Goodbye to one man and his dog
12 Jun 2012
?The process plant of the future will be controlled by just one man and a dog: the man to feed the dog and the dog to keep the man from touching any of the controls - an old joke cited at a recent NG Downstream summit as a caricature of process automation in the 20th century.
At the event in Bremen, Germany, presenter Herman Van Roost of Total used the caricature to illustrate how ‘human reliability’ has remained largely untapped by the process industries. This was in contrast to other sectors that need human reliability to survive, such as the nuclear and aviation industries, where the science of ‘human and organisational factors’ is quite mature.
In a presentation titled ‘Human reliability in future operations’, Van Roost described a new vision of process automation, in which ensuring human reliability, and the science surrounding it, would become a core competency for operational managers.
For automation engineers in the process industries, though, the ultimate goal has long been the 100% automated plant, which eliminates operators and their associated human error, explained Van Roost.
“In the classical approach to automation, operators are a source of the errors that compromise safety and reliability,” he said. “Automation has been tailored to reduce the exposure of the process to human intervention and errors, with only moderate success.”
The two most observed root causes of human error remain a lack of competence and not following procedures. But despite huge training efforts, these problems are still prevalent.
“We engineers,” said the Total expert, “have mainly focused on technical reliability, based on the viewpoint that as humans are not machines, we cannot do anything. But by simply extending our competence with the quantified science of ‘human and organisational factors’ we could at least do for humans what we, as engineers, do so well for machinery.
For instance, he said, this could mean ensuring people work within their optimum operating range, and - as with machines - are equipped with alarms and overload protection.
Likewise, operators would be supported by control schemes specially engineered and adapted to optimise their performance and enhance their reliability.
After 30 years of automation, Van Roost said the process industries had come to a point where extra automation did not lead to manpower reduction.
“Apparently, the remaining human operators fulfill a unique and critical role which cannot be taken up by automation,” he remarked.
?In the process industries, automation has been tailored to reduce the exposure of the process to human intervention and errors, but with only moderate success
In the 21st-century approach, the operator is regarded as a “unique source of safety and reliability, able to anticipate, detect and respond to abnormal situations in process safety,” continued Van Roost - referencing research work carried out by the Abnormal Situation Management (ASM) Consortium.
“Realising the importance of human intervention for process safety promotes its reliable execution to the top priority of the operational management in the process industry,” he said.
This should also have implications for directors in the boardroom, as operator error will then be seen as a failure of senior management to adapt the systems and tools used to run their industrial facilities to the human characteristics of the operators on the frontline of the operation.
“As a consequence, incident investigation methodology and root cause segmentation has to be adapted to properly detect such failures,” commented Van Roost.
However, this greatly enhanced focus on human reliability will not decrease the importance of technology, the Total expert noted.
On the contrary, he concluded, “the aim of automation will be to develop and apply technology in such a way that it maximises the individual operator’s impact on his process in all circumstances - as opposed to avoidance of human intervention.
“This will require a good understanding by automation engineers of the underlying science of human factors, just like in the 20th century the quality of their contribution depended on a good understanding of the process they had to automate.”
?l When executing a sequence of instructions, human reliability is increased by a factor of 10 when followed by use of ‘in-hand’ instructions compared to relying on memory, and by 100 when using a procedure with a sign-off provision per item.
l The human brain, when fully mobilised towards a primary operational objective, such as a startup, is unable to properly judge a situation which involves a second, contradictory priority such as process safety. A dedicated process safety officer (PSO) must, therefore, be used for planned and unplanned critical operations - replicating the organisation of a professional firefighting team.
The PSO must never participate in the primary operation: his sole function and focus is to ensure that all conditions for properly carrying out the operation remain in place, and he has the overruling power to stop a process if he just feels it is necessary for safety.
l The typical problem of operators not following procedures, approached from a human factors viewpoint, is often caused by confusion between training manuals and procedures.
Although both documents treat the same operations, their purpose is profoundly different, requiring different content and formatting: the training manual’s purpose is to transform an incompetent person into a competent operator, while a procedure’s purpose is to boost the human reliability of a fully competent operator for the perfect execution of his critical work.
Under these conditions, the use of a procedure is a source of professionalism, recognition and personal pride. But if a procedure is perceived as a training manual (by its format, or simply because it is a common document), experienced operators will be reluctant to use it as it suggests incompetency.
l The presence of a second independent checker reduces the human error probability by a factor of 100.
This means that the reliability of a critical task, such as manipulation of a safety element, can easily be boosted by adopting a standard double-check by a second operator - replicating the formal interaction between pilot and co-pilot in an airplane, where both are intensely trained.
l The EEUMA norm, field-tested and validated as a realistic upper boundary by the ASM Consortium, indicates the following maxima per operator: standing alarms below 10, background alarms below 10 per hour, and in case of an upset less than 10 alarms during the first 10 minutes of the upset.
Beyond these boundaries, reliable operator response cannot be expected due to the limitation of the human brain. Ignoring this reality is, in engineers’ terms, similar to allowing the operation of process equipment outside its technical specification.
