Vol1

Impact of Process Safety Management
Performance and Human Error on Off-Site

Risk -A Comparative Study
Volume I- Thesis
A Thesis Submitted to the University of Sheffield for the

Degree of Doctor of Philosophy
October 1997
by
Johari Basri
B. E. (Universiti Teknologi Malaysia, 1977),
M. Sc. (University of Manchester, UK, 1984)
Department of Chemical and Process Engineering

University of Sheffield, United Kingdom
Summary
The research described in this thesis provides a comparative study of the impact
of
Process Safety ManagementSystem(PSMS) performanceand Human Error rates on
off-site risk from two major hazardssites in Malaysia. One of the sites was built and
run by a multinational company until a few years ago while the other was built and
run by a local company since its inception. The sites handle bulk quantities of
ammonia for downstreamdistribution. The study considers:
the assessmentof the sitesPSMS performanceusing a structured audit technique

the assessmentof human error potential from ammonia road-tanker filling
operations
assessingthe impact of site PSMS and humanerror potential on off-site risk from
the sites
investigating the possibility of linking the assessmentof site PSMS performance
with human error potential
Resultsof QuantitativeRisk Assessment

(QRA) conductedon the two sitesshoweda
significantdifferencein termsof individualandsocietalrisk when site specificPSMS
performanceand humanerror potentialare takeninto consideration.The use of site
Factor(MF) andsite specificHumanError Probabilities(HEPs)
specificManagement
producesa significant impact on the results of the off-site risk as comparedto
estimatesof risk basedonly on genericfailure rates. This finding emphasizedthe
needto considerexplicitly the contributionof site specificPSMS performanceand
human error potential in major hazard risk assessment especiallyin developing
countries like Malaysiawhere there exists significantdifferenceson these factors

betweenlocally ownedandmultinationalsites. The approachto link the resultsof the
of humanerror potential
site specificPSMS performanceaudit with the assessment
was found to be inadequate to describeall the influenceswhich will be exertedon the
reliability of individualtasks involvinghumanerror potential.
opsis
The researchdescribedin this thesisprovidesa comparativestudy of the impact of

ProcessSafetyManagementSystem(PSMS)performanceandHumanError rateson
off-site risk from two major hazardssitesin Malaysia.One of the siteswas built and
run by a multinationalcompanyuntil a few yearsago while the other was built and
run by a local companysince its inception. The sites handlebulk quantitiesof
ammoniafor downstreamdistribution. The studyconsiders:
the assessmentof site safety managementperformance using a structured audit

technique
the assessmentof human error potential from ammonia road-tanker filling
operations
e assessingthe impact of site specific safety managementperformance and human
error potentialon off-siterisk from the sites
investigating the possibility of linking the assessmentof site specific safety
managementperformanceand humanerror potential
The Process Safety Management Systems(PSMS) at three major hazard sites were
using a structuredaudit techniquecalledPRIMA. Two of the siteswhich

assessed
are ammoniabulk terminalsprovidedthe venuefor the casestudies. The other site, a
compoundfertiliser plant which uses ammonia,was also audited to provide an
involvedsite inspection,interviewing
additionalPSMScomparison.The assessments
andworkforce,observingthe executionof hazardoustasks,verifying
the management
documentsand analysingaccidentrecords. The resultsof the audit are presentedin
the form of management
control loopswhich highlightthe strengthsand weaknesses
of key elementsof the PSMS for eachsite. A quantitativeoutput in the form of a
Modification Factor (MF) for eachsite is also determined. This factor is used to
modify genericfailure ratesusedfor QuantitativeRisk Assessment
(QRA) in order to
include site specificPSMS standardin the risk assessment.The audit assessments
A PhD Thesisby J.Basri

i
show that the three sites have different PSMS performanceas defined by the PRIMA
technique. Site A was assessedto have a Poor MF, Site B has an Average NE,
while Site C has a Good MF. The study indicated a difference of about a factor of
10 in term of the PRIMA Modification Factor between the two extreme sites. This
finding emphasisedthe need to consider explicitly the contribution of site specific
managementperformancein major hazardrisk assessment.
As the control of humanerror is an important aspectin processsafety managementa
specific study on this subject was also conducted in an attempt to explore its
relationship with the PSMS performancefor each site. For this purpose ammonia
filling operationsat Site A and Site B were assessed,
basedon physical inspectionsof
the filling system, interviews with the operators, analysing work procedures and
observation of critical tasks with the help of video taping. A human error analysis
technique, SLIM was used for the analysis,which identified a number of critical
tasks that provide major contributions to human error potential in ammonia filling
operations. The analysisalso yields a quantitativeoutput in the form of Human Error

Probabilities (BEPs), based on the analysis of Performance Influencing Factors
(PIFs) on thesecritical tasks. The tasks to connectand disconnectflexible hoses,and
setting the target filling weight for the road tanker were found among the most
critical to humanerror.
QuantitativeRisk Assessment (QRA) was carriedout on the two sitesto determine

the off-site risk from ammonialoadingoperationsto a road tanker in the form of
individualrisk and societalrisk. Informationrequiredfor the QRA was gathered
through the examinationof plant layout, piping and instrumentationdiagrams,
physicalplant inspections,analysisof the local weatherand a determinationof the
populationdistributions. Two typesof QRA approachwere conducted. The first
one used representativefailure sets to study the impact of site specific PSMS
performanceon off-site risk. Initially a baselineQRA was conductedon eachsite
using genericfailurerates. Thenthe PREWAModificationFactors(W) were used
to producesite specificfailurerateswhich providean explicit measureof the PSMS
performance.
A PhD Thesis by J. Basri

ii
The second approach used fault tree modelling to decomposethe failure events so as
to include the human actions in carrying out the loading operation. The human error
rates in the form of IHEPsfrom a SLIM assessment were used as an input for the
QRA. This approach models the effect of the site specific PIFs on human error
rates. Additional runs were then conductedusing nominal IHEP values from T]HERP
and BEART databasesto compare the off-site risk results using these values which
represent generic human error rates. A number of sensitivity runs were also
conducted using IHEPsderived from SLIM using different sets of calibration points to
analysethe impact of selectingthe different calibration points which representone of
the main uncertainties of using the technique.
Results from these two different approaches highlight the effect of PSMS
performance and human error on off-site risk. The effect of considering site specific
PSMS performance in conducting the QRA increasesthe off-site risk distance to a
specified individual risk level of IOE-06 by a factor of 2 and 1.2 for Site A and
Site B respectively, while the effect of considering individual human error
contributions increasesthe off-site risk distanceto a specified individual risk level of

IOE-06 by a factor of about 1.2 and I for Site A and Site B respectively. The
results show that both approachespredict similar effects for the influence of site
specific PSMS performance and the site specific human error rates on off-site risk.
The results also suggest that despite its global approach, the PREVA technique is
capable of predicting the effect of site specific organisational characteristics on

QRA results, in a mannerwhich is comparableto the more detailed approach of using
fault tree modelling.
The study found that the site specific PSMS performance provided significant
influence on off-site risk at the two major hazard sites. This suggested the need to
consider explicitly its influences, especially in developing countries like Malaysia
where there exist significant difference in PSMS performances, for example between
locally owned and multinational sites. The PSMS laid down by the multinational
company was found to have provided a positive contribution to PSMS performance

for the sites under study. It also provided positive contributions in managing human
error through better training, the retention of experienced personnel and good
A PhDThesisby J.Basri III

operating procedures. However it is interesting to note that the influence of
individual human errors on QRA is complex, becausewhile human error increases
system failure rates, people also provided mechanismsfor recovery in the event of
hardware failures.
The study also found that the PRIMA audit approach, the human error analysis
technique SLIM and the QRA tool RISKAT were all suitable to be used for a
developing country like Malaysia, with only minor modifications. It also found that
QRA requires good site specific weather data as this strongly influencesthe outcome
of the risk results, especially for toxic materials. It therefore stressedthe need to
develop good weather data which is quite scarcein developing countries.
An analysis was also made to link the results of the PRIMA audit with the
assessmentof human error. The aim was to utilise valuable information gathered
through the structured audit technique for the quantification of site specific human
error potential. However it was found that the PRIMA audit information can only
assessperformance at global or organisationallevel, and is inadequateto describe all
the PIFs which will have an effect on the reliability of individual tasks which involve
human error.
Finally the research has involved the application of knowledge from three distinct
types of subject areas i. e. Safety Management Systems,Human Error Analysis and

Quantitative Risk Assessment.It has explored the overlapping boundaries of the
contributions between systemhardware failures, human error and safety management
on off-site risk. The comparative study conducted on two major hazard installations
provideda means to investigate

the interplaybetweenthem in a real world situation.
The fact that the two sites under investigationwere in a developingcountry, like
Malaysia, provides further dimensions to the research.
A PhD Thesisby J.Basri iv

Acknowledgement
I would to take the opportunity here to expressmy gratitude to everybody that has
helped to made this researcha reality. In the U. K. special mention is made to
my
supervisor Dr. Martin Pitt of The University of Sheffield, my external advisors Dr.
Nick Hurst and Ms. Jill Wilday of Health and Safety Laboratory, and Dr. David
Embrey of Human Reliability Associatesfor their invaluableguidanceand support. In
Malaysia I would like to thank the The Government of Malaysia for sponsoring my
study, The Department of Occupational Safety and Health for granting me the study
leave, The Major Hazard Division officers for assisting me in conducting the field
work and various other governmentagenciesthat haveallowed me to obtainedthe

necessarydata for my research.
Moral support from my family has been instrumental in completing the research and
they deservemy deepestlove and gratitude. For my wife Ibah for her patience and
perseverance. For my three children Juriana,Ilyana and Izzaty for keeping the house
lively with their antics and I hoped they have enjoyed their stay here in Sheffield and
made many new friends along the way.
Finally in the world full of uncertaintymancould only at bestexplorewhat hasbeen

harmoniouslydesignedby the Creatorand stumbledalongthe way evidencesof His
greatness.While we canplanto anticipatethe future asin the caseof risk assessment,

He is the only Onewho could turn the planinto a reality.

V
Table of Contents
Page
Chapter I Introduction
1.1Research
Topic 1
..........................................................................................
1.2Background 1
..............................................................................................
1.3ProblemStatement 4
...................................................................................
1.4 ResearchGoal 4
..........................................................................................
1.5 ResearchObjectives 5
..................................................................................
1.6 Hypotheses 6
.............................................................................................
1.7 Conceptual Assumptions 6
...........................................................................
1.8 ResearchMethod 7
......................................................................................
1.9 The Thesis 8
................................................................................................
1.9.1 Chapter 2- Literature Review 8
............................................................
1.9.2 Chapter 3- ResearchMethodology 9
....................................................
1.9.3 Chapter 4- PSMS Audit on 3 Major Hazard Sites II
............................
1.9.4 Chapter 5- BEA on Ammonia Loading Operations 12
...........................
1.9.5 Chapter 6- Quantifying Off-site Risk from Ammonia 12
.........................
Loading Operation
1.9.6 Chapter 7- Using PRIMA as an Integrated Audit for PSMS and BE 14
...
1.9.7 Chapter 8- Findings, Conclusionsand Suggestionfor Further Works.. 14
Chapter 2 Literature Review

2.1 Introduction 17
..............................................................................................
2.2 Current Situation on Major HazardsControl in Malaysia .......................... 17
2.3 The Application of QRA for Major Hazards Control 19
.................................
2.4 Current ADt)roaches of ORA 20
....................................................................
2.5 The Influences of PSMS on ORA 25
.............................................................
2.6 The Quantification of PSMS Influences 26
....................................................
2.7 The Contributions of Human Error To Risk 30
..............................................
2.8 Qualitative Analysisof HumanError 32
........................................................
2.9 Quantificationof HumanError 37
..................................................................
2.10 CurrentApproachesto IncorporateOrganisational FactorsandHuman
Error into QRA 40
.....................................................................................
A PhD Thesisby J.Basri A
2.10.1 The Work Process Analysis Model (WPAM) 40
................................
2.10.2 The Onion Model 41
.............................................................................
2.10.3 Incorporation of Organisational Factors into Human Reliability
Analysis 43
.........................................................................................
2.10.4 Model Of Accident Causation using Hierarchical Influences Network
(MACHINE) 45
.................................................................................
2.10.5 System - Action - Management (SAM) Approach 48
...........................
2.10.6 The PRIMA Audit 51
..........................................................................
2.11 Conclusions 53
...........................................................................................
Chapter 3 Research Methodology
3.1 Introduction 55
.............................................................................................
3.2 ResearchBackground 55
..............................................................................
3.3 Regulatory Framework 56
............................................................................
3.4 Overview of Methodology 58
.......................................................................
3.5 ResearchDesign 61
......................................................................................
3.5.1 Selection of the NffH for comparison 62
................................................
3.5.2 Selection of an operational activity for Human Error Analysis 63
...........
3.5.3 Selection of techniquesfor analysis 64
...................................................
3.6 ResearchProcedures 66
................................................................................
3.6.1 Analysing the background of MER in Malaysia 66
...............................
3.6.2 Selectingtwo MIR in Malaysia for comparativestudy 67
.......................
3.6.3 Conducting baselineQRA 68
.................................................................
3.6.4 Quantification of PSMS performance 69
................................................
3.6.5 Modification of generic failure rate 70
....................................................
3.6.6 Conducting QRA using modified generic failure rate 70
.........................
3.6.7 Comparing QRA results between the two MIR 71
.................................
3.6.8 Selectingan activity in normal operation for Human Error Analysis ... 71
3.6.9 Conducting Human Error analysis 72
.....................................................
3.6.10 Comparing Human Error analysisresults 72
.........................................
3.6.11 Analysing the contribution of PSMS performanceand Human Error
to risk 73
.............................................................................................
3.6.12 Developinga procedureto link the PSMSandHumanError audit
73
usingPREVIA.................................................................................
3.7 Conclusion 74
..............................................................................................

vii
CHAPTER 4 Conducting PSMS Audits on 3 Major Hazard
Sites in Malaysia
4.1 Introduction 75
.............................................................................................
4.2 The PRRvfA Audit 75
...................................................................................
4.3 Conducting PRHv1Aaudits in Malaysia 77
....................................................
4.3.1 Conducting training for the Malaysia audit team 77
................................
4.3.2 Providing keywords to PRIMA audit questionnaires 78
...........................
4.3.3 Preparing a structured answersheets 78
.................................................
4.3.3 SelectingMH11for PRIMA audits 78
......................................................
4.3.4 Pre -Audit plant familiarisation 84
..........................................................
4.4 Conducting PRIMA Audits 85
......................................................................
4.4.1 Managementbriefing 85
........................................................................
4.4.2 Plant familiarisation 85
...........................................................................
4.4.3 Conducting interview 86
........................................................................
4.4.3 Document verification 88
.......................................................................
4.4.4 Site inspection 88
..................................................................................
4.4.5 Formed judgement 89
............................................................................
4.4.6 Post audit managementbriefing 89
.........................................................
4.4.7 Audits duration 92
.................................................................................
4.5 PREqA audit results 92
...............................................................................
4.5.1 PSMS Control Loops for the 3 sites 92
..................................................
4.5.2 Summaryof PSMS audit results for the 3 sites 97
..................................
4.5.3 Comparisonof PSMS audit resultsbetween Sites 99
..............................
4.6 PRIMA Modification Factors 100
...................................................................
4.7 Strengths and Shortcomings of PRHVIA 104
...............................................
4.7.1 Strengths 104
..........................................................................................
4.7.2 Shortcornings 105
....................................................................................
4.8 Recommendationto improve PRDJA 105
......................................................
4.8.1 The methodology 105
..............................................................................
4.8.2 The audit tools 106
..................................................................................
4.8.3 Usage of PREN4Aaudit 106
.....................................................................
4.9 Conclusions 107
.............................................................................................
A PhD Thesisby J.Basri viii

CHAPTER 5 Conducting Human Error Analysis on Road
Tanker Loading Operation
5.1 Introduction 108
............................................................................................
5.2 Human Error Analysis 108
............................................................................
5.2.1 Description of ammoniabulk terminals 109
..............................................
5.2.3 Data collection for Human Error analysis 112
..........................................
5.4 Qualitative Analysis of Human Error 112
........................................................
5.4.1 Selecting a hazardous activity for PHEA 113
...........................................
5.4.2 Brief description of road tanker filling operation 118
................................
5.4.3 Task Analysis 119
....................................................................................
5.4.4 Predictive Human Error Analysis 123
.........................................
5.4.5 Implementing human error reduction strategies through PSMS 132
.........
5.4.6 Performance Influence Factor (PIF) analysis 142
.....................................
5.5 QuantitativeAnalysisof HumanError 147
......................................................
5.5.1 The SLIM technique 147
.........................................................................
5.5.3 Determining 1HEPsfor ammoniaroad tanker loading tasks at the two
sitesusing SLIM technique ............................................................... 148
5.5.3.1 Definition of situationsand subsets 148
..............................................
5.5.3.2 Selectthe relevantPlFs 149
...............................................................
5.5.3.3 Rate the PIFs selected 151
.................................................................
5.5.3.4 Assigning weight to selectedPIFs 157
...............................................
5.5.5 Calculating the SuccessLikelihood Indices (SLIs) 157
..............................
5.5.6 Converting The SLIs into probabilities 158
..............................................
5.6 Conclusions 168
..............................................................................................
CHAPTER 6 Conducting QRA on Road Tanker Loading
Operation
............................................................................................
6.1.1 Objectives of conducting the QRA 171
........................................................
6.1.2 Types of ammoniareleasesthat can lead to off-site risk 174
........................
6.1.3 Events that could lead to ammoniareleases 174
...........................................
6.1.4 Quantifying risk from ammoniareleases 175
................................................
6.1.5 Criteria to assessthe impact of risk 176
.......................................................
6.2 Description of Ammonia Bulking Operations 176
...........................................
6.2.1 Site A 177
...............................................................................................
ix
6.2.2 Site B 178
...............................................................................................
6.3 Collecting Data for QRA on the Two Sites 179
.............................................
6.3.1 Collecting Malaysian Weather Data 180
...................................................
6.3.2 Determining population density surrounding the sites 184
........................
6.3.3 Selecting hardware generic failure Rate 184
.............................................
6.3.4 Determining Human Error Probabilities (HEPs) 186
................................
6.4 Conducting QRA on the Two Sites 186
..........................................................
6.4.2 Goal and Objectives 187
..........................................................................
6.4.3 Approaches taken to conduct QRA 188
...................................................
6.4.4 Conducting QRA using Representative Failures approach 191
................
6.4.5 Conducting QRA using Fault Tree Modelling 194
.....................................
6.5 Results of Fault Tree Analysis 196
..................................................................
6.5.1 FTA results for Site A 197
.......................................................................
6.5.2 FTA results for Site B 200
.......................................................................
6.5.3 Comparing FTA results between Site A and Site B 202
............................
6.6 Results of Quantitative Risk Assessment(QRA) 205
......................................
6.6.1 Discussion on QRA results for Site A 206
................................................
6.6.1.1 QRA results using RepresentativeFailure approach 206
................
6.7.1.2 QRA Resultsusing Fault Tree Modelling 210
...................................
6.6.2 Discussion on QRA Results for Site B 216
..............................................
6.6.2.1 QRA Results using RepresentativeFailure approach 216
...................
6.6.2.2 QRA Results Using Fault Tree modelling 217
...................................
6.6.3 Comparison of QRA results betweenthe two sites 225
............................
6.6.3.1 QRA using Representativefailure Set approach 225
.........................
6.6.3.2 QRA using Fault Tree Modelling 226
.................................................
6.6.4 Summaryof the impact of PSMS performanceand Human Error to
QRA results 227
.....................................................................................
6.6.4.1 The impact of PSMS performanceon QRA results ..................... 229
6.6.4.2 The impact of Human Error on QRA results ............................... 229
6.6.4.3 The impact of assessedand nominal IHEPson QRA results ......... 229
6.7 Conclusions 230
..............................................................................................
CHAPTER 7 Using PRIMA as an integrated audit for PSMS
and HEA
.............................................................................................
x
7.2 Common attributes that are essentialfor both PSMS and BEA 233
..................
7.3 How PRIMA Audit assessedthe attributes 233
..............................................
7.4 Examining the possibility of assessingPIFs for BEA using PRIMA Audit.. 233
7.5 A simple method to quantify PIFs rating 237
..................................................
7.6 Conclusion 241
..............................................................................................
CHAPTER 8 Discussions, Conclusions and Suggestions for
Further Work
.............................................................................................
8.2 Findings 242
...................................................................................................
8.2.1 PSMS performance differs between the 3 sites 242
..................................
8.2.2 Strengths and weaknesses of PSMS of locally owned site 243
..................
8.2.3 Strengths and weaknesses of PSMS sites owned by multinational 244
.......
8.2.4 Multinational influence on site PSMS 245
................................................
8.2.5 The effectiveness of ammonia road tanker loading task differs
between the two sites 246
......................................................................
8.2.6 PIFs situation at Site A is better than Site B 246
......................................
8.2.7 Critical task predicted by PIHEA is similar for the two sites 248
..............
8.2.8 IHEPs value strongly influenced by PIFs 248
............................................
8.2.9 Calibration points influenced IHEPs calculated using SLIM 248
................
8.2.10 Site A has higher IHEPs as compared to Site B 249
................................
8.2.11 Site specific PSMS performance increase the off-site risk for Site A.. 249
8.2.12 Site specific PSMS performance does not affect off-site risk for
Site B 249
.............................................................................................
8.2.13 Site specific weather data is a dominant factor in QRA 250
....................
8.2.14 Site specific PSMS performances have positive impact on 1HEPs 250
.....
8.4 Conclusions 252
.............................................................................................
8.3 Suggestions for Further Work 253
..................................................................
8.4.1 PSMS Auditing 254
.................................................................................
8.4.2 Human Error Analysis 255
.......................................................................
8.4.3 Quantitative Risk Assessment 256
...........................................................
8.4.4 Integrating PSMS and Human Error Analysis 257
..................................
References 258
..................................................................................................
A PhD Thesisby J.Basri xi

Appendix 1
A Sampleof PRDAAAuditQuestionnaires with keywordsandresponses from
interviewees 268
.....................................................................................................
Appendix 2
A sampleof summary of statements that
of criteria madeup judgement for the
ControlLoop 282
.................................................................................................
Appendix 3
SelectingHazardous Task using SPEAR ScreeningProcess 289
............................
Appendix 4
HierarchicalTaskAnalysis(HTA) for SiteA andSiteB 301
.................................
Appendix 5
PredictiveHumanError Analysis(P]HEA)for SiteA and SiteB 309
...................
Appendix 6
PerformanceInfluencingFactors(PIFs)Analysis
............................................ 337
Appendix 7
Simplified PI&D for Ammonia Road Tanker Loading Systemfor Site A and
Site B 352
............................................................................................................
Appendix 8
PhotographsShowingAmmoniaRoadTankerLoadingActivities 355
...................
Appendix 9
Meteorological Data used as Input for QRA for Site A and Site B 360
.................
Appendix 10
Population and Housing CensusAccording to Zones 368
......................................
Appendix 11
Department of Occupational Safety and Health Malaysia Failure Rate Data ..... 371
Appendix 12
Input for QRA using RepresentativeFailuresApproach 377
...........................
Appendix 13
IHEPsNominal Data from TIHERPand BEART Data base 380
..............................
Appendix 14
Fault Tree Diagrams for Site A and Site B 383
......................................................
Appendix 15
Input for QRA using Fault Tree Approach-GenericFailure Rates and I-1EPs 412
....

xii
Appendix 16
FaultTreeMnimumCutSet(MCS)importance 423
............................................
Appendix 17
Base Events Contribution SystemFailure and Suggestionsfor Improvement .... 426
Appendix 18
Eliciting PIFs from PRRVIAAudit 431
..........................................................
A PhD Thesisby J.Basri xiii

List of Figures
Figure 3.1. ResearchMethodology Flowchart 60
...............................................
Figure 4.1. OrganisationChart for Site A 80
......................................................
Figure 4.2. OrganisationChart for Site B 82
......................................................
Figure 4.3. OrganisationChart for Site C 83
......................................................
Figure 4.4. PRIMA Audit Anchoring Control Loop 90
......................................
Figure 4.5. PRIMA Control Loops for Site A 94
.............................................
Figure 4.6. PRIMA Control Loops for Site B 95
.............................................
Figure 4.7. PRIMA Control Loops for Site C 96
.............................................
Figure 5.1. Description of PIFs selectedfor humanerror quantification 150
........
Figure 6.1. QRA Methodology Flow Chart 173
Figure 7.1. Proposed quantification schemefor PIFs derived from PRIMA
Audit 239
.........................................................................................
Figure A7.1. Simplified PI&D for Ammonia Road Tanker Loading System
for Site A 353
..................................................................................
Figure A7.2. Simplified PI&D for Ammonia Road Tanker Loading System
for Site B 354
...................................................................................
Figure A8.1. ConnectingFlexible Hoses for Ammonia Road Tanker Loading
at Site A 356
....................................................................................
Figure A8.2. Piping Arrangementfor Ammonia Road Tanker Loading
at Site A 356
.....................................................................................
Figure A8.3. Ammonia Road Tanker Loading In Progressat Site A 357
...............
Figure A8.4. Ammonia Bulk StorageTanks at Site A 357
....................................
Figure A8.5. MaintenanceFitter ConnectingFlexible Hoses for Ammonia
Road Tanker Loading at Site B 358
..................................................
Figure A8.6. Operator OpensRoad Tanker Filling Valves To Commence
Ammonia Filling at Site B 358
..........................................................
Figure A8.7. Chiksan Ann and Flexible Hoses Connection at Site B .............. 359
Figure A8.8. Piping Arrangementfrom Road Tanker Loading Bay to
Ammonia Bulk Tanks at Site B 359
.................................................

xiv
List of Tables
Table 4.1. PSMS Audit activities and duration 93
............................................
Table 4.2. Results of Key Audit Areas Judgementfor the 3 sites 97
..................
Table 4.3. SampleCalculation for Site A 102
.......................................................
Table 4.4. Data basefor weights 102
....................................................................
Table 4.5. Results of PRUVIAModification Factor Calculation 104
.....................
Table 5.1. Human Error analysisactivities and duration 114
...............................
Table 5.2. Results of SPEAR ScreeningAnalysis for Activities on Site A 116
......
Table 5.3. Results of SPEAR ScreeningAnalysisfor Activities on Site B 117
......
Table 5.5. Results of ScreeningAnalysis for Ammonia Loading Operation -
Site A 119
........................................................................................
Table 5.6. Results of ScreeningAnalysisfor Ammonia Loading Operation -
Site B 120
............................................................................................
Table5.7. The maindifferencesin ammoniaroadtankerloadingoperation
betweensiteA andSiteB asidentifiedthroughHTA 124
....................
Table5.8. EEM Categoryusedfor PBEA 126
...................................................
Table5.9. Classificationschemefor the severityof consequences of error .... 127
Table5.10.Classificationschemefor the frequencyof consequences of error.. 127
Table5.11.Critical tasksthat arestronglyinfluencedby HumanError at Site
A asidentifiedthroughPHEA 128
......................................................
Table5.12. Criticaltasksthat arestronglyinfluencedby humanerror at SiteB
as identifiedthrough PBEA 130
..........................................................
Table 5.13. Implementing error reduction strategythrough PSMS on tasks 134
that are strongly influencedby humanerror as for Site A ...............
Table 5.14. Implementing error reduction strategythrough PSMS on tasks
that are strongly influencedby humanerror as for Site B ............... 138
Table 5.15. Summaryof findings from PIFs analysisat site A and Site B ......... 144
Table 5.17. Results of SLI Analysis for Site A 152

............................................
Table 5.18. Results of SLI Analysis for Site B 155
............................................
Table 5.19. Weighting Assignedto PIF 157
..........................................................
Table 5.20. Calibration point used for SLI calculation using SLIM ................... 159
Table 5.21.1HEPs value used for calibration points for SLI calculation using
SLIM 160
..........................................................................................
Table 5.22. Results of Human Error Probabilities CHEPs)calculation using
SLIM for Site A 161
.........................................................................
A PhD Thesisby J.Basri xv

