OECD-CCA Workshop on Human Factors in Chemical Accidents ... · OECD-CCA Workshop on Human Factors in Chemical Accidents and Incidents Discussion Document 1 1 Introduction and Overview

OECD-CCA Workshop on Human Factors in Chemical Accidents and Incidents

8 – 9 May 2007, Potsdam, Germany

Sponsored and hosted by: the Federal Ministry for the Environment of Germany (BMU)

and the Government of Brandenburg

Room AULA Kongresshotel am Templiner See

Am Luftschiffhafen 1 D-14471 Potsdam

Germany

PROCEEDINGS

2 May 2007

TABLE OF CONTENTS

Timetable: ................................................................................................................................... i

Discussion Document............................................................................................................... iv

Abstracts – Full Papers ........................................................................................................... 96 Session I: Types of Human Error, Definition of related Terms 96

I.1 Terms in the Context of Human Factors - Proposed Definitions..................................................... 96 I.2 Accidents: From Human Factors to Organisational Factors ............................................................ 97 I.3 Human Factors Data Traceability and Analysis in MARS .............................................................. 98 I.4 Review of Two Incident Databases from the Canadian Chemical Industry and Discussion of

Human Factors Related Terms/ Parameters, Incident Data and Opportunities................................ 99 I.5 The Use of STORYBUILDER as an Incident Analysis Tool........................................................ 104

Session II: Assessment of Safety Cultures 105 II.1 Challenges and Opportunities of Assessing Safety Culture........................................................... 105 II.2 Diagnosis of Safety Culture: A Replication and Extension Towards Asessing "Safe" Organisational

Change Processes .......................................................................................................................... 113 II.3 Safety Culture Models as the Basis for Improvement ................................................................... 127 II.4 The international safety rating system “ISRS” and the SAMOS interview technique................... 128 II.5 Improving Occupational Safety in The Netherlands...................................................................... 129

Session III: Appropriate Human Factor Competence 130 III.1 What they should have known: Human Factors Competencies in Plant Environments Diagnosis of

Safety............................................................................................................................................. 130 III.2 Inspecting for Human Factors within the German Major Hazards Ordinance – Examples,

Experience and Future Needs ........................................................................................................ 136 III.3 How to learn Human Factor Competencies at Different Organisational Levels............................ 141 III.4 Human Factors related chemical Accidents occurred in Korea ..................................................... 142

Session IV: Interfaces between Safety Systems and Operators 143 IV.1 Human Error Risk Management for Engineering Systems:A methodology for design, safety

assessment, accident investigation and training............................................................................. 143 IV.2 Relevant characteristics of the human system as determining factors for the man-machine-interface

in process plants............................................................................................................................. 144 Session V: Human Factors in Alarm Management 154

V.1 Alarm Management in Process Industries, Aims, Experiences, Benefits ...................................... 154 V.2 Alarms for operators ...................................................................................................................... 158 V.3 Alarm management practices in NOVA Chemicals ...................................................................... 160 V.4 Experience from the ASM Consortium ......................................................................................... 172

Other submitted Abstracts (not presented) 173 X I Quantification of human factors in the process industry – A practical assessment tool ................ 173 X II Development of possibilities to improve Safety Culture ............................................................... 174 X III.1 Trends in Aviation Industry. A perspective to understand human factors requirements and best

practices to process industry.......................................................................................................... 175 X III.2 Prevention of accidents with dangerous chemical products in Brazil............................................ 176 X III.3 HAZOP-based innovative approach in the human factor assessment............................................ 177 X IV.1 Valuation of Human Actions in Probabilistic Safety Assessments for Process Plants .................. 178 X IV.2 Operational safety in process control through ergonomic design of operator work documents .... 179 X V.1 Alarm flooding in control rooms ................................................................................................... 182 X V.2 Managing Fatigue Risk in an evidence-based and systematic Manner.......................................... 184 X V.3 Human Factors Analysis in the Chemical Industry: Insights and Recommendations ................... 186

Annex: List of Participants ................................................................................................... 189

Workshop on Human Factors

i

Timetable: Monday, 7 May 2007

Transfer from Tegel-Airport and Potsdam Main Station (on request as arranged by GFI Umwelt (Consultants for Infrastructure & Environment Ltd.), Bonn, Germany)

16:00 20:00 Lounge Registration, distribution of badges and workshop documents

16:00 18:00 0.251 Meeting of the chairs, speakers, rapporteurs, consultant Roland Fendler (Federal Environment Agency (UBA), Germany)

Tuesday, 8 May 2007 08:00 09:00 Lounge Registration, distribution of badges and workshop documents

GFI Umwelt, Bonn 09:00 09:30 Aula OPENING SESSION: Welcome Director and Professor Wolfgang LOHRER

(Head of Department III 1 Engineering and Products Assessments of the Federal Environment Agency (UBA), Germany)

Prof. Dr. JOCHUM (Chairman of the Commission on Process Safety (KAS), Germany)

Marie-Chantal HUET (Administrator, OECD)

09:30 10:00 Aula D.D. Introduction - Presentation of the Discussion Document Dr. Babette FAHLBRUCH (TÜV NORD Systec GmbH & Co KG, Germany)

10:00 12:45 Aula SESSION I: Types of Human Error, Definition of related Terms Chair: Dr. Jochen UTH (Federal Environment Agency (UBA), Germany) Rapporteur: Jean-Paul LACOURSIERE (University of Sherbrooke, Canada)

10:00 11:15 Presentation 1.1 - 1.5: I.1 Terms in the Context of Human Factors - Proposed Definitions

Dr. Babette FAHLBRUCH (TÜV NORD Systec GmbH & Co KG, Germany)

I.2 Accidents: From Human Factors to Organisational Factors Jean-Christophe LE COZE (INERIS, France)

I.3 Human Factors Data Traceability and Analysis in MARS Daniele BARANZINI (EC, Joint Research Center, Major Accidents Hazards Bureau)

I.4 Review of Two Incident Databases from the Canadian Chemical Industry and Discussion of Human Factors Related Terms/ Parameters, Incident Data and Opportunities Manuel MARTA (NOVA Chemicals Corporation, Canada)

I.5 The Use of STORYBUILDER as an Incident Analysis Tool Joy OH (Ministry of Social Affairs and Employment, The Netherlands)

11:15 11:45 Coffee Break 11:45 12:45 Discussion 12:45 14:15 Lunch


ii

Tuesday, 8 May 2007 14:15 16:30 Aula SESSION II: Assessment of Safety Cultures

Chair: Prof. Dr. Michael BARAM (Boston University Law School, USA) Rapporteur: Daniele BARANZINI/ Maureen WOOD (EU, Joint Research Center, Major Accidents Hazards Bureau)

14:15 15:30 Presentation 2.1 - 2.5 II.1 Challenges and Opportunities of Assessing Safety Culture Prof. Dr. Bernhard

WILPERT (Berlin University of Technology, Germany)

II.2 Diagnosis of Safety Culture: A Replication and Extension Towards Assessing "Safe" Organisational Change Processes Prof. Dr. Gudela GROTE (ETH Zürich, Switzerland)

II.3 Safety Culture Models as the Basis for Improvement P.T.W. HUDSON (Leiden University, The Netherlands)

II.4 The International Safety Rating System “ISRS” and the "SAMOS" Interview Technique Dr. L. ADOLPH (Det Norske Veritas, Germany)

II.5 Improving Occupational Safety in The Netherlands P. VAN WISSEN (Ministry of Social Affairs and Employment, The Netherlands)

15:30 16:30 Discussion 16:30 17:00 Coffee Break 17:00 19:00 Aula SESSION III: Appropriate Human Factor Competence

Chair: Lee ALLFORD (EPSC Manager Operations, UK) Rapporteur: Oliver RAUPACH (TÜV NORD Systec GmbH & Co. KG, Germany)

17:00 18:00 Presentation 3.1 - 3.4 III.1 What they should have known: Human Factors Competencies in Plant

Environments Dr. Günter HORN (Horn Engineering, Germany)

III.2 Inspecting for Human Factors within the German Major Hazards Ordinance: Examples, Experience and Future Needs Dr. Bruno REDDEHASE (State Industrial Inspectorate Hannover, Germany)

III.3 How to Learn Human Factors Competencies at Different Organisational Levels Gesine HOFINGER (Platform "Humans in Complex Work Environments", Germany)

III.4 Human Factors Related Chemical Accidents Occurred in Korea Seung Kyoo PAK (Korea Occupational Safety and Health Agency)

18:00 19:00 Discussion 19:30 0.251 Meeting of Consultant and Rapporteurs 20:00 22:00 Dinner - Reception at the Conference Hotel


iii

Wednesday, 09.05.07 09:00 10:30 Aula SESSION IV: Interfaces between Safety Systems and Operators

Chair: Prof. Dr. Christian JOCHUM (Commission on Process Safety (KAS), Germany) Rapporteur: Roland FENDLER (Federal Environment Agency (UBA), Germany)

09:00 09:45 Presentation 4.1 - 4.2 IV.1 Human Error Risk Management for Engineering Systems: A Methodology for

Design, Safety Assessment, Accident Investigation and Training P.C. CACCIABUE (EC, Joint Research Center, Major Accidents Hazards Bureau)

IV.2 Relevant Characteristics of the Human System as Determining Factors for the Man-Machine-Interface in Process Plants Begoña HERMANN (State Environment Agency Rhineland-Palatinate (LUWG), Germany), Dr. Hasso DRATHEN (Bayer Technology Services, Germany)

09:45 10:30 Discussion 10:30 11:00 Coffee Break 11:00 12:30 Aula SESSION V: Human Factors in Alarm Management

Chair: Dr. Günter HORN (Horn Engineering, Germany) Rapporteur: Mark HAILWOOD (State Institute for Environment, Measurements and Nature Conservation Baden-Württemberg (LUBW), Germany)

11:00 12:00 Presentation 5.1 - 5.4 V.1 Alarm Management in Process Industries: Aims, Experiences, Benefits

Dr. Hasso DRATHEN (Bayer Technology Services, Germany) V.2 Alarms for Operators

Martin HOLLENDER (ABB Corporate Research, Germany) V.3 Alarm Management Practices in NOVA Chemicals

J. WINDHORST (NOVA Chemicals, Canada) V.4 Deploying Best Practice in Managing Abnormal Situations: Experience from the

ASM Consortium P.V. PANDIT (Honeywell Controls, UK)

12:00 12:30 Discussion

12:30 14:30 Lunch 13:00 14:30 0.251 Meeting of Consultant and Raporteurs 14:30 15:30 Aula Conclusions

Co-Chair: Prof. Dr. Christian JOCHUM (Commission on Process Safety, Germany), Roland FENDLER (Federal Environment Agency (UBA), Germany) Rapporteur: Dr. Babette FAHLBRUCH (TÜV NORD Systec GmbH & Co. KG, Germany)

15:30 16:00 Coffee Break 16:00 17:00 Aula Conclusions (continued and end) 18:00 Transfer to Sanssouci Park and Castle Reception by the Government of Brandenburg 17:00 20:00 Transfer to Tegel Airport (on request) GFI Umwelt, Bonn

Thursday, 10.05.07 08:00 11:00 Transfer to Tegel Airport (on request) GFI Umwelt, Bonn


iv

Discussion Document (by 16.04.07)

OECD-CCA Workshop on Human Factor in

Chemical Accidents and Incidents

8 − 9 May 2007, Potsdam, Germany

Discussion Document

April 2007 Prepared by:

Babette Fahlbruch

Jörk Dubiel Lutz Neumann Oliver Raupach

TÜV NORD SysTec GmbH & Co. KG

Große Bahnstraße 31 22525 Hamburg

Germany

Under participation of: Peggy Frommann

OECD-CCA Workshop

2

Content:

1 Introduction and Overview...................................................................................1 1.1 General purpose of the workshop .................................................................1 1.2 Overview of workshop objectives ..................................................................2 1.3 Thematic structure of the workshop ..............................................................2 1.4 Introduction to the discussion document .......................................................3 2 Thematic session 1: Types of Human Error, Definition of Related Terms ...........4 2.1 Introduction ...................................................................................................4 2.2 Technical standards ......................................................................................5

2.2.1 Terms relevant for incident investigation and documentation ...............5 2.2.2 Terms relevant for sessions of this workshop .......................................7

2.3 Analysis of accidents and incidents.............................................................11 2.4 Scientific literature from the field of psychology, human factors, organi-

zation studies ..............................................................................................14 2.5 Conclusions.................................................................................................19

2.5.1 Terms relevant for incident investigation and documentation .............19 2.5.2 Terms relevant for sessions of this workshop .....................................21

2.6 Questions ....................................................................................................23 3 Thematic session 2: Assessment of Safety Cultures.........................................24 3.1 Introduction .................................................................................................24 3.2 Official documents.......................................................................................25

3.2.1 General principles by the OECD .........................................................25 3.2.2 Definitions and key elements by the IAEA ..........................................28 3.2.3 Principles by Responsible Care ..........................................................29 3.2.4 Elements of safety culture by the ILK (Internationale Länderkom-

mission Kerntechnik)...........................................................................30 3.2.5 Models on evaluation and classification of safety culture and

safety climate ......................................................................................31 3.3 Scientific literature from the field of psychology, human factors, organi-

zation studies ..............................................................................................38 3.4 Conclusion ..................................................................................................41 3.5 Questions ....................................................................................................44 4 Thematic session 3: Appropriate Human Factors competence .........................45 4.1 Introduction .................................................................................................45 4.2 Types of responsibilities ..............................................................................45 4.3 Identified human factors competency..........................................................46 4.4 Conclusion ..................................................................................................49 4.5 Questions ....................................................................................................50

OECD-CCA Workshop

3

5 Thematic session 4: Interfaces between Safety Systems and Operators..........51 5.1 Introduction .................................................................................................51 5.2 Regulations and technical standards (IEC 61511, VDI/VDE 2180,

NE 31) .........................................................................................................51 5.3 Literature research ......................................................................................56 5.4 Conclusion ..................................................................................................59 5.5 Questions ....................................................................................................60 6 Thematic session 5: Human Factors in alarm management..............................61 6.1 Introduction .................................................................................................61 6.2 Regulation and technical standards ............................................................61 6.3 Scientific literature.......................................................................................66 6.4 Conclusion ..................................................................................................66 6.5 Questions ....................................................................................................70 7 References ........................................................................................................71 8 Annex I ..............................................................................................................79 9 ANNEX II ...........................................................................................................85 10 ANNEX III ......................................................................................................89 10.1 Namur Empfehlung (Namur recommendation) 31 – Most Relevant Re-

commendations...........................................................................................89 10.2 IEC/EN/DIN 61511 - Required Consideration of Human Factors ................91

OECD-CCA Workshop on Human Factors

in Chemical Accidents and Incidents

Discussion Document

1

1 Introduction and Overview

1.1 General purpose of the workshop This OECD-CCA workshop is sponsored and hosted by the Federal Ministry for the Environment of Germany and the Government of the Federal State Brandenburg. 5 Human performance remains a critical element in risk prevention. Analyses of acci-dent data show that human factors play a causal or contributing role in 50-80% of significant accidents (Working Group on Chemical Accidents /1/ according to Gross and Ayres, 1998). The 600K report (dated 2000) of the US Chemical Safety and Hazard Investigation Board showed that among cases for which the cause was 10 known, 49% resulted from mechanical factors and 39% from human factors. Among cases involving mechanical factors, an overwhelming 97% were attributed to general equipment error; 63% of human factors cases were attributed to human errors. A German review on the causes of major accidents reported to the ZEMA database attributed only 25% to human failure /2/. Despite of the different amount of “human 15 contribution” to accidents, it is widely recognised that human failure in industrial op-erations is a major source of risk. In 1997, an OECD Workshop on Human Performance in Chemical Process Safety: “Operating Safety in the context of Chemical Accident Prevention, Preparedness and 20 Response” already took place in Germany1. The purpose of this workshop was to discuss the role of human performance in chemical processes and consider ways to minimise the number of abnormal events. From the OECD Workshop on Lessons Learned from Chemical Accidents and Inci-25 dents (2004) recommendations for a Workshop on Human Errors were drawn2. The 2007 OECD/CCA-Workshop will explore all the aspects of the relationship ’hu-man factors – chemical accident prevention’ with focus on crucial and new human factors issues. The overall objective of the workshop is to explore human factors re-30 lated to management and operation of a hazardous installation, and to share infor-mation on assessment tools for identification of the potential for, analysis and reduc-tion of human errors in the chemical industry, including the small and medium size enterprises. Human action is involved in designing machines, operations and work environments, in managing and operating the facility at all levels (production, pro-35 cessing, use, handling, storage, transport, and disposal of hazardous substances). The objectives are to present the approaches dealing with these issues and to de-velop recommendations for best practices. If best practices cannot be defined, further research and co-operation needs will be identified. 40

1 http://www.olis.oecd.org/olis/1999doc.nsf/LinkTo/env-jm-mono(99)12 2 http://appli1.oecd.org/olis/2005doc.nsf/linkto/env-jm-mono(2005)6



Discussion Document

2

1.2 Overview of workshop objectives The scope of the Workshop includes any fixed installation/facility where hazardous substances are produced, processed, used, handled, stored, transported (i.e. trans-port interfaces including railroad marshalling yards, road terminals, airports, loading and unloading facilities, port areas and pipelines) or disposed of, with the potential for 5 fire, toxic emission, explosion, spill, or other type of accident involving hazardous substances. Other sectors of industrial activity will be considered, in particular with respect to transfer of knowledge and experience (e.g. offshore, nuclear industry, aerospace industry), and the relationship between ’Best Practices’ and the safety procedures in such high risk technologies. 10 A more detailed description of the workshop objectives is as follows:

• Acceptance of definitions to be added to Annex I (Explanation of Terms Used) of the OECD Guiding Principles for Chemical Accident Prevention, Prepared-15 ness and Response3. These harmonised definitions could be used by industry and the authorities in incident investigation, documentation and lessons learnt communication

• Make recommendations on the best ways to assess safety cultures, because the quality of the safety culture of an organisation strongly determines the ef-20 fectiveness of its safety management system

• Make recommendations on appropriate human factors competence taking into account the types of responsibilities involved and the different management and staff levels in organisations (industries, authorities, expert organisations/ consultants) 25

• Make recommendation on the allocation of function at interfaces between safety systems and operators taken

• Make recommendation on alarm management, i.e. the adequate support of the operator in handling alarms including dealing with alarm flooding, suppres-sion and prioritising of alarms etc. 30

The primary focus over the two workshop days will be to understand and to discuss human factors issues under the above mentioned scope.

1.3 Thematic structure of the workshop 35 The Workshop is organized according to the following five thematic sessions. Session 1: Types of Human Error, Definition of Related Terms Session 2: Assessment of Safety Cultures Session 3: Appropriate Human Factors competence 40 Session 4: Interfaces between Safety and Operators Session 5: Human factors in Alarm Management

3 http://www.oecd.org/dataoecd/10/37/2789820.pdf



Discussion Document

3

Speakers have been selected to “set the scene” by describing the current frame-works, methodologies and interventions. These presentations are expected to high-light emerging issues related to the thematic sessions with the aim of focusing dis-cussions and stimulating constructive dialogue among participants. 5 In each session, the speakers’ presentations will be followed by a general discussion where conclusions and recommendations will be drawn. The workshop organizers are appreciative of the considerable contributions of gov-10 ernment and industrial sector experts from Europe, North America, Oceania and Asia involved with chemical accident programs in their respective countries.

1.4 Introduction to the discussion document This discussion document (DD) is based on information extracted from laws, regula-tions and directives from OECD member countries and regions on the analysis of 15 major databases on chemical accidents as well as on a literature research on the relevant topics. The discussion document is charged with achieving the following objectives: 20

• Describe the themes of the sessions • Identify some of the key issues for consideration



Discussion Document

4

2 Thematic session 1: Types of Human Error, Definition of Related Terms

Key objectives to be covered in the session 5 1. Make recommendations about the terminology and definitions to distinguish the

different human factors aspects when analysing and documenting incidents; 2. Define related terms like human error4, human failure, human (un)reliability, hu-

man behaviour, human performance, human contribution, human factors etc. to be include and/or revise in the OECD Guiding Principles; 10

3. Define relevant terms used in the recommendations of the Workshop. 4. Address the different types of human error which can occur at the various

stages of management and operation of a hazardous installation (e.g. design, construction, start-up, processing; handling, storage, shut-down, etc.), and link them to causes; 15

5. Explain how existing tools to investigate the human contribution to accidents and near-misses are used, and how they should be improved;

6. Make recommendations on the improvement of investigation techniques and incidents databases to provide useful and detailed information about different types of human errors and the barriers that were breached in the incident or the 20 safety management system responsible for those barriers;

2.1 Introduction The workshop on lessons learned from chemical accidents recommended further efforts to harmonise terminology across industrial sectors and countries, so that in-25 formation including accident data, data evaluation techniques, investigation method-ologies and communication of lessons learned can be easily shared. Such a recom-mendation also applies to harmonisation of terminology related to human error. Recommendations concerning definitions and terminology used to identify the differ-30 ent types of human error when analysing and documenting chemical accidents and incidents, and communicating lessons learnt will be presented in the following.

4 The translation of the term "human error" in other languages may lead to misinterpretation. Human

error is not just to be considered as a mistake, but also includes errors of judgement and perception, errors due to lack of physical capability or mental capacity, errors brought about due to lack of un-derstanding, or due to confusing or conflicting requirements from the system concerned. It is not re-stricted to operators but may be experienced by all levels within a concern or institution in which in-teractions occur. Human error can occur in management, design, maintenance, inspection, licens-ing, governance and operational capacities. The term "human factors" includes additional aspects of human involvement, in particular human behaviour and ability to promote safety (human factors can be positive or negative while human errors are always negative)



Discussion Document

5

For the preparation of this section of the discussion document the following sources were analysed:

• Technical standards • Selected analysis reports of accident and incidents 5 • Scientific literature from the field of psychology, human factors, organization

studies

2.2 Technical standards Definitions could be identified in documents of the HSE, OECD, VDI, IEC, ISO and 10 Namur. The definitions are either relevant for incident investigation and documenta-tion or for sessions of this workshop.

2.2.1 Terms relevant for incident investigation and documentation Error 15 Mismatch between the user's goal and the response of the system. Errors can in-clude navigation errors, syntax errors, conceptual errors, etc” (ISO/TC 159/SC 1/WG 1 N 88, 2006 /99/). Human error 20 “In this regard, it should be recognised that humans will, on occasion, fail and the majority of accidents are in some part attributable to human error, meaning human actions or inactions which unintentionally exploit weaknesses in equipment, proce-dures, systems and/or organisations” (HSE /3/, p.2 in HSG48 /4/) 25 “Human errors are not limited to operator errors but may occur at different points in the hierarchy of the enterprise including, for example, at the level of those responsi-ble for maintenance, management of change or permit to work systems, or at the level supervisors and management. Examples of human failures, in addition to op-erator errors, can involve: problems with transmission of knowledge, especially when 30 experienced specialists retire; the complexity of the system, including process design and engineering; the ageing of plants and related repairs, without adequate mainte-nance and inspection; and the need to cope with changes in organization or technol-ogy, including automation.” (OECD, Guiding Principles for Chemical Accidents Pre-vention, Preparedness and Response /5/, p.135) 35 “Human error / working error / erroneous action / error, i.e. all human actions which exceed defined acceptance limits” (VDI 4006.1, 12.85: Human reliability /6/) “Human error / mistake: Commission or omission which results in unintended conse-40 quence” (IEC 61511, DE /7/) Human failure and human error “A human error is an action or decision which was not intended, which involved a de-viation from an accepted standard and which led to an undesirable outcome’. Human 45 failure refers to errors AND violations (i.e. non-compliance with rules or procedures).” (HSE, 2005, /94/ p. 83 according to HSG48)



Discussion Document

6

Human factors “Human factors refer to environmental, organisational and job factors, and human and individual characteristics, which influences behaviour at work in a way which can effect health and safety” (HSE /3/, p.2 in HSG48 /4/). 5 “The term “human factors” is often used in a negative context (equating it to human error). However, humans are often the only means for effectively responding to ab-normal situations since they have the capability to reason, and then to override automatic reactions of machines. Humans have the capacity to forecast action, inte-grate complex and fuzzy information, and understand how to address unusual situa-10 tions based on experience and training.”(OECD, Guiding Principles for Chemical Ac-cidents Prevention, Preparedness and Response /5/, p.55) “Human factors involve designing machines, operations and work environments so that they match human capabilities, limitations and needs (and, therefore, is broader 15 than concerns related to the man-machine interface). It is based on the study of peo-ple in the work environment (operators, managers, maintenance staff, and others) and of factors that generally influence humans in their relationship with the technical installation (including the individual, the organisation and the technology)” (OECD, Guiding Principles for Chemical Accidents Prevention, Preparedness and Response, 20 /5/, p.179). Human failure “refers to errors made by those at the sharp end of incident causation that have di-rectly triggered the incident” /41/, p. 9. According to the HSE definition it is “ important 25 to remember that human failures are not random; there are patterns to them. […] There are three different types of human failures (unsafe acts) that may lead to major accidents: Intentional errors: 30 Violations differ from the above in that they are intentional (but usually well-mean-ing) failures, such as taking a short-cut or non-compliance with procedures e.g. de-liberate deviations from the rules or procedures. They are rarely wilful (e.g. sabotage) and usually result from an intention to get the job done despite the consequences. Violations may be situational, routine, exceptional or malicious.“ /3/, p. 2f 35 Unintentional errors: Errors (slips/lapses) are “actions that were not as planned” (unintended actions). These can occur during a familiar task e.g. omissions like forgetting to do something, which are particularly relevant to repair, maintenance, calibration or testing. These 40 are unlikely to be eliminated by training and need to be designed out. Mistakes are also errors, but errors of judgement or decision-making (“intended ac-tions are wrong”) - where we do the wrong thing believing it to be right. These can appear in situations where behaviour is based on remembered rules or familiar pro-cedures or unfamiliar situations where decisions are formed from first principles and 45 lead to misdiagnoses or miscalculations. Training is the key to avoiding mistakes.



Discussion Document

7

Human performance “Human performance: All aspects of human action relevant to the safe operation of a hazardous installation, in all phases of the installation from conception and design, through operation, maintenance, decommissioning, and shutdown“(OECD, Guiding Principles for Chemical Accidents Prevention, Preparedness and Response /5/, 5 p.179). Violation “A deliberate breach of rules and procedures.” (HSE Human Factors Briefing Note No. 3, Humans and Risk, /98/ p. 3). 10 “An error that occurs when an action is taken which contravenes known operational rules, restrictions and/or procedures. The definition of violations excludes actions taken to intentionally harm the system, i.e., sabotage.” (HSE, 2005, /94/ p. 83) 15

2.2.2 Terms relevant for sessions of this workshop Alarm “Indication requiring immediate response by the operator. The response may be, for example, manual intervention, increased watchfulness or initiation of further investi-gation. Note: This is a more extended notion of alarm than the VDI/VDE 3699 defini-20 tion, and follows the common usage of English and the use of the term in the context of PCS” (Namur-Worksheet NA 102 /8/, p.6). “warning of existing or approaching danger” (ISO/TC 159/SC 1/WG 1 N 88, 2006 /99/). 25 “Traditionally, alarms were used to provide safety information to plant operators. This included alarms on process conditions that could result in injury to personnel and/or equipment damage, if no action was taken. When computer control systems were introduced into process plants, alarms could be easily added, and they are now used 30 for a much wider range of uses. This includes event logging, indication of process deviations, plant status, abnormal process conditions, etc.” (HSE, 2005, /94/ p. 2) Alarm flooding (alarm shower) “Situation in which alarms occur faster than they can be perceived and processed by 35 the operator” (for “alarm shower” in Namur-Worksheet NA 102 /8/, p.6). “Alarm flooding is a condition where alarms appear on the control panels at a rate faster than the operator can comprehend or deal with. Alarm flooding prevents the operator from determining the cause of the process upset or process emergency and 40 therefore limits the scope for effective and quick emergency response.” (HSE, 2000 /95/) “An alarm “flood” is when operators are presented with too many alarms within a short space of time so that they cannot identify individual alarms and take action 45 upon them. In these circumstances operators will often miss or ignore alarms. Alarm floods often occur during process disturbances e.g. power failure when the informa-tion they supply the operator is most critical.” (HSE, 2005 /94/, p. 2)



Discussion Document

8

Alarm Management “Alarm management systems support the operator in avoiding and controlling ab-normal conditions” (Namur-Worksheet NA 102 /8/, p.6). Alarm rate 5 “Number of alarms that occur per unit of time” (Namur-Worksheet NA 102 /8/, p.6). Behaviour “skill-based behaviour Behavior mostly related to frequent tasks. Only a small degree of conscious thinking 10 activity is required. rule-based behaviour Behaviour mostly related to less-familiar tasks, which are based on the experience and capabilities of the person in question. The behaviour is the result of comparing 15 the information with familiar patterns or rules on an if-then-basis. knowledge-based behaviour Behaviour mostly related to new tasks, whereas familiar patterns and rules cannot be applicated directly. Requires a high degree of conscious thinking.” (VDI 4006 Part 1 20 /6/, p.2) Critical alarm “safety critical alarms are distinguishable from other operational alarms” (HSE, 2005 /94/, p. 1) 25 “For critical (all?) alarms, the expected operator action is documented. The state of all critical alarms is always visible. Critical alarms are tested on some plant-defined frequency.” (HSE, 1998 /96/, p. 217) 30 Ergonomics “The area of ergonomics with the purpose of designing working conditions adapted to human beings. The discipline which deals with the design and handling of machines as well as with working environments so that these match human capabilities and limitations” (VDI 4006 Part 1 /6/, p.3). 35 Human reliability “The capability of human beings to complete a task under given conditions within a defined period of time and within the acceptance limits” (VDI 4006 Part 1 /6/, p.3). 40 Man-machine-system (MMS) “The combinations and the total of interactions between human beings and opera-tional means during the work“ (VDI 4006 Part 1 /6/, p.3). Message 45 “Indication or report of an occurrence i.e. transition from one discrete status to an-other (according to VDI/VDE 3699). Note: The term "message" or "notification" is used in the literature both as a generic and a particular term. In this worksheet, the



Discussion Document

9

term is used for those messages that do not necessitate an immediate response from the operator.”(Namur-Worksheet NA 102 /8/, p.6). Qualification “The existence of physical, mental, and personal qualifications for tasks with specific 5 requirements, whereby it is essential to dispose of capabilities (physical as well as psychological) and skills (behaviour learned and trained) to react according to the requirements” (VDI 4006 Part 1 /6/ p.3). Safety culture 10 “Safety Culture is a term that was first introduced after the Chernobyl disaster in 1986. The safety culture of an organisation is the product of the individual and group values, attitudes, competencies and patterns of behaviour that determine the style and proficiency of an organisation’s health and safety programmes.” (postnote, 2001, /97/ p. 5) 15 “safety culture” is seen as being something that operators have and it has been found, following the investigation of major accidents, that management have not ac-knowledged that the development and maintenance of a safe culture lie within the bounds of their responsibility.” (HSE, 2005, /94/ p.7) 20 “The safety culture of an organisation is the product of individual and group values, attitudes, perceptions, competencies, and patterns of behaviour that determine the commitment to, and the style and proficiency of, an organisation’s health and safety management. Organisations with a positive safety culture are characterised by com-25 munications founded on mutual trust, by shared perceptions of the importance of safety and by confidence in the efficacy of preventive measures.” (HSE, 2005, /94/ p. 59 according to ACSNI, 1993) Safety culture is an amalgamation of values, standards, morals and norms of accept-30 able behaviour. These are aimed at maintaining a self-disciplined approach to the enhancement of safety beyond legislative and regulatory requirements. Therefore, safety culture has to be inherent in the thoughts and actions of all the individuals at every level in an organization. The leadership provided by top management is cru-cial. Safety culture applies to conventional and personal safety as well as nuclear 35 safety. All safety considerations are affected by common points of beliefs, attitudes, behaviour, and cultural differences, closely linked to a shared system of values and standards. (According to INSAG-4 /47/, p. 3) Safety climate 40 “the workforce’s attitudes and perceptions at a given place and time. It is a snapshot of the state of safety providing an indicator of the underlying safety culture of an or-ganisation.” (PRISM, 2003, /91/ p.6) Safety function 45 “function to be implemented by an SIS, other technology safety related system or external risk, reduction facilities, which is intended to achieve or maintain a safe state for the process, with respect to a specific hazardous event



Discussion Document

10

NOTE This term deviates from the definition in IEC 61508-4 to reflect differences in process sector terminology.” (IEC 61511-1, 2003 /7/, p. 25) Safety instrumented system (SIS) “instrumented system used to implement one or more safety instrumented functions. 5 An SIS is composed of any combination of sensor (s), logic solver (s), and final ele-ments (s) (IEC 61511-1, 2003 /7/, p. 25f)

Final elements Logic solver Sensors

NP

PE

NP

PE

PE

NP

PE

Figure 1: Example of SIS architecture (IEC, 61511-1, /7/, p. 25) 10 Task analysis “Analytical process for determining the behavior of persons within a man-machine system. The goal of the task analysis in the framework of the HRA is to decompose action sequences into single steps (action elements) which then in turn are accessi-15 ble for a qualitative and quantitative assessment and representation according to the chosen modeling approach” (VDI 4006 Part 2 /9/ p. 5). “analytical process employed to determine the specific behaviours required of people when operating equipment or doing work (ISO 9241-5:1998). Note: The task analysis 20 is not a risk assessment of the workplace according to legal requirements” (ISO/TC 159/SC 1/WG 1 N 88, 2006). Training “Organized education which is designed to increase and maintain the physical and 25 psychological performance capabilities of human beings” (VDI 4006 Part 1 /6/ p.4). Work load “The entirety of all external conditions and requirements in the working system, which 30 could influence a person physically and/or psychologically (VDI 4006, Part 1 /6/, p.4). Work stress/ external load “sum of those external conditions and demands in the work system which act to dis-turb a person's physiological and/or psychological state” (ISO/TC 159/SC 1/WG 1 N 35 88, 2006).



Discussion Document

11

2.3 Analysis of accidents and incidents In the reports no definitions of human errors were identified, but the following classifi-cations. 5 In the MARS5 database which is used by both EU and OECD member countries to report industrial accidents in the MARS standard format and to exchange accidents information 603 events are reported, about 40% classified are as “Cause Human”. The single descriptions do not result in a useful classification, because their variation is too broad and results in about 70 different causes (see table 6 in the annex for the 10 descriptions). A comparable picture shows the German database ZEMA: 502 events are reported, 124 with “cause is human error”. Descriptions are similar to those in the MARS data-base. 15 The Chemical Safety and Hazard Investigation Board (CSB) of the United States of America is an independent federal agency charged with investigating industrial chemical accidents. The CSB conducts root cause investigations of chemical acci-dents at fixed industrial facilities. CSB-reports are available in the internet, but with-20 out selection functions according to causes. Three reports on events with a human contribution are summarized in the annex as an example. The U.S. Nuclear Regulatory Commission (NRC) collects data from its own inspec-tion reports and from Licensee Event Reports (LERs), which are submitted by the 25 operators of the nuclear power plants and other nuclear facilities. NRC uses this in-formation to assess training procedures, organizational processes, human-system interface, communication, and inspections. Using defined criteria, NRC sorts the de-scriptions of human performance issues into the following eight categories and codes them: 30

1. Training 2. Procedures and Reference Documents 3. Fitness for Duty 4. Oversight 6 5. Problem Identification & Resolution 35 6. Communication 7. Human-System Interface and Environment 8. Work Planning and Practices

Each category is further divided into areas, and each area contains a series of details 40 that describe the human performance issue (updated January 2006) See the table 7 in the annex for a listing of the possible codes.

5 Major Accident Hazards Bureau (MAHB), http://mahbsrv.jrc.it/

6 Oversight as the activity that managers carry out to prevent things being over-looked.



Discussion Document

12

The HSE suggest a classification scheme for human failures in which a differentiation between action errors, checking errors, information retrieval errors, information com-munication errors, selection, planning errors, and violations is made HSE, 2004 /93/, p.5f): 5 Action Errors A1 Operation too long / short A2 Operation mistimed A3 Operation in wrong direction A4 Operation too little / too much 10 A5 Operation too fast / too slow A6 Misalign A7 Right operation on wrong object A8 Wrong operation on right object A9 Operation omitted 15 A10 Operation incomplete A11 Operation too early / late Checking Errors C1 Check omitted C2 Check incomplete 20 C3 Right check on wrong object C4 Wrong check on right object C5 Check too early / late Information Retrieval Errors R1 Information not obtained 25 R2 Wrong information obtained R3 Information retrieval incomplete R4 Information incorrectly interpreted Information Communication Errors I1 Information not communicated 30 I2 Wrong information communicated I3 Information communication incomplete I4 Information communication unclear Selection Errors S1 Selection omitted 35 S2 Wrong selection made Planning Errors P1 Plan omitted P2 Plan incorrect Violations 40 V1 Deliberate actions



Discussion Document

13

The Health & Safety Laboratory (HSL) of the United Kingdom published a report on the causes of major incidents (HSL /10/). One of the main findings points to the im-portance of organizational factors: “The literature on the control of human factors in the major hazard industry points to a focus on organizational factors (via safety cul-ture) more than individual behaviours.”(HSL /10/, p. iv) or “The numerous case stud-5 ies and analyses of incident reports show that human error influenced by human and organisational factors are implicated as a cause of incidents in the major hazard sec-tor. It is recognised that controls on human and organisational factors are even more important than technology because significant improvements have been made to en-sure increasingly inherent safety of machinery, technology and equipment (e.g. Lee 10 /11/).” (HSL /10/, p. 4). In the report it was highlighted that a complex chain of events including factor from organisation, individual and technology existed for the majority of accidents. This combination of events resulted in the incident. Key factors that contributed to the ac-15 cidents were:

• Poor management practices, e.g. inadequate supervision • Pressure to meet production targets • Inadequate safety management system • Failure to learn lessons from previous incidents 20 • Communication issues e.g. between shifts, between personnel and manage-

ment etc. • Inadequate reporting systems • Complacency • Violation/non-compliance behaviour 25 • Inadequate training e.g. emergency response, fire and safety • Lack of competency • Excessive working hours resulting in mental fatigue • Inadequate procedures • Modification/ updates to equipment without operator knowledge and /or re-30

vised risk assessments • Inadequate / insufficient maintenance • Maintenance errors

Similar factors were identified ten years before in a HSE-report on the contribution of 35 attitudinal and management factors to risk in the chemical industry (HSE CRR 81 /12/): Although there was little detail in the accident reports on underlying causes, as the reports were focussed on the immediate causes, some main human factors is-sues could be identified as contributing:

• Maintenance errors 40 • Inadequate procedures • Inadequate job planning • Inadequate risk assessment • Inadequate training of staff • Unsafe working condoned by supervisors / managers 45 • Inadequate control and monitoring of staff by managers • Inadequate monitoring of contractors working on site



Discussion Document

14

A review on documented methods / instrument for event analysis showed the follow-ing picture /13/: The majority of the evaluated methods (Change Analysis, ASSET – Assessment of Safety Significant Events Teams, CREAM – Cognitive Reliability and Error Analysis Method, HPES – Human Performance Enhancement System, MORT – Management Oversight and Risk Tree , SOL – Safety through Organizational 5 Learning, STEP – Sequentially Timed Event Plotting, TOR – Technique of Opera-tions and Review) cover intermediate causes as well as underlying mechanism. Al-though there are some differences according to the causal categories, the above mentioned main human factors issues are taken into account in the methods, except in Change Analysis and STEP, which have no categories or classification scheme for 10 causes.

2.4 Scientific literature from the field of psychology, human fac-tors, organization studies

15 In the literature there are various definitions of human errors as the following exam-ples show: “The fundamental semantic problem is that the term “human error“ has at least three different denotations, so that it can mean either the cause of something, the event 20 itself (the action), or the outcome of the action.” /14/, p.1:

• “Human error “as cause: “The oil spill was caused by human error”. Here the focus is on the action (the “human error“) as the alleged cause of the observed outcome (the oil spill). 25

• “Human error “as event or action: “I forgot to check the water level“. Here the

focus is on the action or process itself, whereas the outcome or the conse-quence is not considered. […]

30 • „Human error “as consequence: “I made the error of putting salt in the coffee“.

Here the focus is on the outcome, although the linguistic description is of the action. […] A more serious example is the use of the term “latent human er-ror“. This implies, wrongly, that one or more “human errors” are hidden some-where in the system in the system and that they have yet to manifest them-35 selves. The intended meaning is rather that the system hides one or more la-tent consequences of a “human error” that already have occurred“ /14/, p.1. In industry usually, only errors having non acceptable consequences (i.e. outside the field of safety operations, as defined by procedures, instructions and safety analyses) are labelled ‘errors’ On the other hand, psychologists define 40 error as an erroneous act, whatever its consequences, or the level at which it is detected and recovered. /15/, S. 112.

“Rasmussen, Duncan, and Leplat (1987) defined human errors as an act that is counterproductive with respect to the person’s (private or subjective) intentions or 45 goals. A group of experts at the OECD defined human error as behaviour, or its ef-fects, which lead a system to exceed acceptable limits (Nicolet, 1987). For Mashour (1974), error is the deviation of actual performance from the desired performance of



Discussion Document

15

criterion. Kruglanski and Ajzen (1983) described error as the type of experience a person might have following an encountered inconsistency between a given hy-pothesis, conclusion, or inference, and a firmly held belief.” /16/, p. 420. “Human error is a feature of human activity: it describes that type of activity that 5 causes the controlled system to diverge further than the tolerated field of variation […]. Human error is an ambiguous expression that must not lead to a uni-causal conception of error but encourage the search for the multiple determining factors in its production. The goal of the analysis of human error will be to discover these de-termining factors.” /17/, p.126. 10 “How are faults and errors defined? Basically they are defined as causes of unfulfilled purposes […] human errors can be compared with intermittent faults in an electronic system. For such faults, you will often stick to the deterministic explanation and look for external causes such as noise interference. “ /18/, p.98 15 “If a system performs less satisfactorily than it normally does - because of a human act - the cause will very likely be identified as a human error.” /19/, p.827 “We define an error as the integrated accidental causation of an accident, injury, or 20 death, whether or not there are multiple contributions, systems, error types, or per-sons involved.” /20/, p. 279. “There are three elements to an action- theory- based definition of an error: (a) errors only appear in goal- oriented action; (b) an error implies non-attainment of a goal; (c) 25 an error should have been potentially avoidable (cf. Frese & Peters, 1988; Norman, 1984; Rasmussen, 1987c, Reason, 1987b, 1990).” /21/, p.313. “Defining error as a ‘failure of planned actions to achieve their desired goal’ […] /22/, p. 4 according to /23/. 30 “Errors represent the mental or physical activities of individuals that fail to achieve their intended outcome.” /24/, p. 1. “…error can be defined as action or inaction leading to deviation from team or or-35 ganisational interventions.” /25/, p. 781. “Any action (or inaction) that potentially or actually results in negative system effects given the situation that other possibilities were available. This includes any deviation from operating procedures, good working practice or intentions. There are several 40 benefits of this definition. First, the definition of human error is neural with regard to any question of blame. Second, an error does not need to involve any system conse-quences. This is in concordance with the principle that an error should be judged on the basis of the underlying processes and not the product. Third, an action or inaction can only be labelled as an error if another alternative was available. Finally, the defi-45 nition accepts several different criteria or standards to which the performance can be compared, namely the standards operating procedures, good working practice or simply the actor’s intentions.” /26/, p. 22



Discussion Document

16

“Human error is considered here as any action or failure to act by a human being in the process of his activity, which violates understood standards or acceptable boundaries of behaviour (Kotik and Yemelyanov, 1985; Miller and Swain, 1986) The notion of error is not necessarily associated with guilt, the consequences of the error or the presence or absence of intention.” /27/, p. 2437. 5 “[…] errors as phenomena which are closely related to the correct execution of the respective action, i.e., the two are regarded as two sides of the same coin (e.g., Rea-son, 1979; Fromkin, 1980; Wehner & Stadler, in press). As a consequence, and in contrast to other disciplines such as engineering, psychological error research deals 10 with both, the description and causal analysis of errors, with their phenotype and genotype (cf. Becker et al., 1994).” /28/, p. 5. “[…] any human action that exceeds some limit of acceptability (i.e. an out- of- toler-ance action) where the limits of human performance are defined by the system.” /29/ 15 “Errors are connected with goals and purposes. An individual is always aiming to-wards some objective and has not yet got there. As soon as he achieves one objec-tive he turns his attention to another one thereby deliberately perpetuating or recre-ating a state of error […] error can be defined as a transgression of a rule.” /30/, p. 20 727. “Errors are, basically, defined as being human acts which are judged by somebody to deviate from some kind of reference act. This reference, however, is not stable but depends on the circumstances of the judgement. […] In consequence, the perception 25 of an act as being an error depends on the identity of the judge and the point in time of judgement. That is the concept of ´human error´ is subjective and varies with time. In addition the definition of error appears to be changing with the nature of the work environment in question” /31/. 30 “...departure from acceptable or desirable practice on the part of an individual that can result in unacceptable or undesirable results” /32/, p. 538; /33/, p. 432. “[…] human errors as instances of man- machine misfits, i.e., instances when human variability is not within the span acceptable for successful task performance. Varia-35 tions in performance become human errors only in an ´unkind´ environment which does not allow immediate correction. This means that to characterize human ´errors´, one has to determine the variability of human behaviour and there acceptance limits for variation which hold for the work situation. Generally, human errors are defined in terms of faulty, external task element and data are collected correspondingly.” /34/, p. 40 82). “[…] any failure in a system may be seen as human error” /35/, p.10.



Discussion Document

17

To organize these different understandings and perspectives on human error and human factors it is suggested to classify them according to task, action, conse-quences and organizational aspects: 1. Task related definitions 5 Omission: „failure to act at all“, „what is not done”, „failing to do the right thing” /16/, p. 419; /36/, p. 126; (AHRQ, 2007 according to Reason 1990, 2000) Commission: „the correct function at the wrong time“, „what is done”, „doing some-thing wrong” /16/, p. 419; /36/, p. 126; (AHRQ, 2007) 2. Action related definitions 10 Terms: slips, lapses, mistakes „Errors as failure of planned actions to achieve their desired ends.“ /37/, p.71. „The plan is adequate, but the action fail to go as planned.” /37/, p. 71. „The actions may conform exactly to the plan, but the plan is inadequate to achieve its intended outcome.” /37/, p. 71. 15 3. Consequence related definitions Violation: “deviation from safe operating practice“ /22/, p. 6, “the failure to apply a good rule” /22/, p. 6 according to /38/) Mismatch: „errors considered as occurrences of man- task mismatches” /39/, p. 53. 20 4. Definitions related to organizational aspects Terms: latent failures, performance shaping factors (PSFs), general failure types „Errors as described by Reason relates to the difference in the active or latent nature of error“ /22/, p. 4 25 „Active errors occur at the point of contact between a human and some aspect of a larger system (eg, a human-machine interface). They are generally readily apparent (eg, pushing an incorrect button, ignoring a warning light) and almost always involve someone at the frontline. Latent errors (or latent conditions), in contrast, refer to less apparent failures of organization or design that contributed to the occurrence of er-30 rors or allowed them to cause harm” (AHRQ, 2007 according to Reason 1990, 2000) “Unsafe acts and situations do not just occur. They are generated by mechanism act-ing in an organisation. …Sometimes those mechanisms result from decisions taken high in the organisation, thereby causing many unsafe acts. … These mechanisms are called General Failure Types (GFTs).” 11 GFTs were identified as follows /40/, 35 p.151:

• hardware defects • inappropriate design • poor maintenance management • poor operating procedures 40 • error- enforcing conditions • poor housekeeping • incompatible goals • communication failures • organizational failures 45 • inadequate training • inadequate defences



Discussion Document

18

Reason /38/, /37/ suggested a widely accepted model on human error which he de-fines “as the failure of planned actions to achieve their desired ends – without the intervention of some unforeseeable event” (p. 71). In this definition are three ele-ments: 1.) a plan or intention including the goal and how to achieve it; 2) a sequence of actions initiated by that plan and 3.) the extent to which these actions are suc-5 cessful in achieving that goal. Table 1: Summary of the principal error types according to Reason /38/

Human Failure

Errors Violations

Slips Mistakes Misvention Mispliance

Attentional

slips of ac-

tion

Lapses of

memory

Rule-

based

mistakes

Knowledge-

based mis-

takes

10 As the following explanations of the different human failure types show most of the above mentioned terms and definitions can be subsumed under Reason’s model.

