CAREERS HUMAN FACTORS

tce

Human error:

in the loop
B
OWTIE diagrams are commonly used to investigate gaps in risk management, particularly for major accident risk control. However, these diagrams are typically biased towards technical safety, and do not fully represent human and organisational failure hazards, which are in fact the greatest component of major accident risk. This bias could be addressed by applying a simple set of three human failure cases and a strict observation of the underlying logic of the bowtie technique.

For truly holistic risk management, we must integrate human failure into bowtie diagrams, says Ian Hamilton

what is a bowtie?
Since the 1990s, bowtie diagrams have emerged as a useful tool to represent the possible initiating hazards and consequences of major accident events. They get their name from their shape (see diagram, overleaf), and its generally accepted that they were introduced to the oil and gas industry by Shell, which is thought to be the first to apply the technique to its safety management practices. At the centre of the bowtie is a so-called

top event . This is typically a loss-of-control type event, eg an uncontrolled release of hydrocarbons. On the left side is a set of initiating conditions that can cause the top event. These are referred to as threats .A threat is connected to the top event by a line of defence . Located along this line of defence are various barriers or layers of protection , each of which should be capable of stopping the hazard from propagating to the top event. There can also be sub-threats or escalating conditions that are linked to individual barriers. These are potential failure routes that can compromise the function of the barrier. A very simple example is the hazardous condition of overfilling a tank containing gasoline. The overfilling hazard is the threat condition. There are layers of protection such as safety shut offs that activate to prevent overfill from occurring once the level of fluid in the tank has reached a preferred limit. Should the barriers fail to operate as expected, however, then the tank will overflow, spilling the fuel into the bund area, where a wall provides secondary

august 2012 www.tcetoday.com

39

tce

HUMAN FACTORS
which the safety-critical elements and the hazardous conditions that apply to a process are discussed and agreed. The team then sets about representing the threats, barriers, controls etc, in a set of bowtie diagrams. The diagrams can reveal where threats exist that do not have layers of protection, or where barriers and controls may be weakened by sub-threats or escalating factors. Their simplicity and visual immediacy are real advantages to promoting detailed and open discussion. Nevertheless, there has been a tendency to focus on physical threats and technical safety controls, and to ignore the potential contribution of human failure to the top events or their consequences. This bias is surprising since most evidence sources demonstrate that the root causes of process safety incidents are overwhelmingly down to human and organisational failures. In fact, theres a consensus that human and organisational factors contribute to over 90% of incidents and accidents2,3. This is hardly surprising when you think that in any process plant every operational, inspection and maintenance task is carried out by a skilled technician and the successful outcome relies on error-free performance. But human performance is notoriously unreliable. This is not to say that operators are personally to blame: factors such as bad design, gaps in competence, poor procedures, manpower shortages, and a host of weak management processes can conspire to create the conditions for human failure.

The bow-tie diagram structure

Threat 1 Lines of defence

Threat 2

Consequence 1

Threat 3

Top event

Threat 4

Threat 5 Barriers Subthreat Subthreat Consequence 2 Controls

containment of a spill. This event still represents a loss of control of the process so the top event has now occurred. At this stage the consequence is of relatively low severity but the spill must be cleaned up and recontained. However, should an ignition source be present then the spill of flammable material could escalate into a major explosion and fire. The risk of this high severity consequence is managed through control measures. These are on the right-hand side of the bowtie, along the lines of defence between the top event and the major consequence. They may include things such as covering the flammable liquid with a layer of firesuppressing foam to prevent ignition. Whatever they are, they should be capable of limiting the consequences of the top event. In addition, control measures can also have sub-threats or escalating conditions that undermine their effectiveness, or cause them to fail completely and so the more severe consequences are not prevented.

