CCPS (2022) - Human Factors Handbook For Process Plant Operations - Improving Process Safety and System Performance

HUMAN FACTORS HANDBOOK
FOR PROCESS PLANT OPERATIONS

HUMAN FACTORS HANDBOOK
FOR PROCESS PLANT OPERATIONS
Improving Process Safety and

System Performance
CENTER FOR CHEMICAL PROCESS SAFETY

AMERICAN INSTITUTE OF CHEMICAL ENGINEERS
New York, NY
This edition first published 2022
© 2022 the American Institute of Chemical Engineers
A Joint Publication of the American Institute of Chemical Engineers and John Wiley &
Sons, Inc.
All rights reserved. No part of this publication may be reproduced, stored in a

retrieval system, or transmitted, in any form or by any means, electronic, mechanical,
photocopying, recording or otherwise, except as permitted_by law. Advice on how to
obtain permission to reuse material from this title is available at http://www.wiley.com/
go/permissions.
The rights of CCPS to be identified as the author of the editorial material in this work
have been asserted in accordance with law.
Registered Office
John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, USA
Editorial Office
111 River Street, Hoboken, NJ 07030, USA
For details of our global editorial offices, customer services, and more information
about Wiley products visit us at www.wiley.com.
Wiley also publishes its books in a variety of electronic formats and by print-on-demand.
Some content that appears in standard print versions of this book may not be available
in other formats.
Limit of Liability/Disclaimer of Warranty

In view of ongoing research, equipment modifications, changes in governmental
regulations, and the constant flow of information relating to the use of experimental
reagents, equipment, and devices, the reader is urged to review and evaluate the
information provided in the package insert or instructions for each chemical, piece of
equipment, reagent, or device for, among other things, any changes in the instructions
or indication of usage and for added warnings and precautions. While the publisher and
authors have used their best efforts in preparing this work, they make no representations
or warranties with respect to the accuracy or completeness of the contents of this
work and specifically disclaim all warranties, including without limitation any implied
warranties of merchantability or fitness for a particular purpose. No warranty may be
created or extended by sales representatives, written sales materials or promotional
statements for this work. The fact that an organization, website, or product is referred to
in this work as a citation and/or potential source of further information does not mean
that the publisher and authors endorse the information or services the organization,
website, or product may provide or recommendations it may make. This work is sold with
the understanding that the publisher is not engaged in rendering professional services.
The advice and strategies contained herein may not be suitable for your situation. You
should consult with a specialist where appropriate. Further, readers should be aware
that websites listed in this work may have changed or disappeared between when this
work was written and when it is read. Neither the publisher nor authors shall be liable
for any loss of profit or any other commercial damages, including but not limited to
special, incidental, consequential, or other damages.
Library of Congress Cataloging-in-Publication Data Applied for
Cover Design: Wiley

Cover Image: Pand P Studio/Shutterstock, manine99/ Shutterstock, agsandrew/Shutterstock
10 9 8 7 6 5 4 3 2 1
This book is one in a series of process safety guidelines and concept books
published by the Center for Chemical Process Safety (CCPS). Refer to
www.wiley.com/go/ccps for full list of titles in this series.
It is sincerely hoped that the information presented in this document will lead to
a better safety record for the entire industry; however, neither the American
Institute of Chemical Engineers, its consultants, CCPS Technical Steering
Committee and Subcommittee members, their employers, their employers'
officers and directors, nor Greenstreet Berman, Ltd., and its employees and
subcontractors warrant or represent, expressly or by implication, the correctness
or accuracy of the content of the information presented in this document. As
between (1) American Institute of Chemical Engineers, its consultants, CCPS
Technical Steering Committee and Subcommittee members, their employers, their
employers' officers and directors, and Greenstreet Berman, Ltd., and its
employees and subcontractors, and (2) the user of this document, the user accepts
any legal liability or responsibility whatsoever for the consequence of its use or
misuse.
Human Factors Handbook for Process Plant Operations
is dedicated to
Jack L. McCavit
Jack is passionate about process safety, especially in the areas of culture and
human factors. His work, both in his career at Celanese, and after his retirement,
has concentrated on educating workers and industry leaders on the importance
of process safety, the payback of sustaining a great program, and most
importantly, the impact of not making process safety a top priority. Jack had first-
hand experience with the latter when he witnessed a butane vapor cloud explosion
at the Celanese site in Pampa, Texas, in 1987, resulting in three fatalities and
dozens of injuries. Based on his significant and relevant expertise, Jack was
selected as the technical manager for the prominent Baker Panel investigation of
the BP Texas City Explosion in 2005.
Jack is a CCPS Fellow, an AIChE Fellow, and is rumored to be the fifth most famous
Texan in history. He was the committee chair for the CCPS flagship book,
Guidelines for Risk Based Process Safety, and a driving force behind CCPS’s Vision
20/20.
It is both an honor and a privilege to see Jack in action!
Louisa A. Nara, CCPSC

CCPS Global Technical Director
Table of Contents
Table of Contents .............................................................................................. ix

Glossary .......................................................................................................... xxiii
Acronyms ......................................................................................................... xxv
Acknowledgements ...................................................................................... xxvii
Foreword ........................................................................................................ xxix
Part 1: Concepts, principles, and foundational knowledge .......................... 1

1 Introduction.................................................................................................. 3
1.1 What is “Human Factors”? .............................................................. 3
1.2 Purpose of this handbook .............................................................. 4
1.3 Why Human Factors? ...................................................................... 7
1.4 The structure of this handbook ..................................................... 9
2 Human performance and error ............................................................... 11
2.1 Learning objectives of this Chapter ............................................ 11
2.2 An example of successful human performance........................ 11
2.3 An example of unsuccessful human performance ................... 13
2.4 Key learning points from this Chapter........................................ 17
3 Options for supporting human performance........................................ 19
3.1 Learning objective of this Chapter .............................................. 19
3.2 Types of human performance ..................................................... 19
3.3 Types of human performance, errors and mistakes ................ 21
3.4 Selecting options for supporting human performance............ 30
4 Supporting human capabilities................................................................ 35
4.2 Attention ......................................................................................... 35
4.3 Vigilance .......................................................................................... 36
4.4 Memory ........................................................................................... 37
4.5 Cognitive capacity .......................................................................... 38
4.6 Cognitive heuristics/biases ........................................................... 39
x Human Factors Handbook
Part 2: Procedures and job aids .................................................................... 43

5 Human performance and job aids .......................................................... 45
5.2 An example of a major accident .................................................. 45
5.3 The role of job aids in supporting human performance .......... 46
5.4 Approach to developing effective job aids ................................. 48
6 Selecting a type of job aid ........................................................................ 53
6.2 Stage 1: Determining the need for a job aid .............................. 53
6.3 Stage 2: Selecting the type of job aid .......................................... 62
6.4 Electronic job aids.......................................................................... 67
7 Developing content of a job aid............................................................... 69
7.2 Outputs from task analysis .......................................................... 69
7.3 Outputs from Hazard Identification and Risk Analysis ............. 72
7.4 User involvement........................................................................... 72
7.5 Validation of job aids ..................................................................... 74
7.6 Keeping job aids up to date ......................................................... 75
8 Format and design of job aids ................................................................. 77
8.2 Structure and layout...................................................................... 77
8.3 Navigation ....................................................................................... 82
8.4 Instructional Language ................................................................. 84
8.5 Pictorial information ..................................................................... 87
8.6 Icons ................................................................................................ 88
Part 3: Equipment............................................................................................ 91
9 Human Factors in equipment design ..................................................... 93
9.2 Definitions ...................................................................................... 93
9.3 Major accident example ............................................................... 94
Table of Contents xi
9.4 Error traps ...................................................................................... 96

9.5 How might poor equipment Human Factors cause error? ...... 98
9.6 Example of poor equipment Human Factors ......................... 101
9.7 Supporting human performance by good equipment
design ........................................................................................... 103
9.8 Mitigating poor design ............................................................... 111
9.9 Key learning points from this Chapter..................................... 113
Part 4: Operational competence ................................................................. 115

10 Human performance and operational competency .......................... 117
10.1 Learning objectives of this Chapter ......................................... 117
10.2 What is competency? ................................................................. 117
10.3 Competency Management ........................................................ 118
10.4 An example of effective Process Safety Competency
Management ............................................................................... 121
10.5 An example of gaps in operational competency .................... 122
10.6 Competency influencing factors ............................................... 124
11 Determining operational competency requirements........................ 127
11.2 Identify and define safety critical competency: overview ..... 127
11.3 Step 1: Identify safety critical tasks .......................................... 128
11.4 Step 2: Identify required competency ..................................... 130
11.5 Step 3: Define performance standards ................................... 132
12 Identifying learning requirements ....................................................... 137
12.2 Competency gap analysis .......................................................... 137
12.3 Training Needs Analysis ............................................................. 138
13 Operational competency development ............................................... 143
13.2 Good practice in learning .......................................................... 143
xii Human Factors Handbook
14 Operational competency assessment ................................................. 151

14.2 Reasons for competency assessment ..................................... 151
14.3 How to conduct assessment of competency .......................... 151
14.4 Reassessment ............................................................................. 157
14.5 Managing competency gaps ..................................................... 158
14.6 Competency and learning records ........................................... 160
Part 5: Task support ...................................................................................... 161

15 Fatigue and staffing levels ..................................................................... 163
15.2 A fatigue-related accident ......................................................... 163
15.3 Managing fatigue risk ................................................................. 168
16 Task planning and error assessment................................................... 179
16.2 Incident example ........................................................................ 179
16.3 Human Factors and task planning ........................................... 180
16.4 Error assessment within task planning ................................... 182
17 Error management in task planning, preparation and control ........ 189
17.2 Overview ...................................................................................... 189
17.3 Preventing optimism bias in task planning: scheduling ........ 190
17.4 Assigning safety critical tasks .................................................... 194
17.5 Distractions and interruptions.................................................. 195
17.6 Long and low demand tasks ..................................................... 199
17.7 The Human Factors of control of work packages .................. 202
17.8 Team briefings ............................................................................ 204
17.9 Human Factors of system isolation.......................................... 205
17.10 Human Factors of managing interlocks and automatic trips 210
18 Capturing, challenging and correcting operational error ................. 215
18.2 Failing to spot, challenge, and recover from errors ............... 215
Table of Contents xiii
18.3 Why do we fail to capture, challenge, and correct errors? ... 217
18.4 Coaching people to recognize risk of making errors ............. 218
18.5 Error Management Training ...................................................... 220
18.6 Enabling challenge of task performance ................................. 224
19 Communicating information and instructions ................................... 233
19.2 Incident example ........................................................................ 233
19.3 Causes of poor communication ............................................... 234
19.4 Human Factors of communications ......................................... 235
19.5 Avoiding communication overload .......................................... 237
19.6 Human Factors in shift handover ............................................. 241
Part 6: Non-technical skills ........................................................................... 247

20 Situation awareness and agile thinking ............................................... 249
20.2 What are situation awareness and agile thinking? ................ 249
20.3 Accidents from poor situation awareness and rigid
thinking ........................................................................................ 252
20.4 Causes of poor situation awareness and rigid thinking ........ 253
21 Fostering situation awareness and agile thinking.............................. 257
21.2 Training in situation awareness skills ...................................... 257
21.3 Practical situation awareness tools and tactics ...................... 262
21.4 Recognizing loss of situation awareness ................................. 268
21.5 Fostering agile decision-making ............................................... 270
22 Human Factors in emergencies ............................................................ 277
22.2 An example accident .................................................................. 277
22.3 Supporting human performance in emergencies .................. 281
22.4 Non-technical skills for emergency response ......................... 284
xiv Human Factors Handbook
Part 7: Working with contractors and managing change......................... 299

23 Working with contractors ...................................................................... 301
23.2 An accident involving contractors ............................................ 301
23.3 Human Factors tactics for supporting contractors ................ 304
24 Human Factors of operational level change ....................................... 309
24.2 What do we mean by operational level change?.................... 309
24.3 Operational level change and major accidents ...................... 310
24.4 Recognizing operational level changes that impact human
performance................................................................................ 311
24.5 Managing Human Factors of changes ..................................... 314
Part 8: Recognizing and learning from performance ............................... 319

25 Indicators of human performance ....................................................... 321
25.2 What are performance indicators? .......................................... 321
25.3 Identifying human performance indicators ............................ 323
25.4 Examples of human performance indicators ......................... 324
25.5 Sharing and acting on human performance indicators ........ 332
26 Learning from error and human performance .................................. 335
26.2 The importance of understanding error ................................. 336
26.3 Examples of poor learning ........................................................ 338
26.4 Learning in high performing teams ......................................... 340
26.5 Human Factors of investigating process ................................. 341
26.6 Selecting preventive Human Factors actions .......................... 356
26.7 Learning ....................................................................................... 359
Table of Contents xv
APPENDICES
A Human error concepts .................................................................... 373

B Major accident case studies ........................................................... 383
C Human Factors Competency Matrix ............................................. 397
D Competency performance standards ........................................... 415
E Learning methods and performance ............................................ 420
F Situation awareness and behavioral markers ............................. 425
G Human Factors change checklist ................................................... 431
Index................................................................................................................ 437
List of Figures
Figure 1-1: Human Factors science, concepts and principles .................................... 3

Figure 1-2: Overview of the handbook, by chapter................................................... 10
Figure 2-1: “Miracle on the Hudson” ........................................................................... 12
Figure 2-2: Performance Influencing Factors............................................................. 16
Figure 3-1: The Skill-Rule-Knowledge Performance Model ...................................... 20
Figure 3-2: Human performance modes, errors and mistakes ............................... 23
Figure 3-3: Strategies for knowledge and rule-based human performance.......... 31
Figure 3-4: Supporting skill-based performance ....................................................... 33
Figure 4-1: Typical vigilance decrement ..................................................................... 36
Figure 5-1: Overview of Human Factors aspects of developing a job aid .............. 51
Figure 6-1: Selecting a type of job aid for operational use ...................................... 56
Figure 6-2: Using HIRA risk matrix results to assess task safety criticality ............. 57
Figure 6-3: Example of a formal safety critical task assessment ............................. 58
Figure 6-4: Task safety criticality rating ...................................................................... 60
Figure 6-5: Mapping of type of job aid to type of task performance ...................... 63
Figure 7-1: Example of a graphical task description ................................................. 70
Figure 7-2: Example of HIRA results............................................................................ 72
Figure 7-3: Task walk-through process ....................................................................... 74
Figure 8-1: Good practice SOP example ..................................................................... 79
Figure 8-2: An example grab card ............................................................................... 81
Figure 8-3: An example decision flow chart for unresponsive casualties .............. 82
Figure 8-4: An example of icon and color coding ...................................................... 83
Figure 8-5: Examples poor and good practice of instructional language............... 86
Figure 8-6: An annotated diagram .............................................................................. 88
Figure 8-7: An example of icon and color coding ...................................................... 89
Figure 9-1: The Buncefield fuel storage facility before and after ............................ 94
Figure 9-2: A Human Factors solution to selecting the right control ...................... 96
Figure 9-3: A common error trap ................................................................................ 97
Figure 9-4: Control and instrumentation panel....................................................... 102
Figure 9-5: User- centered design ............................................................................. 103
Figure 9-6: Examples of good and poor natural mapping for a stove .................. 108
Figure 9-7: Example of good practice in natural mapping ..................................... 109
Figure 9-8: Principles of good alarm design ............................................................ 112
Figure 10-1: Competency Management ................................................................... 120
Figure 11-1: SCTA and Level of Training ................................................................... 129
Figure 13-1: Example of competency development through training .................. 144
Figure 13-2: The Learning Pyramid ........................................................................... 147
Figure 14-1: Learning assessments........................................................................... 157
Figure 15-1: Example of rapid rise in fatigue scores from a 16-hour day ............ 166
Figure 15-2: Working without rest breaks ................................................................ 167
Figure 15-3: Working nights ....................................................................................... 168
Figure 15-4: Typical scope of fatigue risk policy ...................................................... 169
xviii Human Factors Handbook
Figure 15-5: Guidelines on shift design .................................................................... 171

Figure 15-6: Signs and symptoms of fatigue ........................................................... 173
Figure 15-7: Signs of under staffing .......................................................................... 175
Figure 15-8: Managing workloads ............................................................................. 176
Figure 15-9: A simple task timeline ........................................................................... 177
Figure 16-1: Examples of error-likely situations ...................................................... 184
Figure 17-1: Overview of HF task planning, preparation and control................... 190
Figure 17-2: Open language for inviting questions and opinions ......................... 191
Figure 17-3: Barrier ownership prevented wrong valve line up ............................ 195
Figure 17-4: Tactics for minimizing distraction and interruptions ........................ 197
Figure 17-5: Schematic of some factors influencing attention span .................... 200
Figure 17-6: Features of a good Tool Box Talk or task briefing. ............................ 205
Figure 18-1: Draining pumps ..................................................................................... 215
Figure 18-2: Categories of cognitive error................................................................ 217
Figure 18-3: Factors contributing to error................................................................ 218
Figure 18-4: Error contributing factors ..................................................................... 221
Figure 18-5: Cognitive skills required for error self-management ........................ 223
Figure 18-6: Factors building psychological safety.................................................. 226
Figure 18-7: Challenging skills ................................................................................... 229
Figure 19-1: Repeating back....................................................................................... 240
Figure 20-1: Stages of situation awareness ............................................................. 250
Figure 21-1: Behavioral Markers for “Actively seeks relevant information” ......... 259
Figure 21-2: Causes of failed Situation Awareness ................................................. 268
Figure 22-1: Error recognition and management process ..................................... 279
Figure 22-2: Human Errors – categories ................................................................... 280
Figure 22-3: Refinery explosion, Philadelphia Energy Solutions ........................... 282
Figure 22-4: Stress management – training strategies ........................................... 288
Figure 22-5: Decision-making in emergency situations.......................................... 290
Figure 24-1: Types of change and impact ................................................................ 311
Figure 24-2: Sample Management of Change process ........................................... 314
Figure 25-1: Design of human performance indicators ......................................... 323
Figure 25-2: Gathering and reviewing feedback ..................................................... 326
Figure 25-3: Stress in the workplace and performance ......................................... 328
Figure 25-4: Signs of mindfulness ............................................................................. 331
Figure 25-5: Lessons learned – knowledge sharing ................................................ 332
Figure 26-1: Steps of effective learning – learning process ................................... 338
Figure 26-2: The consequences of blame culture ................................................... 343
Figure 26-3: “New” Just Culture Process ................................................................... 348
Figure 26-4: Error – causal factors and conditions.................................................. 350
Figure 26-5: Matching improvements to type of error ........................................... 358
Figure 26-6: Goals of Restorative Just Culture ......................................................... 359
List of Figures xix
Figure A-1 Energy Institute human performance principles.................................. 377

Figure A-2 What are the causes of incidents? .......................................................... 378
Figure B-1 Texas City Refinery Explosion ................................................................. 383
Figure B-2 Bayer Crop Science plant damage ......................................................... 385
Figure B-3 Longford Esso Gas Plant explosion ........................................................ 387
Figure B-4 The explosion and fires at Milford Haven ............................................. 389
Figure B-5 Interaction of the key valves and vessels .............................................. 392
Figure B-6 The polyvinyl fluoride process ................................................................ 393
Figure B-7 Deepwater Horizon Oil Spill – Macondo blowout................................. 395
List of Tables
Table 3-1: SRK types of human performance ............................................................ 22

Table 3-2: Case study example of a knowledge-based mistake .............................. 24
Table 3-3: Example of a rule-based mistake .............................................................. 27
Table 3-4: Example of skill-based human error in a major accident ...................... 29
Table 6-1: Guidelines for rating task complexity ....................................................... 61
Table 6-2: Guidelines for rating task frequency ........................................................ 61
Table 6-3: Time available to complete a task ............................................................. 62
Table 6-4: Definition of types of operational job aids .............................................. 64
Table 6-5: Pros and cons of electronic job aids ......................................................... 68
Table 7-1: Example task analysis as a table ............................................................... 71
Table 8-1: Typical structure of procedures ................................................................ 77
Table 8-2: Checklist for layout of job aids .................................................................. 78
Table 8-3: Checklist for instructional language ......................................................... 84
Table 8-4: When to use different presentation options ........................................... 87
Table 9-1: Examples of poor design for hard-wired interfaces – physical panels . 98
Table 10-1: Key features of effective process safety Competency Management 125
Table 11-1: An example industry standard .............................................................. 133
Table 11-2: Generic example of a competency standards matrix ........................ 134
Table 11-3: Petrochemical example of a competency standards matrix ............. 135
Table 12-1: Competency Gap Analysis and Training Needs Analysis template ... 140
Table 13-1: Learning methods for developing individuals ..................................... 145
Table 13-2: Team learning methods ......................................................................... 148
Table 14-1: Suitability of and differences between competency assessments ... 153
Table 15-1: Principles of shift design ........................................................................ 170
Table 16-1: Example of locks removed on wrong blinds........................................ 180
Table 16-2: Task planning tactics for potential high-risk situations ...................... 185
Table 16-3: Task planning tactics for different task errors .................................... 186
Table 17-1: Scheduling ............................................................................................... 193
Table 17-2: Barrier ownership to prevent commissioning loss of containment . 194
Table 17-3: Example tactics for enabling attention................................................. 201
Table 17-4: An isolation incident: relying on experience ....................................... 207
Table 17-5: Human Factors of isolation.................................................................... 208
Table 17-6: Example of defeating an interlocked valve .......................................... 212
Table 17-7: Human Factors good practice for interlocks and trips ....................... 213
Table 18-1: Draining pumps leads to product release ........................................... 216
Table 18-2: Error management training and coaching ........................................... 219
Table 18-3: High-risk observable behaviors............................................................. 220
Table 18-4: Error detection techniques .................................................................... 227
Table 18-5: Examples of error recovery techniques ............................................... 230
Table 18-6: Types of task verification ....................................................................... 231
Table 19-1: Verbal and communication techniques ............................................... 236
Table 19-2: Shift handover contributed to a massive explosion ........................... 241
xxii Human Factors Handbook
Table 19-3: Shift handover risk factors ..................................................................... 242

Table 19-4: Elements of effective handover ............................................................ 244
Table 20-1: Cognitive biases ...................................................................................... 254
Table 21-1: Situation awareness – Assessment record .......................................... 261
Table 21-2: Human performance tools – examples ................................................ 263
Table 21-3: Clues for recognizing impaired Situation Awareness ......................... 269
Table 21-4: Group-think – behaviors (symptoms) ................................................... 273
Table 21-5: Confirmation bias – observable behavior ............................................ 274
Table 22-1: Non-technical skills and error prevention ........................................... 285
Table 22-2: Stress indicators in emergency situations ........................................... 286
Table 22-3: Shared situation awareness requirements ......................................... 289
Table 22-4: Emergency decision-making aids.......................................................... 291
Table 22-5: Leadership in emergency situations .................................................... 295
Table 22-6: Delegating and communicating in emergency situations.................. 296
Table 24-1: Tips on recognizing change ................................................................... 313
Table 25-1: Leading and lagging indicators ............................................................. 322
Table 25-2: Specifying a human performance indicator ........................................ 324
Table 26-1: High performing teams and self-learning from error ........................ 341
Table 26-2: Investigation biases and mitigating strategies .................................... 345
Table 26-3: Human Factors investigation tools ....................................................... 352
Table 26-4: Effective learning tips ............................................................................. 361
Table A-1 ‘Hearts and Minds’ definitions for non-compliance............................... 375

Table C-1 Human Factors Competency Matrix ........................................................ 397
Table D-1 Competency standards template – Skill-based task ............................. 415
Table D-2 Competency standards template – Procedure/Rule-based task ......... 417
Table D-3 Competency standards template – Knowledge-based task ................. 418
Table E-1 Application of learning methods to type of performance .................... 420
Table F-1 Situation awareness – behavioral markers for oil and gas industry .... 425
Table G-1 Human Factors Change Checklist ............................................................ 431
Glossary
Accident: An event that can cause (or has caused) significant harm to workers, the
environment, property, and the surrounding community.
Anthropometrics: The science of measuring the size and proportions of the
human body (called anthropometry), especially as applied to the design of
furniture and machines.
Behavioral marker: Non-technical behaviors that can be observed and described.
They refer to a prescribed set of behaviors and are indicative of specific types of
non-technical skills performance (e.g., effective decision-making in emergencies)
within a work environment.
Cognitive overload: A mental state where an individual is unable to process all
the information provided by the system.
Cognitive underload: A mental state when an individual is under-stimulated due
to insufficient workload. This mental state leads to lack of attention.
Competency Assessment: System which allows measuring and documenting
personnel competency. The goal of competency assessment is to identify
problems with employee performance, and to correct these issues before they
affect performance.
Competency: Set of skills and knowledge which enables a person to perform tasks
efficiently, reliably and safely to a defined standard.
Competency Gap: Difference between the current competency level and the
required competency level of an employee.
Competency Management: Method of categorizing and tracking the
development of individual employee competency, allowing an organization to
track progress, and identify future training needs.
Fatigue: Fatigue is a decline in physical and/or mental performance.
Hold Points: Point where change cannot happen until there has been verification
that the prerequisites have been achieved.
Human Error: Intended or unintended human action or inaction that produces an
unintended result. This includes, but is not limited to, actions by designers,
operators, planners/schedulers, maintainers, engineers or managers that may
contribute to or result in accidents [1].
Human Factors: Discipline concerned with designing machines, operations, and
work environments so they match human capabilities, limitations, and needs. This
includes any technical work (engineering, procedure writing, worker training,
worker selection, operations, maintenance, etc.) related to the human interface in
human-machine systems [1].
Human Performance: Measure of an individual’s ability to execute a task
effectively.
Incident: Event, or series of events, resulting in one or more undesirable
consequences, such as harm to people, damage to the environment, or
asset/business losses.
xxiv Human Factors Handbook
Job aid: Specific information or material intended to help workers execute a task
more effectively.
Learning: Acquisition of knowledge or skills through study, experience, or being
taught.
Major accident: Major accident means an occurrence such as a major emission,
fire, or explosion resulting from uncontrolled developments in the course of the
operation of any establishment, and leading to serious danger to human health or
the environment (whether immediate or delayed) inside or outside the
establishment, and involving one or more dangerous substances [2].
Mistake: A decision or judgement that is misguided.
Non-technical skills: The cognitive, social, and personal resource skills that
complement technical skills and contribute to safe and efficient task execution [3].
Performance Influencing Factors (PIFs): Characteristics of the job, the individual
and the organization that influence human performance [4].
Performance standards: Description of how the job is a description of what
(actions/tasks) needs to be taken/executed, how the job must be done
(behaviors/methods) and outcomes/results that will define satisfactory or
acceptable performance.
Psychological safety: The outcome of an open workplace culture where people
are willing to express an opinion, or admit mistakes or unsafe behaviors, without
fear of being embarrassed, rejected, or punished.
Root cause: Fundamental, underlying, system-related reason why an incident
occurred that identifies a correctable failure(s) in management systems. There is
typically more than one root cause for every process safety incident.
Rota: A period of work taken in rotation with other workers (an abbreviation of
rotation).
Rotation: A period of work taken in rotation with other workers.
Shift working (shifts): Work which takes place on a schedule outside traditional
day work hours. It can involve evening or night shifts, early morning shifts, and
rotating shifts.
Training: “Practical instruction in job and task requirements and methods.
Training may be provided in a classroom or at the workplace, and its objectives are
to enable workers to meet some minimum initial performance standards
(minimum required competency level), maintain their proficiency, or to qualify
them for promotion to a more demanding position” [5].
Vigilance decrement: Decline in “the ability to sustain attention and remain alert
to a particular stimulus over a prolonged period of time” [6].
Acronyms
Acronym Meaning
ANP Agência Nacional do Petróleo (Brazil Petroleum Regulator)
BP British Petroleum
CCPS Center for Chemical Process Safety
CK Checklist
CSB Chemical Safety Board
CRM Crew Resource Management
DCS Distributed Control System
DFC Diagnostic Flow Charts
DIF Difficulty, Importance and Frequency Analysis
DOE Department of Energy
DT Decision Tree or Diagnostic Tree
EEMUA Engineering Equipment and Materials Users Association
FCCU Fluidized catalytic cracking unit
GC Grab Card
GUI Graphical User Interface
HIRA Hazard Identification and Risk Analysis
ICAO International Civil Aviation Organization
IChemE Institute of Chemical Engineers
IOGP International Association of Oil and Gas Producers
ISO International Standards Institute
ISOM Isomerization
LEL Lower Explosive Level
LFL Lower Flammability Level
LOPA Layers of Protection Analysis
MDMT Minimum design metal temperature
MEB Material and Energy Balance
MOC Management of Change
NATO North Atlantic Treaty Organization
xxvi Human Factors Handbook
Acronym Meaning
OIM Offshore Installation Manager
OSHA Occupational Safety and Health Agency
PFD Process Flow Diagram
P&ID Piping and Instrumentation Diagrams
PSB Plant Status Boards
PSI Process Safety Information
PSV Pressure Safety Valve
PTW Permit to Work
RBPS Risk Based Process Safety
SCTA Safety Critical Task Analysis
SH Shift Handover
SOP Standard Operating Procedure
SRK Skills, Rule and Knowledge
STAR Stop Think Act and Review
QRA Quantitative Risk Analysis
WI Work Instruction
UK United Kingdom
U.S. United States
Acknowledgements
The American Institute of Chemical Engineers (AIChE) and the Center for Chemical
Process Safety (CCPS) express their gratitude to all the members of the Human
Factors Handbook for Plant Operations Project Team and their member
companies for their generous efforts and technical contributions. The committee
structure for this concept book differs from other CCPS books in that this was a
project done in collaboration with the Energy Institute (EI) and the generous efforts
and technical contributions of the EI Technical Partner and Technical Company
members is also gratefully acknowledged.
The writers from the Human Factors consultancy Greenstreet Berman Ltd are
also acknowledged, especially the principal writers Michael Wright and Dr. Ludmila
Musalova, with additional inputs from David Pennie, Rebecca Canham and
Ninoslava Shah.
Project Team Members

Chris Aiken Cargill, Chair
Eric Freiburger Linde, Vice Chair
Stuart King Energy Institute (EI), Co-Chair
Charles Cowley CCPS Staff Consultant, Project Manager
Sandra Adkins BP
Lee Allford Energy Institute (EI)
Mayara Carbono Ex Ecolab
Carlos Carvalho Petrobras
Erin Collins Jensen Hughes
Ruskin Damani Reliance
Gretel D'Amico Pluspetrol
Joseph Deeb Exxon Mobil (retired)
Alexandre Glitz CCPS Emeritus
Cheryl Grounds CCPS Emeritus
Jeff Hazle Marathon
Gregg Kiihne BASF
Ajay Shah Chevron
Caroline Morais ANP
Andrew Moulder Inter Pipeline
Meg Reese OxyChem
Rob Saunders Shell
Scott Wallace Olin (retired)
xxviii Human Factors Handbook
Gabriela Dutra (ex Braskem), Sahika Korkmaz (ex Chevron) and Josué Eduardo
Maia França (Petrobras) also contributed to certain stages of the project.
Before publication, all CCPS and EI books are subjected to a thorough peer
review process. CCPS and EI gratefully acknowledge the thoughtful comments and
suggestions of the peer reviewers. Their work enhanced the accuracy and clarity
of this concept book. The peer reviewers have provided many constructive
comments and suggestions. They were not asked to endorse this book and were
not shown the final manuscript before its release.
Peer Reviewers
Linda Bellamy White Queen BV
Michelle Brown FMC
Denise Chastain-Knight Exida
Palani Chidambaram DSS
Ed Corbett UK Health and Safety Executive
David Cummings DuPont
Rhona Flin Aberdeen University
Jerry Forest Celanese
Jeff Fox CCPS Emeritus, ex Dow
Osvaldo Fuente Dow
SP Garg GAIL
Zsuzsanna Gynes The Institution of Chemical Engineers
John Herber CCPS Emeritus
Alison Knight 3M
Susan Lee Marathon
Maria Chiara Leva TU Dublin
Keith Mayer Kraton Polymers
Rob Miles Hu-Tech
Chelsea Miller Chevron
Raphael Moura ANP
Cathy Pincus ExxonMobil
Tim Thompson Braskem
Elliot Wolf Chemours
Neal Yeomans Advansix
The affiliations of writers, project team members and peer reviewers were
correct at the time of publication.
Foreword
Humans are resourceful, resilient, innovative, smart creatures. They can also be
error-prone – forgetting to complete a step in a sequence, misunderstanding
instructions, making mistakes in task execution. Disentangling these strengths and
limitations, determining how and why human performance can be both resilient
and fragile is the science of human factors.
The military and aviation sectors were the first to appreciate that the design of
equipment and task environments had to take into account the psychological,
anatomical and physiological capabilities of the human operators. The influential
role of the organizational culture and its component systems on both managers
and workers also became apparent. As the hybrid blend of engineers,
psychologists, designers and other human factors specialists began to coalesce in
the late 1940s, professional human factors and ergonomics societies were formed,
helping to systematize an established body of evidence relating to human factors
science, with a range of accepted methods for investigation and intervention. But
it has taken some time for the value of this approach for the management of
workplace operations to be recognized across industrial sectors.
In the early 1990s, I was working on research projects examining psychological

aspects of offshore safety in the oil and gas industry. These were influenced by
Lord Cullen’s Inquiry reports on the Piper Alpha disaster and included studies of
safety climate, managerial behaviors, emergency response decisions, supervisors’
leadership. It was evident that there was very limited knowledge in this sector of
the factors influencing human performance. So, my colleague Georgina Slaven and
I decided we would edit a book on this subject and submitted a proposal to
PennWell Books. They liked our proposal, but not our title, ’Human Factors in the
Offshore Oil Industry’ as one of their reviewers, an industry expert, had told them
that no-one would know what this meant. Our book was published in 1996 with a
different title that did not use the mysterious term ‘Human Factors’.
More than two decades later, at the time of this book’s publication, awareness
and understanding of the factors influencing human performance in the process
industries has become more active. This volume, one of a series directed by the
Center for Chemical Process Safety, reflects the increased activity in the process
industries. It provides an essential handbook for people on the frontline of plant
operations, helping them apply good human factors principles and knowledge
with practical techniques.
It has been written especially with operations and maintenance supervisors in

mind, since such technical specialists have not traditionally been educated on the
factors influencing human performance during their basic training, and there is
now a vital need to address that pervasive knowledge gap.
xxx Human Factors Handbook
Engineers, process safety practitioners and regulators who wish to gain an

understanding of Human Factors concepts and methods will find much of
immediate practical value.
This book has been written by a combined panel of plant operations

professionals with in-depth knowledge of a wide range of process plants together
with very experienced Human Factors experts. It has then been widely peer-
reviewed, resulting in a comprehensive handbook that is easy to follow. Each of
the 26 chapters contains essential knowledge, presented in a straightforward,
accessible manner and supported by numerous examples to show why the
concepts are relevant in processing industries. A notable feature is the analysis of
major accidents from this sector that reveal where human factors contributed to
failure or recovery during the event.
Practical tools and techniques are provided for each topic area with guidance
for application and more experienced practitioners will discover new ideas for
their portfolio of Human Factors methods.
This valuable handbook is definitely recommended reading for those striving

to improve the safety and efficiency of process plant operations.
Rhona Flin
Professor of Industrial Psychology
Aberdeen Business School
Robert Gordon University
Human Factors Handbook For Process Plant Operations: Improving Process Safety and System
Performance CCPS.
© 2022 CCPS. Published 2022 The American Institute of Chemical Engineers.
Part 1: Concepts, principles, and foundational knowledge

Performance CCPS.
1 Introduction
1.1 What is “Human Factors”?
As illustrated in Figure 1-1, like engineering, Human Factors is a combination of

science, concepts, and principles. Human Factors draws on several scientific
disciplines. These include psychology, ergonomics, anthropometrics, and
physiology. The Human Factors approach uses these disciplines to help people
understand how and why they behave and perform as they do, and how best to
support them to perform tasks. The science adds to the knowledge gained from
operational experience.
Figure 1-1: Human Factors science, concepts and principles

4 Human Factors Handbook
Human Factors also provides a set of principles and concepts that can be used
to guide day-to-day decisions. The decisions focus on how best to support
successful human performance. This approach helps people to understand tasks
from the perspective of the person doing the work and provides ideas on how to
support people to perform better. It advocates an orientation (a way of thinking)
towards making improvements that support human performance and the
prevention of error. It recognizes people’s capabilities and commitment, and it
aims to maximize people’s roles in safe and productive operations, and to build
their ability to cope mentally and emotionally with stressful and demanding tasks,
i.e., psychological resilience.
A short video that presents a Human Factors view for successfully

addressing human performance, titled Being Human, is available as a resource
for “understanding and accepting why, as people, we do what we do, why we
do it, and the way we do it.” [7]
Human Factors covers a very wide range of topics including, training, work
planning, and fatigue. Many of these topics come under existing management
systems, such as the operation of rotating shift schedule systems, and training
systems. Human Factors provides knowledge, tools, and insights that can be
integrated into an organization’s existing systems of work and operational
management, safety assessments, incident investigations, and day-to-day
operational decision-making. In this book, the terms ‘incident’ and ‘accident’ will be
used interchangeably.
1.2 Purpose of this handbook
1.2.1 Purpose and scope
This handbook provides practical advice

and examples of good practice that can be
applied to design, process operations, start-
ups and shut-downs, maintenance, and
emergency response. It is a comprehensive
but simple to understand handbook aimed
at people responsible for the process
operations.
The handbook:
• Provides examples of practical

application, principles, and tools. It
also provides an understanding of
the fundamentals of Human
Factors, so the reader can develop
their own approach.
1. Introduction 5
• Provides an explanation of how people think and behave, why people

make mistakes, and how to help people perform process operational
tasks successfully. This includes how to support human performance
through procedures and job aids, training and learning, effective task
planning, high reliability communications, fatigue risk management,
development of error management skills, and preparing people to
perform emergency response tasks.
• Briefly covers the Human Factors of change management and managing
contractors. It also offers help on how to learn from errors, and how to
use indicators of human performance to improve support to people.
1.2.2 Other guidance
How does this handbook fit with

other guidance documents?
Safety culture, leadership, and

process safety management are
covered in other CCPS publications,
as shown by the book front covers.
Most chemical process businesses
have a set of process safety
management systems in place
already. The advice in this handbook
can be integrated into these process
safety management systems.
Human Factors methods, such as

error analysis and Human Reliability
Assessment, typically applied during
a “Hazard Identification and Risk
Analysis”, are not covered in this
handbook. CCPS books on “Bow Ties
in Risk Management” and “Guidelines
for Integrating Process Safety into
Engineering Projects” are available if
further information is needed. This
handbook does outline forms of
error assessment that can be used by
everyone involved in task planning
and task management.
This handbook can be read in conjunction with other CCPS guidance on safety
culture and process safety management, including:
• Essential Practices for Creating, Strengthening, and Sustaining Process

Safety Culture [8].
• Process Safety Leadership from the Boardroom to the Frontline [9].
• Guidelines for Risk Based Process Safety [5] [10].
• Recognizing and Responding to Normalization of Deviance [11].
• Human Factors Methods for Improving Performance in the Process
Industries [12].
• Investigating Process Safety Incidents [13].
Some of the elements within “Guidelines for Risk Based Process Safety” are
relevant to this handbook. Therefore, they have been referenced at various points
throughout the handbook as additional information where this would be helpful
to the reader.
1.2.3 Who should read this handbook?
This handbook is intended for everyone involved with defining, planning,

instructing, and managing process operations, maintenance, and emergency
response. This includes:
• Frontline supervisors.
• Designers.
• Operations and maintenance managers.
• Plant superintendents.
• Process engineers.
• Project managers.
• Construction managers.
• Process safety and health and safety personnel with the role of coaching
higher-level managers on Human Factors aspects.
The handbook is intended for people who understand process operations and
have some process safety management experience.
1.2.4 A note on language and terminology
The explanation of some topics has been intentionally simplified and phrased in
normal everyday language, rather than in scientific terms. This has been done in
order to make the document more accessible, readable and more usable in the
practical domain, and also with the aim of making it more understandable for an
international audience.
1. Introduction 7
For example, the term ‘mistake’ is used in this book to refer to both mistakes
and other kinds of error, even though human factors specialists commonly
understand the term ‘mistake’ to mean a specific kind of error that is to do with
judgement and decision-making, as distinct from other kinds of error such as ‘slips
and lapses’. The term 'mistake' is used generally in the book, but where specific
types of error are being discussed then the specific appropriate terms are used
where that aids clarity.
A more complete explanation of the traditional terminology of ‘human error’

commonly used by Human Factors specialists is given in Appendix 0.
1.3 Why Human Factors?
1.3.1 Major accidents associated with human performance
Human performance is a factor in

BP's Texas City 2005 refinery almost every major process
explosion: 15 fatalities, 170 injured. accident. The costs of major
The compensation totalled billions of process accidents are well known:
US dollars. Repairs and lost profits major injury, destruction of
cost over US $1billion. facilities, environmental damage,
See section B.1 immense costs, reputational loss,
closure.
In those cases where obvious signs of poor Human Factors were found,
stakeholder confidence in the company was greatly reduced and employee morale
was destroyed.
The United States Chemical Safety and Hazard Investigation Board (CSB)
investigation of the Texas City accident cited that previous accidents have shown
that Human Factors plays a role in industrial accidents [14]. The Texas City event
includes several examples of Human Factors. People had worked without rest for
many weeks or worked excessively long days. In some cases, it was known that
process instrumentation was unreliable or that critical information such as Piping
and Instrumentation Diagrams were out of date, and that training on new control
systems had not been provided.
This kind of evidence greatly undermines stakeholder trust in an organization

and can cause loss of the “license to operate”.
1.3.2 It is more than common sense
Human Factors is more than common sense. People may make mistakes for many
reasons. Many factors influence how people perform. Process operations can be
complex and involve many difficult tasks. Technology is constantly changing.
People who plan work and develop

operating procedures should not be remote
“Work as done”
from the actual task. They need to understand
versus
how the tasks are carried out in the field.
“Work as imagined”
Authors should have a complete knowledge of
the surrounding environment or operational
requirements.
Time constraints and attention demands impact frontline managers and

supervisors. These demands can prevent frontline managers and supervisors from
spending time to understand how people are performing, and what is influencing
their performance. Issues should not be overlooked or considered in a superficial
way.
Businesses must prioritize and balance production, operations, maintenance,

and budget. Human Factors appreciation can direct focus to human performance
support. It can also aid in prioritizing schedule, and managing fatigue and
workloads.
In a dynamic process environment, with many complex tasks and safety critical
operations in flux, a high level of human performance needs to be achieved
systematically. Process safety does not depend on a single person’s view of what
is “common sense”. Recognized and implemented good practice and guidance is
necessary to achieve a high standard of human performance.
Human Factors adds scientific knowledge to help workers achieve high

standards of performance in safety critical process operations. It provides an
insight into how the mind and the body work. It also offers lessons learned from
decades of worldwide experience. Adopting a Human Performance mindset
enables people to understand the context of the work as well as monitor the gap
between ‘work as planned’ versus ‘work as performed’.
1.3.3 The benefit of high performing teams
People diagnose unfamiliar faults. They As a leader, it is

innovate solutions to novel problems. They important to get the
handle unforeseen process upsets. A process best from people and
cannot be designed, operated or maintained be responsible for
without people. A common business mantra is how they do their
"People are the solution, not the problem." work more robustly.
Workers are incredibly adaptable and at the same
time fallible, thus we must ensure systems are error
tolerant to avoid single points of failure where human error can lead to significant
events.
Stakeholders must have confidence that an organization can achieve high

standards of process safety and operational productivity. Human Factors helps to
achieve high performing and reliable teams.
1. Introduction 9
1.4 The structure of this handbook
An overview of the handbook is given in Figure 1-2. The handbook is loosely split
into eight parts. Each Chapter can be read by itself. It is, however, useful to read
Chapters 2 to 4 first.
Part 1 includes Chapters 1, 2, 3, and 4 which provide overarching Human

Factors concepts and knowledge.
The other Chapters can be grouped into Parts around a set of core topics, such
as Part 2 job aids, Part 3 equipment design, Part 4 competence, Part 5 task support,
Part 6 non-technical skills and Part 7 covering working with contractors and
managing change.
Part 8 comprises Chapter 25, which discusses the use of indicators in

recognizing human performance issues, and Chapter 26 covers learning from
error and performance.
Appendix C provides a tabulation of Human Factors skills and knowledge for

operational and frontline supervisors/managers.
Figure 1-2: Overview of the handbook, by chapter
Concepts, principles, and foundational knowledge

2. Human performance and error 3. Options for supporting human performance 4. Supporting human capabilities
Non-technical skills
Procedures and job aids Operational competence Task support
20. Situation awareness and
5. Human performance 10. Human performance and 15. Fatigue and staffing levels
agile thinking
and job aids operational competency 16. Task planning and error
21. Fostering situation
6. Selecting a type of job 11. Determining operational assessment
awareness and agile
aid competency requirements 17. Error management in task
thinking
7. Developing content of 12. Identifying learning planning, preparation, and
22. Human Factors in
a job aid requirements control
emergencies
8. Format and design of 13. Operational competency 18. Capturing, challenging,
job aids development and correcting operational
14. Operational competency error
assessment 19. Communicating
information and
instructions
9. Human Factors in
Equipment design
Recognizing and learning from performance

25. Indicators of human performance 26. Learning from error and human performance
Performance CCPS.
2 Human performance and error
2.1 Learning objectives of this Chapter
Understanding human performance is important to support people to successfully

complete tasks. Understanding human performance will also help people reduce
the likelihood of errors and mistakes. Learning from errors and mistakes is part of
the journey to high performance.
This chapter provides some Human Factors principles that will help people to
reduce the likelihood of errors and mistakes. By the end of this chapter, the reader
should be able to:
• Understand how to proactively and methodically support human

performance,
• Understand the many factors affecting human performance, and
• Understand solutions used to help improve human performance.
These principles will be addressed again in later Chapters.
2.2 An example of successful human performance
2.2.1 What happened?
The “Miracle on the Hudson” happened on January 15, 2009, when a bird strike
occurred shortly after US Airways flight 1549 took off from New York’s LaGuardia
airport [15]. The Airbus struck a flock of Canada geese while on the climb from the
airport. The Captain, Chesley Sullenberger, and First Officer Jeff Skiles decided to
ditch (emergency water landing) the aircraft in the Hudson River, saving all on
board. This famous event was portrayed in a 2016 film (Sully) starring Tom Hanks
as Chesley “Sully” Sullenberger. The successful ditching of an unpowered
passenger airline onto the Hudson River, within six minutes of the bird strike, when
both engines had failed, is an example of skilled and knowledgeable human
performance.
Following the bird strike, a very short period of time was available for the pilots
to determine what had happened, enact a Mayday, determine they could not
return to the airport, decide they had to glide around and find an alternative
landing site (the Hudson River), and identify a new course. They achieved this and
ditched on the Hudson River, after which the 150 passengers and five crew were
rescued by nearby boats and ferries.
The normal procedure for dual engine failure was to attempt to return to the
airport. This turn back to the airport was not possible at the plane’s low altitude. It
was also not possible to complete a “dual engine failure” checklist due to the
limited time available prior to ditching. Simulator training did not cover ditching.
Figure 2-1: “Miracle on the Hudson”
(credit: Greg Lam Pak Ng)
The Captain and First Officer needed to make decisions quickly based on their
knowledge and judgment.
2.2.2 How did they perform successfully?
Despite the popular title of “Miracle on the Hudson”, the successful unpowered
ditching did not happen by luck.
First, airline pilots receive a high level of training in piloting, annual simulator-
based training in handling emergencies, and training in Crew Resource
Management (CRM). CRM provides training in understanding human performance,
interpersonal skills, communications, leadership and decision-making. This
includes maintaining situation awareness and making decisions in high stress
emergencies. The National Transportation Safety Board investigation report
(NTSB, 2010) [15] stated:
“The captain credited the US Airways CRM training for providing him and the
first officer with the skills and tools that they needed to build a team quickly and
open lines of communication, share common goals, and work together.” (p61)
Second, the plane’s “fly by wire” design meant that after the pilot changed
course, the computers adjusted the flight control to maintain plane stability. This
allowed the crew to focus on emergency decision-making. The system design
reduced the crew workload.
Third, having two pilots also allowed them to multi-task as a team and to check
each other’s judgments and actions.
2. Human performance and error 13
2.2.3 The human performance perspective
Directors, managers and supervisors should

High standards of human
create the right environment for successful task
performance are developed
performance. This is sometimes called the
by identifying the demands
“systems” approach to Human Factors. This
of a task and the support
means it is vital to ensure that the system of
that people need.
training, the system of supervision, the rotating
shift schedule system, the system of
communication are all designed to positively support successful task performance.
The “Miracle on the Hudson” shows that with training and experience, people
are able to carry out complex tasks reliably and accurately. With education on how
a system works, people can use their knowledge and experience to quickly come
up with ways to handle new situations. Training in decision-making helps people
make better judgments and decisions, and to act quickly. While the application of
a Human Factors approach can prevent many errors and mistakes, it should
greatly improve human performance and reduce the potential for unrecoverable
errors.
2.3 An example of unsuccessful human performance
2.3.1 Texas City refinery explosion, 2005
In 2005, a major explosion occurred at the BP refinery in Texas City, United States
of America. A summary of the accident is given in B.1 (page 383) and the ‘The B.P.
U.S. Refineries Independent Safety Review Panel’ provides a very detailed report
of this accident [16].
The CSB [14] 2007 investigation report stated people were “set up to fail”. Some
points from the CSB investigation which highlight Human Factors issues include:
• Leadership Decision – The process unit was started despite previously

reported malfunctions of the tower level indicator, level sight glass, and a
pressure control valve.
• Competence – “The hazards of unit start-up, including tower overfill
scenarios, were not adequately covered in operator training…” ([14],
p.91).
• Procedures – “The ISOM raffinate section start-up procedure lacked
sufficient instructions for the Board Operator to safely and successfully
start-up the unit…” ( [14], p.75).
• Interfaces – the readings showing how much liquid raffinate was entering
the ISOM unit and how much was leaving the ISOM unit were on different
screens. This made it harder to spot an imbalance between the input and
output readings (i.e., more input than output), which would have indicated
over-filling.
• Fatigue – “…the CSB concludes that fatigue of the operations personnel

contributed to overfilling the tower” ( [14]
p.289). Several key operational staff had “…numerous latent
worked between 29 and 37 12-hour shifts conditions and safety
in a row. system deficiencies at
• Not enough staff – “…operator staffing the refinery influenced
levels below the numbers required for their (operator) actions
‘safe staffing’. This involves the day-to-day and contributed to the
operation of units with less than the accident…”
minimum numbers of operators
(CSB, 2007, [14] p.69)
required…” ( [14], p.285).
• Supervision – while the start-up shift
started with two supervisors, the experienced supervisor left due to a
family matter, leaving an inexperienced supervisor alone. The remaining
supervisor was busy with several tasks.
• Alarm flood – ISOM operators faced hundreds of alarms going off in a
short time frame. They were not able to assess the situation or warn
others.
There were many factors influencing the operational decisions and actions.
Deficiencies in each of these factors combined to exacerbate operational
problems.
2.3.2 Contributing Human Factors
“You cannot change the human condition, but you can change the conditions in
which people work.” Professor James Reason (Chapter 7, page 96) [17].
A Human Factors principle is that errors and Human error and

mistakes happen because of a combination of mistakes are not the root
problems in the working environment and due to cause of incidents.
the support, or lack of it, offered by the
organization.
It is important to provide a working environment (or set of conditions) that set

people up to succeed throughout the lifespan of an operating facility. Establishing
this working environment / set of conditions should begin in the design of each
new facility. Design should include proper Human Factors design in the layout of
systems and equipment, and process hazard analyses and risk assessments must
include consideration for Human Factors.
A Human Factors principle is that it is vital to ask how and why errors occur.
This includes asking:
• How an individual’s performance is influenced by the conditions they

work in;
• Whether the information and equipment they have been given are
suitable and sufficient;
• Whether the training they have been given is sufficient; and
• How an individual’s performance is influenced by the prevailing culture.
An understanding of human errors and mistakes makes it possible to identify
how to reduce the possibility they occur. Consequently, it enables the
improvement of human performance.
2.3.3 Performance influencing factors and human error
Many factors contribute to an individual or a team making a mistake. These include

the operator’s level of experience, the complexity of a task, the clarity of operating
instructions, the duration of working hours, organizational culture, as well as many
others. These factors are sometimes called Performance Influencing Factors
(PIFs). Some common PIFs are illustrated in Figure 2-2.
Directors, managers and

supervisors should identify which of “Performance Influencing Factors (PIFs)
these factors influence the are the characteristics of the job, the
performance of a particular task. It is individual and the organization that
then possible to create conditions to influence human performance.”
successfully carry out tasks. Later UK Health and Safety Executive [4]
Chapters in this handbook provide
advice on creating these conditions.
Figure 2-2: Performance Influencing Factors
Environment-
related
• Temperature,
humidity,
ventilation
• Noise
Person-related • Lighting Equipment-
• Attitudes & • Space related
behaviors
• Layout
• Training &
• Fit for purpose
experience
• Accessibility
• Capabilities
• Complexity
• Relationships
Performance
influencing factors
Information-
related
Job-related
• Clarity
• Fatigue
• Information
overload • Organizational
Task-related stressors
• Accuracy
• Situational stressors • Workload
• Completeness
• Availability • Distractions
• Multi-tasking
• Complexity
• Time available
• Task frequency/
duration
• Workload
2.4 Key learning points from this Chapter
Key learning points include:
• Errors and mistakes are caused by:

o The environment in which people work; and
o The level or type of support offered to people.
• High standards of human performance are achieved by identifying the
demands of tasks and providing the support needed.
• Understanding diverse performance influencing factors is important to
improving human performance.
• Understanding human errors and mistakes helps to identify how to
reduce likelihood of occurrence, thereby supporting successful human
performance.
Performance CCPS.
3 Options for supporting human performance
3.1 Learning objective of this Chapter
By the end of this chapter, the reader should be able to understand:
• The types of human performance; and

• The concept of matching solutions to the types of performance.
This Chapter provides some key principles for identifying options to support
human performance. The later Chapters provide advice on these options.
In order to support human performance and reduce the potential for errors
and mistakes, it is important to understand the nature of the tasks, the type of
human performance required, and the causes of possible error and mistakes.
A general understanding of human performance can be used when designing

training programs, setting staffing levels, selecting a type of job aid and many other
Human Factors matters.
3.2 Types of human performance
The Skill, Rule and Knowledge-based model (SRK) is a commonly used way of
thinking about how people perform. The idea is that people perform differently
according to the type of task they are doing and their familiarity with the task. The
SRK performance model is shown in Figure 3-1.
This model has been used since the 1980’s to help identify ways to support
people in performing process operations tasks. It was originally proposed by
Professor Jens Rasmussen [18] and further developed by other researchers such
as Professor James Reason [19].
Knowledge based tasks involve a person using their “general knowledge” to

work out what to do. This would be diagnosing a rare fault in a car engine that is
not explained in a manual. Knowledge-based behavior is often necessitated by
uncertainty or novelty in the circumstances at hand. It involves higher cognitive
activities and is fundamentally what most people mean by “thinking”.
Rule based tasks tend to require following a procedure, assessing the situation
(situation awareness), decision-making, and experience related to carrying out the
procedure. An example is identifying a fault in a car engine that is explained in a
manual.
Figure 3-1: The Skill-Rule-Knowledge Performance Model
(adapted from [18])
The words “rule” and “procedure” are not meant to be used literally. A written
procedure may not exist. These words are used to mean the right set of actions
are known in advance of performing a task and it has been determined when these
actions should be performed.
Skill-based performance means people can reliably and quickly perform tasks
with a low level of conscious mental effort, as the actions are so well practiced they
do not require much thought. Steering a car is a typical example. This may also
include being able to gather and understand information very quickly, such as
reading process instrumentation.
A task may involve a combination of these types of performance. For example:
• A control room operator may recognize a high-level alarm in a storage

tank and then check the status of inlet and outlet valves and pumps. This
involves knowledge of the meaning of high-level alarms and the possible
causes of what activated them.
• After identifying the cause of a high-level alarm, the operator may apply
“rules” in the form of a shut-down procedure for inlet valves and pumps.
3. Options for supporting human performance 21
• Quickly carrying out control actions, without using much thought, such as
operating the controls, would use a skill-based performance.
Different tasks will require different levels of each type of performance ability.
Table 3-1 provides definitions and examples.
3.3 Types of human performance, errors and mistakes
3.3.1 Types of human performance and types of errors and mistakes
Different types of errors or mistakes are linked to the three types of human
performance discussed in 3.2.
By identifying the type of errors or mistakes most likely to be made at different

stages of a task or activity, it is possible to put in place support and controls to
prevent or mitigate them. Without this understanding, any interventions made are
less likely to succeed. This is shown in Figure 3-2. The definitions for slips, lapses
and mistake are:
Slips and lapses Mistakes

Slips occur when a person intends to carry Mistakes are judgment and
out the right action, but accidentally does decision-making failures.
it wrong. For example, accidentally They often occur when people do
pressing the wrong button or misreading something wrong, while believing
a number. they have done something right.
Lapses of attention occur when a person This may happen when someone
loses their place in a series of actions (for incorrectly interprets what is
example, steps in a procedure), skipping a happening or selects a wrong
step due to a distraction or a gap in course of action.
memory. The intention is correct and the
knowledge may be right, but one or more
steps are missed.
Table 3-1: SRK types of human performance
Type of human
Definition Examples
performance
Knowledge- When a task is new or complicated, a person will need to • Diagnosing a process upset
based task pay a lot of attention to what they are doing and decide • Working out how to perform a rare
performance what to do based on general knowledge and experience. maintenance task
When the “rules” (actions, decisions and judgments) for a

• Choosing the right maintenance procedure
task are well known, for example, written into a procedure
Rule-based task to fix a faulty pump
or manual.
performance • Remembering the sequence of work for an
Task performance involves remembering and applying
these rules. operations team to follow
When a person can perform a task to a high level of • Pressing an accelerator pedal to maintain
Skill-based
accuracy and reliability with a low level of attention, the steady speed of a chemical road tanker
performance
performance is based on skill. • Applying the right amount of torque to a bolt
Figure 3-2: Human performance modes, errors and mistakes
Type of human
Type of error or mistake Example
performance
Mistake e.g., lack of Unable to understand a

Knowledge based knowledge of process rare process upset
hazards
Mistake e.g., wrong Misinterpret an event and

Rule based apply wrong emergency
procedure selected
response
Forgetting a step in a long

Error – lapse
procedure
Skill based
Accidentally pressing the

Error – slip
wrong button
3.3.2 Example of a knowledge-based mistake
An example of a knowledge-based mistake is

given in
Table 3-2. The example is from an explosion in

1998 at an Australian natural gas plant, resulting
in two fatalities and eight injuries. Gas supplies
to the State of Victoria were cut off for two weeks Reproduced from Victoria
during wintertime [20]. Government [20].
Table 3-2: Case study example of a knowledge-based mistake
Event Esso Longford gas plant explosion 1998
A pump supplying heated lean oil to a heat exchanger

stopped because of an increase in flow from a gas field. The
increase in flow had caused an overflow of condensate in an
absorber. The heat exchanger became very cold, with ice
What forming on it. A decision was made to continue pumping
happened? heated lean oil into the exchanger to melt it. The difference in
temperature between the heat exchanger and the lean oil
caused a brittle fracture of the heat exchanger. The heat
exchanger fractured, resulting in the release and ignition of
vapor.
Neither the operators nor the supervisors recognized the
A mistake hazards of the plant conditions. This resulted in the explosion
and the fire.
“…the instruction given to operators failed in arming them to
recognize the significance of cold temperatures.”
The training did not provide knowledge of the brittle fracture
hazards associated with loss of lean oil flow, uncontrolled flow
of condensate into the rich oil stream, or critical operating
The causes
temperatures for the heat exchangers. The procedures did not
cover the loss of lean oil or how to deal with such an event.
Engineers had also been relocated away from the site prior to
the accident. They were no longer available to provide on-site
support.
Further The Esso Longford gas plant accident. Report of the Longford
reading Royal Commission. June 1999 [20]
3.3.3 Common causes of knowledge-based mistakes
Some common causes of mistakes and some tips on potential solutions in

knowledge-based tasks follow.
3.3.3.1 Lack of knowledge
A knowledge-based task, such as diagnosing a rare process upset, may fail due to
a lack of knowledge of the process or a lack of familiarity with the rare event. The
likelihood of this failure may be greater if training focused on how to carry out the
procedure (procedural instruction) and did not provide detailed knowledge of
what is happening during the process (the underpinning knowledge of the
process).
It is also possible the people with the knowledge may not be available when
they are needed. For example, if senior engineers only work on day shifts, and
night shifts rely on operators; or if specialist engineers work from a central shared
facility or from a remote location.
Ensuring operators, engineers and other staff and contractors have an

opportunity to gain knowledge in advance and are available to support one
another will help set them up for success.
3.3.3.2 Lack of information
Information should be available and accurate to allow people to use their

knowledge. For example, to help a person properly understand a process upset,
they should have full and immediate access to complete information about flow,
levels, pressure and temperature as well as the valve positions.
Similarly, if a person needs to work out how to isolate a unit during an

emergency, they should have easy access to accurate Piping and Instrumentation
Diagrams (P&IDs).
Ensuring process safety information, such as P&IDs, are accurate and available
will help people understand what is happening and make correct decisions.
3.3.3.3 Information overload
Too much information may make it harder for someone to understand an event
and to use their knowledge, especially if it includes unimportant or irrelevant
information.
Designing control information and alarms such that their intents, priorities, and
relationships are clear can set up the operator for success.
3.3.3.4 Lack of time
Time is needed to process information, consider the information and put together
an opinion. If the time to perform the task is short, this may not allow someone to
develop an opinion, especially if it is a complicated matter.
Some options for helping people include, having more people available to
assess the information, simplifying the task such as by prioritizing shut down
actions, adjusting alarm set points to increase operator response time, or
simplifying the information.
3.3.3.5 Fatigue and stress
As with all tasks, tiredness (fatigue) and situation or organizational stress can make
it harder for a person to think or to remember what they know. Being interrupted
or distracted from a task, can also take attention away from decision-making.
Shift systems and staffing levels should be designed to avoid fatigue. Having
sufficient staff to enable the management of overtime for shift workers reduces
the likelihood that fatigue will affect performance. Task design and workspace
design should minimize distractions.
Another fatigue-fighting technique is to restrict the amount of overtime a

worker can have in a given time period.
3.3.4 An example of a rule-based mistake
An example of a rule-based mistake is

given in Table 3-3. This involved the
wrong choice of emergency response
actions.
In 2004, five fatalities and two

serious injuries occurred when an
explosion occurred in a polyvinyl
chloride (PVC) production unit at
Formosa Plastics in Illiopolis, Illinois,
U.S. [21]. The reactor area and the
warehouse next door to it were mostly (Reproduced from CSB [21])
destroyed.
Table 3-3: Example of a rule-based mistake
Event Formosa Plastics Vinyl Chloride Monomer Explosion

The operator was going to drain a flush out of the reactor to
prepare for cleaning it. The reactors spanned two levels of
the process area, with the bottom valve controls on the
lower level. An operator walked downstairs and mistakenly
went to the wrong reactor. Because the reactor still
contained highly hazardous material (Vinyl Chloride
What Monomer), the bottom outlet valve was interlocked closed.
happened? The operator used an emergency air supply to force open
the outlet valve on the active reactor. This allowed the Vinyl
Chloride Monomer to escape from the vessel. A cloud of
Vinyl Chloride Monomer spread across the floor. The
supervisor ran downstairs to investigate, then returned
upstairs to try to reduce the speed of the released chemical.
The monomer was ignited, causing an explosion.
The bottom outlet from the vinyl chloride reactor vessel was
mistakenly opened by an operator. The supervisor tried to
lower the pressure in the vessel to slow down the release of
A mistake the chemical, by ordering operators to open valves.
He did not command an immediate evacuation of the unit.
The flammable gas exploded, killing five people, seriously
injuring two and destroying the unit.
The investigation found that staff had not been trained
Causes properly to order an immediate evacuation, which could
have saved lives.
Further
U.S. Chemical Safety and Hazard Investigation Board. Vinyl
reading and
Chloride monomer explosion. [21]
video
3.3.5 Common causes of rule-based mistakes
Rule-based mistakes often involve misunderstanding of what is happening and/or

making the wrong decision about what to do next. Common causes of rule-based
mistakes are:
3.3.5.1 Missing, confusing or incomplete procedures
If the task is infrequent or must be performed quickly, a person may rely too much
on their knowledge to make decisions or judgments or they may quickly improvise
plans of action, instead of recalling instructions and procedures. A person may
incorrectly assume that the task can be done in the same way as a similar task, or
they may not know what the correct task steps are.
If a task and its procedures are complicated or confusing, a mistake may be

made in reading and understanding those instructions. A common failing is for an
organization to provide detailed written instructions that are hard to understand
and remember, when it would be better to use a simple diagram with notes or a
short set of clearer and better laid out instructions.
Procedures should be practical and easy to read. They should be tested by

using ‘real time walk-throughs’. Procedures should also be written with input from
the users to ensure that the "work-as-performed" in the field matches "work-as-
planned" in the procedures. Gaps in written instructions can take a user from rule-
based to knowledge-based performance mode (i.e., troubleshooting) which has a
higher rate of error.
3.3.5.2 Incomplete information
To make a correct choice between two options, it is important to have complete

and accurate information available. This may be process instrumentation, a
diagnostic read out, or a verbal report on a fault. If accurate and complete
information is not available, a person may misunderstand the situation or decide
to take the wrong actions.
As with knowledge-based tasks, too much information, not enough time,

tiredness, stress, distractions and interruptions can cause error. To set up people
for success, analyze the task, understand their information needs and ensure
these are met. Interfaces should be commissioned to check that information is
complete and easy to read.
3.3.6 An example of a skill-based error
Even when an individual has the right knowledge, skills, and experience to do a
task properly errors can still occur. Skill-based errors tend to occur during highly
routine activities, when attention is diverted from a task, either by thoughts or
external factors. Table 3-4 provides an example of a skill-based error, in this case,
a lapse. The example comes from the same accident in section 3.3.4, the Formosa
Plastics Vinyl Chloride Monomer Explosion in 2004 [21].
Table 3-4: Example of skill-based human error in a major accident

Event Formosa Plastics Vinyl Chloride Explosion, 2004
The operator (probably) became disoriented when going
The error down a staircase and went in the wrong direction to the
wrong set of vessels.
Sensory disorientation (confusion about direction) created
by the design of the facility. There were no signs on the
lower floor to indicate direction. While the vessels had
Causes
labels showing their numbers, the numbered vessels to
the left and right were identical in terms of color, shape
and positions.
Further reading U.S. Chemical Safety and Hazard Investigation Board. Vinyl
and video Chloride monomer explosion. [21]
3.3.7 Common causes of skill-based errors (slips and lapses)
During skill-based tasks, people pay less attention to what they are doing, because
they are skilled and can perform the task without focused thought. As such,
attention can lapse even without distractions or interruptions, causing a person to
leave out or skip a step, or to make a slip without noticing. If they have not had
sufficient time or experience to practice an infrequent task, they may not be able
to perform it reliably and accurately.
Even an experienced and capable person may suffer a lapse due to:
• Being interrupted or distracted.

