Safety Science 51 (2013) 319–327

Contents lists available at SciVerse ScienceDirect

Safety Science
journal homepage: www.elsevier.com/locate/ssci

A framework for human error analysis of offshore evacuations

T. Deacon a,⇑, P.R. Amyotte a, F.I. Khan b, S. MacKinnon b
a
Department of Process Engineering & Applied Science, Dalhousie University, Halifax, NS, Canada
b
Faculty of Engineering & Applied Science, Memorial University, St. John’s, NL, Canada

a r t i c l e i n f o a b s t r a c t

Article history: A framework is presented to identify and evaluate the risks of human error for critical steps in the escape,
Received 27 August 2010 evacuation and rescue (EER) process on offshore installations. A combination of expert judgment tech-
Received in revised form 16 May 2012 niques and major incident investigations from industry were used to evaluate the risk for the evacuation
Accepted 29 July 2012
stage. Risk reduction is also included in this framework via a separate risk assessment technique. Depen-
Available online 5 September 2012
dency and overall time to complete the EER process were not analyzed in this work. Further research
should be focused on some of the potential safety barriers identified in the framework so that they
Keywords:
may be effectively incorporated in the risk reduction stage.
Human factors
Offshore emergencies
Ó 2012 Elsevier Ltd. All rights reserved.
Risk analysis

1. Introduction
Human beings make errors. When these errors are made in one
of the world’s harshest work environments, the consequences can
be devastating. The risk of human error can be significantly low-
ered, but only by acting on the belief that human errors are rooted
in the science of human factors. Essentially, this means that we
must design our workplaces and their attendant procedures with
the actions of human beings foremost in our minds. This require-
ment is arguably at its most critical level during emergency situa-
tions when the potential for human error and the severity of the
possible consequences are at their greatest.
The research reported here is aimed at enhancing the safety of
offshore oil and gas operations in Atlantic Canada and eventually
worldwide. The scope of the research is emergency scenarios
which necessitate taking action to ensure successful personnel
evacuation, survival and rescue in response to various initiating
events. This is part of the three phases of the emergency escape,
evacuation and rescue (EER) process. While certain events may
only require escape, or egress to a muster station, the scope of
Abbreviations: ALARP, as low as reasonably practicable; ARAMIS, Accidental risk
assessment methodology for industries; EER, escape, evacuation and rescue; EPC,
error producing condition; FRC, Fast-Rescue Craft; GEP, generic error probability;
HAZOP, hazard and operability study; HEART, human error assessment and
reduction technique; HEP, human error probability; HRA, human reliability
analysis; HTA, hierarchical task analysis; LC, level of confidence; OIM, offshore
installation manager; OSC, on-scene commander; POB, personnel on board; QRA,
quantitative risk assessment; SAR, search and rescue; SBV, stand-by vessel; SLIM,
success likelihood index methodology; TEMPSC, totally enclosed motor-propelled
survival craft; TSR, temporary safe refuge.
⇑ Corresponding author.
E-mail address: tdeacon@dal.ca (T. Deacon).
the current work is limited to initiating events that lead to evacu-
ation from the facility. The focal point of the research is the quan-
titative determination of the risk of human error during these
emergency actions, as well as the reduction of the risk through
introduction of safety measures. Previous research has resulted
in a quantitative framework for the escape phase for initiators that
require escape, or egress (DiMattia, 2004; Deacon et al., 2010). The
current work presents an analysis of the evacuation phase with an
introduction to the rescue phase. The evacuation and rescue anal-
ysis is partially presented in Deacon et al. (2010a). The end-result
of the research is an engineering tool designed to employ expert
judgment and human reliability data in making objective decisions
from a human factor perspective. A list of the steps that personnel
must complete during the evacuation and rescue phases has been
developed. The probabilities of human error for each of the steps
for the evacuation phase have been evaluated. Also, an analysis
of the consequences of human error during the evacuation phase
has been developed to show failure modes, potential consequences
and their severities and a hierarchical view of useful safety mea-
sures. The introduction of the hierarchy of controls was aimed at
improving the focus of risk assessment and reduction on offshore
facilities, as recommended by Gurpreet and Kirwan (1998).
The fundamental knowledge gap addressed by the current work
lies in the field of human error assessment, which is a recognized
component of modern safety management systems as explained
by Amyotte et al. (2007). Human error assessment has become
increasingly important in industry and is a growing area of concern
for the public and for regulators. Quantification of human error is
therefore an essential although challenging undertaking. What is
required is a scientifically rigorous method of determining proba-
bility data for human error, such that objectivity is brought to an
otherwise potentially subjective process (Amyotte et al., 2007).

