CHEMICAL ENGINEERING TRANSACTIONS
VOL. 43, 2015
A publication of The Italian Association of Chemical Engineering
Online at www.aidic.it/cet
Chief Editors: Sauro Pierucci, Jiří J. Klemeš
Copyright © 2015, AIDIC Servizi S.r.l., ISBN 978-88-95608-34-1; ISSN 2283-9216

Modified Swiss Cheese Model to Analyse the Accidents

Mehmood Ahmad*(a,b), Marco Pontiggia(a)
(a) D’Appolonia S.p.A., Milan, Italy
(b) Politecnico di Torino, Torino, Italy
mehmood.ahmad@dappolonia.it

Human and organizational factors (HOF) can lead to accidents in process industries, but at the same time HOF can also be used as a safety barrier in order to optimize the existing resources. This paper illustrates the idea of using the revised Swiss cheese model to study an accidental situation, since this new model can provide a better understanding of the system with respect to automatic and manual safety barriers. Afterwards, the accidental scenario (i.e. Top Event) can be analyzed by using Bow-tie analysis. However, in this paper only the descriptive analysis of the accidental scenario has been provided using Bow-tie analysis.

1. Introduction

After studying a number of past accidents in process industries, it was concluded that an accident is usually caused by a number of active and latent errors, although sometimes it is difficult to analyse the latent errors. Latent errors are mainly associated with the organizational characteristics; therefore organizational characteristics have an influence on the outcome of an operator’s action. Meanwhile, OGP (2010) illustrated that human factor aspects of maintenance and normal operations account for around 30% of loss of containment incidents. Moreover, Lees’ (2012) reported that human factors are mainly determined by the organizational factors; therefore it is necessary to add organizational characteristics into the analysis whenever performing a human factor analysis, as in Colombo & Demichela (2008), Monferini et al. (2013) and Demichela et al. (2014).

Although control systems have achieved a high degree of automation, the process operator still has the immediate role for safe and economic operations of the plant (CCPS, 2012). Leva et al. (2013) also highlighted the notion of human and organizational factors (HOF) as a safety barrier. Ahmad et al. (2014) proposed a methodology to assess the HOF with respect to the different protective layers in process industries while emphasising the enhanced role of an operator. A lot of the existing literature focuses on learning from accidents; in this way retrospective learning can be applied during the prospective analysis to avoid the reoccurrence of similar events. A simple accident has been selected to apply the revised Swiss cheese model to the system as described in the accident report. Afterwards, the output from the Swiss cheese model can help to apply the learning in a prospective way by using several existing techniques; the Bow-tie technique has been chosen in this study.

1.1 Existing accidental models

Al-Shanini et al. (2014) have reported the categorization of different accidental models which are commonly used for accident analysis. Sequential, Epidemiological, Systematic and Dynamic Sequential Models (DSAMs) are the main classes of accident models as reported by Al-Shanini et al. (2014), and illustrated in Figure 1. Sequential models follow the chain of events, while epidemiological models focus on the performance deviations and also on the environmental conditions. However, the description of these models is not in the scope of this work, although the selection of these models highly depends on the objective, accuracy and capability.

Please cite this article as: Ahmad M., Pontiggia M., 2015, Modified swiss cheese model to analyse the accidents, Chemical Engineering Transactions, 43, 1237-1242 DOI: 10.3303/CET1543207

Figure 1: Accident model classification

2. Swiss cheese model

The Swiss cheese model is the most widely used accidental analysis model.
The Swiss cheese model was developed by Reason in 1990. In this model the concept of safety layers was used, while holes in the safety layers correspond to the deficiencies due to latent errors (e.g. organizational errors, environment etc.). When the holes in the defensive layers align, the hazard can lead to an accident. Figure 2 illustrates the Swiss cheese model.

Figure 2: Swiss cheese model. Adapted from Reason (2008)

Although this model also has some limitations, which are even acknowledged by James Reason, it can still provide a detailed insight into the system. The main aspect of this model is that latent conditions interact with the local triggering conditions, and in case safety barriers are unavailable, this could lead to an accident.