• Feeling tired, overloaded or fatigued, so it is harder to focus.
• Feeling the stress of the task, other stress at work or non-work stress
(e.g., problems at home), which makes it harder to focus.
• Carrying out a boring task, which can cause a drop in motivation and
attention.
• Environmental conditions such as heat, cold, noise, etc.
The design of the task can contribute to error, for example:
• If the task is long, it is easy for a person to forget their place in the task
and/or forget the sub-steps to be carried out, especially where there are
no job aids. A person has to accurately remember everything.
• If two tasks are very similar or use similar equipment, a person may
carry out the wrong actions accidentally and without knowing.
• If a task is repetitive, it is easy to miss a step.
• If a task is not carried out very often, it is harder to be accurate and
reliable, as it is not as well practiced.
The design of equipment and the work environment can also create lapses. For
example:
• If two similar controls are close to one another, the wrong control may
be used.
• In a noisy environment, or if heavy respiratory protection must be used,
verbal communication may be misheard.
• Information displays can be confusing and hard to read.
To set people up to successfully perform skill-based tasks, a workplace free of

distractions, high levels of task practice, easy to read displays and intuitive controls
are required along with rest breaks and well-designed shift systems.
3.4 Selecting options for supporting human performance
3.4.1 Common needs
All types of human performance are dependent on

operating conditions allowing operators to think, and apply See Chapter 15
for more
their skills and knowledge. Preventing fatigue, and assuring
information on
manageable workload and adequate time to perform tasks
fatigue & staffing
will enable people to think clearly and apply their skills.
Staffing levels, shift systems and workloads should be designed to avoid overload.
Controls and instrumentation should be intuitive, comprehensive and accurate.
The work environment must allow people to See Chapter 16

concentrate. People should be able to think without for more
distraction or interruption. This requires tasks and team information on
roles to be designed to allow people to use their knowledge. task planning.
3.4.2 Supporting knowledge and rule-based performance
The types of support for knowledge-based and rule-based tasks are similar. These
are shown in Figure 3-3 and summarized next.
3.4.2.1 Knowledge
Process knowledge can come from education and training,

See Chapter 13
such as through studying for an engineering qualification. for more
It can also come from work experience, for example facility information on
specific instruction, scheduled training and experience. training.
It is important to understand the process and its

hazards, and how operation of the plant impacts the risks. This knowledge can
help people better understand unexpected or unusual events and make good
decisions about how to manage these events.
Figure 3-3: Strategies for knowledge and rule-based human performance
Information, Diagnostic,
Education in
schematics, communication &
process, system,
decision-making decision-making
faults & hazards
aids & procedures skills
Teamwork, shared
Task & team situation
Workload &
design awareness, co-
fatigue
(distractions & ordination, clear
management
interruptions) roles &
responsibilities
When a process is changed, knowledge can become outdated. Knowledge of

process operations and hazards should be kept current by updating both process
documentation and training. This should be ensured by a Management of Change
procedure as noted in the CCPS “Guidelines for Risk Based Process Safety” [5].
3.4.2.2 Job aids
Up-to-date procedures and job aids can show the See Chapters 5,
circumstances and conditions where a sequence of actions 1, 7, and 8 for
should be used – it will also outline what these actions are. A more
logical step-by-step guide or list of clear instructions can help information on
with understanding and carrying out these actions, especially job aids.
when a person has had previous training and experience.
These should be designed to be practical and meaningful to operators as noted in
the CCPS “Guidelines for Risk Based Process Safety” as per the Operating
Procedures element [5].
3.4.2.3 Training and experience
Training and operational experience can help people See Chapters 10, 11,
12, 13 and 14 for more
to remember and use their process and procedural
information on training
knowledge. This is part of the ‘Training and and performance
Performance Assurance’ element of the CCPS assessment.
“Guidelines for Risk Based Process Safety” [5].
3.4.2.4 Operational information
To be able to use their knowledge and procedures, a person should have real time
information on the process operations. Accurate and complete information should
be available to help operators correctly assess a situation and choose an
appropriate procedure or action. This can include
See Chapters 5 - 9 for
information from process indicators, labelling, visual more information on
inspection of processes, schematics such as Piping and job aids.
Instrumentation diagrams, equipment labels, and
decision-making aids such as diagnostic flow charts.
This is part of the ‘Process Knowledge Management” element of the CCPS
“Guidelines for Risk Based Process Safety” [5].
3.4.2.5 Non-technical skills
Knowledge and rule-based performance involves using non-technical skills such as

decision-making, communication and diagnosis. These
See Chapters 20 and
can be supported by training, experience and exercises.
21 for more
People also should have the confidence to make decisions. information on non-
This can be created and enabled through clearly stated technical skills.
roles and empowerment. This is part of the ‘Conduct of
Operations” element of the CCPS “Guidelines for Risk Based Process Safety [5]”.
3.4.2.6 Teamwork
Many tasks involve sharing knowledge and decision-

See Chapter 22 for
making. This requires effective teamwork. A blame free more information
and open culture of co-operation and teamwork skills on effective
need to be developed through a supportive team culture teamwork.
and training in effective teamwork. This is part of the
‘Process Safety Culture’ element of the CCPS “Guidelines for Risk Based Process
Safety [5]”.
3.4.3 Supporting skill-based performance
Figure 3-4 shows ways of supporting skill-based performance.
Skilled performance is developed through a combination

of instruction and task repetition – training and experience. See Chapter 13
Staff should be given enough opportunity to practice and for more
acquire task skills. This is sometimes called the “learning information on
curve”, where a person needs to practice a task many times skills
in order to become skilled in it.
Figure 3-4: Supporting skill-based performance
Skill
development, Procedures,
Task planning &
instruction & instructions &
checking
operational memory aids
experience
Task,
Workload & environment & Controls &
fatigue team design instrumentation
management (distractions & design
interruptions)
Procedures, instructions and job aids can all help people See Chapter 22
remember the correct steps and check their progress (which for more
steps they have done) when working on long and complex information on
tasks. Double-checking and peer checking task completion task verification.
can help people spot and correct slips and lapses.
See Chapter 16
Attention can decline when carrying out skill-based tasks
for more
and people can be distracted. Tasks and working information on
environments should be designed to help minimize task planning.
interruptions, which helps to minimize distractions.
Controls and equipment can be designed to help avoid See Chapter 9 for
skill-based slips, such as placing the most frequently used more information
controls closer to the operator and ensuring information on equipment
displays are readable. design.
Supporting successful human performance and reducing the possibility of error

and mistakes can be achieved by understanding the nature of the tasks, the type
of human performance required and the causes of potential error and mistakes,
and then designing the work environment taking these points into account.
It is vital to create the conditions for successful task performance. In

addition, key learning points include:
• Each type of human performance is related to different types of error

and mistakes.
• Each type of human performance may benefit from a different form of
support.
Performance CCPS.
4 Supporting human capabilities
Whether someone performs well or makes an error or mistake, can be influenced

by how a person receives, processes and acts on information to make decisions.
The elements of human performance that are most relevant to process operations
are provided in this Chapter.
The Human Factors view is that people have a range of capabilities. By

understanding people’s capabilities, ways of thinking and limitations, it is possible
to design work to maximize human performance and minimize the potential for
errors and mistakes. It may also be possible to train people to be more aware of
how mistakes could be made. This would help people to recognize the risks or
precursors to error and give people the time and ability to prevent these mistakes
from happening.
These human capabilities apply to the skill-based, rule-based and knowledge-

based model of human performance explained in Chapters 2 and 3.
4.2 Attention
4.2.1 Attention and human performance
Everyone is surrounded by large amounts of

information. People can pay attention to only Attention may be captured by a
a part of this information. To think and make strong event, which may either
decisions, they should pay attention only to focus someone onto a key
the information necessary to perform a matter or distract from more
specific task. For example, when driving a important matters.
vehicle, they pay attention only to selected
information such as road conditions, obstacles on the road ahead, etc., and not to
activities taking place in the distance. This is known as paying “selective” attention.
Selective attention aids task performance by avoiding an overload of senses

and therefore the mind’s ability to process information and think. However, it may
also cause people to overlook key information and to only think of some of the
actions needed.
At times of high workload, important information may not be seen even if a

person is looking directly at it or sounds and verbal messages may be ignored
despite being loud enough to hear.
4.2.2 Supporting attention – where to find more information
Successful selective attention can be supported by methods such as:
• Minimize distractions.
• Minimize late information.
• Training to recognize deviations and drift.
• Developing cognitive skills to be aware of personal tendencies and drift.
• Training staff to focus on relevant information (Chapter 13).
• Avoiding alarm overload by alarm prioritization.
• Developing psychological skills (Chapters 21 and 22).
4.3 Vigilance
4.3.1 Vigilance and performance
Vigilance is the ability to keep watch for

possible danger. An example of vigilance is Vigilance can decline within
monitoring the level in a storage tank while it 15 minutes, especially in an
is being filled, to ensure it is not overfilled or unstimulating and uneventful
monitoring process control screens looking for work environment.
a spike in temperature or pressure. Other
examples include confined space attendants
and fire watchers.
Figure 4-1: Typical vigilance
In the absence of stimulation, attention decrement
may be limited to tens of minutes. An
absence of stimulation would include a
long period of time where someone has to
pay attention (remain vigilant) without
performing any actions. The experience of
the mind wandering, where vigilance
begins to decrease, is known as a “vigilance
decrement”. Attentiveness, the ability to
fully pay attention, is likely to decline the
longer a person is required to be vigilant. A
typical vigilance decrement is shown in
Figure 4-1 (adapted from [22]). (adapted from [22]
4. Supporting human capabilities 37
4.3.2 Supporting vigilance
Task design and easy to read instrumentation (at eye level and See Chapter 16
center of visual field) helps to ensure high levels of vigilance. for more
This includes designing tasks so that operators are not information on
required to remain vigilant for long periods without a break. task planning.
4.4 Memory
4.4.1 Memory and performance
The human memory system is made up of several parts, including:
• Sensory memory – a very short-term memory, less than a second or so.

It comprises the senses i.e., visual, auditory, taste, touch, smell or
proprioception. Proprioception is how someone knows where their body
is in relation to the environment, e.g., a person knowing how close they
are to a chair, or whether they’re lying down or upright.
• Working memory – a short-term memory of a small amount of
information (four or five items), such as a memory of a 5-digit number or
a short shopping list.
• Long-term memory – a large capacity to memorize information for a
very long time, such as remembering instructions from five years ago on
how to perform a task.
Age can affect aspects of memory; such

Anything that limits the
that older people have poorer prospective
formation and recall of
memory (of things they need to do). Stress and
memories, such as recalling
fatigue can prevent new memories forming
which valves isolate a heat
and damage the ability to learn.
exchanger, will affect
The ability to recognize something, or performance.
remember information, knowledge and skills
are influenced by a range of factors, including:
• Whether a person can focus on one task or their attention is split

amongst other tasks, or diverted by alarms, verbal messages or other
events.
• The amount of information to be recalled, with most people able to
remember 7+/- 2 items of information in their short term memory [23].
• The ability to organize memories in some way and trigger their recall,
such as using mnemonics and acrostics – words that trigger recollection
of a sentence. For example, STAR for Stop Think Act and Review.
• Repetition of a task aids memory and subsequent ease of recollection –

sometimes termed “over learning”.
• “Chunking” information into a smaller set of items to recall.
• Meaningfulness of learned information.
• Stress and fatigue.
4.4.2 Supporting memory – where to find more information
Carrying out long, occasional or complex tasks can be helped by using procedures
and job aids, and by clear task organization, as discussed in Chapters 5 - 8. These
methods can reduce reliance on memory to remember the right procedure and
the sequence of actions to be taken, therefore reducing the risk of mistakes.
4.5 Cognitive capacity
4.5.1 Cognitive capacity and human performance
Cognition is how a person uses their mind to gain knowledge and understanding.
Cognitive capacity is the amount of information, decisions and judgments a person
can hold and process in their mind at any one moment.
Cognitive overload happens when the amount of Even the most

information, judgments, decisions and/or actions capable person can
required within a period of time is more than the mind experience
can handle. In this situation people may manage overload cognitive overload.
by:
• Making decisions without considering all the relevant information.

• Focusing on just one task.
• Switching from one task to another task, without completing the other
task.
These strategies intend to focus on enough relevant information to make
decisions. However, these strategies can cause the person or team to stop noticing
what is going on around them – by focusing on one thing only or even switching to
“panic mode”, where they are no longer able to think calmly and logically. They
may miss important information or miss certain important tasks.
Cognitive overload can affect all forms of skill-based, rule-based and

knowledge-based performance.
4.5.2 Supporting cognition – where to find more information – related Chapters
Chapter 15 discusses how to make sure that the right number of people are
available for a task. It also explores “real time” systems for managing fatigue, i.e.,
helping to spot tired people at work. Changes in staffing levels, shift systems and
workloads should be managed, as covered in Chapter 15.
Abnormal or emergency operations require a high level of psychological skills,

including decision-making under stress and maintaining situation awareness.
Process operators often require a combination of knowledge, procedural skills and
psychomotor skills. Psychomotor skills are physical skills such as applying pressure
to an accelerator. Chapter 24 explores the Human Factors of helping to prepare
people to handle abnormal and emergency operations.
4.6 Cognitive heuristics/biases
4.6.1 Cognitive heuristics and performance
In order to help process large amounts of complex information and make

decisions faster, people tend to use mental shortcuts known as “rules of thumb”
or “cognitive heuristics”. Mental shortcuts are a pattern of thinking, like a “go to”
way of making decisions. The brain uses “shortcuts” to make fast decisions. These
are often subconscious and habitual ways of thinking. They are often correct.
These rules of thumb are often based on

Cognitive heuristics help
past similar experience. An example of a “rule
people to make quick and
of thumb” is that “rust thickness is more or less
sensible judgments and
10 times the amount of steel lost (that has now
decisions, even when
been transformed into rust)”.
information is missing or not
These “short cuts” help people simplify the available.
process of making sense of complex But they can also cause
information. mistakes.
Cognitive heuristics are relevant to rule-

based and knowledge-based human performance, especially when making sense
of events, forming judgments and making decisions.
In addition, if a person must complete a complicated task in a short period of

time, they may carry out the task by paying attention to enough but not all of the
information available and consider enough but not all of the possibilities. This
allows a “satisfactory” or “good enough” decision to be made in the time available.
As previously noted, people may not be able to pay attention to all of the
information, so selective attention may be necessary.
Although cognitive heuristics are useful and important ways to make decisions,
these “rules of thumb” can also cause mistakes. By taking a short cut when making
a judgment, some information will be missed, which means the right option may
not be considered. This may be even more likely if a person feels they are under
time pressure or are feeling fatigued, demotivated or bored.
However, they can have a negative impact on judgment, thinking and decision-
making. In a safety critical setting, it is vital to recognize the potential for these
mental shortcuts becoming inaccurate bias and to correct this.
Examples of cognitive bias are as follows:
Confirmation bias
Authority bias
• After a person identifies a possible
• An operator has too much
cause of a process upset, he/she then
confidence in the opinion of those
looks for information to support their
in authority, while not trusting their
opinion, while ignoring information
own feelings.
that suggests a different cause.
• The person goes with their original
• The person goes with a senior
engineer’s decision despite feeling
opinion, despite some information
that the judgment is wrong.
suggesting they are wrong.
4.6.2 Supporting cognition – where to find more information
People can develop and effectively apply their cognitive skills by use of
techniques such as “20 second scans”. People are trained and directed to pause
before starting a task and to scan the work site to identify anything unusual or
unexpected. They should then think whether it is safe to start work or do they
need to seek help or change their plan of action. This pause reduces the
possibility of “task focus” and reduces the possibility that a wish to “get the job
done” causes someone to not see unexpected hazards.
Chapters 16 and 17 cover how to identify tasks that may be prone to error and
how to pre-empt these errors. Chapter 18 looks at ways to help people develop
non-technical skills and detect errors and mistakes made by other people.
Cognitive performance can also be aided by developing individual

psychological skills, such as situation awareness. More information can be found
in Chapters 20 and 21. Chapter 21, Section 21.5 explores how to develop self-
awareness and a quick-thinking response to task performance.
• It is important to understand the demands of tasks and human

capabilities to know how best to aid human performance.
• Key human capabilities include the ability to:
o Be attentive
o Be vigilant
o Remember (Memory)
o Recognize and process information (Cognitive)
o Think and make decisions
Performance CCPS.
Part 2: Procedures and job aids

Performance CCPS.
5 Human performance and job aids
Job aids include things like instructions, checklists, procedures and information. By
the end of this chapter, the reader should be able to understand the:
• Role that job aids and procedures play in enhancing human

performance and preventing error.
• Attributes of effective job aids.
• The Human Factor aspects of producing effective job aids.
Read this Chapter with reference to CCPS “Guidelines for Risk Based Process Safety”
[24]. This Chapter and Chapters 1, 7 and 8 build on the “Operating procedures” and
“Process Safety Knowledge” CCPS elements by providing additional insights and
advice on the Human Factors of procedures and job aids.
The CCPS 1996 book “Guidelines for Writing Effective Operating and
Maintenance Procedures” [25] also provides sample formats and checklists, and
advice on job aids.
5.2 An example of a major accident
5.2.1 Bayer Crop Science plant in West Virginia U.S., 2008
Failures with procedures have contributed to significant disasters. One example

reported by the United States Chemical Safety Board (CSB) was a large explosion
which led to fatality of two workers at the Bayer Crop Science plant in West Virginia,
USA in 2008 [26]. The accident is summarized in B.2 (page 385 ).
Like many events, the Bayer explosion had multiple causes. Some causes were
associated with new or non-operating equipment. However, other causes were
clearly related to Human Factors.
Some of the system and Human Factors follow:
• Bayer had upgraded the computer control system for the unit, installing
a new Distributed Control System (DCS).
• The DCS had slower response times.
• DCS displays were hard to navigate, as operators had to switch between
screens to complete tasks. In addition, only one process variable could
be changed at a time.
• Operators were not properly trained on the new equipment. The

operating manual for the DCS did not correspond with the steps
required to run the control system. Formal training was not completed.
Operators’ on-the-job informal training was inconsistent and incomplete.
• The operating procedures were out of date and did not adequately
address all process equipment start-up and normal operating steps.
• The operators were using unapproved incomplete Standard Operating
Procedures (SOPs). These SOPs did not contain details on how to
operate the new DCS.
• In addition, the SOPs were 1,000 pages long. They contained more
content than the previous operating instructions. They included
additional and unnecessary information such as a change procedure,
and 400 pages of instructions for the previous operating system.
• The SOPs were only available electronically. Individual pages had to be
printed, making it hard to access the SOPs.
• Operators considered the SOPs unnecessary as they felt they
understood the system. The CSB considered that SOPs were needed for
infrequent and complex tasks such as start-up after a major upgrade,
noting that many errors occurred during this start-up.
• The lack of job aids (i.e., useable procedures) and failure to use available
job aids significantly contributed to this incident.
• It was also noted that time pressure, fatigue, routine non-compliance of
procedures and ineffective supervision played a role.
5.3 The role of job aids in supporting human performance
Job aids provide people with the necessary information and knowledge to perform
tasks. They help people perform tasks in a “rule based” mode of human
performance rather than having to rely on their general knowledge. Procedures
and instructions can help to ensure all members of a team have a consistent and
shared view of how to perform a task. This supports effective teamwork and
adoption of a safe way of performing tasks.
5. Human performance and job aids 47
Job aids also minimize the potential for error. This is because:
• Operators often require

instruction on the correct way “Developing, documenting, and
to operate a system. If the maintaining process knowledge
system is changed, they need is one of two elements in the
updated instructions and Understanding Hazards and Risk
information to help them to Pillar.”
correctly operate the changed ”Documented, current, and
system. accurate operating procedures
• Process safety requirements help ensure that each shift team
(i.e., operating within specific operates the process in a
parameters, such as pressure, consistent, safe manner.”
temperature, flow rate and CCPS “Guidelines for Risk Based
material composition) are Process Safety” [5]
accurately communicated to
operators.
• Job aids can help people to
remember steps in long or repetitive tasks where it can otherwise be easy
to forget or unintentionally skip steps, especially if the task is complex,
time pressured, performed less frequently and where a risk of distraction
or fatigue is present.
• Job aids can specify critical steps which are actions, or inactions, that are
irreversible and if performed incorrectly can result in significant harm.
Several human performance tools are at the disposal of personnel when
executing critical tasks, including the work planning, STAR method, and
three-way communication.
• Job aids can indicate safety critical task steps that should be double-
checked or independently verified, helping to spot and/or recover from
errors.
• Job aids can include “Hold Points”, where work is paused and checked.
This can help snap a person out of “fast brain mode” (where someone is
skillfully performing a task with little conscious thought), and allows them
and others to double check their work with a pair of “cold eyes” (fresh
eyes).
• Stressful situations, such as emergency response, can reduce the ability
to think clearly and accurately (limiting cognitive capacity). In these
conditions, job aids can reduce the demand placed on memory and
cognitive capacity (information processing and decision-making) and help
to ensure successful task performance.
Decision trees, alarm response procedure, manuals, process flow diagrams

and other process information can help people to understand how equipment and
systems work, what the hazards are, how to operate safely and what can lead to
accidents. This is especially important for emergency or unplanned events and

novel situations where no set rules or no previously agreed course of action exist.
These references can also help people write operating and maintenance
procedures and instructions.
It is important to note that the provision of job aids is not an

alternative to training. It is not feasible for people to develop
knowledge and skills just by reading procedures. Training, job
aids and having a defined safe way of performing tasks work
together to support successful task performance.
Be aware, that the dissemination of too many job aids and written procedures,
can create risks including:
• Operators may be unable to navigate through or be able to identify the

relevant aids for the work at hand,
• Operators may develop a perception that the volume of procedures is
excessive and unrealistic, and
• Operators may develop an excessive reliance on procedures instead of
thinking and applying their knowledge and judgement.
There may be situations, such as emergency response and process upsets,

where actions cannot be defined in detail due to the number of potential events
and complexity of responses.
5.4 Approach to developing effective job aids
5.4.1 Attributes of effective job aids
The attributes of effective job aids include:

1. Fit for purpose
2. Valid specification of a safe operating procedure
3. Practical and easy to use
4. Intuitive
5. Unambiguous and succinct
6. Accepted by users
7. Up to date
More information can be found in the CCPS Guidelines for Writing Effective
Operating and Maintenance Procedure [25].
Fit for purpose

The type of job aid selected should be the most appropriate way to
communicate the information and advice it provides. It should match task
demands. For example, a manual can provide an understanding of a process, while
a “grab card” may provide brief reminders of emergency actions in times of limited
response. A flow chart may communicate how to decide on an emergency
response better than a long-written explanation. An annotated picture may help

users understand a process.
Section 8.5 shows how pictorial information can help. This is part of “Good
Human Factors Guidance” in Figure 5-1. Figure 5-1 advises a match of task
demands to a suitable type of job aid. In some cases, a job aid may not be needed,
such as for low risk tasks.
Valid content
The instructions and information in a job aid are important. Some ways to
decide what information is needed include Hazard Identification and Risk Analysis
(HIRA), task analysis, and task walk-through. It is important to not only include the
end user, but to involve them in the authoring and writing process to ensure they
are feasible, useful, and can be understood. If job aid is inaccurate or poorly
reflects task, personnel are less likely to use procedure.
Procedures and other job aids should show how

See sections 7.2 and 7.3
a task is actually done to ensure that procedures are for advice on using HIRA,
accepted by people carrying out these tasks. task analysis and task
walkthrough (shown in
Job aids should be technically validated and
Figure 5-1.)
approved by authorized persons, such as engineers
and process safety specialists.
Practical, intuitive and easy to use

The drafting of a job aid should apply Human
See section 8.4 on Human
Factors guidance to layout and format (see Chapter
Factors of instructional
8). Job aids should be easy to navigate. Key language (also “Good
information such as warnings, cautions, and safety Human Factors” in Figure
critical actions should be obvious. 5-1.)
Unambiguous and succinct

Language should be consistent, unambiguous and succinct. This means it must
be clear and have no other possible meanings. Any text should also be as short as
possible. The procedure should be written at an education level commensurate
with the least qualified individual who would perform the task. Flesch-Kincaid [27]
readability test is a common metric to use for procedures. It is also important to
maintain simple/clear language due to global audiences and to understand that
the first language spoken by a worker may not be English.
Accepted by users
The approach to developing job aids should ensure that users accept that:
• They provide the correct and best way of performing the task.
• It is necessary to follow the procedure to safely operate and maintain
process operations.
This requires engagement with those people who are expected to use the job
aids. This is the user consultation step in Figure 5-1.
Supervisors, managers, and other staff should routinely verify in the field that
job aids and procedures are practicable and can be used as intended. Infrequent
and inconsistent verification can lead to large discrepancies between what
supervisors and managers think is occurring within the operation and what is
actually being practiced by the workers in the field.
Up to date
All job aids should be kept up to date with changes in processes, equipment,
risk analyses, and legislation or regulations to ensure an efficient and safe
sequence of actions. All outdated job aids must be removed from the work place
to avoid confusion. This is a requirement of the CCPS “Guidelines for Risk Based
Process Safety” Management of Change element [5].
Safety culture
The underlying culture of the organization should promote and reward the use
of job aids and procedures. The CCPS guide “Process Safety Leadership from the
Boardroom to the Frontline” provides advice on organizational safety culture.
5.4.2 Overview of Human Factors aspects of developing a job aid
Figure 5-1 provides an overview of how to achieve the attributes cited in section
5.4.1. The approach aims to ensure that the task is properly understood and that
the instructions and advice in job aids are practical as well as correct. This requires
a combination of analysis, engagement with users and validation in developing a
job aid including the following.
• Chapter 1 explains how to select a type of job aid.

• Sections 7.2 and 7.3 of Chapter 7 explain the use of task analysis, task
walk-throughs and Hazard Identification and Risk Analysis.
• Section 7.4 of Chapter 7 outlines user engagement.
• Section 7.5 of Chapter 7 covers operational and technical validation.
• Section 7.6 of Chapter 7 outlines keeping job aids up to date.
• Chapter 8 summarizes Human Factors guidance.
Figure 5-1: Overview of Human Factors aspects of developing a job aid
Task
characterization
Select
type of job
Task analysis & Hazard Identification

task walkthrough & Risk Analysis
Draft the Apply Human

Engage Users
job aid Factors guidance
Technically validate Operationally

& approve validate
Update &
maintain
job aid
• Procedures and job aids can support human performance by provision

of knowledge, and an understanding of the correct way to perform a
task.
• Using job aids correctly in both routine and non-routine activities is the
hallmark of proficient operators.
• Engaging users in the development, validation and updating of job aids,
and applying Human factors to their design, will help ensure they are
accepted and used.
• Observing workers directly in the field helps to ensure that job aids and
procedures are practical and valid.
Performance CCPS.
6 Selecting a type of job aid
By the end of this Chapter, the reader should be able to:
• Understand the different types of job aids.

• Select a type of job aid.
• Understand the use of Hazard Identification and Risk Analysis (HIRA),
Task analysis and worker involvement, in the development of job aids.
Selecting a type of job aid can be achieved in two stages.
1. Determine the need for a job aid.
2. Determine the best type of job aid to use.
6.2 Stage 1: Determining the need for a job aid
6.2.1 Overview
Procedures with many tasks are time consuming to write and maintain. HIRA may
be used to prioritize the higher risk tasks and identify lower risk tasks for which a
job aid may not be required. In order for job aids to be accepted as necessary it is
important to produce them only when they are really needed.
It is good practice to have a Standard Operating Procedure (SOP) for safety

critical tasks (i.e., those tasks that, if performed unsuccessfully, will result in a
process safety event, see section 6.2.2.2 for more detail). Assigning SOPs to these
types of tasks will produce a consistent and safe way of performing a task each
and every time and as a basis for training.
However, as noted in 5.4, it is important to remember that low risk tasks may
not require any form of job aid to be used every time a task is performed. Also,
people should be trained for tasks that must be performed very quickly, such as
emergency response, especially if task completion time frames prohibit reading
through procedures.
For example:
• Frequent, low complexity tasks
Frequent and less complex tasks may not require step-by-step

instructions (or a SOP) to be used each time a task is performed due to
operators having had enough experience performing the task.
• Less frequent, more complex tasks
Less frequent, more complex and critical tasks may benefit more from
step-by-step instructions and checklists. An example is process start-up.
Such tasks may be prone to errors (slips and lapses), especially if they
have many steps or take a long time. If the task is complicated and
involves judgment and decision-making, then SOPs and job aids can
support “rule-based” performance.
If the task is infrequent and complex, then it may be helpful to use
decision-making aids, such as diagnostic flow charts. These can give
operators the knowledge they need to decide what actions to take,
especially in abnormal or unique operational situations, such as process
upsets.
• Time critical emergency response tasks
Time critical emergency response tasks may be best supported by

shorter and easy-to-read job aids. A very detailed and long SOP may not
be practical if it cannot be applied in the time available to perform the
task.
The “Miracle on the Hudson” (see Chapter 2) involved the use of an
emergency response procedure. The pilots started to work their way
through the procedure but stopped when they realized that they would
crash before being able to complete the procedure.
A short “grab card” is likely to be more practical if an operator has to
decide what actions to take within a few minutes, as when responding to
an emergency. In this instance a single sheet of laminated paper could
be the best format, stored in the control room for example. The grab
card should be technically correct, up to date and specific to the process.
6.2.2 A flow chart for determining need for a job aid
6.2.2.1 Overview
Figure 6-1 provides a flow chart to help judge whether a step-by-step guide or a
job aid may be more useful for a task. The best type of procedure or job aid
depends on:
1. The complexity of the task.

2. The frequency that the task is performed.
3. The importance or criticality of the task.
4. The time available to use the job aid and complete the task.
6. Selecting a type of job aid 55
This is sometimes called “Difficulty, Importance and Frequency (DIF) analysis”

[28], where Difficulty is the task complexity, Importance relates to safety criticality
and Frequency is task frequency. Figure 6-1 suggests that:
• A job aid is recommended for all tasks rated as high criticality.

• SOPs are advised for less frequent complex tasks, especially if the task
has a long completion time.
• Memory and decision aids are advised for more frequent tasks, where
step-by-step SOPs, may not be required.
For example:
• A high ‘Task Criticality’, such as emergency shut down, which is

performed at a low ‘Task Frequency’, and must be completed in a Short
‘Time available to complete a task’, would be advised to have a GC (Grab
Card) or DT (Decision Tree).
• A medium ‘Task Criticality’, such as testing one of a pair of pressure relief
valves, is classed as medium ‘Task Complexity’, and performed at a
medium ‘Task Frequency’, would also be advised to have a job aid, such
as GC or alternatively a CK (Checklist).
In order to be able to apply the flow chart, it is necessary to understand the

task. This may be achieved by talking with people who perform the task, speaking
with process engineers or carrying out a high-level walk-through of the task (as
outlined in sections 7.2, 7.3 and 7.4).
The abbreviations for examples of job aids are given in Figure 6-1.
The chart is for guidance only. It can be amended to match company specific
policy and practice.
Figure 6-1: Selecting a type of job aid for operational use
Key:
CK = Checklist.
GC = Grab card.
DFC = Diagnostic flow chart
DT = Decision tree
Info = Information (e.g.,
chemical safety datasheet)
Log = Operational log
M = Manual
PTW = Permit to work
SH = Shift Handover
SOP = Standard Operating
Procedure
WI = Work Instruction
6.2.2.2 Task safety criticality
The safety criticality of a task can be assessed using knowledge of the task-related
hazards. The results of Hazard Identification and Risk Analysis (HIRA) can be used
to rate task risk. A common HIRA approach is to use a qualitative risk matrix to rate
the risk from very low to very high. This risk matrix approach can be used to rate
the risk of a task. If a HIRA has already been completed for a process, the results
can be used directly. These risk ratings may be applied to the Task Criticality in the
flow chart previously shown in Figure 6-1.
The example matrix in Figure 6-1 uses three risk ratings – high, medium and
low. HIRA may use a risk matrix, as in Figure 6-2. Figure 6-2 also gives a potential
alignment of HIRA ratings to high, medium and low in Figure 6-1, with red cells
being high safety criticality, yellow being medium and green being low.
Figure 6-2: Using HIRA risk matrix results to assess task safety criticality
Very high High
High
Moderate Medium
Likelihood
Low
Very low Low
Very low Low Moderate High Very high
Consequence
Some organizations perform “Safety Critical Task Analysis”. An example is given

in Figure 6-3 (this is a new example). This involves identifying safety critical tasks
(i.e., those tasks that, if done unsuccessfully, will result in a process safety event),
one by one, assessing them and deciding what needs to be done to support
successful task performance. The example in Figure 6-3 includes identifying
“Failure types” using the “mistakes, slips and lapses” categories, and then
identifying existing and additional “controls”. Task Criticality may be rated using
five factors, with ratings color coded red (high) or green (low) in this example, giving
a high score of 10. Guidance on Safety Critical Task Analysis is contained in the
Energy Institute guide [29].
Figure 6-3: Example of a formal safety critical task assessment
Safety Hot oil furnace flame detector proof test (drawn from Step Change in Safety [30])
Critical Task
index
Major Accident Hazard Loss of containment of flammable gas

scenarios
Nature of task Maintenance Roles Instruments
Task criticality overview
To what extent To what extent

To what extent are To what extent does the
How hazardous could incorrect does the task
ignition sources task involve changes to
are the systems 3 0 1 performance of 3 involve defeating 3 Total 10
introducing during the the operating
involved? the task cause protection
task? configuration?
damage? devices?
Task and human error analysis

Preconditions
Interface with the control room to identify the test to take place
Task/ error Task Error Error Failure class MAH consequence Existing controls / Training & Actions
identifier guideword description of error recovery competency required
1.1 Liaise with the Wrong info Wrong info Mistake No MAH Trips
control room passed on
to and carry
out risk
assessment
1.2 Ensure test Operation Use Lapse MAH fail to detect Yearly calibration
measuring omitted incorrectly flame out
equipment calibrated
calibrated equipment
(adapted from [30])

An alternative method of rating task safety criticality is cross-referencing the

possible consequence of task failure with the number of engineered safeguards
against task failure causing an incident. This is called “barrier analysis”. Engineered
protection may include, for example:
• Pressure relief valve.

• Automatic shut-down (e.g., a high-high level alarm closing an inlet valve).
• Automatic Distributed Control System (DCS) trip e.g., for high
temperature.
• Emergency venting system.
The engineered protection does not involve or require human action in order
to operate. It is tested and kept in operational condition so that it operates
automatically when it is needed.
Figure 6-4 shows an example, taken from INEOS ChlorVinyls Ltd, of how to use
consequence and barrier analysis to rate task safety criticality. A task where failure
has a low consequence (rated here as less than 4, where 4 includes fatality) or has
one engineered protection (e.g., a high level trip in a storage tank), would be rated
as “Criticality level 4, and would not be classified as safety critical. A high hazard
task (4 or more) without engineered nor procedural protection, is classified as
criticality level 1 or 2 and requires further assessment and management. This type
of analysis helps to screen tasks and select higher risk tasks for further
consideration.
These methods are relatively simple, can help identify safety critical tasks, and
can be referred to as qualitative analyses. One simple method that can identify
safety critical tasks and provide additional insights is Bow Tie analysis [31]. The
Bow Tie method graphically maps out failures that could initiate an accident and
the “barriers” against these failures and their consequences. This is explained in
the CCPS Bow Tie analysis guide [31].
Further analysis of higher risk tasks may be achieved using specialized

methods such as Layers of Protection Analysis (LOPA) or Quantitative Risk
Assessment (QRA) may be more appropriate.
The “Layers of Protection Analysis (LOPA) considers the impact of protection

layers in a structured semi-quantitative way that includes both the number and
strength of the protection layers. LOPA is explained in [32]. These, more advanced
methods, tend to be applied by safety specialists to support safety engineering and
safety management. Their results can be used to support safety critical task
analysis.
Figure 6-4: Task safety criticality rating
(adapted from [33] )
6.2.3 Other factors
Guidance is provided Table 6-1 and Table 6-2 for rating the remaining factors.
Some low complexity tasks may be performed frequently, such as depressurizing
oil storage tanks every day. However, sometimes the circumstances may change.
For example, a change in wind direction and speed may require special
precautions, such as turning off ignition sources downwind of the tanks. This could
be a low frequency task and higher complexity.
Table 6-1: Guidelines for rating task complexity
Rating Guideline Examples
Start up, shut down, major

Unfamiliar, high levels of maintenance, infrequent
High judgment and interpretation maintenance, emergency
required response. System operating
with a major plant change
Some judgment and Devising a work instruction for a

Medium
interpretation required process maintenance task
Common, familiar task, few task

Connecting chemical road
Low steps, little judgment or
tanker to a storage tank
decision-making required
Table 6-2: Guidelines for rating task frequency

Connecting chemical road
High Daily or every few weeks
tanker to a storage tank
Between once a month and

Medium Managing a process upset
once a year
Start up, shut down, major

Less frequently than once per overhaul, infrequent
Low
year maintenance, emergency
response
The time available (see Table 6-3) refers to either the time scheduled for a task,
such as in a work instruction or schedule, or the time in which the task must be
performed before an accident occurs. This is sometimes called “process safety
time”. This is defined by the International Electro-technical Commission (IEC 61508
Edition 2.0) [34] as the “Period of time between a failure occurring in the process
or the process control system and the occurrence of the hazardous event if the
safety function is not performed”.
Table 6-3: Time available to complete a task

Short Seconds or minutes Activating an emergency shut-down
Connecting chemical road tanker to a

Medium Tens of minutes
storage tank
Isolating and depressurizing a section of
Long Hours or longer pipe, pressure testing and installing
blanks
It should be noted that it is good practice to avoid relying on an operator to

make a response within seconds. Options such as automation should be
considered if this is the case. The time available to act should be no less than half
the process safety time. This is a key safety requirement. If it is not currently
achieved, options for re-engineering the process should be identified.
6.3 Stage 2: Selecting the type of job aid
Job aids can be thought of as a reference, for use in training for example, and as a
“real time” task aid, for use in everyday operations. Figure 6-5 gives a mapping of
types of job aid, to types of operational human performance. The types of human
performance have been expanded. For example, knowledge-based tasks have
been split into Problem Solving and Diagnosis. This expanded list of types of tasks
provides a more precise way of matching the type of job aid to the type of human
performance.
Process safety information, Process flow diagrams, Mass balance charts and
Piping and Instrumentation Diagrams may all be used as a form of Diagnostic Tool
and Task planning aid. They are included as ‘Info’ in Figure 6-5.
Table 6-4 defines each type of job aid and notes their role in supporting human
performance.
Figure 6-5: Mapping of type of job aid to type of task performance
Key:
CK = Checklist.
GC= Grab card.
DT = Diagnostic tree
Info = Process safety information
Log = Log books etc.
M = Manual
PSB = Process Status Board
SH = Shift Handover
SOP = Standard Operating Procedure
Table 6-4: Definition of types of operational job aids
Role in supporting human
Job aid Definition Task types
performance
A document that provides information
(e.g., how a piece of equipment works),
Process operational, systems
Manual (M) and instructions (e.g., how to operate a
and safety knowledge
piece of equipment). May contain
pictures with notes.
Documents explaining the physical,
Process safety chemical, and toxicological information Process operational, systems
information (PSI) related to the chemicals, process, and and safety knowledge
equipment. Knowledge-based operational
A diagram that shows the material flow planning.
from one piece of equipment to the Development of procedures and
other in a process. It usually provides training.
Process flow information about pressure, temp., Fault diagnosis.
Support process upset and fault
diagrams (PFD) composition, and flow rate of various Decision-making
diagnosis and decision-making
streams; heat duties of exchangers;
in rule-based tasks
and other information to help
understand the process.
A schematic showing properties
Material and (phase, temp., pressure, etc.) and
Energy Balance material inputs to and outputs from
Assists with rule-based process
(MEB) each stage of a process, including raw
operational decisions
materials, waste and by products.
Table 6-4 continued

performance
Supports process upset and
fault diagnosis and decision-
Piping and A diagram that illustrates a system of Task planning
making in rule-based tasks
Instrumentation equipment including vessels, piping, Fault or process upset diagnosis
Supports planning and
Diagrams (P&ID) valves and instrumentation. Devising emergency response
producing rule-based tasks and
instructions
Supports rule-based tasks
Standard A set of step-by-step instructions to
Long or repetitive Reduces reliance on memory
Operating help people carry out complex routine
skill/procedure-based tasks and potential decision-making
Procedure (SOP) operations.
mistakes
Reduces reliance on memory
and potential decision-making
A list of tasks, actions, and information
Long or repetitive skill/rule- mistakes
Checklist (CK) to be checked during a task, or at the
based tasks Reduces potential slips and
end of a task.
lapses
Supports error detection and
recovery
A set of instructions on how to carry
Work Instruction A specific or unique rule/skill- Reduces reliance on memory
out a specific or unique task, such as
(WI) based task and potential decision-making
isolating a section of pipework.
mistakes
Table 6-4 continued

performance
A set of precautions and permitted
Supports planning and
Permit to work actions in a document that authorizes Communicating scope of work
producing rule-based tasks and
(PTW) certain people to carry out specific and specific precautions
instructions
work within a specified timeframe.
An operations and system status log Supports communication
Shift hand over
that helps communicate critical Communicating between teams Reduces potential
logs (SH)
information from one shift to another. communication slips and lapses
A board showing the status of plant Supports dynamic process
Plant status Maintaining awareness of
and equipment, such as open/closed situation awareness and task
boards (PSB) process and system state
valves, or pump online/offline. planning
Supports process upset and
A diagram showing the actions to be fault diagnosis and decision-
Diagnostic flow Conditional decision-making
taken in the event that one or more making in rule-based tasks
charts (DFC) Fault/process upset diagnosis
conditions has occurred. Reduces reliance on memory
cognitive capacity
A set of abbreviated instructions
presented in words and pictures with Supports process upset and
notes to help remember actions. fault diagnosis and decision-
Time limited situation
May use mnemonics to aid memory, making in rule-based tasks
Grab card (GC) assessment and rapid decision-
and to help with quickly reading and Reduces reliance on memory
making
understanding instructions. cognitive capacity, especially in
May be kept in the control room, for time pressured tasks
example, in a wall mounted holder.
6. Selecting a Type of Job Aid 67
6.4 Electronic job aids
Job aids can be presented on paper or on

electronic devices. The attributes of a good
job aid and the criteria for selecting a type
of job aid, as noted in Chapters 6.2 to 6.3,
apply equally to electronic devices.
Table 6-5 provides some pros and cons

of electronic devices. Some situations
where electronic job aid may support
human performance include:
• When people must work with a wide range of equipment or systems.

The device may be able to provide access to equipment specific
information, thereby reducing reliance on memory or access to a library
of paper-based job aids.
• When needed to record information, such as results of equipment
inspections and tests. Records can be directly entered into a handheld
device, reducing the time and effort as well the potential for
transcription errors in paper based records.
• Where the diagnosis of faults is complex but can be coded into an
electronic device.
• Where creation of Stops and hold points may be helpful, such as that
approval by another person must be entered before proceeding to the
next step.
• Where communication with others is necessary for safe job
performance.
One of the major benefits of electronic checklists is that they can keep track of
skipped items and can track items that are not marked as complete. Table 6-5
notes the pros and cons of handheld devices.
Table 6-5: Pros and cons of electronic job aids

Pros Cons
Can hold a large amount of Limited use on sites with zones in

information which an explosive or flammable gas
Can provide interactive functions atmosphere could exist.
Can be centrally updated Potential problems in navigating

through screens and sub-screens
Can provide enhanced functionality,
such as entry of data and completion Screen size may create problems in
of records legibility of information
Can enable automated calculations to Glare and bright light conditions may
be performed reduce visibility.
Can have look up functions to search Complex imagery may be limited on a

databases, such as lists of parts when small screen
maintaining equipment Power (of the device) and internet /
Can enable remote verification of a data transmission mode access may
task step, a condition, or location not be available all of the time
when a second person is not available Wireless devices may be subject to
at the location cyber intercept or attack.
• The need for a job aid depends on task safety criticality, frequency,
complexity and time available to complete the task.
• Many types of job aids are available.
• The best type of job aid depends on the type of task performance.
Performance CCPS.
7 Developing content of a job aid
By the end of this chapter, the reader should be able to:
• Understand the use of task analysis and the results of Hazard

Identification and Risk Analysis in development of job aids.
• Understand the role of worker involvement in the development of job
aids.
This Chapter builds on the CCPS guide “Guidance for Writing Effective
Operating and Maintenance Procedures” [25]. In particular, this Chapter cites the
use of task analysis, the output from Hazard Identification and Risk Analysis (HIRA)
and task walk-throughs to help produce job aids. The Energy Institute provides a
detail guide on how to perform task analysis [29].
7.2 Outputs from task analysis
Task analysis includes identifying the task steps, describing the task actions, and
assessing the judgments and decisions needed to perform a task. The outputs
include:
• A detailed step-by-step record of tasks and sub-tasks.

• An estimated time to complete the task.
Task analysis can also be used to:
• Help judge the minimum number of people needed to perform a task.

• Identify the competences and skills required to carry out a task.
• Develop training and selection requirements, and
• Support error analysis.
A detailed description of task steps can be used to write the steps in a

procedure or in another form of job aid. This may be in the form of a diagram or a
table (list).
The development of task analysis can be time consuming, but it can be used
for other purposes. For example:
• As a source for writing a step-by-step SOP.

• As a training aid – to visually show the sequence of steps and to help
develop learning objectives.
• To support a critical review of the task. Is it possible to do the task in
fewer steps or with fewer people?
• To define a minimum staffing level to safely and accurately carry out the
task.
• To identify opportunities to clarify the task instructions.
• To identify opportunities to improve the work environment (e.g.,
labelling, lighting, access).
It can also be used to help identify potential errors. This will help to show when
job aids are needed (tasks more prone to error) and where to add warnings and
cautions into procedures and job aids.
An example of one type of task analysis is shown in Figure 7-1. The diagram is
reproduced as a table in Table 7-1. The table shows which staff member does each
task – this also provides a minimum staffing level.
Figure 7-1: Example of a graphical task description

7. Developing content of a job aid 71
Table 7-1: Example task analysis as a table
Task Tanker Storage tank Control room

Location
Description driver technician operator
Storage
1 Prepare for Communication Communication
N/A Control
offloading task task
Room
2 Connect road Offloading

Action N/A N/A
tanker bay
2.1 Connect
earth to road
Offloading
tanker Action Checking task N/A
bay
grounding
point
2.2 Connect
hose from Offloading
Action Checking task N/A
vapor return to bay
tanker
2.3 Connect
hose from road Offloading
Action Checking task N/A
tanker to filling bay
point
3 Offload road Offloading

Action N/A N/A
tanker bay
4 Disconnect Offloading
Action N/A N/A
road tanker bay
Communication Offloading
5 Leave site Action Checking task
task bay
7.3 Outputs from Hazard Identification and Risk Analysis
The output from Hazard Identification and Risk Analysis (HIRA) can be used to help
produce job aids. HIRA is explained in the CCPS “Guidelines for Risk Based Process
Safety”.
Hazard analysis will indicate: Hazards analysis indicates

the safe operating limits
• Process hazards, their causes,
established for critical
consequences, and safeguards.
process parameters, such
• Operating limits (e.g., temperature, as temperature, pressure,
pressure, material concentrations and level, flow, and
ratios, flow). concentration, based on a
• Potential recommendations to assure combination of equipment
safe operating and maintenance design limits and the
procedures. chemistry of the process.
These types of information should be used

in job aids to state hazards, minimum/maximum operating limits, task
prerequisites, and safe operating procedures.
Figure 7-2 shows an example from a HIRA. It identifies the possibility of

exceeding a safe operating limit, pressure in this example. This could be added
into a job aid as an explanation of the potential risk.
Figure 7-2: Example of HIRA results

Item Process Deviation Possible Possible Action Assigned
parameter causes consequence required to
Reactor Flow High Control Pressure Test and
vessel valve exceeds safe calibrate
R1A feeding operating limit control
to much loop
catalyst monthly
7.4 User involvement
Engineers and safety specialists are given the job of writing or updating a
procedure. It is important that they include people who will use the job aid and will
carry out the work. These people have experience in the operational and
maintenance tasks and can provide useful advice.
In a walkthrough of an
Representatives of operational and maintenance emergency response
teams should therefore be engaged during job aid procedure, personnel
and procedure development. This will help to ensure realized that the
that they are based on a realistic and accurate view supervisor had to be in
of “how work is done”, and not based on how work is two places at the same
envisioned. time!
A common approach to engaging operational and maintenance staff in

developing procedures for existing tasks is to conduct a walk-through or a talk-
through, possibly aided by a video recording of the task.
Task walk-through
The walk/talk-through approach is a simple process that consists of a person,

with knowledge of a task, demonstrating how it is done, while being observed
by someone else.
It should be a fair and accurate reflection of how the task is actually

performed. A task walk-through should be completed prior to first use of a
procedure.
It can help to use a questionnaire to assist with the production of the job aid or
procedure. This should include questions, with prompts or suggestions to help
encourage information sharing, and to capture details about the task. It should
also be used to record responses during the walk-through, to capture detailed
information about the task steps. An example process is provided in Figure 7-3.
The Human Performance Oil and Gas (HPOG) group also provide a Walk
Through Talk Through template and guide [35]. This is a free resource that also
covers capturing task steps, potential errors and ideas on error prevention.
In the case of new processes, tasks can be viewed or imagined by use of

process flow, functional, instrumentation diagrams and/or 3 dimensional models.
If available, drawings or mock-ups may be used to help identify tasks and sub-
tasks.
Some important information that can be realized or obtained from a walk-

through are 1) assumptions or preconditions assumed when starting the task, 2)
opportunities for errors, and 3) possible different ways of doing things.
Figure 7-3: Task walk-through process

(Compiled by CCPS)
The walk-through process
7.5 Validation of job aids
Even with the involvement of operational and maintenance teams in the

development process, it is possible that new or amended job aid or SOPs may not
be practical or may need improvement. This is especially true for new or upgraded
equipment and processes.
It is important to validate job aids on their first use and on an ongoing basis.
An operational validation includes a review with operational and maintenance
teams. This review should aim to identify unforeseen issues with the practicality,
accuracy, and fitness for purpose of job aids. A technical validation may involve
safety specialist or process engineer checking the job aid.
Verification of jobs aids and procedures through field-based observations

cannot be overemphasized. Effective validation of job aids and procedures cannot
be completed remotely. Workers using job aids and procedures should be
consulted to ensure they are valid and practicable.
The CCPS guide “Guidance for Writing Effective Operating and Maintenance
procedures” [25] provides further guidance on procedure approval.
7.6 Keeping job aids up to date
Job aids and procedures must be kept up to date. A “management of change”

process or a Procedure Life-Cycle Management Process should be used to manage
changes to the design, operating system or chemistry of a process, and ensure that
necessary changes are made to job aids and SOPs. Triggers for updating job aids
include:
• Developing new facilities or work areas.

• Introducing new equipment or updating the plant or equipment.
• Changes to work due to incidents, and lessons learned from operational
experience.
• Changes to roles and responsibilities.
• Learnings from a task analysis or a new HIRA.
• Requirement for periodic review, i.e., this procedure is valid to three
years after the date of issue.
When job aids are updated there should be a formal process to identify and
remove all out-of-date procedures to avoid the inadvertent use of old procedures.
This can be helped by color-coding versions or using watermarks with the date of
issue. All job aids should be updated by applying a formal process with final sign
off and authorization. The update process must be efficient and able to produce
timely updates. Long delays in the update cycle will create frustration with the
process and discourage operators from inputting them.
Further guidance on the management of job aids is given in the CCPS

“Guidelines for Risk Based Process Safety” [5]. The United States’ Department of
Energy guide “DOE-STD-1029-92 Writer's Guide for Technical Procedures” [36] is
also useful.
• The content of job aids, including instructions, warnings and cautions,

can be produced from task analysis, task walk-throughs and the results
of HIRA.
• Job aids should be developed with the engagement and involvement of
front-line personnel who use the written guidance, if company human
performance programs are to be sustained.
• All job aids should be validated and kept up to date.
Performance CCPS.
8 Format and design of job aids
By the end of this chapter, the reader should be able to understand:
• How to structure job aids.

• The use of Human Factors practices in writing job aids, creating pictorial
information (pictures), and developing navigation aids and icons (small
images or symbols).
8.2 Structure and layout
8.2.1 Human Factors Checklists
Table 8-1 provides advice on good practice for structuring procedures. The
structure should be intuitive and easy to follow. Table 8-2 provides a checklist for
the layout of job aids, including task instructions. Table 18-6 in Chapter 18 provides
information on task verification.
Table 8-1: Typical structure of procedures

Sections should be logically sub-divided according to their purposes. For
example:
• Authors
• Safety and operating rules, limits and conditions
• Process summary
• Hazards
• Scope
• Minimum staffing and competences
• Roles and responsibilities
• Task pre-requisites
• Operating instructions
• Associated documents
Table 8-2: Checklist for layout of job aids

1. Make headings large to help people identify information.
2. Make headings stand out from the surrounding text to help people
identify information.
3. Use spacing, images, and/or blank or white areas to reduce clutter, and
to make it easier to identify and recognize information.
4. Use bullet points to make reading easier.
5. Number sections and task steps.
6. Communicate one action per task step.
7. Present different types of information in different formats and fonts

(with supporting icons) so they are distinct and different (e.g., is it a
warning or instruction, or is it background information?).
8. Clearly indicate who should perform the task step if the task involves
more than one person.
9. Present supporting information separately from the task instruction.
8.2.2 Examples of job aids
Examples are shown in:
• Figure 8-1: SOP. Good features include:

o One instruction per numbered line;
o Use of color and icons (see 8.6) to indicate the status of each
point of information;
o Use of space to reduce clutter;
o Use of bullets to make requirements easier to read.
• Figure 8-2: Grab Card, with some key features highlighted.
• Figure 8-3: Decision Flow Chart. Good features include:
o Short sentences;
o Binary decision points;
o Unambiguous decision criteria;
o Color coded and large font for key text;
o Fits on one page.
8. Format and design of job aids 79
Figure 8-1: Good practice SOP example

(a mocked-up excerpt)
Purpose
The purpose is to cover all steps to remain safe and avoid the
possibility of ignition while driving a Bobcat loader in a Class 1
restricted area
Prerequisites
This procedure must be completed by:
• a level two or three Methanol technician; or

• a level one technician under direct supervision of a level two or three
Methanol technician.
EHS requirements
• All restrictions and stipulations of the Distillation Restricted Area

Policy apply for this task.
• No spark-producing devices are allowed.
• All material that is not suitable for a Class 1 restricted area will only be
allowed with proper authority and permitting.
• No Hot work permits will be active or coordinated while this
procedure is utilized.
• The Bobcat must be shut off while inside the restricted area if the LEL
is >0%.
• The Bobcat can proceed while inside the restricted area if the LEL is
0%.
Note: OR = Operating Rules OL = Operating Limit I = Information

Figure 8-1 continued
Figure 8-1 could be presented on a double-sided “front and back” mini

procedure.
Figure 8-2: An example grab card
(Compiled by CCPS for this handbook.)

Figure Note: This grab card is for managing gas leaks in a public gas pipe network
where the gas leak may not be known at first. Therefore, it starts with identifying
the gas leak and then makes reduces the likelihood of ignition sources (makes
them “safe”).
Figure 8-3: An example decision flow chart for unresponsive casualties
(Based on a compilation of several resources)
8.3 Navigation
For larger job aids, such as manuals and long procedures, it is important to support
navigation to help the reader find the information they want. Ways to support
navigation include:
Headings
Headings should be large and stand out from the surrounding text. This will
help people to identify information. They can also be color-coded in terms of
information, or to indicate the level of the heading.
Indents and tabs

The first page of each sections can be indented or indicated by a tab.
Color-coding
To help the reader find and identify relevant information color can be used to
code and group text. For example, sub-sections can be color-coded as per Figure
8-4. As some people are color blind, it is important also use other means of
distinguishing information, for example, by the use of icons (see section 8.6). Some
examples are also shown in Figure 8-4.
Regarding color contrasts, some guidelines are:
• Only use color where it helps to convey meaning;

• White text on red, blue, green, brown or dark grey backgrounds;
• Black on white, or yellow/amber or beige background, and vice versa;
• Pink, purple and orange backgrounds have lower contrasts but are best
paired with black, white and black text respectively.
It is also possible to utilize tone variance with color variance, especially to cater
for color blindness. For example, a saturated red and a soft green.
Figure 8-4: An example of icon and color coding

Hyperlinks
Hyperlinks can be used to help people find reference information. These are
not functional where people use printed copies and instead complete references
should be used.
When using hyperlinks, so that people can navigate back to their original page,
it is important to consider either:
• Adding a return button or link; or

• Opening the new page in a fresh window, so the original page remains
open on the first window.
Hyperlinks within a document can be useful as well to navigate directly from

the table of contents to a specific section or other references material in the
document, though they must be maintained to continue being effective.
8.4 Instructional Language
Table 8-3 provides good practice guidance on the language used in procedures
and job aids.
Table 8-3: Checklist for instructional language

Checklist for language
1. Write in the main languages spoken.
2. Write using words and sentence structure that matches the reading/writing
skill or ability of the readers.
3. Use terminology consistently.
4. Minimize the number of abbreviations so that readers are able to recall them
all.
5. State the meanings of terms or abbreviations in a glossary as well as spelling
them out on first use.
6. Use short familiar words e.g., “start” rather than “commence”.
7. Use words that have a single unambiguous meaning. Ensure the meaning of
words is not dependent on the context.
8. Use one word instead of a phrase. For example:
• Use “minimize” instead of “minimize as far as possible”

• Use “show” instead of “provides an indication of”
• Use “if” instead of “in the event of”
• Use “to” instead of “for the purposes of”
9. State the condition for conditional actions. For example, “Turn off the
compressor when the pressure reaches 5 bar”.
Table 8-3 continued
Checklist for language

10. Use the active rather than the passive voice:
• "Change the valve” rather than “The valve shall be changed by the
operator”.
The words “shall” and “should” may be misinterpreted, as they might be read
to mean that the valve shall already be changed. These terms do not convey
present tense.
11. Start each sentence with a verb (doing word) e.g., “close valve HV-001” rather
than “the valve should be closed”.
It is much clearer for the reader to understand directions if verbs are used at
the start of a sentence. For example, words such as: stop, open, check,
ensure, avoid, move, press, rotate, and lift.
12. Avoid double negatives.

