John J. Yandziak III, Osmar de Lima, Monique Verboonen, José Orlando Gomes, and Stephanie Guerlain, Senior Member, IEEE
Abstract— Petroleum transportation accidents often cause losses of millions of dollars and take human lives. SIGA (Integrated Anomaly Management System) is an accident/incident reporting system that was designed by the largest petroleum transportation company in Brazil to help remediate these accidents. SIGA’s function is to track reported accidents and their cost, determine the cause of these accidents, identify solutions, communicate accidents to relevant parties, document the passing of information, and protect the company and employees from litigation. While the existing system administers the workflow of accident remediation, it lacks the functionality necessary for holistic posterior analysis. Such analysis is critical and would enable the examination of all reports to find patterns. This paper proposes a software solution to track large quantitative data sets composed from incident reports in order to preemptively identify potential hazards and recommend appropriate actions to eliminate future hazards before they occur.
Manuscript received April 15, 2006. This work was supported in part by the Coordenação de Aperfeiçoamento de Pessoal de Nível Superior (CAPES)/Fund for the Improvement of Secondary Education (FIPSE) Grant for the US-Brazil Cognitive Systems Engineering Program. Stephanie Guerlain is with the Systems and Information Engineering Department, University of Virginia, Charlottesville, VA 22904-4747 USA (corresponding author: phone: 434-924-4438; fax: 434-982-2972; e-mail: firstname.lastname@example.org). John J. Yandziak III is with the University of Virginia, Charlottesville, VA 22903 USA (e-mail: email@example.com). Osmar de Lima, Monique Verboonen and José Orlando Gomes are with the Universidade Federal do Rio de Janeiro, Rio de Janeiro, RJ, Brazil (e-mails: firstname.lastname@example.org, email@example.com, firstname.lastname@example.org respectively).

I. INTRODUCTION

With daily processes that involve the exploration, excavation, transportation, and distribution of highly combustible chemical products, the petroleum industry is an extremely high-risk industry in terms of the likelihood of large-scale industrial accidents and the potential severity of the economic and social harms that these accidents can inflict. In order to prevent future accidents, the causes of previous accidents must be accurately determined, corrective actions must be put into effect, and a reliable hazard detection system must be in place to focus company safety efforts in the areas where hazard remediation can have the greatest effect on future likelihood and gravity (together – the criticality) of industrial accidents. This project provides an analytical tool for Brazil’s leading petroleum transportation company to identify emerging high-risk trends, culled from a database of accident and incident reports, in order to identify likely causes of future accidents.

The current system is entitled “Sistema Integrada de Gestão de Anomalias” (SIGA)—translated from Portuguese into “Integrated Anomaly Management System”. SIGA is one of many examples of an Accident/Incident Reporting System—safety information systems utilized by large companies to monitor, administer, and analyze the large amount of descriptive data obtained from witness accident and incident reports. (Experts typically refer to events that actually occurred and caused some form of harm as accidents, while an incident, as defined, is a “near-miss”, which could have resulted in a negative occurrence, but did not.) The system has been in existence since 2002, and since its creation has registered over 10,000 reports.

This project seeks to redesign the current SIGA Accident/Incident Information System in order to provide the following additional features:

1) A new witness reporting form that allows for more accurate, robust incident accounts that are more readily analyzed in a quantitative manner
2) A relational database to keep track of the resulting large amounts of quantitative data, and
3) A filtering and visualization software that enables users to effectively confront the data overload problem in order to identify critical areas within the company where safety resources (both human and financial) can be most effectively leveraged to reduce likelihood and severity of future accidents.

