IADC Human Factors Guidance On MODU MOU Safety Case Content
HUMAN FACTORS
Issue 1 – 3 July 2019
Contents
1. Abbreviations
2. Introduction
2.1 Objective
2.2 Design and Age of Installation
3. Relevant Legislation
6. Guidance
1. ABBREVIATIONS
2. INTRODUCTION
This Human Factors (HF) guidance has been developed by an International Association of Drilling Contractors
(IADC) North Sea Chapter (NSC) Work Group. The document is based on the Health and Safety Executive
(HSE) internal guidance; it also incorporates amendments and feedback provided by NSC members and input
from the HSE. This document describes and provides guidance that could be used to assist IADC North Sea
Chapter members (duty holders) in completing HF topic assessments for a safety case submission, to the
extent that HF have an impact on MAH, and when developing their management systems with respect to
Human Factors elements.
Reference is made throughout this guidance to industry codes, standards and guidance and there is an
expectation from the HSE that duty holders should follow the principles set out in them. This should not be
interpreted as conferring any status to such material in terms of achieving legislative compliance and does
not guarantee a duty holder will comply with the regulations or provide all the information required of them.
2.1 Objective
The objective of this guidance is to assist duty holders in making appropriate provision for HF in their Safety
Cases and management systems, and by so doing, to reduce the risks from major accident hazards (MAH) where HF
may have an impact. This document should be read in conjunction with the HSE Offshore Safety Directive
Regulator (OSDR) Guidance and Procedures for the Assessment of Safety Cases, and the assessment
principles contained within the APOSC. There are some useful links to both HSE and other industry guidance
within each sub section and at the end of this document.
The document should be read taking into account the fact that for a newly designed and built rig a higher
level of assessment, rigour and implementation of results from HF integration studies and assessment will
be feasible than for heritage assets.
The starting point for the guidance and safety case “criteria” set out in this document is an assumed “ideal world”,
applicable when designing and laying out a new build rig. Members should take into consideration these
criteria not only for a newbuild, but when a rig is undergoing major modifications e.g. fitting of new
controls/control locations. Generally, a major modification in this context is considered as a change to a SECE
functionality, where human intervention is material either for monitoring, control or emergency response.
For existing/older rigs it will not be possible to meet the criteria in full, or the cost of meeting the criteria
would be disproportionate to any Human Factors benefit gained.
Where it is not possible to meet the criteria set out in this document it is recommended that members either
specify alternatives e.g. what has been done by way of implementing human factors considerations, or detail
the reasons why meeting the criteria in full would be impractical, e.g. life cycle of asset. It may be possible
to implement alternatives to the criteria that better reflect the age and design of the rig.
3. RELEVANT LEGISLATION
Human Factors are addressed (directly or indirectly) in many different regulations, but the principal ones that
impact UK offshore operations are listed below:
4. HUMAN AND ORGANISATIONAL FACTORS
4.1 Scope
This section provides guidance for the assessment of safety case content with respect to the integration of
Human and Organisational Factors considerations. Human Factors is a wide-ranging discipline. It is
concerned with both the human interactions with the technical components of the system, and the wider
human activities required to sustain the system. The topic area of HF covers four broad areas:
The four main areas of Human Factors are sub-divided into 14 practical topics for Assessment Sheets Sections
G1 to G14, shown in the table below. They are underpinned by regulation and relate to key offshore safety
issues, for both assessment and inspection of rigs under the Offshore Installations (Offshore Safety Directive)
(Safety Case etc) Regulations 2015 (SCR2015).
Full application of Human Factors principles in Design is mainly relevant for new builds, and for major
modifications, but the feasibility of integration of HF principles into existing systems should be considered
for existing rigs also, to the extent that it can be considered reasonably practicable.
The focus of HF assessment in safety cases is on the role people play in the prevention, causation, escalation,
and mitigation of MAH scenarios. The safety case should demonstrate how the variability of human
interaction with technical systems is addressed, and how HF considerations may play a role in the prevention
or mitigation of MAH scenarios. It should show that the duty holder has a systematic approach to managing
the human contribution to risk by having a management system in place to:
(i) Identify relevant safety and environmentally critical activities, and specifically those which could
prevent, initiate, control or mitigate the identified MAH scenarios
(ii) Analyse these critical activities for the potential for human performance variability, including
physical and mental factors, unintentional actions and deliberate actions that could lead to
undesirable outcomes.
(iii) Implement risk control measures appropriate to the type of human error identified
(iv) Identify relevant performance influencing factors (PIFs) and introduce measures to create
circumstances enabling safe intervention and minimise the likelihood of adverse outcomes of
human error.
When duty holders do not possess the necessary HF competence in-house, external competent parties can
be drawn upon, to the extent that they can demonstrate relevant knowledge of the sector and critical
operations to help inform and direct certain aspects of HF integration and assessment.
To facilitate assessment of a safety case, the HSE have developed a set of criteria relating to Human
Factors that are defined and set out in the following assessment criteria. Duty holders should ensure that
the safety case contains sufficient information/references to constitute a demonstration that suitable and
proportionate consideration has been given to the MAH identified.
The extent to which duty holders provide a description or evidence of HF management should be
proportionate to the risk exposure. HF integration should be made subject to the overall ALARP
demonstration, as an integrated part of the safety case.
This section gives guidance on the depth of assessment required to determine the adequacy of the
demonstration that measures have been, are being, or will be taken to ensure compliance with the relevant
statutory provisions.