Table 5.23. Results of Human Error probabilities (HEPs) using SLIM
calculations for Site B ................................................................. 164
Table 6.1. Meteorological Data for Alor Star Airport, Malaysia (MSD, 1996) 183
Table 6.2. Duration taken to collect on-site information for QRA 190
.................
Table 6.3. RepresentativeFailure Set Selectedfor two sites 193
..........................
Table 6.4. Results of Fault Tree Runs for Site A 198
...........................................
Table 6.5. Results of Fault Tree Runs for Site B 201
..........................................
Table 6.6. Comparisonof FTA ResultsBetween Site A and Site B 204
...............
Table 6.7. Results of QRA runs using FTA approachfor Site A 207
..................
Table 6.8. Results of QRA runs at various distancesusing FTA approach for
Site A 213
..........................................................................................
Table 6.9. Results of QRA Runs for SocietalRisk of Site A 215
....................
Table 6.10 Results of QRA runs using FTA approachfor Site B 218
...................
Table 6.11. Results of QRA runs at various distancesusing FTA approach for
Site B 222
........................................................................................
Table 6.12. Results of RISKAT runs for SocietalRisk of Site B 224
.................
Table 6.13. Effect of PSMS Performanceand Human Error on QRA Results
for Site A and Site B 228
..................................................................
Table 7.1. Results of PIFs assessmentusing PRIMA Audit findings at Site A 235
Table 7.2. Results of PIFs assessmentusing PRIMA Audit findings at Site B 236
Table 7.3. Comparing PIFs assessedusing PRIMA Audit results with PIF
assessedusing auditor'sjudgement .............................................. 237
Table 7.4. Comparing PIFs weighting for Site A 240
...........................................
Table 7.5. Comparing PIFs weighting for Site B 240
...........................................
Table Al. 1. A sampleof modified PRIMA Audit Questionnaireswith
keywords on key audit areaof Human Factors on Operations
(OP/HF) - ThemeD: Resources for the Job 269
...............................
Table A1.2 Sampleof StructuresAnswer Sheetsfor PRIMA Audit
.A
Questionnaires with Responsesfrom the Interviewees on Key
Audit Area of Human Factors of Operation (OP/HF) -
Theme D: Resources for the Job 274
..............................................
Table A1.3. PRIMA Key Areas for OP/1HFusedfor the two sites 281
.................
Table A3.1 Calculation of Intrinsic Hazard Score (IHS) 291
..............................
Table A3.. 2 Method of CalculatingIntrinsic Vulnerability Score (IVS);
.
Sampleof PREI calculation for ammoniafilling operation 292
.........
Table A3.3 Method for assessingIndex of Frequency Score (IFS) 293
. ...............
Table A3.4. Sampleof Index of FrequencyScore (IFS) calculations 293
..............
A PhD Thesisby J.Basri xvi
Table A3.5. Sampleof PREI calculation for ammoniafilling operations 294
........
Table A3.6. PREI for activities on Site A 297
.....................................................
Table A3.7. PREI for activities on Site B 298
.....................................................
Table A3.8. PREI for Ammonia Loading Operations- Site A 299
.....................
Table A3.9. PREI for Ammonia Loading Operations- Site B 300
......................
Table A5.1. Predictive Human Error Analysis (PBEA) for Site A 310
................
Table A5.2. Predictive Human Error Analysis (P]HEA) for Site B 325
................
Table A6.1. PerformanceInfluencing Factors (PIFs) Analysis for Site A 338
.......
Table A6.2. PerformanceInfluencing Factors (PIFs) Analysis for Site B 345
......
Table A9.1. Combination of 10 Years Meteorological Data for Alor Star
Airport (Total and normaliseddata) 361
...........................................
Table A9.2. Meteorological Data for Alor Star Airport from 1985 to 1994 362
...
TableAlO. I. Population and Housing CensusAccording to Zones for Melaka
Tengah, 1991 - Site A
............................................................. 369
Table A10.2. Population and Housing CensusAccording to Zones for Kelang,
1991 - Site B 370
...........................................................................
Table Al 1.1. Department of Occupational Safety and Health Malaysia Failure
Rate Data 372
................................................................................
TableA12.1. Input for QRA Using RepresentativeFailure Set Approach for
Site A 378
......................................................................................
Table A12.2. Input for QRA Using RepresentativeFailure Set Approach for
Site B 379
......................................................................................
Table Al 3.1. 1HEPSNominal Data for Site A and Site B from T]HERPData
Base (Swain and Guttman, 1983) 381
.....................................
Table A13.2. HEPS Nominal Data for Site A and Site B from HEART Data
Base (Williams, 1984) 382
..............................................................
Table Al 5.1 Input for Fault Tree Analysisto determinefrequency of system
failure using generic failure rates and BEI's for Site A 413
..............
Table A15.2 Input for QRA using Fault Tree Approach - Site A 417
....................
Table Al 5.3 Input for Fault Tree Analysis to determinefrequency of system
failure using generic failure rates and BEI's for Site B 418
...............
Table Al 5.4 Input for QRA using Fault Tree Approach - Site B 422
...................
Table Al 6.1. Fault Tree Mnimum Cut Set (MCS) Importance for Site A 424
.......
Table A16.2. Fault Tree Mnimum Cut Set (MCS) Importance for Site B 425
.......
Table Al 7.1 Base eventscontribution to systemfailure and suggestionfor
improvements Site A 427
- ............................................................
A PhD Thesisby J.Basri xvii
TableA17.1 Base eventscontribution to systemfailure and suggestionfor
improvements- Site B 429
............................................................
A PhD Thesisby J.Basri XvIll

List of Abbreviations
AIChE American Institute of ChemicalEngineers

APJ Absolute Probability Judgement
CIMAH Control of Industrial Major Hazards
EEM External Error Mode
EPC Error Producing Condition
FMEA Failure Mode and Effects Analysis
FTA Fault Tree Analysis
DOSH Department of OccupationalHealth and Safety, Malaysia
HAZOP Hazard and Operability Study
BEA Human Error Analysis
IHEP Human Error Probability
BEART Human Error Assessmentand Reduction Technique
HRMS Human Reliabilty ManagementSystem
HSE Health and SafetyExecutives,U. K.
HTA Hierarchical Task Analysis
IChemE The Institution of ChemicalEngineers,U. K.
R%4AS Influence Modelling and AssessmentSystem
MCS Minimum Cut Set
MF Modification Factor
N41H Major Hazard Installation
MORT ManagementOversightRisk Tree
NPP Nuclear Power Plant
OSHA Occupational Safetyand Health Act, Malaysia
PEM PsychologicalError Mode
PIF PerformanceInfluencing Factor
PHEA Predictive Human Error Analysis
PREI Potential Risk Exposure Index
PRIMA ProcessRisk ManagementAudit
PSMS ProcessSafetyManagementAudit
QRA Quantitative Risk Assessment
RISKAT Risk AssessmentTechnique
SAM SystemAction Management
A PhD Thesisby J.Basr! xix

SLI Success
LikelihoodIndex
SLIM SuccessLikelihood Index Methodology
SPEAR Systemfor Predictive Error Analysis and Reduction
SRK Skill, Rule and Knowledge
THERP Techniquefor Human Error Rate Prediction
WPAM Work ProcessAnalysisMethod
A PhD Thesisby J.Basri xx

4"F-
unapter
Introduction
1.1 Research Topic
Impact of Process Safety ManagementSystemand Human Error on Off-Site Risk

-
A Comparative Study.
1.2 Background
As Malaysiamovesrapidlytowardsindustrializationtherewill be growing numbersof
large chemicals,petrochemicalsand petroleumprocessingplants known as Major
HazardInstallation(MHI) beingbuilt in the country.This rapid growth unfortunately
will bring about a very significantincreasein the numberof people,including both
workers and membersof the public who will be subjectedto risk from major
accidentsarisingfrom the plantsoperation.Major accidentsof this naturehavetaken
place all over the world suchas at Flixborough,U. K (28 peoplekilled) Bhopal,
India (2000 peoplekilled) andMexico City, Mexico (500 peoplekilled) as mentioned
by Cox (1991). In Malaysiaitself a numberof similarincidentshavealso occurred,
suchas at SungaiBuluh, Selangor (23 peoplekilled) (MHLG 1992) and Perlabuhan
Klang, Selangor(13 killed) (MHLG 1994).
The Department of Occupational Safety and Health (DOSH) of Malaysia which was
formerly known as The Factories and Machinery Department (FMD) of Malaysia is
currently given the responsibility to regulate the operations of IWE in the country
with the overall objective of ensuringan acceptablerisk exposure to workers and the
A PhD Thesisby J.Basri I

public at large from the plants' operation. One of the means to carry out the
responsibility is by conducting process safety risk assessmentson such plants. Risk
assessmentcan systematicallyassess and measurethe level of risk arising from the
plant operations. The risk measuresobtained then could be compared to a set of
criteria to ensurethat there is an acceptablelevel to the workers and member of the
public in the vicinity. If the risk is found to be at unacceptablelevel a number of
decisions has to be made. In the caseof a new installation a strong advise would be
given to the planning authorities to not allow the plant to be built at the present site,
that would meanthey have to look for a more suitable site, failing which it would not
be allowed to built at all. As for existing installations order will be given to carry out
modifications and providing better mitigative measureswith the aim of reducing

present risk to an acceptablelevel and at the sametime giving advice to the planning
authorities to stop further development intended for human occupation within the
unacceptablerisk zones.
So proper utilization of risk assessmentresults is very important for MIR in Malaysia

in ensuringworkers and public safety from the plants' operation. Underestimating the
risk will put human lives and limbs at risk while an overestimates will deprive
investors of suitable locations to locate their plants, resulting in loss of much needed
investment and job opportunities in the country. Balancing both aspects has never
been easy even in industrialized countries in Europe and the U. S. While risk
assessmentresult is only one of the criteria in making the final decision, efforts to
make the technique more accurate and transparentto the decision makers is always
worth pursuing.
Traditionally, Quantitative Risk Assessment(QRA) was developedon a hardware and
engineeringbasedapproachbut lately human factors consideration are seenas at least
an equally important determinantof risk. It is important issuesto consider the extent

to which human error is included and how organisational structure and management
style affects the risk from specific plant (Hurst, 1989). In the hardware only
approach of conducting QRA the issue of human factors is only being considered
implicitly, i. e. by assumingthe plant is manned and operated to so-called 'industry
is
standard' which supposedto be monitored by a regulatory body in a particular area.
A PhDThesis
byJ.Basri 2
In reality though the so called 'industry standard' may vary significantly as the
enforcementactivity andproceduresdiffer. Most of the timesit fails to differentiate
the contributionof humanfactorsboth from humanerror and from the management
stylepoint of view.
Hence there exists an immediateneedto consider human factors, i. e. the human error
and the organisational and managementfactors in QRA. Currently there are few
techniques has been developed to incorporate safety managementsystem (PSMS)

into QRA. Their application is at the moment mainly restricted to the U. K and some
(on an experimentalbasis) in Europe (Hurst et al., 1993). The question whether they
are applicable to developing countries which have different safety cultures is left
unanswered. At the same time human error has been incorporated in fault trees for
consequencesanalysis on an ad-hoc basis. There is no formal procedure as yet to

fully incorporate it into QRA. Human error is likely to representa major contribution
to root causes of failures in process plant operations in developing countries thus
attempts to analyse its contribution to QRA in an explicit manner on would be
worthwhile. Finally, if the contribution of both human error and safety management
systemto QRA is found to differ significantly betweentwo major hazards installations
in developing countries like Malaysia, it could provide further evidence that the
assumptionthat all MIU is operated and mannedto the so called "industry standard"
is not true. It would also serve as a meansto validate whatever PSMS quantification
is being in different system climate of a developing
technique used, this time a
country.
Under presentcircumstancesthe abovementioned be

areaof researchwill only made
possibleusing a numberof proventechniquesthat are currently availablefor QRA,
PSMS quantificationandhumanerror analysisandquantification.Unfortunatelymost
of the techniques
arenot in the public domainso the proposed has
research to rely on
cooperationfrom the proprietorof thosetechniques.
The University of Sheffieldand HSE havebeen collaboratingwith eachother in a
number of researchprojects and postgraduatecourses for a number of years. A
of between
exists
memorandum understanding thetwo that
parties allowsresearchers
A PhD Thesisby J.Basri 3

from The University to have some accessto HSE facilities. Such an arrangementhas
made it possible to use two HSE in-house tools namely RISKAT and PRIMA for
research purposes. Similarly a private consultant that has links with the University
has agreed to allow the use of its proprietary human reliability quantification
technique called SLIM for the research.
1.3 Problem Statement
The quantification of risk from major hazard installations using generic failure rate
does not explicitly take into account the different performance of Process Safety
Management System(PSMS) which exists at such plants. Since in reality there exist
differences in PSMS performancesbetween major hazard installations especially in
developing countries like Malaysia, such an approach will result inaccurate
quantification of risk of a particular installation. This will lead to inaccurate input
made available to the decision makers (for example on siting issues for land use
planning). More detrimental is the failures to identify weakness in a major
installation's PSMS componentsthat provide major contributions to the overall level
of risks of the installation. If such componentscould be identified and expressedin a

more explicit manner, there exist opportunities to focus on their improvements which
in turn could significantly reducethe level of risk from a major hazard installation.
1.4 Research Goals
The overallgoal of this researchcouldbe dividedinto two i.e.;
a) To the
compare contributionof site specificPSMS performance on QRA of two
WH in Malaysiathat handled similarly hazardousmaterialbut with significantly
different style of management.
b) To comparethe contributionof humanerror on off-site risk from a similarly

hazardousoperationcarriedout at both sites. For this purposethe off-site risk from

ammonia loading operation to a road tanker will be assessedthrough the inclusion of
Human Error Probability (HEP) in the analysisof the systemfailures.
c) To providea linkagebetween of PSMS performanceandHuman

the assessment
Error potentialsthrough site auditing. Such linkage will allow the site specific
that influenceboth factors to be assessedtogetherin a
organisationalcharacteristics
singleaudit.
1.5 Research Objectives
There are severalobjectivesto be met in order to achievethe overall goal of the

proposedresearch.Theyaregivenasfollows;
a) To test whether the existing techniquedevelopedin U.K. to quantify PSMS

performancenamelyPRIMA is suitablefor use in developingcountries such as
Malaysiaby carrying out such an audit on two MIR in that country that handled
similar typesof hazardousmaterials.
b) To test whetherthe existingtool developedin the U.K. to conductQRA namely

RISKAT couldbe successfully
usedin developing
countrieslike Malaysia.
c) To find out whether PSMS quality detennined by PREVA provides significant
contributions to risk as being quantified using RISKAT on the two NEM.
d) To comparethe differenceof impact of PSMS on QRA that might arise from

different style of management at the two WE
e) To test whetherthe human technique

error quantification developed in the U. K
namely SLIM could be used in developing countrieslike Malaysiaby quantifying

humanerror on a hazardousactivitybeingcarriedout at the two N*H.
f) To comparethe differencein resultsof humanerror quantificationusing SLIM on
one of the most hazardous activity carried out, i. e. loading and unloading of
hazardousmaterialsat both WH.

1.6 Hypotheses
1. There exists significant differencesin the contributions of PSMS performance on

QRA of two N1ffl in Malaysia that handlessimilarly hazardousmaterialbut with
different style of managementas quantified using the ManagementFactor technique.
2. There exists significant differences in Human Error Probabilities CHEPs) in the
process of carrying out a similar hazardous operational activity between the two
humanerror quantificationtechnique.
WH asquantifiedby an established
3. The off-site risk level of WH that has a better PSMS performance is lower as
comparedto the other MIR as determinedplant wide usingthe ManagementFactor

technique.
4. There exist a linkage between site specific PSMS performance and Human Error
Probabilities that could be assessedthrough a same site audit that allowed their
impactto off-site risk to be assessed
together.
1.7 Conceptual Assumptions
Objectivesset in the previoussectioncould only be achievedby makinga numberof

conceptual assumptionsconcerning a number of important factors that will influence
aregivenasfollows;
its implementation.Theseassumptions
a) The to the
threetechniquesselected conduct researchnamely PRIMA, SLIM and
RISKAT representprovenandreliabletechniquesthat havebeenadequatelytestedin
a developed i.
country, e. in the U.K.
b) Sufficientinformationanddataare availableto provideinputsto carry out Human

Error quantificationusing SLIM, PSMS audit using PRIMA and to carry out QRA
using RISKAT.

c) The two MHI selectedfor the researchin a way representthe cross section of such
installations in Malaysia as far as PSMS is concerned, i. e. one is managed by a
multinational companywhile the other is managedby a local company.
d) The processsystemsat both WH are quite similar and almost at the samelevel of
technology even though the capacity and manninglevel might differ significantly
.
e) Both MM ammonia loading systemare quite similar and almost at the samelevel
of technology even though the capacityand manninglevel might differ significantly.
0 Both NffU has beenbuilt in the last ten years and has been continuously operated in
the last ten years. This ensuresthat they were not subjected to a nat.ionwide siting
policy that has only beenintroduced lately with regardsto land use planning.
g) Both NEM are not subjectedto changesof ownership for the last three years. This
ensuresa continuous managementstyle that has reacheda maturity stage.
1.8 Research Method
The researchis essentiallya comparativestudy of two major hazard sites in Malaysia.

As such the method adopted to conduct the study consistedof field work to collect
the necessary information and data, and the analysis of data using established
techniques for Process Safety Management System (PSMS), Human Error Analysis
(BEA) and Quantitative Risk Assessment (QRA). The selection of specific
techniques to analyse these subject areas will be discussed in Chapter 3. The

techniquesthat have been selectedfor the analysisof eachsubject areasas follows;
PSMS performance- PRIMA (Hurst et al, 1996)
Human Error Analysis - SLIM (Embrey et al, 1984)
Quantitative Risk Assessment- RISKAT (Nussey et al, 1993)

Baseline analysis will be conducted for each subject area that will serve as the
reference points for comparisons. A number of sensitivity analysis will also be

to
conducted evaluatethe effect of changing certain input parametersin an attempt to
better understand the source of uncertainties. Results from the analysis for each of
the subject areas will be compared within each site using the sensitivity analysis.
They will also be comparedbetween the two sites to look for evidence or indications
as to how the site specific PSMS performance and Human Error influence the
quantification off-site risk at the two sites. This evidencewill provide some answer
on problem statementsthat provided the foundation of the research.
1.9 The Thesis
This thesis is made up of eight chapterswhich when combinedprovide some

evidenceson what is the impact of PSMS and HumanError on off-site risk from
N1HI. The analysisis madepossibleusingdataandinformationcollectedduringfield
auditsand the techniques
useof a numberof established by
madeavailable a number
It the
of organisations. also explores possibilityof linking the for
assessment site
specific PSMS performanceand Human Error using a combined audit. A brief
descriptionof eachchapteris givenasfollows;
1.9.1 Chapter 2- Literature Review
Chapter I started with the current status of major hazard control in developed
in
countriesespecially Europe is
which currently at the forefront in this area. It then
focusesto the developingcountries,Malaysiain particular where it is just at the
infancystagedespiterapid growth in the production,handlingandutilisationof large
quantitiesof hazardous materials. Major problems that currentlybesetthe control of
major hazards are then discussed. The issueof usingrisk assessment as a predictive
tool for decision in
makingespecially landuseplanning is then discussed.One of the
main issues in risk assessment,especially in its quantification process are

uncertaintiesarising from the use of generic failure rate. In the real world the each
major hazard is
sites managed in a differentway and operated by different groupsof

peopleso the applicationof a genericfailure rate for QRA may not be appropriate.
The chapterthen reviewsthe management influenceon risk, focusingspecificallyon
PSMS. Critical review on the currentapproaches to incorporatemanagement aspect
into risk, their applicationandproblemsare presented.The influenceof humanerror
is then discussed.Currenttechniques
to risk especiallyfor a quantitativeassessment
in assessinghumanerrors in the form of BEP are described,commentingon their
strengths,shortcomingsandapplications.The discussionon QRA methodologythen
follows. It goeson to describethe ModificationFactor approachto incorporatesite
specific managementperformancein the quantification of risk. Methods of

incorporatinghuman error in the quantificationof risk then follow. The use of
HumanError ProbabilityCHEP)for risk quantificationusingfault tree decomposition
is reviewed. The literature review managedto identify a numberof 'gaps' that
existed in the currenteffort to the

address impactof management
and humanerror to
risk. They includethe questionof whetherthe currenttechniquesof assessingsite
specificmanagement factors and humanerror that have beendevelopedfor Europe
are applicable in developingcountries. Another gap is that since management

factors includehumanactivity, there must be commonground that links them with
humanerror in influencingthe risk from major hazardsites. Thesetwo gapsset the
researchdirectionfor the thesis.
1.9.2 Chapter 3- Research Methodology
This chapter describesthe methodologyin conductingthe research.It starts by

describinga comparativeapproachto assessthe influenceof managementsystem
PSMS
specifically andhuman error on threemajor hazardsitesin Malaysia. Selection
of the three siteswas madebased on a numberof criteria that would facilitate the
objectiveto compareand contrast management influences on off-site risk between
the sites. For comparing the influenceof human error a similar hazardous
activity
needed to be selectedwhich was undertakenat two sitesunder study. Based on the
numberof criteria being set the ammonialoading operationto road tanker activity
for As
was selected comparison. only two sitescarry out this activity, comparison
be
will madebetweenthesetwo sites.

The selection of techniques for analysis is described next. For PSMS the PRIMA
audit (Hurst et al, 1996) was selectedto assesssite specific PSMS performance in the
form of a quantitative measurecalled ManagementFactor at the three sites. As for
the human error the SLIM technique (Embrey, 1984) was used. As for the QRA the
RISKAT software (Nusseyet al, 1993) was chosen.
After identifying the sites and selecting appropriate techniques for analysis a field
studywill be conductedin Malaysiato collectnecessary information anddatafor the

their input. The field study is expectedto last about 15 weeksin total for the two
sites. The first part of the field study concerns conducting PSMS audit using
PRINIA. The audit will involve site inspections, interviews with managementand
operators,reviewingrelevantdocumentsand makingjudgementon the performance

of PSMS components. The secondpart involved the study of human error on
ammoniaroad tankerloadingoperations.This studyinvolved task observationwith
the help of video tape, talk through and walk through exerciseswith the operator,
reviewing operating procedures, inspecting safety protection equipment, and
analysing the task sequencewith process systemsavailable on-site. The last part of
the study is collecting information for QRA from ammoniaroad tanker loading
operation. This involved site inspection, detailed examination of piping and
instrumentationdiagram(PI&D), physicalinspectionson ammoniastoragetank's
equipmentand piping, processsafetyfittings and traffic movementwithin the site.

For off-site risk meteorologicaldata,populationdistributionand ground conditions
surroundingthe siteswill needto be collected. Informationgatheredfrom the field
study will then be to
used analyse the three major componentsof the i.
research e.
PSMS, HumanError and QRA. Result of the analysisis expectedto indicatethe
influenceof PSMS andhumanError on off-site risk. It is also expectedto clearup
possible links between safety managementand human error. While practical

in
experiences conductingthe PSMSauditandHumanError will allow somefindings
to be madeon the 'suitability' of PRIMA and SLIM techniqueusagein developing
countrieslike Malaysia.

1.9.3 Chapter 4- PSMS Audit on 3 Major Hazard Sites
Chapter 4 describedthe auditing of Process Safety Management Systems(PSMS) at
three major hazard sites in Malaysia. The audits were conducted using a PSMS audit
tool called PRIMA. The audits were carried out to fulfill a number of objectives
which include the suitability and effectivenessof PRIMA, which was developed in
Europe, to be use in developing countries like Malaysia. It is used to assessthe
PSMS on the three major hazard sites and to identify their strengths and weaknesses
using the concept of managementcontrol as provided in PRIMA and to compare the

differences in PSMS between the sites. A quantitative output from PRIMA known
as a Modification Factor has been determinedfor each site to modify generic failure
rates for Quantitative Risk Assessment(QRA). In generalPRIMA was found to be a
useful tool to assessthe PSMS at major hazard sites in Malaysia. The structured
questionnaireswere comprehensiveenough to draw out relevant information for a
critical assessmentof the PSMS. This information can be combined with a thorough
site inspection and document verification to obtain a view of the overall situation of
the site's PSMS and can be representedin the form of a control loop. The control
loop enabled the state of the PSMS on each site to be summarised in a simple
diagrammatic form that highlighted its strength and weaknesses. Key areas of
strengths and weaknessesof the PSMS of each site will be briefly discussed. The
study also identified some problems and shortcomingsof PRIMA as an auditing tool
for major hazard sites in developing countries like Malaysia. This included the need
to provide adequatetraining for the assessors,the need to translate the questions to

local language, and to balance the requirements for written document with the
complexity of the processand size of sitesunder review.

1.9.4 Chapter 5- Human Error Analysis on Ammonia Loading
Operation
The control of humanerror is an importantelementin processsafetysincevarious

studieshaveshownthat it is one of the largestsinglecontributorsto accidents.This
chapter describes predictivehumanerror analysison ammonia filling operationto
road tanker at two ammoniabulk terminalsin Malaysia.The first part of the study
involved a qualitativeapproachusing the HierarchicalTask Analysis (HTA). This
is
approach used to identify critical tasks in ammonialoading operationsand their
Influencing
Performance
associated Factors (PIFs), predict human errors and their
consequences and finally provideappropriateerror reductionstrategies.The second
part of the study involved the humanerror quantificationanalysis.Critical tasks
identified in the qualitativeanalysis were quantifiedusing the SLIM techniquethat
generatedHumanError Probabilities(BEPs) for eachtask. The probability figures

to
were used rank the critical tasksaswell as input to QRA. The study hasidentified
a numberof task inducedhumanerrors in ammonia filling operations that could be

by
reduced proper management control. Findingsfrom the study also indicatedthat
the site specificPSMS performanceexertssignificantinfluenceon the way human
to in
error contributed accidents carryingout a hazardous
operation.
1.9.5 Chapter 6- Quantifying Off -Site Risk from Ammonia Loading

Operation
This chapterinvolvedthe processto estimatepublicrisk arisingfrom SiteA and Site

B operationin handlingbulk quantitiesof toxic gasi.e. anhydrousammonia. Result
is
of the risk estimates to be comparedwith a specifiedpublic risk criteria in this case
will be the probability of fatality to an individual(individualrisk) and to the public

(societalrisk). The chapterstartedby putting down the objectivesof conductingthe
QRA which includes;
0 to off-site
estimate risk to of
members the public the
surrounding site
* to estimatethe impact of site specificPSMS performanceto off-site risk using

PRRvIAModificationFactors

* to compare the risk estimatesfound on Site A with Site B to identify the key
managementcontributions
It then describedthe approachtakento conductthe QRA for the study;
9 identifying potential leaks and major releasesfrom fractures of process pipelines
andvessel
o estimating' the frequency (failure rate) of the Top Event which was associated
with major releasesusing fault tree analysis
modifying the generic failure rate vvith site specific ManagementFactors (W) as
obtained from PRRVIAaudits
incorporating key human failure rate in the form of Human Error Probability
(BEP) together with equipmentfailure rate in fault tree analysis
The analytical techniqueused for the analysisincludesFault Tree Analysis using Fault
Tree Manager (AEA, 1994) computer code - for event frequency estimation,
RISKAT Computer Code for QRA which facilitates the calculation for releaserates,
gas dispersion analysis,hazard ranges and fatality probability (Hurst et al, 1989) and
the PRRvIA Audit technique to calculate the Modification Factor for generic failure
rate.
The chapterdescribessignificantfindingsbasedon the experienceof conductingthe

QRA aswell asresultsof the analysis. Theyincludes;
* The site specificweatherdata is one the most dominantfactors influencingthe

off-site risk levelat the two sites.
QRA runs using FTA that takes into considerationthe hardwarefailures and
IHEPsshowed a lower off-site risk valueas comparedthosewhich only consider
hardwarefailures.
Site specificPSMSperformanceprovidessignificantimpacton off-site risk at the

two sites. PRRvfAModification Factor can be used as a meansto explicitly
the
consider of effectsite specific influences.
management

1.9.6 Chapter 7- Using PRIMA as an integrated audit for PSMS
and HEA
This chapter describedan analysisthat looked into the possibility of integrating PSMS
audit and Human Error Analysis using the PRIMA technique. The analysislooked at
some common attributes that essentialsfor both PSMS Audit and HEA, mainly in the
form of some organisational factors such as procedures, training, stress,
communication and feedback, and hardware factors such as operator/equipment
interfaces, personal protective equipment (PPE) and process safety system. As the
existing PRIMA Audit questionnairesassessedthese attributes, its findings could be

used not only to assesssite specific PSMS performance but also to assess the
influence of site specific PIFs for BEA. Results of the analysisfound that the PRIMA
audit questionnaires were found to be able to address a number of areas that

provided basic information to determinethe overall or 'global' PIFs, at least for the
four common PIFs under consideration. However it is less rigourous as compared to
the dedicated PIF analysissuch that has been carried out in Chapter 5. However for
the purpose of quantification using the SLIM technique, such information is adequate
to assistin assigningappropriate weighting of the overall PIFs influence on each site.
Further investigation is neededto look at the existing PRIMA Audit structure to find
out whether it is capableto accommodateother componentsof BEA.
The attempt to link the PSMS audit results with IHEPsanalysisfound difficulties as
the audit could only assessthe site specific PIFs at the management(global) level.
As PIFs influenced differently for a different task a global assessmentof PIFs was
found to be inadequate.

