Health and safety in oil, gas and chemical industries
Major accidents in the oil, gas and chemical industries are, by definition, high consequence and include fires, explosions, and toxic releases. They are also, thankfully, relatively infrequent. Here, Martin Anderson writes about his personal experience of regulating the human aspects of health and safety on such major hazard sites.
Despite growing awareness of the significance of human factors in safety, particularly major accident safety, many sites do not address these issues in any detail, or in a structured manner. Their focus is almost exclusively on engineering and hardware aspects, at the expense of ‘people’ issues.
Looking back over several years of regulating human factors, particularly in the major hazard industries, there are three approaches frequently used by organisations to address these issues.
“Is operator error the answer?”
In many accident investigations, the last person to touch the equipment gets the blame. The pilots in the 1989 Kegworth aviation disaster are a good example of this. In this case, following a fire on one of the two engines on a Boeing 737, the pilots shut down the remaining good engine, the aircraft stalled mid-air and crash-landed on the M1, killing 47 people.
The Air Accident Investigation Branch report [1] stated that: “If they had taken more time to study the engine instruments it should have been apparent that the No.2 engine indications were normal and that the No.1 engine was behaving erratically.” (AAIB report, No 4/90, section 188.8.131.52). However, the initial symptoms were outside the pilot’s experience and training, and a combination of severity and novelty increased pilot stress, i.e. performance-influencing factors (see panel, p62).
The “Swiss cheese” model of accident causation [2] outlines active failures (made by front-line personnel and having an immediate consequence) and latent failures (made by people removed in time and space from operational activities). When the two of these combine an accident is, literally, waiting to happen. For example, failures by front-line personnel may be influenced by training strategies, poor maintenance priorities, inadequate supervision, a failure to undertake effective hazard identification, or inadequate auditing. These latent failures, or underlying causes, lie dormant in the organisation until certain conditions combine to result in a major incident. This model helps illustrate that responsibility for accidents isn’t to be placed solely on the shoulders of individuals or management but should be borne collectively.
The Longford tragedy illustrates this model well. On 25 September 1998, two people were killed in an explosion and fire at the Esso Longford facility in Australia, which led to severe disruption of gas supplies to the State of Victoria. The Royal Commission Report [3] into the incident found that the direct cause was failure of an exchanger when hot oil was re-introduced after the vessel became cold, following loss of oil circulation during a major process upset. This led to brittle fracture and the release of hydrocarbon vapour that subsequently ignited, causing explosion and fire.
However, there were many latent failures in this case, particularly in the area of training and competency assurance. A report into lessons learnt from the disaster by Australia’s Institution of Engineers concluded that: “A combination of ineffective management procedures, staffing oversights, communication problems, inadequate hazard assessment, and training shortfalls combined to result in a major plant upset with consequential tragic loss of life.” [4]
I’m often told by management that sites would be a great deal safer if it wasn’t for those “pesky operators”! So, what can we do about them? The area of human reliability assessment has developed to address this question by identifying potential human performance issues, and the factors that influence performance, so that human reliability can be assured. Usually, this process starts with analysing the tasks that people perform and identifying potential for error using a taxonomy of error types (e.g. task omitted, task partially completed). Sometimes, attempts are made to estimate the likelihood of the potential for error.
Most human reliability assessment techniques and approaches currently available focus on analysing the behaviours of those personnel in direct contact with equipment, plant and technology. However, as we have seen above, it is not necessarily helpful to focus on these individuals. HSG65 [5] addresses this issue by recognising that: “The majority of accidents and incidents are not caused by ‘careless workers’ but by failures in control … which are the responsibility of management.”
Failures – such as inappropriate targets, insufficient resources, and inadequate control systems – can (and do) occur and may have an impact on a whole organisation. Get any of these aspects wrong, and you could be influencing the behaviour of every person on your site. Given that these failures are at the organisational level, individuals at the coalface have little control over them, so it’s clearly not enough just to tell people to be more careful!
Progress has been made in the assessment and management of these systemic, organisational and management failures that influence the direct failures of individuals, but more needs to be done.
“Perhaps we need to review our safety culture?”
Many organisations want to improve their safety culture but is this the right thing to do? Unfortunately, I see many organisations that simply address the culture of front-line staff. ‘Safety culture’ is seen as something front-line operators have, but accidents (particularly major accidents) are largely due to wider organisational and managerial behaviour.
