
Can Technology Eliminate Human Error?
R Rajagopal, Chief Executive Officer, Robot Instruments

This article argues that it is not possible to design control and safety systems that eliminate all human error during operation, because people are involved in specifying, designing, implementing, installing, commissioning and maintaining systems as well as operating them. The paper illustrates this with examples of incidents caused by human error and concludes that, even if systems can operate without human intervention, the possibility of human error remains at other phases of the lifecycle.

Speakers at a conference on "Human Factors & Behaviour" put forward views on whether human error can be eliminated by smart technology and instrumentation systems. Some described ways of changing behaviour; others thought it more effective, particularly when trying to improve process safety, to change designs or methods of working so as to remove or reduce opportunities for human error. All agreed that both approaches are needed, but there was real disagreement over which is the more practicable and successful, with some suggesting that the focus should be primarily on designs that eliminate human error during operation. This paper gives examples of incidents from a variety of industry sectors to illustrate:

• The problems of focusing on designs when trying to improve process safety;
• The need to consider the behaviour and methods of working of designers/engineers.
Human Error
When trying to improve process safety, we need to consider all three approaches to reduce the opportunities for human error:
1) Ways of changing behaviour,
2) Designs,
3) Methods of working (procedures and guidelines).

Any discussion of the value of focusing on designs needs to consider:
1) The various types of human error,
2) The design process itself.

Types of Human Error
Figure 1 provides one classification of types of human failure. We might therefore think that a design could aim to eliminate, during operation, all seven of the categories of errors, mistakes and violations shown in Figure 1. A design would then not be accepted unless it had been evaluated against all possible skill-based errors, mistakes and violations during operation of the design.

Design Process
Operation is only part of the lifecycle of any design and the guideline does not cover the capability of the designer or the activities involved in design or any parts of the lifecycle other than operation and maintenance. Human error needs to be considered during:

1) Specifying,
2) Designing,
3) Implementing,
4) Installing and commissioning,
5) Operating,
6) Maintaining.

The book Out of Control (2003) summarises the analysis of 34 incidents in the process industry. On pages 44 and 45 it states: ". . . a total of 56 causes were identified for the 34 incidents. This data has been grouped in Table 2, which gives the percentage of the primary causes attributable to each lifecycle phase."

A pie chart (based on Figure 10 from Out of Control, 2003) presents these figures. The summary in Out of Control reveals that technology failures accounted for only a small proportion of the incidents. Of the 34 incidents analysed, 44 per cent had an inadequate specification as their primary cause.

Other primary causes listed are:
• 20 per cent changes after commissioning;
• 15 per cent design and implementation;
• 15 per cent operation and maintenance;
• 6 per cent installation and commissioning.
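The figures above can be tallied in a short sketch. The phase names are paraphrased from the article, and the percentages are those quoted from Out of Control (2003):

```python
# Primary causes of the 34 analysed incidents, grouped by lifecycle phase
# (percentages as quoted from Out of Control, 2003).
primary_causes = {
    "specification": 44,
    "changes after commissioning": 20,
    "design and implementation": 15,
    "operation and maintenance": 15,
    "installation and commissioning": 6,
}

# The five groups account for all of the primary causes.
assert sum(primary_causes.values()) == 100

# Specification errors dominate: nearly half of the primary causes arise
# before any equipment is built or any logic is implemented.
worst_phase = max(primary_causes, key=primary_causes.get)
print(worst_phase)  # specification
```

The striking point, made explicit by the tally, is that only a minority of the primary causes fall in the operating phase that "design for operation" addresses.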

In order to produce a design that eliminated all human errors during operation we would also need to eliminate human error from all the other phases of the lifecycle.

Out of Control (2003) illustrates how difficult this is to achieve for control, monitoring and protection systems. The following examples illustrate that similar problems apply to many designs, not just control, monitoring and protection systems.

Specification Error Example
An engineering datasheet for a pressure transmitter specified an incorrect measured range during the design and detailed engineering phase. This resulted in incorrect calibration of the transmitter during commissioning. During operation/process control, the transmitter never read above a certain pressure even when the process pressure had actually changed significantly; the operator was unaware of the actual pressure, all because of a simple specification error.

Had the transmitter been used in a safety-critical service, this could have developed into an unwanted scenario and a potentially hazardous situation.
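A minimal sketch of how such a specification error hides a real excursion. The numbers are hypothetical assumptions for illustration: a transmitter wrongly calibrated for 0-10 bar on a process that can in fact reach 16 bar:

```python
def transmitter_reading(actual_pressure, cal_low, cal_high):
    """Simple model of a transmitter that saturates at its calibrated
    range: anything outside the span is clipped, not reported."""
    return max(cal_low, min(cal_high, actual_pressure))

# The datasheet (wrongly) specified a 0-10 bar range for calibration,
# although the real process can reach 16 bar.
WRONG_LOW, WRONG_HIGH = 0.0, 10.0

for actual in (4.0, 9.5, 12.0, 16.0):
    shown = transmitter_reading(actual, WRONG_LOW, WRONG_HIGH)
    print(f"actual {actual:5.1f} bar -> operator sees {shown:5.1f} bar")

# Above 10 bar the displayed value never moves, so a rising pressure
# excursion is invisible to the operator.
```

Within the calibrated span the reading tracks the process; beyond it the display is flat, exactly the behaviour described in the incident.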

Design Errors
The process control system, or DCS, is essentially used to maintain the measured parameters (flow, pressure, temperature, level) in the process within pre-determined limits and so prevent the process developing into a hazardous situation. Simple configuration errors in the DCS, such as wrong channel addressing or incorrect tag references configured on the operator display (SCADA/HMI), can mislead the operator into taking incorrect action on alarms that appear on the HMI display. If PT-1101 is used for pressure control through a process unit, but the operator display is incorrectly configured to reference the value of PT-1011 instead, the result can be disastrous.
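Tag mismatches of this kind lend themselves to a simple automated cross-check before commissioning. A minimal sketch, where the loop name `PIC-1101` and the configuration tables are illustrative assumptions, not taken from any particular DCS:

```python
# Hypothetical configuration extracts: which transmitter tag each control
# loop actually reads, and which tag each HMI faceplate displays for it.
controller_io = {"PIC-1101": "PT-1101"}   # loop -> wired input tag
hmi_display = {"PIC-1101": "PT-1011"}     # loop -> tag shown to operator

def find_tag_mismatches(io, hmi):
    """Flag loops where the operator display references a different
    tag from the one the controller is actually using."""
    return [loop for loop in io if hmi.get(loop) != io[loop]]

print(find_tag_mismatches(controller_io, hmi_display))  # ['PIC-1101']
```

The check is trivial, but it has to be specified and run: the cross-check itself is one more designed artefact that a human can omit.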

Implementation Errors
A supplier provided 20 flanges: 19 mild steel and one stainless steel (as he did not have enough mild steel flanges). He thought this was helpful, as stainless steel flanges exceed the required mild steel specification. He did not consider that a mild steel weld would have failed on the stainless steel flange. Fortunately, the customer used 100 per cent material testing and the mistake was identified before welding commenced. Given a good specification, implementation errors should be easier to detect, but design and implementation errors are still a significant cause of incidents.

Installation and Commissioning Errors
The low-pressure trip failed at a power station. Examination revealed that the commissioning override had never been removed. (This might be considered a design error, as the override should have included a timer limiting how long the override could remain in place.)
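The timer suggested in the parenthetical remark could be sketched as follows. The class name and the four-hour limit are illustrative assumptions, not taken from the incident:

```python
import time

class TimedOverride:
    """A commissioning/maintenance override that expires automatically,
    so it cannot be left in place indefinitely."""

    def __init__(self, max_duration_s):
        self.max_duration_s = max_duration_s
        self.applied_at = None

    def apply(self, now=None):
        # Record when the override was put in place.
        self.applied_at = time.monotonic() if now is None else now

    def is_active(self, now=None):
        # The override only holds within its permitted window;
        # afterwards the trip function is automatically restored.
        if self.applied_at is None:
            return False
        now = time.monotonic() if now is None else now
        return (now - self.applied_at) < self.max_duration_s

# Simulated clock: override applied at t=0 with an assumed 4-hour limit.
ovr = TimedOverride(max_duration_s=4 * 3600)
ovr.apply(now=0.0)
print(ovr.is_active(now=3600.0))      # True  - still within the window
print(ovr.is_active(now=5 * 3600.0))  # False - expired, trip restored
```

Note the lifecycle point the article is making: even this safeguard against a commissioning error must itself be specified and designed correctly, by humans.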

A distillation column was upset every time it rained. Months were spent trying to analyse what was happening. Eventually a small plastic protective plug was found in the vent port of the air supply regulator of the valve controlling the heat input to the column. Normally there was sufficient leakage around the plug for the regulator to work correctly, but when rainwater got into the threads between the regulator and the plug it formed a seal. The plug should have been removed as part of the installation and commissioning process.

Operation Errors Despite Design for Safety
Some decades ago there was an unusual increase in the incidence of minor shunt road accidents. Initial analysis showed the increase was occurring with more expensive … into the wrong tank. The design, plus the intervention of the supervisor, prevented an accident arising from mixing acid and caustic soda.

Maintenance Errors
Repair or replacement of an aircraft windscreen (Aviation Safety Network, 1990): The windscreen of a British Airways BAC One-Eleven 528FL passenger aircraft was replaced using bolts of which 84, out of a total of 90, were of smaller than specified diameter. The maintenance work looked complete, but on 10 June 1990, when the aircraft was pressurised at altitude, the windscreen blew out. The commander was sucked halfway out of the windscreen aperture and was restrained by cabin crew while the co-pilot flew the aircraft to a safe landing at Southampton Airport.

1. Shutdown valve: A solenoid-operated pneumatic valve (SOV) was a vital part of a shutdown system. The exhaust port of the SOV was not covered while the surrounding area was cleaned by sand blasting. Sand entered the SOV and caused it to fail to danger. Fortunately this was discovered at the next trip (proof) test, so no injuries resulted.

2. Aircraft pressure ports (Job, 1998): The underside of an aircraft was to be cleaned, so the static (reference) ports for both the air speed indicator and the altimeter were covered with strong adhesive tape before cleaning began. The maintenance procedure required that, after completing the cleaning, the cleaner should remove the tape and the maintenance supervisor should sign that he had checked that the tape had been removed. Despite these precautions, the aircraft took off with both static ports still covered with tape.

During the flight the pilot received the bizarre combination of simultaneous warnings for both overspeed and stall. Sadly, the plane crashed into the sea with the loss of all crew and passengers before the false alarms were recognised.

The examples in Out of Control (2003) and those above illustrate that human error may occur when specifying, designing, implementing, installing, commissioning, operating and maintaining systems. Even if technological systems can operate without human intervention, there is still the possibility of human error at other phases of the lifecycle.

Design may reduce the possibilities for human error during operation, but only if human error can also be eliminated during all the other phases of the lifecycle. Thus it will be necessary to focus on human behaviour and methods of working during the whole lifecycle, not just operation. Focusing on "the design for operation" alone will not be enough.