1.9.7 Chapter 8- Findings, Conclusions and Suggestions for Further
Work
Thelastchaptersummarised major findingsandconclusionsfoundfromthe studyas

furtherwork that couldbe usefulto supportthe outcomesof the
well as suggested
research.This chapterstartedwith the discussion
on the overallfindingsfrom the
onthesefindingson specificsubjects
study. Discussions areputundermainheadings
on PSMS Audit, HumanError Analysisand QRA. The discussionhighlights
significantfindingsfrom resultsof the analysisof eachsubjectas well as from the
in
practicalexperience carryingout theanalysis.ThePSMSaudittechnique PRIMA
wasfoundto be usefulin providinga structuredandefficientmeansto assess site
specificPSMSperformance.ThePRIMAauditresultsshoweda significantdifference
in site specificPSMSperfon-nances
which betweenthe good and the worst site
showeda differenceof abouta factorof ten. Howevera numberof shortcomings
were identified and were suggestions providedto make the techniquemore
with developing
compatible countries'situation.TheHumanError Analysisusing
SLIM technique
wasfoundto be in
capable identifying
the criticaltasksthat heavily
influenced of humanerrorthatcould
by humanerror,andto quantifytheprobabilities
leadto majorreleasesof ammonia.RISKAT was foundto be quite effectivein
QRA
conducting for off-siteriskfrommajorreleases
of ammonia. TheQRA results
showedsitespecificPSMSperformance asbeingquantifiedusingPRIMA technique
exertsstronginfluenceon off-siteriskon eachsiteunderstudy. Thisfindingsupports
theneedto considersitespecificPSMSperformance QRA. Theresults
in conducting
alsoindicate
thatHuman
Error in the form of HEPs influences
providedconsiderable
on risk results.
Conclusions derived from the study are centered around the main objective of the
is
study that to compare and contrast the managementand human error influence on
off-site risk between the two sites that has a quite different PSMS system and
performance. Finding from the study found that both factors provided signiflcant
influences on off-site risks for the two sites. This finding supports the need to
consider the two factors explicitly when conducting QRA for off-site risk at major
hazard sites. Other conclusion related to the suitability of a number assessment
A PhDThesisbyJ.Basri 15
technique that are primarily developed for usage in the developed countries
performedin a developingcountry environment. The PRIMA techniqueused to
determinethe PSMSperformance,
the SLIM techniqueusedto analyseHumanError
and The RISKAT computercode used to conductthe QRA which were develop
primarilyfor usagein the Europeantheatrewasfoundequally suitableto be usedin a
developingcountrylike Malaysia,albeitwith somemodifications.Finally the attempt
to integratePSMS andBEA auditthroughPIF from the PRIMA audit is only partly
successfulat the globallevelPIFs
for furtherwork includeconductinga similarstudyon major hazardsites

Suggestions
in other developingcountries. If time and resourcespermit more major hazardsites
be in
should studied order to compare findingsfrom this studythat was basedonly on
two sites. The applicationof other techniquesfor PSMS audits, Human Error
Analysis and QRA should be consideredif other techniquesare made available.
Finally a suitableframeworkshouldbe developedto integratethe assessment
of site
specificPSMS performanceand HumanError as both aspectsare related to each
other in someway. Sucha frameworkwill allow the interactionbetweenthe two and
how they influencethe off-siterisk be established.

e-11-
unapter 2
Literature Review
2.1 Introduction
Essentially the proposed research is expected to cover three distinct subject areas,
namely PSMS, BEA and QRA, each of which on its own is a very comprehensive
subject. So the literature review will not attempt to discuss each subject in its
entirety, but to highlight the links that exist between them, the gaps that still exist and
the future direction of researchareasas indicated by various researchers.This chapter
mainly provides critical reviews of the current situation which deals with PSMS, BEA
and QRA with the emphasison the incorporation of management
and human error
influencesto risk assessment.Such review aims to set the scenario of the proposed
researchand show the direction for its implementation.
2.2 Current Situation on Major Hazards Control in

Malaysia
Malaysiahasa fairly comprehensive to
regulatorysystem ensuresafety and healthat
work places. Through The FactoriesandMachinery Act 1967 (FMD, 1967) and the
new Safety
Occupational and HealthAct 1994(DOSH, 1994)which is basedon the
UX Health and SafetyAt Work etc Act (HASEWA) (HSE, 1974) the safety and
healthof workers at work beingregulatedthroughoutthe country. There are many
regulationsmadeunder both Acts, which provide detailedrequirementson specific

areassuchas boilersandpressurevessels,competency of personsin charge and the
registrationof placesof work, just to namea few. For hazardousinstallations

suchas
and called
petroleum,petrochemicals chemicalplantsspecificregulations The Control

of Industrial Major Accidents Regulations (DOSH, 1995) which is based on the UX
CIMAH Regulations (HSE, 1995) is currently in place. Similar to the CI?VM
Regulations a new major hazard installation is required to present a safety case or a
safety report to the authority, i. e. DOSH before given the approval to operate.
However the Malaysian CIMAH Regulations require the owner of such installations
to consult a competent person or a competent company which is authorised by the
authority in the preparation of the safety case. This requirement is to ensurethat the
owner or the operator of a major hazard installation will be given proper assessment
of their sites by a responsibleexpert, especiallythose run by small time operators.
One aspect of regulatory activity which is quite unique to Malaysia as compared to
other countries like the U.K, is direct involvement of the authority in ensuring the
safety at potentially hazardous plant and equipment, such as boilers, reactors,
distillation towers and other pressurevessels. This is being carried out by reviewing
the design, checking the fabrications, conducting hydrotest, witnessing commissioning
and carrying out annual inspectionson each vessel for 'fitness for purpose'. Such a
to
systemensures a certain extent the integrity of suchvesselson the aspect of design,
fabrication, operation and maintenance. Records showed that such an inspection
system has contributed to low incidents of overpressure, explosions and loss of
containment of these hazardous vessels especially those operated by small and
medium size operators (DOSH, 1996).
However there are other areaswhich are not regulatedin such an explicit manner,
yet could significantlycontributeto the overallrisk from a major hazardinstallation.

Areaslike safetymanagement system, operator'sskill andqualifications,the control
of human error and the overall systemreliability still much left to the operatorsto
implement. This situation to a certain extent resultedin different systemsbeing
by
adopted each MH operatorwith different endresults.Those who have adopteda
good system will benefit from good PSMS performance while those who have not
will sufferfrom low PSMS Similarly

performance. from human error point of view
WH operator which implementan effective human error reduction strategy will
benefit from low incidentrate that contributedto humanerror while those who do
not.
2.3 The Application of QRA for Major Hazards
Control
The unfortunate events resulting from major hazardsincidents that occurred around
the world have prompted the need for an effective control system. The major
accidentsthat have took place in Saveso,Flixborough, Bhopal and Mexico City, and
Piper Alpha has increasedthe public awarenesswhich in turn have put pressureson
to
various governments provide legislative to
measures prevent such accident from
taking place.
In Europe, the EC Directive (CEC, 1982) provided the basisfor such legislation. The
Directive requires that safety studies of major hazards have to be carried out. In
some European countries like the Netherlands the safety studies must include
quantified risk estimates (Jensen, 1992). Other countries like Germany do not use
probabilistic method, instead rely on consequenceanalysisto assesssafety distance
and protective measures(Pasman,1995). The Health and Safety Executives (HSE) in
the U. K uses tolerability criteria of risk for land planning purposes (HSE, 1989).
They have used QRA in a number of studies involving major hazard sites such as
Canvey Island (HSE, 1978). They also carried out studies on the transportation of
hazardousgoods by rail, road and water that involved QRA (Purdy, 1993). After the
Piper Alpha incident, Safety Casesfor off-shore installations became compulsory in
Norway, The UX and The Netherlands(Jensen,1992). In the U. K. for example the
HSE use quantitative risk estimates to advise the Local Planning Authorities on
planning permission (HSE, 1989). Other European countries like Portugal and
Greece do not specify specific requirementsfor QRA (CEC, 1995).
The control of Major Hazardsin the U. S. takeseffect through a numberof separate

legislation such as the OSHA!s ProcessSafetyManagementof Highly Hazardous
Materials (OSHA, 1993) and the DOE's Nuclear Safety Analysis Report (DOE,
do
1992). Both regulations,while they not specifyspecificsrequirements for QRA,
be to
requireadequateanalysis carriedout reflectthe level of risk at the facility under
consideration(Deshotelset al, 1995).

In Australia,the New SouthWalesGovernmentincludedthe use of risk assessment
criteria as guidelinesfor land use safetyplanning(DOP, 1990). Quantitativerisk
assessmentcriteria covering cumulativerisk levels for individual fatality, injuries,
propertydamageandaccidentpropagationareprovidedby the guidelines.Resultsof
the risk analysisis assessed
againstthe criteriato assistthe decisionmakingprocess
for landusesafetyplanning(Schubach,1995).
Meanwhilein Malaysiathe major hazardcontrol is provided by specific legislation

called The Control of IndustrialMajor AccidentsRegulations(DOSH, 1995).The
regulationsrequires'top tiee major hazardinstallations
W) identifiedthrough the
type and quantityof hazardousmaterialsto preparesafetycasesdemonstratingtheir
safeuse. This includedthe useof quantitativemeasures
whereappropriate.
2.4 Current Approaches of QRA

QRA is a methodology for assessingand improving the safety of a technology. The
methodology entails the construction of possible chains of events called 'event tree'
which lead to unwanted consequences

or working backward, constructing chains of
faults called 'fault tree' in searchfor accident precursors. The risks are quantified by
calculating an estimate of probability of these event or fault sequencesand combining

this with an estimateof consequences(Tweeddle, 1992).
This methodwas introducedas an alternativeto deterministicmethodswhich have

been the basis of most safety criteria in the past, for example the use of a single
the fail-safe principle. The weakness of a deterministic approach is that

criterion and
it adopts conservative assumptions,and consequentlyfocuses on worst case accident
give little
scenarios which provide an unrealistic picture of the safety system and
evidenceon the relative ranking of safety improvements(Bayer, 1991).

The American Institute of Chemical Engineers (AIChE, 1989) described ten
componentsof QRA. Theyare;
1. QRA Definition: decidingon studygoal andobjectives
2. SystemDescription: compiling of all technical and human information neededfor
the analysis
3. Hazard Identification: identifying hazardsthat could arise from the system using
techniquessuch as HAZOP, FUEA, Fault Trees and Event Trees.
4. Incident Enumeration: identifying and tabulating of all events or incidents without
regard to their importance or to the initiating event
5. Selection:selectingsignificantincidentsandidentifyingincidentsoutcome
6. QRA model construction: selecting appropriate consequencemodels and their

integrationto the overallalgorithmto producerisk estimatesfor the systemunder
study
7. Consequenceestimation: the methodologyusedto determinethe potential for

damageor hannfrom specificincident
8. Likelihood estimation: estimatingthe frequencyor probabilityof occurrenceof

an incident
9. Risk estimation: combines the consequencesand likelihood of all incident
from
outcomes incidents
all selected to providea measureof risk
10.Utilisation of risk estimates: utilising results from risk analysisfor decision

making
For large plant with complex process and technology the execution of QRA
components that has been describedabove becomestedious and time consuming.
Hencethere a needto developcomputerizedmethodsto acceleratethe derivationof
risk estimatesneededfor decisionmaking. As the outcomea numberof computer

codes were developed in an attempt to addressthe problem such as SAFETI and
RISKAT.
RISKAT (Nusseyet al, 1993)was developedby HSE initially for majortoxic hazards
and later was refinedandextendedto flammablehazards.As it is not commercially

its is
available use restricted within HSE and some other research institutions.
SAFETI (DNV, 1994)was developedby TechnicaLtd. for the Dutch Government
andlater was commercialised

andusedby quite a numberof organizationthroughout
the world. Thereare other softwarebeingdevelopedfor the samepurposesbut they
are either not as completeas these two or have not matured yet to gain wide
acceptance.
The procedure which is used by RISKAT to calculate risk from major hazards can be
broken down into a number of steps(Papeand Nussey, 1985);
L Analysis of the major hazard plant, its control and safety system, and
numberof hypotheticalreleases
operationalproceduresso that a representative
with the potential to affect workers and the neighbouringpopulationscan be
identified.
I For each hypothetical releasethe chance that such an event will occur in a
given time period is determined either from historical failure statistics (so-called
generic failure rate data) or by synthesisfrom basic component failure rate data
using well-establishedtechniquessuch as fault tree analysis.
iii. For each releasecase,estimatesare made of the rate of releaseof hazardous
materialanddurationof the release.
iv. For toxic, andcertaintype of flammablereleases,calculationsare madeof the

atmospheric dispersionof hazardous in
material variousweather conditions.For
flammable releasesthe chanceof immediateignition at the source is also
considered.Delayed ignition is treatedin terms of predictedconcentrationlevel
within a drifting or
cloud plumeof flammablematerialand the likelihood of an
ignition sourcebeingencountered.
v. Thesedispersion,
explosionand flammablecalculationsenablethe spatial and

temporal variations in the effects, for example toxic gas concentration, thermal
radiation, extent of fire zone and overpressureof the hazardsto be mapped out.
RISKAT in essencecalculatesthe chanceof a hypotheticalindividual receivingat

least a specifiedcriterion dose of the toxic material,a specifieddose of thermal
radiation,or a specifiedlevel of overpressureat a particularlocation (Nusseyet al,
1993). Thesedosesin principlecan be convertedinto probabilitiesof fatality or
somespecifiedlevel of injury. Oneof the commonmethodsusesfor this purposesis
the 'probit' relationship(Finney, 1971). The probit relationship links dose with
probabilityof death or someother level of injury which allowes the level of risk to
an individual of receivingat least the specifieddose be calculatedand known as
'individualrisle. If suchrisk estimatestakesinto accountthe numberof peoplein the
surroundingareasthat could be affectedby an incidentthe risk measureis called
'societalrisle (IChemE,1995). The societalrisk normallypresentedby a probability
in any one year, F, of an event affectingat least a certain number,N, of people
forming the FN curve.
Risk quantification exercisesrequire significant amounts of data. So ideally when
applying QRA to a specific operation, a specific data base for the study must be
created from new and existing data bases. The types of data bases required include
equipment failure rate, human error, toxicity, ignition, external event, meteorology,
and location specific data of the nearbypopulation (AIChE, 1989). These data could
be obtained from a number of sources such as from existing data banks, from plant
experience,using predictive techniques,and from expert opinion (Skelton, 1997). In
the U. K. the National Centre of System Reliability (NCSR, 1990) is the largest
reliability data bank which contains failure rates for various failure modes, time
dependenciesof failure rate and the predicted effect of preventive maintenance or
For accident and incident data the NIMAS maintained by
condition monitoring.
AEA TechnologyU.K. (previouslySafety and Reliability Directorate) and FACT
maintainedby TNO Division of Technology Society, The Netherlands provided

major hazard incident data. In the U. S. the WASH 1400 Report (US Nuclear
Reliability Centre) and NPRD 91 Database(Reliability Analysis Center, New York)
provided reliability data that could be useful for chemicaland processindustries.

However the application of such data may not be representative to developing
countries as they are mostly obtained from developed countries which have different
operating conditions, level of inspection and maintenance, and operator skill and
experience. So ideally a comprehensivecountry specific data base would be the best
sources of data. While the accuracyof the QRA may not be significantly affected for
certain data bases like the failure rate, the effect of not using local weather data could
be severe,for examplefor toxic releases(Marshall et al, 1995).
The strengthof QRA lies in its abilityto decompose

complexsystemsandextrapolate
failure rates derivedfrom historicaloperatingdata on the componentparts such as
vesselsand pipework. Experiencehasshownthat QRA methodologyis well suited
for identifying safety improvementsin plant designand operations,for regulatory
compliance, as well as for general safety purposes such as land siting and
environmentalimpact statements.The techniquehas been used extensivelyin the
aerospace,electronics,nuclear and chemicalprocess industries to quantify the
likelihood of either a specificincidentof event of a sequenceof event (Cox et al,
1992)
There are a numberof weaknesses in the current approachof QRA. They can be
divided into technicallimitationsand management limitations (AIChE, 1989). The
technicallimitationsis mainly dueto the manysourcesof uncertaintyat all stagesof
the risk assessmentprocess.They include incompleteenumerationof incidents,
improper selectionof incidents,unavailabilityof requireddata, and uncertaintyin
consequencesand frequencymodelling. limitations

Management include lack of
resources(personnel,time andtool) andinadequate
skill to performthe analysis.
Another apparentweaknessof the currentapproachof QRA is that it only addresses

the 'hardware'componentof the processsystemsuchas vesselsand pipeworkwhile
assumingthe 'software' aspectssuch as human error and organisationaland
managementfactors of at an 'averageindustry (Jeremy
standard' and Hurst, 1992).
Then the utilisation of genericfailure rate for hardwarefailures are assumedto
implicitly includethe contributionsof the softwareaspects.Given the scenariosof
WR which consistsof a wide rangeof different processwith different technology,

and with different organisational and management style and quality, the implicit
is
approach not satisfactory. In some casesthe use of generic failure rate data could
give misleadingrisk estimates(Smith, 1994). Despite the weaknessesassociatedwith
QRA, its numerical approachof evaluatingrisk could lead to better understandingof
the system particularly through the enumeration of incident scenarios, hazard

identification, and human response to emergencies,allowing the benefit of risk
reduction strategiesfor exampleto be measured(Allum et al, 1993).
2.5 The influence of PSMS on QRA
According to Hurst (1989), QuantitativeRisk Assessment(QRA) has traditionally

beendevelopedon a hardwareor engineeringbasedapproachbut increasinglyhuman
factors considerationare seenas at leastequallyimportantdeterminantsof risk. It is
an importantissueto considerthe extentto which humanerror are includedandhow

organisationalstructureand managementstyle affectsthe risk from specific plant.
Kuo (1994) is of the opinion that the identificationof hazardfor risk analysisand
reductiontends to be seenas an engineering task, but for the effectivetreatmentof
safetythere is a need for the incorporationof the PSMS. More often than not the
roles of managementand human error in safety are often not fully understood
(Tweeddle,1992). Hencethere is a needto addressthe effects of PSMS in risk
to
analysisaswell as measure the human error contributionon the overall risk arising
from hazardousplant operations. If an effectivemethod could be establishedto
relate human error to PSMS, and PSMS to risk analysis,it would allow more
accurateassessment of risk from a hazardous
plant to be carriedout.
Therehavebeena numberof attemptsto look at managerialinfluenceon safety. A
study by Suokas (1988) identified eight characteristicsof companieshaving low

incident rates, one which relates directly to managementcommitmentto safety.
Whaley and Lihou (1988) mentionedtwo techniquesnamelyMORT and Statement
Analysisthat can be usedto identify the contributionthat managementmadeto an
accidentor the current standardof managementstructurewithin the organization.

Ratcliffe (1993) described STATAS, an in-housetechniquedevelopedby HSE to

assesssafety managementsystems by systematically looking into the management
activities and in particular evaluatingthe effectivenessof managementcontrol loop.
Phang(1994) in her surveyof safetyaudit techniquesfound out that a numberof

techniques did provide some means to evaluate safety managementsystem
effectivenessin qualitative form. Most of these technique like ISRS, SHARP,
CHASE andLETSA are looking at someimportantfactorsin PSMS suchas health
and safetypolicy, management structure,management of hazardoussubstancesand
training at variouslevelsof depth. ISRS for exampleprovidesa systematicanalysis
planat a particularinstallation.The principalobjectiveis loss
of a safetymanagement
control on an existingplantby the identificationof critical deficienciesin all elements
of the healthandsafetyplan.A pointssystemis usedto evaluateeachsafetyelement.
2.6 The quantification of PSMS influences
As QRA gainedconsiderable by the regulatorsandthe operatorsthe need

acceptance
to look at the possibilityof quantifyingthe management influencearosewhen the
industry started to query the applicationof generic failure rate to all plant and
companiesdespite differences
management when carrying out the QRA. It is
commonthat for a considerationof the QRA, planthardwareandthe performanceof

its PSMS be kept quite separatebecausewhile the interlockingbetweenthem is well
it is (Hurst,
appreciated not well understood 1993). As a result in the last few years
therehasbeengrowinginterestto measureor quantifythe qualityof an organisational
PSMS andits effecton the outcomeof QRA beingcarriedout. In the UX a number
have
of audit systems been developed
in an attemptto how
analyse management and
factors
organisational contributeto accidents
or incidents.
The MANAGER audit technique (Pitblado et al, 1990) was the early solution to this
problem and was based on consideration of major causesof accident where system
failure had occurred. It is based on audit questions that have been developed under
major causal categories, experience and data gathered from various sources. The
quantification processwas developedfrom a combination of the auditor's evaluation,

and a risk modifications formula derived from both expert judgement and an
examination of the rangesof failure rates of component. The technique concentrates
on four main areasof sociotechnicalinfluencesthat influence safety managementi. e.
system nonns, pressures, resourcesand communication. It is based on a review of
the role of safety managementto actual accident causation within the chemical
process industry. The technique attempts to provide both a qualitative overview of

site safety management and an indication of quantitative modification to generic
failure frequencies(Williams and Hurst, 1992). The strength of this technique is in its
investigative approach which could provide a snapshotof the performance of SMS
and provide an organized set of recommendations given reasonable time and

resources. It weaknesseslay on the fact that equal weighting given to each question,
the nature of the quantification processand the uncertainty whether all relevant areas
are covered. The results of applying NUNAGER have produced findings indicating
that PSMS influencescould reducerisk estimatesbasedon generic failure rate data.
The quantitative technique developedby Health and Safety Laboratory of HSE which
hereafter is called PRIMA, is based on an audit system with a demonstrable
statistical and theoretical basisto quantify the quality of PSMS at a plant and link this
into the QRA being carried out (CEC, 1995). The statistical basis is based on an
analysis of reported incidents involving failure of fixed pipework and vessels on

chemical and major hazard plants. A 3-Dimensional classification scheme was
developed which classifiesdirect causes,underlying causesand failures of preventive
mechanisms. This schemeprovided an objective quantitative model on which to base
a PSMS audit which emphasized loss-of-containment accidents as opposed to

occupational accidents. The theoretical basis is based on the Sociotechnical Pyramid
Model of the effects of PSMS, and the general climate within which it operates on
failure rates. It explores increasingly remote system failures through engineering
reliability to organization and management,communication and control and system

climate. This theoretical model is based on authoritative texts on chemical plant risk
management,conventional organization and managementtheory, and managementof
quality and consideration of major accidents and system failures (Hurst, 1991).
PRIMA have been used by HSE Factory Inspectors to audit PSMS and to quantify it

for QRA on a number chemicalplants in the U. K. It is also being used on a trial basis
by a number of European countries under EEC funding (CEC, 1995).
The University of Surrey, Department of Psychology developed the so-called

ManagementFactor Techniquewhich evaluatethe contributionof humanand social
factors to hazardousoccurrencesin the chemicaland petrochemicalindustry. The
techniqueessentiallyconsistsof questionsdevelopedusing expert judgement and
review of incidents,which relate to management
factor contributions.An assessor
would visit a plant and makea rating on eachof the questionsfor that plant. This
ratingwould be multipliedby weightingcoefficients,reflectingthe relativeimportance
of the questions,prior to calculatingthe final management
factor (Bellamy,1990).
The management factors determined by an audit technique such as PPJA4A or
MANAGER couldbe usedto provideinput into QRA in threeareas;
a) Modification of generic failure rate.
b) Modificationof releaseparameter.
c) Modificationof impacton the population.

From the literature it appears that the first area, i. e. the modification of generic
failure rate seemsto be favoured by current researchersto include the W in QRA.
Hurst (1989) described two approachesin modifying the generic failure rate. They
are;
i) The implicit approach
This approach assumesthat the installation is mannedat least to the average standard
that is supposedto be monitored by regulatory agencies.QRA is then carried out on
hardware only using generic failure rate data which incorporates component failure
rate from all causes'including' human error. The advantagesof this is

approach that
difficult judgements about issues of adequacy of management do not need to be
quantified , it is easyto appreciateand not open to criticism for arbitrariness.
the implicit approachis 'conservative'sincefailuresratesaretakenfrom

Nevertheless
the genericfailurerate probablylessthanthe averageplant standard.A refinementto
this approach could be made by the use of engineeringjudgement to modify the
generic failure rate to the condition found at the plant. Assessors might include an
adjustment to failure rate to allow for some deviation from 'average' of the overall
quality of the safety managementat the installations.
ii) Modification of Risk.
In this approachthe 'hardwareonly' QRA is usedto calculatethe 'average'risk for a

site given details of chemical inventories and hardware data using generic failure
rates.The risk figure is then 'modified' in a formal way on the basisof a site specific
audit to take accountof wider issues.Essentially
this formalizes
the methodof using
engineering judgement. This methodimproves the 'transparency' of QRA by making
the assumptionsin the methodexplicit and thus enablesa broader consistencyof
approachto be adopted. It also allows the cost and benefitsof improvement
to be
quantified,acrossa wider range of influencingfactors ratherjust hardwarefailures.

Its weaknessis that the level of judgementdependson the experienceof the assessor
which could leadto inconsistency be
and opento criticism.Nevertheless
accordingto
Hurst (1991) someof the weaknessesof the modificationof risk method could be
by
overcome using the 3-Dimensional scheme
classification as describedearlier.
By combining the statistical basis and the theoretical model, a comprehensive

questionset could be developedto cover the mainunderlyingcauses of failures and
failuresof management Hence
control system. a distinction could be made betweenan
is
operatingerror which a direct causeof failure leading to loss of containment,and a
failure
safetymanagement which maybe both underlyingcauseof a failure or failure
of a potentialpreventivemechanism.
While the quantificationof PSMS has been carried out on quite a number of
installationsusing various techniquessuch as PRRvfA and MANAGER, very few
comparisons have been made to validate whether these techniquescould really

differentiatethe influenceof PSMS performanceon two similar plant. Jeremyand
Hurst (1992) conducted a study in this direction by comparing the management
effectivenessof two technically similar major hazard site using MANAGER. The sites
selectedoperatedpracticallyidenticalplant, possessedsirnilartoxic had

inventories,

high daily throughputs and required the highest level of
product quality control at all
times. The comparative study was aimed to make unqualified prediction of the
computed ManagementFactor (MF) difference that might be observed between the

two sites. Findings from the study has shown that the technique was able to predict
an overall difference by about a factor of two in relation to the safety management

performance and this was found to be highly compatible with observed safety
performance. This suggeststhat it may be possible in the future to discriminate
betweenthe safety managementeffects of individual organisationsin relation to
assessmentof MEH. They have suggestedthat similar studiesbe conducted in order to
support the finding.
2.7 The Contribution of Human Error to Risk
The contributionof humanerror to accidentshasbeenrealizedway back in the 60s.

Kriliss (1962) found out from his investigationthat almostseventypercentof plane
crashesin the USAF over a period of time was due to humanerror. In the nuclear
industry, empiricaland analyticalstudieshave shownthat humanerror contributes
significantlyto accidentat nuclearpower plants (Barnes,1990). The Health and

SafetyExecutives(HSE, 1989)in their publicationon HumanFactorshas indicated
that as many as 90% of workplaceaccidentsin the UX had a contribution from
humanfactors. Gano (1987) found out basedon studiesby United StatesBWR
utilities and INRO, that 36% of root causesof incidentsare due to human error.
Even root causescategoriesunder proceduraland equipmentfailures have human
contribution. Hurst (1993),in a studyon causalcontributionof safetymanagement
failures basedon an extensivedatabaseand pipework failure, found out that the
contributionof humanfailuresfrom operationand maintenance
activitiesis between
25% to 30% of the overall causesof failures. The many exampleshas prompted
WatsonandOakes(1988)to concludethat humanreliabilityandits quantificationis a
centralandimportantaspectof reliabilityandrisk assessment.
Sincerisk assessment
is now widely beingusedto assessthe potentialhazardsposed
by NIM, any attemptto evaluatethe contributionof humanerror would increasethe

transparency of such assessmentand provide valuable information on the means of
how to minimise it. In this respect, a distinction could be made between operating
error which is a direct cause of failure leading to loss of containment, and a safety
managementfailure which may be both an underlying causeof failure or the failure of
a potential preventive mechanism.
According to Watson and Oakes (1988) the ten-n "human error" is used to cover
many different situations and events,including error of managementdecision, design

and maintenance, and most particularly operators. The Kennedy Report (1979)
describedthe interplay of a large number of managerial,organizational and regulatory
root causes in the Three Mile Island Incident. Kletz (1985) has also provided
numerous case studies which illustrate the ways which human error at various levels
of an organization can give rise to a major disaster. Recent disasters including
Bhopal, Chernobyl and Piper Alpha, have showed the importance of managerial and
organizational factors in accident causation(Pate-Cornell, 1992).
Accidentsand major lossesin chemicalprocessindustriesseldomarisefrom a single

human factor or componentfailure (AIChE, 1994). Most of the time it is a
combinationof some triggering events (hardwareor human) coupled with pre-

existing conditions such as design error, maintenancefailures or hardware
deficiencies.Thereforeit is importantto distinguishbetweenactiveand latent errors
of failures. An active human error has an immediateeffect in that it either directly
causesa hazardous stateof the systemor is the direct initiator of a chain of event
which rapidly leadsto the undesirablestate.The latent failures on the other handcan
occur at the level design
of engineering policy.
or management
The degree of which a systemi. e. ammonialoading operation is vulnerable to human
error is one of the principal determining factors in deciding the level of analysis
required (Kirwan, 1994). If the systemcritically depends on human reliability for safe
operation, and which involves potentially large lossese.g. in term of lives, then a full
investigation of human contribution to the level of risk is justifiable. Perrow (1984)

defined three factors which can be considered in setting the scope for BEA i. e.
complexity, interactiveness and coupling. According to him a system w1fich is

complex, highly interactive and tightly coupled will require an intensive risk analysis
and in turn needsan in- depth IHEA.
2.8 Qualitative Analysis of Human Error

Early human reliability methodologies were dominated by behavioural psychology,
and measurementswere taken of simple stimulus or responsetasks to the exclusion

of higher level decision making and problem solving tasks and out of context of the
overall system.The behaviouristview of human as a mechanism(or a machine) fitted
in with the way in which the human component was modelled in most system
reliability assessmentsas being described by Hagen and May (1981). Here human
is
error treated as a factor in systemreliability and needsto be seenas a process itself
Probability data on required task performancewere feed into conventional fault tree
analysisin the sameway as hardware component failure probabilities. Then whether

this error could be recovered, and if it cannot be recovered what would be the
consequencesthat will affect the overall systemreliability are considered.
Looking from a systemcontext,humanerror couldbe definedas a failure of the part
of a human to act
performa presented (or the performanceof a prohibitedact) within
specified limits of accuracy,sequence,or time, which could result in damaged
equipmentand property, or disruptionof scheduledoperation (Hagen and Mays,
1991). While Park (1981) definedit as the probability of error free performance
within a specificperiod of time. Both of the descriptions looking

are essentially at a
human error from human factors engineeringor ergonomicsperspective.This
is
approach concernedwith the 'external'modeof human error (External
Error Mode
EEM), suchas error of omission,error of commissionand extraneous error (Swain
-
and Guttman,1983). It could be easilyappliedto the technologicalsystemsuchas
NPP and offshoreinstallationsdespitelack of a soundtheoreticalmodel (Kirwan,
1994).
(1986) challengedthe behaviouristthinking.He revieweda large number

Rasmussen
of incidentsand accidentsreportedfrom nuclearpower plant, chemicalplant and
aviationindustryand madethe observationthat 'operator error' only makessense
when they were classified in term of the mental operations being utilized in the task.
His resulting model called Skill, Rule, and Knowledge (SRK) based model of
ccognitive' control has become a market standard within the system reliability
community in assessingwork place reliability (Cox and Tait, 1991). Norman (1988)
highlights two fundamentalcategoriesof error; slips and mistakes. Slips are results
of automatic and routine action under subconscious control, while mistakes are
results from conscious deliberation. Although a number of cognitive models have
been developed, Rasmussen'sis probably the only model that has achieved wide
spread acceptance(Kirwan, 1994). This approach goes beyond the EEM and look
further at the 'internal' mode of human error which is known as Psychological Error
Mode (PEM). Human error taxonomy basedon this approach has been proposed by
HSE (1989) which comprised of 5 types of human error namely; misperception,
mistake priorities, attentional lapse, mistake action and willfulness, and finally
violation and sabotage.
Reason (1990) extended the SRK framework to form the basis of a generic error
modelling system (GEMS). The system provides a conceptual framework within

which to locate the origins of basic types of human error. It integrates two different
areas of error research; slips and lapses in actions deviate from current intentions
and mistakes, in which action may run according to plan but where the plan is
inadequatein someway.
However, concern for the reliability of specific systems (more generally the
of safety)requiresthe error to be classifiedand explainedin the context

management
of the work process.This approachhas been suggestedby Meiser (1971) and
Rasmussen(1986). Suchcontext dependenttaxonomieshave to considerthe role
and the interplay of task, technologicaland organizationalas well as individual
process.Mappingtaxonomiesof error onto the work processopensup the possibility

that error maybe usefullyreviewedin differentwaysin relationto differentaspectof
work, i.e. designof systemimplementation,
operation,management andmaintenance.
In this context humanerror is viewedas a sociotechnicalprocessrather than as an
individualpsychologicalprocess.This requiresthe study on the interrelationof task,
individual, organisationandtechnologywhich contributesto humanerror.