II. ACCIDENT/INCIDENT REPORTING SYSTEMS

Accident/Incident Reporting Systems are so crucial to hazard management programs in high-risk companies that regulatory agencies have begun to require, standardize, and monitor their use in certain industries. The Occupational Safety and Health Administration (OSHA), under the U.S. Department of Labor, publishes safety standards for both general industry as well as specific industries, including the petroleum industry. OSHA requires accident reporting and investigation for all regulated industries, and, for the petroleum industry specifically, the administration also mandates collection of incident reports in addition to accident reports, through OSHA rule 29 CFR 1910.119.
and other—are vague and difficult to distinguish. if s/he can only distinguish between two levels of granularity. Typically. abnormal occurrence. and negligible. The bulk of this critical review and redesign will focus on the registration stage. and. possible consequences of the reported situation. used for organizational purposes. From there. agency managers take on responsibility for actions recommended by the supervisor and sign off on whether or not actions have been completed to satisfaction. incidents produce the extra amount of data required obtain a clear picture of potential hazards and their underlying causes. SIGA did not include them until September 2005 . the information provided is insufficient to conduct any type of filtration. operational failure. accident with injury. and the incidence to initial or reoccurring. typically. and Environment department of Brazil’s leading Petroleum Company. the likelihood limited to real or potential. The gravity option is limited to a choice between large and small. Witnesses conduct registration of the report. as opposed to the other four stages which serve largely administrative functions. nonconformity. after all recommended actions are completed. These additional fields include anomaly type.) They provide insight into how small defensive failures add up to large disasters. occasional. System administrators grant access to SIGA only after successful completion of a short online training program. at times. key words for facilitation of future system searches. While. and incidence of the event. particularly those in quantities of data collected. Possible consequences should be limited to a set number of options in order to produce more matching between separate reports and less confusion in reporting. SIGA. filling in such standard fields as location. 2. yield numbers required for penetrating qualitative analysis. only accidents—for example. likelihood. 
an administrator reviews the report for inaccuracies or missing information. The current SIGA design is used primarily to administrate the work flow involved with the submission. is operated and maintained by the Health. the accident analysts create recommendations in the approval stage. To quantitatively evaluate the likelihood of a potential hazard. any effective safety information system should consider the inclusion of incident gathering as a component due to its many advantages. the report is re-entered into the system. whose elimination is the primary goal of these systems. a commercially available client-server collaborative software system. probable. finally. III. Reason considers incidents as “free lessons”. critical. Access to the system is granted to all employees of the large petroleum provider. following the Department of Defense’s hazard-assessment matrix example. Roland has suggested a 1-5 scale corresponding to frequent. primarily for three reasons : 1. However. though we encourage the entry of as much relative words as possible during report registration in order to encourage more relational connections when conducting any subsequent key word searches.) They provide a powerful reminder of system hazards to communicate to top-level management In high-risk industries. and his or her own unique employee identification number causes little confusion. accident. focusing on how the information is gathered and organized. Finally. not be fully qualified to make an accurate evaluation. the final evaluator oversees the evaluation stage. danger. Once a witness report is submitted. the entire report is forwarded to the final evaluator for his or her approval. The current options available to the user for anomaly type—unexpected result. B.Many systems still do not include incidents in their reporting systems. Suggested Improvements for Witness Reporting Much of the responsibility of information quality falls on the witness. 
as well as all subcontractors currently participating in a project with the petroleum provider. Though the witness may. the agency managers administer implementation of recommended actions. and. the analyst is an employee within the Health. CRITICAL ANALYSIS OF EXISTING SYSTEM A. This Accident/Incident Information System solution is administrated entirely through Lotus Notes. fields to evaluate the gravity. Each of the five different user types participates in its own respective stage of the report remediation process.) They occur more frequently than accidents. analysis. and the process starts over from the analysis stage. the form requires additional analysis beyond basic reporting that implements the user’s subjective organization and evaluation abilities. although often they are not qualified or willing to produce all needed information. 3rd party complaint. and a new set of categories must be developed where each category is uniquely meaningful. remote. marginal. and then refers the report to the appropriate accident analyst. severity can be evaluated on a 1-4 scale representing catastrophic. The multiple of these two quantitative measures . Safety and Environment department with a specialization that is related to the referred report’s subject matter who then analyzes the cause of the event and recommends corrective actions. Safety. The wide majority of the SIGA system users are witnesses. If the reported hazard is not deemed sufficiently corrected after the final evaluation. and subsequent remediation of an accident or incident report. 3. and improbable . descriptive event details. Description of Existing System The system under review. Likewise. who submit an initial report including the details of their own personal account. where potential hazard consequences can be severe. Key words are best left as subjective entries. date.
