Embed Size (px)
Citation preview
Safety Science 44 (2006) 27–36
www.elsevier.com/locate/ssci
Towards proactive monitoringin the petrochemical industry
Catherine M. Burns ¤
Department of Systems Design Engineering, Advanced Interface Design Lab, University of Waterloo,200 University Avenue West, Waterloo Ont., Canada N2L 3G1
Abstract
Unanticipated events can result in severe Wnancial and human losses. The best solution is to haveoperators who can monitor proactively and respond to small changes to maintain the plant in a safestate. This paper examines the requirements for proactive monitoring and proposes ecological inter-face design as one possible way of supporting this behavior. Several examples of ecological graphicsare included for demonstration. 2005 Published by Elsevier Ltd.
Keywords: Petrochemical; Displays; Ecological interface design; Decision support
1. Introduction
* Tel.: +1 519 888 4567; fax: +1 519 746 4791.E-mail address: [email protected]
“For the want of a nail, a shoe was lost;for the want of a shoe, a horse was lost;for the want of a horse, a rider was lost;for the want of a rider, a battle was lost;for the want of a battle, a kingdom was lost,and all for the want of a horse shoe nail.”
(Benjamin Franklin)
0925-7535/$ - see front matter 2005 Published by Elsevier Ltd.doi:10.1016/j.ssci.2005.09.004
28 C.M. Burns / Safety Science 44 (2006) 27–36
If only we had displays that showed us the status of nails on horseshoes. Wistful thoughit is, the simple poem highlights the beneWts of proactive monitoring. A fairly simple andnormal event, a missing nail, has resulted in loss of a horseshoe. The loss of a horseshoe isstill not a horrible situation, unless of course, the horse is lame without the shoe, and therider needed the horse for some speciWc purpose at that time. As the poem extends to lossof a battle and a kingdom, we see the severe consequences and Wnancial losses that extendfrom this simple story on a lack of monitoring.
However, all dedicated riders check their horses’ feet before each ride, and inspect theshoes as part of this check, demonstrating proactive monitoring behavior. They under-stand how complicated it is to maintain a horse, how expensive veterinary bills are, anddisappointing it can be to lose the use of their horse due to lameness. The monitoring ofcomplex systems, such as petrochemical plants, diVers in its details and criticality, but notin terms of objectives. By monitoring proactively, we hope to notice problems while theyare small events, and intervene before there are more drastic consequences such as largerequipment failures, plant destabilization, human injury or loss of production.
The good news about proactive monitoring is that it makes economic sense. In the Weldof human factors or ergonomics sometimes the beneWts are qualitative, related to userexperience and diYcult to quantify in terms of true economic beneWts. EVective monitor-ing, accident prevention and accident reduction has clear and indisputable economic bene-Wts. Fig. 1 shows conceptually how early intervention can keep the plant in a normal state,maintaining production and minimizing the loss of equipment. In contrast, late interven-tion can result in catastrophic losses. A quick way to conWrm this is to determine the costof one lost day, possibly even one lost hour, of production. You do not even need to beginadding in the inevitable costs of equipment damage, human injury, and insurance costs toget a sense of the scale of the costs.
The bad news about proactive monitoring is that we cannot always accomplish it eVec-tively. As plants become more complex and involve more automated systems, the monitor-ing tasks also become more complicated and our operators move further and further “outof the loop” in terms of experience in controlling our plants.
Fig. 1. Early intervention can prevent catastrophic losses.
Plant State
Accident Progression
NormalOperation
Lost Productionor Equipment
CatastrophicLoss
Early action keepsplant in a safe state
Late action results inlosses
No action
Wrong action makesthe situation worse
C.M. Burns / Safety Science 44 (2006) 27–36 29
Reacting proactively means taking a more comprehensive look at the human factors ofsupporting safe operation. It is not enough to study human error and eliminate it; this kindof approach leaves us analyzing the problem after it has occurred. Similarly it is notenough to simply study work Xow and improve its eYciency, while this is a useful pursuit,it can lead us straight into an accident, as eYciently as possible, if performed in isolation ofother approaches. The study of large accidents (e.g. Casey, 1995) has shown us that themost dangerous and costly accidents are also most often the unanticipated ones. In the pet-rochemical industry, the cost of abnormal situations was estimated at $10 billion/yr, in theUS alone (Nimmo, 1995). In managing these unanticipated situations, there are no proce-dures that can be eVectively followed. The operators must think and reason their waythrough the problem.
