
ABSTRACT · 2019-03-13 · Given the numerous hazard events possible on an offshore facility, owner/operators seek opportunities to minimize the staffing on the facility so fewer


©Copyrighted 2016 – Tom Shephard

Situation Awareness Integration into Offshore Emergency Response Design: Justification and Methods

Chapters 1-5 (of 7)

Tom Shephard Revision: May 2016

ABSTRACT

The oil and gas industry acknowledges the need to integrate situation awareness (SA) into the design, operation and maintenance of offshore drilling and production facilities. Investigations into catastrophic offshore accidents often cite a lack of situation awareness as a primary causal factor. SA principles and methods are employed in other highly hazardous and high-consequence industries including aviation, military, rail, nuclear, healthcare and shipping. The oil and gas industry’s research into its applicability to offshore drilling and production facilities, initiated in the 1990s, confirms it is both applicable and safety-critical. With that result, operating companies and industry organizations are moving into the early development and implementation phase, beginning with white papers and conceptual guidebooks. A few owner/operators introduced training programs for offshore drilling crews that include SA-rich training modules. Efforts to integrate SA into the fundamental design of an offshore facility are in the embryonic stage. To date, the industry has not presented or published an engineering process that integrates SA into the most complex operation in an offshore facility, the emergency response (ER) and barrier system. This manuscript presents the case on why such a process is needed, and presents a prototype methodology to achieve this end. It begins with a hierarchical task analysis that defines the goal-directed tasks that comprise the ER system and barrier design. The task sensing, decision and action functions are defined. M. Endsley’s often-cited, three-stage SA model is integrated into the sensing function design. D. Chiappe’s situated SA model (Team SA) guides the design of the team interactions and communications that are essential to maintaining Team SA, coordination and cohesion. The human, physical, organizational and societal elements that enable each task function, and the performance influencing factors (PIFs) that degrade SA, are defined. Suggested assessment steps evaluate the design, eliminate and mitigate PIFs, and verify that task goals and barrier functions are achievable. The methodology aligns well with the staged, project-based approach used globally by organizations that specify and design offshore facilities. The adopted SA models and the terms and definitions used are briefly introduced and discussed.

KEYWORDS: Situation awareness; emergency response; offshore; human factors; oil and gas; drilling and production


1 Purpose and Scope

This manuscript provides the justification for integrating situation awareness (SA) into offshore emergency response (ER) system and ER barrier design. It then presents a prototype methodology designed to achieve this end. Section 3 provides a brief overview of SA and the individual and Team SA models adopted in this manuscript. Section 4 describes the ER system and the human-dependent ER barrier and presents the case on why SA is uniquely applicable and ultimately essential to their success and performance. The importance of addressing performance influencing factors that degrade SA and other barrier functions and contribute to human error is also discussed. Section 5 presents a project-based methodology that outlines how SA principles and methods can be holistically integrated into the human, physical and organizational design of the emergency response system and barriers. Conclusions and recommendations are summarized in Section 6.

2 Introduction

In 1988, a series of incidents and events caused 167 fatalities and the destruction of the Piper Alpha facility (Cullen 1990). In US waters, 69 deaths, 1349 injuries and 858 fires occurred on offshore operating facilities (Sutton 2012). On April 20, 2010, the Deepwater Horizon drill platform operating in the Gulf of Mexico experienced a well blowout and an uncontrolled release of high-pressure oil and gas. The resulting explosions and fires caused 11 fatalities, destroyed the facility and triggered the largest offshore oil spill in US history. Failures in the emergency response system and response team performance were primary contributors (CSB 2010, Hopkins 2012, National Commission 2011, Skogdalen et al. 2011).

Situation awareness (SA) principles and models are employed in many highly hazardous, high-consequence industries that include aviation (Endsley and Garland 2000, Sorenson et al. 2011), military (Salmon et al. 2010), command and control (Stanton et al. 2010), rail (Golightly 2010), nuclear (Carvalho et al. 2012), and shipping (Chauvin et al. 2009). After Piper Alpha and the publication of the Cullen report (Cullen 1990), oil and gas multinationals, academia, and industry initiated research into SA and its applicability to offshore facility design and operation (Flin et al. 1996, Crichton 2005, Sneddon et al. 2006/2013, Taber 2010, Sætrevik & Eid 2013, Naderpour et al. 2014). Positive research results, owner/operator interests and the continued occurrence of offshore incidents motivated several industry organizations to issue recommendations and a ‘call-to-action’ to consider SA and human factors in the design of offshore drilling and production facilities (IOGP 2012, SPE 2014). Early SA adopters are transitioning to the applied development phase beginning with concept guidelines, a guidebook, and a drilling-crew training template and guideline (IOGP 2012, Flin et al. 2008, IOGP 2014a/c). In 2005, owner/operators initiated training programs for offshore drilling crews that were based on the crew resource management (CRM) programs that are already widely used in other industries. CRM includes SA-specific training modules. In the oil and gas domain, a methodology that integrates SA into the physical, organizational and operational design of an offshore emergency response (ER) system remains new territory.

2.1 Barrier Terminology and Definitions

This section introduces the terms and definitions used in this manuscript. The oil and gas industry uses many definitions for safety barriers. Sklet (2006) provides the following barrier definitions employed in this manuscript:

“A barrier function is a function planned to prevent, control or mitigate events. The barrier can be physical (e.g., a technical system) or organizational/operational (e.g., the emergency response plan).”

“A barrier system is a system that has been designed and implemented to perform one or more barrier functions. A barrier system describes how a barrier function is realized or executed. The barrier system may consist of different types of system elements, e.g., physical and technical elements (hardware, software), operational activities executed by humans, or a combination thereof.”

Preventive, control and mitigation barriers provide pre-determined responses to each major accident event (MAE). Offshore facility design uses a defense-in-depth approach that implements multiple barriers of different types to address the possibility that one or more barriers fail for unforeseen reasons. A preventive barrier (e.g., an automated safety shutdown system) is designed to prevent the occurrence of a MAE. Should the MAE occur, control barriers provide the means to control and recover from the event, and therefore limit the opportunities for event escalation. Mitigation barriers are the last line of defense if the preventive and control barriers fail. The ER control and mitigation barriers rely fully on humans (the emergency response team) to achieve the barrier function.

A control barrier limits the scale, intensity and duration of an accident event (ISO 13702).

A mitigation barrier limits the potential consequences and effects caused by the event (ISO 13702).

Barriers are also classified as ‘active’ or ‘passive’.

A passive barrier is continuously available to perform its barrier function, e.g., a blast wall.

An active barrier requires activation (a trigger event) to commence its barrier function. Emergency response barriers are the active type.

Every facility has MAEs that must be considered in the emergency response system and ER barrier design. No two deepwater facilities are exactly alike. A major accident event is a plausible and unplanned event that acutely jeopardizes the safety of personnel, the environment or the integrity of the facility. Example MAEs include fire, explosion, toxic or flammable gas release, ship collision, helicopter crash and medical emergencies. A floating facility adds additional MAEs (e.g., the facility can sink, capsize or drift from its intended stationary position). MAEs unique to a drilling platform include a well blowout and other events that can lead to an uncontrolled release of hydrocarbons to the platform topsides (production and living areas) or to the sea. Norsok (2010) provides a complete list of possible MAEs.

3 Individual and Team Situation Awareness Models

3.1 Individual SA Model

For individual SA, the model receiving the greatest interest from the offshore oil and gas industry was developed by M.R. Endsley. Endsley (1988 p. 97) defines situation awareness as “the perception of the elements in the environment within a volume of time and space, the comprehension of their meaning, and the projection of their status in the near future.” The three stages in Endsley’s (1995) SA assessment (process and product), the model adopted for use in this manuscript, include perception, comprehension and projection.