analysis. If it doesn’t match any other report the ball remains green. environmental harm. A conceptual model depicts the structure of the system without the restriction of specifying certain technologies to implement for the proposed solution . Anomaly type has been changed to a pull-down menu consisting of eight options—hardware.forms a “criticality” variable. In a similar fashion incidence was modified from “initial” or “reoccurring” to first time. for fear of receiving blame. information about the anomalies is provided. probable. For possible consequences. or not able. occasional. PROPOSED SOLUTION – QUANTITATIVE DATA POPULATING A RELATIONAL DATABASE LINKED TO DATA VISUALIZATION SOFTWARE The following sections describe the components of our prototype for an improved SIGA Accident/Incident Information System. approval. Relational Database – Organizational Structure This section will describe the conceptual model of our proposed relational database. either through the use of pull-down menus with limited options or through quantitative evaluation scales with a greater granularity than before. This registration stage will also identify if the values entered in the new report match any existent report. financial loss. and negligible). otherwise it changes to red (see Figure 1). Much of this has to do with the processing of Relatório de Tratamento de Anomalias (RTAs)—translated from Portuguese to mean Anomaly Treatment Report. Also. an excellent quantitative indicator for the remediative priority of a particular hazard . The registration section of the report must be fulfilled and than it can be either analyzed by the person who registered the report or sent to another person who is going to analyze it. The form also shows the number of reports that match. identification method. anomaly type. second time. 
Quantitative Data Population – Creating a New Witness Form The previous form and its vague queries that were not conducive to quantitative analysis are now replaced by new fields that require more specific information. for lack of situational awareness. unsafe company culture. and evaluation of a individual accident/incident report Any person with access to the system who has a key can open a RTA report. procedures. their own petroleum industry accident/incident information system . and defenses —adopted from the 11 General Failure Types used by Royal/Shell Group in Tripod-Delta. remote. design. Usually the witness of the accident/incident opens the RTA. and damage to organizational property. critical. third time. Figure 1 Proposed Registration Form for Witness Report B. there currently exists no functionality to allow for multiple witness reports of the same event. marginal. and improbable) and severity changed from “high” and “low” to a 1-4 scale (catastrophic. location of anomaly . error-enforcing conditions. or more than three times. damage to organizational reputation. training. implementation. A. we created the following seven categories (from which the user can choose one or more): injury. A more accurate account of any event should include multiple perspectives blended into one holistic account that blends characteristics from each. As mentioned before likelihood had its scale changed from “real” and “potential” to a 1-5 scale (frequent. death. this is the term used to describe all data related to the registration. to provide a comprehensive account of the witnessed event . such as: certification scope. In the Registration section. maintenance management. managing agency. When the RTA is opened the key of that person is associated to the report. IV. One witness is often not willing.
occurrence. anomaly type. This is important because it is possible that the user doesn’t know about the existence of these reports. If it finds RTAs that matches those fields at some specific level. possible consequences. anomaly likelihood (1-5). the RTA is ended. zoom and filter. and the Corrective/Preventive Action and its responsible party(s) and deadline(s). In this section he will describe the Disposition Actions and its responsible party(s) and deadline(s). The widely cited visual-information-seeking mantra states that successful information visualization is conducted through a recursive exploration described as “overview first. he can either merge the two reports or add his report as a second version of the first one. the system is going to present the user a list of these reports. anomaly gravity. In the event he decides to merge them. Figure 2 Conceptual Model of Proposed Relational Database TreeMap software incorporates a initial overview with a movable field-of-view box. managing agency. key words. likelihood. The responsible party for the implementation section must identify these actions by clicking on the “implemented” or “not implemented” buttons. [Shneiderman] In our SIGA-customized version of the TreeMap software there are tree nodes. So. The last section is the verification. then details on demand. location and a range of dates. After the registration section is finished the responsible party for the analyses must fulfill the RTA analysis section. a different responsible party for the RTA approves some of the proposed actions. When the user chooses the “create a new RTA” option. If he classifies as effective. anomaly type. In the approval section. identification method. we incorporated a SIGA-customized version of Shneiderman’s Treemaps data visualization software with our own relational database. and visual attributes that combine to produce a dynamic query environment that C. managing agency. anomaly severity. filters. incidence. 
and incidence) and maintain the two sections with the description of the anomalies. It he classifies as not effective the RTA returns to the analysis stage. date and time of occurrence. where new actions can be included and some can be excluded. key word to be used for future search. anomaly severity (1-4). dynamic queries in the form of sliders that allow the user to filter uninteresting items according to a indicator variable. The responsible party for this section must classify the RTA as effective or not. The user must check if any of them are reporting the same anomalies. The system is going to compare some specifics fields: title. If this is the case. and a narrative description immediate corrective actions taken at the scene. after the user finishes the registration section. some are going to be implemented and some are not. It is important that the database only store one report per anomaly or manage to merge different reports of the same anomalies to have a more detailed view of what happened. Repeat. its possible consequences and the immediate actions. Data Visualization Software – Treemaps To combat the data overload problem. searching for RTAs for the same anomalies that might have been created.” Snheiderman’s . user-controlled zoom factors. and OLAP drilldown capabilities which capacitate quick detail reference on any selected item. These approved actions should be implemented. the user has the option to create a new RTA or to add a description in the Registration section of an existing RTA. the system is going to exclude some fields (certification scope. anomaly criticality (1-20). Although all the proposed actions from the previous list should be implemented. location of occurrence. the system is going to compare this report to other reports in the database.
