CAN TECHNOLOGY ELIMINATE HUMAN ERROR?

A. G. FOORD and W. G. GULLAND�

4-sight Consulting, Harpenden, UK

This paper argues that it would not be possible to design technological systems toeliminate all human errors during operation because people are involved in: specify-ing, designing, implementing, installing, commissioning and maintaining systems as

well as operating them. The paper illustrates this with examples of incidents caused byhuman error and concludes that, even if systems can operate without human intervention,there is still the possibility of human error at other phases of the lifecycle. Thus to improveprocess safety it will be necessary to focus on behaviour and methods of working during allphases of the lifecycle so as to remove or reduce opportunities for human error.

Keywords: safety; human behaviour; methods of working; specification errors; design errors;installation errors; maintenance errors.

INTRODUCTION

Trevor Kletz (2004) chaired a half-day discussion at theHazards XVIII (2004) conference in Manchester on‘Human Factors & Behaviour’. The speakers put forwardtwo opposed views. Some described ways of changing beha-viour and others thought that it was more effective, particu-larly when trying to improve process safety, to changedesigns or methods of working so as to remove or reduceopportunities for human error. All agreed that there is aneed for both approaches—the differences were ones ofemphasis—but nevertheless there was a real disagreementon which approach was the more practicable and successful.

The disagreement reported implies that some peoplesuggest focusing primarily on a design that eliminateshuman errors during operation. This paper gives examplesof incidents in a variety of industries to illustrate:

. the problems of focusing on designs when trying toimprove process safety; and

. the need to consider the behaviour and methods of work-ing of designers.

When no reference is cited, the information came from aprivate communication or our own experience.

HUMAN ERROR

The authors agree that, when trying to improve processsafety, we need to consider all three approaches to reducethe opportunities for human error:

(1) ways of changing behaviour, and

(2) designs, and(3) methods of working.

Any discussion of the value of focusing on designs needs toconsider:

(1) the various types of human error; and(2) the design process itself.

TYPES OF HUMAN ERROR

Figure 1 based on Figure 2 from HSG48 (1999) providesone classification of types of human failure. Thus, we mightthink that a design could aim to eliminate all seven ofthe categories of errors, mistakes and violations shown inFigure 1 during operation. A design would then not beaccepted unless evaluated against all possible skill-basederrors and mistakes and violations during operation of thedesign. For example, Hazards XVIII (2004) mentions onpage 663 an ‘Application Guide on Human Factors inEngineering Design’ (Kariuki and Lowe, 2004)—a guide-line to assist engineers to design a process facility thataddresses the capability of the operator.

DESIGN PROCESS

However, operation is only part of the lifecycle of anydesign and the guideline (Kariuki and Lowe, 2004) doesnot cover the capability of the designer or the activitiesinvolved in design or any parts of the lifecycle other thanoperation and maintenance. Human error needs to beconsidered during:

(1) specifying(2) designing(3) implementing

�Correspondence to: Mr W. G. Gulland, 4-sight Consulting, 51 CowperRoad, Harpenden, AL5 5NJ, UK.E-mail: bill.gulland@4-sightconsulting.co.uk

171

0957–5820/06/$30.00+0.00# 2006 Institution of Chemical Engineers

www.icheme.org/psep Trans IChemE, Part B, May 2006doi: 10.1205/psep.05208 Process Safety and Environmental Protection, 84(B3): 171–173

(4) installing & commissioning(5) operating and(6) maintaining.

The book Out of Control (2003) summarizes the analysis of34 incidents in the process industry. On pages 44 and 45 itstates: ‘. . . a total of 56 causes were identified for the 34incidents. This data has been grouped in Table 2, whichgives the percentage of the primary causes attributable toeach lifecycle phase’.

Figure 2 (based on Figure 10 from Out of Control, 2003)presents these figures in a pie chart. The summary in Out ofControl reveals that technology failures resulted in only asmall proportion of the incidents. In the 34 incidents ana-lysed, 44% had inadequate specification as their primarycause.

Other primary causes listed are:

. 20% changes after commissioning;

. 15% design and implementation;

. 15% operation and maintenance; and

. 6% installation and commissioning.