Perception (SA-1) refers to the acquisition of information that is perceivable and available to our five senses. Example sources of SA-1 may include a communication exchange or information acquired from a technical system, e.g., a radio or control system display. The accident scene provides visible information (e.g., the location and state of an injured person or visible damage to equipment). The ambient environment is a source of additional information (e.g., sound, heat, smell and visibility).

Comprehension (SA-2) is the result of combining SA-1 information with one’s stored experience and knowledge to develop a mental picture and understanding of what the SA-1 information means.


Projection (SA-3) is the result of combining the SA-2 product with a deeper level of stored experience and knowledge to project future outcomes and timing.

With SA-2, the degree of understanding and comprehension achieved depends on one’s training, experience, knowledge, fitness (e.g., fatigue), personality and cognitive capabilities. A responder with limited experience perceives events by matching them to training scenarios and an understanding of the ER plans and procedures. A responder with extensive experience has an additional source of information that can enhance his/her understanding of what the SA-1 information means.

SA-3 is the ability to understand the meaning of events and conditions as they change over time and project what may happen in the future. The time aspect is a critical piece of new information that guides decisions and priorities, and indicates whether a control barrier or task action is effective and whether conditions are deteriorating.

3.2 Team Situation Awareness Model

Several published Team SA models exist that share areas of commonality but also have differences (Salas et al. 1995, Endsley and Robertson 2000, Salmon et al. 2009, Chiappe et al. 2014). Chiappe’s ‘Situated SA’ model, adopted for this manuscript, defines the essential elements needed to acquire and maintain team SA. These elements include shared SA (Chiappe et al. 2012), and compatible, transactive and meta SA (Salmon et al. 2009).

Shared SA (SSA) is the common picture of events shared by two or more individuals (Chiappe et al. 2014).

Compatible SA refers to the SA needed to execute assigned tasks. “.. no two individuals working within a collaborative system will hold exactly the same perspective on a situation. Compatible SA therefore suggests that, due to factors such as individual roles, goals, tasks, experience, training and schema, each member of a collaborative system has a unique level of SA that is required to satisfy their particular goals” (Salmon et al. 2009, p. 190).

Transactive SA refers to the information exchanges that occur among personnel, and between personnel and technical systems (Salmon et al. 2009 pp. 192-193).

Meta SA is the “...awareness of what other agents in the system know...” (Salmon et al. 2009 p. 220).

Given the numerous hazard events possible on an offshore facility, owner/operators seek opportunities to minimize the staffing on the facility so fewer are exposed to these risks. The varied nature of the possible hazards requires a team that has a wide range of response capabilities. To accommodate both objectives, the organization model for the emergency response team (ERT) is a smaller organization with roles that are often specialized in terms of skills, knowledge and expertise. As such, the team is heterogeneous. The offshore installation manager (OIM), typically the person-in-charge, provides centralized command and control. Team situation awareness (Team SA) encompasses the enabling actions and attributes that transform this heterogeneous group of individuals into an adaptive team that can coordinate and execute life-critical tasks in a complex, dynamic and stressful environment. The design of the ERT organization, roles, procedures, communication protocols and training programs establishes how the ERT interacts in a manner that achieves the barrier function and is able to adjust if the OIM makes changes to the ER plan and priorities (Crichton et al. 2005).

With Shared SA (SSA), no two ERT members typically or necessarily share a complete and mutually represented picture of the event in progress. The effort to do so places an unrealistic and unsustainable cognitive and workload demand on individuals and the team as a whole. Instead, the design process should identify the minimum Shared SA needed to achieve and maintain team cohesiveness, coordination and alignment to team goals. A common picture begins to develop when the team receives the first information from the OIM on the response plan, the nature of the emergency and assignment of team resources. Shared SA contributes to team actions that are mutually compatible. Crews that remain together over time develop a greater degree of SSA overlap as they experience how each member and the team as a whole perform in different situations (Sneddon et al. 2006, Cooke et al. 2007). Cross training and drills aid in creating shared views as team members gain experience in their assigned roles, and the roles of others. These activities also contribute to one’s understanding of who holds specific information and who may request information from others (Flin et al. 1996).

A product of Transactive SA, an exchange between two responders provides clues to the sender about what the receiver may be doing. The exchange also requires less time and effort to convey the same information when their degree of Shared SA is high (Endsley 1995 p 39). From Chiappe’s Team SA model (Chiappe et al. 2012), the exchanged or conveyed information is limited to only what is needed to perform one’s assigned task, and maintain a minimum degree of shared understanding (Shared SA). Communication protocols, terms and syntax should be pre-defined and trained-in to minimize the exchange effort and duration and to increase the likelihood that conveyed information is correctly understood (Chiappe et al. 2014, Gasaway 2013, Ch. 7). A two-way exchange can improve communication accuracy but also ties up both parties for the duration of the exchange. Use of predetermined and mutually understood terminology and code words can reduce the exchange duration and effort without reducing the exchange quality. An ER plan may include provisions to engage external expertise. The exchange is then no longer limited to information that can be conveyed using commonly known terms and language. The challenge significantly increases when there is a need to convey complex knowledge between an expert and a novice. Enabling this capability introduces new terms and requires additional communication protocols, procedures and training (Rentsch et al. 2010, Crichton 2005).

The definition for Meta SA used the term agent. ‘Agent’ refers to the ERT member, technical system or other system components that possess SA-1 information that can be accessed. With experience, an ERT member learns where the information resides (e.g. a person, technical system, incident scene or ambient environment) and when it may be available. “SA may sometimes involve simply knowing where in the environment to find a particular piece of information, rather than remembering what the piece of information is” (Durso 1998, p 3). Stress, excessive workload, frequent interruptions and other environmental and task conditions common to the MAE environment reduce the information that one can reliably hold in working memory (WM). These conditions increase the likelihood that information stored in WM is forgotten or recalled incorrectly. Therefore, “Individual operators off-load as much as possible to limit what they have to do internally…” (Chiappe et al. 2012). Meta SA also refers to knowing the information that others may need and when they need it. A responder’s Meta SA is enhanced through training, procedures, drills and experience.


4 Why Situation Awareness Applies to Offshore Emergency Response

This section describes the ER system and barrier in terms of their constituent elements, and then presents the reasoning that defines why the integration of SA principles and methodologies is essential to achieving the intended system and barrier functions.

POSIT 1: The emergency response system and ER barriers are acutely dependent on one or more humans in the loop to achieve the intended barrier function.

POSIT 2: Emergency response barriers and operations are a compilation of tasks. All responders must correctly perform their assigned tasks within a timeframe that achieves the barrier function and operational objective.

POSIT 3: The likelihood that a task achieves its intended function depends on the effectiveness of the design processes used to define, specify, develop and integrate the human, physical and organizational elements that comprise the task.

POSIT 4: Task success requires timely and sound decisions. This can only occur if the task assignee acquires the right information, comprehends its meaning and understands what may happen next, a process commonly known as situation awareness or SA.

POSIT 5: A design process that does not eliminate or mitigate performance-influencing factors that degrade the SA process is a causal contributor to human error, a known contributor to ER barrier failure and major accidents.

POSIT 1: The emergency response system and ER barriers are acutely dependent on one or more humans in the loop to achieve the intended barrier function.