• Slips The plan is adequate, but the actions fail to go as planned 15

• Attentional slips of action are related to observable actions and associated with attentional or perceptual failures

• Lapses of memory are more internal events and generally involve failures of memory 20

• Mistakes The actions conform to the plan, but the plan is inadequate to achieve the goal. The failure lies at a higher level, the mental processes go wrong

• Rule-based mistake misapplication of good mental rules or the application of bad mental rules 25

• Knowledge-based mistakes occur when there are no prepackaged solutions and problem solutions have to identified on line

• Violations the failure to apply a good rule 30

• Misvention behaviour that involves both a deviation from appropriate safety procedures and errors leading to unsafe outcome

• Mispliance behaviour that involves mistaken compliance with inappropriate or inaccurate 35 operating procedures, leading to an unsafe outcome



Discussion Document

19

2.5 Conclusions If the different terms like human error, human failure, human factors etc should be defined it seems reasonable to order them in a hierarchic model like the one of Rea-son described above. 5 Summarizing the background for this thematic session the following additional terms and definitions are identified as important for integration in the glossary of the OECD Guiding Principles:

2.5.1 Terms relevant for incident investigation and documentation 10

1. Error of omission which are „failure to act at all“, „what is not done” and „failing to do the right thing” /16/, p. 421; /36/, p. 126; (AHRQ, 2007) can be subsumed under slips (of action) 15

2. Error of commission which are „the correct function at the wrong time“, „what is done” and „doing something wrong” /16/, p.421; /36/, p. 126; (AHRQ, 2007) can be subsumed under lapses (of memory) 20

3. Human error “In this regard, it should be recognised that humans will, on occasion, fail and the majority of accidents are in some part attributable to human error, meaning human actions or inactions which unintentionally exploit weaknesses in equipment, procedures, systems and/or organisations” (HSE /3/, p.2 in HSG48 25 /4/) Unintentional errors: slips/lapses are “actions that were not as planned” (unintended actions). These can occur during a familiar task e.g. omissions like forgetting to do something, which are particularly relevant to repair, maintenance, calibration 30 or testing. These are unlikely to be eliminated by training and need to be de-signed out /41/. Mistakes are also errors, but errors of judgement or decision-making (“in-tended actions are wrong”) - where we do the wrong thing believing it to be right. These can appear in situations where behaviour is based on remem-35 bered rules or familiar procedures or unfamiliar situations where decisions are formed from first principles and lead to misdiagnoses or miscalculations. Train-ing is the key to avoiding mistakes /41/. Intentional errors: Violations differ from the above in that they are intentional (but usually well-40 meaning) failures, such as taking a short-cut or non-compliance with proce-dures e.g. deliberate deviations from the rules or procedures. They are rarely wilful (e.g. sabotage) and usually result from an intention to get the job done despite the consequences. Violations may be situational, routine, exceptional or malicious.“ /3/, p. 2f 45



Discussion Document

20

4. Active error which relates to human error: „ […] active failures are made by those at the sharp end of incident causation (e.g. control room operators, maintenance personnel, the pilot who shuts down the perfectly healthy engine in the inci-dent description). Failures made at the sharp end generally lead to direct con-5 sequences and the one making the failure is therefore also likely to experience the consequences” /41/, p.11, according to /38/.

5. Latent Error which are mainly organizational errors: „Latent errors … are made at the blunt 10 end by those whose activities are removed in both time and sharp end of inci-dent causation (e.g. high level decision makers, designers, the CAA in the in-cident description). These latent failures create the conditions for active fail-ures to be made” /41/, p.11, according to /38/. 15

6. Organizational culture “a pattern of basic assumptions-invented, discovered, or developed by a given group as it learns to cope with its problems of external adaptation and internal integration that has worked well enough to be considered valid and therefore to be thought to new members as the correct way to perceive, think, and feel 20 in relation to those problems” (Schein, 1985, p.9).

7. Qualification “The existence of physical, mental, and personal qualifications for tasks with specific requirements, whereby it is essential to dispose of capabilities (physi-25 cal as well as psychological) and skills (behaviour learned and trained) to re-act according to the requirements” /6/, p.3.

8. Safety culture Safety culture is an amalgamation of values, standards, morals and norms of 30 acceptable behaviour. These are aimed at maintaining a self-disciplined ap-proach to the enhancement of safety beyond legislative and regulatory re-quirements. Therefore, safety culture has to be inherent in the thoughts and actions of all the individuals at every level in an organization. The leadership provided by top management is crucial. Safety culture applies to conventional 35 and personal safety as well as nuclear safety. All safety considerations are af-fected by common points of beliefs, attitudes, behaviour, and cultural differ-ences, closely linked to a shared system of values and standards. (According to INSAG-4 /47/, p. 3) 40

9. Safety climate “the workforce’s attitudes and perceptions at a given place and time. It is a snapshot of the state of safety providing an indicator of the underlying safety culture of an organisation.” (PRISM, 2003, /91/, p.6) 45

10. Training “Organized education which is designed to increase and maintain the physical and psychological performance capabilities of human beings” /6/, p.4.



Discussion Document

21

11. Work load “The entirety of all external conditions and requirements in the working sys-tem, which could influence a person physically and/or psychologically /6/, p.4.

12. Work stress 5 “sum of those external conditions and demands in the work system which act to disturb a person's physiological and/or psychological state” (ISO/TC 159/SC 1/WG 1 N 88, 2006).

2.5.2 Terms relevant for sessions of this workshop 10 13. Alarm

“Indication requiring immediate response by the operator” for reasons of safety. “The response may be, for example, manual intervention, increased watchfulness or initiation of further investigation.” (according to Namur-Work-sheet NA 102 /8/, p.6). 15

14. Alarm flooding “Situation in which alarms occur faster than they can be perceived and proc-essed by the operator” according to /8/, p.6.

15. Alarm Management “Alarm management systems support the operator in avoiding and controlling 20 abnormal conditions” /8/, p.6.

16. Alarm Priority “Classification of alarms according to their importance (e.g. seriousness of consequences and urgency)” /8/, p.6.

17. Alarm rate 25 “Number of alarms that occur per unit of time” /8/, p.6.

18. Behaviour skill-based behaviour “Behavior mostly related to frequent tasks. Only a small degree of conscious thinking activity is required.” 30 rule-based behaviour “Behaviour mostly related to less-familiar tasks, which are based on the ex-perience and capabilities of the person in question. The behaviour is the result of comparing the information with familiar patterns or rules on a if-then-basis.” knowledge-based behaviour 35 “Behaviour mostly related to new tasks, whereas familiar patterns and rules cannot be applicated directly. Requires a high degree of conscious thinking” /6/, p.2.

19. Critical alarm “Safety critical alarms are distinguishable from other operational alarms. For 40 critical alarms, the expected operator action is documented. The state of all critical alarms is always visible. Critical alarms are tested on some plant-de-fined frequency.” (according to HSE, 1998 /96/, p. 217)

20. Human reliability Which refers to the absence of human errors: The capability of human beings 45 to complete a task under given conditions within a defined period of time and within the acceptance limits. /6/.



Discussion Document

22

21. Ergonomics

“The area of ergonomics with the purpose of designing working conditions adapted to human beings. The discipline which deals with the design and handling of machines as well as with working environments so that these 5 match human capabilities and limitations” /6/, p.3.

22. Man-machine-system (MMS) “The combinations and the total of interactions between human beings and operational means during the work“ /6/, p.3.

23. Message 10 “Indication or report of an occurrence i.e. transition from one discrete status to another (according to VDI/VDE 3699). Note: The term "message" or "notifica-tion" is used in the literature both as a generic and a particular term. In this worksheet, the term is used for those messages that do not necessitate an immediate response from the operator”. /8/, p.6. 15

24. Performance shaping factors In modelling human performance for PRA, it is necessary to consider those factors that have the most effect on performance. …Some of these perform-ance shaping factors (PSFs) are external to the person and some are internal. The external PSFs include the entire work environment, especially the equip-20 ment design and the written procedures or oral instructions. The internal PSFs represent the individual characteristics of the person – his skills, motivations, and the expectations that influence his performance. /42/, p.2-5

25. Safety function “function to be implemented by an SIS, other technology safety related system 25 or external risk, reduction facilities, which is intended to achieve or maintain a safe state for the process, with respect to a specific hazardous event

26. Safety instrumented system (SIS) “instrumented system used to implement one or more safety instrumented functions. An SIS is composed of any combination of sensor (s), logic solver 30 (s), and final elements (s) (according IEC 61511-1, 2003 /7/, p. 25f)

27. Safety life cycle “necessary activities involved in the implementation of safety instrumented function(s) occurring during a period of time that starts at the concept phase of a project and finishes when all of the safety instrumented functions are no 35 longer available for use

28. Task analysis “Analytical process employed to determine the specific behaviours required of people when operating equipment or doing work (ISO 9241-5:1998). Note: The task analysis is not a risk assessment of the workplace according to legal re-40 quirements” (ISO/TC 159/SC 1/WG 1 N 88, 2006).



Discussion Document

23

In addressing the different types of human error which can occur at the various stages of management and operation of a hazardous installation (e.g. design, con-struction, start-up, processing; handling, storage, shut-down, etc.) it seems sensible to use an empirical proofed classification like the GFT-model which covers the fac-tors addressed in the HSE /3,12/ and HSL /10/ reports discussed above: 5

• hardware defects • inappropriate design • poor maintenance management • poor operating procedures • error- enforcing conditions 10 • poor housekeeping • incompatible goals • communication failures • organizational failures • inadequate training 15 • inadequate defences

Beside the analysis of the different accident-databases and explanation of existing tools and their possible improvements is given by the above mentioned HSE /3, 12/ and HSL /10/ reports. In these reports important factors contributing either as inter-20 mediate or underlying causes are identified, but also the problem that not all reports are detailed enough. For this problem it is suggested to classify both kinds of causal factors in the future. A coding scheme could be linked to the list of factors from the above mentioned reports. As tools to identify underlying causes one of the reviewed methods could be used. 25

2.6 Questions 1. Is a hierarchical model of terms related to human factors/error for the definition

useful? 2. Are the definitions suitable/ useful in regard to event-analysis and reporting? 30 3. Are relevant definitions missing? 4. Are the definitions and the system for incident analysis suitable as a basis for

testing and further amending in a working group to be considered for reports to MARS?

35



Discussion Document

24

3 Thematic session 2: Assessment of Safety Cultures Key objectives to be covered in the session

• Describe methodologies and instruments which allow to assess safety cultures 5 as well as how to improve them;

• Define basic requirements of these methodologies/ instruments, e.g. require-ments related to the dimensions/key elements to be assessed as well as structures and/or groups to be included;

• Explain the use of safety culture assessment to improve safety; 10 • Make recommendations on the best ways to assess safety cultures;

3.1 Introduction The main focus in this session is the prevention and mitigation of chemical accidents, i.e. the process safety, not the prevention of occupational accidents, i.e. workplace 15 safety. Therefore definitions of safety culture and safety climate are discussed, ways to characterize and differentiate safety culture are described and possibilities to as-sess or evaluate safety culture and safety climate are presented. The question how to improve safety culture is not part of this document. 20 The OECD Guiding Principles /5/ highlights the importance of safety cultures and in-clude several recommendations concerning the different elements of a safety culture. Presently, there are no recommendations on methodologies to assess existing safety cultures and how they can be improved. The topics to be addressed under this item include: Review the existing, and as far as possible well proven, approaches to as-25 sess safety cultures; define the likely key elements of these methodologies; and make recommendations on how progress of safety cultures assessment should be addressed. Reference to the relevant sections of the OECD Guidance on Safety Per-formance Indicators /43/ should be made. 30 In spite of its wide diffusion and use, the term safety culture is still vague in its under-standing and theoretical underpinnings - ranging from cognitive characteristics of the members of an organization to a more comprehensive notion including also behav-iour not only of the members of a given organization but of all actors in the system understood in its wider sense: individual organization members, work teams, organ-35 izational features and units, extra-organizational environment, technology. A growing consensus emerges that safety culture ought to be conceived as a holistic and inte-grating concept. /44/. Safety culture should be seen as an aspect of the organiza-tional culture in which safety is a critical factor in the norms, values and attidudes of every staff member. The mostly referred model in this regard is the model of Schein 40 (1985). He defines the culture of an organization as “a pattern of basic assumptions-invented, discovered, or developed by a given group as it learns to cope with its problems of external adaptation and internal integration-that has worked well enough to be considered valid and therefore to be thought to new members as the correct way to perceive, think, and feel in relation to those problems” (p.9). With respect to 45 the empirical approach and the question about the practical relevance can both con-cepts be equated.



Discussion Document

25

Because there are many problems in the assessment of safety culture, but a huge body of references of safety climate tools /90/, also some links to safety climate are drawn. According to Olive, O’Connor and Mannan /56/ both phrases: safety culture and safety climate can be used to describe the underlying safety attitude of an or-5 ganization. The authors argued that “safety climate generally refers to the attitude the people in the organization have towards safety. […] Culture can be viewed as the background influence on the organization, while climate is the foreground. As a re-sult, safety climate changes more quickly and more readily than safety culture. In the aftermath of a significant accident, it is the climate of an organization, rather than the 10 culture, that will undergo immediate modification.” /56/, p. 133. For the preparation of this section of the discussion document the following sources were analysed: 15

• Official documents by the OECD, IAEA, Responsible Care, ILK, and HSE • Scientific literature from the field of psychology, human factors, organization

studies

3.2 Official documents 20 Documents taken into account were OECD Guiding Principles for Chemical Accident Prevention, Preparedness and response /5/, OECD Guidance on Safety Perform-ance Indicators /43/, several publications of the IAEA /45, 46, 47, 48/ as well as the Responsible Care Fundamental Features /49/, a report from HSE /50, 51/ and a statement from a German consulting commission in the nuclear field /52/. 25

3.2.1 General principles by the OECD The OECD formulates in its Guiding Principles for Chemical Accident Prevention, Preparedness and Response /5/ general principles for safety culture addressing im-plementation and enhancement of safety culture: 30

• Establishment and promotion of corporate safety culture, reflected in a corpo-rate Safety Policy. Effective safety culture as an essential element of safety management Values, attitudes and behaviour of senior management and the communica-35 tion of these throughout the organisation determine the safety culture.

Additional a bottom-up commitment through the active application of safety policies by all employees is necessary

An essential element of safety culture is the belief that all accidents are pre-ventable. 40

Comprehensive rules concerning the roles, rights and obligations of all those concerned with the assurance and maintenance of safety are necessary.

Safety considerations should be incorporated into: planning, design, con-struction and commissioning of installations; operating policies and pro-cedures, including organisation and personnel arrangements; maintenance; 45 temporary shutdowns; monitoring and assessment of safety; and decom-missioning, closure and demolition of hazardous installations.



Discussion Document

26

• Clearly-stated and visible commitment to safety in an enterprise, directed at having all employees act appropriately with regard to safety, i.e.: clear and visible management interest in safety performance through per-sonal involvement

good communication on safety issues among and between management 5 and other employees

positive feedback concerning actions taken to increase safety quick response to remedy identified faults financial and career incentives for good safety performance participation of employees at all levels in developing and reviewing safety 10 management procedures

timely investigations of all accidents and relevant near-misses, and rapid dissemination of the findings of the investigations

• Initiative and alertness in the interest of safety should be encouraged: Guard against complacency or structural/procedural shortcomings 15 “Error tolerance”; no focus on assessing blame or punishing errors, atmos-phere of co-operation and openness in which employees feel comfortable about discussing errors and near-misses in order to improve learning, but nevertheless appropriate responsibility and accountability is required

Employees and their representatives should be provided with opportunities 20 to participate in the development and review of procedures

• Management should take all appropriate actions to ensure that all employees are aware of their roles and responsibilities with respect to safety, and have the necessary skills, training, education, support and resources. Management should ensure that all safety procedures are disseminated, well-known and 25 understood by all employees.

• Management and other employees should not become complacent; continu-ous efforts are needed to maintain safety.

• Enhancement of safety culture by management through an open attitude to-wards the public with respect to safety issues. 30

According to the safety policy the following principles are stated:

• A clear and meaningful written statement of Safety Policy agreed, promul-gated and applied throughout the enterprise, reflecting the corporate safety culture, containing the overall aims and principles with respect to chemical 35 safety At the top of a hierarchy of documentation related to chemical safety at an enterprise

Addressing accident prevention, preparedness and response, including the elements of the safety management system 40

Protecting the safety and health of all persons involved in, or who may be af-fected by, the production, process, handling, use, storage, disposal or elimi-nation of hazardous substances, as well as to safeguard the environment and property.

Reviewed regularly and amended, as appropriate, in light of experience 45 gained and any relevant changes in technologies, laws and regulations.

• Consultancy with and involving of employees at all levels for the safety policy



Discussion Document

27

• Independence of employees responsible for the development of corporate safety policies from production management with direct access to top man-agement.

• Widely communication of the safety policy, the intent should be understood and appreciated by all employees 5

• Management and other employees should co-operate to comply with the en-terprise’s Safety Policy and meet its safety goals. Complementary roles of management and labour Employees at all levels should be motivated and educated/trained to recog-nise safety as a top priority and its continuing improvement 10

Labour and their representatives should co-operate with management in promoting chemical safety and should be provided with effective means to do so.

• The Safety Policy should be made accessible to the public. • Safety programmes for all sites conforming to the enterprise’s safety policy 15

and addressing safety concerns and requirements specific to that site. Responsibility for day-to-day management of safety in the hands of line management at individual installations

Line management should respond to proposals and suggestions of labour related to safety matters 20

Senior management should provide the necessary support to line manage-ment for safety-related decisions and actions

• Development and implementation of a safety policy should be co-ordinated and integrated with the enterprise’s activities relating to other aspects of occu-pational safety, health and environmental protection 25 Efforts towards the integrated management of safety, health and environ-ment (SHE) throughout the regular business operations of an enterprise

Safety management as an integral part of total quality management (TQM) The integration of management systems for environmental, health and safety issues, and the development of enterprise-wide procedures applica-30 ble to all sites, lead to improvements in safety

In the Guidance on Safety Performance Indicators /43/, outcome indicators for the safety policy, safety goals and objectives and safety leadership were formulated:

• “Extent to which the Safety Policy has been received and understood by: em-35 ployees, other persons working at the enterprise (contractors, etc.); relevant external stakeholders (suppliers, customers, potentially affected public, etc” /43/, p.30.

• “Extent to which safety goals and objectives have been achieved. • Extent to which safety goals and objectives are reviewed and updated in rela-40

tion to the established procedures.” /43/, p.32. • “Extent employees follow established procedures related to safety. • Extent employees consider management a trusted source of information on:

chemical risk at the facility; and safety related information. • Extent management is involved in safety activities, e.g.: management visibility 45

in daily operations …; number of meetings held periodically … with safety as a substantial item on the agenda.



Discussion Document

28

• Extent suggestions and complaints from employees result in improvement in safety.

• Amount of money or other resource spent per year for safety; relative to other expenditures. …

• Correlation between amount spent on safety and the level of risk at the instal-5 lation (as measured by, for example, a risk assessment).” /43/, p.34.

3.2.2 Definitions and key elements by the IAEA Coined in the aftermath of Chernobyl as an explanatory concept for the accident by the IAEA, safety culture has now caught the imagination of virtually all hazard indus-10 tries: chemical process industries, civil and military aviation or space research, rail-way systems, petrochemical and pharmaceutical industries, medicine. Thus, the ma-jority of definitions, concepts and instruments still are from the nuclear filed. In 1991 the INSAG /45/ defined safety culture as follows: “Safety culture is that as-15 sembly of characteristics and attitudes in organizations and individuals which estab-lishes that, as an overriding priority, nuclear plant safety issues receive the attention warranted by their significance.” /45/, p.1. In 1998 the IAEA /46/ continued and widened its definition to behaviour: “Safety cul-20 ture is also an amalgamation of values, standards, morals and standards of ac-ceptable behaviour. These are aimed at maintaining a self-disciplined approach to the enhancement of safety beyond legislative and regulatory requirements. There-fore, safety culture has to be inherent in the thoughts and actions of all the individuals at every level in an organization. The leadership provided by top management is cru-25 cial.” /46/, p. 3. According to INSAG /46/ the major components of safety culture are commitments on different levels: 30 1. Policy level commitment:

• Statement of safety policy • Management structures • Resources • Self-regulation 35

2. Managers’ commitment • Definition of responsibilities • Definition and control of safety practices • Qualifications and training • Rewards and sanctions 40 • Audit, review and comparison

3. Individuals’ commitment • Questioning attitude • Rigorous and prudent approach • Communication 45



Discussion Document

29

To provide practical and pragmatic guidelines on the development of safety culture, key issues in safety culture were defined by INSAG (/47/, p. 5ff). For the following key issues questions were derived to provide some simple diagnostic tool: Commit-ment to safety and to the strengthening of safety culture, use of procedures, conser-vative decision making, a reporting culture, challenging unsafe acts and conditions, 5 the learning organization and underpinning issues like communication, clear priorities and organization (for the full text, see Annex II) Safety culture is furthermore seen as a process with different levels. The efforts made to enhance safety culture can result in improved organization, analyses, antici-10 pation and work processes. A strong safety culture can lead to more effective work and a sense of accountability among managers and employees. In promoting an im-proved safety culture, overall different approaches were taken: an approach empha-sizing the use of behavioral sciences or the quality management system approach to enhancing safety performance. 15 Many features of a strong safety culture have long been recognized as ‘good practices’ in numerous areas of safety activities in high hazard industries. Recently there has been increased emphasis on a systematic approach to the development of an improved safety culture as well as on the contribution of behavioral sciences to 20 developing good safety practices. Change in culture is both a ‘top-down’ and a ‘bot-tom-up’ approach, but consistent and visible leadership from the top is essential. “Technical specialists, human factors specialists, operating personnel and manage-ment must work together to develop a common understanding across their various functions. This is in itself a learning process and, as such, a characteristic of a good 25 safety culture. Continuous learning and improvement processes play a central role in developing and maintaining a good safety culture.” /47/, p. 4f.

There are differences in the understanding of organizations according to the concept of safety culture and to the actions necessary to influence it in a positive way. This diversity may reflect different levels of awareness of the safety impact of human be-30 havior and attitudes even in highly technical organizations.

3.2.3 Principles by Responsible Care The Responsible Care Fundamental Features /49/ state as follows:

• Formal commitment by each company to a set of guiding principles, signed by 35 the Chief Executive Officer

• Series of codes, guidance notes and checklists to help companies fulfill their commitment

• Development of indicators against which improvements in performance can be measured 40

• Open communication on health, safety and environmental matters with inter-ested parties, both inside and outside the industry

• Opportunities for companies to share views and exchange experiences on im-plementing Responsible Care

• Consideration of how best to encourage all member companies to commit 45 themselves to, and participate in, Responsible Care

• Procedures for verifying that member companies have implemented the measurable or practical elements of Responsible Care



Discussion Document

30

3.2.4 Elements of safety culture by the ILK (Internationale Länderkom-mission Kerntechnik)

A German consulting commission ILK (Internationale Länderkommission Kerntechnik) /52/ in the nuclear field defines the elements of safety culture in its statement on the regulator’s management of the licensee self-assessment of safety 5 culture, which exceed the number of elements stated before:

• Top management commitment to safety • Visible leadership • High priority to safety • Systematic approach to safety 10 • Strategic business importance of safety • Absence of safety versus production conflict • Relationship to regulators and other external organizations • Proactive and long term perspective • Management of change 15 • Quality of documentation and procedures • Compliance with regulations and procedures • Sufficient and competent staff • Proper resource allocation • Knowledge in work science, including health and safety and man-technology-or-20

ganization (MTO) • Clear roles and responsibilities

• Clearly organized team work • Openness and communication 25 • Motivation and job satisfaction • Involvement of all employees • Good working conditions (time, work load, stress ) • Housekeeping • Measurement of safety performance 30 • Organizational Learning

In the statement also some examples for safety culture indicators are written down: “Accountability for safety is clear

• Managers have specific safety goals to achieve 35 • Rewards reflect achievement • Employees involved in safety improvements • Team appraisals include safety achievement

Safety is learning driven • Program exists for feeding back lessons from operating experience 40 • Familiarity with learning processes • Process exists for dealing with repeated events • Process to prevent mistakes through strengthening defense in depth • Mistakes may be a learning opportunity

High priority to safety 45 • Safety resources adequate for workloads • Safety concerns can be raised openly and safety behaviors are actively

supported



Discussion Document

31

• Teamwork among departments is encouraged Clear leadership for safety

• Top managers dedicate time and efforts to improve safety • Training in safety culture is available and used by managers • Management/workforce interaction frequency 5 • Level of personal accountability for safety

Style of management • Clear standards and expectations • Managers reinforce expected behaviors” /52/.

10 The commission suggests to conduct a self-assessment each 2-3 years and after a significant organizational change.

3.2.5 Models on evaluation and classification of safety culture and safety climate 15

The HSE published in the Offshore Technology Report 1999/063 /90/ a summary guide to safety climate tools. The guide should serve to provide summary information on questionnaire-based tools for measuring the safety climate of organizations and to determine the most useful and necessary scales and items. In the report the follow-ing recommendations for the assessment of safety climate are given: 20 • Preparation is essential before launching into the use of a climate survey tool.

Any tool is unlikely to work well - or may even have a negative effect - if senior management put insufficient effort into preparation, do not commit to act on find-ings (whatever they are) and fail to involve the entire workforce throughout the process. 25

• Recipients of the questionnaire need to know why the survey is being done and how the results will be used.

• It is essential that there is a rapid, but realistic, post-survey implementation plan. Some visible results need to be achieved as soon as possible after completion of the survey. 30

• The results of the survey need to be fed back to the surveyed group as rapidly as possible.

• Issues or areas of weakness identified by the survey need to be discussed with the respondents to clarify the details of their concerns.

• After clarification, a plan of action should be developed to address the most sig-35 nificant weaknesses. The plan may include behaviour modification programmes.

• During implementation of the action plan, some form of monitoring needs to be in place to check progress. The results of the monitoring programme should be fed back to the employees concerned.

• Repeat climate surveys should not be undertaken before an action plan to ad-40 dress weaknesses from the first survey has been implemented. (/90/, p. 11f.)

According to items and scales, the following core safety climate item sets were identi-fied: • Training and competence 45 • Job security and job satisfaction • Pressure for production



Discussion Document

32

• Communications • Perceptions of personal involvement in health and safety • Accidents/ incidents/ near misses • Perception of organisational/management commitment to health & safety – gen-

eral and specific 5 • Merits of the health and safety procedures/ instructions/ rules • Rule breaking • Workforce view on state of safety/ culture • Assessment of safety levels 10 Furthermore, there are more sets of items, which could be included in an assess-ment: • Planning for emergencies • Maintenance • Task allocation and human factor design 15 • Work pressures • Work environment • Individual competence, capacities, health and skills • Procedures • Safety priorities 20 • Management/structural (including decision making and team working) According to the IAEA (1998) three stages of development of safety culture seem to emerge. The characteristics of each stage provide organizations with a basis for self-diagnosis. 25

Stage I: Safety based solely on rules and regulations Safety is seen as an external requirement and not as an aspect of conduct that will help the organization to succeed. The external requirements are those of national governments, regional authorities, or regulatory bodies. “There is little awareness of behavioral and attitudinal aspects of safety performance, and no willingness to con-30 sider such issues. Safety is seen very much as a technical issue; mere compliance with rules and regulations is considered adequate. For an organization which relies predominantly on rules, the following characteristics may be observed:

• Problems are not anticipated; the organization reacts to each one as it occurs. • Communication between departments and functions is poor. 35 • Departments and functions behave as semi-autonomous units and there is lit-

tle collaboration and shared decision making among them. • The decisions taken by departments and functions concentrate upon little

more than the need to comply with rules. • People who make mistakes are simply blamed for their failure to comply with 40

the rules. • Conflicts are not resolved; departments and functions compete with one an-

other. • The role of management is seen as endorsing the rules, pushing employees

and expecting results. 45



Discussion Document

33

• There is not much listening or learning inside or outside the organization, which adopts a defensive posture when criticized.

• Safety is viewed as a required nuisance. • Regulators, customers, suppliers and contractors are treated cautiously or in

an adversarial manner. 5 • Short term profits are seen as all-important. • People are viewed as ‘system components’— they are defined and valued

solely in terms of what they do. • There is an adversarial relationship between management and employees. • There is little or no awareness of work or business processes. 10 • People are rewarded for obedience and results, regardless of long term con-

sequences.” /47/, p. 5f.

Stage II – Good safety performance becomes an organizational goal The management perceives safety performance as important even in the absence of regulatory pressure. Although there is growing awareness of behavioral issues, this 15 aspect is largely missing from safety management methods, which focus on technical and procedural solutions. Safety performance is dealt with in terms of targets or goals. The organization begins to question why safety performance reaches a pla-teau and is willing to learn from other organizations. The following characterizes the second stage: 20

• “The organization concentrates primarily on day to day matters. There is little in the way of strategy.

• Management encourages cross-departmental and cross-functional teams and communication.

• Senior managers function as a team and begin to co-ordinate departmental 25 and functional decisions.

• Decisions are often centered on cost and function. • Management’s response to mistakes is to put more controls in place via pro-

cedures and retraining. There is a little less blaming. • Conflict is disturbing and is discouraged in the name of teamwork. 30 • The role of management is seen as applying management techniques, such

as management by objectives. • The organization is somewhat open about learning from other companies, es-

pecially techniques and best practices. • Safety, cost and productivity are seen as detracting from one another. Safety 35

is thought to imply higher cost and reduced production. • The organization’s relationship with regulators, customers, suppliers and con-

tractors is distant rather than close; there is a cautious approach where trust has to be earned.

• It is important to meet or exceed short term profit goals. People are rewarded 40 for exceeding goals regardless of the long term results or consequences.

• The relationship between employees and management is adversarial, with lit-tle trust or respect demonstrated.

• There is growing awareness of the impact of cultural issues in the workplace. It is not understood why added controls do not yield the expected results in 45 safety performance.” /47/, p.6.



Discussion Document

34

Stage III – Safety performance can always be improved Continuous improvement is seen as important and applied to safety performance. There is a strong emphasis on soft skills as communications, training, and manage-ment style. People understand the impact of behavioral issues on safety. The level of awareness of behavioral and attitudinal issues is high, and measures are being taken 5 to improve behavior. The stage is characterized by:

• “The organization begins to act strategically with a focus on the longer term as well as awareness of the present. It anticipates problems and deals with their causes before they happen.

• People recognize and state the need for collaboration between departments 10 and functions. They receive management support, recognition and the re-sources they need for collaborative work.

• People are aware of work or business processes in the organization and help managers to manage them.

• Decisions are made in the full knowledge of their safety impact on work or 15 business processes as well as on departments and functions.

• There is no goal conflict between safety and production performance, so that safety is not jeopardized in pursuit of production targets.

• Almost all mistakes are viewed in terms of work process variability. It is more important to understand what has happened than to find someone to blame. 20 This understanding is used to modify the work process.

• The existence of conflict is recognized and dealt with by trying to find mutually beneficial solutions.

• Management’s role is seen as coaching people to improve business perform-ance. 25

• Learning from others both inside and outside the organization is valued. Time is made available and devoted to adapting such knowledge to improve busi-ness performance.

• Safety and production are seen as interdependent. • Collaborative relationships are developed between the organization and regu-30

lators, suppliers, customers and contractors. • Short term performance is measured and analyzed so that changes can be

made which improve long term performance. • People are respected and valued for their contribution. • The relationship between management and employees is respectful and sup-35

portive. • People are aware of the impact of cultural issues, and these are factors con-

sidered in key decisions. • The organization rewards not only those who ‘produce’ but also those who

support the work of others. People are also rewarded for improving processes 40 as well as results.” /47/, p. 7f.

For the U.K. HSE Offshore Technology Report 2000/049 the Keil Centre devel-oped a safety culture maturity model /50/, which has five developmental stages, i.e. two more as the model of the IAEA /46/. The elements differ mainly in the way that 45 the elements of the safety culture maturity model take more the employees’ perspec-tive into account. The described elements are:



Discussion Document

35

• Management commitment and visibility • Communication • Productivity versus safety • Learning organization • Safety resources 5 • Participation • Shared perceptions about safety • Trust • Industrial relations and job satisfaction • Training 10

Following assumptions are the basis of the model: “Cultural or behavioural ap-proaches to safety improvement are their most effective when the technical and sys-tem aspects of safety are performing adequately and the majority of accidents ap-pear due to behavioural or cultural factors.” The safety culture maturity model is 15 therefore only of relevance to organisations that fulfil a number of specific criteria. These include:

• An adequate Safety Management System • Technical failures are not causing the majority of accidents • The company is compliant with health and safety law 20 • Safety is not driven by the avoidance of prosecution but by the desire to pre-

vent accidents The five stages of the model are described below and shown in figure1: 25 Level One: Emerging Safety is defined in terms of technical and procedural solutions and compliance with regulations. The safety department is perceived to have primary responsibility for safety. Many accidents are seen as unavoidable and as part of the job. Most frontline staff are uninterested in safety. 30 Level Two: Managing The organization's accident rate is average for its industrial sector but they tend to have more serious accidents than average. Management time and effort is put into accident prevention. Safety is defined in terms of adherence to rules and procedures 35 and engineering controls. Accidents are seen as preventable. Managers perceive that the majority of accidents are solely caused by the unsafe behavior of front-line staff. Safety performance is measured in terms of lagging indicators such as LTI and safety incentives are based on reduced LTI rates. 40 Level Three: Involving Accident rates are relatively low, but they have reached a plateau. The organization is convinced that the involvement of the frontline employee in health and safety is critical, if future improvements are going to be achieved. Managers recognize that a wide range of factors cause accidents and the root causes often originate from man-45 agement decisions. A significant proportion of frontline employees are willing to work with management to improve health and safety. The majority of staff accepts



Discussion Document

36

personal responsibility for their own health and safety. Safety performance is actively monitored and the data is used effectively. Level Four: Cooperating The majority of staff in the organization is convinced that health and safety is impor-tant from both a moral and economic point of view. Managers and frontline staff rec-5 ognize that a wide range of factors cause accidents and the root causes are likely to come back to management decisions. Frontline staff accept personal responsibility for their own and others health and safety. The organization puts significant effort into proactive measures to prevent accidents. Safety performance is actively monitored using all data available. Non-work accidents are also monitored and a healthy life-10 style is promoted. Level Five Continuous improvement The prevention of all injuries or harm to employees (both at work and at home) is a core company value. The organization has had a sustained period (years) without a 15 recordable accident or high potential incident, but there is no feeling of complacency. They live with the paranoia that their next accident is just around the corner. The or-ganization uses a range of indicators to monitor performance but it is not perform-ance-driven, as it has confidence in its safety processes. The organization is con-stantly striving to be better and find better ways of improving hazard control mecha-20 nisms. All employees share the belief that health and safety is a critical aspect of their job and accept that the prevention of non-work injuries is important. The com-pany invests considerable effort in promoting health and safety at home. /50/.

25 Figure 1: Safety Culture maturity model. HSE Offshore Technology Report 2000/049.

Safety culture maturity model

Emerging Level 1

Managing Level 2

Involving Level 3

Cooperating Level 4

Continually improving Level 5

Improving safety culture

Increasing consistency

Develop management commitment

Realise the impor-tance of frontline staff anddevelop personalresponsibility

Engage all staff todevelop cooperationand commitment to improving safety

Develop con-sistency and fight complacency



Discussion Document

37

In: “A review of safety culture and safety climate literature for the development of the safety culture inspection toolkit” /51/ key indicators for the rail industry (HMRI) were recommended: leadership, two-way communication, employee involvement, learning culture and attitude towards blame 5



Discussion Document

38

3.3 Scientific literature from the field of psychology, human fac-tors, organization studies

There is a huge body on literature on safety culture, safety climate and its assess-ment. The following selection is based on either process industry specific references or on literature which exceed the official documents. 5 Because safety-management is not enough Kadri and Jones /53/ propose an ap-proach that will help organizations to self-assess the state of the process safety cul-ture in their organizations. Safety culture improvement can be reached by creation of awareness about safety culture themes, by adaptation of process safety culture 10 themes to company experience, by use of suggested indicators to identify specific areas of improvement, by development of a strategic improvement plan to strengthen and sustain the safety culture process. There assessment is mainly vice versa, i.e. they propose indicators that show a decrease in safety culture: 15 “Indicators that you are not maintaining a sense of vulnerability

• You assume your safety systems are good enough • You treat critical alarms as operating indicators • You allow backlogs in preventative maintenance of critical equipment • Lessons from related industry disasters are not routinely discussed at all lev-20

els in the organization • Actions are not taken where similar deficiencies have been identified

Indicators that you are allowing normalization of deviance • You allow systems to operate outside design safe operating limits without de-

tailed risk assessment 25 • You allow deviations from established procedures without management of

change (MOC) review and approval • Wilful, conscious violation of an established procedure is tolerated without

evaluating the consequences for the persons involved • Staff cannot be counted on to strictly follow procedures when supervision is 30

not around to monitor compliance Indicators that appropriate and timely hazard/risk assessment are not being done

• Availability of experienced resources for risk assessment is limited • The recommendations from risk assessment are not meaningful • The recommendations from risk assessment are not implemented in a timely 35

manner • The actions taken differ from the intent of the original recommendations • Bases for rejecting risk assessment recommendations are mostly subjective

judgment or based on previous experience and observation Indicators that safety role is not independent and unassailable 40

• People monitoring safety-related decisions are not sufficient technically quali-fied and independent

• Key process safety management positions have been downgraded over time • Recommendations for safety improvements are resisted on the grounds of

costs or schedule impact 45 • No system in place to ensure an independent review of major safety-related

problems



Discussion Document

39

• Audits conducted by people not technically competent and are regarded as negative or punitive

Indicators that open and frank communication at all levels is not happening • The bearer of “bad news” is viewed as “not a team player” • Safety related questioning “rewarded” by requiring the suggestor proves that 5

he/she is correct • Critical safety-related news that circumvents official channels is not welcomed • Communication become altered, with the message softened, as they move up

through the management chain • Employees cannot speak freely to anyone else about their honest safety con-10

cerns, without fear of career reprisals” (p. 19) Wilpert et al. /54/ introduce key elements for safety culture, which show clearly an organizational psychology perspective:

• Commitment on all levels of the organisation from the whole staff 15 • Questioning attitude • Systemic thinking • Role model of managers and supervisors • Professional identity • Treatment of errors (failure culture) 20 • Implicite norms

The hitherto most encompassing description and discussion of different models and analytic instruments to study safety culture has been collated by Wilpert et al., /55/ which covers altogether 20 different approaches. They differ in terms of depth of 25 analysis, psychometric quality criteria such as reliability, objectivity and validity as well as in terms of economy of use and manageability. However, a basic difference may be highlighted with reference to a difference in general conduct of the analysis, namely whether it is conducted by external experts from outside the studied organi-zation or whether the analysis is pursued as a self-assessment by staff members of 30 the organization itself.

External investigations usually utilize competent outsiders who conduct a safety au-dit, use questionnaires and interview guidelines, study the safety related features through observation and document analysis. The advantage of outsider investiga-tions lies mainly in their characteristic of introducing perspectives into the analysis 35 which are guided by experience from other contexts than those of the focal organi-zation. But such analyses are likely to remain in the realm of attitudes, climate and directly observable phenomena. Deeper layers of the organizational culture will be less approachable.

Self-assessments, in contrast, are conducted by internal qualified staff members who 40 are thoroughly familiar with their own organization. Self-assessments can easily and economically be carried out and have an immediate educational effect in the sense that once problems of safety culture are identified they may be discussed and inter-vention solutions can be developed and implemented. On the other hand, a disad-vantage of self-assessment may be the danger of analysts remaining focused on as-45



Discussion Document

40

pects in the organization which have no taboo, are acceptable to management and staff, and are easily optimized. In consequence, self-assessment and external as-sessment are techniques which are not mutually exclusive but complementary. The research of the Berlin based Research Center System Safety has so far mainly fo-cused on self-assessments in developing a screening technique for safety culture 5 which will be presented below.

Functional aspects are considered all those features of high hazard organizations which need to be present in the organization in order to make it viable such as lead-ership, group norms, control, rules, procedures. Structural parts are elements of the organizational build-up such as organizational level, including the most important 10 links to external institutions and organizations such as regulators or other reference organizations.

The authors distinguished five relevant system levels: technology ( e.g. hardware); individual (e.g. personal behavior, cognitive competence); group level (e.g. group dynamics); organization (e.g. leadership/control); environment (e.g. media/public). 15

Based on prototypical organizational features of nuclear power plants the following structural elements were identified: regulation, utility, plant management, managers, plant personnel categories (operational staff, maintenance, systems technology, su-pervision, accounting, logistics, general staff), external staff.

The allocation of functional factors resulted in the following clustering: 20

individual level: cognitive competence, rule compliance, qualification, risk percep-tion, attitudes/motivation, physiological influences, commitment to safety, behavior;

group level: communication, group dynamics, leadership/control, social norms;

organizational level: basic assumption of the organization, goals and visions, plan-ning, resources, process management and process evaluation, organizational learn-25 ing, training, information and documentation, incentive systems;

technology (hardware, software, ergonomics).

These structural and functional dimensions provided the basis for the development of a self-assessment screening methodology of safety culture and suggested con-ceptualizations for the introduction and maintenance of a sustained safety culture in 30 nuclear plants /55/.

Another new dimension or element was introduced by Olive et al. /56/, i.e. resilience and flexibility: “A strong safety culture is characterized by several traits: a definite commitment to the improvement of safety behaviors and attitudes at all organiza-tional levels; an organizational structure and atmosphere that promotes open and 35 clear communication in which people feel free from intimidation or retribution in rais-ing issues; a propensity for resilience and flexibility to adapt effectively and safely to new situations; a prevailing attitude of constant vigilance.” /56/, p. 139. Lardner (2003, /91/) stated, that “since safety culture is associated with occupational 40 accidents then organizations that have a lower accident rate than similar organiza-



Discussion Document

41

tions are also likely to have a positive safety culture” (p. 13). The following features characterize low accident organizations:

• Frequent, less formal communication about safety at all levels • Good organizational learning • Strong focus on safety by all 5 • Strongly committed senior management • Democratic and co-operative leadership style • High quality training, including safety training • Good working conditions and housekeeping • High job satisfaction 10 • Good industrial relations • Selection and retention of employees who work steadily and safely

According Lardner /91/ there are some features associated with a positive safety cul-ture which originate from several safety climate surveys:

1. Hardware: good plant design, working conditions and housekeeping; per-15 ception of low risk due to confidence in engineered systems

2. Management systems: confidence in safety rules, procedures and meas-ures; satisfaction with training; safety prioritised over profits and produc-tion; good organizational learning; good job communication

3. People: high level of employee participation in safety; trust in workforce to 20 manage risk; high level of management safety concern, involvement and commitment

4. Behaviour: acceptance of personal responsibilities for safety; frequent in-formal safety communication; willingness to speak up about safety; a cau-tious approach to risk 25

5. Organizational climate factors: low levels of job stress; high levels of job satisfaction

The U.S. Chemical Safety and Hazard Investigation Board summarizes in its report /92/ on the refinery explosion and fire in Texas City, that “safety management sys-30 tems are necessary for prevention, but that much more is needed to prevent major accidents. Effective organizational practices, such as encouraging that incidents be reported and allocating adequate resources for safe operations, are required to make safety systems work successfully” (/92/, p. 139). One of the identified cultural causes were, that BP Group and Texas city managers were working to make safety changes 35 prior to the accident, “but the focus was largely on personal rather than process safety. As personal injury statistic improved, the BP group executives stated that they thought safety performance was headed in the right direction” (/92, p. 139f.). But per-sonal injury rates are not a measure of process safety.

3.4 Conclusion 40 There is a huge body on documents on safety culture mainly from the nuclear field. In these documents a common agreement can be found on some points like “what is safety culture?”, but also open questions and blind spots. Although there are some differences, the key elements of safety culture are very 45 similar like commitment, learning organization, communication. Still missing are agreed key elements for the chemical industry.



Discussion Document

42

There are many different instruments for assessment, but it is still unclear which lev-els have to be assessed, norms, values or even underlying beliefs and how to treat observable behaviour and artefacts. The cited indicators are not simple to assess or to measure and there is no validated instrument for the chemical industry. 5 Furthermore there is no common understanding of whom to integrate only the op-erators, managers, top-management or even groups outside the organization. From the literature it can be derived that assessments should be repeated regularly and after significant changes, but it is not clear yet, whether these assessments should 10 be self-assessments by the industry or assessments by regulators. Thus, the workshop should be a platform to define basic requirements of methodolo-gies/ instruments, e.g. requirements related to the dimensions/key elements to be assessed as well as structures and/or groups to be included. 15 The key elements of safety culture according to OECD and the other cited literature should be:

• Establishment and promotion of corporate safety culture, reflected in a corpo-20 rate Safety Policy.

• Clearly-stated and visible commitment to safety in an enterprise • Initiative and alertness in the interest of safety should be encouraged • Management should take all appropriate actions to ensure that all employees

are aware of their roles and responsibilities with respect to safety, and have 25 the necessary skills, training, education, support and resources. Management should ensure that all safety procedures are disseminated, well-known and understood by all employees.

• Management and other employees should not become complacent; continu-ous efforts are needed to maintain safety. 30

• Enhancement of safety culture by management through an open attitude to-wards the public with respect to safety issues.

• A clear and meaningful written statement of Safety Policy agreed, promul-gated and applied throughout the enterprise, reflecting the corporate safety culture, containing the overall aims and principles with respect to chemical 35 safety

• Consultancy with and involving of employees at all levels for the safety policy • Independence of employees responsible for the development of corporate

safety policies from production management with direct access to top man-agement. 40

• Widely communication of the safety policy, the intent should be understood and appreciated by all employees

• Management and other employees should co-operate to comply with the en-terprise’s Safety Policy and meet its safety goals.

• The Safety Policy should be made accessible to the public. 45 • Safety programmes for all sites conforming to the enterprise’s safety policy

and addressing safety concerns and requirements specific to that site.



Discussion Document

43

• Development and implementation of a safety policy should be co-ordinated and integrated with the enterprise’s activities relating to other aspects of occu-pational safety, health and environmental protection

• Good organizational learning • Questioning attitude 5 • Systemic thinking • Role model of managers and supervisors, leadership • Professional identity • Treatment of errors (failure culture) • Implicite norms 10 • Motivation and job satisfaction

In the evaluation of safety culture the above key elements should be assessed. As a first approach the following assessment levels /55/ with the corresponding factors could serve: 15 1. Individual level

• cognitive competence • rule compliance • qualification • risk perception 20 • attitudes/motivation • physiological influences • commitment to safety • behavior

2. Group level 25 • communication • group dynamics • leadership/control • social norms

3. Organizational level: 30 • basic assumption of the organization • goals and visions • planning • resources • process management and process evaluation 35 • organizational learning • training • information and documentation • incentive systems

4. Technology 40 • hardware • software • ergonomics



Discussion Document

44

Groups to be included in the assessment of safety culture should be: 1. Top level management 2. Management 3. Operators 4. Maintenance personnel – crafts technicians 5 5. Contractors 6. External stakeholders 7. (Regulatory bodies) Safety climate as a first approach to safety culture could be assessed by question-10 naire with the above mentioned content, but for safety culture assessment a more holistic approach is needed, i.e. questionnaires should be completed by observa-tions, document analysis and interviews or group-feedback-analyses.

3.5 Questions 15 1. What problems/issues are related to the different instruments/methodologies? 2. What kind of regulatory and legal restrictions to safety culture are known and

how could they be minimized? 3. Are there coherences between the three level model and the five level model? 4. What alternatives exist in regard to the recommended indicators? 20 5. Are the key elements for the evaluation of the safety culture complete and well

defined? 6. Should process safety be aggregated with other aspects in the evaluation of

Safety culture? 7. Have regular surveys on safety climate to be regarded as best practice? 25 8. Should there be some kind of standardisation of these surveys to allow bench-

marking of enterprises? 9. Should more guidance on the improvement of safety culture be provided? 10. Should the results of survey on safety culture be presented in the Sustainabil-

ity Reports of enterprises? 30



Discussion Document

45

4 Thematic session 3: Appropriate Human Factors compe-tence

Key objectives to be covered in the session 5

• Identify the different types of responsibility in organisations requiring different competences in safety related human factors issues;

• Define the competences required with respect to these different responsibili-ties;

• Discuss the roles applicable to the industry 10 • Make recommendations to identify the training needs and develop training

programmes;

4.1 Introduction The various management and staff levels in organisations (industries, authorities, 15 expert organisations/consultants) have different responsibilities which require specific competences in human factors issues. The personnel involved in the safety tasks is usually technically competent and well trained to the safety issues, but has generally no specific knowledge of the social safety dimension and its human factors compe-tences are often less developed. The workshop will make recommendations on ap-20 propriate human factors competences taking into account the types of responsibilities and the different management and staff levels. Such recommendations may help set up adequate training programmes on human factors in the chemical industry aiming at reducing the number of accidents and mitigating their consequences. 25 Because this is a relatively new field only a few sources from the nuclear industry and aviation could be taken into account.