0925-7535/$ - see front matter Ó 2012 Elsevier Ltd. All rights reserved.
http://dx.doi.org/10.1016/j.ssci.2012.07.005
320 T. Deacon et al. / Safety Science 51 (2013) 319–327
Deacon (2010) has reviewed several methods for estimating hu-
man error probabilities including the success likelihood index
methodology (SLIM), technique for human error rate prediction
(THERP), and human error assessment and reduction technique
(HEART). These expert judgement techniques remain relevant be-
cause of a lack of empirical data on human error; HEART was se-
lected as an appropriate method in the current work for reasons
given in the following section on methodology.
The escape phase of EER, evaluated in Deacon et al. (2010), is
defined as the time of the initiating event (collision, man over-
board, hydrocarbon release, severe list, etc.) to the time of registra-
tion at the muster station, or temporary safe refuge (TSR). The
evacuation phase, evaluated in the current work, begins upon deci-
sion of the offshore installation manager (OIM) to evacuate, or
upon any individual decision to evacuate the platform. It ends
when the individual in question achieves reasonable distance from
the platform. The rescue phase is identified as the period of retrie-
val of individuals from the installation, evacuation equipment or
the sea. It is helpful to note that these phases can experience an
overlap. For example, rescue operations may retrieve individuals
from a sea evacuation before they have had a chance to achieve a
reasonable distance from the installation.
The tasks involved in the risk assessment and reduction meth-
odology described herein are as follows:
1. Task analysis.
2. Scenario identification.
3. Human error probability calculation.
4. Consequence severity evaluation.
5. Procedural hazard and operability study (HAZOP) of steps.
6. Determination of tolerability of risk via risk matrix.
7. Evaluation of required reliability via risk graph.
8. Selection and evaluation of safety barriers.
9. Bow-tie analysis.
The tasks are shown as a flowchart in Fig. 1.
2. Methodology
This section provides a description of the research methods
used to develop the risk assessment framework illustrated in
Fig. 1. Best-practice and best-available scientific methods were
employed to assess the risk of human error. Noting that risk is of
course composed of likelihood of occurrence and severity of conse-
quences, this means that appropriate methodologies were required
for both risk components. In the current work, the research meth-
ods included the human error assessment and reduction technique
(HEART) to estimate likelihood of occurrence, and the use of histor-
ical data to estimate consequence severity. Additional concepts
employed were hazard and operability (HAZOP) studies, a risk ma-
trix, the as low as reasonably practicable (ALARP) principle, the
accidental risk assessment methodology for industries (ARAMIS)
technique, and bow-tie analysis incorporating both fault and event
trees as well as prevention and mitigation barriers. The tasks out-
lined in Fig. 1 are explained further.
2.1. Task and scenario analysis
The first task of the framework is to break the main goal into the
more detailed steps required to achieve this goal. The second task
is to identify a range of emergency situations and choose reference
scenarios that encompass this range.
2.1.1. Task analysis
Task analysis is the identification of the steps that personnel on
board (POB) must complete during an emergency. This was done
through hierarchical task analysis (HTA). In HTA, the main goals
are identified and broken down into smaller steps. In the current
work, the main goals were:
 Escape danger (escape or muster phase).
 Evacuate installation (evacuation phase, focal point of current
work).
 Rescue POB (rescue phase).
These phases were further divided into steps that can be evalu-
ated from a human performance perspective. The steps give great-
er detail about the main goals and can be evaluated in terms of risk.
The probability of human error and plausible consequences can be
identified for each step. Safety measures, herein referred to as
safety barriers, that reduce the risk for individual steps can also
be identified. The probability of human error, combined with the
probability of failure on demand for the individual safety barriers,
is the probability of failure on demand for a specific step.
2.1.2. Scenario identification
Once the emergency steps are identified, a set of emergency
scenarios representing a wide range of plausible situations must
be defined. These scenarios include information on error producing
conditions (EPCs). EPCs are factors that influence the probability of
human error for any given step. Examples include operator experi-
ence, noise level, time of day and individual stress level.
2.2. Human error probability calculation
The most accurate method to determine HEPs is to identify the
number of times a failure has occurred while performing the EER
step in question and divide it by the total number of times the step
has been performed. Unfortunately data does not exist to this ex-
tent. HEPs are therefore often determined using expert judgment
techniques. Evacuation HEPs are discussed. Rescue phase HEPs
are not explored in the current work.
Evacuation HEPs were evaluated using the human error assess-
ment and reduction technique (HEART). HEART is an expert judg-
ment technique that relies on the knowledge and experience of
the assessor in relation to evaluated actions. It is designed to be
used on an individual basis to determine HEPs (Williams, 1992).
The single-assessor approach to HEART offers an efficiency of re-
sources in comparison to other widely used techniques. Expert
judgment in HEART occurs across three stages. The generic error
probability (GEP) of a step is determined. This is the probability
that a human error will occur given ‘perfect’ conditions (i.e. no
influence of EPCs), or the basic error probability inherent to the
step in question. Eight qualitative descriptions of basic actions
are each associated with a quantitative GEP value. The assessor
chooses which of these basic actions the step in question falls un-
der in order to identify the GEP value. Second, relevant EPCs are
chosen from a list of 17 possible EPCs in HEART. These are internal
and external factors that may increase the probability of error
(stress, noise level, experience, etc.) for the step in question. These
EPCs have an associated maximum effect on the probability of er-
ror. Finally, the percentage of the maximum effect of the EPC is
chosen. This is the weight that the EPC will have on the step, based
on the identified scenario. The latter two stages combine to deter-
mine the overall effect of the EPCs on the GEP. The potential exists
for different assessors to choose different paths in the use of the
technique, however Kirwan (1997) notes that different paths can
ultimately lead to similar HEP values for a given action. The inclu-
sion of EPCs allows for risk assessment of a specific work site and
situation. The use of generic data is a common pitfall in risk assess-
ment. If a generic risk assessment is performed, efforts must be
made to ensure that the assessment encompasses all hazards of
 T. Deacon et al. / Safety Science 51 (2013) 319–327
Fig. 1. Flowchart of risk assessment framework (HEP – human error probability; ALARP – as low as reasonably practicable; LC – level of confidence).
each site and job of the facility. Also, generic assessments must be
validated (Gadd et al., 2004). While generic assessments can be
used as a preliminary study of risk, the framework presented in
Fig. 1 is designed to be site-specific.
2.3. Consequence analysis
Risk is a function of the probability of failure on demand and the
consequences of failure. Along with the HEPs for each step, the
consequences of human error must be identified by their level of
severity. Two types of analysis are presented: a consequence anal-
ysis, for use with HEPs to determine tolerability of risk, and a pro-
cedural HAZOP to determine how errors may occur and to aid in
choosing proper risk reduction measures.
2.3.1. Consequence severity evaluation
The lack of human error data on offshore emergency drills pre-
vents a quantitative consequence analysis. Investigation reports
from major incidents provided the data for consequence analysis
in the current work. A study released by the UK Health and Safety
Executive (Kennedy, 1993) also provided consequence data. In the
evacuation phase, distance has been achieved between the EER ini-
tiator and personnel, making the immediate danger the sea itself.