with rigorous tests V. we propose a defined plan of action for a large petroleum distributor. gravity. and number of reports. identifies the most pertinent hazards. gravity. and not just the hazard itself . the visual attributes displayed within the visual space – label. Finally. Finally. Within the visual space. Each of these steps can also be iterated until an acceptable final product is produced. Second. If a software application can be produced to accomplish the automatic translation of previous reports into quantized database relations. responsible agency. In order to produce a safety culture that encourages abundant reporting of incidents an effective training program taught by human professors. In the design of a good user interface. this section will contain recommendations for action for future academic projects related to the continued development of our proposed software solution.visually reveals patterns and trends from a very large set of data. and a cognitive task analysis (see Vicente’s work for an extensive tutorial on this methodology ) conducted on workers using the implemented software solution. user testing must be included along all each iteration of the design process . A. The tree nodes in our software are location of occurrence. then the company should do so. the labels for each rectangle can display the name relevant variable displayed. . criticality. Figure 3 TreeMap Data Visualization and Filtration Software Customized for SIGA System B. criticality. implementation of a prototype within a work environment. and incident category. as well as effective recommendations that eliminate root causes of hazards. because of the amount of manual labor required for this. and disseminates that hazard information to the right people at the right time is the key to any successful safety management program. color –can each also be customized to represent the same variables (likelihood. RECOMMENDED ACTIONS Though our research has come to a close. 
Recommendations for Future Projects Projects for future academic endeavors include further user testing. size. or any other company acting in a high-risk arena with an interest in a better safety management system. As the implementation plan currently stands. Recommended Implementation Plan for Large HighRisk Company A robust and accurate safety information system that collects the right data. First. as seen in Figure 3. simply by manipulating the sliders on the right sidebar. development of a functional prototype. the visual space is divided according to these nodes. the information displayed can be filtered down through the choice of any or all of the following variables: likelihood. and number of reports). A successful implementation must include a safety culture that encourages reporting. there is no intent to enter prior incident reports into the current database. the project has the potential to continue in a variety of forms. a management program that seriously considers recommendations made by the program and its users. to fully implement our software solution.
Managing the Risk of Organizational Accidents. Safety.  Department of Defense. Roland & B. C . pp. Technology. VT: Ashgate. E. Mahwah.required for certification.J. 22-36. S. Productive.S.M. 1984. and Healthy Computer-Based Work.  J.  Shell. Roth. C. Y. and E. 1997. 2002. J. Becker. 1990. and an information visualization software to view large amounts of data at the same time and identify patterns. 2005. MD: Pearson Addison Wesley. pp.  Personal Communication with employees in the Health. 2005. and Environment Department at TransPetro for their generous support in describing the SIGA system. E.D.  B. Patterson. England: Pearson. Wickens.gov on April 7th. Cognitive Work Analysis: Towards Safe.  K. “Can we ever escape from Data Overload? A cognitive systems diagnosis. Upper Saddle River. pp 117-119  H. College Park. users of our proposed system should be capable of identify more potential hazards. New York: Springer-Verlag.: Pearson Prentice Hall. Moriarty. CONCLUSION Through the combination of a reporting culture that encourages employees to enter incident reports without fear of blame to provide sufficient data. Database Systems: a Practical Approach to Design. Implementation. Safety. Essex. Brookfield. 342-386. and communicate the presence of those high-priority hazards in order to successfully apply corrective actions that eliminate not only hazards.  T. System safety engineering and management. An Introduction to Human Factors Engineering. D. pp. Designing the User Interface: Strategies for Effective Human-Computer Interaction.S. and Work. 4.  . suggesting ideas for improvement.G. Obtained at www.C. Shneiderman. 360-389. Connoly and C.  Occupational Safety and Health Organization – The OSHA Homepage. NJ: Lawrence Erlbaum. Begg. Washington D. Woods. and Management. VI. 580-600.” from Cognition. 17-18. pp. 2006. and a renewal requirement every year would raise the average ability level of the typical user as well as encourage more users to buy into the system. M. 
2nd ed. NJ. Review of Tripod-DELTA. M. ACKNOWLEDGMENT The Capstone team thanks the Health. a wellorganized relational database to store the data. identify which hazards are most critical. but their underlying causes as well. REFERENCES . Liu. 1997.osha. Reason. Lee. and Enviironment Department of Brazil’s largest petroleum distributor. pp. Government Printing Office. 1999. New York: Wiley.: U. 2004.  D. a easy-to-use and meaningful reporting form to maintain data quality. vol. Plaisant.l-STD-882B. Vicente. and providing valuable feedback on our proposed solution. Aberdeen: Shell Expro UK.