“The display will only indicate when the pressure has reached the required
level.”
Is better than
“The display will not indicate if the pressure has not reached the required
level.”
13. Refer to the name of the equipment or item, such as Bruno Press at plant 1,
rather than saying “it”.
14. Only use upper case and or bold for occasional emphasis, e.g., Turn OFF the
public address system.
15. Avoid using “etc.” as all guidance information should be complete.
16. Use short sentences and break-up long sentences, as lengthy narrative style
can increase likelihood of error or misinterpretation.
Paragraphs should be used to break up text. A new paragraph is usually used
when a new subject or topic is introduced.
Bullets points can be used to break up large chunks of text, especially where
lists or key points are being presented.
17. Arrange lists in columns, rather than in written text, when the tasks have a
specific order.
18. Emphasize important information by use of color-coding, bold, shading, and
text boxes.
19. Prioritize text boxes if printed in black and white.
20. Be mindful of words that can sound the same in the field if communicated
verbally as part of the procedure (increase and decrease) versus (raise and
lower) to minimize error or misinterpretation.
Figure 8-5: Examples poor and good practice of instructional language
Poor practice Good practice
Not specific Specific
Make reference to the relevant Isolation Preparation Make reference to the Isolation Preparation
Checklist. Checklist IP15 Issue 2.1.
Warnings and mandatory safety requirements are The warning is clear. Mandatory safety
hidden within the text. requirements are explicit.
Goggles, respirator, faceshield, acid protection suit and

gloves should be worn when draining hydrochloric acid Warning: Hydrochloric acid may be
and when working on the manifold. They should also be present in the manifold and inlet line. Goggles,
worn as a precaution when breaking into outlet lines for respirator, faceshield, acid protection suit and
blanking if there is a possibility of residual acid in the gloves must be worn at all times to prevent acid
line. burns and inhalation.
Unclear instructions - does this mean the operator
should check that the valves are closed, or should
they also close them? Clear instruction. Starts with a verb.
Ensure that the valves HFA1 and HFA2 are closed. Close valves HFA1 and HFA2.
8.5 Pictorial information
Diagrams, images, pictures, and illustrations (such as Figure 8-6) are very effective
tools in communicating information to the user in a simple and usable way.
Drawings and diagrams clearly explain what needs to be done. Control system
interface screen prints help to explain and demonstrate how to use the functions
of a system. They also show where relevant information is displayed. Table 8-4
summarizes some uses of pictorial information.
Table 8-4: When to use different presentation options

Format Example of use
Used to show, for example:
• Which tool or equipment is required.

Photographs
(including • The set-up of equipment.
screen prints) • What the reader should be checking for
• Image of cracking or rust on pipework.
• Image showing the position a valve should be set.
Used to provide clarification or to describe a process as in

Diagrams
Figure 8-6.
Demonstrate a summary of steps a person needs to follow

Flowcharts
and the order in which to perform these steps.
Useful in presenting large amounts of complex or similar

data.
Table
For example, lists of tools to use for a range of different
procedures.
Figure 8-6: An annotated diagram
(reproduced from [37])
8.6 Icons
Icons and symbols can help to give meaning to a sentence or paragraph. For
example, they can indicate the level of importance very quickly. They also help to
break up dense text, which can be unappealing and tiring to read.
It is important that they are used consistently and only with a clear link with the
text. Some examples are shown in Figure 8-7.
Icons should be used only where necessary. The excessive use of icons may
create clutter.
Figure 8-7: An example of icon and color coding
Operating limit: The maximum operating pressure is 5

bar.
Caution: Corrosive liquid may drip from the hose. Care

must be taken when disconnecting flexible hose from the
road tanker.
Warning: Entry of oxygen into the vessel enables auto-

ignition of heated flammable gas. An inert nitrogen gas
blanket must be maintained. Control vessel level at all
times to ensure liquids do not exceed 70% level.
Hold point: Stop work after inserting the second blind into
the manifold. Ask the team leader to verify the blinding.
Operating rule: The recirculation pump must be

operating before turning on the heating elements.
Information: The purpose of the procedure is to ensure

safe isolation of the tank prior to entry.
• The structure and layout of a job aid can make it easier to navigate and
understand the information provided.
• The use of language tips can make written instructions much easier to
understand.
• Navigation through a job aid can be made easier by using color-coding,
hyperlinks and headings.
• Flow charts, decision trees and pictures can show complex information
in an easy to understand way.
• Icons and symbols can help indicate important meanings quickly.
Performance CCPS.
Part 3: Equipment
Performance CCPS.
9 Human Factors in equipment design
• Identify different types of Human Factor design problems which can

increase likelihood of error.
• Understand how to use Human Factors in equipment design and how to
reduce the impact of Human Factor design issues.
9.2 Definitions
9.2.1 Defining equipment
For the sake of this handbook, equipment refers to things that people use in their
jobs including:
• Tools.
• Instrumentation e.g., hard-wired display panels.
• Communication devices e.g., phones.
• Physical controls e.g., hand wheels or levers.
• Process equipment e.g., field switches.
• Computer systems e.g., display screens or input devices.
Equipment plays a very important role in human performance and can

facilitate work during critical scenarios, for example a process control display
screen that helps control room staff to monitor plant conditions and then respond
to unplanned or emergency events.
Equipment can be customized, typically manufactured by a specialist

contractor or supplier. It can also be an “off the shelf” product that is offered for
sale on the general market.
Whether equipment is customized or “off-the-shelf”, it should be fit-for-

purpose (appropriate for the context it is used in) and meet the requirements of
the user. When equipment does not meet user requirements and is not fit for
purpose, this can have very serious consequences.
9.2.2 Who is the user?
The user is a person who actively uses the equipment. This could also include the
maintainer, or more occasional users such as a supervisor or a person conducting
calibration or quality checks.
It is important to identify and consider all possible users during the design
process.
9.3 Major accident example
The explosion at the Buncefield fuel storage facility (2005) in Hemel Hempstead
(North of London) was one of the biggest in peacetime Europe. It measured 2.4 on
the Richter scale and was audible in Belgium, France, and the Netherlands. The fire
engulfed over 20 fuel tanks, and the resulting smoke plume was visible from over
60 miles (97 kilometers) away. The devastation was enormous with many nearby
properties damaged. Remarkably, there were no fatalities, although 40 people
were injured.
During a gasoline filling operation to tank 912, several safety controls failed
that should have prevented the tank being overfilled. Eventually large quantities
of petrol overflowed from the top of one of the storage tanks. A vapor cloud
formed, which ignited and caused a massive explosion and a fire that lasted five
days.
Figure 9-1: The Buncefield fuel storage facility before and after
(reproduced from HSE [38])
The accident report is available from the UK Health and Safety Executive [38].
9.3.2 Why did this happen?
Many factors contributed to the explosion including organizational failure, and

issues with design and maintenance of the overfill protection and containment
system. One issue was the poor design of the interfaces and screens used by
control room staff to monitor tank levels and the filling process. The United
Kingdom’s Health and Safety Executive report [38] into the accident found that:
• Only one visual display screen was available. This meant that the status
of only one tank could be viewed at a time, with information on other
tanks stacked behind them. On the night of the accident, the display for
tank 912 was at or near the back of the stack of tank displays.
9. Human Factors in equipment design 95
• Some aspects of the tank displayed diagrams were inaccurate or wrong.

• The screen showed an emergency shut-down button to stop tank filling,
but this button did not work.
• The system had no ‘deviation alarms’ to indicate deviations between
tank level measurements and filling rates.
• A stuck level gauge meant that control room staff were not alerted to the
fact that tank 912 was overfilling.
9.3.3 A Human Factors perspective – why is design important?
Getting the design right is very important. Well-designed equipment will help
people perform to the best of their ability and will reduce the likelihood of errors.
Sometimes problems with equipment are not fully appreciated because time
has not been taken to understand the tasks that the equipment is going to be used
for, how the user needs the equipment to perform and how they are likely to need
to interact with it. When user needs are not used to inform equipment design then
people have to ‘make do’ with poor design. In these circumstances, instead of
equipment being designed to suit the human, humans must adapt to poorly
designed equipment.
Problems with poor design can be complex and expensive to resolve. Often
workarounds are required as it can be prohibitive / impractical to re-engineer
equipment. These workarounds can sometimes be unsafe, inefficient and increase
the opportunity for error or equipment misuse.
The context in which the iPhone was going to be used had not been properly
considered. If the task demands were understood at the time of purchase, i.e., that
the device would be used to read lengthy complex documents, outside, sometimes
in poor weather when wearing PPE / gloves, then a more appropriate device could
have been identified.
The iPhone is well known for its intuitive and well thought-out design.
However, its small screen size means that it is not suited to showing large
documents, and it can be difficult to see in bright sunlight. It is also difficult
to use wearing gloves and in poor weather.
Despite this, a company purchased iPhones to display its lengthy

maintenance procedure (over 500 pages) for use outside in all weather. A
more appropriate device could have been identified.
The origin of the discipline of Human Factors is partly rooted in tackling these
difficult design issues. In the mid-1940s, the United States Air Force identified a
problem with certain aircraft crashing on landing. Previously, when they could not
find an obvious reason for losing an aircraft such as a mechanical failure, the
response was to either retrain existing staff, to recruit new staff, or to change
recruitment procedures. Instead, the response this time was to bring in a specialist
psychologist to consider what was causing the crashes. It was identified that the
incidents were due to the positioning of the landing gear and wing flaps.
The pilots were reaching for the flaps on

the approach to landing. However, as the
landing gear lever was closer to them and Figure 9-2: A Human Factors
felt the same as the control for the wing solution to selecting the right
flaps, they were instead raising the landing control
gear rather than extending the wing flaps.
The planes were hitting the ground without
the wheels deployed. UP
Pilots were focused on the difficult task
of landing the plane, fatigued, and often with
a damaged plane and low on fuel.
They were feeling for the wing flap

controls rather than looking for them, as this
would have meant taking their eyes and
concentration away from landing the plane.
The solution was a simple redesign of the

landing gear (see Figure 9-2), so that it felt
and looked like a wheel. They also
repositioned the wing flap controls.
These solutions were arrived at because

time was taken to understand how the pilots
were interacting with equipment when
performing this activity. This involved real
effort to appreciate the task demands and
the context of use (i.e., the features of the
task which influence how the user
DOWN
performs). This is what good Human Factors
in design is all about.
9.4 Error traps
Designing equipment to fit the user is a key principle of Human Factors. It is far
more effective to design equipment well than training a person to use inadequate
equipment.
Even the most diligent people can make errors and fall for error traps.
Figure 9-3: A common error trap
Error traps
Error traps are common. One of
the most familiar is to pull on a
door handle when the door
opens away and needs to be
pushed. The stereotype of a
handle is to pull on it. A door push
plate is pushed. By its design, a
thing indicates it use: this is
termed affordance.
The steps for considering Human Factors in equipment design are as follow:
1. Begin to take note and recognize what poor design is. Get a measure of
how this can impact human performance.
2. When the opportunity arises (e.g., when purchasing or designing
customized equipment) apply a “user-centered” design approach.
3. Intervene to address existing poor design if replacing problem
equipment immediately is difficult.
If errors are caused by a design issue, then it would be sensible to understand

the extent and scale of the problem and consider what can be done. This can be
achieved by identifying the pattern in error occurrence by evaluating incidents and
proactively consulting staff.
9.5 How might poor equipment Human Factors cause error?
The United States Chemical Safety Board found that poor Human Factors design
of equipment was a factor in the ExxonMobil Baton Rouge Refinery Isobutane
Release and Fire in 2016 which resulted in four serious injuries to workers and
injured two others [39]. The incident occurred during minor maintenance on a
flammable isobutane line which failed, releasing isobutane into the unit which
ignited.
A 30 year old gear box needed to be removed. The bolts on the old gear box
were different to other newer gear boxes on the site. Most gear boxes were
newer. New gear boxes were removed using 4 vertical bolts on the top-cap of
the valve body. The old gear box could be removed using two horizontal bolts.
The top vertical bolts in the old gear secured the pressure retaining cap. The
operators removed the top vertical bolts. This breached the principle of “making
it easy for people to do things right and hard for them to do things wrong”.
Poor design can often lead to errors. Table 9-1 provides a summary of some of the
most common examples, and how these can impact on performance. Good
practice advice is given in sections 9.7.
Table 9-1: Examples of poor design for hard-wired interfaces – physical panels
Poor design Impact on performance
Hard-wired interface
Poor labelling e.g., it is:
• Not meaningful
(unfamiliar
abbreviations).
Poor labelling can mean important information
• Difficult to read is not identified or is misinterpreted.
(damaged, scratched)
• Poorly located (poorly
lit).
If displays are grouped closely together,

overcrowded, or not organized in a meaningful
Cluttered indicator lights. way, this can create clutter and makes it more
difficult for the operator to find and interpret
information. See Figure 9-4.
Table 9-1 continued

Hard-wired interface
Information is not
gathered, the
wrong information
Poorly located panel e.g., is read, or the
difficult to reach or see wrong control is
(behind other equipment). operated. It can
take longer to
complete tasks.
(reproduced from Energy Institute)
Graphical User Interfaces (GUIs) – electronic display, such as monitors
Text is not legible e.g.,
Incorrect action is taken, the wrong option is
small size, not visible from
selected. Delayed response.
a normal viewing angle.
Mistakes happen when interpreting displayed
Inconsistent with other
information. For example, on one display, an
interfaces e.g., conflicting
open valve is color-coded red to indicate it is on
icons, or non-standardized
(suggesting danger), while on another it is color-
use of color or how
coded green to indicate it is on (indicating “go”
information is displayed.
and a valve is in operation).
Loss of situation awareness and failure to
respond to an escalating emergency (as
Hidden information e.g.,
occurred during the Buncefield accident, where
important information is
the graphic display showing the 912 tank level
hidden from view.
was hidden behind other tank displays [38]).
See 9.3.2 for more information.
Too much information shown on a screen can
Cluttered information. make it difficult to detect and interpret
important information.
Graphics and on-screen information does not
In conflict with mental correspond to the how things are in the real
model e.g., does not world. For example, indicators for fuel tanks are
correspond to real world not shown in a graphical representation in the
stereotypes and same orientation of position as they are in the
conventions. real world. This may cause the wrong fuel tank
to be selected for filling.
Not error tolerant e.g., The wrong information can be received or the
does not provide prompts wrong information input, due to a slip or lapse,
on important actions. for example when entering numbers.
Table 9-1 continued

Graphical User Interfaces (GUIs) – electronic display, such as monitors
Feedback on the system Continue to press the same or different buttons
status e.g., no or delayed or keys, may cause delay in operation of
feedback that a control has inputting many changes to system state that
been activated. could lead to process failure.
Multiple electronic screens
that serve different User can pull up incorrect screen and activate
functions are similar in unintended function.
layout, look/feel.
Hand-held equipment
High physical demands to
Can lead to chronic injury or misuse, where the
hold and use equipment
item is not used as intended or not at all. Slips
that is a difficult weight,
and lapses can lead to acute injuries.
size, or shape.
Physical controls
Lack of labelling on pipes,
valves and other Wrong valve is selected, leading to process or
equipment to help identify safety incident.
items.
Label does not indicate the Wheel or valve is turned in the incorrect
direction to turn a wheel or direction: valve that should be closed is left
valve. open, leading to process or safety incident.
Alarms
Wrong alarm or indicator is prioritized. Delay in
response.
Alarm flooding e.g., During the Fukushima nuclear disaster in Japan
multiple visual indicators (2011), control room operators were initially
or auditory alarms occur flooded with alarms. This caused them to
simultaneously. become overwhelmed and overloaded with
information, which severely affected their ability
to respond.
Important alarms are ignored or missed,
Nuisance alarms e.g., because they are masked by other alarms.
alarms that sound but that Operators become used to alarms sounding, so
do not indicate a problem. they are more likely to ignore or not react
quickly when they do sound.
High priority alarms are
Failure to recognize and respond to a high
not easily distinguished
priority alarm. Delayed response.
from low priority alarms.
9.6 Example of poor equipment Human Factors
Figure 9-4 shows an image of two control screens for a set of filters and vessels.
Design issues with the panel include:
• The screens are mirrored images. The filters 1 to 4 are shown on the left
of top screen and filters 5 to 9 are on the right side of the top screen. On
the lower screen, filters 1 to 4 are shown on the right and filters 5 to 9
are shown on the left. This creates a potential for the operator to
confuse the filters between the two displays.
• The screens have no “mimic” of the connections between the filters and
vessels.
• The lower screen is very cluttered.
• The PSI indications are equidistant between the vessels at the bottom of
the lower screen, creating a potential to confuse which vessel the PSI
indicator relates to.
• Some of the indicated values obscure the vessel abbreviated names.
• The “FLOW In Out” labeling is not meaningful.
• Red text is used on the upper screen for RESET despite this not being a
warning.
• The gallons are shown in the upper screen as seven digit numbers such
as 3808998 which is harder to read than 3,808,998.
Figure 9-4: Control and instrumentation panel
[40]
9.7 Supporting human performance by good equipment design
9.7.1 User-centered design
When designing or buying equipment it is important that it meets user

requirements, is easy to operate, and is designed to reduce errors.
A key principle of Human Factors is that the user remains central to the design
process. This ensures that equipment is fit for purpose and works in the way the
user needs it to. The ISO Standard 9241-210:2010 can be applied [41]. Methods to
help do this include:
• Integrating user opinion – obtaining Figure 9-5: User- centered

and making use of user input throughout design
the equipment design or procurement
process.
• Understanding the task and task Understand task
demands – gathering information about
task objectives and the different types of
inputs or outputs needed to carry out a
task e.g., information, required actions.
• Consulting users – taking time to Consult users and learn
explore and capture the user’s from experience
requirements: what they want the
equipment to do, and how it should
function. Also trying to identify issues that
can make operating the equipment more
difficult (e.g., reading labels with poor Apply Human Factors
lighting). good practice principles
• Learning from experience – identifying
problems that users have previously
encountered with equipment by, for
example, carrying out interviews or
checking incident/accident reporting. Test and accept
• Using Human Factors good practice
design principles – see section 9.7.2 for
more information.
• Carrying out usability assessments e.g., user trials prototyping, mock-
ups – exploring how well equipment works by asking users to act out a
scenario (a series of typical tasks) involving the actual equipment, or a
prototype or mock-up of the proposed design.
• Conducting user acceptance testing – asking users to test out an

advanced (almost finished) prototype of the product before they
purchase or accept it. It should be tested against the user requirements
identified at project outset.
Prototypes
A prototype or mock-up can come in different forms and to different levels of

realism or fidelity (level of accuracy when compared with the finished design).
At the outset of the project this could be a paper-based description of the
equipment or a drawing. As the design matures, this could become a more
realistic prototype, e.g., a physical life-sized model.
Virtual plants created in 3D can be used in design and training.
9.7.2 Human Factors design principles
In addition to ensuring that the user is central to the design process, there are
several simple design principles to follow. Many Human Factors standards are
available, such as ISO 26800:2011 Ergonomics — General approach, principles and
concepts [42]; ISO 6385:2016 Ergonomics principles in the design of work systems
[43]; ISO 11064-1:2000(en) Ergonomic design of control centers — Part 1: Principles
for the design of control centers [44]; and EEMUA Publication 201 Control rooms:
a guide to their specification, design, commissioning and operation [45].
The book “Designing for Human Reliability” by Ron McLeod is also

recommended as further reading [46].
9.7.2.1 Create a system that is more error tolerant
Some design principles that can help

equipment to be more error tolerant include:
• Preventing error – such as an

interlock preventing an inappropriate
command or action from being
carried out.
• Indicate changes – information that
can be changed is clearly indicated, and changes made are clearly
communicated to users.
• Recovery methods – one example recovery method is a ‘cancel’ button
with the confirmation being a pop-up menu with a warning such as “You
have selected to Stop Pump X. Please click OK to confirm”.
• Protecting against error – ensure settings cannot be adjusted by
anyone unless they can demonstrate special permission. Make sure that
any information that can be changed is clearly indicated.
9.7.2.2 Support the body (consider the physical aspects of work)
Good equipment design should consider the physical world and how it minimizes
error and supports human performance in terms of:
• Environment – consider the context where equipment is used e.g.,

ensure audible alarms can be heard over background noise.
• Visibility – place controls or displays where they can be seen. Consider
distances, glare or reflection, contrast, angle of view, and layering and
stacking. Displays and controls should be legible to people with different
visual acuity (distance from which displays can be read).
• Anthropometry – ensure equipment is
designed to accommodate the limitations of
the human body with regards to body size,
shape, strength, mobility, flexibility, reach,
working envelope and working capacity. Use
appropriate anthropometric estimates /
database information for the anticipated
workforce (design for 95th and 5th percentile
female versus a 95th and 5th percentile male).
• Access – ensure sufficient space for operators
and maintainers to gain access to and into
machinery or equipment. This is so that they
can reach necessary subassemblies or
components, and reach equipment in order to perform the required
tasks.
• Clearance – ensure that the usual space around items is large enough
for the largest workers to pass comfortably and without risk of harm.
• Labelling – labels should clearly show an association to the item that
they relate to, as well as being readable and meaningful. For example,
labels should be placed above the push button / switch to allow the user
to clearly see what control is being activated without being blocked by
their hand/arm.
9.7.2.3 Support the mind (consider the mental aspects of work)
People are “programed” from birth to respond to

information in the world in a certain way. Good
design should work with rather against these
natural tendencies.
For example:
• Stereotypes and conventions – follow

known stereotypes or conventions,
such as color-coding, opening and closing of things, turning items off
and on. Ensure that this convention is applied consistently across the
design of all equipment to avoid confusion. Thinking specifically of
electrical panels with indicator lighting either green or amber, indicating
active / energized or deactivated - this should be consistently applied
across panels, buildings, etc.
• Affordance – use the form of equipment or an object in the way it
should be used. For example, buttons “afford” pushing, handles should
be pulled as noted in section 9.4.
• Uncluttered information – cluttered information can be off-putting and
difficult to read. Ensure appropriate spacing and the use of blank areas,
especially for Graphical User Interface (GUIs) displays, to help people
view relevant information.
• Simplicity – only provide information or controls that a person needs to
do their job.
• Co-location (items are near one another) – ensure related controls
and displays are located adjacent to each other.
• Consistency – ensure equipment design is consistent. For example, all
hard-wired interfaces conform to the same rules e.g., the emergency
shut-down button is always top right, and all local control panels have
buttons in the same layout.
• Feedback – provide timely information on user input so that users can
tell when the system has been changed or is doing something. For
example, with touchscreens (where the feel of a physical button is not
present), feedback can be provided with the touchscreen image
changing color or flashing, or with “haptic” feedback such as vibration.
• Natural mapping – set out information mimics (mimics are an exact or
approximate graphical representation of a process plant with integrated
indicators and instrumentation) and displays, so that they correspond to
things in the real world. For example, a touchscreen control panel to
move a crane should be orientated to correspond with the crane’s actual
movements. More information on natural mapping is provided in
section 9.7.2.4.
9.7.2.4 Supporting mental models and natural mapping
A key process safety measure in process industries is for control room staff to
know what is happening out on the plant, and what processes are currently in
operation. This means having a representation in their minds (or a “mental model”)
of the plant function, so that they can start and stop processes as needed and
intervene if something goes wrong. The “correctness” of the mental model will
influence the correctness and appropriateness of the operator’s actions.
One of the problems at the Buncefield site (see Section 9.3) was that the control
room staff did not have a clear mental model of which tanks were being filled or
of their status. If they had, they might have realized that tank 912 was being filled
to an unsafe level, and they could have stopped the filling process.
A key aid to helping provide an accurate mental model are “mimics” that display
the plant status. These mimics should be designed so that they give correct
information that is easy to interpret. When the operator makes changes or inputs
to the system, they should be provided with accurate and timely feedback in
response to their actions. A key aspect of supporting this mental model is, as far
as possible, to “map” to the arrangements in the real world. This is called “natural
mapping”.
A familiar example of natural mapping is the relationship between a cooking

stove and its controls. Commonly used mapping means that it is not always
obvious which control maps to each cooking ring. Their relation to one another is
usually indicated by a diagram next to the controls that shows which control works
for each cooking ring. With good natural mapping this would not be necessary, as
the controls would be mapped in such a way that no additional guidance or
information would be needed. It should be obvious how the cooking rings are
operated. Figure 9-6 illustrates a way to naturally map the controls to the burner
without the need for a diagram.
This is called “knowledge in the world” rather than “knowledge in the head”.
This means it is not necessary to know or remember any additional information to
understand how an object should be operated.
Figure 9-6: Examples of good and poor natural mapping for a stove
Poor mapping places a higher burden on memory, leading to greater mental

effort and a higher chance of error. With the example of the stove, trial and error
can be used to figure out the correct operation and mistakes can be corrected. It
is a different matter with a complex system where errors could have severe
consequences.
The three main levels of natural mapping between controls and the object
being controlled are:
1. Controls are on the item to be controlled e.g., a water faucet where the
control and water outlet are part of the same unit.
2. Controls are as close as possible to the object to be controlled e.g., the

control and the object are co-located.
3. Controls are arranged in the same spatial configuration (or layout) as the
objects to be controlled, as shown in Figure 9-6.
Figure 9-7 provides an example of natural mapping and a graphic of a process

that can be understood without specialist understanding of the process. It shows
the relationship between the piping, pumps valves, and reservoirs.
The controls to open and close the valves, and to turn the pumps on and off
are co-located. The blue arrow shows the reservoir is filling, and the gauge
associated with the valves and reservoirs indicate flow and fill rate.
The display could be further supported by an alarm that indicates a difference

in flow and fill rates. Such an alarm would have identified the inconsistencies
between tank level and filling rates on tank 912 at Buncefield.
Figure 9-7: Example of good practice in natural mapping
9.7.3 Alarms
The use of, and response to, alarms plays a critical role in plant and process safety.
Despite this, control rooms often operate with less than optimum alarm
management, for example:
• Alarms are not identified – alarms are missed because they are either
not seen or not heard, or because they are ignored due to previous
nuisance alarms or “alarm flooding”.
• Alarms are incorrectly prioritized – alarms do not indicate the priority,
or the priority is difficult to determine e.g., if audible alarms of different
priority sound the same.
• Alarms are not informative – alarms do not come with supporting
information that provides additional information about what the
problem is.
• Response is not defined – it is not clear how the operator should

respond.
• Alarm flooding – too many alarms or too many alarms in quick
succession going off can make it difficult to determine the underlying
issue.
• Nuisance alarms – alarms that sound, but that do not require a
response, due to poor calibration of sensors, can cause confusion. In
some cases, operators actually respond to an alarm in the field believing
that it is a nuisance alarm from past experience and are not prepared or
ready to manage the situation.
• High number of shelved alarms – alarms may be silenced even though
they have a purpose. This commonly occurs with nuisance alarms or
with standing alarms, where alarms remain in an active state for a long
period of time (usually due to malfunction or poor design of the alarm
system or processes).
Alarms should be designed to accommodate the limitations of users and

should apply good Human Factors design principles.
Further guidance on the management of alarm systems and alarm design is

provided in Publication 191 by The Engineering Equipment and Materials Users
Association (EEMUA) – Alarm systems: Guide to design, management and
procurement EEMUA [47]. This guidance is very comprehensive and explains the
overarching philosophy of an alarm system, setting out what alarms systems are
and how they should function. The guidance provides key principles of alarm
system design, advice on measuring alarm performance, and how to make
improvements. It also includes an extensive appendix of advice and tools to tackle
all aspects of alarm system management.
EMMUA 191 sets out a very simple performance metric to help assess alarm
system performance that shows how this can impact on operator ability to
respond. These are as follows:
• Average alarm rate in steady operation = less than one alarm

annunciating per 10 minutes.
• Total number of alarms annunciating in the 10 minutes after a plant
upset = under 10 alarms.
• Average number of standing alarms = under 10 at any one time.
• Average number of shelved alarms = under 30 at any one time.
The EMMUA 191 guidance goes on to suggest that if these benchmarks were
achieved, operators would find alarm systems more manageable. A summary of
the key principles of good alarm design is shown in Figure 9-8.
9.8 Mitigating poor design
Interfaces and control panels may be difficult to change. In addition, replacing or

upgrading equipment may take a long time. If problems with equipment are
identified for any reason, then the following options could reduce the impact of
the equipment design issue:
• Provide or improve existing labelling to make the function of controls

and displays clearer and/or to provide warnings.
• Introduce robust additional independent checking. It is important that
independent checks are managed so that they must be carried out. For
example, a signature or other confirmation must be provided to prove
that the check has been done, with clear accountability if omitted.
• Provide additional training to enhance competency in using complex or
poorly designed equipment. Training can also be used to indicate areas
for potential confusion or to point out common errors.
• Support training with detailed procedures that provide guidance to
explain complex equipment or to highlight potential issues and
problems.
• Provide additional screens so each can display different information, or
large screens where information can be split into different views while
maintaining easy readability.
• Use supporting tooling or equipment, such as task lighting.
• Change sensor calibration to avoid nuisance or problem alarms.
It is important to remember that mitigating poor design may not be simple nor
effective. Introducing measures to compensate for poor equipment design such
as delivering additional training, implementing additional checking steps or writing
new procedures can be a difficult undertaking. It can also shift the emphasis of risk
management towards administrative or organizational controls. This can be a
significant burden to maintain and increases the opportunity for human error, or
shifts the error to a different element of the system (i.e., failure of administrative
controls).
Figure 9-8: Principles of good alarm design
Alert
Alarms should focus operator attention on the
important or urgent issues
Inform users
Alarms should provide information to help users
understand the issue, and then decide upon
appropriate actions
Account for human limitations

Alarms should be deesigned with users in mind
Indicate importance
Alarms should indicate the priority of the alarm
and the timeframe for response
Provide a defined response

It should be clear what response is required when
an alarm occurs
Be easy to interpret
Alarms should not require uses to obtain
additional information from other sources befoe
they understand how to respond
• Poorly designed equipment can cause people to make mistakes,

especially if they are fatigued, time pressured, stressed, or
inexperienced.
• It is important to be able to identify the signs of poor design and
understand how they impact on performance.
• Use Human Factors principles in the design of equipment.
• It is important to include users of equipment when designing and testing
new equipment. Users can also provide key information on learning
from experience.
Performance CCPS.
Part 4: Operational competence

Performance CCPS.
10 Human performance and operational competency
This Chapter provides an overview of the Human Factors of operational (process

operations, production and maintenance) Competency Management, and explains
how competency leads to safer performance. The term ‘operational’ refers to the
skills and knowledge such as understanding of process hazards and how to
operate and maintain equipment. By the end of this chapter, the reader should be
able to:
• Understand what is meant by the terms competency and Competency

Management.
• Recognize the importance of operational competency in safety critical
tasks, and error prevention.
The CCPS “Guidelines for Risk Based Process Safety” [24] cites “Process
Safety Competency” and “Training and Performance Assurance” as
elements.
The CCPS “Guidelines for Defining Process Safety Competency

Requirements” [50] provides an overview of process safety competency.
This Chapter and Chapters 11, 12 and 13 build on the CCPS guidelines
by providing additional insights and advice on the Human Factors of
competency, learning, and Competency Management. These Chapters
focus on operational competency.
10.2 What is competency?
Competency is commonly regarded as a set of skills, knowledge, and practical

experience or abilities that enable people to reliably perform tasks efficiently and
safely. This includes routine tasks, and unexpected situations and changes to usual
activities.
Competency is also defined as the ability to perform work activities reliably and
consistently, to the required standards. Competency can be measured against
these standards. A term such as “Suitably Qualified and Experienced Person
(SQEP)” can be used to indicate that a person is competent in their role/in the tasks
they are conducting. This includes routine and non-routine tasks; abnormal and
upset; first line emergency response; safety-critical maintenance, inspection and
testing activities.
Competency includes not only the application of technical skills and knowledge,
but non-technical skills such as communication; this is important for supervisory
roles.
10.3 Competency Management
Competency Management refers to methods used to categorize and track the

development of employee’s competency. This allows the organization to track
progress and identify training needs.
Clear competency performance standards should be developed. People should

also receive appropriate training and development opportunities, to maintain their
competency over time. Key steps in achieving process safety competency are
shown in Figure 10-1. The five phases follow:
• Phase 1: Establish Requirements – Determine competency
Before starting Competency Management, it is important to identify

activities that may affect operational, and/or occupational safety. Risk
assessments are especially useful here, as they can identify safety critical
tasks (see Chapter 6 for advice on Safety Critical Task Analysis).
All the requirements for the position should be identified. As a priority,
the focus should be on safety critical task and required competency,
followed by all other tasks’ competency requirements.
The next step is to identify and define operational competency and
performance standards for these tasks.
• Phase 2: Identify Learning Requirements
This phase includes assessment of the gap between individual and team
competency, and the competency that individuals need to develop. It is
then necessary to identify the learning required to bridge the gaps,
including the type of learning most suitable to develop and demonstrate
the competency. This includes providing a description of learning
objectives, to aid development of the on-the-job learning and training
programs in Phase 3.
• Phase 3: Develop Competency
Relevant learning and coaching programs are designed to target

competency gaps and fulfil the learning objectives defined in Phase 2.
These programs are provided to selected individuals.
10. Human performance and operational competency 119
• Phase 4: Maintain and Assess/Reassess Competency
Monitoring and feedback from the workers ensures that performance

standards are maintained over time, and updated in line with changes
related to procedures, technology, and ways of working.
• Phase 5: Verify, Audit, and Review Competency Management
As with all aspects of safety management, the implementation and

effectiveness of learning and competency assessment should be audited
and reviewed. The review may include, for example, checking whether
competency played a role in incidents. The results of audits and reviews
should be used to make improvements or changes to Phases 1 and 2.
More detail on Phases 1, 2, 3, and 4 are provided in Chapters 11, 12, 13 and
14, in order.
Figure 10-1: Competency Management

10.4 An example of effective Process Safety Competency Management
In 2011 Warwickshire Oil Storage

Ltd (operated by Shell at the time of
this publication) engaged an
external consultancy to introduce a
Competency Management
Systems, as the General Manager
recognized the importance of
competency, and Competency
Management in:
a) Safe operations and

reducing incidents.
b) Increasing workers’ Warwickshire Oil Storage Ltd

feelings of success, and (Credit: Angella Streluk)
self-efficacy.
Warwickshire Oil Storage Ltd followed a process to identify high-risk tasks, and
to define competency standards. Good practice aspects included:
• Leadership’s recognition that competency plays an important part

in safety: the Warwickshire Oil Storage Ltd general manager drove the
initiative.
• Extensive process to identify high-risk activities: subject matter
experts methods to identify high-risk activities (e.g., accident hazard
scenarios, Bow Tie diagrams, and human error analysis).
• High level of employee engagement: operators and supervisors were
involved in identification of safety critical tasks, and related competency.
Employee engagement in Competency Management Systems
development contributed to an increased sense of involvement in safety
matters, and a sense of ownership.
• Clear and transparent competency matrices: the Competency
Management Systems matrices were used jointly by employees, and
their line management. This resulted in a collaborative approach to
identifying competency and devising developmental plans.
• Use of multiple assessment methods: Warwickshire Oil Storage Ltd
used several knowledge and practice-based methods to assess
individual competency. A combination of assessment methods leads to
more objective and accurate assessment and verification of required
competency.
• Commitment to continual improvement of the Competency

Management Systems: Warwickshire Oil Storage Ltd was aware that
competency requirements and job roles can change and recognized the
importance of regular job and task analysis.
10.5 An example of gaps in operational competency
The Esso Longford gas explosion in Australia in 1998 was an industrial accident
with severe consequences [20]. It is summarized in B.3 (page 387).
Several factors contributed to the accident, including:
• Engineers being relocated off-site;

• A focus on lost time injury rates;
• Poor audits;
• Management control failure;
• Inadequate regulatory systems;
• Government failure to provide alternative gas supply; and
• Market forces leading to a cost-cutting business strategy [48].
Deficiencies in operators’ knowledge, due to flaws in training and operating

procedures, were reflected in their actions on that day. Operators and supervisors
focused on Gas Plant 1 (GP1), specifically on the leak in flanges of heat exchanger
- GP922. Operators’ steps to restart the lean oil pumps were intended to restore
heat in GP922, and to reduce the temperature differential across flanges. This was
thought to be responsible for the leaks.
“Though the existence of a link between this failure and the occurrence of
the accident is hard to evaluate, appropriate management of change risk
assessment may have exposed important and relevant weaknesses in the
level of operator knowledge, in training programs, in communication
systems, in operating procedures and in other aspects of Esso’s
management system.” [20]
The operators and supervisor present on the plant on the day of the accident
were highly experienced individuals, yet no-one recognized the hazards associated
with the plant conditions.
The gaps in knowledge were due to failure of training programs, as noted in

the Royal Commission Report [20].
The Longford Royal Commission inquiry identified issues affecting operators’

competency as follows:
• Training programs: the programs did not include training with respect
to hazards associated with the loss of lean oil flow, hazards associated
with uncontrolled flows, critical operating temperatures of vessels, or
circumstances where brittle structure may occur.
• Plant Operating Procedures Manual: the Operating Procedures did
not contain any reference to loss of lean oil flow, or procedures on how
to deal with such events. Some information referring to the “Loss of
Lean Oil Circulation” could be found in the Red Book (1975 Operating
Instructions for Absorption Oil System), which was located in the training
room, and was not part of the Operating Procedures.
• Lack of understanding: the operators did not fully understand the
dangers of cold metal embrittlement, due to flaws in their training and
assessment.
• Knowledge assessment failures: the assessment did not test for real
understanding, because operators could give the correct answer to
questions without understanding the meaning of their answers – they
were learning by memorization. For example, operators knew the
correct answer to a question on the action of a valve was to “prevent
thermal damage” but did not know what was meant by “thermal
damage”.
• Reassessment of knowledge: this was conducted superficially on the
basis on operators’ self-confirmation of knowledge, rather than
examination of their understanding. Operators were asked if they
understood the matter. If they said “yes”, they were “ticked off” as
competent.
Collectively, these factors contributed to limited supervision, lack of expert

advice, and impaired information checking process and, therefore, impacted
overall competency.
Employees require relevant knowledge, procedural

See Chapter 3 for
competency, and skills (as noted in the SRK: Skill-based,
more information
Rule-based and Knowledge-based model) to perform well in on the SRK model.
emergency situations.
Operator competency, and actions during the day of the accident, played a
significant role in the outcome of the event. Three main factors impacted
competence.
The first factor was the number of on-site staff. Numbers had been reduced
due to gradual reduction of staff (over the period 1993 to 1998). The number of
supervisors and associated staff was reduced from 25 to 17 and the number of
maintenance staff was reduced from 67 to 58. This staff reduction led to
competency degradation. In addition, there was no shift handover from one

supervisor to the next one, as the incoming supervisor had arrived late.
The second factor was the reduced expertise on plant, due to the centralization
of engineers. All Longford engineers were relocated to Melbourne. Melbourne is
140 miles (230 kilometers) away from Longford, so any “technical” help was not
around the corner. Engineers lost awareness and detailed knowledge of the plant
activities; and operators were less able to consult engineers when required and
lacked the additional on-site support and expertise to maintain safe operations.
The final factor was the organization’s Competency Management Systems. The
training programs, knowledge assessment, and operating procedures failed to
equip operators with the required knowledge and skills to cope with emergency
situations.
10.6 Competency influencing factors
Human performance is influenced by individuals’ knowledge and skills. The

acquisition of competency is dependent on organizational efforts to ensure people
are competent. Competency in process operations is of great importance. Efforts
should be made to ensure that organizational changes, such as staff reduction, do
not negatively impact upon competency. This is accomplished through the
management of organizational change [49].
Human performance is only partly dependent on individuals' knowledge and

skills. Instead of focusing on how can individuals perform perfectly, the emphasis
should be on:
• How can the system help set the individual up for success?
• How can the system absorb mistakes that the individual can make?
Systems should be put in place to manage competency at individual and

organizational level. Key features of effective process safety Competency
Management are shown in Table 10-1.
Table 10-1: Key features of effective process safety Competency Management
Effective process safety Competency Management
• Competency should be linked to safety critical tasks identified in risk

assessments.
• All individuals engaged in safety critical tasks (including supervisors
and managers), are required to fulfil competency standards.
• Training is an important component of developing competency and
should include the underlying process basis for the criticality of tasks.
• Knowledge and the application of knowledge should be verified.
• Competency assurance should include “business as usual” activities,
infrequent and complex activities, and emergency situations.
• Competency assessment should be proportional to the safety
criticality of the tasks. Safety critical tasks should be subject to more
robust and more frequent assessment.
• Competency encompasses knowledge, skills, and practical experience

required to perform work tasks to the required standards.
• Competency (or a lack of) directly contributes to major accidents.
• Competency development and maintenance improves human
performance and minimizes the potential for errors, especially when
combined with a robust and error tolerant system.
• Competency can be achieved by a systematic approach to identify,
assess, develop, and maintain safety critical competency.
Performance CCPS.
11 Determining operational competency requirements
This chapter focuses on competency of people performing safety critical tasks.

Being competent to perform all tasks, not solely the safety critical tasks, is
important, as noted in the CCPS “Guidelines for Defining Process Safety
Competency Requirements” (2015) [50]. The “Guidelines for Risk Based Process
Safety” [24] puts forth the approach of allocating effort commensurate to the level
of risk. The IChemE “Process Safety Competency Guidance” [51] also offers useful
information on how to build and develop process safety competency.
There may be many tasks in a large process plant. It is appropriate to spend

more effort on tasks that, if conducted poorly, could result in greater potential
consequences. Therefore, these Chapters on competence focus on safety critical
tasks.
The success of Competency Management is supported by the identification of

safety critical tasks, operators’ competency, and the performance standards
required for these tasks.
• Identify the level of learning for low and high-risk tasks.

• Explain how to identify required competency for safety critical tasks.
• Define performance standards.
11.2 Identify and define safety critical competency: overview
Activities in the process industry are often carried out in difficult conditions.
Hazardous environments, complex processes, and production pressures demand
higher levels of competency.
Prior to defining competency requirements, tasks and activities should be

ranked in terms of their safety criticality. This can be done by conducting Safety
Critical Task Analysis and Hazard Identification and Risk Analysis, as outlined in
Chapter 6.
11.3 Step 1: Identify safety critical tasks
Safety critical tasks should be identified, followed by

See Chapter 1 for more other tasks required to complete activities. The final
information on Safety
output of this phase consists of a list of safety critical
Critical Task Analysis
activities, and their competency standards, as shown
and Hazard
Identification and Risk in Appendix C. As noted in Chapter 6, the following
Analysis activities can help to identify safety critical tasks:
• Safety Critical Task Analysis (SCTA).

• Difficulty, Importance and Frequency Analysis.
• Identification of safety critical tasks noted in:
o Operation and Maintenance procedures.
o Risk assessments.
o Job/Task analysis.
o Existing lists of safety critical roles and tasks.
The assessment should include normal Operators and supervisors are

process operations, process upsets, planned often involved in this phase, as
and unplanned maintenance, and infrequent they are knowledgeable of the
activities such as start-up and shut down. tasks and associated risks.
Figure 11-1 links the level of safety criticality to the level of training and
competency assurance. Each task can be rated against:
• Task criticality.
• Task complexity.
• Task frequency.
• Time available to complete the task.
Learning needs and their requirements range from “Very High” to “Very Low”.
For example:
• “Very High” learning requirements correspond to:
o Experiential learning – on-the-job learning, instructions and

assessment
o Extensive, multiple method of learning (e.g., on-the-job learning
combined with mentoring and coaching)
o Assessments (e.g., in situ assessment, knowledge questions and
observation of performance).
• “Very Low” requirements correspond to:
o Classroom learning/training – based, largely on theoretical
knowledge with little or no assessment.
Figure 11-1: SCTA and Level of Training
Key:
CK = Checklist.
GC = Grab card.
DT = Decision tree
Info = Information (e.g., chemical safety
datasheet)
Log = Operational log
M = Manual
SH = Shift Handover
SOP = Standard Operating Procedure
11.4 Step 2: Identify required competency
Operational Level – Job and Task analysis
Job and task analysis explore the required job or task competency in detail and
provide inputs for defining performance standards.
“Task analysis for training design is a process of analyzing the kind of skills and
knowledge that you expect the learners to know how to perform” [52, p. 3].
A task analysis is a systematic breakdown of a job into its component parts. A

task analysis is conducted by collecting information from subject matter experts,
ideally, using a walk-through/talk-through process. Where the subject matter
expert demonstrates how the task is carried out. This can be supplements with
interviews, focus groups and additional observations.
A task analysis comprises the following roles:
• Defines tasks and subtasks.

• Specifies knowledge, skills, and attitudes required by each team member
to complete the tasks.
• Determines learning goals, and objectives.
• Determines learning activities, and training requirements.
A task analysis provides a breakdown of task steps and decision points to be

taught in training of procedural tasks.
A distinction can be made between knowledge

See Chapters 5, 1, 7 and 8
and skills an individual or team needs (i.e., “what for more information on the
individuals need to know”) and knowledge which design and role of manuals
can be accessed from elsewhere (such as from and procedures.
operating procedures and manuals). For example,
it may not be feasible to remember lengthy operating procedures (e.g., 20 or more
pages long). Therefore, the focus of the training should be on providing where to
find the relevant procedure, how to understand the procedure and how to use it.
Task analysis indicates which type of knowledge (information content) the

training/learning opportunity should provide, such as:
• Memory-based information – information that trainees need to

remember (e.g., what are the visual signs of excessive rust).
• Resource access and their application – information that teaches
trainees:
o Where to access specific knowledge (e.g., procedure).
o When and how to apply this knowledge (e.g., in which
circumstances/situations to use the procedure, and how to use it
appropriately).
11. Determining operational competency requirements 131
Safety Critical Task Analysis can be used to make a distinction between which
type of knowledge should be provided during training. The Safety Critical Task
Analysis can be applied as follows:
• Very high to high Training Assurance – training would be performed

frequently using flow charts and specific procedures, until task
performance becomes automatic.
• Medium Training Assurance – training would focus on application in
practice with the help of procedures or manuals (“where” and “how”).
• Very low to low Training Assurance – training would focus on “where” to
access information, “when” to use it, and “how” it should be applied in
practice.
Various forms of job and task analysis exist. Some examples of task analysis
methods include:
• Hierarchical task analysis – breaks down a task into a series of sub-tasks

using a diagram.
• Tabular task analysis - presents the task, and sub-tasks steps in a table.
• Cognitive task analysis - can identify the cognitive requirements for the
job, such as decision-making, memory, and attention.
For illustration purpose, this Chapter focuses on tabular form analysis, as this
form of analysis allows for clear identification of required competency. The tabular
task analysis can identify required skills, procedural competency, and knowledge
per task and sub-task. It can also support decisions with regards to training
(memory-based information versus resource access and application).
The task analysis used in Chapter 6 is extended here for the purposes of
identification of required competency. In Appendix D, Table D-1, Table D-2 and
Table D-3 provide different levels (1, 2, and 3) and type of tasks (Skill-based, Rule-
based and Knowledge-based).
If relevant, task analysis can identify dependencies of individual tasks/sub-tasks

(e.g., Sub-Task C “opening a gas pipe” is dependent on Sub-Task B “Isolate and
depressurize the gas pipe”). These dependencies should be included in a training
syllabus.
It should be noted that the competency performance standards shown in

Appendix D (Table D-1, Table D-2, and Table D-3) detailing proficiency progression
may require adjustment in some cases. For examples, individuals with functional
illiteracy may require adjustment in terms of how individuals develop these skills
and progress from one level to another. Functional illiteracy consists of reading
and writing skills that are inadequate "to manage daily living and employment
tasks that require reading skills beyond a basic level". An example could be to
replace written procedures with on-the-job training that uses detailed verbal
instructions and tasks demonstration.
11.5 Step 3: Define performance standards
This stage involves defining performance standards and assessment criteria.

Performance standards should be clearly defined and linked to performance
assessment criteria. These are illustrated in Chapter 14.
This entails the following:
• Analyzing and identifying required competency (Knowledge, Skills and

Attitudes) for the tasks identified in Step 2.
• Describing adequate performance of tasks.
• Defining measurable criteria by which to assess performance.
The final output of this stage includes:
• Performance Standards.
• Key competency list consisting of:
o Skills (e.g., torqueing a bolt).
o Rules and procedure competency (e.g., able to enact
procedures, able to diagnose faults).
o Knowledge (e.g., understanding a chemical reaction).
Skills may include non-technical skills (e.g., communication, teamwork)

required to complete the task to required standards. More information on non-
technical skills is provided in Chapters 20 and 21.
The required standard of performance also needs to map onto individual

progression from beginner to expert, as in Table 11-2. A competency matrix may
be further broken down into certain levels (e.g., ranging from basic awareness to
mastery, to identify individuals with different competency), and allow for employee
development and progression.
CCPS “Guidelines for Defining Process Safety Competency Requirements”

(2015) [50] contains examples of competency matrix.
Consideration should be given to pre-requisites for certain roles, e.g., degree

in engineering, or number of years in a specific role to enable entry to a
competency level. As noted in Chapter 14, prior qualification and experience may
also be a means of determining if competency requirements (performance
standards) are met.
It is also possible that a generic standard may already exist as per the example
in Table 11-1. A generic standard can be used instead of a customized standard. A
11. Determining operational competency requirements 133
check is required of whether the generic standard identifies and includes all of the
competency required for a specific process operation. If it does not, then the
specific competency should be identified, and added in.
Table 11-1: An example industry standard
In the United Kingdom, Offshore Petroleum Industry Training Organization

(OPITO) Standards and Qualifications [53] provides competency standards for:
• Technical Roles - e.g., Lifting Roles, Safety Representatives, Deck Roles,

Gas Testing, and Performing Authority Roles.
• Basic Emergency Response has been developed for survival and
emergency response situations.
• Specialist Emergency Response - e.g., Management of Emergency
Response, Helideck and Emergency Response Teams, and Emergency
Response and Rescue Vessels.
The competency standards should take into account the allocation of roles
among a team. For example, a supervisor may be required to have the ability to
develop a safe operating procedure, while an operator is required to be able to
understand and apply the procedure.
An example of a competency standards matrix [54] containing generic and task

specific criteria is shown in Table 11-2 and Table 11-3.
Table 11-2: Generic example of a competency standards matrix
(table adapted from [54])
Competency – Job Level Requirements – Generic Criteria

Level 1: Awareness Level 2: Basic Application Level 3: Skilled Application Level 4: Mastery
• Have detailed knowledge

of principles, and • Have full understanding of
• Understand basic • Have broad knowledge of applications. theoretical principles and
concepts, and practices.
theoretical principles, and • Be able to work without
principles of the
practical applications. supervision. • Have detailed knowledge
tasks.
• Participate in designing field • Share and transfer of industry standards,
• Have general applications. trends, and best practices.
information, best
knowledge of
• Participate in routine practices, and lessons • Design, develop, and
technical subjects,
implementation of field learned. transfer knowledge.
procedures, and
their applications.
applications. • Serve as mentor and/or • Lead networks, provide
coach for junior mentors and coaches.
employees.
Table 11-3: Petrochemical example of a competency standards matrix
(table adapted from [54])
Competency – Job Level Requirements – For Petrochemical Staff of Cairn India Limited (CIL) “Reservoirs”
Level 1: Awareness Level 2: Basic Application Level 3: Skilled Application Level 4: Mastery
• Describe • Be able to characterize • Interpret reservoir maps and • Participate in integrated
lithostratigraphic reservoirs based on integrate them with seismic reservoir studies and
(strata or rock layers) interpretations of interpretations to predict recommend new strategies for
sections in cores and sedimentological and structural reservoir size, geometry, and optimizing reservoir models.
outcrops, based on models. trends. • Know the current state of the
sedimentary rock type • Build and interpret isopach and • Use regional geology art in reservoir
classification. net-to-gross sand maps. concepts and integrate them characterization and apply
• Use log • Characterize reservoir quality with seismic data to predict new techniques to improve
interpretations to based on sedimentological and reservoir trends. results.
generate petrophysical rock properties. • Create conceptual geological • Develop and foster networks
lithostratigraphic models from diverse data outside of Cairn, to access
descriptions and
• Be able to interpret diagenetic
processes in sediments, and sources, in preparation for specialists experienced in
identify facies. constructing geocellular various types of reservoirs.
construct paragenetic
• Determine reservoir sequences using textural models. • Visualize potential application
rock quality using information from a variety of of the adequate reservoir
core-sampling sources. geological models, to enhance
techniques.
• Be able to integrate diagenetic reservoir production.
• Recognize basic events with structural history. • Lead mentors and coaches.
techniques for
processing and
• Adopt a Quality
Assurance/Quality Control role
validating reservoir
wherever necessary and
data.
appropriate.
• Activities can be prioritized according to their safety criticality when

determining performance standards.
• Task analysis is used to identify competency required for tasks. Priority
is given to safety critical tasks.
• Performance standards should clearly define the required skills,
procedural competency, and knowledge, to reliably perform tasks and
jobs.
Performance CCPS.
12 Identifying learning requirements
Phase 3 of the Competency Management focuses on assessment of gaps in

competency, and limitations in current training.
• Understand a Competency Gap Analysis, and a Training Needs Analysis.

• Identify and describe learning objectives.
Competency Gap Analysis and Training Needs Analysis are important stages in
identifying learning objectives, and training needs. Normally, they would be carried
out together, as information from the Competency Gap Analysis feeds directly into
the Training Needs Analysis.
Competency Gap Analysis identifies what gaps exist between employees’

current competency and the competency required to fulfil performance
standards.
12.2 Competency gap analysis
Competency Gap Analysis is discussed in Chapter 11 and makes use of defined

competency standards matrices. Competency Gap Analysis assesses individual
competency against those outlined in the standards. It answers the following
questions:
• Which competencies do people currently possess?

• What is the level of their competency (e.g., awareness, basic application,
skilled application, mastery)?
• How can the competency gap analysis bridge the gap between the
competency people possess now, and the competency needed?
Competency Gap Analysis needs to recognize any prior experience and

qualifications and consider how they may satisfy parts of competency
requirements. Competency Gap Analysis should consider whether any types of
experience or qualifications are needed in satisfying a performance standard.
12.3 Training Needs Analysis
Training Needs Analysis is an on-going process of analysis, which determines

training needs so that training can be developed to fill any gaps in competency.
Training Needs Analysis determines all the training that needs to be

completed in a certain period to allow team members to complete their jobs to
the defined competency standard.
Once the competency gaps are identified, it is important to determine learning

needs requirements, via a Training Needs Analysis.
Training Needs Analysis would benefit from including the knowledge of

supervisors, operators, designers and managers. An effective Training Needs
Analysis should provide answers to the following questions:
1. What learning is required to bridge the competency gaps?
2. Who/which roles require the training?
3. How will learning opportunity be provided?
4. How soon does the gap need to be filled?
Training Needs Analysis identifies training needs based on Competency Gap

Analysis findings and determines how the competency gaps may be filled with
learning opportunities. This is the case when a person needs further training and
development to obtain the knowledge, skills, and/or attitudes described in the
competency standard.
Knowledge requirements will change in line with:
• Organizational changes (refer to CCPS Guidelines for the Management of

Change for Process Safety [55]) e.g., new roles and responsibilities.
• Changes in process or the introduction of new technology.
• Operating procedures e.g., a new control system, or a plant
modification.
• Insights from relevant industry process incidents or near misses.
• Inputs from operator insights and experience.
• Gaps identified from incidents and near misses.
Changes in knowledge requirements will require learning updates, to ensure

that the competency of trainees matches the latest standards requirements.
12. Identifying learning requirements 139
The Competency Gap Analysis and Training Needs Analysis should be

performed on all tasks, while safety critical tasks should be prioritized. An example
template of combined Competency Gap Analysis and Training Needs Analysis is
shown in Table 12-1.
Completion of the Competency Gap Analysis and See Chapter 14 for more
Training Needs Analysis template includes information on
information about: competency assessments.
• Competency standards requirements

(competency required at each level) – defined in Chapter 11.
• Current level of competency, which can be assessed using:
o Information from knowledge and skills assessments (e.g.,
interviews, tests, 360-degree feedback). 360 Degree Feedback is
a process in which employees receive confidential, anonymous
feedback from the people who work around them.
o Prior qualifications.
o Experience.
Required level of competency – the level of competency outlined in the

standards for a specific job role (e.g., process control room operator, supervisor).
• Learning needs requirements:

o These should specify knowledge and skills that require further
development for their required competency level.
o Training needs are also linked to learning objectives.
• Learning objectives – these should set expectations for individuals by
providing information on:
o Which competency needs to be developed.
o How to develop the competency (e.g., coaching, in the job
training or a training course).
o When the development is expected (e.g., the next two weeks, or
the next 12 weeks).
Table 12-1: Competency Gap Analysis and Training Needs Analysis template
Process control room supervisors should be able to successfully manage a simulated emergency response in
Competency
three tests (out of a possible 10 scenarios), & display appropriate skills such as task delegation, & effective
standards
communication.
Competency Skills
Knowledge of emergency response procedures
current Delegation: Awareness: Level 1
in various situation: Basic application: Level 2
level Communication: Basic application: Level 2
Skills
Competency Knowledge of emergency response procedures
Delegation: Skilled application: Level 3
required in various situations: Skilled application: Level 3
Communication: Skilled application: Level 3
Improve delegation skills: Move from Level 1 to Level 2 to Level
Learning Increase knowledge of emergency response
3
needs procedure: Move from Level 2 to Level 3
Improve communication skills: Move from Level 2 to Level 3
Improve knowledge of emergency procedures by Improve non-technical skills used during emergencies by
attending training, & completing required attending training, & completing required assessments,
assessments, within next four weeks. within next six weeks for Level 2, & within next 12 weeks for
Learning Level 3.
Effectively manage emergency response in a
objectives
series of simulated exercises, by using correct Demonstrate effective & efficient communication &
emergency procedures suitable for each delegation skills during emergency response simulation
scenario. exercises.
“Bridging
Classroom-based training; Walk-through Classroom training on Non -Technical Skills; Simulation
the gap”
procedures; Simulation training/case studies training
training
Learning Direct questioning; Open questions; A “show me
Quiz; Case studies; Observation
evaluation how” observation
12. Identifying learning requirements 141
• “Bridging the gap” is the training type that will help a person move from
one level of competency to another (e.g., on-the-job training, shadowing,
classroom learning, simulator, online learning, or a professional
qualification), with on-the-job learning providing most effective learning
opportunities.
• “Learning evaluation” is about assessing an individual’s competency after
the training has taken place.
o Assessments can take various forms (e.g., multiple-choice quiz,
“show me how” observations, or verbal explanation of the
process).
o As assessment would be carried out:
• Immediately after the training, to see what has been
learned.
• Some-time later, so that the person has a chance to use
(and show use of) new knowledge or skills.
Setting realistic objectives for the learning opportunity, as noted in Table 12-1,
is important when designing learning programs. The learning objectives should:
• Clearly state the purpose (e.g., how they fit with new procedures).
• Describe the expected outcomes that an individual should achieve at the
end of the learning opportunity.
o For example, move from Level 1 to Level 2 (from awareness to
basic application) competency, such as being able to follow
emergency procedures with instructions from others versus
being able to follow emergency procedures with minimal
instruction from others.
• Consider elements required for the learning e.g., pre-requirements for
attendance/admission, materials, resources.
• Ensure the learning objectives are SMART:
o Specific (clear)
o Measurable
o Attainable (achievable)
o Relevant (appropriate for the needs)
o Time-bound (to be done within a stated timeframe)
• An example of a SMART objective is shown in Table 12-1.
Learning objectives set expectations about developmental needs. They also act
as a measuring point to check progress or development of competency and
performance. Assessment of competency focuses on whether or not the stated
objectives were met.
• Two types of analysis are usually carried out to identify training needs
requirements:
o Competency Gap Analysis –identifies which competency need to
be developed.
o Training Needs Analysis –identifies what learning opportunities
are appropriate to develop the competency identified in
Competency Gap Analysis.
• Competency Gap Analysis and Training Needs Analysis also allow
learning objectives to be set.
• Learning objectives:
o Set the expectations of a person’s competency.
o Show the development (or required development) of an
individual’s competency.
o Allow progress of development (changes in competency) to be
effectively measured.
Performance CCPS.
13 Operational competency development
Competency development is composed of learning opportunities, including on-

the-job learning, coaching and training. The aim is to increase people’s knowledge
and skills levels.
Competency development focuses on individual and team (e.g., crew, shift or

team) competency. Similar to individual competency, team competency is also
based on the level or type of risks associated with tasks, and the complexity of the
work. Therefore, the process usually involves all individuals on the task, including
any contractors. Individual gaps in competency are filled through learning.
Collective or team competency gaps can be filled through adding team members
or third-party service providers that possess the missing skills or knowledge.
• Understand the process of developing and maintaining employee

competency.
• Identify suitable learning approaches for particular type of human
performance and types of competency.
• Have greater awareness of effective learning opportunity design.
13.2 Good practice in learning
13.2.1 Facilitate Learning, develop and assess
Individuals develop competency over time, through a combination of structured

learning opportunities, including on-the-job training, apprenticeship, mentorship,
assessment feedback, and formal qualifications programs. As individual
competency develops from basic application to advanced, or from awareness to
mastery, so does their ability to work independently. The progress from “knowing
how” to “being able to put knowledge into practice” happens slowly, bit by bit.
Learning is a gradual process, and it builds competency over time.
Various approaches to support learning help to develop knowledge from the

lower competency levels, e.g., from Primary Well Control and Secondary Well
Control concepts including pressure control and role of equipment to higher
competency levels such as functions and maintenance of Blow Out Preventer, as
shown in Figure 13-1.
Figure 13-1: Example of competency development through training
(adapted from [56])
13. Operational competency development 145
Learning opportunities enable an individual to progress from “learner/partially

competent” to “fully competent”. An individual’s competency can be categorized
as:
For more information on
• “Competent” to conduct the safety individual training methods see
critical task, safely without supervision. Table 13-1 and for group/team
training methods, see Table
• “Partially competent” where further
13-2.
development is required, through the
following:
o Training (e.g., refresher training, training, training and
supervision);
o Coaching; and
o On-the-job performance, until competency can be
demonstrated.
13.2.2 Individual competency - learning methods
Individual competency may be developed through three main learning methods.

These methods are provided in Table 13-1.
Table 13-1: Learning methods for developing individuals
Learning
Description
method
This type of method introduces operators to the core

Information- competency, and provides (for example) knowledge of
based processes, safety principles, and hazards (e.g., a training
course).
This type of method allows operators to observe or watch

Demonstration- the required skills, actions, and strategies.
based It helps operators think about how they will use these new
skills in their work (e.g., an apprenticeship).
This type of method helps operators understand and

organize their learning.
It helps operators to practice their new skills or knowledge
Practice-based
within a workplace environment, which helps them to
practically assimilate or incorporate their new skills into
their work (e.g., on-the-job experience).
Each learning method targets a specific outcome of human performance.

