OPERATOR ABSENCE

One cause of operational input being overlooked is that of the operator simply being absent. Case History 1.2 in Chapter 1 is of this type. There are others.

CASE HISTORY 3.1 Absence from the Work Location

A tank truck driver started filling his tank truck with gasoline. Since it would take a long time, he left the filling and went to the smoking room. He stayed too long, and the tank truck overflowed. The gasoline caught fire and the loading racks burnt down.

CASE HISTORY 3.2 Absence from the Work Location—Another Case An operator was to drain water to an open drain from a waste oil tank. The draining would take some time, so he went to the smoking room after opening the valve. By the time he returned, about 5 cubic metres of oil had drained to the water-treatment plant, allowing oil to overflow to the fjord and requiring a com-plete plant shutdown.

26 Human Error in Process Plant Design and Operations

CASE HISTORY 3.3 Yet Another Absence from the Work Location A ship traffic controller in a vessel traffic services centre was absent from the observation radar in order to clean a few cups. During this time, a ship with the mate asleep at the helm missed a waypoint and sailed into a bridge. About 50% of the bridge width was lost. Ironically, the vessel traffic services centre had been designed in part on the basis of the mate falling asleep at the helm at just the waypoint concerned. Even more ironically, the automatic collision- prediction function of the radar, which would have prevented the accident, had not been implemented because of cost and because the probability of overlook-ing the collision potential on the radar had been considered to be low.

In plants with a few personnel, with just one board operator, the operator may be absent for a short period to make coffee or tea or visit the toilet.

E^rror-r^Eduction M^EasurEsfor a^bsEncEfroM W^ork L^ocation

Long operations in which the operator is required to stand and wait should be avoided. If such steps are necessary, a rest area should be provided in which the operator can sit and still observe the operation. In warm countries the location should be shaded, and in cold countries shelter should be provided from cold. Steps should be taken to ensure that the task is interesting, or some kind of alarm should be provided to arouse or call the operator.

HINDRANCE

Operators are sometimes hindered from performing their job by physical obstruction.

Locked doors, materials set down in access ways and materials not removed due to poor housekeeping are all examples. In one case a supervisor checking completion of instrumentation work before giving permission for start-up was unable to check some items because scaffolding had not been removed and was hiding the equipment. Even worse, the ladders had been removed so that he could not climb to make the inspection.

In some cases it is difficult or even impossible for the operator to react to a situa-tion because of the physical hindrances built into the plant. One example is that of a valve located high on a plant with no access ladder or stairs.

More frequently in accidents it is fire, smoke or explosion that prevents an opera-tor responding.

CASE HISTORY 3.4 Prevention of Action by Fire

In the Piper Alpha accident of 1988 [1], operators were not able to coordinate the response because the control room was damaged by the explosion. Also, person-nel could not activate standby fire pumps because of the fire. Two persons who put on protective clothing and breathing apparatuses and went to start the pumps were never seen again.

Hindrances and Inability to Function 27

Obstructions due to poor storage and housekeeping can prevent operator response in an emergency.

CASE HISTORY 3.5 Work Hindered by Laying down of Materials In an audit survey on a large gas plant, five of the fire water monitors which would be needed in case of fire were obstructed by piles of materials stored and made ready for the next major maintenance.

INCAPACITATION

Operators may be unable to undertake a task or respond to an alarm because they are dead or ill. Equally, they may be asleep or intoxicated.

Death is one form of incapacitation and has quite a high probability when com-pared with other causes of an operator failing to function. In the relevant age group and job class, the probability of fatality is about .025 per year (in the countries stud-ied). This gives a failure frequency of about 2.5 × 10⁻⁶ per hour, which is comparable with many high-quality plant components. It corresponds to a failure rate of 5 × 10⁻³ per year while actually working, which is significant when compared with other error frequencies (see Chapter 19). No good data could be obtained for the frequency of collapse due to illness in the appropriate groups, but from health records and unsystematic observation, the frequency of incapacitating illness seems to be two to three times higher than the fatality rate due to nonwork causes.

E^rror-r^Eduction M^EasurEsfor incapacitation

The possibility of death or illness is one of the primary arguments for the provision of dual staffing for a lightly loaded control room job. The buddy system is a similar requirement in many companies for operations in the field.

Another possibility is the provision of devices similar to the dead man’s handle used in rail and public transport, which ensure a fail-safe action unless the person is able to respond. A similar concept is to provide check-in points, with swipe cards, for persons making plant inspection tours. One of the most effective recent innova-tions is the provision of wireless monitoring of operator and other personnel location.

Personnel-monitoring systems can also be provided with some vital signs monitor-ing. While these are generally provided for ensuring operator safety and for rescue in accident situations, they also provide a degree of security for the plant as well.

For the problem of intoxication there are many measures for limiting its probabil-ity, which in some cases is required by law. These measures include strict prohibition of intoxicating substances and in some cases periodic or random blood or urine tests.

DISTRACTION

Distraction is one of the causes of failing to detect signals or observations, which should lead to operator intervention. Distraction can take many forms.

28 Human Error in Process Plant Design and Operations Talking on the telephone represents a form of distraction.

CASE HISTORY 3.6 Distraction by the Boss

An operator was discussing with his supervisor the need to replace a con-trol valve. It would require a complete plant shutdown unless the valve could be bypassed and the flow controlled manually. The discussion was serious because the shutdown would mean that production targets could not be met, but manual control would be difficult and would require an additional operator to be brought in.

During this discussion, a high-level alarm occurred on one of the distillation columns for which the operator was responsible. It took some time for the opera-tor to notice the alarm and to disengage from the discussion. By this time the lower trays in the distillation column were flooded, causing some damage. The plant shut down at a high level, but the shutdown was a little too late to avoid damage because of a set point error.

Other forms of distraction are discussions taking place in the control room, visi-tors and incidents taking place in other parts of the plant and dealt with by other operators.

E^rror-r^Eduction M^EasurEsfor d^istraction

A culture which allows the operator to focus on the job and discourages interruptions is necessary for safety. Supervisors must avoid involving panel operators in lengthy discussions, as should others. When control panel activity is low, operators need to be able to talk to others or to do something else such as filling out the operators log or reading the newspaper. It is preferable, though, to design the operator’s job so that there is enough happening to maintain interest. If this cannot be done, all upset conditions must be provided with audible and visual alarms.