Where safety case contents match with good practice, identified in the topic assessment sheets, there will
usually be no need for HSE to probe into the details of how the good practice is applied. This may, however,
be a suitable issue for follow-up by inspection.
When a new rig is built subject to this guidance, HF considerations feature in all phases of the rig lifecycle
from inception through to dismantling. Human performance should be adequately considered at the initial
strategic, planning and design stages capturing user requirements and any potential mismatch between
design and operational function. Consequently, there is greater potential to eliminate hazards and reduce
costs during the design phase than at any other time.
Where rigs are already designed and built and are transferred to UKCS, or are already operating in the
UKCS, any risk reduction measures should be considered on an ALARP basis, where such measures are
considered to credibly be able to prevent or mitigate control losses over Major Accident Hazards.
The application of the Human Factors in Design to existing rigs/equipment/systems etc should consider
whether the design adequately considers HF in terms of operability, maintainability etc and whether there
are reasonably practicable measures to improve those aspects leading to improved
operability/maintainability/access etc, but this should be in line with the ALARP principle.
The integration plan could be used to develop a HF implementation plan for an organisation.
5. HUMAN FACTORS ASSESSMENT SHEETS
The Human Factors in design guidance below (G1-G5) should be considered for all new build drilling rigs,
constructed subject to this guidance that will enter the North Sea and UKCS regulatory regime.
Scope
Human Factors Integration (HFI) is a good practice approach for applying HF to systems development. As a
method, it provides a framework to help ensure that all relevant HF issues are identified and addressed in
new design and major modification projects. In addition, the HFI approach has a management strategy that
aims for timely and appropriate integration of HF activities throughout the project.
The earlier that HF are considered in the new building design process, the better the results can be in terms
of options for positive human intervention. For larger, complex projects, this entails either the development
of a specific Human Factors Integration Plan (HFIP), and/or clear provisions for the integration of HF in the
overall project plan. For smaller modifications, the duty holder should establish a framework for
proportionate HF integration (e.g. a targeted Human Reliability Assessment (HRA) triggered by local
Management of Change arrangements).
The safety case should describe how a systematic approach to integrating HF within the design, assessment
and management of systems has been applied throughout each stage of the rig’s lifecycle.
To meet the criteria for Human Factors Integration, the duty holder should describe within their Safety
Case how they integrate HF into major projects, or for major modifications, as applicable by:
• The user and organisational requirements, and how a balance between user-centred design options
and relative cost, in line with ALARP principle has been achieved.
• How human reliability has been integrated.
Core References for guidance
• International Association of Oil and Gas Producers (IOGP) (2011) Human Factors Engineering in
Projects. Report number 454
• Energy Institute (2011) Human Factors Briefing Note No. 16 – Human Factors Integration. London
• Health and Safety Executive (2002) Human Factors Integration: Implementation in the onshore and
offshore industries. Research Report 001. Sudbury: HSE
• NORSOK S002 (2018) Working Environment
Scope
Human factors feature in all phases of the rig lifecycle from inception through to dismantling. Inappropriate
physical design and layout of plant elements can affect workers’ ability to access, commission, hear, see,
operate, inspect and maintain. While people are typically willing and able to adapt to shortcomings in
physical designs, doing so can adversely affect their reliability i.e. they may take longer, and be more likely
to make errors in what they are doing.
To prevent poor design of the rig and equipment leading to a major incident, it is important that the duty
holder ensures the rig and its equipment have been designed with both operation and maintenance in mind
e.g. accessibility for inspection, testing and maintenance; and that the separate parts of the rig and
equipment are clearly labelled. For new builds and major modifications, workforce representatives should,
where possible, be involved in the design process e.g. the task analysis, identifying potential human failure
and any performance influencing factors where practicable.
There is an expectation that all rigs follow current industry practice and the basic ALARP principle. However,
the extent to which the rig applies current standards to legacy equipment/rigs should be proportionate.
Risk assessment in this regard should be proportionate to the nature of the MAH presented
by the rig. Where improvement measures are identified, consideration for implementation should be based
on whether it is reasonably practicable.
As part of the Human Factors Integration Plan (HFIP), a Human Factors Engineering (HFE) design specification
should be developed. The HFE design specification should define the HF requirements for the design and
layout of equipment and workspaces. It should cover, as a minimum, workspace envelope, horizontal and
vertical access, and equipment specific requirements. The design specification should also include minimal
requirements for the location of critical valves e.g. for vertically and horizontally mounted valve stems and
the location of instruments e.g. viewing distances and accessibility for calibration/testing routines, etc.
Although not directly related to MAH the design specification may also recommend the completion of
additional HFE activities such as Valve Criticality Analysis (VCA) to assist with the optimal selection of valves
in terms of location and orientation (based upon frequency of operation and maintenance). VCA can also be
used to justify valves for motor operation and/or gear actuation based on criteria such as maximum cracking
force, number of rotations and line size etc.
The HFE design specification should provide a ’one-stop’ reference for generic design requirements. For
example, rotating machinery (especially for long-lead items such as drilling and well control equipment, etc),
piping (for safety critical valve locations, flange heights, spool weights, etc) and control & instrumentation
(accessibility to pressure/heat/temperature readouts, design and layout of local control panels, etc). It is
important to remember that an HFE design specification is only as good as the data that underpins it.
Measurements and dimensions used in the HFE standard should be confirmed by the duty holder to be
suitable for the people who will use it.
A key objective of the HFE Design Specification is to minimise the risks resulting from human error, by
applying Human Factors principles to design. Designing tasks, equipment and workstations to match the
user’s capacities and limitations can reduce the risk of accidents. Effective application of HF principles,
approaches, methods and techniques, across the design phases, can make work safer.