The various approachesattempting to deal with human error analysisthat have been
describedabove could be adequatelysummarisedby AIChE (1994) to be
made up of,
1. Traditional Safety Engineering
2. Human Factors Engineering/Ergonomics
3. Cognitive SystemEngineering
4. Sociotechnical Systems
Traditionalengineeringapproacheslook at the individualfactorsthat could give rise

to accidents and so give emphasisto the selection of people, together with
motivationalanddisciplinaryemphasis.
Human factors engineering/ergonomics

approachemphasizes the mismatchbetween
humancapabilitiesand systemdemandsas beingthe main sourceof humanerror so
the primaryremedyis to ensurethat the designof the systemtakesinto accountthe
of the human.
physicalandmentalcharacteristics
The cognitive system engineering approach is rooted in the applied psychology

branchof knowledgewhich took the currentview that individualswere purposefulin
that their actionswere influencedby future goalsand objectives,insteadof merelya
passive black box that is analogousto an engineeringcomponent. This approach is
applicablein particularto activitiessuchasplanningandhandlingabnonnalsituations.
The last approachis the sociotechnicalsystemsperspectivewhich arose from the
realizationthat humanperformanceat the operationallevel cannotbe consideredin

isolation from the culture, social factors and managementpolicies that exist in an
organization.This approachis mainlyconcernedwith the implicationsof management
andpolicy on systemsafety,qualityandproductivity.
Currently a numberof methodsexist to conduct qualitativehumanerror analysis.

This includes THERP, Human Error HAZOP, SRK, SHERPA, GEMS, Murphy
Diagrams,andERMS (Kirwan, 1994). Eachof the techniqueat the very leastshould
be able to identify the EEM as it is a necessarystep to integratethe humanerror
element into QRA. Each of the method has its own strengthsand weaknesses.

THERP (Swain and Guttman) for example is the simplest method yet capable to
identify a high proportion of human error. Its weaknesslies with the fact that this
methodology lacks rigourous structure and is not capable of considering the

underlying psychological mechanism. At the other end the ERMS technique
(Kirwan, 1990) is a fully computerised system which allows the complete task of
assessing human reliability to be accomplished through its task analysis module,

human error identification module, task classification module, cognitive error analysis
sub-module and human error analysis sub-module. However this technique is quite
new and still not availablein the public domain. As such there is not enough practical
application to show its effectiveness.
In betweenthe two classesof techniquesthat has been describedabove lies the

Systemfor PredictiveError AnalysisandReduction(SPEAR)technique.The SPEAR
frameworkwas developedas one of the methodologiesfor analysingand reducing
risks arisingfrom human error in chemical industries

process (Embreyet al, 1994). It
is based on an earlier computerisedframework called SHERPA which has been
developed for the same purposes(Embrey et al, 1986). The framework was
developedin order to provide a logical and consistentstructureto allow usersto
easily apply specifictechnique for human error analysissuch as task analysisand

predictive error analysis. SPEAR representsan integratedset of techniquesfor
identifyingtaskswherehumanerror could occur with severeconsequences.It goes
on with the processof identifying specificerrors and their consequenceswithin the

task. The framework also facilitatesthe development of cost-effectivemethods for
the
reducing probabilityof these error. In the areaof risk assessmentthe framework
be
could used to identify a critical task with high risk potentialwhich subsequently
be
could usedas input for QRA.
Phase I of SPEAR is made up of a screeningprocess. Its purpose is to identify the
human interaction with a process system which in the event of error occur could
in
result significant risk. The screeningprocessensurethat all possible sourcesof risk
on a site are identified. Decisions could be made with regard to whether the risks
constitutesa seriousthreat that warrantsdetailed By

analysis. focusingon operator
involvementon high risk systemof the plant, the amountof effort requiredto apply

other techniques such as task analysis, which form the SPEAR framework could be
reduced. The screeningprocessuses a number of scoring systemsthat are used to
rank a particular task based on its intrinsic hazard, intrinsic vulnerability and the
frequency of operator involvement.
Detailed Predictive Error Analysis made up Phase 2 of the SPEAR system. The
process evaluates errors that could arise in the subset of tasks that have been
identified by the screeningprocess. The evaluation is carried out in three stages.The
first stage is the Hierarchical Task Analysis (HTA) which describes in detail the
structure of tasks and the plans which determine the order in which the task step is
performed. The secondstageis the Predictive Human Error Analysis (PBEA) where
each of the task stepsidentified in the task analysisis evaluatedfor its error potential.
The last stage of Phase 2 is the ConsequenceAnalysis which specifies possible
consequencesfrom errors that have been identified in term of the severity of the
consequenceand the frequencythat it could happen.
The final phaseof SPEAR is Error ManagementControl Analysis. The first stage of
Phase3 involves the evaluationof the factors which determinethe probability of error
known as PerformanceInfluencing Factors (PIFs). These factors such the quality of
training, procedures, and human-machineinterfaces, most of the time are dependent
on the performance of site specific safety managementsystemsfor their effectiveness.

The PIF analysis allows factors that exert strong influences in the realisation of an
error to be systematicallyidentified and their current situation assessed.The analysis

is then extended to look at the weaknessesor shortcomings of the present safety
managementsystemsthat created the site's PIFs situation. Based on this information
appropriate error reduction strategiescould be developed,which made up the Stage 2

of Phase 3. The Phase 3 determines cost-effectivenessof various error reduction
strategies that have been developed in Stage 2. Finally the most cost effective
reduction strategies that has been identified are implemented on site and their
is
effectiveness verified over time.

2.9 Quantification of Human Error
Safety and Reliability Directorate (SRD) in its publication on Human Reliability
Assessor Guide (Humphreys, 1988) described eight techniques for determining
humanreliability;
1. Absolute Probability Judgement(APJ)
2. Paired Comparison(PC)
3. Technique Empirica Stimo Operation (TESEO)
4. Technique for Human Error Rate Prediction (TIHERP)
5. Human Error Assessmentand Reduction Technique(BEART)
6. Influence Diagram Approach (IDA)
7. SuccessLikelihood Index Method (SLIM)
8. Human Cognitive Reliability Method (HCR)
techniquescouldbe groupedinto basicallyfour maincategories

The abovementioned
asfollows;
1. Analytical Decomposition Methods - e.g. TBERP and BEART
2. Time-Reliability Curve Approaches- e.g. HCR
3. Expert JudgementBasedMethods - e.g. APJ
4. Scaling Techniques- e.g. PC and SLIM
AnalyticalDecompositionMethods breakthe task down to the task step level for
exampleopenvalve,press button etc. It Human

assigns Error Probabilities(HEPs)
to eachtask elementfrom a data bank. Then the HEPs are modified to take into
betweentask
accountthe PerformanceInfluencingFactors(PIFs)andthe dependence
steps. Finally the overall probability of error is synthesisedfrom constituent
probabilitiesusingthe eventtree. THERP (Swainand Guttman,1983)is one of the
techniquesthat fall under this categorywhich basicallycompriseof a databaseof

human error IHEPs and PIFs such as stress which could affect human performance.
These factors can then be used to alter the basic human error probabilities in the
database,using an event tree modelling approachand a dependencymodel. BEART
(Williams, 1986); was developedbasedon a literature review on human factors and
experimental evidencesof various parametersthat affect human performances. A set

of generic error probabilities for different types of tasks is defined for quantification
purposes. The task under considerationneed to be defined under one of the generic
error provided. Then the Error Producing Conditions (EPCs) which is sin-Oar to
PIFs, that could influence the task needto be identified. For each of the EPC evident,
the generic IHEP need to be multiplied by the EPC multiplier provided, which will
yield the final IHEP. A set of practical error reduction strategiesare also provided by
the technique.
The Time-Reliability Curve approachesare based on the assumptionthat the

probability that the operator will not perform a required function is primarily
dependenton the time availableafterthe onsetof the signalfor action. HCR is one of
the techniquewhich usethis approachwhereits correlationis a set of time-reliability
curveswhose shape is determinedby the type of information processingassociated
with the task beingperformed.It encompassed three typesof informationprocessing;
skill-based,rule basedandknowledge-based
processing.
basedmethodsuseexpertsto generate
As the namesuggestedthe ExpertJudgement
humanprobabilitiesdirectly. It may occur in variousforms, from the single expert
to
assessor, the use of a larger group of individualswho may work together, or
be
whose estimatesmay mathematicalaggregated. one As of such techniques APJ
requiresexperts,and theseexpertmust firstly have i.

substantiveexpertise, e. they
must know in-depth the area that they are being asked to assess. Secondlythe
expertsmust have normative expertise,i. e. they must be familiar with probability

calculus,as otherwisethey will not be to
able expresstheir expertisecoherentlyin
quantitativeform.
The scalingtechniqueoriginatesfrom the theory of decisionanalysis.It is essentially
a techniqueof definingpreferences
amongsta set of items, in this casehumanerror

task. SLIM is one of the technique which fall under this category. It defines
preferences which represent the relative likelihood of the errors, as a function of

various factors that can affect human performance which is known as the
Performance Influencing Factor (PIF). This includes for example level of training,
quality of the procedures, time available, quality of the operator interface, etc. It
creates a relative scale representing the likelihood of errors, called the Success
Likelihood Index (SLI). This index can be "calibrated" to generate human error
probabilities using a logarithmic relationship based on experimental data and relative

scaling of error likelihood from the comparisonof different experts.
Roafaat and Abduoni (1987) developedan expert systemon human reliability analysis
is
which modelled on three previously listed techniquesi. e. THERP, SLIM and APJ.
The main intention of developing an expert system in this area was to reduce the
dependenceon the human factors and ergonomic analystjudgement required in the
current method and technique. Although the system was primarily designed for
nuclear and process plant, it can be adapted for other industrial and occupational
situations.
Analysisof humanperformanceand estimationof humanerror probabilitiesrequire

supporting quantitative data. These data could be obtained through the following
methods (AIChE, 1994);
1) Laboratorystudies.
2) Task simulators.
3) Operational observations.
Time measuresof humanperformancecouldbe obtainedusinginstrumentationwhich

includesreactiontime andtask duration. Meanwhilefrequencydataare producedby
counting numbersof operatorresponses,errors, output and events.Data collected

from relevantoperatingexperienceor from relevantindustrialexperimentwould be
ideal to be used(Yjrwan, 1994).In the absenceof suchdata,subjectiveor operator
basedjudgementhavebeenusedanda variety of psychometrictechniquesemployed
(Gertmanet al, 1994).

2.10 Current Approaches to Incorporate
Organisational Factors and Human Error into
QRA
Realisingthat organisationalfactorsand humanerror playsa significantrole on risk
from hazardousinstallationsmanyresearchershaveproposeda numberof approaches
in trying to includetheir impactin risk assessment.
Many of themare gearedtowards
the nuclear industry where the application of risk assessmentin the form of
Probabilistic Risk Assessmentare well established.However some of these
approachescould be extendedto otherindustrieswith certainad ustment. A number
of theseapproachesis rootedin the chemicalprocessindustriesespeciallyin Europe
in the form of QuantitativeRisk Assessment
wherethe applicationof risk assessment
(QRA) has gained considerableacceptancefrom the owner, practitioner and
regulators (CEC, 1995). Reviews of some of the prominent approachesto

incorporateorganisationaland humanerror in risk assessment
will be deliberatedin
the folloAringparagraphs.
2.10.1 The Work Process Analysis Model (WPAM)
The Work Process Analysis Model (WPAM) (Davoudian et al, 1994), as the name
suggestedusesthe work processin the nuclear industry as its foundation. In a typical

nuclear power plant, the by
plant work processesare created working units formed
according to their technical specialisation. This may include units of operations,

maintenance, instrumentation and control, and health physics. The coordination
between these working units is made by a series of information based decision
processeswhich are developed to facilitate the accomplishmentof the overall tasks.

There are a number of organisationalfactors which influence the successof achieving
these tasks. The bottom layer of these organisationalfactors is made up of the plant
specific culture such as organisational culture, ownership, and safety culture. The
next layer is made up of factors such as decision making, communication,

administrative knowledge and human resource allocation. The link between the two
layers is achieved by taking into consideration that any one or more of the
organisational factors can influence the quality and efficiency of a given work process
A PbD Thesisby J.Basri 40

in the format of 'many to many mapping'. In turn this will affect the personnel and/or
equipment performance.
The model attempted to incorporate the impact of organisational factors on nuclear
power plant safety by accounting for the dependenceof these factors introduced
among probabilistic safety assessmentparameters. WPAM framework is geared
towards capturing the common-cause effect of organisational factor on NPP. It
considers not only organisational common causefailures of similar systemsbut also

between dissimilar systemsor components.
The strength of WPAM is that it concentrateson capturing the common-causeeffect
of organisational factors on nuclear power plant safety. It goes beyond conventional

common-cause failure analysis since it considers common-cause failures of the
organisation of similar and dissimilar systems or components or both. Such an
approach allows the common effect of organisationalfactors to be considered rather
than a mere recalculation of independentevent probabilities.
As for the shortcomings,WPAM currentlyonly considersa steady-statescenario,for

examplea pre-accidentoperation.A dynamicsituation,for examplethe operator
action during a transientare not analysed.Secondlythe analysisis only shown the
usagewithin the framework of the corrective work
maintenance process. It is
claimedhowever that the be

with somemodifications, model could madeapplicable
to other work processes,for exampletesting work processes(e.g. surveillance
testing,in-servicetesting).
2.10.2 The Onion Model
Modarreset al (1992) proposeda frameworkwhich candepictthe elementsof plant

in
safety a hierarchical manner. The frameworkis madeup of two The
structures.
first structureis calleddiamondtreeswhich describesthe functionalhierarchyof plant
safety, includingthe The

role of operatorandplant management. secondstructure is
called the organisational field modelwhich describesthe behaviouralaspectof the

organisationrelatedto the management
andoperationof the plant.
OF
UNVERSITY
SHEFFIELD
The diamond tree is a structured top-down, successoriented tree that can describe a
plant functional hierarchy and its operation. The functional hierarchy shows how the
function of the systeminfluencesand fiilfil a system objective. The development of a
diamond trees involves firstly identifying the plant's principal objective in this case
would be plant safety. Secondly,identifying the plant's function that must be met in
order to achievethat objective. Thesefunctions then will be examinedin detail which
will describe the plant in term of its functional requirement for operation. By
developing the tree further the relationshipsbetween hardware components and the
plant function which they support can be identified and shown in the form of success
tree or successpath. These relationship provide a basisto identify aspectsof the plant
operation which are essentialto safety. The complete tree then will be able to show
the relationships between human activities and hardware performance. This is
achieved by recognising the fact that human actions affecting the hardware
performance and the same affecting the quality of various activities under plant
programme such as maintenance activities. And since the plant programme are
implemented and monitored by the managementsome form of relationship could be
establishedbetweenthe plant hardware and humanactivities within the plant.
The OrganisationField Model (OnionModel) is usedto considerthe informalfactors

or elementof safetywithin the organisationthat cannotbe adequatelyrepresentedby
the DiamondTree structure. Factorssuchas morals,attitude,and knowledgeof the
plant personnel.The modellooks at a site organisationfor exampleat nuclearpower
plant as a seriesof concentriclayers(englobingfields) levels
of organisational that
mutuallyinteractwith eachother while maintainingtheir identity at eachlevel. This
organisationfield modelis developedfrom researchin management,
organisation,and
humanfactors which structureattemptsto depict genericfactors that influencea
worker's reliabilityandproductivity.
The proposedframeworkcould be usedfor qualitativeassessmentof how different

factors influenceplant and personnel.The frameworkshowshow various elements
interact with eachother and showsthe paths from a given factor to safetywhich
providesa qualitativeexplanationof the influenceof that factor. The frameworkalso

be
can usedasthe underlyingmodelfor quantitativeassessment
of the organisational
factors influence. In principle by using appropriate quantitative measuresof safety
the effect of various organisationalfactors and characteristicsof the systemof interest
could be calculated. However the need to define measuresof influence and develop
method of estimation is not an easy task. For this purpose the author proposed
converting the entire framework into a digraph representation and measure the
propagating degree of influence through the model using special mathematical rules
such as Mason's rule from Signal Graph Theory.
The strength of the proposed framework is that it uses two separatemodels, i. e. the
diamond trees and the organisation field model. The diamond model depicts a fairly
accuraterepresentationof the formal elementsof safety in hierarchical form while the

later deals with psychological side of the organisation. Combining the two models
yield a useful framework that could provide qualitative and quantitative assessment
of organisationalinfluenceson safety.
Its weaknesslies in the lack of application for chemicalprocessindustries. The author

it
only mentioned uses for and
assessment integration of safety performance indicator
in NPP but did not elaborate its effectiveness. A case study to show the actual
application of such a framework for a qualitative or quantitative would

assessment be
very useful. For qualitative assessmentthe framework is unable to show the

dynamics of organisationalinfluences. As for a quantitative assessmentthe measures
of influence are not defined and the method for estimation was not mentioned. Only
the method to propagate this influence from basic elements to the higher level of
organisation was described, i. e. using Mason's Rule.
2.10.3 Incorporation of Organisational Factors into Human

Reliability Analysis in PRA
Moeni and Orvis (1993) proposed a systematic approach to incorporate

factors
organisational into human for
reliabilityestimates probabilisticrisk assessment
it be to
so could applied safetyculture improvement
and integrate risk management.
It uses the decisiontrees, expertjudgement,empirical data on human error and
information collected on organisationalfactors (M) in the form of ratings. The

dependence between multiple operators' actions in an accident scenario due to
common factors rooted at the organisationallevel is also being addressed.
The determinationof human error probability of a specific task requires the

assessmentof a number of important Performance Shaping Factors (PSFs) that
influence the likelihood of error being committed by human attempting carrying out
or completing the task. Traditionally the PSFs being used are those that directly
influence the outcome of specific task such as the quality of training, operating
procedures,time stressandman-machine interface.Hencea logical extensionof the

PSFconceptswould be the inclusionof organisationalinfluencesas higherinfluences
that may affect severalof the specificor low level influencesthat are currentlybeing
used. In addition other organisationalfactors that can directly influencepersonnel
performancesuchasmotivationandattitudeare alsointroduced.By calibratingPSFs
for organisationalfactors(M) empiricallythe probabilityof an accidentor incident
of anNPP could be calculatedunderoneorganisational
situation.Any changesto the
plant organisationalsituationwill affect OR (for worse or better) which in turn will
alter the probabilityof that accidenttaking place.This will allow comparisonto be
made on a failure probability of an event at the same NPP under a different
organisationalsituationor with anotherNPP whichmayunderdifferentorganisational
situation. The authorsexplainedthe applicationof such an approachby using an
exampleto determinethe reliabilityof controlroom operatingcrew in a typicalNPP.
The strengthof the proposedmodelis its ability to breakdownthe organisationinto
variousdepartmentsof work processessuchas training,licensing,maintenanceand

etc. This way the organisational
factor that influencessafetycanbe rooted at specific
departments. The model also usesfive groups of organisationalfactors that have
beenidentifiedthrough extensiveresearchon past safetyrelatedincidentson NPP in
the U. S. It uses a decision tree techniqueto estimateIHEPsunder identified
categoriesof humanfactors.The techniqueallowed the influenceof organisational
factors to be assessed,
rated, andweightedusing well establishedtechniquesuchas
BARs andweight of evidence.
The shortcomingof this techniqueis that the casual model developedmust be

adequate to depict the relevant department and identify the category of influencing
factor within an organisation. Another shortcoming is the need to provide anchor
points as starting point for the subsequentestimation of weight of evidence for other
influencing factors. Lastly the 5 groups of organisational factors used is based on
NPP historical data (incident assessment)which will be significantly different in non-
nuclear application such as in the petrochemicals industry.
2.10.4 Model of Accident Causation using Hierarchical Influence

Network (MACHINE)
Embrey (1992) proposed a generic model of accident causation which combine
human errors, hardware failures and external event called MACHINE. This model
attempts to approximate accident causation involving three levels of human errors,

i. e. active error and two levels of latent error, one from operational and another from
organisational. It describes the interrelationships between management influences,

immediate causes and operational errors which can be used for organisational
auditing, monitoring and system design. The influences are in the form of 'many to
many mapping' or 'many to many pattern of influence' that has been described by
other researcher(Davoudian, 1993).
While their relationshiplooks complexcertaingenericfeaturescanbe deducedbased

on large numberof accidents that hasbeenanalysed. It is claimedthat this model
be to influences
additional
could easilyextended accommodate and levels so that it
constituteda comprehensive genericmodelof accidentcausation.An exampleof the

applicationof the techniquefor accidentanalysisis given using a genericmodel of
accidentcausation.The first level of influences typical
represents factors such as
performanceof training and time pressure which provide direct effects on the
likelihood of occurrenceof the immediatecauses.The secondlevel of influences
represent typical policy level factorswhich determine

the likelihoodthat the first level
influenceswill be negativeor positive,for examplethe policy to ensurefeedbackfrom
operationalexperiencewill be of useas input for future training. Using the Influence

Diagram techniquethe probabilityof influencesbetweenthe secondand first level
could be establishedbasedon the concept of weight of evidence.This concept

requires the assessmentof weight of evidence of the lower level factors influencing
the higher level influencing factor in term of probability. These probability values
could be obtainedusing techniquessuch Absolute Probability Judgementand SLIM.
One of the potentialapplicationsof the modelis that it could be usedas a basisfor a

safety auditing tool it
since could show various levels of influences that actually
determinethe likelihoodof an accident.Anotherapplicationareaof the modelwould
whereit could capturethe effectsof a network
be for a quantitativerisk assessment
of influences.
In fact the be
model could used to incorporatedirectly the effects of
managementand organisationalvariablesin the quantificationof both human and
hardwarefailures.
As for its implementationthe modelneedsto use a suitableelicitation techniqueto

capture from individualsin the the
organisation detailedstructuresof influences
that
could resultsor have in
resulted accidents. For this purposethe information made
availablefrom accident investigationand near-missoccurrencescould be used. In
addition some form of representationof influence is required which need to be
compatible with the generic model. To fulfill these requirementsthe Influence

Modeling and AssessmentSystem(WAS) ( Embreyet al, 1984) is used.It has an
addedadvantageof being to the
able quantify effectsof various influencesthat have
beenidentified. HAASwas originallydevelopedas a methodto elicit the diagnostic
models held by NPP operator when responding to emergencies. An interactive
to
computerprogramwasused elicit the diagnostic
modelwhich depictsthe modelas
a network comprisingof threeentities;
(a) Event - occurrencesthat are causally connected to other events or nodes in
the network
betweeneventsthat arecausallyrelated
(b) Linkages- patternof connections
(c) Indicators - infonnation sourceswhich can be directly observedby the

operator,which indicate be directly.
statesor eventswhich cannot assessed

The IMAS structure can be readily applied to the MACHINE accident causation
influence network. The nodesin IMAS representthe statesthat influence other states
as opposed to events that causally lead to other events in MACHINE. This in turn
influences the likelihood of events active or latent error of hardware failures. The
Influence Diagram methodology could be used to quantify these influences. And as
these influence links are probabilistic in nature the outcomes could be easily
incorporated into probabilistic risk assessment.
The strength of MACHINE is that the model is supposedto be generic in nature since
it is based on information gathered from analysis of real accident or near-miss
occurrences. It is fairly comprehensiveand capturesvarious levels of influence that

actually determine the likelihood of an accidents. Its structure also lends itself to
quantification using techniques such as Influence Diagram which use an approach
based on balance of evidence as opposed to the use of absolute judgement of a
particular error.
Shortcomingof the approachlies on the needto tailor the genericmodelfor a specific

The
systemunderconsideration. elicitationtechnique to capturedetailedstructuresof
influencesneedinformationfrom teamsof individualsat all level in the organisation.
Data from incidentandnearmissinvestigationcould be usedas a startingpoint. This
will be well and good for an which
organisation have a good safety management
system in placed backed by i.
adequateresources, e. trained and experienced
personnel.But in an organisationwith poor PSMS,informationfrom individualsand
datafrom accidentandnearmissesinvestigation,maynot be adequateto identify the
actualstructuresof influences to the

needed modify genericmodel. This will result in
wrong representationof site specific structuresof influencesby the model. The

MAS tool use for eliciting and representingthe influencestructuresalso doesnot
attemptto captureevery interrelationship

but only thoseneeded for the purposein
hand.It meanthat the modelis not genericin a true senseas it needsto be modified
every time for different uses.Field validationsalso needto be conductedto check
the
whether provisional influencing factors assignedto the modelare truly genericin
natureor if the factorsvaries within differentindustries. Finally the error probability
calculatedas shown in the is

casestudy at global level which includesactive, latent

and recovery errors. The application to assesshuman influences on hardware failures
which normally involve influencesof low level tasks was not illustrated.
2.10.5 System-Action-Management (SAM) Approach

Pate-Cornell and Murphy (1994) proposed the SAM approach which provides the
link between probabilities of system failures to human and managementfactors. Its
objective is to improve probabilistic risk analysis(PRA) as a tool for managing and

reducing risk. The important feature of this model is that the management factor
affects the physical systemonly through human decisionsand actions. It uses PRA as
a starting point to simplify the subsequenthuman and organisational analysis. The

PRA will provide the guidanceto searchfor the pertinent human and organisational
factors. Variables from each of the model will lead to a study of the specific parts of
the processesthat affect it. SAM was claimed to offer an analytical approach for
modelling the risk associatedwith a specific system as the structure of human and
management effects on risk can be described by a simple set of equations. The
application of the technique was illustrated in three case studies of failures of three
diverse systems, i. e. operation and fire risk on-board offshore platforms, the
managementof heat shield of the NASA spaceshuttle orbiter, and the root of patient
risks in anesthesia.Despite the diversity of the system under study some common
traits were found be
which could useful in designing risk managementstrategies for a
complex system.For examplethey found too much emphasisis often put on technical
rather than organisational risk mitigation measures and found that operators are
generally predictable, competent,and well intentioned than normally perceived.
The proposedmodelwas an extensionof previouswork carriedout by Pate-Cornell

and Bea (1992). They to
presenteda methodology link the PRA input to decisions
and errors during design, constructionand operationphasesof offshoreplatforms.

