=1


Action too much


Consequence 4




Action omitted

Tra

inin

g

L

C=

1


Consequence 4




152Action omitted

Tra

inin

g

L

C=

1


Consequence 4



Action omitted

Tra

inin

g

LC

=1

Consequence 3


GP

S, l

ight

s

and

soun

d

be

acon

L

C =

1



Consequence 4



153Action omitted

Tra

inin

g

L

C=

1


Consequence 4

Action too little Probability = HEP*10‐1



Action too late

Tra

inin

g

LC

=1


Consequence 4





Tra

inin

g

L

C=

1


Consequence 3

Action too early Probability = HEP*10‐1



Action too little

Tra

inin

g

LC

=1


Consequence 4




155

Action omitted

Tra

inin

g

L

C=

1

Consequence 3


GP

S

Loc

ator

L

C=

1



Consequence 4



Final Report PRAC Project #C8-01 December 1, 2007 – June ... · Final Report Human Factor Design...

Documents

Transcript of Final Report PRAC Project #C8-01 December 1, 2007 – June ... · Final Report Human Factor Design...