2.1 Modified Swiss cheese model

After doing a literature review it was found that the Swiss cheese model can be used to study the causal factors of an accident in an efficient way. In this slightly modified Swiss cheese model a classification has been made between the operational errors and errors during the prevention/mitigation actions. Operational errors relate to all those errors that occur during normal operations and consequently can lead the system to an undesired situation, while prevention/mitigation errors are the errors which can happen when the system is already in an undesired situation. At this point, actions could be preventive if the system is still within allowable boundaries, and mitigation if an accident has already occurred.
Moreover, a classification is also maintained among the technical/human and automatic/manual interventions corresponding to operational and barrier layers, respectively, as detailed in Figure 3. Relevant latent errors are also highlighted, showing their influence on the active errors. Whenever the layers align in a way that provides a path for an existing hazard, an accident can occur.

Figure 3: Modified Swiss cheese model

The operator can interact with the automatic safety barrier (e.g. ESD) both during normal operating conditions and during maintenance conditions (e.g. proof test), which are considered in the human operational layer. Apart from automatic safety barriers, manual safety barriers are also considered in this model. If the consequences of a failure are very local and can be controlled by the human barrier, then it is recommended to use the human barrier, since initiating the automatic shutdown sequences also involves steps like isolation and depressurization, which can themselves add complications.

This model assumes that potential undesired situations can occur due to technical failure (e.g. random rupture) and also due to failure of human intervention. Furthermore, if these scenarios have been foreseen during the design phase of the plant or during the safety assessment, there must be a safety barrier to prevent the situation or at least to mitigate the consequences. An accident (as defined during the design phase) can occur only if the automated safety barrier doesn’t intervene when required. In addition, manual barrier interventions can also be analysed by looking either into the supervision of human operational interventions or into the provision of manual prevention/mitigation measures. In this model organizational and meteorological latent errors/performance shaping factors are considered for the equipment, while for the operator’s actions organizational, environment and stress/fatigue factors have been considered.
However, to study an accident in detail other models can be used, depending upon the depth of the analysis.

2.2 Possible system paths

After doing a preliminary analysis of accidents, it was concluded that an accident can occur by involving different layers. Table 1 lists the three predominant accidental situations by involving the different layers as the initiating cause of an accident, while Model “B” represents the involvement of one of the barrier layers (either automatic or manual).

Table 1: Accidental models

| Model Name | Initiating cause | Prevention/Mitigation |
|------------|-------------------|-----------------------|
| 1 | Technical & Human | Automatic & Manual |
| 1B | Technical & Human | Automatic/Manual |
| 2 | Technical | Automatic & Manual |
| 2B | Technical | Automatic/Manual |
| 3 | Human | Automatic & Manual |
| 3B | Human | Automatic/Manual |

Model 1 in Figure 4 corresponds to situations when both technical and human active errors led to an accident, along with the failure of subsequent barrier layers.

Figure 4: Modified Swiss cheese model (Model 1)

Model 2 in Figure 5 corresponds to the situations when only the failure of the technical (i.e. equipment) layer led to an accident. In this model no active human errors are involved, but since technical failures could be influenced by the organizational characteristics, this model is considered separately.

Figure 5: Modified Swiss cheese model (Model 2)

Model 3 in Figure 6 represents the situations when only the active human failure can lead to an accident. In this model there will be no involvement of technical (i.e. equipment) errors.

Figure 6: Modified Swiss cheese model (Model 3)

[Figure labels, Figures 4 to 6: HAZARD; operational layers Technical and Human; prevention/mitigation layers Automatic and Manual; Accident; latent errors: Organizational + Meteorological conditions, Organizational + Environment + Stress/Fatigue; active errors.]

3. Human factor as a safety layer

The operator normally has to perform four D’s when used as a safety barrier. The 4 D’s are detect, diagnose, decide and do an action. Therefore, whenever using an operator as a safety barrier, the 4 D’s should be analysed accordingly to ensure the maximum reliability of the operator. Table 2 lists the most used barrier systems against different situations.

Table 2: Most used barrier systems. Adapted from NORSOK Z-013 standard

| Barrier function | Often used systems |
|------------------|--------------------|
| Over pressure protection | Process instrumentation; HIPPS; Material thickness/design margins |
| Leak detection | Automatic gas detection; Manual gas detection |
| Fire detection | Automatic fire detection; Manual fire detection |
| Fire protection | Active fire protection; Passive fire protection; Manual fire protection |

4. Case study: A past accident

In order to apply the revised Swiss cheese model to accidents, an accident that happened on 23/12/2003 at one of BP’s plants in the Netherlands (Noord-Holland), as reported in EMARS, is chosen. Unclear markings, which caused confusion leading to operator error, are the main causes of this accident. A temporary employee closed the valve under the supervision of his mentor.
After a while the temporary employee returned without his mentor. Since he had doubts whether the valve was really closed, he turned it a second time. At that time he thought he had closed it, but in fact with this action he opened the valve again, activating the alarm. He then decided to turn the valve a third time. Now the valve was closed. He didn’t know that there is always a (minor) delay in the decrease of pressure in the pipeline (since it was a long pipeline), because of which the alarm bells continue to go off for a short time. The operator then asked for the assistance of the mentor. They decided to turn the valve a fourth time, thinking it would close the valve, but actually opened it again. And most importantly, they turned off the alarms. Higher pressure in the pipeline led to the release of 50 tons of Butane to the atmosphere.