Again, those people that have little influence tend to be targeted – very few cultural interventions consider management culture. Getting the workforce to complete a “safety culture survey” is not the easy option that many companies think it is. The survey is only the start – you have to act on the results, and quickly! And what if you don’t ask the right questions? Most surveys usually focus on personal occupational safety issues and so have little value for those managing major hazard sites. This is not the place for a full discussion, but it should be noted that the causes of personal injuries and ill health are not the same as the precursors to major accidents, such as major fires and explosions, rail crashes or nuclear incidents.
Companies often associate ‘safety culture’ with unsafe acts, or complying with rules, so it’s not surprising that the culture approach is often seen by employees as yet another initiative that implies they are the problem. In his recent book, Andrew Hopkins stated that: “[C]reating the right mindset among front-line workers is not a strategy which can be effective in dealing with hazards . . . which can be identified and controlled only by management, using systematic hazard identification procedures.” [6]
Management style and culture are clearly more important than front-line culture. Inadequate management or organisational culture often leads to:
– bias towards production over safety;
– focus on the short term, with no long-term vision;
– being highly reactive;
– not following actions/initiatives through; and,
– on major hazard sites, a focus on high-frequency, low-consequence events.
When the space shuttle Columbia disintegrated on re-entry to the Earth’s atmosphere in 2003, the subsequent report of the Columbia Accident Investigation Board said: “What we find out from a comparison between Columbia and Challenger is that NASA as an organisation did not learn from its previous mistakes…” [7] (This report contains a very thorough discussion of organisational failures and is recommended reading for all health and safety professionals.)
Organisational failures in the Columbia incident included: informal chain of command; a ‘can do’ attitude; scheduling pressures; an emphasis on past success rather than solid engineering analysis (known as “rationalising danger”); and ‘a silent and ineffective safety programme’. This analysis could apply to any number of organisations. The hole in Columbia’s wing was produced not simply by debris but by holes in organisational decision-making. More importantly, the factors that produced the holes in decision-making are not unique to NASA.
A common organisational failure is for one industry to ignore the lessons from another. Now, they may actually be dealing with “rocket science”, but NASA employs the same raw materials as other industries, i.e. human beings. Another Longford, Grangemouth, or Piper Alpha could be prevented if the lessons from NASA are learnt in the oil, gas, and chemical industries, and vice-versa.
Examining culture is a useful approach, but is often misguided. If companies do consider culture, the focus should be on organisational and management culture, not simply the safety culture of front-line operators.
“Maybe we should look at operator behaviours?”
I’ve mentioned operator errors and safety culture, now what about behavioural safety? There has been a large uptake of these behavioural approaches over the past decade and their success varies widely, from reductions in accident rates to no change (some even result in a worse situation than previously – for example, due to employee disillusionment).
For personal injuries and ill health, some of the most common causes are failure to wear PPE, body position, housekeeping (slips, trips), use of the wrong tool, inappropriate use of a tool, and materials handling. Given that many occupational incidents are caused by inappropriate behaviours by individuals, these may all be good candidates for a behavioural safety, or behaviour modification programme.
However, when you look at the causes of major incidents across a range of industries, the causes are different from occupational injuries. For example, at Longford, operators did not have the required process knowledge or easy access to qualified engineering support. These, and the other underlying factors, could not be controlled by individual operators.
The aforementioned Royal Commission Report stated that there were deficiencies in the arrangements for both training and procedures. It is difficult to accept that a traditional behavioural safety intervention would have prevented such a tragedy as Longford, where the underlying causes are clearly outside the control of front-line staff. Increased mindfulness or commitment to safety by the operators at Longford would not have prevented the incident because they did not have the appropriate process knowledge. Behavioural approaches can be useful, but they will have little influence on the control of major accidents and disasters.
Behavioural interventions can demonstrate improvements in, for example, the wearing of PPE, but this is of little relevance if those wearing the PPE do not have the underlying process knowledge to respond appropriately to a developing incident, or if there are insufficient operators available.
Get the basics right first
When I visit companies and enquire about their approach to human factors, many will tell me about their behavioural safety programme, claiming it is addressing ‘human factors’. But these programmes do not address many of the key aspects of human factors. For example, highly motivated and conscientious operators will not necessarily compensate for over-riding production demands, insufficient numbers of personnel, inadequate shift patterns, inadequate process training, unclear roles or responsibilities, inappropriate design, or outsourcing of technical expertise.
Furthermore, improvements in training and procedures will have little impact on unintentional failures (e.g. an operator connecting a flexible hose to valve B when they meant to connect it to valve A). Engineering and hardware solutions are the key here, such as changes to valve design, so that the hose only connects with valve A.