4.2 Types of responsibilities The IAEA /48/ identified the following relevant four actors with related areas of com-30 petency: Table 2: Relevant actors and areas of competency for the framework for education and training in

nuclear safety Relevant actors Areas of competency

Regulatory body staff Regulatory control

Technical support organizations Siting & Design of NPPs

Operators and utility staff Operation of NPPs

Research organizations and educators Research reactor design, operation & utilization

35



Discussion Document

46

The EU regulates in their Commission Regulation (EC) No 2042/2003 of 20 November 2003 /57/ on “the continuing airworthiness of aircraft and aeronautical products, parts and appliances, and on the approval of organizations and personnel involved in these tasks” the training needs for maintenance personnel. 5 Line Maintenance Certifying Mechanic (Cat. A) Category A authorisation entitles the holder to issue Certificates of Release to Ser-vice after simple scheduled maintenance work and after repairing simple defects within the scope of the authorisation. The issuing of Certificates of Release to Ser-vice is restricted to work which the holder of the authorisation has personally carried 10 out. Maintenance Certifying Technician/Mechanical (Cat. B1) Category B1 authorisation entitles the holder to issue Certificates of Release to Ser-vice after maintenance work, including work on the airframe, the engines and me-15 chanical and electrical systems. The authorisation also includes the replacement of quickly replaceable avionic units for which a simple check – usually on board – is re-quired to verify their integrity for further operation. Category B1 authorisation auto-matically entitles the holder to issue Category A Certificates of Release to Service. 20 Maintenance Certifying Technician/Avionic (Cat. B2) Category B2 authorisation entitles the holder to issue Certificates of Release to Ser-vice after maintenance work on the avionic and electrical systems. Category B2 cer-tifying staff can qualify for authorisation to issue Category A Certificates of Release to Service. 25 Base Maintenance Certifying Engineer (Cat. C) Category C authorisation entitles the holder to issue Certificates of Release to ser-vice after maintenance work. The authorisation applies to aircraft in their entirety, in-cluding all systems. 30 The classifications from both industries have some relevance for the chemical indus-try, but are not simply transferable. For the chemical industry the following groups seem to be relevant according to human factors competency:

• Regulatory body staff 35 • Management • Safety personnel • Operators

4.3 Identified human factors competency 40 In their proposed framework for education and training in nuclear safety the IAEA identified four categories of competence and related training contents: Regulatory control of NPPs

• Authorization process 45 • Review and assessment • Inspection and enforcement • Development of regulation and guides



Discussion Document

47

• Regulatory effectiveness Safety Assessment of NPPs

• Accident analysis methods • Probabilistic safety assessment • Accident management 5 • Ageing management • Safety assessment of modifications

Operational safety of NPPs • Safety culture and management of safety • NPP operator regulator interface 10 • Operational experience and feedback • Operational practices

Safety of research reactors • Regulatory aspects and safety documentation • Safety analysis 15 • Safety in operation and utilization • Management of ageing • Safe shutdown and decommissioning

Concerning the competence of staff members in the aeronautical field, the EU states: 20 “The organisation shall establish and control the competence of personnel involved in any maintenance, management and/or quality audits in accordance with a procedure and to a standard agreed by the competent authority. In addition to the necessary expertise related to the job function, competence must include an understanding of the application of human factors and human performance issues appropriate to that 25 person's function in the organisation. "Human factors" means principles which apply to aeronautical design, certification, training, operations and maintenance and which seek safe interface between the human and other system components by proper consideration of human performance. "Human performance" means human capabili-ties and limitations which have an impact on the safety and efficiency of aeronautical 30 operations. … The organisation shall establish procedures agreed by the competent authority taking into account human factors and human performance to ensure good maintenance practices and compliance with this Part which shall include a clear work order or contract such that aircraft and components may be released to service in accordance with 145.A.50. “ /57/. 35 It is regulated that basic knowledge for categories A, B1 and B2 are indicated by the allocation of knowledge levels indicators (1, 2 or 3) against each applicable subject. Category C applicants must meet either the category B1 or the category B2 basic knowledge levels. The knowledge level indicators are defined as follows: 40 Level 1 A familiarisation with the principal elements of the subject. Objectives: The applicant should be familiar with the basic elements of the subject. The applicant should be able to give a simple description of the whole subject, using 45 common words and examples. The applicant should be able to use typical terms.



Discussion Document

48

Level 2 A general knowledge of the theoretical and practical aspects of the subject. An ability to apply that knowledge. Objectives: The applicant should be able to understand the theoretical fundamentals of the subject. The applicant should be able to give a general description of the sub-5 ject using, as appropriate, typical examples. The applicant should be able to use mathematical formulae in conjunction with physical laws describing the subject. The applicant should be able to read and understand sketches, drawings and schematics describing the subject. The applicant should be able to apply his knowledge in a practical manner using detailed procedures. 10 Level 3 A detailed knowledge of the theoretical and practical aspects of the subject. A capac-ity to combine and apply the separate elements of knowledge in a logical and com-prehensive manner. 15 Objectives: The applicant should know the theory of the subject and interrelation-ships with other subjects. The applicant should be able to give a detailed description of the subject using theoretical fundamentals and specific examples. The applicant should understand and be able to use mathematical formulae related to the subject. The applicant should be able to read, understand and prepare sketches, simple 20 drawings and schematics describing the subject. The applicant should be able to ap-ply his knowledge in a practical manner using manufacturer's instructions. The appli-cant should be able to interpret results from various sources and measurements and apply corrective action where appropriate. 25 The training shall be conducted in modules; module 9 is on human factors and has the following contents:

1. General: Necessity to take human factors into account, incidents caused by human factors / human errors, Murphy’s law 30

2. Human performance and restrictions: seeing, listening, information proc-essing, attention and perception, memory

3. Social psychology: responsibility of individuals and groups, motivation and de-motivation, group pressure, “cultural“ issues, teamwork, management, su-pervision /control and leadership 35

4. Performance shaping factors: fitness / health, stress: work and home re-lated, time pressure and schedule, work load, fatigue, Shift work, alcohol, me-dicaments, drug abuse

5. (Workplace) Environment: noise and exhaust, illumination, climate and tem-perature, movement and vibration, work surrounding 40

6. Tasks: physical work, routine tasks, visual tests, complex systems 7. Communication: within the team and between teams, work minutes and re-

cords, “be in the loop“ / situation awareness, actuality, information processing 8. Human error: models and theories on errors, error modes during mainte-

nance, consequences of errors (i.e. accidents and incidents), prevention of 45 and treatment / coping with errors

9. Hazards at the workplace: perception and prevention of hazards, emergency treatment



Discussion Document

49

4.4 Conclusion For the chemical industry nearly all topics are relevant. Additionally should be added:

10. Ergonomics: knowledge of man-mchine-interfaces, design 11. Human Resource Management: recruiting and training, dealing with perform-

ance issues, motivation 5 12. Crisis Management: forecasting potential crises and planning how how to deal

with them, identifying the real nature of a current crisis, intervening to minimize damage, risk communication

The following qualifications may be recommended: 10 Table 3: Appropriate Human Factors Competence Knowledge level

Regulatory body staff Management Training con-tent Regulation Enforce-

ment

Operatio-nal ma-nage-ment

Strategic mana-gement

Safety person-nel

Opera-tors

General 2 2 2 2 3 2 Human per-formance and restrictions

1 2 2 1 3 2

Human re-source man-agement

1 2 2 1 3 1

Ergonomics 1 2 2 1 3 1

Social psy-chology

2 2 2 2 3 2

Performance shaping fac-tors

1 2 2 1 3 2

Workplace Environment

1 2 2 1 3 2

Tasks 1 2 2 1 3 2

Communica-tion

1 2 2 2 3 2

Human error 1 2 2 1 3 2

Hazards at the workplace

1 2 2 1 3 3

Crisis Man-agement

2 3 3 1 3 2



Discussion Document

50

In the discussion it should become clear whether the above mentioned responsibili-ties requiring different competences in safety related human factors issues are those which are relevant to the chemical industry. Training needs and training programmes should be addressed as well. 5

4.5 Questions 1. Are the above mentioned groups of responsibilities those which are relevant? 2. Are the mentioned competencies those which are relevant? 3. Are there missing competencies? 4. Are the knowledge levels sense-making for the above mentioned groups? 10



Discussion Document

51

5 Thematic session 4: Interfaces between Safety Systems and Operators

Key objectives to be covered in the session

• Discuss how operator tasks in abnormal situations are identified and assessed 5 when designing automatic safety systems: interlock, cut-off, shut-off, instru-mented safety systems according to the IEC 61511 /7, 58, 59/ standard;

• Consider how the human skills are taken into consideration in this process; • Describe how to prevent process alteration by operator activities to prevent

automatic shut-offs causing out of design situations causing major accidents 10 although an automatic safety system is installed;

• Make recommendation on interfaces between safety systems and operators;

5.1 Introduction The design and reliability of safety systems (i.e. interlock-, shut-off-, cut-off-systems, 15 safety instrumented systems and not control systems) and their interaction with the operators play a key role in making incidents become (major) accidents. Less atten-tion has been paid to the fact that the interface between man and process is different in "abnormal situations" as compared with normal operation conditions, and affects the overall success. In abnormal situations the successful operation of safety sys-20 tems has a very high priority and the prevention of major accidents will also depend on the quality of the interface between the safety systems and the operator. This session will discuss the strategies for developing ‘efficient’ interfaces between safety systems and operators based on the human factors knowledge. 25 For the preparation of this section of the discussion document the following sources were analysed:

• Regulations and technical standards • Scientific literature from the field of psychology and human factors

30

5.2 Regulations and technical standards (IEC 61511, VDI/VDE 2180, NE 31)

The Seveso II directive /60/ is aimed at the prevention of major accidents and at the restriction of accident consequences for people and environment. 35 Article 9 of the Seveso II /60/ directive, concerning the safety report requires that in this document it is demonstrated that adequate safety and reliability have been in-corporated into the design, construction, operation and maintenance of all plant and equipment. 40 IEC/EN61511/ /7, 58, 59/ transfers the concept of functional safety of the standard /EN61508/ /61/ specifically to the process industry sector. A safety instrumented sys-tem (SIS) encompasses all necessary components and subsystems – from sensor to



Discussion Document

52

actuator – for the performance of the safety instrumented function and integrates ex-plicitly operating staff. According to IEC 61511 the protection layer approach distinguishes three layers with different safety relevant functions of the operators: 5

From: IEC 61511 9.4 Requirements on the basic process control system as a protec-tion layer 10 First (inner) level is the control and monitoring system. The control and monitoring shall ensure the optimal and safe conditions of the proc-ess. Any failure of this layer shall not cause a major accident. As the figure shows the operators have two functions in this inner layer: a) Process control 15 These means that the operators shall react skill- or rule-based on alarms from control or monitoring systems for the optimisation of the process conditions. Any failure shall not cause a major accident. b) Supervision The operator shall rule- or knowledge-based supervise the process i.e. correct the 20 process conditions in abnormal situation with less or no suitable instrumentation. The second (middle) level is the prevention system. The figure shows only one operator function but in reality there are the same two functions, because the IEC 61511 considers low and high automated safety systems. 25 a) The operator is part of the safety function This is relevant, if the safety systems of a plant are less automated, i.e. there may be only a sensor-transmitter-alarm system and it is the function of the operator to be transmitters and actor.

MITIGATION Mechanical Mitigation Systems

Safety Instrumented Control Systems Safety Instrumented Mitigation

Operator Supervision

PREVENTION Mechanical Protection System

Process Alarms with operator corrective Safety Instrumented Control Systems

Safety Instrumented Prevention

CONTROL and MONITORING Basic Process Control Systems

Monitoring Systems (process alarms) Operator Supervision

PROCESS



Discussion Document

53

b) The Safety System is completely automated This means that all possible major accidents are prevented by complete automated systems including the complete sensor-transmitter-actor chain. As a consequence only the supervision function is left for the operator. The consequence is that there are (at least) two types of alarms with very different 5 relevance for the prevention of major accidents:

1. Alarms to ensure optimal process conditions (Messages according to NAMUR) and safe process conditions

2. Alarms to prevent major accidents (i.e. critical Alarms). This difference has to be regarded in debates on man-machine-interfaces especially 10 the human centred alarm management. In the frame of a defined safety-lifecycle-process (SLC) the standard requires a haz-ard and risk analysis (phase 1), to be able to derive the specification and the design of safety instrumented systems (phase 2…4). Other lifecycle-phases define assem-15 bly, validation, putting into operation, operation, maintenance and management of change (phases 5…7) and shut-down (phase 8). According to IEC 61511-1” each phase of the safety life cycle shall be defined in terms of its inputs, outputs and verifi-cation activities” p.35. For the phases of the SLC “safety planning shall take place to define the criteria, techniques, measures and procedures to: ensure that the SIS 20 safety requirements are achieved for all relevant modes of the process […]; ensure proper installation and commissioning of the safety instrumented system; ensure the safety integrity of the safety instrumented functions after installation; maintain the safety integrity during operation (for example, proof testing, failure analysis); manage the process hazards during maintenance activities on the safety instrumented sys-25 tem” p.37. The safety life-cycle model used in IEC 61511 is shown in the figure be-low:

Figure 2: The safety life-cycle model /7/ 30



Discussion Document

54

This document also covers the analysis, realization, and operation phases. It empha-sizes the continuous functions of planning, management, assessment, and verifica-tion, which support the sequential components of life cycle structure. The essential details of analyzing, designing, verifying, and documenting are dis-5 cussed and defined in all safety standards. It is important for an organization to de-vote extra care to the essential Safety Life Cycle so as to ensure that the desired safety level is achieved. The whole process of design, realization and maintenance of functional safety has to 10 be organized with a safety management system. There are requirements for the safety related integration of human factors aspects covering the whole lifecycle: Table 4: Human Factors requirements

paragraph in /EN61511-2/

HF-requirements

11 Design of SIS7 Human performance of operation and maintenance personnel as well as management is taken into account related to safety (man-machine-inter-face -MMI)

Qualitative and quantitative analysis of human reliability Examples of human errors as safety threats:

o Latent design errors o Errors during operation o Errors during maintenance o Errors during testing or interpretation of system state o Inadequate reaction in emergency case

11.7 Interfaces

If an operators’ action is part of the safety instrumented function all re-quirements for the commission of the action have to be treated as part of the safety instrumented function

Ergonomic requirements for interfaces: o Highlighting of safety instrumented elements vs operation related in-

struments o Frequencies of display update during emergencies o Colours, flashing lights and a clear data structure should support the

operator and prevent confusion o Messages should be clear, to the point and unambiguous

12.1 Requirement for the safety life cycle of software

Requirements fort the ergonomic design of the software

13 Factory accep-tance test

Participation of operating staff in the factory acceptance test

15 These ergonomic requirements reflect only a part of the safety management system. Not treated are important features like training and maintenance of knowledge and skills of operating personnel, integration of contractors, the influence of management, organizational structure, and motivation as part of the safety culture. Additional refer-ences have to be taken into account: 20

7 SIS- Safety Instrumented System, sicherheitstechnisches System (Schutzsystem)



Discussion Document

55

Safety instrumented systems – programmable electronic system (VDI/VDE 2180 -1 /62/, p.10f)

• Prevention oriented: Prevention of non-tolerable states of the system • Mitigation oriented: prevention of harm for people and environment.

5 The tasks of the safety instrumented systems are

• to monitor a safety relevant process parameter with respect to the admissible range of that process parameter

and in case of non conformity • to release a trip 10

or • to alert the permanently present operating crew by an alarm signal to perform

necessary and already well defined counter measures. Requirements for safety instrumented systems 15

1. Check, whether other direct impacting installation could be more adequate or more efficient like inherent safe design or protection / redundancy (mechanical or constructive)

2. Necessary risk-reduction 20

Namur Recommendation 31 /63/ “Contrary to the tasks of basic process control systems the task of a safety instru-mented system is exclusively limited to avoid that the process parameter will reach the non-admissible error range. In case of non existence of the safety instrumented 25 system a hazardous event is possible leading to personnel injury, significant hazard to the environment or a "serious hazard" according to the German legal regulation for incidents in industrial activities” The functions of a safety instrumented system always should override functions of 30 basic process control systems and monitoring systems. The initialization of the func-tions of a safety instrumented system occurs seldom, because of the low probability of the hazardous event and because of the measures of the different protection lay-ers. Common components, i.e. components used by the safety system as well as other systems, have to be specified according to the requirements of the safety in-35 strumented systems which are summarized in the annex. To operate a safety instrumented systems of class A organisational measures are required: 40

• Permanent monitoring by plant operators and instrument technicians • Inspection (functional testing) • Maintenance • Repair

45



Discussion Document

56

German working group on Human Factors of the Störfall-Kommission /64/ Loccum workshop results:

1. Pure technical measures for maintenance and enhancement of the safety of complex systems reached their limits (ironies of automation), only the joined integration of the technical, human and organizational components – taken 5 their strengths and weaknesses into account - guarantees reliability and safety.

2. System development and –design have to take an approach committed to de-fined safety goals as integrated parts, overcoming of the technical and eco-nomic design approach by “obligation of results“-policy (socio-technical 10 enlargement, precautious philosophy of safety – integration of HF-aspects). In-tegrative und human-centred design have to follow latest standards in an in-terdisciplinary perspective.

3. “A consequent human factors oriented approach in design and for safety en-hancement needs methods and tools“, for design (allocation of function be-15 tween man-machine, ergonomic aspects, control, safety instrumented and alarm systems, procedures, risk analysis, event analysis, human resource and organizational change programmes, training and education).”

Conclusions: 20 1. „System design for man-machine-interfaces should challenge the strengths of

the human and compensate his weakness“ (technology as compensation for human weaknesses is necessary in high-hazard industries, but technology in its recent shape restricts the strengths of the human operator (solution finding, routine, monotony) 25

2. „System design should ensure that the operator will be able to improve the safety actively during unforeseen events“ (goal of enhancement and enlarge-ment of competency, necessity of integration of system design and encom-passing operator training)

30

5.3 Literature research „We define automation as the execution by a machine agent (usually a computer) of a function that was previously carried out by a human.“ /65/, p. 231. 35 „Automation is any sensing, detection, information-processing, decision-making, or control action that could be performed by humans but is actually performed by ma-chine.“ /66/. In their framework for automation Parasuraman et al. /67/ discuss the questions at 40 which stage of the information processing automation comes into play: sensory proc-essing, perception /working memory, decision making or response selection, and on which level automation is realized (high vs. low). For the decision stage only a low automation level seems to be working. 45



Discussion Document

57

According to Endsley and Kiris /68/ there are five stages of automation with the fol-lowing roles (figure 2).

Figure 2: Levels of automation (Endsley & Kiris /68/) 5

Sheridan /69/ discusses the following eight automation levels: 1. Computer offers no assistance: the human must do it all 2. Computer suggests alternative ways to do the task 3. Computer suggest one decision alternative and 4. ... executes it if the human approves 10 5. ... allows the human a restricted time to veto before automatic execution 6. ... executes automatically, then necessarily informs the human 7. ... executes automatically, then informs the human only if asked for 8. Computer selects, acts and ignores the human 15

Allocation of function in MMI A typical solution is to say: allocate functions to the human for the tasks best suited to the human, allocating to the automation the task best suited to it. This is easy to say, but not so easy to do. 20 The ISO/TC 159/SC 1/WG 1 N 88 (2006) defines allocation of functions as “process of deciding how system functions shall be implemented, by humans, by equipment and/or hardware and/or software” and task allocation as “distribution of work tasks or work task elements between operators and systems”.

25 Criteria for the allocation of functions from a psychological perspective are:

• Complete tasks for operators /70/. • Degrees of freedom for work conduction and decision – loose coupling

(time and content) to technology /71/ • Use of existing qualifications – transparency of processes 30 • Ability to learn from experience

Criteria for man-machine-interface-design

1. Cost-centred approaches • Task are automated or left for the operator if the chosen solution is more 35

economic • Minimization of costs of „human“ / technology • Economic perspective



Discussion Document

58

2. Technology-centred approaches • All tasks which can be automated are automated • Reduction of the risk-factor „operator“ • Reduction to non-automation tasks (left-over principle /72/) • Engineering perspective 5

3. Skill-centred approaches • Allocation of function according to relevant performance strengths • Optimization of performance (speed, precision) • MABA-MABA-list (men are better at- machines are better at) • Kompensationsgedanke (compensatory principle /72/) 10

4. Human-centred approaches • Operator and technology are a co-operative system which performance should

be optimized • Operator and technology are complementary not compensatory, • Automated systems as „team-partner“ /73/ Optimization of system reliability /74/ 15

These approaches are mainly focused on the direct interface and do not take inter-faces to other operators, to the organisation or to the environment into account. Research results for problems caused by automation 20 • One of the problems is the so called out-of-the-loop-unfamiliarity (OOTLUF) phe-

nomenon which restricts the effectiveness of vigilance in observation and control and can lead to a loss of skills or to a loss of situation awareness /75/; /67/; /76/:

• Loss of skills is higher for cognitive skills than for routine psycho-motoric skills, 25 and can be reduced by regular training without automation

• Loss of situation awareness because of missing feedback, over-trust in automa-tion or missing system knowlegde: „Situation awareness is formally defined as perception of the elements in the environment within a volume of time and space, the comprehension of their meaning, and the projection of their status in the near 30 future“ /77/.

Figure 3: Information sources for situation awareness /77/

35



Discussion Document

59

Correspondence between the level of automation and OOTLUF /78/ is not neces-sary. The way of implementation seems to be important, i.e. system transparency (information and feedback for perception, understanding and forecast of system state). The suggested solution is flexible automation, i.e. no static allocation, flexible change depending on defined criteria. 5

Figure 4: Model of flexible automation /76/

10

5.4 Conclusion According to the standards on safety instrumented systems four different types of man-machine-interaction can be distinguished:

1. Human impact on safety instrumented systems during the whole lifecycle 15 by design, maintenance, operation, quality management and supervision and control – like the four-eye-principle (independent checks)

2. Man-machine-interaction by monitoring of the safety instrumented system and response to faults.

3. Human impact via humans conceptualized as being “part of the safety in-20 strumented system”, as being part of the safety function – either func-tioning as signal detection / information processing part or the actor part

4. Human impact by bypassing the safety instrumented system – planned or allowed- by manual operation

25 If the operator is part of the safety function:

1. a task analysis should be completed and there should be rules for emergen-cies;

2. the maximal credit for risk reduction by use of the operator in the safety func-tion should be adjusted to IEC 61511 /7/ 30

It seems obvious that in the standards the operator is treated as a part of the safety function as discussed above, but that only a very few recommendations and requirements according to his potential impact are given, e.g. according to education, tasks and task design, training and necessary competence etc. It 35 seems necessary to formulate requirements to proof the safety function of the man-machine-interface.



Discussion Document

60

There is still a need to emphasise the four different types of human influence on the safety instrumented system as described above more explicitly in the standards and regulations. Furthermore there is a need to include the results of the research into existing regulation, especially the need for task-analysis, for ergonomic requirements, for education and training as well as safety culture improvements which have to be 5 formulated and taken into account.

5.5 Questions The discussion should cover topics like:

1. Are the four different types of Man-Machine-Interaction according to IEC 10 61511 well described?

2. How operator tasks in abnormal situations should be identified and assessed is the operator is part of the safety function?

3. How to consider human skills in this process? 4. Does it make sense to limit the credit to be taken from the operator as a part of 15

the safety function by 10 as maximum achievable risk reduction? 5. How to inhibit process alteration by operator activities to prevent automatic

shut-offs causing out of design situations causing major accidents although an automatic safety system is installed?



Discussion Document

61

6 Thematic session 5: Human Factors in alarm manage-ment

Key objectives to be covered in the session 5

• Explain considerations on how to take human factors into account in designing new alarm systems;

• Explain ways of evaluating and improving existing alarm systems of installa-tions;

• Make recommendations on the sufficient support of the operator handling 10 flood, suppression, prioritisation etc.

6.1 Introduction According to the IEC 61511 there are messages and two types of alarms: Monitoring System - Messages 15 Control system – Alarms Safety System – Critical alarms – operator action for prevention of major acci-

dents SIS - Alarms – operator supervision of the SIS 20 Parallel to the safety system exists the alarm system (i.e. alarms of the control and safety systems) and its interface with the operators involved in "abnormal situations". Design, modifications to, and maintenance of alarm systems should take human weaknesses into account as well as the ‘natural’ ability of operators to successfully control the course of events in abnormal situations and avoid a (major) accident. The 25 aim of this session is to make recommendations on suitable alarm management. For the preparation of this section of the discussion document the following sources were analysed:

• Regulations and technical standards 30 • Scientific literature

6.2 Regulation and technical standards For the discussion of human factors in alarm management the following official documents seems to be relevant: 35

• HSE information sheet No 6: better alarm handling /79/ • HSE Human Factors Briefing Note No 9: Alarm Handling /80/ • Namur Worksheet 102: Alarm management /8/ • EEMUA Publication No 191: Alarm systems – a guide to design, management

and procurement /81/ 40 HSE concludes in the information sheet No 6 /79/ that a better alarm handling can have a significant effect on the safety, because it leads to a tighter quality control, improved fault diagnosis and more effective plant management by operators. For the diagnosis of problems related to alarms the following questions are suggested: 45



Discussion Document

62

• How many alarms are there? • Are all necessary, requiring operator action? (Process status indicators should

not be designated as alarms) • How many alarms occur during normal operation? • How many occur during a plant upset? 5 • How many standing alarms are there? • Are operators overwhelmed by alarm “floods”? • Are there nuisance alarms, e.g. large numbers of alarms acknowledged in

quick succession, or are audible alarm regularly turned off? • Is alarm prioritisation helpful for operators? 10 • Do operators know what to do with each alarm? • Are there control room displays well laid out and easy to understand? • Is clear help available, written or on-screen? • How easy is it to ‘navigate’ around the alarm pages? • Are the terms used on screen the same as the terms the operators use? 15 • Have there been any critical incidents or near misses where operators missed

alarms or made the wrong response? • Is there a written policy/strategy on alarms? • Is there a company standard on alarms? • Is there a structured process for adding new alarms or modifying existing 20

ones? (There is a tendency for hazard and operability studies (HAZOPs) to generate actions which result in a lot of ‘quick fix’ alarms being installed)

• How many new alarms did your last HAZOP produce and how were they justi-fied?

• Can operators notice the alarms and correspond correctly to them? Was the 25 impact on the overall alarm burden on operators considered?

The following recommendation and references are given: The long-term average alarm rate during normal operation should be no more than 30 one in every ten minutes; and no more than ten displayed in the first ten minutes fol-lowing a major plant upset (EEMUA guide /81/, p. 37). For an effective alarm prioriti-sation it is necessary to define rules and apply them consistently to each alarm, to use about three priorities, to base priorities on the potential consequences if opera-tors fail to respond. The proportion of prioritisation should be 5% high priority, 15% 35 medium and 80% low (/81/, p.65). According to operator reliability it is required that there are a very obvious display of the specific alarm, few false alarms, low operator workload, a simple well-defined operator response, well trained operators and a test-ing of the effectiveness of operators’ responses. An effective alarm system should alert, inform and guide operators, allowing them to diagnose problems, prevent un-40 necessary emergency shutdown, only display useful and relevant alarms, be ergo-nomically designed and allow enough time for the operator to respond as well as de-fined responses for each alarm.



Discussion Document

63

In HSE Human Factors Briefing Note No 9 /80/ the following problems and solutions are presented: Table 5: Alarm handling (/80/, p.3)

PROBLEM POSSIBLE SOLUTIONS DESIGN

Masking - alarm sound is not heard above typical noise levels; alarm drowns out communications - lit up alarm cannot be seen above typical lighting levels

Raise alarm volume to 10dB(A) above other workplace noise; allow operators to lower the volume of alarms once they've sounded. Make alarm bright enough for all expected conditions; use colour to highlight the alarm; accompany visual alarm with a sound

Flooding - more alarms than the operators candeal with are presented at once

System should be designed to filter out orsuppress unnecessary alarms and to presentalarms in priority order; operators may need clearprocedures and training on how to prioritise theiractions

Difficult to tell one alarm from another - soundsor lights are very similar

Use 'coding' (e.g. different sounds; pulsing of sounds; different colours; flashing) to show importance of alarms and group by the safety function to which they relate

Nuisance alarms - false alarms, 'fleeting' or standing alarms

Change set points, hysteresis or dead bands to make the system less sensitive to short duration unimportant fluctuations. When alarms are expected (e.g. during testing and maintenance) and these cannot be overridden, use tags to indicate they are being tested

ORGANISATION / PROCEDURESOperators do not have enough time after the alarm commences to take the right action

Set the alarm levels to show the progress of an alarm situation e.g. a tank overfill alarm sounds at 'high' level then again at 'high high' level

Alarms are missed because the area where they appear is not constantly manned

Install 'repeater' alarms in several places; enforce manning of key operating areas

Operators experience other problems with alarms such as irrelevant and unimportant information being given or poor alarm names being used

Include operators in making suggestions about alarm problems and in suggesting solutions; check solutions against recommended guidance (see references)

Alarms are produced when a warning signal would do (alarm is attached to an event that is safety critical)

Alarms are designed against a risk assessment that identifies what plant conditions should produce an alarm

Alarms are in place because it's too difficult to automate the process - puts the responsibility on the operator to act

Design alarms according to good practiceprinciples (see references) - beware not tooverload the operator

5 In the Namur Worksheet 102 /8/ the purpose is to set out a procedure for designing alarm management within a process control system with the following characteristics:

• “Demand for action depending on process status • Support for appropriate assessment of situations and operator intervention • Easy recognition, transparency and consistency of messages and alarms 10 • Number and frequency of alarm and message signals kept to a minimum • Low burden on operator when alarms or messages come up • Documentation and evaluation tools” /8/, p.5

An alarm should have the following characteristics /8/; /81/: relevant, unique, timely, prioritized, understandable, diagnostic, advisory, focusing. Because of physiological 15



Discussion Document

64

Priority

Prio

rity

and mental characteristics human beings are capable of differentiating between rela-tive signals (shades of colours, sounds) and distinguish one from another, but do not show the same skills for absolute signals (specific colours, specific pitch of sounds, flash frequency), which reduces the variety of those that can be used (e.g. no more than 5-9 colours, 2 different flash rates, see also VDI 3699 /82, 83/, IEC 73 /84/, DIN 5 2403 /85/). The provision of pre-processed information (meta-characters) has a posi-tive effect on fast recognition and association. Methods for alarm processing are: alarm grouping, filtering when generating alarms, first-event signal, and alarm suppression. It is suggested that the prioritization fol-10 lows the criteria of a) consequence and b) time available for action. Prioritization should be colour-coded. The following prioritization matrix is suggested: 15

Seriousness

Response time Shutdown Loss of product

quality

Delay in pro-

duction

< 5 min High Medium Low

5-20 min Medium Low Low

> 20 min Low Low Low

Figure 5: Prioritization matrix /8/, p. 12 20 In this prioritization matrix two implicit assumptions are covered: a) seriousness could be a major accident or an environmental damage and b) all systems with alarms have more or less automated shutdowns. Prioritizations can be reached by volume for audible signals or by pulsation fre-25 quency and by colour or flash frequency for visible signals. Types of visualization for alarms are:

• Alarm diagram for the area • Alarm visualization via alarm list 30 • Alarms in process displays • First event indication warning system

For a continuous improvement process, i.e. optimization, updating and organization of the alarm management the following functions are required: 35

• “Performance monitor for analysing the



Discussion Document

65

Number of alarm per alarm type, alarm signal, alarm source and unit type Number of process alarms of one alarm source per time unit, “wobby” alarms, permanent alarms Duration of alarm status Evolution of active alarm signals from one alarm source (alarm chains), 5 evolution over duration of active/unacknowledged signal separated into time units Incidence of active/unacknowledged alarm signal times Duration of alarm acknowledgement Number of alarms that have returned unacknowledged 10 Alarm resulting from operator intervention Operator intervention as a result of process alarm and following acknowl-edgement

• Audit trail for alarms, limit value warnings and suppressed alarms • Access and authorization” /8/, p. 19 15

A careful documentation of important features as prioritization, grouping and situa-tion-related alarm suppression is required. In the EEMUA guide /81/ recommendations for alarm systems design activities are 20 given:

• Risk assessment (development of a plant safety case, identification of the safety role of the operator, risk assessment to identify alarms to protect against safety, environmental or economic risks, review to identify alarms providing significant risk reduction) 25

• Ergonomics (identification of number of operators and their roles, overall de-sign of operator interface, design of alarm interface)

• Design of individual alarms (review of proposed alarms not deriving from risk assessment, identification of alarms with special integrity or display re-quirements, completion of data from for each alarm, production of alarm re-30 sponse procedures, design of plant alarm sensors, design of hardware for conditioning individual alarm signals, installation of plant alarm sensors and signal conditioning)

• Design integration (rationalization of lists of proposed alarms, review of overall system design to meet key design principles, identification of required 35 alarm processing functionality)

• Alarm system configuration (installation of alarm system hardware, con-figuration of alarm system hardware/software facilities, construction of alarm information database, configuration of hardware/software for individual alarms, configuration of alarm combination logic) 40

• Testing and commissioning (testing of alarm system facilities, testing of alarm sensors and signal conditioning, testing of individual alarm hard-ware/software configurations, evaluation of overall ergonomic acceptability, measurement of alarm system performance, determination of ongoing testing needs, optimization of operational performance) 45



Discussion Document

66

Furthermore, elements of user-centred design are described, because the complete interface should be designed reflecting best ergonomic practices as an integrated and usable system: design review, task analysis, operator involvement, early ergo-nomics evaluation, on-going monitoring. 5 According to EEMUA /81/ attributes of a good alarm message are the following:

• Clearly identifies the condition that has occurred • Uses terms that the operator is familiar with • Uses consistent abbreviations from a standard site dictionary of abbrevia-

tions 10 • Has a consistent message structure • Does not rely on the learning of tag names or numbers • Has been checked for usability during actual plant operation

6.3 Scientific literature 15 The evaluation of the scientific literature yields only a few additional items. Smith et al. /86/ describe a gap in safety management systems according to alarm handling: no clear identification of safety related alarm, too many top priority alarms, no site alarm policy or philosophy, no records of assessing operator competence, no per-formance specifications for alarm procurement. Dunn and Sands /87/ identify nui-20 sance alarms, stale alarms, flood of alarms and lack of clarity of alarms as problems related to alarm systems. They present an alarm management lifecycle: philosophy, identification, rationalization, design, implementation and training, operation, per-formance monitoring, maintenance, assessment, management of change with three loops for maintaining and improving: monitoring and maintenance loop, monitoring 25 and management of change loop, assessment loop. Honeywell /88/ identifies another problem: the fact that alarms actually are single-dimension representations of what are often multi-dimensional problems. 30 Nimmo /89/ suggests two types of assessments for alarm management: a physical assessment of performance in a range of scenarios and a ladder assessment of the management and cultural attributes underlying the control of operations, including individual factors (situation awareness, teamwork, alertness and fatigue, training and development, roles and responsibilities, willingness to act) and organizational factors 35 (management of operating procedures, management of change, continuous im-provement of control room safety, management of safety)

6.4 Conclusion In this session recommendations on the consideration of the results of EEMUA /81/ 40 and NAMUR /8/ in the OECD Guiding Principles /5/ should be presented and dis-cussed, concerning relevant recommendations as well as taking into account ergo-nomic requirements.



Discussion Document

67

According to EEMUA /81/ four core principles should be regarded: • Usability: Alarm systems should be designed to meet user needs and operate

within the user‘s capabilities. • Safety: The contribution of the alarm system to protecting the safety of people,

the environment and the plant should be clearly identified. 5 • Performance monitoring: The performance of the alarm system should be as-

sessed during design and commissioning to ensure that it is usable and effective under all operating conditions. Regular auditing should be continued throughout plant life to confirm that good performance is maintained.

• Investment in engineering: Alarm Systems should be engineered to suitably 10 high standards. When new alarm systems are developed (or existing systems are modified), the design should follow a structured methodology in which every alarm is justified and properly engineered.

Furthermore shall alarm systems help the operator: 15

• to correct potentially dangerous situations before the Emergency Shutdown System (ESD) is forced to intervene

• to recognise and act to avoid hazardous situations • to prevent major accidents or limit its consequences.

20 Alarm Management should include: 1. Design of alarm systems, including risk assessment, structuring of alarms (priori-

tisation), reliability evaluation and evaluation of the consideration of ergonomic requirements

2. Documentation, validation, testing of the alarm system 25 3. Monitoring, verification, performance measurement and improvement programme 4. Management of change and decommissioning 1. Alarm Systems Design Principles for alarm systems design are: 30 • The purpose of an alarm system is to direct the operators attention towards plant

conditions requiring timely assessment or action. • Each alarm should alert, inform and guide. • Every alarm presented to the operator should be useful and relevant to the op-

erator. 35 • Every alarm should have a defined response. • Adequate time should be allowed for the operator to carry out his defined re-

sponse. • The alarm system should be explicitly designed to take account of human limita-

tions. 40 • Every alarm should be justified, properly engineered and be consistent with the

overall alarm philosophy and the plant risk assessment. • The design of each alarm should follow a systematic structured procedure in

which design decisions are documented. • Stand alone systems can provide good reliability and can be designed so that 45

critical alarms are very obvious and easy to recognise.



Discussion Document

68

• The process control system should support the assessment of complex situations like more than one alarm is raised or failures of the emergency shut of systems or the alarm system.

• Alarm systems should be designed so that failures are made obvious to the op-erator. The operational implications of potential failures should be assessed, and 5 considerations should be given to the need for operator procedures to cover them.

• Alarm list displays should be designed such that repeating alarms do not cause them to become unusable.

• An integrated design should be developed for all audible alarms in the control 10 room. Human physiological performance factors muse be borne in mind.

• The colours and visualization standards must be used consistently throughout the alarm system

A fundamental issue when designing each alarm is to consider how important it is 15 and how reliable it should be. To do this it is necessary to go through some form of qualitative and quantitative risk assessment. The Principles for risk assessment are: • Risk reduction should start with the initial plant design by selecting processes and 20

plant configurations which have appropriate inherent safety. • The design of alarm systems should involve a consideration of the risks of injury

to people and damage to the environment, and a decision about which risks the alarms are intended to reduce.

• Even on highly automated plants with extensive automatic protection systems 25 there almost certainly will be potential fault scenarios that require operator inter-vention. These scenarios should be identified and it should be determined whether and how the alarm system will support the operator in carrying out this corrective action.

• There is a limit to the amount of risk reduction which can be achieved using (criti-30 cal) alarms even when the equipment is of the highest integrity.

• If an alarm system is not suitable for implementation and significant risk reduction is needed, then this should be obtained by alternative means (e.g. installing addi-tional technology or process modification).

35 Alarm processing should support the operator by compressing information and giving interpretation support. It includes alarm grouping, filtering when generating alarms, first event signals and alarm suppression. The Principles for structuring of alarm systems are: 40 • Availability of written rules on how priorities should be assigned. These should be

applied consistently to all alarms in all systems used by the operator. • In every alarm system the operator should not be overloaded with alarms pre-

sented by the chosen display arrangement – either in normal operation, start-up, changing process conditions or shut-down. 45

• It is usually appropriate to prioritise alarms according to two factors: the severity of the consequences that the operator could prevent by taking the corrective ac-



Discussion Document

69

tion associated with the alarm and the time available compared with the time re-quired for the corrective action to be performed to have the desired effect.

• Experience has shown that the use of priority bands within any one type of dis-play is ergonomically effective for the normal presentation of alarms. Definitions of alarm priority should be consistent across systems 5

• Displays should be designed to assist the operator information so that the opera-tor can easily access all key information even if the alarm system does become overloaded.

• In case of alarm overload the operator may be able to: select the alarm list display to show only high priority alarms and ignore all medium and low priority alarms or 10 ignore all alarms on the process control system and only look at alarms on the stand-alone system.

• There are two parallel approaches that the designer should take to reduce the problems of alarm overload: Eliminate the alarm overload or improve the man-agement of alarm overloads. Steps should be taken to ensure that the operator 15 performs as effectively as possible during any overload incident that do occur nevertheless.

2. Documentation, validation, testing of the alarm system For all credible accident scenarios the designer should demonstrate that the total 20 number of alarms and their maximum rate of presentation does not overload the op-erator. The following points should be regarded: • Each and every alarm should be covered by a written (or on screen) alarm re-

sponse procedure which should assist the operator in identifying and carrying out 25 the necessary response. Many alarms may have a very similar response and may be covered by a general procedure. However, for critical alarms an individual pro-cedure per alarm is generally justified.

• All alarm settings should be systematically determined and documented during design, commissioning and operation. All changes should be documented with 30 reasons.

• A strategy should be developed for the validation and testing of alarm systems. Validation and testing shall be carried out where an alarm is critical. There should be written procedures. The procedures should specify realistic tolerances on the point at which an alarm should become active. 35

3. Monitoring, verification, performance measurement and improvement pro-

gramme Alarm management is not a one-off exercise. It needs to be evaluated continuously or at reasonable intervals. Alarm systems performance should be regularly checked 40 especially to ensure that alarm overload is not occurring. • Measurement of the performance of an alarm system can be used: as perform-

ance targets for the acceptability of a new alarm system, to assess the adequacy of an existing alarm system, as management tools for assessing the effectiveness of an on-going improvement programme, to identify specific nuisance alarms. 45

• Usability benchmarks may help in the assessment of whether the operator will find the alarm system easy to work with.



Discussion Document

70

• A review programme should be set up to identify spurious or badly designed alarms and to re-engineer them. The review should ultimately cover every alarm in the system.

• A powerful tool for achieving alarm system improvement is to assign the task to specific teams. The operators and supervisors should be involved deeply in any 5 programme to improve alarm systems.

• Performance should be audited, overload incidents should be identified and steps should be taken to minimise their frequency.

4. .Management of change and decommissioning 10 There should be defined procedures to control changes to the alarm system including decommissioning of parts of it. Thus all proposed changes should be fully analysed, their consequences should be determined, and agreed changes should be recorded with reasons. 15

6.5 Questions 1. Is the overall structure of the proposed recommendations suitable? 2. Are relevant chapters or overall subjects missing? 3. Are general modifications due to existing legislation, standards or practices

required? 20 4. Are relevant recommendations e.g. of Namur, EEMUA etc. missing? 5. Are modifications of significant relevance of the proposed recommenda-

tions required? 6. What are the barriers and further problems related to alarm management? 7. What are the barriers and further problems to consider beside technical 25

and information processing factors those which are more “soft” like team-work and organizational factors?

8. How can the numbers according to human perception and progressing re-ported in Namur or EEMUA be validated?



Discussion Document

71

7 References /1/ Working Group on Chemical Accidents (2006). PREPARATION OF A WORK-

SHOP ON HUMAN FACTOR IN CHEMICAL ACCIDENTS AND INCIDENTS. ENV/JM/ACC(2006)5. Proceeding at the 16th Meeting of the Working Group on Chemical Accidents, to be held on 19-20 October 2006 in Varese, Italy. 5

/2/ Uth, H.-J., & Wiese, N. (2004). Central collecting and evaluating of major acci-

dents and near- miss- events in the Federal Republic of Germany- results, ex-periences, perspectives. Journal of Hazardous Materials, 111, 139-145.

10 /3/ HSE (2005). Inspectors Toolkit: Human factor in the management of major

accident hazards. Available under: http://213.212.77.20/humanfactors/comah/toolkitintro.pdf [19.12.2006]. /4/ Health and Safety Executive (1999). HSG48. Reducing error and influencing 15

behaviour. London: HMSO /5/ OECD (2003). Guiding Principles for Chemical Accident Prevention, Prepared-

ness and Response. Available under: http://www.oecd.org/dataoecd/10/37/2789820.pdf [23.06.2003]. 20 /6/ VDI 4006-1. Human reliability - Ergonomic requirements and methods of as-

sessment, November, 2002. /7/ IEC 61511-1. Functional safety- Safety instrumented systems for the process 25

industry sector- Part 1: Framework, definitions, system, hardware and soft-ware requirements, January 2003.

/8/ Namur- Worksheet NA 102. Alarm Management. AK 2.9, Dezember 2005. 30 /9/ VDI 4006-2. Human reliability - Methods for quantitative assessment of human

reliability, February 2003. /10/ HSL Report: Bell, J. & Healey, N. (2006). The causes of major hazard inci-

dents and how to improve risk control and health and safety management: a 35 review of the existing literature. Health & Safety Laboratory. HSL/2006/117.

/11/ Lee, T. (1998). Assessment of safety culture at a nuclear reprocessing plant.

Work & Stress, 12 (3), 217-237. 40 /12/ HSE (1996). The contribution of attitudinal and management factors to risk in

chemical industry. HSE Contract Research Report No. 81/1996. Available under: http://www.hse.gov.uk/research/crr_pdf/1996/CRR96081.pdf

[11.01.2007]. 45 /13/ Fahlbruch, B. (2000). Vom Unfall zu den Ursachen: Empirische Bewertung

von Analyseverfahren. Berlin: Mensch & Buch Verlag.



Discussion Document

72

/14/ Hollnagel, E. (2005). The Elusiveness of "Human Error". Available under: http://www.ida.liu.se/~eriho/HumanError_M.htm [28.11.2006].

/15/ Amalberti, R. (2001). The Paradoxes of almost totally safe transportation sys-

tems. Safety Science, 37, 109- 126. 5 /16/ Lourens, P. F. (1989). Error analysis and application in transportation sys-

tems. Accident Analysis & Prevention, 21(5), 419-426. /17/ Leplat, J. (1986). Human errors in new technologies: Methods of analysis. In 10

H. Raum & W. Hacker (Eds.), Optimierung geistiger Arbeitstätigkeiten. Refe-rate des V. Dresdner Symposiums zur Arbeits- und Ingenieurspsychologie.

/18/ Rasmussen, J. (1980). What can be learned from human error reports? In K.

D. Duncan, M. M. Gruneberg, & D. Walls (Eds.), Changes in Working Life (pp. 15 97-113). Chichester: Wiley.

/19/ Rauterberg, M. (1996). Why and What can we learn from human errors?. In A.

F. Özok & G. Salvendy (Eds.), Advances in Applied Ergonomics. Proceedings of the 1st International Conference on Applied Psychology, ICAE `96, Istanbul, 20 May 21.24, 1996 (pp. 827-830). Istanbul, West Lafayette: USA Publishing.

/20/ Duffey, R. B. & Saull, J. W. (2003). Errors in Technological Systems. Human

factors and Ergonomics in Manufacturing, 13(4), 279-291. 25 /21/ Zapf, D., Brodbeck, F. C., Frese, M., Peters, H., & Prümper, J. (1992). Errors

in working with office computers: A first validation of a taxonomy for observed errors in a field setting. International Journal of Human-Computer Interaction, 4(4), 311-339.

30 /22/ Shaban, R. Z., Wyatt Smith, C.M., Joy Cumming, J. (2004). Uncertainty, Error

and Risk in Human Clinical Judgement: Introductory Theoretical Frameworks in Paramedic Practice. Journal of Emergency Primary Health Care (JEPHC), 2, Issue 1-2.

35 /23/ Reason, J. (2001). Understanding adverts events: the human factor. In: C.

Vincent (Eds.), Clinical Risk Management. London: British Medical Journal Books.

/24/ Shappell, S. A., Wiegmann, D.A. (2003). Human Error and General Aviation 40

Accidents: A Comprehensive, Fine- Grained Analyses Using HFACS. Avail-able under: http://www.hf.faa.gov/docs/508/docs/gaFY04HFACSrpt.pdf [28.11.2006].

/25/ Helmreich, R. L. (2000). On error management: lessons from aviation. Avail-45

able under: http://bmj.com/cgi/content/full/320/7237/781#BIBL [07.01.2005].



Discussion Document

73

/26/ Bove, T. (2002). Development and Validition of a Human Error Management Taxonomy in Air Traffic Control. Doctoral Dissertation at University of Roskilde.

/27/ Yemelyanov, A. M. (2004). Toward a System Approach to Human Error Inves-5

tigation. Proceedings of the Human factors and Ergonomics Society 48th An-nual Meeting. Denver, CO: 20- 24 September 2004, pp. 2436- 2440.

/28/ Klumb, P. L. (1994). Attention, action, absent-minded aberrations: A behav-

iour-economic approach. Doctoral Dissertation at Technische Universität Ber-10 lin.

/29/ Lorenzo, D. K. (1990). A Manager's Guide to Reducing Human Errors. Wash-

ington, DC: Chemical Manufactures Association, Inc. 15 /30/ Singleton, W. T. (1973). Theoretical approaches to human error. Ergonomics,

16(6), 727-737. /31/ Rasmussen, J. (1993). Perspective on the concept of human error. Paper pre-

sented at Society for Technology in Anesthesia Conference "Human Perform-20 ance and Anasthesia Technology", New Orleans, February 1993.

/32/ More, D. A. (2003). A Simplified Risk- Based Approach For Analyzing Human

factors. In Hazards XVII- Process safety- Fulfilling our responsibilities, Sympo-sium Series No. 149 (pp. 537- 548). Rugby, UK: IChemE. 25

/33/ Abu- Khader, M. M. (2004). Impact Of Human Behaviour On Process Safety

Management In Developing Countries. In Proceedings of the Trans ICemE, Part B, Process Safety and Environmental Protection, 82 (B6), 431-437.

30 /34/ Leplat, J., & Rasmussen, J. (1984). Analysis of human errors in industrial inci-

dents and accidents for improvement of work safety. Accident Analysis & Pre-vention, 16(2), 77-88.

/35/ ICNPO- Conferenence Report. (1994). First International Conference on HF-35

Research in Nuclear Power Operations (ICNPO). 31 Oktober bis 2 November, Berlin.

/36/ Singleton, W. T. (1972). Techniques for determining the causes of error. Ap-

plied Ergonomics, 3(3), 126-131. 40 /37/ Reason, J. (1997). Managing the risks of organizational accidents. Aldershot:

Ashgate. /38/ Reason, J. (1990). Human error. Cambridge: Cambridge University Press. 45 /39/ Rasmussen, J. (1987). Approaches to the Control of the Effects of Human Er-

ror on chemical plant safety. Roskilde: Riso National Laboratory.



Discussion Document

74

/40/ Groeneweg, J. (1992). Controlling the controllable. The management of safety. Leiden: DSWO Press.