Thus, consequence severities are identical for each evacuation sce-
nario. Consequences are evaluated on a severity level from 1 to 4,
with 1 indicating the lowest and 4 indicating the highest severity.
321
2.3.2. Procedural HAZOP of steps
A validation exercise was performed by Kirwan (1997) using
HEART to assess the HEPs for 10 tasks. It was determined that dif-
ferent expert judges can arrive at similar HEPs using different GEP/
EPC combinations. This observation shows that while the overall
HEP is determined, the HEP assessment itself does not provide en-
ough information for a fault tree (Kirwan, 1997). A procedural haz-
ard and operability study (HAZOP) is required to ensure that all
failure modes for each step are identified. A procedural HAZOP
was performed for each phase. Failure modes and their descrip-
tions for each step, as well as potential safeguards, were identified.
The procedural HAZOP for the evacuation phase steps is a modifi-
cation of work by Kennedy (1993). Safety barriers were re-orga-
nized into two types: prevention barriers and mitigation barriers.
Prevention barriers are measures that reduce the probability of a
human error occurring, while mitigation barriers reduce the conse-
quence severity of a human error. Safety barriers were also orga-
nized in terms of the hierarchy of controls (Amyotte et al., 2007),
which is useful for determining their reliability at a later stage.
2.4. Risk reduction
The next stage of the framework presented in Fig. 1 is the risk
reduction stage. The overall risk of each EER step was determined
by combining the HEPs and consequence severities in a risk matrix.
A risk graph was then used to determine a minimum reliability
322 T. Deacon et al. / Safety Science 51 (2013) 319–327
that incorporated safety barriers should have for each step. The
procedural HAZOP was used to identify potential prevention or
mitigation barriers. These barriers were evaluated to determine if
they can be assigned a mathematical reliability. Safety barriers
must have a proven record in industry to be assigned a mathemat-
ical reliability. Finally, any identified prevention and mitigation
barriers with an associated reliability were incorporated into a
bow-tie model. The result was an overall picture of the risk, includ-
ing the effects of safety barriers. The probability of failure on de-
mand of the step is the combination of the HEP and
mathematical reliability of any safety barriers that affect that step.
2.4.1. Risk graph
Many human reliability analysis (HRA) techniques have within
them a basic risk reduction mechanism. However, validation stud-
ies (Kirwan, 1997) have suggested that a separate technique be
used for the risk reduction stage. Often HRA techniques do not
have comprehensive or user friendly risk reduction mechanisms.
A second technique, the accidental risk assessment methodology
for industries (ARAMIS; Anderson et al., 2004) is used in the cur-
rent framework to identify risk reduction measures.
ARAMIS uses a risk graph to determine the level of risk reduc-
tion required. This risk reduction is associated with the reliability
of any barriers incorporated. Four factors are used to determine
the required reliability of barriers:
 Consequence severity (C).
 Frequency of exposure to risk (F).
 Potential to avoid damage (D).
 Probability (P).
Consequence severity is determined from the consequence ta-
ble, and human error probability is determined from HEART. The
value F is either F1 (exposure to risk is less than 10% of operating
time) or F2 (exposure to risk is more than 10% of operating time).
2.4.2. Bow-tie analysis
A bow-tie is a risk assessment method that uses a fault tree and
an event tree centered on a common critical event. A fault tree
identifies a critical event and its potential causes (failure modes).
An event tree identifies a critical event and the pathway to poten-
tial consequences (Cameron and Raman, 2005). In the framework
presented in Fig. 1, the critical event is the failure to complete an
EER step. The probability of the critical event is the probability of
failure on demand of the step. Failure modes for the fault tree
are identified in the procedural HAZOP. Because there is no data
for the probability of each failure mode occurring, safety barriers
incorporated must have a risk reducing effect on all failure modes
for that step.
2.4.3. Safety barriers
For a prevention or mitigation barrier to be incorporated into
the bow-tie, it must meet certain minimum requirements as de-
fined in the ARAMIS user guide (Anderson et al., 2004):
 Components of safety barriers must be independent from regu-
lation systems (common failures of safety and regulation sys-
tems are not acceptable); this criterion is applicable in the
case of two systems in place for the same function.
 Design of the barriers must be made in compliance with codes
and standards, and design must be adapted to the characteris-
tics of the substances and the environment.
 Barriers must be of a ‘‘proven’’ concept; i.e. the concept is well
known (experienced). Otherwise, it may be necessary to per-
form on-site tests to determine the quality of the barrier.
 Barriers must be tested with a defined frequency. This frequency
will be based on the experience of the operators or suppliers.
 Barriers must have a schedule of preventative maintenance.
These criteria are used to determine if a potential safety barrier
is relevant in the system and can be assigned a level of confidence
(LC). If a potential barrier exists but is not a proven concept, further
testing can be done to determine a mathematical reliability for the
barrier in question. This mathematical reliability is known as the
‘design LC’, or the reliability at the time of proper installation with
a schedule of preventative maintenance. A safety audit of the facil-
ity in question must be performed to determine the fraction of the
design LC that is applicable (Anderson et al., 2004). The safety audit
concept in ARAMIS follows the principle that the safety culture at a
facility has a significant impact on risk control.
3. Results
The results of the application of the framework for human error
analysis as applied to the evacuation and rescue phase of offshore
emergencies are presented as follows.
3.1. Task and scenario analysis
Fig. 2 shows the evacuation and rescue steps identified through
hierarchical task analysis. Escape steps have been analyzed by
DiMattia (2004) and Deacon et al. (2010). The escape phase is
therefore not presented in the current work.
Evacuation scenarios are given in Table 1. The scenarios in Ta-
ble 1 are used to determine evacuation step human error probabil-
ities (HEPs). As visibility and sea conditions have a significant
effect on individual performance during evacuation, the weather
and time of day are specified for each scenario. The experience of
the operator in question for each scenario is also specified.
3.2. Human error probability calculation
A survey was developed from HEART and sent to experienced
individuals in the field of offshore safety. The solicitation exercise
resulted in two complete surveys from which unique HEP data sets
were evaluated. Each assessor was given the scenarios in Table 1
and asked to choose a qualitative GEP from a list for each evacua-
tion step. Additionally, for each step, assessors were asked to iden-
tify between 0 and 3 EPCs that may affect an individual’s
performance. Finally, for each step and scenario, assessors rated
the effect of each chosen EPC on the individual’s performance, on
a scale from 0 (no effect) to 10 (full effect). While individual asses-
sors may choose different GEPs and EPCs for a given step, it re-
mains possible that the resultant HEPs are similar.
HEART is designed for efficiency of resources, requiring only one
expert judge to perform the analysis (Williams, 1992). The compar-
ison of HEP data sets between assessors allows for an evaluation of
the precision of HEART when performing risk assessments.
Table 2 shows the HEP results from each assessor for the colli-
sion, gas release (GR) and fire and explosion (F&E) scenarios.
3.3. Consequence analysis
Table 3 shows the consequence category descriptions for the
evacuation phase as adapted from DiMattia (2004).
In order to reduce the consequence severity of a given step,
measures must be introduced that will lower the severity of harm
to the individuals in question. The consequence table is shown in
Table 4. Included are references to the investigations that provide
the data for the consequence severity of each step, with relevant
appendices and page numbers in parenthesis.
 T. Deacon et al. / Safety Science 51 (2013) 319–327 323

