INCLUSION OF HUMAN FAILURE IN RISK ASSESSMENT

Transcription

1 INCLUSION OF HUMAN FAILURE IN RISK ASSESSMENT Alan G King ABB Engineering Services, Pavilion 9, Belasis Hall Technology Park, Billingham, Cleveland TS23 4YS, UK; Tel.: þ44 (0) , Fax: þ44 (0) , alan.g.king@gb.abb.com Management of chemical sites and facilities has an obligation to conduct the operations on the site in such a way as to ensure the safety of people and the environment. In many countries this obligation is a legal requirement. Within recent years a new standard IEC has been published. This standard and its derivative standards are providing clear guidelines for the use of electrical, electronic and programmable systems for functional safety. These standards are risk-based standards and they require the user of the standards to undertake some form of risk assessment. This risk assessment is to justify the choice of any instrumented protective functions and their required performance or safety integrity level. Within such risk assessment it is important to ensure that there is proper consideration of human factors and particularly the impact of human failures. This paper will address some of the aspects in which human factors impact upon the application of instrumented functional safety systems. It will specifically consider the hazard and risk analysis of event sequences leading to hazardous events and the ways for inclusion of human factors elements within such analysis. It will help users of IEC and related standards with the incorporation of human factors into their assessments and will conclude with some illustrative cases to show ways in which this can be done. BACKGROUND In recent years, two international standards have been published that have made a significant impact on the use and management of functional safety in the process industries. In 1998 and 2000 the standard IEC Functional safety of electrical/electronic/programmable electronic safety-related systems [1] was published and in 2003 a sector-specific version for the process industry, IEC 61511, was published under the title, Functional safety Safety instrumented systems for the process industry sector [2]. These two standards require that the user conduct some form of risk assessment and they represent the backdrop to this paper. The use of risk assessment is required for setting a required target failure measure and safety integrity level (SIL) for each safety instrumented function on a plant. The safety integrity levels then have implications on the design and ongoing management of the safety instrumented functions. This will include demonstration that the required safety integrity level is being achieved during the operational life of the plant. Both the standards quoted above require that human factors and possibility of human failure is included in the application of the standards. IEC states in relation to the consideration of hazardous events and the factors associated with them This shall include all relevant human factor issues 1. Also in IEC can be read For the preliminary hazard and risk analysis, the scope will comprise the Equipment under Control, the Equipment under Control control system and human factors 2. In a similar vein, IEC states that the Hazard and Risk Analysis shall result in,... a description of each identified hazardous event and the factors that contribute to it (including human errors) Later it indicates,... the specification of any action necessary to achieve or maintain a safe state in the event of fault(s) being detected in the Safety Instrumented System (SIS). Any such action shall be determined taking account of all relevant human factors; Whilst these standards require that human failure be taken into account in their application, the standards do not give much, if any, guidance on how this should be done. This paper presents an outline of how human failure may be taken into account when applying these standards within the process sector, with specific focus on the aspect of hazard and risk assessment. The approach described in this paper though it targets use in the process industry sector, the principles given may be applied to the application of these standards and other similar standards across all industry sectors. SCOPE This paper will begin by reviewing an appropriate model for human action leading to success or failure and the factors that influence the outcome. Provision of such a model is thought important for understanding and application of the latter part of the paper. This is followed by a review of the nature of hazardous event scenarios and the ways in which human interaction occurs during the different stages through which such scenarios progress. This provides a framework 1 Clause Table 1 Overall safety lifecycle: overview. See Scope statement for 3 Clause Hazard and Risk Analysis. 4 Clause #2007 ABB Engineering Services. Third parties have access for limited use and no right to copy and further. IChemE have intellectual property rights to make this paper available but ABB are the copyright owners. 1

