“Shallow men believe in luck; wise and strong men in the cause and effect.” – Ralph Waldo Emerson
In process safety, one important aspect of assessing risk is determining what safeguards are in place to protect against a hazard. Often, we see teams credit human response as a safeguard, sometimes relying on the response as the only safeguard to protect against a hazard.
Is this a wise practice? Can we really rely on people to provide enough protection against fires, explosions or toxic releases?
The simple answer is that it depends.
Human Response as a Layer of Protection
When PHA teams decide to credit human responses as risk reduction measures, those responses become safety critical layers of protection. Therefore, any safety critical human response should be evaluated like all other layers of protection: it must be effective, independent and auditable. Can the human response arrest the hazard? Can it do this if this response is all that works? Can you test the human response? If the answer to all three questions is yes, then human response may be credited.
When considering these questions, it is critical to be honest about the capabilities of personnel to respond. No good, and in fact great harm, can be done when we are not realistic about the abilities of the people we credit. When human response is being relied upon to protect our people, the community, the environment, and our assets, we need to be sure that we have honestly assessed the situation. If that response fails when we need it to work, we will all suffer the consequences.
Finding the Problem
To credit human response as a safeguard, it needs to be able to prevent the hazard. Generally, the ability to address the hazard is not in question. When the proper controls are available, either manual or remotely actuated, a person can intervene before a dangerous situation becomes an incident.
Rather, the questions that really need answers are “Can a person detect the hazard?” and “Is there enough time to respond?” To detect the hazard, the person must either be present to discover the problem with their own senses, or there must be a sensor that gives an indication or prompts an alarm that there is a problem. In either case, the indication or alarm should in turn prompt someone in a specific role to address the problem in a specific way, rather than have them intuit this on their own.
This also brings up the subject of operator rounds. To be blunt, unless the situation presents a very obvious symptom of a hazard – low odor threshold, loud and distinct noises, visible cloud or spray – or there is a specific check list that will catch the problem, we tend to give much more credit for an operator on rounds catching the problem than is warranted.
Fixing the Problem in Time
Once someone has detected the problem, they still need enough time to respond before the hazard becomes an event with impacts. If they do not discover that the reactor is being overwhelmed until the seams are coming apart, then the human response cannot really do much good.
As we consider the time to respond, we must address the concepts of process safety time and buffer time. Process safety time is the time from when a hazard first becomes present to the point that a hazardous event occurs. To be effective, the response time must be less than process safety time. Response time includes time to detect the problem, time to decide what to do about it, time to act, and time for that action to take effect. This idea, that response time must be less than process safety time, is true whether the response is a human response or something else.
The difference between response time and process safety time is the buffer time. This buffer time is what determines how much credit can be taken for human response. In general, the buffer time must be at least half of the process safety time to take any credit for a response, human or otherwise. For human response, buffer time of more than 50% of process safety time allows for an order of magnitude reduction of risk.
The more time the human has to respond, the more likely they are to succeed. When the buffer time is more than 90% of the process safety time, that is, when the response time is less than 10% of the process safety time, the risk reduction can improve to two orders of magnitude as long as that does not exceed the probability of failure of any component involved in the response. For instance, if the response is to an alarm with a PFDavg (average probability of failure on demand) of 0.1, then overall risk reduction of the response can be no better than that.
If there is an alarm, the position of the alarm setpoint tells us the buffer time, but when the human must detect the problem on his own, buffer time gets a little trickier. In general, it's best to err on the side of caution and take the lower credit unless one can spell out in detail how the higher buffer time is achieved.
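The timing rules in this section, written out as an added example that is not part of the original article. The field names and sample numbers are constructed; treating a buffer of exactly 50% as creditable, always taking the lower credit for unaided detection, and giving no credit when the alarm is the initiating cause are assumptions drawn from the text.

```python
from dataclasses import dataclass

@dataclass
class HumanResponse:
    process_safety_time: float      # minutes from hazard onset to hazardous event
    detect: float                   # minutes to detect the problem
    decide: float                   # minutes to decide what to do
    act: float                      # minutes to carry out the action
    take_effect: float              # minutes for the action to take effect
    component_pfds: tuple = ()      # PFDavg of each alarm/sensor/valve relied on
    alarm_prompted: bool = True     # False: operator must notice unaided
    alarm_is_initiating_cause: bool = False

def credited_pfd(r: HumanResponse):
    """Return (PFD credited to the response, reason). 1.0 means no credit."""
    if r.process_safety_time <= 0:
        raise ValueError("process safety time must be positive")
    # An alarm that failed as part of the cause cannot prompt the response.
    if r.alarm_prompted and r.alarm_is_initiating_cause:
        return 1.0, "alarm is part of the initiating cause"
    response_time = r.detect + r.decide + r.act + r.take_effect
    buffer_fraction = (r.process_safety_time - response_time) / r.process_safety_time
    if buffer_fraction < 0.5:
        return 1.0, f"buffer is {buffer_fraction:.0%} of process safety time"
    # More than 90% buffer allows two orders of magnitude, but only when an
    # alarm fixes the detection time; unaided detection takes the lower credit.
    base = 0.01 if (buffer_fraction > 0.9 and r.alarm_prompted) else 0.1
    # The response can be no better than its weakest component.
    pfd = max((base, *r.component_pfds))
    return pfd, f"buffer is {buffer_fraction:.0%} of process safety time"

if __name__ == "__main__":
    # Constructed scenarios: 60 minute process safety time.
    scenarios = {
        "fast, alarm PFDavg 0.1": HumanResponse(60, 1, 1, 2, 1, (0.1,)),
        "fast, alarm PFDavg 0.001": HumanResponse(60, 1, 1, 2, 1, (0.001,)),
        "slow response": HumanResponse(60, 20, 5, 10, 5, (0.1,)),
        "found on rounds": HumanResponse(60, 1, 1, 2, 1, (), alarm_prompted=False),
    }
    for name, r in scenarios.items():
        print(name, credited_pfd(r))
```
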
Independence and Testing
We must also judge human response for its independence, both from the initiating cause and from other layers of protection. In general, human response tends to be independent of a process. One thing to consider is an alarm or indication. If that component is part of what failed in a hazardous scenario, we cannot count on it prompting a human response.
Another case to consider is multiple alarms on the same hazard scenario. While multiple alarms may indicate the hazard, unless they alarm at different points in the progression of the hazard, thus giving multiple opportunities for response, they still rely on the same human response to avert the event. For example, just as it would be inappropriate to consider both a credit for a high alarm and a second credit for a high-high alarm coming from the same sensor, it would be inappropriate to credit both a pressure and temperature alarm that would prompt the same human response.
On a different note, human response itself may not be independent of the cause. When an error is the cause of the hazardous condition, a team must be careful about crediting a human response to the hazardous condition, especially when it is the same person responding as was the initial cause. Also, when the hazard in question involves personnel exposure, then a safeguard where a person must be present to detect the hazard is not really a safeguard.
Finally, there must be a way to ensure the human response is auditable and audited before taking credit for it. This includes some combination of alarm testing, shutdown testing, emergency drills, training, etc.
Bringing it all together
When we have gone through all these considerations and found that a human response is effective, independent and auditable, then we can credit it as a layer of protection. When it does not meet any one of these criteria, then we must disregard it in favor of other safeguards or improve it such that it does.
When we rely on operator rounds to catch a hazard by chancing upon a local indicator when a problem occurs, consider installing an alarm to prompt the operator instead, acknowledging that alarms have their own probability of failure.
We must be honest in our deliberations when considering human response as a safeguard against process hazards and be open to the possibility that we cannot count on human response for a scenario. On the other hand, we should take credit where it is due when human response is applicable, especially when a wide network of layers of protection is needed to properly cover a risk.
Going forward, let’s take a good hard look at our considerations of human response and make sure that when we take credit for it, it can be counted on to provide the protection we are counting on.