1.0 Prepare to evacuate

1.1 Check wind speed, direction and sea state
1.2 Instruct personnel and maintain control
1.3 Issue sea sickness tablets
2.0 Evacuate installation – do one of 2.1-2.5, priority in descending order
2.1 Evacuate via bridge link
2.2 Evacuate via helicopter
2.2.1 Move to helideck
2.2.2 Establish communication with pilot
2.2.3 Instruct personnel on boarding procedure
2.2.4 Board helicopter
2.2.5 Don flight suit, aviation life jacket and secure seatbelt
2.3 Evacuate via TEMPSC (totally enclosed motor propelled survival craft)
2.3.1 Ensure sea worthiness of TEMPSC
2.3.2 Check compass heading/direction to steer craft
2.3.3 Turn helm fully to clear installation on launch
2.3.4 Ensure drop zone is clear
2.3.5 Instruct personnel on boarding procedure
2.3.6 Fasten seat belt
2.3.7 Ensure everyone is secure
2.3.8 Start air support system
2.3.9 Close and secure all hatches
2.3.10 Call command centre/launch master/other lifeboats to confirm launch sequence
2.3.11 Release falls/confirm auto-release
2.3.12 Launch TEMPSC
2.3.13 Engage forward gear and full throttle
2.3.14 Steer TEMPSC at vector from platform to rescue area
2.4 Evacuate by life raft
2.4.1 Move to life raft muster station
2.4.2 Ensure seaworthiness of life raft
2.4.3 Secure painter to a strong point
2.4.4 Check for life raft instructions and number of personnel accommodated
2.4.5 Launch life raft
2.4.6 Board life raft
2.4.7 Cut painter
2.4.8 Paddle clear of danger
2.4.9 Stream anchor
2.4.10 Maintain sea worthiness of life raft
2.4.11 Look for TEMPSC, FRC, other life raft or overboard survivors
2.4.12 Attach painter to other life raft or tow craft
2.5 Escape directly to sea
2.5.1 Ensure survival suit properly sealed, lifejacket fastened
2.5.2 Move to lowest nearby platform
2.5.3 Assess direction of waves, danger and airborne contaminants
2.5.4 Jump away from platform, feet first, avoiding platform legs
2.5.5 Swim along side of platform
2.5.6 Look for other overboard survivors and rescue opportunities
3.0 Initiate search and rescue (SAR)
3.1 Appoint on-scene commander (OSC)
3.2 Monitor and coordinate SAR
3.3 Locate and rescue survivors
3.3.1 Rescue by helicopter
3.3.1 Rescue by stand-by vessel (SBV)
3.3.2 Give medical attention

Fig. 2. Hierarchical task analysis (HTA) of evacuation and rescue steps.