/41/ van Vuuren, W. (1998). Organisational failure: An explonatory study in the

steel industry and the medical domain (pp. 1-149). Eindhoven: Eindhoven 5 University of Technology - Proefschrift 1998.

/42/ Swain, A.D., Guttman H.E. (1983). Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications. Final report. (NUREG/CR-1278). Washington DC: U.S. Nuclear Regulatory Commission.

10 /43/ OECD (2003). OECD Guidance on Safety Performance Indicators. Available

under: http://www.oecd.org/dataoecd/60/39/21568440.pdf [11.01.2007]. /44/ Wilpert, B., & Fahlbruch, B. (2004). Safety culture: Analysis and intervention.

In C. Spitzer, U. Schmocker, & V. N. Dang (Eds.), Probabilistic safety assess-15 ment and management (Vol. 2, pp. 843-849). London: Springer.

/45/ INSAG. (1991). Safety culture. Vienna: International Atomic Energy Agency

(Safety Series No. 75-INSAG-4). 20 /46/ IAEA. (1998). Safety culture self-assessment. Report of a technical committee

meeting, June 1998. /47/ INSAG - International Safety Advisory Group (1998). Developing safety culture

in nuclear activities: Practical suggestions to assist progress. Safety Reports 25 Series No. 11. Vienna: IAEA.

/48/ IAEA. (2001). The operating organization for nuclear power plants: safety

guide. Vienna: International Atomic Energy Agency (IAEA). 30 /49/ Responsible Care (n.d.). Available under: http://www.cefic.be/Files/Publications/rcreport2004.pdf [11.01.2007]. /50/ The Keil Centre (2001). Safety Culture maturity model. HSE Offshore Technol-

ogy Report 2000/049. 35 /51/ A review of safety culture and safety climate literature for the development of

the safety culture inspection toolkit. Human Engineering 2005. HSE CRR 367. Key indicators from the safety culture inspection toolkit for the rail industry (HMRI): leadership, two-way communication, employee involvement, learning 40 culture and attitude towards blame.

/52/ Internationale Länderkommission Kerntechnik (2005). ILK-Stellungnahme zum

Umgang der Aufsichtsbehörde mit den von den Betreibern durchgeführten Selbstbewertungen der Sicherheitskultur. atw 2005/5, p.317-322. 45

/53/ Kadri, S.H. & Jones, D.W. (2006). Nuturing a strong process safety culture.

Process Safety Progress, 25/1, 16-20.



Discussion Document

75

/54/ Wilpert, B., Maimer, H. & Loroff, C. (2000). Einfluß des Menschen auf die Si-cherheit von Kernkraftwerken - Bewertung der Zuverlässigkeit einer com-putergestützten Ereignisanalyse (CEA) in der Kernindustrie. Endbericht. TU Berlin.

5 /55/ Wilpert, B. & Fahlbruch, B. (2003). Final Report on the Advanced Research

and Training Seminar (ARTS) on Work-Place Safety, System Safety and Psy-chology, Singapore, July 13-15, 2002. International Journal of Psychology, 38 (2), 113-118.

10 /56/ Olive, C., O’Connor, M. & Mannan, M.S. (2006). Relationship of safety culture

and process safety. Journal of Hazardous Materials, 130, 133-140. /57/ Commission Regulation (EC) No 2042/2003 of 20 November 2003 on the

continuing airworthiness of aircraft and aeronautical products, parts and 15 appliances, and on the approval of organisations and personnel involved in these tasks (Text with EEA relevance). Official Journal L 315 , 28/11/2003 P. 0001 – 0165.

/58/ IEC/EN 61511- 2. Functional safety- Safety instrumented systems for the 20

process industry sector- Part 2: Guidelines for the application of IEC 61511- 1, July 2003.

/59/ IEC/EN 61511- 3. Functional safety- Safety instrumented systems for the

process industry sector- Part 3: Guidance for the determination of the required 25 safety integrity levels, March 2003.

/60/ Richtlinie 96/82/EG des Rates vom 9. Dezember 1996 zur Beherrschung der

Gefahren bei schweren Unfällen mit gefährlichen Stoffen (“Seveso II- Richtli-nie“) . Available under: http://europa.eu.int/comm/environment/seveso/ and 30

http://mahbsrv.jrc.it. /61/ IEC/EN 61508 (2002). International Standard 61508 Functional Safety: Safety-

Related System. Geneva, International Electrotechnical Commission. 35 /62/ VDI/VDE 2180- 1. Sicherung von Anlagen der Verfahrenstechnik mit Mitteln

der Prozessleittechnik (Entwurf), Oktober 2005. /63/ NE 031. Anlagensicherung mit Mitteln der Prozessleittechnik. AK 4.5, Juli

2006. 40 /64/ IFSN- Interdisziplinäre Forschungsgruppe für soziale Nachhaltigkeit (2002).

Projekt: Wissenschaftliche Beteiligung sowie Informationsdarstellung zu dem Vorhaben „Human Factors“, Abschlussbericht. Verfügbar unter: http://www.sfk-45 taa.de/berichte_reports/andere_dokumente/abschlussbericht_uni_oldenburg.pdf [Stand: 11.01. 2007].



Discussion Document

76

/65/ Parasuraman, R. & Riley, V. (1997). Humans and automation: Use, misuse, disuse, abuse. Human factors, 39, 230-253.

/66/ Moray, N., Inagaki, T., & Itoh, M. (2000). Adaptive Automation, Trust, and Self-

Confidence in Fault Management of Time-Critical Tasks. Journal of Experi-5 mental Psychology: Applied, 6(1), 44-58.

/67/ Parasuraman, R., Sheridan, T. B., & Wickens, C. D. (2000). A Model for Types

and Levels of Human Interaction with Automation. IEEE Transactions on Sys-tems,Man, and Cybernetics, 30(3), 286-297. 10

/68/ Endsley, M., & Kiris, E. (1995). The out-of-the-loop performance problem and level of control in automation. Human factors, 37(2), 381-394.

/69/ Sheridan, T.B. (2000). Function allocation: algorithm, alchemy or apostasy?

International Journal of Human-Computer Studies, 52, 203-216. 15 /70/ Ulich, E. (2001). Arbeitspsychologie (4. Aufl.). Zürich: Verlag der Fachvereine;

Stuttgart: Poeschel. /71/ Grote, G., Weik, S., Wäfler, T., Zölch, M. & Ryser, C. (1999). KOMPASS 20

(Komplementäre Analyse und Gestaltung von Produktionsaufgaben in sozio-technischen Systemen). In: H. Dunckel (Hrsg.), Handbuch psychologischer Arbeitsanalyseverfahren. Zürich: vdf.

/72/ Hollnagel E., Bye, A. (2000): Principles for Modelling Function Allocation. In 25

International Journal of Human-Computer Studies, 52 (2), p. 253-265. /73/ Christoffersen, K., & Woods, D. D. (2002). How to make automated systems

team players. Advances in Human Performance and Cognitive Engineering Research, 2, 1-12. 30

/74/ Gisa, H. G. & Timpe K.-P. (2000). Technisches Versagen und menschliche

Zuverlässigkeit. Bewertung der Verlässlichkeit in Mensch- Maschine- Syste-men. In K.-P. Timpe, T. Jürgensohn & H. Kolrep (Hrsg), Mensch-Maschine-Systemsicherheit (S. 63-106). Düsseldorf: Symposium Publishing. 35

/75/ Manzey, D. (2005). Arbeit in Mensch- Maschine Systemen 1-2. Vorlesung an

der TU-Berlin. Available under: http://www.gp.tu-berlin.de/AOPsychologie/Studium/material/ws0506m/A&O_I_10_1.pdf [11.01.2007]. 40

/76/ Wickens, C. D., & Hollands, J. G. (2000). Engineering psychology and human

performance (3rd ed.). Upper Saddle River, NJ: Prentice Hall. /77/ Endsley, M. (1996). Automation and situation awareness. In: Parasuraman, R. 45

& Mouloua, M. (eds.), Automation and human performance. Theory and appli-cations. Mahwah: Erlbaum.



Discussion Document

77

/78/ Lorenz, B., Di Nocera, F., Röttger, S., & Parasuraman, R. (2002). Automated fault management during simulated space flight. Aviation, Space, and Envi-ronmental Medicine, 73, 886-897.

/79/ HSE (2000). Better Alarm Handling. HSE Information Sheet- Chemical Sheet 5

No. 6. March, 2000. /80/ HSE (n.d.). Alarm handling. HSE information Sheet- Chemical Sheet No. 9.

Available under: http://www.hse.gov.uk/humanfactors/comah/09alarms.pdf [11.01.2007]. 10

/81/ EEMUA (1999). Alarm Systems: A Guide to Design, Management and Proce-durement. EEMUA Publication No 191. The Engineering Equipment and Mate-rials Users Association: London.

/82/ VDI/VDE 3699- 1. Prozessführung mit Bildschirmen – Begriffe, Mai 2005. 15 /83/ VDI/VDE 3699- 2. Prozessführung mit Bildschirmen – Grundlagen, Mai 2005. /84/ IEC 73 (1990). Colours of pushbuttons and their meanings. NY: International

Electrotechnical Commission. 20 /85/ DIN 2403. Kennzeichnung von Rohrleitungen nach dem Durchlflußstoff, März

1984. /86/ Smith, W. H., Howard, C. R., & Foord, A. G. (2003). Alarms Management – 25

Priority, Floods, Tears or Gain?. Available under: http://www.4-sightconsult-ing.co.uk/Current_Papers/Alarms_Management/alarmsmanagement.html [13.03.2003]

30 /87/ Dunn, D. G. & Sands, N. P. (2003). ISA-SP18- Alarm systems Managament

and design guide. Available under: http://www.equistar.com/TechLit/Tech%20Topics/Equistar%20Industry%20Pa

pers/Alarm_Systems_Management.pdf. [11.01.2007] 35 /88/ Honeywell (2006). Alarm Management. Available under: http://hpsweb.honeywell.com/Cultures/en-

US/Products/ControlApplications/AlarmManagement/default.htm [11.01.2007].

40 /89/ Nimmo, I. (2002). It's time to consider Human factors in Alarm Management.

Available under: http://www.mycontrolroom.com/sitedata/articles/archive/Human%20Factors%2

0in%20Alarm%20Management.pdf [11.01.2007]. 45 /90/ MaTSU (1999). Summary guide to safety climate tools. HSE Offshore Tech-

nology Report 1999/063. Available under: http://www.hse.gov.uk/RESEARCH/otopdf/1999/oto99063.pdf [13.04.2007].



Discussion Document

78

/91/ Lardner, R. (2003). Safety Culture Application Guide. PRISM FG1. The Keil Centre.

/92/ U.S. Chemical Safety and Hazard Investigation Board (2007). Investigation

report. Refinery explosion and fire. Report No.2005-04-I-TX. 5 /93/ HSE (2004). Core topic 2: HF in accident investigation. Available under:

http://www.hse.gov.uk/humanfactors/comah/core2.pdf [13.04.2007] /94/ HSE (2005). Inspectors toolkit (Draft). Human factors in the management of 10

major accident hazards. Available under: http://213.212.77.20/humanfactors/comah/toolkit.pdf [13.04.2007]

/95/ HSE (2000). Major incident investigation report- BP Grangemouth Scotland:

29th May - 10th June 2000 a public report prepared by the HSE on behalf of 15 competent authority. Available under: http://www.hse.gov.uk/comah/bpgrange/glossary.htm [13.04.2007]

/96/ HSE (1998). Management of alarm systems. Available under:

http://www.hse.gov.uk/research/crr_pdf/1998/CRR98166.pdf [13.04.2007] 20 /97/ Parliamentary Office of Science and Technology (2001). Managing human

error. postnote, 156, p. 1-8. /98/ HSE (n.d.). Humans and risk. HSE Human Factors Briefing Note No. 3. Avail-25

able under: http://www.hse.gov.uk/humanfactors/comah/03humansrisk.pdf [13.04.2007]

/99/ ISO/TC 159 (2006). Terminology. Unpublished paper 30



Discussion Document

79

8 Annex I

Table 6: Descriptions of “Cause Human” in the MARS database

MARS Database Cause Human No. Description Frequency

1 accidental inversion 1 2 act of negligence 2 3 arson (sabotage action), inadequate safeguarding 1 4 checking erroneously 1 5 confusion 1 6 control error, failure to control 1 7 defective information system 1 8 defective work permit system 1 9 disregard of the risk 1

10 erroneous manoeuvring 1 11 erroneous mixture 1 12 erroneous operation 1 13 external manipulation 1 14 failure of supervision 1 15 failures were not noticed 1 16 forgotten, human error of omission 2 17 handling error 1 18 hazards underestimated 1 19 human error during repair / maintenance 3 20 inadequate maintenance works 1 21 inadequate operation procedures 2 22 inadequate plant design 3 23 inadequate procedures 1 24 inadequate process analysis 1 25 Inadequate safety education of operators 1 26 inadequate training/instruction 1 27 inappropriate action 1 28 inappropriate design of plant/equipment/system 1 29 incorrect operation 1 30 ineffective control 1 31 instruction wasn't followed by the operator 1 32 instructions have not been respected 1 33 insufficient maintenance procedures 1 34 insufficient operational procedures 4 35 insufficient testing/inspection procedures 1 36 insufficient training 3 37 interchange 1

5



Discussion Document

80

MARS Database Cause Human No Description Frequency

38 lack of coordination 1 39 lack of maintenance 1 40 loose of control 1 41 loss of operational process control 1 42 malicious act 1 43 mistake (of the operator) 4 44 misunderstanding 1 45 not completely degasified 1 46 not fastened 1 47 not informed 1 48 operation against regulations 1 49 operator error 10 50 operator's mistake during demolition of installation 1 51 over-charge 1 52 overfilling 1 53 overpressurization 1 54 procedures were not fully applied 1 55 safety procedures were not suitable 1 56 storage mistakes 1 57 terroristic action (sabotage). 2 58 too long delay in reacting 1 59 untimely (wrongly) opened 1 60 violation of procedures 1 61 wrong connection 1 62 wrong handling / (manipulation) 4 63 wrong inertization 1 64 wrong loading 1 65 wrong manipulation 1 66 wrong mixing operation 1 67 wrong performance of a venting operation 1 68 wrong removal 1 69 wrongly operated 1 70 wrongly set rupture pressure 1 71 wrongly shut 1 72 wrongly supplied 1

Sum 100



Discussion Document

81

Table 7: NRC Coding Scheme Categories Areas Details

T1 Initial T2 Continuing/requalification T3 On-the-job training

100 Training LTA 101 Training process problem 102 Individual knowledge LTA

T Training

T4 Simulator training 103 Simulator training LTA

P Procedures and Refer-ence Docu-ments

P1 General operating P2 Abnormal/off normal/alarm condition P3 Emergency (EOPs & ERPs) P4 Reactivity control P5 Maintenance/modification P6 Surveillance/calibration/test P7 Chemical/ radiochemical P8 Refueling P9 Administrative P10 Licensing Documents P11 Special P12 Other

110 No procedure/reference documents 111 Procedure/reference document techni-cal content LTA 112 Procedure/reference document con-tains human factors deficiencies 113 Procedure/reference document devel-opment and maintenance LTA

F Fitness for Duty

F1 Drugs F2 Alcohol F3 Mental/emotional F4 Fatigue F5 Unknown/other

120 Testing LTA 121 Assessment LTA 122 Behavioral observation LTA 123 Self-declaration LTA 124 Training missing/LTA 125 Work hour control 126 Task design/work environment 127 Circadian factors/individual differences 128 Non-compliance 129 Impairment

O Oversight O1 Oversight 130 Inadequate supervision/ command and control 131 Management expectations or direc-tions LTA

R1 Problem identification 140 Problem not completely or accurately identified 141 Problem not properly classified or prioritized 142 Operating experience (OE) review LTA 143 Tracking/trending LTA 144 Audit/self-assessment/effectiveness review LTA

R2 Problem evaluation 145 Causal development LTA 146 Evaluation LTA

R3 Problem resolution 147 Individual corrective action LTA 148 Action not yet started or untimely 149 No action planned

R4 Corrective action program 150 Programmatic deficiency

R Problem Identification and Resolu-tion R1 Prob-lem

R5 Safety conscious work environment 151 Willingness to raise concerns LTA 152 Preventing and detecting retaliation LTA

C Communi-cation

C1 Oral C2 Written

160 No communication/information not communicated 161 Communication LTA 162 Communication equipment LTA



Discussion Document

82

H1 HSI components/equipment 170 HSI or availability/quality LTA

H2 Simulator 171 Simulator fidelity LTA 172 Simulator use LTA

H Human - System Inter-face (HSI) and Environ-ment

H3 Physical work environment 173 Physical conditions LTA

W1 Work planning and coordination 180 Scheduling and planning LTA 181 Inadequate staffing/task allo-cation 182 Work package quality LTA 183 Pre-job activities LTA 184 Tag outs LTA

W2 Work practices 185 Procedural adherence LTA 186 Failure to take action/meet requirements 187 Action implementation LTA 188 Work practice or craft skill LTA 189 Recognition of adverse condi-tion/questioning attitude LTA 190 Failure to stop work/non-conservative decision making 191 Team interactions LTA 192 Work untimely 193 Non-conservative action 194 Housekeeping LTA 195 Logkeeping or log review LTA 196 Independent verification/plant tours LTA

W Work Planning and Practices

W3 Awareness/ attention 197 Self-check LTA 198 Worker distracted/interrupted



Discussion Document

83

Examples of CSB reports of accidents with human contribution: 1. Fire at Formosa Plastics Corporation, Point Comfort, Texas, October 6,

2005 • A worker driving a fork truck towing a trailer under a pipe rack backed into 5

an opening between two columns to turn around. • When the worker drove forward, the trailer caught on a valve protruding

from a strainer in a propylene piping system. • The trailer pulled the valve and associated pipe out of the strainer, leaving

a 1.9-inch diameter opening. 10 • Pressurized liquid propylene (216 psig) rapidly escaped through the open-

ing and partially vaporized creating both a pool of propylene liquid and a rapidly expanding vapor cloud.

• Control room operators saw the vapour cloud on a closed circuit television and began to shut down the unit. 15

• Outside operators tried unsuccessfully to reach and close manual valves that could stop the release.

• The vapor cloud ignited. • A large pool fire burned under the pipe rack and the side of an elevated

structure that supported a number of vessels, heat exchangers, and relief 20 valves.

• The fire was extinguished about five days after the start of the incident. 2. Kaltech Industries Group, Inc. Borough of Manhattan, New York April

25, 2002 25 A chemical reaction caused an explosion when the [nitric] acid was combined

with lacquer thinner from another container. Root Causes:

• There was no compiled list of hazardous chemicals present in the facility. • Containers of wastes and certain chemicals onsite were not labeled. 30 • Employees received no formal training on the hazards of specific chemi-

cals in the workplace. • Material safety data sheets were unavailable to the workforce. • Waste materials were mixed without being identified or characterized, and

no effort was made to determine compatibility among materials. 35 • Employees received no formal training on proper hazardous waste man-

agement practices.



Discussion Document

84

3. West Pharmaceutical Services Dust Explosion and Fire Kinston, NC, January 29, 2003

Root Causes: • West Pharmaceutical Services, Inc., did not perform an adequate engi-

neering assessment of the use of powdered zinc stearate and polyethylene 5 as antitack agents in the rubber batchoff process.

• The company’s engineering management systems did not ensure that relevant industrial fire safety standards were consulted.

• The company’s management systems for reviewing MSDSs did not identify combustible dust hazards. 10

• The hazard communication program at the Kinston facility did not identify combustible dust hazards or make the workforce aware of such.



Discussion Document

85

9 ANNEX II INSAG key issues in safety culture (/47/, p. 5ff) Commitment: “Commitment to safety and to the strengthening of safety culture at the top of an organization is the first and vital ingredient in achieving excellent safety 5 performance. This means that safety (and particularly nuclear safety) is put clearly and unequivocally in first place in requirements from the top of the organization, and there is absolute clarity about the organization’s safety philosophy. However, true commitment to the enhancement of safety means more than writing a policy state-ment and mentioning the importance of safety in speeches by senior staff. Although 10 these are vital steps, most people are adept at spotting mismatches between fine words and reality. Commitment means not only providing leadership but also devel-oping, in partnership with staff and their representatives, the means of translating the safety goals of the organization into day to day reality. This latter step provides the visible evidence that aspirations are really held. It means genuinely devoting time 15 and resources to safety and requires that senior managers are trained and, in par-ticular, have the necessary competence in matters relating to nuclear safety” /47/, p.5.

Use of procedures: “Management systems require clearly written procedures that are fit for their purpose to control all aspects of nuclear and radiological safety. How-20 ever, there is a great difference between having excellent procedures on paper and having procedures that are understood and applied consistently and conscientiously by all staff. There is a need for balance in the number and extent of procedures. They should identify and address the main risks and be intelligible and of relevance to those who will use them. In particular, the rules and procedures, reinforced by train-25 ing, need to bring out clearly to the workforce the reasons for particular requirements, since only then will the procedures pass the test of relevance required by the opera-tor if he or she is to be fully committed to their use. In other words, it is essential that employees’ perceptions of risk are such that the requirements placed upon them are seen to be necessary and relevant. If procedures are not valued, shortcuts or ‘work-30 arounds’ will begin to be practised. This could lead to further degradation of safety standards, since working around a requirement which is not a prime safety require-ment can quickly lead to a culture in which even vital and fundamental safety proce-dures are no longer viewed as sacrosanct. The important conclusion from this is that simple intelligible procedures should be in place for work which needs to be con-35 trolled. These procedures ought to be in a form that can be used directly at the place of work.” /47/, p.6.

Conservative decision making: “INSAG-4 [1] referred to a questioning attitude and a rigorous and prudent approach. Well tested systems relying on defence in depth and supported by procedural requirements will protect employees and the public from 40 radiation hazards. It is easy, therefore, for the workforce to develop the attitude that safe conditions are provided for them by others, and that events at other plants are exceptional and isolated and could not occur at their plant. It is therefore essential that everyone connected with nuclear safety be constantly reminded of the potential consequences of failing to give safety absolute priority. Most incidents and accidents 45 in the nuclear industry have occurred because someone has failed to take the rele-vant precautions or has failed to consider or question in a conservative way decisions that they have made or the steps which were taken to implement them. In practice, it is important that there should be a requirement for each individual or team to stop



Discussion Document

86

and review safety before starting a piece of work or beginning to carry out a proce-dure. Various techniques have been developed, including the STAR (stop, think, act, review) principle. They all have one feature in common: the need to be conservative in safety related matters by staff checking their understanding of a situation (and if necessary seeking more information or advice) and by assuming that the worst could 5 happen. To take a conservative course of action is not always easy, particularly when there are operational pressures, and this is when an organization’s priorities have to be clear and genuinely accepted. To develop and reinforce this culture, em-ployees should be praised if they stop work or do not approve modifications because there is a reasonable doubt about the safety implications.” /47/, p.7. 10

A reporting culture: “Failures and ‘near misses’ are considered by organizations with good safety cultures as lessons which can be used to avoid more serious events. There is thus a strong drive to ensure that all events which have the potential to be instructive are reported and investigated to discover the root causes, and that timely feedback is given on the findings and remedial actions, both to the work groups in-15 volved and to others in the organization or industry who might experience the same problem. This ‘horizontal’ communication is particularly important. Near misses are also very important because they usually present a greater variety and volume of in-formation for learning. To achieve this, all employees need to be encouraged to report even minor concerns. This raises the important question of ‘blame free’ reporting. If 20 employees are to report near misses, they must believe that these reports are valued and that they and their colleagues will not be penalized or disciplined as a result of coming forward to make them. There will, of course, be situations in which some ac-tion needs to be taken in relation to an individual as a result of an incident. One ex-ample would be a willful act; another, the deliberate contravention of a procedure 25 which is known to be workable, intelligible and correct. Sometimes retraining may be necessary. A more difficult issue arises when a conscientious worker makes re-peated mistakes which cannot be corrected by coaching and retraining. However, in a good reporting culture, it is accepted that it is the failure to report any issue that may adversely affect safety which is unacceptable. A good reporting culture will be 30 regarded by staff as ‘just’ and will be built on an atmosphere of trust. This open and responsive approach to reporting and following up also has implications for regula-tors. For example, they may become aware of a greater number of ‘failures’ reported by the operating organization as such a system is developed and may be tempted to take action as a result. It is vital that a balanced view be taken, however, since over-35 reaction could stifle developments which in the longer term will lead to real and sus-tainable enhancements in safety.” /47/, p.8.

Challenging unsafe acts and conditions: “Nearly all events, ranging from industrial and radiological accidents, incidents and near misses to failures affecting nuclear safety, start with an unintentionally unsafe act or an unacceptable plant condition or 40 process. These have often been latent and have gone undetected or been treated as ‘custom and practice’ and therefore been ignored. Then, in combination with another challenge to the system, a further more significant failure occurs. Minimizing existing latent shortcomings in working practices or plant conditions is therefore vital in avoiding more serious events. Minimizing latent shortcomings requires knowledge 45 on the part of plant employees and contractors about why specific safety systems and requirements are in place, and about the importance of each item of plant in contributing to safety. Not only should they be suitably qualified and experienced for their particular areas of specialization, but they must be encouraged to challenge po-tentially unsafe practices and identify deficiencies wherever and whenever they en-50



Discussion Document

87

counter them. In addition to knowledge about the safety significance of plant, sys-tems and procedures, they must be helped to develop the confidence to challenge others if they observe shortcomings in safety performance. This needs to be done in a constructive way and combined with praise for good safety performance. Regula-tors, also, should be aware of why safety systems and requirements defined by plant 5 management are in place, and why they are important. Regulators must also be par-ticularly careful to ensure regulatory actions taken to correct deficiencies do not im-pede continued improvements in safety culture. For example, employees must still ‘own’ their procedures and the procedures must continue to be seen by employees as being fit for their purpose. Failure to challenge, particularly by managers and su-10 pervisors, not only fails to eliminate the particular shortcoming in performance which has been observed, but also creates a culture in which failures, oversights and shortcuts become the norm. This is well captured by the phrase ‘to tolerate is to vali-date’.” /47/, p.9.

The learning organization: “If an organization stops searching for improvements 15 and new ideas by means of benchmarking and seeking out best practice, there is a danger that it will slip backwards. A learning organization is able to tap into the ideas, energy and concerns of those at all levels in the organization. Enhancements in safety are sustained by ensuring that the benefits obtained from improvements are widely recognized by individuals and teams, and this in turn leads to even greater 20 commitment and identification with the process of improving safety culture. Ideally, all employees are involved in proactively contributing ideas for improvement, and are encouraged to become aware of what world class performance in terms of safety means in their jobs. They contribute not because they are told to do so but because they want to do so. To do this, staff need to be given the opportunity to compare how 25 they do things with how other workers do, so that they are aware of what constitutes excellence in their field of work. To generate a sense of achievement, they need to be enabled themselves to carry out, wherever it is safe and sensible for them to do so, the improvements which they have identified, and to do so with the evident en-couragement and the full backing of management. It is necessary to provide mecha-30 nisms to enable experience and ideas to be transferred within the organization. It is also necessary to have formal systems for monitoring and providing feedback to management so that they know the effectiveness of the improvements that have been carried out and for ensuring that the organization retains ‘corporate memory’ of why and how improvements have been made. Although employees often concen-35 trate initially on industrial safety and issues relating to plant conditions, involvement in and commitment to the improvement process is likely to lead to a wider apprecia-tion of issues of nuclear safety and environmental issues, and to have broader bene-fits for the business in promoting a culture of active involvement and teamwork. Schemes which encourage staff to provide ideas for improvement are valuable. 40 Sometimes they can lead to either a team being rewarded or donations being made to good causes. However, experience shows that such schemes tend to lose mo-mentum and to become less effective with time. More sustainable approaches in-volve encouraging staff to work as teams and continually to seek improvements by identifying prioritized actions to enhance safety in their own work areas.” /47/, p.10. 45

Underpinning issues: communication, clear priorities and organization: “In ad-dition to the specific issues discussed earlier, there are three prerequisites which underpin all of these questions. The first is that of establishing good communication about safety issues. This involves the three elements of communication: transmis-sion, reception and verification. Various methods can be valuable, from oral team 50 briefings to dedicated written safety communications, but there is little doubt that



Discussion Document

88

face to face communication, achieved with high visibility of managers and supervi-sors at the place of work, has the greatest effect. It is sometimes found that, even when managers are able to provide evidence that they have transmitted a message concerning safety, it is the perception of employees that they have not received adequate information or that they do not recognize its significance to them. This 5 means that the form of transmission is inappropriate, that there is insufficient clarity or that the message is not being welcomed by those receiving it. It is thus important to check that messages not only have been sent but also have been received and understood, and are being acted upon. It is also important to ensure that communica-tion with regulatory bodies is carried out using the same principles. The second issue 10 is that of ensuring that a sense of reality is retained about what can be achieved and on what timescales. Many programmes of safety enhancement have faltered be-cause of a failure to deliver agreed objectives. The key prerequisite here seems to be one of prioritization. Providing ‘wish lists’ of improvements, which are not deliv-ered or are only partly implemented because clear priorities have not been agreed, 15 not only fails to deliver real improvement but also encourages cynicism and a feeling of initiative overload, and ultimately results in a loss of momentum in the process of safety enhancement. In discussions with staff and contractors, it is important that re-alistic objectives and timescales are set, and that efforts to achieve these are then properly resourced. Plans for enhancement or improvement need to be prioritized, 20 with feedback to regulatory bodies and employees on why certain activities have been selected for implementation while others have not been given the same prior-ity. One important way of signaling intent and providing a vehicle for change is the deployment of a plan to improve safety. To be effective this must be prioritized, re-flect any changes in priority (i.e. be a living document) and, very importantly, be de-25 veloped and widely shared with the workforce. It is also vital that such a plan should identify measures of success and be clear about timescales and accountabilities. The third underlying issue is that of achieving and maintaining clarity about the or-ganizational structure and accountability for what is to be done. People need to know what their task is in the organization, and how their skills and knowledge are to 30 be used in achieving and maintaining its goals. All team members need to know and respect the inputs expected of the other members, and of those, such as contrac-tors, who are working alongside them. This is particularly important in periods of rapid organizational change.” /47/, p.11ff. 35 40 45 50



Discussion Document

89

10 ANNEX III

10.1 Namur Empfehlung (Namur recommendation) 31 – Most Rele-vant Recommendations

Requirements for safety instrumented systems 5 In particular definitions have to be made for (NE 31):

• Safety objective • Function of the safety instrumented system • Conceptual process design (Principle) • Nature and frequency of the scheduled functional testing 10 • Other organizational measures (for instance scheduled maintenance)

The necessary risk reduction to meet the tolerable risk level and the safety related availability of the safety instrumented system have to be taken into consideration when defining the safety instrumented system. 15 “Basic requirements: The safety instrumented system class A has to be designed and operated in such a way that in case of one covert fault assumed to be probably to occur within the pro-tective equipment the scope of protection is still achieved.” 20 The safety related availability has to be selected in such a way that even in case of a covert fault the risk (R) to be covered is reduced below the risk limit (Rl) down to the remaining risk (Rr). The safety related availability of protective systems depends on

• the failure rate due to covert faults, 25 • average time for detection and eliminating covert faults, • degree of redundancy of the safety instrumented system

Fundamentals: • Proven and reliable equipment and installation techniques have to be selected,

the safety instrumented system has to be simple and clear. The effects of faults 30 (for instance consecutive faults within the safety instrumented system) have to be limited as much as possible by suitable fault suppression barriers

• Harmful influences by environment and by the product such as: Vibration, me-chanical impact or stress, temperature influence, corrosion, contamination, foul-ing, electromagnetic influence have to be taken into account. 35

• The principle of normally closed contacts has to be applied as often as possible and one has to make use of the fail safe properties of the equipment (for in-stance final control elements with fail safe position by means of a spring)

• If safety instrumented systems share equipment with Basic process control sys-tems and monitoring systems the following criteria have to be applied: the pro-40 tective function overrides all other functions, the design of this equipment should be governed by the rules for the design of safety instrumented systems, in ac-cordance with the safety problem the measurement of the safety related proc-ess value, the signal treatment and the actuation of the protective function has to be accurate and fast enough. 45



Discussion Document

90

• The measuring range for the safety related process value has to be selected in such a way that it provides a sufficient resolution. The limit values should be so distant from the end of the range that in case of erroneous measurements within the tolerable limits a reliable resolution can be guarantied.

• The correct adjustment of the limit values has to be protected against involun-5 tary manipulation.

• Any automatic restart after a reaction of the safety instrumented system should normally be blocked.

• All essential components of the safety instrumented system should be accord-ingly tagged in the documentation, in the field, in the switchgear room and in the 10 control room, in order to draw attention to its special service, whenever an inter-vention in the plant is necessary.

Functional testing is required to detect covert faults. The check procedure must con-tain indications of the specified status and reactions of the safety instrumented sys-15 tem as well as a description of the features and functions to be checked. In particular indications of limit values, ranges and other specified characteristics like travel time of valves, delay times for initiating signals or similar features which are essential to fulfil the protection task, belong to this content. The sequence of checks to be per-formed shall be described in a manner easily understandable to the checking per-20 sonnel. The check procedure has to be agreed upon between the plant management and the specialists of the instrument department. The limit values have to be pro-vided to the instrument department the plant management in written form. The frequency of functional testing procedures shall be determined in the general 25 safety review. Due to the difference in availability it may be necessary to check parts of the system more frequently than others. If no comparable experience is available, the check frequency has to be set appropriately high. If a sufficient safety related availability results from the checks, the check frequency can be decreased over the time the plant is operating. As a minimum in analogy to prevailing and pertaining 30 technical rules a check of the total safety instrumented system from sensor to actua-tor has to be performed once a year (Source: AD-Merkblatt A6, TRbF). A check has also to be performed after a longer shut-off of the plant and after any repair of the safety instrumented system. Any measures of inspection, maintenance 35 and repair of safety instrumented systems must be documented (see also § 2 (2) of German legal regulation for incidents in industrial activities). Particularly functional testing must be documented with the following information as a minimum:

• Name of the object which has been checked • Result of check and details of repair if any 40 • Date of the check Signature of the person who carried out the check • Signature of the plant operator



Discussion Document

91

10.2 IEC/EN/DIN 61511 - Required Consideration of Human Factors Contents and requirements of IEC 61511 with respect to

Operator action, consideration of HF and HF-SIS-interfaces IEC 61511 consists of the following parts, under the general title “Functional safety: 5 Safety Instrumented Systems for the process industry sector”: − Part 1: Framework, definitions, system, hardware and software require-

ments − Part 2: Guidelines in the application of IEC 61511-1 − Part 3: Guidance for the determination of the required safety integrity levels 10 IEC 61511-1 1 Scope ...In particular this standard ... 15 w) requires that the design of a safety instrumented function takes into account human factors; x) does not place any direct requirements on the individual operator or mainte-nance person. 20 3.2.72 safety instrumented system (SIS) NOTE 5: When a human action is a part of an SIS, the availability and reliability of the operator action must be specified in the SRS and included in the performance calculations for the SIS. See IEC 61511-2 for guidance on how to include operator availability and reliability in SIL calculations. 25 5.2.2.2 Competence of persons As a minimum, the following items should be addressed when considering the com-petence of persons, departments, organizations or other units involved in safety life-cycle activities: 30 a) engineering knowledge, training and experience appropriate to the process appli-cation; b) engineering knowledge, training and experience appropriate to the applicable technology used (e.g., electrical, electronic or programmable electronic); c) engineering knowledge, training and experience appropriate to the sensors and 35 final elements ; d) safety engineering knowledge (e.g., process safety analysis); e) knowledge of the legal and safety regulatory requirements; f ) adequate management and leadership skills appropriate to their role in safety life-cycle activities; 40 g) understanding of the potential consequence of an event; h) the safety integrity level of the safety instrumented functions; i) the novelty and complexity of the application and the technology. 45



Discussion Document

92

11.3 Requirements for system behaviour on detection of a fault Where the above actions depend on an operator taking specific actions in response to an alarm (e.g., opening or closing a valve), then the alarm shall be considered part of the safety instrumented system (i.e., independent of the BPCS). 5 Where the above actions depend on an operator notifying maintenance to repair a faulty system in response to diagnostic alarm, this diagnostic alarm may be a part of the BPCS but shall be subject to appropriate proof testing and management of change along with the rest of the SIS. 10 NOTE: The specified action (fault reaction) required to achieve or maintain a safe state should be specified in the safety requirements (see 10.3). It may consist, for example, of the safe shut-down of the process, or of that part of the process which relies, for risk reduction, on the faulty subsystem or other specified mitigation plan-ning. 15 11.7.1 Operator interface requirements 11.7.1.1 Where the SIS operator interface is via the BPCS operator interface account shall be taken of credible failures that may occur in the BPCS operator interface. 20 11.7.1.2 The design of the SIS shall minimize the need for operator selection of options and the need to bypass the system while the unit is running. If the design does require the use of operator actions, the design should include facilities to protect against op-25 erator error. NOTE If the operator has to select a particular option, there should be a repeat con-firmation step. 30 11.7.1.3 Bypass switches shall be protected by key locks or passwords to prevent unauthor-ized use. 11.7.1.4 35 The SIS status information that is critical to maintaining the SIL shall be available as part of the operator interface. This information may include: where the process is in its sequence; indication that SIS protective action has occurred; indication that a protective function is bypassed; 40 indication that automatic action(s) such as degradation of voting and/or fault handling has occurred; status of sensors and final control elements; the loss of energy where that energy loss impacts safety; the results of diagnostics; 45 failure of environmental conditioning equipment which is necessary to support the SIS. 50



Discussion Document

93

11.7.1.5 The SIS operator interface design shall be such as to prevent changes to SIS appli-cation software. Where safety information needs to be transmitted from the BPCS to the SIS then systems should be used which can selectively allow writing from the BPCS to specific SIS variables. Equipment or procedures should be applied to con-5 firm the proper selection has been transmitted and received by the SIS and does not compromise the safety functionality of the SIS. NOTE 1 If the options or bypasses are selected in the BPCS and downloaded to the SIS then failures in the BPCS may interfere with the ability of the SIS to function on 10 demand. If this can occur then the BPCS will become safety related. NOTE 2 In batch processes a SIS may be used to select different set points or logic functions depending on the recipe being used. In these cases the operator interface may be used to make the required selection. 15 NOTE 3: Provision of incorrect information from the BPCS to the SIS shall not com-promise safety. 20 IEC 61511-2 8.2.1 Requirements for hazard and risk analysis (guidance to IEC 61511-1 only) When considering the frequency of demands it may be necessary in some complex cases to undertake a fault tree analysis. This is often necessary where severe con-25 sequences only result from simultaneous failure of more than one event (e.g., where relief headers are not designed for worst case relief from all sources). Judgement will need to be made on when operator errors are to be included in the list of events that can cause the hazard and the frequency to be used for such events. Operator error as a demand can often be excluded if the action is subject to permit procedures 30 or lock-off facilities are provided to prevent inadvertent action. Care is also needed where credit is taken for reduction in demand frequency due to operator action. The credit that can be taken will need to be limited by human factors issues such as how quickly action needs to be taken and the complexity of the tasks involved. Where an operator, as a result of an alarm, takes action and the risk reduction claimed is 35 greater than a factor of 10 then the overall system will need to be designed according to IEC 61511-1. The system that undertakes the safety function would then comprise the sensor detecting the hazardous condition, the alarm presentation, the human re-sponse and the equipment used by the operator to terminate any hazard. It should be noted that a risk reduction of up to a factor of 10 might be claimed without the 40 need to comply with IEC 61511. Where such claims are made the human factors issues will need to be carefully considered. Any claims for risk reduction from an alarm should be supported by documented description of the necessary response for the alarm and that there is sufficient time for the operator to take the corrective action and assurance that the operator will be trained to take the preventive actions. 45



Discussion Document

94

11.2.6 Responsibility and influence of operators The operators, maintenance staff, supervisors and managers all have roles in safe plant operation. However, humans can make errors or be unable to perform a task, just as instruments and equipment are subject to malfunction or failure. 5 Human performance is therefore a system design element. The human machine in-terface (HMI) is particularly important in communicating the status of the SIS to oper-ating and maintenance personnel. Human Reliability Analysis (HRA) identifies conditions that cause people to err and 10 provides estimates of error rates based on past statistics and behavioural studies. Some examples of human error contributing to chemical process safety risk include: Undetected errors in design; Errors in operations (e.g., wrong set point); Improper maintenance (e.g., replacing a valve with one having the incorrect 15

failure action); Errors in calibrating, testing or interpreting output from control systems; Failure to respond properly to an emergency. 11.7.1 Operator interface requirements (guidance to IEC 61511-1 only) 20 The operator interfaces used to communicate information between the operator and the SIS may include:

• Video displays; • Panels containing lamps, push buttons, and switches; • Annunciator (visual and audible); 25 • Printers (should not be the sole method of communication); • Any combination of these.

a) Video displays BPCS video displays may share SIS and BPCS functions provided the displayed data is for information only. Safety critical information is additionally displayed via the 30 SIS (e.g., if the operator is part of the safety function). When operator action is needed during emergency conditions, the update and re-fresh rates of the operator display should be carried out in accordance with the safety requirements specification. Video displays relating to the SIS should be clearly identified as such, avoiding ambi-35 guity or potential for operator confusion in an emergency situation. The BPCS operator interface may be used to provide automatic event logging of sa-fety instrumented functions and BPCS alarming functions. Conditions to be logged might include the following: SIS events (such as trip and pre-trip occurrences); 40 Whenever the SIS is accessed for program changes; Diagnostics (e.g. discrepancies, etc.). It is important that the operator be alerted to the bypass of any portion of the SIS via an alarm and / or operating procedure. For example, bypassing the final element in a SIS (e.g., shutoff valve) could be detected via limit switches on the bypass valve that 45



Discussion Document

95

turn on an alarm on the panel board or by installing seals or mechanical locks on the bypass valve that are managed via operating procedures. It is generally suggested to keep these bypass alarms separate from the BPCS. b) Panels 5 Panels should be located to give operators easy access. Panels should be arranged to ensure that the layout of the push buttons, lamps, gau-ges, and other information is not confusing to the operator. Shutdown switches for different process units or equipment, which look the same and are grouped together, may result in the wrong equipment being shut down by an operator under stress in 10 an emergency situation. The shutdown switches should be physically separated and their function labelled. Means should be provided to test all lamps. c) Printers and Logging Printers connected to the SIS should not compromise the safety instrumented functi-15 on if the printer fails, is turned off, is disconnected, runs out of paper or behaves ab-normally. Printers are useful to document first up, Sequence of Events (SOE) information, di-agnostics, and other events and alarms, with time and date stamping and identificati-20 on by tag number. Report formatting utilities should be provided. If printing is a buffered function (information is stored, then printed on demand or on a timed schedule), then the buffer should be sized so that information is not lost, and under no circumstances should SIS functionality be compromised due to filled buffer 25 memory space. The operator should be given enough information on one display to rapidly convey critical information. Display consistency is important and the methods, alarm conven-tions and display components used should be consistent with the BPCS displays. 30 Display layout is also important. Layouts with a large amount of information on one display should be avoided since they may lead to operators misreading data and ta-king wrong actions. Colours, flashing indicators, and judicious data spacing should be used to guide the operator to important information so as to reduce the possibility 35 of confusion. Messages should be clear, concise and unambiguous. The display should be designed such that data can be recognized by operators who may be colour blind. For example, conditions shown by red or green colours could also be shown by filled or unfilled graphics. 40



96

Abstracts – Full Papers

Session I: Types of Human Error, Definition of related Terms Chair: Dr. Jochen UTH (Federal Environment Agency (UBA), Germany) Rapporteur: Jean-Paul LACOURSIERE (University of Sherbrooke, Canada)

I.1 Terms in the Context of Human Factors - Proposed Definitions Dr. Babette FAHLBRUCH TÜV NORD Systec GmbH & Co KG, Germany

See Discussion Document Thematic session 1: Types of Human Error, Definition of Related Terms



97

I.2 Accidents: From Human Factors to Organisational Factors Jean-Christophe LE COZE NERIS Institut National de l’environnement industriel et des risques, Parc Alata, 60550 Verneuil en Halatte, France; [email protected]

Abstract: Major accidents have been studied for several decades. From Bhopal (1984) to Chernobyl (1986) through Challenger (1986) and more recently Paddington (1999), Columbia (2003) and Texas City (2005), the scope has slowly gone wider throughout the years. Traditionally, accidents were understood as technical problems were failures of safety engineering devices were the main causes. This way of understanding accident has evolved towards human factors when it has been acknowledged that people, in a general sense, played a role in accidents genesis. In the 80/90’s, the human contribution was focused on the cognitive dimension of “errors”, looking for ways of improving human interface design through a better modelling of psycho-cognitive activities. In aeronautics and nuclear industry, models have been proposed, based on various researches through an active community of researchers in the field. In parallel, a complementary body of knowledge have accumulated in the 80/90/2000’s on the organisational dimension of accidents. Starting in the 80’s, the field of organisational factors have been based on major inputs such as Normal Accident theory (Perrow, 1984) and High Reliable Organisations theory (Rochlin, 1987) throughout the 90’s (Sagan, 1993). Some have identified this shift as a shift towards the purpose of “managing the risk of organisational accidents” (Reason, 1997). These approaches were based on various case studies in various industries such as nuclear, aeronautics or military organisations. The debates and modelling in these fields have recently shifted, in the last 10 years, from a more structural way of modelling organisations to a more dynamic and systemic perspective, including historical and cross level perspectives. Investigations following major accidents and theorising from social scientists (Vaughan, 1996, Snook, 2000) have helped shaping the current understanding on major accidents through the organisational dimension. This paper provides an example of an accident investigation stressing the organisational nature of the accident. It helps explaining the way in which the human factors view can be complemented by an organisational factors view. The case introduces some main themes found in the organisational perspective: the use and impact of power, the impact of cultural influences, the decision making process, the learning from experience process, the drifts of safety barriers under production pressure, the social redundancy issue as well as the safety indicators problems. These themes are some of the important themes of the organisational side of accidents.

mailto:[email protected]



98

I.3 Human Factors Data Traceability and Analysis in MARS Daniele BARANZINI EC, Joint Research Center, Major Accidents Hazards Bureau

Abstract: The European Community’s Major Accident Reporting System (MARS) is the main EC instrument to major hazard accident data collection, analysis and dissemination according to Seveso and Seveso II directives. To date, the MARS database counts 602 Seveso-type major events as reported across European Member States.

Despite the expected missing data condition common to most event reporting systems, past research on MARS data analysis highlighted human and organisational failures as relevant contributory factors, if not direct causes of events (Sales, et al., 2007; Mushtaq, et al., 2003). This seems to mirror also a deep rising trend in organisational failures rates industry-wide against technical or single human failure contribution (Hollnagel, 2004). Notably, human factors models contain human and organisational failures as common terms of reference.

Following on from this, two critical questions can then be defined: what is the present MARS capability to identify, organise and analyse human factors data? What human factors models and taxonomy is used and how could this be improved in terms of traceability?

This paper will report on the status of the present human factors related taxonomy adopted in MARS, the lessons learned and the new potential capability requirements for enhanced human factors traceability and analysis.

The ultimate goal is to increase sensitivity and precision to the identification and correlation of human factors to event occurrences. References Hollnagel, E. (2004). Barrier analysis and accident prevention. Aldershot, UK: Ashgate Mushtaq F., Christou, M.D. and Duffield, J.S. (2003). The European Community’s Major Accident Reporting System (MARS): Lessons Learnt Relating to Risk Management. IBC’s 5th Annual Conference on Safety Case Experience, April - May 2003, London, UK. Sales, J, Mushtaq, F., Christou, M.D. and Nomen, R. (2007). Study of major accidents involving chemical reactive substances: analysis and lessons learned. Trans ICheme, Part B, Process Safety and Environmental Protection, 85(B3): 1-8



99

I.4 Review of Two Incident Databases from the Canadian Chemical Industry and Discussion of Human Factors Related Terms/ Parameters, Incident Data and Opportunities

Manuel MARTA NOVA Chemicals Corporation, P.O. Box 3060, Sarnia, Ontario, Canada N7T 8C1; [email protected]

Abstract: Incident information in the context of human factors is presented from two sources: the Canadian Chemical Producers’ Association (CCPA) Process Related Incident Measure (PRIM) program and a chemical company’s “loss of process containment” incident database. Various human factors-related parameters/ terms used in these databases, as well as associated contributions, are described/discussed. The incident information is used to rank opportunities for improvement in key lifecycle steps. In addition, three important general areas are identified as opportunities for improvement, clarified with supporting details. A key opportunity that is emphasized is to clearly differentiate human factor causes and remedies for those related to an individual’s failure or limitation from management system failures. Introduction The term human factors can mean different things to different people. Opportunities exist to clarify terminology and intent as well as understand the difference between individual related failures and management system failures, and their relative contributions to incidents, in order to ensure that the proper and accurate correction is applied on the right priority. In order to clarify these issues, this paper looks at two incident databases from the Canadian chemical industry. One database is the Canadian Chemical Producers’ Association (CCPA) Process Related Incident Measure (PRIM) and the second one is a chemical company’s “loss of process containment” incident database. Process Related Incident Measure For the category of human factors, the eight-year average contribution to the total number of incidents is around 10% making it the fourth leading cause of incidents. This category consists of three sub-categories in the following order of contribution: operator- process/ equipment interface (54%), human error assessment (36%) and administrative controls versus hardware (10%).