They assessed the contributionof different types of error scenariosto the overall
probabilityof platformfailures. Accordingto them a largefraction of theseerrorsare
to
attributed errors and bad decisionsrooted in the organisation, based on accident
analysisof well-known incidentssuchas Piper Alpha platfonn. Sucherrors and bad
decisionsmay affect the PRA inputs but not accountedin an explicit manner,

eventhough they might be included implicitly in performance statistics and expert
opinion. Bad decisions may involve errors of reasoning, excessive risk taking, or
unwarranted optimism. Thus organisational errors encompasssome of the classical
human error and other factors, such as communication and incentive problems that
give significant contribution to the probability of a system failure. These
organisational errors could be linked to a system reliability through PRA which is

designedto provide information for amongstothers for the setting of priorities among
different types of measuresat improving systemreliability that includes organisational
means.
Key organisationalelementsof systemreliability includes individual skills, information

(collection, communication, and learning), resource constraints (budget set by
corporate goals), and the reward system Oob appraisal, wage increases, incentives,
etc.). In turn these factors are rooted in the structure, the procedures, and the culture
of an organisation which contributed to safety of the site operation.
They proposed a taxonomy of operator error which can relate the individual decisions
to organisational features such as information and reward systems. The taxonomy
made fundamental decision between gross errors that taking in

place unambiguous
situations and error of judgement which occurred under uncertainty. Gross error
involved mostly information problemswhich are causedby a temporary or permanent
lack of knowledge, and misunderstandingof a situation. This error can also causedby
human physical and psychological limitations for example when working under an
unusual environment such as on an offshore oil platform.
Errors of judgementconcernedwith issuesof incentives,preferences,and rationality.

Theseerrors cannotbe easilydefinedby a violation of a fixed norm (a deterministic
truth). Hencethe authorsused an approachbasedon "boundedrationality" where
people generallyrespondto the reward systemand use, to certain extent available
informationevenwhenit is incomplete.Violation of this rationalrepresentone of the
key sourcesof errors ofjudgement.
Strengths of this approach are that it looks at errors rooted at organisational level
through error of actionsanddecisionswhich someof them go beyondthe traditional

approach of human error. The division of error to gross error and error ofjudgement
make it much easierto find their root at the organisationallevel. This in turn Provides
the linkage for variablesin risk analysisto some organisationalfactors and assessthe
effect of errors (occurrence and consequences)on systemperformance. Hence it may

be possible to reduce the base rate of errors and increasethe rate of error detection
by organisational changes,such as improving learning mechanismsor improving of
scheduling to reduce time pressures. Using offshore platforms as case study the
approach was shown to be able to comparedifferent approachesto risk management.
It was also able to highlight the contribution of low-severity error which provides
significant contribution to system failure. This type of error normally hidden by the
emphasisto look at high is

severity error which often the visible trigger of an incident.
of suchan approachlies firstly on the highly simplifiedrepresentationof

Weaknesses
a complexinstallationsuchasthe offshoreplatformin order to elicit humanerror and
providestheir linkagesto the organisational level.While sucha global approachwill
facilitate the elicitation processit may miss the linkage of certain low level tasks
which may not follow such global representation.Secondlyon the use of expert
opinionsin the form judgement
of an absolute for all humanerror data. While it is
quite straightforward for to for

grosserror, assignvalues error of judgement (under
uncertainty) need a more robust approach.This is especiallytrue as not much

statisticsare availableon error of judgementor exist for comparison.A bounded
valueof sucherrorsprobablynecessary to checkthe rangeof uncertainty.Thirdly the
approachdid not addressthe way to detanglehumanand organisationalerror which
madeup the generichardwarefailure rate usedin the analysis.Finally the approach
was only testedon off-shoreplatformswhich havespecificandwell definedstructure
for decisionmaking.It remainsto be seenhow it would cope with other industries
where decisionmakingstructureis lessclearandmorecomplicated.Or in a situation

where the operator does not have much say (e.g. due to lack of expertise)at the
designandconstructionstagesasoftenfoundin the developingcountries.

2.10.6 The PRIMA Audit
Health and SafetyLaboratory of HSE, UX has developeda technique to quantify site
specific PSMS performance. The technique is based on an audit system with a

demonstrablestatistical and theoretical basisto quantify the performance of PSMS at
a plant and link this into the QRA being carried out (Hurst, 1993). The statistical
basis is taken from an analysis of reported incidents involving failure of fixed
pipework and vessels on chemical and major hazard plants. A 3-Dimensional

classification schemewas developedwhich classify direct cause,underlying causeand
failure of preventive mechanism. This scheme provided an objective quantitative
model on which to base a PSMS audit which emphasized loss-of-containment

accidents as opposed to occupational accidents.The theoretical basis is based on the
SociotechnicalPyramid Model of the effects of PSMS, and the general climate within
which it operates on failure rates. It explores increasingly remote system failures

through engineeringreliability to organization and management,communication and
control and system climate. This theoretical model is based on authoritative texts on
chemical plant risk management,conventional organization and managementtheory,
and managementof quality and consideration of major accidents and system failures
(Hurst, 1991). The technique has been used by HSE Factory Inspectors to audit
PSMS and to quantify it for QRA of a number chemical plant in the UX It is also
.
being used on a trial basis by a number of European countries under EEC funding
(Hurst et al, 1993)
.
Experience gathered from audit trials in the U.K and other European Countries has
led to further development of the technique, primarily revising the question set and
the judgement for various anchor points (CEC, 1995). The final audit version is then
called PRIMA ( Process RIsk ManagementAudit). PRIMA is an audit tool for the
quantitativeassessmentof PSMS The

performance. techniquewas initially developed
to incorporatesite specificsafetymanagement systemquality into quantitativerisk
assessment. Sincethen it hasundergonefurther developmentincludingon the audit
materials,primarily the questionsets and anchor points. Training audit has been
conductedin the U.K the

and auditversion producedfollowing the audit andusedin

field trials at a numberof European countries was referred to
as PRRvIA.
PPJMA consistsof eight key audit areasnamely;
o Hazard review of design(DES/HAZ)
" Human factor review of maintenance(MAINTAHF)
" Checking/Supervisionof maintenancetasks (MAINT/CBECK)
" Routine inspection and maintenance(MAINTIROUT)
" Human factors review of operations(OP/HF)
" Checking/supervisionof construction/installation(CON/CBECK)
" Hazard review of operations(OPARAZ)
* Checking/supervision
of operations(OP/CHECK)
The following tools are availableto assistthe auditor in carrying the audit;
9A modelof anidealPSMSdefinedby the control andmonitoringloops
eA setof four key themeswithin eachauditarea
eA question set
9 An audit manual
*A calculationmethodto generatethe modificationfactors
Strengths of PRIMA;
9 The techniquewas developed basedon soundtheoreticaland statisticalbasis.

Howeverthe lossof containmentdatabaseneededupdating.
The audit questionnaires

set is comprehensive
and do cover the necessaryareas
for PSMS audit. In fact some of the information made availablefrom the
questionnairecould be usedfor other purposesfor exampleto carry out human

error analysis

* The use of managementcontrol loop provides an effective way to represent
PSMS situation for eachsite
o The technique provides a quantitative output in the fonn of PFJMA Modification

Factor that can be used to modify generic failure rate for QRA
Weaknessesof PRIMA;
* Need a thorough site inspectionand documentverificationsin order to make

soundjudgment for the PSMS performance
9 Too much emphasis on written documents which may not be appropriate to
smallersitewith simpleprocess
0 The time requiredto completethe wholeauditexercisesis quite significant.
2.11 Conclusions
The literaturereviewhasshownthe emergence
of QRA as a decisionmakingtool for
Major Hazard control in somedevelopedcountries(Pasman,1995) and to certain
extentin few developingcountries(ELO,1992). The contributionof QRA doesnot
lie squarelyon the numberthat they producebut throughthe processitself which is
capableof systematicallyidentifying,assessingand estimatingthe risk from major

hazardsites (AIChE, 1989). Suchan exercise providesvaluableinformationthat
could be usedto assistthe decisionmakingprocessby the operatorandthe regulator

alike (McQuaid,1995andBayeret al, 1991).
However eachmajor hazardsite possesses that

specificorganisationalcharacteristics
shapedtheir ability to managerisk associatedwith its operation. The existenceof
effectiveoperatingprocedures,the availabilityof skill andexperienceof the operator,
of inspectionandmaintenance
the effectiveness system, andnot leastthe management
commitmentinfluencethe ability of a particularsite in controllingrisk. Thesefactors
were found to be important to
contributors risk beside the hardware integrity (Purdy
and Wasilewski, 1994). As humanand managementsystemsare part of a site

their
organisation,understanding influenceto QRA could providea meansto reduce
the risk, and improving the transparencyand accuracyof the risk estimate.
Existing research on the influence organisational factors to QRA is still at the

development and validation stages. In the US the researchmostly concentrated on
nuclear industry (Davoudian et al, 1994) while in Europe is more prominent in the
chemical process industries (CEC, 1995). The situation in developing countries is
more or less uncharted for (Basri, 1996), even though this is the place where the
organisational differencesare more pronounceddue to side by side existenceof local
and multinational major hazard sites. Any attempt to address this situation is
consideredtimely as risk reduction effort through organisational changesrequire less
resourceswhich is of major concernin developing countries (ILO, 1992).

lieýI-
unapter
Research Methodology
3.1 Introduction
The proposed researchis essentiallya comparative study on the influence of PSMS
on risk from major accidents of two MFH in Malaysia which handles similarly
hazardous material but with a significant difference in safety management
performance. The comparative study will be carried out using the established
technique of QRA and the PSMS quantification. Further attempts would then be
made to comparethe result of human error quantificationon one of the main

components in PSMS, that is human error with one of the hazardous operational
activities being carried out at both installations. The is
main goal to compare and
contrast the differences on the level of risk and human error probability that might
arisedueto the differentstyleof PSMSexistingat the installations.
3.2 Research Background.
Malaysia as a fast developing country has successfullymoved from agriculture based

industry to manufacturing and processingindustries. Discovery of gas and petroleum
reserves in the last decade has seen many large petroleum, chemical and
petrochemical plants being built throughout the country. At the sametime small and
medium size downstream industries started to be established. While the large
upstream industries mainly belong to multinational or nationalized companies, the

downstream industries see the mixture of such companies as well as those who are
ownedby smalllocal operators.

Different types of ownershipmeanthe possibility of a different approach in managing
the day to day running of the plants. Their differences to a certain extent will filter
down to safety management system of individual plant. This unique scenario
represents an excellent opportunity to evaluate the impact of safety management

performancewhich might arise from the different managementstyle in such plants on
the overall risk from its operations. It is expectedthat the plant which is owned by a
multinational will be operated by the parent's company managementstyle to a large

extent and this includes the safety managementaspect. While the locally owned
company is managed by a managementstyle that is peculiar to small Malaysian
companieswith very little influencesfrom developed countries. Any little influences
that exist probably in the form of following the operational and maintenance
procedures and guidelines as laid down by the process hardware suppliers which
mostly come from developedcountries.
Similarly the scenario also offers good opportunity to explore and investigate the
contribution specific component of safety managementi. e. human reliability to both

the safety management quality and plant overall risk. The plant owned by the
multinational is expected to benefit from the parent's company expertise and

experiencewith regardsto humanerror. Necessarystepsto reduce human error such
as achieving task pre-conditions and carrying out task analysis on critical activities
should have been taken. As for the locally managed plant, typically very little
consideration is given on the aspect of reducing human error. Whatever steps taken
toward that probably will be by trial and error basis.
3.3 Regulatory Framework.
As beendescribedin Chapter2, Malaysiahasadequateregulatorysystemto ensure

safety and health at work places. The Factoriesand Machinery Act 1967 (FMD,
1967)andthe new OccupationalSafetyandHealthAct 1994(DOSH, 1994)which is
basedon the UX Health and SafetyAt Work Act etc (HASEWA), provide the
rninimurnstandardof safetyand healthfor workers at work placesthroughout the

country. The regulationsmadeunderboth Acts, provideddetail requirementson

diverseareassuchas the registrationof place of work, competencyof personsin
charge and inspection of dangerous machinery such as lift, boilers and pressure
vessels.
The Control of Industrial Major Accidents,which is basedon the UX CHVLAH

regulationsis -currentlyin place to control hazardousinstallationssuch chemicals,
petroleum,and petrochemicalsplants. Theseregulationsare similar to CRVLAH
wherethe major hazardsinstallationexistingandnew, is requiredto presenta safety
caseor safetyreport to the authoritybeforebe given the approvalto operate. The
Malaysianregulationshowever, requirethe owner of suchinstallationsto consult a
which areapprovedby the authorityin the

competentpersonor competentcompanies
preparationof safety casesto ensurethat the owner or the operator of a major
hazardsinstallationwill be givenproperassessment
by an expert,especiallythoserun
by smalltime operators.
DOSH of Malaysia has direct involvement in ensuring the safety of potentially

hazardous hardware like boilers, reactors, distillation towers and other pressure
vessels. This is carried out by reviewing the design, checking the fabrications,
conducting hydrostatic tests, witnessing commissioning and carrying out annual
inspection on eachvesselfor 'fitness of purpose'. This direct involvement ensuredto
a certain extent the integrity of such in vesselat the design and fabrication stages,and
continue through its operation and maintenancecycle. It will be interesting to find
out whether this sort of arrangement benefits the PSMS of both MFH under
investigation especially in auditing the design integrity and maintenance aspect of
pressuresystems.
Still there are other areasthat are not regulatedthoroughly,yet that could contribute
significantlyto the overallrisk of the installations.The operator'squalificationsand
skill, accidentstatisticsmonitoring system,managementof human error and the
overall systemreliability still much left to the operatorsto implementas long as it
of safetyandhealth. The situationresulted

meetsthe minimumgeneralrequirements
in different systemsbeing adoptedby each NEM. This has resulted in different
quality of PSMSperformanceand humanerror management at differentsites.

3.4 Overview of Methodology
The method employedto conductthe researchwill be basedon field study which

interviews,
consistedof observations, site inspections
and documentsreview to be
conductedon two MIR in Malaysia. Field studieson two siteswhich have different
style of plant management systemwill be conductedto assessthe site specificPSMS
performance contribution to QRA. One of the installationsis owned by an
establishedmultinational company and managedaccording to a modem big
corporationstyleof management.Whilethe otherinstallationsselectedis ownedby a
family businessand managedas a family run organization. However both
installationsare expectedto handleor processsimilarlyhazardousmateriali.e. toxic
the
gas such ammoniaeventhough capacityand size may be different. Such an
is
arrangement expectedto be to
able provide a commonbackgroundas far as the
hazardousmaterialis concerned,allowing the effectof differentmanagement
styleto
PSMS andeventuallythe resultsof QRA to be properlyinvestigated.
The secondfactor that will be assessed is the humanerror on one of the activities
that it is expectedto providethe highestrisk contributorin the plant operations.This
activity will be identified during the baseline QRA and
assessment supported by
historical data on the plant failures. As this aspect is not adequately or explicitly
covered by the current legislation in Malaysia, it will be interesting to explore their

effect on both the safety management system and the overall risk level of the
installation. It is envisagedthat human error for this research is approached in a
system context. In this approach human error will be treated as part of the overall
systemreliability. As one of the factors in systemreliability, human error is expected
to be seen as a process itself rather than of causation-kind effect and recovery. This
approachrequires the identification conditions

of antecedent that could leadto human
error. The is
next step to detennine be
whetherthis error could recovered,and if it
cannot be recoveredwhat would be the consequencethat will effect the overall

systemreliability. To fiilfill this objectivea similarly highly hazardous
task will be
selectedin both plant operations,for exampletask or activity of loading and

unloadingof highly flammableor highly toxic material. Analysison humanerror in

carrying out two almost identical hazardous tasks at different site would allow
comparisonto be madeon its effecton PSMS andeventuallyon resultsof QRA.
Results from the analysis of PSMS and Human Error on the two MIR will be
compared and contrasted. These compare and contrast approach is expected to

highlight differencesand similarities on important factors of PSMS and Human Error
that contributed to the outcome of QRA between the two plants. Factors that
provide significant contributions to the plant's QRA then will be scrutinised to look
for effective mean to reduce their impact to the overall risk level on both MHL
Findings from this researchon meansto reduce the off-site risk then could probably
extend to other MIR in Malaysia.
Further resultsfrom the research coupledwith experiences

gatheredwhile carrying
out the PSMSaudit andHumanError analysiswill be usedto developa procedureto
link the effect of PSMS and HumanError on QRA. This procedurewill allow a
unified approachto assessthe impactof the quality of PSMS andthe stateof human
error in a particularMIR plant througha commonsite audit. The interplaybetween
humanfactors, organisationalstructureand managementis expectedto be clearly
defined,analysedandassessed
in a systematicmanner.
An overview of the researchmethodology could be representedby a flow chart as
shown in Figure 3.1

Figure 3.1 ResearchMethodology Flowchart

60
3.5 Research Design.
In theory the methods to carry out research of this nature falls under one of the
following categories;
o Expefimental
* Quasi-experimental
* Correlational
* Causal-comparative
o Survey
This research which compared PSMS and Human Error contributions to QRA and
coming up with a method to link assessmentof the two factors basedfrom results and
knowledge gained from conducting the exercisesis expectedto fall under the causal-
comparative category. Under this category specific factors i.e. PSMS and Human
Error will be used to compare and contrast off-site risk associatedwith the operations
of two MHI in Malaysia which handled similarly hazardous material, namely

ammonia. Results from the analysisand observationsmadewhile conducting the field
study is hoped to provide input for developing a procedure to integrate the
assessmentof PSMS and Human Error contribution to QRA.
In order to achievethis objective it is essentialto designthe researchin a mannerthat
will allow valid comparisonsto be made between the two sites. The research design
formulatedfor this researchis givenasfollows;

61
3.5.1 Selection of the MHI for comparison
As the main goal of the researchis to compare and contrast, the proper selection of
MHI is of a paramount importance. Statistical representationis not critical since the
study looked at specific factors i.e. PSMS and Human Error in great details rather
than looking at basic correlation between many samples. The two MHI selected
should have the following characteristics;
*A major hazard installation as defined in the Malaysian regulations in the

control of majoraccident.
Different type of ownership, i.e. one installation belongs to an established
multinational, preferably a European concern, which have been exposed to

some form of major accident control legislation through the European
Community (EC) directives. The other installation to be fully locally owned
preferably 'family run' type of ownership
40 Different style of plant's management, i. e. it is anticipated that the

multinational installation being selectedwill be managed in accordance with
that be practiced at their plant in developed countries. The locally owned
installation selected may or may not follow strictly to any particular
management style as practiced by the multinational. Certain degree of

influence by the processhardwaresupplier is to be expected.
Different plant's operator recruitment policy, training procedures and work

incentives, i.e. it is expected that the multinational company provides more
comprehensive training and better work incentives while possessing an

effective recruitment policy as comparedto the local one.
Operating an almost similarly plant, process same level of technology but
plant capacity or through-put could differ significantly.
0 Sitedin an industrialestatebut at differentlocations.
40 Built or constructedin the last ten yearsand havebeenoperatedever since.

These factors are important to ensurethat they have existed well before any
A PhD Thesisby J. Basr! 62

legislation in place with regard to major hazard control, especially on siting
issues.
0 Have fairly adequate records on accident statistics, maintenance, repairs,

inspection and training of personnelespeciallythe plant's operator.
* Management willingness to provide information, to allow safety audit and

human reliability assessmentto be carried out on site over a significant
duration. This factor is extremely important to ensure the success of the
proposed research
3.5.2 Selecting an operational activity for Human Error Analysis
The activity selectedfor Human Error analysisshould be made available at both MEL
It is decided the activity should be a hazardousoperational activity that forms part
and parcel of the plants' normal operation. Operational activity is selected against
it
other plant's activity such as maintenanceand repairs since representsthe highest
contributor to failures of vesselsand pipework as reported by an analysis conducted

by HSE (Hurst, 1991). The activity will be selectedbasedon the following criteria;
0 It should be one of the highest risk contributors as determinedby the baseline

QRA.
0 Involve a number of tasks that require humaninvolvement
0 Has set of establishedprocedures
9 It requires a fairly high degreeof skill for execution
* Operators has beenadequatelytrained to carry out the activity
* Historical data has shown that such activity is one of the highest contributor
of processplant failures.
A PhD Thesisby J. Basri 63

3.5.3 Selection of techniques for analysis
A number of techniqueswill be employed to conduct the research. For this purposes

it is necessaryto select appropriatetechniquesfor a specific purpose from an array of
techniquescurrently availablein public domain. Criteria of selection differ depending
on types of applications but academicendeavourover commercial interest would be

the prime consideration. Full discussionson the selection of various technique is
given as follows;
a) PSMS auditing technique

There are a number of techniquescurrently available to audit PSMS. Some of the
techniques such as MORT and CHASE only provide qualitative results while others
as ISRS, MANAGER and PRIMA provide mean to convert qualitative results to
quantitative ones. As the researchis aimed towards QRA it would be necessaryto
select only those techniques that are capable of giving quantitative results. After
conducting thorough evaluations from available literature it was found that the
PRIMA (Hurst et al, 1996) is the most appropriate technique that could fulfill the
researchobjectives. Main reasonsfor selectingthis techniqueare;
it was developedbasedon a sound managementtheory i. e. the Sociotechnical
managementtheory.
the quantitative part of the technique is basedon a good set of historical data
of vesselsand pipework failures.
* it allows the analysis of contributing underlying causes of failures which
includehumanfactors
* has been successfullytested for field applications by a number of research

bodies in the UX and to lesserextent in Europe.
b) QRA Technique
Conducting full QRA on medium size MEI requires a lot of resources and time
consuming if done manually. To ensure completeness large numbers of credible

be
scenarioswould requiredto be analysedandquantified. So thereis a needto usea
A PhD Thesis by J. Basri 64

computer code to carry out numerous runs for the analysis. Currently there are a
number of QRA computer codes available but almost all are proprietary software,
hence accessibility is of prime importance. At the end the available choice is between
two software namely RISKAT developedby HSE (Nussey et al, 1993) and SAFETI
developed by TECHNICA Ltd. (Technica, 1994). Evaluation made based on
available literature showed very little to separatebetween the two. Finally RISKAT
was chosen due to the following reasons;
9 it is more user-ftiendly as it utilised the Window operating environment
* allowed faster sensitivity analysisto be carried out
usage of 'toxic load' is

which more realistic for land use planning (Fairhurst
et al 1993)
c) Human Error Quantification Techniques
There are quite a number of techniquescurrently availablefor the prediction of human
error. They fall under three broad category as follows;

* Analytical Decomposition Methods - e.g. THERP and HEART
e Time-Reliability Curve Approaches- e.g. HCR
* Expert JudgementbasedMethods - e.g. APJ
9 Scaling Technique - e.g. PC and SLIM
Some of the techniques such as THERP (Swain and Guttman,1983) and HEART
(Williams, 1986) are in public domain while others like SLIM (Embrey, 1984) and
JHEDI are propriety owned. Selecting one appropriate technique for this research
based upon available literature proved to be quite difficult. Validation exercisesthat
have been conducted by a number of researcherssuch as Humphreys (1988) and
Kirwan (1988) provided some guidelines. Finally the SLIM technique was selected
for use for the following reasons;
the technique to
capable assess Human Error Probability (HEP) at system,
sub-systemand task levels

* accessibilityto techniqueand owner could provide training
0 fairly accuratetechnique
e maturity - has been in existenceand used for quite sometime in the chemical
process industry
* fairly high degree of acceptability by the regulatory bodies, the scientific
community and HRA assessor
available as computer code that would speed up the analysis and permit
greater degreeof sensitivity analysisto be carried out.
3.6 Research Procedures
The research procedures are described in the following paragraph. Step by step
description of the proceduresis given as follows;
3.6.1 Analysing the background of MHI in Malaysia.
The first step is to study and analysethe background of MHI in Malaysia. Such an
analysis is important in order to understandthe earlier development, current status

and future direction of the industry. The previous and current regulatory framework
that governs safety and health aspectsand land siting policy in Malaysia would be
scrutinised. Information by
made available such analysiswould be in
valuable setting
up the research direction and boundary. For in

example the absenceof regulatory
requirement for minimum level of plant's operator basic it
qualifications would be
difficult to consider such factor as a major aspect in human reliability. Another
example is that the in

absenceof comprehensivesiting policy Malaysia until recently,
created a situation where one major hazard installation is allowed to be built nearer to
populated area as to
compared another installation.
The Malaysian government policy to attract foreign investment has resulted many
multinational companies to invest in the country by building up large petroleum,

petrochemical and chemical installations. Each multinational company will then bring

in together their management'sskill and system for the plant's operation. Some
of
these companies formed joint ventures with locals that sometimes resulted in a
different style of management.Then there are local companies,most often family run
businesswhich run small and medium scale major hazard installations such as LPG
bottling plants, ammonia bulking plants for the rubber industry and chlorine bottling
plants for the water treatment. These mixtures of plant's managementstyle, would
affect the safety managementsystem of the plant to certain extent and this could
provide a fertile ground to investigate the 'managementfactor' influence on overall
risk.
Similarly the absenceof any form of curriculum be it at the national or state level for
plant operator's basic theoretical knowledge and skill has resulted in a quite big
difference in terms of the operator's skill operating major hazard installations
eventhough for those using hardware of the same technology. There are instance
where due to the requirement to provide job opportunities to people surrounding a
newly built major hazard installation, the company has to recruit locals who were
mainly with fishing or agricultural skill to operate a highly sophisticated process. In
such situation the local operator will be given an ad-hoc 'crash' training programme
that sometimes involved short attachment with a foreign installation followed by
supervision of on-site training. Since it is done on an ad-hoc basis by each company

it would be interesting to find out whether the skill they have acquired is appropriate
and how they contributed to humanreliability in each plant or installation. Also how
further training, incentives, safety and quality management on-site contributes to
human reliability especiallyon hazardoustasks or activities.
3.6.2 Selecting two MHI in Malaysia for comparative study
The second step involving the selectionof two major hazard installations where a full
scaleanalysisof QRA. PSMS audit and Human Error analysiswill be carried out. As
the research does not intend to prove statistical significance but to compare and
contrast, their selectionsdo not require strict procedures to ensure randomnessand

representativeness. In fact a certain degree of familiarisation is desirable to ensure
their selection fulfills the objective of research. Basically the two major hazard

67
installations selected should have the characteristics as described earlier in Section
3.5.1
3.6.3 Conducting baseline QRA
Conducting 'baseline' QRA on both installations will serve two purposes. One is to
determine the risk level on both plants using generic failure rate without considering
the impact of PSMS. Second is to determine which activity within the plant that
represent one of the highest risk contributor to the overall plants risk level. This
activity then will be consideredto be subjectedto humanreliability analysis.
The QRA will be conducted using RISKAT software which was developed by HSE.
Necessaryinput for the analysiswould be madeavailablethrough physical inspection,
examining records and procedures, interviewing personnel and site observations.

Further input such as weather information, population density, site-map, PI&D
diagram could be made available prior to the actual analysis. Some of the input
requires expert judgement to be made.
Necessary steps will be taken to ensurethose input data to RISKAT are compatible
it
since was being developed basically for use in the U. K. Certain input like the
weather data, site-map grid and population density from Malaysia probably need to
be modified to make it compatible with RISKAT. Another factor that needs to be
considered is on various built models that being utilized by the software for
consequencesanalysis. For example it is necessaryto check whether the heavy than
air gas dispersion model utilized by RISKAT is suitable to be used in a humid climate
like in Malaysia.
As it is required to comparethe QRA results of the two MHI a consistent approach in
conducting the is
analysis needed. For this purpose a checklist will be developed to
ensure similar type of questions asked, sametype of documents searchedand similar
assumptionsbeing made in the processof carrying out the analysis. In the event of
expert judgement needing to be made a cautious approach will be taken to prevent

bias toward a particular MHI.

3.6.4 Quantification of PSMS performance
An establishedaudit technique called PRIMA (Hurst et al, 1996) will be used to
conduct PSMS audits on both major hazardinstallationsthat have been selected.The

aims of this audit is to determine or 'measure' managementfactor that is associated
with the performance site specific PSMS. The PRIMA audit checklist is quite
comprehensive and requires the participation of both workers, supervisors and
managers.To ensure some degree of accuracy, it is essentialthe auditor be familiar
with the philosophy, concept and technique of auditing system selected and have
some experienceconducting safety managementaudit.
The PRIMA audit technique utilises formal questions set covering nineteen functions
within an overall safety managementsystem. Based on the extensive analysis on

vesselsand pipework failures eight combinationsof functions were identified as major
contributors. The researchwill attempt to cover the eight combinationsnamely;
" Design/Hazop (DES/HAZ),
" Maintenance/HumanFactor (MAINT/HF)
" Maintenance/Checking(MAINT/CHEC)
" Maintenance/Routine(MAINT/ROUT)
" Operation/HumanFactor (OP/HF)
" Operation/Hazop (CON/CHEC)
" Operation/Checking(OP/HAZ)
" Construction/Checking (OP/CHEC)
The audit will involve conducting interviews with senior managers, line managers,
supervisors,operators and tradesman. Relevant company documentswill be reviewed
and critical documented procedureswill be checkedupon. However it would be very

difficult to interview everyone involved in the activities under scrutiny. Instead a
sampling technique will be used to look at 'horizontal' and 'vertical' slices of the site's
organisation that ensure that opinion will be obtained from a cross section of
personnelon each site.