The ERT is responsible for performing the ER response and barrier activities. Non-ERT members on the facility also have barrier responsibilities, e.g., promptly and safely move to an assigned muster station when the muster alarm sounds. Achieving the barrier function assumes the ERT reliably executes the appropriate barrier actions when subjected to considerable time and performance pressure (Sneddon et al. 2006/2013, Woodcock and Au 2013). In this environment, the responder must rapidly adapt and respond to sudden, high-consequence and often highly complex events. The nature of the MAE establishes the ERT response in terms of workload, tempo and the emergency response options.

Multiple ERT members are assigned life-critical tasks on many human-dependent barriers. The capacity of the team is fixed, and may have insufficient resources if concurrent MAEs or escalations occur. Capacity and capability are also reduced if an essential person (a role that does not have a fully trained backup) becomes a victim of the event or is unable to reach the designated response station (Woodcock and Au 2013). The offshore installation manager (OIM) is typically the person in charge, with responsibility for the safety of personnel, the environment and the integrity of the facility, in that order. The OIM initiates the response plan, assigns resources, sets priorities, makes life-critical decisions and manages the team in a manner that maintains team cohesion, focus and coordination.

For deepwater facilities, mobilizing resources from external sources often takes hours. In the earliest phase of the emergency, the first hours of the response are typically limited to the ERT on the facility. The likelihood that the event is sufficiently controlled to prevent an escalation is a function of the ERT’s actions and responsiveness in the earliest phases of the incident (Flin et al. 1996, Gasaway 2013).


Complex and concurrent events may require a rapid uptick in ERT activity to keep pace with rapidly changing conditions (Gasaway 2013, Hopkins 2012, Perrow 1999). Humans tend to underestimate this aspect of an accident (Reason 1990 p 92) and therefore do not adjust the pace of their emergency response accordingly. A slow or incorrect response may fail to block an escalation pathway that can lead to a larger, different or more complex event. Severe consequences from the Piper Alpha (fatalities) and Deepwater Horizon (blowout and spill) accidents did not occur with the initial event (Cullen 1990, CSB 2010, Hopkins 2012, National Commission 2011 p 121). In both cases, human-dependent barriers failed in the early stages of the accident event. The resulting escalations had the greatest impact on the number of casualties (Cullen 1990) and led to the largest offshore spill in US history (CSB 2010).

POSIT 2: Emergency response barriers and operations are a compilation of tasks. All responders must correctly perform their assigned tasks within a timeframe that achieves the barrier function and operational objective.

Identifying, clarifying and assessing barrier tasks is a pre-requisite (HSE 2005) to understanding and mitigating factors that are primary contributors to major offshore accidents (CSB 2010, Cullen 1990, IOGP 2012, Woodcock and Au 2012). Most emergency response tasks are time-critical and require a task completion time that may be measured in minutes. For those nearest to danger, a few seconds may be all the time available to assess and decide whether to transit an area with an active toxic gas alarm or select a longer, alternative route to reach a safe location. Understanding the full nature of the tasks and actions expected from responders and others on the facility should begin with a task analysis. The analysis provides the information needed to assess the task workload (mental and physical) and the likelihood that the task can be correctly completed within the time needed to achieve the barrier function. In the US and most areas of the world, regulatory statutes do not require a task analysis to support the design of the emergency response system. Some owner/operators include this requirement in corporate design standards, though many do not. Consequently, the design of ER systems in many newly designed facilities will not be based on a task analysis.

POSIT 3: The likelihood that a task achieves its intended function depends on the effectiveness of the processes used to define, specify, develop and integrate the human, physical and organizational elements that comprise the task.

Figure 1 represents the task in its simplest form.

Figure 1 - Functions of an Active, Independent Protection Layer (excerpted and modified from CCPS 2001)

Every emergency response barrier activates a minimum core team of four or more responders, each executing multiple tasks in an integrated and coordinated manner. Like an automated barrier, the ER barrier is also the active type. To activate the barrier function, an ERT member must detect the barrier trigger condition and notify the other responders engaged in the barrier function. Unlike the automated barrier, a human performs the sensor, decision and action functions shown in Figure 1.

[Figure 1 blocks: Sensor (instrument, mechanical, human); Decision (logic solver, relay, mechanical device, human); Action (instrument, mechanical, human)]


The three task functions in Figure 1 are comprised of or affected by the elements shown in Figure 2.

Figure 2 - Task Elements (excerpted and modified from Bea et al. 2009)

Physical elements encompass the physical equipment and facility features that are essential to and employed in the barrier system. Example elements include technical systems and equipment, purposely designed rooms and reporting areas (temporary refuge and incident command center), and facility features (e.g., escape routes and muster areas).

Human elements encompass the emergency responders and their experience and expertise, cognitive skills, fitness for work, attitude, readiness, teamwork, trust, etc. They also include personnel who do not have ERT roles (i.e., non-essential personnel or NEPs). NEPs have assigned barrier tasks, e.g., responding to a muster alarm by promptly and safely transiting to the designated safety location and reporting in so the ERT can assess the status and location of all personnel.

Organizational elements encompass the emergency response plans; procedures; communications protocols; staffing and staff assignments; reporting structure; training programs; and competency assurance systems.

Societal elements are influencers that may affect a responder’s decisions and actions. Examples include laws and regulations, public opinion, news media, trade unions, education systems, labor and economic forces. A responder’s emotions and actions can be affected by other societal elements such as legal actions, media attention, corporate safety culture or the perceived consequence if an emergency response action does not comply with company procedures and expectations. In this regard, societal elements can also be performance-influencing factors.

In a human-centered barrier, the task assignee is the active and intentioned human element that employs and directs a system of physical and organizational elements in a manner that can achieve the ER barrier function and operational objective. A deficiency in the design of any task element can lead to task and barrier degradation or failure (Dekker 2011 pp 90-94, HSE 1999, Reason 1990 pp 201-211, SPE 2014). The responder and organizational elements are designed to perform the required sensor, logic and action functions. The sensor and action functions typically employ physical elements (e.g., radios, safety equipment and alarm systems). The organizational elements (e.g., ER plans, procedures and training) define how the responder is expected to perform assigned tasks and use each physical element. Humans are influenced, consciously and unconsciously, by societal elements (Bea 2009). The likelihood that a responder correctly uses and applies task elements in a manner that achieves the task goal and barrier is a reflection of the element’s fitness to the task, the task environment, and the responder’s capabilities such as knowledge, training and experience.

POSIT 4: Task success requires timely and sound decisions. This can only occur if the task assignee acquires the right information, comprehends its meaning and understands what may happen next, a cognitive process commonly known as situation awareness or SA.

An offshore accident triggers an immediate shift in the roles, physical reporting station, reporting structure, procedures, communication protocols, priorities, tempo and urgency of the ERT members. “Situational Awareness is clearly most in jeopardy during periods of rapid change and where the confluence of forces makes an already complex situation critically so” (Woods et al. 2010). “Sudden, unprepared onset makes it difficult for the user to get into the situation” (Sträter 2005).

The oil and gas industry recognizes that poor SA is a primary causal factor in major offshore accidents (Cullen 1990, CSB 2010, Skogdalen et al. 2011). Sneedon et al. (2006) analyzed a database of 332 incidents in an owner/operator’s offshore drilling operations. The study identified 135 incidents that resulted from poor SA. Of these, 67% were attributed to the first phase of the SA assessment process, i.e., acquiring and comprehending the information (SA-1) needed to support task decision-making and execution. The remaining incidents were attributed to the other two aspects of SA, i.e., comprehension or SA-2 (20%) and projecting future events or SA-3 (13%). Though widely implemented in other highly hazardous and high-consequence industries, SA principles and methods are not currently integrated into the mainstream design processes that produce today’s offshore facilities.