Human performance can be grouped into four categories:
• Psychomotor skills tasks where movement and mind work together

e.g., depressurizing a gas pipe.
• Process knowledge task e.g., operate a process within prescribed
temperature or pressure limits.
• Procedural tasks e.g., technical knowledge of hazards.
• Cognitive skills, which can be called on for both procedural and
knowledge-based tasks e.g., problem solving, or situation awareness of
hazards.
Psychomotor tasks may require more practice time, for example, on-the-job
learning. This is because many of these tasks require to be carried out
automatically, without much thought required about how the job should be done.
Procedural and process knowledge tasks will require

See Chapters 5 to
less task-specific training, as individuals may use job aids
8 for more
to complete the tasks. However, it is still important to gain information on job
underpinning knowledge, and to have an ability to identify aids.
and apply the correct procedure.
Cognitive skills development should combine theoretical or classroom

training with some on-the-job experience. This is because classroom training only
provides theoretical knowledge and no practice.
Effective learning opportunity design would use a range of training methods

and forms of training, taking into consideration task type, and different levels of
competency. For example:
• Knowledge-based operational planning tasks may be most suited to a

combination of classroom training, formal qualifications, and instructor
led “walk-through” procedures methods.
• Operational and maintenance type of tasks may be most suited to on-
the-job training.
An example of effective use of training methods and techniques is shown in

Appendix E.
Participatory teaching methods (group discussion, practice and teaching

others) are more effective than passive teaching methods (lecture, reading and
audio-visual methods) as shown in Figure 13-2 [57]. Participatory methods
increase learner’s retention of information, and lead to effective learning and
competency development. Figure 13-2 was originally drafted by the U.S. National
Training Laboratories in the 1960’s. The retention rates should be viewed as
illustrative rather than taken literally.
Figure 13-2: The Learning Pyramid
(adapted from [57])
Average retention rates
5% Lecture
10% Reading
20% Audio-visual
Passive teaching
methods 30% Demonstration
Participatory 50% Group discussion

teaching
methods
75% Practice
90% Teaching others
13.2.3 Team competency - learning methods
Facilitating learning needs to address how to combine development of

individual competency with team competency.
The most effective strategy is dependent on several factors, such as:
• The issues that need to be addressed.

• Resources available.
• The makeup of the team.
Examples of team learning techniques, and recommendations on their

effectiveness [58] are shown in Table 13-2.
Table 13-2: Team learning methods
Specific recommendations/conditions
Type of learning
determining type of learning
• Effective even with teams that do not

have a fixed set of personnel.
Team co-ordination learning –
focuses on joint team effort to • The learning addresses a particular set
reduce risks. of non-technical skills - e.g., leadership
skills, decision-making in emergency
situations.
• The team has a high level of

Cross-learning - instructional
interdependence between members.
strategy in which each team
member is trained in the duties • Team members have a lack of
of his/her teammates. knowledge about the other team
members.
Team self-correction learning –
teaches and encourages team
members to review events,
• The team has high level of
interdependence between members.
correct errors, and discuss
future strategies.
Event-based learning -
introduces events or “trigger • Useful for problems with a particular
situations” within training subset of tasks, and the tasks can be
exercises that provide simulated.
opportunities to observe skills.
Team facilitation learning – • Useful for limitations in training

stimulates learning by creating resources.
an effective learning • Training on how to train others.
environment and facilitating and • This is specifically relevant to team
encouraging discussions. leaders.
13.2.4 Providing conditions or opportunities for development of competency
In order to increase the effectiveness of learning, learning programs should apply

points of good practice to facilitate learning, such as:
• Provide individuals with sufficient opportunity to learn on-the-job – to

carry out tasks that would allow them to develop the required
competency. This would also provide a chance for assessors and
supervisors to observe and assess their skills in a real-life environment.
• Group competency may be best developed via simulation exercises,
while assessment should take place on-the-job, in day-to-day tasks.
• Avoid information overload - e.g., do not provide individuals with a
continuous two-week onboarding training covering all policies and
procedures; as humans are unable to process extensive information for
a lengthy period of time.
• Allocate appropriate time for training/for learning opportunities. Do not
schedule the training when individuals have just finished the shift, as
individuals will be tired and unable to concentrate on the training.
• Provide inclusive learning opportunities, accounting for different
learning styles. Individuals have preferred learning styles and therefore
absorb more information (the learning is more effective) if conducted in
their preferred learning style. For example, some individuals prefer to
learn by practice (kinesthetic learning style) while others prefer to listen
to instructions (auditory learning style), or via pictures/diagrams (visual
learning style).
• The main learning methods include information-based, demonstration-

based and practice-based activities. A combination of learning methods
should be used to:
o Maximize the effectiveness of learning.
o Develop individual and team competency.
• Equal focus should be given to individual and team competency. Team
competency development is enhanced by the use of various learning
techniques, such as cross-learning, team self-correction learning, and
team facilitation learning.
• Learning methods and techniques should be matched to specific types
of tasks, skills and competency.
Performance CCPS.
14 Operational competency assessment
Competency needs to be maintained, assessed (competency demonstrated) and

reassessed, to ensure the level of competency continues to fulfil competency
standards.
• Understand the reason for and importance of competency assessment.

• Assess the suitability of competency assessment methods.
• Determine the frequency of assessment required.
14.2 Reasons for competency assessment
Competency assessment is of great importance. Previous accidents (including the

Longford explosion summarized in Section 10.5) indicate that a lack of skills and
knowledge is a strong contributing factor to accidents.
A common theme from accident reviews shows that it is often assumed that
because individuals have been provided with specific training, they should be
competent in conducting their job. This is often not the case.
Assessment of competency is an indicator of individual levels of competency,

and the ability to work to the required standards.
14.3 How to conduct assessment of competency
14.3.1 Based on performance standards
Assessments should be based on performance standards. See Table 11-2 for

more information
Performance standards often provide guidance on
on performance
assessment. For example, how many times an individual is standards.
required to complete a task correctly, prior to being judged
as “competent”.
Assessment of these skills and consequent accreditation as “competent”

depends on the safety criticality of the task – the more safety critical, the tougher
the assessment. For example, some industry-based performance standards (such
as for North Sea Offshore Installation Managers) say a person must successfully
complete a task three times before they can be called “competent”.
Some examples are:
• A fitter must correctly fit a seal to a pump on three separate occasions.

• Process control room supervisors may need to successfully manage a
simulated emergency response in three tests (randomly chosen out of a
possible set of 10 scenarios), and display appropriate skills such as task
delegation, and effective communication.
Assessment of competency is concerned with individual’s progression across

proficiency levels (awareness, basic application, skillful application, mastery and
expert), until the highest level of proficiency (appropriate for specific job role) is
reached. Achieving a certain level of proficiency (including expert proficiency), does
not mean that no further development and/or assessment is required. Individual
competency should be kept up to date, and therefore frequently reassessed (see
section 14.4 for more information on competency re-assessment).
14.3.2 Select assessment methods
Various methods can be used to aid competency assessment. The chosen method
should be suitable for the assessment of the competency in question. For example:
• Assessment of knowledge-based competency may use a series of “talk-

through” questions or a multiple-choice quiz.
• Assessment of skill-based competency may be assessed via simulation
exercises or a “show me” technique.
Examples of assessment methods [59], their suitability for different types of

performance, advantages, disadvantages, and issue to consider are listed in Table
14-1.
Table 14-1: Suitability of and differences between competency assessments
Assessment Type of human

Advantages Disadvantages Issues to consider
Method performance
• Not sufficient enough in
• Useful for investigating itself to demonstrate
Verbal Suitable for knowledge competency • Assessors should be
Questioning knowledge- • Can be standardized • Least likely to be trained and experienced
“What if” based • Valuable tool for representative of real in the use of questioning
scenarios competency collecting evidence work conditions techniques
across activities • Assessors may answer
their own questions
• Requires skilled
assessors to assess the
• Requires assessment time
outcome
Suitable for • Valuable for knowledge- for those being assessed
knowledge- based activities and for the assessors, and
• Danger that knowing is
Written exam confused with being able
based • Can be well structured time for the scorers
to do
competency and standardized • Requires time away from
job
• Provides supplementary
evidence of actual
performance
Table 14-1 continued

Method performance
• Well designed, and
standardized set of • Correct answers may be
• Time required for test
design, administration,
Multiple Suitable for questions randomly chosen
and marking
choice knowledge- • Provides overview of • Requires time away from
quizzes or based knowledge in a short work, and likely access to
• Supplementary evidence
tests competency only – not direct
period of time PC
evidence of
• Provides instant results • Requires careful design
performance
if automated
• May not show usual skills
(observer effect)
• Opportunity to show
• Assessment can be
competency across all
undertaken as part of • Need for trained
activities may be limited
Suitable for rule- line manager’s assessors
responsibilities • Assessors may not have
Observation based and skill- • Use of multiple
time to do assessments
of real skills based • Tests application of assessors
competency knowledge and skills • May be subjective –
• Requires checklist of
influenced by assessor
• Provides high quality what to observe
and observed individual
evidence
relationship
• Disruptive to the
workforce

Method performance
• Simulation conditions
only, may differ to real life
• Useful tool to generate • Observer effect-
evidence individuals may act
Suitable for rule- • Not disruptive to differently when observed
• Requires planning and
based, operations, as they can – therefore, performance
structure
Simulation knowledge be conducted off-site in the simulation
exercises based and skill- exercises may differ to • Need to ensure valid
• Time for testing can be
based performance in day-to- and appropriate
effectively allocated
competency day activities simulation
• Test conditions can be
standardized for skills • Individuals skills may
tests differ in test scenarios
• Difficult to predict exact
type of evidence
Peer review
Suitable for rule-
• Assessors (individuals or
Feedback by • Subjective due to colleagues providing
line manager,
based and skill- • Superior knowledge of
relationship between feedback) should be
based task execution
supervisor, or assessor and individual trained in providing
competency
colleague feedback
Competency assessment includes other aspects, such as:
• Assessors’ competency: assessors

Using multiple methods
should have the required knowledge
to assess performance,
and expertise in conducting
leads to more accurate
competency assessment, and the
assessment of
required knowledge and skills in the
competency.
tasks they are assessing.
• Frequency of assessment: decisions
should be made about how often competency should be
assessed/reassessed. For example:
o Higher risk tasks may require more frequent assessment than
medium/low risk tasks.
o In practice, all individuals or workers should be assessed at least
annually in the form of performance appraisal, defined as
“management observation of performance”. Individuals in high
safety critical tasks may be assessed every three to six months.
o High frequency tasks may require less frequent assessment
than low frequency tasks.
o This is because low frequency tasks are prone to skill fade. As
they are not often used, they are more likely to be forgotten.
o High complexity tasks may require more frequent assessment
than low complexity tasks.
o Highly complex tasks require using various psychomotor skills
and cognition.
• Functional illiteracy and associated adjustments to assessments:
Assessment of individuals with functional illiteracy require adjustment as
standard methods, such as pen and paper exam, or multiple choice
quizzes are not suitable and should be replaced with observations and
peer feedback.
• Productive learning environment: learners should be provided with a
safe environment allowing for learning from errors and testing of
knowledge. Learners should be encouraged to ask questions and not be
afraid to hide their lack of understanding.
• Usability of assessment results/output: competency assessment
output is used to aid recruitment and selection processes, internal
promotions, and succession planning.
To ensure that individuals’ competency have been developed and maintained,

assessment should be conducted:
• Post learning – following completion of learning opportunities.

• Post appointment into role – following application of knowledge, skills,
and abilities into practice.
14. Operational competency assessment 157
14.3.3 Post learning assessment
Assessment of learning should be conducted during learning opportunity, and (for

example) 4-6 weeks after, to allow for implementation of knowledge. This
assessment would aim to evaluate whether competency has been reached at this
stage.
Examples of post-learning assessment methods are shown in Figure 14-1. The

figure provides suitable assessment methods for “acquired learning” and for
“application of learning into practice”.
Figure 14-1: Learning assessments
14.4 Reassessment
Individual and group competency should be maintained over time and reassessed
to prevent skill fade. For example, refresher training is important for safety critical
roles and infrequent tasks. The reassessment requires use of methods that are
suitable for assessing competency and human performance, as shown in Table
14-1.
Reassessment should focus on technical knowledge or expertise, and skills

application. It should cover the regular activities and tasks that individuals
perform. For example:
• A highly critical task that is performed infrequently may require regular

reassessment and refresher training, such as every year.
• A medium critical task that is performed very frequently may require
reassessment every three to five years.
14.5 Managing competency gaps
14.5.1 Overview
Managing competency requires:
• Monitoring competency levels (competent vs not yet competent).

• Developing processes to identify and address situations where the
development of competency does not meet the competency standards.
Consideration should be given to some subtle/transient group competency

elements, such as:
• Changes in workload due to start-ups/shut-downs/equipment

preparation;
• Additional skills needed across a team.
The aim of this process is to improve performance, by helping people to reach

and remain at the required level of performance standards. In addition to building
error-tolerant systems, setting people up to succeed. To achieve this, people
should receive regular performance feedback. Managers should view dealing with
performance gaps as a normal part of their supervisory role.
It is important to investigate the causes of performance gaps to determine the

next steps of action. These actions could include:
a) Providing refresher learning opportunities.

b) Assigning individuals with an “on-the-job” mentor or coach.
c) Reviewing work conditions or job design.
d) Referring individuals to employee assistance services.
14.5.2 Understanding performance gaps
Prior to assessing the causes of performance gaps, it is

See Chapters 2 and 3
important to check the opportunities for learning. This
for more information
includes providing opportunities for transfer of on Systems Approach
knowledge into the job environment, where the to understand other
knowledge may have been gained in the classroom or factors that impact
via a formal qualification. It is also important to check the human performance.
development of job competency.
Higher critical gaps in competency may require immediate intervention to

address the risk that the competency gaps present. Immediate correction of
competency gaps will have positive effect on human performance.
14. Operational competency assessment 159
Some common causes of performance gaps include:
• Ineffective training:
o The training did not specifically target the required set of
competencies.
o Learning objectives were not clearly defined.
o The method of learning was not sufficient to develop the
required competency.
• Skill fade linked to infrequent tasks.
o Even with acquired learning, if there is not enough opportunity
to put the new competency into practice, an individual’s ability
to do the task to the required standards decreases over time.
• Excessive workload (e.g., due to understaffing) affects personal and
team performance.
• 'Drift' over time. Even individuals who are experienced and
knowledgeable start to 'do things in their own way'- over time. This
behavior can drift into being unsafe and need to be recognized when
carrying out reviews.
• Poor assessment practices, such as:
o Poorly defined competency assessment matrices.
o Assessors lacking training and expertise in assessment.
• Personal reasons and circumstances, such as:
o Poor health.
o Challenging family circumstances.
• Work-related conditions including, such as:
o Poor quality of tools used for the task.
o Poor team cohesion.
o Difficult or poor relationships with co-workers.
14.5.3 Principles for managing performance gaps
Effective management of performance gaps is based on the following principles:
• Performance gaps should be dealt with promptly. The aim would be to:
o Demonstrate commitment to a high-reliability culture.
o the issue from becoming more serious over time, and prevent
it having negative safety-related outcomes (e.g., leading to an
incident).
• Welfare and confidentiality should be maintained by:
o Providing people with relevant support. For example, having
one-on-one discussions to investigate issues which may impact
employee performance.
o Ensuring confidentiality of performance reviews and follow up
discussions.
14.6 Competency and learning records
Records of competency assessments should be kept:
• As evidence of completed learning.

• As evidence of an individual’s ability to work independently on safety
critical tasks.
• To help devise personal development plans, outlining development
needs, and tracking development progress.
Learning records would normally include the following information:
• Unique set of competencies required for each job role, safety critical
task(s), and sub-task(s).
• Equipment, tools, and machinery used within each task, and skills
required to use these tools effectively.
• Date, duration, and type of learning opportunity provided for each
competency.
• Proof of evidence demonstrating competency level. This may include a
statement of compliance, or sign-off sheets.
• Historical record of all previous training, and any changes to skills sets.
Keeping a record of competency is an important and key part of competency

development, which leads to safer operations, and improved individual and group
performance.
• Frequent competency assessment is important as it allows for:

o Tracking and maintaining individual and group competency.
o Devising development plans and tracking individual progress.
o Contributing to improved performance and error prevention.
• Competency assessment methods should be appropriate for the types
of competency they are assessing.
• The effectiveness of learning and development activities can be assessed
by the extent to which an organization adopts ‘just in time learning’
theory and applies it. ‘Just in time learning’ means that learning is
available on-demand and can be accessed when the learner needs it.
Performance CCPS.
Part 5: Task support

Performance CCPS.
15 Fatigue and staffing levels
By the end of this chapter, the reader should understand:
• How fatigue impacts human performance and may cause error.

• How to manage fatigue.
• How to match staffing levels to workloads.
15.2 A fatigue-related accident
The 2005 Texas City refinery explosion summarized in B.1 (page 383) occurred
during the start-up of the isomerization (ISOM) unit, following maintenance [14].
One contributing factor was fatigue.
Several key operational staff had worked 12-

hour shifts for several days in a row.
“…the CSB concludes
The Day Board Operator was likely suffering that fatigue of the
both acute sleep loss and cumulative sleep deficit operations personnel
after working 12 hour shifts 29 days in a row. He contributed to
usually slept for five or six hours per day. overfilling the tower.”
The Night Lead Operator had worked 33 (CSB, 2007, [14] p.289)
consecutive days. The Day Lead Operator had
worked 37 consecutive days.
In addition to working 12-hour shifts, they spent time commuting to and from
work, and assisting at home. There was limited opportunity to take rest breaks
when on shift.
These operators made mistakes on the day of the accident. For example, the
Day Board Operator did not recognize that feed was entering the unit but not
being removed, causing it to overfill. When the tower experienced pressure spikes,
the operators tried to reduce the pressure without exploring what was causing the
pressure spikes. They were focused on the symptom of the problem rather than
its cause. Awareness, vigilance, monitoring, and decision-making are all tasks that
can be affected by sleep deprivation and/or fatigue.
The CSB investigation [14] attributed the excessive levels of working to

understaffing. The company did not have a fatigue risk management policy. A
seven-day rotation with 12-hour shifts was operated. The shift pattern did not
cater for temporary peak workloads such as plant turnarounds.
Fatigue is a decline in physical and/or mental performance caused by factors

such as prolonged exertion, insufficient sleep, and/or disruption of the
sleep/wake cycle. Fatigue manifests as a sense of tiredness, weakness, or lack
of energy.
Fatigue can reduce a person’s ability to process information, reduce levels of

attention and alertness, impair memory, reduce reaction time both physically and
cognitively, impair physical coordination, and potentially cause errors. Examples
include:
• Forgetting which steps have been completed in a procedure, due to

memory lapse or incorrectly thinking something has been done.
• Being unable to understand information such as from instrumentation.
• Being unable to understand what is happening or to make a decision.
• Inflexible thinking and poor planning.
High levels of fatigue can cause people to uncontrollably fall asleep or have
“micro naps”. People will not be aware that their performance is affected by fatigue
and may think incorrectly that they can “power through” or use stimulants such as
caffeine, to combat fatigue. This is not true.
Sleep allows the brain to recharge and remove toxic waste by-products which
accumulate when awake. Sleeping helps to “clear” and reset the brain. A reduction
or disruption of the sleep cycle prevents the brain from maintaining their normal
function. Sleep is important for optimal cognition and judgement.
Common causes of fatigue include:
• Working for long periods without a rest break.

• Working many hours in one day.
• Working many days without a rest day.
• Working a shift system that disrupts the sleep/wake cycle.
• Night working and early starts.
Lack of sleep and inadequate rest breaks will affect more complex tasks and
tasks that require judgment and decision-making more so than simpler tasks.
However, tasks that place very low levels of demand on people, such as monitoring
a process, are also vulnerable to fatigue.
15. Fatigue and staffing levels 165
People’s biological clocks (circadian rhythms) have

a cycle of sleepiness and alertness. Alertness will be
People’s circadian
low at certain times of day (between 02:00 and 04:00,
rhythms “dip”
and 13:00 and 15:00). This sleep/wake cycle means
between 02:00
people are better able to sleep at night, and sleep is
and 04:00, and
likely to be poorer if people are required to sleep
13:00 and 15:00.
during the daytime, for example when on night shifts.
This can lead to a sleep deficit.
This also means that it is best to avoid scheduling

the most demanding tasks during the periods where circadian rhythms dip.
Acute and cumulative sleep deficits create fatigue. Acute deficits might be
caused by working one night, while cumulative deficits might be caused by working
seven nights without a rest day.
It is also possible that medical conditions can cause fatigue, such as narcolepsy
which causes daytime drowsiness and “attacks” of sleep. The management of
medical conditions is beyond the scope of this book, but an option is to test people
for conditions such as narcolepsy, especially if they show signs of daytime
drowsiness.
15.2.4 Fatigue and working patterns
Fatigue increases rapidly after working more than eight hours.

The risk of error increases when working for more than two hours without a
break.
Fatigue accumulates over the days when a day off is not taken.
Few people fully adjust to night shifts.
Working nights or early starts can cause “sleep deficits” – few people sleep well
during the day.
Older people, especially over 50 years old, get tired more quickly.
A set of examples of fatigue risk are shown in Figure 15-1 to Figure 15-3. These use
the United Kingdom’s Health and Safety Executive’s Fatigue and Risk Index [60] .
This is a free online tool that predicts fatigue and risk according to working hours,
rest breaks, and task demands. Task demands include both physical and mental
demands.
The Health and Safety Executive’s Fatigue and Risk Index has been used here
to provide examples that illustrate the impact of long hours. As with all analysis
methods, the results are approximate. It is also best suited for assessing rotating
(day- night) shift patterns rather than permanent day or night working.
The fatigue score ranges from zero to 100. A score of 50 indicates a 50% chance
that people will struggle to stay awake. The Health and Safety Executive’s Fatigue
and Risk Index does not prescribe acceptable levels of fatigue risk. It advocates
that fatigue and risk scores should be reduced as a low as reasonably practicable.
The Fatigue and Risk Index also gives a risk score that indicates the potential
for an accident/incident to occur.
In all examples it was assumed that the person takes 40-minutes to travel to
work and has a “moderately” demanding role that required attention “most of the
time”.
A long day
Figure 15-1 shows an example of how fatigue “jumps” when working a 16-hour
day. The fatigue score rises slowly from day one to day four. Then the fatigue score
jumps on day five. It then stays high for days six and seven.
Figure 15-1: Example of rapid rise in fatigue scores from a 16-hour day
Working without rest breaks

Figure 15-2 shows the impact of working 12-hour day shifts without rest breaks.
The “no rest break” example assumes a 15-minute lunch break after four hours,
and no other breaks. The “with rest breaks” example assumes a 15-minute break
every 2.5 hours and a half hour lunch break.
The lack of rest breaks causes fatigue scores to be increased three times.
The fatigue level at the end of the seven days without rest breaks would be
roughly a one in three chance of struggling to stay awake at work.
Figure 15-2: Working without rest breaks
Working night shifts

Working nights can create a “sleep debt/deficit”. People may work nights as
part of a standard rotation or due to “going around the clock” during plant
turnarounds, for example. It is often the case that people have lighter sleeps
during the day, especially if the home environment or accommodation is not
adjusted for daytime sleeping.
Figure 15-3 shows a seven-day rotation starting with four-day shifts (07:00-
19:00) and ending with three-night shifts (19:00-07:00). It assumes rest breaks are
taken and includes a 24-hour break between the final day shift and the first night
shift.
The fatigue level jumps upon starting night shifts, with a nearly 50% chance of
struggling to stay awake on the final night shift.
The fatigue score can be reduced by about one third by having more frequent
and longer breaks. For example, breaks could be of half an hour and every two
hours at night instead of fifteen minutes and every two and a half hours in the
daytime. In addition, risk can be reduced by performing work that is less
demanding at night.
Figure 15-3: Working nights
15.3 Managing fatigue risk
15.3.1 Fatigue risk policy
A formal fatigue risk management policy and set of arrangements should be in

operation. Typical parts of a fatigue risk policy are shown in Figure 15-4. This
should include a commitment to manage fatigue and satisfy national and local
laws and regulations as well as guidance such as the “IOGP Report 626 – Managing
fatigue in the workplace” [61]. This should include training for all key roles on how
to prevent fatigue, how to recognize fatigue and deal with it and an overview of
the company fatigue risk management program.
Further guidance on fatigue risk management is also available from the Energy
Institute [62].
The policy on maximum working hours and rest breaks should take account of
the physical and mental demands of tasks. More demanding tasks require more
rest. In addition, it should control people volunteering for over time. The policy on
the maximum hours worked should also limit permitted voluntary over time and
avoid a small number of workers taking on excessive hours.
Figure 15-4: Typical scope of fatigue risk policy
Organizational commitment to manage fatigue
Fatigue risk assessment
Training in causes and impact of fatigue, and how to manage fatigue
Maximum hours worked per day, per week, and per month
Minimum rest periods within a shift, and minimum sleeping time between
shifts
Maximum consecutive working days without a rest day
Shift design requirements, such as forward rotating and avoiding early starts
Triggers for acting on an individual who is working excessive hours or showing

signs of fatigue
Recording and monitoring hours worked
Action to be taken if people are working excessive hours each day or too many
days without a break
Fatigue risk key performance indicators
Audit and review of fatigie risk management performance
15.3.2 Shift systems and working hours
Some key principles are given in Table 15-1.
Figure 15-5 gives guidance on shift design and working hours for safety critical
roles. This includes allowing people to nap (sleeping for about 20 to 30 minutes) at
work, especially when working nights (e.g., at around 02.00 am), during periods of
inactivity if safe. Longer naps may induce sleep inertia, such as feeling “groggy”.
Table 15-1: Principles of shift design
Principle Guidance
As fatigue increases quickly after eight hours, the

Maximum hours per
duration of each shift should be limited, such as no
day
more than 12 hours per 24 hour period.
As few people adjust to night shifts, rapid forward

rotating shifts (such as two day shifts followed by
Rapid forward rotating three or fewer consecutive night shifts) minimize
shifts the adverse impact of working nights.
Working nights should be followed by rest days to
allow people to recuperate.
Regular rest breaks Rest breaks help people recover during a shift.
Early starts, such as 06:00, disrupt sleep and should

Minimize early starts
be minimized.
Limit consecutive shifts Fatigue accumulates – people need rest days.

Figure 15-5: Guidelines on shift design
Some tips on maintaining alertness
Rest breaks Exercise

A very short rest break of a few minutes Walking around during
can stop fatigue increasing. A long breaks, and moderate
break can reduce fatigue to its starting exercise before work can
level. increase alertness.
Stimulating tasks Talking

Doing more interesting work can help Talking with colleagues can
reduce drowsiness. boost alertness.
Naps Bright ambient lighting

Short naps can reduce fatigue by half, Bright white lighting improves
especially when working night shifts. alertness.
15.3.3 Recognizing fatigue
Good fatigue risk management includes

being able to recognize the signs of fatigue in
colleagues. Typical symptoms of fatigue are
shown in Figure 15-6, adapted from the
• Recognition of fatigue
Canadian Center for Occupational Health
in self and in others.
and Safety [63].
• Ability to ask for help
Team leaders, supervisors and and challenge others’
colleagues can recognize fatigue in fatigue.
themselves and others, creating the
opportunity to take action.
Figure 15-6: Signs and symptoms of fatigue
People may be screened for signs of fatigue at the start of shifts and monitored
throughout a shift. Tasks should allow for rest breaks throughout the shift. Fatigue
detection technology can monitor eye closures and head posture.
15.3.4 Task scheduling
As noted in section 15.2.3, people’s sleep/wake cycle means that complex tasks
may best be scheduled for the start of the day and the start of the work block,
when people are most alert and rested. Work planning should avoid scheduling
complex tasks for night shifts, after lunch (13.00 to 15.00), or during early starts.
There are differences in people’s fatigue risk. Those at greatest risk can include
older people, especially over 50 years of age, people with a challenging home sleep
environment (e.g., with young children), and those with long commutes. The
allocation of work and the scheduling of tasks may take account of individual
needs. For example, the tasks requiring the highest level of concentration should
be allocated to individuals at lower risk from fatigue.
15.3.5 Monitoring working hours in real time
Working hours can be monitored. For example, the actual hours worked can be
checked by a team leader at the end of a week. If excessive hours are being
worked, the reasons for this can be explored and action taken. For example, if it is
due to other staff being absent due to illness, a request may be made for staff to
be redeployed from elsewhere. It is especially important to monitor the hours
worked by people when:
• The time required to complete activities is uncertain e.g., start-up.

• Where it is known that there are gaps in staffing e.g., due to sickness
absence or problems in recruitment.
Facilities should maintain sufficient staff to cover absences and people leaving
an organization. If this is not the case, real time monitoring of hours worked
becomes even more important.
15.3.6 Recognizing the signs of understaffing
A common cause of fatigue is people working excessive hours due to

understaffing. Typical signs of understaffing are shown in Figure 15-7.
It is common that a shift or activity will have a defined number of staff, such as
a maintenance team of eight. It is good practice to map workload against staff
numbers and set out what tasks can and cannot be done by an understaffed team
e.g., no intrusive maintenance if team is depleted by 2 staff. The actual staffing
level can be monitored on a daily and weekly basis, against the defined minimum
level. Understaffing should be reported to responsible management. There should
be pre-planned contingencies, such as calling on additional staff in the event of
(for example) staff absence due to illness.
Figure 15-7: Signs of under staffing

15.3.7 Managing tiring workloads
It is also possible that a person’s workload is too high due to the design of the task.
An example is where the time taken to start up a process is so lengthy, that it stops
people from taking a rest break for over four hours, or the work is high intensity
and tiring.
Figure 15-8 shows the options for managing workloads. Typical examples of
these include:
• Splitting the task into stages and scheduling rest breaks.

• Making the task easier, such as by providing clearer instructions.
• Providing a high level of training so that people can perform the task
with less effort.
• Increasing the number of people allocated to the activity.
• Having one person overseeing the work, checking for errors and
verifying tasks are completed correctly.
Figure 15-8: Managing workloads
The number of people required for a task can be determined from past
experience of performing that task, such as replacing a pump. Past experience can
be used to decide how many people will be needed the next time this activity is
performed.
Whenever analyzing safety critical tasks, it is important to be realistic about the

time and effort needed to perform an activity. It is also important to recognize that
new problems may occur, and that more time and effort may be needed to
perform an activity than previously.
If the activity is complex or different, the activity can be analyzed. An example

is shown in Figure 15-9. The activity can be subdivided into sub-activities. These
can be plotted over time. Tasks that coincide can be spotted. The time taken to
perform each task can be estimated, such as by observation of tasks or consulting
people who perform the tasks. In this example, five sub-activities coincide, and the
task time splits over two shifts. At least five people are required, and rest breaks
will be necessary.
Further guidance on workload and staffing needs analysis methods is available

from the Energy Institute [64].
Figure 15-9: A simple task timeline

• Fatigue can greatly increase the potential for error.

• Causes of fatigue are many, and they vary by task and by person.
• Established good practices help managing fatigue.
• Fatigue can be monitored and managed in an operational setting.
Performance CCPS.
16 Task planning and error assessment
• The importance of effective and realistic task planning.

• The role that “error assessment” can play in foreseeing and preventing
error, by engaging in effective task planning and preparation.
Task planning refers to developing a maintenance or turnaround plan, a start-

up plan, temporary operating instructions, re-commissioning plan or producing a
work instruction. It may also include setting people to work in operating a process,
such as briefing operators at the start of a shift.
16.2 Incident example
The Energy Institute’s “Toolbox” provides many examples of failures in task

planning. One example, planning a confined space entry, is repeated in Table 16-1.
If heating oil had been introduced into the tubes while personnel were in the
heater, they could have been injured.
The example refers to locked blinds, as part of HEC (Hazardous Energy Control).
In some countries it is more common to use blind tags. The U.S. OSHA equivalent
of HEC is LOTO (Lock Out- Tag Out).
Table 16-1: Example of locks removed on wrong blinds

Example of a failure in task planning: Energy Institute – locks removed on
wrong blinds
What happened?
Four locked blinds under hazardous energy control (HEC) were removed from
the transfer line under the coke drums.
The blinds should have been left in place for a confined space entry isolation
to the heater.
Three of the blinds were found hanging from the cables with the locks and
tags attached. A cable had been cut to remove the fourth blind.
The product could have leaked through the valves, entering the tubes inside
the heater.
Why did it happen?
The permitted scope was too broad. It covered two jobs and 11 different
blinds, which were generically referred to as “blinds”.
Unclear job plan.
Lack of communication.
Lack of clarity around removing locked blinds. A workaround allowed the same
crew to remove locked blinds when a hydro blind was leaking.
What did they learn?
It is important to define the field coordinator’s and operator’s roles and

responsibilities clearly to ensure blind verification is effective.
It is important to ensure the task description includes a specific blind count

and blind locations.
The onboarding should be updated to ensure new staff know that locked
blinds should not be removed.
A procedure should be developed and implemented for hydro blind

management.
(adapted from [65])
16.3 Human Factors and task planning
Many tasks have specific safety requirements, such as operational turnarounds

and maintenance tasks. For example, maintenance tasks commonly require
isolation of specified sections of pipework and vessels, purging, and blinding at
specific points. A reliable method is needed for task-specific safety assessment,
communication of safety critical information, and task authorization.
16. Task planning and error assessment 181
A resilient and methodical approach to task planning
The production of work instructions can be a high frequency and knowledge-

based activity during which mistakes may occur. The identification of task-specific
risks and safety requirements draws on knowledge of the process, process
hazards, and safety procedures. Task planning needs to be methodical and
account for all relevant hazards. If task planning is not done well, hazards may be
ignored or overlooked, safety procedures may be incomplete, and instructions can
be unclear. The people that are planning the tasks must be competent, and the
system of task planning should be resilient.
Optimism bias in task planning
Tasks often have completion deadlines. Additional pressures include restoring

production quickly. This can contribute to “optimism bias” within task planning, for
example, being overly optimistic about how long a task will take. It can also involve
downplaying the challenges and risks in performing a task. This can contribute to
insufficient time being scheduled for a task and insufficient preparation of the
team.
Including error assessment in task planning
Many tasks are complex, with many task

steps. These tasks can occur over many hours, Task planning should:
they may involve many people, and they may
involve work in physically separate locations. • Identify the potential
There may be unanticipated events (such as for error
equipment failure) that may increase task • Identify the means to
complexity and require a change of plans. These support a successful
conditions create increased variability and the task performance
need for operators to adapt, creating the
potential for errors and mistakes.
In addition, motivated staff can be very “task focused” and intent on completing
the task and solving the problems. This can create a risk of losing awareness of the
situation, improvising unsafe ways of completing a task, and overlooking
unexpected events or conditions that require a change in their actions. When
people are task focused, they can miss “weak signals” around them that the
situation is unsafe or is changing.
16.4 Error assessment within task planning
Error assessment involves foreseeing the potential for human error in a specific
task, and the conditions that may cause failure. The person(s) planning tasks
(such as team leaders, supervisors, and senior engineers) are error managers.
They should be evaluating for potential errors and preventing them by good
task planning.
16.4.1 What is error assessment within task planning?
Error assessment when planning a specific task, includes:
• Understanding task demands and the support (e.g., instructions,

minimum staffing and scheduled time) people need in order to perform
the task successfully.
• Identifying potential errors, their causes, and the possible consequences
of the error.
• For errors identified, assessing for adequate safeguards that catch the
error and/or prevent escalation, or are additional, specific safeguard(s)
required for the potential error?
• Considering what contingencies need to be in place, and what changes
would require a halt and reassessment of the risks?
• Assess the unexpected consequences (bigger or worse than safeguards
can handle), safeguards that may fail or not be sufficient, and backup or
redundant safeguards possibly needed. This can cause problems in
analysis where it is assumed that safeguards will work as intended.
This type of assessment may be carried out as part of Job Safety Analysis,
development of Permits to Work and task specific work instructions. It requires the
people undertaking the error assessment to have some understanding of human
failure (18.4), and a belief that humans will fail if negative PIFs are present.
The task planner “walks through” the task in the field (not just on paper) and
the conditions in which the task is to be performed and identifies potential failures.
The task planner should refer to any available process hazard analyzes and
previous post job reviews.
The task planner should ask their team and other specialists to help with the
assessment. Ideally, the “walk-through” should be done by the team who will be
performing the task. This allows verification of task sequence, tools, staffing
requirements, timing and so forth. The team approach may identify some
improvements in tools or methods not used before.
Having identified potential failures, task plans are developed to support

successful performance. These task plans may take the form of written work
instructions, or verbal task briefings, such as “Tool Box Talks”.
The task plans are communicated as part of “Tool Box” talks, Tail Gate briefing,
start of production shift briefings and other forms of operational briefings.
This concept can be articulated as an acronym, such as “SAFER”:
Summarize the task

Anticipate high risk situations
Foresee potential errors and mistakes
Evaluate task plans
Review task preparations
16.4.2 Error management and error-likely situations
Error-likely situations include circumstances

See Chapter 18 for more
beyond the immediate control of the team that
information on how to
may impact task performance and/or the
spot, capture, and correct
margins of safety. These can be termed “error
errors during operations.
traps”, where circumstances and conditions can
cause failure.
Error-likely situations can be thought of as being:
• Anticipated – something could happen.

• Unanticipated – something that may be more unexpected or unlikely,
but could still happen.
• Latent – not obvious, may be hidden within systems or ways of working,
but could be identified through a safety analysis.
Typical error-likely situations are shown in Figure 16-1. The presence of these
conditions may make the task high risk.
An example of an error-likely situation could be a strong wind unexpectedly

developing, while carrying out maintenance using a heavy lift crane.
Figure 16-1: Examples of error-likely situations
Communicating
Shift handover with
Starting up a modified between physically
defective equipment
process for the first separated individuals
or plant in abnormal
time or teams during a
state
long duration task
Performing a long Performing a long Monitoring a process

duration task where duration task where for a long time with
the correct sequence precision, such as low task demands or
of actions is mass balance no active tasks to be
necessary calculations, is done
required
Trying to meet a tight A highly committed, Attempting to isolate

schedule of task focused, and and purge a storage
production or proficient team tank and pipework
maintenance while working hard to with out-of-date or
understaffed perform a challenging incorrect information
task with a tight
deadline
More information can be found in Table 16-2, which also offers some tactics for
managing these three types of situations. It can be used as a checklist to identify
error-likely situations.
Chapters 2 to 4 discussed types of human error and their causes – slips, lapses,
and mistakes. Task-specific conditions can contribute to potential errors and
mistakes, such as unclear instructions, task complexity, and inadequate task
experience.
A set of error conditions is given in Table 16-3 to use in task-specific error

assessment, with matching tactics for error management. It can be used as a
checklist to identify high risk situations.
Table 16-2: Task planning tactics for potential high-risk situations

Type Potential situation Task planning tactic
Define safe operating criteria (for
Adverse weather
starting and stopping tasks).
Test equipment as a task pre-
Repeat of past equipment
Anticipated requisite. Recommend additional
faults or process trips
engineered safeguards.
Repeat of past faulty Use a second indicator to, for
instrumentation example, measure pressure.
Draw attention to critical Hold or
Stop points where it may be
Novel equipment defects necessary to stop, regroup and
reassess the risks due to
unanticipated events.
Un-
Delays in prior tasks Define task pre-requisites.
anticipated
Define team competence and
Sudden absence of team minimum number of staff as a task
members pre-requisite and/or identify
replacement team members.
Apply fatigue and staffing controls

Fatigue or stress as a task pre-requisite. See Chapter
15.
Define team competence and

Understaffing or task
staffing level as task pre-requisites.
overload
See Chapter 15.
Verify clear and comprehensive

Latent Poor process
documentation as a task pre-
documentation
requisite. See Chapter 1.
Advise team of equipment
Process equipment not fit
limitations and devise safe system
for purpose
of work.
Stipulate “Hold” or “Stop” points and
Operational pressures or
independent checks to mitigate
delays
time pressures.
Table 16-3: Task planning tactics for different task errors
Error condition Task planning error management tactic

Unclear, incomplete, or Comprehensive and clear instructions. See Chapters 5
ambiguous procedures to 7.
Lack of agreement on best way
Team review to secure consensus
to perform a task
Inadequate competence Assignment of more experienced people.
Comprehensive and clear instructions, task briefing,

Unfamiliar task and condition verification.
Realistic schedule and task checking.
Task design (shielding people from distractions, e.g.,
temporary restriction of access to a work area) and job
aids (see 0).
Task interruptions or Determine the level of use of procedures for a task,
distractions such for 1) reference, 2) continuous use in hand or 3)
monitored.
Stipulate “Procedure place keeping” such as checking
off key steps or Hold points to check task completion.
Task and team design.
Checklists and/or other job aids, Hold or Stop Points,
Long or complex task
and checkpoints. See Chapters 5 to 7.
Independent task checking. See Chapter 20.
Dynamic and situation awareness aids, decision
Task focus reviews.
See Chapter 20
Over commitment of team to Dynamic and situation awareness aids, decision
complete tasks despite reviews.
unforeseen problems See Chapter 20
Realistic schedule and task checking.
Time pressures
See 17.3 and Chapter 16.
Many team members or
multiple teams – leading to Formal communications and logs. See Chapter 19
miscommunication and role Clear roles and responsibilities.
confusion
Unclear, unreliable, or
List all the information needs and verify their
incomplete process
availability.
information
Provide conducive environment e.g., ensure
Poor physical environment e.g., appropriate task lighting, PPE, and sound barriers.
issues with lighting, Specify special means of communicating in a noisy
temperature, workspace, environment, such as hand signals or written
humidity, noise communication.
Allow additional time for task completion.
Equipment not fit for purpose,

Source appropriate equipment.
such as hand tools
• It is possible to foresee error-likely tasks and situations.

• The potential for error-likely situations and error should be foreseen, as
far as possible, during planning tasks, and when creating work
instructions and Permits to Work.
• Work instructions should include mitigation for potential error-likely
situations.
Performance CCPS.
17 Error management in task planning, preparation
and control
• How to avoid “optimism bias” in task planning.

• How to build Human Factors into common process safety management
methods.
This Chapter is relevant to planning maintenance, test and inspections, plant

turnarounds, start-ups and shut-downs, operational readiness, commissioning,
and daily production activities. Such planning may involve operations/production
and maintenance teams.
17.2 Overview
Figure 17-1 provides an overview of Human Factors for task planning, preparation
and control. The results of assessing the impact and likelihood of error from
Chapter 16.4 should feed into task planning and preparation.
Key ways of controlling error in the process industry include:
• Team briefings and discussions;

• Control of work packages;
• System isolation;
• Procedures;
• Competency development;
• Management of interlocks and automatic trips;
• Assured operational readiness (returning equipment to service).
Human factors task planning is necessary for the operational continuity of the
progress of the plan between and among shifts. “Discipline” is required in
performing the familiar phases of permitting, energy isolation, zero energy state
verification, maintenance work and returning equipment to service.
Figure 17-1: Overview of HF task planning, preparation and control
Planning and critical

path analysis
Realistic task scheduling
Assign safety critical tasks
Tactics to minimize Tactics to maintain

distractions and attention in long or
interruptions complex tasks
Team briefings
Control of Work System Interlocks and

packages isolation automatic trips
17.3 Preventing optimism bias in task planning: scheduling
Unrealistic task scheduling can occur due to

optimism bias. This can occur despite past Planning fallacy
experience of longer task completion times.
Predicted task completion
Optimism bias can include people assuming
times are quicker than
future tasks will be performed better or faster
past experience and
than past tasks. assume no problems will
High levels of commitment, a task focus, occur.
and a high-performance culture can all cause
optimism bias. If the team is committed to a
common goal, this may lead to over-commitment to unrealistic schedules. The
communication of important production deadlines can also cause a motivated
team to commit to unrealistic schedules. They may be determined, hardworking,
17. Error management in task planning, preparation and control 191
and committed, and mistakenly believe they can achieve the unlikely or
impossible.
A wish to avoid conflict within a team or a strong team leader may prevent
individuals from challenging schedules. This is sometimes termed “group think”
(see Chapter 19.5). Similarly, a common fallacy (or mistaken belief) is to work
backwards from a deadline to determine the time available to complete a task,
rather than working forwards from an estimate of the time needed to complete
the task. Another fallacy is that increasing resources or setting a challenging
schedule will reduce the time taken to complete a task. The task completion time
may be determined by, for example, the rate of depressurization of a vessel and
whether or not unforeseen equipment faults and defects are discovered.
An open team culture that invites, values, and accepts questions and
alternative opinions is vital. When questions are asked about decision and plans,
they should be explored and understood. People need to be able to trust that their
questions and opinions will be welcomed by their colleagues. This can be helped
by the use of open and neutral language that depersonalizes common goals. Refer
to Figure 17-2 for examples.
Figure 17-2: Open language for inviting questions and opinions

Leaders and meeting facilitators, before ending a meeting, can use a simple
technique to ensure each individual has shared any remaining concerns they may
have. Using their first name, the meeting leader simply asks each individual if they
have any additional concerns or comments to share with the group - e.g., 'Jim, do
you have any additional concerns or comments? This approach is can elicit
concerns more effectively than asking the group as a whole 'Does anyone have any
additional concerns?' The reason for the effectiveness of this approach is simple:
many people simply will not speak up unless asked directly.
If someone is direct and clear in asking questions and stating opinions, this
increases the likelihood of being heard, especially if the team is operating under
time pressure.
In the following examples, the top sentence in the “Do not say” box fails to
recognize the problem. The second sentence may be interpreted as a complaint
and lead to a discussion about whether people are being treated fairly, rather than
trying to check how much time is needed to perform the task.
In the “Do say” box, the problem is clearly stated. The absence of accusation
avoids confusion regarding the required response to the statement.
Fails to state
Ambiguous the problem
Do not say Do say

“I think we might want to look “I think that we cannot safely
at the time required to dismantle dismantle the pump in the
the pump.” scheduled time.”
“You have not allowed enough
time to dismantle the pump. This
is very unfair of you.”
Accusatory
People responsible for planning operational, commissioning and maintenance

work should be trained and coached to be aware of the potential for optimism
bias, group think, and self-censorship. This can help them to spot, capture, and
correct themselves and their colleagues.
Some more tactics for reducing the potential for overly optimistic scheduling
are noted in Table 17-1.
Table 17-1: Scheduling
Tactics for reducing the potential for overly optimistic scheduling
Explicitly and consciously recognize past task completion times.
Compare the experience of teams who performed this task in the past with the
current team. A less experienced team may take longer.
Consider how long it has been since this task was last completed. If it has been a
long time, people may need to spend time to remind themselves of how to
perform the task.
Add an assumed uncertainty, such as +/- 20%, to task completion times.
In the event of a task sequence being interrupted, standard operating practice
can require that people return to the start of the task sequence and verify that
each step has been correctly performed. This time should be factored into the
schedule.
Consider the sequencing of tasks presented in the procedures, any required
checks/interruptions, and how that may impact schedule.
Have an independent third party facilitate planning sessions for larger scale
works, such as plant turnarounds.
Find someone who is independent of the operation and has no accountability

for task performance. Have them act as an independent check on the realism of
the schedule.
Encourage an open culture where team members can challenge plans without
fear of rebuke or ridicule.
Encourage a culture where team members can trust that leaders and colleagues
will respond neutrally or positively.
Thank people who challenge plans.
Strongly promote the importance of safety over other business objectives and
have this as a shared imperative.
Share examples of when upper management chose safety over production
within the company. Share specific examples of when safety was selected over
production at the floor level, and this decision rewarded by upper management.
Explicitly run “Decision Reviews” where team members are required to identify
and state potential problems and delays; and offer alternative plans.
Have team leaders explicitly say that people should “speak up” and not self-
censor if they think plans are unrealistic or if plans have not taken potential
problems into consideration.
17.4 Assigning safety critical tasks
Safety critical tasks and checks should be assigned

to a person who understands his or her task- Permits to Work and
specific roles and responsibilities. work instructions
should list all safety
An example of unclear roles is given in Table critical actions and the
17-2. In there, responsibility had not been clearly person(s) responsible
assigned for the safety critical action of ensuring a for them.
bleeder was closed. As such, the task was not
carried out.
Table 17-2: Barrier ownership to prevent commissioning loss of containment

An example of failing to assign tasks
What happened?
Multiple teams were working on returning a
sour gas charge line into service.
The 1,100 feet (335 meters) line had been
recently repaired and leak checked.
Upon opening the discharge block valves at
the charge pumps, head pressure from the
product storage tank allowed the product to
be pushed to an open bleeder, where loss of
containment occurred.
While making routine rounds, operations
discovered the open bleeder.
Why did it happen?
During the process of aligning the system, a bleeder was accidentally left open.
It was not clear which team was responsible for ensuring bleeders were closed
and completing pre start-up checks.
Define ownership for activities that involve more than one team.
Include verification steps for the following:
• Energy/equipment isolation conditions that require sign off (open

bleeders/vents/drains).
• Identification of management of change (MOC) in recommissioning.
• Hold points for operations to prevent MOC non-compliance when re-
commissioning equipment (e.g., MOC tag on lock box).
(adapted from [66])
Another potential error in barrier management is assigning a task like checking

bleeders to everyone, then no one will do it.
A successful example of barrier ownership is illustrated by Figure 17-3. Two

Pressure Safety Valves (PSV- A and PSV- B) were installed in a gas header to a plant.
These valves were lined up through two 3-way valves, one at the PSV inlet and
other at the PSV outlet.
Before start-up of plant, as part of safety valve checklist (barrier), a verification

round was conducted by the supervisor. The supervisor observed that the inlet 3-
way valve was lined up with PSV A but the downstream 3-way valve was lined up
with the other PSV B. Thus, both the PSVs were non-functional. The line-up of the
valves was corrected, and a possible event was averted through barrier ownership.
Figure 17-3: Barrier ownership prevented wrong valve line up
Wrong line up Correct line up
17.5 Distractions and interruptions
17.5.1 Error-likely tasks and situations
It is important to minimize distractions and interruptions when:
• A task requires a high level of concentration.

• It is important to do actions in a specific order.
• It is necessary to remember information from earlier in the task.
• It is necessary to remember a significant amount of information, such as
the status of multiple pieces of equipment.
• It is a long duration task where it is possible to accidentally miss a task
step due to a lapse of memory, especially when fatigued or tired.
A distraction or interruption may increase

the potential for someone to skip a step
without realizing, or to forget important Distractions can include
information. It is possible for a worker to ambient noise, nearby
think that they have carried out an action, conversations, or nearby
when in fact they are remembering their activities
intention to do the action just before they Interruptions can
were distracted. include colleagues asking
A high level of “ambient distractions”, questions or asking for
such as noise or background conversations, help on other tasks, or
can cause people to not register that background non-work
someone has said something to them, even conversations
if they can be heard. The requirement to
A distraction or interruption may also switch from one task to
cause people to take longer to complete the another requires
task. This can create additional time interruption
pressures and stress, as well as causing
frustration. People may compensate for lost
time by focusing on one part of the task and neglecting other parts of the task.
17.5.2 Tactics for minimizing distraction and interruptions
Some tactics for minimizing distraction and interruptions are provided in Figure
17-4. These can be put in place through a number of methods, including:
• Training teams being aware of the impact of

distraction and interruptions, and the protocol for
when it is and is not okay to interrupt someone.
For example, it is okay to interrupt someone for
an emergency, but it is not okay to interrupt
someone for a non-safety issue.
• The use of error assessment in task planning and
work instructions.
• Including tactics to minimize distraction and
interruption in work instructions.
An option is to define some activities or areas as “Authorized persons only”

where non-essential personnel are excluded by controlled entry systems, and
communication is limited to task-related matters. This may include, for example,
avoiding team meetings within control rooms.
This may be applied especially during peak workload periods, such as starting
up a process, devising Permits to Work, shift handover, or responding to a process
upset.
Figure 17-4: Tactics for minimizing distraction and interruptions
Noise reduction
Task design and planning
Wear hearing protection, use
Do not require people to multitask or
temporary sound barriers, and use
switch from one task to another.
noise muffling equipment.
Schedule low priority tasks in low
Use hand signals and written
workload periods.
communication.
Questions and requests for advice

Distracting activities
Filter requests for help or advice.
Cordon off work areas. Limiting
Route all questions to a coordinator
access. A physical barrier to prevent
who is not directly involved in the
sight of distracting activities can help.
task. They can judge if the question
Assign person to prevent entry of
or request justifies interrupting the
unauthorised persons.
task.
Heads down announcement

Declare a “heads down” period, Conversations
where interruptions and distractions
Limit conversations to the task.
should be limited to high priorities or
emergencies only.
Communication
Low priority alerts Limit communication within the team
to critical points. Use brief and
Minimize low priority alerts and
formal communication to minimize
alarms.
duration of interruption and level of
attention required.
17.5.3 Mitigating the impact of distractions and interruptions
Job aids can be used to reduce the impact of distractions, as discussed in Chapter
5 to 8.
• Checklists can record when a task has been completed, such as with
personnel signoff on each check point. This helps avoid false memory of
task completion after being interrupted. This is sometimes called “place
keeping”.
• Logs can help record information and reduce reliance on memory.
• Hold Points or Stop Points can check that a task sequence has been
completed before proceeding further.
In the event of a task sequence being interrupted, standard operating practice

can require that people return to the start of the task sequence and verify that
each step has been correctly performed. This can be included in work instructions
or Standard Operating Procedures as a requirement.
For example:
“The sequence of actions from step 12 to 20 must be completed without

interruption. In the event of task interruption, the completion of task steps
12 to 20 must be restarted, and they must be positively verified from step
12 onwards.”
Another option is to also train people on how to recover from interruptions.

For example, train them how to consciously verify their last action and place in the
sequence of tasks. This can include techniques such as asking:
• What was I doing? Verifying your

• What was the last thing I did? place in the task
• How do I check where I was in the task?
In addition, an explicit Hold or Stop Point should be declared. This allows a

pause in activity to check task progress, and to check completion of safety critical
actions. A Hold or Stop Point declaration may also mitigate overcommitted or
task-focused people from restarting a task before verifying completion of prior
actions.
If a task has been delayed by interruptions, good operating practice should

include asking for more time to complete the task. This should be allowed all the
time.
17.6 Long and low demand tasks
17.6.1 Attention spans and task failure
Everyone has a limited attention span. The timeframe that people can maintain
attention and concentration varies among people and between tasks. Some of the
factors influencing attention spans are illustrated in Figure 17-5.
Attention and concentration can fail after about 15 to 20 minutes or even faster
in situations of low task demands, especially if:
• People are demotivated.

• People are fatigued.
• It is during a low point of someone’s circadian rhythm (or the changing
energy levels throughout the day).
• It is a low demand and repetitive task.
Some common examples of low task demands include:
• Monitoring an automated high reliability process that rarely experiences

faults or process upsets.
• Long distance tanker driving on motorways.
• Standing watch on a tanker offloading operation.
These activities are long, do not require significant action and require
monitoring of an unchanging situation.
One of the risks of losing attention is that a person may not realize that their
attention has lapsed. This may reduce the ability to recognize a loss of attention,
and therefore reduce the likelihood that they will take corrective action.
Motivated people performing engaging tasks can maintain attention for longer,
possibly a few hours, especially for diverse tasks. However, a long high demand
task may actually exceed peoples’ ability to maintain concentration.
Figure 17-5: Schematic of some factors influencing attention span
Sleep cycle Awake cycle

Hot/humid Temperate
Fatigued Not fatigued
Singular task Diverse task
Low workload High workload
Low motivation High motivation
Shorter Longer
Attention span
17.6.2 Supporting attention
The potential attention span should be considered. Where there is a potential for
loss of attention during a task, some tactics for maintaining attention are noted in
Table 17-3.
Many of these tactics aim to either enable people to take a break from a task
before they lose attention or increase their stimulation levels by factors such as
task or environmental enrichment.
For low demand, task requirements may be created to keep people engaged.
For example:
• Verbal updates of the system status.

• Providing other tasks as a break, such as updating logs.
Taking short but regular breaks or alternating tasks, can help maintain people’s
attention for low demand tasks, such as 20 minutes on a task followed by 5
minutes performing a different task. If two people are performing task, they can
switch jobs occasionally or stop and check each other’s work.
The scheduling of additional tasks needs to ensure that they do not distract
from the primary task. For example, the secondary task may be short or performed
with the primary task still within the visual field of the primary task, such as
completing a log at the same workstation.
People’s circadian rhythms (body clocks) respond to light. People’s energy

levels cycle between periods of feeling awake and periods of feeling sleepy. People
are usually least alert between 02:00 and 04:00, and between 13:00 and 15:00. This
does vary between people. If someone’s sleep is disrupted, they can experience
greater sleepiness during the daytime. Tasks requiring high levels of attention may
best be scheduled for periods of alertness, such as 08:00 to noon, and not
scheduled for periods of sleepiness, such as during night shifts.
Table 17-3: Example tactics for enabling attention

Task breaks
Noise
Enable people to take a break
Low levels of ambient noise
before losing attention
Task enrichment
Task sharing
Redesign the task to increase the
Switch tasks between people
level of stimulation
Ambient environment
Maintain temperature (e.g., around Lighting
65 oF to 72oF/18 oC to 22oC) and Higher levels of ambient lighting
humidity
Shift design
Task scheduling
Adopt good shift design to
Schedule tasks requiring attention
minimize fatigue
to higher energy times of the
See Chapter 15 for more
circadian rhythms
information on shift design
Alert or alarms
Automate high attention tasks
Use to reduce demands on
Via control systems
monitoring
17.7 The Human Factors of control of work packages
17.7.1 The role of control of work packages in error management
Control of work packages, including

Permits to Work (PTWs) and work
instructions, are a standard part of
process safety management. PTWs can
also be called Safe Work Permits (SWPs).
They play important roles in error
management. These roles include:
• Specifying task pre-requisites,

such as equipment and people.
• Communicating a safe system
of work, especially for
infrequent, complex, and
unfamiliar tasks.
• Indicating who is responsible
for safety critical actions, Hold
or Stop Points and checks – to (Reproduced from BP [127])
help spot, capture, and correct errors or unsafe conditions.
• Specifying the level of task verification (See section 18.6.5), such as self-
verification for low risk tasks versus independent checking for higher risk
tasks.
• Ensuring task sequencing occurs to avoid task conflicts. For example,
stopping hot work in areas near to openings of flammable gas tanks.
• Ensuring required isolation and safety actions are carried out before
work takes place, for example, before opening gas pipes.
• Communicating information about safety critical actions and specific
items of equipment, such as stating which valves to close and which
pumps to stop.
• Supporting communication between teams when long tasks take longer
than one shift. For example, where two or more teams need to work
together to coordinate a task through shift handover.
• Supporting shared situation awareness of safety critical activities and
their interaction across teams.
Control of work packages are frequently used multiple times a day. This creates
a potential for people to perceive control of work packages to be too detailed or
unnecessarily prescriptive. If the control of work package is perceived as being too
detailed, this may reduce its acceptance. If the control of work package repeats
generic safety requirements this may also cause people to think they are not
needed.
Sometimes highly experienced and competent persons are required to use

control of work packages. These issues can be more common among experienced
people, who may feel they do not need help.
The operation of an effective control of work package system supports

successful task performance.
17.7.2 Human Factors good practice for control of work packages
Guidance on control of work packages good practice

See Chapters 5 to 8 for
includes the United Kingdom’s Health and Safety
more information on
Executive’s guide “The safe isolation of plant and Human Factors guidance
equipment” [67] and the American Petroleum on the design of job aids.
Institute guidance on isolation [68].
Good Human Factors practice includes ensuring that control of work packages
are used by competent people as part of safety management. It also includes:
• Having different levels of work control and task verification, with simpler
work packages for lower risk or less complex tasks, and more detailed
work packages for higher risk or more complex tasks.
• Using task specific assessment, including error assessment, to develop
the task plans.
• Indicating Hold or Stop Points, Checks, and key safety actions.
• Using quantitative (numbers-based) criteria for accepting test results
and/or stopping an activity.
• Avoiding creating or using generic safety requirements and procedures –
requirements and procedures must be specific to the task.
• Avoiding unnecessary detail that people will already know.
• Raising awareness that Permit to Work should be one of the safety
management systems that must be used properly on all occasions.
• Having a common Permit to Work system across a site and across
functions, to minimize error from factors such as inconsistent layout,
content, and icons etc.
• Ensuring that people who produce and use control of work packages are
competent.
It is also very effective to communicate common mandatory safety

requirements in a simple statement, such as a one-page list. The statement should
identify the mandatory safety requirements that protect against the most common
risks. By being simple it can be understood and recalled.
17.8 Team briefings
Tool Box Talks, Tailgate Meetings (a team briefing at the rear of a vehicle) and other
forms of team briefings are a standard part of process operations.
They are also an important part of error management.
In particular, they can:
• Communicate task expectations and objectives.

• Communicate task-specific information and
knowledge to people, helping to ensure they
know what to do.
• Provide a forum for people to:
o Ask questions and check their
understanding of a task.
o Challenge the realism of plans and identify potential problems.
o Reinforce safety instructions and the importance of following
the safety requirements.
Features of a good team briefing are provided

in Figure 17-6. This can include highlighting errors Tool Box Talks and
that could be caused by unfamiliar tasks, briefings communicate
unreliable equipment, and misguided safety aspects related to
assumptions (e.g., assuming the cause of a fault the specific job.
without checking and without any evidence).
Figure 17-6: Features of a good Tool Box Talk or task briefing.
Provide an overview of the task steps
Highlight hazards, and potential errors or threats
Highlight critical safety actions and Hold Points
Clarify roles and responsibilities
Invite discussion, challenge, and clarification
Confirm task objectives and importance of safety
17.9 Human Factors of system isolation
Common causes of process incidents include:
• Failure to correctly isolate a process before working on it.

• Re-starting operations prior to making a system safe.
17.9.1 Human error in system isolation
Human error can occur in:
• Failing to completely isolate a system. This could be caused by, for

example:
o Confusion about who was meant to isolate a system.

o Having incomplete P&ID, such that the isolation plan is
incomplete.
o Manual valves not being fully closed.
o Omitting a valve that should be isolated.
• Isolating the wrong part of the system or working on the wrong system,
such as due to poor or no labelling.
• Improvising an unsafe isolation, such as having inadequate or
inaccessible blind points, or failing to note blind points on process
diagrams.
• Failing to test the system state, such as not testing:
o Pressure levels.
o Residual content.
o Purging effectiveness.
• Failing to identify an interlock holding back the hazard.

• Failing to secure isolation, such that it may be mistakenly removed.
• Working around an isolation in order to “get the job done”.
• Miscommunicating or not communicating important information, so that
one team is unaware of maintenance work being done by another team.
• Failing to make a new shift aware that equipment was not in a safe state.
• Commencing work too early, such as due to miscommunication, before
a system is fully isolated.
• Forgetting to remove isolation.
While isolation is a frequent and highly practiced task, it can sometimes present
increased risk of error. For example:
• It may involve working on unfamiliar equipment.

• People who don’t usually work on the system may complete the
isolation.
• Equipment or piping changes that were not properly addressed in a
management of change process.
• Equipment in the field may be difficult to access and may have poor
lighting.
• Equipment may have been modified since the last time it was isolated. If
this is not checked, the isolation procedure may be wrong.
• People may forget specific steps or execute an action incorrectly,
especially if they are fatigued, distracted, or time pressured.
As shown by the incident in Table 17-4, experience alone does not ensure
correct performance. Even an experienced operator makes mistakes. It is
important for everyone to check for zero energy – no exceptions.
Table 17-4: An isolation incident: relying on experience

An example of not following an isolation procedure
What happened?
A pig trap was not depressurized before attempting to remove it from a pipe.
When the trap door was opened, a sudden release of high-pressure gas caused
the door to be blown 30 feet (10 meters) across the deck, through two handrails
and overboard.
A worker was injured (the Injured Person - IP) and treated for facial lacerations.
Why did it happen?
The worker did NOT:
• Open depressurization valves to confirm there was “zero energy”.