The horizontal slice involved carrying out formal interviews with managers,who have
influences and have duties in the areasof forming and implementing policy in relation
to the activities under consideration which include establishing organisational
arrangementsand managing the relevant system and procedures. The vertical slice
involved interviewing those individuals in the chain of command who are responsible
for delivery of engineering reliability and operator competence including foreman,
operators and technicians.
A number of visits to each NMI are expectedto be carried out to complete the audit
process. The availability of subjects for interviews especially the senior managers
make it difficult to really estimate the actual duration of the auditing process.
Similarly looking for the right documents for review will be another factors to be
considered. Also the observations of some critical activities against written

proceduresmay not take place at certain periods of time. So comprehensiveplanning
is necessaryto ensure the audit's successfor example by fixing appointment for
interviews, looking at the plant's works scheduleand informing in advancethe type of
information neededto be reviewed.
3.6.5 Modification of generic failure rate
A Management Factor (MF) obtained from safety management audit from each
installation will be used to modify the generic failures rate. The use of modified failure
rate will be better able to reflect the actual performanceof safety managementsystem
to
as compared using the implicit approach. PRIMA provides the option to use the
audit results to modify generic failure rate used in QRA. This will be done by directly
failure information: the audit ratings; weights for

modifying rates using three types of
each area; and a scaling factor based on range and distribution of loss containment
accidentsand incidents.
3.6.6 Conducting QRA using modified generic failure rate
This step requires QPLAto be conducted on both installations using modified generic
failure rates that have been determined as in Section 3.6.5 using the same QR-A
assessmenttool RISKAT. Other inputs needed for the analysis such as weather

data, population density and system hardware together with various assumptions
made will remain the same. This will ensurethat all the other factors remain constant
except the modified generic failure rate is used for analysis. A number of sensitivity
analyseswill be conductedto evaluatethe effect of a number of input parameters
3.6.7 Comparing QRA results between the two MHI
The next step is analysing and comparing results of QRA conducted on both
installations. The QRA results are expected to be in the form of individual risk,
societal risk and some critical hazard ranges. The effect of different management
factor value (MF) between the two installations is expected to be reflected in the
QRA results. This comparison will show how QRA is going to be affected by
managementfactors at both installations. Results obtained from this analysis will be

used to test two hypothesisthat havebeen set earlier, i.e.;
9 PSMS doesaffectQRA results
* N4HI with better PSMS performancehas lower off- site risk
3.6.8 Selecting an activity in normal operation for Human Error

Analysis
This step represents an attempt to investigatethe effect of human error on PSMS and
the overall risk from major hazard installations. To achieve this objective it is
necessaryfirstly to select a hazardoustask in

or an activity the plant where a critical
assessmenton the aspect of human error could be carried out. This approach is
expected to provide a 'snap shot' on the state of human error managementof the
entire plant since it is to

not possible conduct a complete assessment on all major task
or activities. Concentrating on only one activity will reduce task diversity, differences
in preventive mechanismand the level of hardware technology as well as operator's
to
skill requirement carry out such activity safely and efficiently. It will also make the
investigation and the following analysismore manageablewithin the scope and time
available to conduct the research. Providing common background for the selected
activity for both installations will minimise the influence from other variables that are
not directly related to humanerror.

3.6.9 Conducting Human Error analysis
The next step is to conduct human error assessmenton the selectedactivity using an
establishedhuman error predicting technique SLIM at both MHI. The emphasisagain

is familiarisation on the usageof the techniqueespeciallyon its concept, approach and
methodology. This step is expected to be given a lot of attention due to lack of

in
exposure conducting such assessment.Adequate training will be sought from the
technique's proprietor. Expert advice from human error specialist probably needsto
be sought to ensurecompletenessof assessment.
Once again close cooperation from the plant's managementis essential, especially
from the operators which carry out the designatedtask. A briefing sessionwill be
carried out to the supervisorsand operators involved to prevent undue stressworking

under close observations. Similar to the QRA analysisa checklist will be developed
to ensureconsistencyin carrying out this humanerror analysison both MIR
3.6.10 Comparing Human Error Analysis results.
This step involves the analysis of results on human error analysis for both
installations. Due to significant differences in areas like operational procedures,
maintenance standard, operator's knowledge and skill, work incentives and
motivation as well as managementcontrol, it is expectedthe level of human reliability

between the two plants will be different on the activity under consideration.
Judgement is then needed to be made to estimate whether results from analysis on
human error for both
specific task or activity could representthe overall standard of
installations. Findings from this exerciseswill be used to support the hypothesis that
has been set earlier i.e.;
0 Human error does contribute to the risk level of an MHI-
9 The MEI managedaccording to multinational style have smaller human error

in
probability one of the activity under investigation i. e. loading and unloading
operation comparedto the locally managedone.

3.6.11 Analysing the contribution of PSMS performance and
Human Error to off-site risk
In this step the contribution of humanerror and PSMS and the overall plant risk level
will be investigated. The contribution of two human factors areas in PSMS auditing
namely OP/HF and MAINT/HF will provide a good starting point to investigate a
possible correlation between PSMS and Human error. However the two factors only
representa portion of a complex interaction between the two. While human error has
significant contributions to PSMS it also has direct contribution to QRA on its own.
One possible approach is to further decompose the interplay of human error at
managerial,organisational and operational level as describedby the Kennedy Report

(1979) and quantifying human reliability as part of the system's overall reliability as
proposed by Cox (1991) and Embrey (1992). Specific attempts will be made to link
the contribution of human reliability with the site specific PSMS. Results of the
PRIMA audit and Human Error analysis as well as experiencedin conducting both
exercisesat the two sites will be in

scrutinised order to look for possible linkage.
3.6.12 Developing a procedure to link the analysis of PSMS and

Human Error
The final step is looking at the possibility of linking the assessmentof PSMS and
Human Error at a particular site. This representsan initial attempt to follow through
suggestionsmade by Reason (1989) for an integrated approach to analyse accidents

and human error, as the root causesdo not appear to belong exclusively to any one
domain i. e. hardware, software or liveware. Information and data gathered from the
field study will be used together with extensiveliterature reviewed to come up with
some form of procedure.

3.7 Conclusion
The research involved the application of knowledge from three distinct types of
subject i. e. Safety Management System, Human Error and Risk Assessment. It

attempts to explore at overlapping boundaries of contributions between system
hardware, human error and safety management on risk. The comparative study
conducted on two major hazard installations provides a means to investigate the

interplay between them in a real situation. The fact that the two sites under
investigation were in Malaysia provides additional dimension to the study. While
there have been many attempts to look at it from developed countries' perspectives
(mainly in the nuclear industry) this study is believed the first one to address the
situation prevailing in developing countries.

Chapter 4
Process Safety Management Audits on

Three Major Hazard Sites in Malaysia
4.1 Introduction
The majority of MH1 in Malaysia were built after the discovery of large quantities of
gas and petroleum in the eighties. They comprise mainly of gas processing plants,
petroleum refineries, petrochemical complexes and some related downstream
chemical plants. These MHI are operated by large companies, either belonging to
multinationals or large national corporations. Having significant experiencein dealing
with hazardous operations these companiesnormally have good PSMS installed on
site. They have proper safety organisations and adequate resources in place to
managethe risk associatedwith the sites'operations(Nanyan, 1987).
However there are also small numbers of MEI which are operated by small
companies, mainly locals. These sites operate simple processes such as chemical
blending operations, bulking and bottling operations of chemicals and petroleum
products. The sites PSMS is characterisedby lack of effective organisation and

inadequate resources to effectively managerisk that arised from the sites operation
(DOSH, 1994.)
4.2 The PRIMA Audit
PRIMA is an audit tool for the assessmentof PSMS performance(Hurst et al, 1996).
The technique was initially developedto incorporate site specific safety management
system quality into quantitative risk assessment.Since then it has undergone further
development including on the audit materials, primarily the question sets and anchor

points. Trail audits have been conducted in the UX and the audit version produced
following the audit and used in field trials at a number of European countries was
referred to as PRIMA (Hurst, 1996).
PRIMA was developedfrom a number of concepts,researchstudies and classification
schemes which include analysis of loss of containment accidents, a sociotechnical

model of accident causation, a control and monitoring loop model of safety
managementand audit themes. It consistsof eight key audit areasnamely;
e Hazard review of design(DES/HAZ)
* Human factor review of maintenance(MAfNT/HF)
o Checking/Supervisionof maintenancetasks (MAINT/CHEC)
* Routine inspection and maintenance(MAINT/ROUT)
* Human factors review of operations(OP/HF)
e Checking/supervisionof construction/installation(CON/CHEC)
9 Hazard review of operations(OP/HAZ)
* Checking/supervisionof operations(OP/CHEC)
The following tools have been developed for PRIMA which could be used to assist
the auditor in carrying out the audit,
eA model of an ideal PSMS defined by the control and monitoring loops
*A set of four key themeswithin eachaudit area
9A question set
o An audit manual
9A calculation method to generatethe modification factors
As the PRIMA technique was developed primarily based on the European
experiences,this study set out to see if it could work in developing countries like

Malaysia. The existenceof multinational and small local companiesoperating MHI in
such countries allows analysisto be carried out to compare and contrast the PSMS
management performance between the two. Strengths and weaknesses in the
application of the technique could also be identified from a developing country

perspective.
4.3 Conducting PRIMA audits in Malaysia
As the PRIMA audit technique is quite new to Malaysia a significant amount of
groundwork neededto be carried out to ensurea reasonabledegree of audit standard

achievedas what the technique is intended for (Basri, 1996). As an example training
sessionshad to be conducted to familiarise the Malaysian auditors with the theoretical
and practical aspects of its application. The following steps were taken as
groundwork to the audit;
4.3.1 Conducting training for the Malaysian audit team
The auditors were made up of three DOSH Inspectors with Major Hazards auditing
experiencebetween three to eight years. The training was conducted by the author
and lasted for about two weeks. It covered the theoretical aspectsof the technique
and practical aspectsof its application. The theoretical aspectsinclude explaining the
sociotechnical approach used to develop PRIMA and the statistical background that
provided the weightings for the Modification Factor used for the quantification of
PSMS performance. The practical aspectscovered previous experienceconducting
the audit by a number of researchersin the U. K. and Europe (Hurst et al, 1996).
Due to time constraint no specific pilot audit was conducted, however a considerable
time was allocated for practice on the first day of the actual audit at Site A.

4.3.2 Providing keywords to PRIMA audit questionnaires
The existing audit questionnaireswere found to be quite lengthy and were judged not
suitable to be asked in their entirety in a country where English is not the first
language. It was felt necessaryto simplify the questionnairesby providing keywords
for each question and posing them using simpler sentences.This arrangementhelped
both the auditors and the interviewee to focus quickly on the gist of the questions
using short sentences. For the category of personnel like fitters and operators a
translation to Malay, the local language was found to be necessary. A sample of
keyword for the audit questionnairesis shown in Appendix 1.
4.3.3 Preparing a structured answer sheets.
The requirementsto conduct the horizontal and vertical slices during the audit meant
that responsesfrom a number of personnel for similar questions need to be noted

down to assistin the forming of audit judgement. As the existing questionnaireslack
space for this purposes a structured answer sheet was developed to facilitate the
process. This arrangement facilitated quick cross references to be made between
responsesfrom various personnelon a particular question and assistedthe judgement
making process. It also allowed each member of the audit team to note down the
answersgiven by an interviewee systematicallyand facilitate the comparison of notes
between team memberswhen makingjudgement on a particular key issue. A sample
of the answer sheetsmade for audit questionnairesis shown in Appendix 2.
4.3.3 Selecting MHI for PRIMA audits
Three MIHI sites were selectedfor the audits. Two of the sites handle ammonia for
downstream distribution while the other uses ammonia as feedstock to make
compound fertilizers. The main risk from the three sites is from toxic releases of
ammonia gas. Such similarity provides common background as far as the type of risk
is concerned. This allowed the comparison of PSMS performance to be made on
more equal basis. A brief description of each site is given as follows:

i) Site A
Site A is an anhydrous ammonia bulk terminal which has an annual throughput of
about 12,000 metric tonnes per year with sales value close to 4 Million Pounds
Sterling. It basically runs ammonia bulking and bottling activities and has been in
operation since 1985. Ammonia is brought into the terminal via low pressure
refrigerated ships from producers and pumped into onshore pressurisedstorage tanks
through a dedicated pipeline running along the berthing jetty. The two 225 metric
tons (MT) capacity storagetanks near the jetty area serve as holding tanks where the
whole load of the ship could be discharged in one go. The ammonia is then
transferred on demand using road tankers to two 125 MT storage tanks at the
bottling plant located about three kilometers from the jetty. At this location the bulk
ammonia is filled into smaller skid tanks, cylinders and dedicated road tankers to be
sent then to customers throughout Malaysia and the neighbouring countfies like
Singapore, Indonesia and Sri Lanka. Customers consist mainly of rubber latex
processing factofies where ammonia is used as an anti coagulant agent, electficity

generating plants where it is used for anti-pollution treatment, and food
manufacturing plants where it usedto provide the protein chain for food additives.
The bottling and bulking process is fairly straight forward using simple technology
and a high degree of manual operations.The plant was designedand constructed with
minimum automation and process control. There are about twenty process workers
and five office staffs headedby a Plant Manager. The plant operates only during the
day, except for ammonia unloading from the ship which may be carried out at night
depending on the availability of time for berthing at the Tanjung Bruas Port jetty.
The managementstyle adopted by the sites could be describedas typical of a family
owned local companies. Organisationchart for Site A is shown on Figure 4.1.

1.0.
10
ol
.C
ii) Site B
Site B was commissionedin 1989 and was part of Site C until the last two years
where major businessrestructuring has turned this plant into a separateprofit centre.
The plant throughput currently standsat 34,000 MT of anhydrousammonia valued at
about 10 Million Pounds Sterling yearly. Unlike Site A, this plant is located within a
port areawhere bulk ammoniacould be pumped straight from reffigerated ship tanker
via dedicated pipeline straight to the plant's four pressurisedstorage tanks each with
125 MIT capacity. Sixty percent of the ammoniais sent via pressurisedrail tankers to
Site C located about 30 krn away where it is used as feedstock for compound
fertilisers. The rest of the ammonia is sold to customersin anhydrous form through
road tankers and cylinders. A small amount is turned into ammonia solution and sold
in drums or small containers. The customersare mainly rubber latex producers, food
manufacturing and metal treatment plant.
The bulking andbottling processat this plantis moreautomatedandwith a few more

safety features as compared to Site A, having benefited from the previous
multinationaldesignstandardfor suchinstallation. It employsabout 20 permanent
6 for
processworkerswith an additional contractworkersmainly ammoniacylinders
stackingand plant housekeeping.It operatesa3 shift operation mainly to cater for
ship unloadingand rail tanker loadingof ammoniawhile cylinders bottling and road
tankerloadingis only carried out on day shift. The managementinheritedthe style
from the multinational company especially for the PSMS. The management
organisationof SiteB is shownin Figure4.2.
iii) Site C
This company is formerly owned by a European multinational chemical company until
a local management buy out, where the majority of the equity is held by former
employees of the company in November 1994. The company started operation in
September 1966 as the first compound fertiliser plant in Malaysia that used the ICI
process technology at that time. Now the plant is fully managed by locals but still

m
00
IE
t
cts
tf)
C14
tI,
CA
m
C rA (L) 00
-
4C
Cd ed
(U cis
to Ic:
ed 0 4) (A U,
*4= I-
cd crj 0
cd
ce 2 Z) V
Cd
cd
Ln C
I
-1 CA
1-
m
cqs (A t2.
0
CA
6.
C02
U.
u 0
W cis
to
e:l o
to
.0
4-
CO r. co
rN
CO
co
r.
cqs
04E-u (U
0
.ý
-t rA
4-
Cd
r_
cis
Cd
()
>1
cd
un
.0
0
4ý
U, tz:
; L4 -C
follows very closely the safety management style inherited from the previous
multinational owner. The works currently consistsof the following plants on its site;
oA nitric acid plant with production capacity of 75000 MT per year

eA granulation plant with production capacity of 240000 MT per year
"A paraquat and gramoxonneplant with production capacity of 2400 MT and

10 million litres per year respectively
"A packing plant with large storagefacility
The operation of each plant is headedby a Plant Manager supported by the so called
engineering groups each headed by a senior engineer which basically provides

maintenanceservices for respectiveplants on site. The works is headed by a Works
Manager who reports to the Managing Director. Safety Department is not under the
Works Manager and is headed by a Safety Manager who reports direct to the
Managing Director. The works employs 316 permanentstaff and working 24 hours
per day, 7 days per week on 3 shifts.
Ammonia that is used as feedstock for the nitric acid plant is supplied by its sister
company Site B at Port Mang by pressurisedrail tanker each with 50 NIT capacity.
The liquid ammonia is then stored in a pressurised600 Nff sphere which is semi-
reffigerated. The nitric acid is then converted into ammonium nitrate which is then
to
mixed with other compounds make the fertilisers. The fertiliser plant uses almost
20 years old ICI technology but the level of automation and process control is
considered adequate with minimum upgrading. The current management style

PSMS largely follows the system that has been set by the former
especially the still
multinational owner. The managementorganisationof Site C is shown in Figure 4.3.
4.3.4 Pre-Audit Plant Familiarisation
The three NflU sites selectedare registeredwork placesunder the OSHA, and DOSH
have kept records of each site which includes hazardous inventory, process layout,
critical vessels and piping diagram, accident records, up to date safety and health
inspection records, managementorganisation charts and emergency response plan.

Such information provided valuable background knowledge for the pre-audit plant
familiarisation.This did shortenthe time requiredfor the actualsite familiarisation.So
more time could be spent on the interview, task observation and assessingprocedures
and safe systemof work.
4.4 Conducting PRIMA Audits
After the backgroundworks hadbeencompletedthe actualauditwasthen conducted.

A consistentapproachwas taken to ensureeach site being audited in the same
manner.For eachsitethe following auditstepsweretaken;
4.4.1 Management Briefing
This briefing was to explain to the managementthe purposes and objective of the
audit. It would be an academicexercisein nature and any shortcoming and possible

violation occupational safety and health law discovered would not result in legal
action. This was essentialas the audit team consisted of enforcement officers from
DOSH. The site managementwas askedto give a short briefing on the current PSMS
organisation and issues,and activities carried out at the site. This was to ensure that
the audit would take into considerationthe latest site situation. The managementand
worker representativeswere told in advance on the scope of the audit, level of
personnellikely to be interviewed and documentsto be verified.
In essencethe briefing was trying to convince the managementand workers that the
audit was intended for researchpurposesaiming to evaluate the effectivenessof the
site PSMS. This briefing also provided essentialsafety and security arrangements that
to
needed be adheredto by the auditteam.
4.4.2 Plant Familiarisation
the actualsitevisit to familiarisethe auditteamwith the plant

This steprepresents
safesystemof
processlayout,activitiescarriedout on site,meansof communication,
work installed,the usageof work procedures andpermitto work, andwearingof
personalprotectiveequipmentwhen carrying out hazardous
tasks. It is one of the
most important stepsin the audit as it givesa snapshotof the site activities and the
current situationof the PSMSinstalledon-site.Sufficienttime neededto be allocated
for this purposes especially for a large site. The pre-audit plant familiarisation was
found to be a big help.
4.4.3 Conducting Interview
The interview was conducted using the PRRAA questionnaires set which has been
improved to facilitate the process in view of the local situation as mentioned in
section 4.3.2 previously. The PRUSAAaudit manual was constantly referred to

throughout the exercises to ensure consistency with the technique approach and
requirements.
As it would not be practical to interview all workers, only a number of them were
selectedfor interview. The selectionis madebasedon the site work organisation and
was made as such to representthe so called 'horizontal slice' and 'vertical slice' of the
organisation as suggested by PRIMA audit manual. The horizontal slice involved
carrying out formal interviews with managerswho have influence and duties in the
areas of forming and implementing policy in relation to the activities under scrutiny
for example establishing organisational arrangements and managing the relevant
systems and procedures. For the vertical slice individuals in the chain of command
who are responsible to deliver engineeringreliability and operator competence that

included shift managers,supervisors,operatorsand technicianswere interviewed.
For the vertical slice the same sets of questions were asked to the shift manager,
supervisors,operatorsandgeneralworkerswho belongsto the same department e.g.

department.The purposeis to get a crosssectionview
the operationor maintenance
right from the shift managerto shop floor workerson a particularissue. Conflicting
answers between this group of intervieweesindicatedproblems with the site PSMS
which neededto be in
analysed detail. As the
an example shift manager feels very
but
strongly the need to adherestrictly to operatingprocedures, the shop floor
operators think otherwiseas the proceduresare poorly written to assistthem in
carrying out the operations. This vertical slice approach was able to highlight
conflictswithin a in
department trying to to
adhere the PSMSinstalledon site.

As for the horizontal slice a number of similar questionswere asked to the group of
personnel who are responsible in the areas of forming and implementing policy in
different departments. For example questions on the implementation of permit to
work system were asked to the operation managerand to the maintenancemanager.

As both of them were implementing the same permit to work system e.g. for the
to
maintenancecrew check certain operational equipment, the answersobtained from
the two managerswere able to highlight whether there existed conflicts in the use of
work permit system between the two departments.This horizontal slice approach is
able to highlight the inter departmental in

problems and conflicts trying to adhere to
the PSMS installed on site.
The selection of personnel to be interviewed was also made in such a way it
represented the best representation of each site's PSMS. At the top of the site
management hierarchy the Managing Director or the Works Manager was
interviewed. The vertical slice is made up of personnel from the Operation
Department becauseit has the largest hierarchy on site and they performed critical
tasks that were judged would give significant impact on off-site risk. For the
horizontal slice purpose personnel from other department such as the Maintenance,
the Technical Services and Safety personnel were interviewed depending on the
arrangementof the PSMS organisationavailableon site.
Personnelinterviewedfor the vertical and horizontalslice for eachsite is shown in

the respectiveorganisationchart in Figure4.1, Figure4.2 and Figure 4.3. To ensure
frank answersmade availableespeciallyfrom the lower rank personnelall the
interviews were conducted in a closed room without interference from the
management. Where permissionwas granted,both from the management and the

individual, the interviewswere recordedusing audio tape to assistthe audit team.
The interview processwas found to take the largest portion of the audit time.
Howeverit was essentialasit providesthe insightof the sitePSMSperformancefrom
the policy makerdown to the shopfloor operator. It also identifiedareasof conflict
that impacton the sitePSMS.
betweenworkersandmanagement

4.4.3 Document verifications
The types of document verified were those relate to the successfulimplementation of
the site's PSMS. This includes safety policy and organisation, operating procedures,
maintenanceproceduresand records, permit to work system, accident and near miss

records and result of previous internal or external safety audits done at the site. The
verification exercisesserved two purposes. First to confirm that written documents
referred to during the interview exist and those who require them can have easy
access. Secondly to assessthe 'quality' of the document itself in term of depth of
coverage, usefulnessof content and the easeof use to the intended target group for
example the shop floor operator. Given the nature of the audit it would not be
possible to verify all documents so priority was given to those associatedwith high
risk activities and those found to be a source of conflict or concern by workers and
managementduring the interviews.
4.4.4 Site inspection
Site inspection carried out differed from site familiarisation in terms of details. For
the site inspection the conditions of plant housekeeping,critical vesselsand pipework,
safety systems installed and personal protective equipment provided on site were
inspected in detail. Observation of critical tasks carried out on site also included
checking whether it followed the correct procedures, to identify possible violations

and to estimate the duration taken to complete critical tasks such as loading of
ammonia to road tanker. The time required to complete a critical task gave some
indication of time pressureto carry out the task given the production target set by the
management. Another important area was inspecting the availability of work
procedures on site, the implementation of permit to work system, the
operator/hardwareinterfaces, and the effectivenessof communication within

departmentand betweendepartments. We found this step of the audit is very
importantin order to makesoundjudgementof a site PSMSperformancebecauseit
revealedwhat actuallyhappened
on the A
ground. certaindegreeof biaswas detected
for exampledue to operatorconsciousness when work under observation. Audit

teammemberknowledgeandexperiencein chemicalprocessplant inspectionplaysa
very important role at this stage.
4.4.5 Formed Judgement
Culminating the PRIMA audit exercise was making judgement on the site PSMS
performance. Judgementswere made basedon the information gathered from all the
steps described above. The judgement formed for each key audit area is translated
into PRIMA managementcontrol loops. For this purpose the audit team had to sit
down together shifting through answers from questionnaires, refer to related
documents, recall site observations and inspections' findings. At all times the
process had to refer to the various anchor points that made up the PRIMA audit
control loop as shown in Figure 4.4. Our experience shown that this is the most
difficult part of the audit and adequatetime needsto be set aside. Sometimesfurther
verifications were required from workers and management on areas of conflict.

Additional verifications were sometimes needed of important document such as
operating procedures and accident records. At times additional inspections on plant

condition and extra tasks observation needed to be carried out to bridge missing
information neededto make soundjudgements. However by closely referred to the
audit manual, the ideal model of a PSMS control loop and the definition of anchor
points provided as shown in Figure 4.5, a reasonablejudgement was reachedbetween
the audit team members. Managementcontrol loops for each key audit areas were
drawn up at the end of this judgement making exercise.
4.4.6 Post-audit managementbriefing
This post audit briefing is aimed to let the managementand worker representatives
know the results of the PRIMA audit. The briefing was broad in nature and mainly
outlined the key strengths and weaknessesof the PSMS. The managementcontrol
loops of the eight audit key areas were shown and explained to them. Some
suggestionsfor improvement were given. Great care had to be taken in making the
presentation as not to create issues that could be exploited by other parties to
jeopardise the site's industrial relations.

Figure 4.4 - PRIMA Audit Anchoring Control Loop
Lavrl 2
3 -* 2
c=pew, m of
pýMXUA
2-0-3
I Auo=ant o
ol!l'CT'ie*3cm-=frc6'
(training, offodivwe"
imoemontcdion
pracedums, Le-,
-J 3
A 3
SettingofýVcs LayelA Rayisionof
standards,g4
)d V es -t: -:-.
'.
polides,an 8 pnonfies,oqlcn,
SITE
--- ---------------- SYSTEM
5 CUMATE
Regulafions,
,r2uiclance,
ustry norin
u
acmomics an
resource fodors
A PhD Thesis by J-Basri 90

Figure 4.5 Definition of Anchor Points for Control Loop
1. GOOD
9 PSMS fully representedby Control and Monitoring Loop diagram
* Little evidenceof weaknesses

within anyof the key elements
* The systemcomponents(boxes) and links (arrows) are in place
9 The componentsandlinks areactivelyused
* There is complete integrity within the loop
9 There is a continuous processfor improvement
2. AVERAGE
by the diagram
9 On the wholethe PSMSis represented
9 Someevidenceof weaknesses
within the systemcomponents
or links
0 The componentsarein placeandarenormallyused
0 Incomplete integrity of the loop (systemnot used or used incorrectly)
41 Processof continuous improvementcontainsweaknesses
3. POOR
ThePSMSrarelymatchedthe ControlLoop diagram
9 Evidenceof majorweaknesses of systemcomponents

andabsences
40 Not all systemcomponentsand links are in place
9 Ad hoc systemmaybe used
0 Thereis no integrityof the loop
41 Processof continuous improvementabsentor have major weakness

4.4.7 Audits Duration
The time neededto conduct the PRIMA audit for each site varies primarily due to the
size of site under review. However from our experiencethe learning curve from the
first site audit will cut short the time required to do the next audit. This was especially
true when the audit team is relatively new to the technique. A summary of the
duration taken to carry out various stagesof the audit activities for each site are given
in Table 4.1.
4.5 PRENIA Audit Results
Discussion on PREVIA audits results for the 3 sites are made based on the PSMS
control loops constructed from the audit team judgement for the eight key audit
areas. In making the judgement, findings from the audit team members were
discussedand summarised for eachkey audit area, as samplesshown in Appendix 2.
Detailed discussionof the results are given as follows;
4.5.1 PSMS Control Loops for the 3 Sites
The PRIMA management control loops of all key audit areasfor the three sitesare
shown in Figure4.6 to Figure4.8. The constructionof the control loops for the three
siteswere made based on PRIMA PSMS Anchoring Control Loop shown in Figure
4.4 and the definition of anchorpoints for control loop as shown in Figure 4.5.
These diagrammaticalpresentationsare madeof boxes and arrows that show the
linkages. The existenceof boxes meansthat there is evidencethat the PSMS
componentsunderreview (suchasthe monitoringand assessment of control system)

are in place. The arrow line indicatesthe link betweentwo PSMS componentsand
the frequencyof usageof the two. A thick arrow line indicatesthat there is evidence
of strong linkages between the two PSMS componentsunder review, e. i. it is
regularlybeing used.A thin arrow line indicatesa weak link, i. e. that they are only
occasionally being used. The advantage of representing the state of PSMS
componentsin diagrammaticalform is that it capturesthe performanceof the site

PSMSin a simpleformatthat is easyto understand.
Table4.1. PSMSAudit activitiesand duration
Activities Site A Site B Site C

(no. of days) no. of days) (no. of days)
1. Management briefing and plant I
familiarisation
2. Conducting audit interview on 7 6 8

PSMS for vertical and horizontal
(9 personnel (9 personnel (13 personnel
slices based on PRIMA interviewed) interviewed interviewed)
questionnaires
3. Verification of document I I I
related to PSMS
4. Physical inspection on safety, 1 1 2
operation and maintenance
system installed on site.
5. Discussing on preliminary 2 2 2
findings of the audit interview
with other team members with the
aid of answer sheets and tape
recorders
6. Forming initial judgement on 1 1 2
PSMS control loop based on
results of the interviews,
document verifications and plant
inspections
7. Presentation of the preliminary I I I

audit finding to the plant
management
TOTAL DAYS SPENT 15 days 14 days 17 days
A quick glanceat the control loop diagramwill tell the strengthsandweaknesses

of a
site's PSMS that could assistin decisionmaking. A site management could use the
control loops to assessthe stateof the site's PSMS,identify problemareasand then
implement a strategy to improve them using available resources. For a regulatory
of a site PSMS componentas identifiedfrom the

agencylike DOSH the weaknesses
control loop will be the areathat needscloserattentionandthe site management
will
be askedto give top priority to improvethemwithin a specifiedperiod.