2. Understanding proactive monitoring
From Rasmussen’s work (1983), we know that operators must use diVerent types ofbehavior while operating a complex system. Skill-based behavior is used to make eVectiveand smooth control actions. Rule-based behavior is used to diagnose routine or previ-ously seen situations and determine the proper course of action that matches with the sit-uation. This type of behavior is conWrmed by the research in naturalistic decision-making(Klein, 1989), which argues that operators recognize situations and match to a set ofactions in a very eYcient manner. The third type of behavior proposed by Rasmussen,knowledge-based behavior, describes the operator reasoning that must occur in morediYcult problems where there are no existing procedures or experience base to generate asolution. Rasmussen argues that in these situations people reason in a top-down deduc-tive fashion, from the purposes of the plant to the physical components that they musttake action with in order to aVect a solution (Rasmussen, 1985). This type of reasoningwas observed in Weld studies of electronics troubleshooters (Rasmussen and Jensen, 1974)and became the justiWcation behind the abstraction hierarchy (Rasmussen, 1985). Theabstraction hierarchy is a form of work domain analysis used for generating the informa-tion requirements for ecological interface design (Vicente and Rasmussen, 1992; Burnsand Hajdukiewicz, 2004).
Fig. 2. Stages in proactive monitoring.
DeviationDetection
ProblemPrediction
CompensatoryAction
Effects on PlantState
30 C.M. Burns / Safety Science 44 (2006) 27–36
Proactive monitoring has an element of all three of these kinds of behavior. The Wrst stagein monitoring is deviation detection (Fig. 2). Deviation detection is slightly diVerent fromproblem detection, in that at this stage, no explicit problem exists. Deviation detection is askill-based behavior that we can support through interface design that makes deviations easyto extract. The second stage is problem prediction. Problem prediction could be rule-basedbehavior in typical situations and knowledge-based behavior in unanticipated situations.Problem prediction requires that operators abstract from the current plant state and projectplant outcomes, at least to a level of granularity where they realize that an intervention isnecessary. Finally, operators must take action to compensate for the deviation in a mannerthat will maintain plant safety and production as close to ideal conditions as possible.
3. Supporting proactive monitoring
I have argued that proactive monitoring has three distinct phases, deviation detection,problem prediction, and the taking of compensatory actions and that these three phasesemploy all three of the behaviors identiWed by Rasmussen, skill-, rule-, and knowledge-based behaviors. In this section, I address possible strategies for supporting these threephases of proactive monitoring.
3.1. Deviation detection
To support deviation detection we must design displays that make signiWcant deviationsvisible. One approach is through the design of alarms. In the proactive monitoring casethough, we want operators to respond to relatively small deviations. Responding to thesedeviations requires an understanding of the current plant state and the context of the situ-ation. Ideally, we want operators responding positively before any alarm has been set oV.Alarming deviations at this level would result in the “nuisance” alarm situation. Instead,we want to be supporting an active human decision maker in the supervisory control loop.
Recent research has generated many ideas on how to make deviations salient. Data canbe placed in context with other relevant data, with alarm trip points, and displayed overtime through trend charts that indicate the rate of change of the data, providing elementaryprediction guidance (Burns and Hajdukiewicz, 2004). The polar star graphic, shown on theleft in Fig. 3a, is an example of graphic that uses geometric relationships in order to makedeviations more salient (Coekin, 1969). The mass data display, shown on the right in Fig. 3b,is another tool in situations where operators must monitor a large amount of data andexperimentally has shown fast problem detection times (Zinser and Frischenschlager, 1994).
An important aspect of showing deviations is to clearly show what normal is, then dis-play increasing levels of deviation. The graphic shown in Fig. 4 shows a vessel through sixstages, normal shown in the graphic on the left and the most deviated state shown on theright. This graphic uses normalized temperature to generate the emergent feature of the ver-tical line, making any break from normal, even at a small level visible. The alarming, shownin the last three stages, is an aid but is redundant; the deviation is visible even earlier.
3.2. Problem prediction
Once an operator has detected a deviation they need to determine what aVect that devi-ation will have in the future. This means they must be able to predict the future behavior of
the plant with that component in its current state. They must realize that the componentwill inXuence various other components, processes and the ultimate functioning of theplant.
Ecological interface design (EID) is one possible approach to this problem. EID is builtupon a model of the plant called an abstraction hierarchy. The abstraction hierarchydescribes the purposes of the plant, its basic underlying principles, its processes, and itscomponents. Furthermore, the model connects these levels together with the goal of show-ing operators how components aVect plant outcomes. This kind of a structure should help
Fig. 3. (a) The polar star of Coekin (1969), and (b) the mass data display of Zinser and Frischenschlager (1994),each showing a deviation in one parameter.
Normal Abnormal Situation
Normal Abnormal Situation
(a)
(b)
Fig. 4. Graphic of a vessel showing the development of a deviation, courtesy of Nick Dinadis, Solutions OutsideThe Box.