• Check the local pressure indicator (PI).
The worker was relying on years of

experience instead of following a
safety critical procedure.
The worker was not positioned

sufficiently outside of the line of fire
and got injured but avoided fatality.
Check the pressure indicator and ensure ‘zero energy’ before opening a pig trap
door. Breaking containment is a high-risk activity.
When opening a pig trap door, ensure that staff members are positioned
outside of the direct ‘line of fire’ in order to prevent fatality.
It is vital to understand and follow safety critical procedures.
Compliance with the work management system is mandatory.
(adapted from Energy Institute toolbox [69])

17.9.2 Human Factors good practice for isolation
Extensive guidance is available on isolation Error management

systems and their management [67]. Table 17-5 should be built into
shows Human Factors good practice for isolation management
isolation. These practices aim to: systems.
1. Ensure people permitting and performing

isolations are competent and committed to high isolation performance
standards.
2. Ensure everyone has all the information they need to specify isolations.
3. Reduce the potential for error while performing isolations.
4. Identify error-likely situations in the management in the management,
verification and communication of isolations.
5. The equipment is in a safe state when it is handed back to operations.
The means of securing an isolation should be proportionate to the risk of

isolation failure. The integrity of the isolation should be commensurate with the
risk level. National and local regulations may define the level and type of isolation
required. Most companies will have guidance on isolation requirements, stating
for example that:
• Higher risk isolation should be locked off with secure key control and (as
applicable) removal of actuating devices.
• Lower risk isolations should be locked off with the team controlling the
keys.
Table 17-5: Human Factors of isolation

Human Factors good practice for isolation
1. All persons specifying isolation requirements should understand the
process, its hazards, and correct isolation practices. They should also be
qualified to issue isolation permits and instructions.
2. All persons involved in isolating systems should understand the isolation
requirements and procedures, their status, how to verify an isolation, how
to test the system state (e.g., pressure testing), and how to record
isolations.
3. All mechanical and electrical isolations applied to a single point of work
should be coordinated, such as in a single job pack.
4. Maintain a single point of logging and overseeing isolations for each job.
5. Where the sequence of isolation is important, it is necessary to use an
integrated process of verifying each isolation by use of Hold or Stop Points.
6. All pipes, vessels, and process equipment should be permanently labelled.
7. All labels should be simple, visible, and unambiguous (clearly worded).
8. All pipes, vessels, and process equipment should be on up-to-date P&ID,
schematics, or their equivalent.
Human Factors good practice for isolation

9. P&ID, schematics, or their equivalent, should clearly indicate all
connections and routes by which product may, for example, enter a vessel,
to allow all required isolation points to be identified.
10. P&ID, schematics, power supply diagrams, or their equivalent, should
clearly indicate all associated equipment that needs to be deactivated to
prevent accidentally restoring supply to isolated systems.
11. P&ID should be marked up to show the connected lines/systems, the
isolation valves and spading (blinding) points, test points etc. to help
visualize the extent of the isolation envelope.
12. The line should be walked as part of the development of the isolation plan,
to confirm the plan with the workers.
13. The open/closed position of isolation valves should be visible and
unambiguously indicated. It should be possible to verify the isolating valve
is 100% closed and not allowing gas or liquid to pass through.
14. It should be possible to tag and lock off manually operated isolation valves,
blinds, power supplies, and other isolation equipment.
15. Include a test or “try step” to verify isolation before commencing works.
This should be a positive method of verifying isolation or disabling of
energy sources.
16. There should be a test/sampling point for each and every section of
isolatable pipework, vessels, and other equipment.
17. Testing points, such as sample outlets and pressure valves, should be
accessible.
18. Isolation and bleed points should be close to the point of maintenance (to
aid task coordination).
19. Ensure physical access and lighting for all isolation, blinding, and bleed
points.
20. The “line” should be walked, by someone who did not perform the
isolation. to verify it is in a safe state prior to hand back to operations.
21. All Permit to Work (PTWs) and other job aids should include unambiguous
Stop or Hold Points for isolation to be verified and recorded before work
begins or continues.
22. Documentation and status boards should unambiguously and simply
represent the system state.
23. Shift handover systems should clearly communicate the system status.
24. Compliance with isolation requirements should be treated as mandatory.
25. A contemporaneous record of isolations should be documented to reduce
the risk of missing an isolation (for example via an isolation certificate/
checklist).
26. Any variation to the isolation procedure must be authorized.
If an existing system does not meet the good practices in Table 17-5 and it is
impossible to improve it, then problem locations should be identified, documented
and communicated in team briefings and instructions.
17.10 Human Factors of managing interlocks and automatic trips
Interlock systems detect out-of-limit or abnormal conditions, or improper

sequences. This either halts further action or starts corrective action.
Interlocks may be mechanical, digital, or electrical systems.
An automatic trip occurs when a system response, such as a Distributed
Control System (DCS), acts to put a process into a safe state. An example could
be when a safe operating limit is exceeded, the DCS closes a valve to address
the high level, and the level is returned to normal.
17.10.1 Interlocks and trips as a form of error management
Interlocks and automatic trips are important and frequently used methods of error
management. They are methods of stopping errors and mistakes from causing an
incident. For example, they can reduce the potential for someone to open a
drainage outlet on the wrong vessel (that is full of product).
17.10.2 Why people defeat interlocks and override trips
Systems and equipment must be locked out before working on them. In some
cases, people may not realize that a system should not be operated or is in an
unsafe state. For example:
• Confusing two similar storage tanks (one full and one empty). Operating
on the full one, while thinking that the interlock can be safely defeated
because the tank is empty.
• Incorrectly thinking the system has been isolated and purged, due to a
communication error or starting work prematurely.
These mistakes may lead to someone attempting to work on the wrong system,
without realizing their mistake. They then, in good faith, defeat the interlock to
allow them to complete their work.
Past incidents show that, in some cases, it can become routine to bypass or
defeat interlocks. Some of the reasons for doing this may include:
• A history of unreliable instrumentation causes operators to assume

interlocks are actuating unnecessarily.
• Interlocks are defeated to allow

someone to “get the job done”, Highly competent and
with an assumption that other experienced people defeat
engineered protection will assure interlocks.
safety.
They believe that they
• Interlocks are often left by- understand the system and
passed at the end of a calibration can safely bypass or defeat
procedure. the interlock, to help “get the
job done”.
Routine and occasional defeating of
interlocks is more likely if one or more of
the following apply:
• The interlock is easy to defeat.

• Disabling interlocks has become an accepted practice.
• The trips or automatic safety systems are easy deactivate, such as a
toggle switch to turn off gas detection.
• Process instrumentation is known to be faulty.
• A high frequency of equipment faults or process upsets requires people
to frequently shut down and fix faults.
• Lack of local indication. Instead of going back to a control room to check
indicators, the operator relies on their recollection of isolation and
system status and defeats the interlock in the belief that the system is
isolated.
• No indication, alert, or alarm to notify control room operators that an
interlock has been defeated.
These conditions can make it easy to defeat an interlock, with limited

opportunities for others to correct it.
An example of a fatal accident where an interlock was defeated is in Table 17-6.

Table 17-6: Example of defeating an interlocked valve

Formosa Plastics Vinyl Chloride
Explosion, 2004
During a cleaning operation, an operator
went to the wrong vessel. The operator
went to a reactor vessel which was
operating under heat and pressure and
contained vinyl chloride instead of a
vessel containing water. The reactor
(Reproduced from CSB) vessels, while numbered, were identical
and grouped in identical layouts.
The operator tried to open the bottom valve to release cleaning water into a
drain. When the bottom outlet valve did not open, the operator used an
emergency airline to open the valve. The emergency airline was available next
to the valve but was only to be used with authorization, which was not given.
The valve opened and vinyl chloride was released.
The CSB also produced a video of this incident [21].
17.10.3 Human Factors good practice for interlocks and trips
Robust methods of system and equipment interlock, tags, and lockout are
essential. Guidance on interlocks and their management is included in the
International Standard EN ISO 14119:2013 [70]. This notes, for example, that there
should be clear procedures describing the conditions where bypasses are
acceptable, any approvals required, and time limits for bypasses. The use of
bypasses should be infrequent and for a limited duration of time.
Some Human Factors guidance is given in Table 17-7. These ideas aim to
minimize the conditions for incorrectly defeating interlocks, specifically to:
1. Reduce the well-intended but mistaken motivations for defeating

interlocks.
2. Make it harder to defeat interlocks and trips.
3. Maximize understanding and recognition of the risks from defeating
interlocks and trips.
4. Increase opportunities to detect and correct the defeating of interlocks
and trips.
These tactics can be supported by an open culture that encourages people to

speak about conditions, such as unreliable equipment, that may create pressure
to defeat interlocks and trips. One attribute of a positive safety culture is the
understanding among operators and technicians to ask one another checking
questions such as, “Did you return that valve to the open position or was Pump X
returned to on-line?”.
Point 14 in Table 17-7 refers to a second person independently checking the

safe completion of tasks. The level of independence may be linked to the safety
criticality of the activity. The most safety critical activity may require an
independent person to be brought in from a different team or from an audit team,
for example. A lower risk activity may involve one member of the team checking
the work of other members. This latter arrangement has a risk of the checker
assuming that colleagues are competent and therefore not effectively checking
their work. A strong culture is required that recognizes the importance of task
verification and the possibility of error.
Table 17-7: Human Factors good practice for interlocks and trips
Human Factors good practice for interlocks and trips
1. The removal of an interlock should only be allowed as part of a Permit to
Work or equivalent management control procedure.
2. The activation of trips should be clearly stated or enunciated and
recorded in system logs.
3. Compliance with interlock rules and procedures should be a mandatory
rule.
4. Faulty or unreliable equipment that causes frequent process interruptions
and “workarounds” should be fixed or replaced.
5. Faulty or unreliable instrumentation that may cause people to disregard or

override trips should be fixed or replaced.
6. Systems and operating limits should be designed such that it is
unnecessary to override a trip in order to perform normal process
operations, start- up, or shut down.
7. Production and work schedules should be realistic and therefore not
create excess pressure to “get the job done”.
8. All pipes, vessels, and equipment should be clearly labelled to minimize
working on the wrong equipment.
9. Process instrumentation, gauges, signage, and status boards should clearly
indicate the system state.
10. The permitted disabling of (for example) interlocks, trips, and gas detection
should be clearly labelled, displayed on status boards, and logged.
11. It should be difficult to defeat an interlock.
12. Dummy keys, overrides, bypasses, and emergency airlines should be
secure. Their use should be controlled by formal permit systems.
13. Interlock key access systems should be designed so that it is obvious that
keys are in use.
14. Passwords to access control systems must be kept secure.

Human Factors good practice for interlocks and trips

15. The permit to work process should involve a second person. This person
should independently check the task, so that they can detect mistakes
such as working on the wrong system or working early on an unsafe
system.
16. The safety rationale for interlocks (including protecting against the
possibility of engineered protection failing) or working on the wrong (live)
system should be part of training and certification.
17. The testing of an interlock after its maintenance, to verify its effectiveness,
should be a mandatory and permit controlled activity.
18. The routine defeat of interlocks and trips should be recognized as a sign of
declining safety standards and acted upon immediately.
19. Defeating interlocks and overriding trips without a permit should be

investigated and learned from.
• Realistic tasks plans should create the conditions for successful task
performance and anticipate high risk situations.
• Many common elements of process safety management are also key
aspects of error management, including Permits to Work (work
instructions), team briefings, interlocks, and isolation procedures.
• These elements of process safety management need be managed to be
highly reliable, resistant to human error, and meet good Human Factors
practice.
Performance CCPS.
18 Capturing, challenging and correcting operational
error
This Chapter provides an overview of techniques on recognizing behaviors that

may lead to an error. It also provides information on how to recover from error.
• Understand factors contributing to human errors.

• Identify training elements and organizational factors required for error
prevention, detection, management and recovery.
• Identify techniques used to prevent, detect, manage, and recover from
errors.
18.2 Failing to spot, challenge, and recover from errors
The Energy Institute’s “Toolbox” provides many examples of failures in spotting,

challenging, and recovering from error. One example – where draining pumps
leads to product release – is shown in Figure 18-1, and repeated in Table 18-1.
Figure 18-1: Draining pumps
(reproduced with permission [71] )

Table 18-1: Draining pumps leads to product release
(adapted from [71] )
Example of a failure in detecting error: Energy Institute – Draining pumps

leads to product release
What happened?
Workers were rolling blinds open on the process side of product pumps, so
that they could be drained.
A worker loosened a flange on the active side of the isolation valve, causing
the release of heavy coker gas oil.
Why did it happen?
During a previous project the flange had been incorrectly installed. It was
therefore on the active side of an isolation valve and should not have been
opened.
The flange was still included in the isolation procedure.
The workers’ permit and jobsite visit did not identify that the flange had been
incorrectly installed.
It is important to update piping and instrumentation diagrams (P&IDs) and
procedures. They must be accurate. Undocumented changes can be missed.
It is important to confirm that P&IDs are accurate when planning a job.
Proactive detection and correction of errors prevents accidents and leads to faster
recovery. Limitations to individual cognitive capability can be enhanced by
effective teamwork, including checking and error reporting. Teams that detect,
report, and learn from errors are high performing, resilient teams.
The causes of the draining pump error probably lay within three main Human
Factors. These are as follows:
• Failure in processing information – this failure occurred via the

sensory system, memory, decision-making, and subsequent actions.
o Sensory failure/impaired situation awareness – there had been a
failure to notice the incorrectly installed flange and related P&ID and
procedures. This sensory failure occurred with the worker loosening
the flange, their co-workers, and employees carrying out site visits.
o Memory lapse – the worker who loosened the flange on the active
side of isolation may also have suffered a memory lapse, not
remembering the correct location of the flange, or the process of
draining the pump. Equally, the potential cause could be an
organizational memory lapse around wrong installation of flange.
18. Capturing, challenging and correcting operational error 217
• Failure in task verification – if task verification had been conducted

correctly (by a peer or through other independent verification) the
mistakes in the drawings or installation would likely have been detected.
• Failure in error challenge skills – in the instance that someone had
previously detected the fault in the P&ID and procedures, it could be
that they felt unable to challenge or report the error, due to fear of
repercussion, or lack of communication skills or error challenge skills.
A useful source of information on latent error detection is provided by Saward

and Stanton’s book - ‘Individual Latent Error Detection (I-LED): Making Systems
Safer’ [72].
18.3 Why do we fail to capture, challenge, and correct errors?
Human performance is affected by cognitive ability. Human errors, related to

cognitive ability, can be grouped into four categories or stages – sensory, memory,
decision, and action [73]. These are shown in Figure 18-2 and explained next.
Figure 18-2: Categories of cognitive error
1. People first process information through sensing what is happening

around them (use of sight, hearing, smell, taste, touch, and balance).
2. Next, information is retrieved from the memory.
3. Then, a decision is made on how to respond.
4. Finally, actions are initiated based on the decisions made.
An error can occur at any of these stages. Understanding this process is an

important step in learning to manage error effectively. Reasons for failures in
detecting, correcting, and/or challenging errors are shown in Figure 18-3.
Figure 18-3: Factors contributing to error

Biases that impair cognitive processes, and prevent people making
Cognitive objective judgments about the situation and possible consequences.
bias These include tunnel vision, confirmatory bias, similarity bias, and
escalation of commitment.
This is based on title or role. Senior members of the team or organization

make decisions or initiate actions that, in some cases, may not be correct.
Subordinates are afraid to challenge the individuals in power, due to fear
of repercussions, or due to cultural norms (e.g., do not challenge
Positional individuals in authority). Hofstede’s [74] cultural dimension of ‘power
authority/ distance’ (i.e., the degree to which the less powerful members of
Authority institution accept and expect that power is distributed unequally) refers
Bias to the concept of positional authority. Individuals from cultures that
value high power distance are very deferential to figures of authority and
generally accept an unequal distribution of power. Individuals from
cultures demonstrating a low power distance readily question authority
and expect to participate in decisions that affect them.
Fixation on a task often leads to displaced situation awareness.

Task focus Individuals miss additional clues from the environment, outside of the
task in hand. Task focus often prevents errors being corrected.
Working under tight time schedules causes individuals to use procedural

Time
shortcuts and workarounds to meet these deadlines, which often leads
pressures
to error.
High levels of stress impair individuals’ cognitive processes, such as not

thinking clearly, not making objective judgments, and experiencing
Stress
memory lapses. This may result in individuals failing to detect and correct
errors.
Limited When individuals have completed the same task successfully on repeated
self- occasions, they become complacent, believing everything will be fine, as
scrutiny it typically has been.
18.4 Coaching people to recognize risk of making errors
18.4.1 Training in error capture
An appropriate level and type of training or coaching can improve an individual’s

self-awareness. It can also decrease errors and helps to improve recovery from
error. High hazard industries (including process industries) have started
implementing or integrating error training and coaching within their training
programs.
The success of error coaching depends upon the attitude of the recipient. A
defensive response can shut down the error reduction effort.
An example of error training from the process industry [75] is shown in Table
18-2.
Table 18-2: Error management training and coaching
(adapted from [75])
Chevron North Sea Limited (2016) – error training

1. Chevron North Sea Limited employs Incident Free Operations coaches
who deliver support to operations offshore. The aim is to deliver Incident
Free Operations.
2. Chevron North Sea Limited has implemented error prevention training
based on the Team Error and Violations Analysis Method (TEVAM).
3. The aim of this training was to improve controls, and to develop tools and
safe habits that workers can apply to reduce the likelihood of human
errors at the workplace.
4. Five training modules were prepared for offshore personnel:
• Two modules for leaders (managers and supervisors).

• Three modules for all employees but aimed specifically at frontline
staff.
5. A Human Performance (HP) framework was developed to explain the

conditions in which human errors are more likely to occur. This
framework includes error due to time pressure, fatigue, poorly designed
procedures, and flawed control systems.
6. The focus was on nine categories of error-producing conditions including:
(1) work environment/ergonomic issues, (2) procedures, (3) lack of training
or knowledge, (4) multi-tasking and levels of concentration, (5) complexity
of tasks, (6) individual factors, (7) team-related issues and communication,
(8) time pressure or high workload, and (9) non-compliance with rules.
7. The training also focused on:
• Cognitive bias leading to poor decision-making and errors.

• How to manage conditions that contribute to error.
• Human performance tools such as three-way communication, peer
checking, concurrent verification; jobsite review, and contingency
planning.
8. The core concept of the course was “creative mistrust”, where the emphasis
was on constantly being aware, continually improving safety performance,
and anticipating potential issues. Trainees were taught how to think
through tasks and identify where errors can occur.
9. The program received excellent feedback from employees. The feedback
was based upon surveyed data and anecdotal evidence.
18.4.2 Observable behaviors
Many errors could be prevented if individuals were more aware of their own and
others’ actions. Table 18-3 shows examples of observable behaviors that are likely
to lead to errors. Knowledge of these behaviors could help workers to prompt
themselves and each other that something is amiss, to regain focus and situation
awareness.
Table 18-3: High-risk observable behaviors

Behaviors leading to error
Becoming withdrawn or closing down in terms of communication.
Very task-focused behavior.
Signs of stress e.g., anger, irritability, detachment, disengaging from
surrounding activities, erratic behavior (that is different to normal or out of
character).
Difficulty processing information e.g., repeatedly asking the same questions,
or difficulty following instructions.
No self-check of work.
Complacency or overconfidence in own ability.
Signs of fatigue such as sleepiness, slowed reflexes and responses, and
moodiness.
18.5 Error Management Training
18.5.1 Learning about error
Error Management Training emphasizes the fallibility of

See Chapters 2 and 3
humans – we all make mistakes, and human errors often
for information on
contribute to incidents. Trainees are taught to self-check
error and threat
their own work and the work of others; and avoid analysis.
completely assuming on robust equipment or
competent colleagues.
Error-prone situations, coupled with time pressure and task overload, and
error inducing factors such as fixation, stress, trepidation, or confusion can lead to
unsafe behaviors. This can result in slips and lapses as shown in Figure 18-4. This
is an example of a simplified error taxonomy used for training operational
personnel. Educating or training people about factors contributing to errors,
makes them more alert to errors and consequently more likely to:
• Detect errors in themselves or others.

• Challenge errors.
• Learn from errors and use the information to prevent future incidents and
accidents.
Figure 18-4: Error contributing factors
High risk or
complex tasks
Error contributing factor
Task Fixation Stress Trepidation Confusion Time

overload pressure
Error condition
SLIPS LAPSES
18.5.2 Learning through error
Learning through error training explicitly encourages learners to make errors

during training, so that they can learn from them. Error is seen as an opportunity
to learn and as a way to improve competency and build resilience.
Error Management Training is different from the traditional forms of training,

such as procedural or purely exploratory training. This is because:
• Participants are given little guidance and are encouraged to actively

explore and experiment on their own.
• Error Management Training creates a learning environment in which
errors are likely to occur.
The process helps learners to understand concepts better, and to learn

strategies to quickly recover from potential future errors. The method allows
learners to apply what they learn across a varied set of circumstances, and across
different job roles and job levels, including operators, supervisors, and managers.
It can also help people develop mental resilience for dealing with the
consequences of their errors in operational settings. Mental resilience means
being able to recover quickly from difficult situations. Practicing recovering from
error can help develop self-confidence, and thereby help people maintain focus
after making an error.
Training on error management targets three core cognitive skills groups [76]:
• Information management.
• Planning and mental simulation.
• Monitoring and evaluation.
More information is provided in Figure 18-5.
It is vital to enhance organizational awareness of sources of error, and to train

the workforce to proactively implement non-technical skills and error prevention
techniques. This is because raising awareness of error and its prevention will help
people to become better able to prevent, detect, and respond to early signals or
warning signs of human error before they turn into an incident or accident.
Figure 18-5: Cognitive skills required for error self-management
Attention and vigilance
Information
management
Information gathering and search
Plan formulation
Planning and mental

Problem diagnosis
stimulation
Systematic decision-making
Self-monitoring
Monitoring and
Systematic scans and checks
evaluation
Divergence detection
18.5.3 Building resilience from error recovery
Training on error prevention also includes building resilience. That is, the ability to
recover quickly from difficulties, otherwise known as “mental resilience”. Resilience
training is based on the idea that operators can be helped to bounce back from
difficulty or change. They can also be helped to learn to cope better with the
demands around them. This is achieved by a slow, step-by-step introduction to
complex, high hazard, life-saving, or threatening scenarios.
Trainees start at lower level or less stressful scenarios. For example, they
complete a well-rehearsed evacuation procedure within 10 minutes. They then
move to high-level or more complex tasks. For example, they have to complete an
evacuation procedure in new or unexpected circumstances within two to three
minutes. The training aims to develop individuals’ resilience and their ability to
cope with highly stressful situations, by slowly increasing the challenge and by
allowing them to recover from error in a safe environment.
Training on building resilience builds upon other non-technical skills, such as

communication and decision-making, to enable individuals to manage errors
effectively. The content of the training would normally focus on:
• How to identify, assess, and manage risks, as well as threats presented

by unpredictable situations.
• Topics such as:
o Emergency planning and emergency preparedness.

o Command control and coordination.
o Emergency response.
o Psychological aspects of emergencies.
o Recovery from emergencies and disruptions.
18.6 Enabling challenge of task performance
18.6.1 Psychologically safe environment
Psychological safety is to do with an individual’s willingness to express concerns,

including process safety concerns, without fear of consequences. It is influenced
by organizational efforts to promote trust, creating a psychologically safe
environment, and managing inter-team dynamics, as shown in Figure 18-6.
A psychologically safe environment allows people to identify areas of weakness

in safety and resolve them before they contribute to error. Psychological safety is
important in complex environments, where error may have serious safety
consequences, and where individuals or organizations may be held responsible for
adverse consequences.
Psychological safety plays an important role in: [77]
• Facilitating the reporting of errors and unsafe behaviors. This enables

errors to be identified, learned from, and improvements made to
prevent repetition.
• Facilitating open discussion of error, understanding errors, and unsafe
behaviors.
Organizations should create a trusting environment where reports of incidents,

errors, and near misses will be acted upon effectively and used as a learning
opportunity. In other words, emphasis should be on ‘Just Culture’ [78]. People who
report should also know that they will be treated fairly. Improved reliability and
safe operations are enhanced by creating a sense of trust, encouraging a climate
of respectful questioning, providing a common purpose, and ensuring effective
management of inter-team dynamics.
More information on psychological safety, can be found in Timothy Clark’s

(2020) book “The 4 stages of psychological safety: defining the path to inclusion
and innovation” [79] and in “Fearless organization” by Professor Amy Edmondson
[80].
Figure 18-6: Factors building psychological safety
Psychological safety
Creating a psychologically Managing inter-team

Promoting trust
safe environment dynamics
• Not victimizing reporting
• Fostering a climate of • Valuing diversity and
• Acting upon errors, near respectful questioning working with different
misses, and incident cultures
• Discouraging self-
reporting
censorship • Resolving conflict
• Using errors as a learning
• Using errors as a team • Promoting team
opportunity
learning opportunity mindfulness
18.6.2 Error detection tactics
Humans are prone to errors. Using error detection tactics may reduce the
potential for error and safety non-compliance occurrence. Examples of these
techniques are noted in Table 18-4.
As noted in the table, the error detection techniques rely on teamwork and
verification by others. It is more likely that someone will spot aspects that have
been previously missed, if one or more other individuals review the task. It also
ensures that the cognitive limitations of one individual can be mitigated or “offset”
by that of another team member. This helps to prevent errors due to impaired
situation awareness, memory lapses, and incorrect perception of the situation.
These techniques do not replace self-checking, which should be conducted in
parallel to the peer or team-checking techniques noted next.
Chapter 17 covers techniques for capturing communication errors.
Table 18-4: Error detection techniques
Error detection techniques (also referred to as ‘four eyes principle’)
Verbalizing activity – this means providing a step-by-step description of the

activity or task that the individual is conducting. This enables others to better
understand the current condition of the activity.
Second person monitoring – have another person with a hands-off role to

monitor the individual’s task and the surrounding environment.
18.6.3 Error challenge skills
Challenging others’ behaviors, when danger or harm has occurred or is imminent,

is an essential skill in safety critical tasks. Challenged individuals are more
responsive to an exploratory style of challenge, which encourages co-operation
(for example, gentle questions that explore the reasons behind their actions). They
are less responsive to a confrontational style of challenge, which makes people
less likely to co-operate (for example, blaming or scare tactics). Examples of “what
to say” and “what not to say” are in Figure 18-7.
Error challenging skills include the following elements:
• Ability to provide and receive feedback:
o Provide feedback that is timely, task specific and non-judgmental.

o Perceive feedback as a learning opportunity, rather than a personal
judgment of someone’s abilities.
• Active listening and appropriate response to concerns:
o Focus on the content and intent of the questions.

o Provide detailed answers containing all relevant information.
o React appropriately to negative feedback by asking how things can
be improved, rather than becoming defensive.
• Feeling able to report one’s own errors and concerns, without fear of
repercussions.
If an error occurs, using neutral language such as “What happened” and “How did
that happen” can help people speak about events without fear.
Figure 18-7: Challenging skills
18.6.4 Recovery from error
It is not possible to prevent all errors. Some tips on how to recover from error in
an operational setting are shown in Table 18-5.
Table 18-5: Examples of error recovery techniques

Error recovery
Practical execution
technique
Challenge The team takes an objective look at what is happening
perceptions (based on evidence) and possible actions to take.
Team reset is required to:
• Diagnose the current state of the team. For
example, identify team conflict and team
characteristics such as risk taking.
• Address the elements that act as a barrier to
effective teamwork, and that prevent the team from
Reset the team
resetting. For example, conflict or blame culture.
• Create team norms – set up new behavioral norms,
such as peer checking of each safety critical activity.
• Set team goals – create new goals for safety
standards. For example, strive for 0% workplace
injuries.
Discuss consequences of error from various
Recognize the
perspectives. For example, consequences for the
consequences of
employees, the company, customers, and the wider
error
society.
Ask team members to discuss what could have been
Encourage
done differently, and how another person’s contribution
collaboration
could have helped with detecting the error in a role.
18.6.5 Task verification It is important to ask an individual

Error prevention requires application of a who is not part of the team or not
risk-based approach to determine task involved in the task to conduct
verification needs. “Risk-based” means the task verification (e.g.,
prioritizing or categorizing based on risk independent verification).
level. In this case, the task verification Inclusion of an independent
approach should be appropriate for the person in task verification
risk level. reduces bias and subjective
judgment.
Task verification supports timely
identification and correction of human
failures. Some examples of task verification are shown in Table 18-6.
Table 18-6: Types of task verification

Tool Application Risk Level
The individual thinks about the intended action,

Self- understands the expected outcomes before
Low
checking acting, and checks the intended results after the
action.
This involves the individual self-checking and a

Peer-
peer checking for the individual at the same time, Medium
checking
and together agreeing what the correct action is.
Independent One individual separated by distance and time

High
verification from the action confirms the conditions.
Two individuals working together at the same

Concurrent time and same place separately confirm the
High
verification conditions. Independence of team member is
important here.
Successful task verification requires:
• Clear understanding of roles and responsibilities.

• The checker understanding the potential errors and their consequences.
• Utilization of checklists to support reliable performance of check.
• A physical environment that is free from distractions, especially for high-
risk tasks.
• Learning from errors identified during checks.
• Common Human Factors reasons for failures in spotting, correcting, and

challenging errors include cognitive bias, positional authority, task focus,
time pressure, stress, and limited self-scrutiny.
• Educating and training people about factors contributing to errors
makes them more alert to error and consequently more likely to:
o Detect error in themselves or others.

o Challenge error.
o Learn from errors and use this information to prevent future
incidents and accidents.
• Implementation of error prevention techniques may increase the

duration of tasks completion, until the individuals had developed the
required skills. Pressuring a team for faster performance during the
initial stages of skills development, may have the opposite effect and
increases likelihood of error.
• Effective strategies to detect, manage, and recover from error include:
o Error Management Training and coaching.

o Building resilience from error recovery.
o Creating a psychologically safe environment.
o Task verification, such as Human Based Checking.
Performance CCPS.
19 Communicating information and instructions
• How and why miscommunication can occur.

• High reliability communication techniques for safety critical tasks.
• High reliability communication between shifts.
This Chapter focuses on the communication of operational information and

instructions.
19.2 Incident example
A communication failure contributed to the 1998 explosion of the gas plant in

Longford, Australia [20], which is summarized in B.3 (page 387).
A heat exchanger had become very cold, after loss of lean oil flow, and was
leaking. The intention was to recommence the flow of warm lean oil. A production
coordinator realized the flow rate of warm lean oil into the cold heat exchanger
needed to be reduced to prevent brittle fracture. Brittle fracture occurs when
metal is exposed to a temperature below its minimum design temperature and is
then pressurized without warming above its minimum design temperature.
The summary of miscommunication follow ( [20], p59):
• The production coordinator noticed that a valve (TRC4) was open.

• Valve TRC4 needed to be fully closed to allow another valve (Valve 1) to
open. Valve 1 needed to open in order to reduce lean oil flow. Closing
one valve (TRC4) would allow another valve (Valve 1) to open.
• The production coordinator asked an operator to close valve TRC4.
• The operator misheard and thought the production coordinator had said
PRC4.
• PRC4 was closed by the operator. The lean oil flow was not changed.
• The production coordinator stood by Valve 1 in order to observe it open
(it did not open).
• The operator then confirmed by radio that he had closed valve PRC4.
The production coordinator misheard and thought the operator had said
TRC4.
Shortly afterwards the heat exchanger fractured due to cold metal

embrittlement, releasing the hydrocarbon vapor which exploded.
This was a very complex event with a series of equipment failures, errors, and
mistakes. It escalated over about five hours. There was a high volume of
communication between dispersed personnel by radio. They were communicating
safety critical information. As the event escalated, actions should have been
performed quickly.
There were omissions in the verbal

communication of plant state, including A complex safety critical
concerning levels in an absorber, and operation involving a high
between the preceding night shift and the volume of communication
day shift. There were also omissions in a log requires a high reliability
(reasons for not operating a locked and communication process.
tagged bypass valve).
The verbal communication technique

was weak and prone to error. There was a simple mishearing of “P” instead of “T”
over the radio. The production coordinator heard what he expected to hear – a
“typical” human error.
19.3 Causes of poor communication
People in process plants often communicate with one another from different
locations, such as from a control room to a remote part of the site. People may be
working in an area with high levels of noise from equipment and may be wearing
hearing protection.
Words and sentences can be partly obscured by “radio noise” or weak signals.
The recipient may mishear what is being said or incorrectly “fill in” the missing
words.
People have a limited cognitive capacity for receiving information. Information

(including verbal communication) is filtered to avoid overload. This is known as
“selective attention”. Selective attention makes it possible to think and make
decisions without being overloaded. It also creates a risk of unintentionally and
unknowingly filtering out safety critical information. In addition, as noted in 16.3,
people may be focused on a task or multitasking. This creates a risk that audible
verbal communication is not registered by the recipient.
If the amount of information being communicated exceeds the short-term

memory, then some of the information will be forgotten.
It is often necessary in a process environment to communicate precise

information, such as a valve number, or give warnings or instructions for safety
critical tasks. If words, letters, or numbers are used that sound similar to other
words, letters, or numbers, the recipient is more likely to hear something different
to what was said. For example, the letters “D” and “P” are easily confused, as are
19. Communicating Information and Instructions 235
“B” and “P”. This means that if, for example, valves are referred to a valve B123 and
valve P321, the B and P may be misheard.
Unclear articulation, ambiguity, and using words with double meanings can
each contribute to miscommunication.
Sometimes when a recipient is repeating back information, the original speaker

doesn’t actively listen to the instruction or information that is repeated back.
Instead, they just assume that the words repeated back are what they said. People
sometimes hear what they expect to hear, rather than what is actually said. This is
called a “hear back error”.
19.4 Human Factors of communications
19.4.1 Overview
Safety critical task analysis can identify which tasks are safety critical, and which
tasks involve communication of safety critical information (See Chapter 1).
Common examples of safety critical communications include:
• Communicating items of equipment e.g., which valves to operate or

close, or which gauges to read.
• Communicating settings, such as flow rates and pressure levels.
• Communicating the status of a system, such as whether it is live,
pressured, or isolated.
• Communicating alerts and warnings.
• Communicating during an emergency response.
A simple and high reliability communication system is important during time-

limited emergency responses, where people are stressed (with limited attention
span) and/or have very high workloads.
Multiple restricted radio frequencies can be used to avoid multiple

conversations and unrelated discussions
19.4.2 Communication protocols
In safety critical situations a formal high reliability communication protocol may be

used. Table 19-1 summarizes aspects of high reliability communication. These
tactics aim to:
1. Prevent communication error by use of reliable verbal techniques.
2. Repeat partly obscured communication.
3. Help capture communication errors.

One good practice is to use the NATO/ICAO [81] phonetic alphabet and number
pronunciation, such as Delta and Bravo for D and B, and NINER for 9. These types
of communication protocols are commonly used in aviation, emergency service
and military settings.
Table 19-1: Verbal and communication techniques
Type of
Don’t Do
communication
Articulation Enunciate poorly. Articulate clearly.
Rate of speaking Speak rapidly Speak at a moderate pace
This example uses the
Communicating NATO/ICAO phonetic
item of Use everyday letter and
alphabet and number
equipment to number sounds.
pronunciation.
operate “Valve D B fourteen.”
“Valve Delta Bravo one
four.”
All critical Assume you have been heard Ask for the message to be
communication correctly. repeated back to you.
Communication Use the 12-hour clock. Use the 24-hour clock.
of times “Four o’clock” “Sixteen hundred hours.”
Use words with two or more
meanings.
Use words with only one
Words with “Please give me a ‘conservative’
meaning.
double estimate of the flow rate.”
“Please give me an estimate
meanings This can be interpreted as a
of the maximum possible
request to estimate the
flow rate.”
maximum or a low rate of
flow.
Precision Use imprecise terms. Use precise terms.
“The tank will be full ‘soon’.” “The tank will be full in two
to three minutes from now.”
Avoiding Use words which if partly Use words that if partly

presumption of heard may have two heard have no other
meaning of meanings. meaning.
obscured words “Affirmative.” “Correct.”
Where “affirm” could be If “corr” is obscured, “ect”
obscured, and “tive” assumed has no meaning and
to mean “negative”. would require repetition.
Type of
Don’t Do
communication
Use words in a sentence
Use words in a sentence that that if partly heard cannot
if partly heard have a be misunderstood.
different meaning. “Pipe Victor Charlie one
Use of words in “It is not safe to open pipe eight is pressured. Keep
a sentence Victor Charlie one eight outlet.” valve closed.”
If the word “not” is obscured If “pressured”, “keep” or
the recipient may hear “It is “closed” are obscured, the
safe to open the pipe outlet”. sentence makes no sense
and must be repeated.
Be unambiguous and
Be oblique or circumspect.
Communicating clear.
“I think you might want to
specific “The level in naphtha tank
check the level on naphtha
warnings November Tango four two
tank November Tango four
has exceeded the high-level
two.”
alarm.”
Be unambiguous and
Be oblique or circumspect. clear.
Communicating “I think there may be a “There is a major fire at
an emergency problem with naphtha tank naphtha tank November
November Tango four two.” Tango four two. This is a
major incident.”
Auditory (echoic) memory is the ability to take in information that is

presented verbally, process it, retain it in one’s mind, and then recall it.
19.5 Avoiding communication overload
Unlike written information or displays, it is not possible to rescan or “reread”

auditory communications such as a radio message, unless the person receiving
the message asks for it to be repeated. Short-term memory is commonly limited
to between five and nine items of information.
Common tactics are:
• To limit the requirement for remote or verbal communication for safety

critical tasks, such as by use of logs and shift handover forms.
• To “chunk” information. An everyday example is the “chunking” of
telephone numbers into three or more strings of three or four numbers
each.
• Speak at a moderate pace and with moderate volume.
• Repeat aloud what has been said, to help reinforce the memory of the
communication. This also allows the receiver to control the pace or the
speed at which the speaker says each chunk of information.
• Use familiar words, abbreviations, and
codes that require less mental effort to Use common plant
memorize. lexicon.
• Ensure the time allowed for communication

is enough for the recipient to make a record of each chunk of
information, before communicating the next chunk of information.
Some examples of communication protocols include:
• Having a word and/or time limit for each safety critical communication,
such as 15 words or 30 seconds.
• Requiring long messages to be chunked, with each chunk recorded or
logged before saying the next chunk.
19.5.1 Repeat-back procedures
When using repeat-back:
• The sender starts by saying the receiver’s name and then states
their message.
• The receiver repeats the message back.
• The sender confirms the accuracy of the repeat-back or repeats the
message if it is not accurate.
Repeat-back may be implemented as a formal procedure for safety critical

communications. Repeat-back helps store information in memory and creates an
opportunity for the sender of information to spot that they have not been heard
correctly, and to correct the communication error.
Asking someone to confirm they have heard and understood a message by

saying “yes” is not reliable. The receiver may not realize that they have misheard
the message.
The repeat-back procedure is illustrated in Figure 19-1. It can include protocols

on how to ask for something to be repeated if the receiver is unsure that they have
heard it correctly. For example, protocol may include:
• The sender and receiver must say “ACKNOWLEDGED” each time they
receive a message, to be sure that they have heard and recognized the
message.
• If the repeat-back is wrong, say “THAT IS WRONG”. If the repeat-back is
right, say “THAT IS CORRECT”.
• State “SAY AGAIN” if the message is not clear.
• Say “ALL”, “FROM”, “BEFORE”, to indicate what should be repeated.
• Say “CORRECTION” if something has been said incorrectly by the person
sending the message.
• Say “OVER” to indicate a message has ended.
Figure 19-1: Repeating back

19.6 Human Factors in shift handover
Shift handover involves:
• The preparation of information by outgoing personnel.

• The exchange of information between outgoing and incoming
personnel.
• The cross-checking of information.
The goal is to ensure continuity of safe and effective working across shifts.
19.6.1 Error-likely handovers
The communication of information at shift handover can be an error-prone task.

While shift handover can be higher risk for complex continuous process
operations, communication failure can pose a serious risk even for simple
operations. Shift handover can be a high frequency activity, creating many
opportunities for error.
Poor shift handover was a factor in the Texas City refinery explosion [14]
summarized in B.1 (page 383). Another example is given in Table 19-2.
Table 19-2: Shift handover contributed to a massive explosion

Buncefield explosion, 2005 (United Kingdom)
A fuel storage facility had three

incoming pipelines. Two of these
were controlled by other sites, and
the site Supervisory Control and
Data Acquisition System (SCADA)
did not cover these pipelines.
Buncefield control room

personnel became confused about
which storage tank was being filled.
(Credit: Rick Martin)
The enquiry noted that supervisors
were confused about which of three
pipelines was filling the storage tank. It said, “This confusion arose because of
deficiencies in the shift handover procedures and the overlapping screens on
the ATG system.” (p17)
Handover time between shifts was unpaid. Staff tried to allow 15 minutes
for handover. This was thought to be too short.
Handover documentation only recorded information about the pipeline the

site controlled. Information on the two pipelines controlled by other sites was
recorded informally. The handover information only recorded the situation at
the end of the shift and did not record events occurring during the shift.
The tank level gauge was stuck, and an independent high-level switch was
inoperative. The tank was being filled by manual control and being monitored
by operators. It overfilled, ignited, and the vapor cloud exploded. The fire spread
to 20 fuel storage tanks.
The level gauge had failed before. It was usually unstuck by raising and
lowering it. Sometimes the sticking of the level gauge was logged by supervisors,
and at other times it was not. There were 14 previous occasions when the gauge
had stuck that had not been logged [38].
The conditions that may create the potential for shift handover error are noted
in Table 19-3. A formalized shift handover process should be developed if one or
more of these risk factors exist during the process.
Table 19-3: Shift handover risk factors

Shift handover risk factors
1. 24/7 process or operation
2. Complex process or operation
3. Activities, such as maintenance or start-up, that continue into the next
shift
4. Isolations, overrides, and temporary works that continue into the next
shift
5. A history of equipment faults and process upsets
6. High workload (potential to forget key events and plant status), long shifts,
or fatigue
7. Many teams working on one process
8. One or more team(s) has less experienced persons
9. Long shifts (potential to forget key events and plant status)
10. People feel inhibited to ask questions during the hand-over, such as out of
fear that they would be perceived to be incompetent or because they fear
adverse reactions from colleagues.
11. Team members have been absent from work
19.6.2 Potential causes of handover error
The main type of error that can occur during shift handover is the omission of
information, such as:
• An informal handover process relying

on improvised notes can create the Incomplete or inaccurate
potential to omit critical information. handover can cause the
Recording may also be unclear. oncoming shift team to
• Failure to communicate the state of lack awareness of
the process. For example, equipment process state and
faults, product levels within vessels, equipment condition,
or the point being reached within a creating conditions for
long start-up process. them to make mistakes.
• Failure to communicate the status of
isolations, permitted work, temporary workarounds, or overrides.
• Failure to communicate abnormal events in the previous shift that may
impact operations in the next shift.
• Failure to communicate maintenance or contractor activities in the area.
• Unnecessary information obscuring other more important information.
• Unreliable methods of recording, such as poor handwriting.
19.6.3 Good Human Factors of shift handover
It is common practice to use formalized logs and shift handover forms, either
paper-based or electronic. The specific fields will be process specific. The
elements of an effective handover are summarized in Table 19-4.
In addition to a formal handover process, people should be trained in:
• The importance of accurate handover.

• Two-way communication skills.
• An open and engaging culture.
The handover process should include information such as the reasons for
temporary bypasses, process state, and equipment faults. Good handover can also
include a checklist, especially those that highlight how the operating state of the
plant has changed. Failure to include relevant information in a clear and open way
will result in a poor shift handover. Other failings that result in poor shift
handovers can include not providing enough time on return to work situations or
poorly selected areas away from process (e.g., in the control room creating
distractions and providing on verbal cues alone).
Good handover process should include handover between supervisors and

between managers. An on-site formal or informal walk-through, is useful in
handovers. In addition to communication of process state, supervisors and
managers should communicate their view of any issues that the next shift will need
to handle and, in particular, whether these issues limit what the next shift should
attempt to achieve. For example, if the plant is part way through a long start-up
procedure, do they think the plant state at the point of hand over means that start-
up can or cannot be completed in the next shift. Key operational goals and
requirements should be stated and reviewed to ensure a common understanding,
along with the next steps in the procedure.
The United Kingdom’s guide “Managing shiftwork: Health and safety guidance”
[82] is recommended further reading.
Table 19-4: Elements of effective handover
Formalized Competent persons

There should be checklists and The people responsible for giving
prompts for all safety critical and receiving handover should be
information. suitable, qualified, and experienced.
Plant status is very visible Handover time

Status boards, temporary defects A sufficient period of overlap
boards, permits, isolations, between shifts is necessary to allow
overrides etc., should be very for communicating, cross-checking,
visible. and verifying understanding.
Repeat-back
Visibility of critical information Critical information should be
Priority information should be easy communicated verbally as well as in
to see and highlighted. writing and must be repeated back
by the oncoming shift leader.
Face-to-face
Formalized language
A social environment should be
Formal words should be used such
created that supports two-way
as ISOLATED and trip OVERRIDE.
communication and cross-checking.
• Safety critical communication activities should be identified.

• Miscommunication can happen in many ways.
• A formal communications process should be used, especially for higher
risk situations.
• Shift handover can be a high-risk activity.
• Good Human Factors should be integrated into the shift handover and
other safety critical communications.
Performance CCPS.
Part 6: Non-technical skills

Performance CCPS.
20 Situation awareness and agile thinking
This Chapter provides an overview of two non-technical skills – “Situation

awareness” and “Agile thinking” – and their roles in effective performance and
error prevention. By the end of this chapter, the reader should be able to:
• Understand what non-technical skills terms “Situation awareness” and

“Agile thinking” mean.
• Recognize how non-technical skills can enhance human performance
and contribute to safe operations.
Situation awareness refers to an individual’s perception and understanding

of their task environment (“what is happening now”). It is about using this
information to assess or predict what may happen in the future. It is also about
initiating an appropriate course of action if, for example, the situation is
perceived as a threat to health and safety.
Agile thinking refers to an individual’s ability to adapt to situations, and to

initiate an alternative course of action when necessary.
20.2 What are situation awareness and agile thinking?
The three stages of situation awareness are “gathering information”,

“understanding the situation”, and “anticipating events”. These stages can also be
termed “Perception, Comprehension, and Projection” of evolving events, as
shown in Figure 20-1. Stage 2: ‘Understanding the situation is especially important
as it includes assessment of the level of urgency, e.g., the situation is quickly
evolving and may lead to a process safety incident.
Agile thinking follows awareness that the situation has changed or when
someone recognizes new aspects of a situation. It includes changing one’s
understanding of what is happening and changing one’s plans and decisions. It can
also include recognition that a plan of action is not having its intended effect and
that an alternative plan of action is required.
Figure 20-1: Stages of situation awareness
Situation awareness
Stage 2:
Stage 1: Stage 3:
Understanding the
Information gathering Anticipating events
situation
Perception of the process Comprehension of: Projection of future

conditions, including events:
readings of: • Which parameter is
most important • Anticipation of the
• Temperature • Nature of the consequences that
• Pressure system or reaction impact the process
• Concentration • Effect of changes on performance,
subject to the
• Flow rates the process
operator’s action
• The previous and
next sections of the
process
20. Situation awareness and agile thinking 251
A practical example of these three stages follows, adapted from [58]:
Offshore oil drilling example: predicting the well

Perception
In offshore oil and gas explorations, especially when working in new locations,
drilling teams constantly monitor temperature, pressure, and drilling depth
during drilling operations to anticipate future conditions.
Comprehension
When drilling in oil and gas reservoirs, workers may experience higher
pressure than expected. The solution to their current mud weight calculation
may be related to the source of pressure. If they understand the pressure
source, they may be able to come up with a solution to manage the high
pressure.
Projection
Workers should also look ahead and predict what may happen. For example, if
they are experiencing high pressure at 6,600 feet (2,000 meters) down, then
what could happen when they get to 8,200 feet (2,500 meters)?
The team should make a decision: should they persist with the original plan or
do they need a new plan?
In the context of operations, situation

Situation awareness awareness refers to individuals’ awareness of the
underpins operational plant conditions that allows them to make
decision-making effective decisions and to take appropriate
actions. It is important to continuously monitor
the environment to detect changes, and to ensure
that the understanding of the situation remains accurate. For example, an
operator would proactively monitor a stable process for potential deviations; and
respond to any disturbances to the process before they escalate into unplanned
exceedance of safe operating limits. The operator would be aware of changes in
the environment (e.g., an emergency situation)
and take appropriate actions (usually with help
Team situation
from others) to return the process to normal
awareness is when
operating conditions.
everyone has a common
If the actions were not effective, the operator understanding of events
or the team would then review the situation and and intended actions
take an alternative course of action. That is, they
would be using agile thinking. The agile thinking
here is about the operators being willing to adjust their course of action.
For any team to work effectively they must have “shared situation awareness”
– that is, a common understanding of the event.
Shared situation awareness is important where the task is large and complex,
and where it contains many sub-tasks split between individual team members. An
example of this would be a complex industrial process, where teams of operators
are needed to complete procedures such as start-ups. Process plants, such as
refineries, are also often spread over large areas. Team members and processes
may be physically separate from one another.
20.3 Accidents from poor situation awareness and rigid thinking
20.3.1 Bayer Crop Science plant explosion, 2008
Poor situation awareness played a role in the Bayer Crop Science plant explosion,
2008 [83], as summarized in B.2
The newly installed operating systems played a key role in the Bayer Crop
Science plant accident. The new control systems significantly changed the interface
used by the board operator. This directly affected the operator’s situation
awareness. The new system presented many challenges due to the following:
• Operators had to familiarize themselves with the system and unit

measurements, which differed from the previous system.
• The control command method had changed from use of keyboard to
use of mouse.
• The new workstation had five display screens available to monitor the
processes and one display screen dedicated to process alarms. This
required the operators to move between screens and/or to monitor
several screens in order to complete a task.
The complexity of the system design coupled with human cognitive limitations
(limitations in perceiving and remembering a large amount of information
simultaneously) led to an incorrect assessment of the situation.
Loss of situation awareness can occur in routine operational and maintenance

tasks as well as during emergencies. The accident example in Section 20.3.1 shows
that situation awareness was severely impaired due to overreliance on control
systems. The accident highlights the impact of failed situation awareness, due to
the following factors:
• A lack of a good “mental model” – understanding of the process and

what was happening. This is a common pitfall associated with new
automation systems. Operators were not provided with the appropriate
level of training and practice for the distributed control system, in order
to access the data to create their mental model.
• An incorrect mental model led to incorrect diagnosis and understanding
of the situation.
• An overreliance on general expectations about how the system

functions, in the absence of real-time data.
• Several pieces of information may not have been registered by the
operator due to cognitive capacity limitations (e.g., limits to working
memory).
20.4 Causes of poor situation awareness and rigid thinking
20.4.1 Factors influencing situation awareness
Operators’ situation awareness is influenced by several factors. These factors may

reduce operators’ cognitive capacity and impair their performance. They include:
• Experience and training.

• Time pressure and workload.
• Motivation, stress levels, and work fatigue.
• Coordination with team members, and dependence on others.
• Weather conditions (visibility), equipment, and process noise.
• Complexity of the process.
• Location or site of the plant.
• Abnormal situations.
Mica Endsley and Debra Jones in their book “SA Demons: The Enemies of
Situation Awareness” [84] identified eight causes responsible for failures in
situation awareness. Those were termed as demons of situation awareness and
include:
1. Attention tunneling - focus on certain type of information and excluding

the rest.
2. Requisite Memory Trap – reliance on memory information, despite
human memory limitations.
3. Stress, anxiety, fatigue and other stressors – stress and fatigue impair
working memory.
4. Data overload- more data is available than the human cognition can
process.
5. Misplaced salience –the way information is presented (e.g., bright colors
and flashing lights) overwhelm and misdirect operators' attention.
6. Complexity creep - the more complex the system the more difficult it is
for operators to develop accurate comprehension of the situation.
7. Errant mental models – incorrect mental model may lead to inaccurate
interpretation of data.
8. Out-of-the -loop syndrome – highly automated systems may result in
operator shaving low awareness of the systems.
20.4.2 Cognitive biases and cognitive capacity
Human perception and memory possess limitations. A strong

focus on one part of the situation, or element of the See Chapters 4
environment, can lead to other sources of information being and 5 for more
neglected or missed. Individuals’ situation awareness and agile information on
thinking are often influenced by cognitive biases and cognitive
biases.
limitations to cognitive capacity. Examples of cognitive biases
and their consequences are shown in Table 20-1.
Table 20-1: Cognitive biases

Cognitive bias Definition of cognitive Consequences/impact
bias
Individual’s attention is
overly focused on one
• Disregarding the “bigger
or more elements of the
Tunnel vision picture” and overlooking
situation, rather than
the future impact or
evaluating the situation
scenario.
as a whole.
Individual’s attention is
focused on and biased • Failure to review a
to information that decision that has
confirms the current already been made, in
Confirmation bias interpretation of the light of new information,
event, neglecting because the new
information that does information does not fit
not fit in. People “see the initial perception.
what they want to see.” • Incorrect action taken.
Tendency to recall
solutions from • Causes are not
Similarity bias situations that appear investigated.
similar to past • Incorrect decision and
experience. action may be taken.
Group-think The focus is on reaching • Individuals may feel

consensus rather than pressured to agree with
on making a “good” others rather than voice
decision. their own views.
• Important information
may be omitted.
Cognitive bias Definition of Consequences/impact

cognitive bias
Rely on immediate
examples that come • May remember most recent
Availability to a person’s mind, cause or most vivid memory
heuristic such as when trying of a similar event rather
to remember than recalling less recent
something. examples.
When making a
judgement of the
likelihood of an
Representativeness
event, their • Assume a process upset is
heuristic
judgement is based caused by a similar reason.
on its similarity with
a common reason.
Continue investing
resources (time and
effort) into a course
of action that is • Missing vital clues from the
failing, as environment.
individuals believe • Important information may
Escalation of that with just a little be discounted and resources
commitment more time, they can misdirected.
figure out the • Incorrect/inappropriate
problem. They do decision and actions.
not wish to be seen • Losing track of time during
as inconsistent or to time critical actions.
waste previous
effort.
The cognitive biases noted in Table 20-1 are used subconsciously by individuals
to:
• Help them make decisions and act quickly in complex environments.

• Prevent cognitive overload – situations where an operator is provided
with too much information at once, is unable to process the information,
and cannot therefore understand the situation.
These cognitive biases can also lead to inadvertent errors. For example, the
“Escalation of commitment” bias can cause people to continue with a plan of action
despite information indicating it is ineffective or wrong. This is the opposite of agile
thinking.
20.4.3 Error-likely situations
Operators in the process industry work in a complex and dynamic environment

that includes error-prone situations. High workload, stress, and extensive task and
time focus can impair their cognition. For example, stress and fatigue can reduce
an individual’s ability to process information, which leads to an inaccurate view of
a situation.
The complexity of operators’ jobs is tiring because they have to:
• Handle and assess real-time data, process parameters, and alarms all at
the same time – individual situation awareness.
• Co-ordinate between field and control-room operators – which requires
shared situation awareness.
The decisions and actions operators take are of great importance as they can
either ensure smooth operations on the plant or lead to process upset and even
accidents.
• Situation awareness and agile thinking can enhance performance and

contribute to safe operations.
• Situation awareness has three stages:
o Information gathering.
o Comprehension.
o Anticipation of future events.
• Factors that affect situation awareness include stress, fatigue, expertize,

workload leading to cognitive overload or underload, distractions, and
abnormal situations.
Performance CCPS.
21 Fostering situation awareness and agile thinking
• Recognize how situation awareness and agile thinking can be further

developed by training.
• Understand the importance of practical training and experience in
maintaining situation awareness.
The role of non-technical skills training is to increase trainees’ awareness,

knowledge of situation awareness and agile thinking, as well as to practice using
these skills. Classroom-based training can only raise awareness of these skills. In
order to develop these skills fully, practical training is needed. This could include
simulation training or emergency response training.
Chapter 9 on equipment design covers how the provision of information can

also support situation awareness.
21.2 Training in situation awareness skills
21.2.1 Overview
Training in situation awareness and agile thinking can form part of wider non-
technical skills training. This is sometimes known as Crew Resource Management.
Crew Resource Management helps a crew to work together and perform well.
Training guidance available to process industry roles is included in The
International Association for Oil and Gas Producers (IOGP) Report No. 502
“Guidance for Implementing Well Operations Crew Resource Management
Training.” [85]
Training in situation awareness highlights the importance of situation

awareness in maintaining safe operations. This includes information on how the
brain processes and stores information, and factors affecting situation awareness.
Training objectives are focused on how to:
• Increase individuals’ knowledge of situation awareness. For example, by

explaining signs and causes of failed situation awareness.
• Develop situation awareness skills relevant to the process industry and
specific job environments. For example, how to gather and interpret
information, how to foresee future implications of current events, and
how to recognize a mismatch between personal situation awareness and
situation awareness of others, and act accordingly.
The content of the training would include topics such as task management,
recognition of critical cues, development of comprehension, projection, planning,
information seeking, and self-checking activities [86].
21.2.2 Use of behavioral markers
Behavioral markers are used across many industries to describe the expected non-
technical behavior. Behavioral markers are descriptions of expected behavior that
can be used to measure how well an individual demonstrates that behavior in their
work. Behavioral markers should be industry and job role specific, as task
requirements for situation awareness vary. For example, control room operators
should maintain awareness of control panels and alarms, while engineers may
focus on process operations. Behavioral markers can be used to:
• Support the development of non-technical skills and enhance operators’

training, including training in emergency response and crisis
management.
• Make judgments and assess the extent to which an individual possesses
the relevant non-technical skills.
• Engage the workforce and ensure that operators effectively use a range
of non-technical skills.
• Learn from accidents by identifying non-technical skills contributing
factors.
Behavioral markers contain a detailed description of the relevant non-technical

skills, for example, situation awareness. They provide a breakdown of the
elements relevant to the non-technical skills, and examples of positive and poor
behaviors for each element. An example is shown in Figure 21-1. Another
example of behavioral markers from the process industry is shown in the
Appendix F
Situation Awareness: Developing and maintaining a dynamic awareness of the

situation and of the risks present during an operation. This is based on
gathering information from multiple sources from the task environment,
understanding what the information means, and using it to think ahead about
what may happen next.
21. Fostering situation awareness and agile thinking 259
Figure 21-1: Behavioral Markers for “Actively seeks relevant information”
Regularly checks key sources of information including

alarms and other prompts
Makes use of all available information sources – e.g.,

instruments and colleagues – to check status of the
operation or assumptions about the operation
Shows concern and takes action if important information

is not available when it is needed
Asks for regular updates from colleagues who may have

relevant information
Is proactive in addressing missing relevant information
21.2.3 Training Techniques and Assessment
Situation awareness training methods include:
• Information-based methods in a classroom See Chapters 13 and

setting. The training could include an 14 for more
information on
interactive deck of slides, case studies, and
training and
group activities. The case studies would aim to
assessment.
engage trainees’ cognitive processes and
deepen their understanding of situation awareness.
• Practice-based methods using simulations, where specific cues and
events can be manipulated, along with workload and distracting
conditions. The simulation scenario can be stopped at any time to assess
trainees’ situation awareness, followed by review and coaching.
The IOGP Report No 502 [85] recommends refresher training at least every
three years. Employers may, however, consider more frequent refresher training.
As with technical competences, non-technical skills should also be assessed.

Non-technical skills are assessed through observable behavior, which is mapped
against the behavioral markers. The assessment record would include evidence of
examples of positive and/or poor behavior, along with their frequency of
occurrence, demonstrated by a number of check marks. An example of non-
technical skills assessment is shown in Table 21-1.
Table 21-1: Situation awareness – Assessment record
21.3 Practical situation awareness tools and tactics
Given the importance of situation awareness in many safety critical tasks, advice
can be offered on how to minimize the risks of reduced situation awareness.
Human performance tools are useful and can be used to reduce human error and
lead to various positive outcomes, such as:
• Heightened sense of situation awareness concerning safety, presence of

error precursors and error traps, tasks to be performed, conditions, and
surroundings.
• More accurate estimates of risk level of activities.
• Higher level of self-awareness, including biases, vulnerabilities,
deficiencies, and limitations.
• The most commonly used human performance tools are shown in Table
21-2.
These tools can also help foster agile thinking. For example, the Dynamic Risk
Assessment includes reviewing the effect of actions and adapting these.
Table 21-2: Human performance tools – examples
Human
performance tool Description Usage
(HPT)
STOP and seek This technique promotes awareness of workers’ knowledge limitations as applied to Especially when
STOP when unsure dealing with specific work situations, deviations, or uncertainties. workers operate in
PAUSE when unsure knowledge-based
Workers will seek help, usually from supervisors and/or co-workers, to continue work
modes.
and to deal with these uncertainties and/or lack of knowledge.
Pre-task briefings often follow the S-A-F-E-R pattern:
• Summarize the critical steps. When complications

• Anticipate errors and error precursors for each critical step. have occurred, after
completing a non-
• Foresee probable and worst-case consequences should errors occur at critical
routine or important
Pre-task and post- steps.
work activity, or
task briefings • Evaluate controls and contingencies at each step to prevent, catch and recover after each high-risk
from errors, and/or to reduce their consequences. phase of an
• Review previous experience and lessons learned, relevant to specific tasks and important project.
their critical steps.
HPT for teams.
Post-task briefings – staff should review job environments, identify program gaps, and
discuss corrective actions.
Human
(HPT)
Identify critical steps – any actions that will trigger immediate, intolerable, and Important in safety
Identify critical steps irreversible harm. Once critical steps are identified, workers can anticipate errors that critical tasks (high-
can occur at each critical step, estimate their consequences, then evaluate the risk).
existence of controls, contingencies, and stop work criteria.
Used in safety
A workplace risk assessment carried out by supervisors at the point of work, prior to critical, high-risk,
Point of Work Risk the start of an activity. It is used to identify those things, situations, processes, and complex tasks
Assessment (POWRA) activities that may cause harm to people. One completed POWRA form can apply to needing multiple
the whole team. checks.
The practice of mentally observing, assessing, and analyzing an environment while at

work, to identify and remove risk.
Dynamic risk assessment refers to a continuous assessment of risks arising from When operating in
potential hazards, in the ongoing and changing circumstances of work activities. The skill-based and rule-
Dynamic Risk process allows individuals to identify a hazard on the spot, and to make quick based performance
Assessment decisions about their own safety. It consists of the following steps: modes.
Step 1: Identify hazards – anything that may cause harm. Particularly effective
Step 2: Decide who may be harmed and how. for repetitive tasks.
Step 3: Assess the risks and take action.
Step 4: Make a record of the findings.
Step 5: Review the risk assessment.
Human
(HPT)
Stop-Think-Act-Review (STAR) assessment is often part of a Dynamic Risk
assessment. Following is a description of the S-T-A-R steps:
Stop
STOP
• Look for hazards
• Review hazards
• Has the situation changed?
Think
When operating in
Dynamic Risk
• Evaluate the situation skill-based and rule-
• Evaluate options based performance
Assessment
modes.
Particularly effective
Act
Act for repetitive tasks.
now • Apply safety measures
• Recommence the work
Review
• Complete an after Action Review

• Reassess the system of work
• Record lessons learned for sharing
Human
(HPT)
• Stop (or slow down) – pause to focus attention on the immediate task.
• Think – think methodically and identify the correct actions to perform. Consult
Dynamic Risk with others if further information is required. Understand what will happen
Assessment (cont’d) when a correct or incorrect action is performed.
• Act – perform the action.
Review – confirm anticipated result has occurred or apply contingency if required.
Shadow Boards provide effective workplace organization and control by enabling

prompt recognition that tools and equipment are missing.
In time constrained
tasks.
Shadow Boards Use in safety critical
tasks – frequent
tasks.
21.4 Recognizing loss of situation awareness
It is important to recognize:
• Why situation awareness fails.