Table 1
Table 5 shows a procedural HAZOP analysis for one of the evac-
Evacuation scenarios. uation steps.
A complete procedural HAZOP of the evacuation stage, as well
Detail Evacuation scenario
as a risk reduction analysis for all relevant evacuation steps as pre-
Collision Gas release Fire and sented in the next section, can be found in Deacon (2010).
explosion
Situation A jack-up rig collides with A hydrocarbon A fire and
a fixed installation during gas release explosion 3.4. Risk reduction
approach; significant
damage to platform leg
Operator in 15 years experience 7 years 6 months
The risk matrix, shown in Fig. 3, is a tool that combines the
question experience experience probability of failure on demand and the consequence severity of
Weather Good weather, calm seas Cold, wet Winter a step to determine the tolerability of the risk. Tolerability criteria
weather storm were embedded in the risk matrix to classify a step in one of three
Time of day Daylight hours Daylight hours Night time
risk regions. The ‘broadly acceptable’ region is a risk region where
hours
no further risk reduction measures are required. The ‘tolerable if as
324 T. Deacon et al. / Safety Science 51 (2013) 319–327

Table 2
Assessor HEP results.

Evacuation step Collision HEP GR HEP F&E HEP

a b
P1 P2 P1 P2 P1 P2
1.1 Check wind speed, direction and sea state 0.444 0.039 0.444 0.039 0.444 0.180
1.2 Instruct personnel and maintain control 1.000 1.000 1.000 1.000 1.000 1.000
1.3 Issue sea sickness tablets 0.280 00.0 0.280 0.000 0.280 0.000
2.2.1 Move to helideck 0.234 0.000 0.00 0.000 0.000 0.000
2.2.2 Establish communication with pilot 0.392 0.013 0.770 0.027 1.000 0.051
2.2.3 Instruct personnel on boarding procedure 1.000 0.000 1.000 0.000 1.000 0.000
2.2.4 Board helicopter 0.020 0.0200 0.020 0.0200 0.020 0.000
2.2.5 Don flight suit, aviation life jacket and secure seatbelt 0.784 0.003 0.784 0.003 0.784 0.003
2.3.1 Ensure sea-worthiness of TEMPSC 1.000 0.003 1.000 0.003 1.000 0.003
2.3.2 Check compass heading/direction to steer craft 0.168 0.270 0.276 0.342 0.438 0.450
2.3.3 Turn helm fully to clear installation on launch 1.000 0.020 1.000 0.020 1.000 0.020
2.3.4 Ensure drop zone is clear 1.000 0.000 1.000 0.000 1.000 0.000
2.3.5 Instruct personnel on boarding procedure 1.000 0.000 1.000 0.000 1.000 0.000
2.3.6 Fasten seatbelt 0.168 0.000 0.168 0.000 0.168 0.000
2.3.7 Ensure everyone is secure 1.000 0.003 1.000 0.003 1.000 0.003
2.3.8. Start air support system 1.000 0.020 1.000 0.020 1.000 0.020
2.3.9 Close and secure all hatches 0.510 0.000 0.510 0.000 0.510 0.000
2.3.10 Call command center/launch master/other lifeboats to confirm launch sequence 0.868 0.020 1.000 0.020 1.000 0.020
2.3.11 Release falls/confirm auto-release 0.112 1.000 0.112 1.000 0.112 1.000
2.3.12 Launch TEMPSC 0.160 1.000 0.160 1.000 0.160 1.000
2.3.13 Engage forward gear and full throttle 0.320 0.020 0.320 0.020 0.320 0.020
2.3.14 Steer TEMPSC at vector from platform to rescue area 0.180 0.260 0.180 0.260 0.180 0.780
2.4.1 Move to life raft muster station 0.504 0.000 0.504 0.000 0.504 0.000
2.4.2 Ensure sea-worthiness of life raft 1.000 0.000 1.000 0.000 1.000 0.000
2.4.3 Secure painter to strong point 0.448 0.000 0.448 0.000 0.448 0.000
2.4.4 Check for life raft instructions and number of personnel accommodated 0.308 0.020 0.308 0.020 0.308 0.020
2.4.5 Launch life raft 0.020 0.0200 0.020 0.0200 0.020 0.000
2.4.6 Board life raft 0.020 0.520 0.020 0.520 0.020 0.520
2.4.7 Cut painter 0.336 0.00 0.336 0.00 0.336 0.000
2.4.8 Paddle clear of danger 0.550 0.550 0.550 0.550 0.550 0.550
2.4.9 Stream anchor 0.700 0.7000 0.700 0.7000 0.700 0.000
2.4.10 Maintain sea-worthiness of life raft 0.352 0.020 0.352 0.020 0.352 0.020
2.4.11 Look for TEMPSC, FRC, other life raft or overboard survivors 1.000 0.000 1.000 0.000 1.000 0.000
2.4.12 Attach painter to other life raft or tow craft 0.198 0.020 0.198 0.020 0.198 0.020
2.5.1 Ensure survival suit properly sealed, lifejacket fastened 0.280 0.003 0.280 0.003 0.280 0.003
2.5.2 Move to lowest nearby platform 1.000 0.020 1.000 0.020 1.000 0.020
2.5.3 Assess direction of waves, danger and airborne contaminants 1.000 0.003 1.000 0.003 1.000 0.003
2.5.4 Jump away from platform, feet first, avoiding platform legs 0.052 0.090 0.052 0.090 0.052 0.090
2.5.5 Swim along side of platform 1.000 0.260 1.000 0.260 1.000 0.260
2.5.6 Look for other overboard survivors and rescue opportunities 0.560 0.260 0.560 0.260 0.560 0.260
a
P1 – Participant 1.
b
P2 – Participant 2.