2 Recognition Performance Shaping Factors Success Opportunity Action HEP Recovery Motivation Dependency System etc Error Feedback Failure Systematic Random Task Execution Figure 1. Task execution for discussion of the pluses and minuses of human interactions with the system. The paper concludes with a look at the specific issues associated with the inclusion of human failure in both SIL Determination (the setting of target failure measures and SIL for each safety instrumented function) and SIL Verification (the demonstration that the target failure measure and SIL are achieved). Some of what is contained in this paper may be familiar to you; however, it is hoped that the way in which the concepts are linked will provide fresh insight and understanding together with a robust approach to the issues raised. The paper is intended, not for human factors specialists, but for engineers who are involved in assessments for safety functions. ASSESSMENT OF HUMAN FAILURE The assessment of probability of human failure has been carried out for in some industry sectors for many decades as part of the creation of safety cases most notably in the nuclear sector; however, the process sector has been slow in many areas to adopt a similar approach. One key advantage of making assessment of human failure probability is that it allows some consideration of whether the nature of a task and the conditions under which it is to be carried out are sufficiently well thought through to allow the person carrying out the task to have a high enough probability of success. HUMAN ACTION MODEL There are many ways of thinking about human tasks and the actions taken by humans. For this paper, the model shown in Figure 1 contains the main elements to be considered. The first thing to notice is that the action is triggered by a combination of opportunity, recognition of that opportunity, and a decision to take the opportunity for action. The outcome of the action, success or failure, then depends on (a) the nature of the task and (b) the conditions under which the task is carried out. There may be an opportunity for error recovery, but this very much depends on the situation and is not to be relied on. The key measure of interest is the Human Error Probability (HEP), which is a measure of success or otherwise as the outcome of the task. HUMAN RELIABILITY Human Reliability is assessed as a probability. The human error probability (HEP) is defined by the following relationship: HEP ¼ Number of Errors Number of Opportunities for Error There are a large number of techniques 5 for assessing the magnitude of the error probability for a task, each claiming some benefits over previous techniques. It is not appropriate here to review the merits of the techniques but the reader is invited to consult one of the many books on the subject, such as that by Kirwan [3]. What is important to note, is that the nature of a specific task will determine the best level of reliability that might be achieved under ideal conditions with the most experienced well-trained person to do the task. The human error probability in this case may be referred to as the generic error probability for that type of task. Simple tasks are likely to have an inherently low error probability whereas tasks with a lot of diagnostic features, such as troubleshooting, will have a much higher inherent error probability. 5 Techniques such as: THERP, HEART, SLIM, APJ, CREAM, etc. 2

3 Tasks are not normally done under ideal conditions and some consideration needs to be given to the effect of what are referred to as Error Producing Conditions (EPCs) or Performance Shaping Factors (PSFs). These incorporate the effect of factors such as poor lighting, low temperatures, noisy environment, shortage of time, etc. The result of these is to change the human error probability to a larger value to reflect the non-ideal conditions for the task. The impact of these is also shown diagrammatically in Figure 1. Dependency is also a consideration regarding the error probability for a specific task context. If the task in question follows another task, then the appropriate probability for error for the task in question may be influenced significantly by error during the earlier task. This is an important but difficult area more discussion in Section 5. HAZARDOUS EVENT SCENARIOS In this paper, the scope of hazardous event scenarios will be limited to those where safety instrumented functions are operating in what is known as low demand mode. In process industry terms, these safety instrumented functions are trip functions not control functions. However, the same principles can be applied to safety control functions. A hazardous event scenario can be seen as a sequence comprising of three features (Figure 2): (a) a hazardous event, (b) an initiating cause(s) or causal failure(s) and (c) the safety function. The safety function is defined as one which is intended to achieve or maintain a safe state for the process, with respect to a specific hazardous event 6. Four types of human interaction with this sequence are shown in Figure 3. The safety function here represents a safety instrumented function. The first of these labelled HF1 is associated with causal failures. These are the human actions or failures that can lead to a demand on the safety function. It should be remembered that in addition to the human sources of demand, there are likely to be other causal failures, which will be related to equipment or other hardware. However, it is the human causal failures that are most easily overlooked. The second of these labelled HF2 is associated with human actions that prevent a causal failure from creating a demand on the safety function. The success of this form of human interaction with the system is highly dependent on the time available for action, as well as other critical Causal Failures Demand 6 IEC Clause Safety Function Failure Figure 2. event scenario Event HF1 Actions causing a demand on the safety function Causal Failures HF2 Action to reduce the demand rate on the safety function E.g. s Demand HF3 Testing and Maintenance of Safety Function (E.g. Errors increasing the failure probability) Safety Function Failure HF4 Action to mitigate the escalation of the hazardous event Event Figure 3. Sequence showing human interactions factors. Over optimistic claims for the success of this type of action often occurs in analysis. The third type of interaction labelled HF3 is one that is often overlooked entirely. It relates to those actions whose success or failure determines the state of the safety function. Typical examples would be repair and maintenance activities and include routine periodic testing and calibration. The interaction shown as HF4 corresponds to those mitigating actions which can occur after the failure of the safety function but are able to reduce the impact of the hazardous event. As with those labelled HF2, time available and pre-planning are essential elements for successful action at this stage. Of these four types of human interaction, three (HF1, HF2, HF4) are associated with SIL Determination and one (HF3) is associated with SIL Verification. SIL DETERMINATION & SIL VERIFICATION This next section looks at the implications for both SIL Determination and SIL Verification in terms of how to include the impact of human interactions. SIL DETERMINATION SIL Determination is the task of setting a target safety integrity level and may include setting a target average probability of failure on demand (PFDavg) for the safety function. It is essentially looking at the necessary risk reduction required from the safety function in order to achieve a sufficiently low or tolerable level of risk. For SIL Determination, there is some guidance in both IEC and in IEC In IEC it is found in Part 5 and in IEC it is in Part 3. Within each of these, there are examples of a number of different methods for SIL Determination. This paper is not going to describe each method in detail; all essentially follow the same initial steps: (1) List Events of concern with their potential consequences, (2) Take each hazardous event in turn and identify the initiating causes, (3) For each initiating cause identify the specific protection features against the hazardous event. To include the aspects of human failure in the SIL Determination, it is necessary to identify the key human tasks where error would make the hazardous event more likely. These form a critical task list. It must cover all the modes of operation of the equipment or process, and each 3