• How to spot impaired situation awareness or a lack of situation
awareness in oneself and/or others.
The main causes of situation awareness failures at different levels (L) are shown
in Figure 21-2.
Figure 21-2: Causes of failed Situation Awareness
L1: Perception L2: Comprehension L3: Projection
• No data • Poor mental • No attempt to

available model anticipate
• Difficult to • Use of incorrect future state
detect or mental model • Incorrect
perceived data • Memory failure assumptions
• Failure to scan about how the
or observe data situation will
develop
An example of failed situation awareness is provided next.
When cutting a hole in a tank; the worker did not continuously monitor the
oxygen content in the tank. The oxygen in the tank was consumed by the heat from
the cutting operation and the worker passed out. The worker should have been
aware that oxygen could drop and should have had a ventilation fan providing
fresh air or monitoring CO/CO2.
Spotting signs of decreased situation awareness in oneself and/or others can

help to prevent the complete loss of situation awareness. Table 21-3 provides
some examples. These are “clues” of observable behavior which indicate possible
loss of situation awareness, and tips on what to do or say to minimize the impact
of this potential loss. These can be included in situation awareness training and
on-the-job coaching.
Table 21-3: Clues for recognizing impaired Situation Awareness

Impaired situation Communication tips to resolve the loss of
awareness situation awareness
Ask probing questions, such as:
Ambiguity –
• Why do you think these two pieces of
information from two
information are different?
or more sources does
not agree.
• How can we reconcile the differences?
• What can cause the different readings?
Use gentle “nudges” or questions, such as:
Fixation (tunnel vision)
• Have you thought about the bigger picture?
– focusing on one
thing and excluding
• What may be the impact of this failure on the
plant?
everything else.
• Which other factors may have caused this?
Confusion – Use gentle “nudges” or questions, such as:
uncertainty or • Which aspect are you not sure about?
bafflement about a • Can you explain to me what is happening?
situation. • Why do you think this is happening?
Use of leading questions, such as:
• Have you considered checking pressure
levels/valve B?
Lack of required • Who is the right person to ask about the
information. situation?
• Who would you normally ask for assistance?
• Would anyone else have access to this
information?
Ask a series of questions to identify shared situation
Failure to: awareness, such as:
• Maintain the task. • How is the task progressing?
• Meet expected • Why is it not progressing the way it should?
targets or check
• Is there anything I could help you with?
points.
• Who else is working with you on this task?
• Resolve
discrepancies. • What are your colleagues or teammates views on
these discrepancies?
21.5 Fostering agile decision-making
Agile decision-making is a process that is collaborative, iterative (can be

repeated), and transparent.
All stakeholders are updated on assigned tasks at regular intervals, they

give feedback, and the team knows what needs to be improved and why.
The next few sections outline decision-making and agile thinking traps and provide
techniques on how to avoid these. These techniques aim to help people to
recognize and consider alternatives actions, to review these alternatives, and to be
open to changing plans and decisions.
These techniques are usually developed through non-technical skills training

and coaching. They can be supported by formulating and using guidelines on, for
example, how to manage a meeting, evaluate options and make decisions.
21.5.1 Avoiding group-think in dynamic operations
Group-think is where people focus on reaching consensus, instead of

challenging opinions and considering alternative decisions. [126]
Group-think can lead to poor decision-making. The group may ignore information
that contradicts their understanding. Individuals may self-censor. For example, if
they think a mistake is being made, they may keep this view to themselves.
It is important to stimulate free and open discussion especially if the group is

made up of individuals of different authority and status.
Table 21-4 provides symptoms of observable behavior demonstrating group-

think. Group Think can be very common in risk assessments and understanding
what is happening in a process upset or incident, where individual(s) have strong
preferences toward the likelihood of certain scenarios. With limited data or
information to support otherwise, it can be very easy to succumb to the peer
pressure of the group and agree with the consensus view. This highlights the
importance of having good information and decision-making methods that
remove subjectivity of the group and skewed opinions.
By understanding group-think and recognizing the symptoms (Table 21-4),

group-think can be avoided or mitigated.
Individuals can be trained and coached on how to avoid the “group-think”

phenomenon during decision-making. Chapter 16 discusses tactics to avoid group-
think within task planning. Some techniques to avoid group-think in operational
decision-making, include:
• Increase awareness – increase individuals’ awareness of group-think,

what it is, and why and how it occurs.
• Bring in subject matter experts – when the topic is of high importance,
subject matter experts can help with understanding issues, such as
alternative options, and consequences.
• Independent group member – individuals outside of the working group
can provide a fresh perspective on the topic and also act as a “cold eye”
by challenging the group members’ views.
• Psychological safety – environment in which people feel safe to speak
up and share ideas, even if these ideas are against the norms or
consensus.
• Engage in open discussion – create a culture when individuals are
encouraged to critically analyze a situation and provide feedback.
• Document the decision made – once a decision had been made, a
team member should document:
o The current situation and associated problems.

o All possible solutions. All issues relating to each solution.
o The recommended solution and its rationale.
o A high-level implementation plan: when, who, how.
Table 21-4: Group-think – behaviors (symptoms)

Group-think Definition
symptoms
Illusions of Lead members of the group are overly confident
invulnerability and engage in risk-taking behaviors.
Lead members of the group ignore possible moral
problems and ignore the consequences of
Unquestioned belief in
individual and group actions.
the inherent morality
Members believe in the “rightness” of their causes,
(“goodness”) of the
such as an imperative to start up a process for the
group
sake of the company despite being aware of illegal
emissions.
Rationalizing and Shared beliefs/justification that prevent members
collective from reconsidering their beliefs. Justifications that
rationalizations cause people to ignore warning signs.
Individuals who think differently to the group are
Out-group stereotyping stereotyped as “trouble makers” or “difficult to
work with”.
People who are unsure hide their fears or
Self-censorship misgivings, by using neutral or politically correct
language to hide their disagreement.
One or more group members act as self-appointed
"Mind-guards" censors or “mind-guards” to hide disputable
information from the group.
Belief that everyone is in agreement and feels the
Illusions of unanimity same way. Silence is often interpreted as
agreement.
Lead members of the group often place pressure
Direct pressure to on members who pose questions. Those who
conform question the group are seen as disloyal or
traitorous.
21.5.2 Avoiding confirmatory bias and fixation
As with group-think, “confirmation bias” prevents individuals from evaluating

situations objectively. It can also influence the decisions individuals and groups
make; and can lead to poor or faulty choices.
If individuals are aware of confirmation bias and accept its existence, they are
then able to consciously avoid the biases. Confirmation bias affects people in four
primary areas of cognition. Table 21-5 provides examples of behaviors associated
with confirmation bias.
Table 21-5: Confirmation bias – observable behavior

Observable bias Definition
People search for information that confirms their pre-
Biased search for
existing beliefs and ignore information that contradicts
information
them.
People give more weight to information that supports
Biased favoring of
their beliefs, and less weight to information that
information
contradicts them.
Biased People interpret information in a way that confirms their
interpretation of beliefs, even if the information could be interpreted in a
information way that contradicts them.
People tend to remember information that supports
their beliefs and forget information that contradicts
Biased recall of
them. They may also incorrectly remember
information
contradictory information as having supported their
beliefs.
Confirmation bias should be covered in training and coaching. Examples

include:
• Avoid forming a hypothesis too early. Encourage people to process as

much information as possible before forming an initial hypothesis.
• Seek information from various sources and compare the findings.
• Think about various reasons why a hypothesis could be incorrect, or why
alternate hypotheses could be correct.
• Process new information consciously and unemotionally.
• Seek out and process information that disagrees with existing mental
models.
21.5.3 Avoiding escalation of commitment and rigid thinking
Some further tips on supporting agile thinking include:
• Developing awareness of the potential for escalation of commitment

and the risk of continuing with an ineffective plan of action.
• Highlighting the value of flexible, agile, thinking and the importance of
changing one’s opinion when new information is received or when the
situation changes.
• Having a clear and shared understanding of the ultimate goal. This can
encourage people to recognize that existing actions are ineffective and a
new plan of action is required.
• Encouraging an attitude that it is acceptable to change one’s opinion and
decisions if new information is received or when the situation changes.
• Encouraging group debate to change plans. The expression of options

for new plans of actions can increase the perception within a team of the
acceptability of changing decisions.
Some people are uncomfortable with changing their opinions, especially if they
feel they will be criticized for their initial opinion or decision being “wrong”. A
culture of trust and shared purpose is important. People need to feel that they can
change their opinions without fear. A common commitment to a shared purpose
can help people prioritize effective decision making over the avoidance of
individual fear about changing opinions and plans.
• Both classroom and simulation training are required to develop

knowledge and application of situation awareness and agile thinking.
• Behavioral markers are effective tools to enhance training and
assessment of situation awareness and agile thinking.
• Spotting signs of decreased/impaired situation awareness in oneself and
others can prevent complete loss of situation awareness, thereby
preventing occurrence of error and incidents.
• Situation awareness and agile thinking can be enhanced with human
performance tools such as:
o 20 second scan;
o STOP and seek, STOP when unsure; and PAUSE when unsure;
o Pre-tasks and Post-tasks briefing;
o Point of Work Risk Assessment (POWRA);
o Dynamic Risk Assessment;
o Stop-Think-Act-Review assessment;
o Verbalize – Point – Touch;
o Shadow Boards.
• Group-think and other cognitive bias are common biases and should be
avoided. This is because they can contribute to poor decision-making
and may lead to severe consequences.
• Coaching, training and behavioral markers should also promote the
importance of changing opinions and decisions when new information is
received, if a plan of action is ineffective or when the situation changes.
Performance CCPS.
22 Human Factors in emergencies
This Chapter provides an overview of the Human Factors of emergency response.

• Understand how Human Factors affect performance and management

of emergency situations.
• Recognize the importance on non-technical skills in emergency
response.
22.2 An example accident
22.2.1 Milford Haven refinery explosion, Wales, 1994
On July 24th, 1994, a large explosion occurred at Texaco Refinery, Milford Haven in
Wales, which caused injury to 26 people [87]. The blast from the explosion
damaged properties in a 10 mile (16 kilometer) radius and was heard 40 miles (64
kilometers) away. The site suffered severe damage to the process plant, the
building, and storage tanks. A summary of the event is given in B.4 (page 389).
During the sever electrical storm that proceeded the explosion, operators and
operations management failed to identify the underlying causes of the problem or
to recognize that they had the potential to lead to hazardous consequences,
despite these data being available to them. They continued to operate in a
disturbed environment for five hours prior to the explosion. All the information,
including alarms, was available to the operators via six distributed control systems
(DCS) screens, which were used to control the process and to diagnose faults.
Many alarms, in the plant were sounding simultaneously, all with the same -
high priority. In the 15 minutes before the explosion, operators were receiving
alarms at a rate of one every two seconds. Thirty minutes before the accident, a
critical alarm went off. Had the operators recognized the criticality of the final
alarm and taken appropriate action, the explosion may not have happened.
The accident was caused by a combination of factors, including:
• A control valve shut when the control system indicated it was open.
• A modification that was carried out without proper assessment of
consequences.
• Control panel graphics that did not provide the necessary process
overview.
• Attempts to keep the unit running when it was supposed to be shut
down.
• Inadequate emergency management.
During the process upset, the actions taken by operators were reactive. There was
no assessment or management of the situation. People at senior level took on
operating roles during the upset. That is, they helped out, rather than taking an
overview of the complete process/overall perspective of the situation. Decisions
were made at an individual level with no coordination among team members.
A key issue identified by the official report into this accident was the
importance of emergency management training. One of the report
recommendations stated that training should include:
• Assessment of operator knowledge and competence for actual

operational roles under emergency response conditions.
• Guidance on when to initiate controlled or emergency shut-downs.
• Guidance on how to manage unplanned events, including working
effectively under the stress of an incident.
Emergency response places demands on human cognition, as it requires

engagement of all senses, retrieval of information from the memory, and decision-
making. Emergency management requires execution of several steps, as shown in
Figure 22-1.
Error management begins with recognizing and understanding the situation

(identify errors) and associated conditions. This includes the time available to deal
with the situation and the severity of the potential risk. The two possible outcomes
are:
1. The problem is fully understood.

In this case, the focus can be turned to evaluating available options to
manage the issue, choosing appropriate actions, and reviewing the
outcome/output of these actions.
2. The problem is not fully understood.
In this case, it is necessary to gather more information from relevant
sources to form a more accurate picture of the situation.
It is also important to put the process unit into a safe state or shut it down, in
high risk situation, and then aim to understand the problem.
22. Human Factors in emergencies 279
Figure 22-1: Error recognition and management process
Error Recognition
What is the problem?
How much time is available?
How risky is the situation (present and future)?
Time Limited Time Available

High Risk Risk Variable
Put the process Problem

into a safe state: Understanding
shut down
YES NO
Evaluate Gather more

options Information
Execute
actions
Review
(Adapted from [88]) outcomes
Emergency situations increase the likelihood of human errors. Figure 22-2

shows six main categories of errors [89]. These are errors of action, checking,
retrieval, transmission, diagnosis, and decision. Emergency scenario incidents
commonly present with multiple human errors.
Figure 22-2: Human Errors – categories
In the Milford Haven Refinery explosion, three human errors were evident:
• Diagnostic error – misinterpretation of an abnormal event – operators

were not able to recognize the severity of the situation or to correctly
interpret the alarms.
• Decision error – incorrect decisions were made by individual(s), and not
evaluated by a team.
• Action error – individuals continued operating in a highly hazardous
scenario for several hours.
Employees require relevant knowledge, procedural competence, and skills to

perform well in emergency situations. More
information on skills is noted in the SRK model. See Chapter 3 for more
information on Skills,
Other skills or abilities required to manage Rule and Knowledge -
emergency situations include: based (SRK)
performance model.
• Cognition – see Chapters 18 and 19 for
more information on cognitive heuristics.
• Effective use of non-technical skills.
Human factors contributing to error in emergency situations include:
• Stress • Poor communications

• Information overload channels
• Haste • Inadequate control
• Inadequate communications • Poor definition of
and/or instructions responsibilities
• Inadequate procedures • Inadequate training
• Difficult operational • Poor cooperation
interface
22.3 Supporting human performance in emergencies
22.3.1 An example of effective operator action
A refinery explosion occurred on the 21st June 2019 at the Philadelphia Energy
Solutions refinery (see Figure 22-3). The consequences could have been much
worse without prompt action by the control room operator.
At 04:00 am propane and some hydrofluoric acid escaped after an elbow joint
fractured in a hydrofluoric acid alkylation unit. The leaking vapor formed a ground
hugging vapor cloud around parts of the unit. Two minutes later the cloud ignited
causing a massive fire.
The control room operator quickly took steps to prevent the release of
additional hydrofluoric acid by rapidly draining the unit’s hydrofluoric acid to a
vessel designed to hold the acid in the event of an incident.
Hydrofluoric acid when released under pressure can form a toxic aerosol cloud
and travel for miles. This aerosol can immediately penetrate skin and cause
deaths. By draining the hydrofluoric acid, the operator greatly reduced the scale
of the accident. There were no serious injuries, due, in part to the operator’s quick
actions.
A preliminary video from the U.S. Chemical Safety Board had been issued at
the time of publication [90].
Figure 22-3: Refinery explosion, Philadelphia Energy Solutions
(Source: ww.CSB.gov [91])
22.3.2 Supported skilled response
In order to minimize the impact of emergency situations, it is important that

everyone involved in the situation knows exactly what to do and can execute their
tasks efficiently and effectively.
Even highly experienced and fully trained operators can experience skill fade.
This can occur due to lack of practice when carrying out low frequency emergency
response tasks.
Repeated exercises and drills promote the acquisition of skills (technical and
non-technical) through repetitive practice, until individuals have reached the stage
where their responses are “automatic”. This is
especially useful for emergency situations, as
Automatic responses are
they are rare and cannot be predicted and
being able to do tasks
people must make decisions in high stress
without having to think
situations. The individuals involved must be
about it.
able to react fast.
Effective drill exercises should:
• Be based on realistic scenarios, which should be based on scenarios

from the risk and hazards assessments (including low frequency ones).
• Be based on current or impending conditions; e.g., severe weather
scenarios before hurricane season.
• Include both technical and non-technical skills required during
emergencies.
• Identify who has the authority to invoke a procedure and who is
responsible for ensuring the steps are (properly) followed.
• Focus on individual and team skills.
• Evaluate performance after the drill.
• Be performed frequently (e.g., every three to six months), to avoid skill
fade and to enhance expertize.
Teams working in high hazard environments where situations are dynamic,

risky and uncertain, and they often involve multiple operators. Teams are
composed of skilled individuals who may not have worked together previously or
may be geographically removed. In addition, unfamiliar personnel could stem
from mutual aid among companies or local responders. Lack of cooperation may
lead to differing goals and perspectives on situations. Therefore, exercise drills
should take into account the lack of familiarity between individual team members,
and to focus on the development of team working skills.
22.3.3 Supporting a knowledgeable response
Individuals require the relevant technical knowledge to

See Chapters 10 to
understand what is happening in an emergency situation 14 for more
and to devise appropriate actions. For example, an individual information on
with an in-depth knowledge of process hazards will have a training.
better chance of understanding a rare process upset.
Training needs to ensure people have an understanding of the process,

potential events and key actions.
See Chapters 5
Job aids, such as decision trees, manuals, process flow to 8 for more
diagrams, and other process information, are designed to information on
enhance individuals’ performance by helping them to: job aids.
• Understand how equipment and systems work.

• Identify hazards.
• Diagnose process upset.
• Identify factors or elements and situations that can lead to adverse
events.
Employees should be encouraged to “challenge” the information from the

control system when it is inconsistent with other information. Awareness of
control systems, their reliability and potential faults should be emphasized to
prevent the following scenarios:
• Operators trusting the system’s reliability too much (actually responding

to incorrect information).
• Operators distrusting the system’s reliability too much (actually ignoring
correct information).
22.4 Non-technical skills for emergency response
Non-technical skills are social, cognitive, and personal skills that enhance the
way individuals carry out technical tasks and procedures. Examples of non-
technical skills include communication, decision-making, leadership, teamwork,
and situation awareness.
Non-technical skills are central to safe, effective, and efficient behaviors in

any work environment and across all job roles.
22.4.1 Recognizing and understanding events
Training in non-technical skills is crucial to effective management of emergency

situations, as non-technical skills enhance technical skills and contribute to safe
operations. This is especially so for complex and unfamiliar events because people
may need to improvise a response.
Poor non-technical skills can increase the likelihood of error, which can
increase the likelihood of an adverse event. Adverse events can take the form of
costly production failures without causing harm to anyone – for example, getting
a drill pipe stuck when exploring oil, or shutting down a manufacturing process by
mistake. They can also result in more severe consequences that lead to injuries
and fatalities.
The International Association of Oil and Gas Producers (IAOGP) [92] proposed
a basic Crew Resource Management (CRM) syllabus, with a focus on individual non-
technical skills. The proposed non-technical skills are transferable, and the
intention is that individuals can utilize them across a range of different teamwork
activities.
The IAOGP syllabus – Well Operations Crew Resource Management (WOCRM)

– consists of the following set of skills showed in Table 22-1. These non-technical
skills can support performance in emergencies, and potentially prevent errors.
Table 22-1: Non-technical skills and error prevention
Non-technical
Performance support and error prevention
skills
• Maintains awareness of what is happening in the

environment
• Helps understand the current situation
Situation Awareness
• Enables identification of deterioration in
cognitive skills and interpersonal skills
• Monitors process performance
• Recognizes faults, upsets, and anomalies in
emergency situations
• Recognizes situations where decisions are
needed
• Engages in decision-making process:
• Assesses the situation;
• Considers various options/alternatives;
Decision-making
• Selects and implement most appropriate option;
• Reviews the outcome.
• Recognizes where a different approach to
decision-making is needed
• Recognizes where decisions may be affected by
cognitive bias (group think)
• Manages recognition-primed decision-making
• Enables effective information sharing and
Communication process status verification
• Allows the process of searching for clues
• Performs effectively as a team

Teamwork
• Supports colleagues and verifies their work
• Delegates during emergency situations
Leadership
• Centralizes decision-making
• Monitors effectiveness of actions, and assesses
the outcome of actions
Performance • Strengthens personal resilience and
influencing factors performance under pressure
(e.g., stress and • Enables coping in unplanned situations and in
fatigue) time-pressured emergency scenarios
22.4.2 Recognizing and managing stress in emergencies
Stress can impair individuals’ cognitive processes, which affect individuals’

performance. To avoid this happening, individuals need to be able to recognize
stress in themselves and in others. They should also learn how to manage stress.
Cognitive stress indicators [58] likely to be present during emergency situations
are shown in Table 22-2.
Table 22-2: Stress indicators in emergency situations

Indicators Description
• Prone to distraction – unable to concentrate or to

retrieve relevant information
• Confirmation bias – focusing on information which
confirms initial assumptions
Impaired
memory
• Information overload – inability to process all
information
• Task-shedding – abandonment of certain tasks when
stress makes it difficult to concentrate on all tasks
simultaneously
• Difficulty prioritizing tasks

Reduced • Perception tunnelling – focusing on a specific
concentration element or task rather than the bigger picture
• Preoccupation with certain tasks
Difficulty in • Stalling thinking – mind goes blank

decision- • Availability (Similarity) bias – linking the current event
making or situation to a similar event which comes to mind
The impact of stress was evident in the Piper Alpha disaster (1998). This was a
fast-developing situation. People on the platform were at imminent risk of major
injury. The situation was in many respects, uncontrollable as well as confusing and
complex. The Offshore Installation Manager (OIM) was the individual responsible
for organizing the response to the emergency. Evidence from the report [93]
highlighted the inability of the OIM to make critical decisions in this situation of
stress. Some excerpts from the report are shown next.
Self-awareness of stress reactions is as essential as recognition of stress

reactions in others. Individuals should alert their colleagues, including their
superiors, if they notice they are experiencing signs of stress. This should be
followed by attempts to manage the stress.
“The OIM had gone a matter of seconds when he came running back in what
appeared…to be state a panic…The OIM made no specific attempt to call in
helicopters from the Tharos (a rescue vessel) or elsewhere, or to communicate
with the vessels around the installation, or with the shore or other installations;
or with personnel on Piper…” (para 8.9 [93, pp. 152-153])
“The OIM did not give any other instructions or guidance. One survivor said
that at one stage people were shouting at the OIM and asking what was going
on and what procedure to follow. He did not know whether the OIM was in
shock or not, but he did not seem to be able to come up with an answer.” (para
8.18 [93, pp. 156-157])
Training individuals in stress management techniques for coping with stress

reactions can take the form of:
• General exercises, such as realistic situations or case studies.

• Specific techniques, such as simulated emergency drills.
Building experience of stressful situations increases individuals’ coping ability,

builds confidence, and reduces the likelihood of stress and consequent cognitive
deterioration or paralysis.
Training content on coping with stress in emergency situations includes

techniques that directly target stress responses. It also includes techniques to
increase technical skill proficiency e.g., automated task execution.
Examples of these techniques are shown in Figure 22-4.

Figure 22-4: Stress management – training strategies
Cognitive control – mindfulness Physiological control – tactical

breathing
Individuals learn how to regulate
distracting thoughts, to allow them Individuals learn how to step away
to maintain concentration on the from situations, calm their bodies'
task in hand. responses (shaking, heavy
breathing), and regain control of
their breathing.
Modeling
Learners are given the opportunity
to observe another team in a
stressful situation, and to then
assess the effectiveness of their
performance.
Overlearning Time-sharing skills

Learners are over-trained beyond the Learners get the chance to work
level of proficiency that would on task prioritization skills.
normally be required for the particular
task.
22.4.3 Achieving shared situation awareness in emergencies
Shared situation awareness means the ability of

team members to gather and use information to See Chapters 20 and 21 for
develop a common understanding of the task and information on situation
awareness or loss of
the environment. Lack of situation awareness is
situation awareness.
another factor that can contribute to errors.
Individuals often form different impressions of a
situation without realizing they are doing so. Differences in understanding of a
situation contribute to difficulties in decision-making and thereby impact the
resolution of the problem.
It is important that individuals receive information. However, this should only

be information that is relevant to their job role and to the task in hand. Providing
each team member with all the available information relevant to the error or
incident would create information overload. Effective error management requires
awareness of individual team members’ tasks, and the whole situation.
Individuals need to be aware of the loss of their own and/or others’ situation
awareness. To stay in control of a situation, various types of information need to
be processed. Shared situation awareness requirements [94] are shown in Table
22-3. In emergency situations, individuals should be aware of:
• Who is doing what and where are they doing it?

• The impact of each other’s goals and actions.
• Potential consequences of actions for the immediate future.
Table 22-3: Shared situation awareness requirements

Situation awareness–
Elements per stage
stages
• Job and kit/equipment

Perception – data and
• Environment
information
• Other team members’ status
Comprehension – • Status of own and others’ goals

understanding of what • Impact of own actions on others
is happening • Impact of others’ actions on self
Projections – future • Actions of team members and leaders

events and impact (supervisors/managers on duty call)
It is important that individuals challenge others See Chapters 20 and 21 for

if they perceive their decisions and/or actions are more information on
not correct. This includes their colleagues and situation awareness traps,
supervisors or managers – whoever the positional including positional
authority in charge is. An absence of challenging authority.
skills has shown to have severe consequences on
emergency situations across industries.
22.4.4 Decision-making in emergencies
Emergency situations require individuals to make a decision in real time, while

considering various influencing factors and potential outcomes. Dynamic decision-
making consists of assessment of the situation, using a range of decision-making
processes (e.g., creative, analytical, intuitive, and rule-based strategies), and
executing the decided actions, as shown in Figure 22-5.
Figure 22-5: Decision-making in emergency situations.
(Adapted from a decision-making model [58] )

Inaccurate assessment of a situation can be due to several factors such as:
• Cues from the environment may be misinterpreted, misdiagnosed, or

ignored. This creates an incorrect mental picture of the problem.
• Risk levels may be miscalculated.
• The time available to deal with the situation may be misjudged.
Additional factors contributing to inaccurate See Chapters 20 and 21 for

situation assessment include: loss of situation more information on how to
awareness, confirmation bias, escalation of avoid perception bias,
including confirmation bias
commitment, and/or tunnel vision.
and tunnel vision.
Mnemonic and decisions aid are available for
individuals to help them make decisions during emergency situations. Examples
of decision-making aids and mnemonics are shown in Table 22-4.
Table 22-4: Emergency decision-making aids

Aid or
Definition Use
mnemonic
Useful in
emergency
situations to
DODAR provide the
DODAR is a cyclical model of decision-
steps of dealing
making, consisting of the following steps:
with abnormal
situations.
• Diagnosis – What is the problem?
• Options – What are the options?
• Decisions – What are we going to
do?
• Assign the tasks – Who does what?
• Review – What happened? and
What are we doing about it?
Aid or
Definition Use
mnemonic
This is a method that uses diagrams focused
on cause and effect. It also shows potential
blockers to solutions.
It can range from simple scenarios to

complex emergencies or rapidly changing
situations.
An example of a simple decision tree follows.
Useful in
The yellow square represents the starting
breaking down a
point (‘an alarm), while the green squares
highly complex
represent actions or critical points along the
Decision scenario into
decision pathway.
Trees simpler and
more
manageable
Shut De- chunks.
down pressure
Alarm
Evacuate
This is a method that considers the scenario

from two perspectives or frames.
Negative Useful when

Positive Frame evaluating the
Frame
“What is the impact of event.
Decision “What is the
best-case
Framing worst-case
scenario?” Allows people to
scenario?”
consider several
“what if”
Decision Framing enables people to focus on scenarios.
an action’s impact. For example, what is the
worst that could happen if option A were
selected?
Examples of good decision-making behavior exhibited by individuals during

emergency situations would include:
• Sharing knowledge – involving others in decision-making and asking for

opinions.
• Gathering information and identifying problems.
• Reviewing causal factors with team members.
• Generating and evaluating various options, considering risks and time
criticality of each option.
• Reassessing the situation after actions are completed.
• Reviewing options again and changing strategies if the action was not
effective.
These items can be used to guide training and assessment of individuals.
22.4.5 Responding to unplanned incidents
Responding to unplanned actions requires prioritization of emergency actions.

Despite the time pressure in such situations, the decisions and subsequent actions
should not be taken in haste. The prioritization of actions will be specific to the
event, however, a generic approach to prioritization of actions would include:
• STOP – to assess the situation and anticipate future events or potential

dangers. This could include, for example, harm to individual workers, or
damage to the property or environment.
• ASSESS THE HAZARD – consult with team members to assess the hazard
using the following categories:
o Risk – the severity and likelihood of a hazard.

o Manageability – whether anything can be done about the
hazard.
o Vulnerability – assessing how damaging the potential outcome
of the hazard could be to colleagues, property, wider
communities, and the environment.
• PRIORITIZE ACTIONS – priority would be given to activities focused on

high risk, high vulnerability hazards.
Further consideration should be given to the time available to manage each

hazard, and to the sequence of actions required to mitigate the hazard.
22.4.6 Readiness to enact emergency procedures
Emergency procedures provide a clear plan of action to be conducted in a certain

order in response to a specific reasonably foreseeable emergency. Emergency
procedures are designed to aid individuals in managing emergency situations.
However, employees are often unable to activate or re-enact the procedures.
Employees also tend to delay actions due to the following factors:
• Confusion about who has the authority to act.

• Fear about being disciplined if they are found to be overreacting.
• Limited knowledge about when and how to activate or enact the
procedure.
• Doubts about own or others’ perceptions or situation awareness.
• Perceived lack of management support.
A collaborative approach to problem solving, an open culture, and an emphasis on

learning from mistakes can increase confidence in utilizing emergency procedures
as and when required.
22.4.7 Team behavior in emergencies
Effective management of emergency situations is highly dependent on effective

teamwork. Effective teams’ behavioral characteristics include:
• Individual task proficiency – including technical and non-technical skills.

• Clear, concise, and efficient communication driven by awareness of each
other’s needs and information requirements.
• Shared understanding of the task and other team members’ roles.
• Flexibility – an ability to adjust the allocation of resources to fit tasks, and
to alter strategies to fit the situation.
• Self-correcting ability – the ability to monitor own performance and the
performance of others.
22.4.8 Leadership in emergencies
Leadership plays an important role in emergency situations. Leadership roles

include centralizing communication and decision-making. Important leadership
behaviors in emergency situations are shown in Table 22-5.
It is important to be aware that in emergency situations a specific job role or

job title is not necessary to assume leadership. It is more important that an
individual is in possession of the relevant technical knowledge and has the ability
to delegate and manage the situation successfully.
Table 22-5: Leadership in emergency situations
Leadership behavior Description
Taking responsibility for directing all team members’

efforts.
Setting goals and priorities according to situation
demands.
Coordinating tasks Planning and prioritizing activities to contain the
and workload situation.
Communicating the plan clearly to all team members.
This includes communicating individual tasks, and
how team members’ efforts should be joined
together to contain the situation.
Directing relevant information and task “order”.

Centralizing Receiving or obtaining all relevant information to
communication allow for effective decision-making.
Ensuring that all team members have a common

understanding of the situation. This is known as
Developing the team’s shared situation awareness. It includes ensuring all
understanding of the team members understand the problem, the issues,
situation the tasks, and the order that tasks are to be
completed in.
Ensuring that individuals’ negative emotions (i.e.,

panic or anxiety) do not spread, and that each
individual maintains focus on their tasks.
Managing stress Emergency situations are stressful due to time
pressure, awareness of hazards, and unsuccessful
attempts to contain the situation. It is the leader’s job
to manage this.
Teams function best with sound leadership during emergency situations.

Critical situations require the leader to direct, coach, support, and delegate.
Therefore, the leadership style must be matched to the situation and to the people
involved in the situation.
22.4.9 Delegating and communicating
Delegating and communicating are two non-technical skills that are crucial in
emergencies. These skills are also vital for individuals assuming a leadership
position. Table 22-6 show how these two non-technical skills translate into practice
in abnormal situations.
Table 22-6: Delegating and communicating in emergency situations

Delegation Communication
• Delegate tasks and duties • Communicate essential updates to
during an emergency all individuals involved including
response. operators, the on-call duty manager,
• Ensure delegated tasks are and off-site personnel.
understood. • Promote a common understanding
• Ask for feedback and the of the situation. For example, what
outcome of delegated tasks. is the situation, and what should be
done to contain the situation?
• Maintain an accurate record of key
events. For example, “Closing valve B
did not resolve the situation.”
22.4.10 Maintaining oversight and agility
Personnel dealing with emergency situations should maintain oversight of an

evolving situation, focusing on:
• Completion of delegated tasks – Have all tasks been completed to the

required standards?
• Outcomes of tasks – positive versus neutral versus negative effect.
• Evolving situation – actions which may have worsened the situation.
• Need to change course of action – change of plan (agile thinking).
• Review of the successfully contained situation.
Maintaining oversight in emergencies can be helped with a three-way

communication consisting of the following steps:
• Step 1: The sender states his message to the receiver.

• Step 2: The receiver acknowledges the communication by repeating the
critical information in the communication back to the sender. If the
receiver did not understand the communication, then he must ask the
sender for clarification.
• Step 3: The sender confirms the message is correctly understood by the
receiver or if it is not understood the sender has to indicate that the
message is not understood and the three-way communication process
must start over.
High levels of stress decrease performance and increase likelihood of errors.

Therefore, it is also important to maintain awareness of people’s stress levels, to
ensure that the team does not succumb to panic and stress.
22.4.11 Being resilient
Resilience is the capacity to recover quickly from difficulties. It is an important skill

to possess in emergency situations, enabling effective coping and recovery from
stressful situations. It also aids stress management.
Resilience in emergency situations refers to the development of

mechanisms to deal with error and changing conditions effectively, while
recovering from adverse effects and quickly returning to normal operating
conditions.
Resilience can be developed via:
• Training – developing an awareness of stressors, learning about stress

coping strategies, and understanding normalization of stress.
• Experience or exposure to emergency situations – such as that
gained via simulation training or real-life events.
Resilience is often included within stress management training, as discussed

in section 22.4.2.
Key learning points include that successful emergency response requires:
• Accurate perception and understanding of the situation.

• Consideration of risk severity and the time available to deal with the
situation.
• Consideration of the option to stop dealing with the situation and shut
down the operation.
• Effective use of non-technical skills such as decision-making, situation
awareness, communication, teamwork, and leadership.
• Effective stress management.
• Resilience building.
Performance CCPS.
Part 7: Working with contractors and managing change

Performance CCPS.
23 Working with contractors
Every Chapter of this handbook applies equally to contractors and subcontractors.
It is common practice for process organizations to have a “Contractor

Management” policy and procedure. This is an element of the CCPS “Guidelines for
Risk based process safety” [24]. The CCPS guidelines cover the selection,
acquisition, use, and monitoring of contractors. Human Factors integration should
be demonstrated in selection, acquisition, use and monitoring of contractors.
Examples of guidance on the safety management of working with contractors

includes:
• Contractor and Client Relations to Assure Process Safety, CCPS, 1996

[95].
• American Petroleum Institute Recommended Practice 76 – Contractor
Safety Management for Oil and Gas Drilling and Production Operations
[96].
• The International Association of Oil and Gas Producers (IOGP) Report
423 – Health and Safety Executive (HSE) management guidelines for
working together in a contract environment, IOGP [97].
This Chapter’s learning objectives include:
• Understanding the Human Factors issues of working with contractors.

• Understanding additional actions to support contractors’ task
performance.
23.2 An accident involving contractors
23.2.1 DuPont, Yerkes chemical plant explosion, New York, 2010
The United States Chemical Safety Board reported that, on November 9th, 2010, an
explosion occurred at E.I. DuPont de Nemours and Co. Inc. (DuPont) Yerkes
chemical plant in Buffalo, New York [98]. This explosion occurred when a contract
welder and foreman were repairing the agitator support atop an atmospheric
storage tank containing highly flammable vinyl fluoride (a gas).
The accident is summarized in B.5 (page 393).

This incident had multiple causes. The Chemical Safety Board report noted that:
• Repairing a cracked seal loop was postponed (allowing vinyl fluoride to

flow to the slurry tank).
• The equalizer line, which provided the direct path for the flammable
vapor to enter tank 1, was not blinded and was not included on the lock
out card for the slurry tank.
• The hot work permit procedure did not require testing the atmosphere
inside the tank.
There were issues with the role of contractor management, which are
discussed next.
DuPont recognized that contractors may be unfamiliar with process safety or

activities on their sites. DuPont’s intention was to ensure that everyone would
understand the work and potential hazards. In this instance, DuPont intended that
the construction field engineer and the area manager would help the contractor
understand the hazards.
The contractor submitted a “hot work permit”. However, the section of the
permit which asked if flammable material would be within 35 feet (10 meters) of
the work was not completed. The hot work was within 35 feet (10 meters) of the
slurry flash tank that vented vinyl fluoride to the atmosphere.
It was concluded that:
“The contractors were unfamiliar with the Tedlar® process and the process
equipment involved. The contractors did not know what the slurry flash tank
was or which chemicals were present inside it.” p10, CSB [98]
The permit was signed off by the DuPont construction engineer and by the area
manager. It was reported that:
• The DuPont construction engineer for the slurry tank work had no
working knowledge of the Tedlar® process.
• The construction engineer expected the area manager would advise the
contractors of plant-specific process safety information for hot work.
• An area manager signature was obtained by someone in a service
department. The area manager lacked knowledge of the area and of the
Tedlar® process. In addition, they did not perform the required “walk
down” of the area before signing the permit.
• The area manager assumed the construction engineer was briefing the
contractors on-the-job and the hazards.
23. Working with contractors 303
It was also concluded that:
“The contractors … were allowed to complete the hot work permit and begin
hot work without getting approval from any DuPont employee knowledgeable
about the process.” p11 CSB [98].
23.2.3 A Human Factors perspective
“…the potential lack of familiarity that contractor personnel may have with
facility hazards and operations, pose unique challenges for the safe utilization
of contract services”. CCPS, [24].
Working with contractors creates some Human Factors risks. These include:
• A need for communication between personnel of the client’s

organization and the contractor’s organization. As with all
communication, this poses a potential source of error.
• Procedural discrepancies between the contractor and the client not
being recognized or agreed upon.
• The contractor may be reluctant to challenge their client.
• Some contractors may only work occasionally on a site. They may not be
familiar with the site-specific hazards, safety management
arrangements, or procedures.
• As with all team and inter-team working, ensure clear allocation of roles,
responsibilities, and accountabilities.
• Contractual deadlines may create a perceived pressure for working long
hours and/or rushing work.
• Contractors often perform specialist inspection, testing, commissioning,
and maintenance work. These tasks may be complex.
• Contractors work on many sites with various terms or different
procedures.
• Contractors may perform the same task elsewhere with different safety
management system.
The client organization personnel should recognize the risks, and proactively
offer support to help contractors perform tasks successfully. It is important to
verify the activities and stop points with contractors. The host employer (Company)
should ensure that the work is inspected and the work plan is being followed.
23.3 Human Factors tactics for supporting contractors
Some good practices that can help with the Human Factors of working with
contractors are outlined next.
Planning and job safety assessment
It is common practice to perform job safety assessment as part of work

planning. This can include the identification of where working with contractors
increases the potential for error, miscommunication, and confusion of roles and
responsibilities. The key steps in an activity can be listed or written out. The
potential for error, miscommunication, and confusion can then be noted per step,
with suitable actions in place to mitigate these.
It is important to understand the contractors’ levels of knowledge of the site,

the management arrangements, and procedures, as well as their behavioral
orientation, such as whether they are likely to speak openly.
Some questions to ask include:
1. To what extent are they familiar with the site, its hazards, job and task
specific hazards, safety management arrangements, and procedures?
What actions will they take in case of an incident?
2. Are they familiar with availability and functionality of controls?
3. Are they familiar with performance expectations, and operational and
safety standards?
4. To what extent do the contractors feel psychologically safe to challenge,
report problems, and speak up about safety concerns?
5. To what extent do the contractors feel they are part of a “one site, one
team” approach, with an expectation to share information, and to
coordinate and communicate with one another?
These questions could also be applied when selecting contractors.
Joint task planning and safety assessment
The joint assessment of jobs and shared task planning can help to ensure a
shared understanding of plans, roles and responsibilities, objectives, and risks. It
can also help to foster a “one site, one team” approach.
Mobilization
It is important to recognize that contractors, especially those that rarely visit

the site, probably require additional support to be prepared for a task. An explicit
“mobilization” activity can help to ensure that time and resource is allocated to
preparing and continuously support to contractors. The contracting terms and
mobilization effort need to address 'stand down' costs and schedule impacts in
order to build a framework where contractors can feel they have the freedom to
question and challenge the safety of a situation that could delay their work.
Common mobilization activities include:
• Instructing contractors on safety procedures.

• Familiarization with client specific documentation.
• Communicating mandatory safety rules.
• Highlighting anything that is unique to the site or company, and that is
different to practices in the rest of the industry.
• Providing a site orientation and induction, including process hazards.
• Briefing contractors on simultaneous operations.
• Asking if they have performed these operations before and checking
what training and support they need.
• Emphasizing a “don’t hesitate to speak up” approach and reminding
contractors that they are working in an open challenge culture.
• Communicating key behavioral expectations, such as stopping when a
risk is found, or if a work instruction cannot be completed properly.
• Sharing fatigue risk management requirements, such as adopting the
client’s fatigue risk management policy and requirements.
Sufficient time should be allowed within schedules to enable briefing of

contractors who are less familiar with the site and safety management procedures.
Supporting open communication
If contractors are reluctant to disagree, this may be mitigated by:
• Communicating that there will be no adverse repercussions to express

challenges or disagreement.
• Stating that contractors must report any unsafe condition or event, or
potential risk.
• Demonstrating reporting mechanism for incidents, accidents, near
misses and unsafe acts.
• Actively listening to contractors.
Operational readiness review
An explicit “readiness to commence work” review can help confirm that the
contractors:
• Are equipped with work instructions.

• Are aware of nearby or simultaneous activities.
• Have certificated equipment, tags, and locks etc.
• Have clearly defined roles.
• Are aware of stop and hold points.
• Are aware of applicable emergency plans.
• Have a named person/role to report to.
The last step before signing a Permit to Work should be a field visit of
Operations personnel together with the person responsible of the contractor crew
to check the real conditions before any activity starts. This provides a last
opportunity to identify any unusual situation or hazard.
Coordination
This can include:
• Communicating and coordinating – holding communication and

coordination sessions daily, where all tasks over the next 48 hours are
reviewed for potential conflict or overlap. Drawings and plans can be
shared and discussed.
• Zonal control – this is where multiple contractors may be operating in
the same area. Identified areas are defined for “zonal control”, with each
zone supervised by an identified contractor or by client personnel.
• Notice boards or asset maps – these should show all daily and planned
activities, each contractor color-coded, so it is clear which teams are
working in which parts of the plant.
Double-checking task completion
Some examples include:
• The client supervisor performing a “walk-down” before the start of work

and at the end of each shift. This is to check the site is safe and that site
housekeeping is in order.
• Additional checks on the safe completion of tasks such as isolation and
whether a system is safe to restore to service.
• Higher levels of checks on task completion during peak periods and
critical points e.g., restored to service.
• Using independent specialists to check work of other specialist
contractors.
Double-checking tasks is important a) where contractors are scheduled to work

on systems that normally contain hazardous substances or energy sources, and b)
where a system is to be started or restored to service after a contractor completes
a task.
It is important that double checking is undertaken by an independent person

not part of the contracting team. Checks completed by colleagues may be
unreliable because they assume that the other’s work is trustworthy.
Demobilization
An explicit demobilization activity can help to ensure that site restoration and
reinstatement is performed without omission or miscommunication.
• Working with contractors can create additional Human Factors risks.

• Risks of working with contractors should be included in task assessment
and planning.
• Time and resource should be applied to provide the support contractors’
need, especially where they are unfamiliar with the site, its hazards,
and/or its safety procedures.
• Specific actions, such as joint planning, mobilization and readiness
reviews, can help ensure that contractors are effectively supported.
Performance CCPS.
24 Human Factors of operational level change
It is standard practice for process organizations to have a “Management of

Change” (MoC) policy and procedure. This is an element of the CCPS “Guidelines
for Risk Based Process Safety” [24]. These procedures tend to focus on engineering
and process changes, as well as the impact on operators.
The Energy Institute has published guidance that covers the management of
major organizational changes entitled “Managing major accident hazard risks
(people, plant and environment) during organizational change” [99]. This is a
detailed and comprehensive guide. It covers the Human Factors process of change
management and provides checklists and assessment tools.
This Chapter focuses on operational level changes rather than corporate level
organizational change.
This Chapter’s learning objectives include:
• Understanding how operational level changes may affect human

performance.
• Recognizing operational level change and potential impacts on human
performance.
• Managing the Human Factors aspects change.
This Chapter does not cover the mental health aspects of change, or the
management of laying people off or terminating their employment.
24.2 What do we mean by operational level change?
“Front line” operational level changes mean any change that may occur within an
operation/ production, maintenance or logistics department, that may affect
human performance. This may include:
• Process plant changes, such as alterations to piping and new

computerized control systems;
• Production changes, such as increased production level;
• Changes in policy and procedure, such as revision of a Standard
Operating Procedure;
• Deviation to maintenance, inspection and testing programs;
• Control and instrumentation changes, such as new control systems;
• Organizational changes, such as a change in the number of staff,
removing a supervisory role, changes in workload, changes in shift
rotation (rota) etc.
These changes may be initiated by local management, such as altering roles

within a single team, or by senior management, such as introducing a new
business wide organizational model.
24.3 Operational level change and major accidents
Many of the major accidents cited in this handbook were, in part, caused by
changes in process plant, staffing, or ways of working. The following examples
include introducing a new control system, increased production and alteration of
piping.
The failure to recognize and effectively manage changes can undermine

human performance in many ways. While some of the potential impacts were easy
to foresee, some potential impacts were less obvious.
The explosion at the Bayer Crop Science plant in West

See B.2 for more
Virginia, USA (2009), had a new computer control system
information on the
for the unit – a Distributed Control System (DCS).
explosion at the
Operators were not properly trained on the new Bayer plant.
equipment. The operating manual for the DCS did not
correspond with the steps required to run the control
system. This had an immediate impact when they tried to start up the system.
The Esso Longford Gas Plant explosion, Australia

(1998), occurred following two changes: the
See B.3 for more
centralization of engineers outside of the plant, and
information on the
the decentralization of safety. The accident occurred
explosion at the Esso
Longford plant. long after these organizational changes and the
impact of these changes was not apparent until the
site staff had to respond to a complex event.
An increase in throughput at the Buncefield

fuel facility had reduced the time available to See Chapter 9 for more
recognize and resolve process safety problems. information on the
While this did not have an immediate impact, it explosion at the Buncefield
facility.
contributed to staff being unable to resolve
equipment faults.
The piping had been altered at the Pembroke

Cracking Company refinery, contributing to errors in
See B.4 for more
responding to a lightning strike, leading to an
information on the
explosion. The lightning strike occurred long after the
explosion at the
Pembroke Cracking change in piping and the failure to ensure operators
Company. understood the new layout was not apparent until the
accident occurred. A key lesson learned is that
operators need to be informed about changes in
process plant.
24. Human Factors of operational level change 311
24.4 Recognizing operational level changes that impact human
performance
24.4.1 The need for early recognition
In any organization, changes should be Figure 24-1: Types of change and

recognized and managed. impact
Some impacts are less obvious

(latent as in Figure 24-1) or may be Immediate Latent
delayed. If “hard evidence” of
immediate adverse impacts on human
performance is demanded before
taking action, this may cause failure to
manage changes effectively.
24.4.2 Immediate impacts
Some changes and their potential impacts are more obvious and immediate.
These include the following examples:
• Retraining of people on a new control system, a major change to a

process, or new operations.
• A major change to staffing levels, such as moving from 10 to seven
people per shift team.
• A major change to supervision, such as removing team leaders.
• The change of the person staffing a key role such as Emergency
Response Commander.
• A change in piping and instrumentation, requiring a revision of Piping
and Instrumentation Diagrams.
24.4.3 Latent impacts

Latent impacts
Some impacts may not be immediate nor obvious. The
occur sometime
impact is hidden until circumstances occur to reveal it,
after the change
such as a process upset. For example:
has occurred.
• The installation of new, high reliability, or
automated process equipment may reduce the frequency of
maintenance and emergency response. This could lead to a lower
frequency of performing tasks, which can cause skill fade. This increases
the likelihood of mistakes when the task is performed.
• The centralization of control rooms may reduce the frequency of control
room operators working outside, and lead to a gradual reduction in their
level of local plant knowledge. This would only be revealed when a
process upset occurred.
• The relocation of staff from one part of a site to another may reduce the
level of contact between two teams. This can slowly erode the level of
teamwork and create an unintended obstacle for seeking help.
24.4.4 Tips for recognizing change and potential impacts
MoC procedures typically rely on someone recognizing that a change is planned or

is occurring, and then initiating the MoC process. All managers, team leaders and
supervisors of operations, production, maintenance and associated functions
should be conscious of what constitutes change and aware of the potential impact
of change. This is true regardless of whether they initiate change or whether
change is initiated by others.
A proactive approach is required, and it is important to keep an open mind

about potential impacts on human performance. Some tips on recognizing change
are given in Table 24-1.
Table G-1 in Appendix G, provides a list of typical changes, examples of their

Human Factors impacts, and typical Human Factors actions. This table can be used
to identify changes and recognize their potential Human Factors impacts.
Table 24-1: Tips on recognizing change
Do Do not
• Be committed to speaking up • Demand “hard evidence”

about potential impacts and (such as accidents, high
expressing opinions about levels of fatigue or error) of a
potential risks potential impact
• Keep an open mind about • Demand evidence that the
potential impacts impact will certainly happen
• Systematically identify all • Disregard impacts that may
elements of change not happen for a long time
• Systematically consider all • Limit the scope of
potential impacts assessment before
• Think about latent impacts identifying all potential
that will not be immediately impacts
revealed by normal • Assume the impact will be
operations negligible without assessing
• Think about how the change the risks
can impact performance of • Assume people will work out
infrequent and emergency how to adapt to the change
management tasks after it has been
• Consult with workers and implemented
colleagues and actively listen • Disregard concerns
to their concerns and expressed by staff on the
opinions grounds that they are
• Engage with safety specialists “resistant to change”
in assessment of change • Feel a need to “push”
• Think about potential through changes and
impacts during the overcome “barriers to
implementation of changes change”
• Recognize the value of early • Ignore local operational and
assessment of the risks maintenance requirements
posed by change when implementing business
• Get an independent opinion wide organizational change
about the changes and about
the impacts and the
effectiveness of plans
• Ensure that all key tasks and
responsibilities are identified
and successfully transferred
24.5 Managing Human Factors of changes
Most MoC procedures involve a number of steps as shown in Figure 24-2. Front
line managers and supervisors should be involved at every stage of this process.
Figure 24-2: Sample Management of Change process
• Judge the risk level – is it low, medium or high?

• Does it impact safety critical tasks?
Risk
• Identify potential impacts.
Impacts
• Determine actions to support human performance.

• Devise a transition plan.
Actions
• Verify effectiveness of actions.

• Monitor for unexpected impacts.
Verify
The Energy Institute guidance “Managing major accident hazard risks (people,
plant and environment) during organizational change” [99] provides a simple tool
for rating risk levels and identifying potential impacts.
It is also common for businesses to carry out operational readiness reviews

before starting up a new or modified process. This includes verification that the
organization is operationally ready to accept the change and perform at expected
levels. Further CCPS guidance on operational readiness reviews is available [100].
24.5.1 Assessing risk and impacts
Upon recognizing change, most Management of Change

procedures require a risk assessment. The impact may be
minor or major. This will indicate the level of risk
management required. The local team usually manages low
risk changes. Medium or high-risk changes may involve
more senior management and/or specialists such as safety
professionals. Some organizations may also use advanced
risk assessment methods such as Process Hazard Analysis,
especially for complex and high risks.
24.5.2 Actions
The actions for managing potential impacts on human performance should be

informed by the guidance in this handbook. The extent of action should match the
risk level. High-risk changes should have a high level of action, while low-risk
changes may require less action. Table G-1 in Appendix G provides a list of typical
Human Factors actions aligned to types of change. Pre-implementation activities
should be completed such as communicating proposed change, updating
documentation and undertaking associated training. Any changes to roles and
responsibilities should be clearly defined and communicated.
24.5.3 Managing the transition period
Change can create uncertainty. In addition, Prerequisites

the change may require certain actions to be
completed.
Sequencing actions
A transition plan can identify risks and
requirements, to assure successful
implementation of change and management Hold Points
of risks during the transition period. For
example:
Verification of actions
• Assigning additional staff or
specialist support while operators
become familiar with a new control system.
• Ensuring training for new roles takes place before the new roles are
implemented.
• Ensuring team leaders are informed of the new/revised operation and
understand the hazards, safeguards and major impacts of it.
The sequence of action should be determined. This should include identifying
where the introduction of change is dependent on prerequisites. The achievement
of these prerequisites should be HOLD POINTS. For example, a new DCS cannot
be used for process start-up before training and procedures have been 100%
updated.
Many changes can cause uncertainty among people, which can lead to stress.
This is more likely to happen if the change alters their role, adds new tasks, or
changes the people they work with. The potential for stress may also be related to
individual factors. The potential for stress, and its impact on performance, should
be recognized and proactively managed. This may include consulting people and
being able to recognize within them the signs of stress, uncertainty, or concern.
Talking to people to understand their concerns is vital. Examples of how to help
people include:
• Explaining changes, their aims, timings, and sequences.

• Giving people the opportunity to offer opinions and to highlight
potential risks.
• Actively listening to people.
• Acknowledging the value of what people are saying.
• Identifying training and other support that can be given.
• Outlining how the impact of change will be monitored and checked.
• Making it clear that people are welcome to express their concerns and
ask questions and can do so without fear of rebuke.
Frontline people will often recognize risks that have been overlooked. A
psychologically safe environment is required – this includes ensuring that people
are actively engaged. It also means ensuring they are asked to speak up about
potential risks and the adequacy of change plans. This will help to reassure people
that all risks have been recognized and are being managed, especially if plans may
change in response to feedback. Error precursors, such as, Time Pressure or Late
Information may influence the thoroughness and accuracy of the change effort.
Refer to section 3.3 for common precursors to error.
24.5.4 Verifying impacts on human performance
The effectiveness of change management should be checked.

Some common options include:
• Piloting the change – for example, implementing a

trial period of three to six months, during which a
new shift rotation (roster and schedule) is operated, before changes
become permanent.
• Checking performance – verifying the competence of people assigned
new or merged roles six months after implementation.
• Consulting staff on the impact of changes – checking whether staff are
confident in their new roles.
• Tracking near misses and incidents after implementation of changes.
An option, especially for higher risk changes, is to formally audit and track
selected indicators.
Chapter 25 summarizes indicators of human performance, which may be

used to help spot unexpected impacts of change and to monitor the
effectiveness of actions.
For example:
• Signs of stress and fatigue may indicate that new lower staffing levels
are too low.
• Low morale may indicate dislike of new roles.
• An increase in error may indicate a new control system is confusing.
These potential impacts may be checked by day-to-day observations of people

and their performance.
• Changes have been a factor in major process plant accidents.

• Change and its impacts should be recognized. It is important to
remember that not all changes or impacts are obvious or immediate.
• Management of Change should assess impacts on human performance.
It is important to use formal plans and to verify actions.
• Human performance should be managed during transition periods.
• Human Performance should be monitored and managed following
change.
Performance CCPS.
Part 8: Recognizing and learning from performance

Performance CCPS.
25 Indicators of human performance
This Chapter builds on the previous two Chapters about learning from error. By
the end of this chapter, the reader should be able to:
• Understand what is meant by performance indicators.

• Identify performance indicators of the standards of human
performance.
• Act effectively on performance indicators.
The CCPS “Guidelines for Risk Based Process Safety [5]” cites “Measurements
and Metrics” as an element.
“The metrics element establishes performance and efficiency indicators to

monitor the near-real-time effectiveness of the RBPS [Risk Based Process
Safety] management system and its constituent elements and work activities.”
It also notes the need for developing, managing, and using metrics.
The CCPS publications – “Process Safety Leading Indicators Industry Survey”

[101] and “Guidelines for Process Safety Metrics” [102] – summarize many key
performance indicators.
This Chapter does not cover safety culture nor culture-related indicators, such
as safety culture surveys. These are covered by several CCPS guidance documents
[5] [101] [102], which also cite many Human Factors metrics.
This Chapter focuses on indicators that can be self-applied by operations

teams and by frontline management. The focus is on qualitative indicators
(rather than on quantitative indicators). These can be applied, for example,
during operational debriefs, individual performance reviews, and self-assessment
of teams.
A general awareness of indicators can be applied to day-to-day work and can

then feed into continual improvement activities. This could include improved
training, or enhanced procedures.
25.2 What are performance indicators?
The concept of leading and lagging indicators is well known. Most organizations
will already have measures in place for these indicators, which are largely
quantitative and applied at organizational level. Some examples of leading and
lagging indicators are shown in Table 25-1. The indicators are used to identify
issues (spot problems), and to prompt actions to improve performance.
Indicators can point towards positive as well as negative situations. For

example, near miss reporting would be a positive indication of reporting culture,
while increase in the number of accidents and incidents indicates a negative trend
in process safety performance. The aim is to have a balance of leading (positive)
and lagging (negative) ones.
Table 25-1: Leading and lagging indicators

Leading indicators Lagging indicators
Indicate that something may happen Provide information on what has
in the future. already happened.
Indicate the “health” of a
management system or a practice.
• Percentage of required • Percentage of reported
safety training sessions incidents or accidents caused
delivered by human error
• Percentage of lessons • Percentage of safety
learned, shared, and applied procedure non-compliance
following incidents • Number of extended shifts
• Fatigue-risk training • Percentage of people
• Training competency carrying out overtime
assessment
• Percentage of audited
management of changes
• Number of Toolbox talks
• Participation in safety
committee meetings
• Number of task safety
observations completed per
week
• Number of process safety-
critical task safety
observations completed per
week
• Number of occupational
safety-critical task safety
observations per week
25. Indicators of human performance 323
25.3 Identifying human performance indicators
As noted in this handbook, many factors influence human performance in the

process industry. Individuals perform a range of tasks, including, planning,
communicating, decision-making, and emergency management. The leading and
lagging indicators are also wide-ranging, and can be formulated into behavioral
markers, which can form part of self-assessments (including team self-
assessments) and 360-degree reviews.
When identifying human performance indicators (Figure 25-1), the following

issues should be considered:
• What are the critical tasks in a specific area of operations? For example,
blinding, handling a process upset, correct maintenance, correct fault
diagnosis.
• What are the key factors (e.g., competence, job aid, tools and physical
environment) influencing the performance of people in safety critical
tasks?
• What demands (job requirements) are placed upon people in
operational areas? For example, shift work, or tasks that are lengthy,
complex, or novel.
• What indicators can be used to demonstrate adequate performance of
these tasks?
Figure 25-1: Design of human performance indicators
Safety critical
tasks
Factors influencing Demands placed upon

performance in safety people
critical tasks
Performance indicators in
safety critical tasks
25.4 Examples of human performance indicators
25.4.1 Supporting human performance
Indicators of the support offered to people should be clearly defined. Parameters

should be specified, the criticality stated, and the data collection sources should all
be identified and recorded, as shown in Table 25-2.
Table 25-2: Specifying a human performance indicator

Definition
The concept being Effectiveness of emergency drills.
measured
Parameters
Technical skills: monitoring and interpretation of
The attributes that are
emergency alarms, and the response to the alarms.
being measured and
Non-technical skills: decision-making,
how they impact
communication, and performance under pressure.
performance
Criticality
Safety importance (very Very high.
high to very low)
Data collection Review internal training records.
Sources of data Discuss training in toolbox talks.
Frequency of emergency drills.
Drill exercise performance response time.
Indicators
Frequency of formal discussions related to
effectiveness /usefulness of training.
More examples of human performance supporting indicators are
• Percentage of planned training sessions delivered.

• Percentage of filled posts or consecutive days of work.
• Percentage of safety critical tasks with job aids or appropriate
procedures.
• Percentage of up-to-date Piping and Instrumentation Diagrams.
• Number of toolbox talks.
• Number of safety problems identified by management vs. total safety
problems identified.
• Safety culture training activities vs. incidents.
• Percentage/Proportion of lessons learnt from successes/failures shared.
25.4.2 Feedback from people on level of support
People can provide feedback about the support they get when performing process
operational tasks. This helps improve performance. Individuals should provide
feedback for the “right” reasons (because they want to) rather than for the “wrong”
reasons (because they were told to).
The “right” reasons to provide feedback can stem from:
• Commitment to colleagues or to their job, or concern for others.

• A sense of responsibility.
• A desire to support and enhance their own or others’ performance.
Feedback from people at operational level can focus on:
• “How do we do things around here” – for example:
o Are procedures practical?

o Do we apply STOP and THINK procedures when we should?
• Adequacy of support:
o Is the training effective?

o Are job aids practical?
o Are there enough people to complete tasks?
o Is enough time allowed to perform the tasks safely?
The process of giving and receiving feedback is also called a “feedback loop”.
This is because the process involves gathering feedback on a performed action,
analyzing the feedback, and (if necessary) correcting the actions and gathering
feedback once more. The process of receiving feedback and using it to improve
performance is shown in Figure 25-2.
.
Figure 25-2: Gathering and reviewing feedback
Action
Collect feedback
Review feedback
Positive Negative
feedback feedback
Monitor effectiveness
Improvement
of action
25.4.3 Operational debriefs
Operational debriefs provide rich information on what was done well versus what
could have been done better. Operational debriefs can look at the execution of the
tasks and at the non-technical skills exhibited during tasks.
Operational debriefs can take place after doing a process start-up, and after
process upset or abnormal events, for example. They should reflect on:
• Individual and shared situation awareness.

• Effectiveness teamwork and task sharing.
• Effectiveness and efficiency of decision-making under pressure,
including decision-making under time pressure and under stress
conditions.
• Strategies used to avoid decision-making bias in safety critical situations.