Figure 4.6 PRIMA Control Loops for Site A
lit-INiAN FACTORS OF I
HAZARD REVIEW OF MAINTENANCE - I'm
DESIGN - Poor
I:
ROUTINE INSPECTION AND

CHECKING AND SUPERVISION I MAINTENANCE -Average
OF MAINTENANCE -Average
HUMAN FACTORS OF I CHECKING AND SUPERVISION

OPERATIONS - P"r OF CONSTRI ICTION - Poor
[1II
II
II
[HAZARD REVIEW OF
CHECKING AND SUPERVISION
OF OPERATIONS -A verage I OPERATIONS - Poor
KEY t
Lim
Weak link-present

Figure 4.7 PRIMA Control Loops for Site B
HAZARD REVIEWOF
HUMAN FACTORS OF
DESIGN - Average
I%IAINI'I-'N..
XNCF -. -Iverage
II
1.1
I.
CHECKING AND SUPERVISION I ROUTINE INSPECTION AND
OF MAINTENANCE - Avffage MAINTENANCE -. 4verage
HUMAN FACTORS OF CHECKING AND SUPERVISION

OPERATIONS -Average OF CONSTRUCTION - Poor
ýHAZARD ---7--l
REVIEW OF
CHECKING AND SUPERVISION
OF OPERATIONS - AveraRe OPERATIONS - Average
0
1.
KEY t
Link, prewnt
Weak link prewnt

Figure 4.8 PRIMA Control Loops for Site C
I
HAZARD REVIEW OF IIUMAN FACTORS OF
DESIGN - Good MAINTENANCE -. 4vffage
CHECKING AND SUPERVISION ROUTINE INSPECTION AND

OF MAINTENANCE -Average MAINTENANCE - Good
HUMAN FACTORS-07ý CHECKING AND SUPERVISION

OPERATIONS -Average I OF CONSTRUCTION -Average
CHECKING AND SUPERVISION I IIAZARD REVIEW OF

OF OPERATIONS -Average OPERATIONS -Average
KEY t
Link present
Weak link prm-nt

4.5.2 Summary of PSMS Audit Results for the 3 Sites
The summary of PRIMA audit results on eight key audit areas for all the sites is
shown in Table 4.2. The rating Poor, Average and Good in PRIMA audit rating were
assessedfrom the definition of anchor points for control loops as shown in Figure
4.2. PRRAA audit derived these ratings were from statistical analysis of loss of
containment incidents (Hurst, 1994). The rating Poor in a simple term meansthat
they are below the industrial average,Average meansabout equal to the industrial
average while Good means they are better than the industrial average. Closer
examinations show that Site A fared the worst among the three sites, i. e. with
highest number of key audit areasrated Poor.
Table 4.2 Results of Key Audit Areas Judgementfor the 3 Sites
Key Audit Areas Judgement
SiteA SiteB Site C
HazardReviewof Design Poor Average Good

(DES/HAZ)
HumanFactorsof Maintenance Poor Average Average

(MAINT/BEF)
Checkingand Supervisionof Maintenance Average Average Average

(MAINT/CBEC)
RoutineInspectionandmaintenance Average Average Good

(MAINT/ROUT)
HumanFactorsof Operations Poor Average Average

(OP/HF)
HazardReviewof Design Poor Poor Average

(OP/HAZ)
CheckingandSupervisionof Operations Average Average Average

(OP/CBEC)
I
CheckingandSupervisionof Poor Poor Average
Construction(CON/CBEC)

Site B hasmore key audit areacomponentswhich werejudged to be average. Only
two key audit areaswere judged to be poor. Site C wasjudged to have the best
PSMS performanceamongthe threesites. Two of its key audit areaswerejudged to
be good while the restwerejudgedto be average.
Discussionson results of PRRvIA audit for each site is presentedbelow. The

discussionsare centred around the strengths and weaknessesof the PSMS
components.
i) Site A
Site A was found to havethe weakestPSMS. The site overallPSMSwasjudged to

be Poor. For key audit areasnamelyOP/BF,OP/HAZ, CONCHEC, DES/HAZ and
MAINT/BF were rated poor. Theseaudit areasare concernedwith hazardreviews,
checkingand supervisionand the control of humanfactor in design,construction,
operationand maintenance. Typical of a smalltime operatorin Malaysiathey have
little knowledgeand experiencein all thoseareas.The designand constructionof the
plant for examplewill be left entirelyto foreigncompanieswith very little input from
the operator especiallyfor hazard review of design and safety checking and
supervisionduring construction. The control of human factors using specific
approachis unheardof. Minimum effort is given to proper documentationsuchas
written procedures,permit to work systemand emergencyresponseplan. The site
strengthlies in the lessformal structureof the management
organisationthat allows
effective communicationbetweenthe managersand workers. It also allows the
implementationof 'multi-skilling' wheresupervisorsandworkers'duty are rotatedi.e.
from maintenance
to productionvice-versaover a threemonthsperiod.
ii) Site B
Even though Site A and Site B carry out a similar processi.e. handlingof bulk
quantitiesof ammoniatheir PSMS is

performances quite different. Only two key
audit areasat SiteB i.e. CON/CBECandOP/HAZ werejudged to be Poor while the

rest are consideredto be of Average. Evidencefrom the audit finding indicatedthat

the main reasonthe two audit areasare poor is the businessrestructuringexercise
which turned Site B (originally part of Site A) into an independent
business
entity.
This resultedin lossof experiencedpersonnelwhich usedto be sourcedfrom Site A
suchas safety inspector,
HAZOP reviewerand instrumentation However
technicians.
as far as safety systemand safety are
organisation concernedSite B has
undoubtedly
benefitedfrom the goodPSMSlaid downby the previousmultinationalowner. The
Site overallPSMSwerejudgedto be Average.
iii) Site C
The best amongthe three sites,noneof Site C key audit areaswere rated poor. In
fact two areasi.e. DES/HAZ and MAINT/ROUT were rated good while the rest
ratedas average.This sitewas built andrun by a well-knownEuropeanmultinational
for
chemicalcompany nearly twenty-five years. Even thoughit hasbeenbought by a
local companyrecentlythe new owner has retainedthe PSMS laid down by the
previousowner. The site retainedmost of the experiencedtechnicalstaff and shop

floor operators. Safety related documentssuch as operating and maintenance
procedures,permit to worký emergencyplanning, process and instrumentation
diagramsare availableandupdatedquite regularly. Howeverthere are a numberof
potential problemsthat could degradethe PSMS in the near future that includes
downsizingof the workforce that will reducethe numberof experiencedoperators
andmaintenance personnelin the nearfuture.
4.5.3 Comparison of PSMS audit results between Sites
By examiningthe PRD4A audit resultsof the three sites the following comparisons
could be made;
* SiteA wasfoundto havethe weakestPSMS,while site C was the bestamong

the threesites.
Eventhoughthey belong to the sameownerthe PSMSat SiteB is weakerto

Site C. On closerexaminationof the audit resultsit was found SiteB usedto
rely on maintenancespecialist support from Site C. However, recent

managementrestructuring turned the site into an independent businessentity
which deprivedSite C from havingcompetentpersonnelto provide specialist
maintenancesupportfor them.
e Site B and Site C hadbenefitedfrom good PSMS laid down by the previous
multinationalowner.
o Lack of written PSMS document is the most glaring difference between Site
A and Site C. The strong emphasison written documentationby PREAA audit
makethe differencemoreobvious
* Apparentweaknessin managinghumanerror at all sites. While therehasbeen

someform of control method(e.g. ergonomicconsiderationfor control panel
layoutto managehumanfactors)they weread-hocandnot systematic
9 Weaknesses
in communicationand feedback(level 3) were apparentat all
sites,reinforcingthe needfor better communicationwithin the organisation.
This area was found to be a low priority in each site PSMS as it needs
adequateresourcesto implementwith low immediatereturnsas comparedto
productionimprovements.
4.6 PRIMA Modification Factors.
Ratings made on judgement of various key audit areas at each site provides a
quantitativeoutput calledPRIMA ModificationFactor. The factor can be used to
calculatea failure rate which explicitly includesthe assessed PSMS performance. A
summaryof ratings judged for various key audit areasfor the three sitesis shownin
Table4.2.
These qualitative ratings made during PRIMA audit are converted into a quantitative
scaleusing findings from statistical analysisof a failure rate data databasethat covers
some vessels and pipes (Hurst et al, 1994). The failure rate data is found to be
lognormally distributed and to vary by about ± an order of magnitude. An analysis
of loss of containment data reported through the HSE Reporting of Incidents,

Diseases and Dangerous Occurrence Regulations (RIDDOR) (HSE, 1985) also

indicatedthat a varianceof one order of magnitudebetweenthe best and worst
performing sites. This finding is supportedby other researcherssuch as Taylor

(Taylor, 1994)who found that incidentratesof similar equipmentcould vary by a
factor of 100. Basedon thesefindingsPRIMA scalingfactor, x(i), useda value of
±I order of magnitudefrom median(2 ordersof magnitudeoverall). This meansthat
the use of genericfailure rates(in lognormalscale)referredto an Averagesite as
ratedusing PRIMA will have a zero rating in relationto a Poor site which has higher
failure rate than average,and a Good site that will have lower failure rate than
average.The formulausedto calculatethe factor is givenasfollows;
Logfail sms= LogfailG + a(i)x(i) .......... equation (1)
where;
Logfailsmsis the(-Iogio)failurerateadjustedby the ModificationFactor
LogfailGiS the(-loglo)unmodifiedgenericfailurerate
a(i) is the weightingfor eachauditarea
x(i) is the scaling factor; where Good = 1, Average = 0, and Poor = -1
Z a(i).x(i) is the (-Loglo) of the ModificationFactor
is
A samplecalculation shown in Table 4.3. The to
calculation referred rating for key
audit areas for Site A as given in Table 4.2 and their associatedweighted based on
pipework failure in Table 4.4.

Table 4.3 Sample Calculation for Site A
Key Audit Areas PRIMA Pipework Scaling

Rating Weighting Factor a(i)x(i)
a(i) X(i)
Hazard Review of Design
(DESMAZ) Poor 0.25 -1 -0.25
Human Factor of Maintenance
(MAINT/HF) Poor 0.15 -1 -0.15
Checking and Supervisionof
Maintenance (MAINT/CHEC) Average 0.13 0 0
Routine Inspection and
Maintenance (MAINTYROUT) Average 0.10 0 0
Human Factors of Operations
(OP/HF) Poor 0.11 -1 -0.11
Hazard Review of Design
(OP/HAZ) Poor 0 -1 0
Operations(OP/CHEC) Average 0.02 0 0
Construction (CON/CHEC) Poor 0.08 -1 -0.08
Modification Factor (MF) Za(i)x(i) -0.59

-Loglo
Table 4.4 - Data basefor weights (Bellamy, et al, 1989 )
Audit Areas Databasefor weights(%), a(i)
Pipework Vessels Hoses

HazardReviewof Design
(DES/HAZ) 25 29 19
HumanFactor of Maintenance
(MAINT/BF) 15 6 0-
CheckingandSupervisionof
Maintenance(MAINT/CHEC) 13 4 2
RoutineInspectionandMaintenance
(MAINT/ROUT) 10 11 is
HumanFactorsof Operations
(OP/HF) 11 24 35
HazardReviewof Operations
(OP/HAZ) 0 5
Checkingandsupervisionof .9
construction(CON/CHEC) 8 2 6
CheckingandSupervisionof
Operations(OP/CHECK) 2 2 10
Assumea genericpipeworkguillotinefailurerate(Logfail of IxIO'7 /m /year,
sms)
Substituting values of a(i) and x(i) from Table 4.3 into equation (1);
i-8
Logfail sms= LogfailG+ a(i)x(i) equation(1)
.........
7+[0.25 x (-I) ]+[0.15 x (-I) ]+[0.13 x (0) ]+ [0.1 x (0)]

+ [O.Ilx (-I)] + [(0 x (-I)] + [0.02 x (0)] + [0.008 x (-I)]
6.41
Modified failure rate= anti Loglo (-6.4 1)
4xlO'7 /m /yea
Altematively;
From Table 4.3 we get,
- LogloModificationFactor(NIF) = Ea(i)x(i) =-0.59

- Loglo W=-0.59
W= anti Log, 00.59
W=
Assume a generic pipework guillotine failure rate (Logfail sms)of IxlO*7 /m /year
Then the corrected failure rate (LogfailG) becomes;
Modified failurerate= genericfailureratexW
= IxIO'7x4
0-7 /m /year
= 4xl
Similar calculationswere carried out using weightingsfrom pipework, vesselsand

hosesdata bases. Multiplying genericfailure rate for specific component(e.g. a
transferhose)with the appropriateW (in this caseW basedon weightingsfrom
hose data base)yieldedthe modifiedfailure rate for the component. The modified
failureratethenis usedasinput for failurefrequencyin the QRA.

Results of PRIMA Modification Factors (MF) calculationsfor Site A, Site B and Site
C are shown in Table 4.5. The calculations were made using three different sources
of loss of containment data base as shown in Table 4.4. They show a difference of
about a factor of ten between the worst site, i.e. Site A and the best site, i.e. Site C.
This emphasisesthe need to consider site specific PSMS performance when carrying
out the QRA for a majorhazardsite.
Table 4.5 Resultsof PRIMA Modification Factor Calculations
Data basefor
weighting Site A Site B Site C
Pipework 4.0 1.2 0.45
Vessels 4.6 1.2 0.44
Hoses/Arms 4.9 1.4 0.46
4.7 Strengths and Shortcomings of PRIMA
Throughout the whole audit exercisewe have identified a number of strengths and
weaknessesof the technique. They will be discussedas follows;
4.7.1 Strengths
The technique was developed basedon sound theoretical and statistical basis.
4o
However the loss of containmentdata baseneedsupdating.
The audit questionnairesset is comprehensiveand covers the necessaryareas

for PSMS audit. In fact some of the information made available from the
questionnaires could be used for other purposes for example to carry out
human error analysis.
* The use of managementcontrol loop provides an effective way to represent

PSMS situation for eachsite.

* The technique provides a quantitative output in the fonn of PRIMA
Modification Factor that can be used to modify generic failure rate for QRA.
4.7.2 Shortcomings
9 Needsa thoroughsite inspectionanddocumentverificationsin order to make

soundjudgement on the PSMS performance.
e Too much emphasison written documentswhich may not be appropriate to

the smaller site with a simple process.
e The questionnaires
do not addressexplicitlythe aspectof on-siteand off-site
emergencyresponseplanswhich are crucial for major hazard sites PSMS.
e The need to rephrasethe questionnairesin simple English or to translate it to
the local languageso they couldbe easilyunderstoodby lower rank personnel

suchasshopfloor operatorsandfitters.
* The time required to complete the whole audit exerciseis quite long i. e. from
14 days for a smallestsite (Site A) to 17 days for the largest site (Site
4.8 Recommendation to improve PRIMA
Based on the experiencein conducting PRRVIAaudit at the three sites the following
recommendationsare suggested to improve the technique. For easy discussion they
are dividedinto headingsasfollows;
4.8.1 The Methodology
e There is to
a need updatethe database
usedto detenninethe weightsusedto
calculate the PRIMA Modification Factors. ideally it should base on quite a
largedatabaseof lossof containmentfrom developingcountriesto reflect the
design,construction,operationandmaintenance
standardsof suchcountries.

* PSMS at Major Hazard site should include an effective on-site and off-site
emergency response plan. PRIMA audit questionnaires currently do not

addressthis factor explicitly.
4.8.2 The Audit Tools
9 There are a number of overlapping questions in the questionnairesset, which
needto be streamlined.
om As mentionedpreviouslythe questionnaires could be simplifiedby defining

key words and build the questionaroundit using simplesentences.This will
be of a big help in countrieswhereEnglishis not the first language.At the
extremetranslationto local languagemight be necessaryespeciallyfor lower
rank personnelsuchasthe shopfloor operatorsandfitters.
9 There is a needto developcomputerisedversionsof the questionnaires

with
facilities to store answersfor the questionnairesas well as findings from site
inspectionand documentverifications.This will speedup the processof
makingjudgementfor the management control loops.
4.8.3 The Usage of PRIMA Audit
A thorough site inspectionand documentreview are essentialin order to be

to
able makesound judgement on management control loop. Hence adequate
time mustbe setasidefor this purposeespeciallyfor largersites.
The techniqueplacesa very strongemphasis on written While

documentation.
this is essentialfor a large site with complexprocessesit is probably not
totally applicablefor a small site with simpleprocess.Adequacyon written
documentationshouldreflectthe specificneedof a particularsite.
A PhD Thesisby J.Basrl 106

4.9 Conclusion
The PRIMA auditsconductedon threemajor hazardsitesin Malaysiais believedto

be the first attemptto apply the techniqueoutsideEuropewhere it was originated.
The techniquewasfoundto be suitablefor use,albeitwith someminor modifications.
This could pavethe way for further use in other developingcountrieswherePSMS
audit could becomea usefultool to assistin the control risk from major hazardsites.
The PRIMA Modification Factor madeavailablefrom this techniquecan be usedto
modify the genericfailure rate usedfor QRA. It will allow the performanceof site
specificPSMS to be in
considered an explicitmanner. Such factor is very pertinentin
developingcountrieswherethereexist significantdifferencesin PSMS performance,
for examplebetweenmultinationalsand small local operators.The modified QRA
result that takes into account a site specificPSMS quality will greatly assistthe
decisionmakingprocess,for examplefor land-useplanningto ensurethe safety of
workers andthe public at largefrom risk of majorhazardsites. Underestimatingthe

risk will put humanlives and limb at risk while an overestimatewill depriveinvestors
of suitablelocation to built their plant, resultingthe loss of much needed investment

job
and muchneeded opportunity a for developing country like Malaysia.

lelly-
t.,napter
Conducting Human Error Analysis On

Road Tanker Loading Operations
5.1 Introduction
Controllingthe risk from major hazardsitesrequiresthe assessment
of potentialrisk
from the sites using a suitableapproachsuch the QuantitativeRisk Assessment
will identify, evaluateandquantifyrisks associatedwith
(QRA). Suchan assessment
the siteoperationfrom possiblefailuresof the planthardwaresuchas processvessels
and piping. Of late the assessmenthas been extended to 'software' failures that
includehuman,management failures
and organisational. (Tweeddle, 1992). This is
dueto the fact that humanerror contributesto the high percentagecausesof failures
process
at chemical plants (HSE, 1989). The analysisof humanerror will provide a
betterdescriptionof the humancontributionto risk andidentifywaysto reducethem
(Gertman,1994).
5.2 Human Error Analysis

The questto studyhumanperformancehasleadto the analysisof humanerror. The
foundations of human error analysis were basic research conducted in the
psychology
experimental andthe behavioural
sciences.It providesthe taxonomiesof
behaviour,task analysistechniques,psychometrictechniques,and the quantification
of human error (Gertman, 1994). Many of the techniqueshave gathereddata and
provided mechanisms for estimatingfailure from
probabilities thesebasic disciplines.
In the last decadethe numberof quantificationtechniqueshas grown considerably,

but none has universal acceptance(ACRE, 1988). It is left to the analyst's discretion
to decidewhichtechniqueto be used,eventhougha numberof reviewsandvalidation

exercises(Humphrey, 1988 and Kirwan, 1988) could provide some guidelines.
5.2.1 Description of ammonia bulk terminals
Theselection
of ammonia bulkterminals
for the studywasmadebasedon two main
reasons.Firstly, the risk from majortoxic is
gas releasesuchas ammonia time
dependentandcouldreachwiderpopulationthatmakesit a criticalinputin landused
Secondly
planning. ammoniais usedverywidelyin therubberandfertiliserindustries
in Malaysia.Also ammonia
bulkingactivitiesin Malaysiais currentlybeingcarried
out by bothbig multinational local
andsmall operators the
usingabout samelevelof
hardwaretechnology.The last reasonprovidesa uniquescenarioto exploreand
the
compare influences
of management on humanerror.
andorganisational
Full descriptionof the two sitesselectedfor the humanerror analysiswas given in

Chapter 4. Specific description of each site which focus on human factors is given
below;
i) Site A
in brief SiteA is an ammoniabulk terminalwhich hasan annualthroughputof about

12000metric tonnes(MT) per year. It basicallyruns ammoniabulking and bottling
activitiesandhasbeenin operationsince1985. At this locationthe liquid is

ammonia
filled into road tanker, skid tanks and cylindersfor downstreamdistribution. The
bulkingandbottling processis fairly straightforwardusinglow technologyandwith a
high degreeof manualoperations.
The plant was built loosely based on Japanesetechnology but most of the critical
vessels e.g. storage tanks and piping system were fabricated locally. It is totally
owned by a local company with a managementand organisational style typical of a

Malaysian medium size industry. The Managing Director is the main shareholder of
the company and responsiblefor the overall control of the company. As he also runs
a number of other companiesthe day to day running of the plant is carried out by the
Plant Manager. During the audit period the Plant Manager had just resigned so his
byJ.Basri
A PhDThesis 109
responsibility was taken by the existing plant engineerwho will eventually take over
the vacantpost.
There are three main work sectionsat the sites,divided by the types of work that
eachcarriesout. The operationsectioncarriesout the ammonialoadingfrom andto
the road tanker, filling of ammoniacylindersand skid tanks and filling the liquid
ammonia solution (aqueous ammonia) into plastic containers and drums. The
maintenancesection carries out inspectionson the integrity of oncoming empty
cylinders,drums, skid tanks and their fittings
associated to ensurethat they are in
good condition for filling. They are also carry out scheduled and breakdown
maintenanceof the plant equipmentand conductpressuretesting on cylindersand

ammoniatransferhose at specificintervals.The Task Group is involved with ship
tanker loading of ammoniato the holding tanks at the jetty and transportingthe
ammonia to Site A by road tankers. Currentlythe two sectionsi. e. operationand
maintenancework only on day shift, while the Task Group has to work in shifts
during the unloadingof ammoniafrom ship. Workersin eachsectionwill be rotated
to other sectioneverythreemonthsor so. Accordingto management such a system
promotes 'multi-skilling' amongthe workers, reducesboredom and automatically
rotates the workers to work night shifts for ship tanker unloadingwhen they are
assignedto the SpecialTasksection.
The workforce of this plant mainlyconsistsof ablemenin their late twenties. They
were recruitedfresh from schoolmostwith SPM qualification(an equivalentto the

U.K. '0' Level qualification). They were given on the job training that involved the
to
attachment seniorworkers or supervisor, learningthe trade through observation
andgradual hands-oninvolvement with a particulartask. The attachmentis made to
all main work departmentsof the i.

site e. operation, maintenance and specialtasks.
No fixed time periodis setfor a traineeattachmentto a particularsection. It depends
on the ability of each trainee in learningthe trade of a section. The is

emphasis to
carry out a particulartask efficientlyand safely. The trainee is

progress assessed by
the sectionsupervisorandthe plantmanagerthroughobservationand interview. No

written evaluationsarecarriedout.

ii) Site B
Site B is another bulking terminal with an annual throughput of about 34,000 MT.
The plant was commissionedin 1989 and served mainly as an import terminal for a
large compound fertiliser plant located about 30 km inland. Liquid ammonia is
discharged through dedicated pipeline straight from the ship tanker to the site's four
storage tanks each with 125 MT capacity. Sixty percent of this load is immediately
transferred to the fertiliser plant using pressurised rail tankers. The remaining
ammonia is stored on-site and filled into road tankers, skid tanks and cylinders for
downstream distribution. A small amount of ammonia is turned into ammonia
solution (aqueousammonia) and sold in drums and small containers.
The plant was designed, built and run by a European multinational until a local
managementbuy out about two years ago. The process is basically similar to Site A
and uses about the samelevel of technology. The difference mainly lies on the level
of processautomation and capacitywhich is slightly higher than Site B.
The managementstill inheritedthe style set by the previous multinationalowner
especiallyon site organisation,work division, production managementand safety

management. Under the new local the is
management site put under tile overall
control of a Works Managerwho are stationedat the company's Chlor-Alkali Plant
locatedabout300 km away. Day to dayrunningof the site is underthe responsibility
of the Plant Manager. He has the overall responsibilityon the site personnel,
production,safetyand administration.He is authorisedto spenda certainamountof
moneyfor the but
site expenditure needsapprovalof the Works Manageron works
that involvelargesumsof moneysuchas majorrepairs,modiricationsor replacement
of systemof equipmentwhich require large capital outlay. The Works Manager
the
oversees site throughfortnightlyvisitsand reports postedto him everyweek.
Training for new workers is conducted through the on the job method where they
learn through observation and hands-on involvement under the supervision of
experiencedworkers and supervisors. For new workers and outside contractors there
are compulsory safety and emergencytraining. The basic training lasted about six
months. The plant manager and supervisor assesswhether they are ready to do
A PhDThesisbyJ.Basri III
certainjobs throughobservationsandinterview. After the basictraining the workers
are assignedto specifictask i.e. operations,maintenanceor servicesthat becomes
their long term careerwith the company. While this approachpromotesworker
specialisationit wasfoundthat it alsocreateddiscontentamongthem. Over the year
workers from the operationsdepartmenti.e. the operator have a better chanceof
counterparts.They could rise to the post
promotionascomparedto their maintenance
of Shift Managerwhile the maintenance
could only moveup to fill few maintenance
supervisor posts. The low turnover of workers aggravatesthe situation. Post
employmenttraining is only given to those ranking as supervisorsand on courses
mainlyrelatedto qualityandproductivity andoccasionallyon healthandsafety.
5.2.3 Data collection for Human Error analysis
The observationaltechniquewas the main methodused for data collection in this

study. This techniquewas selectedbecauseit is able to collect physical task
performancedata, to capturesocial interactionand representmajor environmental
influencessuch as noise, light and interruptions(Kirwan, et al 1992). It also is
suitableto be usedin 'naturalenvironment'as the field study, insteadof a controlled

and constrainedenvironmentas in a task simulator.Using this techniquedata is
obtainedby directly observingthe activity or behaviourunder study (Drury, 1990).
The written notesmadeduringthe observationprocesswere supplemented by audio-
visual recordingand verbal descriptionfrom the operatorof the decisionprocesses

taking place. Further clarification on critical points was made from reviewing
relevantdocuments the The
such operatingprocedures. activity associatedwith data
collectionthat hasbeencarriedout at the two sitesis shownin Table5.1
5.4 Qualitative Analysis of Human Error

Qualitative humanerror analysisrepresents one of the most important aspectin
assessingand reducing the human to

contribution risk (AChIE, 1988). Such an
analysisallows the identificationof critical tasksthat are greatly influenced by human
error and the identification influencing

of performance factors that influence such

risks. It is also capableof predicting the specific errors associatedwith tasks or task
steps and identify the by
means which these errors could be prevented and recovered
before they have negative consequencesto risk. The scope and detail of this type of
analysis depend on the objectives of conducting such analysis. For the purposes of
this researchthe qualitative humanerror analysishave involved the following;
9 Selectionof hazardoustasks
" Task Analysis
" PerformanceInfluencingFactorAnalysis(PIF)
" PredictiveHumanError Analysis(PHEA)
" Consequences
Analysis
" Error Reduction/Recovery

Analysis
5.4.1 Selecting a hazardous activity for PHEA
As theobjectiveof thestudyis to compareandcontrastpossiblehumanerrorat tile

two sitesit is importantto selecta taskthat is similarin naturecarriedout at both
sites.Thefollowingcriteriawasusedfor theselection;
*a hazardoustask that couldleadto majorreleasesof ammonia
involvement
9 high degreeof humanfoperator
e usingaboutthe samelevelof hardware/technology
9 regularlyconducted
0 not a new task that hasonly recentlybeenintroduced
e not too complexwhichrequireslarge for

resources analysis
0 historicaldataindicatingthat the task could leadto majorreleasesof ammonia
e supportfrom someform of rankingassessment

