
SAFETY CRITICAL TASK RISK ASSESSMENT IN OFFSHORE INSTALLATION DECOMMISSIONING: A METHODOLOGY

A.P. Bradbeer*, E. Butterworth*, G.M. Rolt*

*Human Engineering Limited, Clarendon House, 81 Mosley Street, Manchester. M2 3LQ.

Andrew.Bradbeer@humaneng.co.uk Tel: 0161 233 2266

Keywords: Offshore, Decommissioning, COMAH, Task analysis, Safety critical.

Abstract

Human Engineering Limited is currently supporting the decommissioning of an asset in the North Sea. The aim of the work has been to ensure that the risks of human error when working in an unfamiliar environment, often on novel, one-off tasks, are controlled to As Low As Reasonably Practicable (ALARP). As part of this work, safety critical tasks have been identified and assessed from a human factors perspective, supporting the asset safety case and risk assessment. The methodology used for a number of the assessments is the Safety Critical Task Assessment (SCTA) Tool developed by Human Engineering, in line with the Health and Safety Executive’s (HSE) 7 step approach to risk assessment [1]. This paper describes this methodology, its use on an example from the platform and identifies a number of other challenges faced on the project.

1 Introduction

1.1 Overview

Cessation of Production approval at the platform was received from the UK government and a well abandonment programme is now underway. This gives rise to a new set of challenges and risks to be faced by the team involved in the decommissioning. The platform itself is in a water depth of approximately 100 metres. There are also a number of different contractors involved in the process working in teams on the many different work packages being undertaken. Whilst being decommissioned, the platform still has a significant number of people on board (POB) of around 150, supporting the decommissioning process and the people living on the platform.

Whilst the hydrocarbon inventory has been significantly reduced early in decommissioning, a number of sources of major accident¹ hazard (MAH) remain on the asset. These can include risks from dropped objects, electrocution and asphyxiation, and limited hydrocarbons remain offshore in the form of fuel gas and diesel.

Human Engineering was asked by the platform operator, to provide human factors (HF) support to the decommissioning work being performed on the platform, with the aim of contributing to the safety case.

Human Engineering is focussing its efforts on addressing the safety critical tasks involved in the work. Safety critical tasks are classified as those in which human failure can result in or contribute to a MAH. As such, Human Engineering is utilising an in-house tool developed during a programme of work for BP at Grangemouth, a top tier Control of Major Accident Hazards (COMAH) site. The SCTA Tool² has been approved by HSE and recognised by BP as industry best practice at the recent BP Global Safety Awards, under the Control of Work category.

1.2 Shift in perceived risk

As previously stated, one aspect of the decommissioning of the platform is the reduction of the hydrocarbon inventory on the platform. The platform no longer produces any oil/gas and as such, the major hazards present on the platform are significantly reduced. The focus on the platform has shifted to occupational health and safety, and environmental issues.

However, hazards still remain on the platform and work being undertaken is still run strictly under the permit to work system. The human hazard in this scenario is the risk that the personnel now feel, understandably, that it is a much safer place to work, and as such may become complacent about the hazards and risks. For this reason, the Offshore Installation Manager (OIM) and the supporting platform management retain the strict working practices and issue continual reminders to the workforce on the need to focus on safety.

¹ A ‘major accident’ means “an occurrence (including in particular, a major emission, fire or explosion) resulting from uncontrolled developments in the course of the operation of any establishment and leading to serious danger to human health or the environment, immediate or delayed, inside or outside the establishment, and involving one or more dangerous substances” [2].

² Further information regarding the SCTA tool is available on request from the author.