In order to produce a design that eliminated all humanerrors during operation we would also need eliminatehuman error from all the other phases of the lifecycle.Out of Control (2003) illustrates how difficult this is toachieve for control, monitoring and protection systems.The following examples illustrate that similar problemsapply to many designs, not just control, monitoring andprotection systems.

Specification Error Example

The specification should include both the functionrequired and the environment within which the functionis to be performed. Kletz (1999) states on page 158 ‘Forexample, a Hazan showed that the probability of a leakof toxic material was acceptably low. At times small fragilepackages containing toxic substances had to be moved butthey were conveyed in trolleys and kept in them. However,when the lift was out of order a package was carried down-stairs and placed on a table. It slid off and the contentsleaked.’

Software tools are available to check that explicit specifi-cations are consistent, but it is much harder to ensure thatspecifications are complete. It is difficult to imagine a tech-nology that does not depend upon human behaviour to definea specification, although technology could be used to warnthat the environment is not consistent with the specification.For example, monitoring systems are now available that canwarn of abuse of packages during transportation.

Design Errors

For example, the instructions for one of the first Appleportable computers stated ‘with the aid of a largehammer it is possible to insert the battery the wrong wayround!’ Unfortunately the same care was not taken withthe design of a light guard on a guillotine using an edgemounted printed circuit board. The guard stopped theblade from operating if anything interrupted the beams oflight in front of the guillotine. After maintenance theprinted circuit board was reinstalled upside down. Inter-rupting the light beams then caused the blade to move,injuring an operator. This was not fail-safe and is primarilya design error, not just a maintenance and testing error.

Implementation Errors

A supplier provided 20 flanges, 19 mild steel and onestainless steel (as he did not have enough mild steelflanges). He thought this was helpful as the stainless steelflanges were better than the required mild steel specifica-tion. He did not consider that mild steel welding wouldhave failed on the stainless steel flange. Fortunately thecustomer used 100% material testing and the mistake wasidentified before welding commenced. Given a good speci-fication, implementation errors should be easier to detect,but design and implementation errors are still a significantcause of incidents.

Installation and Commissioning Errors

The low pressure trip failed at a power station. Examin-ation revealed that the commissioning override had never

Figure 1. Types of Human Failures. Based on Figure 2 from HSG48(1999).

Figure 1. Allocation of Primary Causes of Incidents to Project LifecyclePhases. Based on Figure 10 from Out of Control (2003).

Trans IChemE, Part B, Process Safety and Environmental Protection, 2006, 84(B3): 171–173

172 FOORD and GULLAND

been removed. (This might be considered a design error asthe override should have included a timer that limited howlong the override could remain in place.)

A distillation column was upset every time it rained.Months were spent trying to analyse what was happening.Eventually a small plastic protective plug was found inthe vent port of the air supply regulator of the valve con-trolling the heat input to the column; normally there wassufficient leakage around the plug for the regulator towork correctly, but when rainwater got into the threadsbetween the regulator and the plug it formed a seal. Theplug should have been removed as part of the installationand commissioning process.

Operation Errors Despite Design for Safety

Some decades ago there was an unusual increase in theincidence of minor shunt road accidents. Initial analysisshowed the increase was occurring with more expensivecars, and further analysis showed these cars were fittedwith anti-lock braking systems (ABS). After questioningmany drivers it eventually emerged that a significantnumber of drivers were driving closer to the car in front,knowing that ABS would enable them to brake harderand more effectively.

This is now recognized as a possible effect of any carsafety device: seat belts; air bags; active suspension; andso on. Some drivers may drive nearer the edge of thesafe envelope assuming that the technology will protectagainst their driving errors. ‘Risk compensation’ (some-times known as ‘risk homeostasis’) is the term now usedto describe this behaviour.

A chemical plant had separate storage tanks for acid andcaustic soda. Both were delivered by road tanker. One daythe supervisor challenged an operator who was leaving thecontrol room with a large spanner. The operator explainedthat he needed to change a coupling on the plant as it didnot fit the tanker that had just arrived. The supervisorexplained that it was designed that way to prevent liquidbeing unloaded into the wrong tank. The design plus theintervention of the supervisor prevented an accident arisingfrom mixing acid and caustic soda.

