The first processor in the SRK model of the operator is observation of input.
The failure modes identified by analysis of the model in Chapter 2 are:
• Input overlooked or not seen due to the following:
  • Input not visible
  • Input badly placed on display
  • Information hidden deep in a hierarchy of display screens
  • Input not part of the operator's habitual monitoring pattern
• Input too complex to process
• Ambiguous input
• Misrecognition of input
• Failure of alarms, indicators or annunciations
POTENTIAL OPERATIONAL INPUT OVERLOOKED
Input needed by the operator can be available in principle but not be visible to him. One classic example in a nuclear plant is that of an alarm which was mounted on the rear of a row of control cabinets. Another is that of an alarm lamp which was obscured by a hanging label on which was written a note that another alarm lamp was nonoperational.
In modern practice of control room design, workstations show a plant mimic diagram, usually with several levels of display, so that the operator can zoom in on a detailed presentation of a particular plant unit. Each operator typically has two display screens available, one which remains most of the time with the overall display, including alarm indications, and one which focuses on the most critical operating parameters. The operator can usually switch very rapidly between screens and can show alarm lists and trend curves as well as mimic diagrams.
One of the problems with this kind of arrangement is that much of the information needed by the operators is not continually displayed (Figure 4.1). They may switch quickly to the necessary display screen or ‘page’ but will only do this if they are performing a periodic browsing, are investigating a possibly minor disturbance or are responding to an annunciation or alarm. Alarms make the operators aware that there is something to investigate. If they are already in the process of responding to another alarm, the information may be effectively invisible. If there are many alarms, it becomes difficult to follow what is happening (see Chapter 21).
COMPLEX OR UNRECOGNISABLE INPUT
The complexity of inputs can cause operators to mistake equipment or misunderstand a situation. Their capacity to respond correctly depends on the degree of complexity and on experience with the actual equipment.
32 Human Error in Process Plant Design and Operations
ERROR-REDUCTION MEASURES
Clear layout, good spacing and good labelling in the plant all contribute to good recognition. Clear and readable information on the control panel and the display screen contributes to good recognition in the control room, as do uncluttered display layout and standardised location of names, process variable displays, alarms and display screen navigation aids. Proper correspondence between control panel and plant labels is critical to proper understanding.
Names should be chosen carefully. ‘Local’ names for equipment should be avoided, but if there is a strong local naming tradition, designers should be made to follow it. They should not impose their own names onto equipment which are different from those widely used in the plant.
AMBIGUITY AND MISLEADING SIGNALS
Signals coming to the operator can be ambiguous, with the same indication arising in a case with several possible causes. An example is low pressure in a pipeline, which can arise from a failing pump or from a large leak. Another is a low temperature in a reactor, which can arise from a failure in the heating supply or can arise from a lack of catalyst. In the second case, increasing the flow of heating steam can be catastrophic, because if the reaction ignites at a high temperature, the reaction may run away.
FIGURE 4.1 A modern take on the case of the alarm lamp covered by a label, in this case by a Windows™ dialogue box.
In the Texas City accident of 2005, the level indication of the distillation column indicated that the level was high, enough for liquid to reach the lower tray of the column, but did not show that the column had filled. The indication was directly misleading. Figure 4.2 shows a similar problem, common on many plants.
MISLEARNING
When deciding the importance of a process parameter, the operator needs to refer to a reference value. If this value is learned wrongly, the operation will be in error.
FIGURE 4.2 The board operator viewed this screen, which provided information on the raffinate product leaving the unit but not on the liquid being added to the unit. Also, the indication of level in the column was misleading. (Courtesy of U.S. Chemical Safety Board, Washington, DC.) [Annotation in figure: level indications show the bottom of the vessel full, while the actual level can be much higher.]
Alarms have also been involved in erroneous learning. If operators observe that an alarm has no particular significance, they may ignore it. If the operation is successful, this can then be built into the informal operating procedures. This happened at the Texas City accident of 2005, where operators were used to the level alarm for the distillation column being activated during plant start-up and ignored it.
FAILURES OF INSTRUMENTS AND ALARMS
Level-sensing instruments in particular have contributed to, or directly caused, many accidents. The Texas City Refinery accident in 2005 [1,2], the Milford Haven Refinery accident in 1994 [3] and the Three Mile Island nuclear power plant accident in 1979 [4] (Table 9.1) were all cases where stuck or limited level sensors caused extensive effects leading to major accidents but continued to indicate that at least the liquid level was OK.
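The stuck-sensor failure mode above (a level indication that stays 'OK' while inventory keeps rising) can be caught by an independent plausibility check: compare the change in indicated level against the change predicted by a flow mass balance. The following is an added illustration, not code from the book; the vessel span, flows and trend values are constructed sample data.

```python
"""Plausibility check of a level indication against a flow mass balance.

Added illustration (not from the book). A frozen level transmitter keeps
reporting the same value while inflow exceeds outflow, so the inventory
change predicted from the flow meters diverges from the indicated change.
All vessel sizes, flows and readings below are constructed sample values.
"""
from dataclasses import dataclass


@dataclass
class Sample:
    t_min: float       # time since start, minutes
    level_pct: float   # indicated level, percent of transmitter span
    q_in: float        # inflow, m3/min
    q_out: float       # outflow, m3/min


def expected_level_change(samples, span_m3):
    """Integrate (inflow - outflow) with the trapezoid rule and express
    the result as a percentage of the vessel span (constructed size)."""
    vol = 0.0
    for a, b in zip(samples, samples[1:]):
        dt = b.t_min - a.t_min
        vol += 0.5 * ((a.q_in - a.q_out) + (b.q_in - b.q_out)) * dt
    return 100.0 * vol / span_m3


def level_indication_suspect(samples, span_m3, tol_pct=5.0):
    """Return (suspect, expected_change_pct, indicated_change_pct).

    The indication is flagged when the mass balance predicts a change that
    differs from the indicated change by more than tol_pct of span. A stuck
    sensor shows up as indicated change ~ 0 while the expected change grows.
    """
    expected = expected_level_change(samples, span_m3)
    indicated = samples[-1].level_pct - samples[0].level_pct
    return abs(expected - indicated) > tol_pct, expected, indicated


SPAN_M3 = 200.0  # constructed vessel volume over the transmitter span
# Constructed trend: net inflow of 3 m3/min for 30 minutes (1.5 % of span
# per minute), but the transmitter reports 20 % throughout.
STUCK_TREND = [Sample(t, 20.0, 4.0, 1.0) for t in range(0, 31, 5)]
# Constructed trend: same flows, transmitter tracking the rising inventory.
HEALTHY_TREND = [Sample(t, 20.0 + 1.5 * t, 4.0, 1.0) for t in range(0, 31, 5)]

if __name__ == "__main__":
    for name, trend in (("stuck", STUCK_TREND), ("healthy", HEALTHY_TREND)):
        suspect, exp, ind = level_indication_suspect(trend, SPAN_M3)
        print(f"{name}: expected {exp:+.1f} %, indicated {ind:+.1f} %, suspect={suspect}")
```

Such a check does not replace a working transmitter, but it gives the operator an independent signal that the displayed level cannot be trusted, which is exactly what was missing in the cases cited above.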
REFERENCES
1. Chemical Safety Board, Investigation Report: Refinery Explosion and Fire, BP Texas City, March 23, 2005.
2. The Baker Panel, “The Report of the BP U.S. Refineries Independent Safety Review Panel,” 2007, Washington, DC.
3. UK HSE, The explosion and fires at the Texaco Refinery, Milford Haven. 24th July 1994, www.hse.gov.uk.
4. M. Rogovin, Three Mile Island: A Report to the Commissioners and to the Public, Nuclear Regulatory Commission, Special Inquiry Group, 1980.