CASE HISTORY 14.1 Everyday Communication Practices
Charlie and Frederik were unloading rail tank cars filled with inorganic waste from a metal plating factory. The acid waste from pickling (cleaning) steel would be neutralised with slaked lime in a large lined concrete tank. The cyanide waste would be detoxified with sodium hypochlorite (similar to household bleach but more concentrated). Charlie was in the control room. Having received two tanker loads of acid, he observed that the correct amount of fluid had been transferred and that the pump had stopped. He contacted Frederik, who was in the rail yard, by mobile radio: ‘Send up another bucket full’. (This sounds more fluent in the original language.)
Frederik disconnected the unloading hose, connected it to the next tank car and started the pump. About 6 cubic metres of cyanide waste had been pumped to the acid tank, before the release of hydrogen cyanide gas was registered and the pumping shut down. (The gas detectors were mounted on and around the cyanide tank, as required by the design, and not on the acid tank, where there was ‘no apparent need’.) No one was hurt, but the company was embarrassed, this incident being one in a fairly long series.
After the accident, two separate pipelines were installed, with large and clear signs, telling which kinds of waste would be accepted into which pipe. An inves-tigation was made to see whether tankers could be fitted with different discharge nozzles (this was unsuccessful). A new practice for communication was intro-duced, with a fixed system of messages and identifications, along the lines of those used in military firing exercise communications or as used by air traffic controllers.
Communication errors figure in many process plant accidents. There is a need for the following:
• Communication between board operators in the control room and field operators, to tell them to take readings, start or stop pumps and to line up (open close) valves for particular plant configurations
• Communication between supervisors in the control room and board opera-tors, for implementation of production decisions, for coordination between maintenance planning and production and in emergencies when supervi-sors should be standing back to get an overview of the situation while the board operator reports status and effectuates control
154 Human Error in Process Plant Design and Operations
• Communication between shift supervisors and between board operator at shift change, to ensure that the status of the plant and the stage in operating and maintenance plans are properly known; also at this time, details of any oper-ating problems, disturbances or failing equipment should be communicated There are two means of communication for such a shift change. One is direct verbal briefing. For this, a handover period of half an hour is usually planned, where shifts overlap, although a full half hour is generally needed only when there are problems. The second means of communication is the operator log, which should record operations performed during the shift, any change in plant configuration (which tanks are receiving product, for example, or any equipment shut down for maintenance), the plant status and any problems which have arisen:
• Communication from operators in the field to the board operator to tell when tasks have been completed or to report problems
• Communications during emergencies to report status and observations and to make instructions
COMMUNICATION ERROR TYPES
One type of error is simple lack of communication. This is particularly prevalent at shift changes, when operators or supervisors arrive too late or leave too early for a handover briefing. Another is failure to record actions in the operator log, by forget-fulness or simply due to poor reporting skills.
Communications between field and control room may be lacking because of excessive communications traffic, ‘dead spots’ in the same communications system or noise (both electrical and sonic).
Operators, of necessity, use quite special language. What a piece of equipment is called can vary from plant to plant though. As an example, the vessel used to separate out liquid droplets prior to a gas compressor may be called a scrubber, a knockout drum or a filter! A new operator needs to learn the local names of all the equipment.
Sometimes, new operators may not know the precise equipment referred to by some arcane term. Also, they may be afraid to ask, not wanting to show ignorance in front of new colleagues. Worse, they may think they know or may interpret a term differently. For example, the use of the term filter for a knockout drum, as referred to above, can be very confusing, since the term is used normally for a very different piece of equipment.
A good training programme will introduce an operator to all of the equipment items in a plant, their functions, their names and how they work. Such training pro-grammes, though, require careful writing by supervisors and operation engineers, with both long experience and good writing skills. First-class plant-specific training material of this kind is found in only a fraction of process plants around the world.
More often, training material consists of some plant-specific material, plus a large quantity of generic information. A good test of training material is to check that it describes all operating modes, disturbed conditions and troubleshooting and that it includes photographs both of the equipment externally, and of vessel internals.
Communication Errors 155
(It can be several years before a new operator actually sees inside a vessel, and internals of items such as cold boxes are rarely seen once they have been built. Good pictures are really needed if the operator is to understand the functioning.)
LANGUAGE DIFFICULTIES
There are special problems in operations when the staffing is multilingual. Some oper-ators will then have difficulty in understanding, and it may be necessary to have a good bilingual operator to check that communication in the standard language is under-stood. To see the extent of the problem, I asked recently, in a large control room, how many nationalities were represented. The answer—seven if we include you!
It is interesting to see the mode of cooperation in a situation like this. In the actual control room there was a good and very peaceful atmosphere, with notably quiet communication. No one wished to disturb the operators at their workstations. The culture was a mix of nationalities only outside the control room. Inside there was one culture, careful and safe operation.
