- Published: May 2004
- REF/ISBN: 9780852934111
- Edition: 1st
Foreword
An important element of making a continuing demonstration of safe operation under the Control of Major Accident Hazards Regulations (COMAH) 1999 is that a structured and effective process is undertaken to ensure that staffing levels are adequate for abnormal or emergency situations, as well as for normal operations. This is a key issue for the Health and Safety Executive (HSE) in inspection and safety report assessment, and they have observed some companies taking steps to reduce staffing levels, change roles and responsibilities of personnel, and to generally reorganise their operating teams without considering possible adverse effects on safety and health.
Entec was commissioned by HSE to develop a practical methodology that companies could use to identify any weaknesses in staffing arrangements. Following industry and HSE trial and consultation, the research was published by HSE Books as HSE Contract Research Report CRR348/2001 Assessing the safety of staffing arrangements for process operations in the chemical and allied industries. Throughout this user guide, the methodology is referred to as the CRR348/2001 methodology and the report as the CRR348/2001 methodology report.
The CRR348/2001 methodology enables the assessment of staffing arrangements at major hazard process operations to ensure they are sufficient to prevent and/or respond to hazardous incidents. These are considered the worst case for staffing arrangements because they often result in high workload, stress, reliance on communication, and require a timely and effective response. The CRR348/2001 methodology addresses a wide range of human factors issues associated with operating process plants, not just major accidents. It is not designed to calculate a minimum or optimum number of staff to control a process, but to flag where staffing arrangements may not be sufficiently robust.
Whilst the CRR348/2001 methodology is widely used by the major hazard process industries, feedback solicited by the Energy Institute (EI) identified a need for guidance setting out a best practice approach to the CRR348/2001 methodology that captures learnings from its use. In addition, a need was identified for supplementary guidance on how best to apply it to automated plant and/or equipment. EI therefore commissioned Entec to develop this user guide. Note that the user guide does not duplicate the contents of the CRR348/2001 methodology report, and so should be read alongside it.
HSE’s view is that companies should engage with the process where necessary to demonstrate the continuing adequacy of their staffing arrangements, and as part of their management of organisational change using either the CRR348/2001 methodology and this user guide or equally effective alternatives. HSE’s experience also shows that real workforce engagement and participation in the process is necessary if it is to be fully effective.
Although it is believed and anticipated that this user guide will assist those with responsibility for human factors issues, the Energy Institute cannot accept any responsibility, of whatever kind, for adverse health, incidents, injury, damage or loss arising or otherwise occurring because of the application of this user guide.
Amendments to the user guide will be issued by the Institute as considered necessary and users are invited to send comments or suggestions for improvement to the Technical Department, Energy Institute, 61 New Cavendish Street, London W1G 7AR.
1. Best practice user guide for implementing the CRR348/2001 methodology
1.1 Overview
The CRR348/2001 methodology provides a framework for companies to assess the safety of their staffing arrangements. It is intended to be used in circumstances with the potential to cause major accidents. Figure 1.1 illustrates that the methodology is particularly applicable where staffing arrangements have been, or will be changed. It can also assist in meeting obligations and assessing risks, even where changes are not involved.

Figure 1.1 - When to use the CRR348/2001 methodology

Figure 1.2 - Initial considerations when planning to use the CRR348/2001 methodology
The CRR348/2001 methodology is intended to be implemented through a series of workshops attended by assessment teams knowledgeable of the relevant plant, hazards and procedures. Workshops are typically run by a facilitator supported by a scribe (or note taker), and have many similarities to HAZOP. Inputs to the process should reflect current arrangements and performance. Extensive use can be made of existing studies and reports (e.g. COMAH safety reports, offshore safety cases, and the safety management system), although the assessment should verify that these reflect reality. Figure 1.2 indicates the initial planning needed for assessing staffing arrangements.
The CRR348/2001 methodology provides the framework for carrying out the assessment, but relies on active participation by those people who are familiar with the staffing arrangements being assessed, particularly members of operating teams. Typical outputs from an assessment include an evaluation of the staffing arrangements and recommendations for improvement.
In developing the CRR348/2001 methodology, it was recognised that HAZOP had set a precedent for conducting structured hazard assessments. Like HAZOP, the CRR348/2001 methodology can be used to carry out an absolute assessment of a situation to identify potential weaknesses and also be used to compare situations, e.g. to assess the potential impact of changes to staffing arrangements. A comparison between the CRR348/2001 methodology and HAZOP is provided in Annex A.

Figure 1.3 - Overview of the CRR348/2001 methodology
The methodology has two parts:
- Physical assessment - assesses the ability of staff to successfully detect, diagnose and recover hazardous scenarios.
- Ladder assessment - benchmarks organisational factors in relation to industry best practice.
An overview of how these parts of the methodology can be applied, in parallel, is shown in Figure 1.3.
1.2 Physical assessments
There are a number of activities involved in completing a physical assessment:
- Identify scenarios for assessment.
- Develop scenario descriptions.
- Conduct the physical assessment for each scenario using the decision trees provided in the CRR348/2001 methodology report.
- Collate recommendations for improvement.
1.2.1 Identifying scenarios for assessment
A representative cross-section of events that may result in major accidents, either directly or indirectly, should be assessed. For the former, they could include some actual major accidents (e.g. toxic releases, process fires and explosions), whereas for the latter, they could also include some apparently lesser events that may result in the loss of control of a major hazard (e.g. utility and power failures that affect several plants or even a whole site). In addition, indirect events may include those that create a high workload that may restrict the ability of the operating team to detect, diagnose or respond to subsequent major hazard scenarios (e.g. major process trips, extreme weather). For major hazard operations, many of these events should already have been identified in safety reports or cases.
1.2.2 Discussing the scenario
The quality of the physical assessment will depend on how well the assessment team understand the scenario. Existing scenario descriptions from safety reports or cases can be a useful input. However, during the physical assessment the assessment team should discuss what they think could happen in an incident and what the response should be. Whilst it is often assumed that all experienced operators understand the hazards and appropriate response procedures, it is not until an assessment team discuss the issues in some detail that conclusions can be drawn. This also gives an opportunity to compare existing written descriptions with the views and perceptions of the assessment team.
Experience suggests that an unstructured discussion of a scenario can be long-winded and result in complications for the assessment team. Therefore, it is recommended that some structure should be imposed, whilst ensuring the structure does not hinder the discussion. One way to apply some structure is to agree a specific, 'hypothetical' scenario. This may be defined according to:
- A location for the incident with which the assessment team are familiar (e.g. 'at the intersection of roads A and B', 'flange upstream of valve V101', etc.).
- Time of the incident (e.g. '2 a.m. on a Saturday night in winter', 'the time when contractors are signing-on at the permit office', etc.).
- Ongoing activities (e.g. 'two operators are busy overhauling pump P101', 'a tanker is delivering a load of caustic into tank T101', etc.).
- Resources available (e.g. 'shift manager is at the far end of the site', 'operating team are at minimum manning', etc.).
Defining the scenario to this level of detail ensures the assessment team can visualise the incident and subsequently have a consistent view of what is happening. This can prove very useful in the opening discussions, although the scenarios discussed should address all the key issues. This may be achieved by using a 'what-if' approach (e.g. 'what if the incident occurs at another location?' or 'what if the incident occurs at a different time?').
Whether the discussion is structured around a detailed, hypothetical scenario or carried out at a more general level, it is still useful to have some structure for the discussion, and when writing the report. Some forms have been developed to assist this process. Blank forms can be found in Annex D, and examples of completed forms provided in Annex E.

Table 1.1 - Example timeline for a leak/fire scenario
1.2.3 Scenario timeline
In discussing a scenario, it is easy for the assessment team to become confused about what is happening, and difficult for them to remain objective about what can realistically be achieved in the time available. Development of a timeline can be very useful. Table 1.1 provides a useful format.
The timeline in Table 1.1 highlights that, although the fire and rescue service may respond quickly to an event, it takes considerably more time from the start of a leak before they are in a position to extinguish the fire. If ignition of the leak is likely to occur within 54 minutes of a release, there is every likelihood that this scenario cannot be recovered before a potential major hazard occurs.
Some points to consider when developing a timeline are:
- Some events and actions can occur in parallel (i.e. more than one thing happening at the same time).
- There can be long periods when no events or action occur, whilst some critical events have a very short duration (i.e. milliseconds).
- The actual duration of an activity depends on how long it takes someone to get into position with the tools and equipment they need, in addition to the actual time taken to perform the activity itself.
- Communication takes time to perform and whilst communicating people cannot perform other actions (see 1.2.4).
When reviewing a timeline, it should be remembered that the actions required to return a hazardous situation to a 'safe state' may vary as the incident develops: e.g. it could take less time to extinguish a small fire than a large one. This highlights why all credible scenarios should be considered when performing the analysis.
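The points above (parallel events, travel time added to task time, communication occupying the person who performs it, and a single person being unable to do two things at once) can be checked mechanically once the timeline is written down as a list of activities with dependencies. The following is an added example, not part of the user guide or of Table 1.1: the activities, actors and durations are constructed for illustration, and the 54-minute ignition window used in the usage call is the figure quoted in the discussion of Table 1.1, not a result of this calculation.

```python
"""Response timeline for a leak/fire scenario (constructed example, see 1.2.3).

Each activity has an actor, the activities it must wait for, and a duration
split into 'get into position' time and 'do it' time.  Activities for the
same actor are serialised, so time spent communicating delays that person's
next action (1.2.4).  Durations are constructed, not taken from Table 1.1.
"""
from dataclasses import dataclass


@dataclass
class Activity:
    name: str
    actor: str
    after: list            # names of activities that must finish first
    travel: float = 0.0    # minutes to get into position with equipment
    task: float = 0.0      # minutes to perform the action itself

    @property
    def duration(self) -> float:
        return self.travel + self.task


def schedule(activities):
    """Earliest (start, finish) in minutes from release for each activity.

    Activities are processed in list order, which must respect the 'after'
    dependencies; a missing predecessor is reported rather than ignored.
    """
    finish, actor_free, plan = {}, {}, {}
    for a in activities:
        missing = [p for p in a.after if p not in finish]
        if missing:
            raise ValueError(f"{a.name!r} waits on unscheduled {missing}")
        ready = max((finish[p] for p in a.after), default=0.0)
        start = max(ready, actor_free.get(a.actor, 0.0))  # one thing at a time
        finish[a.name] = start + a.duration
        actor_free[a.actor] = finish[a.name]
        plan[a.name] = (start, finish[a.name])
    return plan


def time_to_safe_state(plan, final="extinguish"):
    return plan[final][1]


def recoverable(plan, ignition_window, final="extinguish"):
    """True if the safe state is reached before the ignition window elapses."""
    return time_to_safe_state(plan, final) < ignition_window


# Constructed timeline: a flange leak isolated by the field operator and
# extinguished by the fire and rescue service after a gatehouse escort.
LEAK_FIRE = [
    Activity("gas alarm sounds", "system", [], task=2),
    Activity("CRO1 diagnoses leak", "CRO1", ["gas alarm sounds"], task=3),
    Activity("CRO1 radios FO1", "CRO1", ["CRO1 diagnoses leak"], task=1),
    Activity("CRO2 phones fire service", "CRO2", ["CRO1 diagnoses leak"], task=2),
    Activity("FO1 walks to V101", "FO1", ["CRO1 radios FO1"], travel=6),
    Activity("FO1 closes V101", "FO1", ["FO1 walks to V101"], task=4),
    Activity("fire service reaches gatehouse", "fire service",
             ["CRO2 phones fire service"], travel=12),
    Activity("fire service escorted to scene", "fire service",
             ["fire service reaches gatehouse"], travel=8),
    Activity("set up hoses", "fire service",
             ["fire service escorted to scene", "FO1 closes V101"], task=10),
    Activity("extinguish", "fire service", ["set up hoses"], task=15),
]

if __name__ == "__main__":
    plan = schedule(LEAK_FIRE)
    for name, (s, f) in plan.items():
        print(f"{s:5.1f} -> {f:5.1f}  {name}")
    print("safe state reached at", time_to_safe_state(plan), "min")
    print("recoverable if ignition within 54 min:", recoverable(plan, 54))
```

Re-running the schedule with the CRO2 activity reassigned to CRO1 (as when the second operator has 'popped out', see decision tree 1) shows the 'what if' use of a timeline: the telephone call can no longer run in parallel with the radio call, so the fire service arrives later and the safe state moves out by one minute.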
1.2.4 Communications
Communication is critical in most emergencies. Not only does it take time (and hence should be addressed in a timeline), it also relies on having suitable 'channels' available.
Under 'normal' conditions, communication is relatively simple and people are likely to have a choice of channels to access. In an emergency, communication becomes more complex, and has to be conducted more quickly; hence, it is critical that messages are properly received and understood. Therefore, an analysis of the communication events taking place should be part of any staffing assessment.
Whilst the CRR348/2001 methodology does address communication, it can be useful to map out communication links between key people. Figure 1.4 gives an example of how this may be done during an assessment.
In Figure 1.4 the assessment shows that the control room operators (CROs) are able to communicate with each other and the field operators (FOs) quite effectively. Because different channels on the radio system are used, the FOs cannot communicate directly. Figure 1.4 highlights that CRO2 acts as a focal point with the fire and rescue service and gatehouse. There is some weakness in this arrangement as there is no method for the operating teams to communicate with the fire and rescue service once they arrive on site. In addition, there is a reliance on a single channel for each communication link, giving no redundancy should any failure occur.
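A communication map of this kind can be checked mechanically once the links are listed: which pairs have no direct link, which links rely on a single channel, and which people are single points of failure between the operating team and outside help. The following is an added example, not part of the user guide; the link table is constructed to reproduce the weaknesses described for Figure 1.4 (FOs on separate radio channels, CRO2 as the only focal point for the fire service and gatehouse, one channel per link, and no link to the fire service once on site), and the role names and channel names are assumptions.

```python
"""Communication-link map for an emergency (constructed example, see 1.2.4).

Roles are nodes; each unordered pair that can talk is an edge carrying the
list of channels available for it.  The table below is constructed to match
the weaknesses described for Figure 1.4, not copied from it.
"""
from collections import deque

ROLES = {"CRO1", "CRO2", "FO1", "FO2", "gatehouse",
         "fire service (remote)", "fire service (on site)"}

LINKS = {
    ("CRO1", "CRO2"): ["face to face"],
    ("CRO1", "FO1"): ["radio ch 1"],
    ("CRO2", "FO2"): ["radio ch 2"],
    ("CRO2", "gatehouse"): ["telephone"],
    ("CRO2", "fire service (remote)"): ["telephone"],
    # no entry for the fire service once on site: nobody can reach them
}


def adjacency(links, exclude=()):
    """Undirected adjacency map, optionally with some roles removed."""
    adj = {r: {} for r in ROLES if r not in exclude}
    for (a, b), channels in links.items():
        if a in adj and b in adj:
            adj[a][b] = channels
            adj[b][a] = channels
    return adj


def reachable(adj, start):
    """Roles reachable from start, directly or via intermediaries (BFS)."""
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in adj[queue.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def direct_link(links, a, b):
    return (a, b) in links or (b, a) in links


def single_channel_links(links):
    """Links with no redundancy: one channel failure severs them."""
    return sorted(pair for pair, channels in links.items() if len(channels) < 2)


def cannot_reach(links, a, b):
    return b not in reachable(adjacency(links), a)


def single_points_of_failure(links, target="fire service (remote)"):
    """Roles whose loss cuts someone off from the target who could reach it before."""
    base = reachable(adjacency(links), target)
    spof = []
    for role in sorted(ROLES - {target}):
        still = reachable(adjacency(links, exclude={role}), target)
        if any(r not in still for r in base - {role}):
            spof.append(role)
    return spof


if __name__ == "__main__":
    print("FO1 can talk directly to FO2:", direct_link(LINKS, "FO1", "FO2"))
    print("links with a single channel:", single_channel_links(LINKS))
    print("no route to fire service on site:",
          cannot_reach(LINKS, "FO1", "fire service (on site)"))
    print("single points of failure:", single_points_of_failure(LINKS))
```

The single-point-of-failure check reports CRO2 (the focal point for the fire service and gatehouse) and also CRO1, because FO1 can only reach anyone through CRO1's radio channel; both are findings a facilitator would want on the table.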
1.2.5 Personnel movements
In developing and analysing the timeline for an event, the locations of people and what they are doing should be known. The assessment team should be realistic about what can be achieved, as no one can be in two places at the same time. Therefore, it is often useful to have a plan of the site available during the assessment, and to use moveable markers or tags to track where people are likely to be when an incident starts, and how they move throughout the site. This is illustrated in Figure 1.5, which shows likely starting positions for the CROs, FOs and shift supervisor (SS).

Figure 1.4 - Communication channels

Figure 1.5 - Tracking personnel movements
1.2.6 Conducting the physical assessment
The CRR348/2001 methodology provides eight decision trees for conducting the physical assessment. Working from the top of each tree, a series of questions is asked. The assessment team are required to reach consensus for each answer, and this will then determine where the analysis is taken, until a pass or fail point is reached, at which point the analysis moves on to the next tree in sequence.
The decision trees were developed on the basis that all scenarios would require a team of people to respond. The main contributors will be members of the operating team responsible for the plant or area of plant affected. This may be a team of CROs and FOs, although the CRR348/2001 methodology has been successfully used for scenarios involving only FOs, or operators who have a combined control room and field role. Also, it is recognised that for many scenarios the operators may require support from other people, including members of other operating teams, other shift personnel (e.g. shift manager, site security, laboratory), day staff (with arrangements for contacting them outside of normal hours) and the emergency services. Support may be physical, or oral (e.g. via a telephone).
Although the decision trees in the CRR348/2001 methodology are presented in some detail, they only serve as a guide for the assessment team to ensure that they discuss the key issues during the workshop.
1.2.7 Underlying principles of the physical assessment decision trees
To further assist assessment teams, the underlying principles are set out for each physical assessment decision tree.
Decision tree 1:
Is the control room continuously manned?
The issues at stake here depend on the control room manning philosophy. If it is the case that the control room should be manned at all times, the questioning should examine whether there would ever be an occasion when this could not be achieved. For example:
- Do CROs sometimes 'nip onto the plant' to reset a trip or open a valve?
- Are they always covered when taking a comfort break?
If a control room houses more than one operator:
- What happens if they are not all present?
- Are the remaining operators all able to respond appropriately to all scenarios?
- If they are not, how do they contact the operator who has 'popped out'?
For control rooms that are not continuously manned, the issue is how reliably an operator will detect a scenario before it gets to a situation where actions cannot be sure to prevent unwanted consequences. If an alarm is used to notify a situation, the equipment should be reliable (i.e. it will sound when required) and a response should be assured (i.e. that the operator will hear the alarm, and not be distracted by many nuisance alarms that may delay the response). It cannot be assumed that a system is reliable, and it is unlikely that a single device will be sufficiently reliable (i.e. there should be a high degree of redundancy).
Decision tree 2:
Does the CRO have to perform tasks away from the console?
This tree explores what the CROs actually do in the control room that takes them away from the console. For example, do they need to issue permits to contractors, use a computer to access email, perform other administrative tasks, or visit a separate panel or console? If so, how likely is it that they will miss an early indication of a scenario? Once again, this depends on equipment reliability and the extent to which a response can be assured. It can also relate to how well the control system interface is designed, and whether it makes it effective at alerting operators to events and communicating key plant information quickly and reliably.
Decision tree 3:
As well as monitoring process parameters, what else does the CRO have to do?
The main issue here is whether the CROs are ever distracted by other people and/or tasks. Discussions should identify any times when this can be a problem (e.g. when contractors are signing-on for work, shift handover, meal times) and explore whether missing an early indication of a scenario could occur. Even if the assessment team conclude this is unlikely, it is a good idea to ask what if it was to happen.
Nuisance alarms are a major cause of distraction for operators. Although a scenario may cause only a small number of alarms at first, related events may cause more. For example, if a scenario occurs during a plant start-up, how many alarms will already be sounding and will it be possible to reliably detect an abnormal situation?
Decision tree 4:
Does the CRO need additional information for problem diagnosis and recovery?
To assess this tree it is first necessary to consider what information is available to the operators to assist in diagnosis (e.g. procedures, job aids, drawings). If information is provided and is not used, the reasons should be determined. If the assessment team feel it is because the operators are fully competent in diagnosis, this should be demonstrated. If it cannot, there may be a problem with content or format, or a cultural problem of over-reliance on operator competence.
Decision tree 5:
Does the CRO need to call for assistance for problem diagnosis and recovery?
The tree examines the communication that takes place during diagnosis, and its reliability. The most important communication is usually between CROs and FOs, and with the SS and technical support staff.
In this case, it is necessary to consider equipment reliability and the likelihood that people involved in the communication will be able to contribute to the diagnosis. Radios are often the main communication method on a plant. There are often issues with handsets used by FOs. However, base-station reliability is usually of more concern as, if that fails (and there is no back-up), no one is able to communicate.
Telephones are widely used. A control room may have more than one telephone line; however, if the person they are calling does not (or if the CROs only have one phone number), it should not be considered as an adequate back-up.
Mobile phones are also being used increasingly. People believe they provide a more reliable means of communication, because someone can carry one at all times. However, again there may be no backup if any component in the system fails. In addition, in an emergency the Police have the power to shut down all mobile phone networks.
Decision tree 6:
Who executes recovery actions?
In the many scenarios where CROs and FOs work together, this tree is not assessed in any detail.
Where CROs respond to a scenario alone, this tree examines where they need to be to carry out the response. If this is away from the console or control room, the question should be whether they will reliably be able to perform their actions and/or detect escalation or other events.
There can be a tendency to assume recovery from the control room is straightforward because there is an emergency trip system and/or automatic shutdown devices. In discussing this tree, operators’ assumptions about how the systems operate and their reliability should be tested. In addition, the assessment team should establish how quickly they would actually respond, and whether they would wait for confirmation and/or approval from others.
Decision tree 7:
Does the CRO need to communicate with the field to perform recovery?
This tree focuses largely on the reliability of communication between the control room and the other people involved in the response, especially FOs. This includes the equipment reliability, but also usability (e.g. will people be able to use communication equipment during an emergency, or will they be restricted by noise caused by the event, the need to wear personal protective equipment or workload?).
Once again, radios are usually the main form of communication. There is often no backup device, so the reliability of the radio system is crucial (hence critical components or potential common causes of failure should be identified). Use of 'runners' is acceptable as a back-up system, as long as it can be ensured that people would be available and that it would be safe for them to do so.
Decision tree 8:
As well as performing recovery actions, what else does the CRO have to do?
This tree examines how well the CROs are able to concentrate on response actions, and to what extent they are distracted. In this case, the consequence of poor arrangements can be errors in performing the response, and failure to detect escalation or other events. In this case, alarm 'floods' are of particular concern as they are very distracting and can cause the operator to miss critical information.
1.3 Ladder assessments
Rather than being related to specific hazardous scenarios, the ladder assessment is carried out on a more general basis. Therefore, each ladder assessment only needs to be carried out once (i.e. not for each scenario), although it can be useful for the same ladder to be assessed by more than one assessment team. Each ladder addresses a specific issue related to the human factors of the staffing arrangements.
The following ladders are included in the CRR348/2001 methodology report:
- Situational awareness.
- Teamworking.
- Alertness and fatigue (workload and health impacts).
- Training and development.
- Roles and responsibilities.
- Willingness to initiate major hazard recovery.
- Management of operating procedures.
- Management of change.
- Continuous improvement of safety.
- Management of safety.
In addition, a new ladder entitled 'Automated plant and/or equipment' has been developed (see Figure 2.3 in Section 2).
1.3.1 Carrying out a ladder assessment
The stages of the ladder assessment are:
- Select the ladders to be assessed during the study.
- For each ladder, review the introductory statement and ensure the assessment team understands the topic.
- Answer the questions provided.
- Conduct the ladder assessment.
- Collate recommendations for improvement.
Ladder assessments address issues that are generally more subjective than those covered by the physical assessment. The aim is for the assessment team to achieve a consensus of how they perceive current performance of the various human factors assessed, and the potential impact of proposed changes. The facilitator has a key role in ensuring the team discusses all issues fully and that the participants agree with the outcome of the assessment.
1.3.2 Introductory statements
The CRR348/2001 methodology report provides introductory statements for each of the ladders. They aim to set the scene for the assessment. As well as explaining how the assessment should be conducted, the statements also introduce some of the terminology that is likely to be used, giving the team the opportunity to seek clarification before more detailed discussions start. It is usually sufficient for the facilitator to read the introductory statement, and then to ask for any questions or comments from the assessment team.

Figure 1.6 - Ladder assessment
1.3.3 Guidance questions
The CRR348/2001 methodology report provides a set of guidance questions that are directed to different groups within the assessment team, including operators, support staff and management. In addition, a list of documents that should be available when conducting the ladder assessment, or for reference after the assessment, is provided.
1.3.4 Using the ladders
The overall objective of the ladders is not to define a minimum standard, but to instigate continuous improvement. Each of the ladders has a series of statements that form 'rungs'. These statements describe different circumstances that an organisation may have achieved. The bottom rung (labelled 'Z') is a circumstance where the organisation has failed to consider the factor. The top rung (labelled 'A') was considered industry best practice in relation to the factor at the time of developing the methodology. See Figure 1.6 for an overview of a ladder and its rungs.
The CRR348/2001 methodology defines a point on each ladder that is considered the 'minimum acceptable level' based on legal compliance and/or best practice. This is shown on each ladder as a dotted line. The number of rungs below and above this level varies across the ladders. Rungs below the line are labelled between 'V' and 'Z' and rungs above the line are labelled between 'A' and 'G'.
The assessment is carried out starting at the bottom rung (rung 'Z') of the ladder. A rung is achieved if the assessment team agree that there are arrangements in place and/or planned to achieve those described. Only once a rung has been achieved can the next higher rung be considered. The ladder assessment is shown in Figure 1.6.
1.3.5 Agreeing the results of a ladder assessment
It is important to remember that the methodology provides only a framework for carrying out an assessment. For the ladder assessments, one aim is to stimulate a level of discussion in order to provide a consensus about performance for the various human factors. Therefore, as well as agreeing which rung on a ladder is achieved, the assessment team should discuss whether that matches their perceptions. For example, if a low rung is achieved the team should agree that there are significant weaknesses in the existing arrangements. If this is not the case, a review of the higher rungs may reveal that a relatively minor weakness has caused a problem on one particular rung. In this case, whilst the initial assessment will stand, the action required to improve the results will normally be relatively simple. Alternatively, if a higher rung is achieved the assessment team should ensure they are comfortable with the conclusion that arrangements are relatively good. Sometimes it is the case that the initial assessment is carried out, based on knowledge of systems and procedures. However, on reflection the team decide that, in practice, the system does not always work as intended, and review their assessment.
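The climbing rule in 1.3.4 and the 'one minor weakness holds the result down' case in 1.3.5 can be captured in a few lines, so that the recorded result always shows both the rung formally achieved and any higher rungs the team agreed are in place above the blocking rung. The following is an added example, not part of the user guide or of the CRR348/2001 ladders; the rung statements, the ladder name and the number of rungs on each side of the dotted line are constructed for illustration.

```python
"""Ladder assessment walker (constructed example, see 1.3.4 and 1.3.5).

Rungs run from 'Z' at the bottom to 'A' at the top.  The minimum acceptable
level (the dotted line) sits between the last below-line rung (V..Z) and the
first above-line rung (A..G).  The assessment climbs from 'Z' and the result
is the highest rung achieved without a gap.  Statements are constructed.
"""


class Ladder:
    def __init__(self, name, below, above):
        # below / above: lists of (label, statement), each ordered bottom to top
        self.name = name
        self.rungs = list(below) + list(above)
        self.minimum_index = len(below)  # first rung at or above the dotted line

    def assess(self, achieved):
        """achieved: {label: bool}, the team's consensus for each rung.

        Returns the rung achieved without a gap, whether the minimum acceptable
        level is met, the rung that stopped the climb, and any higher rungs the
        team also agreed are in place.  A non-empty last item is the 1.3.5 case:
        a single weakness on one rung is holding down an otherwise good result.
        """
        top, first_fail = -1, len(self.rungs)
        for i, (label, _) in enumerate(self.rungs):
            if not achieved.get(label, False):
                first_fail = i
                break
            top = i
        blocking = self.rungs[first_fail][0] if first_fail < len(self.rungs) else None
        above_block = [lab for lab, _ in self.rungs[first_fail + 1:]
                       if achieved.get(lab, False)]
        return {
            "rung": self.rungs[top][0] if top >= 0 else None,
            "meets_minimum": top >= self.minimum_index,
            "blocking_rung": blocking,
            "achieved_above_block": above_block,
        }


# Constructed ladder: three rungs below the line, four above.
MANAGEMENT_OF_CHANGE = Ladder(
    "Management of change (constructed)",
    below=[
        ("Z", "No process for assessing the effect of staffing changes."),
        ("Y", "Changes are assessed informally by the manager making them."),
        ("X", "A written change procedure exists but is not always followed."),
    ],
    above=[
        ("D", "All staffing changes go through a documented risk assessment."),
        ("C", "Operators take part in assessing changes that affect them."),
        ("B", "Changes are monitored after implementation and reviewed."),
        ("A", "Lessons from reviews feed back into the change procedure."),
    ],
)

if __name__ == "__main__":
    team_view = {"Z": True, "Y": True, "X": True, "D": True,
                 "C": False, "B": True, "A": False}
    print(MANAGEMENT_OF_CHANGE.assess(team_view))
```

In the usage call the team reach rung 'D', which is above the dotted line, but rung 'C' (operator participation) blocks them from 'B', which they agree is in place; the report would record 'D' and a relatively simple action on 'C', exactly the case described above.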
1.4 Reporting results
A careful balance needs to be achieved when reporting the staffing assessment results. On one hand, a great deal of information will have been collected and used in the assessment, and this may be useful in the future. On the other hand, if the report is too large and/or complex it is less likely to be read and acted upon. Experience has shown that reports for assessments using the CRR348/2001 methodology should:
- Provide only brief summaries of each physical and ladder assessment (ideally less than two pages for each).
- Prioritise recommended actions according to both risk and the complexity (effort) required to implement them.
- Use graphical representations to provide an overview of assessment results in the report summary.
1.4.1 Physical assessment summary
The report should include a summary for each hazardous scenario considered during the physical assessment. The summary should have the following three sections:
- Scenario description - one or two paragraphs describing the causes and potential consequences considered, and the expected response.
- Physical assessment - one or two paragraphs describing any issues that emerged when reviewing the decision trees during the physical assessment. Also, a table showing passes and fails for each tree, plus relevant comments.
- Suggested actions - a table of actions required with prioritisation.
It is not considered necessary to include copies of the completed decision trees in the report. The above summary should provide enough information for any reader. A form has been developed to assist in recording the results from a physical assessment (see Figure D.2 in Annex D).
1.4.2 Ladder assessment summary
The report should include a summary for each ladder assessment. The summary should have the following four sections:
- Response to operator background questions - one or two paragraphs giving an overview of responses (it is not considered necessary to provide an answer to each question).
- Response to any other background questions - one or two paragraphs giving an overview of responses to questions directed at other personnel (e.g. management, support staff).
- Results from the ladder assessment - start with a statement of which rung was achieved, followed by a summary of key issues that emerged when reviewing the ladder.
- Suggested actions - a table of actions required with prioritisation.
It is not considered necessary to describe every rung on the ladder with reasons why it was achieved, or not. A form has been developed to assist in recording the results from a ladder assessment (see Figure D.3 in Annex D).
1.4.3 Prioritising actions
Experience has shown that most staffing assessments identify a number of weaknesses in existing and/or planned staffing arrangements. This usually results in a substantial number of recommended actions that can vary in their criticality and complexity (effort) required to implement them. Therefore, it is very useful to prioritise any actions resulting from a staffing assessment. Table 1.2 suggests a method of rating each action, although many companies will have alternative methods of prioritising actions based on risk that are entirely appropriate (e.g. risk assessment matrices).

Table 1.2 - Prioritising recommended actions

Table 1.3 - Tabulated results of a physical assessment

Table 1.4 - Tabulated results of a ladder assessment
It is recognised that, whilst the assessment team may make recommendations, it is a management function to agree and implement change. To develop action plans the following rationale should be adopted:
- All actions involving low effort should be implemented as soon as possible, no matter the criticality, because the effort is minimal.
- All high criticality actions should be implemented as soon as possible, no matter the effort required. A thorough risk assessment would be required to demonstrate why any such action is not implemented.
- Low and medium criticality actions that require a high level of effort will be of low priority.
1.4.4 Overview of physical assessment results
Table 1.3 provides a method of displaying the results of a physical assessment.
This makes it apparent whether the response to particular scenarios is weak (i.e. has more failures than others) and/or whether there are consistent weaknesses across a number of scenarios. It is also possible to present a number of circumstances together to compare the results (e.g. before and after a proposed organisational change to assess the expected impact).
1.4.5 Overview of ladder assessment results
Table 1.4 provides a method of graphically displaying the results of a ladder assessment.
1.5 When should staffing arrangements be assessed using the CRR348/2001 methodology?
Organisations should assess their risks, and revisit their assessments periodically, in particular before, during and after any organisational change that may impact the way the risks are managed. As the CRR348/2001 methodology is a form of risk assessment such an approach would be considered good practice.
Until recently, little was understood about the risks associated with staffing arrangements, so the first use of the CRR348/2001 methodology is often prompted by a planned organisational change. In this case, the methodology should be used in parallel with the arrangements for managing the change. This may work as shown in Figure 1.7.
It should be remembered that the CRR348/2001 methodology provides a tool for assessing risks, and is not a substitute for a system for managing the risks of organisational change, which requires:
- commitment and resources;
- clear systems;
- participation and communication;
- performance monitoring;
- review.
Further guidance is provided in HSE Organisational change and major accident hazards.
Conducting a staffing assessment at the wrong time can cause significant problems. For example, waiting until just before a change is to be implemented makes it very difficult for any recommendations to be carried out in time. It can also have a de-motivating effect if the assessment team feel they are wasting their time.
It is also critical that if a change to staffing arrangements is being assessed, the details of that change have been fully communicated to, understood and accepted by the assessment team. Any misunderstanding will affect the accuracy of the assessment. In addition, if the assessment team have any grievances with proposed changes, these are liable to be voiced during the assessment, especially if the results appear to confirm their worst fears.
1.6 How long does an assessment take?
Whilst the CRR348/2001 methodology provides a tool for assessing risks, the greatest value from its implementation comes from the discussion that takes place during the workshops. Figure 1.8 shows a timeline for a typical day using the methodology. Experience has shown that a physical assessment, including discussing the scenario, takes about two hours whilst a ladder assessment takes about one hour. Assessment teams can find it quite taxing, so plenty of breaks should be scheduled. In addition, it should be noted that the first assessments might take longer, especially if the facilitator is not very familiar with the process.
As there are ten ladders, the timeline shown in Figure 1.8 means each staffing assessment will require a minimum of five days. This would allow ten physical assessments to be carried out. Experience has shown that it is better to carry out an assessment with a series of half-day workshops, rather than as a single continuous effort.

Figure 1.7 - Flow diagram of the role of staffing assessment in managing change

Figure 1.8 - Timeline for using the CRR348/2001 methodology
Other considerations when determining the time required to conduct an assessment using the CRR348/2001 methodology include:
- The number of hazardous scenarios requiring a physical assessment.
- The number of people to be involved in the assessment (e.g. using one assessment team to conduct the whole assessment, or allowing a larger group the opportunity to take part).
- The number of times each assessment is carried out (e.g. only once, or a number of times by different assessment teams to compare results).
The time estimates above are considered the minimum. In some cases, it may be more appropriate to conduct fewer analyses, but to go to a much higher level of detail. Assessment teams have been known to spend a whole day assessing one hazardous scenario, although in reality this may be considered a number of sub-scenarios combined. However, if the physical and ladder assessments are taking much less time than the estimates suggest, it should be ascertained whether the spirit of the methodology is being adhered to (e.g. has there been sufficiently robust questioning and/or is there sufficient evidence to support the conclusions?). In addition, it is noted that assessing more than about ten hazardous scenarios for a plant can result in data overload, which can detract from the overall aims of the assessment.
1.7 Scope of the study
There are a number of options when using the CRR348/2001 methodology. It may be appropriate to conduct a fully comprehensive assessment, but this is not always necessary. The following factors will guide the decision:
- Level of hazard - typically the higher the level of hazard, the more comprehensive the study should be.
- Known issues - if problems with certain staffing arrangements are already known, including them in the study may not add any value.
- The number of people to be involved - if the same individuals are to be involved throughout the study it can result in a high degree of repetition. However, the method is a good opportunity to get people involved, in which case a wider scope may be useful.
- The objectives of the study - the first study using the methodology may be considered as a 'pilot,' in which case it is advisable to reduce the scope. In addition, it may be better to plan several smaller studies over a longer time, than to carry out a single large study.
1.8 Supporting documentation and evidence
Supporting documentation and evidence are invaluable in assisting the assessment; these may take the form of process flow diagrams, piping and instrument diagrams, procedures, emergency plans and safety management systems. Some may be useful during the workshops, whilst others may assist in writing the assessment report. However, the assessment aims to establish how staffing arrangements function in practice, and this may differ from how they are documented.
1.9 Selecting an assessment team
The CRR348/2001 methodology relies on a team-based approach to allow the level of discussion necessary to achieve the objectives. It should never be carried out by an individual working alone.
The minimum requirements of the assessment team are:
- The assessment should be organised.
- The assessment workshops should be facilitated.
- Comprehensive notes should be taken during the workshops.
- Participants should have sufficient knowledge of the process operations, hazardous scenarios and staffing arrangements that will be discussed.
- Process operators should be included.
1.9.1 The organiser
A staffing assessment needs an organiser to make logistical arrangements, including booking rooms, informing the assessment team of dates and times, providing refreshments and any necessary equipment (typically flip charts, white boards, projectors). The contents for each workshop should also be organised, including the hazardous scenarios for the physical assessments, and the ladder assessments to be conducted. A checklist to assist in organising an assessment using the CRR348/2001 methodology is provided in Figure F.1 in Annex F.
1.9.2 The facilitator
The facilitator should have the inter-personal skills to lead the assessment team, including ensuring discussion takes place and consensus is reached. They should also be familiar with the methodology. Although the method has been developed to require relatively little knowledge, the facilitator should take some time to prepare.
As with any facilitation role, it is helpful to appoint a facilitator who is relatively remote from the issues being discussed, and hence able to remain objective. The facilitator should also be trusted, so that the assessment team are not inhibited in any way over the issues they may wish to discuss.
1.9.3 The scribe (note taker)
Failure to capture the findings from the assessment will mean that its value is much diminished. Therefore, at least one person should be responsible for writing notes during the workshops. It is possible for the facilitator to also act as scribe, but this can be rather distracting for the assessment team, and can also result in them being overloaded at times.
Generally, the notes should be collated at the end of the assessment into some form of report. It is not so critical who writes the report, although clearly the scribe and facilitator are likely to take the lead.
1.9.4 Assessment team
CROs and FOs are the most important members of the assessment team. To ensure suitable team dynamics, three operators (between them knowledgeable of control room and field operations) would be the minimum assessment team. Additional members (up to a maximum of about ten) could include SSs, plant managers and technical support staff. However, whenever a person who is not an operator is included in the team, his/her presence should not stifle the discussion. Whilst this is often an issue regarding an individual's personality, it is usually worth advising him/her before they attend an assessment workshop about expected conduct. All perceived problems with the safety of staffing arrangements should be freely discussed and concerns addressed. No member of the team should feel that his/her comments during the study would result in negative reaction from management or colleagues.
In some cases, it may be useful for staff with specialist knowledge to attend specific workshops. These may be control engineers (e.g. to explain a complex trip system), members of the emergency services (e.g. to explain their role in a particular hazardous scenario), training and human resource managers (for specific ladder assessments). However, in most cases a satisfactory assessment can be carried out with a team made up entirely of process operators.
1.9.5 Use of independent third parties
The CRR348/2001 methodology has been developed in such a way that with very little preparation companies can assess their own staffing arrangements. Therefore, many companies have successfully used the methodology without the help of consultants.
Because of the importance of local knowledge of plant, hazards and staffing arrangements, the methodology can never be performed by consultants alone. However, there can be good reasons to receive assistance from a consultant, including:
- They are able to be totally objective. They can elicit concerns that may not be made directly to management.
- They have no operational responsibilities, and hence it is often easier for them to allocate sufficient time to plan the assessment, and write the reports.
- They should have had more opportunities to apply the methodology, so can be more efficient in carrying out assessments.
Alternatively, it may be possible to achieve an objective view by involving personnel from other departments or divisions within the company; the advantage being they will know more about the plant and its hazards, and understand the local terminology. Whilst many companies have used third parties very successfully in carrying out assessments using the CRR348/2001 methodology, it should be remembered they may need some time to familiarise themselves with the plant before embarking on the assessment.
2. Additions to the CRR348/2001 methodology for automated plant and/or equipment
2.1 Introduction
To further enhance the CRR348/2001 methodology, this chapter sets out a new ladder on how automated plant and/or equipment impacts on staffing arrangements. This is based on a literature review, which is summarised in Annex C.
2.2 Guidance for using the CRR348/2001 methodology where automated plant and/or equipment is present
The following guidance should be used in conjunction with the respective physical assessment decision trees and assessment ladders contained in the CRR348/2001 methodology report.
2.2.1 Introducing the assessment
The text below should be reviewed by the assessment team before evaluating the particular decision tree or ladder.
Throughout an assessment when considering automated plant and/or equipment, situations where the automation may not be operated as 'normal' should be considered as this can introduce additional risk. These include:
- Planned situations when manual intervention is necessary (e.g. for inspection, maintenance and repair).
- Unplanned situations where manual intervention is urgently required (e.g. when automatic systems have broken down, control valves have stuck or a telemetry system has failed).
- Emergencies, including sabotage, and accidents.
2.2.2 Physical assessments
This section provides guidance to consider for each of the decision trees when conducting a physical assessment for situations involving automated plant and/or equipment.
Decision tree 1:
Is the control room continuously manned?
In evaluating this tree, it should be established whether the automated plant has been designed to be operated unattended. If this is the case, this decision tree may not apply. If it is not the case, and the control room is sometimes left unattended, this tree should be evaluated.
It is recognised that many systems are designed to automatically respond to abnormal events, and hence avoid the development of an unrecoverable scenario. If it can be demonstrated that this will always be the case, then it may be reasonable to conclude that informing the operator about an alarm or trip is not relevant. However, in most cases, this cannot be demonstrated with absolute certainty, in which case the means by which the operator would know about an alarm or trip should be established. In addition, the consequences if the automated system had not responded to the event as expected should be determined.
Decision tree 2:
Does the CRO have to perform tasks away from the console?
The comments for decision tree 1 above, apply equally here.
Decision tree 3:
As well as monitoring process parameters, what else does the CRO have to do?
In evaluating this tree, it should be established to what extent the operator is required to monitor automated systems in order to detect abnormalities and maintain an awareness of what is happening on the plant. If distracted, the operator may assume that the automated systems will look after themselves. If this were the case, the assessment team should consider what warnings the operator would receive about an abnormal event. This is especially the case for situations that develop slowly as the automated system may be able to compensate for minor deviations, effectively hiding the problem in its early stages. The issue to consider is, if early signs of a problem were not detected because the operator is distracted, how easy would it be for him/her to detect, diagnose and recover the situation?
Decision tree 4:
Does the CRO need additional information for problem diagnosis and recovery?
In some cases, it may be necessary to refer to information regarding the automated system to assist in the diagnosis and recovery of a problem. This documentation should be considered when evaluating this decision tree.
Decision tree 5:
Does the CRO need to call for assistance for problem diagnosis and recovery?
It is unlikely that automation will affect the evaluation of this decision tree.
Decision tree 6:
Who executes recovery action?
If it is assumed that the automatic system will deal with any scenario without operator intervention (i.e. no one executes any recovery actions), it should be demonstrated that this is the case. If this cannot be demonstrated for all possible scenarios the assessment team should consider how an operator would detect, diagnose and respond to a situation where the automated system did not function as expected.
Decision tree 7:
Does the CRO need to communicate with the field to perform recovery?
It is unlikely that automation will affect the evaluation of this decision tree.
Decision tree 8:
As well as performing recovery actions, what else does the CRO have to do?
Similar to decision tree 3. During an emergency or other abnormal event, operators may assume that automated systems will look after themselves. Again, assessment teams should consider how operators would detect, diagnose and recover a problem with an automated system whilst they may be busy with other events.
2.2.3 Ladder assessments
This section provides guidance to consider for each of the ladders when conducting a ladder assessment for situations involving automated plant and/or equipment.
Ladder 1:
Situational awareness (workload)
This ladder is very relevant to automated plant. In evaluating the ladder, the ability of the operators to monitor what the automated system is doing, and to recognise abnormal situations is of particular interest.
Ladder 2:
Teamworking (workload)
Support staff relevant to automated systems include people who maintain the system, can provide technical information about how the system functions (e.g. control engineers) or have access to restricted functions (e.g. overrides or abnormal operating modes). In evaluating this ladder, the risk if such support was unavailable or delayed should be evaluated.
Ladder 3a:
Alertness and fatigue (workload)
Automated plant can reduce variety and interest for operators. These issues should be discussed when evaluating this ladder.
Ladder 3b:
Alertness and fatigue (health)
It is unlikely that automation will affect the evaluation of this ladder.
Ladder 4:
Training and development (knowledge and skills)
Automation can reduce the opportunities for operators to actively interact with the plant. This makes on-the-job training less effective, which should be considered when evaluating this ladder. It can also make plant more reliable, which means refresher training for abnormal events is more critical. In addition, training needs should be identified when implementing automation.
Ladder 5:
Roles and responsibilities (knowledge and skills)
Although there is unlikely to be any direct impact on roles and responsibilities in implementing automation, it can have a knock-on effect as team structures and activities adapt. Management of change systems should consider this when implementing automated systems.
Ladder 6:
Willingness to initiate major hazard recovery (knowledge and skills)
It is unlikely that automation will affect the evaluation of this ladder. The situational awareness ladder is more relevant because response to an incident may be delayed if automation means operators are not aware of what is going on.
Ladder 7:
Management of operating procedures (organisational factors)
Procedures should reflect how tasks are actually performed, i.e. when automatic systems are in different modes of operation (e.g. fully automated, manual control, during start-up).
Ladder 8:
Management of change (organisational factors)
Management of change systems should consider the impact on technical, human and organisational factors when implementing automated systems. They should include a thorough analysis of potential effects on human performance and well-being.
Ladder 9:
Continuous improvement of safety (organisational factors)
Performance reviews of automated systems should consider technical, human and organisational factors. The results of performance reviews should lead to redesign of automation and jobs.
Ladder 10:
Management of safety (organisational factors)
It is unlikely that automation will affect the evaluation of this ladder.
2.3 Additional ladder for safe operation of automated plant and/or equipment
As with all ladders, the intention here is to assess at a general level, how automated plant and/or equipment is designed, implemented and used. An introductory statement, sets of questions directed to operators and management, and a ladder (see Table 2.1) are provided.
2.3.1 Introduction
To progress beyond the minimum acceptable level on the ladder for safe operation of automated plant and/or equipment, adequate reliability and availability of the automated systems should be demonstrated through analysis of actual system performance, considering the technical and human elements. Further explanation of the progression towards best practice is provided with each ladder rung.
2.3.2 Questions directed to operators during the ladder assessment
- To what extent are the systems you operate automated?
- How often do you operate with the systems in automatic mode:
  - During normal operation?
  - During abnormal situations?
- Did your training include how to use the automation:
  - During normal operations?
  - During abnormal operations?
- Has automation impacted:
  - The number of people in the operating team?
  - Individual roles and responsibilities?
  - The nature of the tasks performed?
- How do you maintain an understanding of how the plant operates?
- How well do you understand what the automated system does in controlling the plant?
- How easy is it for you to respond to abnormal situations when operating in automatic mode?
- Are you/have you been involved in the design and implementation of automated systems?
- Do you have enough variety in your job to maintain your interest?
- Do you have enough control over how you perform your job to optimise your performance?
2.3.3 Questions directed to management during the ladder assessment
- How are human factors taken into account when designing and implementing automated systems?
- Does the management of change system address potential risks associated with technical, human and organisational factors when implementing automated systems?
- Have performance indicators been developed for automated systems? If so,
  - Are they evaluated regularly?
  - Do they include the performance and wellbeing of people operating and maintaining the system?
  - Are they used to redesign automated systems or other aspects of individuals' jobs?
- Is it possible to demonstrate the benefits of automation through:
  - Productivity/quality?
  - Health and safety?
  - Other benefits?
- Has the potential for automation to cause or contribute to safety incidents been identified fully?

Table 2.1 - Ladder assessment - Automated plant and/or equipment
Annex A
Comparison between the CRR348/2001 methodology and HAZOP

Table A.1 - Comparison between the CRR348/2001 methodology and HAZOP
Note 1: Courtesy, The Institution of Chemical Engineers.
Annex B
Glossary
abnormal situation:
definition: A disturbance or series of disturbances in a process that causes plant operations to deviate from their normal operating state.
explanation: The nature of the abnormal situation may be of minimal or catastrophic consequence. It is the job of the operations team to identify the cause of the situation and execute compensatory or corrective actions in a timely and efficient manner.
reference: Abnormal Situation Consortia website
alarm (process):
definition: A signal to the operator indicating a plant condition that requires attention.
explanation: Alarms should inform operators of situations where their actions will avoid a hazardous condition.
Nuisance alarms are those that inform operators of a situation that they already know about and/or for which they are not required to act.
An alarm flood is a situation where more alarms are received than the operator can understand and act upon (typically during a plant upset). They can cause hazards if the occurrence of nuisance alarms means important alarms are missed.
reference: EEMUA Alarm systems
assessment (training and development):
definition: Method of collecting evidence of an individual’s competence according to a specified standard through observation and questioning.
explanation: Assessment should result in an evaluation of what the person is able to do, and his/her underpinning knowledge and understanding. It may also identify further learning required or that the person should start to work towards another standard.
reference: Department for Education and Skills website
best practice:
definition: An activity or procedure that has produced outstanding results in another situation and could be adapted to improve effectiveness, efficiency, ecology, and/or innovativeness in another situation.
reference: Interoperability Clearinghouse website
communication:
definition: Imparting or exchange of information.
explanation: Successful communication occurs when a message is sent in such a way that it is received in full, and understood as intended by a person. It is far more than simply sending a message, as that does not guarantee how it is understood.
Success of communication depends on how the sender presents the message, the method used to pass on the message, and how well the recipient is tuned in to the message.
competence:
definition: The ability to undertake responsibilities and to perform activities to a recognised standard on a regular basis.
explanation: Core competencies are an individual’s characteristics that make him/her able to perform a job when given the appropriate training and experience. They include personality, aspirations, underpinning knowledge and attitudes.
Skills and knowledge are part of being competent. A skill is the ability to perform a specific task or activity. This may include manual dexterity and/or mental aptitude. Knowledge is required to know which tasks/activities need to be performed, and when.
Note that individuals and teams that have received training and/or are experienced may not be competent.
reference: HSE Competence assessment for the hazardous industries
ergonomics:
definition: A process of designing equipment and systems to ensure there is a good fit between people and the things they use.
reference: HSE Reducing error and influencing behaviour
fatigue:
definition: A high level of tiredness that can affect an individual’s health or cause a safety concern because of an increased likelihood of errors.
explanation: Fatigue is caused by working long hours, working during nights, disturbed sleep, carrying out strenuous work and/or carrying out boring or repetitive tasks.
reference: HSE Reducing error and influencing behaviour
human factors:
definition: Factors that influence behaviour at work in a way that can affect health and safety.
explanation: Includes environmental, organisational and job factors, as well as human and individual characteristics.
reference: HSE Reducing error and influencing behaviour
job aid:
definition: A device or document that stores information required by a person to perform a particular operation or class of operations and which makes the information available for use on the job.
explanation: They are typically abbreviated versions of full procedures that provide only the information needed by competent personnel (i.e. they are not aimed at novices). They typically include checklists, flow charts, diagrams etc.
multi-skilling:
definition: The removal of traditional divisions between work areas and disciplines.
explanation: The advantages can be organisational flexibility, which can improve efficiency and reduce labour costs. However, introducing multi-skilling represents a significant organisational change and care is required to ensure workload and skill dilution do not have an impact on performance.
A multi-skilled worker is someone who acquires additional competencies that allow him/her to carry out tasks that previously would have been carried out by another person.
A multi-skilled team is a group of individuals who collectively have a range of competencies. This can be achieved by including people with different competencies in the same team (e.g. maintenance personnel within an operating team). Alternatively, it can be a team of multi-skilled individuals (e.g. operators competent in maintenance tasks).
reference: HSE Development of a multiskilling life cycle model
situational awareness:
definition: Quality of knowledge on current and near future situations.
explanation: The extent to which a person or team’s perception of what is happening reflects reality. It is affected by the quality of information available and the ability of individuals to interpret it.
At any given time, a person will hold a set of beliefs about what is happening in the world around him/her, and from this he/she will decide what action to take. If a discrepancy exists between his/her beliefs and the reality of the situation (as might occur in conditions of high mental or physical workload, or as a result of the poor display of information), situational awareness becomes degraded, possibly leading to errors and/or a failure to act when required.
reference: HSE Assessing the safety of staffing arrangements for process operations in the chemical and allied industries
stress:
definition: The adverse reaction people have to excessive pressure or other types of demand placed on them.
explanation: High levels of stress occurring over a short term (e.g. during a period of high workload) can increase the likelihood that individuals will commit errors. More modest levels of stress over a longer term can cause serious health problems.
reference: HSE website
teamworking:
definition: The ability to co-ordinate individuals to achieve an objective or goal.
explanation: A team is a group of people who have a defined organisational function and identity, and share common objectives or goals. Team members should have interdependent roles.
reference: HSE Effective teamworking
training:
definition: Training is the process by which skills, tasks or jobs are learnt.
explanation: The way training is delivered should depend on what the trainee is required to learn (i.e. a training programme may consist of a combination of classroom, on-the-job and simulator training). The content and method of training should also be based on an individual’s training needs, based on his/her prior learning, ability and motivation to learn.
Simulator training provides a method by which the trainee can practise a skill or task without using operational equipment to minimise the risks and/or costs incurred. At its simplest level simulation may be provided verbally (i.e. by a trainer describing a scenario and the trainee describing his/her response) through to complex computer simulators, which provide an accurate representation of how a system operates and responds to events and human interactions.
reference: Salvendy Handbook of human factors
unrecoverable scenario:
definition: A situation where intervention cannot be made to prevent an unwanted consequence.
explanation: This may be because the intervention will take longer to complete than the time to cause the consequence; the intervention is not possible because the system is out of action and/or people cannot get into position to carry out necessary actions (e.g. a fire prevents access to a local control panel); or loss of control of a hazard has already occurred and the consequence, although delayed, cannot be prevented (e.g. a toxic cloud leaving site boundary).
reference: HSE Assessing the safety of staffing arrangements for process operations in the chemical and allied industries
Annex C
Literature review of staffing arrangements for automated plant and/or equipment
C.1 INTRODUCTION
The increased levels of automation in process control have had a significant impact on the way plants are operated. Directly, it means that fewer people are needed to carry out certain activities. However, indirectly it has changed the nature of an operator’s job: e.g. less physical activity, more monitoring, and increased responsibility through controlling a greater number of hazardous processes. These impacts should be fully understood, as increased automation makes it more difficult to observe how operations are performed and means that normal operations are not representative of what occurs during abnormal situations.
There are a number of benefits of automating the control of process plants. It can relieve people of boring, unpleasant and potentially hazardous tasks. It should also result in more consistent, and hence reliable, operation, and more reliable response to some abnormal situations (e.g. automatic trip systems). However, it does not necessarily result in a smaller workforce overall (see DiMartino, V. and Corlett, N. Work organisation and ergonomics), although it will undoubtedly change the type of jobs people perform (e.g. fewer operators may be required but higher levels of maintenance are required, possibly provided by specialist contractors). Other potentially negative consequences include:
- People end up working in smaller teams (possibly alone), and hence feel more isolated.
- People feel they have less autonomy because the plant and equipment drive their work.
- People feel they have less opportunity to make a positive contribution to the job because the most productive activities are automated.
- Operators have less opportunity to experience abnormal situations, and those situations can be more complex than is the case for manually operated plant.
C.2 SOCIO-TECHNICAL SYSTEMS
Automation of process plant has been made possible by advances in technology that mean equipment can be controlled without continuous human intervention. However, human intervention has not been totally eliminated, particularly during abnormal operations and during maintenance. Therefore, even highly automated plant should be considered as a 'socio-technical' system (see HSE Human factors aspects of remote operation in process plants), which highlights that technology and people need to work well together if the system is to be effective. This relates not only to the human-machine interfaces, but also to organisational and management factors.
As the level of automation increases, the level of active interaction with the system reduces (see Hockey Skilled performance and mental workload). This reduces the opportunity for the operators to develop an effective understanding of how the system functions and makes it more difficult for them to intervene appropriately when required.
C.3 THE OBLIGATIONS OF DUTY HOLDERS
Duty holders should be able to demonstrate the safety of their operations. This should be based on a hierarchy of risk control measures, with inherent safety being a primary objective, followed by measures to control the resultant risks. In this context, automation cannot be assumed to provide complete control of, or mitigation against, hazardous situations. Therefore, for hazardous plant it should be demonstrated that the whole socio-technical system achieves a tolerable level of risk. As a minimum, this requires that:
- Equipment is sufficiently reliable and available (i.e. well designed, installed and maintained).
- Human interactions with the equipment can be conducted reliably.
- Staffing arrangements ensure that enough people, with the necessary competencies, are available to deal with all potential situations (especially abnormal events that create a high workload).
- Staffing arrangements ensure people are able to achieve and maintain sufficient competence (particularly complicated for highly reliable plant, where abnormal events are rarely experienced).
C.4 FACTORS TO CONSIDER WHEN DESIGNING AUTOMATION
To ensure a system functions as intended, the function of each component (technical and human) and how they work together should be understood. From this it is then possible to balance the level of automation with the number of people involved in its operation and maintenance. This is known as 'allocation of function', for which there are four main options (see HSE Safety management of process faults):
- Functions that should be automated because they exceed human capabilities.
- Functions that are better automated because, although they could be performed by a person, they are lengthy, repetitive or involve a degree of personal risk.
- Functions that are best performed by a person because they require inferential knowledge or a degree of flexibility.
- Functions that should be shared, depending on circumstances at the time of performance.
Having made a decision, the operational reliability of the resultant system should be considered; in particular, whether the people involved will be able to deal with the likely workload and complexity. It is increasingly being accepted that the role of the human operator in automated systems should be supported by better design of decision making (including the provision of information and training) and more flexible means of allocating control between the human and automatic elements of the job (see Hockey Skilled performance and mental workload).
It is also recognised that the appropriate balance between automation and human control depends on the nature of the system being controlled. For predictable systems where actions are relatively certain, high levels of automation are likely to enhance system performance. However, for complex and unpredictable systems, giving human operators greater job control will improve system performance (see Parker and Wall Job design and modern manufacturing).
C.5 JOB DESIGN
Allocation of function is able to address the technical and human aspects at a task level. It does not address the more wide-ranging human factors that are related to the jobs performed by individuals and teams. Therefore, automation should be considered in the wider context of how jobs are designed, organised and managed.
Job design involves considering how the characteristics of work affect the performance and psychological well-being of the people involved. The aim is to design jobs so that people can work effectively, and feel their work is meaningful and satisfying. The following five characteristics have been identified (see Hackman and Oldham Work redesign):
- Skill variety - the opportunity to use skills.
- Task significance - a feeling that the work is worthwhile.
- Task identity - having well-defined tasks with specific objectives.
- Autonomy - being able to control how work is performed.
- Task feedback - receiving information that confirms work has been successful.
C.6 SAFETY CRITICAL DEVICES
IEC 61511 is an international standard relating to safety-critical electrical, electronic and programmable electronic systems used in the process industry. Therefore, it is applicable to much equipment associated with the automation of process plant operations.
The standard is based on assigning Safety Integrity Levels (SILs) to systems that guide the necessary reliability and levels of redundancy, according to risks associated with system failure. Human factors should be taken into account throughout a system’s lifecycle. Specific requirements include (see HSE Proposed framework for addressing human factors in IEC 61508):
- All accident initiating events, including procedural faults and human errors, should be identified.
- The system should be tolerant to operator errors.
- The system should be designed to cover all reasonably foreseeable misuse.
- Particular attention should be given to abnormal or infrequent modes of operation.
- Consideration should be given to the availability of skills and resources needed for operation and maintenance of the system.
- Maintenance requirements should be specified.
- Operating rules should be specified for use during normal, degraded, abnormal and emergency states of the system.
- Safety requirements should identify user interfaces.
In general, safety devices covered by IEC 61511 have little direct impact on the operation of plant and equipment, as they only operate once process parameters have deviated from the specified limits. However, this assumes the demand rate (i.e. the frequency with which the device is required to operate) is as intended at design. If the demand rate is higher than the design value, the device may essentially be performing a control function (i.e. the operators start to rely on the device) and the assigned SILs will no longer be appropriate.
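As an added example (not code from the user guide or from the IEC standard), the check below compares the observed demand rate of each safety instrumented function against the demand rate assumed when its SIL was assigned, and flags devices that are being exercised far more often than designed. The tag names, log format, design figures and the review margin are all constructed for this example.

```python
"""Flag safety devices whose observed demand rate exceeds the design basis."""
from collections import defaultdict
from datetime import datetime

# Constructed design basis: demands per year assumed when the SIL was assigned.
DESIGN_DEMAND_RATE_PER_YEAR = {
    "SIF-101": 0.1,  # high-level trip, expected to act about once a decade
    "SIF-205": 0.5,  # high-pressure trip
}

# Constructed trip log: one line per device activation (timestamp, tag, event).
TRIP_LOG = """\
2003-01-14T08:12:00 SIF-101 TRIP
2003-02-02T23:40:00 SIF-205 TRIP
2003-03-19T06:05:00 SIF-101 TRIP
2003-05-07T14:30:00 SIF-101 TRIP
2003-09-21T02:55:00 SIF-101 TRIP
2003-11-30T17:20:00 SIF-101 TRIP
"""


def count_demands(log: str) -> dict:
    """Count TRIP events per SIF tag, ignoring lines that do not fit the format."""
    counts = defaultdict(int)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[2] == "TRIP":
            datetime.fromisoformat(parts[0])  # reject malformed timestamps early
            counts[parts[1]] += 1
    return dict(counts)


def assess_demand_rates(log: str, observation_years: float, margin: float = 2.0) -> dict:
    """Compare observed demands/year with the design basis for every listed SIF.

    `margin` is a constructed review threshold: an observed rate above
    margin * design is treated as the device acting as a control function.
    """
    counts = count_demands(log)
    results = {}
    for tag, design in DESIGN_DEMAND_RATE_PER_YEAR.items():
        observed = counts.get(tag, 0) / observation_years
        if observed > margin * design:
            verdict = "REVIEW: demand rate exceeds design basis; SIL assignment may not hold"
        else:
            verdict = "OK"
        results[tag] = {"design": design, "observed": observed, "verdict": verdict}
    return results


if __name__ == "__main__":
    for tag, r in assess_demand_rates(TRIP_LOG, observation_years=1.0).items():
        print(f"{tag}: design {r['design']}/yr, observed {r['observed']}/yr -> {r['verdict']}")
```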
C.7 DEVELOPING THE LADDER FOR ASSESSING AUTOMATED PLANT
Sections C.1 to C.6 set out a number of issues related to the impact of automation on the performance of a socio-technical system, such as a process plant. The automated plant and/or equipment ladder (see Table 2.1 in Section 2) has been constructed on the following rationale:
- The lowest rung on the ladder establishes whether the plant is actually operated in automated mode some of the time.
- The region on the ladder below the minimum acceptable level relates to the technical aspects of the automated system (i.e. it may have been implemented without consideration of human factors).
- The minimum acceptable level relates to the ability to demonstrate adequate reliability and availability through analysis of actual system performance, considering the technical and human elements.
- The region above the minimum acceptable level relates to consideration of human performance and well-being during design of automated systems, and post-implementation reviews.
- The top rung on the ladder establishes whether there is a continuous evaluation of the performance of the socio-technical system.
Annex D
Staffing assessment forms (blank forms)

Figure D.1 - Blank form - Recording a scenario description

Figure D.2 Blank form – Recording the results of a physical assessment

Figure D.3 - Blank form - Recording the results of a ladder assessment
Annex E
Staffing assessment forms (completed examples)

Figure E.1 - Example completed form - Recording a scenario description

Figure E.2 - Example completed form - Recording the results of a physical assessment

Figure E.3 - Example completed form - Recording the results of a ladder assessment
Annex F
Checklist for completing a staffing assessment

Figure F.1 - Blank form - Checklist for completing a staffing assessment
Annex G
References
Introductory references
Assessing the safety of staffing arrangements for process operations in the chemical and allied industries, HSE Contract Research Report CRR348/2001, HSE Books (2001). See www.hse.gov.uk/research/crr_htm/index.htm
Hazop and hazan: Identifying and assessing process industry hazards, Kletz, T., 4th edition, Institution of Chemical Engineers (1999).
Organisational change and major accident hazards, HSE CHIS7, HSE (2003). See www.hse.gov.uk/pubnsindex.htm
Glossary references (Annex B)
Reducing error and influencing behaviour, HSE HSG48, HSE Books (1999).
Competence assessment for the hazardous industries, HSE Research Report RR086, HSE Books (2003).
Development of a multiskilling life cycle model, HSE Contract Research Report CRR328/2001, HSE Books (2001).
HSE website www.hse.gov.uk.
Alarm systems - a guide to design, management and procurement. Publication 191, EEMUA (1999).
Effective teamworking: reducing the psychosocial risks, HSE Contract Research Report CRR328/2001, HSE Books (2001).
Abnormal Situation Consortia website www.asmconsortium.org.
Handbook of human factors, Salvendy, G. (Ed.), Wiley (1987).
Department for Education and Skills website www.dfes.gov.uk/nvg.
Interoperability Clearinghouse website www.ichnet.org/glossary.htm.
Assessing the safety of staffing arrangements for process operations in the chemical and allied industries, HSE Contract Research Report CRR348/2001, HSE Books (2001). See www.hse.gov.uk/research/crrpdf/2001/crr01348.pdf
Research references for literature review of staffing arrangements for automated plant and/or equipment (Annex C)
Work organisation and ergonomics, DiMartino, V. and Corlett, N., International Labour Office (1998).
Human factors aspects of remote operation in process plants, HSE Contract Research Report CRR432/2002, HSE Books (2002).
Skilled performance and mental workload, Hockey, R. in Psychology at Work, Warr, P. (Ed.), Penguin Books (1996).
Safety management of process faults: a position paper on human factors approaches for the design of operator interfaces to computer-based process control systems, HSE Contract Research Report CRR60/1993, HSE Books (1993).
Job design and modern manufacturing, Parker, S.K. and Wall, T.D. in Psychology at Work, Warr, P. (Ed.), Penguin Books (1996).
Work redesign, Hackman, J.R. and Oldham, G.R., Addison-Wesley (1980).
Proposed framework for addressing human factors in IEC 61508, HSE Contract Research Report CRR373/2001, HSE Books (2001).
IEC 61511 Functional safety: Safety instrumented systems for the process industry sector.
Acknowledgements
The Institute wishes to record its appreciation to Dr Andrew Brazier, and for the assistance provided by Peter Waite and Andrew Gait (Entec), who prepared this user guide under the direction of the EI Human Factors Working Group, which during this work comprised:

| Member | Organisation |
| --- | --- |
| Robin Bryden | Shell International Exploration and Production B.V. |
| Bill Gall | Kingsley Management Services |
| Bob Miles | Health and Safety Executive |
| Peter Mullins | Health and Safety Executive |
| Graham Reeves (Chairman) | BP Oil UK Ltd. |
| Clive Sheil | Shell UK Oil Products Ltd. |
| Dr John Symonds | ExxonMobil Corporation |
| John Wilkinson | Health and Safety Executive |
The Institute would also like to recognise the contributions to the technical review made by individuals, companies and organisations, in particular the Chemical Industries Association, and to acknowledge the financial assistance provided to this work by HSE.