Duty holders should describe in the safety case how a process has been applied to ensure that Human Factors
objectives specified during the engineering phase have not been compromised during construction (e.g.
locating piping, electrical cabling/trays etc. in way of escape routes or muster points). Without an effective
assurance process HFE design can be compromised and the benefits of good design negated.
Where rigs, plant equipment and systems are purchased in an “as built” status then the purchasing policies,
or the specifications for such equipment and systems should include specifications or reference to standards
on relevant Human Factors.
To meet the criteria for Installation Design and Layout of Equipment the duty holder should describe within
their Safety Case:
Additionally, where relevant, the following aspects should be summarised in the safety case:
• Inherent safety principles applied in design and modification processes, relevant personnel involved
in the design reviews, and usability/operability assessments performed.
• Safety & Environmentally critical plant and equipment including layout on the rig.
• Input from end users and where possible consultation with the workforce as part of the design
specification.
Core References
G3. CONTROL ROOM DESIGN
The duty holder should be able to demonstrate that appropriate HF considerations have been given to the
design, commissioning, and operation of control rooms under both normal and abnormal operating
conditions to reduce the frequency of human error due to control room deficiencies. Control rooms should
be designed to ensure that the risks to the occupants of the control room are within acceptable limits and
that it is suitable for the purposes of maintaining control of the rig, should the emergency response plan
require it, following any foreseeable, undesirable events. The safety case should demonstrate how systems,
including software, which require human interaction have been designed to take into account the needs of
the user and be reliable.
Where there is a reliance on human performance to keep a system within design parameters manually, the
safety case describes those measures taken to ensure human reliability.
General
The work performed in control locations can be mentally intense and demanding, requiring sustained
attention, concentration and high levels of situational awareness. Getting the HFE aspects right can be
particularly important in ensuring reliable human performance.
Duty holders should describe how a human-centred approach has been applied to control location design.
For example, control location design should ensure that interaction between systems, equipment and human
operators, takes into account safety critical communications between control location staff, front line
personnel and the emergency response organisation.
Note: Ergonomic checklists can be used to ensure drilling/ballast control room design, layout and
environmental aspects are compliant with relevant standards (e.g. ISO 11064) and that control location
equipment is based on the profile of the users etc.
Techniques such as CRIOP (CRisis Intervention and OPerability analysis - HSE’s Process Operations Staffing
Assessment Methodology i.e. “The Entec methodology” - CRR 348/2001), can be used to determine whether
staffing levels are sufficiently robust to prevent and/or respond to hazardous incidents.
To meet the criteria for Control Room Design the duty holder should describe within their Safety Case:
How human error is acknowledged and systematically treated in the design of HMI, with reference to current
industry practice and recognised human factors engineering (HFE) standards. Where there is a reliance on
human surveillance and/or intervention to keep a system within operating parameters manually, the safety
case should describe measures taken to ensure human reliability. For example:
• Clear labelling/tagging of plant (valves, flow direction and contents of pipework) and materials.
• Information and status are available to the operator (wellhead pressures, densities, volumes and flow
rates, etc) and are appropriately located.
• Control systems are designed to inform the user/operator if parameters deviate from the expected.
With regards to computer operated systems, the safety case should describe how interfaces are designed to
ensure effective and reliable interaction with the distributed or supervisory control and data acquisition
systems (DAS) and support the high levels of situational awareness required of control location operators. In
particular:
• A clear description of all relevant control locations and systems and interfaces.
• Reference to relevant standards applied.
• How relevant standards and current industry practice are applied during upgrades and modifications
of existing control interfaces, as well as the design of new control systems.
Note: Control location design should ensure that layout, lighting, noise and vibration levels etc. provide an
enabling and sustainable environment at all times, including during emergencies.
Core References
• The British Standards Institution BS EN ISO 11064 (Parts 1-7) Ergonomic design of control centres.
London: British Standards Institution
• Engineering Equipment and Materials Users Association (2010) Process plant control desks utilising
human-computer interaction. A guide to design, operational and human-computer interface issues.
EEMUA 201
• ASM Consortium Guidelines (2015) Effective Console Operator HMI Design (2nd edition). ASM
Consortium. Houston, TX: Honeywell.
Scope
HMI includes all controls and displays (software, physical, digital and analogue) that the operator uses to
control or monitor a function. The term HMI covers interfaces on individual control panels, whether that is
physically opening and closing a valve or operating a blowout preventer using a touch screen. It includes
those found in control locations (e.g. driller’s cabins) and control and monitoring environments, where the
quality of the HMI is critical in supporting direct intervention of operators.
To meet the criteria for Human Machine Interaction (HMI) and System Design the duty holder should
describe within their Safety Case:
The potential for human error is acknowledged and systematically treated in the design of HMI, with reference
to relevant good practice and recognised human factors engineering (HFE) standards. Where there is a
reliance on human performance to keep a safety critical system within operating parameters manually, the
safety case should describe those measures taken to ensure human reliability. For example:
• Clear labelling/tagging of plant (valves, flow direction and contents of pipework) and materials.
• HMI gives clear information and status to the operator (wellhead pressures, densities, volumes and
flow rates, etc) and is appropriately located.
• HMI are designed to inform the user/operator if parameters deviate from the expected
• HMI design replicates the operational reality and displays the relevant parameters given the current
operation.
• How changes to critical HMI (local and remote) will be controlled.