[Flowchart]

Step 1: Site Procedure Screening
  Submit procedure to Procedure Screening Matrix. Is procedure considered safety critical?
  NO – consider next site procedure
  YES – proceed to step 2

Step 2: Safety Critical Task Identification
  Generate task analysis from procedure/observation.
  Identify the consequences of failure at a sub-task level.
  Are these consequences safety critical? i.e. could they contribute to a MAH?
  NO – consider next step in the task analysis
  YES – proceed to step 3
  Outputs: Task step/task description; Potential consequences of task failure

Step 3: Human Failure Analysis
  Identify the human failures which would cause this.
  Identify the likelihood of a failure of this sub-task occurring.
  Identify the performance influencing factors that could contribute.
  Identify any current processes/mechanisms which reduce this risk of failure or enable recovery.
  Identify any future measures to reduce risk of failure or improve recovery.
  Outputs: Possible human failures; Likelihood of failure occurring; Performance influencing factors; Potential to recover from failure sources before consequences occur; Existing risk management measures; Additional risk management measures; Additional measures to improve recovery

Figure 1: Safety Critical Task Assessment methodology.

2 Development of the Safety Critical Task Assessment Tool

2.1 Overview

Human Engineering developed the safety critical task risk assessment methodology, in line with the HSE’s guide to human factors risk assessment.

The HSE’s 7-step approach recommends the following process [1]:

1. Consider main site hazards
2. Identify human activities
3. Outline key steps in these activities
4. Identify potential human failures for key steps
5. Identify performance influencing factors (PIF) that make failure more likely
6. Use hierarchy of control measures for identified failures
7. Manage recovery

Human Engineering’s methodology builds on the HSE approach and is carried out in 3 steps as illustrated in Figure 1, and is described as follows:

1. Site Procedure Screening. This initial process aims to identify activities which are safety critical and therefore require further assessment. It requires consideration of the potential hazards relevant to the job, as well as a thorough understanding of the nature and difficulties of the activity undertaken by personnel.

2. Safety Critical Task Identification. Having identified an activity as safety critical, the activity is then examined in more detail to reveal the individual tasks that make the activity safety critical. This may account for only a few elements of a job in which failure has the potential to result in MAH. These safety critical tasks are then subjected to further analysis.

3. Human Failure Analysis. The safety critical tasks are risk assessed using a formal human failure analysis approach. This considers the potential human failures that could occur, the likelihood and consequences of these, and the PIFs that indicate why an error may be made. By understanding the possible errors and the underlying causes, an effective assessment of the adequacy of existing risk reduction measures can be carried out. Additional measures for management and recovery can also be developed in line with a hierarchy of control approach.

2.2 Step 1: Site procedure screening

The first stage in the SCTA process involves determining which site procedures need to be subject to detailed analysis. Specifically an assessment team should consider all the site procedures, and determine which should be submitted to Step 2 (safety critical task identification) (see Figure 1). This is achieved by identifying and considering the major hazards that exist on site.

Each procedure on site should be identified and the assessment team should then assess each procedure in turn, and identify each of the identified site hazards that apply to the procedure.

2.3 Step 2: Safety critical task identification

Having identified the safety critical site procedures to be risk assessed, the next stage of the SCTA assessment process is to break down the task or procedure into its constituent steps. This allows the assessor to understand all of the human interactions in the task and therefore all of the stages where human failure could occur and therefore contribute to a major accident hazard.

A task analysis is a proven Human Factors tool which will allow the assessor to do this. It can be applied by any individual or team with sufficient knowledge of the tasks involved and an understanding of the task analysis approach. An example excerpt of a task analysis is shown in Table 1.

| Task | Reference | Sub-Task |
|---|---|---|
| 1 Road tanker entry to the depot – primary/secondary drivers | 1.1 | Primary or secondary driver arrives at the site vehicle access gate and operates electronic key-fob |
| | 1.2 | Site vehicle access gate will automatically open, permitting controlled site entry |
| 2 Road tanker access to the depot – 3rd party drivers | 2.1 | 3rd party drivers park vehicle adjacent to site vehicle access gate and present themselves at the site office |

Table 1: Example task analysis.

The aim of this stage of the assessment is to identify key stages in the task (sub-tasks) where the consequences of a human failure during that task could contribute to a major accident. This would include tasks where there is:

• The potential to initiate an event sequence
• The potential to stop an event sequence
• The potential to escalate into an incident

The hazards identified from Step 1 are presented in the left hand column and the potential human failure sources are presented along the row. An example of an accident hazard from a COMAH site is shown in Table 2 (Road car BLEVE³ at loading bays) with examples of potential human failure sources as shown by bulleted text.