4 Normal operation Start-up Shut-down Abnormal Emergency Maintenance Table 1. Critical task identification table Control functions responses Safety function interactions Mitigation measures of the types of interaction. This is represented systematically in Table 1. Each box in the table is discussed by the SIL Determination Team and all the critical tasks identified are listed in the appropriate box. For some tasks, the assessment of the human error probability may be possible for the task as a whole. For other tasks, it may be more appropriate to undertake some form of task analysis or human Hazop to pinpoint the critical step or steps in the task and assess the error probability for those steps. For example, a control task may be described as storage tank filling. However, the more detailed description resulting from task analysis may result in: (1) Start transfer into a storage tank A when request received from production, (2) Monitor the increase in level, and (3) Stop the transfer when the tank level reaches 80%. In terms, of a hazardous event of tank overflow, the third step is the critical one. Though in particular circumstances, there may be features of the first two that could contribute to overflow. It is then necessary, having identified a critical task or key step within the task, to assess the probability of failure the human error probability (HEP). This will involve the assignment of a generic task failure probability as well as consideration of the performance shaping factors that make the error more likely under the real conditions for the task. For HF2 tasks and HF4 tasks, the human error probability is used directly. For HF1 tasks, it is necessary to know the frequency of opportunity for the relevant error and to combine this frequency with the error probability. For example, if a storage transfer is carried out once a week (52/yr) and the error probability has been assessed as 0.01 then the frequency of demand on any relevant safety instrumented protective function would be ¼ 0.52/yr. This approach can be used for any of the SIL Determination Methods 7. However, the important aspect is to ensure that in assessing the human error probability account is taken of potential dependency between successive human tasks. Consider the following example in Figure 4. The task involves the control and monitoring of the level in the tank during filling using the Level Indication (LI) in the control room. Failure to stop the level at 80% would then place a demand on the high-high level trip function. The human task is an HF1 type of task and is essentially independent from the trip function (ignoring in this discussion any dependent failure between sensors or between valves). The human failure may result from problems arising from a conflict with other responsibilities in the control room that distract the operator s attention. It may seem a good move to provide an additional feature a high level alarm (LAH) also in the control room see Figure 5. Though this may seem to be an improvement, it is reliant on the operator to a similar degree to the level monitoring task. Any assessment of the probability of failure to respond to the alarm must take into account that the situation in which it is needed is one in which the operator has already failed to monitor the level and stop the flow at a level in the tank of 80%. Such an assessment opens up discussion of a number of important features. The operator may have problems with the level monitoring task because he is required to perform other duties which take him away from the control display. If these duties take him outside the control room area, then the alarm may not be of much additional value. Indeed, if the trip is regarded as part of the normal means of stopping the flow at an appropriate level, then it could become custom and practice to allow the level to be stopped at 95% by the trip. The alarm would be merely an indication that the trip would be imminent. In terms of the operator action, the normal response to reaching 80% level should be to close the control valve. If the valve does not close, even though the operator has performed the action, and the alarm operates at 90% level, what is the operator to do? The action in response to the alarm would be to close the control valve but this has clearly not worked as the level has risen to 90%. Manual triggering the high-high level trip would be the natural operator response in these circumstances. This would only be effective if the trip action is in a working state and would have been able to stop the flow at 95% anyway. Thus, it is clear that the operator response to the alarm is either not independent from the control function or not independent from the trip function. It is therefore quite demanding to make a good assessment of the probability of failure of a human action following the failure of some other action. It needs detailed consideration of the scenario and asking the question as to what of the equipment is working and what may have failed, what deductions the operator may make as to the actions to required. Figure 6 shows two of the initiating causes for the tank-overfilling event 8 and the risk reduction from the high level alarm and the high-high level trip. However, in the light of the preceding discussion it is clear that, as shown, this is likely to be optimistic if the probability of 7 Methods such as Fault Tree Analysis (FTA), Layer of Protection Analysis (LOPA), Event Tree Analysis (ETA) etc. 8 Note: there are a number of other causal failures that give rise to the same event and are not shown in the diagram for clarity. 4