With regards to computer operated systems, the safety case should describe how interfaces are designed to
ensure effective and reliable interaction with the distributed or supervisory control and data acquisition
systems (DAS) and support the high levels of situational awareness required of control location operators. In
particular:
• A clear description of all relevant control locations and systems and interfaces.
• Reference to relevant standards applied.
• How relevant standards and current industry practice are applied during upgrades and modifications
of existing control interfaces, as well as the design of new control systems.
Core References
• Engineering Equipment and Materials Users Association (2010) Process plant control desks utilising
human-computer interaction. A guide to design, operational and human-computer interface issues.
EEMUA 201
• ASM Consortium Guidelines (2015) Effective Console Operator HMI Design (2nd edition). ASM
Consortium. Houston, TX: Honeywell.
Scope
Optimising alarm system design is important to facilitate accurate and timely fault diagnosis and response.
Alarm signals are typically visual, audible or both, and are intended to draw the operator’s attention to the
changed state of a specific operational parameter. Alarm handling (or alarm management) is an issue for
any rig or process where there is reliance on operator response to an alarm in order to control MAH. Poorly
designed alarm systems can hinder the operator and may result in a failure to identify the appropriate course
of action to bring the situation back under control.
Alarms, and additional information provided by the HMI, help the operator to understand and respond to
developing situations and to bring them under control before executive actions are taken.
Alarm systems should provide clear and concise information to the operator to enable them to recognise and
respond to process conditions, such as deviation from normal operating parameters and abnormal events,
which require timely action or assessment.
• The drilling control room or ‘doghouse’, which contains all the well control instrumentation
necessary to allow for safe intervention and control
• The marine and engine control rooms on rigs where watch keeping duties, monitoring of fire & gas
systems, ballast, dynamic positioning, communications systems and environmental monitoring
systems take place.
The safety case should describe how the potential for human failure is acknowledged and systematically
treated in design of alarm systems and handling of alarms.
Specific Technical Issues:
The safety case should describe the alarm philosophy, including the prioritisation of critical vs. informative
alarms, alarm management in respect of shelving of alarms, nuisance alarms, alarm cascading, and inhibits
and overrides.
The duty holder should consider relevant good practice guidance on alarm systems, such as EEMUA 191,
and show how alarm monitoring best practice has been implemented.
The duty holder should describe how alarm response procedures are developed, and how alarm response is
addressed in daily operations and in rig emergency drills and exercises.
To meet the criteria for alarm handling the duty holder should describe within their Safety Case:
Their alarm philosophy with regard to the design and management of alarms, including:
• A clear link between major accident hazards identified and the alarm philosophy (e.g. critical
conditions are alarmed at the appropriate level).
• How alarms will be justified and prioritised (e.g. safety related alarms take priority over operational
alarms, critical condition alarms take priority over informative alarms).
• How alarm systems are subject to continuous improvement e.g. there is a clear link between process
change and alarm system upgrade.
• How the design process accommodates human capabilities and limitations (including operator
availability to respond; time to respond; the potential for alarm flooding etc).
Core References
There are two important aspects to managing human failures. First, individual human failures that may
contribute to major accidents can be identified (e.g. on bowties) and controlled. Second, consideration should
be given to wider issues beyond individual human error in risk assessment. Positive characteristics that
support interventions on human failures include open communications, participative involvement of staff,
visible management commitment to safety (backed up by allocated financial, personnel and other resources),
an openness to accept underlying management/organisational failures and having an appropriate balance
between production and safety.
G6. HUMAN FACTORS IN RISK ASSESSMENT
Scope
The duty holder should have in place a structured and systematic approach to identifying and managing
safety-critical tasks associated with the rig.
HRA is the systematic identification, modelling and assessment of tasks that affect MAH risks. The safety
case should describe human contributions to the management of the identified MAH, and the measures
taken to minimise the potential for adverse outcomes of human error. Documents supporting the MAH risk
assessment processes should clearly illustrate the part played by people in preventing, controlling and
mitigating MAH events.
For mobile rigs the above may be achieved through barrier management and the role of technical,
operational and organisational elements in MAH control.
Note: For appropriate HRA methodologies, reference can be made to UK HSE RR 679.
The safety case should demonstrate that all MAH have been evaluated and their likelihood and consequences
assessed. The demonstration should contain estimates of the probability (qualitative or quantitative) of each
major accident scenario or the conditions under which they occur. This should be included within the MAH
bowties.
PIFs are the characteristics of people, tasks and organisations that influence human performance and
therefore the likelihood of human failure. PIFs include competence, time pressure, fatigue extent, design of
controls/displays and the quality of procedures. Evaluating and improving PIFs is important for maximising
human reliability and minimising failures. PIFs will vary on a scale from the best practicable to worst possible.
Relevant factors in the context of operations that could affect the outcome of human tasks and actions,
should be identified and optimised in established control measures.
The duty holder should describe how, where the HRA (as part of the Safety Case MAH HIRA) identifies
equipment, task, organisational or procedural modifications which could support more reliable human
performance, these modifications have been implemented where it is reasonably practicable to do so.
In many cases, appropriate risk control measures may already be in place, and should be proportionate to
the task risks; these may include short-term actions through to longer-term engineering improvements
and/or initiatives such as better labelling of lines and valves etc.
The purpose of barrier management is to establish and maintain barriers so that the risk faced at any given
time can be handled by preventing an undesirable incident from occurring or by limiting the consequences
should such an incident occur. Barrier management includes the processes, systems, solutions and measures
which must be in place to ensure the necessary risk reduction through the implementation and follow-up of
barriers.
