
Safety Science 51 (2013) 319–327


A framework for human error analysis of offshore evacuations


T. Deacon a,*, P.R. Amyotte a, F.I. Khan b, S. MacKinnon b

a Department of Process Engineering & Applied Science, Dalhousie University, Halifax, NS, Canada
b Faculty of Engineering & Applied Science, Memorial University, St. John's, NL, Canada

Article info

Article history:
Received 27 August 2010
Received in revised form 16 May 2012
Accepted 29 July 2012
Available online 5 September 2012

Keywords:
Human factors
Offshore emergencies
Risk analysis

Abstract

A framework is presented to identify and evaluate the risks of human error for critical steps in the escape, evacuation and rescue (EER) process on offshore installations. A combination of expert judgment techniques and major incident investigations from industry were used to evaluate the risk for the evacuation stage. Risk reduction is also included in this framework via a separate risk assessment technique. Dependency and overall time to complete the EER process were not analyzed in this work. Further research should be focused on some of the potential safety barriers identified in the framework so that they may be effectively incorporated in the risk reduction stage. © 2012 Elsevier Ltd. All rights reserved.

Abbreviations: ALARP, as low as reasonably practicable; ARAMIS, Accidental risk assessment methodology for industries; EER, escape, evacuation and rescue; EPC, error producing condition; FRC, Fast-Rescue Craft; GEP, generic error probability; HAZOP, hazard and operability study; HEART, human error assessment and reduction technique; HEP, human error probability; HRA, human reliability analysis; HTA, hierarchical task analysis; LC, level of confidence; OIM, offshore installation manager; OSC, on-scene commander; POB, personnel on board; QRA, quantitative risk assessment; SAR, search and rescue; SBV, stand-by vessel; SLIM, success likelihood index methodology; TEMPSC, totally enclosed motor-propelled survival craft; TSR, temporary safe refuge.
* Corresponding author. E-mail address: tdeacon@dal.ca (T. Deacon).
0925-7535/$ - see front matter © 2012 Elsevier Ltd. All rights reserved. http://dx.doi.org/10.1016/j.ssci.2012.07.005

1. Introduction

Human beings make errors. When these errors are made in one of the world's harshest work environments, the consequences can be devastating. The risk of human error can be significantly lowered, but only by acting on the belief that human errors are rooted in the science of human factors. Essentially, this means that we must design our workplaces and their attendant procedures with the actions of human beings foremost in our minds. This requirement is arguably at its most critical level during emergency situations when the potential for human error and the severity of the possible consequences are at their greatest.

The research reported here is aimed at enhancing the safety of offshore oil and gas operations in Atlantic Canada and eventually worldwide. The scope of the research is emergency scenarios which necessitate taking action to ensure successful personnel evacuation, survival and rescue in response to various initiating events. This is part of the three phases of the emergency escape, evacuation and rescue (EER) process. While certain events may only require escape, or egress to a muster station, the scope of the current work is limited to initiating events that lead to evacuation from the facility. The focal point of the research is the quantitative determination of the risk of human error during these emergency actions, as well as the reduction of the risk through introduction of safety measures.

Previous research has resulted in a quantitative framework for the escape phase for initiators that require escape, or egress (DiMattia, 2004; Deacon et al., 2010). The current work presents an analysis of the evacuation phase with an introduction to the rescue phase. The evacuation and rescue analysis is partially presented in Deacon et al. (2010a).

The end-result of the research is an engineering tool designed to employ expert judgment and human reliability data in making objective decisions from a human factor perspective. A list of the steps that personnel must complete during the evacuation and rescue phases has been developed. The probabilities of human error for each of the steps for the evacuation phase have been evaluated. Also, an analysis of the consequences of human error during the evacuation phase has been developed to show failure modes, potential consequences and their severities and a hierarchical view of useful safety measures. The introduction of the hierarchy of controls was aimed at improving the focus of risk assessment and reduction on offshore facilities, as recommended by Gurpreet and Kirwan (1998).

The fundamental knowledge gap addressed by the current work lies in the field of human error assessment, which is a recognized component of modern safety management systems as explained by Amyotte et al. (2007). Human error assessment has become increasingly important in industry and is a growing area of concern for the public and for regulators. Quantification of human error is therefore an essential although challenging undertaking. What is required is a scientifically rigorous method of determining probability data for human error, such that objectivity is brought to an otherwise potentially subjective process (Amyotte et al., 2007).


Deacon (2010) has reviewed several methods for estimating human error probabilities including the success likelihood index methodology (SLIM), technique for human error rate prediction (THERP), and human error assessment and reduction technique (HEART). These expert judgement techniques remain relevant because of a lack of empirical data on human error; HEART was selected as an appropriate method in the current work for reasons given in the following section on methodology.

The escape phase of EER, evaluated in Deacon et al. (2010), is defined as the period from the time of the initiating event (collision, man overboard, hydrocarbon release, severe list, etc.) to the time of registration at the muster station, or temporary safe refuge (TSR). The evacuation phase, evaluated in the current work, begins upon decision of the offshore installation manager (OIM) to evacuate, or upon any individual decision to evacuate the platform. It ends when the individual in question achieves reasonable distance from the platform. The rescue phase is identified as the period of retrieval of individuals from the installation, evacuation equipment or the sea. It is helpful to note that these phases can experience an overlap. For example, rescue operations may retrieve individuals from a sea evacuation before they have had a chance to achieve a reasonable distance from the installation.

The tasks involved in the risk assessment and reduction methodology described herein are as follows:

1. Task analysis.
2. Scenario identification.
3. Human error probability calculation.
4. Consequence severity evaluation.
5. Procedural hazard and operability study (HAZOP) of steps.
6. Determination of tolerability of risk via risk matrix.
7. Evaluation of required reliability via risk graph.
8. Selection and evaluation of safety barriers.
9. Bow-tie analysis.

The tasks are shown as a flowchart in Fig. 1.

2. Methodology

This section provides a description of the research methods used to develop the risk assessment framework illustrated in Fig. 1. Best-practice and best-available scientific methods were employed to assess the risk of human error. Noting that risk is of course composed of likelihood of occurrence and severity of consequences, this means that appropriate methodologies were required for both risk components. In the current work, the research methods included the human error assessment and reduction technique (HEART) to estimate likelihood of occurrence, and the use of historical data to estimate consequence severity. Additional concepts employed were hazard and operability (HAZOP) studies, a risk matrix, the as low as reasonably practicable (ALARP) principle, the accidental risk assessment methodology for industries (ARAMIS) technique, and bow-tie analysis incorporating both fault and event trees as well as prevention and mitigation barriers. The tasks outlined in Fig. 1 are explained further.

2.1. Task and scenario analysis

The first task of the framework is to break the main goal into the more detailed steps required to achieve this goal. The second task is to identify a range of emergency situations and choose reference scenarios that encompass this range.

2.1.1. Task analysis

Task analysis is the identification of the steps that personnel on board (POB) must complete during an emergency. This was done through hierarchical task analysis (HTA). In HTA, the main goals are identified and broken down into smaller steps. In the current work, the main goals were:

• Escape danger (escape or muster phase).
• Evacuate installation (evacuation phase, focal point of current work).
• Rescue POB (rescue phase).

These phases were further divided into steps that can be evaluated from a human performance perspective. The steps give greater detail about the main goals and can be evaluated in terms of risk. The probability of human error and plausible consequences can be identified for each step. Safety measures, herein referred to as safety barriers, that reduce the risk for individual steps can also be identified. The probability of human error, combined with the probability of failure on demand for the individual safety barriers, is the probability of failure on demand for a specific step.

2.1.2. Scenario identification

Once the emergency steps are identified, a set of emergency scenarios representing a wide range of plausible situations must be defined. These scenarios include information on error producing conditions (EPCs). EPCs are factors that influence the probability of human error for any given step. Examples include operator experience, noise level, time of day and individual stress level.

2.2. Human error probability calculation

The most accurate method to determine HEPs is to identify the number of times a failure has occurred while performing the EER step in question and divide it by the total number of times the step has been performed. Unfortunately, data does not exist to this extent. HEPs are therefore often determined using expert judgment techniques. Evacuation HEPs are discussed. Rescue phase HEPs are not explored in the current work.

Evacuation HEPs were evaluated using the human error assessment and reduction technique (HEART). HEART is an expert judgment technique that relies on the knowledge and experience of the assessor in relation to evaluated actions. It is designed to be used on an individual basis to determine HEPs (Williams, 1992). The single-assessor approach to HEART offers an efficiency of resources in comparison to other widely used techniques.

Expert judgment in HEART occurs across three stages. First, the generic error probability (GEP) of a step is determined. This is the probability that a human error will occur given perfect conditions (i.e. no influence of EPCs), or the basic error probability inherent to the step in question. Eight qualitative descriptions of basic actions are each associated with a quantitative GEP value. The assessor chooses which of these basic actions the step in question falls under in order to identify the GEP value. Second, relevant EPCs are chosen from a list of 17 possible EPCs in HEART. These are internal and external factors that may increase the probability of error (stress, noise level, experience, etc.) for the step in question. These EPCs have an associated maximum effect on the probability of error. Finally, the percentage of the maximum effect of the EPC is chosen. This is the weight that the EPC will have on the step, based on the identified scenario. The latter two stages combine to determine the overall effect of the EPCs on the GEP. The potential exists for different assessors to choose different paths in the use of the technique; however, Kirwan (1997) notes that different paths can ultimately lead to similar HEP values for a given action.

The inclusion of EPCs allows for risk assessment of a specific work site and situation. The use of generic data is a common pitfall in risk assessment. If a generic risk assessment is performed, efforts must be made to ensure that the assessment encompasses all hazards of each site and job of the facility. Also, generic assessments must be validated (Gadd et al., 2004). While generic assessments can be used as a preliminary study of risk, the framework presented in Fig. 1 is designed to be site-specific.

Fig. 1. Flowchart of risk assessment framework (HEP, human error probability; ALARP, as low as reasonably practicable; LC, level of confidence).

2.3. Consequence analysis

Risk is a function of the probability of failure on demand and the consequences of failure. Along with the HEPs for each step, the consequences of human error must be identified by their level of severity. Two types of analysis are presented: a consequence analysis, for use with HEPs to determine tolerability of risk, and a procedural HAZOP to determine how errors may occur and to aid in choosing proper risk reduction measures.

2.3.1. Consequence severity evaluation

The lack of human error data on offshore emergency drills prevents a quantitative consequence analysis. Investigation reports from major incidents provided the data for consequence analysis in the current work. A study released by the UK Health and Safety Executive (Kennedy, 1993) also provided consequence data. In the evacuation phase, distance has been achieved between the EER initiator and personnel, making the immediate danger the sea itself. Thus, consequence severities are identical for each evacuation scenario. Consequences are evaluated on a severity level from 1 to 4, with 1 indicating the lowest and 4 indicating the highest severity.

2.3.2. Procedural HAZOP of steps

A validation exercise was performed by Kirwan (1997) using HEART to assess the HEPs for 10 tasks. It was determined that different expert judges can arrive at similar HEPs using different GEP/EPC combinations. This observation shows that while the overall HEP is determined, the HEP assessment itself does not provide enough information for a fault tree (Kirwan, 1997). A procedural hazard and operability study (HAZOP) is required to ensure that all failure modes for each step are identified.

A procedural HAZOP was performed for each phase. Failure modes and their descriptions for each step, as well as potential safeguards, were identified. The procedural HAZOP for the evacuation phase steps is a modification of work by Kennedy (1993). Safety barriers were re-organized into two types: prevention barriers and mitigation barriers. Prevention barriers are measures that reduce the probability of a human error occurring, while mitigation barriers reduce the consequence severity of a human error. Safety barriers were also organized in terms of the hierarchy of controls (Amyotte et al., 2007), which is useful for determining their reliability at a later stage.

2.4. Risk reduction

The next stage of the framework presented in Fig. 1 is the risk reduction stage. The overall risk of each EER step was determined by combining the HEPs and consequence severities in a risk matrix. A risk graph was then used to determine a minimum reliability that incorporated safety barriers should have for each step. The procedural HAZOP was used to identify potential prevention or mitigation barriers. These barriers were evaluated to determine if they can be assigned a mathematical reliability. Safety barriers must have a proven record in industry to be assigned a mathematical reliability. Finally, any identified prevention and mitigation barriers with an associated reliability were incorporated into a bow-tie model. The result was an overall picture of the risk, including the effects of safety barriers. The probability of failure on demand of the step is the combination of the HEP and mathematical reliability of any safety barriers that affect that step.

2.4.1. Risk graph

Many human reliability analysis (HRA) techniques have within them a basic risk reduction mechanism. However, validation studies (Kirwan, 1997) have suggested that a separate technique be used for the risk reduction stage. Often HRA techniques do not have comprehensive or user friendly risk reduction mechanisms. A second technique, the accidental risk assessment methodology for industries (ARAMIS; Anderson et al., 2004) is used in the current framework to identify risk reduction measures. ARAMIS uses a risk graph to determine the level of risk reduction required. This risk reduction is associated with the reliability of any barriers incorporated. Four factors are used to determine the required reliability of barriers:

• Consequence severity (C).
• Frequency of exposure to risk (F).
• Potential to avoid damage (D).
• Probability (P).

Consequence severity is determined from the consequence table, and human error probability is determined from HEART. The value F is either F1 (exposure to risk is less than 10% of operating time) or F2 (exposure to risk is more than 10% of operating time).

2.4.2. Bow-tie analysis

A bow-tie is a risk assessment method that uses a fault tree and an event tree centered on a common critical event. A fault tree identifies a critical event and its potential causes (failure modes). An event tree identifies a critical event and the pathway to potential consequences (Cameron and Raman, 2005). In the framework presented in Fig. 1, the critical event is the failure to complete an EER step. The probability of the critical event is the probability of failure on demand of the step. Failure modes for the fault tree are identified in the procedural HAZOP. Because there is no data for the probability of each failure mode occurring, safety barriers incorporated must have a risk reducing effect on all failure modes for that step.

2.4.3. Safety barriers

For a prevention or mitigation barrier to be incorporated into the bow-tie, it must meet certain minimum requirements as defined in the ARAMIS user guide (Anderson et al., 2004):

• Components of safety barriers must be independent from regulation systems (common failures of safety and regulation systems are not acceptable); this criterion is applicable in the case of two systems in place for the same function.
• Design of the barriers must be made in compliance with codes and standards, and design must be adapted to the characteristics of the substances and the environment.
• Barriers must be of a proven concept; i.e. the concept is well known (experienced). Otherwise, it may be necessary to perform on-site tests to determine the quality of the barrier.
• Barriers must be tested with a defined frequency. This frequency will be based on the experience of the operators or suppliers.
• Barriers must have a schedule of preventative maintenance.

These criteria are used to determine if a potential safety barrier is relevant in the system and can be assigned a level of confidence (LC). If a potential barrier exists but is not a proven concept, further testing can be done to determine a mathematical reliability for the barrier in question. This mathematical reliability is known as the design LC, or the reliability at the time of proper installation with a schedule of preventative maintenance. A safety audit of the facility in question must be performed to determine the fraction of the design LC that is applicable (Anderson et al., 2004). The safety audit concept in ARAMIS follows the principle that the safety culture at a facility has a significant impact on risk control.

3. Results

The results of the application of the framework for human error analysis as applied to the evacuation and rescue phase of offshore emergencies are presented as follows.

3.1. Task and scenario analysis

Fig. 2 shows the evacuation and rescue steps identified through hierarchical task analysis. Escape steps have been analyzed by DiMattia (2004) and Deacon et al. (2010). The escape phase is therefore not presented in the current work.

Evacuation scenarios are given in Table 1. The scenarios in Table 1 are used to determine evacuation step human error probabilities (HEPs). As visibility and sea conditions have a significant effect on individual performance during evacuation, the weather and time of day are specified for each scenario. The experience of the operator in question for each scenario is also specified.

3.2. Human error probability calculation

A survey was developed from HEART and sent to experienced individuals in the field of offshore safety. The solicitation exercise resulted in two complete surveys from which unique HEP data sets were evaluated. Each assessor was given the scenarios in Table 1 and asked to choose a qualitative GEP from a list for each evacuation step. Additionally, for each step, assessors were asked to identify between 0 and 3 EPCs that may affect an individual's performance. Finally, for each step and scenario, assessors rated the effect of each chosen EPC on the individual's performance, on a scale from 0 (no effect) to 10 (full effect). While individual assessors may choose different GEPs and EPCs for a given step, it remains possible that the resultant HEPs are similar.

HEART is designed for efficiency of resources, requiring only one expert judge to perform the analysis (Williams, 1992). The comparison of HEP data sets between assessors allows for an evaluation of the precision of HEART when performing risk assessments. Table 2 shows the HEP results from each assessor for the collision, gas release (GR) and fire and explosion (F&E) scenarios.

3.3. Consequence analysis

Table 3 shows the consequence category descriptions for the evacuation phase as adapted from DiMattia (2004). In order to reduce the consequence severity of a given step, measures must be introduced that will lower the severity of harm to the individuals in question.

The consequence table is shown in Table 4. Included are references to the investigations that provide the data for the consequence severity of each step, with relevant appendices and page numbers in parentheses.


1.0 Prepare to evacuate
    1.1 Check wind speed, direction and sea state
    1.2 Instruct personnel and maintain control
    1.3 Issue sea sickness tablets
2.0 Evacuate installation (do one of 2.1-2.5, priority in descending order)
    2.1 Evacuate via bridge link
    2.2 Evacuate via helicopter
        2.2.1 Move to helideck
        2.2.2 Establish communication with pilot
        2.2.3 Instruct personnel on boarding procedure
        2.2.4 Board helicopter
        2.2.5 Don flight suit, aviation life jacket and secure seatbelt
    2.3 Evacuate via TEMPSC (totally enclosed motor propelled survival craft)
        2.3.1 Ensure sea worthiness of TEMPSC
        2.3.2 Check compass heading/direction to steer craft
        2.3.3 Turn helm fully to clear installation on launch
        2.3.4 Ensure drop zone is clear
        2.3.5 Instruct personnel on boarding procedure
        2.3.6 Fasten seat belt
        2.3.7 Ensure everyone is secure
        2.3.8 Start air support system
        2.3.9 Close and secure all hatches
        2.3.10 Call command centre/launch master/other lifeboats to confirm launch sequence
        2.3.11 Release falls/confirm auto-release
        2.3.12 Launch TEMPSC
        2.3.13 Engage forward gear and full throttle
        2.3.14 Steer TEMPSC at vector from platform to rescue area
    2.4 Evacuate by life raft
        2.4.1 Move to life raft muster station
        2.4.2 Ensure seaworthiness of life raft
        2.4.3 Secure painter to a strong point
        2.4.4 Check for life raft instructions and number of personnel accommodated
        2.4.5 Launch life raft
        2.4.6 Board life raft
        2.4.7 Cut painter
        2.4.8 Paddle clear of danger
        2.4.9 Stream anchor
        2.4.10 Maintain sea worthiness of life raft
        2.4.11 Look for TEMPSC, FRC, other life raft or overboard survivors
        2.4.12 Attach painter to other life raft or tow craft
    2.5 Escape directly to sea
        2.5.1 Ensure survival suit properly sealed, lifejacket fastened
        2.5.2 Move to lowest nearby platform
        2.5.3 Assess direction of waves, danger and airborne contaminants
        2.5.4 Jump away from platform, feet first, avoiding platform legs
        2.5.5 Swim along side of platform
        2.5.6 Look for other overboard survivors and rescue opportunities
3.0 Initiate search and rescue (SAR)
    3.1 Appoint on-scene commander (OSC)
    3.2 Monitor and coordinate SAR
    3.3 Locate and rescue survivors
        3.3.1 Rescue by helicopter
        3.3.1 Rescue by stand-by vessel (SBV)
        3.3.2 Give medical attention

Fig. 2. Hierarchical task analysis (HTA) of evacuation and rescue steps.

Table 5 shows a procedural HAZOP analysis for one of the evacuation steps. A complete procedural HAZOP of the evacuation stage, as well as a risk reduction analysis for all relevant evacuation steps as presented in the next section, can be found in Deacon (2010).

Table 1
Evacuation scenarios.

| Detail | Evacuation scenario: Collision | Evacuation scenario: Gas release | Evacuation scenario: Fire and explosion |
|---|---|---|---|
| Situation | A jack-up rig collides with a fixed installation during approach; significant damage to platform leg | A hydrocarbon gas release | A fire and explosion |
| Operator in question | 15 years experience | 7 years experience | 6 months experience |
| Weather | Good weather, calm seas | Cold, wet weather | Winter storm |
| Time of day | Daylight hours | Daylight hours | Night time hours |

Table 2
Assessor HEP results.

| Evacuation step | Collision HEP, P1 (a) | Collision HEP, P2 (b) | GR HEP, P1 | GR HEP, P2 | F&E HEP, P1 | F&E HEP, P2 |
|---|---|---|---|---|---|---|
| 1.1 Check wind speed, direction and sea state | 0.444 | 0.039 | 0.444 | 0.039 | 0.444 | 0.180 |
| 1.2 Instruct personnel and maintain control | 1.000 | 1.000 | 1.000 | 1.000 | 1.000 | 1.000 |
| 1.3 Issue sea sickness tablets | 0.280 | 00.0 | 0.280 | 0.000 | 0.280 | 0.000 |
| 2.2.1 Move to helideck | 0.234 | 0.000 | 0.00 | 0.000 | 0.000 | 0.000 |
| 2.2.2 Establish communication with pilot | 0.392 | 0.013 | 0.770 | 0.027 | 1.000 | 0.051 |
| 2.2.3 Instruct personnel on boarding procedure | 1.000 | 0.000 | 1.000 | 0.000 | 1.000 | 0.000 |
| 2.2.4 Board helicopter | 0.020 | 0.0200 | 0.020 | 0.0200 | 0.020 | 0.000 |
| 2.2.5 Don flight suit, aviation life jacket and secure seatbelt | 0.784 | 0.003 | 0.784 | 0.003 | 0.784 | 0.003 |
| 2.3.1 Ensure sea-worthiness of TEMPSC | 1.000 | 0.003 | 1.000 | 0.003 | 1.000 | 0.003 |
| 2.3.2 Check compass heading/direction to steer craft | 0.168 | 0.270 | 0.276 | 0.342 | 0.438 | 0.450 |
| 2.3.3 Turn helm fully to clear installation on launch | 1.000 | 0.020 | 1.000 | 0.020 | 1.000 | 0.020 |
| 2.3.4 Ensure drop zone is clear | 1.000 | 0.000 | 1.000 | 0.000 | 1.000 | 0.000 |
| 2.3.5 Instruct personnel on boarding procedure | 1.000 | 0.000 | 1.000 | 0.000 | 1.000 | 0.000 |
| 2.3.6 Fasten seatbelt | 0.168 | 0.000 | 0.168 | 0.000 | 0.168 | 0.000 |
| 2.3.7 Ensure everyone is secure | 1.000 | 0.003 | 1.000 | 0.003 | 1.000 | 0.003 |
| 2.3.8 Start air support system | 1.000 | 0.020 | 1.000 | 0.020 | 1.000 | 0.020 |
| 2.3.9 Close and secure all hatches | 0.510 | 0.000 | 0.510 | 0.000 | 0.510 | 0.000 |
| 2.3.10 Call command center/launch master/other lifeboats to confirm launch sequence | 0.868 | 0.020 | 1.000 | 0.020 | 1.000 | 0.020 |
| 2.3.11 Release falls/confirm auto-release | 0.112 | 1.000 | 0.112 | 1.000 | 0.112 | 1.000 |
| 2.3.12 Launch TEMPSC | 0.160 | 1.000 | 0.160 | 1.000 | 0.160 | 1.000 |
| 2.3.13 Engage forward gear and full throttle | 0.320 | 0.020 | 0.320 | 0.020 | 0.320 | 0.020 |
| 2.3.14 Steer TEMPSC at vector from platform to rescue area | 0.180 | 0.260 | 0.180 | 0.260 | 0.180 | 0.780 |
| 2.4.1 Move to life raft muster station | 0.504 | 0.000 | 0.504 | 0.000 | 0.504 | 0.000 |
| 2.4.2 Ensure sea-worthiness of life raft | 1.000 | 0.000 | 1.000 | 0.000 | 1.000 | 0.000 |
| 2.4.3 Secure painter to strong point | 0.448 | 0.000 | 0.448 | 0.000 | 0.448 | 0.000 |
| 2.4.4 Check for life raft instructions and number of personnel accommodated | 0.308 | 0.020 | 0.308 | 0.020 | 0.308 | 0.020 |
| 2.4.5 Launch life raft | 0.020 | 0.0200 | 0.020 | 0.0200 | 0.020 | 0.000 |
| 2.4.6 Board life raft | 0.020 | 0.520 | 0.020 | 0.520 | 0.020 | 0.520 |
| 2.4.7 Cut painter | 0.336 | 0.00 | 0.336 | 0.00 | 0.336 | 0.000 |
| 2.4.8 Paddle clear of danger | 0.550 | 0.550 | 0.550 | 0.550 | 0.550 | 0.550 |
| 2.4.9 Stream anchor | 0.700 | 0.7000 | 0.700 | 0.7000 | 0.700 | 0.000 |
| 2.4.10 Maintain sea-worthiness of life raft | 0.352 | 0.020 | 0.352 | 0.020 | 0.352 | 0.020 |
| 2.4.11 Look for TEMPSC, FRC, other life raft or overboard survivors | 1.000 | 0.000 | 1.000 | 0.000 | 1.000 | 0.000 |
| 2.4.12 Attach painter to other life raft or tow craft | 0.198 | 0.020 | 0.198 | 0.020 | 0.198 | 0.020 |
| 2.5.1 Ensure survival suit properly sealed, lifejacket fastened | 0.280 | 0.003 | 0.280 | 0.003 | 0.280 | 0.003 |
| 2.5.2 Move to lowest nearby platform | 1.000 | 0.020 | 1.000 | 0.020 | 1.000 | 0.020 |
| 2.5.3 Assess direction of waves, danger and airborne contaminants | 1.000 | 0.003 | 1.000 | 0.003 | 1.000 | 0.003 |
| 2.5.4 Jump away from platform, feet first, avoiding platform legs | 0.052 | 0.090 | 0.052 | 0.090 | 0.052 | 0.090 |
| 2.5.5 Swim along side of platform | 1.000 | 0.260 | 1.000 | 0.260 | 1.000 | 0.260 |
| 2.5.6 Look for other overboard survivors and rescue opportunities | 0.560 | 0.260 | 0.560 | 0.260 | 0.560 | 0.260 |

(a) P1: Participant 1.
(b) P2: Participant 2.

3.4. Risk reduction

The risk matrix, shown in Fig. 3, is a tool that combines the probability of failure on demand and the consequence severity of a step to determine the tolerability of the risk. Tolerability criteria were embedded in the risk matrix to classify a step in one of three risk regions. The "broadly acceptable" region is a risk region where no further risk reduction measures are required. The "tolerable if as low as reasonably practicable" (ALARP) region follows the ALARP principle. If a risk is in this region and it has been shown through cost-benefit analysis that it is not practical to further reduce the risk, the risk is considered tolerable. If further measures can be introduced practically, then the risk should be reduced (DNV, 2001). Risks in the "intolerable" region must be reduced.

An example is step 2.3.14 of the evacuation phase, "steer TEMPSC at vector from platform to rescue area". This step identifies the importance of moving towards a designated rescue area. The HEP, or probability of failure on demand, for evacuation step 2.3.14 in a fire and explosion scenario is evaluated as 0.18 for one assessor and 0.78 for the other. From Table 4, the consequence severity for a human error during evacuation step 2.3.14 is 4. The risk from both HEP data sets is therefore in the intolerable region of Fig. 3 and must be reduced.

3.4.1. Risk graph

For the current study, all steps were considered to be category F1, assuming that emergency situations occur less than 10% of the facility's operating time. The potential to avoid damage depends on the particular step. If there is time to correct an error or achieve distance from the consequence, category D1 is used. Otherwise, category D2 is used.

Using these four factors and the risk graph shown in Fig. 4, the required reliability of safety barriers can be determined. This is a mathematical reliability known as the level of confidence. A reliability of 1 will reduce the risk by a factor of 10; a reliability of 2 will reduce the risk by a factor of 10^2 = 100, etc. The LC ranges from 1 to 4, or is identified as "a". An LC of "a" indicates that safety barriers should be introduced but are not required to have a mathematical reliability.

For example, evacuation step 2.3.14 for a fire and explosion scenario is in categories C4 and F1 of Fig. 4. It was determined there is not time to correct an error and avoid the consequence. Therefore category D2 is used. This leads to line X5 of the risk graph and, combined with a HEP of 0.18 or 0.78, depending on the data set consulted, leads to a total required LC of 3.

Fig. 5 is an example of a bow-tie using evacuation step 2.3.14, "steer TEMPSC at vector from platform to rescue area", for a fire and explosion scenario. The three failure modes for this step are shown on the left of Fig. 5. The probability of failure on demand of this step (the HEP) is 0.18 or 0.78, depending on the data set consulted. A safety barrier that would be effective in this case is a training barrier, with an LC of 1. It is noted that a training barrier can only be given a design LC if it meets the following conditions (Deacon, 2010):

• Drills including verbalization of weather and sea conditions.
• Drills including the completion and verbalization of every evacuation task in various scenarios, with personnel feedback.
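The following is an added worked example, not code from the paper, of the three-stage HEART calculation described in Section 2.2 and the level-of-confidence credit described in Section 3.4.1. It uses the standard HEART combination rule, which the paper describes only in words; the GEP, EPC multipliers and ratings in the demo are constructed inputs, and mapping the survey's 0 to 10 rating to a proportion as rating/10 is an assumption.

```python
"""HEART-style human error probability (HEP) with barrier credit (added example)."""
from math import prod


def epc_effect(max_effect: float, rating: int) -> float:
    """Assessed effect of one error producing condition (EPC).

    max_effect is the EPC's maximum multiplier on the error probability.
    rating is the survey score from 0 (no effect) to 10 (full effect);
    using rating/10 as the assessed proportion is an assumption.
    """
    if not 0 <= rating <= 10:
        raise ValueError("rating must be between 0 and 10")
    if max_effect < 1:
        raise ValueError("an EPC multiplier below 1 would lower the error probability")
    return (max_effect - 1.0) * (rating / 10.0) + 1.0


def heart_hep(gep: float, epcs: list[tuple[float, int]]) -> float:
    """HEP = GEP x product of assessed EPC effects, capped at 1.0.

    gep is the generic error probability under perfect conditions.
    epcs is a list of (max_effect, rating) pairs; the survey allowed 0 to 3.
    With no EPCs the HEP equals the GEP.
    """
    if not 0.0 <= gep <= 1.0:
        raise ValueError("GEP must be a probability")
    if len(epcs) > 3:
        raise ValueError("the survey allowed at most 3 EPCs per step")
    return min(1.0, gep * prod(epc_effect(m, r) for m, r in epcs))


def residual_pfd(hep: float, lc: int) -> float:
    """Probability of failure on demand after one barrier with level of confidence lc.

    An LC of n reduces the risk by a factor of 10**n; lc=0 means no credited barrier.
    """
    if not 0 <= lc <= 4:
        raise ValueError("LC ranges from 1 to 4 (0 = no credited barrier)")
    return hep * 10.0 ** (-lc)


def meets_required_lc(barrier_lc: int, required_lc: int) -> bool:
    """True when a single barrier's LC reaches the LC required by the risk graph."""
    return barrier_lc >= required_lc


if __name__ == "__main__":
    # Constructed inputs: GEP 0.02, one EPC with maximum effect x11 rated 5/10,
    # and one EPC with maximum effect x3 rated 10/10.
    hep = heart_hep(0.02, [(11, 5), (3, 10)])
    print(f"constructed step HEP: {hep:.3f}")

    # Values quoted in the paper for step 2.3.14, fire and explosion scenario:
    # HEP 0.18 or 0.78, training barrier LC 1, required LC 3.
    for assessor_hep in (0.18, 0.78):
        print(f"HEP {assessor_hep}: PFD with LC 1 barrier = "
              f"{residual_pfd(assessor_hep, 1):.3f}")
    print("training barrier alone meets required LC 3:", meets_required_lc(1, 3))
```
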

Table 3
Consequence severities for evacuation steps.

| Evacuation step | Severity |
|---|---|
| 1.1 Check wind speed, direction and sea state | 2 |
| 1.2 Instruct personnel and maintain control | 4 |
| 1.3 Issue sea sickness tablets | 2 |
| 2.2.1 Move to helideck | 2 |
| 2.2.2 Establish communication with pilot | 2 |
| 2.2.3 Instruct personnel on boarding procedure | 2 |
| 2.2.4 Board helicopter | 2 |
| 2.2.5 Don flight suit, aviation life jacket and secure seatbelt | 1 |
| 2.3.1 Ensure sea worthiness of TEMPSC | 4 |
| 2.3.2 Check compass heading/direction to steer craft | 2 |
| 2.3.3 Turn helm fully to clear installation on launch | 2 |
| 2.3.4 Ensure drop zone is clear | 4 |
| 2.3.5 Instruct personnel on boarding procedure | 2 |
| 2.3.6 Fasten seat belt | 2 |
| 2.3.7 Ensure everyone is secure | 2 |
| 2.3.8 Start air support system | 3 |
| 2.3.9 Close and secure all hatches | 4 |
| 2.3.10 Call command center/launch master/other lifeboats to confirm launch sequence | 4 |
| 2.3.11 Release falls/confirm auto-release | 4 |
| 2.3.12 Launch TEMPSC | 4 |
| 2.3.13 Engage forward gear and full throttle | 4 |
| 2.3.14 Steer TEMPSC at vector from platform to rescue area | 4 |
| 2.4.1 Move to life raft muster station | 2 |
| 2.4.2 Ensure seaworthiness of life raft | 4 |
| 2.4.3 Secure painter to a strong point | 4 |
| 2.4.4 Check for life raft instructions and number of personnel accommodated | 2 |
| 2.4.5 Launch life raft | 4 |
| 2.4.6 Board life raft | 4 |
| 2.4.7 Cut painter | 4 |
| 2.4.8 Paddle clear of danger | 4 |
| 2.4.9 Stream anchor | 4 |
| 2.4.10 Maintain sea worthiness of life raft | 4 |
| 2.4.11 Look for TEMPSC, FRC, other life raft or overboard survivors | 4 |
| 2.4.12 Attach painter to other life raft or tow craft | 4 |
| 2.5.1 Ensure survival suit properly sealed, lifejacket fastened | 2 |
| 2.5.2 Move to lowest nearby platform | 4 |
| 2.5.3 Assess direction of waves, danger and airborne contaminants | 2 |
| 2.5.4 Jump away from platform, feet first, avoiding platform legs | 3 |
| 2.5.5 Swim along side of platform | 4 |
| 2.5.6 Look for other overboard survivors and rescue opportunities | 4 |

Reference column, sources cited across the steps: Kennedy (1993) (Appendix B; p. 30); US Coast Guard (1983) (pp. 62–63, 67, 124, 133, 134, 149); Vinnem (2007) (pp. 83, 84, 94); Robertson and Wright (1997) (pp. 13, 14, 18); Moan et al. (1981) (pp. 143, 162).

Table 4
Procedural HAZOP for evacuation step 2.3.4 (ensure drop zone is clear).

| Failure mode | Description |
|---|---|
| Check omitted | Coxswain omits or forgets to check for debris in the water |
| Check mistimed | Coxswain makes check too early or too late, leaving time for debris to float over or forcing the boat to be committed to the launch |

Consequences:
• Delayed evacuation
• Capsize of/hole in boat
• Injury/death

Prevention barriers:
Active engineered
• Lights to illuminate drop zone during low visibility
Procedural
• Warning prompt at helm of TEMPSC
• Training/drills that require verbalizing state of drop zone and delaying or aborting launch

Mitigation barriers:
Passive engineered
• Boats constructed to withstand severe impacts and absorb shock

• Written prompts and instructions at all evacuation stations.
• Drills with measurement equipment (compass heading, etc.).
• Personnel in command (coxswain, OIM, etc.) identified by different colored suits.
• High stress training for coping while maintaining command.
• Behavioral testing to determine panic potential.
• Personnel in command equipped with checklist of orders to issue.
• Personnel equipped with card on boarding procedure of all evacuation vessels.
• Boarding procedure written and illustrated at all evacuation stations.
• Training for coxswains to correctly orient TEMPSC under minimal visibility.
• Prompts inside vessels to fasten seatbelt, await instructions.
• Drills that complete certain tasks out of order (e.g. starting air support system before ensuring everyone secure) to show consequences.
• Personnel provided with two-way radios.

• Photo-luminescent pathways.
• Personnel supplied with evacuation checklist and evacuation route maps.

The revised probability of failure on demand is now $\mathrm{HEP} \times 10^{-\mathrm{LC}} = \mathrm{HEP} \times 0.1 = 0.018$ or $0.078$. The new HEP/consequence severity combination is still in the intolerable region of the risk matrix. A possible mitigation measure, should an error occur, is a mechanical GPS unit on each TEMPSC. A GPS unit would allow rescue personnel to track and locate the TEMPSC should it not arrive at the designated rescue area. With an LC of 1, the revised potential for a fatality is $0.1 \times \mathrm{HEP} \times 0.1 = \mathrm{HEP} \times 10^{-2} = 0.002$ or $0.008$. Even should the GPS locator be successful, the potential exists for a severe injury (i.e. consequence severity 3 should GPS unit be successful). The risk is evaluated as $0.1 \times \mathrm{HEP} \times (1 - 0.1) = 0.09 \times \mathrm{HEP} = 0.016$ or $0.07$ for consequence severity 3. The risk graph has identified a required LC of 3; therefore additional safety measures should be incorporated.

Fig. 3. Risk matrix.

Fig. 4. Risk graph (adapted from ARAMIS; Anderson et al., 2004).

Fig. 5. Bow-tie graph for Step 2.3.14, Steer TEMPSC at vector from platform to rescue area.

4. Discussion

A risk assessment was undertaken for the evacuation phase of the EER process. Three scenarios were evaluated for each phase to encompass the full range of risk. For risk reduction, only one scenario was analyzed for each phase of EER. The highest severity risk scenario for a given step was analyzed. Bringing the risk to a tolerable level for the highest severity scenario will have the same effect on the lower severity scenarios.

It is noted that a training and procedures safety barrier is important for all steps. For some steps, it may be the only barrier with an associated LC. However, as this is the least reliable barrier in terms of the hierarchy of controls, efforts should be undertaken to determine an LC for potential barriers identified in the procedural HAZOP.

The evaluated HEPs for several evacuation steps were adequately similar and had identical risk reduction requirements from the risk matrix and risk graph. However, HEP data conflicted between assessors for several evacuation steps. Little conclusion can be drawn from the HEP results alone. It can be seen that HEPs differ between assessors for several steps, and that they are similar for others. More detailed conclusions require the combination of the evaluated HEPs with consequence severities to determine the overall tolerability of risk and the required level of risk reduction necessary for each step.

Combined with the results of the consequence table, the difference in HEPs led to differing requirements for risk reduction in the risk graph. One assessor's results led to a higher LC requirement than the other's. This discrepancy can lead to a less efficient allocation of risk reduction resources.
Management may put fewer resources than necessary to reduce the risk of one step, put excessive resources into reducing the risk of an adequately controlled step, or both. Calibration of HEART with known human error data on evacuations may reduce the inconsistencies between assessors. Greater accuracy in HEP assessment will increase the efficiency of risk reduction efforts.

Steps were assumed independent from one another in this study and the overall time taken to achieve the goal of evacuation was not analyzed. The time taken to evacuate a platform can be a critical factor depending on the structural stability (Moan et al., 1981). It would be beneficial in future work to perform a dependency analysis.

It is important to note that a facility safety audit was not performed to adjust the design LC values in the current work. No facility was available for a safety audit for the current work. Nevertheless, it is crucial that in practical risk assessments using ARAMIS a safety audit is performed.

While the scenarios studied in this undertaking are from the perspective of an offshore environment, this framework can be applied to various fields in industry. Onshore oil operations, nuclear power plants and chemical process facilities all have the potential for emergencies requiring site evacuation. While evacuation itself may simply involve running to achieve a safe distance from the emergency, escape from the facility and rescue operations are more complex. The presented framework provides a means to evaluate and reduce the risk for these industries as well.
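The risk reduction arithmetic worked through for evacuation step 2.3.14 (training barrier on the prevention side, GPS unit on the mitigation side) can be reproduced for both assessors' HEPs with the sketch below. It is an added example, not code from the paper; the names `Barrier`, `propagate` and `lc_shortfall` are hypothetical, and comparing the required LC with the sum of the barrier LCs on the branch is an assumption about how the bow-tie is scored.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Barrier:
    """Safety barrier with a level of confidence (LC); hypothetical helper type."""
    name: str
    lc: int

    def __post_init__(self):
        if self.lc < 1:
            raise ValueError("a barrier needs LC >= 1 to be credited")

    @property
    def pfd(self) -> float:
        # An LC of n reduces the risk by a factor of 10**n.
        return 10.0 ** -self.lc


def propagate(hep, prevention, mitigation):
    """Carry a step's HEP through the bow-tie: prevention side, then mitigation."""
    if not 0.0 <= hep <= 1.0:
        raise ValueError("HEP must be a probability")
    residual = hep
    for barrier in prevention:  # the error survives only if every barrier fails
        residual *= barrier.pfd
    return {
        "after_prevention": residual,
        "mitigation_fails": residual * mitigation.pfd,          # fatality branch
        "mitigation_works": residual * (1.0 - mitigation.pfd),  # severity 3 branch
    }


def lc_shortfall(required_lc, barriers):
    """Assumption: barrier LCs add up along one branch of the bow-tie."""
    return max(0, required_lc - sum(b.lc for b in barriers))


TRAINING = Barrier("training and drills", 1)
GPS = Barrier("GPS unit on each TEMPSC", 1)

if __name__ == "__main__":
    for hep in (0.18, 0.78):  # the two assessors' HEPs for step 2.3.14
        result = propagate(hep, [TRAINING], GPS)
        print(hep, {k: round(v, 4) for k, v in result.items()})
    print("LC still to be found:", lc_shortfall(3, [TRAINING, GPS]))
```

The unrounded results (0.0018 and 0.0078 for the fatality branch, 0.0162 and 0.0702 for the severity 3 branch) match the rounded figures quoted in Section 3.4.1.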

5. Conclusion and recommendations

The current work presents a framework for human reliability analysis of offshore emergency situations that can supplement a QRA. Dependency between steps and overall process time were not evaluated in this work. The overall time to achieve the main goals of escape, evacuate and rescue, as well as the effect of failure of one step on later steps should be evaluated as a further study. These two factors may have a significant effect on the EER process. Furthermore, efforts should be made to obtain empirical HEP data for offshore evacuations. Empirical data for several evacuation steps may provide a means of calibrating expert judgment techniques to evaluate all steps. Finally, efforts should be made to ensure that more of the potential safety barriers identified in the procedural HAZOP meet the ARAMIS requirements and are incorporated into bow-tie analysis.

Acknowledgments

The authors gratefully acknowledge the financial support of Petroleum Research Atlantic Canada (PRAC), the Nova Scotia Department of Energy and Pengrowth.

References

Amyotte, P., Goraya, A., Hendershot, D., Khan, F., 2007. Incorporation of inherent safety principles in process safety management. Process Safety Progress 26.
Anderson, H., Casal, J., Dandrieux, A., Debray, B., Dianous, V., Duijm, N., Delvosalle, C., Fievez, C., Goossens, L., Gowland, R., Hale, A., Hourtolou, D., Mazzarotta, B., Pipart, A., Planas, E., Prats, F., Salvi, O., Tixier, J., 2004. ARAMIS User Guide (The European Commission Community Research).
Cameron, I., Raman, R., 2005. Process Systems Risk Management, vol. 6. Elsevier Academic Press, San Diego, CA.
Deacon, T., Amyotte, P., Khan, F., 2010. Human error risk analysis in offshore emergencies. Safety Science 48.
Deacon, T., Amyotte, P., Khan, F., MacKinnon, S., 2010. A framework for human error analysis of emergency situations. In: Proceedings of the 6th Global Congress on Process Safety, San Antonio, Texas, 22–24 March. AIChE.
Deacon, T., 2010. Human Error Risk Analysis and Reduction for Offshore Emergency Situations. MASc Thesis, Dalhousie University.
DiMattia, D., 2004. Human Error Probability Index for Offshore Platform Musters. PhD Thesis, Dalhousie University.
DNV, 2002. Marine Risk Assessment. Report OTO 2001 063, UK Health and Safety Executive.
Gadd, S., Keeley, D., Balmforth, M., 2004. Pitfalls in risk assessment: examples from the UK. Safety Science 42.
Gurpreet, B., Kirwan, B., 1998. Collection of offshore human error probability data. Reliability Engineering and System Safety 61.
Kennedy, B., 1993. A Human Factors Analysis of Evacuation, Escape and Rescue from Offshore Installations. Report OTO 93 004, UK Health and Safety Executive.
Kirwan, B., 1997. The validation of three human reliability quantification techniques – THERP, HEART and JHEDI: Part III – practical aspects of the usage of the techniques. Applied Ergonomics 28.
Moan, T., Næsheim, T., Uveraas, S., Bekkvik, P., Kloster, A., 1981. The Alexander L. Kielland Accident. Report NOU 1981:11, Norwegian Public Reports.
Robertson, D.H., Wright, M.J., 1997. Ocean Odyssey Emergency Evacuation: Analysis of Survivor Experiences. Report OTO 96 009, UK Health and Safety Executive.
US Coast Guard, 1983. Marine Casualty Report Mobile Offshore Unit (MODU) OCEAN RANGER. Report USCG 0001 HQS 82, US Coast Guard.
Vinnem, Jan E., 2007. Offshore Risk Assessment, 2nd ed. Kluwer Academic Publishers, The Netherlands, pp. 77–116.
Williams, J.C., 1992. Toward an improved evaluation tool for users of HEART. In: Proceedings of the International Conference on Hazard Identification, Risk Analysis, Human Factors and Human Reliability in Process Safety, Orlando, Florida, 15–17 January. AIChE-CCPS, New York.