In the PRIM database, these terms are defined as provided below.

Operator- Process/ Equipment Interface involves inadequate design of equipment that increases the potential for human error. Examples include confusing equipment, positioning of dials, color-coding, different directions for on/off, etc. Another example is use of computerized control systems that confront operators with unmanageable amounts of information during an upset condition. This is also referred to as alarm management.

The types of interfaces that require consideration include alarm display, information display and ergonomic arrangements. A method to analyse the potential for interface problems is to do a job task analysis, which is a step-by-step approach to examine how a job will be done, that can be used to determine what can go wrong during the task and how these potential problem areas can be controlled.




100

The second sub-category involves use of administrative and engineered controls. Administrative controls consist of procedures while engineered or hardware control measures typically involve adding protection equipment. The balance in selecting between these two approaches depends on the company culture and economics. Success in use of administrative measures requires that procedures be well understood and kept current while protection systems can only be effective if they are tested regularly and maintained.

It is important to note, however, that the decision on the balance between use of administrative control measures and engineered systems should be done by conscious choice and not by default.

The last sub-category deals with human error assessment. Humans err due to failures of understanding, judgment and motivation. Actions vary depending upon the individual or situation.

Effective implementation of process safety management will ensure human error assessments are done in advance to understand potential for human error and to devise systems to prevent occurrence or mitigate effects. This assessment should be applied proactively to the lifecycle which includes design, construction, maintenance and operation. A Chemical Company’s Loss of Process Containment Incident Database The data used from this database represents 3-year averages. This data is used to highlight the usefulness of sorting incident causes into two failure situations: (1) those attributed primarily to individual failures and (2) those attributed primarily to management system failures. This is done to emphasize that the remedies required for these two situations should be tailored appropriately and carefully for each to ensure effectiveness. Moreover, this incident database provides another example of use of terms related to human factors.

In reviewing the incident information, the author utilized judgment to allow clear sorting into the two the types of basic failure situations. It is recognized that this sorting may be different depending on the analyst’s perspective.

Type 1 or primarily individual related failures involves an individual’s action(s) or lack of action(s) contributing to the incident. Type 2 or primarily management system failures involve inadequate or non-existent systems causing one or more individual’s actions or lack of actions to contribute to the incident.

The correction opportunities for type 1 failures is to identify measures to help individual avoid errors of commission or omission while for type 2 failures it is to identify process safety management system implementation deficiencies.

At a high level, the general causes split between these two types of failure situations is somewhat close at 51% for primarily individual related (PIR) failures and 46% for primarily management system (MS) related failures.

The breakdown, in order, of the general causes is as follows: 1. Tools and equipment – MS and other (44.7% of general causes) 2. Procedures/ practices – PIR (27.7%) 3. Design – PIR (13.8%) 4. Knowledge/ Skill – PIR (5.5%) 5. Judgment – PIR (3.2%)



101

6. Communication – MS (2.4%) 7. Planning – PIR (2.3%) 8. Capabilities – PIR (0.4%)

We can see that the top two PIR failures involve procedures/ practices and design accounting for 41.5% of the general causes.

A breakdown of Tools and Equipment shows that the majority contribution is random equipment failure (i.e., defective equipment).

For the general cause procedures/ practices we find the top two specific causes involve PIR failures:

1. Inadequate – 34.9 % of procedure/ practice causes 2. Not followed – 34.2%

Looking in detail at the general cause design, the top three specific causes are PIR failures:

1. Inadequate design specification - (35.1% of design causes) 2. Inadequate hazard assessment – (32.4%) 3. Inadequate assessment of operational capability (25.8%)

The remaining general causes have minor contributions to incidents. Only significant specific contributors are shown below.

Planning (PIR)

1. Inadequate assessment of needs/risks (PIR) – 40% of planning incidents 2. Inadequate work planning (PIR) – 35.6%

Communication (MS)

1. Unclear responsibilities & accountabilities (MS) – 63.9% of communication incidents 2. Inadequate direction/ communication (PIR) – 27.8%

Knowledge/ Skill (PIR)

1. Failure to recognize hazard (PIR) – 69.4% of knowledge/ skill incidents 2. Inadequate assessment of needs and risks (PIR) – 27.8%

Judgment (PIR) The predominant specific contributor is failure to address recognized hazard (PIR) with 86.7% of the judgment incidents. General Recommendations Incident causes related to human factors should be sorted between management system failures and individual failures; the latter could be considered true human factors.

Corrective measures should address these failure situations separately and differently to ensure effectiveness. The following table illustrates areas of opportunities for the lifecycle.



102

A

Knowledge/ Skill

B Procedure/ Practice/ Training

C Human – System

Interfacing (Application)

Lifecycle Ranking – extent of

opportunity

Transfer of Knowledge/ Expectations

Information Development & Application

Doing Design

2 (moderate)

Operating 1 (large)

Doing Maintenance

3 (insignificant)

Improvement Opportunities General It should be recognized that there are two types of human factor considerations: (1) individual behaviour and interaction which requires identification of measures to help individuals avoid errors of commission or omission and (2) management system issues which requires effective implementation of process safety management. Knowledge/Skill This factor requires training to help identify potential for human error or human inabilities in order to conduct proper human error assessments.

Transfer of knowledge or expectations requires doing proper communication to those who need the knowledge. Procedure/ Practice/ Training Procedures should be properly written to ensure adequacy. To achieve this they must be accurate, complete and consistent in approach and format. In order to prepare procedures, people first require knowledge. Approved or accepted practices should really be captured in procedures. Management support or intervention is required to deal with inadequate motivation resulting in procedures not being done or followed. Other motivation issues requiring management intervention include substance abuse and criminal intent. Priority conflicts can also result in improper application of procedures and management has a responsibility to provide appropriate management personnel to manage priority conflicts properly.



103

Human – System Interfacing Human – system interfacing involves the application of previously identified requirements and expectations; i.e., knowledge captured in procedures. When assessing human – system interface the following questions must be considered:

• Is the expected task(s) physically possible? Ergonomic or task analysis can be used to assess this issue. Other programs that can be implemented to ensure tasks are physically possible include fatigue monitoring and medical surveillance.

• Is the expected task(s) mentally possible? Alarm management program can help with excessive alarm situations. There should also be a program to help assess judgment demands and management support systems to help resolve priority conflicts.

acing Human – system interfacing involves the application of previously identified requirements and expectations; i.e., knowledge captured in procedures. When assessing human – system interface the following questions must be considered:

• Is the expected task(s) physically possible? Ergonomic or task analysis can be used to assess this issue. Other programs that can be implemented to ensure tasks are physically possible include fatigue monitoring and medical surveillance.

• Is the expected task(s) mentally possible? Alarm management program can help with excessive alarm situations. There should also be a program to help assess judgment demands and management support systems to help resolve priority conflicts.



104

I.5 The Use of STORYBUILDER as an Incident Analysis Tool Joy OH Ministry of Social Affairs and Employment, The Netherlands; [email protected]

Abstract: As part of the program “Improving Occupational Safety In the Netherlands”, the narratives of 9000 Dutch occupational incidents over the period 1998-2004 were analysed with respect to the underlying causes of these incidents. For this a tool was developed called STORYBUILDER, enabling the systematic analysis of accidents as a sequence of events. The incidents were classified according to the hazard e.g. loss of containment, explosion, hit by moving objects, falling from heights etc. Basis of the analysis is an incident model which has been developed within an European project called IRISK. In this project emphasis was put on organisational and human incident factors. In the presentation the results of the analysis of selected hazards will be discussed in relation to four underlying human factor incident factors: provide, use, maintain and monitor.




105

Session II: Assessment of Safety Cultures Chair: Prof. Dr. Michael BARAM (Boston University Law School, USA) Rapporteur: Daniele BARANZINI/ Maureen WOOD (EC, Joint Research Center, Major

Accidents Hazards Bureau)

II.1 Challenges and Opportunities of Assessing Safety Culture B. Wilperta and M. Schöbela

a Institute of Psychology and Ergonomics, Berlin University of Technology, Marchstr. 12, F 7, 10586 Berlin, Germany; [email protected]

Abstract: The contribution starts out with a review of the intrinsic complexities and recent theoretical developments of the concept of safety culture. Although the concept is by now generally accepted as a critical safety relevant element in virtually all high hazard industries, it still needs further conceptual clarity and operational usability. The review leads to a refined conceptual model of safety culture which takes into account recent international theorizing in terms of the dynamic open systems and holistic characteristics of the notion. The contribution goes on to address the central needs and goals of validly assessing safety cultures. The benefits of practicable assessment approaches are seen in the potentials that their results lend themselves to detect naturally occurring drifts towards incident and accident borders, to identify potentials and points of departure to positively influence safety culture by drawing attention of the whole organization to safety issues. A further goal of the contribution is to respond to actual practitioner needs as frequently expressed by staff in high hazard facilities as well as by staff from international organizations such as OECD, ACC, IAEA. These expressed needs particularly call for the development of adequate assessment techniques and methodologies. The contribution goes on to address the main theoretical target points to be tackled by novel methodological approaches for the assessment and evaluation of safety culture: artefacts, norms, values and basic beliefs, crucial personnel categories such as the hitherto largely neglected category of middle management and the opportunities for self-assessment approaches. It concludes with a brief description of current FSS-research to develop a multiple methodological approach for the assessment of safety culture which seems to the only adequate response to the complex and multi-level character of safety culture. 1. Problems of dealing with the safety culture concept In discussing safety culture we are dealing with a relatively novel concept. Being little more than 15 years old, the term rescued the International Safety Advisory Group of the International Atomic Energy Agency from the puzzlement of explaining the Chernobyl catastrophe of 1986 (INSAG, 1991). Fifteen years in the life of a social scientific concept is a short period. It therefore should not come as a surprise that the term still lacks theoretical maturity and practical solidity.

In spite of its novelty the notion of safety culture turned out to develop into a remarkable shooting star. Today, in 2007, literally all high hazard industries have adopted safety culture as their banner under which to assemble efforts to promote safety in their installations and operations – nuclear industry, chemical and petrochemical process industry, civil aviation, space programs, medical operations, genetic engineering, railway systems.




106

Whence this pragmatic ubiquitous adoption of a still in many ways rather fuzzy concept of culture by industries which traditionally pride themselves to be marked by level headed engineering scientists? Culture seems to have become what might be called an omnibus term. Little is known why the notion has so quickly gained international omnipresence and currency. One reason may be that “culture” has an intuitive explanatory appeal in many contexts. As examples may be mentioned: corporate culture, investment culture, discourse culture, leisure culture, burial culture. Everyone can associate something with it, unfortunately probably everyone something else.

Another reason may be that given the present dramatic economic and value changes in many industrialized countries “culture” serves as a genuine panacea for emerging problems. Emery & Trist (1965) have pointed out that at times of drastic social turbulence people tend to return to received proven values. And “culture” seems to transport meanings of wholeness, identity, cohesion, commitment and effectiveness (Dülfer, 1988; Meek, 1988).

However, there seems to be also a wide-spread general unawareness of theoretical roots and complexities of the concept of culture. Originally the historical roots of the notion of culture in social science go back to Anglo-Saxon traditions of social and cultural anthropology. Two intellectual camps, which are still somewhat in conflict with each other, each harbouring claims of orthodoxy. One camp considers culture as “pattern of behaviour”, the other as “pattern for behaviour” (Keesing, 1974). The first might be called “concretist camp” (Wilpert, 2001) in referring to all observable features of a populace, such as their general behaviour, their cultural products, including their architecture, technology, and social institutions. The second camp considers as culture mainly the socially transmitted psychic preconditions of activities and cultural production of a collective such as the knowledge and fundamental convictions which serve as basis for the members of a community to order its perceptions and experiences, to make decisions and to act. They are not accessible to direct observation (Büttner, Fahlbruch & Wilpert, 1999). Culture thus constitutes a system of meanings for its members. We might call it the “mentalistic-cognitive” camp. The distinction is not only of theoretical interest, but has also crucial pragmatic consequences: To influence culture in a concretist perspective will demand changing social institutions and behaviour. Influencing culture in a mentalistic-cognitive perspective would demand the change of fundamental psychic preconditions.

The relative novelty of the concept with its concomitant dearth of theoretical clarity, further fostered by the apparent intuitive explanatory value for many social phenomena, and the unawareness of theoretical roots and complexities of the concept all constitute difficulties in dealing adequately with the notion of culture. And this, as we shall see, is also a troublesome legacy for dealing with the concept of safety culture. 2. Practitioner demands It is therefore not surprising that certain practitioner demands are voiced with increasing urgency to make “safety culture” more amenable to the real life problems of analysing and promoting industrial safety. In order to give just a few examples:

The International Atomic Energy Agency (IAEA) of the United Nations claims “no composite measure of safety culture exists. The multifaceted nature of culture makes it unlikely that such a measure will ever be found…we may have to abandon the search for a single composite measure and concentrate on identifying the range of indicators that reflect the individual sub-components of safety culture” (IAEA, 1998, pp. 29). This position is again taken up by IAEA



107

(1999) when it is pointed out that “no indicator has been developed that provides a measure of nuclear safety. A range of indicators needs to be considered in order to provide a general sense of the overall performance” (IAEA, 1999, pp. 21). On the other hand, a certain degree of scepticism is expressed a few years later: “Various indicators have been developed which allow some assessment to be made of the quality of particular aspects of safety culture in any organisation. These are difficult to measure reliably and should not be given undue weight” (IAEA, 2002, pp.10).

The OECD/CCA Workshop on Human Factors in Chemical Accidents and Incidents” (Potsdam, German, 08. – 09. May 2007) published a call for papers in which the assessment of safety culture was mentioned as a central workshop concern. It called for contributions on “Methodologies and instruments which allow to assess safety culture as well as to improve them; requirements related to the dimensions/key elements to be assessed as well as structures and/or groups to be included, e. g. requirements related to the organisational structures and safety management used”.

The intimate and intricate relationship between safety management system and safety culture has been a critical topic in the deliberations of the German Nuclear Rector Safety Commission when it tried to formulate new general rules and regulations for the conduct of nuclear operations (2006-2007). The World Association of Nuclear Operators (WANO, 2002) advocates the need for self-assessment activities by way of a multi-dimensional self-assessment programme in order to promote excellence in human performance.

The recent Independent Safety Review Panel report of the BP U.S. refineries (BP Review Panel, 2007) illustrates convincingly the specific practitioner needs of the chemical industry for novel methodological developments. The 257 page plus eight appendices long report is immensely impressive in its staggering rigour and comprehensiveness. The panel was directed “to make a thorough, independent, and credible assessment of BP’s corporate oversight of safety management systems at its five U.S. refineries and its corporate safety culture “(pp. viii). In the course of its investigations the panel saw the need also to conduct an empirical study of the perceived safety culture of BP employees but was unable to locate an appropriate assessment method. Hence it had to develop ad hoc its own methodology. The general conclusion which may be drawn from these statements of representative bodies in high hazard industries is that irrespective of the solid and unquestioning reliance on the programmatic notion of safety culture, crucial developments are clearly demanded: further theoretical underpinnings and development of assessment techniques of the concept. 3. Theoretical reflection The concept of safety culture offers a promising way for organizations to improve their safety performance. It is assumed that its impact extends to all parts of an organization. Continuous improvements of the organization will be more effective than increased supervision or more rigorous procedures, because the safety management systems will function better in organizations which have a highly developed culture of safety (Reason, 1997, 1998; Hopkins, 2002; Parker, Lawrie & Hudson, 2006). As pointed out before, the first definition of safety culture in the context of IAEA appeared when its INSAG agreed to the following definition in a small brochure (INSAG, 1991, pp. 1):

„Safety culture is that assembly of characteristics and attitudes in organization and individuals that, as an overriding priority, nuclear plant safety issues receive the attention warranted by their significance“



108

The definition speaks of characteristics and attitudes in organizations and individuals. While “characteristics” remains rather vague, the reference to attitudes places the definition in what we called the mentalistic-cognitive domain. Shortly after the publication of INSAG – 4 criticism of this definition was formulated on grounds that it leaves out the crucial ingredient: safety related behaviour (Wilpert, 1991). The „working definition“ of the British Advisory Committee on the Safety of Nuclear Installations (ACSNI, 1993) was already more precise and comprised elements which refer to the deeper defining dimensions of organization culture:

„The safety culture of an organization is the product of individual and group values, attitudes, perceptions, competencies, and patterns of behaviour that determine the commitment to, and the style and proficiency of, an organization’s health and safety management“

(ACSNI, 1993:23).

Meanwhile IAEA has also widened its definitional understanding in discussing safety culture:

“Safety Culture is also an amalgamation of values, standards, morals and norms of acceptable behaviour. Therefore, safety culture has to be inherent in the thoughts and actions of all the individuals at every level in an organization” (IAEA, 1998, pp. 3).

In a next step it seems necessary to clarify the relationships of the concept of safety climate to safety culture. Safety climate is defined as "a summary of molar perceptions that employees share about their work environment” (Zohar, 1980, p.96) and its emergence in safety literature is mainly based on questionnaire research. In a rather comprehensive review of theory and research on safety culture and safety climate Guldenmund concludes that safety climate “has come to mean more and more the overt manifestation of culture within an organisation”. Therefore, climate follows naturally from culture or, put another way, organisational culture being the causal basis of organisational climate denoting mainly “the aggregated attitudes of its members” (Guldenmund, 2000, pp. 221-222). Organisational culture may then be considered a socially shared, holistic and faceted (multi-dimensional) concept, providing a collective frame of reference for action. This assumption finds support by the work of Edgar Schein (1992), who differentiates the concept as being constituted by three different layers (see figure 1).

Artifacts and human behavior

Espoused values, norms and attitudes

Basic underlying beliefs

Figure 1: Model of organisational culture according to Schein (1992)



109

Schein’s organisational culture model provides a framework for the analysis of cultural influences on human behaviour. Moreover, it suggests that organizational culture can be understood as a set of basic underlying beliefs derived from the learning experience of its members. In the context of safety these psychological mechanisms are assumed to determine shared beliefs and collective practices in relation to risk and risk control systems (Hale, 2000). Unfortunately, received research on safety culture so far pragmatically addressed mainly the first two layers of Schein’s model. This is easily explained: phenomena of the upper most layer can be directly observed and registered. The attitudes and espoused values of the second level are reachable by questionnaire studies. However, the culture constituting core values and unconscious basic assumptions and dogmas of the base level are difficult to reach and require novel methodological approaches. 4. Methodological challenges and potential analytic response If organizations want to improve their safety performance, they should have an idea about the existing strengths and weaknesses of their safety culture. Therefore, a valid and reliable assessment of an organization’s own safety culture is crucial. As mentioned above, the majority of existing assessment tools struggles in its attempt to cope with the complexities of cultural theory. Therefore, we want to highlight three methodological challenges which assessments of safety culture have to address.

First, the assessment of safety culture has to go beyond the analysis of artefacts and espoused values. Culture is constituted by shared basic assumptions that influence beliefs and behaviour. In order to understand why organization members act in distinctive ways, one has to gain access to these deeper manifestations of organizational culture. As a consequence, assessing artefacts, espoused values and attitudes of organizational members by means of questionnaires and check-lists is not sufficient and will dwell on the surface of culture. This is why organization studies have begun to differentiate between core-values or central values and espoused values (Argyris & Schön, 1974). The latter ones are mainly written down in enterprise policies or articulated in managerial ideologies and can relatively easily be articulated by organisation members. However, it is not clear to what degree espoused values reflect and correspond to core values of organisation members and guide their action. Core values relate to self-definitions and definitions of professional identity of organisation members. With their sense making and motivational effects they are comparable to basic assumptions in Schein’s model of organisational culture (Weick, 1995). They influences how organizational members explain or experience situations, how they feel about and describe it. The action inducing character of values has been stated early on by Lewin (1952: 41):

„Values influence behaviour but have not the character of a goal (i.e., of a force field). For example, the individual does not try to “reach” the value of fairness, but fairness is “guiding” his behaviour… In other words, values are not force fields, but they “induce” force fields”.

Verplanken & Holland (2002) have demonstrated in experimental studies that core values impact on issues such as the interpretation of situations, the search for value relevant information, the weighting of information obtained and the initiation of activities which are congruent with the core values. Accordingly, recent organizational studies increasingly focus on the assessment of core-values as key variable of organizational culture (e.g. Van Rekom, J., van Riel, C.B.M. & Wierenga, B., 2006; Reiman, T. & Oedewald, P., 2004).

In sum, we propose that the assessment of safety culture needs to integrate methods which cover characteristics of all three layers of culture. More specific, it is necessary to comprise the taken-for-granted beliefs of organization members. This offers openings for deeper



110

investigations, e.g. to analyze the sources of identified contradictions between artefacts and espoused values or to get a more comprehensive view on organizational phenomena like resistance to change or non-compliance to safety rules.

The second methodological challenge we want to address results from the notion that safety culture is a characteristic of groups and not of individuals. This implies that the assessment of safety culture has to focus on shared characteristics of a group or organization. Whereas most theoretical work on safety culture supports this claim, practitioners sometimes tend to see culture as a matter of individual attitudes or mindsets. In discussing Esso`s 24 hour safety program, where safety is promoted as a 24 hour job (similar to the DuPont approach), Hopkins (2002) comes to the conclusion that “culture as a mindset tends to ignore the latent conditions which underlie every workplace accident, highlighting instead workers’ attitudes as the cause of accidents.” (p.3-4). With respect to the assessment of safety culture, the aggregation of obtained results on a group level is crucial, even when the primary source of information is the individual. However, one has to take into account that organizational culture is only one of a variety of determinants of affecting safety performance. Other cultural groupings can be more dominant, i.e. based on gender, ethnicity, or professional background of organizational members. Against this background, it becomes clear that safety culture research faces the problem of defining and analysing groups within an organization. For instance, one has to decide whether to start from communalities of different groups or from different groups and to seek to identify their communality.

As a consequence, it is suggested to use qualitative and quantitative methods in a complementary way in order to assess safety culture. This provides the opportunity to aggregate obtained data on different levels (group or organizational levels), to check findings against each other, to develop and test hypotheses and therefore to differentiate between potential subcultures in an organization. It seems that even ethnological approaches of field observation are required to penetrate some of the more idiosyncratic features of a given safety culture. This need for multiple methodological approach should even include experimental designs to test specific aspects.

A third methodological challenge stems from the notion that safety culture is a dynamic concept. As mentioned earlier, culture is a result from the learning experience of its members. Organisational culture research has identified management as one of the main drivers of these culture specific learning processes (e.g. Schein, 1992). Therefore, management or leadership behaviour should be one crucial target of assessing safety culture. However, safety research fails to conceptualize leadership in the past (e.g. Guldenmund (2004) with respect to the conceptualization of leadership in safety questionnaires) or solely focus on top-management commitment to safety. .However, in our view, middle management seems to be the critical driver or crucial hinge to mediate safety culture between top management decision-making and working practices on the shop-floor-level. Moreover, theories about the dynamics of culture lead to the conclusion that due to specific organizational learning experience organizational cultures are unique. From this it follows that the assessment process has to be grounded in specific contents of the organisation under study in order to cope with the idiosyncratic qualities of the concept. Therefore, it is necessary to tailor the assessment process to the specifics of the “assessed” domain and organization. Accordingly, it must be stated that culture is not a quantifiable phenomenon which lends itself easily to benchmarking.



111

5. Intended FSS research In concluding this paper, we want to briefly outline a research project which will be carried out at the FSS. The goal of the project is to develop an assessment methodology of safety culture assessment in nuclear industries. As argued in this paper, the assessment of safety culture needs to address three main methodological challenges: (1) to assess all of the three layers of organizational culture according to Schein’s model of orqanizational culture (1992), (2) to focus on shared characteristics of organizational members and (3) to target the uniqueness of the organization under study. Given these multiple methodological challenges and the fact that one unique assessment approach seems not feasible, the research project is aimed at developing a multi-method approach in the form of a tool box consisting of qualitative and quantitative methods building upon each other. The assessment process starts at the two upper levels (the level of artefacts and level of espoused values), contrasting characteristics of safety management systems with the espoused values of organizational members. This enables the assessors to identify contradictions between characteristics on the level of artefacts and the level of espoused values. Thus, the identified differences guide the application of additional assessment techniques in order to assess deeper levels of safety culture (e.g. prevailing core values or implicit norms). The research process integrates analytic methodologies already developed or used by FSS, such as the Group Feedback Analysis (Heller, 1969), the screening technique (Wilpert et al., 2003) and the scenario technique on implicit norms (Wilpert, Ignatov & Schöbel, 2002).

The described research project on the development of a multiple analytic methodology will be conducted in close cooperation with nuclear reference plants, as it has been the research tradition of FSS throughout its history. This implies written cooperation agreements between FSS and the respective nuclear plants and the nomination of project liaison personnel in the nuclear power plants, and the joint conduct of the different research steps. Thus it is guaranteed that the project is carried out as a genuine interdisciplinary venture. In line with this research philosophy, the project should provide a methodology for the self-assessment of safety culture. Because the assessment methods strive to scrutinize the deeper layers of safety culture, it is a basic prerequisite that the cooperation between researchers and plant personnel is characterised by high levels of trust. Therefore, the inclusion of plant personnel as (self-) assessors seem to be the only way to handle such sensitive matters like the elicitation of core-values or unwritten rules in work teams. Moreover, the close cooperation with nuclear power plant personnel opens up immediate learning opportunities which lend themselves to the initiative of intervention measures to positively influence the furthering of a sustained safety culture. References ACSNI – Advisory Committee on the Safety of Nuclear Installations (1993). Third report: Organizing for safety. London: Her Majesty’s Stationary Office Argyris, C. & Schön, D.A. (1974). Theory in practice, Increasing professional Effectiveness. San Francisco, CA: Jossey-Bass. BP Review Panel (2007). The Report of the BP U.S. Refinieries Independent Review Panel. Büttner, T. Fahlbruch, B. & Wilpert, B. (1999). Sicherheitskultur. Konzepte und Analysemethoden. Heidelberg: Asanger Dülfer, E. (1988). Organisationskultur: Phänomen – Philosophie – Technologie. Eine Einführung in die Diskussion. In E. Dülfer (Hrsg.), Organisationskultur. Stuttgart: Poeschel, 1-21 Emery, F.E. & Trist, E.L. (1965). The causal texture of organisational environments. Human Relations, 18(1), pp. 21-32



112

Heller, F.A. (1969). Group Feedback-Analysis: A method of field research. Psychological Bulletin, 72, pp. 108-117. INSAG - International Safety Advisory Group (1991). Safety Culture, Safety Series No. 75-INSAG-4. Vienna: IAEA INSAG - International Safety Advisory Group (1998). Developing safety culture in nuclear activities: Practical suggestions to assist progress. Safety Reports Series No. 11. Vienna: IAEA. INSAG – International Safety Advisory Group (1999). Management of Operational Safety in Nuclear Plants, ISNAG – 13. Vienna: IAEA INSAG – International Safety Advisory Group (2002). Key Practical Issues in Strengthening Safety Culture, INSAG – 15. Vienna: IAEA Guldenmund, F.(2000). The nature of safety culture: a review of theory and research. Safety Science, 34, 215-257. Guldenmund, F. (2004). The Use of Questionnaires in Safety Culture Research – An Evaluation. Paper presented at the 2004 NeTWork Workshop in Blankensee, 9 – 11 September 2004. Hale, A. R. (2000). Editorial: Culture's Confusion. Safety Science, 34, 1-14. Keesing, R. (1974). Theories of culture. Annual Review of Anthropology, 3:73-97 Hopkins; A. (2002). Safety, Culture, Mindfulness and Safe Behaviour: Converging Ideas. Paper prepared for the Jim Reason Festschrift. Canberra: NRCOHSR. Lewin, K. (1952). Constructs in field theory (1944). In D. Cartwright (Ed.), Field theory in social science: selected theoretical papers by Kurt Lewin (pp.30-42). London: Tavistock. Meek, V.L. (1988). Organizational culture: Origins and weaknesses. Organization Studies, 9/4: 453-473 Parker, D, Lawrie, M. & Hudson, P. (2006). A framework for understanding the development of organisational safety culture. Safety Science, 44 (6), 551-562. Reason, J. T. (1997). Managing the risks of organizational accidents. In. Brookfield, USA: Ashgate. Reason, J. T. (1998). Achieving a safe culture: theory and practice. Work and Stress, 12(3), 293-306. Reiman, T. & Oedewald, P. (2004). Measuring maintenance culture and maintenance core task with CULTURE-questionnaire – a case study in the power industry. Safety Science, Vol.42 (9), 859-889. Schein, E.H. (1992). Organisational culture and leadership, 2nd edition. San Franciso,CA: Jossey-Bass Van Rekom, J., van Riel, C.B.M. & Wierenga, B. (2006). A Methodology for Assessing Organizational Core Values. Journal of Management Studies, 43 (2), 175-201. Verplanken, B. & Holland, R.W. (2002). Motivated Decision Making: Effects of Activation and Self-Centrality of Values on Choices and Behavior. Journal of Personality and Social Psychology, Vol.82 (3), 434-447. WANO (2002). Principles for Excellence in Human Performance. World Association of Nuclear Operators, WANO-GL2002-02, December 2002. Weick, K.E. (1995). Sensemaking in Organizations. Thousand Oaks, CA: Sage Wilpert, B. (1991). System safety and safety culture. Paper prepared for the IAEA/IIASA-Meeting on "The Influence of Organization and Management on the Safety of Nuclear Power Plants and other Industrial Systems", Vienna, 18 - 20 March Wilpert, B. (2001). The relevance of safety culture for nuclear power operations. In: B. Wilpert & N. Itoigawa (eds.), Safety Culture in Nuclear Power Operations. London: Taylor & Francis, pp. 5-18. Wilpert, B., Ignatov, M. & Schöbel, M. (2002). Implicit norms as regulators of safety performance. Final report, Reactor Safety Research-Project-Nr.: 1501082, University of Technology Berlin. Wilpert,.B., Büttner, T. Otto, S., Fahlbruch, B., Schöbel, M., Niehoff, J., Rieger, M.E. (2003). Self-assessment and enhancement of safety culture in NPP. Final report, Reactor Safety Research-Project-Nr.: 1501255, University of Technology Berlin Zohar, D. (1980). Safety climate in industrial organizations: theoretical and applied implications. Journal of Applied Psychology 85 (4), 587-596.



113

II.2 Diagnosis of Safety Culture: A Replication and Extension Towards Asessing "Safe" Organisational Change Processes

G. Grote

Work and Technology Group ETH Zürich, Kreuzplatz 5, 8032 Zürich, Switzerland; [email protected]

Abstract: Organizational changes that are apparently unrelated to risk and safety management may in fact be very relevant to the level of process and work safety, e.g. based on "objective" parameters like work load and "subjective" parameters like motivation. Therefore, assessments of an organization`s risk quality should also consider change management during major organizational changes. To help such assessments an existing questionnaire used to evaluate safety management and safety culture was extended to include indicators for change management. Results from applying the new instrument at seven petrochemical plants as part of insurance audits are presented. The validity of the previously developed parts of the questionnaire measuring perceptions of operational safety management by means of three scales "Enacted Safety", "Formal Safety", and "Technical Safety" and of safety and design strategies by means of sixteen items related to various characteristics of managing safety and uncertainty was confirmed. A principal components analysis with the sixteen newly developed items for evaluating change management revealed four factors, "Esteem", "Procedures for Organizational Change", "Transparency", and "Vision", corresponding partially to four content areas deemed crucial for safe organizational change, i.e. reflected radicality of change, support for constructive redevelopment, esteem for employees, and employee involvement. Evidence for the validity of the new scales is provided and the usefulness of the new instrument discussed. 1. Introduction When evaluating a company's risk quality, for example as part of insurance assessment, technical factors have been dominant, with only fairly recent introduction of some consideration of the company's formal safety management and to a lesser degree the company´s safety culture (e.g. Müller et al., 1998). While the acceptance of organizational safety measures as crucial determinants of system safety is growing, a push for an even broader view of organizational factors in risk has been occasioned by reports of detrimental effects attributed to major organizational changes such as mergers, outsourcing and downsizing (e.g. Perron & Friedlander, 1996; Weick & Sutcliffe, 2001). So far, systematic evidence on decreases in safety as a consequence of radical organizational changes is scarce (e.g. Rousseau & Libuser, 1997). In his analysis of the Longford Esso Gas Plant explosion, Hopkins (2000) identified organizational change as a contributing factor. Another example, where inadequate handling of organizational change was considered relevant as an accident cause was a refinery in California (Acusafe, 1999). Most studies focus on effects on employee attitudes and behavior (e.g. Kets de Vries & Balazs, 1997), sometimes including indicators of employee health such as sick leave (Vahtera, Kivimäki & Pentti, 1997). Generally, the findings demonstrate the dramatic nature of major organizational restructuring for the individuals affected, resulting in severly lowered job motivation and organizational loyalty. A newer strand of research has looked at effects of perceived job insecurity on safety. It appears from those studies that job insecurity as a consequence of layoffs will negatively affect safety compliance, accidents and injuries mainly in organizations with negative safety climate (e.g. Probst, 2004).




114

These studies also indicate, however, that the effects can be strongly influenced by the strategies and procedures chosen for carrying out the changes (cf. e.g. Boonstra & Bennebroek Gravenhorst, 1998). This poses a challenge for theory and practice in the field of organizational development, where up to now the focus has been on evolutionary changes. Recommendations such as strong and early employee involvement in the change process, a long-range time perspective, and complete Transparency of the change process (e.g. French & Bell, 1984) have to be examined in the context of requirements stemming from radical organizational change such as fast decision making in order to help both organizational and individual reorientation (Grote & Zirngast, 2001). The study reported here had three aims: (1) to replicate findings on the validity of an already existing instrument for assessing safety culture (Grote & Künzler, 2000), (2) to extend this instrument by developing and testing indicators for effective change manage¬ment during radical organization restructuring, and (3) to study the assumed link between change management and system safety. 2. Revisiting the socio-technical model of safety culture by Grote and Künzler (2000) There is a long-standing debate on the appropriate degree of (de-)centralization in high-risk organizations. While in industrial practice, mostly a „minimizing uncertainty approach“ (Grote, 2004a) is followed, assuming that through tight planning and control of operations uncertainties and thereby also risks can be designed out of the system, organization theorists have argued that a „coping with uncertainties approach“ (Grote, 2004a) is required, providing local actors with enough autonomy to flexibly handle changing demands in complex systems. In view of the advantages and disadvantages of both approaches to uncertainty management, Weick (1976) has suggested the principle of loose coupling: Organizations contain interdependent elements which through their linkages preserve some degree of determinateness; at the same time these elements are subject to spontaneous changes which produces some degree of independence and indeterminateness. These processes simultaneously ensure autonomy of actors and sufficient binding forces for all actors to use their autonomy to promote the organization`s objectives (Orton & Weick, 1990; Weick, 1976). Weick (1987) has also pointed out that culture is a powerful means for achieving loose coupling as it helps to provide sufficient coordination and integration of otherwise autonomous agents. Through this conception of the role of culture in safety, the often rather superficial discussion of safety culture as safety-promoting norms and attitudes shared by the members of an organization appears in a new light. This thinking has been taken up in a socio-technical model of safety culture proposed by Grote and Künzler (2000) (see Figure 1). The model combines the proactive integration of safety into organizational structures and processes, which is common to most concepts of good safety management and safety culture (cf. e.g. Cox & Flin, 1998; Hale, 2000), with design requirements derived from socio-technical system integration aimed at handling uncertainties locally. In the model, cultural norms are assessed against both furthering proactive safety management and socio-technical integration. From the model a questionnaire was developed to support safety management and safety culture audits. This questionnaire contains three parts, (1) questions on material characteristics of an organization's safety management, linked especially to the material part of proactiveness in the model, (2) questions concerning strategies chosen in the organization regarding both safety management and socio-technical system design, aiming mainly at the assessment of value-consciousness in the model, and (3) questions on material characteristics of job design as implied by the material part of socio-technical integration in the model.



115

}

}

Proactiveness

Sociotechnical integration

Value- consciousness

Joint optimization of technology and work organization aiming at the control of disturbances at their source

Integration of safety in organizational structures and processes

Values and beliefs that further integration of safety in all work processes

Norms related to socio-technical design principles like automation philosophy and beliefs concerning trust/control

visible, but difficult to decipher

Material characteristicsof the organization

hidden, taken for granted

Immaterial characteristof the organization

Figure 1. Socio-technical model of safety culture (from Grote & Künzler, 2000)

The instrument has been applied extensively in insurance audits in the petrochemical industries (Grote & Künzler, 2000). One particularly interesting application, which also indicated the need for an additional assessment of change processes, happened in the course of a reorganization program at one plant where the instrument was used twice allowing for a longitudinal investigation of changes in safety-related perceptions. While the very positive results obtained in the first survey could be linked to a strong and shared effort to improve safety management, views two years later seemed more sober with the plant just having overcome some conflicts between management and unions over the reduction of central safety staff and delegation of safety responsibility to line management and also being uncertain about the general direction safety efforts would take under a recently appointed new plant management. The management-shopfloor tension was especially evident in the far more critical evaluations by operators compared with supervisory personnel. Interestingly, these differences existed mainly in the assessment of material indicators of safety management, not so much in the assessment of safety and design strategies, where responses were fairly similar for both groups and indeed for both surveys. These findings indicate that the second part of the questionnaire referring to safety and design strategies is able to capture more general and enduring aspects of safety management, which might be considered expressions of culture, while the first part of the questionnaire referring to safety management is more related to the immediate situation in a company. The third part of the questionnaire concerning job design was only applied during the second audit in this plant and showed little interpretable variance. With its emphasis on supporting local actors in controlling variances at their source, the socio-technical model of safety culture is more focused on the coping with uncertainties approach to uncertainty management (Grote, 2004a). Elements of loose coupling are included through making a deliberate effort to discuss the balance between autonomy and central control in the audited organizations. Grote and Künzler (2000) reported some evidence for the validity of this approach: For example, higher perceived operational autonomy as well as "higher order autonomy" (i.e. autonomy regarding the restriction of one's own operational autonomy, e.g. through involvement in the definition of operating procedures and in organizational planning; cf. Grote, 1997; Klein, 1991) were positively related to adequate handling of risks as judged by external auditors. However, the special form of autonomy related to the independent handling of disturbances - as one of the core requirements embedded in the competent handling of uncertainties approach to organization design - did not appear to be beneficial to



116

system safety, as plants where this aspect was evaluated positively by plant employees were assessed particularly negatively regarding the overall safety managament by the external auditors. This issue was taken up again in the present study along with trying to replicate the structure and validity of the questionnaire. 3. Indicators for effective change management In the vast literature on organizational change and its management, general agreement can be found regarding the need to counter resistance to change and to improve the quality of change decisions by participation of the individuals affected (e.g. Ulich & Grote, 1997). However, assumptions about the timing, extent, and form of participation vary across authors and also according to the particularities of the change process in question (e.g. Boonstra & Bennebroek Gravenhorst, 1998). Especially regarding radical and fast changes, broad participation is not considered suitable. In the literature discussing management of radical changes such as mergers & acquisitions, downsizing and major restructuring, three important elements as complements or even substitutes of participation are discussed: care for survivors and victims of change, mending or recreating culture, and management commitment to a medium to long-term vision regarding the aimed at effects of the change (e.g. Callan, 1993; Kets de Vries & Balazs, 1997). Combining these recommendations with the assumptions underlying organizational development in general (e.g. French & Bell, 1984), four broad themes for effective change management were defined: reflected radicality of change, support for constructive redevelopment, esteem for employees, and employee involvement (see Table 1). For each of these themes a number of possible indicators were defined using existing literature as well as the extensive experience of risk management experts in auditing companies which have undergone major organizational change.

Table 1. General change management indicators Content area Possible indicators Reflected radicality of change Unquestionable need for change

Proactiveness Integral success criteria Value consciousness Personal commitment Appropriate speed

Support for constructive redevelopment Closing gaps Measures for growing together Balance of change and stability

Esteem for employees Investing in employees Care for survivors/victims Acceptance of emotions

Employee involvement Process Transparency Predictability of change measures Participation in decision making

From this list of themes and indicators, questionnaire items were developed to complement the questionnaire on safety management and safety culture by Grote and Künzler (2000), which will be described in more detail in the next section. The overall goal was to develop an instrument that – as part of a safety management audit and thereby as a complement to interviews with plant management, to observations during plant tours and to survey responses



117

by employees on safety management and safety culture – would help to assess how well change is handled in high-risk organizations. The instrument was also to support the participating company in reviewing their own safety management and change program and to discuss best practice regarding safety and change management. Method Sample The test sites all belonged to globally operating petrochemical corporations. Five of the test sites were located in the US, one in the UK and one in Sweden. Three test sites belonged to the same corporation. Plant size ranged from about 350 to 700 employees. The samples drawn for application of the questionnaire focused on representativeness with respect to the different groups of personnel, i.e. employees in operations and maintenance with and without management functions and members of the engineering, inspection, and safety departments. While for operations and maintenance representative subsamples of about 60-80% of the total populations were chosen, all employees of the other departments were included. Having determined the number of questionnaires to be handed out within each organizational unit based on the considerations just described, members of management of those units were given the questionnaires on the first day of the audit and were instructed to provide their employees with time during regular work hours to fill them in individually on that same day. Usually, the number of questionnaires to be handed out was close to the number of people present on that shift, so that no further selection was necessary. If fewer people were required than those present, the responsible manager could make the selection. The filled-out questionnaires were returned to the auditing team in sealed envelopes. The average response rate was 85%. The questionnaire results were analyzed on-site in order to allow for direct feedback at the end of the audit visits. Table 2 provides an overview of the samples at the seven sites.

Table 2. Samples at seven test sitesa Site 1 Site 2 Site 3 Site 4 Site 5 Site 6 Site 7 Plant size 500 450 700 500 550 350 450 Operations 131 (44) 116 (16) 192 (26) 120 (21) 153 (7) 59 (20) 103 (12) Maintenance 76 (37) 53 (14) 122 (21) 91 (21) 108 (24) 82 (25) 78(13) Engineering 26 (7) 44 (16) 31 (4) 30 (7) 41 (3) 29 (5) 17 (4) Inspection 9 (3) 14 (4) 9 (1) 10 (2) 4 (1) 5 (1) 8 (2) Safety 5 (5) 7 (1) 8 (2) 17 (6) – 10 (8) 12 (7) Other/not specified

3 – – 8 – 5 5

Total sample 250 234 362 276 306 190 223

a Numbers in parantheses indicate the numbers of employees with management functions of the total number of employees included in the respective group. As the questionnaire was always administered as part of insurance audits on the safety management of the plants visited, the results of the formal insurance assessments could be used as external criterion. These assessments are expressed as numbers of points reached in several areas of safety management (e.g. resources, training, procedures) in six organizational sectors (top management, operations, maintenance, engineering, inspection, loss prevention). Also, particular weaknesses are identified in terms of topics where zero points are obtained.



118

Instrument Two parts of the questionnaire developed by Grote and Künzler (2000) were included in the new instrument: (1) questions on material characteristics of an organization's safety management ("operational safety"), and (2) questions concerning strategies chosen in the organization regarding both safety management and socio-technical system design ("safety and design strategies").

For operational safety, a total of 20 items was used, which in previous exploratory factor analyses had been found to belong to three factors, Enacted Safety, Formal Safety, and Technical Safety (Grote & Künzler, 2000). Enacted safety concerned the integration of safety into everyday operations (sample items: "Members of management are often in the plant and discuss safety issues with plant personnel", "Proposals developed during safety meetings are swiftly implemented"). Formal safety referred to elements of the formal safety management system (sample items: "There exist sufficient training courses for the advancement of safe behaviour", "There are sufficient written procedures, checklists etc. to ensure safety of plant operation"). Technical safety included items very directly related to technical safety measures (sample item: "All technical systems provide good support in critical situations"). All items were phrased as positive statements and the respondents were to rate on a five-point Likert scale, to what extent the statement fit the situation in the organization as they perceived it. Additionally, an overall evaluation of safety measures was included by means of a seven-point scale with more or less happy and unhappy faces as anchors.

For safety and design strategies, 16 pairs of statements were used describing different ways of handling safety responsibility, technology use, competence distribution etc. For each pair of statements, a 'positive' side was defined based on assumptions contained in the socio-technical model of safety culture, e.g. in the pair "Employees are motivated for safety by information and interesting tasks vs. Employees are bound to safety by strict control" the first statement describes the assumed positive way of handling the issue of motivation for safe behavior. Respondents were asked to indicate for each pair of statements on a five-point scale, which value described best the way the respective issue was handled in their organization.

In order to not increase the length of the questionnaire, the items related to change management replaced the third part of the original questionnaire dealing with personal job needs, as this part had previously been found to be least revealing of safety management and safety culture in the plants studied. From the themes and indicators presented in Table 1, sixteen statements were derived, which are listed in Table 4. As reflected radicality of change was considered most crucial and there was the least empirical knowledge regarding this aspect of change management, half of the items were derived from indicators under this theme. Employee involvement as another core element of change management - which is much better understood, though - was covered by four items. Support for constructive redevelopment and esteem for employees were covered by two items each. Each item was measured on a 6-point scale ranking from 1 "totally disagree" to 6 "totally agree". A 6-point scale was chosen because pilot tests during several insurance audits with a questionnaire version using a 5-point scale for all three parts had shown that there was a particularly strong tendency towards using the middle value of the scale for this part of the questionnaire.

At all test sites, the same English version of the questionnaire was used.



119

Results and Discussion Safety Management and Safety Culture The three factor structure of the 20 operational safety items was tested by means of confirmatory factor analysis, using AMOS maximum likelihood estimation. Accounting for the nested structure of the sample, multiple group analysis was applied, testing the hypothesized three factor model in comparison to a general factor model simultaneously in the seven sub-samples. In the analyses, the factor structure was fixed by either constraining items in all seven sub-samples to load on one of three factors according to the factor structure identified in Grote and Künzler (2000) or by constraining items to all load on one factor in the sub-samples. The magnitude of the loadings was left unconstrained as there were no specific assumptions about item weightings in the factors. Fit statistics are shown in Table 3. The χ2 value for the three factor model indicated a significant difference between the implied and the observed covariances. However, the χ2 is inflated with large sample sizes. For this reason, other fit indices were also taken into account, which all indicated a good fit of the three factor model with the data: The ratio of χ2 and degrees of freedom was lower than 2.5 (Backhaus et al., 2006); the incremental fit index (IFI) and the comparative fit index (CFI) were both greater than .90 (Hoyle, 1995); the root-mean-square error of approximation (RMSEA) was less than .05 (Browne & Cudeck, 1993).

The comparison of the three-factor model with a one-factor model, using the χ2-difference test, showed that the three-factor model had a significantly better fit with the data. This was also supported by the 90%-confidence intervals of the RMSEA because the confidence intervals for the two models did not overlap. These results indicate that across the seven sub-samples the three-factor model as reported by Grote and Künzler (2000) fitted the data best. Also, no major differences were apparent in the magnitudes of the item loadings on the three factors across the seven samples (data available from the authors).

Table 3. Multiple group analysis for test sites 1 to 7 of the items on operational safety

Structure χ2 a df χ2/df IFIb CFIb RMSEAb RMSEAb confidence interval

Δχ2 p for Δχ2

1-factor model 3146.12 1190 2.64 0.98 0.98 0.030 0.029;0.031 3-factor model 2548.87 1169 2.18 0.99 0.99 0.025 0.024;0.027 597.25 <.001

a All χ2 are significant at p < .001. b IFI = incremental fit index; CFI = comparative fit index; RMSEA = root-mean-square error of approximation. Even though the three factor model had a very good fit with the data, one should also mention that the two factors Enacted Safety and Formal Safety were highly correlated with values greater than .9 in the total sample and most subsamples in the multiple group analysis. One may therefore argue that these factors are not sufficiently distinct constructs. Correlations between the two respective scales and the overall satisfaction by employees with the safety management in their companies could also serve this view, as they were very similar for Enacted Safety (r=.68, p<.001) and Formal Safety (r=.66, p<.001), while there was a lower correlation for Technical Safety (r=.5, p<.001) (all Pearson correlation coefficients with company partial out).



120

Keeping Enacted Safety and Formal Safety as two factors is motivated by the assumption that formal safety management and the safety enacted on a day-to-day basis conceptually are not necessarily correlated. This is also illustrated by one of the companies analyzed in this study. At site 6, the external evaluation of safety management by the auditors was the most positive of all the seven sites, the employee responses on the enactment factor in particular were the most negative (see Table 5). In the auditors' understanding of this particular plant, this result was due to the fact that the plant had recently been bought by a corporation with very good formal safety management procedures, which were immediately introduced in this plant as well, while at the same time there were many open conflicts between management and work force not adequately handled. When correlating the formal audit assessments with employee responses from all seven test sites, the resulting Spearman's rho was -.04 for Enacted Safety, .32 for Formal Safety, and .39 for Technical Safety. When test site 6 was excluded, the rho was .54 for Enacted Safety, .6 for Formal Safety, and .35 for Technical Safety. Due to the very small sample size of test sites, these correlations were all non-significant and can only serve as a still preliminary indication of both the validiy of the three scales and Enacted Safety being valuable as a separate factor.