Bowtie Analysis is an approach that can incorporate the human contribution to safety and environment and
has become an increasingly common way of demonstrating the MAH that a rig needs to manage and the
barriers and controls in place to prevent or mitigate the threat of those being realised. In bowtie risk
assessments, human factors and human error can be found in two places:
• Threats: human factors or human error appear as a threat in a bowtie when the human act or
condition directly impacts a top event.
• Escalation factors: human factors can appear as an escalation factor in a bowtie when the human act
or condition can defeat or reduce the effectiveness of a barrier.
Summarised below are some of the issues that should be considered regarding how human performance is
addressed within Bowtie Analysis:
• Human interactions with barrier elements can be conceptualised as an escalation factor that may
occur at each barrier element (especially procedural barrier elements) with the potential to
contribute to its failure
• Human performance is often required to achieve barrier functions, therefore the level of human
performance needed for the barrier to function should be considered; unlike safety environment
critical elements, which have clearly defined engineering performance standards.
• Preventative barriers (those on the left-hand side) typically operate over a timescale that can be
measured in weeks, days and hours; mitigation barriers (those on the right-hand side) typically
operate in a timescale of hours and minutes. This can create pressure for people to perform to
extremely high standards in situations of both stress and time pressure. The HF implications of this
should be carefully considered and tested e.g. at emergency drills.
• The nature or complexity of the tasks and especially the cognitive elements of those tasks that need
to be carried out for barriers to function as intended should be understood; if not, this could lead to
unrealistic expectations regarding human performance.
• It is important that there is an awareness of the difference between ‘work-as-imagined’ and ‘work-
as-done’, because it could result in unrealistic expectations about the compromises and adaptations
made when carrying out tasks under real-world constraints and pressures.
Barrier models should be prepared and implemented with involvement of front-line personnel, and pertinent
information and guidance should be made available to ensure an understanding of the role of front-line
personnel in the control of MAH.
To meet the criteria for Human Factors in Risk management the duty holder should describe within their
Safety Case:
• The methodology for identifying safety and environment critical tasks on the rig including e.g. routine,
non-routine, abnormal and upset, emergency response, safety environment critical maintenance.
• The methodology used for task and human failure analysis.
• Systematic identification of the different types of human failure (slips, lapses, mistakes and violations
etc) using a recognised methodology (refer to RR679 - how active involvement of front-line personnel
who will perform the task being analysed is achieved).
Core References
• Energy Institute (2011) Guidance on human factors safety-critical task analysis. London: Energy
Institute
• Health and Safety Executive (1999) Human factors assessment of safety-critical tasks. Offshore
Technology Report OTO 1999/092. Sudbury: HSE
• ONR GUIDE Human Reliability Analysis NS-TAST-GD-063 Revision 4 2018
Scope
As humans are often an integral part of the work activity, human error accounts for both successes and many
incidents/accidents, from the smaller scale near-misses right through to the major incidents.
The consequences of human failure can be immediate (active failure) or delayed (latent failure). Active
failure has an immediate consequence and this type of failure is usually made by front line operators. Active
failure is directly linked to the accident (e.g. operator error) and if an inadequate (superficial) investigation is
carried out it may conclude that ‘human’ or ‘operator’ error is a sufficient end to the investigation. As part
of a thorough and robust investigation, aimed at identifying the root causes, the investigators should be
asking why the front-line operator made this type of error; this may reveal safety management system
failures, or latent failures. Latent failures are further back along the causal chain and represent deeper,
underlying causes that are characteristic of the organisation, rather than the individual front line operator.
The duty holder should describe how accident, incident or near-miss investigations are used to identify the
potential impact of human errors (including relevant human and organisational factors), and how learnings
from accident investigations are applied to improve the management of human factors. The duty holder
should describe how HF is integrated into the accident/incident investigation processes.
The duty holder should have processes for communicating learnings from these investigations to the
workforce.
References
To meet the criteria for Human Factors in Accident Investigations the duty holder should describe within
their Safety Case:
Core References
• Energy Institute (2015) Guidance on meeting the expectations of EI Process safety management
framework. Element 19: Incident reporting and investigation. Energy Institute. London
• Health and Safety Executive (2004) Investigating accidents and incidents – a workbook for employers,
unions, safety representatives and safety professionals. HSG 254, HSE, Sudbury.
• HSG48 Reducing error and influencing behaviour
5.3 ORGANISATIONAL INTEGRITY
Scope
Organisations are under continuous pressure to change and adapt in order to meet their business needs,
particularly in a competitive marketplace. Organisational change can take varying forms. Types of
organisational change include changes to staff numbers, changes to the roles and responsibilities of
existing staff, increased use of contractors, outsourcing, or re-organising departments and teams.
It is important that the full implications of a proposed change, or a series of changes, are assessed prior to
implementation of the change(s). This is to guard against a failure to consider all relevant factors and
potential dependencies between related changes.
Management of change arrangements should ensure that the safety implications of a proposed change are
fully considered and that risks arising from inadequate assessment and implementation of the change are
recognised and suitably controlled. This involves assessing both the direct as well as any potentially indirect
effects of the planned change. These arrangements should be part of the duty holder’s safety and
environmental management system (SEMS).
A procedure should be in place for the management of change in relation to a rig. The safety case should
describe the system in place for ensuring organisational changes, including modifications, are adequately
conceived, designed, installed and tested.
Organisational changes are usually not analysed and controlled as thoroughly as plant or process changes.