Information presented by an offshore accident can be highly dynamic and therefore subject to frequent and rapid change. The SA process for individual ERT members and the team as a whole must keep pace with this dynamic environment to maintain an accurate picture of events (the situation) and the threats to personnel, the environment and the facility. The SA process is impeded if essential information is incomplete, delayed or not organized in a way that directly supports the SA process. It is also impeded if a responder is not able to perceive and comprehend this information.

The temporal (time) attributes of a task should be identified and well understood. The OIM and the ERT must identify, track and implement time-sensitive activities. SA includes an awareness of time and time-sensitive activities (e.g., ‘How long should this take?’, ‘what time has passed?’, ‘how long can I wait?’ or ‘is it now the right time to initiate this action?’). There is a clear need to provide task elements (tools and devices) that support the ERT as a whole, and particularly the OIM’s ability to maintain an active awareness of time, upcoming future actions and the time at which those actions must occur.

A passive barrier function (e.g., passive fire protection or a firewall) is designed to provide the barrier function for a limited period. Many ER barriers also rely on a secondary support system (e.g., a back-up power system) that provides temporary power if the primary systems fail. The OIM’s planning for many MAEs must always allow for the 5 to 11 minutes of time needed to fully evacuate the facility (IOGP 2010 Table 2.2) and move escape vessels away from the facility if control and recovery measures fail. The ERT must remain aware of these and many other time constraints when planning and executing emergency operations and ER barrier tasks. Safety-critical ER tasks are also time-critical.

POSIT 5: A design process that does not eliminate or mitigate performance-influencing factors that degrade the SA process is a causal contributor to human error, a known contributor to ER barrier failure and major accidents.

The term performance-influencing factors (PIFs) is often used to describe and encompass the full range of human, environmental, physical, organizational and societal factors that can degrade the SA process and contribute to human error, both conditions that can lead to task and barrier failure or degraded performance. Table 1 provides examples of common PIFs.

Table 1 – Examples of Performance Influencing Factors

| Factor | Examples |
|---|---|
| Task workload | Concurrent, complex and sustained vigilance tasks. |
| Task urgency | Significant time pressure, e.g., a rapidly evolving or immediately life-threatening incident is pressing the response team pace to keep up and get ahead of this event. |
| Task complexity | Complex task sequencing. Must closely coordinate actions with others. |
| SA and cognition | High demand on short-term working memory. Task information is incomplete, conflicting or ambiguous. Complex decisions. Task goal conflicts. |
| Temporal demands | Tracking life-critical time and timing events. Prospective memory tasks. |
| Display design | Display content, design and presentation does not support the task. |
| Ergonomics | Equipment not appropriate for the intended tasks or use environment. |
| Physical demands | Task requires physical strength and sustained endurance. Awkward positions. |
| Health & emotions | Stress, fitness, sleep and fatigue, confidence. |
| Competency | Inadequate training, experience, knowledge of the necessary personality traits. |
| Teamwork | Limited experience working with team members. Not familiar with team member experience, capabilities, accents (language), idiosyncrasies or expectations. |
| Organizational factors | Deficiencies in plans and procedures, staffing, training or use of external resources. |
| Societal factors | Failure to consider the effect of “governance, laws and regulatory regimes, and social, demographic and economic forces…” (Bea et al. 2009) on personnel and organizational elements. |

Reason (1990 p 201) states, “...our principal concern is with the human contribution to system accidents, because accident analyses reveal that human factors dominate the risks to complex systems.” The ability to eliminate or mitigate such errors requires a process that systematically identifies all required elements and provides insight on how the responder is likely to use, deploy and interact with each element. The process should also understand what drives human performance (and error), and assess the mental and physical workload demands under the expected range of response conditions and working environment to ensure these demands are realistic and reliably achievable.

Task success is at risk if one or more ERT members are unable to complete a task in a timely manner because the responder’s mental or physical workload exceeds his/her capability. Workload increases when tasks are urgent and complex. Many initiating events or an event escalation can trigger many simultaneous ER barriers, a condition that can lead to excessive workload. In this confusing, complex and resource-constrained ER environment, responders must prioritize safety-critical tasks in what may be a highly dynamic environment (Woods et al. 2010 pp. 125-128). The OIM and others may be confronted by an ‘either-or’ decision to minimize the risk to personnel or act on a perceived management expectation to ‘do everything possible’ to save the facility from damage or destruction.

A poorly designed user interface to a technical system increases the time and effort needed to find, access and comprehend SA-1 information. According to Woods et al. (2010 pp. 151-153), “...demands for monitoring, attentional control, information and communication among team members (including human machine communication) all tend to go up with the unusualness (situations at or beyond margins of normality or beyond textbook situations), tempo and criticality of situations. If there are workload or other burdens associated with using a computer interface or with interacting with an autonomous or intelligent agent, these burdens tend to be concentrated at the very times when the practitioner can least afford new tasks, new memory demands, or diversions of his or her attention away from the job at hand…” Poor interface design contributes to task complexity, increases workload and places a greater demand on a responder’s short-term working memory (SWM). The type and amount of information one can reliably store and recall from SWM can be significantly reduced when highly stressed, fatigued, distracted or fearful (Reason 1990). A task that requires calling up and remembering information from many computer displays may fail given the high likelihood that information is forgotten or incorrectly remembered.

Consciously or unconsciously, a decision is made on where a responder directs his/her attention. Humans have one ‘attention’ resource. The responder must correctly select where to direct his/her attention and maintain it long enough to complete the SA assessment process, a pre-condition to sound decision making and taking the appropriate actions. Many conditions can cause a responder to unconsciously divert attention from a higher priority task (Flin et al. 2008) or dart between tasks in a manner that makes it very difficult to maintain SA and complete a multi-step task (thematic vagabonding, Reason 2010 p. 93). Driven by evolution, the human tendency is to unconsciously and automatically divert one’s attention to a nearby conversation, a sudden or loud noise, or in the direction of a person walking toward them (Gasaway 2013 p. 160). Locating an incident command center within a poorly designed control room exposes a stressed and potentially overloaded responder to many sources of distractions and interruptions (Woodcock and Au 2013) making it more difficult to complete a complex or multi-step task (Reason 1990 p. 72).

Externally paced tasks, a condition common to the emergency response environment, can “cause work-induced stress” (Booher 2003). Stress, complex tasks, difficult decisions and excessive workload can trigger undesirable behaviors that degrade SA and decision-making, and increase the potential for mental (cognitive) errors (Sneedon et al. 2006). These conditions can cause a responder to fixate on a single task (i.e., cognitive lockup and tunnel vision, Dekker 2006) delaying a high priority task. Essential information may be ignored if it is not consistent with one’s current theory of an evolving event (i.e., confirmation bias, IOGP 2012, Hopkins 2012, Woods et al. 2010, Reason 1990, SPE 2014). Under stress, a responder is more likely to commit a plan continuation error, a circumstance when someone chooses to continue a nearly complete task that is no longer appropriate or safe (IOGP 2012, Hopkins 2012, Endsley and Jones 2012 Section 3, Dekker 2006, Section 14).

A feeling of isolation from home events (Sneedon et al. 2006), lack of sleep and the disorientation that can occur when one is suddenly woken from a deep sleep can degrade SA. Owner/operator staffing decisions and crew rotation practice affect these areas. An individual is “probably unfit to continue working on safety critical tasks” (IOGP 2014b) if he/she had little sleep in the last 48 hours.