For the items related to safety and design strategies, no factor structure was assumed as discussed in Grote and Künzler (2000).8 While some items had a somewhat stronger emphasis on safety management and others on socio-technical design, all items contained both aspects because on a strategic level safety management and socio-technical design are highly interlinked. This is also a core tenet of the socio-technical model of safety culture. Analyses were therefore based on the single items, aimed at a better understanding of the particular ways an organization handles safety and uncertainty. ANOVA results showed significant differences between companies for all items, with often the companies evaluated worst by the formal audit assessment having lower values and the companies with the best auditing results having the highest values.

Interestingly, one item related to the autonomous handling of process upsets by plant personnel, which can be considered a crucial indicator of the coping with uncertainties approach to uncertainty management (Grote, 2004a), showed - unlike in the previous study by Grote and Künzler (2000) - very consistent results with the formal safety assessment by the auditors with the test site evaluated worst by the auditors also having the worst response by plant personnel (significant Dunnett post-hoc contrasts in ANOVA). It has been proposed that operational uncertainty might act as moderator in the relationship between autonomy and safety just as it does in the relationship between autonomy and performance (Grote, 2004b; Grote, Turner & Wall, 2003; Thompson, 1967; van de Ven, Delbecq & Koenig, 1976; Wall, Cordery & Clegg, 2002). Potentially, the sample analyzed in the current study included companies with higher levels of process uncertainty, necessitating a coping with uncertainties approach more. Unfortunately, not enough information on the particular production conditions at the test sites was available to substantiate this assumption.

Regarding employee overall satisfaction with the safety management in their companies in relation to the items on safety and design strategies, correlations higher than .3 were found for five items (Pearson correlation coefficients with company partial out), concerning resources available for safety (r=.34, p<.001), learning from near misses (r=.41, p<.001), technology replacing versus supporting people (r=.36, p<.001), a questioning attitude towards instructions (r=.36, p<.001), and participation in rule making (r=.46, p<.001). Most of these items concern 8 I thank one the reviewers for pointing out the difference between reflective and formative indicators. The safety and design strategy items could be conceptualized as a formative indicator, but in this study could not be tested as such.



121

core elements of the coping with uncertainty vs. minimizing uncertainty strategy, indicating the importance of uncertainty management for safety perceptions. Overall, results from the Grote and Künzler (2000) study on the structure and validity of the scales measuring operational safety and the items measuring safety and design strategies could be replicated. This provides additional support for the instrument being useful in assessing safety management and safety culture as part of formal safety management audits. Change management The newly developed questionnaire items related to change management were subjected to exploratory factor analysis. Using principal components analysis with varimax rotation for the total sample as well as for the sub-samples from the seven test sites, usually two to three factors were found based on the eigenvalue greater 1 rule. When forcing four factors based on the four content areas that were used as basis for the construction of the questionnaire, usually three of the factors were quite consistent across the different sub-samples, though only partially overlapping with the pre-defined content areas. These correspond to the factors 1, 3 and 4 in Table 4. Taking into consideration these results as well as the practical experience of the auditors with the questionnaire, the four factor solution as presented in Table 4 was chosen for scale construction. However, the last item on the first factor was excluded due to both its low loading and negative feedback from the auditors. The one other item with a loading lower than .5 on its factor was the last item on factor 2, which was kept, though, due to the auditors' positive feedback about its practical relevance.

Table 4. Factor structure for the change management items in the total sample

Item Content area

Factor 1Esteem

Factor 2POC

Factor 3Transparency

Factor 4Vision

Individual support is offered to employees to cope with the effect of organizational changes on their personal situation.

Esteem for employees

.75 .18 .17 .20

Concern for employees is expressed by investments into training, better working conditions etc. even in times of scarce resources.

Esteem for employees

.73 .28 .20 .11

Management looks regularly for feedback about the quality of change processes from all employees affected.

Employee involve-ment

.69 .18 .32 .20

Organizational units and individual employees affected by changes are adequately involved in the decision process.


.65 .29 .29 .20

Much effort is spent in developing and reassuring common cultural standards during change processes.

Construc-tive rede-velopment

.65 .26 .32 .16

Change processes are carried out in a way to foster a shared innovative spirit and a proactive attitude in the company.(excluded from Esteem scale)

Reflected radicality

.48 .45 .30 .38



122

Item Content area

Factor 1Esteem

Factor 2POC

Factor 3Transparency

Factor 4Vision

The scope and speed of changes is not higher than the employees can cope with.


.19 .81 .17 .08

Potential impacts on safety resulting from organizational changes are always evaluated.


.34 .57 .24 .32

Organizational changes are always carried out in a way that ensures sufficient resources and procedures for safe operation.


.33 .57 .42 .14

It is the company`s major concern to keep people with crucial safety-relevant knowledge and experience.


.35 .50 .09 .38

Great care is taken to avoid unclear definitions of responsibilities, especially in safety-critical areas.


.43 .45 .26 .39

During change processes, crucial decisions are made as fast as possible to minimize uncertainties for all involved.

Constructive rede-velopment

.18 .13 .83 .19

Decisions made during change processes are communicated immediately and comprehensively.


.38 .22 .72 .17

Reasons provided by management for changes in the company are always plausible and transparent.


.33 .26 .62 .09

13. Key persons in change processes are selected based on their commitment to the company`s progress.


.15 .07 .15 .86

14. New organizational structures and processes are designed in accordance with long-term visions and goals.


.23 .32 .16 .68

Variance explained 49% 6% 5% 4%

POC=Procedures Organizational Change

The four scales constructed as mean scores across the items selected in accordance with the four factors Esteem, Procedures Organizational Change (POC), Transparency, and Vision, had Cronbach's Alphas of .86, .82, .76, and .64 respectively. As can be seen from Table 4, the content area Reflected radicality was split into two scales, POC and Vision. The items of the content area Esteem for employees did load on one factor, but this factor also contained items of the last two content areas, Constructive redevelopment and Employee involvement. Other items of these two content areas loaded most highly on a separate factor again.

Given the fact that there were the most items related to the content area reflected radicality, which in itself covers quite diverse aspects such as personal commitment to change, speed of



123

change and success criteria for change, the items loading on two separate factors was not astonishing. One item meant to measure proactiveness of change did not have a high loading on either of these two factors and as a matter of fact did not load highly on any factor. The idea of proactiveness is best captured in the factor Vision, which currently is only represented by two items. In future applications of the questionnaire, it might therefore be worthwhile to include a new item on proactiveness as part of the Vision scale.

The four items concerning employee involvement did not come out as a separate factor, but the two items capturing preconditions for participation, i.e. Transparency and predictability, had the highest loading on the factor Transparency, while the items concerning the actual participation in decision making had the highest loading on the factor Esteem. One item concerning the indicator Balance of change and stability within the content area Constructive redevelopment also loaded most highly on the factor Transparency, which is comprehensible as the item alluded to providing a basis for reorientation. The second item of Constructive redevelopment concerning efforts for assuring common cultural standards loaded most on the factor Esteem, together with the two items from the content area Esteem for employees and the two participation items. Overall, the four factors, though not completely corresponding to the four content areas, were meaningful and captured different aspects of change management well.

In order to test the validity of the suggested change management scales, the most direct criterion was the number of weak points in change management identified in the formal audits. As the audit instrument was developed primarily to assess safety management, there were only few elements of change management included, such as identification of key knowledge to be kept during lay-offs and keeping single standards during mergers and reorganizations. For three of the seven test sites one or more of these weak points were identified and it was found that on all four change management scales these sites had lower employee responses (see Table 5). These differences were also statistically significant, as indicated by post-hoc contrasts in ANOVA.



124

Table 5. Mean scores on the employee survey and results of the formal safety management audits

Test site

Formal assessment a

Enacted Safety

Formal Safety

Technical Safety

Esteem POC Transparency Vision

1 74 (0) 3.95 4.22 3.76 4.06 4.60 3.94 4.17 2 68 (1) 3.34 3.62 3.20 2.74 3.32 2.76 3.57 3 36 (1) 3.29 3.59 3.25 3.26 3.58 3.27 3.67 4 67 (3) 3.25 3.75 3.20 3.18 3.52 3.40 3.59 5 53 (0) 3.81 4.15 3.61 3.66 3.96 3.65 4.11 6 92 (0) 3.19 3.63 3.31 3.32 3.85 3.50 3.83 7 71 (0) 3.65 3.93 3.26 3.64 4.05 3.81 4.00

a The numbers in paratheses indicate the number of weak points identified related to management of organizational change.

POC=Procedures Organizational Change In terms of the overall safety assessment by the external auditors and by the employees themselves in relation to the employee assessments of change management on the four scales, correlations between .29 and .46 were found for the audit assessments (Spearman`s rho, all non-significant) and between .35 and .55 for the employee overall satisfaction ratings (Pearson correlation coefficients, company partial out, all p<.001). So, correlations were lower than for the safety management scales, but still substantial, which would be expected due to the conceptual distinction between safety management and change management. In summary, the results indicated that the change management items covered meaningful and valid dimensions of change management, which add to the richness of the picture obtained during formal safety management audits. Test site 6 was particularly interesting, as it received by far the best assessment in the formal audit, but the employee responses indicated medium to negative assessments of both safety management, especially enacted safety, and change management. As mentioned earlier, these results can be interpreted in terms of positive developments in the plant through the introduction of better formal safety management happening in parallel with ill-handled conflicts with employees during the change process.

The relationship between safety management and change management assessments and the actual system safety could not be analyzed directly in this study. No attempt was made to correlate results from either the questionnaire or the formal safety management audits with accident and incident data. Occupational accidents - often accidents like falls, bruises or cuts - cannot be expected to be linked strongly to the quality of process safety management, which is the focus of the developed instrument, whilst process safety-related incidents were too rare in the companies studied to permit statistical analysis. The claim made in this study that the developed instrument allows to asses safety management and safety culture in conjunction with effective change management during radical organization restructuring in terms of their effects on system safety therefore remains tentative.



125

Conclusion Based on the results of this study, the use of the proposed instrument for assessing safety

management, safety culture, and change management can be recommended. The structure and validity of the two previously used parts of the questionnaire concerning operational safety management and safety and design strategies could be replicated. Also, some additional evidence for the relevance of evaluating management of uncertainty as part of safety management was provided. For the newly developed part of the questionnaire on change management, meaningful scales were identified that cover four dimensions of change management, i.e. Esteem, Procedures for Organizational Change, Transparency, and Vision. Some first evidence on the validity of these scales could also be found. Further applications of the instrument are encouraged in order to add to this evidence as well as to increase our understanding of safety management and safety culture in relation to the management of uncertainty and of aspects of change management relevant to the safety of organizations. Also, change management should be reflected more in terms of its embeddedness in and effects on organizational culture, which could lead to an enhanced understanding and conceptualization of safety culture as well.

Acknowledgements I thank my project partners at Swiss Re Risk Engineering Servies, especially Ernst Zirngast, for financial support as well as for the stimulating and fruitful cooperation. Also, my thanks go to Cuno Künzler, who collaborated with me on this project, and to Anette Wittekind, who helped with some of the statistical analyses. References Acusafe, 1999. http://www.acusafe.com/Incidents/Tosco-Avon1999/TOSCO_Final_ADL_ InitialSafetyReport_5-99.pdf Backhaus, K., Erichson, B., Plinke, W. & Weiber, R.,2006. Multivariate Analysemethoden. Eine anwendungsorien¬tierte Einführung (11. Ed), Springer, Berlin. Boonstra, J.J. & Bennebroek Gravenhorst, K.M., 1998. Power dynamics and organizational change: A comparison of perspectives. European Journal of Work and Organizational Psychology 7, 97-120 Browne, M.W. & Cudeck, R., 1993. Alternative ways of assessing model fit. In: Bollen, K.A. & Long, J.S. (Eds.). Testing structural equation models. Sage, Thousand Oaks, pp. 136-162. Callan, V.J., 1993. Individual and organizational strategies for coping with organizational change. Work & Stress 7, 63-75. Cox, S. & Flin, R., 1998. Safety culture: Philosopher’s stone or man of straw? Work & Stress, 12, 189-201 French, W.L. & Bell, C.H., 1984. Organization development. Behavioral science interventions for organization improvement (3rd ed.), Prentice-Hall, Englewood Cliffs. Grote, G., 1997. Autonomie und Kontrolle - Zur Gestaltung automatisierter und risikoreicher Systeme. vdf Hoch¬schul¬verlag, Zürich. Grote, G., 2004a. Uncertainty management at the core of system design. Annual Reviews in Control 28, 267-274 Grote, G., 2004b. Understanding and assessing safety culture through the lens of organizational management of uncertainty. Paper presented at NETWORK meeting on Safety Culture and Behavioral Change at the Workplace, Berlin, September 2004. Grote, G. & Künzler, C., 2000. Diagnosis of safety culture in safety management audits. Safety Science 34, 131-150 Grote, G., Turner, N., & Wall, T.D., 2003, March. The uncertain relationship between autonomy and safety. In D. Elisburg (Ed.). Occupational safety. Symposium at the 5th Work, Stress, and Health conference, Toronto, Canada. Grote, G. & Zirngast, E.G. Change Management Audit Program, Change MAP. Proceedings of CCPS International Conference on Making Process Safety Pay Off, Toronto, 2001.



126

Hale, A., 2000. Editorial: Culture's confusions. Safety Science, 34, 1-14. Hopkins, A., 2000. Lessons from Longford: The Esso Gas Plant Explosion. Sydney: CCH. Hoyle, R.H., 1995. The structural equation modelling approach: Basic concepts and fundamental issues. In: Hoyle, R.H. (Ed.). Structural equation modelling, concepts, issues, and applications. Sage, Thousands Oaks, pp. 1-15. Kets de Vries, M. & Balazs, K., 1997. The downside of downsizing. Human Relations 50, 11-50 Klein, J.A., 1991. A re-examination of autonomy in the light of new manufacturing practices. Human Relations 44, 21-38. Müller, S., Brauner, C., Grote, G. & Künzler, C., 1998. Safety culture - a reflection of risk awareness, Swiss Re Publications, Zürich Orton, J.D. & Weick, K.E., 1990. Loosely coupled systems: A reconceptualization. Academy of Management Review 15, 203-223 Perron, M.J. & Friedlander, R.H., 1996. The effects of downsizing in safety in the CPI/HPI. Process Safety Progress 15, 18-25 Probst, T.M., 2004. Safety and insecurity: Exploring the moderating effect of organizational safety climate. Journal of Occupational Health Psychology 9, 3-10 Rousseau, D.M. & Libuser, C., 1997. Contingent workers in high risk environments. California Management Review 39, 103-123 Thompson, J. D., 1967. Organizations in action, McGraw-Hill, New York. Ulich, E. & Grote, G., 1997. Work organization. In: ILO Encyclopaedia of Occupational Health and Safety, 4th Ed., Vol. 1, International Labour Office, Geneva, pp. 29.48-29.52. Van de Ven, A.H., Delbecq, A.L. & Koenig, R., 1976. Determinants of coordination modes within organizations. American Sociological Review 41, 322-338 Wall, T.D., Cordery, J., & Clegg, C.W., 2002. Empowerment, performance, and operational uncertainty: A theoretical integration. Applied Psychology: An International Review 51, 146-169 Vahtery, J., Kivimäki, M & Pentti, J., 1997. Effect of organisational downsizing on health of employees. Lancet 350, 1124-1128 Weick, K.E., 1976. Educational organizations as loosely coupled systems. Administrative Science Quarterly 21, 1-19 Weick, K.E., 1987. Organizational culture as a source of high reliability. California Management Review 29, 112-127 Weick, K.E. & Sutcliffe, K.M., 2001. Managing the unexpected. San Francisco: Josseey-Bass



127

II.3 Safety Culture Models as the Basis for Improvement P.T.W. Hudson

Dept of Psychology Leiden University, PO Box 9555, 2300 RB Leiden, The Netherlands; [email protected]

Abstract: The concept of a safety culture has proven difficult to define and, therefore, measure. Most definitions centre about the identification of a set of characteristics that can be best seen as describing an ideal, advanced safety culture. This approach makes it difficult for organisations to structure improvement plans and implement them because the definition often represents an almost impossible ideal. An alternative approach involves recognising a range of cultures, each quite distinct, that represent steps from Pathological cultures, that can hardly be called safety cultures, right through to the advanced safety culture that has been labelled as Generative. The latter has also been equated with the High Reliability Organisation. The advantage of this approach, that has been adopted by the world’s Oil and Gas upstream industry through the OGP, is that it provides a way of both measuring where an organisation (or parts of a larger organisation) is on this ladder and of defining detailed intermediate behaviours and practices that can serve to define a pathway to the advanced culture without requiring a single ‘leap to the top’. The paper will describe work done using this model in both Shell Group and BP.




128

II.4 The international safety rating system “ISRS” and the SAMOS interview technique

Dr. L. Adolph

Det Norske Veritas, DNV Germany GmbH, Schnieringshof 14, 45329 Essen; [email protected]

Abstract: The “International Safety Rating System” (isrs) is globally used by many companies of the chemical industry for the continuous assessment and improvement of their safety culture and performance. This history started back in the 1970s with the isrs1 and resulted in the currently used isrs7 methodology. The methodology includes nowadays a “plan-do–check-act” logic as well as safety, health, environmental, and quality aspects. Furthermore it integrates requirements of different international standards (ISO 9001; ISO 14001; OHSAS 18001; GRI “Global Reporting Initiative”; PAS 55 “Asset Management”; EFQM; BS7799 “IT Security”). Having a closer look at the development of these rating systems, it becomes clear that the focus moved from "formalised safety management" towards a "holistic, vital safety management” and a ”realised safety culture". This development has been caused by the finding that there is a risk of having a sophisticated formalised safety management, which barely has an impact on managers’ daily decisions and workers’ safety or risk behaviour. To face this callenge the current version of the International Safety Rating System (isrs7) comprises not only management system aspects but also best practice criteria in the field of safety culture. Additionally, employee interviews have gained more weight in the assessment process. Especially those companies which already have achieved a good safety performance need to achieve an even profounder analytical insight into their safety culture: The beliefs and motivations of employees, informal norms, social and group dynamics, cognitive aspects like learning processes, and individual risk competence have to be regarded. Diagnosing these deeper layers of safety culture needs an approach which is flexible and analytical. For this purpose DNV uses a situative behaviour description interview technique called SAMOS additionally to the rating system methodology. SAMOS is an acronym for “Situation, Ask for the task, Mastering, Output, Self-reflexion”. The technique is used to collect little “case studies" – representing real experiences of the interviewees. The data gathered is transformed into a standard scheme for documentation. For the analysis a categorical system is used and within the categories a model of individual and social risk competence serves to explain behaviour patterns. The use of the SAMOS interview technique provides

• more information than a standard audit procedure • information of high importance and quality, showing cultural patterns of an

organisation • specific information about real events instead of common sense opinions and socially

desired self portrayal This new kind of information allows to understand the strengths and weaknesses of an organisation’s safety culture more profound and gives direct hints for organisational and personnel development requirements. The added value of the recommendable interview technique has so far been proven successful in the chemical and industrial gas industry as well as in a nuclear power plant.




129

II.5 Improving Occupational Safety in The Netherlands P. van Wissena and P. van Loenhouta

aDutch Ministy of social affairs, P.O. Box 90801, 2509 LV, The Hague, The Netherlands; [email protected]

Abstract: In 2003 the Dutch ministry of social affairs started the program “Improving Occupational Safety in The Netherlands”; a project on safety culture and incident analysis. Goal of this project is to reduce the number of occupational accidents in companies with at least 10 percent by doing experiments with improving the safety culture in 22 companies from different sectors of industry. Companies participating in this program had to submit a plan in which they described by what percentage the number of accidents would be reduced and over what period of time and which instruments they would use. The ministry monitored the projects and did assessment of the safety cultures at the start, the middle and the end of the projects. Policy in The Netherlands is that companies are responsible for a safe working environment for employees, not the government. With this project the Dutch government helps companies to take their responsibility and to have great results without taking over the responsibility. Several companies have reduced the number of accidents and incidents by 25 to 50 percent. These results will be made public in order to inspire other companies. In this presentation we will discuss the lessons we learned from doing the experiments, and look more closely to the following topics: safety culture assessment, change management, communication.




130

Session III: Appropriate Human Factor Competence Chair: Lee ALLFORD (EPSC Manager Operations, UK) Rapporteur: Oliver RAUPACH (TÜV NORD Systec GmbH & Co. KG, Germany)

III.1 What they should have known: Human Factors Competencies in Plant Environments Diagnosis of Safety

G. Horn

Ingenieurbüro Dr. Horn, Textorstr. 55, 60594 Frankfurt, Germany; [email protected]

Abstract: In this presentation the participating human factors in two incidents from the process industry will be explained and discussed. Thus appropriate human factors competences for the different hierarchy levels of a typical chemical plant in Germany will be developed. Incident one revolves about a spill of caustic soda into a river. The involvement of different levels inside and outside of the company will be discussed. The management of the chemical plant will be split up in the different hierarchy levels to show the potential for accident avoidance by human factors trained and competent personal. Incident two shows an incident caused by computer related faults and how skilled operators could avoid the imminent accident due to their situational awareness and instant problem solving ability. Human factors worked here as safety resources. Due to lacking human factors competences in the management of the chemical plant no further learning could be derived from the avoided accident. A one sided human factors training is not sufficient. Human factors have to be introduced top down with support from top management. During the training a feedback loop has to be established bottom up yielding a continuous improvement process for all hierarchy levels. Especially in the chemical industry government agencies have to be involved periodically so they can participate from the learning process. 1. Case Study In a continuous operating chemical unit producing phosphor derivates a spill of caustic soda 33% occurred into a river running through the chemical site. The chemical site consists of more than 100 chemical and pharmaceutical units plus research and infrastructure facilities. The respective chemical unit is a relatively small unit belonging to an inorganic business unit of a chemical division.




131

NaOH

LA++

LSA+

pH

On the day of the incident a shift worker had to fill a storage tank for caustic soda. The tank was filled from an internal pipeline of the site. To fill the tank he used an automatic filling valve connected to a high level alarm of the tank acting as closing device. The filling process used to take a very long time due to the low flow capacity of the valve. To shorten the time an additional bypass was opened by the shift worker. Thus the filling time could be reduced to less then half an hour. The regular checking tour shift workers performed at the beginning of each shift started and ended at the storage tank. Therefore some shift workers opened the bypass valve at the beginning of the tour and closed it at the end. It was officially forbidden to use the bypass valve except for maintenance or in case of problems with the automatic valve.

On the day of the incident the shift worker had to interrupt his checking tour to help a co-worker with a congestion of a component of the unit. This took more time than expected. In the mean time the storage tank filled up and the high level alert closed the filling valve as designed. But the storage tank was now filled further trough the bypass. A second high level alert sounded in the control stand. No one was present there, so the tank filled further and the caustic soda finally spilled through the ventilation pipe into the tank pit. There it gathered in the drainage sump and flew further into the rain water channel. On the chemical site the rainwater channels led directly to the river running trough the site. The drainage was controlled by a pH monitor that caused an alarm that rang through the complete unit alerting all shift workers. It took another 20 minutes to locate the open bypass valve because the checklist obligatory for a response of the pH alarm mentioned the storage tank as last point.

At first glance the only contribution factor to the incident is the deliberately opened bypass valve, a typical human failure of a single worker. But at a closer look it becomes obvious that all hierarchy levels plus the regulation regulating authority take part in the accident:

• The regulating authority demanded a separation of the drainage of the tank pit for the caustic soda storage tank from the sewage to the biological treatment plant. This was due to the fact that in this area a caustic pH was prevailing, so a spill of NaOH would have caused a chemical reaction in the sewage line. The pit had to be



132

drained into the rainwater sewage. The only demand was the monitoring of the pH in the sewage.

• The plant did not have a capture tank at the discharge of the rain water sewage. • The production management knew that the manager of the chemical unit lacked

communication skills with the shift personal. But his retirement was due in half a year, so no further steps were taken.

• The unit manager was a very experienced chemist who had a special expertise for phosphorous chloride plants. He had travelled almost the whole world starting up such plants. He had spent several years in India and Brazil and had a low opinion on shift personal. He had established a thorough set of check lists and operating procedures and demanded a 100% commitment to them, refusing discussions about them.

• The unit personal tried to avoid contact with the unit manager as much as possible since they used to be criticised almost any time on contact. The unit day shift foreman was the only accepted sparring partner for the unit manager. Thus the low flow capacity of the filling valve for the store tank was discussed with the foreman. But he saw no chance in realizing the proposal due to the costs of the replacement.

• The unit personal had thus established the unorthodox filling procedure; well aware that is was not allowed. But since the walk around started and ended at the storage tank it was considered a fail safe procedure.

• The unit manager had made the use of the checklist in case of a major alarm absolute obligatory. Therefore the unit personal followed the procedure closely and used their complete mental resources to work the checklist as efficient as possible. Therefore the deliberately left open bypass valve was forgotten by the shift worker performing the checking tour. Since the probability of a leaking storage tank was very low, it was the last point on the checklist.

The spill and emission in a public river caused a shut down of the unit by the regulating authority. Only three days later, after several additional safety procedures had been established and further technical measures taken the plant was allowed to operate again. How could this incident have been prevented by more knowledge in human factors?

• The plant management would have considered that a solution of a latent problem can not be delayed. Relying on the built in redundancies in the safety system does imply that they are kept upright all the time. o The rain water system should have a cut off o The unit manager should have been replaced

• The plant manager would have seen his workers as acting and thinking characters and not as contributors to failures. Even the well meant checklists for major alarms should not prevent the situational awareness.

• The dayshift foreman would have established a routine to ensure safety standards and so would have detected the problem with the filling valve. He would have discussed the problematic valve with the unit manager. Eventually he would have sought support from the unit assistant or unit engineer. Furthermore he would have installed a safeguard to prevent the use of the bypass valve.

• The dayshift foreman would have trained the use of checklists especially stressing the special situation of thinking and acting under pressure.

• The shift foreman would have discussed the cumbersome filling procedure with his shift workers but stressed the importance of the safety procedure not to use the



133

bypass valve. He would have locked the bypass to prevent the opening. He would have communicated the latent problem to the shift foreman and unit manager.

• The shift worker would have considered “Murphy’s Law” and filled the tank without using the bypass.

2. Case Study In a chemical plant producing emulsions in 30 m³ reaction vessels an incident happened during the polymerisation process.

To Gasometer

Rupture Disc

Trap

M

Expansion vessel

Reactor

The polymerisation process is performed in water. The major components consist of vinyl acetate and ethylene. Thus high pressure up to 90 bars is necessary to perform the reaction. The polymerisation takes about 6 hours at temperatures between 70 an 90°C. The reactors are automated and monitored by an extensive control system. During the polymerisation a bottom valve was abruptly opened by the process control system. In the control room three shift workers were monitoring six reactors. An opening bottom valve of a pressurized reactor leads to numerous alarms in the reactor periphery and the outlet including the emergency expansion unit. In this so called alarm shower the monitoring shift worker was able to locate the origin of the problem, and close the valve manually with the process control system. He did this in such a short time, that a busting of the rupture disc in the emergency expansion pipe could be prevented. A busted disc would have caused a foaming spill of the complete reactor content over the roof of the production building. Not reacted vinyl acetate would have been emitted in the surrounding and a warning of the neighbourhood would have been necessary. It should also be mentioned that the problem occurred during a Sunday night shift at about two a.m..

The cause for the abnormal opening of the bottom valve was a programming error in the control system. During a modernisation of the system another manufacturer was selected. To save costs crucial parts of the monitoring system were kept and interfaces programmed. The new control system comprised two CPUs for safety reasons. During a breakdown of one CPU



134

a faulty source code in the program caused a step in the recipe control. Though the control system had been tested thoroughly this programming error had not been detected.

It took the process control experts half a day to find the origin of the malfunction the night before. The source code was corrected and the unit manager demanded a thorough check of all remaining interfaces between the modules of the process control system. Since an actual emission was prevented the problem was treated internally in the production unit. The respective shift worker got the notice, that the problem had been found and eliminated.

This incident shows that humans are the actual safety factor in our plants. The question is, do they know it? In this case the good reaction of the shift worker was seen as normal, “That is his job”. Often the “experienced worker” can be found in descriptions of safety systems as last resource.

Therefore it is important to ensure that this last resource can act as safety factor. He has to know it, and he has to be supported by management and technology. How could a gainful reaction to this incident have looked like?

• The unit manager should have reported the excellent reaction of the shift worker internally and to the management. A learning lesson for other shifts and units could have been developed.

• The corporate management should have acknowledged the shift worker officially, i.e. via an internal publication. At the same time it could have announced that standards for interfaces in process control units would be revised and enforced.

• The incident should have been discussed in all shifts by the daytime foreman to show the capabilities of man in a complex technological surrounding for problem solving in unforeseen situations.

• Interfaces between older and newer process control systems have to be tested completely. Standards for requirements should have been derived from the learning of the incident and applied in all units.

• Process control engineers should have been confronted with the incident to learn how to involve human factors into safety systems. The problematic alarm shower could have been investigated and measures to ensure the competent actions of the monitoring workers derived.

What would the effect of this reaction have been?

• Revealed latent problems are handled promptly and are not covered up. • Human capabilities are not ignored or seen as normal • Human limitations can then be discussed and trained • Communication on latent problems is opened up • A constructive error culture can be established as integral part of the safety culture

3. Conclusion The case studies show, that a thorough competence on human factors is necessary to ensure the human capabilities in complex working environments and especially in safety systems. The focus on special fields has to be adjusted to the hierarchy level and the field of responsibility. Management levels have minor compact on the actual operating of the unit. Thus only basic knowledge on active mistakes, escalation mechanisms and group dynamics are necessary. On the other hand strategic thinking and problem solving in complex situations



135

is a major issue. Upper hierarchies have to learn how to communicate and coach the thematic into the operating units. Operating staff from the actual shift worker to the daytime foreman have to have a profound knowledge on active mistakes and the human capabilities and limitations in tackling escalation in complex working environment. They have to learn i.e. to handle errors in a team effort to bundle resources. This learning should be achieved as close to the working environment as possible so case studies in workshops seem to be a good way.

Production Personal: Thinking and Operating

Concept for Integration of HF

CoachingStrategic ThinkingIndividual Problem SolvingConcepts for CommunicationGroup DynamicsError Detection Awareness of Influencing De-EscalationPragmatics, Case Studies

Production Management:Thinking and Conceiving

The training issues have to be adjusted and tuned so that the communication bottom up and top down on human factors ensures that human factors can be the superior safety factor.



136

III.2 Inspecting for Human Factors within the German Major Hazards Ordinance – Examples, Experience and Future Needs

B. Reddehasea, D. Drägerb, M. Hailwoodc and .I. G. Heuera

a Staatliches Gewerbeaufsichtsamt Hannover, Am Listholze 74, 30177 Hannover, Germany; [email protected]

b Regierungspräsidium-Darmstadt, Gutleutstraße 114, 60327 Frankfurt, Germany; [email protected]

c LUBW Landesanstalt für Umwelt, Messungen und Naturschutz Baden-Württemberg, Griesbachstraße 1, 76185 Karlsruhe, Germany; [email protected]

Abstract: Human factors are not necessarily directly measurable quantities. However, carrying out inspections require that a real situation is assessed. In order to do this, inspectors need some kind of measure to compare the actual situation to the desired reference state. Currently in Lower Saxony (and other federal states) a check-list method is used to assess the safety management system. This enables deficiencies in the organisational system to be identified. Whilst carrying out the on-site inspection, which includes employee interviews, indications are often received, that employees are under emotional pressure (stress) whilst carrying out safety related tasks. This pressure is often rooted in the safety culture of the company, based on the employees' actual or perceived constraints on the manner in which the tasks are to be organised and carried out. These deficiencies in the safety culture can lead to an increase in accident potential. In one of the states a project "Psychological stress art work" has been carried out using a systematic approach to identify problems in the work flow which may lead to a reduction in the standard of safety. Other examples show that whilst human factors and safety culture have been identified by inspectors as being relevant aspects of major accident prevention, there is no uniform approach to assessing the situations. The paper concludes with requirements which the authors believe are necessary to enable inspectors to effectively identify situations in which deficiencies in the safety culture of a company lead to an increased accident potential. Introduction Under Section 16 of the Major Hazards Ordinance (the German implementation of Article 18 of the Seveso II Directive) the competent authorities are required to carry out inspections of the establishments, taking into account technical, organisational and management specific aspects. Depending on the individual administrative structure within the federal states, the on-site inspection under Section 16 may be carried out by a) inspectors responsible for both environmental and occupational health and safety legislation, b) jointly involving inspectors from authorities responsible for environmental legislation and those responsible for occupational health and safety, c) by inspectors solely responsible for environmental legislation. The Major Hazards Ordinance is embedded in the German environmental legislation. Inspectors will almost always have a scientific or technical qualification, usually at least to degree level. It is rare for inspectors to have specialist knowledge or qualifications in the fields of occupational psychology or sociology.








137

Human Factors and inspections In the past the human factor at work was not inspected, certainly not as a major issue – this is most probably due to the lack of awareness amongst inspectors. Current guidance documents9 on human factors have not addressed the role of inspectors and Section 16-Inspections in detail Human factors are not directly measurable, in the same way as temperature, pressure or concentrations of hazardous substances. Without specific awareness they are difficult to "see" or "hear". In order to identify them, we have to inspect associated factors as indicators. In addition the Theme "Human Factors" is extremely broad, taking in a wide range of individual topics such as ergonomics, human behaviour, communication, stress, work-flow and organisation. Therefore it is necessary to break it down into aspects which can be handled within an on-site inspection. For example, the control room can be assessed according to ergonomic criteria; plant and site managers can be interviewed and asked about the planning and flow of work (shift work, maintenance turnaround, start-up and shut-down, etc.) and what aspects of human performance are taken into account in doing it. Inspections of Seveso establishments are extensive, however they are not exhaustive and it is not possible to inspect every safety relevant factor at one inspection date. Based on experience, the essential findings are made during an inspection by asking the right selection of critical questions and identifying the critical aspects (plant, people, situations, documents) which must be seen and which are very often hidden from view. The more experience an inspector has and the better the preparation, the more an inspector is able to "sniff out" the safety relevant aspects Where human factors are addressed in on-site inspections, they are generally included in the assessment of the safety management system (SMS). Guidance has been developed at national level for the Section 16 – Inspections10 and one module of the guidance document is concerned with various aspects of the SMS. This document has found widespread acceptance throughout Germany. It includes a large number of questions which systematically address the processes, activities and documentation related to the SMS. As the SMS reflects the safety culture which is practiced within a company, it is possible, during the interviews with employees and managers, to gain a feeling for the safety culture. However, without specific methods it is not possible to make a systematic assessment of the safety culture or identify the process safety relevant factors precisely. Psychological stress at work – Lower Saxony In Lower Saxony a method has been developed to assess the “psychological stress at work”. Being aware that psychological stress could have an effect on the safety performance, it was decided to apply this to a control room for a process plant at a Seveso site. Here the employees were accompanied throughout their whole work period. Their work situation was assessed and a schema was used to classify the probable psychological stresses. The findings highlighted various factors including those leading to a reduction in the standard of safety and the role of human factors in this. The findings were discussed with the employees in a

9 SFK-GS-32 ARBEITSHILFE Human Factor-Aspekte für Betriebsbereiche und Anlagen nach der Störfall-Verordnung (12. BImSchV) des Arbeitskreises Human Factor 10 LAI/LASI/LAWA: Arbeitshilfe zum Überwachungssystem nach § 16 der Störfall-Verordnung (2004) Prepared by the Länderausschuss für Immissionsschutz (LAI), the Länderausschuss für Arbeitsschutz und Sicherheitstechnik (LASI) and the Länderarbeitsgemeinschaft Wasser (LAWA). The current edition was adopted by the LAI at its 106th Meeting (30.9.-2.10.2003), by the LASI at its 43rd meeting (30./31.3.2004) and by the LAWA by agreement dated 21.5.2004.



138

workshop, over about 8 hours. The resulting list of evaluated findings was then presented to the company management at the end of the workshop. One finding was very important, because it is particularly safety relevant. To quote a plant operator who took part in the workshop, "In actual fact there is no time to go to the toilet." It is a poor safety culture which either regulates the work load in such a way that there is really "no time to go to the toilet" or at least leaves this impression with the operator. Stress is as much related to what the operators believe the management wants to see in terms of results as it is related to the demands which are written down. A good safety culture recognises that operators should not be placed under excessive demands or be unchallenged for any length of time. Over the past years many companies have been looking to maximize their profit by reducing the number of staff employed. In many plants this may lead to a situation where there are insufficient operators to carry out the safety relevant tasks or to deal with abnormal operation. These situations do not show up in day-to-day working and are thus hidden, latent risks. Within the "psychological stress at work" project a number of tasks were identified which the operator was required to carry out within the work-flow, but which were also time consuming, and were not identified as such by the time schedules and planning. The actual time required to carry out the task had not been assessed and was not known by the management. The risk hidden in this situation is that the culture will set the agenda. Activities will end up being carried out on a "whoever shouts the loudest" basis. Maintenance of safety equipment is "very quiet" in this respect, until the equipment is required. Operators are put under psychological stress to:

• keep the plant running • provide the figures for the accounting departments • keep the boss happy.

Inspectors looking at safety management systems have few or no tools to allow them to assess the work load and the safety relevance of operations. For those inspectors who are aware of the potential risks they may ask whether the company has systematically assessed the working practices, whether methods and frequencies for the assessment have been defined within the SMS and what the results of past assessments were. Human Factors Inspection – An example from Hesse In the State of Hesse an attempt was made to address the issue of human factors within the Section 16-Inspection. In a limited project the Module "Assessing the SMS" was augmented by an interviews based section "Layout of Control Rooms". This section of the assessment was carried out in a "joint-inspection" by a psychologist from the occupational health and safety authority, who had the necessary training and experience. Unfortunately this section was seen by the majority of the technical inspectors as more or less a completely separate inspection. Thus in future attempts there must be a greater effort towards gaining greater acceptance within the team. To do this, it appears necessary to address not only the fairly abstract topic concerning the layout of control rooms, which also includes aspects which are not related to the process safety control systems, but also more intensively consider the psychological demands (stress) undergone by the operators, and thus make the link to operating errors, fatigue etc. which lead to safety relevant situations. A further example in which "Human Factor" was linked to the technical safety appeared in a particular licensing case carried out under the Federal Pollution Control Act. In a particular establishment an additional installation was to be built without employing any additional

http://dict.leo.org/ende?lp=ende&p=/gQPU.&search=number

http://dict.leo.org/ende?lp=ende&p=/gQPU.&search=of

http://dict.leo.org/ende?lp=ende&p=/gQPU.&search=employed



139

operating personnel. This surprised the licensing authority which then required the company to present accurate operating schedules and time-sheets for the employees. Within their license application the company provided no indication that they had assessed the possibility that the additional plant would lead to increased demands on the operators or that these demands could be safety relevant. The assessment of the physical and psychological demands of the shift patterns proved to be very difficult for the authorities as suitable criteria and benchmarking was not available. An accident investigation highlights human factor and safety culture issues At a chemical manufacturer a hazardous liquid was to be transferred from its transport container via pipe-work to a reactor. This was to be carried out using nitrogen gas to displace the liquid. The seal of the dry coupling failed due to mechanical damage; this lead to a release of hazardous substance. No one was seriously injured; however a small number of people from a neighbouring works needed medical treatment for breathing problems and irritation. On discussing the accident with the management it was discovered, that the coupling was already pressurised with nitrogen, although the operator was not expected to operate the nitrogen valve until all connections had been successfully made. Further discussions brought to light that in following the expected procedure for unloading the hazardous material to the reactor the operator would have to walk past the nitrogen valve at least twice without opening it, until at the final stage he visited the location for a third time to then open the valve. The manager could not understand why the operator had opened the valve so early in the procedure. In this company there was a philosophy and a belief that whatever the manager said was to be done would be done. Safety assessments were carried out and standard operating procedures (SOPs) were written by the plant managers without involving the operators. Expectations were made which were not appropriate. This was not a safety culture which had safety performance at its heart. Types of Manager There are three types of manager which can be found in a company. There are those who don’t know – this situation is simple to correct by providing them with the appropriate information. They will correct the failings once they are aware of them. Then there are those who are not able to do, very often the ability to correct failings is limited by financial resources. However, once the willingness to take corrective action has been clearly identified, the management and the public authorities can draw up a time plan and priority list and the necessary action will be taken. Sometimes it is necessary to issue an enforcement notice to ensure that the manager has access to sufficient financial resources to carry out the work. Lastly there are those responsible managers, who don’t want to take the action needed. In these cases it is necessary for the public authorities to issue an enforcement order and possibly issue penalties for non-compliance. This requires that the authorities are very precise in wording the order and that they can clearly link the order to an infringement of a regulation or non-compliance with legal requirements. Situations in which a poor safety culture lead to unsafe working practices with the potential to harm the employees, their co-worker, property, the neighbourhood or the environment.



140

Future needs of inspectors Inspectors are aware that the technical construction and operation of an installation plays a major part in the prevention of major accidents. This is usually due to their academic qualification in a scientific or technical discipline. They are also aware that the organisation and management of an establishment contributes in a major way to the safe operation of processes and to the prevention of chemical accidents, as well as preparedness for and response to them should they occur. However there is generally a lack of awareness amongst inspectors of Seveso establishments of the role played by human factors and in particular the safety culture. The need for management commitment, accepted values and ideals which define the company's identity, as well as personnel development measures which take account of the physical and psychological limits inherent to every person11 are not recognised by all. This needs to be addressed. There is a need for interdisciplinary working between occupational health and safety specialists and process and environmental safety specialist. Where appropriate the skills of occupational psychologists and sociologists need to be used12. Caution should however be applied to make sure that process safety risks are being addressed when the goal is the prevention of major accidents and an over emphasis on classical work-place safety (slips, trips and falls) does not occur – although they may be useful as general. Psychological stress at work is a safety relevant factor which can lead to chemical accidents. The acceptable level of stress is highly influenced by the safety culture of the working environment. Currently inspectors lack effective tools to be able to adequately identify inappropriate levels of stress and to asses the quality of the safety culture in the workplace. These conclusions lead the authors to the following list of requirements:

• Appropriate training for inspectors to make them aware of the role played by human factors, in particular safety culture in chemical accident prevention, preparedness and response.

• Development of a "toolbox" of methods, check-lists (where appropriate) and guidance to assist inspectors in identifying safety critical human factors at an installation, and in assessing the quality of the safety culture in the workplace.

• Development and dissemination of appropriate information and guidance to companies to enable them to assess their own safety culture and to develop and improve its quality.

• Clear guidance for inspectors on appropriate enforcement measures, where a poor safety culture has fostered working practices which pose an increased risk of a major accident.

• Current guidance on inspections should be extended to include human factors as an element.

11 Hermann, B. (2002) Zusammenfassung des zweiten Tages in Der Human Factor in der Sicherheitspraxis der Prozessindustrie – Aktivierung der Sicherheitsressource Mensch durch Beteiligung, Loccumer Protokolle 43/02 12 LASI –Papier LV 31 „Handlungsanleitung für die Arbeitsschutzverwaltung der Länder zur Ermittlung psychischer Fehlbelastungen am Arbeitsplatz und zur Möglichkeit der Prävention“ (http://lasi.osha.de/docs/lv31.pdf)



141

III.3 How to learn Human Factor Competencies at Different Organisational Levels

G. Hofinger

Plattform „Menschen in komplexen Arbeitswelten“ e.V., Hohenheimerstr.104, 71686 Remseck; [email protected]

Abstract: In teaching appropriate Human Factors competencies to persons at different organisational levels, it is important to define contents to be learned and forms of teaching and learning. Currents attempts to define Human Factor competencies usually focus on definitions of contents and on the intensity of knowledge expected on different organisational levels. Depending on who is to learn what is also necessary to discuss how to learn. Knowledge of facts can be achieved by traditional methods like class room teaching and reading. Skills can only be acquired by hands-on experience. Action-based training methods like simulator training courses or interactive seminars have proofed to be useful in domains like aviation and medicine. The example of civil aviation shows that a combination of classroom teaching (Human Performance and Limitation), simulator sessions and interactive seminars (Crew Resource Management) can improve safety-relevant knowledge, attitudes, and skills. As for economic reasons not every member of staff in chemical industries will receive extensive training in Human Factors, it should be defined who needs to know about Human Factors (factual or declarative knowledge) and who needs also to be able to behave in a different way (procedural knowledge, skills). Communication is an example for a Human Factors issue that can be taught using different methods so that different knowledge and skills levels will be achieved. Possible trainings schemes for different organisational levels will be introduced. Further efforts in the field of Human Factors training should include a more specific definition of organisational levels (i.e. groups of staff), a action-centered definition of necessary competencies, and criteria for the evaluation of training programs.




142

III.4 Human Factors related chemical Accidents occurred in Korea S. Pak

Korea Occupational Safety and Health Agency, Center for Major Hazard Accident, 519 Kosan-dong Ansan-si Kyungi-do, Korea South; [email protected]

Abstract: The main purpose of the presentation is to introduce the analysing result of chemical accidents caused by Human Factors during last 10 years in Korea. The analysis will include the detailed statistical results considering the several points of views to find out the direct and indirect causes according to their types of industries, processes and equipments. Accident causes will be also categorized in terms of human factors such as procedural error, management and operation mistakes, etc. After the analysis, some recommendations for controlling the human factors in the chemical industries will be introduced, which are to be reminded to workers, managing staffs and operators as well as competent authorities. Some of particular chemical accidents related to the human factors will be presented in the end.




143

Session IV: Interfaces between Safety Systems and Operators Chair: Prof. Dr. Christian JOCHUM Rapporteur: Roland FENDLER (Federal Environment Agency (UBA), Germany)

IV.1 Human Error Risk Management for Engineering Systems:A methodology for design, safety assessment, accident investigation and training

P.C. Cacciabue

European Commission, Joint Research Centre; [email protected]

Abstract: The objective of this paper is to tackle methodological issues associated with the inclusion of cognitive and dynamic considerations into Human Reliability methods. A methodology called Human Error Risk Management for Engineering Systems (HERMES) is presented that offers a “roadmap” for selecting and consistently applying Human Factors approaches in different areas of application and contains also a “body” of possible methods and techniques of its own. Different types of applications are possible, from retrospectrive study of accident causes, to proactive and preventive assessment of hazards and risk. These types of applications are discussed to demonstrate practical applications of the methodology, with specific focus to petrochemical environments. A particular attention is given to the issues of data collection. The application of the methodology to a real working environment is discussed.




144

IV.2 Relevant characteristics of the human system as determining factors for the man-machine-interface in process plants

H. Drathena and B. Hermannb a Bayer Technology Services, 51368 Leverkusen, Germany; [email protected] b Landesamt für Umwelt, Wasserwirtschaft und Gewerbeaufsicht Rheinland-Pfalz, Kaiser-Friedrich-

Str. 7, 55116 Mainz, [email protected]

Part 1: Dr. Hasso Drahten: The IEC 61511 The standard IEC 61511 of the International Electrotechnical Commission “Functional safety: Safety Instrumented Systems for the process industry sector” (DIN EN 61511) of 2003 is now introduced in the process industry. There is some experience on the recommendations of the IEC 61511 in Germany because they are similar to those of a older German Standard DIN 19250 and Guidelines like VDI Guideline 2180 and Namur Recommendation 31.