The key issue is that the direct and indirect effects of a proposed change on the control of MAH should be
identified and assessed. Of particular importance are the transitional arrangements, to ensure the continued
integrity of maintenance and safe operation procedures. It is the duty holder’s responsibility to demonstrate
that adequate transitional provisions have been made and are in place to ensure continued safe
operation of the rig.
Potential problems can arise e.g. if existing staff feel overloaded because they are given more or different
tasks to do, or they may have to learn new skills in order to be able to operate automated plant.
To meet the criteria for Management of Organisational Change the duty holder should describe within
their Safety Case:
• That the management of change procedure(s) makes provisions for organisational change.
Core References
• Health and Safety Executive (2003) Organisational Change and Major Accident hazards. Chemical
Information Sheet (CHIS) CHIS7. HSE, Sudbury.
G9. SHIFT WORK AND FATIGUE RISK MANAGEMENT
Scope
One of the key characteristics that separate the UK offshore sector from other employment sectors is the
nature of the shift working arrangements. Like every other safety critical operational decision, the choice of
shift working patterns and tour length are under management control and subject to risk assessment and a
risk-based decision process. This is likely to be an analysis of alternatives against defined objectives with the
chosen alternative being the option that reduces the risks so far as is reasonably practicable.
The 21 consecutive work periods of 12 hours worked on mobile rigs have come about because of the
limitation to the numbers of employees that can be transported to and accommodated on an offshore
installation. There is also a significant overall risk reduction in having two workers offshore per post rather
than the three workers that would be required if eight-hour shifts were worked.
The safety case should acknowledge that fatigue may result in slower reactions, reduced ability to process
information, memory lapses, slips of action, lack of attention etc.
Duty period
Industry-wide guidelines for the UK North Sea sector normally limit offshore trips to 21 consecutive days
after which a shore break should be taken. With the documented authorisation of the offshore installation
manager (OIM), and subject to fitness to work the extended period, the offshore work duration can be
extended.
Fatigue Risk Management
Effective management of the risks associated with shift work requires a clear policy and associated
procedures for managing shift-working arrangements as part of a safety management system; it should be
based on good practice and made specific to the company’s operations. The procedure should detail the
corporate management of risk (e.g. planning of work schedules) and the reactive management of risk (e.g.
management of emergent conditions that impact working hours and fatigue). To be meaningful, this should
consider not just the hours of work but also the work that is being undertaken. Issues which should be
addressed in a procedure on working hours offshore, include the acceptance of the relevance of HF in health,
safety and welfare.
• Recognition of the effects of fatigue on the performance of individuals and of the implications this
may have for their health and safety, and the need to ensure good quality rest periods.
• Identification of the working time factors which are specific to the company, installation and
occupation. These may include travel aspects, tour length, shift patterns and changeover routines,
staffing levels, organisational structures, work practices, work activity, rest periods, facilities for rest
and recreation and effects of upsets such as bad weather or operational problems.
• Adoption of criteria defining acceptable norms and the extent of permissible deviations, including
any compensating mechanisms such as extra rest.
• Contingency plans for unusual situations, such as the failure of personnel to turn up to relieve those
currently at work, or unexpected process problems.
• Systems to monitor and record factors related to working time including, where appropriate, records
of hours worked, shift patterns, etc.
• Provision of information to employees on potential health and safety problems and on the
precautions to be taken.
• Adequate consideration of human factors in the design of operational procedures and in incident
investigation.
Other Related Assessment Sheets are:
To meet the criteria for Shift Work and Fatigue Risk Management the duty holder should describe within
their Safety Case:
• The framework for managing fatigue using appropriate standards and good practice (e.g. HSG256
Managing shift work) including:
o How fatigue is addressed with respect to shift patterns, working hours, overtime etc.
o Shift roster design that takes account of shift types, shift length, rest periods and rotation.
o Assessment of changes to working hours and shift patterns.
o Arrangements to set, record, monitor and enforce limits and standards for working hours,
overtime, on-call working, shift swapping etc.
o Assurance that contractor fatigue management is in place.
o Arrangements for personnel and contractors to report fatigue problems.
Core References
• Energy Institute (2014). Managing fatigue using a fatigue risk management plan (FRMP). Energy
Institute, London
• Offshore Information Sheet 1/2018. Managing offshore shift work and fatigue risk. Offshore Safety
Directive Regulator (OSDR)
• IPIECA/OGP (2014) Assessing risks from operator fatigue. IPIECA/OGP 492, London
• IOGP/IPIECA (2015) Fatigue in fly-in, fly-out operations. Guidance Document for the oil and gas
industry. IPIECA/IOGP Report Number 536, London
Scope
To ensure adequate staffing levels for safety critical roles, it is necessary to understand how staffing levels
impact upon human performance. It is especially important to ensure adequate staffing levels for effective
performance of safety-critical tasks, that is, those tasks where poorly executed work, or substandard
performance, has a high consequence on safety. Staffing levels for the rig should ensure that the right
numbers of people are in the right place at the right time; particularly where an emergency situation may
arise, resulting in a number of staff detecting, diagnosing and recovering from a potential major incident.
If managed inadequately, staffing levels and workload can have an adverse impact on the performance of
staff and therefore safety cases should include a formal assessment of staffing arrangements using
established methods. The safety case should explain how senior management provide sufficient human
resources to maintain adequate staffing levels for the full range of safety-critical tasks on the rig. Where
applicable, the safety case should provide a description of, and take due account of both multi-skilling and
multi-tasking, and any potential impact on human reliability, e.g. competing/conflicting demands. Any
justification given should take due account of recognised standards or codes of practice.