³ BLEVE is an acronym for "boiling liquid expanding vapour explosion". This is a type of explosion that can occur when a vessel containing a pressurised liquid is ruptured.

Potential Human Failure Sources to Consider:

| Hazard | Initiate | Failure to Detect | Failure to Mitigate and Control |
|---|---|---|---|
| Road car BLEVE at loading bays. | • Potential ignition sources; • Failure to disconnect road tanker hose connection before attempting to move vehicle. | • Failure to detect high level in road tanker. | • Failure to provide ready access to fire fighting equipment. |

Table 2: High-level identification of potential human failure sources.

This table helps analysts break down accident sequences into a number of manageable component areas. These are easier to understand in terms of system vulnerability, and to assess in terms of potential human failure. This type of structured decomposition approach, based on hazards and associated human failure categories, is likely to increase the effectiveness of assessments by reducing the complexity of the various accident sequences.

The table is referred to as the ‘High-level identification of potential human failure sources’ table as it defines the human failure sources that analysts use to consider if individual task steps are safety critical and so require more detailed assessment (i.e. Human Failure Analysis) at Step 3.

Those task steps where human failure could potentially contribute to an accident hazard, based on any of the three potential human failure sources, are referred to as safety critical task steps and are then subjected to a human failure analysis (Step 3).

2.4 Step 3: Human failure analysis

The human failure analysis should ideally be undertaken within a ‘workshop’ environment with all relevant operators and other personnel. This can follow directly on from the safety critical task screening process. It is essential that experienced operators are involved in the workshop, to facilitate the identification of potential human failures that may occur and associated consequences.

When carrying out Step 3, the focus of the workshop should be on identifying where human failure may lead to an identified failure consequence or related major accident hazard (MAH), contribute to its severity, or compromise emergency response.

For each task identified in Step 2, the types of human failures should be identified that could occur during the task, which may lead to one of the identified failure consequences. There may be a number of likely failure types that could occur for each step. The term human failure is used within this method to cover deliberate human actions (violations) as well as those that are inadvertent. When considering the failures that could occur, always consider the deliberate/ ‘intentional’ acts (violations), as well as the possible ‘unintentional’ errors that could be made by the operator. This is an important point as inadvertent errors have different root causes to deliberate violations. For example, errors may arise from poor competency whereas violations may relate to poor culture. It is important to include these in the table as understanding what failures have the potential to occur will assist the team in assessing the current levels of protection that are in place on site, and in identifying effective opportunities for their improvement.

Having identified potential human failures for a particular safety critical task step, the team should agree the likelihood that a failure will occur during normal procedures. Where multiple potential failures have been identified, the likelihood should be considered in relation to the failure considered most likely to occur. This judgement is required for undertaking a risk evaluation.

Performance Influencing Factors (PIFs) are the characteristics of people, organisations, tasks and working environments (e.g. poor/inadequate procedures, fatigue, peer pressure) which influence human behaviour and therefore the likelihood of human failure. They are a good indicator of why human failures occur. For each task step, the team should identify all PIFs that are relevant. There may be a number of applicable PIFs, particularly if more than one failure is possible. All relevant PIFs should be recorded. Understanding the factors that cause failures to occur will assist the team in assessing the current levels of protection that are in place on site, and in identifying appropriate opportunities for their improvement.

For each task step, the team should identify the existing mechanisms and processes currently in place on site which:

• Improve the potential for recovery of the failure before the consequences occur.
• Reduce the probability of the failure occurring.
• Reduce the severity of the consequences if the failure should still occur.

Finally, the team should identify any recommendations for processes or mechanisms that could be implemented in the future to further reduce the risk of human failure. The recommendations may range from extra training or improved procedures, all the way to a redesign/refit of safety critical equipment or a review of a company’s safety culture. This stage is especially important where the probability of a failure occurring is judged to be high and the failure recovery mechanisms are minimal or rely solely on operator intervention.