human failure in bowties

Some teams do attempt to include human failures in their bowtie diagrams. Often this is achieved by creating a generic threat called human error and then placing barriers along the line of defence such as training, competence, procedure, and supervision. But this isnt convincing or meaningful as a solution. It sets human failure apart from the other safety critical elements in the diagram, and it fails to acknowledge the potential relationship between human failures and the top event or the functioning of the barriers and control measures. To address this weakness three simple cases for human failure can be included in the diagram: case 1 specific human failures in the performance of safety critical activities can be included as threat conditions. This must be based on a proper understanding of the type and consequences of human failure in safety critical activities. For example, errors in tasks that routinely cause loss of containment such as pigging, flange removal, sampling and temporary connections could be considered as human failure threats in a bowtie. These have the

bowties in risk management

Current good practice in risk assessment demands that all hazards with the potential to cause major accidents should be identified and that measures should be put in place to control the risk of top events and their most severe consequences. This is a compliance demonstration1, and the bowtie technique can play a valuable role in identifying hazardous conditions and investigating any gaps in the layers of protection between hazards and top events, and the top events and their consequences. The bowtie diagram is typically compiled by safety and engineering specialists following a workshop or review meeting in

Theres a consensus that human and organisational factors contribute to over 90% of incidents and accidents.
40

www.tcetoday.com august 2012

potential to lead directly to a top event like an uncontrolled release. Their inclusion should prompt a valuable discussion of which barrier measures are needed to control this risk. case 2 you could include specific human failures in the performance of safety critical tasks that have the potential to disrupt the successful functioning of a barrier system. For example, undetected errors in the performance of a maintenance task could mean that an automatic shut-off or other protection system fails to function when required. This case would be included as an escalating condition linked to a barrier. It should then prompt the requirement to identify suitable barriers that can be added to this sub-threats line of defence that links it to the barrier. For example, a suitable barrier might be a requirement for simulation and testing following maintenance, especially if this can be a pre-condition for re-commissioning. This would be a practical engineering check. Alternatively, additional supervisory checks might be required on completion of the work. case 3 you could include specific human failures in the performance of safety critical tasks related to the function of control measures. This will typically mean examining the requirements for people to perform emergency response actions to limit the consequences of a top event but it should also consider latent failures in safety-critical inspection and maintenance tasks that could compromise the function of an automated control measure. For instance, maintenance work may have necessitated the deactivation of fire or gas detectors necessary for the operation of a safety control. A failure to reinstate the detectors could mean that the control measure fails to operate. For each of these cases, the key to the successful integration of human failure within bowtie diagrams is safety-critical task analysis (SCTA). Using SCTA the team can investigate the specific types of failure in the performance of safety-critical operational and maintenance tasks that can introduce specific threat conditions of types 1, 2 or 3. To achieve this, a human factors review and analysis of safety critical tasks is needed, as this will provide the input data for the bowtie. There are numerous good sources of guidance on SCTA4,5. By following this method and applying the simple human factors cases described here, your bowtie diagrams will represent more thoroughly the range of possible failure modes and lead to holistic risk management. tce Ian Hamilton (ian.hamilton@erm.com) is human factors team global head, at Environmental Resources Management. Acknowledgements: Martyn Ramsden, Rob Steer and Sandra Lovell for their help and guidance.

Can we help you to find new ways to optimise your process?

Certainly.

Find out how your process compares to the industry average by taking our quick online benchmarking survey. The survey allows you to access your performance in key areas including plant intelligence, instrumentation and control and gives you the first step towards identifying potential areas for improvements. To take part, visit www.howdoyoumeasureupabb.com or use a smartphone to scan the QR code below.

references
1. Guidance on Risk Assessment for Offshore installations, HSE Offshore Information Sheet No 3/2006 (www.hse.gov.uk/ offshore/sheet32006.pdf ). 2. Collins, A and Keeley, D, Loss of Containment Analysis, HSL 2003/07, Health & Safety Laboratory, 2003. 3. McGillivray, A and Hare, J, Offshore Hydrocarbon releases 2001 2008, Health & Safety Laboratory, 2008. 4. Jackson, A, A Human Factors Roadmap for the Management of Major Accident Hazards, HSE Guidance (www.hse.gov.uk/ humanfactors/resources/hf-roadmap.pdf ). 5. Energy Institute, Guidance on Human Factors Safety Critical Task Analysis, 1st edition, Energy Institute, London, March 2011 (www.energyinstpubs.org.uk/tfiles/1340532761/1699.pdf ).
august 2012 www.tcetoday.com
CE_How_do_you_measure_up2_90x260.indd 1

41

17/07/2012 15:10