-
©Copyrighted 2016 – Tom Shephard
1
Situation Awareness Integration into Offshore Emergency
Response Design: Justification and Methods
Chapters 1-5 (of 7)
Tom Shephard Revision: May 2016
ABSTRACT
The oil and gas industry acknowledges the need to integrate
situation awareness (SA) into the design, operation and maintenance
of offshore drilling and production facilities. Investigations into
catastrophic offshore accidents often cite a lack of situation
awareness as a primary causal factor. SA principles and methods are
employed in other highly hazardous and high-consequence industries
including aviation, military, rail, nuclear, healthcare and
shipping. The oil and gas industry’s research into its
applicability to offshore drilling and production facilities,
initiated in the 1990s, confirms it is both applicable and
safety-critical. With that result, operating companies and industry
organizations are moving into the early development and
implementation phase, beginning with white papers and conceptual
guidebooks. A few owner/operators introduced training programs for
offshore drilling crews that include SA-rich training modules.
Efforts to integrate SA into the fundamental design of an offshore
facility are in the embryonic stage. To date, the industry has not
presented or published an engineering process that integrates SA
into the most complex operation in an offshore facility, the
emergency response (ER) and barrier system. This manuscript
presents the case on why such a process is needed, and presents a
prototype methodology to achieve this end. It begins with a
hierarchical task analysis that defines the goal-directed tasks
that comprise the ER system and barrier design. The task sensing,
decision and action functions are defined. M. Endsley’s
often-cited, three-stage SA model is integrated into the sensing
function design. D. Chiappe’s situated SA model (Team SA) guides
the design of the team interactions and communications that are
essential to maintaining Team SA, coordination and cohesion. The
human, physical, organizational and societal elements that enable
each task function, and the performance influencing factors (PIFs)
that degrade SA, are defined. Suggested assessment steps evaluate
the design, eliminate and mitigate PIFs, and verify that task goals
and barrier functions are achievable. The methodology aligns well
with the staged, project-based approach used globally by
organizations that specify and design offshore facilities. The
adopted SA models and the terms and definitions used are briefly
introduced and discussed.
KEYWORDS: Situation awareness; emergency response; offshore;
human factors; oil and gas; drilling and production
1 Purpose and Scope
This manuscript provides the justification for integrating
situation awareness (SA) into offshore emergency response (ER)
system and ER barrier design. It then presents a prototype
methodology designed to achieve this end. Section 3 provides a
brief overview of SA and the individual and Team SA models adopted
in this manuscript. Section 4 describes the ER system and the
human-dependent ER barrier and presents the case on why SA is
uniquely applicable and ultimately essential to their success and
performance. The importance of addressing performance influencing
factors that degrade SA and other barrier functions and contribute
to human error is also discussed. Section 5 presents a
project-based methodology that outlines how SA principles and
methods can be holistically integrated into human, physical and
organizational design of the emergency response system and
barriers. Conclusions and recommendations are summarized in Section
6.
2 Introduction
In 1988, a series of incidents and events caused 167 fatalities
and the destruction of the Piper Alpha facility (Cullen 1990). In
US waters, 69 deaths, 1349 injuries and 858 fires occurred on
offshore operating facilities (Sutton 2012). On April 20, 2010, the
Deepwater Horizon drill platform operating in the Gulf of Mexico
experienced a well blowout and an uncontrolled release of
high-pressure oil and gas. The resulting explosions and fires
caused 11 fatalities, destroyed the facility and triggered the
largest offshore oil spill in US history. Failures in the emergency
response system and response team performance were primary
contributors (CSB 2010, Hopkins 2012, National Commission 2011,
Skogdalen et al. 2011).
Situation awareness (SA) principles and models are employed in
many highly hazardous, high-consequence industries that include
aviation (Endsley and Garland 2000, Sorenson et al. 2011), military
(Salmon et al. 2010), command and control (Stanton et al. 2010),
rail (Golightly 2010), nuclear (Carvalho et al. 2012), and shipping
(Chauvin et al. 2009). After Piper Alpha and the publication of the
Cullen report (Cullen 1990), oil and gas multinationals, academia,
and industry initiated research into SA, and its applicability to
offshore facility design and operation (Flin et al. 1996, Crichton
2005, Sneddon et al. 2006/2013, Taber 2010, Sætrevik & Eid
2013, Naderpour et al. 2014). Positive research results,
owner/operator interests and the continued occurrence of offshore
incidents motivated several industry organizations to issue
recommendations and a ‘call-to-action’ to consider SA and human
factors in the design of offshore drilling and production
facilities (IOGP 2012, SPE 2014). Early SA adopters are
transitioning to the applied development phase beginning with
concept guidelines, a guidebook, and a drilling-crew training
template and guideline (IOGP 2012, Flin et al. 2008, IOGP
2014a/c). In 2005, owner/operators initiated training programs for
offshore drilling crews that were based on the crew resource
management (CRM) programs that are already widely used in other
industries. CRM includes SA-specific training modules. In the oil
and gas domain, a methodology that integrates SA into the physical,
organizational and operational design of an offshore emergency
response (ER) system remains new territory.
2.1 Barrier Terminology and Definitions
This section introduces the terms and definitions used in this
manuscript. The oil and gas industry uses many definitions for
safety barriers. Sklet (2006) provides the following barrier
definitions employed in this manuscript:
“A barrier function is a function planned to prevent, control or
mitigate events. The barrier can be physical (e.g., a technical
system) or organizational/operational (e.g., the emergency response
plan).”
“A barrier system is a system that has been designed and
implemented to perform one or more barrier functions. A barrier
system describes how a barrier function is realized or executed.
The barrier system
may consist of different types of system elements, e.g.,
physical and technical elements (hardware, software), operational
activities executed by humans, or a combination thereof.”
Preventive, control and mitigation barriers provide
pre-determined responses to each major accident event
(MAE). Offshore facility design uses a defense-in-depth approach
that implements multiple barriers of different
types to address the possibility that one or more barriers fail
for unforeseen reasons. A preventive barrier (e.g.,
an automated safety shutdown system) is designed to prevent the
occurrence of an MAE. Should the MAE occur,
control barriers provide the means to control and recover from
the event, and therefore limit the opportunities
for event escalation. Mitigation barriers are the last line of
defense if the preventive and control barriers fail.
The ER control and mitigation barriers rely fully on humans (the
emergency response team) to achieve the
barrier function.
A control barrier limits the scale, intensity and duration of an
accident event (ISO 13702).
A mitigation barrier limits the potential consequences and
effects caused by the event (ISO 13702).
Barriers are also classified as ‘active’ or ‘passive’.
A passive barrier is continuously available to perform its
barrier function, e.g., a blast wall.
An active barrier requires activation (a trigger event) to
commence its barrier function. Emergency
response barriers are the active type.
Every facility has MAEs that must be considered in the emergency
response system and ER barrier design. No two deepwater facilities
are exactly alike. A major accident event is a plausible and
unplanned event that acutely jeopardizes the safety of personnel,
the environment or the integrity of the facility. Example MAEs
include fire, explosion, toxic or flammable gas release, ship
collision, helicopter crash and medical emergencies. A floating
facility adds additional MAEs (e.g., the facility can sink, capsize
or drift from its intended stationary position). MAEs unique to a
drilling platform include a well blowout and other events that can
lead to an uncontrolled release of hydrocarbons to the platform
topsides (production and living areas) or to the sea. Norsok (2010)
provides a complete list of possible MAEs.
3 Individual and Team Situation Awareness Models
3.1 Individual SA Model
For individual SA, the model receiving
the greatest interest from the offshore oil and gas industry was
developed by M.R. Endsley. Endsley (1988 p. 97) defines situation
awareness as “the perception of the elements in the environment
within a volume of time and space, the comprehension of their
meaning, and the projection of their status in the near future.”
The three stages in Endsley’s (1995) SA assessment (process and
product), the model adopted for use in this manuscript, include
perception, comprehension and projection.
Perception (SA-1) refers to the acquisition of information that
is perceivable and available to our five senses. Example sources of
SA-1 may include a communication exchange or information acquired
from a technical system, e.g., a radio or control system display.
The accident scene provides visible information (e.g., the location
and state of an injured person or visible damage to equipment). The
ambient environment is a source of additional information (e.g.,
sound, heat, smell and visibility).
Comprehension (SA-2) is the result of combining SA-1 information
with one’s stored experience and knowledge to develop a mental
picture and understanding of what the SA-1 information means.
Projection (SA-3) is the result of combining the SA-2 product
with a deeper level of stored experience and knowledge to project
future outcomes and timing.
With SA-2, the degree of understanding and comprehension
achieved depends on one’s training, experience, knowledge, fitness
(e.g., fatigue), personality and cognitive capabilities. A
responder with limited experience perceives events by matching them
to training scenarios and an understanding of the ER plans and
procedures. A responder with extensive experience has an additional
source of information that can enhance his/her understanding of
what the SA-1 information means.
SA-3 is the ability to understand the meaning of events and
conditions as they change over time and project what may happen in
the future. The time aspect is a critical piece of new information
that guides decisions, helps establish priorities, and supports
understanding whether a control barrier or task action is effective
and whether conditions are deteriorating.
3.2 Team Situation Awareness Model
Several published Team SA models exist that share areas of
commonality but also have differences (Salas et al. 1995,
Endsley and Robertson 2000, Salmon et al. 2009, Chiappe et al.
2014). Chiappe’s ‘Situated SA’ model, adopted for this manuscript,
defines the essential elements needed to acquire and maintain team
SA. These elements include shared SA (Chiappe et al. 2012), and
compatible, transactive and meta SA (Salmon et al. 2009).
Shared SA (SSA) is the common picture of events shared by two or
more individuals (Chiappe et al. 2014).
Compatible SA refers to the SA needed to execute assigned tasks.
“... no two individuals working within a collaborative system will
hold exactly the same perspective on a situation. Compatible SA
therefore suggests that, due to factors such as individual roles,
goals, tasks, experience, training and schema, each member of a
collaborative system has a unique level of SA that is required to
satisfy their particular goals” (Salmon et al. 2009, p. 190).
Transactive SA refers to the information exchanges that occur
among personnel, and between personnel and technical systems
(Salmon et al. 2009 pp. 192-193).
Meta SA is the “...awareness of what other agents in the system
know...” (Salmon et al. 2009 p. 220)
Given the numerous hazard events possible on an offshore
facility, owner/operators seek opportunities to
minimize the staffing on the facility so fewer are exposed to
these risks. The varied nature of the possible
hazards requires a team that has a wide range of response
capabilities. To accommodate both objectives,
the organization model for the emergency response team (ERT) is
a smaller organization with roles that are
often specialized in terms of skills, knowledge and expertise.
As such, the team is heterogeneous. The
offshore installation manager (OIM), typically the
person-in-charge, provides centralized command and
control. Team situation awareness (Team SA) encompasses the
enabling actions and attributes that
transform this heterogeneous group of individuals into an
adaptive team that can coordinate and execute
life-critical tasks in a complex, dynamic and stressful
environment. The design of the ERT organization, roles,
procedures, communication protocols and training programs
establish how the ERT interacts in a manner
that achieves the barrier function and is able to adjust if the
OIM makes changes to the ER plan and
priorities (Crichton et al. 2005).
With Shared SA (SSA), ERT members do not typically, or
necessarily, share a complete and mutually represented picture of
the event in progress. The effort to do so places an unrealistic and
unsustainable cognitive and workload demand on individuals and the
team as a whole. Instead, the design process should identify
the minimum Shared SA needed to achieve and maintain team
cohesiveness, coordination and alignment to team goals. A common
picture begins to develop when the team receives the first
information from the OIM on the response plan, the nature of the
emergency and assignment of team resources. Shared SA contributes
to team actions that are mutually compatible. Crews that remain
together over time develop a greater degree of SSA overlap as they
experience how each member and the team as a whole perform in
different situations (Sneddon et al. 2006, Cooke et al. 2007).
Cross training and drills aid in creating shared views as team
members gain experience in their assigned roles, and the roles of
others. These activities also contribute to one’s understanding of
who holds specific information and who may request information from
others (Flin et al. 1996).
A product of Transactive SA, an exchange between two responders
provides clues to the sender about what the receiver may be doing.
The exchange also requires less time and effort to convey the same
information when their degree of Shared SA is high (Endsley 1995 p
39). From Chiappe’s Team SA model (Chiappe et al. 2012), the
exchanged or conveyed information is limited to only what is needed
to perform one’s assigned task, and maintain a minimum degree of
shared understanding (Shared SA). Communication protocols, terms
and syntax should be pre-defined and trained-in to minimize the
exchange effort and duration, and to increase the likelihood that
conveyed information is correctly understood (Chiappe et al. 2014, Gasaway
2013, Ch. 7). A two-way exchange can improve communication accuracy
but also ties up both parties for the duration of the exchange. Use
of predetermined and mutually understood terminology and code words
can reduce the exchange duration and effort without reducing the
exchange quality. An ER plan may include provisions to engage
external expertise. The exchange is no longer limited to
information that can be conveyed using commonly known terms and
language. The challenge significantly increases when there is a
need to convey complex knowledge between an expert and a novice.
Enabling this capability introduces new terms and requires
additional communication protocols, procedures and training
(Rentsch et al. 2010, Crichton 2005).
The definition for Meta SA uses the term ‘agent’. ‘Agent’ refers
to the ERT member, technical system or other system components that
possess SA-1 information that can be accessed. With experience, an
ERT member learns where the information resides (e.g. a person,
technical system, incident scene or ambient environment) and when
it may be available. “SA may sometimes involve simply knowing where
in the environment to find a particular piece of information,
rather than remembering what the piece of information is” (Durso
1998, p 3). Stress, excessive workload, frequent interruptions and
other environmental and task conditions common to the MAE
environment reduce the information that one can reliably hold in
working memory (WM). These conditions increase the likelihood that
information stored in WM is forgotten or recalled incorrectly.
Therefore, “Individual operators off-load as much as possible to
limit what they have to do internally…” (Chiappe et al. 2012). Meta
SA also refers to knowing the information that others may need and
when they need it. A responder’s Meta SA is enhanced through
training, procedures, drills and experience.
4 Why Situation Awareness Applies to Offshore Emergency
Response
This section describes the ER system and barrier in terms of
their constituent elements, and then presents the reasoning for
why the integration of SA principles and methodologies is
essential to achieving the intended system and barrier
functions.
POSIT 1: The emergency response system and ER barriers are
acutely dependent on one or more humans in the loop to achieve the
intended barrier function.
POSIT 2: Emergency response barriers and operations are a
compilation of tasks. All responders must correctly perform their
assigned tasks within a timeframe that achieves the barrier
function and operational objective.
POSIT 3: The likelihood that a task achieves its intended
function depends on the effectiveness of the design processes used
to define, specify, develop and integrate the human, physical and
organizational elements that comprise the task.
POSIT 4: Task success requires timely and sound decisions. This
can only occur if the task assignee acquires the right information,
comprehends its meaning and understands what may happen next, a
process commonly known as situation awareness or SA.
POSIT 5: A design process that does not eliminate or mitigate
performance-influencing factors that degrade the SA process is a
causal contributor to human error, a known contributor to ER
barrier failure and major accidents.
POSIT 1: The emergency response system and ER barriers are
acutely dependent on one or more humans in the loop to achieve the
intended barrier function.
The ERT is responsible for performing the ER response and
barrier activities. Non-ERT members on the facility also have
barrier responsibilities, e.g., promptly and safely move to an
assigned muster station when the muster alarm sounds. Achieving the
barrier function assumes the ERT reliably executes the appropriate
barrier actions when subjected to considerable time and performance
pressure (Sneddon et al. 2006/2013, Woodcock and Au 2013). In this
environment, the responder must rapidly adapt and respond to
sudden, high-consequence and often highly complex events. The
nature of the MAE establishes the ERT response in terms of
workload, tempo and the emergency response options.
Multiple ERT members are assigned life-critical tasks on many
human-dependent barriers. The capacity of the team is fixed, and
may have insufficient resources if concurrent MAEs or escalations
occur. Capacity and capability are also reduced if an essential
person (a role that does not have a fully trained backup) becomes a
victim of the event or is unable to reach the designated response
station (Woodcock and Au 2013). The offshore installation manager
(OIM) is typically the person in charge, with responsibility for
the safety of personnel, the environment and the integrity of the
facility, in that order. The OIM initiates the response plan,
assigns resources, sets priorities, makes life-critical decisions
and manages the team in a manner that maintains team cohesion,
focus and coordination.
For deepwater facilities, mobilizing resources from external
sources often takes hours. In the first hours of the emergency,
the response is typically limited to the ERT on
the facility. The likelihood that the event is sufficiently
controlled to prevent an escalation is a function of the ERT’s
actions and responsiveness in the earliest phases of the incident
(Flin et al. 1996, Gasaway 2013).
Complex and concurrent events may require a rapid uptick in ERT
activity to keep pace with rapidly changing conditions (Gasaway
2013, Hopkins 2012, Perrow 1999). Humans tend to underestimate this
aspect of an accident (Reason 1990 p 92) and therefore do not
adjust the pace of their emergency response accordingly. A slow or
incorrect response may fail to block an escalation pathway that can
lead to a larger, different or more complex event. Severe
consequences from the Piper Alpha (fatalities) and Deepwater
Horizon (blowout and spill) accidents did not occur with the
initial event (Cullen 1990, CSB 2010, Hopkins 2012, National
Commission 2011 p 121). In both cases, human-dependent barriers
failed in the early stages of the accident event. The resulting
escalations had the greatest impact on the number of casualties
(Cullen 1990) and led to the largest offshore spill in US history
(CSB 2010).
POSIT 2: Emergency response barriers and operations are a
compilation of tasks. All responders must correctly perform their
assigned tasks within a timeframe that achieves the barrier
function and operational objective.
Identifying, clarifying and assessing barrier tasks is a
pre-requisite (HSE 2005) to understanding and mitigating factors
that are primary contributors to major offshore accidents (CSB
2010, Cullen 1990, IOGP 2012, Woodcock and Au 2012). Most emergency
response tasks are time-critical and require a task completion time
that may be measured in minutes. For those nearest to danger, a few
seconds may be all the time available to assess and decide whether
to transit an area with an active toxic gas alarm or select a
longer, alternative route to reach a safe location. Understanding
the full nature of the tasks and actions expected from responders
and others on the facility should begin with a task analysis. The
analysis provides the information needed to assess the task
workload (mental and physical) and the likelihood that the task can
be correctly completed within the time needed to achieve the
barrier function. In the US and most areas of the world, regulatory
statutes do not require a task analysis to support the design of
the emergency response system. Some owner/operators include this
requirement in corporate design standards, though many do not.
Consequently, the design of ER systems in many newly designed
facilities will not be based on a task analysis.
POSIT 3: The likelihood that a task achieves its intended
function depends on the effectiveness of the processes used to
define, specify, develop and integrate the human, physical and
organizational elements that comprise the task.
Figure 1 represents the task in its simplest form.
Figure 1 - Functions of an Active, Independent Protection Layer (excerpted and modified from CCPS 2001)
Every emergency response barrier activates a minimum core team
of four or more responders, each executing multiple tasks in an
integrated and coordinated manner. Like an automated barrier, the
ER barrier is also the active type. To activate the barrier
function, an ERT member must detect the barrier trigger condition
and notify the other responders engaged in the barrier function.
Unlike the automated barrier, a human performs the sensor, decision
and action functions shown in Figure 1.
[Figure 1 content: Sensor (instrument, mechanical, human); Decision (logic solver, relay, mechanical device, human); Action (instrument, mechanical, human)]
The three task functions in Figure 1 are comprised of or
affected by the elements shown in Figure 2.
Figure 2 - Task Elements (excerpted and modified from Bea et al.
2009)
Physical elements encompass the physical equipment and facility
features that are essential to and employed in the barrier system.
Example elements include technical systems and equipment, purposely
designed rooms and reporting areas (temporary refuge and incident
command center), and facility features (e.g., escape routes and
muster areas).
Human elements encompass the emergency responders and their
experience and expertise, cognitive skills, fitness for work,
attitude, readiness, teamwork, trust, etc. They also include
personnel who do not have ERT roles (i.e., non-essential personnel
or NEPs). NEPs have assigned barrier tasks, e.g., respond to a muster
alarm by promptly and safely transiting to the designated safety
location and report-in so the ERT can assess the status and
location of all personnel.
Organizational elements encompass the emergency response plans;
procedures; communications protocols; staffing and staff
assignments; reporting structure; training programs; and competency
assurance systems.
Societal elements are influencers that may affect a responder’s
decisions and actions. Examples include laws and regulations,
public opinion, news media, trade unions, education systems, labor
and economic forces. A responder’s emotions and actions can be
affected by other societal elements such as legal actions, media
attention, corporate safety culture or the perceived consequence if
an emergency response action does not comply with company
procedures and expectations. In this regard, societal elements can
also be performance-influencing factors.
In a human-centered barrier, the task assignee is the active and
intentioned human element that employs and directs a system of
physical and organizational elements in a manner that can achieve
the ER barrier function and operational objective. A deficiency in
the design of any task element can lead to task and barrier
degradation or failure (Dekker 2011 pp 90-94, HSE 1999, Reason 1990
pp 201-211, SPE 2014). The responder and organizational elements
are designed to perform the required sensor, logic and action
functions. The sensor and action functions typically employ
physical elements (e.g., radios, safety equipment and alarm
systems). The organizational elements (e.g., ER plans, procedures
and training) define how the responder is expected to perform
assigned tasks and use each physical element. Humans are
influenced, consciously and unconsciously, by societal elements
(Bea 2009). The likelihood that a responder correctly uses and
applies task elements in a manner that achieves the task goal and
barrier is a reflection of the element’s fitness to the task, the
task environment, and the responder’s capabilities such as
knowledge, training and experience.
POSIT 4: Task success requires timely and sound decisions. This
can only occur if the task assignee acquires the right information,
comprehends its meaning and understands what may happen next, a
cognitive process commonly known as situation awareness or SA.
An offshore accident triggers an immediate shift in the roles,
physical reporting station, reporting structure, procedures,
communication protocols, priorities, tempo and urgency of the ERT
members. “Situational Awareness is clearly most in jeopardy during
periods of rapid change and where the confluence of forces makes an
already complex situation critically so” (Woods et al. 2010).
“Sudden, unprepared onset makes it difficult for the user to get
into the situation” (Sträter 2005).
The oil and gas industry recognizes that poor SA is a primary
causal factor in major offshore accidents (Cullen 1990, CSB 2010,
Skogdalen et al. 2011). Sneddon et al. (2006) analyzed a database
of 332 incidents in an owner/operator’s offshore drilling
operations. The study identified 135 incidents that resulted from
poor SA. Of these, 67% were attributed to the first phase of the SA
assessment process, i.e., acquiring and comprehending the
information (SA-1) needed to support task decision-making and
execution. The remaining incidents were attributed to the other two
aspects of SA, i.e., comprehension or SA-2 (20%) and projecting
future events or SA-3 (13%). Though widely implemented in other
highly hazardous and high-consequence industries, SA principles and
methods are not currently integrated into the mainstream design
processes that produce today’s offshore facilities.
Information presented by an offshore accident can be highly
dynamic and therefore subject to frequent and rapid change. The SA
process for individual ERT members and the team as a whole must
keep pace with this dynamic environment to maintain an accurate
picture of events (the situation) and the threats to personnel, the
environment and the facility. The SA process is impeded if
essential information is incomplete, delayed or not organized in a
way that directly supports the SA process. It is also impeded if a
responder is not able to perceive and comprehend this
information.
The temporal (time) attributes of a task should be identified
and well understood. The OIM and the ERT must identify, track and
implement time-sensitive activities. SA includes an awareness of
time and time-sensitive activities (e.g., ‘How long should this
take?’, ‘What time has passed?’, ‘How long can I wait?’ or ‘Is it
now the right time to initiate this action?’). There is a clear
need to provide task elements (tools and devices) that support the
ERT as a whole, and particularly the OIM’s ability to maintain an
active awareness of time, upcoming future actions and the time at
which those actions must occur.
A passive barrier function (e.g., passive fire protection or a
firewall) is designed to provide the barrier function for a limited
period. Many ER barriers also rely on a secondary support system
(e.g., a back-up power system) that provides temporary power if the
primary systems fail. The OIM’s planning for many MAEs must always
allow for the 5 to 11 minutes of time needed to fully evacuate the
facility (IOGP 2010 Table 2.2) and move escape vessels away from
the facility if control and recovery measures fail. The ERT must
remain aware of these and many other time constraints when planning
and executing emergency operations and ER barrier tasks.
Safety-critical ER tasks are also time-critical.
POSIT 5: A design process that does not eliminate or mitigate
performance-influencing factors that degrade the SA process is a
causal contributor to human error, a known contributor to ER
barrier failure and major accidents.
The term performance influencing factors (PIFs) is often used to
describe and encompass the full range of human, environmental,
physical, organizational and societal factors that can degrade the
SA process and contribute to human error, both conditions that can
lead to task and barrier failure or degraded performance. Table 1
provides examples of common PIFs.
Table 1 – Examples of Performance Influencing Factors
Task workload: Concurrent, complex and sustained vigilance tasks.
Task urgency: Significant time pressure, e.g., a rapidly evolving or immediately life-threatening incident presses the response team to keep pace with and get ahead of the event.
Task complexity: Complex task sequencing. Must closely coordinate actions with others.
SA and cognition: High demand on short-term working memory. Task information is incomplete, conflicting or ambiguous. Complex decisions. Task goal conflicts.
Temporal demands: Tracking life-critical time and timing events. Prospective memory tasks.
Display design: Display content, design and presentation do not support the task.
Ergonomics: Equipment not appropriate for the intended tasks or use environment.
Physical demands: Task requires physical strength and sustained endurance. Awkward positions.
Health & emotions: Stress, fitness, sleep and fatigue, confidence.
Competency: Inadequate training, experience, knowledge or the necessary personality traits.
Teamwork: Limited experience working with team members. Not familiar with team member experience, capabilities, accents (language), idiosyncrasies or expectations.
Organizational factors: Deficiencies in plans and procedures, staffing, training or use of external resources.
Societal factors: Failure to consider the effect of “governance, laws and regulatory regimes, and social, demographic and economic forces…” (Bea et al. 2009) on personnel and organizational elements.
Reason (1990 p 201) states, “...our principal concern is with
the human contribution to system accidents, because accident
analyses reveal that human factors dominate the risks to complex
systems.” The ability to eliminate or mitigate such errors requires
a process that systematically identifies all required elements and
provides insight on how the responder is likely to use, deploy and
interact with each element. The process should also understand what
drives human performance (and error), and assess the mental and
physical workload demands under the expected range of response
conditions and working environment to ensure these demands are
realistic and reliably achievable.
Task success is at risk if one or more ERT members are unable
to complete a task in a timely manner because the responder’s
mental or physical workload exceeds his/her capability. Workload
increases when tasks are urgent and complex. Many initiating events
or an event escalation can trigger many simultaneous ER barriers, a
condition that can lead to excessive workload. In this confusing,
complex and resource-constrained ER environment, responders must
prioritize safety-critical tasks in what may be a highly dynamic
environment (Woods et al. 2010 pp. 125-128). The OIM and others may
be confronted by an ‘either-or’ decision to minimize the risk to
personnel or act on a perceived management expectation to ‘do
everything possible’ to save the facility from damage or
destruction.
A poorly designed user interface to a technical system increases
the time and effort needed to find, access and comprehend SA-1
information. According to Woods et al. (2010 pp. 151-153),
“...demands for monitoring, attentional control, information and
communication among team members (including human machine
communication) all tend to go up with the unusualness (situations
at or beyond margins of normality or beyond textbook situations),
tempo and criticality of situations. If there are workload or other
burdens associated with using a computer interface or with
interacting with an autonomous or intelligent agent, these burdens
tend to be concentrated at the very times when the practitioner can
least afford new tasks, new memory demands, or diversions of his or
her attention away from the job at hand…” Poor interface design
contributes to task complexity, increases workload and places a
greater demand on a responder’s short-term working memory (SWM).
The type and amount of information one can reliably store and
recall from SWM can be significantly reduced when highly stressed,
fatigued, distracted or fearful (Reason 1990). A task that requires
calling up and remembering information from many computer displays
may fail given the high likelihood that information is forgotten or
incorrectly remembered.
Consciously or unconsciously, a decision is made on where a
responder directs his/her attention. Humans have one ‘attention’
resource. The responder must correctly select where to direct
his/her attention and maintain it long enough to complete the SA
assessment process, a pre-condition to sound decision making and
taking the appropriate actions. Many conditions can cause a
responder to unconsciously divert attention from a higher priority
task (Flin et al. 2008) or dart between tasks in a manner that
makes it very difficult to maintain SA and complete a multi-step
task (thematic vagabonding, Reason 2010 p. 93). Driven by
evolution, the human tendency is to unconsciously and automatically
divert one’s attention to a nearby conversation, a sudden or loud
noise, or in the direction of a person walking toward them (Gasaway
2013 p. 160). Locating an incident command center within a poorly
designed control room exposes a stressed and potentially overloaded
responder to many sources of distractions and interruptions
(Woodcock and Au 2013) making it more difficult to complete a
complex or multi-step task (Reason 1990 p. 72).
Externally paced tasks, a condition common to the emergency
response environment, can “cause work-induced stress” (Booher
2003). Stress, complex tasks, difficult decisions and excessive
workload can trigger undesirable behaviors that degrade SA and
decision-making, and increase the potential for mental (cognitive)
errors (Sneedon et al. 2006). These conditions can cause a
responder to fixate on a single task (i.e., cognitive lockup and
tunnel vision, Dekker 2006) delaying a high priority task.
Essential information may be ignored if it is not consistent with
one’s current theory of an evolving event (i.e., confirmation bias,
IOGP 2012, Hopkins 2012, Woods et al. 2010, Reason 1990, SPE 2014).
Under stress, a responder is more likely to commit a plan
continuation error, a circumstance when someone chooses to continue
a nearly complete task that is no longer appropriate or safe (IOGP
2012, Hopkins 2012, Endsley and Jones 2012 Section 3, Dekker 2006,
Section 14).
A feeling of isolation from home events (Sneedon et al. 2006),
lack of sleep and the disorientation that can occur when one is
suddenly woken from a deep sleep can degrade SA. Owner/operator
staffing decisions and crew rotation practice affect these areas.
An individual is “probably unfit to continue working on safety
critical tasks” (IOGP 2014b) if he/she had little sleep in the last
48 hours.
When one is highly stressed, the ability to accurately perceive the
passing of time becomes distorted (Dekker 2006 p. 143). “Failures
of prospective memory – forgetting to remember to carry out
intended actions at the appointed time – are among the most common
forms of human fallibility” (Reason 1990 p. 107). Prospective
memory “…constitutes one of the more vulnerable parts of the memory
system...” (Reason 1990).
Environmental conditions can interfere with one’s ability to
acquire information. Background noise and poor audio quality may
interfere with a telephone conversation between responders and
cause the message receiver to miss or misunderstand conveyed
information (Gasaway 2013 p 110). Incorrectly selected personal
protective equipment can interfere with a responder’s ability to
speak and hear when using the specified communication equipment in
the performance of a task. A poorly designed evacuation pathway
(blind turns) or the presence of smoke across the path obscures the
view of what lies ahead. Both can trigger urgent and
safety-critical decisions on route selection, movement speed, and
evacuation and escape options. Such conditions affect the safety of
the evacuation and muster process, and can delay the overall
emergency response if the muster process is delayed (Skogdagen et
al. 2011).
The perception of organizational priorities and societal
expectations may cause a responder to unconsciously and incorrectly
prioritize tasks, affecting which are attended to first. From the
investigation of the Piper Alpha disaster, Bea (2009) argues that a
failure to consider organizational and societal elements is a
critical error because the true risk is significantly
underestimated.
“The investigative report stated that the majority of the causes
of this failure (80 per cent or more) were firmly rooted in human,
organizational and institutional malfunctions.” “The human,
organizational and institutional causes are termed ‘extrinsic’.”
“Because the neglected extrinsic factors are actually fundamental
to system performance, expected risks were under-predicted by
factors of 100 or more. These findings are consistent with a large
body of research that highlights the role of ‘extrinsic’ factors in
large-scale system failures…” (Bea 2009).
5 A Process to Integrate SA into ER System and Barrier Design
5.1 Integrating SA into the ER Task
Barrier performance requires a process that holistically designs
and integrates all elements that comprise the task sensor, decision
and action functions. SA is the product of the sensor function.
From POSIT 3, a design error can exist in any element or the
integration of elements that comprise the task functions. Reliable
and timely task performance begins with a correct ‘sensor’ function
design. This is achieved by integrating Endsley’s 3-stage SA model,
discussed in Section 3.2, into the sensor function as indicated in
Figure 3.
Figure 3 – Human ‘Sensor’ Function
Figure 3 defines the SA needed to guide the decisions and
actions that are unique to this task. Populating this form defines
the SA-1 information and its sources, and the required
comprehension (SA-2) and temporal insight (SA-3). This provides a
new and important source of design information used to guide the
selection, definition and development of the human, physical, and
organizational elements that contribute to each phase of the SA
assessment process. This information, when considered in the design
process, should reduce the design errors that degrade the SA
assessment process (POSIT 3) and contribute to other types of human
errors. The same is true for organizational design input, e.g., the
SA-3 capabilities may indicate a task that requires a significant
level of experience and expertise. The design process can now
identify and address the performance-influencing factors that
negatively and positively affect each stage of the SA process
(POSIT 5). In this representation, societal elements identify
aspects that act as performance-influencing factors.
Adding decision and action functions to Figure 3 produces Figure
4. This begins to integrate the information that fully defines a
barrier task. The task goals, defined in the task analysis process,
provide the basis for understanding the required decisions and the
subsequent task actions. Task actions typically employ or rely on
one or more physical elements, which can now be defined. A full
understanding of how physical and organizational elements are
applied and used provides valuable input into the element selection
and design process, and into the training program.
Figure 4 – SA Centric Task
[Figure: within the Task Boundary, SA-1 Information enters the
sensor function (Figure 3 inserted), followed by two blocks.
DECISIONS: identify required decisions and available decision
options; identify organizational elements and
performance-influencing factors. ACTIONS: identify required task
actions and acceptable task options; identify physical and
organizational elements and performance-influencing factors.]
The content presented in Figure 4 provides new information to
designers that may reveal unacceptable physical and cognitive
demands placed on the responder. The responder’s performance in
task decisions and actions is affected by the selection, design
and integration of the elements used to implement these functions
(POSIT 3). A design error that can degrade individual or Team SA
can be introduced in any of these design activities or elements. To
complete a fully defined goal-directed task specification (GDTS),
Figure 4 is combined with additional information to create Figure 5.
Figure 5 – Goal-Directed Task Specification (GDTS)
The barrier information is entered or referenced. A unique task
ID is entered, giving this a unique document number. Many tasks are
employed in every ER barrier function, e.g., those assigned to a
core group of responders who have assigned tasks with every barrier
function.
A target task response time is entered. This entry depends on
the nature of the task. Achieving the barrier function within the
designated response time means the tasks that contribute to this
time must be collectively completed within this period. Many tasks
have a more easily defined desired response time, e.g., tasks that
make
up a muster operation. An on-demand task may require an
immediate response to an ERT member’s request. This type of task
may interrupt a task already in progress, i.e., the responder faces
an immediate task priority decision. Other tasks may repeat
periodically, e.g., an ongoing activity to monitor production or
drilling processes to ensure they remain in a safe state. The
time entered may be the period between cycle completions. This type
of activity may be prone to falling behind if the responder’s
workload exceeds his/her capacity.
From POSIT 5, many task attributes affect SA and contribute to
human error. Assigning high-level task attribute ratings provides a
simple means to flag the more challenging tasks and task traits
that should be addressed in the design process. Below are suggested
task attributes. From POSIT 5, increasing workload (cognitive and
physical) can degrade SA. Workload increases with increasing task
urgency and complexity.
Task urgency indicates how quickly the task must be completed
given the expected barrier response time. ‘High’ may mean the task
must be completed in five minutes or less, or immediately activated
and progressed upon receiving the task activation signal or an ad
hoc request.
Task complexity indicates the cognitive demands of the task. A
‘high’ rating may identify a task that places considerable demand
on short-term working memory or invokes complex decisions. The task
may require continuous attention to monitor and report on rapidly
changing SA-1 information, or may require coordination with other
tasks. It may indicate a high reliance on prospective memory or the
need to accurately track the passing of time, both areas of known
human limitations.
Physical effort is the physical exertion required to execute the
task. ‘High’ may indicate a task action that requires significant
physical strength, is performed under severe ambient conditions or
an awkward physical position, or requires unusual endurance if the
task repeats or continues over time.
Consequence is the impact if the task is not successfully
completed within the defined response time. ‘High’ may mean
multiple casualties. A task that can delay essential information to
the OIM, or provide it incorrectly, has this potential because the
OIM uses that information to develop, track, adjust and manage the
response plan and ERT actions.
The team coordination and communication fields identify the
information that is exchanged between parties and the direction of
the information flow. For the input field, the task ID of the task
that provides the information is entered. If this task provides
information to another responder, the task ID of the receiving task
is entered. These fields are only used to identify exchanges of
clearly defined information that is essential SA-1 information for
the receiver and required to coordinate inter-dependent tasks with
others.
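An added example (not part of the manuscript): one way to check a set of task specification sheets for consistency once the fields described above are captured as records. The field names, the sample sheets, the 9-minute barrier limit and the timing rule (a task starts when all of its input tasks have finished) are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# The four rated attributes follow the text; field names and all sample
# values below are constructed for illustration.
RATED = ("urgency", "complexity", "physical_effort", "consequence")


@dataclass
class TaskSheet:
    task_id: str                 # unique task ID / document number
    barrier: str                 # barrier function the task belongs to
    target_minutes: float        # target task response time
    ratings: dict                # attribute -> "low" | "medium" | "high"
    inputs: list = field(default_factory=list)   # task IDs supplying information
    outputs: list = field(default_factory=list)  # task IDs receiving information


def link_errors(sheets):
    """Every declared information exchange must appear on both sheets."""
    errors = []
    for s in sheets.values():
        for src in s.inputs:
            if src not in sheets:
                errors.append(f"{s.task_id}: input {src} has no sheet")
            elif s.task_id not in sheets[src].outputs:
                errors.append(f"{s.task_id}: provider {src} does not list it as an output")
        for dst in s.outputs:
            if dst not in sheets:
                errors.append(f"{s.task_id}: output {dst} has no sheet")
            elif s.task_id not in sheets[dst].inputs:
                errors.append(f"{s.task_id}: receiver {dst} does not list it as an input")
    return sorted(errors)


def flagged(sheets):
    """Tasks with at least one 'high' rating, and the attributes concerned."""
    result = {}
    for s in sheets.values():
        high = [a for a in RATED if s.ratings.get(a) == "high"]
        if high:
            result[s.task_id] = high
    return result


def longest_chain_minutes(sheets, barrier):
    """Assumed rule: a task starts once all of its input tasks have finished."""
    members = {t: s for t, s in sheets.items() if s.barrier == barrier}

    def finish(task_id, path=()):
        if task_id in path:
            raise ValueError(f"circular dependency through {task_id}")
        s = members[task_id]
        waits = [finish(p, path + (task_id,)) for p in s.inputs if p in members]
        return s.target_minutes + max(waits, default=0.0)

    return max((finish(t) for t in members), default=0.0)


def review(sheets, barrier_limits):
    """Collect all three checks; over_time lists barriers whose chain is too long."""
    over = {}
    for barrier, limit in barrier_limits.items():
        minutes = longest_chain_minutes(sheets, barrier)
        if minutes > limit:
            over[barrier] = minutes
    return {"link_errors": link_errors(sheets), "flagged": flagged(sheets),
            "over_time": over}


LOW = {a: "low" for a in RATED}
SHEETS = {s.task_id: s for s in [   # constructed sample sheets
    TaskSheet("T-001", "MUSTER", 1.0, LOW, outputs=["T-002", "T-003"]),
    TaskSheet("T-002", "MUSTER", 2.0, {**LOW, "complexity": "high", "consequence": "high"},
              inputs=["T-001"], outputs=["T-004"]),
    TaskSheet("T-003", "MUSTER", 6.0, LOW, inputs=["T-001"], outputs=["T-004"]),
    TaskSheet("T-004", "MUSTER", 3.0, {**LOW, "urgency": "high", "consequence": "high"},
              inputs=["T-002", "T-003"]),
    # T-005 claims to feed T-004, but T-004 does not list it as an input.
    TaskSheet("T-005", "MUSTER", 2.0, LOW, outputs=["T-004"]),
]}
LIMITS = {"MUSTER": 9.0}            # constructed barrier response time, minutes

if __name__ == "__main__":
    for key, value in review(SHEETS, LIMITS).items():
        print(key, value)
```
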
5.1.1 Team Interactions, Inter-dependency and Team SA
The Team SA elements discussed in Section 3.3 define the ‘glue’
that contributes to team coordination and cohesion. Communications
(transactive SA) is the means to achieve and maintain intra-team
coordination and a minimum shared understanding of events (Shared
SA). Members develop meta SA through experience and training
exercises that help each to understand how ERT members respond to
their assigned roles, knowledge that may help with work efficiency
and responsiveness. Team SA is significantly affected by the
organizational and human elements, e.g., the ER plans;
communication protocols; training and drills; and the attitudes,
attributes and experiences of the responders (human elements). The
design of physical systems (e.g., technical systems and displays)
must consider these exchanges, and address the
performance-influencing factors that can interfere with their use
under all expected conditions. The barrier element design should
consider each of these when defining and determining how each
element is designed and implemented.
A core group of responders is typically engaged in every barrier
function (Woodcock and Au 2013, Tabor 2010, Flin et al. 1996). Each
must correctly execute many tasks, in coordination with others, to
achieve the barrier function. The nature of an accident (e.g., a
fire or medical emergency) activates additional responders having
event-specific skills and training. Pre-defined communications
between responders represent inter-dependency
between tasks and responders. The nature of the inter-dependency
can contribute to increased task complexity, workload,
interruptions (e.g. stop a task to respond to an on-demand request)
and challenge responders with changing priorities and overall task
management. From POSIT 5 these conditions can degrade or interfere
with the individual SA process, and contribute to other types of
human error. The assessment process, discussed in later paragraphs,
should consider the effect of these interactions and the
performance-influencing factors that can interfere with these
interactions.
5.2 Defining a Prototype SA-Focused Design and Implementation
Process
Changes to traditional design processes are needed to
holistically integrate SA methods and principles into the design of
an offshore emergency response system. Posits 3, 4 and 5 provide
the background and justifications for changing how a human-centered
barrier task is designed and specified, and for integrating SA
methods and principles into the design process. To be successful
given today’s compressed project cycles, the appropriate work must
also be performed at the right time in the project cycle. Figure 6
proposes a holistic design methodology that should achieve both
objectives. A new facility progresses through a series of discrete
project phases that concludes with the installation and startup of
a new facility. The proposed design process begins in an early
design phase often referred to as the front-end engineering and
design (FEED) phase. In this phase, the widest range of design
options is possible. Sufficient design information is available to
perform one of many process hazard analysis studies, i.e. the
hazard identification study or HAZID.
Figure 6 – Project Based Approach to Integrate SA into ER Design
[Flowchart. Project phases: Front-End Engineering Design (FEED);
Detailed Engineering, Procurement & Design.
Process blocks: Hazard Identification Study (HAZID); Develop Initial
Goal-Directed Task Analysis (Interview/review); Develop Initial
Goal-Directed Task Sheets (Workshop); Assessments; Recommendations;
Implement Approved Changes; Update GDTA (Workshop); Update GDTS
(Workshop); Assessments; Recommendations; Implement Approved
Changes; Finalize Organizational Development & Implementation;
Issue Final GDTS & GDTS; Update input documents; Draft/update SCE
performance standards.
Documents shown: Major Accident Events (List); Draft GDTA; Draft
GDTS; Updated GDTA; Updated GDTS; Owner/Operator ER Philosophy;
Proposed ER Team Organization; Muster & ER Station Location Plan;
Typical ER Response & Mgmt. Plans; SCE List; Evac., Escape & Rescue
Plans; Muster & ER Station Design & Provisioning; Communications
Equipment Plan; Preliminary ER Mgmt. Plans & Procedures; ER Staffing
Plan & Organization; Facility Layout Drawings; EER Plan Drawings;
Muster & ER Response Station Design; Provisioning of ER Stations;
EER Plan Dwgs & Equipment; Human Factors Design Data; PPE List and
Performance Data; Formal Safety Assessment Studies; SCE List &
Performance Standards; HMI Display & Alarm System Design.]
LEGEND: ER – Emergency Response; EER – Evacuation, Escape, Rescue;
GDTA – Goal-Directed Task Analysis; GDTS – Goal-Directed Task
Sheet; HMI – Human Machine Interface; SCE – Safety Critical
Elements
Step 1.0, the HAZID process, identifies the MAEs that must be
addressed in the facility and emergency response system design.
This process is common to all offshore projects. The scope of this
process should be expanded (or a post-HAZID activity performed) to
define the ER barrier function, response time and trigger event or
condition.
Step 2, a preliminary task analysis, identifies the
goal-directed tasks that comprise the barrier functions that
respond to the MAEs identified in Step 1. A hierarchical task
analysis (HTA) described by Shepherd (2001) is the proposed method
for performing this study. (HTA, more common to Norwegian- and
UK-based offshore projects, is less commonly used in other regions
and countries.) The proposed form of the study is an interview
process (Shepherd and Marshall 2005). A task analyst interviews key
members of the proposed ER team and other experts from the
owner/operator organization. The analyst collects and organizes the
information into the format suggested by Shepherd (2001). The
process does not directly address cognitive processes. Because SA
is a cognitive process, the HTA process is modified to define the
task information and decisions to understand the cognitive
challenge placed on the responder and understand how the task goal
is achieved. Tasks and task goals should also be framed to
encompass the most dynamic information, a task attribute that
presents a significant challenge to the responder (Endsley and
Jones 2012, chapters 5 and 6).
The HTA process can be time consuming. It can be adjusted to
frame task goals at levels of detail (higher or lower) that reflect
the time and resources available to participate in the study. Task
goals that are later found to encompass too many decisions or
actions can be reassessed using the HTA process of ‘re-describing’,
a process that parses a high-level goal into several constituent
tasks and goals that are more appropriate to the design process.
Critical to this process, the operating company provides the ER
operating and organizational design experience and expertise. The
suggested role of the analyst:
- Conduct the goal-directed task analysis (GDTA) interviews.
- Format the interview results into the HTA format.
- Request clarifications as needed to close gaps and resolve
  discrepancies.
- Review the preliminary task analysis with the OIM to confirm
  content.
- Issue the product of the task analysis to the study participants
  for review and approval. Alternatively, this team reviews the
  results in a workshop format.
Step 3 generates the preliminary task specifications (GDTS)
described in Section 5.1. As a suggested approach, the task analyst
pre-populates the specifications with the information gathered in
Step 2, in the form indicated in Figure 5. In a workshop format,
the sheets are reviewed by the Step 2 study team. The suggested
objectives for the workshop:
- Identify tasks that may be inadequately framed. Return to Step 2
  as needed.
- Review the presented information for general appropriateness and
  correctness.
- Populate the missing information if known.
To reduce the workshop duration, it may be effective to move the
primary review of the specialized tasks
outside of the workshop format. For this group of tasks, the
owner/operator’s experts in medical or fire
response can review and make recommended changes beforehand. The
updated sheets are then reviewed in
the workshop.
In Step 4, the EPC and owner/operator assess the output from
Steps 2 and 3. A checklist approach may be the
most efficient approach given the typical constraints on an
offshore project, e.g., truncated project schedules
and the often-limited availability of the operations personnel.
From Bea’s (2009) assessment of the Piper Alpha
accident, 80% or more of the failures were “firmly rooted in
human, organizational and institutional
malfunctions.” Many of those malfunctions were attributed to the
ERT, and especially the OIM. The task
specification provides a new and rich source of information to
better understand the unique challenges in each
task, and identify the cognitive aspects that are the most
vulnerable to performance-influencing factors that
degrade SA and responder performance. The assessment may
identify tasks that are not appropriately framed
or adequately defined, and should be revisited in the HTA
process. Table 2, below, identifies the organization
that may be best suited to assessing each element.
Table 2 – Proposed Organization to Assess ER Elements (Steps 4
& 8)
Task Element
Proposed Assessor
Owner / Operator
EPC Contractor
Human Elements
Physical Elements
Organizational Elements
Societal Elements: Reviewed in organizational and human factors
assessments
Situation awareness is intrinsically tied to the task decision
and action functions. A process that assesses the viability and
efficacy of these functions may help to identify issues that can
affect the SA process, while directly working to assess the
effectiveness and potential reliability of the task and its
contribution to achieving the ER response or barrier function.
Sklet (2006) defines the following barrier attributes. The scope of
the assessment should verify that the collection of tasks that make
up the barrier system achieves the defined barrier function.
- Functionality/effectiveness: “The barrier
  functionality/effectiveness is the ability to perform a specified
  function under given technical, environmental and operational
  conditions.”
- Reliability/availability: “The barrier reliability/availability
  is the ability to perform a function with an actual functionality
  and response time while needed, or on demand.”
- Response time: “The response time of a safety barrier is the
  time from when a deviation occurs that should have activated a
  safety barrier, to the fulfilment of the specified barrier
  function.”
- Robustness: “Barrier robustness is the ability to resist given
  accident loads and function as specified during accident
  sequences.”
- Trigger event or condition: “The trigger event or condition is
  the event or condition that triggers the activation of a
  barrier.”
To that end, the assessment should address the following as a
minimum.
- Barrier functions are clearly defined.
- Each barrier task is correctly framed and the appropriate task
  goal defined.
- The barrier and task trigger is clear and easily detected given
  the defined environmental, cognitive and physical conditions.
- Task sensor, decision and action functions are defined.
- The human, physical, organizational and societal elements that
  comprise the task are defined.
- The SA-1 information and level of SA-2 comprehension and SA-3
  projection capability needed to support the task decision and guide
  task actions are appropriately defined.
- Physical elements are assessed (ergonomically and cognitively)
  to confirm they are suitable for the defined use and use
  conditions.
- Task functions (sensor, decisions and actions) are achievable,
  and can be performed reliably given the assigned staff and staff
  competencies, the indicated physical, organizational and societal
  elements, and the remaining performance-influencing factors.
- Performance-influencing factors are assessed and, to the extent
  possible and practical, eliminated or mitigated in accordance with
  ALARP (as low as reasonably practicable) principles.
- The collection of tasks that make up the barrier system can
  reliably achieve the barrier function within the defined barrier
  response time.
Table 3 includes examples of published assessment tools and
methods that may be appropriate. Operator/owners may have existing
tools and methods that are suitable. The content of the task
specification indicated in Figure 5 and the overall approach
proposed in Figure 6 may warrant a set of assessment tools and
processes that are specifically adapted to these processes and
products.
Table 3 - Assessment Tools and Methodologies
Assessment Focus | Source | Methodology
Task framing and SA design | Endsley & Jones (2012) | Task Analysis and SA design principles
SA performance influencing factors | Endsley & Jones (2012) | SA design principles
General task understanding | SINTEF (2011) | CRIOP (checklist 4)
Procedures | SINTEF (2011) | CRIOP (checklist 5)
Training & competency | SINTEF (2011) | CRIOP (checklist 6)
Human error | IE (2011) | Workshop
Organizational systems | HSE (2008) | Barrier failure assessment
General human factors engineering screening | IOGP (2011) | Human factors HAZOP
Task complexity | Peng & Zhizhong (2012) | Evaluate task complexity
Team SA | Chatzimichailidou et al. (2015) | Guidelines
Human factors assessment | HSE (2000) |
Human error risk assessment | Deacon et al. (2010) | Human factors HAZOP & risk assessment
Organizational systems | Flin et al. (2008) | General principle descriptions
General task design | Booher (2003) | General design principles
Task transition design | Booher (2003) | General design principles
Cognitive and technical system display assessment | Booher (2003) | General design principles
Staffing | EI April 2004 | CRR348/2000 methodology
Human error, performance-influencing factors | HSE (1999) | Checklist
In Step 5, the approved changes from Step 4 are implemented or
transferred to the detailed design phase of the project for
follow-up and implementation. The GDTS should be updated
accordingly. This step should also consider the use of the ALARP
process to consider and implement additional recommendations that
are appropriate and cost effective. The EPC will have the likely
responsibility for implementing changes to the physical systems and
equipment, e.g., display systems and display design, facility
features, communications equipment, supporting systems, etc. The
owner/operator is responsible for the human and organizational
changes.
Steps 6 to 10 are performed in the detailed engineering phase of
the project. During this period, the detailed design and
engineering work is progressed and finalized. The early phases
begin by updating and confirming the preliminary design work
performed in FEED.
In Step 6, the task analysis is reviewed and, where needed,
further detailed. Barrier tasks are reviewed to confirm they can
achieve the barrier function, and that they align with the
owner/operator’s human and organizational plans. This step may be
more effective if performed in a workshop format.
In preparation for Step 7 (the task specification workshop),
the EPC contractor may be the appropriate organization to update
the FEED task analysis with the latest information. The purpose of
this step is to further detail and confirm that task goals:
- are appropriately framed and defined, and
- achieve the barrier function within the defined barrier response
  time.
In Step 7, the GDTS are updated in a workshop process. The final
documents are then issued for design and use. To the extent
possible and practicable, all task elements should be called out
using unique tag, document and program numbers, a practice that
creates a traceable design process and may enhance the efficacy of
the assessment process.
The Step 8 assessment may be more rigorous than that employed in
Step 4. The objective of the assessments may be similar to those
discussed earlier. An ALARP assessment should be performed when
required by regulatory or client requirements. Approved
recommendations are implemented in Step 9. As required, the GDTS
are updated to reflect the final design. The requirements for the
ER barrier system are now fully specified. The updated task
assessment (GDTA) and task specifications (GDTS) are issued so the
contributing organizations can complete their implementation. In
Step 10, the owner/operator implements the human and organizational
elements accordingly. The value of this package of information is
that all organizations are now working with a common set of design
information, an approach that works to reduce or eliminate the
class of design errors that can occur when multiple organizations
contribute to a safety-critical system.
6 Comparative Study of the Proposed Approach to Existing Practice (Future)
In a future issue of this manuscript, this section will compare
the presented approach against the more advanced industry and
regulatory practices employed in the UK and Norway.
7 Conclusions and Further Development (Future)
In a future issue of this manuscript, this section will draw
conclusions from the comparative study. If warranted, this section
will also define additional research and development to progress
and mature the methods presented in this manuscript.
References
Bea, R., Mitroff, I., Faber, D., Foster, H., Roberts, K.H.,
2009. A new approach to risk: the implications of E3, Risk
Management (2009)
11, 30-43.doi:10.1057/rm.2008.12
Booher, R.H., 2003. Handbook of systems integration, Hoboken,
N.J.: Wiley and Sons Inc.
Carvalho, P., Benchekroun, T., Gomes, J., 2012. Analysis of
information exchange activities to actualize and validate situation
awareness
during shift changeovers in nuclear power plants, Human Factors
and Ergonomics in Manufacturing & Services Industries, 2012,
Vol 22
(2) 130-144
CCPS, 2001. Layer of protection analysis simplified process risk
assessment, New York, Center for Chemical Process Safety of the
American Institute of Chemical Engineers
Chatzimichailidou, M. M., Neville, A. S., Dokas, I. M., 2015.
The concept of risk situation awareness provision: Towards a new
approach
for assessing DSA about the threats and vulnerabilities of
complex socio-technical systems, Safety Science, 79 (2015)
126-138
Chauvin, C., Closterman, J.P., Hoc, J.M., 2009, Impact of
training programs on decision-making and situation awareness of
trainee watch
officers, Safety Science, 47 (9) 1222-1231
Chiappe, D., Rorie, R. C., Mogan, C. A., Vu, Kim-Phuong, 2014. A
situated approach to acquisition of shared SA in team contexts,
Theoretical Issues in Ergonomic Science, 2014, Vol 15, No 1,
69-87
Chiappe, D., Strybel, T., Vu, Kim-Phuong (2012) Mechanisms for
the acquisition of shared SA in situated agents, Theoretical Issues
in
Ergonomic Science, 2014, Vol 13, No 6, 625-647
Cooke, N.J., et al., 2007. Team cognition in experienced command
and control teams, Journal of Experimental Psychology, Applied,
13,
146-157
Crichton, M.T., Lauche, K., Flin, R., 2005. Incident command
skills in the management of an oil industry drilling incident: a
case study,
Journal of Contingencies and Crisis Management, September 2005,
Vol 13, No 3
CSB, 2010. Investigation report volumes 1 & 2, explosion and
fire at the Macondo well, Report No. 2010-10-I-OS 6/5/2014 Cullen,
Lord W.G., 1990. The public inquiry into the piper alpha disaster,
volumes 1 and 2, Department of Energy (UK)
Deacon, T., Amyotte, P. R., Khan, F. I., Human error risk
analysis in offshore emergencies, Safety Science, 48 (2010)
803-818
Decker, S., 2006. The field guide to understanding human error,
Surrey UK, Ashgate Publishing Ltd., reprint 2010
Decker, S., 2011. Drift into failure, from hunting broken
components to understanding complex systems, Surrey UK, Ashgate
Publishing
Ltd., reprint 2011
Durso, F., et al., 1998. Situation awareness as a predictor of
performance in en route air traffic controllers, Air Traffic
Quarterly, 6 (1), 1-
20
EI, 2004. Safe staffing arrangements – user guide for
CRR348/2001 methodology: practical application of Entec/HSE process
operations
staffing assessment methodology and its extension to automated
plant and/or equipment, Energy Institute, London, April 2004
EI, 2011. Guidance on human factors safety critical task
analysis, Energy Institute London, 1st Ed, March 2011
Endsley, M. R., 1988. Situation awareness global assessment
technique (SAGAT), Proceedings of the National Aerospace and
Electronics
Conference (NAECON), 23-27 May 1988, Dayton, Oh, New Hour IEEE,
789-795
Endsley, M. R., 1995. Toward a theory of situational awareness
in dynamic systems, Human Factors, 37(1) pp 32-64
Endsley, M.R., Robertson, M., 2000. Training for situation
awareness in individuals and teams. In: Endsley M., Garland D.
(eds) Situation
Awareness Analysis and Measurement. Lawrence Erlbaum, Mahwah pp
349-367
Endsley, M.R., Jones, D.G., 2012. Designing for situation
awareness: An approach to user-centered design, 2nd Edition, CRC
Press
Flin, R., O’Connor P., Crichton, M., Slaven, G., Stewart, K.,
1996. Emergency decision making in the offshore oil and gas
industry,
Human Factors 38(2) 262-277
Flin, R., Slaven, G., Stewart, K., 2008. Safety at the sharp
end, Ashgate Publishing
Gasaway, Richard B (2013) Situational awareness for emergency
response, Penn Well Corporation (Fire Engineering Series)
Golightly, D., Wilson, J.R., Lowe, E., Sharples, S., 2010. The
role of situation awareness for understanding signaling and control
in rail
operations, Theoretical Issues in Ergonomic Science 11 (1)
84-98
Hopkins, A., 2012. Disastrous decisions: the human and
organizational causes of the Gulf of Mexico blowout, CCH Australia
Ltd
HSE, 1999. Reducing error and influencing behavior, 1999, HSG48,
HSE Books
HSE, 2005. The offshore installations (safety case) regulations
2005, UK S.I. 2005/3117, 2005
IOGP 2010. Risk assessment data directory, evacuation, escape
and rescue, London: International Association of Oil and Gas
Producers,
IOGP Report No 434-19, 3/2010
IOGP, 2011. Human factors engineering in projects, London:
International Association of Oil and Gas Producers, IOGP Report No
454,
8/2011
-
©Copyrighted 2016 – Tom Shephard
21
IOGP, 2012. Cognitive issues associated with process safety and
environmental incidents, London: International Association of Oil
and
Gas Producers, IOGP Report No 460, 7/2012
IOGP, 2014a. Crew resource management for well operations team,
International Association of Oil and Gas Producers, IOGP Report
No
501, April 2014
IOGP, 2014b. Assessing risks from operator fatigue,
International Association of Oil and Gas Producers, IOGP Report No
492, 2014
IOGP, 2014c. Guidelines for implementing well operations crew
resource management training, International Association of Oil and
Gas
Producers, IOGP Report No 502, 12/2014
ISO 13702, 2015. Petroleum and natural gas Industries – control
and mitigation of fires and explosions on offshore production
installations
–requirements and guidelines
Naderpour, M., Lu, J., Zhang, G., 2014. A situation risk
awareness approach for process systems Safety, safety Science,
April 2014, V 64,
pp 173-189
National Commission on the BP Deepwater Horizon Oil Spill and
Offshore Drilling 2011. Deep water the gulf oil disaster and the
future
of offshore drilling, report to the president, January 2011
Norsok, 2010. Risk and emergency preparedness assessment, Z-013,
Oct 2010, 3rd Ed, Standards Norway
Peng, L., Zhizhong, L., 2012, Task complexity: a review and
conceptual framework, International Journal of Industrial
Economics, 42
(2012) 553-568
Perrow, Charles, 1999. Normal accidents: living with high-risk
technologies, Princeton University Press, 1999
Reason, J., 1990. Human Error, Cambridge: Cambridge University
Press
Rentsch, J., Mello, A., Delise, L., 2010. Collaboration and
meaning analysis process in intense problem solving teams,
Theoretical Issues
in Ergonomic Science, 11, 287-303
Salas, E., Prince, C., Baker, P.D., Shresthal, L., 1995.
Situation awareness in team performance: implications for
measurement and training.
Human Factors, 37, pp. 123-36
Sætrevik, B., Eid., J., 2013. The “similarity index” of shared
mental models and situational awareness in field studies, Journal
of Cognitive
Engineering and Decision Making, Human Factors and Ergonomic
Society, 2013, pp.1-18
Salmon, P.M., Stanton, N.A., Walker, G. H., Jenkins, D.P., 2009.
Distributed situation awareness, theory measurement and application
to
teamwork, Ashgate Publishing Co., England
Salmon, P.M., Stanton, N.A., Walker, G. H., Jenkins, D.P., 2010.
Is it really better to share? distributed situation awareness and
its
implication for system design, Theoretical Issues in Ergonomic
Science 11 (1 & 2) 58-83
Shepherd, Andrew, 2001. Hierarchical task analysis, CRC
Press
Shepherd, A., Marshall, E., 2005. Timelines and task
specification in designing for human factors in railway operations,
Applied
Ergonomics 36, pp 719-727
SINTEF, 2011. CRIOP: A scenario method for crisis intervention
and operability analysis, SINTEF Technology and Society, Report
SINTEF A4312, 2011-03-07
Sklet, S., 2006. Safety barriers: definition, classification and
performance, Journal of Loss Prevention in the Process Industries,
19 (2006),
pp 494-506
Skogdalen, J.E., Khorsandi, J., Vinnen, J.E., 2011. Looking back
and forward – evacuation, escape and rescue (EER) from the
Deepwater
Horizon Rig, Deepwater Horizon Study Group Working Paper –
January 2011
Sneddon, A., Mearns, K., & Flin, R., 2006. Situation
awareness and safety in offshore drill crews, Cogn Tech Work, 8 pp
255-267
Sneddon, A., Mearns, K., & Flin, R., 2013. Stress, fatigue,
situation awareness and safety in offshore drill crews, Safety
Science, 2013,
Vol 56, pp 80-88
Sorenson, L, Stanton, N.A., Banks, A.P., 2011. Back to SA
school: contrasting three approaches to situation awareness in the
cockpit,
Theoretical Issues in Ergonomic Science 12 (6) 451-471
SPE, 2014. The human factor; process safety and culture, SPE
Technical Report, Society of Petroleum Engineers, March 2014
Stanton, N.A., 2010. Situation awareness: where have we been,
where are we now, and where are we going?, Theoretical Issues
in
Ergonomic Science 11 (1 & 2) 1-6
Sutton, I. S., 2012. Offshore safety management, Sutton
Technical Books, 2012
Sträter, O., 2005. Cognition and safety: an integrated approach
to systems design and assessment, Ashgate Publishing Ltd, 1st
Ed
Taber, Michael John, 2010. Human systems integration and
situational awareness in microworlds: an examination of emergency
Response
within the offshore command and control system, PhD Thesis,
Dalhousie University, Halifax, Nova Scotia, December 2010
Woodcock, B., Au, Zachary, 2012. Human factors issues in the
management of emergency response at high hazard installations,
Journal of
Loss Prevention in the Process Industries, 26 (2013) 547
-557
Woods, D.D., Dekker, S., Cook, R., Johannsen, L., Sarter, N.,
2010. Behind human error, Ashgate Publishing, 2nd Ed.