low as reasonably practicable (ALARP)’ region follows the ALARP
principle. If a risk is in this region and it has been shown through
cost-benefit analysis that it is not practical to further reduce the
risk, the risk is considered tolerable. If further measures can be
introduced practically, then the risk should be reduced (DNV,
2001). Risks in the ‘intolerable’ region must be reduced.
An example is step 2.3.14 of the evacuation phase, ‘steer
TEMPSC at vector from platform to rescue area’. This step identifies
the importance of moving towards a designated rescue area. The
HEP, or probability of failure on demand, for evacuation step
2.3.14 in a fire and explosion scenario is evaluated as 0.18 for
one assessor and 0.78 for the other. From Table 4, the consequence
severity for a human error during evacuation step 2.3.14 is 4. The
risk from both HEP data sets is therefore in the ‘intolerable’ region
of Fig. 3 and must be reduced.
3.4.1. Risk graph
For the current study, all steps were considered to be category
F1, assuming that emergency situations occur less than 10% of
the facility’s operating time. The potential to avoid damage de-
pends on the particular step. If there is time to correct an error
or achieve distance from the consequence, category D1 is used.
Otherwise, category D2 is used.
Using these four factors and the risk graph shown in Fig. 4, the
required reliability of safety barriers can be determined. This is a
mathematical reliability known as the level of confidence. A reli-
ability of 1 will reduce the risk by a factor of 10; a reliability of 2
will reduce the risk by a factor of 102 = 100, etc. The LC ranges from
1 to 4, or is identified as ‘a’. An LC of a indicates that safety barriers
should be introduced but are not required to have a mathematical
reliability.
For example, evacuation step 2.3.14 for a fire and explosion sce-
nario is in categories C4 and F1 of Fig. 4. It was determined there is
not time to correct an error and avoid the consequence. Therefore
category D2 is used. This leads to line X5 of the risk graph and, com-
bined with a HEP of 0.18 or 0.78, depending on the data set con-
sulted, leads to a total required LC of 3.
Fig. 5 is an example of a bow-tie using evacuation step 2.3.14;
‘steer TEMPSC at vector from platform to rescue area’ for a fire
and explosion scenario.
The three failure modes for this step are shown on the left of
Fig. 5. The probability of failure on demand of this step (the HEP)
is 0.18 or 0.78, depending on the data set consulted. A safety bar-
rier that would be effective in this case is a training barrier, with an
LC of 1. It is noted that a training barrier can only be given a design
LC if it meets the following conditions (Deacon, 2010):
 Drills including verbalization of weather and sea conditions.
 Drills including the completion and verbalization of every evac-
uation task in various scenarios, with personnel feedback.
 T. Deacon et al. / Safety Science 51 (2013) 319–327 325

Table 3
Consequence severities for evacuation steps.

Evacuation step Severity Reference

1.1 Check wind speed, direction and sea state 2 Kennedy (1993) (Appendix B)
1.2 Instruct personnel and maintain control 4 Kennedy (1993) (Appendix B) and Vinnem (2007) (p. 94)
1.3 Issue sea sickness tablets 2 Kennedy (1993) (Appendix B) and Robertson and Wright (1997) (p. 14)
2.2.1 Move to helideck 2 Kennedy (1993) (Appendix B)
2.2.2 Establish communication with pilot 2 Kennedy (1993) (Appendix B)
2.2.3 Instruct personnel on boarding procedure 2 Kennedy (1993) (Appendix B)
2.2.4 Board helicopter 2 Kennedy (1993) (Appendix B)
2.2.5 Don flight suit, aviation life jacket and secure seatbelt 1 Kennedy (1993) (Appendix B)
2.3.1 Ensure sea worthiness of TEMPSC 4 Kennedy (1993) (p. 30)
2.3.2 Check compass heading/direction to steer craft 2 Kennedy (1993) (Appendix B) and Robertson and Wright (1997) (p. 13)
2.3.3 Turn helm fully to clear installation on launch 2 Kennedy (1993) (Appendix B)
2.3.4 Ensure drop zone is clear 4 Kennedy (1993) (Appendix B)
2.3.5 Instruct personnel on boarding procedure 2 Kennedy (1993) (Appendix B)
2.3.6 Fasten seat belt 2 Kennedy (1993) (Appendix B)
2.3.7 Ensure everyone is secure 2 Kennedy (1993) (Appendix B)
2.3.8. Start air support system 3 Kennedy (1993) (Appendix B) and Robertson and Wright (1997) (p. 14)
2.3.9 Close and secure all hatches 4 Kennedy (1993) (Appendix B) and US Coast Guard (1983) (p. 124)
2.3.10 Call command center/launch master/other lifeboats to confirm 4 US Coast Guard, 1983 (p. 133)
launch sequence
2.3.11 Release falls/confirm auto-release 4 Kennedy (1993) (Appendix B) and Vinnem (2007) (p. 83) and Moan et al.
(1981) (p. 162)
2.3.12 Launch TEMPSC 4 US Coast Guard (1983) (p. 124)
2.3.13 Engage forward gear and full throttle 4 Kennedy (1993) (Appendix B) and Moan et al. (1981) (p. 162)
2.3.14 Steer TEMPSC at vector from platform to rescue area 4 Kennedy (1993) (Appendix B) and Moan et al. (1981) (p. 162)
2.4.1 Move to life raft muster station 2 Kennedy, 1993 (Appendix B)
2.4.2 Ensure seaworthiness of life raft 4 Kennedy, 1993 (p. 30)
2.4.3 Secure painter to a strong point 4 Kennedy (1993) (Appendix B) and US Coast Guard (1983) (p. 67)
2.4.4 Check for life raft instructions and number of personnel 2 Kennedy (1993) (Appendix B)
accommodated
2.4.5 Launch life raft 4 US Coast Guard (1983) (p. 149)
2.4.6 Board life raft 4 Kennedy (1993) (Appendix B)
2.4.7 Cut painter 4 Kennedy (1993) (Appendix B) and Moan et al. (1981) (p. 162)
2.4.8 Paddle clear of danger 4 US Coast Guard (1983) (p. 134) and Moan et al. (1981) (p. 162)
2.4.9 Stream anchor 4 Kennedy (1993) (Appendix B)
2.4.10 Maintain sea worthiness of life raft 4 Kennedy (1993) (Appendix B) and US Coast Guard (1983) (pp. 62–63)
2.4.11 Look for TEMPSC, FRC, other life raft or overboard survivors 4 US Coast Guard (1983) (p. 67)
2.4.12 Attach painter to other life raft or tow craft 4 US Coast Guard (1983) (pp. 62,63,67)
2.5.1 Ensure survival suit properly sealed, lifejacket fastened 2 Robertson and Wright (1997) (p. 18)
2.5.2 Move to lowest nearby platform 4 Vinnem (2007) (p.83) and Moan et al. (1981) (p. 143)
2.5.3 Assess direction of waves, danger and airborne contaminants 2 Robertson and Wright (1997) (p. 18)
2.5.4 Jump away from platform, feet first, avoiding platform legs 3 Robertson and Wright (1997) (p. 18)
2.5.5 Swim along side of platform 4 US Coast Guard (1983) (p. 134) and Moan et al. (1981) (p. 162)
2.5.6 Look for other overboard survivors and rescue opportunities 4 Vinnem (2007) (p. 84)