This includes biases such as group-think, confirmation bias, and tunnel
vision.
25.4.4 Observation of people’s “states”
Human performance indicators can also be based on

See Chapter 15 for
observed individual’s behavior indicating cognitive states. more information
The most common signs indicating that an individual’s on fatigue.
cognitive state may be impaired include:
• Signs of fatigue:
o A team member demonstrates slow reflexes, tiredness, and
impaired judgment.
• Signs of stress:
o A team member struggles to maintain focus or to remember
information.
o A team member demonstrates low levels of confidence or
morale.
Figure 25-3 shows examples of environmental factors at work that contribute

to stress. While it may not be possible to change a person’s working environment,
it is possible to lessen any negative impacts of the work environment through
support strategies. If the support is not sufficient, the individual will experience a
range of signs and symptoms of stress. Stress response includes:
• Behavioral (e.g., hyperactivity, irritability, outbursts);

• Emotional (fear, anxiety and panic);
• Somatic (e.g., muscle tension, energy surge, increased heart rate); and
• Thought based (e.g., reduced concentration, difficulty in decision-
making) symptoms.
These symptoms can be used as indicators that an individual is experiencing

high level of stress. Stress leads to behavioral consequences, such as impaired
cognition, impaired performance, and undelivered output. For example, work
objectives are not met, or tasks are not completed to the required standards.
Measures of stress and fatigue can be collected through observations or

anonymous surveys. Useful and freely accessible surveys are available from the
United Kingdom Health and Safety Executive. These include:
• The Management Standards Indicator Tool [103], which focuses on

working conditions known to contribute to stress.
• The Fatigue and Risk index [60].
Figure 25-3: Stress in the workplace and performance
Environmental demands
Job demands
Not enough time to complete the task.
Insufficient training for the job. Stress Stress response- Behavioral
Boring/repetitive work. The working
mitigating symptoms consequences
environment – (e.g., shift work, temperature
extremes, noise).
Control
Lack of control over work activities –no • Prior • Cognitive
involvement in decision making, no control experience impairment
over pace of work, etc. • Training • Behavioral • Emotional
• Practice • Emotional imbalance
Supervisor/Manager • Social support • Somatic • Impaired
Lack of support from supervisor or manager. • Thought-based performance
• Coping
strategies • Undelivered
outcomes/ output
Role
Lack of clarity about responsibilities.
Uncertainty about work objectives.
Change
Fears about job security. Restructuring of job (Adapted from Cooper et al. 1988, stress at work [124])
role.
25.4.5 Observations of performance
Observations of performance can also contribute to leading indicators. The focus

of these observations may include:
• Mistakes and Lapses:
o Are individuals making frequent mistakes/lapses? If so, is there

a pattern in these mistakes/lapses? Is there a common cause?
• Task completion:
o Are tasks being completed on time? Are they being completed

effectively, or do they need to be redone or corrected?
• Effectiveness of audits:
o Do audits detect errors and omissions? For example, do they

detect failure to tag lock outs?
• Lessons learned:
o Are lessons learned and applied? For example, have incident

recommendations been implemented?
25.4.6 Signs of psychological safety and teamwork
Psychological safety is an important indicator of safety culture and allows for free,
open discussion about human performance. Indicators of psychological safety
include:
• Open reporting of errors without fear of repercussion.

• Conversations about lessons learned.
• Discussions about potential error traps.
• Challenging others (including superiors) on safety-related issues e.g.,
mistakes, incorrect commands.
• Effective communication and information sharing across business units.
• Leaders tend to reserve judgment until all facts are obtained and not
jump to conclusions, blame workers, and seek unwarranted disciplinary
action.
It should be noted that task safety observations conducted in the field by a

small group of individuals (e.g., a manager, a supervisor, and the worker) often
results in a psychologically safe environment in which the worker may freely
escalate concerns. The reality of leaking pipes, broken equipment, and faulty
instrumentation are in clear view of the manager and/or supervisor when they are
in the field together with the worker. Direct engagement with the worker by the
supervisor and/or manager may also implicitly show respect to the worker and
may also convey that his work is important. Also, for some workers, they are less
likely to escalate concerns in a large group, however, task safety observations
afford a more natural environment in which to escalate concerns since the worker
can directly show the supervisor and/or manager the challenges he faces in the
field.
25.4.7 Signs of individual operational mindfulness
A lack of operational mindfulness can have severe consequences in a high-risk

environment. A lack of mindfulness, when the mind wanders, is associated with
failure to perform, failure to monitor procedural steps, deficiencies in recalling
information, inability to interpret alarms, and overall reduction in task
performance. These performance failures can also be due to other systematic
causes, and the reasons behind these failures should be determined, such as poor
job design. If individual mindfulness is found to be the underlying cause of
impaired performance, then it should be incorporated into performance
indicators.
Mindfulness is "the quality or state of being conscious or aware of

something.” When a person is being mindful, they are focusing on the task
in hand and aim to eliminate potential distractions (e.g., newspaper in the
control room, or chatter on the radio). Mindfulness is not only influenced by
an individual’s physical and psychological state, but also by organizational
(e.g., organizational change such as restructuring and staff reduction / de-
manning) and environmental (e.g., night shift, noise/alarms) factors.
Signs of mindfulness are shown in Figure 25-4. Mindful individuals exhibit alert
and perceptive behavior towards hazard and risk identification (chronic unease)
and they respond calmly in emergency situations, regularly engage in self-
reflection, exhibit natural curiosity by asking open questions, and perceive error
as a learning opportunity.
Figure 25-4: Signs of mindfulness
Alert and
perceptive
to
identifying
risks and
hazards
Learning Calm
from error response
Mindfulness
Self-
Curiosity
reflection
Some tips on how to prevent loss of mindfulness at work are as follows:
• Work one task at a time – when multitasking (i.e., doing various things at
a time) individual’s focus switches back and forth and loses important
information.
• Take time out – when a person feels overwhelmed with things or a
situation, they should step back for few minutes and clear their mind
start the task again.
• Be fully “present” at meetings - individuals should be fully present
(physically and psychologically) and actively listening to what others are
saying and contributing to the discussion.
• Mindfulness scan (i.e., bring mind back into focus) – it is important that
individuals take regular short breaks (taking a minute or two break from
work) to allow them to re-assess the situation.
25.5 Sharing and acting on human performance indicators
Lessons learned about human performance should be fully understood and

shared. This sharing can take place during toolbox talks and team briefings, or
during any other meetings between operators and supervisors.
Lessons should focus on successful events as well as failure events. Successful

events provide opportunities to learn from activities that helped improve human
performance.
Lessons learned should be fed back into the wider organization, in order to
show others how to benefit from the experiences. In particular, where other
business units may experience similar issues or be exposed to similar error traps.
The effectiveness of lesson sharing should be evaluated, and if actions arising from
the lessons learned are appropriate to another unit or team, they should be
implemented. The action implementation cycle shown in Figure 25-5 should result
in improved company-wide performance.
Figure 25-5: Lessons learned – knowledge sharing
Monitor indicators of performance
Reflect on performance
Identify lessons learned
Explore lesson sharing
Share lessons learned
Check effectiveness of lesson sharing
Implement actions
Effective support of human performance requires the application of a

systematic approach and clarity on:
• How people can be better supported.

• How people can continue to support others beyond the immediate
action, into future scenarios or work.
Error is a symptom, not a cause. The root causes of error should be resolved
by improving the level and type of support given to people.
• Indicators can be used to improve human performance.

• When selecting human performance indicators, consideration should be
given to:
o Task criticality.
o Key factors influencing performance.
o Environmental/work demands placed upon people.
o Characteristics that indicate effective performance.
• Ways to monitor human performance indicators at operational level

include:
o Operational debriefs.
o Observations of:
• People’s states e.g., stress, fatigue.
• People’s performance e.g., mistakes, tasks being
completed on time.
o Task safety observations of workers doing their actual work in
the field.
• Providing an environment of psychological safety where it is possible for

staff to comfortably talk about their performance.
• Observations of ‘mindfulness’ – an individual’s awareness of their
current mental and physical states, and of their environment.
Performance CCPS.
26 Learning from error and human performance
This Chapter provides an overview of learning from error and discusses the
importance of Human Factors in incident investigation. By the end of this chapter,
the reader should be able to:
• Understand the factors that contribute to effective learning.

• Apply tools and techniques to facilitate learning and incorporating
lessons learned into practice.
Guidance on learning from incidents and accidents that supports the

information provided in this Chapter is available in the literature. “Learn from
Experience” and “Management Review and Continual Improvement” are pillars in
the CCPS “Guidelines for Risk Based Process Safety” [5]. The guideline describes
key elements of standard approaches to learning and improvement.
The CCPS guide on “Essential Practices for Creating, Strengthening, and

Sustaining Process Safety Culture” [8] discusses some important behaviors that
support learning from error. Key topics include:
• Warning Signs of Poor Process Safety Culture.

• Maintain a Sense of Vulnerability.
• Process Safety Culture and Operational Excellence.
Those elements of culture that affect learning from error are highlighted in this
Chapter.
Organizations have procedures in place for incident investigation and learning,

which will not be discussed in this Chapter. CCPS provides various material on
incident investigation, such as:
• Project 292: Driving Continuous Process Safety Improvement from

Investigated Incidents [104] provides overview of best
recommendations and learning, and their application within an
organizational setting.
Guidelines for Investigating Process Safety Incidents [105] provides a

comprehensive overview on investigating chemical processing incidents. This
Chapter focused on Human Factors involved in learning from error and human
performance, including barriers and enablers to learning.
26.2 The importance of understanding error
26.2.1 Preventing reoccurrence
People often assume that learning occurs automatically once an incident has been
analyzed and lessons have been drawn from it. This thinking excludes the most
important element of learning, which is change. This refers to the application of
learning (behavioral change) into the work environment.
Learning requires that a person understands an issue and takes action. It

requires changing behaviors and systems.
Both understanding and behavioral change need to take place for learning
to be fully accomplished. This will ensure that the lessons learned are robust,
and sustainable across time and changing circumstances.
Learning is a continuous, ongoing process, and takes place in day-to-day

activities.
The possibility of human error occurring exists in every task performed by any
person working in the process industry. Error can happen, but it is manageable.
Error should be fully understood to prevent

its repetition. Individuals should look beyond
the immediate causes and focus on the root For example, do not focus on
causes and the sequence of events that took the operator failing to follow
place before the error occurred. procedure.
Blaming an individual is a barrier to truly Instead, focus on the fact

understanding the error and will likely lead to that the procedures were
the error reoccurring. For example, if the poorly written and difficult to
individual is blamed, then the procedure does comprehend, and that a high
not get rewritten and the operators will still be level of fatigue in the
overly fatigued due to poor shift patterns. The operator made it even
error is likely to happen again. harder to follow the
procedure accurately.
As stated by Todd Conklin [106]:
"You can blame and punish or learn and

improve, but you cannot do both."
26. Learning from error and human performance 337
Preventing reoccurrence of errors requires people to:
• Fully understand why an error occurred (the causal factors).

• Determine trends/patterns in errors. This is done by analyzing whether
the cause of an error is unique to that particular task and set of
circumstances, or whether it occurs in different activities and situations.
In addition, depending on the type of error (such as skill-based versus

knowledge-based errors), the cause and solution will differ, as shown next:
See Chapters 2
• Lapses (forgetting a step/action) can be caused by
and 3 for more
fatigue or distractions. information on
• Slips (completing the action incorrectly) can be due errors, types of
to poor layout of controls. error, and the
SRK (Skills, Rule,
It is only possible to identify solutions on how to avoid Knowledge)
error, by understanding the factors that contributed to the model.
error.
More For example, if an error occurred because of fatigue due to

information on lengthy working hours, the shift system will require review and
error solutions adjustment. This includes ensuring that there are more than
(improvements two individuals on safety critical tasks and adding in more
and solutions) frequent breaks (to maintain situation awareness).
is provided in
section 26.5.4. Reoccurrence of error and repetition of accidents,
incidents, and near misses is also linked to:
• Failure to perform adequate root cause analysis.

• Not applying identified improvements.
• Applying ineffective improvements because of poorly conducted root
cause analysis.
26.2.2 Learning process
Incidents and errors offer valuable learning opportunities and lessons. If these
lessons are acted upon, they will help prevent reoccurrence of errors, and also
enable improvement in the way risks are managed.
Several steps are required to achieve learning. These steps are provided in
Figure 26-1.
Figure 26-1: Steps of effective learning – learning process
Reporting
Monitoring
effectiveness of Analysis
improvements
Implementing Planning
improvements improvements
26.3 Examples of poor learning
26.3.1 Macondo well blowout, 2010
On April 20th, 2010, the Macondo well blew out [107]. Eleven fatalities resulted and
the Deepwater Horizon drilling rig sank and spilled an estimated four million
barrels of crude oil in the Gulf of Mexico. The spill disrupted the entire region’s
economy, and severely damaged fisheries and the eco-habitat.
A summary of key events preceding the blowout is provided in B.6 (page 395).
The technical cause of the blowout was that the cement that was pumped at the
bottom of the well did not seal off the hydrocarbons in the formation. Factors that
increased the risk of cement failure included:
• Drilling complications forced engineers to revise plans and use a low

overall volume of cement.
• The cement slurry was poorly designed and inadequately tested.
• The results of the negative pressure tests conducted on April 20th, 2010,
showed that hydrocarbons were leaking into the well. These results were
misinterpreted by the team leader and other personnel. Personnel
missed additional signals that hydrocarbon had entered the well and
was rising to the surface in the final hour before the blowout occurred.
Other blowouts had occurred in the offshore drilling industry around the time
of the accident, and recommendations had been made on the application of better
cementing practices [108]. For example, just one year earlier the Montara Oil Spill
(2009) accident had occurred. The inquiry report for this accident [109] noted that
a direct cause of the accident was the defective installation of a cemented shoe
casing, intended to operate as a primary barrier against blowout.
The root causes of the accident noted in the investigation report [110] were
cited as “organizational and safety management failures”, including:
• Lack of an adequate risk assessment/hazard procedure, and inadequate

details within the procedure.
• Inefficient recognition or timely responses to early warning signals.
• Poor communication.
• Lack of leadership, and an absence of a culture of leadership
responsibility.
• Lack of learning from the lessons of previous incidents and recent near
misses.
• Lack of appropriate emergency training to personnel.
Among other recommendations, the report focused on learning, and

highlighted the following “learning” recommendation:
The need for increased transparency, reporting of incidents and near

misses for the purposes of learning lessons.
26.3.3 A Human Factors perspective
From a Human Factors perspective (and learning focus) it was evident that
reporting systems were weak, which impaired lesson learning. Lessons learned
from a similar near miss (caused by a negative pressure test failure) which
occurred on December 23rd, 2009, in the North Sea [111], were not shared across
the wider organization soon enough.
The United Kingdom Health and Safety Executive was satisfied with the
corrective actions implemented by Shell and Transocean following the North Sea
incident. The Executive also noted that the shortcomings that had led to the
accidents had been addressed [112]. This suggests that the 2009 near miss lessons
may have been shared and applied in the North Sea. The fact that the 2010
Deepwater accident occurred suggests that this learning had not yet been shared
with the Gulf of Mexico site.
Lessons learned in the aftermath of the 2009 near miss and the subsequent
2010 accident, suggest that it is vital that systems to investigate accidents are
appropriately designed. Such investigation systems must be able to identify
relevant key lessons learned from other errors, incidents, and near misses. These
lessons should be communicated to all individuals and teams that do similar work
and/or are exposed to similar error traps.
Efforts should be made to ensure that the lessons learned result in

improvements, and that these improvements are fully applied. This means that
behavioral and/or system changes must be evident. The effectiveness of any
change should be assessed.
26.4 Learning in high performing teams
Even high performing teams make errors. They are viewed as “high performing”
because they learn from errors. That is, they identify root causes of error, seek out
relevant lessons learned, and apply appropriate solutions.
Errors and mistakes are “windows into reality” and offer a unique opportunity
for learning and application of learning into the working environment. Lessons
should be drawn from both negative events (accidents) and positive events
(what went well). Self-directed learning behavior is an attribute of high
performing teams, as shown in Table 26-1.
.
Table 26-1: High performing teams and self-learning from error

Characteristics of high performing teams
Time is allocated for self-reflection on the accident. This
Understanding the
allows individuals to understand the context of
context of the
incidents and draw out a meaningful lesson, which they
incident
can apply to their work environment.
Use of scenario-based approaches and simulations. This
Learning by active
ensures that all team members are engaged in the
engagement
practical task.
Learning lessons from an individual who was involved in
Learning from the incident is far more powerful than learning from
peers someone who was not involved. “Credibility of the
messenger” is a strong motivating factor in learning.
Individuals are encouraged to gain maximum learning
Challenging the potential from incidents by asking questions, discussing
status quo the incident and lessons learned, and talking about the
recommended actions and their effectiveness.
Various individuals (operators and managers, directly
Having a global and indirectly involved in the incident) learn from the
picture of learning incident. This means that information is shared across
different units and job roles in the organization.
Learning from
Lessons learned are drawn from accidents or errors,
positive and
and from excellent performance.
negative events
All individuals (supervisors and operators) are involved
Shared or collective in the application of improvements. They are also all
responsibility responsible for the effectiveness of these
improvements.
26.5 Human Factors of investigating process
26.5.1 Challenges in investigating process

See Chapter 5 to 8;
Learning from error includes several challenges [113],
and 16 to 18 for
such as:
more information on
job aids and errors
• Reluctance to report error due to: management.
o Fear of disciplinary action, ridicule, or

harm to career prospects.
o Perception that reporting does not lead to change.
• Lack of Human Factors expertize in analyzing incidents.

• Lack of time and resources dedicated to helping people understand
shared lessons.
• Overload of recommendations.
• Failure to check the effectiveness of implemented actions.
Strategies on how to mitigate these barriers to learning from error are

discussed in the following sections.
26.5.2 Fostering openness
Incident investigation or the discussion of “what happened” is a complex process.

Individuals involved in the incident may be reluctant and/or unable to provide a
full account of the situation. The investigation may not be able to provide the full
account of events as:
• Individuals may be sensitive about what they did or did not do (when
they should have), and why they acted as they did.
• Individuals may genuinely not remember the exact sequence of events
and actions that occurred. This can be due to a range of reasons
including stress, cognitive overload, or impaired memory.
Emotional responses are difficult to overcome after a mistake or incident.

Leaders often want to take charge and make decisions that they think will lead to
improvements. The perception that disciplining a worker will deter others from
making the same mistake is often incorrect. This can manifest itself as "they should
have known better" or "it's common sense". This is counter-productive to a
learning culture. These statements should be challenged. The more difficult path
for leaders to take is to reserve judgment and not hold someone to an expectation
that was not clearly explained prior to the incident.
Blame culture is when an organization seeks to place blame on an individual

person or a group of people who made a mistake, rather than seeking to identify
the systems or procedures that may be inadequate. In order to get a detailed
description of the event, incident investigators must ensure that they avoid a
blame culture. It is important to focus on what happened, and to identify any
related root causes in the systems and processes of the incident, rather than on
the person “who made the mistake”. The pitfalls of blame culture are shown in
Figure 26-2.
Blame culture negatively impacts employee relationships (e.g., employees

versus management), impairs decision-making and problem solving, and
ultimately acts as a barrier to learning.
Figure 26-2: The consequences of blame culture
Lack of
accountability
Underreporting Lack of trust
Blame Culture
Prevents
Impaired
problem
relationships
solving
Employee
disengagement
To get a fuller account of the incident and people’s actions, the following
techniques can be used:
• Encouraging people to “freely” describe what happened. For example,

why do they think this happened, what were they thinking or feeling,
what could they see.
• Refreshing people’s memory by:
o Providing a short factual description (focused on technical

issues) of what happened.
o Asking them to show what they were doing or seeing, by taking
them to their usual work environment.
• Emphasizing that the focus is on learning and future error prevention,

not on individual fault-finding.
• Conducting two to three discussion sessions over a period of time with

individuals to:
o Fully capture their perceptions of the incident.

o Allow for individual later memory recall.
o Allow time for post incident-stress recovery. For example,
people may remember more information if asked about the
incident a few days or a week after it happened. This is because
people sometimes need time to process any negative emotions
and to allow their stress levels to fall.
26.5.3 Avoiding bias in investigations
Incident investigations should avoid investigation bias to ensure the gathered

information is an objective and true reflection of events. Some investigation biases
and strategies to lessen the impact of these biases are provided in Table 26-2.
Table 26-2: Investigation biases and mitigating strategies

Type of Definition Strategy to avoid bias
bias
Investigators focus on specific Consult all individuals involved
factors or facts and disregard in the incident.
the rest. Analyze contributing factors,
Selective Strong focus on a single piece including processes, systems,
fact finding of evidence that is used as a and the environment.
stepping stone to build a case Cross-check to validate
for why the incident people’s responses and
happened. causes.
Interviewer provides leading Use open-ended questions
information to refresh such as, “What do you
Leading an interviewee’s memory, such remember from the event?”
individual to as: “Your team mates have Do not use closed questions,
“fill gaps’” in said that the pipe started such as “Do you remember
their leaking just before noon and closing the faulty valve?”
memory efforts were made to stop the Ask individuals to provide a
leaks. What were you doing at free narrative of the event.
that time?”
Incidents can be very Give people time to process or
stressful. Individuals involved manage strong emotions such
or affected by the incident as anger. This will allow people
may be overwhelmed with to become more rational and
strong emotions such as make them less likely to blame
Strong or
anger or fear. This can a single individual.
negative
prevent rational thinking. Use emotions in a positive
emotions
It is possible that they may way. Try to focus people’s
influence
focus on finding fault and minds on safety and future
trying to attribute blame, improvements.
rather than seeing the wider
picture and analyzing the
causes of the incident.
26.5.4 Identifying Human Factors issues during investigations
Investigations should establish whether an incident was due to a mistake, an error

or a non-compliance, and to develop appropriate strategies to prevent
reoccurrence. Various aids are available to help make this decision.
An example of an aid – the “New” Just Culture Process applied by British

Petroleum (BP) – is shown in Figure 26-3. The “New” Just Culture tool aims to instill
trust, such that everyone feels more comfortable and more confident in reporting
errors and near misses. Therefore, the focus shifts from attributing blame to
offering workable solutions to a problem. The tool consists of five parts:
• Assess– this is composed of eight questions:
o Was the individual instructed/influenced to do this by the

supervision or other figure of authority?
o Was the expectation clear? If there was a procedure, was it
clear, available, current, and workable?
o Did they understand what was required, and did they have the
knowledge, experience, skills, physical capacity, and resources
to do it?
o Did they intend to act with company expectations, but made a
mistake?
o Were they following “custom-and-practice”, which was common
among their peers?
o Substitution test: Could another person with the same
knowledge, skills & experience have done the same thing in the
identical situation?
o Is there evidence to suggest they acted to help self or company,
to save time and effort?
o Is there evidence to suggest they intended to cause harm,
damage, or loss?
• Interpret behavior
Aim to identify and interpret behaviors that provide reasons for an

individual’s actions. For example, the individuals found themselves in a
difficult situation, or the expectations were unclear or impractical.
• Address conditions people work under
Investigate and address factors contributing to error, such as

procedures, training, or clarity of expectations.
• Work with people involved
Work with individuals involved to provide help or solutions such as

training, coaching, or additional resources. In some circumstances (e.g.,
intentional non-compliance – intentions to cause harm) it may be
necessary to seek advice from human resource staff on appropriate
performance improvement measures.
• Test supervisor, line manager/others contribution
Identify whether other people’s actions contributed to the individual’s

behavior e.g., supervisors, managers. Assess whether anything requires
further investigation.
Human error is not the cause of incidents. Error is just a symptom of error-
inducing conditions or preconditions – that, is conditions that allow or cause the
error to happen. Examples include lengthy and difficult to follow procedures,
inefficient training, or conditions that lead to fatigue.
Reoccurrence of error is often associated with “error traps” – factors that make
errors more likely. The presence of “error traps” means that other people are more
likely to make the same or similar mistakes in the same situation.
Eliminating preconditions to error requires a detailed understanding of what

caused the error. For example:
• The focus should be on root causes such as organizational issues, a lack

of learning from incidents, ineffective training processes, or poor safety
culture.
• The focus should not be on “immediate causes”, such as individuals not
following procedures or forgetting steps in a procedure.
Addressing root issues makes it more likely that similar accidents with similar
causes can be avoided in the future. The causal pathway including root and
immediate causes and preconditions to error is shown in Figure 26-4.
Fatigue should be evaluated during the root cause analysis. This can be done
by reviewing the work schedules of employees involved in the incident for a few
weeks before the incident, as well as conducting interviews with them.
Figure 26-3: “New” Just Culture Process
1 Assess 2 Interpret Behavior
Start Here
1 Was the individual instructed / influenced Yes The individual acted on the instructions or
to do this by the supervision or other figure
under the influence of an authority figure.
of authority? 1
No
2 Was the expectation clear? If there was a No

The expectations were
procedure was it clear, available, current and
unclear or impractical.
workable? 2
Yes
3 Did they understand what was required, and No The individual did not have the capability
did they have the knowledge, experience, skills,
or the resources to meet the expectations.
physical capacity and resources to do it? 3
Yes
4 Yes
Did they intend to act with
The individual made an unintentional error.
company expectations, but made a mistake?
4
No
5 Yes
Were they following custom-and-practice which A custom-and-practice
was common among their peers? had developed among the team.
5
No
6 Substitution test: Could another person with Yes The individual found
the same knowledge, skills & experience have
themsleves in a difficult situation.
done the same thing in the identical situation? 6
No
7 Yes
Is there evidence to suggest they acted to The individual acted to
help self or company to save time and effort? benefit themselves of the company.
7
No
8 Yes
Is there evidence to suggest they This is a special case
intended to cause harm, damage or loss? - always consult Huam Resources.
8
No
It's not clear why this happened.

You may need to investigate further
(adapted from [114])

*Expectations: Expected conduct in line with Values and Behaviors, Code of Conduct, rules, policies, and
procedures
Figure 26-3 continued
3 Address conditions 4 Work with people involved

people work under
• Assess and coach supervision and managers

• Define and test figure of authority's action 1
on leadership with this process
1
• Clarify and verify expectations are met

• Work with thouse involved to understand 2
where there are misunderstandings or
2
conflict in expectations
• Improve management of procedures or
consider alternate means of control
• Encourage people to "stop and consult" when

something is new
• Address selection, training, assessment and

• Provide appropriate traning assessment 3
quantity of people required to fulfill the and resources for individuals involved
3 expectations
• Investigate factors which triggered error or

• Work with those involved to understand 4
made it more likely (e.g. equipment, where other errors and problems could
procedures, design, distractions, fatigue, etc.) occur
• Identify tasks which would have a serious

• Where the individuals have a history of
outcome in case of error errors in different circumstances, consult
Human Resoures for advice on appropriate
performance improvement measures
• Redesign tasks to eliminate and detect errors

and recover without harm
4
• Work with those involved to understand 5

why this became the preferred approach
• Investigate why the practice became routing

• Coach appropriate behavior with those
and how widespread it is involved
• Encourage use of formal Continuous

• Encourage individuals involved to act as
Improvement process role-models for appropriate behavior
• Consult HSE team for advice on tackling

• Consullt Human Resources for advice on
group non-conformance whether disciplinary measures are
5 appropriate
• Review and address what made it difficult to

• Work with those involved to agree how this 6
meet expectations in this case situation could be managed to meet
expectations in the future
• Investigate factors which made the situation

• Where the individuals have a history of
more likely (e.g. equipment, procedures, errors in different circumstances, consult
design, distractions, fatigue, etc.) Human Resoures for advice on appropriate
performance improvement measures
6 • Encourage a "stop and consult" attitude
• Understand what motivated the action 7
• Understand how priorities set by supervision

• Work withj individuals involved to reinforce
and management could have contributed the appropriate behaviors
• Encourage use of formal Continuous

• Consult Human Resources for advice on
Improvement process whether disciplinary measures appropriate
7
5 Now test supervisor / line manager /

others contribution

Figure 26-4: Error – causal factors and conditions
Causal pathway leading to accident
Underlying causes
Preconditions
Policy, culture, Immediate causes
Organizational, ACCIDENTS,
design, training, Active failure:
environmental, and INCIDENTS, AND
supervision, and incorrect action or no
psychological BUSINESS UPSETS
operating action.
influences.
procedures.
ERROR
Understanding error requires identification of underlying causes.

As documented in Figure 26-4, underlying causes sometimes termed “root

causes” can create preconditions (sometimes termed ‘precursors’) that lead to
immediate causes, which ultimately contribute to an accident or incident.
Examples of each of these are as follows:
• Underlying causes e.g., work design, shift design, site and corporate
level processes, management systems.
• Preconditions e.g., tiredness, impaired cognition or focus, difficulties
with memory, poor situation awareness.
• Immediate causes e.g., individual action failures, slips, or lapses.
Impaired cognition and cognitive bias contribute See Chapters 20 and 21

to a distorted perception of a situation. They lead to for more information on
error or actions that may worsen the situation. cognitive bias and
Individuals are often overwhelmed with emotions cognitive processes.
when in stressful situations and unable to act
rationally, despite having all the relevant information available to them.
Task characteristics can often be contributing factors to action failures, such as:
• If the task is too complex, individuals experience cognitive overload and

are unable to process all the information.
• If the task is too simple, individuals experience boredom, which impairs
situation awareness.
26.5.5 Human Factors investigation tools
Incident investigation and identification of root causes of errors can be helped by

the use of Human Factors investigatory tools. Examples of Human Factors
investigatory tools and techniques are shown in Table 26-3.
Table 26-3: Human Factors investigation tools
Investigatory Description of tool
tools
Root Cause Analysis seeks to:
• Determine what happened.
• Determine why it happened.
• Identify what to do to reduce the likelihood of reoccurrence.
Root Cause Analysis looks at physical, human, and organizational causes. It consists of five steps:
1. Define the problem.
Root Cause 2. Collect data e.g., the impact.
Analysis 3. Identify possible causal factors. The “Five Whys” technique can be used here, where the question “Why did
this happen?“ is asked five times to explore all possible causes.
4. Identify the root causes.
5. Identify and implement solutions.
Fish Bone Diagrams consist of the following steps:

1. Define the problem/effect.
Fish Bone 2. Identify major factors involved e.g., equipment, process, people, materials, environment.
Diagrams 3. Identify possible causes.
4. Analyze the diagram.

tools
Cause
Effect
Fish Bone
Diagrams
Alarm design Ambient noise Response time
Did not
respond
to alarm
Experience Staffing Training


tools
The Tripod Beta technique consists of three steps:
1. “What happened?” – develop a diagram that shows the sequence of events in the accident.
2. “How did the incident happen?” – identify failed, inadequate, missing, and effective barriers. This is to
identify risk management measures that should have been in place.
3. “Why did the accident happen?” – create a causation path that identifies immediate causes and related
human failures of failed barriers, pre-conditions influencing the immediate causes, and underlying (root)
causes that created the preconditions.
Underlying Precondition Immediate

Tripod Beta cause cause
[115]
Agent Event
Barrier
Object


tools
One example of Barrier Analysis models is a Bow Tie Diagram. The diagram gives an overview of multiple
scenarios in one picture. The Bow Tie technique consist of the following steps:
1. Identify the hazard.

2. Define the top event – the exact moment at which control was lost.
3. Define the threats – the factors that caused the top event.
4. Define the consequences – the outcomes of the top event.
5. Identify the barriers.
Bow Tie analysis is also applied to human error.
Barrier
Analysis [31]
(reproduced from [31])

26.5.6 Human Factors practice and principles in understanding error
Individuals involved in incident investigations require relevant technical and

Human Factors knowledge. This is so that they are able to conduct effective
incident investigations that allow identification of underlying causes (root causes)
and that enable effective long-lasting learning.
Good Human Factors practice recommends that individuals involved in

incident investigations possess the following knowledge and understanding:
• Types of human failures including:

o Action errors (slips and lapses).
o Thinking errors (rule-based versus knowledge-based mistakes).
o Non-compliance (routine, situation, or exceptional) [116].
• Capabilities and limitations of human beings e.g., cognitive bias,
cognitive overload, mind traps.
• Performance influencing factors e.g., people, work, technological and
organizational factors.
• Understanding of an “Open and Challenging Culture” and/or a “Just
Culture”.
Human Factors practice also recommends that individuals involved in incident

investigations possess an “investigation mindset”. This means having an interest in
finding the root causes and providing lessons learned, with a strong focus on
improving safety through the implementation of recommendations that well help
prevent recurrence.
26.6 Selecting preventive Human Factors actions
This handbook does not cover culture (e.g., Safety Culture or Just Culture).
However, many good Human Factors practices recommend a focus on culture and
its underpinning elements. This is because they contribute to a more effective
incident investigation, and they allow for application of lessons learned. “Good”
safety culture also reduces the likelihood of non-conformance or procedural non-
conformance, and increases understanding of risk.
One common pitfall of actions arising from investigations is to call for more
training for the personnel involved even when the incident has occurred as a result
of an action error.
In order to identify improvements, it is important to:
• Identify the root causes of error.

• Assess if the causes are common to other tasks (e.g., all training is poor),
and therefore whether the solution should be applied across all
tasks/work environments, not just the one where error was detected.
Selection of solutions can be tailored to specific performance influencing

factors and to the type of error that occurred, as noted in Figure 26-5. Some
performance influencing factors, such as fatigue or environmental stressors, can
cause many types of errors. However, other performance influencing factors can
be mapped against specific types of error.
Improvements should include performance influencing factors (people, work,

and organizational factors) to improve human reliability, and/or to introduce
barriers in situations where the existing layers of defense are not sufficient to
reduce the potential for error.
Figure 26-5: Matching improvements to type of error
26.7 Learning
26.7.1 A learning culture
Learning culture organizations are committed to improve safety and working

conditions, and they perceive error as a collective learning opportunity.
Organizations with learning cultures:
• Promote and reward continuous learning.

• Give meaningful and constructive feedback.
• Empower employees.
• Set aside time for learning.
• Encourage knowledge sharing.
Learning from incidents is not an easy process, especially if the incident had
significant consequences such as causing injury, fatality, or damage to property
and/or the environment. Individuals affected by the incident may carry a lot of
resentment or other strong feelings, which can act as a barrier to rational thinking
and taking forward (sharing and applying) lessons learned.
Restorative Just Culture aims to repair trust and relationships after an incident.
It allows all parties involved to discuss how they been affected and decide what
needs to be done to repair harm. The goals of restorative culture are shown in
Figure 26-6 [117].
Figure 26-6: Goals of Restorative Just Culture
Emotional healing
Moral engagement
Help to cope with guilt,
Do the right thing now
resentment, etc.
Restorative Culture
Reintegrating the practitioner Organizational learning

Do what is needed to get the Explore and address systematic
person back in their job causes
Individuals should engage in self-reflection following involvement in an

incident to assess what went wrong, and what they did
See Chapter 18 for
or could have done differently. The self-reflection can
more information on
take the form of a group discussion, as points discussed psychological safety.
with others can offer additional insight into learning
from incidents. Learning culture and psychological
safety are required for individuals to engage in an open and honest discussion.
Lessons learned should be applied in practice. Individuals should be open to

change – that is, that they are willing and interested in changing their thinking and
behavior. There should be a sense in an organization of “chronic unease” and
readiness to change. It is important to maintain ‘chronic unease’ at a certain level,
to keep people thinking about potential situations and be alert to danger (what
could go wrong).
Chronic unease is the experience of unease and discomfort regarding the

management of risks.
It is defined as a healthy scepticism about the true standard of safety

performance. It is about probing deeper and understanding the risks, not just
assuming that just because systems are in place everything will be “ok”.
26.7.2 Tools for learning
Learning from incidents is a crucial element of process safety. The learning does
not stop once the incident investigation is completed (i.e., root causes were
identified and improvements proposed). The lessons learned from error should be
shared and applied to ensure employees’ full understanding of the issues and in
order that change may begin.
Lesson sharing includes:
• Immediate incident notification and interim updates.

• Lessons learned from an incident investigation.
• Lessons learned from a review of incident trends.
Information and updates shared should be written in a simple comprehensible

format, and should contain incident descriptions and actions taken. This
information should also offer feedback on the effectiveness of the undertaken
actions. This is shown in more depth in Table 26-4.
Table 26-4: Effective learning tips

Tips for information sharing and learning
This should be a brief description of what happened, using
only the facts known at that time. Use of photographs (e.g.,
An incident
images of the incidents) or other visual aids (e.g., process
description
flowcharts) can help to understand the incident and to
visualize the event.
This should clearly set out the steps that operators need to
The
undertake, such as conducting additional checks, suspending
immediate
certain activities, or stopping use of particular equipment or
action taken
processes.
Supervisors should seek confirmation that:
• Everyone has received and discussed the report.
A feedback
loop • Individuals have taken on the required actions.
It is then important to evaluate the lessons learned and to
monitor the effectiveness of any improvements.
Learning from incidents requires an appropriate attitude and a desire to learn

from them. Further tips supporting learning from incidents include the following:
• Empathize with the people involved. Try to understand the reasons

behind their actions.
• Appreciate the benefits of knowing the end results.
• Pose a series of questions:
• Could this has happened to other people?
• Are the systems robust enough to withstand the threats posed by the
incident under study?
• Effective learning from error is dependent on:
o Understanding of the error.

o Identifying root causes and causal trends (i.e., whether the
causal factors are unique to a particular task or are common
across other tasks).
o Sharing lessons learned in discrete units or across the whole
business if causal trends are identified.
o Applying preventive and/or corrective measures.
o Evaluating and monitoring the effectiveness of improvements.
• High performing teams place emphasis on learning from error, and

typically:
o See error as a shared learning opportunity.

o Foster openness.
o Practice restorative culture and offer a psychologically safe
environment.
.
Performance CCPS.
References
[1] Center for Chemical Process Safety (CCPS), “CCPS Process Safety Glossary,” 2021.
[Online]. Available: www.aiche.org/ccps.
[2] United Kingdom Government, “The Control of Major Accident Hazards Regulations
2015,” 2015. [Online]. Available: https://www.legislation.gov.uk.
[3] R. Flin, L. Martin, K. M. Goeters, H. J. Hormann, R. Amalberti, C. Valot and H. Nijhuis,

“Development of the NOTECHS (non-technical skills) system for assessing pilots'
CRM skills,” Human Factors and Aerospace Safety, vol. 3, pp. 97-120, 2003.
[4] Health and Safety Executive (HSE), “Performance Influencing Factors (PIFs),”
www.hse.gov.uk, Undated.
[5] Center for Chemical Process Safety (CCPS), Guidelines for Risk Based Process Safety
(RBPS), Hoboken, NJ USA: John Wiley and Sons, 2007.
[6] F. Al-shargie, U. Tariq, H. Mir, H. Alawar, F. Babiloni and H. Al-nashash, “Vigilance

decrement and enhancement techniques: A review.,” Brain Sciences, vol. 9, no. 8, p.
178, 2019.
[7] Energy Institute, Being Human, toolbox.energyinst.org, 2020.
[8] Center for Chemical Process Safety (CCPS), Essential Practices for Creating,
Strengthening, and Sustaining Process Safety Culture, Hoboken, NJ, U.S.: John Wiley
and Sons, 2018.
[9] Center for Chemical Process Safety (CCPS), Process Safety Leadership from the
Boardroom to the Frontline, Hoboken, NJ USA: John Wiley and Sons, 2019.
[10] Center for Chemical Process Safety (CCPS), “Risk Based Process Safety Overview,”
AIChE/CCPS, www.aiche.org/ccps, 2014.
[11] Center for Chemical Process Safety (CCPS), Recognizing and Responding to
Normalization of Deviance, Hoboken, NJ USA: John Wiley and Sons, 2019.
[12] Center for Chemical Process Safety (CCPS), Human Factors Methods for Improving
Performance in the Process Industries, Hoboken, NJ USA: John Wiley and Sons, 2006.
[13] Center for Chemical Process Safety (CCPS), Guidelines for Investigating Process
Safety Incidents, 3rd Edition, Hoboken, NJ USA: John Wiley and Sons, 2019.
[14] U.S. Chemical and Hazrd Investigation Board (CSB), “BP America Refinery Explosion,”
U.S. Chemical and Hazrd Investigation Board, www.csb.gov, 2007.
[15] National Transportation Safety Board (NTSB), “Loss of Thrust in Both Engines After
Encountering a Flock of Birds and Subsequent Ditching on the Hudson River US
Airways Flight 1549,” US National Transportation Safety Board, Washington, 2010.
[16] The B.P. U.S. Refineries Independent Safety Review Panel, “The Report of the BP U.S.
Refineries Independent Safety Review Panel,” The B.P. U.S. Refineries Independent
Safety Review Panel, 2007.
[17] J. Reason and A. Hobbs., Managing Maintenance Error: A Practical Guide, Burlington,
VT USA: Ashgate, 2003.
[18] J. Rasmussen, Information Processing and Human-Machine Interaction: An Approach

to Cognitive Engineering, New York: Elsevier Science Inc, 1986.
[19] J. Reason, Human Error, Cambridge: Cambridge University Press, 1990.
[20] Longford Royal Commission, “The Esso Longford Gas Plant Accident, No. 61 - Session
1998-1999,” Government Printer for the State of Victoria, Melborne, Victoria
Australia, 1999.
[21] U.S. Chemical Safety and Hazards Review Board (CSB), “Formosa Plastics Vinyl
Chloride Explosion, Report No. 2004-10-I-IL,” U.S. CSB, Washington, DC U.S., 2007.
[22] Australian Transport Safety Bureau (ATSV), “An Overview of Human Factors in
Aviation Maintenance, ATSB Transport Safety Report, Aviation Research and Analysis
Report – AR-2008-055,” Australian Government, www.atsb.gov.au, 2008.
[23] G. Miller, “The magical number seven, plus or minus two: Some limits on our
capacity for processing information.,” The Psychological Review, vol. 63, pp. 81-97,
1956.
[24] Center for Chemical Process Safety (CCPS), Guidelines for Risk Based Process Safety,
Hoboken, N.J. USA: John Wiley and Sons, 2007.
[25] Center for Chemical Process Safety (CCPS), Guidelines for Writing Effective Operating
and Maintenance Procedures, Hoboken, NJ USA: John Wiley and Sons, 1996.
[26] U.S. Chemical Safety and Hazard Investigation Board (CSB), “Pesticide Chemical
Runaway Reaction - Pressure Vessel Explosion, Investigation Report No. 2008-08-I-
WV,” Chemical Safety and Hazard Investigation Board, www.csb.org, 2011.
[27] J. P. Kincaid, R. P. Fishburn, R. L. Rogers and B. S. Chissom, “Derivation of new

readability formulas for Navy enlisted personnel, Research Branch Report 8-75,”
Institute for Simulation and Training, Unversity of Central Florida, Millington, TN U.S.,
1975.
[28] International Atomic Energy Authority, “Analysis phase of systematic approach to

training (SAT) for nuclear plant personnel,” International Atomic Energy Authority,
https://inis.iaea.org, 2000.
[29] Energy Institute, “Guidance on human factors safety critical task analysis, 2nd
Edition,” Energy Institute, publishing.energyinst.org, 2020.
References 365
[30] G. Petrie and A. Errington, “Understanding Precursors to Major Accident Hazard

Events Using Safety,” in Hazards 25, www.icheme.org, 2015.
[31] Center for Chemical Process Safety (CCPS), Bow Ties in Risk Management: A Concept
Book for Process Safety, Hoboken, NJ U.S.: John Wiley and Sons, 2018.
[32] Center for Chemical Process Safety (CCPS), “What is LOPA?,” 2021. [Online].
Available: www.aiche.org/ccps.
[33] C. Brunold and C. Mattock, “Development of a Task Analysis Programme Addressing

Safety Critical Tasks at INEOS ChlorVinyls, Runcorn Site,” in HAZARDS 24, Symposium
Series No 159, www.icheme.org, 2014.
[34] International Electro-Technical Commission (IEC) / American National Standards

Institute (ANSI), “Functional Safety Of Electrical/ Electronic/ Programmable Electronic
Safety-Related Systems - Part 2: Requirements For Electrical/Electronic/Programmable
Electronic Safety-Related Systems,” American National Standards Institute (ANSI),
webstore.ansi.org, IEC 61508-2 Ed. 2.0 b:2010, 2021.
[35] Human Performance Oil and Gas group, “Walk Through Talk Through Template and
Guide,” Human Performance Oil and Gas Group, https://www.hpog.org, 2020.
[36] U.S. Department of Energy (US DOE), “Writer's Guide for Technical Procedures
(Archived DOE-STD-1029-92 Chg Notice 1),” U.S. Department of Energy (U.S. DOE),
www.standards.doe.gov/standards-documents, 1998.
[37] M. Beychok, “Petroleum Refining Processes,” Tel Aviv University, 2011; This work is in
the public domain.. [Online]. Available: www.tau.ac.il.
[38] U. K. Health and Safety Executive (HSE), “Buncefield: Why did it happen?,” U.K. Health
and Safety Executive (HSE), www.hse.gov. uk, 2011.
[39] U.S. Chemical and Hazard Investigation Safety Board (CSB), “Key Lessons from the
ExxonMobil Baton Rouge Refinery Isobutane Release and Fire,”
https://www.aiche.org, 2017.
[40] CCPS, Images supplied for publication with permission by a CCPS Project Team
Member, 2021.
[41] International Standards Organisation, “ISO 9241-210:2010(en) Ergonomics of user-

system interaction - Part 210. Human centred design for interactive systems,”
International Standards Organisation, https://www.iso.org, 2019.
[42] International Standards Organisation, “Ergonomics — General approach, principles

and concepts,” August 2011. [Online]. Available: https://www.iso.org.
[43] International Standards Organisation, “ISO 6385: 2016. Ergonomics principles in the
design of work systems,” September 2016. [Online]. Available: https://www.iso.org.
[44] International Standards Organisation, “ISO 11064-1:2000. Ergonomic design of

control centres — Part 1: Principles for the design of control centres,” December
2000. [Online]. Available: https://www.iso.org.
[45] Engineering Equipment and Materials Users Association, “EEMUA Publication 201
Control rooms: a guide to their specification, design, commissioning and operation,”
Engineering Equipment and Materials Users Association, https://www.eemua.org,
2019.
[46] R. McLeod, Designing for Human Reliability: Human Factors Engineering in the Oil,
Gas, and Process, Massachusetts, U.S.: Gulf Professional Publishing, 2015.
[47] Engineering Equipment and Materials Users Association (EEMUA), “Alarm systems: a
guide to design, management and procurement, EEMUA Publication 191,”
Engineering Equipment and Materials Users Association (EEMUA), www.eeuma.org,
1999.
[48] A. Hopkins, “An AcciMap of the Esso Australia Gas Plant Explosion,” in Proceedings of
the 18th European Safety, Reliability & Data Association Seminar, Karlstad, Sweden,
2000.
[49] Center for Chemical Process Safety (CCPS), Guidelines for Managing Process Safety
Risks During Organizational Change, Hoboken, NJ, U.S.: John Wiley and Sons, 2013.
[50] Center for Chemical Process Safety (CCPS), Guidelines for Defining Process Safety
Competency Requirements, Hoboken, NJ, U.S.: John Wiley and Sons, 2015.
[51] Institution of Chemical Engineers (IChemE), ISC Process Safety Competency

Guidance, Rugby: IChemE Safety Centre, 2018.
[52] D. H. Jonassen, M. Tessmer and W. H. Hannum, Task analysis methods for

instructional design, Mahwah, NJ USA: (Lawrence Erlbaum Associates) Aquired by
Taylor & Francis in 2006, 1999.
[53] Offshore Petroleum Industry Training Organization (OPITO), “Industry Standards

Library,” Offshore Petroleum Industry Training Organization (OPITO),
www.opito.com, Various Issue Dates.
[54] C. K. Ogle, D. S. Burley, T. Magan and K. N. Senapati, “Building Technical Excellence:

E&P Competency Development in India, ITPC 15177,” in International Petroleum
Technology Conference (IPTC), Bangkok, Thailand, 2011.
[55] Center for Chemical Process Safety (CCPS), Guidelines for the Management of
Change for Process Safety, Hoboken New Jersey, USA: John Wiley and Sons, 2008.
[56] Oilennium, Fundamentals of Drilling, 1 Introduction to Primary Well Control,

www.oilennium.com, 2019.
References 367
[57] K. Letrud, “A rebutal of NTL Institutes's Learning Pyramid,” Education, vol. 133, pp.
117-124, 2012.
[58] R. Flin, P. O'Connor and M. Crichton, Safety at the sharp end: A Guide to Non-
Technical Skills, Farnham: Ashgate, 2008.
[59] S. Fletcher, Competence-based assesement techniques, London: Kogan Page, 2000.
[60] Health and Safety Executive (HSE), “RR446 - The development of a fatigue / risk index
for shiftworkers,” Health and Safety Executive (HSE), www.hse.gov.uk, 2006.
[61] International Association for Oil and Gas Producers (IOGP), “Report 626 – Managing
fatigue in the workplace,” International Association of Oil and Gas Producers,
www.iogp.com, 2019.
[62] Energy Institute, “Managing fatigue using a fatigue risk management plan (FRMP),”
Energy Institute, www.eneryinstitute.org, 2014.
[63] Canadian Centre for Occupational Health and Safety (CCOHS), “Fatigue,” Canadian
Centre for Occupational Health and Safety, https://www.ccohs.ca/, Undated.
[64] Energy Institute, “Human factors briefing note no. 23 – Workload and staffing levels,”
Energy Institute, www.energyinstitute.org, 2016.
[65] Energy Institute, “Locks removed on wrong blinds,” 21 February Undated. [Online].
Available: https://toolbox.energyinst.org.
[66] Energy Institute, “Barrier ownership to prevent loss of containment during

commissioning,” December 2019. [Online]. Available: toolbox.energyinst.org.
[67] Health and Safety Executive (HSE), “The safe isolation of plant and equipment,” HSE
Books, https://www.hse.gov.uk, 2006.
[68] American Petroleum Institute, “Energy Isolation,” American Petroleum Institute,

https://www.api.org, Undated.
[69] Energy Institute, “Confirming zero energy when pigging a pipeline,” 2 April 2019.
[Online]. Available: https://toolbox.energyinst.org.
[70] International Standards Organisation, “EN ISO 14119:2013 “Safety of machinery.

Interlocking devices associated with guards. Principles for design and selection,”
International Standards Organisation, https://www.iso.org, 2013.
[71] Energy Institute, “Draining pumps leads to product release,” 10 April 2109. [Online].
Available: https://toolbox.energyinst.org.
[72] J. R. Saward and N. A. Stanton, Individual Latent Error Detection (I-LED): Making
Systems Safer, Boca Raton: CRC Press, 2018.
[73] C. Wickens, Engineering Psychology and Human Performance, Columbus, OH, U.S.:
Charles.E.Merrill Publishing Co, 1984.
[74] G. Hofstede, Culture's consequences: Comparing values, behaviors, institutions and

organizations across nations, London: Sage Publications, 2001.
[75] J. Mitchell, “Lessons learnt from the introduction of human performance concepts
and tools on oil and gas platforms.,” in Hazards 27, Birmingham, 2017.
[76] M. Thomas, “Error management training: defining best practice. ATSB Aviation Safety
Research Grant Scheme Project 2004/0050 2007,” Autralian Transport Safety Board,
https://www.atsb.gov.au, 2004.
[77] M. Wright and S. Opiah, “Literature review: the relationship between psychological
safety, human performance and HSE performance,” Energy Institute, London, 2018.
[78] S. Dekker, Just culture: Balancing safety and accountability., London: Ashgate
Publishing Ltd.., 2012.
[79] T. R. Clark, The 4 stages of psychological safety: defining the path to inclusion and
innovation., Oakland: Berrett-Koehler Publishers, 2020.
[80] P. A. Edmondson, The fearless organisation: Creating psychological safety in the

workplace for learning, innovation and growth, Hoboken: Wiley, 2019.
[81] North Atlantic Treaty Organisation, “The NATO phonetic alphabet,” North Atlantic
Treaty Organisation, www.nato.int, Undated.
[82] U.K. Health and Safety Executive, “Managing shiftwork. Health and safety guidance,”
HSE Books, www.hse.gov.uk, 2006.
[83] U.S. Chemical Safety and Hazard Investigation Board (CSB), “Bayer CropScience
Pesticide Waste Tank Explosion,” U.S. Chemical Safety and Hazard Investigation
Board , Washington, DC., 2011.
[84] M. Endsley and D. Jones, “SA Demons: The Enemies of Situation Awareness,” in
Designing for Situation Awareness: An Approach to User-Centered Design, Boca Raton,
CRC Press, 2011, p. pp. 31–41..
[85] International Association for Oil and Gas Producers (IOGP), “Report 502 – Guidelines
for implementing Well Operations Crew Resource Management training,”
International Association for Oil and Gas Producers, www.iogp.org, 2014.
References 369
[86] M. Endsley and D. Garland, “Training for situational awareness in individuals and
teams,” in Situation awareness analysis and measurements, MAHWAH:NJ, LEA, 2000.
[87] U.K. Health and Safety Executive, “The explosion and fires at the Texaco Refinery,
Milford Haven, 24 July 1994: A report of the investigation by the Health and Safety
Executive into the explosion and fires on the Pembroke Cracking Company Plant at
the Texaco Refinery, Milford Haven,” HSE Books, www.hse.gov.uk, 1997.
[88] J. Orasanu, “Training for aviation decision making: The naturalistic decision making
perspective.,” in Proceedings of the Human Factors and Ergonomics Society Annual
Meeting, Los Angeles, 1995.
[89] T. Kontogiannis and D. Embrey, “Human Reliability Assessment. In Practical

Techniques for Assessing and Reducing human error in industry.,” 1992.
[90] U.S. Chemical Hazards and Safety Review Board, “Preliminary Animation of
Philadelphia Energy Solutions Refinery Fire and Explosions,” 16 October 2019.
[Online]. Available: www.csb.org.
[91] U.S. Chemical Hazard and Safety Investigation Board, “Fire and Explosions at
Philadelphia Energy Solutions Refinery Hydrofluoric Acid Alkylation Unit. Factual
update October 16, 2019,” U.S. Chemical Hazard and Safety Investigation Board,
www.csb.gov, 2019.
[92] International Association for Oil and Gas Producers (IOGP), “Report 501 – Crew
Resource Management for well operations teams,” International Association of Oil
and Gas Producers (IOGP), www.iogp.org, 2020.
[93] D. Cullen, “The Public Inquiry into the Piper Alpha Disaster: Volumes I and II.,” Her
Majesty's Stationery Office, London, 1990.
[94] M. McNeese, E. Salas and M. Endsley, “A model of inter- and intrateam situational
awareness: implications for design, training, and measurement,” in New Trends in
Cooperative Activities: Understanding System Dynamics in Complex Environments, Santa
Monica, Human Factors & Ergonomics Society, 2001, pp. 46-67.
[95] Center for Chemical Process Safety (CCPS), Contractor and Client Relations to Assure
Process Safety, Hoboken, N.J. U.S.: John Wiley and Sons, 1996.
[96] American Petroleum Institute, “Contractor Safety Management for Oil and Gas
Drilling and Production Operations,” American Petroleum Institute,
https://pslcolombia.com, 2005.
[97] International Association of Oil and Gas Producers (IOGP), “Report 423 – HSE
management guidelines for working together in a contract environment,”
International Association of Oil and Gas Producers, https://www.iogp.org, 2017.
[98] U.S. Chemical Safety and Hazard Investigation Board (CSB), “E. I. DuPont De
Nemours Co. Fatal Hotwork Explosion,” U.S. Chemical Safety and Hazard
Investigation Board, www.csb.gov, 2012.
[99] Energy Institute, “Managing major accident hazard risks (people, plant and
environment) during organisational change,” Energy Institute,
www.energyinstitute.org, 2020.
[100] Center for Chemical Process Safety (CCPS), “Introduction to Operational Readiness,”
Center for Chemical Process Safety, https://www.aiche.org, Undated.
[101] Center for Chemical Process Safety (CCPS), “Process Safety Leading Indicators
Industry Survey,” AIChE/CCPS, New York, NY USA, 2007.
[102] Center for Chemical Process Safety (CCPS), Guidelines for Process Safety Metrics,
Hoboken, NJ USA: John Wiley & Sons, 2009.
[103] U.K. Health and Safety Executive, “HSE Management Stanadards,” HSE Books,
https://www.hse.gov.uk, Undated.
[104] Center for Chemical Proces Safety (CCPS), Driving Continuous Process Safety
Improvement from Investigated Incidents, Hoboken, N.J., U.S.: John Wiley and Sons,
2021.
[105] Center for Chemical Process Safety (CCPS), Guidelines for Investigating Process
Safety Incidents, New York: Wiley Inter Science, 2003.
[106] T. E. Conklin, The 5 Principles of Human Performance: A contemporary update of the

building blocks of Human Performance for the new view of safety, Santa Fe:
PreAccident media, 2019.
[107] British Petroleum (BP), “Deepwater Horizon - Accident Investigation Report,” British
Petroleum (BP), https://www.bp.com, 2010.
[108] D. Izon, E. P. Danenberger and M. Mayes, “Absence of fatalities in blowouts

encouraging in MMS study of OCS incidents 1992-2006,” Drilling contractor, vol. 63,
no. 4, pp. 84-89, 2007.
[109] Montara Commission, “Report of the Montara Commission of Inquiry.,” Australian

Government, www.industry.gov.au, 2010.
References 371
[110] “National Commission on the BP Deepwater Horizon Oil Spill and Offshore Drilling,
“Report to the President”,” 2011.
[111] M. Christou and M. Konstantinidou, “Safety of offshore oil and gas operations:
Lessons from past accident analysis.,” Publications Office of the European Union.,
Luxemburg, 2012.
[112] Offshore Engineer, “The Future of Offshore Energy and Technolog,” onedigital,
https://www.oedigital.com, Undated.
[113] E. Smith, R. Roels and S. King, “Guidance on learning from incidents, accidents and
events.,” in Proceedings of Hazards 25 Conference, www.icheme.org, 2015.
[114] F. K. Bitar, D. Chadwick-Jones, M. Nazaruk and C. Boodhai, “From individual

behaviour to system weaknesses: The re-design of the Just Culture process in an
international energy company. A case study.,” Journal of Loss Prevention in the Process
Industries, vol. 55, pp. 267-282, 2018.
[115] D. R. Edwards, “Tripod Beta: Guidance on Using Tripod Beta in the Investigation and
Analysis of Incidents, Accidents and Business Losses.,” Energy Institute., London,
2017.
[116] United Kindgon Health and Safety Executive, “Human Failure Types,” HSE Books,
https://www.hse.gov.uk, Undated.
[117] S. Dekker, “Restorative Just Culture Checklist,” http://sidneydekker.com, 2018.
[118] A. Swain and a. H.E.Guttmann, Handbook of Human Reliability Analysis with

emphasis on nuclear power plant applications, https://www.nrc.gov: Nuclear
Regulatory Commission, 1983.
[119] J. Reason, “Managing the risks of organisational accidents,” Ashgate, Singapore,

1997.
[120] Energy Institute: Hearts and Minds, “Making compliance easier (formerly Managing
rule breaking),” Energy Institute, https://heartsandminds.energyinst.org, Undated.
[121] U.S. Department of Energy, “Human Performance Improvement Handbook Volume

1: Concepts and Principles,” U.S. Department of Energy,
https://www.standards.doe.gov, 2009.
[122] M. Naderpour, J. Lu and G. Zhang, “The explosion at Institute: Modeling and

analyzing the situation awareness factor.,” Accident Analysis & Prevention, no. 73, pp.
209-224., 2014a.
[123] International Association for Oil and Gas Producers (IOGP), “Introducing behavioural
markers of non-technical skills in oil and gas operations - Report 503,” International
Association for Oil and Gas Producers, https://www.iogp.org, 2018.
[124] C. C. R. Cooper and L. Eaken, Living with Stress, London: Penguin Books, 1988.
[125] Energy Institute, “HSE 184 Learning from incidents,” Energy Institute,
https://publishing.energyinst.org, 2015.
[126] I. Janis, Groupthink, Boston: Houghton-Mifflin, 1982.
[127] BP, “Hot Work Safety Manual,” BP U.S. Pipelines and Logistics (USPL), BP,
www.bp.com, 2014.
[128] Energy Institute, “The Modern View of Incident Causation,” Energy Institute - Hearts
and Minds, https://toolbox.energyinst.org, 2020.
Performance CCPS.
A Human error concepts
A.1 Human Error categorization and terminology
A.1.1 Intended and unintended errors
A classic publication by A. D. Swain and H. E. Guttmann (1983) “Handbook of

Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications:
Final Report” [118] classifies error into two general categories: unintentional and
intentional.
• Unintentional errors:
The action was not intended, for example, pressing button A when the
intention was to press button B.
• Intentional errors:
“The operator intends to perform some act that is incorrect but believes it to
be correct or to represent a superior method of performance. In everyday
language, he has good intentions, but the effect on the system of his performance
may be undesirable.” (page 2-7)
A.1.2 Errors of commission and errors of omission.
A. D. Swain and H. E. Guttmann (1983, page 2-16 [118]) also used the following
categories of error:
• Errors of commission: doing something that is wrong. This includes:

o Selection errors such as select wrong control;
o Error of sequence (do things in the wrong sequence);
o Time error (do something too early or too late);
o Qualitative error (do something too much or too little).
o Errors of omission: omitting to perform a task or a task step.
A.1.3 Active and latent failures
Professor Reason authored in 1990 an accident causation model termed the “Swiss
cheese” model [19]. According to the model, hazards are prevented from causing
loss by a sequence of barriers, such as training, supervision and engineered
protection. Each barrier may have unintended weaknesses. These weaknesses are
represented as holes, such as with Swiss cheese.
This model uses the terms active and latent failures.
• Active failures are the unsafe acts committed by people who are in
direct contact with the system. These include slips, lapses, or mistakes,
such as omitting an operational task or performing a task incorrectly.
• Latent failures are “resident pathogens” within a system caused by
decisions made by engineers, procedure authors, and management for
example. These can create “error provoking conditions” such as time
pressures and understaffing and poor procedures. They may lay
dormant for many years until a combination of events reveals them.
Latent failures are also referred to as “psychological precursors” as they also

create the conditions for error.
This model has been used to help understand accidents and the role that the
systems of management created the (hidden) conditions for human error. This
includes the notion that latent failures can cause multiple defenses to fail, and
thereby undermine “defense in depth” safety management systems. The model is
also used to prompt the identification and resolution of latent failures before they
contribute to an accident. The concept being that resolving one latent failure would
avoid many active failures.
A.2 Compliance concepts
A.2.1 “Violations”
The term “violations” is not typically used in current human performance

discussions. However, Professor James Reason in his 1997 book “Managing the
risks of organizational accidents” [119] stated that “Violations are deviations from
safe operating procedures, standards or rules. Such deviations can be either
deliberate or erroneous…” (p72).
Reason listed three major categories of safety violations:
• Routine: these tend to be habitual “corner-cutting” in skilled

performance. They may be associated with “clumsy” procedures and
rare sanctions.
• Optimizing: Professor Reason describes these as “violating for the thrill
of it”.
• Necessary: These involve non-compliance being “essential” “to get the
job done”. These tend to be related to organizational failings such as
tools.
Reason defined these as non-malevolent acts. The actions are intended but the
harmful consequences are unintended.
Appendix A - Human error concepts 375
A.2.2 Non-compliance
The Energy Institute’s ‘Hearts and Mind’ have issued extensive guidance on
“Making Compliance Easier” [120]. The guide provides an up to date view of ‘non-
compliance’ (p7), citing four forms of non-compliance. Their definitions are
reproduced in Table A-1. They note that reckless violations are considered to be
very rare. Their definitions focus on how the organization, the design of
procedures, team norms and knowledge of risks influence behavior.
Table A-1 ‘Hearts and Minds’ definitions for non-compliance
a) Situational non-compliance
These happen when it is very difficult or impossible to get the job done by
following the procedures strictly. For example, there may not be enough people,
or the right equipment may not be available to follow the procedures as written.
b) Optimizing non-compliance
These happen when people think they can get the job done faster or more
conveniently by not following all the rules. There are two subtypes of optimizing
non-compliance:
Optimizing for organizational benefit: These happen when people take
shortcuts because they believe that it will help the organization achieve its goals,
e.g., achieve a performance target or meet a deadline. Non-compliance for
organizational benefits may show ways to improve productivity and safety if
brought out into the open, communicated, discussed and approved.
Optimizing for personal benefit: These happen when people take shortcuts
to reach a personal goal (e.g., leaving work on time, or meeting a target),
avoiding using complicated procedures, or because they have found a quicker,
easier or better way of doing the job.
c) Routine non-compliance
A non-compliance of any type can become routine.
These happen when people no longer appreciate the risk of the situation, or
when the rule no longer reflects reality, and not following the rule becomes the
accepted behavior. The rule may be seen as no longer relevant or important.
These non-compliances become routine, either by a whole group or just by one
individual. This indicates that there is an issue around a particular rule, or a
particular individual, or the effort required to follow the rule is perceived to be
greater than the benefits.
d) Reckless violations – a very rare occurrence

In a very small number of cases people commit non-compliance without
thinking, or even caring, about the consequences to themselves or others,
despite being aware of the potential consequences. Such ‘violations’ are outside
the scope of this tool. Reproduced from the Energy Institute [120]
A.2.3 Making Compliance Easier
The Energy Institute’s ‘Hearts and Mind’ have issued extensive guidance on
“Making Compliance Easier” [120]. The guide states that:
“The new way of thinking sees non-compliance as a natural consequence of

work situations that are far from ideal. It is therefore up to organizations to
ensure that their systems and processes do not give rise to situations that make
mistakes and non-compliances more likely... World class organizations …make
rules and procedures clear, helpful and easy to follow, and are always open to
ideas for improving them.” (p4)
“The human performance principles were designed to help organizations

consider how to keep everyone safe, healthy and productive. They
acknowledge that everyone makes mistakes, and that performance may be
compromised by factors like complexity of a task, distraction and repetition.”
(p2)
Two figures from the guide are shown in Figure A-1 and Figure A-2.
Figure A-1 Energy Institute human performance principles
The human performance principles (Reproduced with permission [120] )
Human performance has a big role to play in incidents and accidents, and the
human performance of an organization arises from the interaction of people,
culture, equipment, work systems and processes.
The following principles of human performance embody the approach that
recognises the contribution of the system as well as the individual to errors,
mistakes and non-compliances in the organization (adapted from [106]).
We all make mistakes
We can predict or prevent, and have to

manage error-likely situations
Actions are rarely malicious, but well-

Error is normal meaning behaviors intended to get the
job done
Organizations influence their systems

Blame fixes nothing and people: the social context drives
behavior
Context drives behaviour Majority of errors associated with

incidents stem from hidden
organizational conditions
Learning is vital Understanding how and why errors occur

can help us prevent them
How you respond matters How leaders respond to failure matters;

we need to learn from mistakes
Our people are the experts of their job

and the key to solutions
People who feel valued are more engaged

Figure A-2 What are the causes of incidents?
The traditional view is that 80% of accidents are caused by

human failure. However, if you look at what is behind
mistakes and non-compliance, you’ll often find that these
mistakes/non-compliances are related to the underlying
systems and conditions that people work with. This means
that most incidents are actually due to organizational issues,
and not ‘bad people’. 30%
individual
mistakes
70% due to
work
20%
systems
equipment
failure
80% human
error (mistakes
and non-
The modern view acknowledges that incidents are the result of complex
interactions in the system between people, plant and processes.
Therefore, improvements should focus on the system as a whole rather
than the individual, and on the need to reduce conditions and situations
that make mistakes and non-compliances more likely. Watch the video:
The Modern View of Incident Causation [128]
(Reproduced with permission from the Energy Institute: Figure 2 from [125])
A.3 Five Principles of Human Performance
The United States’ Department of Energy 2009 manual “Human Performance

Improvement Handbook Volume 1: Concepts and Principles” [121] (pages 1-19 and
1-20) gives the following principles:
1. “People are fallible, and even the best people make mistakes.
2. Error-likely situations are predictable, manageable, and preventable.
3. Individual behavior is influenced by organizational processes and

values.
4. People achieve high levels of performance because of the

encouragement and reinforcement received from leaders, peers,
and subordinates.
5. Events can be avoided through an understanding of the reasons

mistakes occur and application of the lessons learned from past
events (or errors).”
The DOE (page 1-19) state that:
“Excellence in human performance can only be realized when individuals at all

levels of the organization accept these principles and embrace concepts and
practices that support them.”
“Integrating these principles into management and leadership practices,

worker practices, and the organization’s processes and values will be instrumental
in developing a working philosophy and implementing strategies for improving
human performance within your organization.”
A.4 Twelve Principles of Error Management
Professor James Reason and Alan Hobbs, in their 2003 book “Managing
Maintenance Error, A Practical Guide” [17] offer 12 Principles of Error
Management. These twelve principles are as follows:
1. “Human error is both universal & inevitable: Human error is not a

moral issue. Human fallibility can be moderated but it can never be
eliminated.
2. Errors are not intrinsically bad: Success and failure spring from
the same psychological roots. Without them we could neither learn
nor acquire the skills that are essential to safe and efficient work.
3. You cannot change the human condition, but you can change
the conditions in which humans work: Situations vary
enormously in their capacity for provoking unwanted actions.
Identifying these error traps and recognizing their characteristics are
essential preliminaries to effective error management.
4. The best people can make the worst mistakes: No one is

immune! The best people often occupy the most responsible
positions so that their errors can have the greatest impact.
5. People cannot easily avoid those actions they did not intend to
commit: Blaming people for their errors is emotionally satisfying
but remedially useless. We should not, however, confuse blame with
accountability. Everyone ought to be accountable for his or her
errors [and] acknowledge the errors and strive to be mindful to
avoid recurrence.
6. Errors are consequences not causes: …errors have a history.