Maintenance Errors

Repair or replacementAircraft windscreen (Aviation Safety Network, 1990):

The windscreen of a British Airways BAC One-Eleven528FL passenger aircraft was replaced with bolts ofwhich 84, out of a total of 90, were of smaller than speci-fied diameter. The maintenance work looked complete, buton 10 June 1990 at altitude when the aircraft was pressur-ized, the windscreen blew out. The commander was suckedhalfway out of the windscreen aperture and was restrainedby cabin crew whilst the co-pilot flew the aircraft to a safelanding at Southampton Airport.

Cleaning1. Shutdown valve: A solenoid operated pneumatic valve

(SOV) was a vital part of a shutdown system. The exhaustport of the SOV was not covered while the surroundingarea was cleaned by sand blasting. Sand entered the SOV

and caused a fail to danger. Fortunately this was discoveredat the next trip (proof) test, so no injuries resulted.

2. Aircraft pressure ports (Job, 1998): The underside ofan aircraft was to be cleaned so the static (reference)ports for both the air speed indicator and the altimeterwere covered with strong adhesive tape before cleaningbegan. The maintenance procedure required that after com-pleting the cleaning, the cleaner should remove the tape andthe maintenance supervisor should sign that he had checkedthat the tape had been removed. Despite these precautions,the aircraft took off with both static ports still covered withtape. During the flight the pilot received the bizarre combi-nation of simultaneous warnings for both overspeed andstall (the stick shaker operated as part of the stall warning).The pilot made the plane dive to avoid stalling but the alti-meter read 9700 feet when in fact the plane was less than1000 feet above the sea and the ‘too low terrain’ warningsounded as well as the overspeed and stall warnings.Sadly the plane crashed into the sea with the loss of allcrew and passengers before the false alarms wererecognized.

CONCLUSION

The examples in Out of Control (2003) and those aboveillustrate that human error may occur when specifying,designing, implementing, installing, commissioning, oper-ating and maintaining systems. Even if technological sys-tems can operate without human intervention, there isstill the possibility of human error at other phases of thelifecycle.

Design may reduce the possibilities for human errorduring operation, but only if human error can also be elimi-nated during all the other phases of the lifecycle. Thus itwill be necessary to focus on human behaviour andmethods of working during the whole lifecycle, not justoperation. Focusing on ‘the design for operation’ alonewill not be enough.

REFERENCES

Aviation Safety Network, 1990, Available from World Wide Web:http://aviation-safety.net/database/record.php?id=19900610-1, accessedJanuary 2005.

Hazards XVIII, 2004, IChemE Symposium Series No 150, ProcessSafety—Sharing Best Practice, pp. 652–725 (IChemE).

HSG48, 1999, Reducing Error and Influencing Behaviour, p. 12 (HSEBooks).

Job, M., 1998, Air Disasters Volume 3 (Aerospace Publications Pty).Kariuki, G. and Lowe, K., 2004, Incorporation of Human Factors in the

Design Process, guide prepared for PRSIM Focus Group 4, Institutefor Plant and Process Technology, Process Safety and Plant Technology,Technische Universitat Berlin, Germany. Available from World WideWeb: http://www.prism-network.org/, accessed January 2005.

Kletz, T., 1999, HAZOP and HAZAN Identifying and Assessing ProcessIndustry Hazards, p. 158 (IChemE).

Kletz, T., 2004, Trevor’s Corner, Previous Issues, Corner no 1 Availablefrom World Wide Web: http://psc.tamu.edu/TrevorSays/T%27s%20corner%201%20Rev.pdf, accessed January 2005 from Mary KayO’Connor Process Safety Center, http://psc.tamu.edu.

Out of Control (2003), 2nd edition, pp. 44–45 (HSE Books).

The manuscript was received 31 August 2005 and accepted forpublication after revision 1 February 2006.

Trans IChemE, Part B, Process Safety and Environmental Protection, 2006, 84(B3): 171–173

CAN TECHNOLOGY ELIMINATE HUMAN ERROR? 173