Table 4
Procedural HAZOP for evacuation step 2.3.4 (ensure drop zone is clear).

Failure mode Description Consequences Prevention barriers Mitigation barriers

Check omitted Coxswain omits or forgets to
check for debris in the water
Check mistimed Coxswain makes check too early
or too late, leaving time for
debris to float over or forcing the
boat to be committed to the
launch
 Delayed evacuation Active Engineered Passive Engineered
 Capsize of/hole in boat  Lights to illuminate drop zone  Boats constructed to withstand
during low visibility severe impacts and absorb shock
 Injury/death Procedural
 Warning prompt at helm of TEMPSC
 Training/drills that require verbalizing state
of drop zone and delaying or aborting launch

 Written prompts and instructions at all evacuation stations.
 Drills with measurement equipment (compass heading, etc.).
 Personnel in command (coxswain, OIM, etc.) identified by dif-
ferent colored suits.
 High stress training for coping while maintaining command.
 Behavioral testing to determine panic potential.
 Personnel in command equipped with checklist of orders to issue.
 Personnel equipped with card on boarding procedure of all
evacuation vessels.
 Boarding procedure written and illustrated at all evacuation
stations
 Training for coxswains to correctly orient TEMPSC under mini-
mal visibility.
 Prompts inside vessels to fasten seatbelt, await instructions.
 Drills that complete certain tasks out of order (e.g. starting air
support system before ensuring everyone secure) to show
consequences.
 Personnel provided with two-way radios.
326 T. Deacon et al. / Safety Science 51 (2013) 319–327

 Photo-luminescent pathways.
 Personnel supplied with evacuation checklist and evacuation
route maps.

The revised probability of failure on demand is now

HEP  10 LC = HEP  0.1 = 0.018 or 0.078. The new HEP/conse-
quence severity combination is still in the ‘intolerable’ region of
the risk matrix. A possible mitigation measure, should an error
occur, is a mechanical GPS unit on each TEMPSC. A GPS unit would
allow rescue personnel to track and locate the TEMPSC should it
not arrive at the designated rescue area. With an LC of 1, the re-
vised potential for a fatality is 0.1  HEP  0.1 = HEP  10 2 = 0.002
or 0.008. Even should the GPS locator be successful, the potential
Fig. 3. Risk matrix. exists for a severe injury (i.e. consequence severity 3 should GPS

Fig. 4. Risk graph (adapted from ARAMIS; Anderson et al., 2004).