Discovering an error is the beginning of a search for causes, not the
end. Only be understanding the circumstances can we hope to limit
the chances of their recurrence.
7. Many errors fall into recurrent patterns: Targeting those

recurrent error types is the most effective way of deploying limited
Error Management resources.
8. Safety significant errors can occur at all levels of the system:

Making errors is not the monopoly of those who get their hands
dirty. …the higher up an organization an individual is, the more
dangerous are his or her errors. Error management techniques
need to be applied across the whole system.
9. Error management is about managing the manageable:

Situations and even systems are manageable if we are mindful.
Human nature – in the broadest sense – is not. Most of the enduring
solutions involve technical, procedural and organizational measures
rather than purely psychological ones.
10. Error management is about making good people excellent:

Excellent performers routinely prepare themselves for potentially
challenging activities by mentally rehearsing their responses to a
variety of imagined situations. Improving the skills of error detection
is at least as important as making people aware of how errors arise
in the first place.
11. There is no one best way: Different types of human factors

problem occur at different levels of the organization and require
different management techniques. Different organizational cultures
require different ‘mixing and matching’ of techniques. People are
more likely to buy-in to home grown measures.
12. Effective error management aims as continuous reform not

local fixes: There is always a strong temptation to focus upon the
last few errors but trying to prevent individual errors is like swatting
mosquitoes the only way to solve the mosquito problem is drain the
swamps in which they breed. Reform of the system as a whole must
be a continuous process whose aim is to contain whole groups of
errors rather than single blunders.”
While these principles were cited in a book on maintenance error, they are
considered to be applicable to all error. Professor Reason stated that errors could
be anticipated, prepared for, and eliminated by the application of these principles.
The principles recognize that error will occur and needs to be guarded against
while also adopting a “systems” view that the organization should systematically
identify potential error and avoid the conditions that cause error.
Performance CCPS.
B Major accident case studies
B.1 Texas City Refinery explosion, 2005
The 2005 Texas City refinery explosion, shown in Figure B-1, occurred during the
start-up of the isomerization (ISOM) unit, killing 15 people and injuring 180 [16].
The unit was being restarted after maintenance. The raffinate splitter tower
was overfilled. The raffinate flowed from the tower through a set of pressure safety
relief valves to a blowdown drum and stack, from which it was released into the
atmosphere and likely ignited by a nearby truck engine.
The CSB produced a video of this incident [14].
Figure B-1 Texas City Refinery Explosion
(from www.csb.gov)
The steps leading to this accident are as follows:
• The ISOM raffinate section start-up began during the night shift and
stopped with the tower level control valve closed (this was unusual). The
operator did not use the start-up checklist and did not log his actions.
When the day shift started work, they had no record of the start-up.
• The bottom of the tower had been filled to 99%, which was not unusual
but was not consistent with the start-up procedures. Over time, this had
become an accepted deviation to the procedures. A high-level alarm set
at 72% activated and alarmed throughout the incident. A 78% high-high
level alarm did not activate.
• A poor shift handover meant the day shift was unaware that heat
exchangers, piping and other equipment had been filled in addition to
the tower bottom section. At an early morning shift meeting, personnel

decided that tower start-up could not begin because the storage tanks
were thought to be full. They did not share this decision with the ISOM
operations team.
• A miscommunication between operators meant that the level control
valve was closed and light raffinate was directed into the heavy raffinate
line. The level control valve was manually maintained at closed to keep
the level high, to protect downstream equipment. Experience was that if
the level was set at 50%, the level could drop below 50% and shut down
the process. The control valve should have been set to automatic and at
50% to establish outflow to storage.
• The feed pump was started. A defective indicator incorrectly showed
raffinate leaving the tower through the closed level control valve.
Burners were then started to heat the raffinate entering the tower. This
increased the liquid level and the pressure in the tower.
• Operators thought that the pressure rise was due to overheating in the
tower bottoms, compressing nitrogen in the tower, as this was a known
issue. Therefore, they opened a valve to relieve the pressure to a
blowdown drum.
• The tower outlet valve was then opened. However, heat from outflowing
raffinate was being transferred to incoming raffinate by a heat
exchanger. This caused the liquid in the tower to expand and the level to
rise until it entered the overhead vapor line and flowed into a pressure
relief system. The relief valves opened and released raffinate to a
blowdown drum and stack. From there it vented to the atmosphere.
• The operator noticed the pressure spike. He fully opened the tower level
control valve and turned off the furnaces but did not stop the raffinate
feed into the tower. However, this was too late. The raffinate overflowed
the stack and the vapor was likely ignited by a nearby truck engine.
Appendix B - Major accident case studies 385
B.2 Bayer Crop Science plant explosion in West Virginia, U.S.
In 2008, a large explosion led to fatality of two workers at the Bayer Crop Science
plant in West Virginia, USA [26]. The fire burned for more than four hours. Two
contractors and six firefighters were treated for possible toxic exposure [83]. The
damaged plant is shown in Figure B-2.
‘What happened’ is summarized after Figure B-2.
A thermal runaway reaction (a chemical reaction) occurred inside a 4,500 gallon

(17,000 liter) pressurized residue treater, causing it to fracture. Highly flammable
solvent sprayed from the vessel and ignited, causing fire.
Figure B-2 Bayer Crop Science plant damage
(reproduced from www.csb.gov)
The incident happened during the first methomyl restart after an extended
outage to install a new process control system and a stainless-steel pressure
vessel. The steps leading to this accident are outlined next:
• A methomyl unit was due to be restarted after replacing the control

system and the residue treater vessel.
• Prior to start-up, the vessel should have been loaded with solvent and
the solvent preheated. Neither of these actions were done.
• At 04:00 the outside operator manually opened a feed valve to start
filling the residue treater vessel with methomyl. The methomyl should
have been instantly mixed with the missing solvent.
• With a low flow rate, more than 24 hours is required to fill the residue
treater to the normal operating level (50%). During this time the mix was
not sampled, so the absence of the solvent was not identified. The state
of the vessel was also not discussed at shift handover.
• At 18:15, the outside operator started a recirculation pump as advised
by the board operator. At this time, the residue treater was not at its
optimal operating level, filled only to 30%. The temperature ranged from
140°F (60oC) to 149°F (65oC), which was below the critical operating
temperature of 275°F (135oC).
• It was recorded at 18:38 that the temperature began to steadily rise.
• At 22:21, a little under four hours later the vessel was filled to 51%
(normally filled to 50%). The temperature rose gradually from about
140oF (60oC) during this four-hour period (between 18:15 and 22:21),
well within the critical decomposition temperature of 275oF (135oC).
Thus, at this moment there was no indication of the filling failure.
• Recirculation then stopped due to an automated control system error.
• The temperature then rapidly rose to 286oF (141oC), within three
minutes to exceed the critical decomposition temperature of 275oF
(135oC).
• The board operator had observed that the residue treater pressure was
above the normal operating limits and still climbing but could not
understand why.
• At 22:25, this operator then heard the residue treater high-pressure
alarms sounding. The panel operator asked two outside operators to
check the vent system, as he suspected the vent line was blocked, while
he switched the residue treater recirculation system to full cooling.
• Due to the unusually high temperature, a ‘runaway thermal reaction’
occurred, i.e., the chemical reaction was accelerated by the high
temperature which in turn increased the temperature.
• Temperature continued to rise until it exceeded the safe operating limit
of 311oF (155oC).
• At 22:27, the gas produced by the thermal reaction overwhelmed the
emergency vent system. The vessel over pressured and ruptured. The
blast spilled approximately 2,200 gallons (8,300 liters) of flammable
solvent and toxic residues onto the road and into the unit, which
erupted into flames.
The incident was a result of:
• Deviation from start-up operating procedures.

• Bypassing critical safety devices intended to prevent such conditions
from occurring.
• Poor distributed control system interface, which prevented the operator
from achieving the correct operating conditions, and also impaired their
situation awareness. [122].
B.3 Longford gas plant explosion, Australia, 1998
As shown in Figure B-3, the Esso Longford gas explosion in Australia was an
industrial accident with major consequences [20]. The incident resulted in two
fatalities and eight injuries. It also cut the gas supply for the state of Victoria for
two weeks.
A failure of a warm liquid (lean oil) system caused the temperatures of a heat
exchanger to drop and become intensely cold and therefore brittle. When
operators tried to reintroduce the warm oil, the brittle vessel fractured and
released large quantities of hydrocarbon vapor, which found an ignition source,
and exploded.
Some key events and failures are noted after Figure B-3.
Figure B-3 Longford Esso Gas Plant explosion
(reproduced from www.icheme.org)
The steps leading to this accident are as follows:
• The accident was preceded by unsuccessful attempts to repair leaky

vessels. A heat exchanger, GP922, had developed flange leaks. Attempts
were made to repair it. While the repairs were underway, another heat
exchanger, GP905, lost its supply of lean oil. The temperature of GP905
had dropped to -54 °F (-48 °C), which is below its normal operating
temperature of approximately 212 °F (100 °C).
• The low temperature was caused by loss of lean oil flow in pump GP1.
Hot lean oil flowing via GP905 would normally keep the temperature at
optimal level.
• The lean oil flow in GP1 was stopped when pumps in GP1202 tripped
and were not restarted.
• GP905 experienced loss of lean oil flow. However, cold rich oil, and cold
condensate continued to flow through.
• GP1201 pump operations were disrupted for a few hours. Once it was
restarted there was some flow of warm oil into GP905 for a short period
of time. The flow of warm lean oil into a cold reboiler caused it to
become brittle and rupture. The reboiler temperature had fallen below
its minimum design metal temperature (MDMT). Metals below their
MDMT are susceptible to brittle fracture.
• The rupture of GP905 led to the release of a large volume of
hydrocarbon in the form of vapor, igniting, and consequently leading to
a series of explosions, and fire.
The impact of the incident was wide reaching, affecting operating personnel
and surrounding communities. The plant supplied heating gas to Melbourne and
other regions. The accident occurred during wintertime when the local
temperature was low and consumption of natural gas for heating was high.
Consequently, the resulting 20 days with gas shortage had a high impact on the
community.
B.4 Milford Haven refinery explosion, Wales, 1994
On July 24th, 1994, a large explosion occurred at the plant of Texaco Refinery,
Milford Haven in Wales, which caused injury to 26 people [87]. The blast from the
explosion damaged properties in a 10 mile (16 kilometer) radius and was heard 40
miles (64 kilometer). The site suffered severe damage to the process plant, the
building, and storage tanks.
The event was preceded by a severe electrical storm that caused disturbance
to the plant, affecting the vacuum distillation, alkylation, and Butamer units, as well
as the fluidized catalytic cracking unit.
The explosion occurred some five hours later. The direct cause was a
combination of failures in management, equipment, and control systems during
the plant upset. These failures led to the release of approximately 22 tons (20
tonnes) of flammable hydrocarbon from the outlet pipe of the flare knockout
drum.
The released hydrocarbon formed a cloud of vapor and droplets that found a
source of ignition and consequently exploded.
It took two days before the fires were finally extinguished.
Figure B-4 The explosion and fires at Milford Haven
(reproduced from UK HSE, [87]).
Some key events and failures leading to the explosion are noted next:
• On Sunday July 24th, 1994, at about 07:20, an electrical storm approached

the Milford Haven area. This caused a series of interruptions to the power
supply, leading to a range of consequences including a fire on the crude

distillation unit, and various effects on the vacuum distillation unit, the
alkylation unit, the fluidized catalytic cracking unit (FCCU), and the
Butamer units. These conditions led to a plant upset but were not the
cause of the explosion that happened five hours later.
• Hydrocarbon flow was lost to the deethanizer, a vessel in the FCCU
recovery section. As a result, the liquid was emptied into the next vessel
along the debutanizer. The system was set up to prevent loss of liquid in
vessels. This caused valve FV 404 to close, preventing hydrocarbon from
leaving the vessel. This had a knock-on effect on outlet valve FV 436,
causing it to close. The hydrocarbon in the debutanizer was now blocked.
However, the trapped liquid was still subject to heat. As a result, the liquid
vaporized and the debutanizer pressure rose, which caused the pressure
relief valves to open. It also caused the debutanizer to vent into the flare
knock-out drum and on to the flare.
• Shortly after this event, the liquid level in the deethanizer was restored,
valve FV 404 reopened, and flow to the debutanizer restored. This should
have caused valve FV 436 to open and allow hydrocarbon out of the
debutanizer into the naphtha splitter, but this did not occur. The
operators in the control room received a signal incorrectly indicating that
valve FV 436 did open. The debutanizer continued to fill with liquid, while
the naphtha splitter emptied.
• Operators’ control systems did not allow overview of the whole process.
The process was broken down into discrete sections, which could be seen
on separate screens. The operators focused on problems around the
deethanizer and debutanizer.
• The operator opened another valve (valve HCV 439), with the intention of
relieving the pressure on the debutanizer system. Opening valve HCV 439
did not prevent the debutanizer becoming full of liquid, and it vented to
flare via the knock-out drum (for the second time).
• Opening of valve HCV 439 caused the liquid levels in the interstage drum
to rise, so that it flooded into the dry end and caused the compressor to
trip (shut-down). A large volume of gas had nowhere to go and had to be
vented to the flare stack to be burned off.
• There were high liquid levels in the flare knock-out drum, which were
increased by an operator’s next actions. The operators tried to remove
the flooding from the dry end of the interstage drum by draining the liquid
directly to the flare line via an impromptu modification that employed
steam hoses. The operators’ actions resulted in the gas compressor
restarting, which increased flow through the unit and caused an increase
in pressure in the debutanizer, which vented to flare (for the third time).
• Operators had decided to alleviate the pressure in the debutanizer by
opening valve HCV 439 to allow hydrocarbon to move from the
debutanizer into the wet gas compressor system. The compressor

tripped, as the dry end became flooded. The flare drum was filled beyond
its capacity.
• Fast flowing gas was passing through the overfilled vessels, which forced
liquid into the knock-out drum discharge pipe. The line was not designed
to take liquid (liquid would normally be removed by the flare drum), and
the line was corroded. The force of the liquid in the pipe caused it to break
at an elbow bend, releasing 22 tons (20 tonnes) of highly flammable
hydrocarbon, which formed vapor and exploded.
A process diagrams illustrating the interaction of the key valves and vessels
that led to the explosion is shown in Figure B-5.
Figure B-5 Interaction of the key valves and vessels
(adapted from UK HSE [87]).

B.5 DuPont Yerkes chemical plant explosion, 2010
The United States Chemical Safety Board reported that, on November 9th, 2010, an
explosion occurred at E.I. DuPont de Nemours and Co. Inc. (DuPont) Yerkes
chemical plant in Buffalo, New York [98]. This explosion occurred when a contract
welder and foreman were repairing the agitator support atop an atmospheric
storage tank containing highly flammable vinyl fluoride (a gas).
The plant had a Tedlar® process to convert vinyl fluoride into polyvinyl fluoride
(PVF), as shown in Figure B-6. The process includes the following stages:
• Vinyl fluoride is pumped from storage tanks to a reactor to form

polyvinyl fluoride slurry in water and unreacted vinyl fluoride.
• The unreacted vinyl fluoride is transferred from the separator by a
compressor and recycles back to the reactor.
• After the separator stage, steam is injected into the polyvinyl fluoride
slurry to vaporize any vinyl fluoride. The heated mixture passes through
a flash tank where residual vinyl fluoride is released to the atmosphere.
• Non-combustible polyvinyl fluoride flows from the flash tank to three
insulated slurry tanks and then to a production area.
• If the flash tank level is too high, an overflow line goes to tank 2. A liquid
trap (seal loop) was designed to stop steam and vinyl fluoride from
directly entering tank 2. An equalizer line connected all three tanks.
Figure B-6 The polyvinyl fluoride process
(reproduced from CSB [98]).

The asbestos insulation on slurry tanks 1 and 2 was to be removed and

replaced. Key events are noted next:
• On October 21st, the process was shut down and all slurry was pumped
out of slurry tanks 2 and 1. The slurry tanks were locked out.
• On October 29th, a damaged agitator support on tank 1 was discovered
after the insulation was removed.
• On November 1st, repairs on tank 1 were delayed because materials
were unavailable. It was decided that slurry tank 1 repairs could be
completed after the process restarted on November 9th.
• On November 3rd, DuPont engineers discovered that the seal loop on
the flash tank overflow line had a split. They decided to return the tank
to service without repairing the split until the next outage. They
overlooked that the split provided a pathway for vinyl fluoride to enter
slurry tank 2.
• On November 6th, the Tedlar® process was restarted, with valves aligned
so that slurry went to slurry tank 3. Tank 2 had been returned to service.
• The equalizer line remained, connecting all three tanks.
• On November 7th, the reactor recycle compressor malfunctioned. The
unit was restarted without the compressor, doubling the vinyl fluoride
entering the flash tank.
• Later that day, a lock out card for tank 1 indicated that all valves to and
from the tank had been locked out, and the agitator was locked out. The
flash tank overflow line had no valves.
• Finally, on November 9th, A DuPont technician checked the atmosphere
around the tops of slurry tanks 1, 2, and 3. Continuous air monitoring
was arranged on tank 1.
• The atmosphere in tank 1 was not tested. This was not a requirement.
• Contractors completed a permit and started work on slurry tank 1, using
an arc welder.
The defective (split) seal loop had allowed vinyl fluoride and steam to flow from
the flash tank to tank 2, with some also entering tank 3. The vinyl fluoride and
steam flowed via the equalizer line from tank 2 into tank 1. Vinyl fluoride is heavier
than air and concentrated in the bottom of tank 1.
The top of tank 1 had an unsealed half-inch hole (for the agitator pipe). In
addition, the arc welder raised the temperature of the metal on top of the tank to
far above the ignition temperature of the vinyl fluoride. Either sparks entering the
tank or vinyl fluoride vapor contacting the hot metal, ignited the gas and caused
an explosion. A fire occurred in the tank and the overpressure ripped off the
majority of the top of the tank, causing the welder’s fatality. The foreman was
injured. The vinyl fluoride was consumed by the fire and the fire self-extinguished.
B.6 Macondo well blowout, 2010
On April 20th, 2010, the Macondo well blew out [107]. Eleven fatalities resulted and
the Deepwater Horizon drilling rig sank and spilled an estimated four million
barrels of crude oil in the Gulf of Mexico. The spill disrupted the entire region’s
economy, and severely damaged fisheries and the eco-habitat.
Deepwater was operated by Transocean and had been under contract to BP.
Figure B-7 Deepwater Horizon Oil Spill – Macondo blowout
(reproduced from the U.S. Coast Guard)
A summary of events in the Deepwater Horizon Oil Spill (2010) are noted next:
• 00:36 to 07:30 – Cement job
The cement job was completed. This was followed by two pressure tests that
were also successfully completed. Later on, a decision was made not to run the
cement bond log.
• 10:55 to 19:55 – Positive pressure test, followed by negative pressure

test
A successful positive pressure test was conducted on the production casing.

Deepwater Horizon started offloading mud to motor vessel Damon Bankston (a
supply ship tied alongside Deepwater Horizon). The mudlogger noted that the pit
levels could not be monitored. An unexpected loss of fluid was observed on the
riser pipe, which suggested leaks in the blowout preventer.
Negative pressure tests (where the crew reduced the fluid pressure to test for
leaks through the cement or well casing) showed unexpected results and raised
concerns over potential leaks.
A high-pressure pipe used to cut off the flow of oil fell to zero. Pressure in the
drill line increased to 1,400 pounds per square inch, indicating a buildup of natural
gas.
• 20:00 to 21:49 – Well monitoring and control response
The internal blowout preventer and annular preventer opened. They started
pumping seawater down the drill pipe to displace mud and spacer from the riser.
The well pump was shut down for a sheen test, but the well continued to flow. The
drill pipe pressure increased. Abnormal pressure and more fluid returns were
observed.
• 21:50 to 22:22 – Explosion and fire
Gas surged from the well and up the riser. Motor vessel Damon Bankston
reported drilling fluid spilling onto its deck. A warning was issued for Damon
Bankston to move 1,600 feet (500 meters) from the rig.
The rig then lost power. A few seconds later, the first explosion occurred. The
second explosion occurred 10 seconds later. A mayday call was made by
Deepwater Horizon, the emergency procedure was activated, and transfer
commenced of 115 personnel, including 17 injured, to Damon Bankston.
• 10:30 – Deepwater Horizon drilling rig sank

Performance CCPS.
C Human Factors Competency Matrix
Table C-1 Human Factors Competency Matrix
Performance/ Knowledge
HF Competency Level 1 - Operator Level 2 - Supervisor* Level 3 - Manager**
Criteria
Overarching concepts, principles, and knowledge
Understands the Understands the

Understands the definition of
Understand what is meant by concept of Human contribution of Human
Human Factors Human Factors as it applies
Human Factors Factors and its Factors to improvement of
to process operations
component disciplines process operations
Understands
implications of Human
Can instruct on Human
Understands Human Factors Factors concepts
Factors concepts (systems
Can explain and apply Human concepts (systems approach (systems approach to
Human Factors approach to human
Factors concepts to process to human performance, error human performance,
concepts performance, error is a
operations is a symptom, error traps, no error is a symptom,
symptom, error traps, no
blame, etc.) error traps, no blame
blame, etc.)
etc.) for their
supervisory role
Table C-1 continued
Criteria
Can recognize how

specific factors (e.g., Able to assess human
Understands factors Can identify various factors environment, task or performance and is able to
influencing human influencing human environment related review and mitigate impact
performance performance factors) contribute of performance influencing
Human to/influence human factors
Performance and performance
error
Understands link between Can identify various types of Can identify and mitigate
Able to assess effectiveness
human performance and error (slips and lapses) and impact of factors
of error mitigating strategies
error mistakes contributing to error
Can contribute to design Can help develop new ways

Has skills to minimize
of tasks to minimize to minimize potential
Cognition, memory potential cognitive bias. Can
Cognition, memory bias, potential cognitive bias cognitive bias and to
bias, attention recognize where tasks
attention spans and exceeding cognitive, minimize exceeding
spans exceed human cognitive,
memory or attention cognitive, memory or
memory or attention spans
spans attention spans
Table C-1 continued
Criteria
Understand different types of

human performance (Skill-
based, Rule- Able to assess effectiveness
Can select appropriate
Supporting human Understands how to support based/Procedure-based and of solutions designed to
solution to support
performance human performance Knowledge-based support human
human performance
performance) and error performance
within each type of
performance
Can suggest solutions
Understand the demands of
which would enhance Able to assess effectiveness
Supporting human Understands how to support tasks and understands limits
human capabilities – aid of solutions/aids designed to
capabilities human capabilities to human capabilities (e.g.,
cognition, avoid aid human capabilities
cognition limits)
cognition bias
Can perform Safety
Can review effectiveness of
Safety critical task Ability to perform Safety Can contribute to Safety critical task analysis and
Safety critical task analysis
analysis critical task analysis critical task analysis identify task specific
and its application
needs
Table C-1 continued
Criteria
Procedures and job aids
Understand the concepts and Can recognize the need
various forms of procedures for application of various Able to lead on how to
and job aids procedures and job aids develop procedure and sign
Understands procedures and
Understands the importance Can recognize and select off/approve procedures
job aids
of procedures and job aids in the most suitable Able to appraise/critique
enhancing human procedure/job aid for a procedures and job aids
performance particular task
Can recognize the need

Procedures and job Able to lead discussion on
Contributes to development, for development,
aids Is able to develop procedures appropriate ways to
validation and updates of job validation and or update
and job aids develop, validate and update
aids and procedures of procedures and job
job aids and procedures
aids
Table C-1 continued
Criteria
Procedures and job aids
Understands when Can recognize effective Able to assess effective

Is able to apply procedures
procedures and job aids use of procedures and use/application of
and job aids
should be applied job aids procedures and job aids
Procedures and job

aids (continued)
Understands the importance Able to assess the
Is able to apply Human Can apply Human
of Human Factors in job aids effectiveness of job aids
Factors practice when Factors practice in job
design (e.g., structure, use of design from a Human
designing job aids aid design
color and language) Factors practice perspective
Human Factors of equipment

Can recognize when
Can recognize when poorly
poorly designed
designed equipment may
Mitigate poor Understands equipment equipment may Can also develop equipment
contribute to error and
equipment concepts contribute to error and upgrades
understands the importance
can develop temporary
of reporting this
mitigation methods
Table C-1 continued
Criteria
Operational competency
Can determine
competency
requirements by
Supporting Is involved in the process of Able to review the
Understand the process of conducting task analysis,
operational determining competency for effectiveness of competency
determining competency perform learning needs
competency safety critical tasks process
analysis, and select
assessment learning
methods
Can recognize personal

and team need for
Understands the importance
training, by conducting Able to assess effectiveness
Is able to identify training of training
Identify training training needs analysis of training
needs requirements Recognizes personal need for
requirements Can suggest/
training
recommend forms of
training
Able to assess effectiveness

Understands the need and Understands the importance Monitors and advises on
of strategies to maintain and
Develop process of developing and process of developing the importance of
develop competency
Competency competency and maintaining competency developing competency
Table C-1 continued
Criteria
Operational competency
Understands the need and

Is involved in assessing
process of assessing Able to assess the
Understands the importance competency
competency effectiveness of competency
and the process of assessing Can recognize need to
Assess competency Can identify various assessment methods
competency revise assessment
competency assessment
methods
methods
Task Support
Task planning and Can develop realistic task Can provide input and Can apply techniques of Can develop task planning
error management plans challenge to task plans “grounded” planning methods
Understands and can
Can help identify potential apply techniques to
Distractions and Can minimize distractions and Can review effectiveness and
distractions and minimize task
interruptions interruptions develop tactics
interruptions distractions and
interruptions
Can recognize which control
Can review effectiveness and
Can select, develop and apply of work processes apply and Can implement control
Control of work develop control of work
suitable control of work offer input to their of work processes
processes
development
Table C-1 continued
Criteria
Task Support
Can determine and
Understands the imperative Can review effectiveness and
Isolation and Can achieve high reliability apply suitable isolation
to apply isolation and develop isolation and
interlocks high Isolation and interlocks and interlock
interlock controls interlock requirements
requirements
Can identify and support
Communication Can reliably operate Can apply formal application of
develop communication
protocols communication protocols communication protocols communication
protocols
protocols
Can identify and support
Can apply shift handover develop shift handover
Shift handover Successful shift handover application of shift
procedures procedures
handover procedures
Can recognize how
fatigue contributes to Is able to assess the impact
Understands the concept of impaired performance of fatigue on performance
Can describe factors
fatigue management and its Can determine staffing and safety
contributing to fatigue
relation to performance needs for tasks Can design shift rotating
Can detect signs of schedules and staffing levels
Fatigue fatigue
Management Can identify factors (e.g.,
Is able to detect signs of excessive workload,
Can identify signs of fatigue Is able to assess level of
fatigue in self and others and understaffing)
and its impact on fatigue risk and identify
initiate course of action to contributing to fatigue
performance mitigating strategies
mitigate fatigue and suggests mitigating
strategies
Table C-1 continued
Criteria
Task Support
Can review task plans
Is able to lead discussion on
and evaluate task
Understands concepts and Can describe error traps and error management,
operations
importance of error the components of error including effective error
Can recognize
management management prevention and
occurrence of errors in
management
Error Management self and others
Is able to ensure that
Can recognize error traps
Can identify potential employees understand the
Is able to contribute and envisage potential
error traps and change principles of error
effectively to error consequence. Can identify
tasks and conditions to management and apply
management someone at risk of making a
minimize risk of error them in practice
mistake
Can support the
Can coach people in how development of new ways of
Can recover from error and Can recover from error and
Error recovery to recover from error recovering from error and
be resilient be resilient
and be resilient being resilient

Can diligently and reliably Can identify and arrangements for task
Can perform high reliability
Task checking check the work of other implement effective task checking and lead their
task checking
people checking requirements. improvement
Table C-1 continued
Criteria
Task Support
Willing and able to challenge Can identify factors

Can challenge actions, Can facilitate and enable
actions, behaviors and influencing challenge
Challenge behaviors and decisions of people to make and
decisions of colleagues and behavior and help improve it
colleagues and superiors receive challenge
superiors
Can lead creation and Can lead creation and Can identify factors
maintenance of a Understands and can apply maintenance of a influencing psychological
Psychological safety
psychologically safe tactics for speaking up psychologically safe safety and help improve it
environment for a team environment for a team
Can recognize the

importance of individual Is able to facilitate
Understands concept of Can apply individual and and shared situation discussion on the
Situation Awareness individual and teams’ situation shared situation awareness awareness in various importance and impact of
awareness techniques context – normal and situation awareness in
abnormal operating emergency situations
conditions
Table C-1 continued
Criteria
Understands conditions Can identify: a) factors Can recognize factors Is able to conduct an
contributing to loss of contributing to impaired that lead to assessment of situation
situation awareness and signs situation awareness; and b) impaired/loss of awareness and categorize
of impaired situation signs of impaired situation situation awareness in situation awareness as:
awareness awareness self and others maintained; impaired; or lost
Situation Awareness
(continued)
Is able to prevent loss of

Is able to regain and maintain Can describe techniques Can apply techniques to situation awareness, and
situation awareness of self used to prevent and /or prevent loss of/to regain initiate mitigation strategies
and others regain situation awareness situation awareness to regain situation
awareness
Can recognize the

Can describe and understand Is able to facilitate
impact/importance of
Understands the process of the importance of effective discussions on effective
Decision-Making effective decision-
effective decision-making decision-making in decision-making in various
making in emergency
emergency situations operating conditions
situations
Table C-1 continued
Criteria
Can identify factors which Can recognize when

Understands the factors affect effective decision- decision-making Is able to assess the
which impair effective making (such as tunnel (cognitive processes) are effectiveness of a decision-
decision-making vision, confirmatory bias, impaired and decision- making process
Decision Making group think etc.) making bias are present
(continued)
Is able to apply techniques
Is able to make effective Can describe Can apply techniques to
to prevent/mitigate decision-
decisions and avoid decision- techniques/strategies to prevent decision-making
making bias
making bias avoid decision-making bias bias
Table C-1 continued
Criteria
Can recognize the Is able to lead discussion on

Can describe the concept of
importance and need for the concept of agile thinking
agile thinking and how this
Understands the concepts of application of agile and its contribution to
concept links to other non-
agile thinking thinking in dynamic, effective emergency
technical skills (e.g., decision-
rapidly evolving management
making)
situations
Can recognize the need Is able to assess the need for
Agile Thinking agile thinking in evolving
for application of agile
situations
thinking
Is able to apply agile thinking
Can identify situations when Is able to apply lead agile
in rapidly changing; evolving Is able to apply agile
agile thinking is required thinking in emergencies to
situations thinking in emergencies
control the situation if
to control the situation if
current course of action current course of action is
is not effective not effective
Table C-1 continued
Criteria
Is able to lead discussion on

Understands the concept of Can recognize when
Can describe what is meant effective communication in
effective communication and communication is being
by effective communication normal and abnormal
related topics (e.g., barriers impaired
Can identify barriers and situations, including barriers
and enablers to effective Can recognize barriers
enablers to effective and enablers to
communication in emergency to communication in
communication communication
situations) work context
Communication
Is able to review and

develop techniques to
Is able to communicate Can apply and train enhance communication in
Can apply effective
effectively in emergency people in techniques to various operating
communication techniques.
situations improve communication conditions, including
Table C-1 continued
Criteria
Can recognize the

Understands impact of stress Can describe basic concepts Is able to identify the causes
impact of stress on
on performance of stress management and consequences of stress
safety and performance
Is able to assess - detect
Stress Management
Can recognize the signs of stress in the
Is able to mitigate stress in
Can identify signs of stress effectiveness of stress workforce and apply
self and others
mitigating techniques appropriate stress mitigating
strategies
Can recognize the
Can lead discussion on
Understands contribution of Can describe the role of impact of teamwork on
effective teamwork in teamwork in normal and performance in normal importance of highly
emergency situations emergency situations and emergency performing teams
situations
Can apply techniques
Teamwork
(e.g., other non-technical
Is able to work effectively as Can assess team’s
skills, such as
part of a team, in normal and Can identify characteristics of effectiveness and identify
communication,
abnormal situations and a highly performing team solutions for improvements
leadership, decision-
process upset conditions
making) to enhance
teamwork
Table C-1 continued
Criteria
Can demonstrate
effective leadership skills
(e.g., centralizing
Is able to assess
Understands the concept and Can identify characteristics of communication,
Leadership importance of leadership in effective leadership in coordinating tasks, effectiveness of leadership
emergency situations emergency situations managing teams skills in abnormal situations
understanding of the
situation etc.) in
Managing contractors

Can identify potential
Can implement methods for arrangements for working
Working with Can effectively support risks of working with
supporting contractors task with contractors and lead
contractors contractors task performance contractors and identify
performance their improvement
suitable controls
Table C-1 continued
Criteria
Managing change
Can recognize when a Is able to assess the risk and

change affects human the impact of change (high,
Recognizing Can identify the impact of performance of medium, low) and devise
Understands the impact of
changes that impact change on performance individuals and teams mitigating strategies
change on human
human relevant to the job role/task Can suggest strategies to Is able to lead discussions
performance
performance in hand mitigate the impact of on the impact of change and
change on human consult staff
performance
Recognizing and Learning from performance
Is able to lead discussions
Can report information to on the contribution of
Is able to understand and support Human Performance Can recognize and track indicators to human
Indicators of Human
identify indicators of human KPIs leading and lagging performance
Performance
performance Can describe the importance indicators Is able to assess (predict)
of these indicators human performance on the
basis of collected indicators
Table C-1 continued
Criteria
Understand the importance of Can describe the importance Can recognize the need Is able to lead discussion on
lessons learning and sharing of lessons learning and for lessons to be learnt lessons learnt
in error prevention sharing across business units and shared across wider Is able to assess
Can contribute to lessons business effectiveness of lessons
Lessons Learning being captured and shared Can contribute to sharing strategies
discussions involving Is able to assess the
lessons learning and effectiveness of applied
their application in lessons across the whole
practice business
* / ** The definition of supervisors and manager may differ across organizations and countries.
Performance CCPS.
D Competency performance standards
Table D-1 Competency standards template – Skill-based task
Basic operational knowledge.

Utilization of basic available information.
Task/sub-task Low new idea generation.
knowledge & skills Narrow range of knowledge.
requirements Established and familiar.
Offer a clear choice of routine responses.
Involve some prioritizing of tasks from known solutions.
1. Monitor functioning of compressors & pumps. Take

necessary action following Standard Procedures (SP).
2. Control (level & capacity) of materials to specification
Competency
following SP.
standards
3. Operate equipment as per job requirement following
SP.
4. Maintain records to job requirement following SP.
Medium
Safety criticality Monitor process indicators & keep within safe operating
(High, Medium, Low) limits.
Share information about equipment faults or failures.
Complexity of task
Low
(High, Medium, Low)
Freq. of task (High,
Medium
Medium, Low)
Time required to
complete task (Long, Medium
Medium, Short)
Knowledge
Function of equipment including safety devices.
Interpret signs, signals, & symbols.
Competency - Knowledge of safe operating limits, & process hazards.
Knowledge, Skills and Procedural
Attitudes required Establish procedures.
Skills
Alertness, communication, task planning, interpreting
info, basic reading & writing.
Table D-1 continued
Knowledge
Competency - Knowledge of safe operating limits, & process hazards.
Knowledge, Skills and Procedural
Attitudes required Establish procedures.
Skills
Alertness, communication, task planning, interpreting
info, basic reading & writing.
Skill; Rule; and
Mostly skill-based.
Knowledge-based
Some procedure-based.
activities
Training content
Memory-based Resource & application.
versus resource & Memory-based (partial).
application
Dependency N/A
Appendix D - Competency performance standards 417
Table D-2 Competency standards template – Procedure/Rule-based task
Need range of well-developed skills.

Offer choice of procedures, requiring prioritization.
Task/sub-task Employed within a range of familiar contexts.
knowledge & skills Some relevant theoretical knowledge.
requirements Interpretation of available information.
Discretion & judgments.
Range of known responses to familiar problems.
1. Able to recognize common faults & select

established procedure.
Competency
2. Able to understand established procedures &
standards
prioritize & communicate steps to ops & maintenance
staff.
Safety criticality
Medium
(High, Medium, Low)
Complexity of task
Medium
(High, Medium, Low)
Freq. of task (High,
High
Medium, Low)
Time required to
complete task (Long, Short
Medium, Short)
Knowledge
Knowledge of safe operating limits, & process
Competency
hazards.
Knowledge, Skills and
Procedural
Attitudes required
Establish procedures.
Skills:
Communication, task planning, interpreting info,
decision-making, basic reading & writing.
Skill; Rule; and
Knowledge-based Procedure/ rule-based task.
activities
Training content
Memory-based Resource & application.
versus resource & Memory-based.
application
Dependency N/A
Table D-3 Competency standards template – Knowledge-based task

Need wide range of technical or scholastic skills.
Offer range of procedures requiring prioritization to
Task/ sub-task achieve ideal outcomes.
knowledge & Employed in different known & unknown contexts.
skills Broad range of knowledge, incl. theoretical.
requirements Analytical interpretation of information.
Informed judgment.
Innovative responses to clear, but unknown problems.
1. Able to devise safe operational procedures.

2. Able to devise safe process isolation & maintenance
procedures.
Competency 3. Able to inspect & verify safety of ops & maintenance
standards work.
4. Able to recognize & diagnose rare & unfamiliar faults.
5. Make decisions & communicate actions in an emergency
situation.
Safety
criticality (High, High
Medium, Low)
Complexity of
task (High, High
Medium, Low)
Freq. of task
(High, Medium, High
Low)
Time required
to complete
Medium
task (Long,
Medium, Short)
Knowledge
Competency Knowledge of safe operating limits & process hazards.
Knowledge, Skills Procedural
and Attitudes Establish procedures.
required Skills
Problem solving, communication, task planning,
interpreting info, leadership, teamwork, decision-making,
advanced reading & writing.
Appendix D - Competency performance standards 419
Table D-3 continued
Skill; Rule; and

Knowledge- Knowledge-based task.
based activities
Training
content
Memory-based.
Memory-based
Resource & application.
versus resource
& application
Dependency N/A
Performance CCPS.
E Learning methods and performance
Table E-1 Application of learning methods to type of performance
Types of human
Task category Task types performance (skill, Learning method Form of learning
rule, knowledge)
• On-the-job training
Skill-based task,
requiring visual • Mentoring
Process Skill-based Practice-based
or auditory • Trial and practice
recognition skills • “Show me”
Knowledge- Knowledge-based Information-based • Pre-course material & classroom

based fault learning e.g., diagnostic diagram
Process • On-the-job training, simulation,
diagnosis, and
decision-making Skill-based Practice-based role play, case studies
• Pre-course material & classroom

learning
Assimilating Information-based • Talk through Piping &
Process Knowledge-based
information Instrumentation Diagrams,
Process Flow Diagrams, etc.
Table E-1 continued
Types of human
rule, knowledge)
Information-based • Pre-course material, & classroom
Knowledge-based
Knowledge- learning
based • Formal qualifications
operational • On-the-job training, mentoring,
Procedural
planning, shadowing
Rule-based Demonstration-based
development of
• “Talk through” or “walk-through”
procedures
procedures
Knowledge-based Information-based • Pre-course material, & classroom

Devising learning
Procedural emergency • Simulations, case studies,
response Practice-based scenario analysis, & application
Skill-based
Rule-based Information-based • Instructor led “walk-through”

Procedural fault procedures
diagnosis, and Demonstration-based
Procedural • Non-technical skills classroom led
decision-making training, case studies/videos, &
Knowledge-based
task Practice-based
role play
Table E-1 continued
Types of human
rule, knowledge)
Procedural, Demonstration-based • On-the-job training
operational, or • Instructor led “walk-through”
Procedural Skill-based
maintenance Practice-based procedures
task
Information-based • “Walk-through” procedures

Rule-based
A specific or • Individual learning (pre-course
Procedural unique rule or material)
skill-based task Skill-based Practice-based
Rule-based Information-based • Classroom learning, instructor led

Long or “walk-through” procedures
Psycho-motor repetitive skill or • Simulations, on-the-job training
Demonstration-based
rule-based task
Skill-based • Trial & practice
Practice-based
Skill-based task,
requiring • Mentoring/coaching
Psycho-motor Skill-based Practice-based
psychomotor • Trial & practice
skills • “Show me”
Table E-1 continued
Types of human
rule, knowledge)
Information-based • Classroom learning; Process flow

Knowledge-based and parameters training; non-
Cognitive Problem solving technical skills classroom training,
Skill-based
Practice-based • Scenarios, case studies, role plays
Knowledge-based Information-based • Classroom learning

Cognitive Task planning • On-the-job training
• Scenarios, case studies
Skill-based Practice-based
Communicating Practice-based • Classroom non-technical skills

Skill-based
task instructions, training
Cognitive • Case studies, videos, scenarios,
and specific
precautions Knowledge-based Information-based and role play
• Classroom non-technical skills

Communicating training
Cognitive Skill-based Practice-based
between teams • Case studies, videos, scenarios,
and role play
Table E-1 continued
Types of human
rule, knowledge)
Maintaining Information-based • Verbal instructions, on-the-job
Knowledge-based
Cognitive & awareness of training
Process process, and Practice-based • Shadowing
Skill-based
system state
Conditional Practice-based • Classroom non-technical skills

Skill-based
training
decision-making
Cognitive • “Walk though” procedures
(rule-based
tasks) Rule-based Information -based • Case studies, scenarios
Performance CCPS.
F Situation awareness and behavioral markers
Situation Awareness: Developing and maintaining a dynamic awareness of the situation and of the risks present during an
operation. This is based on gathering information from multiple sources from the task environment, understanding what the
information means, and using it to think ahead about what may happen next.
Table F-1 Situation awareness – behavioral markers for oil and gas industry
Elements Examples of behaviors reflecting good practice Examples of behaviors reflecting poor practice
Regularly checks key sources of information including Does not go to the effort to locate or confirm important
alarms and other prompts. information that is not readily available.
Makes use of all available information sources – Does not initiate prompt intervention at the activation
instruments, colleagues, and others – to check the of the alarm. Is unable to interpret signals or other
Actively seeks status of the operation, or to check assumptions about parameters to prevent a problem.
relevant the state of the world or the operation.
information Shows concern and takes action if important
information is not available when it is needed.
Asks for regular updates from colleagues who may have
relevant information.
Proactively addresses missing relevant information.
Table F-1 continued
Makes time for anyone offering potentially relevant

information.
Attends to all Shows respect to anyone offering potentially relevant Does not give sufficient attention to information from
relevant information. unexpected sources or from more junior team
information Knows the key indicators of risk and success, and members.
sources regularly monitors them. Accepts information sources without validating them.
Promptly reacts to critical information that arises from
other people or the system.
Challenges key assumptions that could impact safety, Does not evaluate the reliability of information that has
and regularly checks to confirm they are still the potential to create an unsafe condition.
reasonable. Makes statements, asks questions, or makes
Works to Challenges assessment of risk and the state of the suggestions that may indicate:
understand world.
information Shows unease or concern and checks if data or • Lack of awareness of what is happening.
information is not consistent with expectations. • That they have not understood the
Prioritizes actions, taking into account critical signals, significance of information.
avoiding “information flooding”. • That they have ignored the views of others.
Table F-1 continued
Is not properly prepared before starting a critical

activity. Does not allow sufficient time to check risks
and key information sources.
Makes others aware of their thinking about the effect Does not plan ahead e.g., does not look for information
Projects and of current decisions and actions on possible future until the time it is needed and does not consider the
anticipates events. future impact on others.
future states Considers recent trends and conditions, and possible Allows problems to develop before responding to
projections to the future. them.
Dismisses information that could indicate undesirable
future events.
Regularly takes steps to check the “bigger picture” for

information, or signs of developing or changing risks in
the working environment. Finds reasons not to act on information that is not as
Avoids becoming overly focused on the task at hand expected, that could interfere with planned progress,
Avoids
(e.g., focus on task to the extent that other important or that would involve additional effort.
“tunnel
factors/changes are being missed) Fails to consider the implications of new information or
vision”
Reflects and asks others for their opinion of ambiguous a change in operating conditions for future activities.
or unexpected events or indicators.
Asks colleagues to alert them if they become overly
focused on one activity or option.
Table F-1 continued
Maintains Steps back and checks that the situation or conditions Gives too much weight to expectations based on
awareness have not changed significantly with time. experience, rather than current information/opinion.
and respect If something unexpected happens, steps back and Shows a willingness to disbelieve data or information
of risk reassesses planned activity in consultation with peers. that conflicts with what is expected.
Checks the work environment to ensure it is as it should Shows a willingness to quickly accept data or
be before beginning a critical activity. information that backs up preconceptions.
Plans to make allowance for interruptions or Does not consider potential problems. Gives no insight
unexpected events. into expectations or actions if the situation changes.
Identifies and proposes alternative options if events do Acts in ways that knowingly goes beyond their
not go as planned. competence or experience.
Table F-1 continued
Responds to signs that other team members:
• Have a different understanding of the current Reacts negatively or not at all, if other team members
state of the operation than they do. say or do things that suggest they have a different
Recognizes • Are not aware of the state of critical assessment of the situation, equipment, or risks.
mismatches equipment. Does not make others aware of:
between own • Have a different assessment of the key risks.
• Difficulties until after things have gone wrong.
SA and that • Have a different assessment of team goals and
held by • Information or events that are unexpected.
priorities than their own.
others Assumes, without checking, that others who need to
Interrelates different types and sources of information.
know are aware of the same risks as they are that
Willing to be challenged on their mental model and
could affect the safety of an operation.
change.
Does not hesitate to challenge other’s mental model
respectfully.
Adapted from [123]
Performance CCPS.
G Human Factors change checklist
Table G-1 Human Factors Change Checklist
Typical Human Factors

Type of change Potential impacts actions
Process plant and equipment
New piping layout. Update operating and

Error in planning work
Changes in valves, emergency procedures.
such as maintenance.
compressors/pumps. Update Piping and
Emergency response
Changes in Instrumentation Diagrams,
errors e.g., attempting
operational criteria Process Flow Diagrams etc.
to isolate a leak without
(pressure, Update and rerun training.
up-to-date P&IDs.
temperature etc.).
Reduced morale due to
changes in role(s).
Fewer staff for normal
operations is insufficient Verify usability of a new
for peak demands. system, including alarm
Error in control management.
New control system operations e.g., difficulty Rewrite job descriptions.
e.g., new DCS. in navigating screens. Verify staffing levels.
Change in system Update operating and
response time. emergency procedures.
Increase in process Update and rerun training.
information and
controls causing
overload.
Scheduled periods of
Skills fade due to lack of manual operation and/or
Automation or high “hands on” operation. use of simulators to
reliability equipment. Reduced morale (due to maintain skills.
low demand role). Job enrichment (add new
tasks to the role).
Reduction in “hands on” Introduce additional

outside work on the process familiarization
Centralized or plant – reduced plant training.
remote control knowledge. Identify and formalize
rooms. Reduction in contact teamworking and
with outside workers – communication
loss of teamwork. opportunities.
Table G-1 continued

Process plant and equipment
Verify staffing level.

Excessive pressure to Verify sufficient time is
optimize production. available to respond to
Less time for handling upsets/alarms.
Increased unexpected tasks, Specific time allowance for
production levels. teamwork, and ad hoc and improvement
improvement activities. tasks.
Increased workload, Ensure staffing level is
stress, and fatigue. sufficient for peak periods.
Increased workload, Verify staffing level.

stress, and fatigue. Increase resourcing for
Operating with procedure updates and ad
unreliable or hoc task planning/risk
Aging plant – higher unavailable assessment.
rate of equipment instrumentation. Reinforce dynamic risk
faults. Distrusting old assessment and situation
instrumentation. awareness training.
Erosion of correct Introduce verification of
standard operating the status of unreliable
procedures. instrumentation.
Test usability during

Poor usability. development or before
Confusion due to new purchase.
New tools or Consult people and verify
tools or equipment
equipment. practicality of new tools or
being different to old
tools or equipment. equipment before
implementation.
Appendix G – Human f actors change checklist 433
Table G-1 continued

Policy, procedures, and ways of working
Less time for handling

unexpected tasks,
teamwork, and Verify staffing level.
Increase in Simplification of
improvement activities.
administrative administrative work.
Less time for staff
requirements. Upskill teams.
supervision and
support.
Low morale.
Brief people on new
procedures.
Consult people and verify
Change in practicality of new
Confusion and error.
procedures e.g., new arrangements before
New arrangements are
shift handover implementation.
impractical.
procedure. Verify comprehension and
acceptance of new
procedures.
Test usability during

Difficult to navigate. development.
Difficult to read. Consult people and verify
Computerized
Impractical in outdoor practicality of new
procedures.
environment or process technology before
plant. implementation.
Test acceptance during

development.
Shift to online Disengagement of Consult people and verify
training and learners. effectiveness of new
assessment. Reduction in learning. learning technology before
implementation.
Table G-1 continued

Staffing arrangements
Verify staffing levels.

Conduct task simplification.
Increase training and task
Change in staffing Fewer staff. support.
level. Greater workloads. Assess fatigue risk in case
of increased work loads
Assess fatigue risk in case
of increased work loads
Assess fatigue risk of new

shift system.
Fatigue. Monitor fatigue levels
Loss of staff – people during a pilot period.
New shift system.
leave due to disliking Allow an element of
the new shift system. individual choice on shift
patterns.
Verify new job descriptions

Confusion of roles and and ensure people are
responsibilities. briefed.
Loss of morale (dislike Tailor roles to individual
Merged or revised
of new roles). needs.
roles.
Role overload. Monitor workload and
Role expectations capacity for tasks such as
exceed competence. improvement projects.
Identify and formalize

Loss of contact with teamworking and
Relocation of staff. other teams, and communication
erosion of teamwork. opportunities.
Appendix G – Human f actors change checklist 435
Table G-1 continued

Staffing arrangements
Verify the “span of control”

in respect of workload,
Ratio of staff to level of supervision etc.
supervisors reduces Monitor workload and
capacity to support capacity for tasks such as
Reduction in number staff. improvement projects.
of supervisors or Excessive supervisory Increase supervisory non-
team leaders. workload, stress, and technical skills, such as
fatigue. leadership and delegation.
Reduction in time for Increase self-management
improvement activities. competence of team
members.
Creation of new
communication and
contact interfaces. Formalize communications.
Loss of in-house Provide team bonding
expertise. exercises.
Reliance on continuity of Determine the minimum
service. level of in-house expertise
Outsourcing.
Contractor does not to be retained.
adopt company safety Offer a cultural induction.
values. Provide contractor training
Contractor lacks and certification.
competence in site
management
procedures.
Performance CCPS.
Index
Active failures, 374 Hazard Analysis, 72

Barrier Analysis, 355 Interfaces, 13, 28, 99, 100
Behavioral markers, 258, 275, 425 Just Culture, 225, 346, 348, 356
Challenge skills, 217, 227 Labelling, 32, 70, 98, 100, 111, 206
Checklist, 55, 56, 63, 65, 78, 84, 85, Latent failures, 374
129, 431 Leadership, 6, 13, 121, 285, 294,
Chronic unease, 330, 360 295, 412
Circadian rhythms, 165, 200, 201 Leading and lagging indicators, 321,
Cognitive overload, xxiii, 38 323, 413
Color-coding, 82 Learning from Experience, 103
Communications, 5, 12, 186, 235, Mental models, 99, 107, 252, 253,
237, 238, 244, 435 274, 429
Competence, 9, 13, 123, 127, 185, Mindfulness, 330, 331, 333
186, 278, 281, 316, 323, 428, 434, Motivation, 253
435 Natural mapping, 106, 107, 108, 109
Control of Work, 189, 202, 203, 403 Non-compliance, 46, 219, 227, 322,
Crew Resource Management, 12, 346, 347, 356, 374, 375, 376
257, 284 Operating limits, 72
Culture, xxiv, 5, 6, 15, 32, 159, 190, Performance influencing factors, 15,
191, 193, 212, 213, 230, 243, 272, 285, 356
275, 294, 305, 321, 322, 324, 329, Performance standards, xxiv, 118,
335, 339, 342, 343, 347, 356, 359, 119, 127, 130, 131, 132, 136, 151,
360, 362 158, 208, 415
Distractions, 26, 28, 29, 30, 33, 36, Permit to work, 56, 63, 66, 129
186, 195, 196, 198, 231, 256, 337, Permits to Work, 182, 187, 196, 202,
403 214
Equipment design, 9, 95, 97, 103, Process flow diagrams, 62, 64
105, 106, 111, 257 Psychological safety, xxiv, 224, 225,
Error detection, 227 272, 329, 406
Error traps, 96, 183, 262, 329, 332, Restorative Just Culture, 359
340, 347, 397, 405 Root Cause Analysis, 352
Error-likely situations, 183, 256, 379 Root causes, 333, 336, 339, 340, 342,
Errors of commission, 373 347, 351, 352, 356, 360, 362
Errors of omission, 373 Routine non-compliance, 375
Grab card, 56, 63, 66, 129 Safety Critical Task Analysis, 57, 118,
Group-think, 254, 270–273, 275, 327 127, 128, 131
Shift handover, 124, 196, 202, 238, Teamwork, 32, 285, 411
241, 242, 243, 244, 383, 386, 404, Trust, 7, 191, 193, 224, 225, 275,
433 284, 346, 359
Shift Handover, 56, 63, 129 Usability assessments, 103
Shift system, 164, 337, 434 User acceptance testing, 104
Staffing level, 70, 174, 185, 432, 433, User-centered design, 103
434 Vigilance, xxiv, 36
Stress, 38, 218, 253, 286, 288, 327, Walk-through, 49, 55, 73, 74, 130,
328, 411 146, 421
Supervision, 13, 46, 79, 123, 134, Work instruction, 65
145, 311, 346, 433, 435 Workload, xxiii, 12, 35, 53, 158, 159,
Tabular Task Analysis, 131 174, 176, 177, 196, 219, 242, 253,
Task analysis, 53, 69, 128, 130, 136 256, 259, 295, 309, 404, 432, 434,
Task verification, 77, 202, 203, 213, 435
217, 230, 231

CCPS (2022) - Human Factors Handbook For Process Plant Operations - Improving Process Safety and System Performance

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

CCPS (2022) - Human Factors Handbook For Process Plant Operations - Improving Process Safety and System Performance

Uploaded by

Copyright:

Available Formats

HUMAN FACTORS HANDBOOK

FOR PROCESS PLANT OPERATIONS

Improving Process Safety and

CENTER FOR CHEMICAL PROCESS SAFETY

All rights reserved. No part of this publication may be reproduced, stored in a

Limit of Liability/Disclaimer of Warranty

Library of Congress Cataloging-in-Publication Data Applied for

Cover Design: Wiley

It is both an honor and a privilege to see Jack in action!

Louisa A. Nara, CCPSC

Table of Contents .............................................................................................. ix

Part 1: Concepts, principles, and foundational knowledge .......................... 1

Part 2: Procedures and job aids .................................................................... 43

9.4 Error traps ...................................................................................... 96

Part 4: Operational competence ................................................................. 115

14 Operational competency assessment ................................................. 151

Part 5: Task support ...................................................................................... 161

Part 6: Non-technical skills ........................................................................... 247

Part 7: Working with contractors and managing change......................... 299

Part 8: Recognizing and learning from performance ............................... 319

A Human error concepts .................................................................... 373

Figure 1-1: Human Factors science, concepts and principles .................................... 3

Figure 15-5: Guidelines on shift design .................................................................... 171

Figure A-1 Energy Institute human performance principles.................................. 377

Table 3-1: SRK types of human performance ............................................................ 22

Table 19-3: Shift handover risk factors ..................................................................... 242

Table A-1 ‘Hearts and Minds’ definitions for non-compliance............................... 375

Project Team Members

In the early 1990s, I was working on research projects examining psychological

It has been written especially with operations and maintenance supervisors in

Engineers, process safety practitioners and regulators who wish to gain an

This book has been written by a combined panel of plant operations

This valuable handbook is definitely recommended reading for those striving

Part 1: Concepts, principles, and foundational knowledge

1.1 What is “Human Factors”?

As illustrated in Figure 1-1, like engineering, Human Factors is a combination of

Figure 1-1: Human Factors science, concepts and principles

A short video that presents a Human Factors view for successfully

1.2 Purpose of this handbook

1.2.1 Purpose and scope

This handbook provides practical advice

• Provides examples of practical

• Provides an explanation of how people think and behave, why people

1.2.2 Other guidance

How does this handbook fit with

Safety culture, leadership, and

Human Factors methods, such as

• Essential Practices for Creating, Strengthening, and Sustaining Process

1.2.3 Who should read this handbook?

This handbook is intended for everyone involved with defining, planning,

1.2.4 A note on language and terminology

A more complete explanation of the traditional terminology of ‘human error’

1.3 Why Human Factors?

1.3.1 Major accidents associated with human performance

Human performance is a factor in

This kind of evidence greatly undermines stakeholder trust in an organization

1.3.2 It is more than common sense

People who plan work and develop

Time constraints and attention demands impact frontline managers and

Businesses must prioritize and balance production, operations, maintenance,

Human Factors adds scientific knowledge to help workers achieve high

1.3.3 The benefit of high performing teams

People diagnose unfamiliar faults. They As a leader, it is