Unclear markings (i.e. open/close) on the valve caused the confusion for the operator in carrying out the right action; these markings were applied as an improvement/corrective action following a similar accident 2 years prior to this accident. But in fact these improvements caused more confusion. Since this accident was caused explicitly by operator error without any technical (i.e. equipment) failure, it corresponds to Model 3 as illustrated in Figure 6. The causal model of this accident is represented in Figure 7. This model can help to identify the relevant latent errors corresponding to a layer, or even to understand the relevant safety barriers. This retrospective approach to learning from accidents can also be applied in a proactive way to understand the operator and equipment interactions and also the function of safety barriers.

Figure 7: Accidental causal model

[Figure 7 labels: hazard: Butane (flammable); layers: Technical, Operator error to close a valve, Alarms, Supervision; accident: Butane released; latent errors: Design (double valve), Training + Design (markings) + Procedures.]

5. Conclusions

The proposed revised Swiss cheese model can help to investigate and to learn from accidents; this model can sum up almost all the scenarios that can exist in the process industries by considering the technical and human aspects. After learning from the accidents and obtaining the quantitative data, it will be possible to use it in a proactive way, indicating the probability of initiating events and quantifying the role of barriers.

Acknowledgements

This work is done in the project Innovation through human factors in risk assessment and maintenance management (InnHF), financed under EU FP7 Marie Curie Actions Initial Training Networks - FP7-PEOPLE-2011-ITN: Project ID 289837.

References

Ahmad M., Pontiggia M., Demichela M., 2014, Human and organizational factor risk assessment in process industry and as risk assessment methodology (media) to incorporate human and organizational factors, Chemical Engineering Transactions, 36, 565-570 DOI: 10.3303/CET1436095.
Al-shanini A., Ahmad A., Khan F., 2014, Accident modelling and analysis in process industries, Journal of Loss Prevention in Process industries, 32, 319-334.
Colombo S., Demichela M., 2008, The systematic integration of human factors into safety analyses: An integrated engineering approach, Reliability Engineering and System Safety, 93 (12), 1911-1921.
CCPS (Centre of Chemical Process Safety), 2012, Guidelines for Engineering Design for process safety, Second Edition, John Wiley.
Demichela M., Pirani R., Leva M.C., 2014, Human factor analysis embedded in risk assessment of industrial machines: Effects on the safety integrity level, International Journal of Performability Engineering, 10 (5), 487-496.
EMARS (Major Accidental Reporting System), Major Accident Hazards Bureau, European commission, https://emars.jrc.ec.europa.eu/fileadmin/eMARS_Site/PhpPages/ViewAccident/ViewAccidentPublic.php?accident_code=645, accessed 20.11.2014.
Lees’ (2012), Loss Prevention in the Process Industries: Hazard identification, Assessment and Control, Volume 1, Fourth edition, Butterworth-Heinemann.
Leva C., Bermudez Angel C., Plot E., Gattuso M., 2013, When the human factor is at the core of the safety barrier, Chemical Engineering Transactions, 33, 439-444 DOI: 10.3303/CET1333074.
Monferini A., Konstandinidou M., Nivolianitou Z., Weber S., Kontogiannis T., Kafka P., Kay A.M., Leva M.C., Demichela M., 2013, A compound methodology to assess the impact of human and organizational factors impact on the risk level of hazardous industrial plants, Reliability Engineering and System Safety, 119, 280-289.
NORSOK Z-013, 2001, Risk and emergency preparedness analysis, Rev, 2, Norwegian Technology Centre, Oslo, Norway.
OGP (International Association of Oil and Gas Producers), 2010, Risk assessment data directory: human factors in QRA. Report no. 434-5, March 2010.
Reason J., 2008, The human contribution: Unsafe acts, accidents and heroic recoveries, Ashgate: Farnham.