Dr Andrew Fowler investigates how the potential for human failure is present throughout the entire lifecycle of a plant – from design right through to decommissioning – and determines the workability of instructions and emergency plans within this context.
Much has been written on the subject of human factors and their role in the causation of major accident hazards, and the regulatory authorities and relevant industry bodies have emphasised the importance of human factors on process safety at high-hazard sites. The net effect is that human factors are now part of the overall health and safety agenda for the majority of companies, and have led to notable efforts in designing out potential issues.
Reason, in his publication Human Error [1], identifies that when considering human behaviour, organisations tend to focus on operational errors when, in fact, we should be taking a more holistic view, since humans have an involvement in all components of the lifecycle process. He says: “Rather than being the main instigators of an accident, operators tend to be inheritors of system defects created by poor design, incorrect installation, faulty maintenance and bad management decisions. Their part is usually that of adding the final garnish to a lethal brew, whose ingredients have been long in the cooking.”
Whether it is in the design of a piece of equipment, the commissioning of plant, operation, maintenance, or decommissioning, the impact of human behaviour cannot be ignored. It often comes to the fore when something in the process goes wrong, either in normal routines or in an emergency. Precautionary controls used throughout the lifecycle range from simple operating instructions to highly complex automatic systems. Even fully automated plants are not immune, since they are designed, built and maintained by humans. Automated control systems are only reliable if the correct maintenance and testing are carried out.
Let’s take a look at a plant’s lifecycle step by step:
Design
Chemical and all other types of processing plants are designed by humans (as is any software used to perform the task) so there is the potential for error at any stage. There are several criteria to be addressed, which, if left unchecked, could directly or indirectly contribute to a major accident. Considerations include:
- Is the design fit for purpose?
- Is the design engineer familiar with the substances that the plant will process, and the potential effects of prescribing particular materials or components in the construction?
- Has the design team considered what will happen if a piece of equipment fails and an operator takes the situation into his own hands?
- Have the correct tolerances and suitable release valves and gauges been incorporated into the design?
- Have safety measures been designed to prevent loss of containment of a hazardous substance?
- Are subsequent additions to the plant compatible with existing equipment?
If the design of the plant is fundamentally flawed, then the potential for a major accident can only be accelerated as we move through the lifecycle.
Construction
If a piece of equipment has been incorrectly specified, then the construction of the plant is flawed. If the construction engineers employed do not appreciate the importance of using a specific part, and use equipment or components that are not precisely as per specifications, this can have an impact on safety. Just how much depends on the substances to be processed or contained, at which stage in the process, and whether suitable containment measures have been implemented in the event of a release. A release may not occur for several years, but incorrect specification or substitution of a specified component with a different product may cause cracking, or a build-up of pressure over time.
Similarly, design integrity can be compromised if corners are cut to save time. This could be as a result of unrealistic deadlines placed upon personnel by senior management, a genuine belief that the method used is better than the one prescribed, or a number of other reasons.
Operation
Just as the designer must understand the plant’s functionality, so too must the operators understand the role they play in the safe running of the plant. A competent plant designer will have taken steps to ensure safety of operation, even in the event of a process failure. However, operators should be made aware of why they have been instructed to perform tasks in a particular manner or order, and the consequences of not following instructions in terms of plant safety.
The safe operating procedures therefore need to be more than just a list of steps. They need to be written so that they not only fulfil the design intent but are also understood by the operators who actually run the plant. For example, if an operator has to close a valve on the ground floor, then open one on a higher level, and then open another valve on the ground level, it is likely that both valves will be operated on the ground level before the valve at the higher level is opened. If it is critical that the valves are operated in the right sequence, it is better to alter the design and layout rather than just stipulating the sequence in the procedure.
The rule must be that if the plant needs to be operated in a certain manner, then it should be designed that way, at least for those operations that are critical. An audit should then be carried out to ensure that operations are completed according to the safe procedure. The critical elements of the procedure should also be highlighted and operators trained, so that they understand exactly why the process needs to be operated in a specific way.
Another area that benefits greatly from planning is the set of operations required in an emergency. If a process needs to be stopped in an emergency, do the operators clearly understand what needs to be done, why, and how? Are they able to reach a decision quickly on what is necessary? Has an assessment of the alarms and similar indications been carried out to enable them to recognise the problem quickly and take the correct and appropriate response? These issues need to be assessed, defined, and tested at regular intervals.