C.M. Burns / Safety Science 44 (2006) 27–36 31
32 C.M. Burns / Safety Science 44 (2006) 27–36
with the plant prediction problem. The deviation occurs at the lowest levels with compo-nent level changes, but the operator must predict the inXuence of these deviations onplant outcomes (Fig. 5). A display designed with these connections should help with thisproblem.
Fig. 6 shows an ecological display concept that was originally designed by Vicente andRasmussen (1992). In this situation, not only is tank volume shown, but also Xow in andout of the tank. As a problem develops, in this case, inadequate product Xow into the tank,the operator can see that the Xows on the tank are now unbalanced and the tank will beginto lose volume. This graphic was designed from an ecological design process.
The graphic in Fig. 7 shows the information for a heat exchanger. Heat exchangers areoften used twice in most plants, providing heating at one stage in the process and coolingin a diVerent process stage. Loss of a heat exchanger therefore results in the loss of twofunctions, heating and cooling. In Fig. 7, the heat exchanger is shown working normally onthe left, and deteriorating to a condition with little heat transfer on the right. The problem
Fig. 5. The abstraction hierarchy provides a model for problem prediction.
Purpose
Principles
Processes
Components
Physical Form
Deviation
Prediction of effect onPlant Outcomes
Fig. 6. Providing graphics that can aid problem prediction.
Problem: Inflow exceeds outflowPrediction: Tank will lose volume
Problem CorrectedInflow and Outflow Balanced
VolumeVolume
Inflow Inflow
Outflow
C.M. Burns / Safety Science 44 (2006) 27–36 33
can be predicted from the change in the energy balance lines from angled (in this case in thenormal condition) to nearly right angles showing a loss of heat transfer. A simple sample ofhow this is shown in the abstraction hierarchy model for this kind of a component isincluded on the far right.
Current research with EID has suggested that this approach can lead to good controlstrategies by operators as well as good problem solving skills (Vicente, 2002). The work hasnot particularly addresses the problem prediction situation and this is an area for furtherstudy. There has been some research on how EID may inXuence mental models, which is astart in this direction (St-Cyr and Burns, 2002). The research to date suggests that EIDstrengthens the association between components and plant purposes.
3.3. Compensatory action
In taking compensatory action, we are asking operators to solve a second predictionproblem. At the point in time that they are considering the deviation they must actuallyanticipate two possible future states. The Wrst state they must predict is that state thatoccurs if they take no action. The second state they must predict is the state that will occurif they take a certain action (Fig. 8). They must correctly anticipate whether action x will
Fig. 7. Showing loss of two functions, heating and cooling.
Temp in (shell)
Temp out (shell)
Temp in (tube) Temp out (tube)
Temp in (shell)
Temp out (shell)
Temp in (tube) Temp out (tube)
1
1
2
Heat exchanger
HeatingCooling
Energy Balance
Plant Purpose
Fig. 8. The two future states that must be correctly anticipated in the proactive monitoring problem.
DeviatingComponent
Plant State1
OperatorIntervention
Plant State2
PossibleAlternatives
34 C.M. Burns / Safety Science 44 (2006) 27–36
exacerbate or alleviate the given problem. If we look again at Fig. 1, they must be able tolook ahead and determine the various endpoints that are possible.
Framed as fundamentally the same problem and the prediction problem, the solution tosupporting compensatory action is also similar. A structure similar to that used in EIDdesign should support this phase of monitoring as well, Fig. 9. Again in this case we wantthe operator to identify the correct component, based on its potential positive inXuence onplant outcomes.
Fig. 10 shows an example of a graphic that does this, again developed by Vicente andRasmussen (1992). In this graphic, the reXection of various lines can be used to indicatewhere a component should be set to balance the system correctly. In this way, the appropri-ate compensatory action is visible.
3.4. Evidence of EID support for proactive monitoring
Because there have been no direct studies in this area, the ability of EID to support proac-tive monitoring is indirect. There are several key indicators though, that suggest that it shouldbe a good approach in this area, when coupled with eVective visual display of the EID.
Fig. 9. Supporting compensatory action with EID.
Purpose
Principles
Processes
Components
Physical Form
Deviation
Prediction of effect onPlant Outcomes
Action
Prediction of effect onCompensatory Action
Fig. 10. An example of an ecological graphic that shows how proper compensatory actions can be made visible.
