Growing role of human/machine interaction in risk management

A risk management evaluation for safety-critical equipment (SCE), including use of a risk matrix, is fundamental to controlling operating hazards, but even proven industry hazard determination templates won’t work with outdated data.

By Niresh Behari, Shell Canada, October 9, 2018

Risk management evaluation, including use of a risk matrix, is fundamental to controlling operating hazards associated with safety-critical equipment (SCE) in the oil and gas industry. Yet these evaluations, despite the use of proven industry hazard determination templates such as “bow-tie diagrams,” may be flawed for reasons that have nothing to do with the template and everything to do with its foundation: outdated data.

Unfortunately, a process safety management system may be considered acceptable for years until an incident, possibly a major hazard event (MHE), occurs.

There can be no SCE risk reduction without a thorough and comprehensive evaluation. Energy companies, including oil and gas businesses, assume their hazard identification and risk assessment and bow-tie diagram for each SCE are based on an up-to-date historical database of incidents, aligned with their current process safety management system. Such assumptions should be verified on an ongoing basis, including for SCEs, control rooms, alarm management, and human/machine interaction.

SCEs and hazard avoidance tools

Safety-critical elements are defined by the American Petroleum Institute in its Recommended Practice for the Design of Offshore Facilities against Fire and Blast Loading (2006) as “any component part of structure, equipment, plant, or system whose failure can cause a major accident.” The definition pertains to all SCEs, yet each SCE element is unique. Almost every organization relies on a risk matrix to identify SCEs and establish priorities for process management (see Figure 1).

The matrix identifies large-scale hazards, which can include equipment containing such hazards as gasoline, liquefied petroleum gas (LPG), and paraffin. These SCEs require the highest priority for management of hazard avoidance—a designation that must be understood by all who encounter it.

Following completion of a hazard and operability (HAZOP) study that identifies and examines risks either to the equipment or to those who operate it, the next step is the creation of the bow-tie analysis and risk-management scenarios focused on hazards associated with an SCE.

The bow-tie’s left side represents the threats and proactive responses to counter them. The right side consists of reactive controls. The idea is to educate all SCE operators about causal factors that could expose the operator, equipment, and in some cases, the public to what the industry commonly refers to as an “event.” The bow-tie analysis, although customized for the process engineer and plant operator, is a mandatory major hazard avoidance tool that must be understood and complied with by operators and workforce.

Barrier assurance is another component of risk management and hazard avoidance. Some assume barriers are limited to hardware, so as to either prevent a hazardous release threat or limit negative outcomes when process containment is lost. A second barrier, however, can be just as important as hardware—human intervention. A hardware barrier assurance template distributed by Oman LNG contains eight safety risk barriers, but the human element is its foundation.

Some questions for SCE operators and workers in the assurance template require a proactive response. For example: “What can I do to keep my barriers safely operating?” and “How do I safely manage impaired barriers?”

The hardware barrier assurance form says it all: “Do you own your bow tie barrier?” Anything less than an affirmative response is a warning that process safety flaws exist, without proactive measures to eliminate those shortcomings. The goal is to always institute appropriate barriers that manage risk by limiting it to the greatest extent possible.

SIL levels versus maintenance standards

Having targeted safety integrity levels (SIL) for each safety instrumented function can contribute to a false sense of security. Each level measures performance against the potential for failure over a specified time. For level 1, the specified time for failure risk is 10 years; level 2 is 100 years; level 3 is 1,000 years. These levels are standard in the petrochemical sector to safeguard critical control systems such as those for pressure vessels, column stacks, and tanks.

It’s not so simple, however, with SCEs at Levels 2 and 3. The challenge is to identify SCE instrumented functions, not an easy task since there are thousands of SIL 1 safety instruments and control loops that could have the wrong SCE classification. Misclassification compromises the maintenance priority for critical instrumented and control loops. Best industry practice is to include SIL 2 and higher-rated safeguarding control loops as major hazard SCE and to filter all SIL 1 instrumented equipment and safeguarding loops through an established SCE management process.

The SIL 1 filtering process should include reviewing incidents that occurred recently. Modern safety management systems do not need to reference archaic incident data when the safety management system bears no resemblance to the one used today.

What does this mean for human/SCE interaction? A robust and modern SIL 1 filtering process for SCE identification, with relevant and recent process safety incident data, reduces maintenance and turnaround priority and saves operating expenses. Management must advise SCE workers to avoid taking century-old SIL time parameters for granted, despite the minimal likelihood of an occurrence or event.
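As an added illustration (not from the article or from Shell), the triage rule just described can be written as a small routine: SIL 2 and higher loops are classified as major hazard SCE outright, while SIL 1 loops are filtered on incident history, counting only incidents that post-date the current safety management system. The loop tags, incident dates and the 2015 baseline date are constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import date


@dataclass
class SafeguardingLoop:
    """One safety instrumented function or control loop (constructed sample data)."""
    tag: str
    sil: int                                  # targeted safety integrity level: 1, 2 or 3
    incidents: list = field(default_factory=list)  # dates of related process safety incidents


def classify_loops(loops, sms_baseline):
    """Return {tag: classification} for the SCE filtering process.

    SIL >= 2 -> major hazard SCE without further review.
    SIL 1    -> reviewed only against incidents that occurred under the
                current safety management system (on/after sms_baseline);
                incidents before that date are treated as archaic.
    """
    result = {}
    for loop in loops:
        if loop.sil >= 2:
            result[loop.tag] = "major-hazard SCE"
            continue
        recent = [d for d in loop.incidents if d >= sms_baseline]
        archaic = [d for d in loop.incidents if d < sms_baseline]
        if recent:
            result[loop.tag] = "SCE review (recent incidents)"
        elif archaic:
            result[loop.tag] = "not SCE (only archaic incidents)"
        else:
            result[loop.tag] = "not SCE"
    return result


# Constructed sample loops; tags and dates are hypothetical.
SAMPLE_LOOPS = [
    SafeguardingLoop("PSH-201", sil=2),
    SafeguardingLoop("LSL-305", sil=1, incidents=[date(2017, 6, 3)]),
    SafeguardingLoop("FSL-410", sil=1, incidents=[date(2004, 2, 11)]),
    SafeguardingLoop("TSH-512", sil=1),
    SafeguardingLoop("PSHH-601", sil=3, incidents=[date(2001, 9, 20)]),
]
SMS_BASELINE = date(2015, 1, 1)  # assumption: date the current SMS took effect

if __name__ == "__main__":
    for tag, verdict in classify_loops(SAMPLE_LOOPS, SMS_BASELINE).items():
        print(f"{tag}: {verdict}")
```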

In the oil and gas industry, the fire, explosion, and release severity index (FER-SI) is another vital hazard avoidance and mitigation tool that measures and quantifies SCEs. It is a hydrocarbon leak quantification and qualification model developed to assess potential equipment flaws that could result in leaks. The index can be used as a lagging indicator that informs SCE identification.

Of importance to management and SCE operators are the probabilities and possibilities involved, including, for example, the plume type created by the leak, safety room location, safe distance for workers in the event of a toxic release, and ramifications following from dropped-object hazards.

Figure 2 shows an established practice for devising leading and lagging indicators related to SCE management, alarm control, and trip bypasses. Figures 3, 4, and 5 display underlying causes of process safety equipment failure related to SCE. The hydrocarbon leaks shown in Figure 3 may be associated with equipment design, management of change (MOC) issues, asset integrity, or operations. The latter two deficiencies tend to be exacerbated for plants lacking a robust SCE management system.

In Figure 4, equipment or machinery failures for gas processing plants often indicate that non-adherence to maintenance integrity frequencies is the major root cause of leaks or catastrophic process safety events. These usually are associated with shortcomings in SCE prioritization and the process safety management system.

Some underlying human factors are associated with ineffective SCE management (see Figure 5). These include incorrect risk management principles when assessing reliability-centered maintenance (RCM), and risks misaligned with existing safety management systems based on incidents that are either archaic or unrelated to process safety management systems.

Do operators or workers understand the usage limitations involved for each item designated as SCE? For almost any company, standard operating procedure is issuance of documents that clearly specify each operation’s boundaries. Figure 6 is an example of a boundary approach implemented by the oil sands industry. It identifies pressure vessels, heat exchangers, rotating equipment, and tanks used in hydrocarbon service as SCEs.

The right column itemizes specific equipment and structures included in the scope of the SCE performance standards along with those that are excluded. Each of the four examples provided references a bow-tie model while some, such as the intermediate bulk containers in the tanks category, do not qualify under the company category for “red risk.” For these four examples, there should be no doubt in the operator’s mind what is or is not an SCE.

Human/machine interaction assessment

Individual job-related factors and organizational components are integral to a process safety culture and worker/SCE interactions. To better understand these factors, multi-disciplinary process safety experts and human factors researchers at Sasol Gas and Chemical Operations conducted perception surveys from 2009 to 2013 to evaluate the human/machine interface systems, followed by a risk assessment interview to address technology, machinery, maintenance, job, and staffing pressures. The questions covered subjects such as safety-critical communications and remote operations. Organizational aspects, including FER-SI, evaluated machinery performance related to leaks, along with an audit of the process safety management system.

Question templates pertained to control room, alarm handling, and process control systems, as well as safety-related employee perceptions about associated issues. One template, for example, posed questions about loss of containment and general plant equipment reliability. The results from the assessment were surprising, and even disturbing.

The survey found inattention on the job was becoming a major issue due to what respondents described as a lack of employee rotation. Other questions, pertaining to alarm management, produced both positive and negative implications.

On the positive side, facilities worked to address issues. Reviews of monthly alarm trip lists, along with an alarm-handling automatic control containing an artificial intelligence component, were seen as effectively supporting the process control system architecture. On the other hand, respondents described inadequate scrutiny of trends and patterns. One facility noted the frequency of “spurious” alarms.

The responses demonstrated why perception surveys for staffing, workload, and maintenance are recommended as part of risk assessment templates. A checklist of “human factors” relevant to each item of SCE technology or machinery should be considered mandatory.

The potential negative impact of an insufficient or inadequate risk matrix on human/machine interaction is reason enough for executives and management to demand ongoing reviews of processes and procedures for every potential industry hazard. The template can demystify the process safety culture assessment by using best-in-class performance metrics gleaned through the leading and lagging indicators for all SCEs. That includes the employees’ perception surveys of their equipment interactions.

This approach can reverse a disturbing industry trend in which companies base SCE risk reduction on lessons learned long ago from MHEs or highly publicized catastrophes. While there is valuable information within the history of a long-ago disaster, today’s risk matrix must be relevant to today’s safety management system. Anything less is an unacceptable increase in hazardous risk.

Niresh Behari is a process safety engineer in the petrochemical and explosives sectors for Shell Canada. For more than 20 years, he has developed, implemented, and managed safety management systems for Fortune 500 companies for compliance with OSHA’s Process Safety Management Standard and EPA’s Risk Management Plan Rule. He recently published a research textbook on process safety culture in the energy sector. Edited by Jack Smith, content manager, Control Engineering, CFE Media,


KEYWORDS: Safety, security, processing


Original content can be found at Control Engineering.