Although most emergencies require dynamic risk assessment, a lot can be accomplished by planning before the event. If the worst were to happen, resulting in a loss of containment of a hazardous substance and subsequent fire, explosion, or toxic release, then a rapid, effective response can be achieved if it has been anticipated and planned for. For example, it is possible to determine the effects of a worst-case fire. With this type of information, the means of fighting the fire can be deployed at suitable locations and used effectively by trained and competent personnel, resulting in the quick termination of the emergency.
One of the strongest factors influencing behaviour is the employees’ attitude towards the organisation, and their role in particular. Staff motivation and equipment ownership are key elements in effective process safety management programmes. It has been shown that the more a team or individual employee feels they have ownership of an area of plant or piece of equipment, the more reliable it is and the more likely it is to be operated and maintained in the correct manner – which brings us on to maintenance.
Maintenance
It is ironic that, in some cases, more effort is spent on issuing permits to ensure that a piece of plant or equipment is safe for a maintenance person to work on than is focused on the actual maintenance process itself. If maintenance is undertaken incorrectly it can result in the original design intent being compromised or lost, which could result in a potentially hazardous situation.
For example, in the case of a routine pump change, we could assume that most maintenance personnel would replace the existing pump with a model that has the same size motor and gives the same rate of flow, etc. However, depending on the properties of the material, the most important criterion might, in fact, be the pump internals. If these are replaced incorrectly, there could be a loss-of-containment event in the future. For an innocuous material this might not prove critical, but if the substance released is toxic or flammable, it is a far more serious matter.
It is therefore important that, following maintenance, the plant, process or equipment is compliant with the design and that the maintenance personnel understand the criticality of the process.
Decommissioning
Throughout the entire lifecycle robust, systematic thought must be given to the problems and their solutions. Various techniques, such as task analysis, have been developed to assess operations involving humans; this rigour should not stop with the cessation of operations.
Indeed, decommissioning can present much greater risks due to the lack of availability of personnel with direct knowledge and experience of the plant and processes. Isolation, drain-down and cleanout operations need to be carefully planned, and the accuracy of system drawings and documentation should not be assumed.
These issues are not easily dealt with, requiring in-depth systematic and ongoing assessment. For example, existing risk-assessment procedures may not be wholly suitable for decommissioning work as they are often focused on chemical processes. Often, it is good practice to develop a special decommissioning risk analysis that uses detailed guidewords suitable for decommissioning work. Once developed, there should be additional training in the new approach for both employees and contractors, supported by additional safety checks of ongoing works.
Mixtures and residues inside process plant will undoubtedly have unknown safety properties, so they will require appropriate testing and analysis before removal schemes are developed.
Determining criticality
To determine the criticality of a process, plant or equipment – in terms of both safety and business – a full, risk-based analysis of all aspects of the plant needs to be undertaken by a competent person. The analysis of historic reliability data and assessment of equipment against KPIs in terms of process safety should form the basis of the study. What the safety professional should be looking for is equipment and processes that will have the greatest overall impact in the event of a failure.
This can be accomplished at all stages of the lifecycle by systematic assessment, but each stage has its own peculiarities. What is critical in normal operations is different in emergency situations, which, in turn, are different from maintenance and decommissioning. In normal operations, the critical elements are those that essentially prevent a loss of containment. In emergency situations, generally the loss of containment has occurred, so it is the control and mitigation elements that are critical in leading to termination of the event, or preventing it from escalating.
In maintenance operations, the critical elements lie not only in making the system safe for the maintenance personnel to carry out their tasks but also in ensuring that, following maintenance, the system is put back to the design intent.
In decommissioning, the critical elements are essentially ensuring that the hazardous materials are removed completely. This can be particularly difficult, since materials may be lurking in pockets that are difficult to clear, or hazardous residues may be present.
Summary
In all stages of the process safety lifecycle, human factors play an important part in ensuring the control and management of major accident hazards. However, the key principles of hazard identification, risk evaluation, and incorporation of risk-control measures if the hazards cannot be eliminated ensure that problems can be considered in advance and practicable solutions found.
Reference
[1] Reason, J. (1990). Human Error. Cambridge University Press.
Dr Andrew Fowler is principal consultant at HFL Risk Services Ltd.