When one is highly stressed, the ability to accurately perceive the passing of time becomes distorted (Dekker 2006 p. 143). “Failures of prospective memory – forgetting to remember to carry out intended actions at the appointed time – are among the most common forms of human fallibility” (Reason 1990 p. 107). Prospective memory “…constitutes one of the more vulnerable parts of the memory system...” (Reason 1990).

Environmental conditions can interfere with one’s ability to acquire information. Background noise and poor audio quality may interfere with a telephone conversation between responders and cause the message receiver to miss or misunderstand conveyed information (Gasaway 2013 p 110). Incorrectly selected personal protective equipment can interfere with a responder’s ability to speak and hear when using the specified communication equipment in the performance of a task. A poorly designed evacuation pathway (blind turns) or the presence of smoke across the path obscures the view of what lies ahead. Both can trigger urgent and safety-critical decisions on route selection, movement speed, and evacuation and escape options. Such conditions affect the safety of the evacuation and muster process, and can delay the overall emergency response if the muster process is delayed (Skogdalen et al. 2011).

The perception of organizational priorities and societal expectations may cause a responder to unconsciously and incorrectly prioritize tasks, affecting which are attended to first. From the investigation of the Piper Alpha disaster, Bea (2009) argues that a failure to consider organizational and societal elements is a critical error because the true risk is significantly underestimated.

“The investigative report stated that the majority of the causes of this failure (80 per cent or more) were firmly rooted in human, organizational and institutional malfunctions.” “The human, organizational and institutional causes are termed ‘extrinsic’.” “Because the neglected extrinsic factors are actually fundamental to system performance, expected risks were under-predicted by factors of 100 or more. These findings are consistent with a large body of research that highlights the role of ‘extrinsic’ factors in large-scale system failures…” (Bea 2009).

5 A Process to Integrate SA into ER System and Barrier Design

5.1 Integrating SA into the ER Task

Barrier performance requires a process that holistically designs and integrates all elements that comprise the task sensor, decision and action functions. SA is the product of the sensor function. From POSIT 3, a design error can exist in any element or the integration of elements that comprise the task functions. Reliable and timely task performance begins with a correct ‘sensor’ function design. This is achieved by integrating Endsley’s 3-stage SA model, discussed in Section 3.2, into the sensor function as indicated in Figure 3.

Figure 3 – Human ‘Sensor’ Function

Figure 3 defines the SA needed to guide the decisions and actions that are unique to this task. Populating this form defines the SA-1 information and its sources, and the required comprehension (SA-2) and temporal insight (SA-3). This provides a new and important source of design information used to guide the selection, definition and development of the human, physical, and organizational elements that contribute to each phase of the SA assessment process. This information, when considered in the design process, should reduce the design errors that degrade the SA assessment process (POSIT 3) and contribute to other types of human errors. The same is true for organizational design input, e.g., the SA-3 capabilities may indicate a task that requires a significant level of experience and expertise. The design process can now identify and address the performance-influencing factors that negatively and positively affect each stage of the SA process (POSIT 5). In this representation, societal elements identify aspects that act as performance-influencing factors.

Adding decision and action functions to Figure 3 produces Figure 4. This begins to integrate the information that fully defines a barrier task. The task goals, defined in the task analysis process provide the basis for understanding the required decisions and the subsequent task actions. Task actions typically employ or rely on one or more physical elements, which can now be defined. A full understanding of how physical and organizational elements are applied and used provides valuable input into the element selection and design process, and into the training program.

Figure 4 – SA Centric Task

[Figure 4: within the task boundary, SA-1 information feeds the sensor function (Figure 3), followed by a DECISIONS block (identify required decisions and available decision options; identify organizational elements and performance-influencing factors) and an ACTIONS block (identify required task actions and acceptable task options; identify physical and organizational elements and performance-influencing factors).]

The content presented in Figure 4 provides new information to designers that may reveal unacceptable physical and cognitive demands placed on the responder. The responder’s performance in task decisions and actions is affected by the selection, design and integration of the elements used to implement these functions (POSIT 3). A design error that can degrade individual or Team SA can be introduced in any of these design activities or elements. To complete a fully defined goal-directed task specification (GDTS), Figure 4 is combined with additional information to create Figure 5.

Figure 5 – Goal-Directed Task Specification (GDTS)

The barrier information is entered or referenced. A unique task ID is entered, giving this a unique document number. Many tasks are employed in every ER barrier function, e.g., those assigned to a core group of responders who have assigned tasks with every barrier function.

A target task response time is entered. This entry depends on the nature of the task. Achieving the barrier function within the designated response time means the tasks that contribute to this time must be collectively completed within this period. Many tasks have a more easily defined desired response time, e.g., tasks that make up a muster operation. An on-demand task may require an immediate response to an ERT member’s request. This type of task may interrupt a task already in progress, i.e., the responder faces an immediate task priority decision. Other tasks may repeat periodically, e.g., an ongoing activity to monitor production or drilling processes to ensure they remain in a safe state. The time entered may be the period between cycle completions. This type of activity may be prone to falling behind if one’s workload exceeds his/her capacity.

From POSIT 5, many task attributes affect SA and contribute to human error. Assigning high-level task attribute ratings provides a simple means to flag the more challenging tasks and task traits that should be addressed in the design process. Below are suggested task attributes. From POSIT 5, increasing workload (cognitive and physical) can degrade SA. Workload increases with increasing task urgency and complexity.

Task urgency indicates how quickly the task must be completed given the expected barrier response time. ‘High’ may mean the task must be completed in five minutes or less, or immediately activated and progressed upon receiving the task activation signal or an ad hoc request.

Task complexity indicates the cognitive demands of the task. A ‘high’ rating may identify a task that places considerable demand on short-term working memory or invokes complex decisions. The task may require continuous attention to monitor and report on rapidly changing SA-1 information, or may require coordination with other tasks. It may indicate a high reliance on prospective memory or the need to accurately track the passing of time, both areas of known human limitations.

Physical effort is the physical exertion required to execute the task. ‘High’ may indicate a task action that requires significant physical strength, is performed under severe ambient conditions or an awkward physical position, or requires unusual endurance if the task repeats or continues over time.

Consequence is the impact if the task is not successfully completed within the defined response time. ‘High’ may mean multiple casualties. A task has this potential if it can delay essential information, or provide incorrect essential information, that the OIM uses to develop, track, adjust and manage the response plan and ERT actions.

The team coordinating and communication fields identify the information that is exchanged between parties and the direction of the information flow. For the input field, the task ID of the task that provides the information is entered. If this task provides information to another responder, the task ID of the receiving task is entered. These fields are only used to identify exchanges of clearly defined information that is essential SA-1 information for the receiver and required to coordinate inter-dependent tasks with others.

5.1.1 Team Interactions, Inter-dependency and Team SA

The Team SA elements discussed in Section 3.3 define the ‘glue’ that contributes to team coordination and cohesion. Communications (transactive SA) is the means to achieve and maintain intra-team coordination and a minimum shared understanding of events (Shared SA). Members develop meta SA through experience and training exercises that help each to understand how ERT members respond to their assigned roles, knowledge that may help with work efficiency and responsiveness. Team SA is significantly affected by the organizational and human elements, e.g., the ER plans; communication protocols; training and drills; and the attitudes, attributes and experiences of the responders (human elements). The design of physical systems (e.g., technical systems and displays) must consider these exchanges, and address the performance-influencing factors that can interfere with their use under all expected conditions. The barrier element design should consider each of these when defining and determining how each element is designed and implemented.