3 Risks in decommissioning tasks

3.1 Novel/non-routine tasks

One aspect of the decommissioning process is the fact that the workforce, whether they be drillers, pipefitters, electricians etc., are often undertaking novel or non-routine tasks. Whilst they may be experienced and fully competent, the types of tasks being undertaken are often ones which they may not have encountered before. This introduces a number of HF risks into the work, for example:

• Operators are having to apply their knowledge to the new task and perhaps make assumptions as to how to perform the task.
• The added complexity/difficulty of the task may not be fully appreciated by the operators.
• The procedures being followed may have been generated by someone who has not actually visited the site, and so does not appreciate the contextual nature of the task being performed.
• In overcoming minor difficulties with the procedures (for example, in context it may not be possible to access a certain bolt on a flange to break a joint due to adjacent plant equipment), operators may make a number of minor changes to overcome these procedural shortcomings.

3.2 Creeping change

Management of change is one of the major safety aspects considered by the offshore industry when performing risk assessments. The issue with decommissioning tasks is that the change is often not realised by the operators as it may arise from a series of incremental changes. As identified above in Section 3.1, minor changes are often made to overcome procedural issues where the procedure may not consider the context of the work.

Whilst the operator may make a risk assessment on the minor change, albeit not a formalised one, a series of minor changes may build up which constitutes a significant departure from the original procedure. This overall change is often missed due to this ‘creeping change’ as the task progresses, and whilst the individual minor changes may have been considered safe on their own, the overall change may not have been fully risk assessed, which introduces a significant hazard/risk into the work.

The SCTA tool is especially useful in these situations as it can analyse the procedures from the outset, look at the system in context, and based on an understanding of human behaviour and performance on a task, predict the instances where a departure from the procedure may lead to an undesirable consequence. The SCTA tool can also be used in incident investigations, to identify the human failure aspects which led to the incident as described in Section 4.

4 Use of the SCTA Tool – an example

4.1 Overview

Although the SCTA can be used to assess procedures for their safety critical tasks proactively, the tool can also be used retrospectively. In the example described below, the SCTA tool was used to assess the safety critical aspects of an incident which occurred on the platform.

4.2 Use of SCTA in incident analysis

A pipefitter involved in decommissioning the platform incorrectly removed a section of pipework from the live side of a valve and attached a blind flange. This action left a line to the flare open to atmosphere which could have resulted in a loss of containment of residual hydrocarbons within the line.

The tasks that the pipefitter was required to undertake were as follows:

1. Release two joints (Joint A and B) and then remove Valves 1 and 2, install blind flange downstream at Joint A and remake joints.
2. Release Joint C and remove Valve 3 or elbow. Blind flange not required at Joint C as this was required to be left to free vent as part of engineering down.
3. Release Joint D, install blinds upstream of Valves 4 and 5 and remake Joint D.
4. Release Joint E upstream of Valve 6, install blind to Valve 6 and remake Joint E.

The use of the SCTA in this case aimed to investigate the incident from a human factors perspective. In doing so, the aims were to identify the potential causes and then provide meaningful recommendations based on the findings of this analysis to reduce the likelihood of a similar incident occurring in the future.

The initial step in the assessment process in this case was the generation of a task analysis of the incident as it could be assumed that the procedure was indeed safety critical (and therefore screening was not required). As such, the assessment began at Step 2 in the SCTA tool process.

The task analysis of the incident is shown in Table 3, along with the potential consequences of task failure identified at each step.

The sub-tasks and consequences were analysed further by identifying the potential human failures which may lead to the consequence. PIFs were then identified for each sub-task. These were considered along with the existing risk control measures, to establish if the level of risk was acceptable.