5 95% LZHH Manual Control Trip LI Monitoring Level Figure 4. Tank filling 95% LZHH High Level 90% LAH Manual Control Trip LI Monitoring Level Figure 5. Tank filling with alarm function no response to the alarm is assessed in isolation. A more conservative and realistic approach would be to take no credit for the human response to the alarm in relation to the human failure, only claiming credit for the response to the alarm when related to the failure of the level indicator. This is shown in Figure 7. The same issues arise when considering risk reduction from HF4 actions. It should be noted that there are ways of addressing the issues of dependency between human tasks and assessing the conditional probability of failure of one task after failure of another task, but this is a level of complexity that is best avoided in SIL Determination, if possible. SIL VERIFICATION In Part 6 of IEC there are a number of equations for calculation of the average probability of failure on demand for a safety instrumented function. There are different equations for different types of architecture: single channel, dual channel (1oo2 voting), dual channel (2oo2 voting) etc. In practice, many people use some simpler equations for these calculations such as those in TR Part 2 9 [4]. Whilst the complex equations in IEC take many factors into account, they do not include direct consideration of human failure. The equations assume that all repairs are perfect, all calibration and maintenance is error free, and a safety function that is said to pass a proof test is actually in a fully functional state at the end of the testing task. In most of these tasks, there will be only one or two steps, which if omitted or done incorrectly would leave the 9 ISA Technical Report: Safety Instrumented Systems SIL Evaluation Techniques Part 2: Determining the Safety Integrity Level of a Safety Instrumented System via Simplified Equations. 5

6 Monitoring Level incorrect low reading operator to monitor level and stop flow at 80% level (HF1) Operator response to High Level (HF2) Action Event: Overfilling Figure 6. Optimistic risk reduction measures involving human actions Monitoring Level incorrect low reading operator to monitor level and stop flow at 80% level (HF1) Operator response to High Level (HF2) Action Event: Overfilling Figure 7. More conservative risk reduction involving human actions safety function or part of it in a non-functioning state. These are usually simple steps such as opening an isolation valve between the sensor and the process. With good procedures and training, the human error probability for such may be found in the range from to Consider for the moment a single channel pressure trip safety instrumented function (Figure 8). This sort of safety function would be expected to have a PFDavg in the range for SIL 1 10, such as It can be seen that the probability of error in leaving the isolation valve closed at the end 10 Range of probability from 0.1 to 0.01 of the test or calibration task is small compared with the overall PFDavg for the safety function. Omitting consideration of human failure for SIL 1 functions is probably not going to be significant. However, for SIL 2 functions where the target PFDavg may be of the order of then the additional probability of the safety function being in a non-functioning state due to human failure, becomes highly significant. For SIL 3 safety functions, the human failure element could, in some situations, totally dominate over consideration of the hardware failures. Without proper thought and design of the arrangements for human interaction with the function, 6

7 Manual Isolation PZH Pressure Switch Sensor Logic Solver Trip Figure 8. Single channel pressure trip a site with what are claimed to be SIL 3 safety functions, could be only achieving SIL 2. In general, we have for a safety instrumented function: Calculated Overall PFDavg ¼ Hardware þ PFDavg Probability that human failure has left the safety function in a nonfunctioning state Design of human interactions with safety functions so as to minimise the impact of human failure on the performance of the safety function becomes increasingly important at the higher integrity levels. Without such, it is highly likely that higher safety integrity levels will not be achieved. CONCLUSIONS The impact of human failure is not well understood when it comes to the management of safety instrumented functions under IEC or IEC The proper inclusion of human failure in risk assessment for SIL Determination and SIL Verification is important. Without it, the actual level of risk will be higher, in many cases significantly higher, than the level intended by those responsible for managing risk across the site. The benefit from consideration of human failure in relation to functional safety is not only better management of risk, but also a better understanding of the factors that influence human performance on the site. ACKNOWLEDGEMENTS The author would like to acknowledge the many conversations with colleagues that have helped in the formulation of the ideas put forward in this paper. The author has also been working with Ned Hickling of Vectra to put this and other aspects of human failure assessment into a guidance document for wider publication. It is hoped that this guidance will be available in the not too distant future. REFERENCES 1. IEC 61508: Functional safety of electrical/electronic/programmable electronic safety-related systems, International Electrotechnical Commission, Geneva, 1998 & IEC 61511: Functional safety Safety instrumented systems for the process industry sector, International Electrotechnical Commission, Geneva, Kirwan, B, A Guide to Practical Human Reliability Assessment, Taylor & Francis, TR : Safety Instrumented Systems Safety Integrity Level Evaluation Techniques, Draft Version 4, 1998, Instrument Society of America. 7