CASE HISTORY 14.2 A Surprising Problem in Written Communication—Illiteracy
One very experienced (18 years) operator went out to a tank farm and adjusted valves to fill the wrong tank. He operated the wrong valves. In the subsequent accident investigation, it was found that he could not read the work order.
DRAWINGS AS A MEANS OF COMMUNICATION
One item of communication which is very prone to error is that of drawings. If draw-ings are out of date, there may be additional pipes, valves, etc. which the operators do not know about. Such items may cause unwanted blockages, provide routes for unwanted flows or defeat the isolation during maintenance.
Provision of up-to-date drawings is part of any good management of change (MOC) procedure. However, it is rare to find a company in which small changes are made on drawings just as soon as the physical change is made. For reasons of convenience, several small changes are ‘stored up’ until a full updating becomes
‘worthwhile’ or until an audit is expected. This approach is guaranteed to cause an accident at some stage.
Some other drawing office practices are potential accident causes. Engineering office managers do not like unregistered drawings to be kept in a plant, because they are guaranteed to be out of date. Provision of online drawing databases has allowed the elimination of all paper drawings in some plants. However, companies do not always provide good access to the operators and technicians who need the drawings.
For example, on one offshore platform which I audited, the Internet bandwidth was so limited that it took half an hour to receive a drawing. As a result, operators and maintenance technicians in such places tend to keep their own ‘private’ drawing sets, which brings us back to the original problem.
156 Human Error in Process Plant Design and Operations There is no real excuse for the problems of access to drawings in this age. If commu-nications bandwidth is limited, drawing databases can be ‘mirrored’ automatically on a local server. Out-of-date drawings can be ‘red marked’ by operators or by supervisors after modifications have been made or as part of the MOC procedure. The red marking can be made on computer-aided design (CAD) systems, without affecting the original drawing, and will be available to all until a full drawing revision can be carried out.
Warning
One warning about as-built drawings: A company, concerned about the state of its drawings, contracted with an engineering company to provide as-built CAD draw-ings. When these were submitted for a HAZOP analysis, the drawings were found to reflect the originals very faithfully, including drawing errors and erroneous items which had been corrected in the actual plant. The markup of changes over the years was incomplete, and the draughtsmen making the as-built drawings did not make a complete survey of the plant.
SHIFT HANDOVER
Shift handover is a critical aspect of communication. The status of the plant, any abnormal conditions and any problems which have occurred must be transferred from the operations supervisor going off shift to the supervisor coming on, and the information needs to be spread to all operators.
Ideally the handover would be both verbal and written, but staffing schedules often do not allow for this. Shifts may be 8 hours or 12 hours and it might be thought that supervisors could work over for 30 minutes to ensure good handover. This is possible on some plants, but transport arrangements often prevent this. This is especially so in large plants where entry of personal vehicles is prohibited. When you need to go home, you must catch the bus, and if you are late, there are personal problems.
Operators vary widely in their writing skills. Some can write a full page in a log, with an in-depth description. Others have difficulty in making more than a sentence or two. Some companies have introduced therefore a fixed form for handover, in which the information to be handed over is clearly specified.
Lack of communication played a major role in the Texas City explosion of 2005, where no shift handover was made at the shift change prior to the accident. It was also a major factor in the Piper Alpha accident in 1988 [1], where information about the status of the equipment was left as a note on the control station keyboard, rather than on the formal operations log. The note had not been noticed or had gone miss-ing. As a result, a compressor was started with a flange still open.
Various systems exist which should ensure that state-specific information is deliv-ered to the next operator at handover. Examples are shift change handover proce-dures, entries in the operation logbook, representation of valve status on displays and visualisation of bypass status on safety shutdown instruments and shutdown valves.
Prediction of accident frequencies due to lack of knowledge, therefore, involves an investigation of which systems are in use; whether the procedures such as handover briefings really work or have become just an empty routine and assessment of the
Communication Errors 157
reliability of the knowledge handover delivery process. It also requires an assess-ment of how often unusual states arise. As an example, the status of the systems at Piper Alpha had not been reported from one shift to the next; the shift operators never met. The first operator stated that he had left a note on the control panel, a decidedly nonstandard approach to hand over briefing.
The probability of accidents arising due to lack of plant state knowledge is there-fore the probability of the abnormal situation arising in the first place multiplied by the probability of failure of the handover procedure.
It is the shift supervisor, in the first instance, who needs the transfer of informa-tion. Following this, the information must be relayed to operators and maintenance technicians, who will actually effectuate decisions.