4.3 Findings

The findings from the assessment were that the pipefitter felt unable to determine the direction of flow along a section of pipework, and therefore was unable to judge which valves could be considered ‘upstream’ or ‘downstream’ of a given point.

| Ref | Task | Ref | Sub task | Consequence |
|---|---|---|---|---|
| 1 | Mark up worksite | 1.1 | Mark joint to be worked on with pen | Worksite incorrectly identified |
| | | 1.3 | Tag worksite | Worksite incorrectly identified |
| 2 | Pre-work checks | 2.1 | Supervisor carry out walkthrough with pipefitter | Error in worksite markup / tagging missed |
| | | 2.2 | Supervisor checks location of joint tags before work commences | Error in worksite markup / tagging missed |
| 3 | Pipefitter on site | 3.1 | Pipefitter identifies worksite | Pipefitter undertakes work in wrong location. Delay to work programme. Damage to equipment / injury / loss of containment |
| | | 3.2 | Pipefitter interprets upstream and downstream | Pipefitter undertakes work in wrong location. Delay to work programme. Damage to equipment / injury / loss of containment |
| | | 3.3 | Pipefitter identifies valve | Pipefitter undertakes work in wrong location. Delay to work programme. Damage to equipment / injury / loss of containment |
| 4 | Pipefitter undertakes work | 4.1 | Pipefitter undertakes work (e.g. Installation of blank) | Pipefitter undertakes work incorrectly. Delay to work programme. Damage to equipment / injury / loss of containment |
| | | 4.2 | Ops tech observes break in containment | Loss of containment |

Table 3: Task analysis of pipefitting incident.

With reference to the tasks numbered above in Section 3.2, it was found that the pipefitter undertook Task 1 successfully, but then undertook Task 2 in the wrong location. Instead of moving downstream from the joint worked on in Task 1, he moved upstream to a different joint and performed the task there in error. The incident report records that the pipefitter removed an elbow, and left a section of pipework to free vent.

The primary cause of the incident was assessed to be poor local knowledge of the platform, resulting in the operator carrying out the task in the wrong location.

It was also found that poor operator knowledge of the terms ‘upstream’ and ‘downstream’ may have contributed to the incident. The terms ‘upstream’ and ‘downstream’ refer to the location of a given point relative to the source of hazard. For example, under normal operating conditions, a closed drain may be considered downstream of the process. However, during decommissioning, if pipework leading to the drain is isolated, the drain is then considered upstream of the isolation, as it and associated pipework may still contain residual hydrocarbons.

It is unclear whether all parties involved in the above incident were aware of this distinction; however, it may explain perceived difficulties in determining the meaning of the terms upstream and downstream, especially during decommissioning activities.

By dealing specifically with this operator’s competency ‘gap’, it is likely that the immediate cause of this particular error would be addressed. However, the analysis demonstrated that there were a number of potential errors and influencing factors which could result in this or similar incidents. A total of 15 recommendations were made to address these errors, including:

• Clarify the terms ‘upstream’ and ‘downstream’ during walkthroughs preceding process isolations.
• Ensure that the Operations Technician is consulted prior to isolations work and that they are also involved in the pre-job walkthrough in order to facilitate the supervision of breaking containment.
• Use fluorescent spray paint (rather than black markers) to mark valves and worksites.
• Indicate direction of flow on pipework if relevant to isolation tasks.
• Ensure worksites are marked up / tagged by personnel with good local knowledge of the platform and are independently checked by third party with good local knowledge of the platform.
• Include local knowledge in work packs, walkthroughs and pre-task discussions as required, to facilitate complicated tasks.
• Consider the use of annotated photographs, isometric drawings or simple schematics in work packs to facilitate complicated tasks, particularly the identification of work locations.
• Brief contractor supervisors in local knowledge relevant to their role / work area.

5 Conclusions

The use of the SCTA tool has shown its value during the task of decommissioning, especially where novel procedures may be used for an unfamiliar task. It has been successfully used to address the risks of such tasks, this being especially important as, unlike other hazardous operations, there is less opportunity to learn from experience with decommissioning activities. Therefore, it is considered essential that a predictive tool, like the one described in this paper, be used to manage the risks of such activities to ALARP.

References

[1] Health and Safety Executive. Inspectors’ Toolkit. Human factors in the management of major accident hazards (2005). http://www.hse.gov.uk/humanfactors/comah/toolkit.pdf

[2] HMSO. The Control of Major Accident Hazards Regulations (1999). http://www.opsi.gov.uk/si/si1999/19990743.htm