A core group of responders is typically engaged in every barrier function (Woodcock and Au 2013, Tabor 2010, Flin et al. 1996). Each must correctly execute many tasks, in coordination with others, to achieve the barrier function. The nature of an accident (e.g., a fire or medical emergency) activates additional responders having event-specific skills and training. Pre-defined communications between responders represent inter-dependency between tasks and responders. The nature of the inter-dependency can contribute to increased task complexity, workload, interruptions (e.g., stop a task to respond to an on-demand request) and challenge responders with changing priorities and overall task management. From POSIT 5 these conditions can degrade or interfere with the individual SA process, and contribute to other types of human error. The assessment process, discussed in later paragraphs, should consider the effect of these interactions and the performance-influencing factors that can interfere with these interactions.

5.2 Defining a Prototype SA-Focused Design and Implementation Process

Changes to traditional design processes are needed to holistically integrate SA methods and principles into the design of an offshore emergency response system. Posits 3, 4 and 5 provide the background and justifications for changing how a human-centered barrier task is designed and specified, and for integrating SA methods and principles into the design process. To be successful given today’s compressed project cycles, the appropriate work must also be performed at the right time in the project cycle. Figure 6 proposes a holistic design methodology that should achieve both objectives. A new facility progresses through a series of discrete project phases that concludes with the installation and startup of a new facility. The proposed design process begins in an early design phase often referred to as the front-end engineering and design (FEED) phase. In this phase, the widest range of design options is possible. Sufficient design information is available to perform one of many process hazard analysis studies, i.e. the hazard identification study or HAZID.

Figure 6 – Project Based Approach to Integrate SA into ER Design

[Figure 6: flowchart of ten numbered steps across two project phases, Front-End Engineering Design (FEED) and Detailed Engineering, Procurement & Design. Step boxes include: Hazard Identification Study (HAZID); Develop Initial Goal-Directed Task Analysis (Interview/review); Develop Initial Goal-Directed Task Sheets (Workshop); Assessments; Implement Approved Changes; Update GDTA (Workshop); Update GDTS (Workshop); Finalize Organizational Development & Implementation; Issue Final GDTS & GDTS. Input documents shown include the owner/operator ER philosophy, proposed ER team organization, ER staffing plan, muster and ER station location plan, design and provisioning, ER response and management plans and procedures, evacuation, escape and rescue plans and drawings, facility layout drawings, communications equipment plan, major accident events list, SCE list and performance standards, PPE list and performance data, formal safety assessment studies, human factors design data, and HMI display and alarm system design.]

Legend: ER – Emergency Response; EER – Evacuation, Escape, Rescue; GDTA – Goal-Directed Task Analysis; GDTS – Goal-Directed Task Sheet; HMI – Human Machine Interface; SCE – Safety Critical Elements.

Step 1.0, the HAZID process, identifies the MAEs that must be addressed in the facility and emergency response system design. This process is common to all offshore projects. The scope of this process should be expanded (or a post-HAZID activity performed) to define the ER barrier function, response time and trigger event or condition.

Step 2, a preliminary task analysis, identifies the goal-directed tasks that comprise the barrier functions that respond to the MAEs identified in Step 1. A hierarchical task analysis (HTA) described by Shepherd (2001) is the proposed method for performing this study. (HTA, more common to Norwegian- and UK-based offshore projects, is less commonly used in other regions and countries.) The proposed form of the study is an interview process (Shepherd and Marshall 2005). A task analyst interviews key members of the proposed ER team and other experts from the owner/operator organization. The analyst collects and organizes the information into the format suggested by Shepherd (2001). The process does not directly address cognitive processes. Because SA is a cognitive process, the HTA process is modified to define the task information and decisions to understand the cognitive challenge placed on the responder and understand how the task goal is achieved. Tasks and task goals should also be framed to encompass the most dynamic information, a task attribute that presents a significant challenge to the responder (Endsley and Jones 2012, chapters 5 and 6).

The HTA process can be time consuming. It can be adjusted to frame task goals at levels of detail (higher or lower) that reflect the time and resources available to participate in the study. Task goals that are later found to encompass too many decisions or actions can be reassessed using the HTA process of ‘re-describing’, a process that parses a high-level goal into several constituent tasks and goals that are more appropriate to the design process. Critical to this process, the operating company provides the ER operating and organizational design experience and expertise. The suggested role of the analyst:

- Conduct the goal-directed task analysis (GDTA) interviews.
- Format the interview results into the HTA format.
- Request clarifications as needed to close gaps and resolve discrepancies. Review the preliminary task analysis with the OIM to confirm content.
- Issue the product of the task analysis to the study participants for review and approval. Alternatively, this team reviews the results in a workshop format.

Step 3 generates the preliminary task specifications (GDTS) described in Section 5.1. In a suggested approach, the task analyst pre-populates the specifications with the information gathered from Step 2, in the form indicated in Figure 5. In a workshop format, the sheets are reviewed by the Step 2 study team. The suggested objectives for the workshop:

- Identify tasks that may be inadequately framed. Return to Step 2 as needed.
- Review the presented information for general appropriateness and correctness.
- Populate the missing information if known.

To reduce the workshop duration, it may be effective to move the primary review of the specialized tasks outside of the workshop format. For this group of tasks, the owner/operator’s experts in medical or fire response can review and make recommended changes beforehand. The updated sheets are then reviewed in the workshop.

In Step 4, the EPC and owner/operator assess the output from Steps 2 and 3. A checklist approach may be the most efficient approach given the typical constraints on an offshore project, e.g., truncated project schedules and the often-limited availability of the operations personnel. From Bea’s (2009) assessment of the Piper Alpha accident, 80% or more of the failures were “firmly rooted in human, organizational and institutional malfunctions.” Many of those malfunctions were attributed to the ERT, and especially the OIM. The task specification provides a new and rich source of information to better understand the unique challenges in each task, and identify the cognitive aspects that are the most vulnerable to performance-influencing factors that degrade SA and responder performance. The assessment may identify tasks that are not appropriately framed or adequately defined, and should be revisited in the HTA process. Table 2, below, identifies the organization that may be best suited to assessing each element.

Table 2 – Proposed Organization to Assess ER Elements (Steps 4 & 8)

| Task Element | Proposed Assessor: Owner / Operator | Proposed Assessor: EPC Contractor |
|---|---|---|
| Human Elements | | |
| Physical Elements | | |
| Organizational Elements | | |

Societal Elements: Reviewed in organizational and human factors assessments

Situation awareness is intrinsically tied to the task decision and action functions. A process that assesses the viability and efficacy of these functions may help to identify issues that can affect the SA process, while directly working to assess the effectiveness and potential reliability of the task and its contribution to achieving the ER response or barrier function. Sklet (2006) defines the following barrier attributes. The scope of the assessment should verify that the collection of tasks that make up the barrier system achieves the defined barrier function.

Functionality/effectiveness: “The barrier functionality/effectiveness is the ability to perform a specified function under given technical, environmental and operational conditions.”

Reliability/availability: “The barrier reliability/availability is the ability to perform a function with an actual functionality and response time while needed, or on demand.”

Response time: “The response time of a safety barrier is the time from when a deviation occurs that should have activated a safety barrier, to the fulfilment of the specified barrier function.”

Robustness: “Barrier robustness is the ability to resist given accident loads and function as specified during accident sequences.”

Trigger event or condition: “The trigger event or condition is the event or condition that triggers the activation of a barrier.”

To that end, the assessment should address the following as a minimum.

Barrier functions are clearly defined.