De-manning
Reductions in staffing levels do not necessarily pose a direct threat to safety. Rather, the impact of changes
to staffing arrangements on safety performance will depend on the quality of the planning, assessment,
implementation and monitoring. Safety should be managed in the same planned and informed manner as
all other elements of reorganisation. Amongst the many difficulties of reducing staffing levels, problems can
occur when:
• Remaining staff take on all the tasks of staff who have left, leading to an ever-increasing workload
and job scope, until safety problems become obvious
• Key safety competencies are lost, if not successfully transferred to others during a managed
transition period
• Work processes are not reorganised to reduce workload, and staff competence is not managed for
their new range of responsibilities, before posts are merged
• Insufficient allowance is made for emergent work, illness, absence, and peak workloads
To meet the criteria for Staffing Levels and Workload the duty holder should describe within their Safety
Case:
Core Reference
• Health and Safety Executive (2001) Assessing the safety of staffing arrangements for process
operations in the chemical and allied industries. Contract Research Report 348/2001
SEMS are crucial mechanisms in the delivery of safety and environmental control designed to reduce adverse
outcomes of human error. SEMS are relevant throughout the lifecycle of a rig.
Scope
A procedure is an informative, written description of the steps that should be followed to perform a task as
required and safely. Procedures can include checklists, diagrams, flow charts, or photographs. Problems with
procedures, such as failure to follow procedures, or inadequacies in procedures are frequently cited as
contributing factors to major incidents. For most work activities, a basic procedure is adequate to assure
safety.
In developing a safety-critical procedure or work instruction, organisations need to ensure that they are
linked to the risk level, including the human reliability potential identified for the tasks and that they are
proportional given their intended purpose. For very complex, and safety critical tasks or tasks that are rarely
performed, detailed step-by-step procedures are required. Detailed procedures can provide a control for
gaps in knowledge, which lead to errors and mistakes.
Where procedures are relied upon as a risk control measure, the safety case should summarise how tasks
have been analysed. The duty holder should reference the procedures for the key activities in the rig’s
lifecycle. These should be within an overarching safety management system but should be suitable and
sufficient for purpose in their own right. Written instructions should be easy to understand and set out in a
logical order. Procedures should not be viewed as the sole defence against human failure - they form an
integral part of a broader range of measures to reduce the potential for human failure.
• Procedures need to be easily accessible and applicable (e.g. for operational tasks, maintenance
tasks, abnormal or emergency tasks), and fit for purpose containing the right amount of
information depending on the complexity and frequency of the task, and the experience of the
operator.
• Involving operators from the start (or in reviewing procedures) is crucial to help promote
ownership and avoid non-compliance. Operators may have devised an informal procedure that
is quicker or easier and this can be incorporated in the formal procedure as long as safety or
quality is not compromised.
• Clearly outlining the purpose of the procedure, the precautions required to avoid potential
hazards, any special equipment/tools required, the initial conditions that should be satisfied
before starting, references to other relevant documents (e.g. data sheets or manuals), and the
steps to be followed to ensure the task is completed safely and efficiently
• Procedures particularly for safety critical tasks should be reviewed regularly to ensure that they
are accurate and up to date. This process should involve obtaining feedback from users,
identifying ‘informal’ practices, examining a sample of procedures in the workplace, analysing
non-compliances and finding out why procedures are not used.
• Staff should be trained, or coached, on the procedures that they are expected to use; this will also
help identify if there are errors or if the procedures are not practical.
To meet the criteria for Procedural Integrity the duty holder should describe within their Safety Case:
• How the operating procedures for safety critical tasks are linked to the control of MAH scenarios.
• Procedures are in place for safety-critical tasks across the full range of activities and measures exist
(such as audit) to ensure compliance with these procedures.
Core References
Scope
Competence is the ability to undertake responsibilities and perform activities to a recognised standard on a
regular basis. It combines practical and thinking skills, knowledge and experience. Competence assurance is
a key Human Factor offshore, where the continuing ability of individuals and teams to reliably perform the
safety critical aspects of their roles, responsibilities and tasks is important. Further to this is the requirement
to have a set of competence standards that directly cover the processes associated with the control of MAH.
The duty holder should consider the competence of staff in relation to the control of MAH and how this is
identified, assessed and managed as part of a competence assurance system. Duty holders should have
robust competence assurance systems in place to ensure that the competency of all those involved in safety-
critical tasks is established and maintained. Training is only one element of this and is found to be one of the
poorer controls when used in isolation. MAH competency needs to be appropriately linked to the MAH and
risk analysis and key procedures. The aim is to assure safety-critical tasks, and associated roles and
responsibilities. Where key safety-critical roles are identified, evidence is required that there has been a
capability assessment undertaken for the role.
Duty holders should have in place an effective Competence Management System (CMS) that is being
managed, implemented and is delivering the desired outcomes. A robust selection and training needs
analysis process should exist for key safety-critical roles; competence should be clearly linked to key
responsibilities, activities and tasks identified in risk assessments ensuring safety critical tasks are addressed.
Competency systems should also identify where contractors are carrying out safety-critical work and ensure
they are fit to do so. Companies should ensure that they can appropriately specify, manage and oversee any
work carried out by contractors.
Independence
Where specific roles require an individual employed by the duty holder to be ‘independent’, such as the
verification process, evidence should be provided to demonstrate how their competence is established.
To meet the criteria for Selection, Competence and Training the duty holder should describe within their
Safety Case:
• That a system is in place to establish and maintain levels of competency for all those involved in safety
critical activities.