Typical abnormal situations which require to be noted are the following:
• Items performing abnormally
• Items of equipment being in a failed state
• Items locked out for maintenance
• Items opened for maintenance
• Items isolated, e.g. by blind flanges or spades
• Persons present in hazardous areas
Failure of verbal handover procedures arising because
• Management does not allow for time overlap between shifts
• Too much is happening; there is simply too much work and information to be transferred within the time available
• Handover procedures have become too relaxed, for example, after a long period in which there are no problems to communicate
• Simple oversight
Reading the operation log can compensate for lack of verbal communication. The extent to which this is possible depends on how well the operator writes, how much time is available at the end of shift and how much the senior operator or supervisor understands the needs of shift change replacement.
Providing formatted handover reports or fixed format operation logs has proved more effective than free-text reporting. Not everyone is capable of literary excellence at the end of a long shift and not everyone can remember all that needs to be said. A fixed format can alleviate the problem, providing spaces for all the kinds of informa-tion needed. It is much easier for a person to ‘fill in the blanks’ than to try to compose a complete and coherent text from scratch.
PERMIT TO WORK AS A SOURCE OF PLANT STATE KNOWLEDGE In many cases, PTW procedures and lockout–tag-out (LOTO) procedures provide a much better defence against accidents which arise due to lack of plant state knowl-edge. When designed properly, when PTW offices are properly staffed and where proper LOTO facilities are provided, the reliability of these is very high.
158 Human Error in Process Plant Design and Operations Of the failures of PTW procedures, the following cases give some idea of the distribution of causes of failure.
CASE HISTORY 14.3 Delays in Permit Can Cost Lives
Two contractors entered a vessel and started to remove internals for cleaning and replacement. They did this before the Health, Safety and Environment (HSE) inspector arrived, tested the atmosphere for oxygen content, flammable gas and hydrogen sulphide. The reason was their desire to ‘get on with the work’ and impatience with the HSE rules. The HSE inspector had been delayed because of the need to solve other problems arising elsewhere on the job. This incident was reported as a near miss.
CASE HISTORY 14.4 A Bad Response to Frustration (see also Case History 11.7)
Two labourers refused to carry out a job of clearing a blockage in the outlet of a hot solution tank until a proper HSE inspection had been made. The fore-man insisted they should go ahead, because production was stopped. The HSE inspector, after he arrived, approved the method of emptying the tank by pump-ing out from the top but did not approve any additional work until the tank emp-tied and arranged to return later to check the cleaning and the atmosphere in the tank before removing the manhole cover.
A few hours later, the one labourer was found dead, killed by the hot solu-tion, and the other was severely injured. Some of the manhole bolts had been removed; the others were ripped away by the liquid pressure. Either the main-tenance labourers had started to open the manhole cover before the tank was drained or possibly they had been doing ‘hot bolting’, that is, loosening bolts and then retightening them, to make later removal of the cover easier and faster. They were probably unaware of the unzipping phenomenon, which can occur when this is done on a large cover, due to the high stresses placed in single bolts. They were also probably unaware of the high force (about 2 tons) being exerted on the cover by the liquid in the tank. The actual cause of the accident is not known but impatience certainly played a part in setting up the circumstances for the accident and possibly some residual anger that the foreman had insisted on work being done before safety approval was achieved.
In about one-third of the installations audited for a company, work permits were found to have been signed without HSE inspectors visiting the work location. The reason for this was the lack of staffing. Inspectors were fully occupied in filling out PTW forms. While this ensured that the proper checks and procedures were documented, it did not ensure that the workplaces were safe. In other audits LOTO procedures are intended to ensure that electrical equipment, valves, etc., are locked
Communication Errors 159
in their safe position while people are exposed during maintenance. One of the most important features is that the people at risk keep the key.
LOTO procedures can fail if there is a single lock, and two persons are involved in carrying out independent tasks out of sight of each other. If one person completes his or her task but forgets or is unaware of the other, he or she will remove the lock and tag, with dangerous results. This problem can be overcome by providing individ-ual locking systems (one lock per person). There are some proprietary lock clamps which allow several locks to be closed, one for every person at risk.
Errors in which blind flanges and closed valves remain closed after maintenance can be prevented by completing ‘isolation lists’ in which each isolation measure is listed as it is put in place and is crossed off as it is removed. For large units, isolation cannot be carried out without error in the absence of such lists.
SAFEGUARDS AGAINST COMMUNICATION ERRORS
1. Establish one common language for operations and maintenance, and ensure that all have the necessary language competencies. If necessary, provide training. Issue certificates of competency.
2. Establish one nomenclature for the plant, including acronyms. Provide a lexicon of the plant terminology.
3. Make the language form used in radio communications formal. Identify all equipments by tag number and functional name.
4. Establish a procedure of confirmation of any instruction. The receiving per-son repeats back the order.
5. Do not make unconfirmed assumptions about the understanding of a com-munication. For new employees especially, confirm that instructions have not only been heard but also understood.
6. Give information about why a particular action is to be carried out. This helps field operators, for example, to understand the urgency, if any
6. Give information about why a particular action is to be carried out. This helps field operators, for example, to understand the urgency, if any