Each barrier task is correctly framed and the appropriate task goal defined.

The barrier and task trigger is clear and easily detected given the defined environmental, cognitive and physical conditions.

Task sensor, decision and action functions are defined.

The human, physical, organizational and societal elements that comprise the task are defined.


The SA-1 information and level of SA-2 comprehension and SA-3 projection capability needed to support the task decision and guide task actions are appropriately defined.

Physical elements are assessed (ergonomically and cognitively) to confirm they are suitable for the defined use and use conditions.

Task functions (sensor, decisions and actions) are achievable, and can be performed reliably given the assigned staff and staff competencies, the indicated physical, organizational and societal elements, and the remaining performance-influencing factors.

Performance-influencing factors are assessed and, to the extent possible and practical, eliminated or mitigated in accordance with ALARP (as low as reasonably practicable) principles.

The collection of tasks that make up the barrier system can reliably achieve the barrier function within the defined barrier response time.

Table 3 includes examples of published assessment tools and methods that may be appropriate. Operator/owners may have existing tools and methods that are suitable. The content of the task specification indicated in Figure 5 and the overall approach proposed in Figure 6 may warrant a set of assessment tools and processes that are specifically adapted to these processes and products.

Table 3 - Assessment Tools and Methodologies

| Assessment Focus | Source | Methodology |
|---|---|---|
| Task framing and SA design | Endsley & Jones (2012) | Task Analysis and SA design principles |
| SA performance influencing factors | Endsley & Jones (2012) | SA design principles |
| General task understanding | SINTEF (2011) | CRIOP (checklist 4) |
| Procedures | SINTEF (2011) | CRIOP (checklist 5) |
| Training & competency | SINTEF (2011) | CRIOP (checklist 6) |
| Human error | EI (2011) | Workshop |
| Organizational systems | HSE (2008) | Barrier failure assessment |
| General human factors engineering screening | IOGP (2011) | Human factors HAZOP |
| Task complexity | Peng & Zhizhong (2012) | Evaluate task complexity |
| Team SA | Chatzimichailidou et al. (2015) | Guidelines |
| Human factors assessment | HSE (2000) | |
| Human error risk assessment | Deacon et al. (2010) | Human factors HAZOP & risk assessment |
| Organizational systems | Flin et al. (2008) | General principle descriptions |
| General task design | Booher (2003) | General design principles |
| Task transition design | Booher (2003) | General design principles |
| Cognitive and technical system display assessment | Booher (2003) | General design principles |
| Staffing | EI April 2004 | CRR348/2000 methodology |
| Human error, performance-influencing factors | HSE (1999) | Checklist |


In Step 5, the approved changes from Step 4 are implemented or transferred to the detailed design phase of the project for follow-up and implementation. The GDTS should be updated accordingly. This step should also consider the use of the ALARP process to consider and implement additional recommendations that are appropriate and cost effective. The EPC will have the likely responsibility for implementing changes to the physical systems and equipment, e.g., display systems and display design, facility features, communications equipment, supporting systems, etc. The owner/operator is responsible for the human and organizational changes.

Steps 6 to 10 are performed in the detailed engineering phase of the project. During this period, the detailed design and engineering work is progressed and finalized. The early phases begin by updating and confirming the preliminary design work performed in FEED.

In Step 6, the task analysis is reviewed and, where needed, further detailed. Barrier tasks are reviewed to confirm they can achieve the barrier function, and that they align with the owner/operator’s human and organizational plans. This step may be more effective if performed in a workshop format.

In preparation for Step 7 (the task specification workshop), the EPC contractor may be the appropriate organization to update the FEED task analysis with the latest information. The purpose of this step is to further detail and confirm that task goals are:

appropriately framed and defined, and

achieve the barrier function within the defined barrier response time.

In Step 7, the GDTS are updated in a workshop process. The final documents are then issued for design and use. To the extent possible and practicable, all task elements should be called out using unique tag, document and program numbers, a practice that creates a traceable design process and may enhance the efficacy of the assessment process.

The Step 8 assessment may be more rigorous than that employed in Step 4. The objective of the assessments may be similar to those discussed earlier. An ALARP assessment should be performed when required by regulatory or client requirements. Approved recommendations are implemented in Step 9. As required, the GDTS are updated to reflect the final design. The requirements for the ER barrier system are now fully specified. The updated task assessment (GDTA) and task specifications (GDTS) are issued so the contributing organizations can complete their implementation. In Step 10, the owner/operator implements the human and organizational elements accordingly. The value of this package of information is that all organizations are now working with a common set of design information, an approach that works to reduce or eliminate the class of design errors that can occur when multiple organizations contribute to a safety-critical system.

6 Comparative Study of the Proposed Approach to Existing Practice (Future)

In a future issue of this manuscript, this section will compare the presented approach against the more advanced industry and regulatory practices employed in the UK and Norway.

7 Conclusions and Further Development (Future)

In a future issue of this manuscript, this section will draw conclusions from the comparative study. If warranted, this section will also define additional research and development to progress and mature the methods presented in this manuscript.


References

Bea, R., Mitroff, I., Faber, D., Foster, H., Roberts, K.H., 2009. A new approach to risk: the implications of E3, Risk Management (2009) 11, 30-43. doi:10.1057/rm.2008.12

Booher, R.H., 2003. Handbook of systems integration, Hoboken, N.J.: Wiley and Sons Inc.

Carvalho, P., Benchekroun, T., Gomes, J., 2012. Analysis of information exchange activities to actualize and validate situation awareness during shift changeovers in nuclear power plants, Human Factors and Ergonomics in Manufacturing & Services Industries, 2012, Vol 22 (2) 130-144

CCPS, 2001. Layer of protection analysis simplified process risk assessment, New York, Center for Chemical Process Safety of the American Institute of Chemical Engineers

Chatzimichailidou, M. M., Neville, A. S., Dokas, I. M., 2015. The concept of risk situation awareness provision: Towards a new approach for assessing DSA about the threats and vulnerabilities of complex socio-technical systems, Safety Science, 79 (2015) 126-138

Chauvin, C., Closterman, J.P., Hoc, J.M., 2009, Impact of training programs on decision-making and situation awareness of trainee watch officers, Safety Science, 47 (9) 1222-1231

Chiappe, D., Rorie, R. C., Mogan, C. A., Vu, Kim-Phuong, 2014. A situated approach to acquisition of shared SA in team contexts, Theoretical Issues in Ergonomic Science, 2014, Vol 15, No 1, 69-87

Chiappe, D., Strybel, T., Vu, Kim-Phuong (2012) Mechanisms for the acquisition of shared SA in situated agents, Theoretical Issues in Ergonomic Science, 2014, Vol 13, No 6, 625-647

Cooke, N.J., et al., 2007. Team cognition in experienced command and control teams, Journal of Experimental Psychology, Applied, 13, 146-157

Crichton, M.T., Lauche, K., Flin, R., 2005. Incident command skills in the management of an oil industry drilling incident: a case study, Journal of Contingencies and Crisis Management, September 2005, Vol 13, No 3

CSB, 2010. Investigation report volumes 1 & 2, explosion and fire at the Macondo well, Report No. 2010-10-I-OS 6/5/2014

Cullen, Lord W.G., 1990. The public inquiry into the piper alpha disaster, volumes 1 and 2, Department of Energy (UK)

Deacon, T., Amyotte, P. R., Khan, F. I., Human error risk analysis in offshore emergencies, Safety Science, 48 (2010) 803-818

Decker, S., 2006. The field guide to understanding human error, Surrey UK, Ashgate Publishing Ltd., reprint 2010