• How the CMS meets current industry standards and is relevant to the activity and competence being
assessed, ensuring they are linked to the competence standards themselves.
• How the CMS manages further development of staff as part of continued professional development,
not just initial assessment.
• How the CMS takes account of foreseeable work and operating conditions. This includes infrequent
and complex activities, emergency situations and upsets, maintenance etc.
• CMS allows for consolidation of training, evidenced by extra support and supervision.
• How evidence of safety critical third-party competence is managed.
Core References
• Office of Rail and Road (2016) Developing and maintaining staff competence
• IADC North Sea Chapter – Guidance on the Management of Third-Party Competence for Safety
Critical Positions Offshore
[Online - Available at www.iadc.org/wp-content/uploads/2016/03/IADC-NSC-Guidance-Rev-1.pdf]
Scope
There are certain situations where it is critical to have good and reliable safety communication. These
situations include when tasks and responsibilities need to be handed over from one person, or team to
another e.g. at shift changeover, between shift and day workers; or between different functions of an
organisation within a shift, such as operations and maintenance; during process upsets and emergencies;
and following an individual’s lengthy absence from work. Organisations use a variety of methods to
communicate safety information. These can include general safety communications e.g. toolbox talks, shift
handovers, written instructions or procedures, informal communications and emergency communications
e.g. alarms, briefings.
It is important that organisations have systems in place to monitor safety critical communications to ensure
that information is being sent, understood and acted upon and conduct investigations to identify and remove
any communication barriers. Key principles to consider in safety critical communications include:
• Ensuring that the content of the message is clear and unambiguous, and the language used is
appropriate to the workforce (consider first language, literacy)
• Using more than one means of communicating key information, e.g. verbal and written methods of
communication
• Targeting the information appropriately to ensure that it reaches everyone that needs to be aware
of the information. This may include employees, contractors, or mobile teams
• Considering the timing of communication e.g. hazards should be communicated before people are
required to carry out tasks
Note: Major accidents have occurred involving shift handover and PTW systems. Communications around
active permits, contractors involved with permitted work, and lines of communication across shifts and
between worker groups should be considered.
To meet the criteria for Safety Critical Communications the duty holder should describe within their Safety
Case:
• Arrangements for safety critical communications, including:
o The standard/procedure for shift handover which has been implemented and
communications during emergencies
• Any form of remote communication between control room and outside operators e.g. coordination
of work on the drill floor via the doghouse/driller’s intercom.
• PTW procedures, particularly where work continues over a shift change.
• The systematic identification of organisational interfaces and the communication of hazards and risks
to contractors.
Core References
• Extract from the Inspector's Human factors toolkit – Safety-critical communications. [online –
Available at http://www.hse.gov.uk/humanfactors/topics/common3.pdf]
• HSE (2005) Guidance on permit-to-work systems: A guide for the petroleum, chemical and allied
industries. HSG 250. HSE, Sudbury
G14. SUPERVISION
Scope
Supervision is an important management function and therefore a key component in any effective safety
management system. The front-line supervisor has been identified as having a critical role in the
management of safety, representing a crucial link between planning a job and its execution. Other key
supervisory functions include allocating work, making decisions, monitoring performance and compliance,
providing leadership and building teamwork, and ensuring workforce involvement. Supervisors may also
have an important part to play in managing contractors and/or issuing permits to work.
The actions and behaviours of individual offshore supervisors have a significant impact on workers’ safety
behaviour. Supervisors are the focal point of safety improvement initiatives as they act as the interface
between management and the workforce. Crucially, supervisors can have a significant, positive impact on a
range of local performance influencing factors (compliance with procedures, training and competence,
safety-critical communication, staffing levels and workload, shift work and fatigue, organisational culture
etc).
Supervisory roles and responsibilities should be clearly defined in the context of major hazards including their
role in supervising safety-critical activities.
To meet the criteria for Supervision the duty holder should describe within their Safety Case:
• Competence standards have been established for supervisory personnel which include:
o Non-technical skills e.g. leadership, managing poor performance, communicating effectively
o Technical skills (relevant to the plant and process)
o Management of organisational PIFs within their control (competence assurance, workload,
staffing levels, shift work, fatigue etc).
• Supervisory roles and responsibilities are clearly defined in the context of major hazards.
• Supervisors’ role in managing compliance with safety critical rules/procedures, and reference is made
to the relevant processes in the competency management system.
Core References
• HSE Research Report 292. Different Types of Supervision and the Impact on Safety in the Chemical
and Allied Industries. HSE (2004)
Of greater practical use may be the associated supervisor assessment guide derived from this report:
• Different types of supervision and the impact on safety in the chemical and allied industries -
Assessment Methodology and User Guide (Prepared by Entec UK Ltd for the HSE) [Online - Available
at http://www.hse.gov.uk/research/rrpdf/rr292b.pdf]
6. GUIDANCE
There is a vast amount of both HSE and industry guidance available related to Human Factors and some of it
has been incorporated into the text above. Below is a link to the HSE web site where over 12,000 pieces of
guidance can be found related to HF:
http://www.hse.gov.uk/search/search-results.htm?gsc.q=human%20Factors#gsc.tab=0&gsc.q=human%20Factors&gsc.page=1
http://www.hse.gov.uk/osdr/safety-cases/safety-case-topic-specialist-assessment.htm
http://www.hse.gov.uk/search/search-results.htm?gsc.q=APOSC#gsc.tab=0&gsc.q=APOSC&gsc.page=1
https://store.iadc.org/product/iadc-drilling-control-system-alarm-management-guidelines