A publication by the Step Change initiative in the offshore oil and gas industry acknowledges that: “[A]ddressing behaviours must not be seen as an alternative to ensuring that adequate engineering design and effective safety management systems are in place.” [8] In other words, it is not effective to focus on employee behaviours if you haven’t got the basics right. If you have addressed all of these issues, then congratulations – go ahead and look at individual behaviours. If you haven’t, you have some groundwork to prepare first.
Although large advances have been made in engineering and safety management systems, major accidents are still occurring due to failures in these aspects. It is therefore not appropriate to conclude that we have ‘solved’ engineering causes of accidents, nor to assume that no further focus on management systems is required.
We must also be aware that exaggerated claims may sometimes be made for behavioural interventions – either in their success at reducing personal occupational incidents, or their impact on major disasters.
Behavioural approaches focus on observable behaviours, may draw attention away from process safety issues, and fail to address significant impacts of management behaviour. We have seen how management and organisational factors have a large influence on accidents and incidents, either directly or through their impact on the behaviours of employees. It is these management decisions that are usually excluded from behavioural safety approaches.
The role of organisational factors is increasingly important, with changes in industry such as mergers, acquisitions, restructuring, outsourcing and downsizing. These changes are driven by tough competition, deregulation and internationalism, and require a deeper understanding of how organisational factors are linked to accidents (especially major hazards). These changes can result in loss of in-house expertise, inconsistent standards, loss of corporate memory, dependence on outsourced functions, reduced employee motivation, changes in risk tolerance, and a change in safety management philosophy.
Cultural or behavioural interventions will only be successful if engineering, technical, and systems aspects are in place and adequately managed. Before any of these approaches are attempted, therefore, companies should ensure that they have satisfied the following conditions:
– HAZOPs, or other suitable assessments, have been completed to identify all hazards;
– The hierarchy of control has been applied to prevent the realisation of identified hazards, or minimise their consequences should they occur;
– Accurate operating procedures are available for all eventualities, including process upsets and emergencies (e.g. detailing the specific response to critical alarms);
– Operators are fully prepared to deal with all conditions, including process abnormalities. This will include identification of training needs, training, assessment, rehearsal and re-assessment. This training should not just provide the minimum knowledge required to operate the plant but also include underlying knowledge of the process, so that operators can ‘troubleshoot’, i.e. identify and respond to abnormal situations as they develop. This will help manage ‘residual risk’ arising from hazards that were not identified, or effectively addressed;
– The site has the required engineering, operating, and maintenance capability and experience (including appropriate staffing levels);
– Lessons have been learnt from site, company, and industry experience;
– Succession planning ensures that corporate knowledge is retained; and
– Safety management arrangements and risk control measures have been reviewed to ensure that they remain usable and relevant.
Only when the above issues have been satisfactorily addressed can it be considered that accidents may be due to the behaviours of individuals.
The situation as it exists at the moment is anomalous: on the one hand, industry increasingly recognises that incidents have underlying causes distant from the person who is directly involved; on the other, resources and initiatives to prevent such incidents are often targeted at front-line staff who have the least control over those underlying causes.
Addressing the behaviours of front-line personnel, whether through human reliability assessment, safety culture, or behavioural safety approaches, is only part of the story. Safety professionals should be aware that all of these approaches have limitations. Consideration should be given to all three aspects in the HSE’s definition of human factors, i.e. the job, the organisation, AND the individual.
1 Air Accidents Investigation Branch: No:4/90 502831 – available from www.aaib.gov.uk/sites/aaib/publications/formal_reports/no_4_90_502831.cfm
2 Reason, J (1990): Human Error, Cambridge University Press, ISBN 0521314194
3 Dawson, D & Brooks, B (1999): Report of the Longford Royal Commission: The Esso Longford Gas Plant Accident. Melbourne, Government Printer for the State of Victoria
4 Nicol, J (2001): Have Australia’s major hazard facilities learnt from the Longford disaster?: An evaluation of the impact of the 1998 ESSO Longford explosion on the petrochemical industry in 2001, The Institution of Engineers, Australia, ISBN 085825 738 6
5 HSE (1999): Successful health and safety management (HSG65), HSE Books, ISBN 0 7176 1276 7
6 Hopkins, A (2005): Safety, culture and risk: The organisational causes of disasters, CCH Australia Ltd, ISBN 1 921022 25 6 (www.cch.com.au)
7 Columbia Accident Investigation Board (2003) – available as a free download at www.caib.nasa.gov/news/report/default.html
8 Step Change (2000): Changing minds: a practical guide for behavioural change in the oil and gas industry
9 HSE (1999): Reducing error and influencing behaviour (HSG48), HSE Books, ISBN 0 7176 2452 8