Compensatory Action Required Compensatory Action Taken
C.M. Burns / Safety Science 44 (2006) 27–36 35
The Wrst key factor is that EID has been shown, several times and in several ways toimprove the diagnosis of faults (e.g. Pawlak and Vicente, 1996; Vicente et al., 1996; Vicente,2002). The fault diagnosis problem is the reverse of the prediction problem shown in Fig. 4or 6 since in this case operators detect a problem with plant outcomes and must determinethe faulty component. Although the process is the reverse, it draws on the same set of con-nections. An approach that strengthens the understanding how plant outcomes are relatedto component behavior should aid in proactive monitoring. Information search studies(e.g. Xu et al., 1999; Burns, 2000) and a mental model study (St-Cyr and Burns, 2002) bothsupport this idea that EID does strengthen these connections.
There is evidence as well that EID improves control strategies (Pawlak and Vicente,1996). In studies of actual control behavior EID operators generate smoother and morestable control trajectories even under changing conditions (Hajdukiewicz and Vicente,2002). This suggests that they are indeed learning the inXuence of their control actions onplant outcomes and choosing these control actions eVectively. This suggests that EIDshould support the taking of compensatory action that will keep the plant in an acceptablestate.
4. Conclusion
In conclusion, there are many advantages to supporting proactive monitoring by theoperators of complex plants. The beneWts include basic plant safety as well as bottom lineplant economics. Taking preventative action earlier is better in all situations.
Supporting proactive monitoring must use an approach that makes the connectionsbetween plant outcomes and component behaviors clear. Operators must be able to detectsmall deviations and predict the inXuence of these deviations on future plant states. Theymust also be able to select compensatory actions that will change this future and keep theplant in a safe and productive state. EID is an approach that seems to match well with thisproblem and is founded on strengthening an operator’s understanding of the eVect of plantcomponents on plant outcomes.
Acknowledgement
This writing of this paper was supported by the Natural Sciences and EngineeringResearch Council, Canada.
References
Burns, C.M., 2000. Errors in searching for abstraction hierarchy information. In: Proceedings of the IEA 2000/HFES 2000 Congress, pp. 270–273.
Burns, C.M., Hajdukiewicz, J.R., 2004. Ecological interface design. Taylor and Francis Group. CRC Press, BocaRaton, FL.
Casey, S., 1995. Set Phases on Stun. Aegean Publishing, Santa Barbara, CA.Coekin, J.A., 1969. A versatile presentation of parameters for rapid recognition of total state. In: Proceedings of
the IEE International Symposium on Man–Machine. Cambridge, England: IEE.Hajdukiewicz, J.R., Vicente, K.J., 2002. Designing for adaptation to novelty and change: functional information,
emergent feature graphics, and higher-level control. Human Factors 44, 592–610.Klein, G.A., 1989. Recognition-primed decisions. In: Rouse, W.B. (Ed.), Advances in Man–machine Systems
Research, vol. 5. JAI Press, Greenwich, CT, pp. 47–92.Nimmo, I., 1995. Adequately address abnormal situation management. Chemical Engineering Progress 91, 36–45.
36 C.M. Burns / Safety Science 44 (2006) 27–36
Pawlak, W.S., Vicente, K.J., 1996. Inducing eVective operator control through ecological interface design. Interna-tional Journal of Human–Computer Studies 44, 653–688.
Rasmussen, J., Jensen, A., 1974. Mental procedures in real-life tasks: a case study of electronic trouble shooting.Ergonomics 17, 293–307.
Rasmussen, J., 1983. Skills, rules, knowledge; signals, signs, and symbols, and other distinctions in human perfor-mance models. IEEE Transactions on Systems, Man and Cybernetics 13, 257–266.
Rasmussen, J., 1985. The role of hierarchical knowledge representation in decision making and system manage-ment. IEEE Transactions on Systems, Man and Cybernetics 15, 234–243.
St-Cyr, O., Burns, C.M., 2002. Mental models and ecological interface design: An experimental investigation. In:Proceedings of the 46th Annual Meeting of the Human Factors and Ergonomics Society, pp. 270–274.
Vicente, K.J., Rasmussen, J., 1992. Ecological interface design: theoretical foundations. IEEE Transactions onSystems, Man, and Cybernetics 22 (4), 589–606.
Vicente, K.J., 2002. Ecological interface design: progress and challenges. Human Factors 44, 62–78.Vicente, K.J., Moray, N., Lee, J.D., Rasmussen, J., Jones, B.G., Brock, R., Djemil, T., 1996. Evaluation of a Ran-
kine cycle display for nuclear power plant monitoring and diagnosis. Human Factors 38, 506–521.Xu, W., DainoV, M.J., Mark, L.S., 1999. Facilitate complex search tasks in hypertext by externalizing functional
properties of work domain. International Journal of Human–Computer Interaction 11, 201–229.Zinser, K., Frischenschlager, F., 1994. Multimedia’s push into power. IEEE Spectrum(July), 44–48.