Decker, S., 2011. Drift into failure, from hunting broken components to understanding complex systems, Surrey UK, Ashgate Publishing Ltd., reprint 2011

Durso, F., et al., 1998. Situation awareness as a predictor of performance in en route air traffic controllers, Air Traffic Quarterly, 6 (1), 1-20

EI, 2004. Safe staffing arrangements – user guide for CRR348/2001 methodology: practical application of Entec/HSE process operations staffing assessment methodology and its extension to automated plant and/or equipment, Energy Institute, London, April 2004

EI, 2011. Guidance on human factors safety critical task analysis, Energy Institute London, 1st Ed, March 2011

Endsley, M. R., 1988. Situation awareness global assessment technique (SAGAT), Proceedings of the National Aerospace and Electronics Conference (NAECON), 23-27 May 1988, Dayton, Oh, New Hour IEEE, 789-795

Endsley, M. R., 1995. Toward a theory of situational awareness in dynamic systems, Human Factors, 37(1) pp 32-64

Endsley, M.R., Robertson, M., 2000. Training for situation awareness in individuals and teams. In: Endsley M., Garland D. (eds) Situation Awareness Analysis and Measurement. Lawrence Erlbaum, Mahwah pp 349-367

Endsley, M.R., Jones, D.G., 2012. Designing for situation awareness: An approach to user-centered design, 2nd Edition, CRC Press

Flin, R., O’Connor P., Crichton, M., Slaven, G., Stewart, K., 1996. Emergency decision making in the offshore oil and gas industry, Human Factors 38(2) 262-277

Flin, R., Slaven, G., Stewart, K., 2008. Safety at the sharp end, Ashgate Publishing

Gasaway, Richard B (2013) Situational awareness for emergency response, Penn Well Corporation (Fire Engineering Series)

Golightly, D., Wilson, J.R., Lowe, E., Sharples, S., 2010. The role of situation awareness for understanding signaling and control in rail operations, Theoretical Issues in Ergonomic Science 11 (1) 84-98

Hopkins, A., 2012. Disastrous decisions: the human and organizational causes of the Gulf of Mexico blowout, CCH Australia Ltd

HSE, 1999. Reducing error and influencing behavior, 1999, HSG48, HSE Books

HSE, 2005. The offshore installations (safety case) regulations 2005, UK S.I. 2005/3117, 2005

IOGP 2010. Risk assessment data directory, evacuation, escape and rescue, London: International Association of Oil and Gas Producers, IOGP Report No 434-19, 3/2010

IOGP, 2011. Human factors engineering in projects, London: International Association of Oil and Gas Producers, IOGP Report No 454, 8/2011


IOGP, 2012. Cognitive issues associated with process safety and environmental incidents, London: International Association of Oil and Gas Producers, IOGP Report No 460, 7/2012

IOGP, 2014a. Crew resource management for well operations team, International Association of Oil and Gas Producers, IOGP Report No 501, April 2014

IOGP, 2014b. Assessing risks from operator fatigue, International Association of Oil and Gas Producers, IOGP Report No 492, 2014

IOGP, 2014c. Guidelines for implementing well operations crew resource management training, International Association of Oil and Gas Producers, IOGP Report No 502, 12/2014

ISO 13702, 2015. Petroleum and natural gas Industries – control and mitigation of fires and explosions on offshore production installations – requirements and guidelines

Naderpour, M., Lu, J., Zhang, G., 2014. A situation risk awareness approach for process systems Safety, Safety Science, April 2014, V 64, pp 173-189

National Commission on the BP Deepwater Horizon Oil Spill and Offshore Drilling 2011. Deep water the gulf oil disaster and the future of offshore drilling, report to the president, January 2011

Norsok, 2010. Risk and emergency preparedness assessment, Z-013, Oct 2010, 3rd Ed, Standards Norway

Peng, L., Zhizhong, L., 2012, Task complexity: a review and conceptual framework, International Journal of Industrial Economics, 42 (2012) 553-568

Perrow, Charles, 1999. Normal accidents: living with high-risk technologies, Princeton University Press, 1999

Reason, J., 1990. Human Error, Cambridge: Cambridge University Press

Rentsch, J., Mello, A., Delise, L., 2010. Collaboration and meaning analysis process in intense problem solving teams, Theoretical Issues in Ergonomic Science, 11, 287-303

Salas, E., Prince, C., Baker, P.D., Shresthal, L., 1995. Situation awareness in team performance: implications for measurement and training. Human Factors, 37, pp. 123-36

Sætrevik, B., Eid., J., 2013. The “similarity index” of shared mental models and situational awareness in field studies, Journal of Cognitive Engineering and Decision Making, Human Factors and Ergonomic Society, 2013, pp. 1-18

Salmon, P.M., Stanton, N.A., Walker, G. H., Jenkins, D.P., 2009. Distributed situation awareness, theory measurement and application to teamwork, Ashgate Publishing Co., England

Salmon, P.M., Stanton, N.A., Walker, G. H., Jenkins, D.P., 2010. Is it really better to share? distributed situation awareness and its implication for system design, Theoretical Issues in Ergonomic Science 11 (1 & 2) 58-83

Shepherd, Andrew, 2001. Hierarchical task analysis, CRC Press

Shepherd, A., Marshall, E., 2005. Timelines and task specification in designing for human factors in railway operations, Applied Ergonomics 36, pp 719-727

SINTEF, 2011. CRIOP: A scenario method for crisis intervention and operability analysis, SINTEF Technology and Society, Report SINTEF A4312, 2011-03-07

Sklet, S., 2006. Safety barriers: definition, classification and performance, Journal of Loss Prevention in the Process Industries, 19 (2006), pp 494-506

Skogdalen, J.E., Khorsandi, J., Vinnen, J.E., 2011. Looking back and forward – evacuation, escape and rescue (EER) from the Deepwater Horizon Rig, Deepwater Horizon Study Group Working Paper – January 2011

Sneddon, A., Mearns, K., & Flin, R., 2006. Situation awareness and safety in offshore drill crews, Cogn Tech Work, 8 pp 255-267

Sneddon, A., Mearns, K., & Flin, R., 2013. Stress, fatigue, situation awareness and safety in offshore drill crews, Safety Science, 2013, Vol 56, pp 80-88

Sorenson, L, Stanton, N.A., Banks, A.P., 2011. Back to SA school: contrasting three approaches to situation awareness in the cockpit, Theoretical Issues in Ergonomic Science 12 (6) 451-471

SPE, 2014. The human factor; process safety and culture, SPE Technical Report, Society of Petroleum Engineers, March 2014

Stanton, N.A., 2010. Situation awareness: where have we been, where are we now, and where are we going?, Theoretical Issues in Ergonomic Science 11 (1 & 2) 1-6

Sutton, I. S., 2012. Offshore safety management, Sutton Technical Books, 2012

Sträter, O., 2005. Cognition and safety: an integrated approach to systems design and assessment, Ashgate Publishing Ltd, 1st Ed

Taber, Michael John, 2010. Human systems integration and situational awareness in microworlds: an examination of emergency Response within the offshore command and control system, PhD Thesis, Dalhousie University, Halifax, Nova Scotia, December 2010

Woodcock, B., Au, Zachary, 2012. Human factors issues in the management of emergency response at high hazard installations, Journal of Loss Prevention in the Process Industries, 26 (2013) 547-557

Woods, D.D., Dekker, S., Cook, R., Johannsen, L., Sarter, N., 2010. Behind human error, Ashgate Publishing, 2nd Ed.