Fig. 5. Bow-tie graph for Step 2.3.14, ‘Steer TEMPSC at vector from platform to rescue area’.
 T. Deacon et al. / Safety Science 51 (2013) 319–327
unit be successful). The risk is evaluated as 0.1  HEP  (1–
0.1) = 0.09  HEP = 0.016 or 0.07 for consequence severity 3. The
risk graph has identified a required LC of 3; therefore additional
safety measures should be incorporated.
4. Discussion
A risk assessment was undertaken for the evacuation phase of
the EER process. Three scenarios were evaluated for each phase
to encompass the full range of risk. For risk reduction, only one sce-
nario was analyzed for each phase of EER. The highest severity risk
scenario for a given step was analyzed. Bringing the risk to a toler-
able level for the highest severity scenario will have the same ef-
fect on the lower severity scenarios. It is noted that a training
and procedures safety barrier is important for all steps. For some
steps, it may be the only barrier with an associated LC. However,
as this is the least reliable barrier in terms of the hierarchy of con-
trols, efforts should be undertaken to determine an LC for potential
barriers identified in the procedural HAZOP. The evaluated HEPs
for several evacuation steps were adequately similar and had iden-
tical risk reduction requirements from the risk matrix and risk
graph. However, HEP data conflicted between assessors for several
evacuation steps. Little conclusion can be drawn from the HEP re-
sults alone. It can be seen that HEPs differ between assessors for
several steps, and that they are similar for others. More detailed
conclusions require the combination of the evaluated HEPs with
consequence severities to determine the overall tolerability of risk
and the required level of risk reduction necessary for each step.
Combined with the results of the consequence table, the difference
in HEPs led to differing requirements for risk reduction in the risk
graph. One assessor’s results led to a higher LC requirement than
the other’s. This discrepancy can lead to a less efficient allocation
of risk reduction resources. Management may put fewer resources
than necessary to reduce the risk of one step, put excessive re-
sources into reducing the risk of an adequately controlled step,
or both. Calibration of HEART with known human error data on
evacuations may reduce the inconsistencies between assessors.
Greater accuracy in HEP assessment will increase the efficiency
of risk reduction efforts. Steps were assumed independent from
one another in this study and the overall time taken to achieve
the goal of evacuation was not analyzed. The time taken to evacu-
ate a platform can be a critical factor depending on the structural
stability (Moan et al., 1981). It would be beneficial in future work
to perform a dependency analysis.
It is important to note that a facility safety audit was not per-
formed to adjust the design LC values in the current work. No facil-
ity was available for a safety audit for the current work.
Nevertheless, it is crucial that in practical risk assessments using
ARAMIS a safety audit is performed.
While the scenarios studied in this undertaking are from the
perspective of an offshore environment, this framework can be ap-
plied to various fields in industry. Onshore oil operations, nuclear
power plants and chemical process facilities all have the potential
for emergencies requiring site evacuation. While evacuation itself
may simply involve running to achieve a safe distance from the
emergency, escape from the facility and rescue operations are
more complex. The presented framework provides a means to eval-
uate and reduce the risk for these industries as well.
327
5. Conclusion and recommendations
The current work presents a framework for human reliability
analysis of offshore emergency situations that can supplement a
QRA. Dependency between steps and overall process time were
not evaluated in this work. The overall time to achieve the main
goals of escape, evacuate and rescue, as well as the effect of failure
of one step on later steps should be evaluated as a further study.
These two factors may have a significant effect on the EER process.
Furthermore, efforts should be made to obtain empirical HEP data
for offshore evacuations. Empirical data for several evacuation
steps may provide a means of calibrating expert judgment tech-
niques to evaluate all steps. Finally, efforts should be made to en-
sure that more of the potential safety barriers identified in the
procedural HAZOP meet the ARAMIS requirements and are incor-
porated into bow-tie analysis.
Acknowledgments
The authors gratefully acknowledge the financial support of
Petroleum Research Atlantic Canada (PRAC), the Nova Scotia
Department of Energy and Pengrowth.
References
Amyotte, P., Goraya, A., Hendershot, D., Khan, F., 2007. Incorporation of inherent
safety principles in process safety management. Process Safety Progress 26.
Anderson, H., Casal, J., Dandrieux, A., Debray, B., Dianous, V., Duijm, N., Delvosalle,
C., Fievez, C., Goossens, L., Gowland, R., Hale, A., Hourtolou, D., Mazzarotta, B.,
Pipart, A., Planas, E., Prats, F., Salvi, O., Tixier, J., 2004. ARAMIS User Guide (The
European Commission Community Research).
Cameron, I., Raman, R., 2005. Process Systems Risk Management, vol. 6. Elsevier
Academic Press, San Diego, CA.
Deacon, T., Amyotte, P., Khan, F., 2010. Human error risk analysis in offshore
emergencies. Safety Science 48.
Deacon, T., Amyotte, P., Khan, F., MacKinnon, S., 2010. A framework for human error
analysis of emergency situations. In: Proceedings of the 6th Global Congress on
Process Safety, San Antonio, Texas, 22–24 March. AIChE.
Deacon, T., 2010. Human Error Risk Analysis and Reduction for Offshore Emergency
Situations. MASc Thesis, Dalhousie University.
DiMattia, D., 2004. Human Error Probability Index for Offshore Platform Musters.
PhD Thesis, Dalhousie University.
DNV, 2002. Marine Risk Assessment. Report OTO 2001 063, UK Health and Safety
Executive.
Gadd, S., Keeley, D., Balmforth, M., 2004. Pitfalls in risk assessment: examples from
the UK. Safety Science 42.
Gurpreet, B., Kirwan, B., 1998. Collection of offshore human error probability data.
Reliability Engineering and System Safety 61.
Kennedy, B., 1993. A Human Factors Analysis of Evacuation, Escape and Rescue from
Offshore Installations. Report OTO 93 004, UK Health and Safety Executive.
Kirwan, B., 1997. The validation of three human reliability quantification techniques
– THERP, HEART and JHEDI: Part III – practical aspects of the usage of the
techniques. Applied Ergonomics 28.
Moan, T., Nsheim, T., Uveraas, S., Bekkvik, P., Kloster, A., 1981. The Alexander L.
Kielland Accident. Report NOU 1981:11, Norwegian Public Reports.
Robertson, D.H., Wright, M.J., 1997. Ocean Odyssey Emergency Evacuation: Analysis
of Survivor Experiences. Report OTO 96 009, UK Health and Safety Executive.
US Coast Guard, 1983. Marine Casualty Report – Mobile Offshore Unit (MODU)
OCEAN RANGER. Report USCG 0001 HQS 82, US Coast Guard.
Vinnem, Jan E., 2007. Offshore Risk Assessment, 2nd ed. Kluwer Academic
Publishers, The Netherlands, pp. 77–116.
Williams, J.C., 1992. Toward an improved evaluation tool for users of HEART. In:
Proceedings of the International Conference on Hazard Identification, Risk
Analysis, Human Factors and Human Reliability in Process Safety, Orlando,
Florida, 15–17 January. AIChE-CCPS, New York.