Relevant characteristics of the human system as determining factors for the man-machine-interface in process plants

Dra

then

/ H

erm

ann,

NAM

UR

/ LU

WG

, Se

ite 2

History of SIS Standards01.08.2004

IEC 61508

IEC 61511

DIN V 0801

DIN V 19250 / DIN V 19251

VDI/VDE 2180 1 VDI/VDE 2180 2 VDI/VDE 2180 3

NE 31

EN 61508

EN 61511

1993

ISA S84 ISA S84

draft IEC 1508

draft IEC 1511

The IEC 61511 has relevance for process plant instrumentation and the related consideration of Human Factors. There are two systematic approaches on plant safety that could have value for a systematic approach for the consideration of Human Factors in the process industry:

1. The protection layer approach and the consideration of the level of automation (of the safety systems)

2. the consideration of the life cycle of safety systems This contribution shall refer to 1. Human Factors, protection layers and automation of safety systems





145


Dra

then

/ H

erm

ann,

NAM

UR

/ LU

WG

, Se

ite 4

Aim of IEC 61508 / 61511

Safety Integrity =average probability, that

• a safety related system• meets the required safety functions• under all defined conditions• within a fixed time• according to the requirements

Safety Integrity =average probability, that

• a safety related system• meets the required safety functions• under all defined conditions• within a fixed time• according to the requirements

Protection of personnel and environmentProtection of personnel and environment

Risk assessment and definition of safety functionsRisk assessment and definition of safety functions

predefined target

Safety Integrity Level (SIL)

predefined target

Safety Integrity Level (SIL)>

The protection layer approach distinguishes three layers with different safety relevant functions of the operators:


Dra

then

/ H

erm

ann,

NAM

UR

/ LU

WG

, Se

ite 6

IEC 61511 part 1 Figure 9 – detail

PREVENTIONMechanical Protection System

Process Alarms with operator corrective actionProcess Alarms with operator corrective actionSafety Instrumented Control Systems

Safety Instrumented Prevention Systems

MITIGATIONMechanical Mitigation Systems

Safety Instrumented Control SystemsSafety Instrumented Mitigation Systems

Operator SupervisionOperator Supervision

CONTROL and MONITORINGMonitoring Systems (process alarms)Monitoring Systems (process alarms)

Operator SupervisionOperator SupervisionBasic Process Control Systems

PROCESS

From: IEC 61511 9.4 Requirements on the basic process control system as a protection layer Similar considerations can be made according to the level of a process factor:



146


Dra

then

/ H

erm

ann,

NAM

UR

/ LU

WG

, Se

ite 7

NE 31 Safety of Process Plants using Process ControlSystems – Fig. 2

Basic process control systemwith product specific tasks

Monitoring system where higher attention is necessary to avoid the reaction of SIS

Safety Instrumented System or other protection system, that works automatically

Adm

issa

ble

erro

rran

ge

Non

ad

mis

sabl

eer

rorr

ange

Nor

mal

op

erat

ing

rang

e

Mitigation System minimize in caseof an hazardous event the consequences for personnel and environment

First (inner) level is the control and monitoring system. (green) The control and monitoring shall ensure the optimal conditions of the process. Any failure of this layer shall not cause a major accident. As the figure shows the operators have two functions in this inner layer: a) Process control These means that the operators shall react skill- or rule-based on alarms from control or monitoring systems for the optimisation of the process conditions. Any failure shall not cause a major accident. b) Supervision The operator shall rule- or knowledge-based supervise the process i.e. correct the process conditions in abnormal situation with less or no suitable instrumentation. The second (middle) level is the prevention system. (yellow) The figure shows only one operator function but in reality there are the same two functions, because the IEC 61511 considers low and high automated safety systems. a) The operator is part of the safety function This is relevant, if the safety systems of a plant are less automated, i.e. there may be only a sensor-transmitter-alarm system and it is the function of the operator to be transmitters and actor. b) The Safety System is completely automated This means that all possible major accidents are prevented by complete automated systems including the complete sensor-transmitter-actor chain. As a consequence only the supervision function is left for the operator. The consequence is that there are (at least) two types of alarms with very different relevance for the prevention of major accidents:



147

1. Alarms to ensure optimal process conditions 2. Alarms to prevent major accidents.

This difference has to be regarded in debates on man-machine-interfaces especially the human centred alarm management. In both systems, the control and the monitoring system as well as a less automated prevention system, the man-machine interface has to consider the human possibilities and limitations: The monitoring system has to consider that information perception is dependant on

• a suitable workstation representation (according to requirements on the respective guidelines)

• a defined maximum number of different information (which can be perceived and processed)

and that information processing is dependant on the fact if the information could be expected ( rule based reaction is possible) or if the information is totally unexpected (a knowledge based reaction is required). The control system has – in addition – to consider that the operator has the opportunity to react in the correct way. That means that a correct movement coordination is supported by a compatible design of the manual control actuators and by training of the expected acting sequence before the situation occurs. The prevention system has in addition to consider the typical behavior of men in critical situations ( in alarm situations) resp. to train the behavior of the operator expressively for emergency situations that means:

- to avoid the reduction of self reflections - to avoid the reduction of a systematic procedure - to avoid the loss of self control - to avoid increasing rules offences - to avoid increasing risk behavior

When we are speaking about the man-machine interface we don’t speak in the first line of full automated system, but of systems where the operator is given an active role in the control and monitoring system and the prevention system. Part 2: Consideration of human Factors in the context of IEC 61511 Mr. Drahten has given a short overview of the standard IEC 61511 of the International Electrotechnical Commission with the title “Functional safety: Safety Instrumented Systems for the process industry sector” of 2003 which is now introduced in the process industry for new plants. In the second part of this contribution the context of IEC 61511 with and the relevance for human actors shall be shown. The standard requires - firstly - a change of views with regard to the consideration of an integral system approach which enlarges the safety requirements for complex devices to the complete safety installation, from the sensor to the actor, including management conditions (referring to layer model and life cycle model). To understand the interface between man and machine in the context of this integral system approach, it is necessary to know and to



148

consider the human properties as sensor, as processor and as actor, not only the properties of the machine as sensor, processor and actuator. Figure: Information model of human factors (see i.e.: Eisgruber, 1997)

Information perception → correctly see → readings of a gauge → correctly hear → signals → documents Information processing → correctly assign → communication → nothing forget → knowledge → correctly interpret → available time Information transfer in action → correct movement coordination → operating instruments → correct operation → tools, devices → plant surrounding

Secondly, the analysis of hazard and the definition of the threats are standing in the centre of safety attention. The IEC 61508-113 (see No. 7.4.2.3 and 7.4.5.3), requires that human factors have to be considered when hazards and hazardous situations are determined in the risk analysis. In the context of E/E/PE14 safety related systems three areas have to be considered:

- human activities or failures which activate a E/E/PE-function - human error while reacting on alarms - human error while testing and maintaining which may reduce effectivity of the

protection system

And thirdly, the standard requires a quantitative proof of the remaining risk on the basis of a calculation of failure probability. Human’s reliability is generally estimated at a failure probability of 10-2 to 10-4 in dependence on knowledge and training standard and the special plant and operation situation. But the reliability of persons cannot be exactly calculated comparable to the reliability calculation of an instrument or a device in the technical protection system of a process plant. In order to judge the relevance of the operator for the safety system of the plant it may be useful to consult the safety classification of “still possible man-machine-interaction under extreme conditions” shown in the following table. This classification is following the safety integrity levels (SIL) of the IEC 61511 and was developed by the automobile industry.

13 IEC 61511 can be considered as the interpretation of IEC 61508 for the process industry 14 E = electrical, E = electronical, PE =programmable electronical



149

Table: Safety classification according to MISRA (Motor industry software reliability association)

Categories Definition

SIL

Uncontrollable This relates to failures whose effects are not controllable by the vehicle occupants, and which are most likely to lead to extremely severe outcomes. The outcome cannot be influenced by a human response.

4

Difficult to control

This relates to failures whose effects are not normally controllable by the vehicle occupants but could, under favourable circumstances, be influenced by a mature human response. They are likely to lead to very severe outcomes.

3

Debilitating This relates to failures whose effects are usually controllable by a sensible human response and, whilst there is a reduction in the safety margin, can usually be expected to lead to outcomes which are at worst severe.

2

Distracting This relates to failures which produce operational limitations, but a normal human response will limit the outcome to no worse than minor.

1

Nuisance only This relates to failures where safety is not normally considered to be affected, an where customer satisfaction is the main consideration.

0

The kind of safety classification which is shown in this table implies that the human/the operator can have an active function in the safety system of the plant. The extent of technical support is here dependent on the severity of the outcome and the more or less expectable possibility that the operator will react correctly. The protection layer approach of the IEC 61511 distinguishes three layers with different safety relevant functions of the operators (see No. 9.4.1, IEC 61511):



150

First (inner) level is the control and monitoring system. The control and monitoring shall ensure the optimal conditions of the process. Any failure of this layer shall not cause a major accident. As the figure shows the operators have two functions in this inner layer:

a) Process control This means that the operator shall react skill- or rule-based on alarms from control or monitoring systems for the optimisation of the process conditions. Any failure shall not cause a major accident.

b) Supervision The operator shall rule- or knowledge-based supervise the process i.e. correct the process conditions in an abnormal situation with less or no suitable instrumentation.

The second (middle) level is the prevention system. The figure shows only one operator function but in reality there are the same two functions, because the IEC 61511 considers low and high automated safety systems.

a) The operator is part of the safety function This is relevant, if the safety systems of a plant are less automated, i.e. there may be only a sensor-transmitter-alarm system and it is the function of the operator to be transmitter and actor.

b) The safety system is completely automated This means that all possible major accidents are prevented by complete automated systems including the complete sensor-transmitter-actor chain. As a consequence only the supervision function is left to the operator.

MITIGATION Mechanical Mitigation Systems

Safety Instrumented Control Systems Safety Instrumented Mitigation

Operator Supervision

PREVENTION Mechanical Protection System

Process Alarms with operator corrective Safety Instrumented Control Systems

Safety Instrumented Prevention

CONTROL and MONITORING Basic Process Control Systems

Monitoring Systems (process alarms) Operator Supervision

PROCESS



151

The third level is the mitigation system. The figure shows the operator as supervisor of the mitigation process without any action requirements except of a possible shut down, if the shut down is not automated. What does that mean for the consideration of human factors in the safety system of a plant? The term “man-machine-system” refers – according to TIMPE (1999) – to “a practical abstraction of the purposeful interaction of persons with technical systems (machines) in order to fulfil a task (taken on by oneself or taken on by another person) within defined system limitations”.

In ergonomic context the strategies for the man-machine-function distribution differ in more than two degrees of automation, not only in “completely automated” or “completely operator based”:

BAILEY (1989) differs i.e. five strategies:

1. Comparison allocation (using the MABA-lists, see below) 2. Leftover allocation (automation to a maximum degree, which means: “to leave the

functions which cannot be automated to the operator”; this is a kind of paradox) 3. Economic allocation (to reach the cheapest solution) 4. Humanized approach (the technical solution shall (only) support and compensate the

human performance) 5. Flexible allocation (the user decides himself which means and instruments he wants to

use for his task)

WANDKE (2004) differs in a similar way:

1. Automate what ever possible 2. Automate what is economic 3. Automate in order to avoid human errors, to avoid human weaknesses (based on the

MABA-method) 4. Automate in order to use human strengths 5. Adapt automation degree flexible to the task, the situation and the operator

From all these strategies different levels of automation may result which assign different levels of responsibility to the operator.

The MABA-method gives judgement advices and refers to a systematic and comparing analysis of “Man are better at …” and “Machines are better at …”, like the following list (see i.e. KOLREP, 1996):

Men are better at:

• detecting small amounts of visual, auditory, chemical survey • perceiving and recognizing patterns • improvising and using flexible procedures • storing information for long periods of time and recalling appropriate parts • reasoning inductively • exercising judgement • change strategies



152

Machines are better at:

• responding quickly to control signals • applying great force smoothly and precisely • storing information briefly, erasing it completely • reasoning deductively • exact repetition of actions

In general you can say, that humans are less reliable at performing routine repetitive tasks than machines. But it is obvious that plant engineers may design the plant in such a way that people are given tasks in the control loop for which they are not well suited what means i.e. for all potentially boring and monotonous tasks. So improvements for the design of the man-machine-interface which is more suitable for a reliable functioning of the safety system can be imagined.

Referring to the layer “mitigation”, consideration of human factors means to respect the changed behaviour of human in emergency situation. Machines doesn’t behave differently in normal or in irregular situations but humans do so.

The common features that make problems for a person in complex situations are (see DÖRNER, 1989):

- Complexity: many interdependent features that cannot be understood in isolation - Dynamics: the world changes, creating time pressures - Opacity: lack of visibility of certain parameters characterising the problem

And the common problems that people have when faced with complex situations like emergency situations or alarm situations are often:

- failure to state and prioritise specific goals - failure to reprioritise as events change - failure to anticipate side effects and long term consequences - failure to gather the right amount of information (neither to rush ahead with no plan,

nor to expressively overplan) - failure to realise that actions have delayed consequences (so overcorrecting when the

results of an intervention do not show immediately) - failure to build suitably complex, individual models of the situation - failure to monitor progress and re-evaluate actions

Operators in critical situations like the reactor incident of Chernobyl show therefore typical behaviour which is different of the behaviour in normal situations. The behavior is characterized by a

- reduction of self reflections - reduction of a systematic procedure - the loss of self control - increasing rules offences - increasing risk behaviour



153

Conclusion: So, as a result of these considerations of the man-machine-interface in the safety system, an adequate proceeding of designing and planning which considers explicitly the man-machine-system can be proposed as:

1. A systematic task analysis ⇓

2. A MABA-Analysis referring to the proceeding task analysis ⇓

3. The determination of task share between man and machine ⇓

4. Judging the safety implications ( SIL, determination of the safety integrity level resp. the allowed failure rate, see table above)

⇓ 5. Determination of the conditions of a reliable performance of the subsystem man or

machine Literature: BAILEY, R. W., 1989, Human Performance Engineering

DÖRNER, D., 1989, The Logic of Failure: Recognizing and avoiding error in complex situations

HSE (Health and Safety Executive), 2001, Proposed framework for addressing human factors in IEC 61508

HOYOS, C., 1990, Menschliches Handeln in technischen Systemen, in: HOYOS & ZIMOLONG, Ingenieurpsychologie, Enzyklopädie der Psychologie, Serie III, Bd. 2

NORWEGIAN OIL INDUSTRY ASSOCIATION, 2001, Recommended guidelines for the application of IEC 61508 and IEC 61511 in the petroleum activities on the Norwegian continental shelf

PARASURAMAN, R., SHERIDAN, Th. & WICKENS, C. D., 2000, A Model of types and levels of human interactions with automation

RAUTERBERG, M., STROHM, O. & ULICH, E., 1993, Arbeitsorientiertes Vorgehen zur Gestaltung menschengerechter Software, in: Ergonomie & Informatik, Vol. 20, 1993, pp. 7-21

SHERIDAN, Th., CORKER, K. & NADLER, E., 2006, Final report and recommendations for research on human-automation interaction in the next generation air transportation system

TIMPE, K.-P., 1999, Verantwortung und Führung in Mensch-Maschine-Systemen, TU Berlin

WANDKE, H., 2004, Einführung in die Ingenieurpsychologie (unv. Vorlesungsskript)



154

Session V: Human Factors in Alarm Management Chair: Dr. Günter HORN (Horn Engineering, Germany) Rapporteur: Mark HAILWOOD (State Institute for Environment, Measurements and

Nature Conservation Baden-Württemberg (LUBW), Germany)

V.1 Alarm Management in Process Industries, Aims, Experiences, Benefits

H. Drathena and H. Kurzb

a Bayer Technology Services, 51368 Leverkusen, Germany; [email protected] b Degussa, Rodenbacher Chaussee 4, 63457 Hanau, Germany; [email protected]

Abstract: The "human factor" concept is often used in conjunction with the management of safety alarms, frequently being interpreted in the negative sense of "human error", potentially resulting in hazardous system conditions. The NAMUR AK 2.9 working group presents the human factor positively in the context of alarm management because the plant operator must not be included as a link in the safety chain aimed at preventing equipment damage; awareness of this frees the plant operator from stress, giving them a sense of safety. Thanks to the human ability to integrate complex and unclear information into decision-making, the operator can avert the development of critical operating states beforehand. For this reason, optimized alarm management offers the plant operator the scope to manage and monitor the plant, enables the earliest possible detection of deviations from the planned status, and provides decision-making assistance.

Alarm management has frequently been paid little attention to date. Many unimportant alarms deaden the operator's senses and important alarms then go unnoticed, sometimes resulting in unintentional plant shutdowns, which although irrelevant to safety drastically reduce availability. There are still many meaningless alarms, e.g. production messages which are not alarms but merely inform the operator that the next production step can be started. Moreover, in the past there has been no prioritization, meaning that if several alarms went off (frequently in normal operating conditions) there was no clear indication of the alarms' urgency. Finally, the handling of alarm floods, where one event triggers many follow-up alarms which do not provide any additional information, has to be resolved.

Owing to an ever increasing flow of data from the process and from what are known as intelligent devices, such as transmitters, flowmeters, position controllers, and so on, new requirements on information presentation are being set for the operator. Builders and operators of medium-sized to very large plants have to adopt new engineering methods in order to meet these requirements. Alarm management is a very useful tool in this regard.

NA 102, which has been drawn up by NAMUR in cooperation with the insurance industry, provides guidance on the design, application and updating of alarm management systems for planners and operators of process technology systems. It sets standards for manufacturers on providing the required functions in their management systems.

Alarm management in this form is used at many chemical companies, such as Degussa, Oxeno, Röhm, Linde, BASF, Wacker Chemie, Bayer, and others. Having started ten years ago, alarm management now forms part of the engineering process and is taken into account





155

in every new plant. Over these ten years a wealth of experience has been gathered by the NAMUR 2.9 working group, the most important aspects of which are summarized below:

• Consistent engineering, implementation and updating require time and resources, especially with new plant and equipment.

• The plant engineer is responsible for implementation, with the plant manager, foremen and shift workers also involved. The inclusion of the shift workers has had a very favorable impact and promoted acceptance, with plant operators welcoming the reduction in alarm frequency.

• The safety technology must always function without the influence of the plant operators. Safety alarms are usually signaled with high priority although intervention by the operating staff is no longer possible.

• The number of alarms depends chiefly on the plant type and the degree of automation. • System messages continue to burden the plant operator to a certain degree.

Prioritization is not envisaged in most cases. The manufacturers are promising improvements with the introduction of asset management.

• Alarm management is a continuous improvement process. • A reduction in alarm frequency significantly eases the psychological burden on the

plant operator, giving them the time and scope for process control tasks. • Deviations from the process are recognized early on, resulting in prompt

countermeasures, a reduction in production and quality losses and the avoidance or reduction in unscheduled plant shutdowns.

• Recognition from the Association of the Insurance Industry has prevented a rise in insurance premiums.

Experiences from several company show, that the top 20 alarms are responsible for 2/3 of all alarms and can be addressed to very few plant units.



156

Moreover only 25% of all information are alarms and warnings, most of them are operating messages. So one needs a clear definition of alarm, because production messages and system information are no alarms.

Alarm statistic shows, that a significant reduction can be realized. Significant psychological workload reduction by decreased alarm frequency has the consequences that there is more time and free space for process management. The deviation of the production process can now be recognized early, which leads to timely counteracting a trend, avoiding of production or quality losses and to avoiding or reduction of unplanned plant shutdowns.



157

0

1000

2000

3000

4000

5000

6000

Janu

ar 04

Februa

r 04

März 04

April 0

4

Mai 04

Juni

04

Juli 0

4

Augus

t 04

Septem

ber 0

4

Oktobe

r 04

Novem

ber 0

4

Dezem

ber 0

4

Janu

ar 05

Februa

r 05

März 05

April 0

5

Mai 05

Juni

05

Juli 0

5

Augus

t 05

Septem

ber 0

5

Oktobe

r 05

Novem

ber 0

5

Dezem

ber 0

5

Janu

ar 06

Monat

Dur

chsc

hnitt

liche

Ala

rman

zahl

pro

Tag

.

AlarmeEingriffe

Beginn der Umsetzung der

MaßnahmenBeginn der

Analyse

Mittelwert vorher

Mittelwert nachher

Abschluss der Umsetzung - Erster Zyklus



158

V.2 Alarms for operators M. Hollendera and T. Atkinsonb

a ABB Corporate Research, Wallstadter Str. 59, 68526 Ladenburg, Germany; [email protected]

b ABB Engineering Services, Billingham, TS23 4YS, UK; [email protected]

Abstract: The alarm system has for many years been an important element of control room design. However, the reality in many of today’s chemical plants is that operators are often bombarded with very large numbers of alarms (rates of more than 2000 alarms/day per operator are not unusual), devaluing the alarm system and undermining the effectiveness of the operator. The reality of modern control systems has made the proliferation of alarms cheap and easy, resulting in many nuisance or spurious alarms that mask the one critical alarm at exactly the time that the operator needs to focus his attention. During process upsets or trips, large bursts of alarms can interfere with the operator making the vital decisions he must make to analyse and deal with the problem in a timely fashion. Reacting to alarms is only one of many tasks operators have. A larger proportion of operators’ work is not self-paced but driven by the process. From that point of view, nuisance alarms are distractions and “real” alarms are (necessary) interruptions. Human Factors research in areas like aviation or computing has shown that task distractions and interruptions lower the effectiveness and can contribute to critical errors. Too many distractions and interruptions can also lead to health problems (occupational diseases) and absenteeism and impaired performance. A thorough analysis of accidents like the explosion in the Texaco Refinery, Milford Haven (1994) has clearly shown that bad Alarm Management does contribute to accidents. In Milford Haven the operators got 275 different alarms in the last 11 minutes before the explosion, effectively making analysis and effective action impossible. This is why authorities like HSE (Health and Safety Executive) in UK or Norwegian Petroleum Directorate require safety critical plants to implement systematic Alarm Management, including an assessment of the capabilities of the operator working in the designed environment, i.e. human factors. If critical situations can be avoided by operators stabilizing the process so that the emergency shutdown system doesn’t need to be used, this not only increases the safety of the plant, but has in many cases substantial economic benefits, because every unplanned shutdown can be very expensive. This approach of using alarms to reduce the demand on the safety system is also built in to standards such as IEC-61508 and IEC-61511. Current best practice in alarm management is captured in EEMUA 191:1999 ‘Alarm Systems – A guide to design, procurement and management’. This document focuses on the properties of the operator’s information processing capabilities. It emphasizes the usability of an alarm system from the operator’s perspective. It points out that if the operator is overloaded with alarms, the whole alarm system becomes useless. The old way of thinking was to claim human error of an operator because he had overlooked an important alarm, but since the publication of EEMUA 191, it has become clear that if the plant management hasn’t reduced the alarm rates to some reasonable value, it’s not the operator’s fault if he overlooks alarms. EEMUA 191 specifies several measurable performance indicators that can be used to benchmark a plant’s alarm system performance:




159

• Long term average alarm rate in steady operation: around one alarm in 10 minutes

• Number of alarms during first 10 minutes after a major plant upset: under 10.

• Alarm priority distribution: high (5%) - medium (15%) - low (80%)

• Average fewer than 10 standing alarms

EEMUA 191 offers an affordable and proven methodology to analyse and improve the quality of an alarm system. Key elements of this methodology include

• An emphasis on management commitment • Recognition of the value of consistent and appropriate design • Consistent alarm priorities • Defined operator responses to alarms

The above performance indicators and methodology are based on solid operator performance measures and are designed to relate explicitly to the capability of the operator to manage alarms in the real and stressful world of today’s control room. Every high hazard plant should have :

• a defined alarm management strategy • a defined alarm design guide • a list of alarm KPIs • a responsible alarm management person • an audit programme •

Literature EEMUA 191: Alarm Systems. A Guide to Design, Management and Procurement. 1999 ISA RP18.2 Management of Alarm Systems for the Process Industries. To be published Namur NA102: Alarm Management. 2005 Norddeutsche Metall-Berufsgenossenschaft Psychische Belastungen in der Arbeitswelt. 1999 Norwegian Petroleum Directorate YA-711: Principles for alarm system design. 2001 Bailey B. P., Konstan J. A. & Carlis J. V.: Measuring the effects of interruptions on task performance in the user interface, in: IEEE International Conference on Systems, Man, and Cybernetics 2000 Tanner, R., Gould J., Turner, R. and Atkinson T. (2005) Keeping the peace (and quiet). ISA InTech September 2005.



160

V.3 Alarm management practices in NOVA Chemicals J. Windhorst

NOVA Chemicals, P.O. Box 5006, Red Deer Alberta T4N 6A1, Canada; [email protected]

Abstract: Alarm proliferation causes problems which can be identified by two simple metrics: large floods of alarms during upset conditions and long lists of standing alarms during normal operation. Alarm management was developed to avoid, control or otherwise manage the condition where operators have been set up for failure through a large number of indiscriminate alarms and an unrealistic expectation of what humans can possibly process and achieve during an emergency. Enabling an operator to fulfill given tasks is key to a successful alarm system and it is the effective human-machine-interface (HMI) that is the most essential component of such a system. This paper presents the NOVA approach to alarm management, including the so-called alarm objective analysis. AOA pays particular attention to alarm prioritization and ergonomics, and is used to optimize the probability of a successful operator response. The NOVA alarm classifications follow clauses from the German environmental legislation, while the layout is in accordance with the International Electrotechnical Commission standards. Introduction Goethe’s Faust (see [1]) and the Longford incident (see [2]) that happened on 25 September 1998, in Victoria, Australia seem appropriate platforms for framing the issue of human factors in chemical accidents and incidents. Both deal with fiery issues.

In the beginning of Goethe’s play Dr. Faust states: “I've studied now Philosophy - And Jurisprudence, Medicine, - And even, alas! Theology - All through and through with ardour keen! - Here now I stand, poor fool, and see - I'm just as wise as formerly. - Am called a Master, even Doctor too, - And now I've nearly ten years through - Pulled my students by their noses to and fro - And up and down, across, about, - And see there's nothing we can know! - That all but burns my heart right out.”

Faust is lamenting the fact that even after in-depth studies the realm of human knowledge is limited or rather non-existent. Extrapolated to the process industry this lamentation could be: “How come we keep making similar mistakes”? In the Longford case a process incident occurred that could have been easily avoided, since the technical causes were well known.

The repetition of process incidents is, fortunately, limited. However, it is certainly not realistic to believe that every hazard, known or unknown can be designed out or that procedures can be developed for every conceivable hazardous event. Weick (see [3]) echoes this point when he observes that it is of the essence of complex systems, such as hydrocarbon plants, that they always retain a capacity to produce novel or surprising events. Consequently, well-implemented standard solutions, design or procedural, do not guarantee a safe and reliable operation. The main human factor issues are therefore: How do we avoid repeating known incidents, and secondly, how do we prepare for the unknown.




161

Prepare For the Unknown There is a defined need for being able to deal with novel events; e.g., ageing of plants and creative human errors are and will create new challenges. The capability to pick up from things that haven’t happened includes aspects of flexibility and responsiveness which is sometimes called a capability to recover.

A capability to recover (v.d. Schaaf, see [4] and [5]) will depend on the detection of the failure(s) that have occurred, an explanation or understanding of the problem and its causes, and an implementation of countermeasures aimed at returning the process to a normal or safe situation. In order to deduce facts and define a recovery from an unknown hazardous trend, operators need to have a robust; i.e., fault tolerant, holistic understanding of the process. Such a holistic understanding not only requires knowledge of the behaviour of individual pieces of equipment but also an understanding of the process, at large and of the underlying physical and chemical principles.

The aforementioned incident at the Longford Gas Plant occurred because of a drive for efficiency. In order to improve efficiency at Longford, the number of supervisors had been reduced from four to one, the number of control panel operators reduced to one, and all the engineers had been withdrawn from the plant (see [3]). This had degraded the understanding of the process and impaired timely responses to upsets, and thereby:

• caused something that should have been known to become unknown,

• degraded the capability to avoid repetition of known events, and

• “chipped” away at the robustness of being able to deal with the unknown.

The lone Longford Gas Plant panel operator would, on an average day, attend from a minimum of 300 up to a maximum of 8800 process alarms, or one every six seconds. It is obvious that alarms coming in at such a rate cannot be rationally dealt with and only make a bad situation worse by imposing additional stress on the operator.

To make matters worse, there was no prioritization of the alarms and besides dealing with the alarms, the panel operator had to issue up to 90 permits a day and liaise with supervisors and field operators. In essence the engineering design, while most likely solid from an pure engineering perspective, had set the operators up for failure.

On 25 September 1998, a gas absorber burst, releasing a large cloud of hydrocarbon vapours that eventually exploded. Two members of the staff were killed and 4 million people were deprived of gas for about two weeks. Longford has become synonymous with the need for a robust, fault tolerant culture of an organization; otherwise called a culture of mindfulness or high reliability organizations (see [2] and [3]). These are organizations where staff are constantly wary of the dangers, sensitive to new and surprising occurrences, and that have sufficient resources to deal with emergencies when they arise.



162

The Influence of DCS History Prior to the introduction of Distributive Control Systems (DCS) alarms were implemented through electric or pneumatic systems. Since these systems carried a significant cost, they had to be justified on their own merits and were designed accordingly. With the advent of DCS, alarms became essentially free and virtually limitless numbers could be added at the discretion of an engineer, designer or operator. This proliferation caused operators to loose sight of truly important alarms and made his or her task nearly impossible when a true emergency caused alarm screens to become cluttered, the so-called “alarm flood”.

The DCS also “reformatted” the control display. Wall-size displays were abandoned in favour of CRT Graphical User Interfaces (GUIs) that were not always well laid out. In case of a poorly laid-out GUI the operator might have to flip through many screens before arriving at the source of an alarm. The standardized P&ID size can cause similar inefficiencies in case of process safety hazard analysis when many P&IDs need to be consulted before identifying a hazard.

Organizational changes, specifically the pursuit of greater financial returns by eliminating inefficiencies or perceived inefficiencies, have resulted in fewer operators. This in turn has increased the need for automation, which for all intent and purposes is synonymous with more instrumentation and an increased number of alarms. Metrics Problems with alarm systems are identified by two simple metrics: (i) large floods of alarms during upset conditions and (ii) long lists of standing alarms during normal operation. The latter can be considered a key indicator of a badly operated and maintained plant or of too many superfluous alarms that possibly need to be eliminated, suppressed or re-prioritized. Alarm Management The basic essence of alarm management is to design the alarm systems around the operator, thereby reversing a trend where the operator was “straight-jacketed” into a haphazardly designed alarm system. The goal of alarm management is to return alarm functionality to the pre-DCS era by swiftly presenting up-to-date, prioritized and manageable plant data to the operator. This allows an operator to assess the situation with a few keystrokes, or screen touches, and to take appropriate actions with a minimum time delay. Furthermore, operators need to be trained and be physically, as well as mentally, capable of responding correctly to the presented alarms, taking process dynamics and alarm dynamics into consideration. Where this is not possible automated systems need to be installed.

Key to a successful alarm system is enabling an operator to fulfill given tasks. An effective human-machine-interface (HMI) is probably the most essential component of such a system. The ergonomics associated with HMI are to be embedded in many design functions; e.g., lighting of the control room, the number of keystrokes, the layout of the panels in a logical sequence, the use of clusters, etc.



163

ERR

FSI

SB

PCS

Figure 1 Basic Alarm Classifications.

NOVA Chemical’s approach to alarm management NOVA Chemical’s alarm management stresses functionality and effective communication. Because chemical assets are sold and bought on a regular basis, it is fairly easy to introduce human errors if strict descriptive corporate standards were imposed. A case in point is labelling, at a NOVA Chemicals’ integrated plants system where one facility uses a red light to indicate that the safety systems are active (“armed”) while at another one it means the safety systems are not available. Labelling is therefore a very important issue. Labelling

Because of the possibility of confusion and lowering an operator’s effectiveness, especially under stress situations, there is no imposition of labels. Default names and the alarm management structure are given in Figure 1 which represents a NOVA Chemicals’ adaptation of a figure in a German environmental standard (see [6]). The NOVA alarm layout is in accordance with the IEC 61508 and 61511 standards. In particular there is a strict separation of the external risk reduction facilities (or ERRF) alarms from the DCS and SIS. ERRF alarm actions are, because of the human involvement, as a rule only safety integrity level 1 (SIL 1) compliant (their design is outside the scope of the IEC SIS guidelines). However, such a SIL 1 compliancy needs to be available after the event. If this event were to be an explosion then the whole ERRF loop, including the operator shelter, needs to be explosion-resistant.



164

Alarm Objectives Analysis (AOA) Alarms are normally specified during the latter stages of the process flow diagram development and the P&ID development. Assigning alarms during HazOps has not been a good experience and is therefore avoided. Within NOVA Chemicals, a special review, the so-called AOA is used to ultimately define and specify alarms. The goal of the AOA is to optimize alarm system functionality.

During this analysis particular attention is paid to risk, alarm prioritization and ergonomics. To a large extent this depends on the probability of a successful operator response. A team that is typically composed of a facilitator/scribe and representatives from stakeholders performs the AOA. Stakeholders normally involve: operations, process control engineering, process engineering, safety engineering, and others, as needed.

Complexity Simplest Routine & Simple

Routine Requires Care

Complicated – non-Routine

No Stress 1×10-4 1×10-3 1×10-2 0.1

Moderate Stress 1×10-3 1×10-2 5×10-2 0.3

High stress 1×10-2 1×10-1 – 1.0 0.25 – 1.0 1.0

Table 1 Human Probability of Failure to respond correctly on demand for different situations

The AOA team has to establish an alarm philosophy and policy for the process under consideration as well as to consider multiple aspects and ergonomic factors. For example, the maximum acceptable incoming alarm rate at the time of a planned intervention is a critical piece of information. Such rate information is needed in order to assess or evaluate the stress to which an operator is subjected and the practicality of additional alarms. If an alarm rate is too high at the time of a planned intervention, then that intervention needs to become a process trip (executed by the DCS) or a SIF (executed by a SIS, see Figure 2). This automation requirement is driven by ergonomics. NOVA Chemicals uses a simple human probability of failure for different situations table (see Table 1).



165

Normal Process Control Domain

Process Supervisory

FunctionDomain

SafetyInstrumentedFunctionDomain

Low Priority Alarm(LPA)

Operator Acts on LPA

Maximum LPA-Related Process Excursion

High Priority Alarm (HPA)

SIF Initiated

Operator Acts on HPA

Low Priority

High Priority Max. HPA-RelatedProc. Excursion

Max. SIF-AllowedProc. Excursion

Figure 2 A process subject to an accelerating drift with two intervention opportunities for an operator and one SIF intervention. The first Low Priority Alarm allows the operator ample time for trouble-shooting and corrective action (ΔτLow Priority). A second alarm provides precious little time (ΔτHigh Priority). An AOA team could decide that the chance of a succesful implementation of the procedures associated with the High Priority Alarm are too slim and therefore drop the High Priority Alarm, in which case a reclassification of the first alarm might be needed.

The process of determining what an operator has to face during an abnormal process condition can be broken down into sequences of task-associated questions. The AOA team goes over these questions and ultimately decides how the alarms will be controlled and managed. These questions are typically structured as follows:

1. Snapshot problem identification – what is wrong – what mode is the plant in; e.g., startup? 2. What else can go wrong? 3. What action will minimize the consequences? Specifically:

• If a loss of process containment occurred or is pending, what ERRFs need to be activated and alternately, if such process containment is not likely to occur, what actions will bring the process back to the normal operating range or a safe state?

• How can the activation of one or more Safety Instrumented Functions (SIFs) or ERRFs be avoided?

• What follow-up actions are needed to restore normal operations?



166

4. Considering human probabilities of failure, can the “least-skilled” operator respond correctly to all foreseeable demands under a variety of different stress situations?

5. How can the possibility of an operator-initiated recovery, during a completely unexpected event, be maximized?

Figure 3 Example of an Alarm and Process Overview Display Other alarm aspects to be considered by the AOA team Other elements that need to be considered include: • The Mean Time To Restoration (MTTR) of components/systems and other design aspects

that underlie the alarm classifications (see Table 2). • The capabilities of the least-skilled operator. • The acceptability and constraints of operating with faulty or non-available systems and

components. In case of a redundant system, there are typically several options for repairing components without shutting a process down.

• Plant information (where available) such as alarms and hard-wired annunciator points, current trip values, and a list of all process signals brought into the control system.

Within the constraints of the elements the following issues need to be resolved:

• The need for alarms as opposed to other protection measures. • Alarm suppression techniques; i.e., only functional alarms are to be presented (no alarm

flood). For example, a number of related alarms can be grouped into a composite alarm as in the case of a reactor with many catalyst bed thermocouples. Instead of alarming each



167

individual thermocouple, one common high temperature alarm can be provided. The common alarm will have the required alarm priority, whereas the individual temperature alarms are merely journalled.

• Prevention of problem escalation. • Providing a navigation tool; e.g., a high priority alarm can be accessed with a minimal

number of keystrokes.

Figure 4 Dedicated hardwired alarm panel (top right corner)

Presentation of Alarms The presentation and display of alarms has to assist operators with gathering plant status information in an effective fashion. For example, it would be an unreasonable assumption to expect that operators will read the lines of a tabular display under stress conditions.

Therefore, emergency/critical alarms are presented on separate but adjacent GUIs, the complete alarm system being clearly visible to operating staff at all times. A good practice is to duplicate emergency/critical alarms on the BPCS GUI and have a setup that allows the operator to respond from either location. An example of an effective GUI for a process area that displays the important alarms for the process area as well as pertinent control functions is given in Figure 2 and Figure 3. In addition emergency alarm systems have to be latched, hard-wired and be provided with uninterruptible or emergency power supplies and to use non-process related sensors. For example, gas releases should be detected directly by perimeter (e.g., light beam) detectors or point detectors and not indirectly by derived values such as material balance discrepancies.



168

Conclusions 1. Design alarm systems around the least skilled operator.

2. Design alarm systems with respect to the unwanted scenario. For example; in case of a fire & gas alarm alerting an operator to close a remotely actuated emergency block valve, ten minutes may pass between the loss of containment and closing the valve. If the inventory is LPG under fairly high pressure and the line diameter significant, then this system can be too slow, and an alternate solution should be pursued.

3. Avoid repeating known incidents.

4. Prepare for the unknown.

5. ERRF alarms and intervention must remain functional after the underlying unwanted event.



169

Table 2 – Alarm Management General Guidance Pr

iorit

y C

at.

(See

Fig

. 1)

Ala

rm

Sour

ce

Impl

e-m

enta

tion

Ala

rm

disp

lay

(i.e.

, Pl

acem

ent)

Set P

oint

for

Ala

rm

Ope

rato

r A

ctio

n R

equi

red

Des

crip

tion

Exam

ples

How

D

eter

min

ed

MO

C

(Yes

/No)

?

(A) (B) (C) (D) (E) (F) ( G) (H) (I) (J)

1

Emer

genc

y

ER

RF

sens

ors;

e.g

., Fi

re &

gas

(F&

G) Hardwired from

field AND independent from DCS and SIS. System shall survive under-lying event (e.g., explosion).

Light on a separate panel dedicated to hardwired ERRF alarms AND also shown on adjacent DCS console. Panel can also show hardwired SIS alarms. DCS – Journal.

“On” signal (can depend on a voting sensor/analyzer array system).

Immediate operator follow-up is needed to validate alarm. Action(s): Validation that alarm represents a genuine event AND Emergency response.

A potential loss of containment has initiated the alarm (one or more setpoints have been exceeded). ERRF function involving operator is at best SIL 1 compliant. Risk Reduction Factor (RRF) ≤ 100

Common gas alarm; common fire alarm; common deluge alarm

Design, PHA, SIL-Analysis, AOA.

Yes

2

SIS

, a S

IF w

as a

ctiv

ated

, Tr

ue o

r spu

rious

trip

or A SIF was allegedly activated and

operator follow-up is needed. Confirm that (i) final element tripped AND (ii) plant is in safe state AND (iii) trip was spurious (yes/no) AND (iv) if other operator initiated actions are required. Prepare for S/U after cause has been removed.

Potential for breaching equipment integrity. SIS pre-trip alarm was ignored, too slow or not available.

Crit

ical

SIF

Hardwired from SIS (including PLC) to shutdown/ isolate facility

Light on separate hardwired panel (e.g., a shared SIS/ERRF panel) AND also shown on adjacent DCS console. DCS – Journal.

SIF setpoint: Determined by Process Eng. Implemented by Process Control.

Operator activates SIF with SIL 1.

Manually activated SIF (max SIL equals 1).

A SIF closes an S/D valve automatically. An alarm warning an operator to shut down pump down-stream of S/D valve. This is a SIL 1 SIF alarm configured according to NOVA.


Yes



170

Prio

rity

Cat

. (S

ee F

ig. 1

)

Ala

rm

Sour

ce

Impl

e-m

enta

tion

Ala

rm

disp

lay

(i.e.

, Pl

acem

ent)

Set P

oint

for

Ala

rm

Ope

rato

r A

ctio

n R

equi

red

Des

crip

tion

Exam

ples

How

D

eter

min

ed

MO

C

(Yes

/No)

?

(A) (B) (C) (D) (E) (F) ( G) (H) (I) (J)

SIS

Dia

gnos

tics System management

configuration (vendor specs). Independent of DCS.

Light on SIS panel (e.g., the

shared SIS/ERRF panel)

AND also shown on adjacent

DCS console.

DCS – Journal.

Set by PLC and SIS component vendors/ NOVA Process Control

Specific operator intervention needed. No delay permissible.

SIF/SIS malfunction alarm. Mean time to repair (MTTR) has to be preserved. Cannot wait a weekend.

Failure of a process sensor in a 1oo1 system, requiring a shutdown (if validated).


Yes

3

Hig

h Pro

cess

P

re-S

IF DCS On DCS console.

DCS – Journal.

Allow operator to avoid the execution of a SIF. Determined by Process Eng. Implemented by Process Control

Prompt operator intervention required BPCS Supervisory function Pre-SIS Trip Alarm.

Tower control temperature excursion – avoid steam trip to reboilers. HH or LL - flow, temp, pres alarms.

Design, PHA, AOA.

Yes

SIS

D

iagn

osti DCS On DCS console. Set by PLC and SIS

component vendors/ NOVA Process Control

No specific action by operator other than issuing a repair request to maintenance.

SIF/SIS malfunction diagnostic alarm that does not require urgent action (e.g., it can wait a weekend). Permissible MTTR is high.

Failure of one channel in a 2oo3 logic system because it will revert to a 1oo2 system.

AOA Yes

Low

Pro

cess

O

pera

tio

DCS On DCS console. Set by operator Operator returns process to normal operating range or prepares for s safe startup after a DCS (not SIS) initiated trip.

Process Supervisory function used to return the process back to normal range

Abnormal PV change but still within permissible operating limits. H or L - flow, temp, pres alarms.

AOA No

4 DCS DCS- Message only Alert Messages No immediate operator intervention required

A notification to the Operator but no immediate intervention is required

Asset management Expert guidance system

No

Not

an

Ala

rm

Pro

cess

DCS DCS- Journal only Status Indication No operator intervention required An indication of a long term change of state

Pump running status No

Table 2 – Alarm Management General Guidance (continued)



171

References

[1.] Faust, Johann Wolfgang Von Goethe (famous German poet). [2.] Lessons From Longford: The Esso Gas Plant Explosion, Andrew Hopkins (May 2000). [3.] University of South Australia, Division of Business - Corporate Social Responsibility

http://www.unisa.edu.au/corpsocialresp/casestudies/longford.asp [4.] Van der Schaaf, T. W. (1996, 8-11 October). Human Recovery of Errors in Man-Machine Systems.

Paper presented at the International Conference and Workshop on Process Safety Management and Inherently Safer Processes, Orlando, FL.

[5.] Lisette Kanse, Tjerk W. van der Schaaf, Nanco D. Vrijland, Heleen van Mierlo, Comparing two approaches to failure recovery: medication preparation versus chemical plants. ACM International Conference Proceeding Series; Vol. 132, Proceedings of the 2005 annual conference on European association of cognitive ergonomics http://portal.acm.org/citation.cfm?id=1124692&dl=ACM&coll=&CFID=15151515&CFTOKEN=6184618.

[6.] Der 12. Verordnung des BlmSchG (Bundes-Immisionsschutz), Germany, June 27, 1980. [7.] The RCM Perspective on Maintenance, Reliability HotWire, Issue 71, January 2007. Copyright © 2007

ReliaSoft Corporation. [8.] Impact of Organizational Climate on Employee’s Safety Knowledge Sharing Behaviors, Xie Hefeng,

Ma Qingguo & Xue Jing. ISSST 2006. [9.] Recommendations on the design and operation of fuel storage sites, Buncefield Major Incident

Investigation Board. © Crown copyright This publication may be freely reproduced, except for advertising, endorsement or commercial purposes. First published 03/07.

http://www.unisa.edu.au/corpsocialresp/casestudies/longford.asp

http://portal.acm.org/citation.cfm?id=1124692&dl=ACM&coll=&CFID=15151515&CFTOKEN=6184618

http://portal.acm.org/citation.cfm?id=1124692&dl=ACM&coll=&CFID=15151515&CFTOKEN=6184618

http://www.reliasoft.com/



172

V.4 Experience from the ASM Consortium P.V. Pandita and A. Ogden-Swifta

a Honeywell Controls UK Ltd., Lovelace Road Southern Industrial Estate, Bracknell, Berks UK RG12 8WD, UK; [email protected]

Abstract: An abnormal situation is a disturbance or series of disturbances in a process that cause plant operations to deviate from their normal operating state. The nature of the abnormal situation may be of minimal or catastrophic consequence. It is the job of the operations team to identify the cause of the situation and execute compensatory or corrective actions in a timely and efficient manner. A disturbance may cause a reduction in production; in more serious cases it may endanger human life. Abnormal situations extend, develop, and change over time in the dynamic process control environments increasing the complexity of the intervention requirements. The ASM Consortium (www.asmconsortium.com) is a industry research body that develops best practices related to managing abnormal situations in process plants, developing and deploying the technologies that support the adoption and sustenance of these best practices. The ASM Consortium guidelines are organized under seven practice categories:

Abnormal Situation Understanding

Management Structure and Policy

Knowledge and Skill Development

Communications

Procedures

Control Building Environment

Process Monitoring, Control and Support Applications This paper will discuss the developments in these practice areas, the technologies being deployed by best in class companies and what the focus of new areas of research for the consortium are. We will also discuss particularly the area of Alarm Management and the benchmarks companies are aiming for in this regard.




173

Other submitted Abstracts (not presented)

X I Quantification of human factors in the process industry – A practical assessment tool

K. Löwea and S. G. Kariukia

a Technische Universität Berlin, Institute of Process and Plant Technology, Sekr. TK0-1 Straße des 17. Juni 135, 10623 Berlin, Germany; [email protected]

Abstract: Human failure is still the leading cause of the incidents in the process industry. Literature review shows that a lot of work has been done on human error analysis but most studies concentrate on operator error. This is treating the symptoms only. Unless we understand all these indirect factors that lead to direct human failures there is slim prospects of reducing accidents or incidents caused by operator errors15. This paper outlines the development of a new tool to analyse and quantify human factors in chemical process plants. It applies analytic hierarchy process (AHP), a decision theory analysis-based method, to establish how well an organisation takes into account and manages human-related issues that contribute to process safety. Therefore, it looks into how the individual human factors components e.g. job design, human-system-interface, supervision, operator physical characteristics; among others affect the overall quality of human factors and consequently the safety in a given plant16. Evaluating human factors is a complex problem. There is usually no consensus of what one should strive to achieve with regard to these factors. Each individual component of human factors possesses a number of characteristics, which contribute to its complexity. These characteristics are non-technical and therefore interpreting them and constructing performance measures is a challenging problem. In this method these challenges are addressed. For easy applicability, even for non-human factors experts, a software tool based on this new method was developed. The output of the tool is a qualitative report and a quantitative value. From the detailed report, the weak areas in a plant can be detected. The actions to improve these areas can be derived and this not only leads to higher safety but also to higher operation efficiency.

15 Vuuren, W. van; Shea, C.E.; Schaaf, T.W. van der: The development of an incident analysis tool for the medical field. Report EUT/BDK/85, Eindhoven University of Technology, Eindhoven, 1997. 16 Kariuki, S.G. and Löwe, K.; Integrating Human Factors into Process Hazard Analysis. accepted: Reliability Engineering & System Safety, Elsevier, 2007.




174

X II Development of possibilities to improve Safety Culture Dr. V. Hoensch

Haselbergstr. 8, 82377 Penzberg, Germany; [email protected]

Abstract: Assuming that by safety culture, deficiencies both in knowledge and motivation in certain matters to comply with, such as making decisions in unexpected situations, are opposed to appropriate knowledge transfer and measures to raise the motivation, which supplies the possibility of alteration.

Safety culture should be changed in a way that the demand of failure tolerant systems will be met what emanates from an understanding of failures which isn’t based upon blaming attitude of inaccurate behaviour but sees failures as an important part of actions that shouldn’t be prevented a priori. However, it should leads to organisational supported learning processes.

According to this understanding of safety culture a policy will be introduced how learning culture becomes to the main concern of safety culture. This policy consists of three steps.

In the end there are questions the answers of which could be subject of controlled efforts.

1. Prerequisites in order to improve safety culture Exact knowledge of the occupational characteristics. Assign of the occupational characteristic to the psychosocial functions:

- activity and competence - structuring of time - co-operation and contact - social acceptance (tribute) - personal identity

2. Analysis of psychosocial criteria of the work under consideration of aspects like workload (stressor) and reactivity to the load (strain) Classification of the working conditions:

- task and stress - behaviour setting and stress - role and stress - scope “Working Process” as the origin of stress

3. Operationalisation of the target “Safety” for the working process Definition of values to impact behaviour in the following levels:

- individual - group/interactions - organisation - safety

4. Recommendations on methodologies to review the existing safety culture For the supervising procedure:

- Are there commitments for the mentioned procedure regarding safety management? - Are there regulations to interpret the mechanism into living safety culture? - Are the necessary mandatory obligations for the guideline relating to programs for the

preservation of technical qualification of expert knowledge for management-personnel?




175

X III.1 Trends in Aviation Industry. A perspective to understand human factors requirements and best practices to process industry

D. Baranzini

European Commission, Joint Research Centre - MAHB; [email protected]

Abstract: Human factors discipline in the aviation systems has a long history of both successful implementations as well as too-little-too-late achievements. This paper presents trends in aviation human factors methods and applications with particular emphasis to those approaches that could benefit other industrial domains such as process industry. The rationale is to build upon knowledge transfer from other industrial “cultures” and practices.

Reference to some European funded research projects such as HILAS (HILAS, 2007), ADAMS 2 (ADAMS2, 2004) and AITRAM (AITRAM, 2002) will be discussed in the light of such new trends. In particular, verification and assessment human related hazards and organizational factors are shifting towards human-centred design and human integration into the life-cycle of entire work systems and related technologies. Auditing and accident investigation capabilities are bringing new emphasis on managerial levels of human and organizational failures removing the emphasis on operator errors at the sharp end.

A case study of new practices and technologies in maintenance domains is presented along with suggestions on how to increase capacity to manage risk and human factors across large work processes (Baranzini and Cacciabue, 2006). Results of this paper should bring forward suggestions for process industries as follows:

• Process industries demand process perspectives to understand human factors traceability

• Causal orders embedded in process dependencies is revealing where and why to invest in human factors

• Lesson learned from normal work events and near misses reveal a richer picture to understand where and how to implement lessons learned form major industrial plans incidents.

Reference: ADAMS 2 (2004) - http://www.adams2.net/ AITRAM (2002) - http://www.aitram.de/ Baranzini, D. and Cacciabue, P.C. (2006). Modelling co-ordination effects in complex work systems: The aviation maintenance case. In D. de Waard, K.A. Brookhuis, and A. Toffetti (Eds.), Developments in Human Factors in Transportation, Design, and Evaluation (pp. 225 - 237). Maastricht, the Netherlands: Shaker Publishing. HILAS (2007) - http://www.hilas.info/mambo/index.php


http://www.adams2.net/

http://www.aitram.de/

http://www.hilas.info/mambo/index.php



176

X III.2 Prevention of accidents with dangerous chemical products in Brazil

R. J. Calixto

Ministério do Meio Ambiente (Ministry of Environment), Esplanada dos Ministérios, Bloco B, Sala 820, Brasília – DF, Brazil, ZC 70068-900; [email protected]

Abstract: The prevention and the combat to the accidents with dangerous chemical products in Brazil take its authorities to face difficulties varying since the dimensions of the country to the serious problem of the truck drivers' rest. Differently of the oil sector, where there is a consolidated culture already, the need of creating a prevention culture to accidents with other types of dangerous chemical products represents a huge challenge for the National Plan of Prevention, Preparation and Fast Response to Environmental Emergencies with Dangerous Chemical Products - P2R2, established in 2004, involving training and discussion of the available legal frame, while strengthening environmental and health entities as well as civil defense to envisage different emergencial situations. Coordinated actions are in process, more experiences and views need to be exchanged.




177

X III.3 HAZOP-based innovative approach in the human factor assessment

M. Krskoa and J. Kandraca

a RISK CONSULT, s.r.o, Račianska 72, 83102 Bratislava, Slovaika; [email protected]

Abstract: While performing a detailed risk analysis of a large technology, a synergic approach has been adopted in evaluating the human factor within. As the risk assessment environment – time, resources and information support- has been limited; a HAZOP-based approach has been chosen to provide answers concerning the human factor influence on the safe and correct operation of the technology. Performing the human factor risk assessment this way has fully met the before-set expectations and provided added value in the form of simplicity, clarity and structure.

This paper describes this HAZOP-based simple approach towards the human factor in the overall major risk assessment which can be as well used in determining economic risk and other threads.

Keywords: human factor, HAZOP, synergic, risk assessment, economic risk.




178

X IV.1 Valuation of Human Actions in Probabilistic Safety Assessments for Process Plants

U. Hauptmanns

Otto-von-Guericke-Universität Magdeburg, IAUT-AS, Universitätsplatz 2, 39106 Magdeburg, Germany; [email protected]

Abstract: Based on PSAs for six installations of the process industry covering both storage and production the application of the THERP procedure for assessing probabilities for human actions is presented. An overview of the required actions along with the corresponding valuation is given. Performance shaping factors and uncertainties are discussed. Advantages and drawbacks of the procedure, which is illustrated by showing the Human Error Event Tree for a complex action required to isolate a leak from an ammonia pipe, are presented. Improvements of plant safety resulting from both the qualitative and quantitative analyses of human acts are pointed out. This includes one case which has similarities with an important aspect of the Buncefield tank fire. A note on data requirements and the application of generic data to specific plants as well as desirable improvements of the methodology concludes the talk.




179

X IV.2 Operational safety in process control through ergonomic design of operator work documents

P. Nickela and F. Nachreinerb

a Department of Psychology, The University of Sheffield, Psychol-ogy Building, Western Bank, Sheffield S10 2TP, UK; [email protected]

b Carl von Ossietzky Universitaet Oldenburg, Institut fuer Psycholo-gie, Abteilung Arbeits- und Organisationspsychologie, 26111 Oldenburg, Germany; [email protected]

Introduction: Legal requirements in health and safety regulations within the EU call for usable instructions concerning the use of process control systems, and in the event of changes in the system, for instructions specific to the operators’ job in such conditions (e.g., Seveso II Directive, Safety and Health Directive, Work Equipment Directive). From an ergonomic perspective work documents like operator manuals and instructions in process control systems are part of the work system (ISO 6385). Thus they are to be designed as to safeguard operational safety, effectiveness and efficiency of process control as well as to optimise operator workload, which in turn will contribute to operational safety in process control. Work documents can be conceived as a kind of information presentation which are critical to safety, as they act as both, production control devices and job aids for operators. Thus job aid design is a problem concerning the interactions between the documents and the operators’ tasks, qualifications and operational states to optimise the results of the whole sys-tem. These interaction interfaces should be designed according to ergonomics and human factors design strategies and principles. Taking them into account thus does not merely reflect the necessary compliance with legal regulations but also the pursuit of basic system goals. Since ergonomic requirements for the design of such documents for operators in process control are not readily available a research project to close this gap was initiated and financed by the Federal Institute for Occupational Safety and Health, Germany (FIOSH). The following two sets of questions were addressed. (1) What are the requirements for the design of work documents for control room operators from an ergonomics and health and safety perspective? (2) Are there specific design requirements with regard to differential usability of paper based and electronic work documents? Methods: In order to gain on interactions of knowledge both from theory and practice a combined approach was chosen with a review of the available literature and with specifically designed field and laboratory studies. Information available on an ergonomic design of work documents was to be gathered by a review of the available literature in ergonomics and human factors and related disciplines. In the field studies six different control rooms were selected from five different German chemical plants and one control room with a full simulation of a process control system (Invensys Systems GmbH) at the Work and Organisational Psychology Unit’s Usability Laboratory. Interview studies were carried out with the plant management and control room operators in order to obtain information on purposes, contents, availability, usage, and design of operator work documents in relation to the operators’ tasks, qualification and operational states. Further information was collected by observational studies within the control rooms. Work





180

documents were inspected and discussed with the operators. Examples of work documents were requested for a more detailed off-site analysis. For the laboratory study work documents were specifically developed. Operators (highly trained students) performed monitoring and control tasks in the control room of a simulated benzene/toluene distillation plant in the Unit’s usability lab. Task performance included atypical operational states and was supported by work documents either electronically presented or as printed versions. Differential handling and usability were evaluated using questionnaires, workload and performance measures as well as observational data. Results: The literature review resulted in only a small amount of evidence for the ergonomic design of work documents which could be directly used for a systematic analysis of existing documentation or for application to design procedures. Most of the publications focus exclusively on specific recommendations concerning more formal requirements (e.g., EN IEC 62079). However, an orientation on general ergonomic design strategies and principles led to a more promising top-down approach. In conjunction with the field studies ergonomic recommendations for the design of work documents were derived considering interactions within the work system such as with operators’ tasks and qualifications and the process under control. General recommendations: Operator work documents should

• give appropriate information about the plant and the interdependencies within the plant

• provide factual knowledge about work equipment and operating supplies with regard to relevant safety information

Recommendations with regard to qualification: Operator work documents should • maintain the operator’s qualification by providing information for frequent and rare

actions • provide functional information about the plant and its subsystems for all qualification

levels Recommendations with regard to tasks: Operator work documents should

• describe system and subsystem’s tasks and objectives • point out possible risks and consequences of actions for specific operational states

Recommendations with regard to the media of presentation: Operator work documents should • be presented only by media capable of serving the documentation demands • always be specifically designed with regard to their mode of presentation

Recommendations with regard to the documents: Operator work documents should • be systematically arranged or grouped in order to give purposeful access to the

contents • give clear and definite advice in operating instructions

Recommendations with regard to the use of documents: Operator work documents should • be developed and maintained in parallel with the work system • include their users (e.g., operators) in development and maintenance

Recommendations based on ergonomic principles of human-machine dialogue design: Operator work documents should



181

• be suitable for the task (e.g., be compatible with the process of task performance) • provide for controllability (e.g., indicate appropriate actions, their consequences or

limits) • conform to user expectations (e.g., instruct in chronological and logical sequence of

tasks) • be understandable (e.g., give explanations before presenting instructions)

These requirements will be illustrated with both best practice and some rather deficient practical examples in the presentation. Conclusions: In most control rooms in the chemical process industry instruction material is available to the operator, but its contribution to safety and health, system reliability and productivity appears to be suboptimal. Thus, an ergonomic design of work documents is not solely needed but also of increasing importance due to ongoing developments towards increasing complexity in process control. The results presented can be used to improve system and operational safety and as a preventive approach to health, safety and environmental protection.



182

X V.1 Alarm flooding in control rooms M. Büßelmann

Yokogawa Deutschland GmbH, Broichhofstr. 7-11, 40880 Ratingen; [email protected]

Abstract: Alarm flooding in control rooms is a still a critical issue in many installations over the world. Operators are often overcharged by alarms. As a result accidents and incidents happen.

The presentation will differ between alarm system design concepts for new control systems and alarm management concepts for existing installations. Beside strategies to improve the situations in control rooms to reduce the human factor making mistakes on one hand, solutions have to be developed to make use of the human capability of understanding complex situations. Therefore alarm systems should not inform only about single events somewhere in the plant. A more comprehensive engineering process which includes a cause and effect analysis plus possible actions to be taken, structuring alarms according to the plant hierarchy and taking dynamic aspects of the process like load changes and start up and shutdowns into account, can give better information to the operator.

Because existing control systems are designed based on a static process model, those alarm systems are also designed in a static way. Process boundaries are only well defined for the ESD system.

To reduce alarms in existing installations reverse methods are used. As part of a continuous improvement program based on the SixSigma method DMIAC, alarms are analysed and reduced, optimized and adapted to dynamic situations. Grouping alarms is also a method to further reduce alarms.

Often repeating alarms could not be reduced due to high engineering costs. For those alarms software tools are available (agents), which interfere with the control system in that way, that the appearance to operator is limited to only a few events.

With the fact that less operators have to operate larger and more complex plants education and training, e.g. operator training on training simulators, will be a key factor in the future. Optimization of Existing Alarm Systems For Existing Plants we propose Retrospective Alarm Management, meaning Alarm analysis and optimization based on existing information. It will be implemented as a continuous improvement program based on the Six Sigma method DMIAC. Analysing Alarms, root cause analysis Reducing unnecessary repeating alarms Optimize alarms, e.g. redefinition of limits Make use of automatic alarm reduction, software tools Adopt alarms to dynamic situations Develop SOPs for start up, shutdowns and load changes including dynamic alarm settings

(check list based operation)

Installations at customers showed that alarms could be reduced dramatically.




183

Designing new Alarm systems For new plants we propose Prospective Alarm Management, which means that the definition of the alarm system is part of the whole engineering process.

Today the design of the alarm system within a DCS is based on P&IDs and a verbal description of chemical process. The description is mainly based on a steady state of the process at 100% load. Dynamic aspects are mostly not considered. A detailed cause and effect analysis to define the process boundaries is only done for the ESD system.

By expanding the engineering process to the definition of the process boundaries in respect to a dynamic, economic, efficiency and environmental aspects alarm systems could be optimized. Similar methods are well known for defining ESD systems. Cause and effect analysis can be used to develop check lists or assistance systems for the operators.

Similar methods and systems have been developed by the aviation industry and are already in used in most cockpits all over the world. Help Operator to manage abnormal situations As already described above cause and effect diagrams, advises (possible actions), check lists and grouping of messages according to the plant hierarchy can give better information to operators. Training abnormal situation on Training simulators is the best way to ensure best knowledge of operators. How to distinguish safety alarms from those with no safety relevance Modern alarm systems do have separate displays for safety and non safety alarms. Non safety alarms could be displayed in different categories, even in different displays for production, economic, environmental alarms.

0

5000

10000

15000

20000

25000

30000

01-M

ar-0

5

08-M

ar-0

5

15-M

ar-0

5

22-M

ar-0

5

29-M

ar-0

5

05-A

pr-0

5

12-A

pr-0

5

19-A

pr-0

5

26-A

pr-0

5

03-M

ay-0

5

10-M

ay-0

5

17-M

ay-0

5



184

X V.2 Managing Fatigue Risk in an evidence-based and systematic Manner Dr. A Holmesa, Dr. P. Jacksona and Capt S. Stewarta

a Clockwork Consultants, 83 Victoria Street, London EC1V 7HU, UK¸ [email protected] Abstract: Fatigue risk Fatigue is recognised as a significant risk in safety critical industries (e.g. Energy Institute 2006; US Nuclear Regulatory Committee 2004). Unfortunately this recognition stems largely from the role that fatigue plays in severe incidents. Fatigue was identified as a contributor to the publicised incidents at Three Mile Island, Chernobyl and Bhopal and is estimated to contribute to 15% of fatal crashes involving heavy vehicles (e.g. Batelle Memorial Institute 1998; Vicroads 2006). We also know that fatigue constitutes a health and safety risk because academic research findings have shown that fatigue impairs reaction time, situational awareness and problem solving and is associated with increased absenteeism (e.g. Caldwell 2005; Ricci et al. 2006). Despite awareness of the problem of fatigue there is minimal guidance available on how to manage this risk in the chemical and allied industries. This paper suggests some practical first steps for moving towards managing fatigue risk in an evidence-based and systematic manner. Current controls The primary control for fatigue risk that is utilised is compliance with prescribed limitations on hours of work (HoW). While prescribed limits can provide clear parameters for work they have been criticized on the basis that they are largely determined by industrial relations, are not scientifically defensible and vary significantly between national regulating authorities (e.g. Cabon et al. 2002). Moreover, HoW compliance does not involve the measurement or knowledge of the level of fatigue risk to which employees and the operation are actually exposed. Pro-active organisations, particulalry those involved in transportation, have implemented a range of additional controls in an attempt to obtain more comprehensive protection from fatigue risk. Some organistaions have provided fatigue awareness training for employees and managers and others have attempted to design work schedules according to best practice guidelines. While commendable, these strategies are often implemented on a sporadic basis, do not necessarily target ‘the real root of the problem’ and their benefits are not usually quantified. Fatigue risk management systems Best practice in safety management suggests that, for fatigue risk to be addressed it should be managed within a safety management system (SMS). To this end, researchers, regulators and organisations have worked to develop the construct of a Fatigue Risk Management System (FRMS) - defined as an evidence-based SMS for the control of fatigue risk to as low as reasonably practical (e.g. Civil Aviation Safety Authority, Australia; Transport Canada 2005). An FRMS gathers data on fatigue from multiple sources across an operation, thereby enabling controls to be implemented at the appropriate levels within the organisation. The data collection tools that have been suggested for use within a FRMS include bio-mathematical models that predict the level of fatigue associated with work schedules, scientific research methods, checklists and reporting systems for identifying the cognitive and




185

physical signs of fatigue and procedures for identifying the likelihood that fatigue contributed to a road accident (e.g. Dawson et al. 2005). Fatigue risk management and the chemical industry For fatigue risk to be managed efffectively in the chemical industry it is not sufficient to rely upon existing FRMS tools and design guidelines. The available tools are either generic for all industries or have been designed specifically for use in a particular industry. Operators in the chemical industry will need guidance on how to adapt existing tools to suit their environment. Ideally, tools specifically designed to detect fatigue and fatigue-related errors in the chemical work environment(s) would also be made available. To enable pro-active risk detection, it will be necessary not only to develop tools for detecting fatigue, but also strategies for collecting information on fatigue surrogates or precursors, for example work schedule predictability and commute times. One cost effective strategy would be to investigate whether existing safety and quality data can be considered in novel ways to provide indicators of fatigue. For data collection tools to have maximum value they should collect information on fatigue risk continuously and using a consistent categorisation framework. The information can then be integrated to facilitate a multi-layered understanding of fatigue risk (Stewart et al. 2006). In isolation each of the tools have their disadvantages; for example, some are predictive and others are subjective and open to bias. Layering the outputs of these various tools would enable the calculation of confident indicators of system fatigue risk, and ultimately enable evidence-based and systematic fatigue risk management in the chemical industry. References Batelle Memorial Institute. An Overview of the Scientific Literature Concerning Fatigue, Sleep and the Circadian Cycle. Prepared for the Office of the Chief Scientific and Technical Advisor for Human Factors Federal Aviation Administration (1998).

Cabon P, Bourgeois-Bougrine S, Mollard R, Coblentz A and Speyer J. Flight and duty time limitations in civil aviation and their impact on crew fatigue: a comparative analysis of 26 national regulations. Human Factors and Aerospace Safety, 2(4):379-393 (2002).

Caldwell J. Fatigue in Aviation. Travel Medicine and Infectious Disease, 3:85-96 (2005). Civil Aviation Safety Authority, Australia. Fatigue Risk Management Systems. Downloaded 1st February 2007 http://www.casa.gov.au/aoc/fatigue/FRMS/index.htm

Dawson D and McCulloch K. Managing fatigue: it's about sleep. Sleep Medicine Reviews, 9(5):365-80 (2005).

Energy Institue. Improving Alertness Through Effective Fatigue Management. ISBN 978085293 (2006). Ricci JA, Chee E, Lorandeau AL and Berger J. Fatigue in the U.S. workforce: prevalence and implications for lost productive work time. Journal of Occupational and Environmental Medicine, 49(1):1-10 (2007).

Stewart S, Holmes A, Jackson P and Abboud R. An integrated system for managing fatigue risk within a low cost carrier, 59th Annual International Air Safety Seminar (IASS), Paris, France (2006).

Transport Canada. Booth-Bourdeau J, Marcil I, Laurence M, McCulloch K and Dawson D. Development of Fatigue Risk Management Systems for the Canadian Aviation Industry. Conference proceedings of Fatigue Management in Transportation Operations, Seattle, USA (2005).

US Nuclear Regulatory Committee. Fitness-for-Duty Orders to Address Fatigue of Nuclear Facility Security Force Personel, COMSECY-04-0037 (2004).

Vicroads, Australia. Managing Driver Fatigue. Information Bulletin (2006).

http://www.casa.gov.au/aoc/fatigue/FRMS/index.htm



186

X V.3 Human Factors Analysis in the Chemical Industry: Insights and Recommendations

C. Spitzer

TÜV SÜD Energietechnik GmbH Baden-Württemberg, Dudenstraße 28, 68167 Mannheim Germany; [email protected]

Abstract: In the framework of a research project different approaches have been utilized for the performance of a risk analysis in the context of the Seveso II Directive resp. the corresponding German implementation. Objective of the project has been the comparison of the methods used with reference to the applicability, power and efficiency with respect to the request of the a. m. regulatory guidance documents. The approaches utilized have been the method HAZOP, a semi-quantitative approach called ZHA and the QRA (Quantitative Risk Assessment) which is in Germany in particular established in the nuclear domain and not yet in the chemical industry. Object of analysis has been a pressure storage system of liquid chlorine (part of a larger chemical establishment) in the open air with three stock tanks (50 t chlorine; 0,68 MPa (20 °C); one spare tank as emergency capacity) including the pipework up to the transmission into the production. The scope and level of investigation has been limited to the release categories, i. e. no consequence assessment has been performed. Given these conditions for the research project, no risk assessment in a stricter sense has been performed, but an exemplary application of approaches and methods. In this paper the Human Factors (HF) analysis performed including the insights obtained in the framework of the QRA will be presented. This HF analysis is of particular relevance, because all control and safety measures in case of a LOC (Loss of Containment) in the chlorine pressure storage system (CPSS) have to be taken manually by the personal, i. e. there are no automatic safety functions. The analysis of human erroneous behaviour before the occurrence of a LOC during normal operation resulting e. g. in a containment bypassing is also subject of the HF analysis. Focus of the HF analysis within the research project has been the examination of the control and safety actions to be taken after an occurring LOC in the CPSS as well as the unloading of chlorine from a rail tanker into the CPSS. The HF methodology applied has been HERMES /CAC 98/. This methodological framework offers a procedural as well as a functional content: a procedure for consistently and coherently selecting and applying the most appropriate HF methods and techniques for specific analyses to be conducted (retro- and prospective types of analyses) including the identification and definition of data. Further on, a body of methods, models and techniques of its own is implied ready for application to deal with the essential issues of Human Reliability Assessment, i. e., cognitive processes, organisational factors, dynamic Human Machine Interaction, Human Error Management, a taxonomy correlated to the model of human behaviour and the evaluation of the operational experience. The safety report of the operator of the chemical establishment as well as additional information provided during definite plant visits and meetings have been the basis for the work carried out in the research project. Meanwhile, in the analysed chemical establishment safety relevant technical and operational measures have been carried out resp. planned, which have therefore not been subject of the investigations in the research project described in the paper.




187

According to the methodological approach HERMES, first of all the working and socio-technical environment and human-machine interaction have been analysed in order to become acquainted with the procedures and practices that are implemented within the organisation under consideration, as well as with the strategies that affect them. In the course of this process, issues like design, system performance, safety and control system, human tasks, working conditions, organisational and management aspects have been observed, reviewed and evaluated.

Main objective of the first evaluation to be described in detail in the paper has been • information gathering on general issues like plant layout, control rooms, procedures etc.

during plant visits, • the determination and description of operation and system principles and goals as well as

related functions, • the analysis of existing operating procedures with HF related aspects and • the analysis of environmental and contextual (external) conditions and performance

influencing factors, that may affect human behaviour. In the subsequent phase, a detailed and extensive Task Analysis (TA) has been performed, referring to actual manifestations of human behaviour. Such a TA is mainly subject of a QRA to be carried out, but also of an integrated Root Cause Analysis and Accident Investigation. The major issue of the research work carried out thus referred to the TA of the control and safety actions to be taken after an occurring LOC in the CPSS (structural failure of the containment or containment bypassing). Qualitative insights and safety relevant issues to be discussed have been the result of the work, i. e. environmental and contextual conditions and performance influencing factors affecting human behaviour in such a way, that only very pessimistic and estimated quantitative results could have been achieved. Therefore, the qualitative results revealing deficiencies in the safety management system have been documented in the research project and have been discussed with the operator of the establishment. In spite of the more exemplary application of approaches and methods in this research project, the applicability, the power and the efficiency of a systematic HF analysis in the framework of a QRA could clearly be demonstrated – in consideration of the significant safety relevant insights gained, which will be described in detail in the paper. Moreover, we will outline in the paper some of our HF related experiences and insights gained in the nuclear domain, e. g. /SPI 98, 00, 04/. A large number of safety relevant insights referred particularly to the development and improvement of operating procedures partly having a significant impact. Finally, we will provide recommendations that can be given based on the experiences and work performance as well as the safety relevant insights obtained in the chemical industry and the results achieved in the nuclear domain with respect to a systematic and structured HF analysis resp. investigation in order to be able to achieve safety relevant insights and only thereby to reduce the risk of major accidents. References /CAC 98/ Cacciabue P. C. (1998). Modelling and Simulation of Human Behaviour in System Control. Springer-

Verlag Berlin Heidelberg New York



188

/SPI 98/ Spitzer C. (1998). Data Collection and Evaluation as well as Methods for Incorporation into PSAs: Recommendations due to the Experiences Gathered during the Course of the Assessment of PSAs Performed by Utilities. Final Report with reference to IAEA Co-ordinated Research Programme on Collection and Classification of Human Reliability Data for Use in Probabilistic Safety Assessments, May 1998

/SPI 00/ Spitzer C. (2000). Improving Operational Safety in Nuclear Power Plants: Extended Consideration of the Human Factor Issue in PSAs. Proceedings of the 5th International Conference on Probabilistic Safety Assessment and Management (PSAM 5). S. Kondo, K. Furuta (Eds.), held on November 27 - December 1, 2000, Osaka, Japan; pp 627-632. Universal Academy Press, Inc., Tokyo, Japan

/SPI 04/ Spitzer C. (2004). Human Factors Analysis: Central Needs for Practical Applications. Proceedings of the International Conference on Probabilistic Safety Assessment and Management: PSAM 7 – ESREL ´04. C. Spitzer, U. Schmocker, V.N. Dang (Eds.), June 14-18, 2004, Berlin, Germany. Springer-Verlag London (UK)



189

Annex: List of Participants



190

ADOLPH Lars

Det Norske Veritas DNV Germany GmbH Schnieringshof 14 45329 Essen

Fon: +49 (0) 2017296409 Fax: +49 (0) 201729611 [email protected]

Germany

ALEN Hannu

Ministry of Social Affairs and Health Box 536 33101 Tampere

Fon: Fax: +358 3262 72499 [email protected]

Finland

ALLFORD Lee

EPSC 165 - 189 Railway Terrace CV213HQ Rugby

Fon: +441788 534418 Fax: +44 1788 534488 [email protected]

United Kingdom

AMINI Homa

Swedish Work Environment Authority Ekelundsvagen 16 15184 Solna

Fon: +46 8 730 9682 Fax: +46 8 730 9889 [email protected]

Sweden

ATTARD Vincent

Occupational Health and Safety Authority 17, Edgar Ferro, Str. PTA 3153 Pieta

Fon: +356 21247677 Fax: +356 21232909

Malta

AURES Robert

The Bavarian State Ministry of the Environment, Public Health and Consumer Protection Rosenkavalierplatz 2 81295 München

Fon: +49 (0) 89 9214 2451 Fax: +49 (0) 89 9214 2451 [email protected]

Germany

BADEA Nicolae Mircea

National Environmental Guard Uniri Blvd., No. 78, Bl. J2, District No. 3 30837 Bucharest

Fon: +40 21 326 89 80 Fax: [email protected]

Romania

BAHR Waldemar

IG BCE (Mining, Chemical and Energy Industrial Union) Königsworther Platz 6 30167 Hannover

Fon: +49 (0) 511 7631(0) - 409 Fax: +49 (0) 511 76 31 - 7 69 [email protected]

Germany

BARAM Michael

Boston University School of Law 765 Commenwealth Avenue 2215 Boston


United States of America

BARANZINI Daniele

European Commission - Joint Research Centre Via E. fermi 21020 Ispra (VA)


European Commission

BAROJAS WEBER Luis Héctor

Ministry of Environment & Nature Resources Address Blvd. Adolfo Ruiz Cortines 4209 4th Floor Col Jardines en la Montana 14210 Mexico City

Fon: Fax:

Mexico

BEHRENDT Dietmar

State Environment Agency Brandenburg Fehrbelliner Straße 31 16816 Neuruppin


Germany

BELLAMY Linda

White Queen BV Postbus 712 2130 AS Hoofdorp

Fon: +31 2356 51353 Fax: +31 2356 51353 [email protected]

Netherlands

BEYER Kerstin

Federal Ministry for the Environment, Nature Conservation and Nuclear Safety Postfach 120629 53048 Bonn


Germany

BIERMANN Tobias

European Commission BU-9 4/015 1049 Brussels


European Commission

BORGONJON Isabelle

Federal Public Service Employment, Labour and Social Dialogue Ernest Blerstraat 1 1070 Bruessels

Fon: +32 2 233 45 12 Fax: +32 2 233 45 69 [email protected]

Belgium

BOURILLET Cédric

Ministry for Ecology and Sustainable Development 20 Avenue de Ségur 75007 Paris


France



191

BREKAU Uwe

Bayer AG Building 9 Corporate Center Bayer AG 51368 Leverkusen

Fon: +49 (0) 214 3072610 Fax: [email protected]

Germany

BUCHMÜLLER-KIRCHHARDT Renate

Federal Ministry for the Environment, Nature Conservation and Nuclear Safety Postfach 12 06 29 53048 Bonn


Germany

CACCIABUE Pietro Carlo

European Commission - Joint Research Centre V E. Fermi 1 21027 Ispra (VA)

Fon: +39 0332789869 Fax: [email protected]

European Commission

CADARIU Radu

Ministry of Environment and Water Management B-dul Liebertatii, No 12 40129 Bucharest

Fon: +4021 316 04 21 Fax: +4021 316 0421 [email protected]

Romania

CAJKOVA Henrieta

Ministry of Environment Nam. L. Stura 1 812 35 Bratislava


Slovakia

CARDARELLI II John

US Environmental Protection Agency 26 W Martin Luther King Dr. Room 271 45268 Cincinnati

Fon: +513 487-2420 Fax: +513 487-2537 [email protected]

United States of America

CHRISTOU Michalis

European Commission - MAHB v. Fermi 21020 Ispra


European Commission

COOKE Anne

Pfizer Ireland Pharmaceuticals Ringaskiddy API Ringaskiddy, Co. Cork

Fon: +353 21 4378701 ext. 159 Fax: +353 21 4378432 [email protected]

Ireland

DAG Kemal

Ministry of Environment and Forestry Sogutozu Caddesi 14/E Bestepe 6560 Ankara


Turkey

DAGASAN Mahmut

Ministry of Environment and Forestry Sogutozu Caddesi 14/E Bestepe 65560 Ankara

Fon: +90 312 207 6577 Fax: +90 312 207 [email protected]

Turkey

DAMIAN Hans-Peter

Federal Environment Agency Wörlitzer Platz 1 6844 Dessau

Fon: +49 (0) 340 210 331 63 Fax: +49 (0) 340 2104 3163 [email protected]

Germany

DANIELSSON Fridrik

Administration of Occupational Safety and Health Bildshödi 16 110 Reykjavik


Iceland

DANIHELKA Pavel

VSB - Technical University of Ostrava Lumirova 13 70030 Ostrava


Czech Republic

DARIMONT Thomas

Hessian Ministry for Environment, Rural Development and Customer Protection Postfach 3109 65021 Wiesbaden

Fon: +49 (0) 611 8 15 (0) 1242 Fax: +49 (0) 611 8 15 19 41 [email protected]

Germany

DE SCHOUWER Henri

Flemish Government, International Environmental Policy Division Verdunstraat 36 1130 Brussel


Belgium

DELANOY Paul

Dow Chemical Company Estuary Road PE302JD King's Lynn


United Kingdom

DO CARMO PALMA Maria

Instituto do Ambiente Rua da Murgeira - Zambujal Lisboa


Portugal

DRÄGER Dagmar

Regional Authority Darmstadt Gutleutstr.114 60327 Frankfurt


Germany

DRATHEN NAMUR c/o Bayer Technology Services GmbH Fon: +49 (0) 214 30 71034 Germany



192

Hasso

51368 Leverkusen

Fax: +49 (0) 214 3072774 [email protected]

DROLSHAMMER Lars

Norwegian Pollution Control Authority P.O. Box 8100 Dep 32 Oslo


Norway

DRYANKOVA Conka

Ministry of Environment and Water 67 William Gladstone Str. 1000 Sofia


Bulgaria

DUBIEL Jörk

TÜV NORD SysTec GmbH & Co. KG Große Bahnstr. 31 22525 Hamburg


Germany

DUTA - GHERGUT Maria Magdalena

National Environmental Protection Agency Aleea Lacui Morii no. 151, sector 6 60841 Bucharest

Fon: +4121 207 1101 Fax: +49 (0) 4021 207 1103 [email protected]

Romania

EBERT Klaus

Saxonian State Ministry for Environment and Agriculture Archivstr. 1 1097 Dresden


Germany

ENGSTRÖM Anna-Karin

Swedish Rescue Services Agency Karolinen 65180 Karlstad

Fon: +46 54135060 Fax: +46 54135600 anna-karin.engströ[email protected]

Sweden

ERTMANN Reinhold

Ministry of the Environment Baden-Württemberg Postfach 103439 70029 Stuttgart

Fon: +49 (0) 711 12 6(0) 29 68 Fax: +49 (0) 711 2224957 2968 [email protected]

Germany

FAHLBRUCH Babette

TÜV NORD SysTec GmbH & Co. KG Große Bahnstraße 31 22525 Hamburg

Fon: +49 (0) 30 201 77 454 Fax: +49 (0) 30 201 77 488 [email protected]

Germany

FENDLER Roland


Fon: +49 (0) 340 21 03 36 79 Fax: +49 (0) 340 21 04 36 79 [email protected]

Germany

FERNANDEZ Raquel

Dirección General de Protección Civil Quintiliano 21 28002 Madrid


Spain

FESTAG Sebastian

University of Wuppertal Kluser Höhe 50 42119 Wuppertal


Germany

FISCHBACH Ursula

German Branch of Friends of the Earth (BUND) Merowingerstr. 88 40225 Düsseldorf

Fon: +49 (0) 0 41 61 4 03 01 05 Fax: +49 (0) 0 41 61 4 03 01 05 [email protected]

Germany

FOLEY Julian

European Commission BU-9 2/189 1049 Belgium


European Commission

FORINT Pavel

Ministry of Environment Vršovická 65 10010 Praha


Czech Republic

FROMMANN Peggy

TÜV NORD SysTec GmbH & Co. KG


Germany

GALKOVA Margita

Slovak Environmental Agency Tajovskeho 28 97590 Banska Bistrica


Slovakia

GALL Bill

Kingsley Management 8 Salisbury Road, Cressington Park L19 0PJ Liverpool

Fon: +44 (0) 151 427 2424 Fax: [email protected]

United Kingdom

GARCES DE MARCILLA Antonia

Direción General de Proteción Civil Quintiliano 21 28002 Madrid


Spain



193

GIERKE Wolfgang

Federal Ministry for the Environment, Nature Conservation and Nuclear Safety Postfach 12 06 29 53048 Bonn


Germany

GNAUSCH Wolfgang

Ministry for the Rural Development, Environment and Consumer Protection Brandenburg Albert- Einstein-Str. 42-46 14473 Potsdam

Fon: +49 (0) 331 866 7356 Fax: +49 (0) 331 275 487 356 [email protected]

Germany

GÖLZ Helmut

SIMON Tanklager Gesellschaft mbH Essener Str. 64 68219 Essen


Germany

GORIS Karen

Flemish Government Konig Albert II-Iaan 20 bus 8 1000 Brussel


Belgium

GROTE Gudela

ETH Zürich Kreutzplatz 5 8032 Zürich


Switzerland

HACKBUSCH Thomas

State Institute for Environment, Measurements and Nature Conservation Baden-Württemberg Griesbachstr. 1 76185 Karlsruhe


Germany

HAILWOOD Mark

State Institute for Environment, Measurements and Nature Conservation Baden-Württemberg Griesbachstraße 1 76185 Karlsruhe


Germany

HARTWIG Martina

University of Wuppertal Rainer-Günther-Str. 21 Geb. FF 24119 Wuppertal

Fon: Fax: [email protected]

Germany

HARTWIG Sylvius

University of Wuppertal Gaußstraße 20 42097 Wuppertal


Germany

HEIDLER Armin

Federal Ministry of Agriculture, Forestry, Environment and Water Management Stubenbastei 5 1010 Vienna


Austria

HEM Gunnar

Directorate for Civil Protection and Emergency Planning P-O- Box 2014 3103 Tonsberg

Fon: +47 33412509 Fax: +47 33310660 [email protected]

Norway

HERMANN Begoña

State Agency for Environment, Water Management and Industrial Inspectorate of Rhineland-Palatinate Kaiser-Friedrich-Str. 7 55116 Mainz

Fon: +49 (0) 6131 60 33 12 47 Fax: +49 (0) 6131 67 49 20 [email protected]

Germany

HEUER Iris-Gesine

State Industrial Inspectorate Hannover Am Listholze 74 30177 Hannover


Germany

HÖCHST Thilo

German Chemical Industry Association (VCI) Postfach 11 19 43 60054 Frankfurt


Germany

HOFFMANN Ralf

Senator for Health, Environment and Consumer Protection Berlin Brückenstr. 6 10173 Berlin

Fon: +49 (0) 30 90252170 Fax: +49 (0) 30 90252929 [email protected]

Germany

HOFINGER Gesine

Platform "Humans in Complex Work Environments" Hohenheimerstr. 104 71686 Remseck


Germany

HOLLENDER ABB Corporate Research Fon: +49 (0) 6203 71 6275 Germany



194

Martin

Wallstadter Str. 59 68526 Ladenburg

Fax: +49 (0) 6203 71 6253 [email protected]

HORN Günter

Horn-Engineering Textorstrasse 55 60594 Frankfurt


Germany

HORSTER Angelika

German Society for Nature Conservation (NABU) Prinz-Ferdinand-Str. 122 47798 Krefeld


Germany

HUDSON Patrick

Leiden University Wassenaarseweg 52 2300RB Leiden


Netherlands

HUET Marie-Chantal

OECD/OCDE 2 Rue André Pascal 75775 Paris cedex 16 Paris

Fon: +33 1 45 24 79 03 Fax: +33 1 44 30 61 80 [email protected]

OECD

JANIK Pawel

National Headquarters of State Fire Service Poland Podchorazych 38 00-463 Warsaw


Poland

JOCHUM Christian

Commission on Process Safety Robert-Stolz-Str. 54 65812 Bad Soden


Germany

JÜRGENS Gerd

Senator for Health, Environment and Consumer Protection Berlin Oranienstraße 106 10969 Berlin


Germany

KANDRÁ Ján

RISK Consult, s.r.o. Ra. ianska 72 83102 Bratislava


Slovakia

KATAI-URBAN Lajos

National Directorate General for Disaster Management h9 Mogyroadi Róad 1149 Budapest


Hungary

KIM Duk-Sik

National Institute of Environmental Research, Ministry of Environment Environmental Research Complex, Kyungsoe-dong, Seo-gu 404-708 Incheon

Fon: +82 32 560 7252 Fax: +82 32 560 7249

Korea

KIVIOJA Siiri

Technical Inspectorate Aru 10/Auna 6 10317 Tallinn


Estonia

KLEIBER Michael



Germany

KOHLEN Rainer

Degussa GmbH Bennigsenplatz 1 40474 Düsseldorf


Germany

KOLESZYNSKI Bogdan

Chief Inspectorate for Environmental Protection Piwna 36/39 80-831 Gdansk


Poland

KRSKO Martin

RISK CONSULT, s.r.o. Ra. ianska 72 83102 Bratislava


Slovakia

KYRIACOU Themistoclis

Department of Labour Inspection 12 Apellis Str. 1493 Nicosia

Fon: +357 224 05673 Fax: +357 226 637 88 [email protected]

Cypros

LACOURSIÈRE Jean-Paul

Chemical Engineering Department, University of Sherbrooke 35, rue Lemoyne


Canada



195

J6A3L4 Repentigny (Quebec)

LAFRENZ Bettina

Federal Institute for Occupational Safety and Health Postfach 17 02 02 44061 Dortmund

Fon: +49 (0) 231 90 71(0) 23 55 Fax: +49 (0) 231 90 71 2364 [email protected]

Germany

LÄHDE Anne-Mari Helena

TUKES (The Safety Technology Authority of Finland) PL 123 181 Helsinki


Finland

LARSEN Ragnhild Gjöstein

Directorate for Civil Protection and Emergency Planning P.O. Box 2014 3103 Tönsberg

Fon: +47 33 41 26 60 Fax: +47 33 31 06 60

Norway

LE COZE Jean-Christophe

INERIS Parc Alata BP2 60550 Verneuil en Halatte


France

LÉVAL Zoltán

Ministry of Economy and Transport Honved u 13-15 1055 Budapest


Hungary

LHEUEREUX Emmanuel

Ministrière de la Région Wallonne Av Prince de Liegé, 15 5100 Jambes


Belgium

LICHT-KLAGGE Uwe

State Industrial Inspectorate Hannover Am Listholz 74 30177 Hannover


Germany

LÖHER Heinz Josef

Bayer Cropscience Industriepark Hoechst 65926 Frankfurt


Germany

LOHRER Wolfgang

Federal Environment Agency Wörlitzer Platz 1 O6844 Dessau


Germany

LORENZ Harald

Hessian Ministry for Environment, Rural Development and Customer Protection Mainzer Str. 80 65189 Wiesbaden


Germany

LÖWE Katharina

Technische Universität Berlin Straße des 17. Juni 135 10623 Berlin

Fon: +49 (0) 30 30 314 265 24 Fax: +49 (0) 30 314 26907 [email protected]

Germany

LUDBORZS Boris

BG Chemie Postfach 10 14 80 69004 Heidelberg

Fon: +49 (0) 6221 5 23 (0) 4 98 Fax: +49 (0) 6221 5 23 4 20 [email protected]

Germany

LUKOSIUS Kestutis

Fire and Rescue Department under the Ministry of the Interior Svitrigailos Str. 19 3223 Vilnius


Lithuania

MADLA Rüdiger

MEAB mbH Neu Fahrland Am Galluner Kanal 15806 Zossen


Germany

MALÝ Stanislav

VÚBP, v.v.i. Praha Jeruzalémská 9 11652 Prague

Fon: +420 224 11 425 Fax: [email protected]

Czech Republic

MARQUARDT Nicki

Institut für experimentelle Wirtschaftspsychologie Weg beim Jäger 193 22335 Hamburg

Fon: +49 (0) 40 50 70 66 92 0 Fax: [email protected]

Germany

MARTA Manuel

NOVA Chemicals Corp P. O. Box 3060 N7T8C7 Sarnia


Canada

MENZEL Federal Environment Agency Fon: +49 (0) 340 2103 2082 Germany



196

Ralf

Wörlitzer Platz 1 6844 Dessau

Fax: +49 (0) 340 2104 2082 [email protected]

MITROPETROS Konstantinos

DECHEMA e.V. Theodor-Heuss-Allee 25 60486 Frankfurt am Main


Germany

MÜLLER Detlef

State Environment Agency Brandenburg Müllroser Chaussee 50 15230 Frankfurt (Oder)


Germany

NÄSSLANDER Helena

Schwedish Rescue Services Agency Karolinen 65180 Karlstad


Sweden

NERONOVA Alla



Bulgaria

NIEMITZ Klaus-Jürgen

Clariant Produkte (Deutschland) GmbH Am Unisys-Park 1 65843 Sulzbach

Fon: +49 (0) 6196 757-7312 Fax: +49 (0) 6196 757-8964 [email protected]

Germany

NYSTRÖM Rune

Swedish Rescue Services Agency Norra Klaragatan 18 65180 Karlstad


Sweden

OH Joy

Ministry of Social Affairs and Employment P.O. Box 90804 2509 Den Haag

Fon: +317 333 5499 Fax: [email protected]

Netherlands

PAK Seungkyoo

Occupational Safety and Health Agency Banwol Blg 4F 777-6 Wonsi-dong 425-852 Ansan


Korea

PANDIT P.V.

Honeywell Control Systems UK Ltd Lovelace Road Southern Industrial Estate Bracknell RG12 8WD Berkshire

Fon: +44 (0) 1344 656 000 Fax: + 44 (0) 1344 655 454 [email protected]

United Kingdom

PHILIP Eric

Internal Ministry - Civil protection 87 - 95 Quai du Docteur Dervaux 92600 Asnières sur seine


France

PLARINA Robbert Jan

Ministry of Housing, Spatial Planning and the Environment P.O. Box 30945 2500 GX Hague


Netherlands

POHLE Horst


Fon: +49 (0) 340 21 03 - 33 74 Fax: +49 (0) 340 21 04 - 33 74 [email protected]

Germany

PRAZÁKOVÁ Martina



Czech Republic

RAUPACH Oliver

TÜV NORD SysTec GmbH & Co. KG Große Bahnstr. 31 22525 Hamburg


Germany

REDDEHASE Bruno

State Industrial Inspectorate Hannover Am Listholze 74 30177 Hannover


Germany

RICHTER Birgit

North Rhine Westphalia State Agency for Nature, Environment and Consumer Protection Postfach 101052 45610 Recklinghausen


Germany

RUUD Arnfinn

The Labour Inspection Authority Havnegata 10 3040 Drammen


Norway

SABLINSKIENE Ausra

Fire and Rescue Department under the Ministry of the Interior

Fon: +370 5 271 7534 Fax: +370 5 216 3494

Lithuania



197

Svitrigailos Str. 18 3223 Vilnius

[email protected]

SALONG Rivo

Estonian Rescue Board Raua 2 10124 Tallinn


Estonia

SAVOV Nikolay



Bulgaria

SCHMELZER Peter

Bayer Industry Services GmbH & Co. OHG Gebäude B 407 51368 Leverkusen

Fon: +49 (0) 214 30(1) - 61259 Fax: +49 (0) 214 30 - 966 12 59 [email protected]

Germany

SCHMIDT Dirk

Federal Institute for Materials Research and Testing Unter den Eichen 87 12200 Berlin


Germany

SCHMIEDER Wilfried

Bayer Cropscience Industriepark Hoechst 65926 Frankfurt am Main


Germany

SCHÖBEL Markus

Berlin University of Technology Sekr. F7, Marchstr. 12 10587 Berlin


Germany

SCHWITTE Josef

State Ministry of Urban Development and Environment Hamburg Billstr. 84 20539 Hamburg

Fon: +49-(0) 40 428 45 4169 Fax: +49-(0) 40 428 45 4117 [email protected]

Germany

SEEBAUER Ralf

German Society for Nature Conservation (NABU) Auf der Weide 38 47669 Wachtendonk


Germany

SEITZ Stephan

TÜV Süd Industrie Service GmbH Westendstrasse 199 80686 München


Germany

SENZACONI Francisc

General Inspectorate for Emergency Situations 46 Banu Dumitrache 23765 Bucharest


Romania

SKREHOT Petr

VÚBP, v.v.i. Praha Jeruzalémska 9 11652 Prague


Czech Republic

SLUKA Vilém



Czech Republic

SORSA Ilkka Ensio

Neste Oil Oyj Juttenpolku 2 B 7 6100 Porvoo


Finland

SPITZER Cornelia

TÜV SÜD ET Dudenstr. 28 68167 Mannheim


Germany

STANGL Maria

Styrian Regional Government Landhausgasse 7 8010 Graz


Austria

STEFAN Marian

National Environmental Guard No. 1, Nerva Traian Street 31041 Bucharest


Romania

STOOF Hans-Joachim

State Office for Occupational Health and Safety Brandenburg Horstweg 57 14478 Potsdam

Fon: 0331 8683 201 Fax: 0331 864335 [email protected]

Germany

STRUCKL Federal Ministry for Economics and Labour Fon: +43 171 100 5839 Austria



198

Michael

Stubenring 1 1011 Vienna

Fax: +43 171 42 718 [email protected]

SUGDEN Caroline

Health and Safety Laboratory Harpur Hill, Buxton SK17 6RJ Derbyshire


United Kingdom

SUSINI Alberto

Geneva Labour Inspectorate Rue des Noirettes 35 1227 Carouge


Switzerland

SZAFINSKI Heike

Ministry of the Environment, Nature Conservation, Agriculture and Consumer Protection North Rhine-Westphalia Schwannstr. 3 40476 Düsseldorf


Germany

TAMURA Shuji

Ministry of Economy, Trade and Industry of Japan (METI) 1-3-1 Kasumigaseki, Chiyoda-ku, 100-8986 Tokio


Japan

TRCKA Tomas

Ministry of Environment Nam. L. Stura 1 812 35 Bratislava


Slovakia

TROSS Jaan

Estonian Rescue Board Raua 2 10124 Tallinn


Estonia

TSCHIEDEL Kerstin

State Environment Agency Brandenburg Dammweg 11 16303 Schwedt/Oder


Germany

UTH Hans-Joachim



Germany

VALANTO Tapani

Safety Technology Authority P.O. Box 123 181 Helsinki


Finland

VAN GILS Erik

Federal Public Service Employment, Labour and Social Dialogue Ernest Blerostraat 1 1070 Brussels

Fon: +32 2 233 45 21 Fax: +32 2233 45 69 [email protected]

Belgium

VAN STAALDUINE Jacob

Ministry of Housing, Spatial Planning and the Environment P. O. Box 30945 2500 GX Hague


Netherlands

VAN WISSEN Purdey

Dutch Ministry of Social Affairs P. O. Box 90801 2509 Hague

Fon: +31 70 333 4608 Fax: [email protected]

Netherlands

VASS Gyula

National Directorate General for Disaster Management 49 Mogyoaódi Road 1149 Budapest


Hungary

VENÂNCIO Catarina

Servico Nacional de Bombeiros e Protecca Civil Av. do Forte em Carnaxide 2794-112 Carnaxide


Portugal

WIESE Norbert

North Rhine Westphalia State Agency for Nature, Environment and Consumer Protection Postfach 101052 45610 Recklinghausen

Fon: +49 (0) 201 79 95 19 40 Fax: +49 (0) 201 7995 1910 [email protected]

Germany

WIKSTRÖM Per-Olof

Swedish Rescue Services Agency Karolinen 651 80 Karlstad


Sweden

WILPERT Bernhard

Berlin University of Technology Franklinstr. 28

Fon: +49 (0) 30 314 22915 Fax: +49 (0) 30 314 25434

Germany



199

10587 Berlin

[email protected]

WINDHORST Jan Cornelis Arie

NOVA Chemicals Corp P.O. Box 5006 T4N 6A1 Red Deer


Canada

WITTER Rolf

Schirm GmbH Mecklenburger Straße 829 23568 Lübeck


Germany

WODTKE Bärbel

State Environment Agency Brandenburg Seeburger Chaussee 2 14476 Potsdam OT Groß Glienicke


Germany

WOOD Ron

Transport and General Workers Union 47 Penfold Way CH49NL Dodleston Chesire


United Kingdom

WOOD Maureen

European Commission Via E. Fermi 1 - TP 670 21020 Ispra


European Commission

YANG Hee-sun

National Institute of Environmental Research, Ministry of Environment Environmental Research Complex, Kyungsoe-dong, Seo-gu 404-708 Incheon

Fon: +82 32 560 7252 Fax: +82 32 560 7249

Korea

ZIEGENFUSS Hans-Peter

Regional Authority Darmstadt Gutleutstraße 114 60327 Frankfurt am Main


Germany

ZIRNITIS Pauls

Ministry of the Environment Peldu iela 25 1494 Riga


Latvia

Herausgeber:UmweltbundesamtWörlitzer Platz 106844 Dessau