Table 5.1 Human error analysis activities and duration
Activities Site A Site B

(no. of days no. of days
1. Critical observation of high fisk activities with
high proportion of human involvementfor selection 1.5 2
purposesusing TEACHER screeningcriteria
2. Observing step by step operation of the selected
I I
i.e. loading of ammoniato road tanker
_activities
3. Intervieving the operator, super"sors and plant
0.5 0.5
engineeron ammonia loading activity
4. Analysing the written job1 procedurefor ammonia 05 05
loading with the aid of flow chart and PI&D . .
5. Videotaping the entire ammonia loading to road
I I
tanker activity assistedby verbal description of decision
making processby the operator
6. Conducting preliminary task analysis
1 1
7. Checking and observing PerformanceInfluencing
I I
Factors(PlFs) associatedwith road tanker loading
8. Discussing with the plant engineerand supervisoron
I I
the outcome of the preliminary task analysisand
modifý*ing them after obtaining ftinhcr clarification on
specific issues
TOTAL DAYS SPENT 7.5 8
There are a number of separateactivities that are carried out at both sites that could
result in the release of ammonia. These included bottling operation, ship unloading
operations, rail tanker loading operation, and, road tanker loading and unloading
operation. However for comparison purposesonly one activity needsto be selected
for the Human Error Analysis. The method used for the selection is SPEAR the
screeningtechnique that was put forward (Embrey et a], 1994).
The SPEAR screening process allows the identification of human involvement in a
to
processwhich could yield significant sourcesof fisk if errors take place. A detailed
discussionof this technique is given in Chapter 3, The processis important to identify
all sources of risk on the plant and to reduce the amount of effort In applying other
techniques by focusing on risks arising from operator involvement. The site visit
allowed the development of an inventory of tasks with significant human involvement

in the various areasof the plant and rating the associatedhazard potential.
A PhD Thesis by I Basri 114

The three stagesof screeningprocessthat have been carried out at Site A and Site B
are:
" developmentof an inventory of operator tasks
" identification of a subsetof critical task with risk potential
" prioritisation of the critical tasks on the basisof consequences
Thesethreefactorswere assessed
using a seriesof to
questions produce an index in
eachcase. The threeindexeswerethen combinedto give an overall index calledthe

PotentialRisk ExposureIndex (PREI). Detailedcalculationof this index is given in
Appendix3.
The result of PREI calculations for main activities at Site A is shown in Table 5.2.
The ammonia loading activity to road tanker is ranked first with a PREI value of 0.88,
followed closely second by the activity of filling ammonia into cylinders and drums
with a PREI value of 0.81. The result of PREI calculations for main activities at Site
B is shown in Table 5.3. The ammonia loading activity to road tanker is ranked first
with a PREI value of 0.81. The calculations showed that the ammonia loading
activity is with the highest PREI, suggesting that detailed analysis of the activity
should be given the top priority. The use of the PREI was found to be useful in
selecting critical activity that has high risk exposure to human error. The alternative
approach like in the Dow Index looking at the potential risk solely from process point
of View i. e. quantity of hazardousmaterial, reactivity, temperature and pressure tends
not to be able to assessthe impact of human (operator ) involvement to risk in a
particular activity.
Discussionwith the management and operators at the two sites also indicated this
is
operation quite critical and could lead to major release. In fact there has been
major releaseat Site A during the loading operations of a lorry mounted tanker
(FMD, 1992). In this incidentabout I metric ton of ammoniaescapedfrom a skid
tank during filling operationdue to burstingof filling hose. The resultingammonia
travelled downwind more than a kilometreinjuring about forty people living in the
surroundingareas.
A PhD Thesisby J.Ba3rl 115

10
C
00 - e'1
00 00 *(
r-_, 7ý
r-
*(A
11
Pro
CA
I I 1
C; c; C5
I'
C5
C14
---
C
r.
-0
CO
C-i
W)
cr
4)
0
E- 9) öü -m r. 10
. +ý
Co
F--4 "o
CA C
C) 0ce E
+,
cn-
10 W
E 2)
9 r_ +-
u -0
Z r-
cu x m
Gn
Co
ýx öü GA rA cn
.a ce 4.
tý Zu im
.0
't ceCU
0
Z
cr
=
>%m
9)
<
>
-
L.
+
loý v cN 00
0
1 441 11111
Ei
r-
"I I
.4 Pro
Oý clý
0
00 "a 0.4
cd
CD CD
ll-ý
U. 0
Cd C
r. r_ Ici
Ici E Gn E en
(A -a u ý2 2 r_ fi
oý
Z W_ý il; :1 -0 ce
-0
= Cd
1-.
u r. 'ö
r. 4) g
r- w-i
4) Z$ 9)
-ci 0
9) Ici ý2 .0
= u
22
,e
u
Analysis of historical data on loss of containmentof hazardousmaterials by a number
of researchersalso indicated that the loading operations of road tanker represent one
of the main causesof loss of containment(HSE, 1989 and Embrey et al, 1994).
Using the SPEAR screeningmethod the road tanker filling operation at both sites was
found to be the activity where the risk is heavily influenced by human error. This is
further supported by judgement made by the auditor based on information gathered
through task observations, interview of personnel, reviewing operating procedures
and accident records on each site and findings from other studies that has been
mentioned above.
5.4.2 Brief description of road tanker filling operation
The systemof filling ammoniato road tanker for downstreamdistribution at both

is
sites almostidentical.Detailedstepsfor the road tanker loading for
operation the
two sitesis given in operatingproceduresdescribedin Appendix4. Basicallyliquid
ammonia from the storagetank is pumpedinto the roadtankerthrougha flexible hose
connectionat the filling bay. The backpressuredevelopedduringpumpingoperation

is dischargedback to the storagetank through the vapour return line. The filling
it
continuesuntil reaches the target filling weight that hasbeen pre-setbased on the
allowableullage of the particular size of a road tanker. The road tanker is then
disconnectedfrom the filling bay, checkedand sentto the customerafter filling the
necessarydocument.
Even though Site B was designedand equippedwith Chiksanhard loading arm for
top loadingit could not be usedas intendeddueto the differentconfigurationof the
current road tanker valve inlet that is for
designed bottom loading. So additional
the bottom
flexible hoseshadto be fixed to the endof Chiksanarm to accommodate
loading.
Similarlyeventhoughboth sitesadoptedthe samesystemfor road tankerfilling there

is somedifferencesin term of operatingprocedures,safetysystemand the hardware
being utilised. The differenceswere determinedthrough analysisof site operating
procedures,interview of operators,task observationon site and from video taping.

5.4.3 Task Analysis
After selectingan activity whererisk is subjectedto high degreeof humanerror, the
next stepis to carry out detailedanalysison the activity,usinga techniquecalledtask

analysis. The objectiveof task analysisconductedin this study is to provide a
systematicand comprehensivedescriptionof the task structureand provide insights
into how error arisesfrom tasksassociated
with ammonialoadingoperationsto road
tanker. The type of task analysisused for the study is called Hierarchicaltask
Analysis(HTA) which hasbeenwidely appliedin the industries(Kirwan et al, 1992).
HTA representsa wide approachto task analysiswhere the analyst needsto establish
the sequenceof various subtasksto be carried out to meet a system'sgoal. For this
study the technique is used to produce a hierarchy of 'operations' which refer to

tasks that need to be carried out by the operator within a system, i. e. ammonia road
tanker loading operation, and'plans'which refer to statementsof conditions which are
necessaryto undertake the operations. Hence HTA provides an effective means to

describe how work should be organisedin order to meet a system'sgoal of loading
ammoniato road tanker.
Using this approachthe overallobjectiveof the task underconsiderationi.e. loading

of ammoniato road tanker was broken down to the level that could have direct
implication on failures of a systemor sub-systemwhich eventuallycould lead to
major releasesof ammonia. This was carriedout by describing

successively the task
of loading to
of ammonia road tanker in detail
increasing to the desiredlevel. A plan
is producedat eachlevelthat describedhow the stepsor functionsat eachlevel were
to be executed. The HTA provideda complete,structured,and detaileddescription
for exampleof what the operatoractuallydoesduring eachof the loadingsub-tasks
being considered.With its structuredhierarchicalformat HTA has considerable
advantageover a sequentialtask The

description. structuredformat also provided
importantinput in managinghumanerror suchasfor the improvementof trainingand
operatingprocedures.

In order to concentrateon tasks that could lead to off-site risk there is a need to make
further selection between the tasks that made up the ammonia loading activity. This
would reduce the amount of analysisneededto addresshuman error that posed little
significance to off-site risk from the operation. For this purpose the SPEAR
screening process was applied again to identify the critical tasks that involve human
error that could lead to the releasesof a large amount of ammonia.
Results of the second screeninganalysison tasks that made up the ammonia loading
activity is shown in Table 5.5 for Site A. The analysisidentified the task of filling the
ammonia road tanker with a PREI ranking of 0.88 as most critical in terms of the
contribution of human error to off-site risk from ammonialoading operations. This is
followed by the task of disconnectingroad tanker from plant with a PREI ranking of
0.83. The task of connecting road tanker is third with a PREI ranking of 0.59.
These three tasks will be subjectedto detailedPIHEA analysisas they are subjectedto
high degree of human error that could result in major releasesof ammonia at Site A.
Results of the second screeninganalysison tasks that made up the ammonia loading
is
activity shown in Table 5.6 for Site B. The analysisidentified the task of filling the
ammonia road tanker and disconnectingtanker from plant, both with a PREI ranking
of 0.79 as the most critical in terms of the contribution of human error to off-site risk
from ammonia loading operations. This is followed by the task of preparing the road
tanker from plant with a PREI ranking of 0.55. Similarly only these three tasks will
be subjectedto detailedPHEA analysisasthey are subjectedto high degreeof human
in at
of ammonia
error which could result majorreleases SiteB.
Details of HTA conducted for Site A and Site B is shown in Appendix 4. The
analyseswere conductedonly on three subtasksthat have beenidentified as high risk

tasksthat could leadto major releaseof ammoniaat the two sites. Resultsfrom the
analysiswere ableto indicate criticaltasksthat are likely to contributeto failuresdue
to humanerror. As an examplethe task analysis revealed greaterrisk of ammonia

releasefrom overfilling of road tanker at Site A. This is mainly due to poor
to
procedures determinethe ammoniaroad tanker filling weight has been reached.

riD
tn +
0T
-t
tn tn 00 00
>-ý -0
'I'll
10
Oý1-1
-1-1-1 -1 "0 0
Ln
'I'll -1 001 'I'l
N
0
10. > Cq cq ýo ol
0-0
6 C; 60C;
llýl
ID
--
000
(A
11
rA
ce
>
(A CA
*Gn
-0
ce
e 0
Gn
CZ
0
Ci. m. 2p *a 0
eq
eq
P-4
1r41-I Wý
I-
Iw ,It
(A N ON t- ON t-
(. 0 r-
ri)
0
10 ", 1
ei Ilý1e1Ilý1
CD (D CD 0 CD
c71
1.2 "
l'
ssss o t'
.2 odó
0
rA C14
(::5
r_ m 0
ce 0
r4
4ý pý 'Z u 40) vý Ln
ce
r_ , P-
ýTZ2ý
CD.. Z.
The road tanker ammonia loading bay is not fitted with a weighbridge. Hence the
loading bay cannot be fitted with weight trip system and the operator has to rely on
observing the road tanker content gauge to ensurethe tanker is not being overfilled.
This situation could easily lead to human error as the operator may not be around
throughout the filling duration.
The HTA results are also used to highlight major differences on the task loading of
ammonia to road tanker between the two sites through its structured step by step
format. Discussion of the differencesbetween the two sites and how they influences
human error on each site is presentedin Table 5.7.
5.4.4 Predictive Human Error Analysis (PHEA)
This analysisinvolvedthe predictionof specificerrors associatedwith tasks or task

stepsin a systematicmanner. The processinvolvedtwo stages. The first stagewas
to determinethe planningerror, i.e. error associatedwith incorrect planningbeing
followed, e.g. filling the road tanker without establishingits empty weight or
decouplingloadinghoseduring pumpingoperation. The secondstageinvolved the
analysisof operation errors. This analysissystematicallyidentified External Error

Mode (EEM) that could occur while conductinga task or task steps.The EEM
consideredfor operationerrorsof the studyareactionerrors,checkingerror, retrieval
error, transmissionor communicationerror, andfinally the selectionerror. The EEM
by SPEAR(Embrey,1994)asshownin Table5.8.
categoryusedwas assuggested

mt
0
0
w -ige0
ei)
1
-83 ý: j 0 ý:IU, -.
i. AA ý 0
Z
0, ýM:
cn 09
20
to
2ý,
la cn u lu Z
0 c2. .
§ cn JE -2 r2 -,3 c-.e 0Zg -
co. Z ýý08
A . >
5ý
C) cn
-ci
lu
:i
0
'j Ei -2
E9 to 5 0W
9.0
0
9 +ý
+ý E 48 e
= ..
rA ce
'CJ :5 9)
0 4- - 8 jz
0. 15
. A050
0 r.
U e8o0
A-- s2 )g
-0
Gn
0
0
-2
78 *:, g Ei ý L, "g 8.
Z
0
lý tz
L) -Z -ý =0
C2.u- 0, Ei .
4)
5 '
-cs 0>>,
;e 9 -;e -w =0 4ý '0 0
rA , :g > * Q)
E Z-0 .'A Q)
li
0.8l
r. ..
cn
Z 0 0' 12 Cli
r_ eägr. -
Z. 2
"
U n
2 iß 0
r, - s rn 0
cj - :-
m 75 0 -2O
>
=0
,. 9. 0
M0
r-L Gn
0
Z:
0
cn
0 on
+ý 0 1-. to-
. im
9.1
0 ce 82
5
0
15
c2. 0 -CJ
-9
0 :i
A c)
ýg
.-
Gn
0
9
.
2:1
to -2
ýs: cn '5 t2
t. 8ý
14
. 0e ä9 -5 *E
cu
0
M 00U
'; 00 0 ,5l?
cli t. 'U.
Le 0
0
ce Gn
f5
1 g 0 2,
0 0
'9
c2
.
e%
0l ;
0»
li
;3 nö
0 8
Gn 0 ie Z 0
to
0 9.1
0 19n)
> u2
4)
c03 0 0
-
1-13
ýCO: >% Gn
2
.m. -ýI
8 co,2 "r=
1.
) 9
0
to 2 u CJ U9 -ý tý -2
2 U==0 0
ce
1
t) ce
ci , ý . 0 ý IZ
g)
0
4: n-
1
u
(D E00
= 2
4 >i
14c2.0
ri--
F- Z?.
E-
.
-0
:1
4= r.
0Q0 .- 0E <-
8 1
0ä? >if 92. 0>0
0 -:S
týZ 9
>
ýä
IU- = o
.43 c2..
gt 4;z
:2 .E
=3
esZ8
-ri -C9
;rn =9
14-- -ci
to >
r-
a -
u
il E>s
:j-
KZ..=a.
- -
..
c42 ýq 2
8
Z
..
v
=,
-5
p.
Ei ÖD
c2.2
ý '0 ý--G--
0-
0
cetz
rz
r cn
2 ZO:2= 8
2=ý
m .500
2
0
In En 0 =0
A. 0
cu 0 -2
ý ,2,2'.
.5 tn b
1
"ý
to .J-3
e 0---a
--2
1
4 1 8.,
-(L) , u
-u . ,
-
rA +ý 91-0
28A U-.
m,0-0 +5 . LD 0
& 1--i 31s <UJ
ý: .42 ,-0- E
i rz -e O>
*25- - A 0
. -
.2ga)0 E
.E-. , >
>
20 0
0r IK
to 0
0e
g) (4-4
)
ig.
914 Ei $Z. 0
4)
0 0 2 * 0
-bd U) q-
ch lUl ý0 -0W
8 c2.r. -Ei-
.2> .82 = "ID E9
W
iß E5
, . -
""
e 0
0 e 1,
- -5,
> ý)-- ic> E u2 0
.2 12 Z
. rA
>b
ID
0
e 5 E
0 -cs 0 -g-o
0 .15
Z.
e ZJ
0 r,-, :i*
0 ;3
*a E>%. m', 0 -u8 tn ýe

.5 0
4ý 0 -ig 'C u cg
:. '. 02 (2
:11 94 g «2 (L)
-r) e 2 -8 00 . g eIn 14
2
CJ +A
0
0>
4ý
90 9Z8
_ý g2.Ici tu m r. ý e. , ö. 8.
E 1- 1. >
0 0
01
141)
00
0 0
to - 0
0.
+ý 0=
j1
0: 0 -ci
.4-ce 'U 'E 2
"8 0
to .2. se lu
9
*r. 0 200 C)
cz
5 .
ý. -8 c2. -4- LIJ +-
to
e
-2
=
. "e
t. 4 Ici
ul
.5 ce
9.9
; EI 0
2
1
"ti 0 >o li Cl.
8,4 1
0 CL
g-
c 08
8. e
0 .a
Ir.
in
PA
Table 5.8 - EEM Category used for PHEA
Error Category Error Mode

Action Action omitted
Action incomplete
Action in wrong direction
Action too much/too little
Checking Check omitted
Check incomplete
Right check on wrong object
Retrieval Information not obtained
Wrong information obtained
Information retrieval
incomplete
Selection Selectionomitted
I Wrong selectionmade
The consequencesanalysis was then carried out on human error that has been
identified. In this analysisthe consequencesof all predicted errors were considered.
This reduced the chance of discounting certain errors from quantitative analysis
before considering its consequences.Errors with low probability of manifestation but
with high consequencesare important contributor in risk analysis. Both immediate
and long term consequenceswere consideredwhich related to two types of failure i. e.
active failures and latent failures. The one that has immediate consequencesto
is
personnel, plant or process called active failure. While latent failures are those
actions or decisionsthat generatevulnerableconditions which, in combination of with
subsequentoperating errors or operational conditions, give rise to accidents.
Two types of ratings were included in the consequencesanalysis. The first rating was
for the severity of the consequences,while the second is for the likelihood that the
error will occur and will lead to the (i.

consequences e. will not be recovered). In both
casesthe rating usesthe classificationof 'high', 'medium', and 'low'. The consequences

severity reflects the effects of error on personnel,plant, process or environment. The
classification schemesuggestedby Embrey (Embrey et al, 1994) for consequencesof
error is used with slight modification to reflect the ammonia loading operations under
study, as given in Table 5.9. and Table 5.10. A similar approach to this classification
scheme was also proposed recently (Moore 1997). Results of the consequences
analysis have made it possible to identify critical tasks that are most likely to initiate
major releasesof ammoniawith off-site consequences.
Table 5.9 - Classification schemefor the severity of consequencesof error
Uonsequences
HIGH Loss Time Accident Large releasesof

(LTA), Hospitalisation, Ammonia
Fatality
MEDIUM Exposure to ammonia Significant releaseof
which cause minor injury ammonia
LOW Irritation only Not more than slight
I releaseof ammonia
Table 5.10 - Classificationschemefor the frequency of

consequencesof error
Detailed PHEA for the two sites is shown in Appendix 5. The results identified a set
of critical tasks that are heavily influencedby human error. These critical tasks were
made up of a number of sub-tasksthat were predicted could lead to major

(severity
consequences and frequency) and low meansof recovery as shown in Table
5.11 and Table 5.12 respectively. The judgement high, medium and low were made

based on SPEAR classifications scheme where information was available. In the
absenceof such information expert judgement of the auditor was used.
Table 5.11 Critical tasks that are strongly influencedby human error
at Site A as identified through PHEA.
SystemGoal Type of Error Cons quences

(PlanningError) Frequency(F) Severity(S)
Loading ammoniato Incorrect plan Low High
road tanker executed.
Inappropriate plan High Medium

executed.
Tasks Type of Error Cons quences

(Operation error) Frequency(F) Severity(S)
2.1 Drive tanker to Action too much Medium High

weighbridge.
2.3 Chock front and Action omitted High Medium

rear wheel .
2.4 Ensure the tanker is Check omitted. Medium High

empty
2.6 Established Action omitted Low High

ammonia filling weight.
3.1 and 5.1, Operators Action omitted. Low High

put on PPE
3.4 Connect liquid Action omitted. Low High

filling hose to tanker's
liquid inlet valve.
3.9 Ensure there is no Check omitted. High High

leaks.
3.10 Rectify leaks Action omitted. High High

Table 5.11 shows that the influence of human error on system goals and tasks that
could lead to major releasesof ammoniaon Site A. The errors consisted of two types
of error i. e. planning error and operation error.
The planning errors identified through the PBEA at Site A include two critical
planning errors. First is the planning error where the incorrect plan executed. The
correct plan requires the weight of ammoniaremainingin the incoming road tanker to
be established before filling. This is to ensure that the tanker will not be filled
exceeding the permissible ullage level based on the tanker volumetric capacity that
could lead to catastrophic failure of the tanker. Such a failure would result in large
releasesof ammonia with high severity high off-site risk. As the existing procedures
to establish the tanker empty weight at Sight A is poor, the frequency of such error
to taking place is expectedto be high.
The secondplanningerror is associatedwith the executionof an appropriateplan.

The written proceduresfor road tanker loading at Site A did not include the
requirementfor leak test to ensure integrity
connection of flexible loading hoses. In
the absenceof suchwritten requirementthe frequencyof sucherror taking place is
judged to be high. Without leak testingto checkits integrity,the connectionsmight
fail under pumpingpressurewhich could lead to major ammoniareleaseswith high
severityoff-site risk.
There are a number of operation errors that have been identified through the PIHEA.
Under this category of error there are several tasks that were found to be under
strong influence of human error. The EEM error types are mainly under action error
i. e. action omitted. The tasks that have been identified using the consequences
(frequencyand severity)includeddriving the road tanker, putting chocks to road
tankerwheels,establishingthe permissibleammoniafilling weight, wearingPPE and
connectingand disconnecting
flexible loading hoses to road tanker. The tasks
selected were judged to have at least one of the i.
consequence component, e.
frequency or severity, in high category.

Table 5.12 Critical tasks that are strongly influenced by human error
at Site B as identified through PHEA
SystemGoal Type of Error Cons quences

(PlanningError) Frequency(F) Severity (S)_
To load Ammonia to road Incorrect plan Low High
tanker.
_executed.
Plan pre- Low High
condition ignored
Tasks Type of Error Consequences
(Operation Error) Frequency(F) Severity (S)
2.1 Drive road tanker to Operation too Low High
loading bay much / too little.
2.2 Establish tanker Action omitted Low High
empty weight
2.2.8 Place 4 chocks to Action omitted. Low Medium
front and rear wheels to
prevent tanker movement.
2.2.9 Deduce tanker Action omitted. Low High
filling weight
3.1 and 5.1 Operator Operation Low Medium
dons appropriate PPE omitted.
3.2 and 5.2 Ensure that Check omitted. Low Medium
maintenancecrew and
driver wear appropriate
PPE
3.5 Connect Chiksan Operation omitted Low High
arms and flexible hosesto
tanker.
3.6 Do leak test on joint Operation Low High
to ensureconnection omitted.
integrity.
3.7 Set weight trip setting Operation Low High
omitted.
3.9 Ensure there are no Check omitted Low High
leaks.
3.10 Rectify leaks Action omitted Low High

Table 5.12 shows the influence of human error on system goal and tasks that could
lead to major releasesof ammonia on Site B. Similarly the errors consisted of two
typesof error i.e. planningerror andoperationerror.
The planning errors identified through the PHEA at Site B included two critical
planningerrors. First is the planningerror whereincorrectplan executed. The plan
for ammonialoadingto road tankerrequiresthe incomingtanker emptyweight to be
determinedin order to check for remainingammoniainside before filling. This is
important especiallysince Site A uses the contractor or customer tankers for
downstreamdistribution. If this stepof the loadingplan is omitted, eithervoluntary
or by mistakes,the ammoniaremainingwill not be accountedfor in establishingthe

filling weight. This could resultin wrong settingof weighttrip systemandcould lead
to the overfillingof the roadtanker.
The secondplanningerror identifiedis where the plan pre-conditionsare ignored.

The existing operating procedurecalls for the servicesof maintenancecrew to
connectand disconnectthe road tankerto plant usingthe Chiksanarms and flexible
hoses. From the observationand interview this has causedconsiderabledelay in
loading the ammoniaespeciallyfor urgent shipment. There are chancesthat in the
event the is
maintenancecrew not available, the operator under delivery pressures
may decide to carry the is
connection,which not a difficult task, all by himself.
Given lack of training and experiencein carryingout the task the connectionmade
may not be secureand could fail underpumpingpressures,resultingmajor ammonia

releases.
The PIHEA also identified a number of critical operation errors that could be
in
committed carrying out the road tanker loading operations at Site B. Similarly the
consequence'scriteria based on frequency and severity was used to identify tasks that
are strongly influenced by human error. Tasks that has been identified included
establishing road tanker empty weight, deduce the correct filling weight, connecting
and disconnecting road tanker to plant, putting wheel chocks to prevent hose pull
the
awayand wearingof PPEfor the drivers
operators, crew.
andmaintenance

As can be seenfrom the analysis,by using simple criteria of consequences,i. e. that
made up of frequency and severity, tasks that are under strong influence of human
error could be identified. The consequences
approach was found to be appropriate
for the research as the study is looking at major releases of ammonia with high
consequencesthat could give rise to off-site risk. The limitation of such an approach
is lack of transparencyin makingjudgement as to what should fall under the low, high
and medium scalefor both the frequency and severity. Site specific incident and near
miss records could be used to support the judgement, but unfortunately they were not
sufficient for both sitesunder study.
5.4.5 Implementing human error reduction strategies through PSMS
One objectiveof the researchis to link the humanerror to site specificPSMS. It is

importantto assesswhetherthe so-calledhumanerror that could arisein executing
certain tasks is actually rooted in managementweaknesses. However as the

relationshipbetween human error and PSMS has many facets, a straight forward
is
relationship always difficult to realise. In this study such a relationship is
establishedusing the error reductionstrategiesand the PSMS componentsthat will

be involvedin the implementationof suchstrategies.As canbe seenfrom Table 5.13
and Table 5.14, the PHEA could be extendedto include strategiesto reducethe
impact of human error on tasks that madeup the ammoniaroad tanker loading
operation.
Such inclusionswill be able to servetwo purposes. First as important source of

information on relevant strategieson how the human error influence on certain task
could be reduced or minimised. Second providing the linkage to the site specific
PSMS on means to implement the recommendederror reduction strategies. When
for linkages be directed further
using PPJMA technique PSMS evaluation such could
to include the relevant key audit areasand the control loop audit levels. The analysis
in both tables is carried out only on tasks that under strong influence of human
shown
error using PBEA for Site A and Site B as shown in Table 5.13 and Table 5.14
respectively.

Table 5.13 shows the analysisthat depicts human errors, their possible consequences,
the recommendederror reduction strategiesand the relevant PSMS componentsthat
need to be addressedfor successfulimplementations on Site A. For example the

planning error of not including leak test requirement in operating procedures
(inappropriate plan executed),could be overcome by including the requirement. The
failure to include such requirementwas found to be rooted to the PSMS failure to set
a good safety standard,in this caseto check the integrity of connectionjoints.
Referringthe situationto PRIMA audittechniquesuchfailurefalls underOP/CHECK

key audit areas.Looking further into the PRIMA control loop the reductionstrategy
recommended lies in Level 4 3

--> of the loop which represents the items on
feedback.
communication,control and,, The operationalerrorscould be analysed in the
samemanner. For example for the task to
of placingwheelchocks road tanker (task
number 2.3), the error reduction strategy recommendedis the formalisation of

additionalchecksto reducethe operator'serror in placingthe wheel chocksat road
tankerwheels. Suchrecommendation falls underPRIMA key audit areasof OPAHF
andat level 2 -> 3 in the PRIMA control loop. It requiresexercisinggreatercontrol

on adhering to the through
written procedures additionalchecks by the driver and
occasionalspot checksby the supervisor.
The analysisthat showshumanerrors,their possibleconsequences,

the recommended
error reduction strategiesand the relevant PSMS componentsthat need to be
for implementations
addressed successful on Site B is shown in Table 5.14. As an
examplethe planningerror of operatorfailing to establishthe quantity of ammonia
remaininsidethe tanker prior to filling (incorrect be
plan executed),could overcome
by proper training and strict adherenceto operating procedures.Referring the
situation to PRIMA audit techniquethe recommended error reduction falls under

OP/CBECKkey audit areas. Within the PRIMA control loop the reductionstrategy
recommendedlies in Level 2 -> 3 of the loop under the component of

involved exercising
communication,control and feedback. The recommendations
greatercontrol on adheringto opeiatingproceduresthrough observationsand spot
checks.

le
mý
W-4
r_ u t.
,Wd rq CU
(V (A
=
CJ M
r ý4 2 Co 0
4. ce
ce 10 10
*W 21 5 " - cl
-
uw = rn
(V
2ý
==
0
0
c. =U
-bd "ýý >
Q
tu
sý
ý..
ZI &)
(6-4
,.
4 C) EA 4- Co
000 1-. -0
" (V
ý c2. tu cn- g) iD
ti-- a-,
12.4 0 r-
n
0 Co -
r_r 4-
0 0r = r- 4) 00
W öo r-
Gn 8
ce -0
V tz. cr
03
1 0
'CJ 9
ce
= (L
ö ß
zi ) lu m
. 5.
cqj r.
Z.
- 4) 4Co- =
-
lý2
r- vi
cis Q x0= '. 00

1-
4)
CL e e, rA rn
u ce
cl)
C
0
,
r. 0
Z
ý: t9 -,Z
, rA -2,
10 G
0
r- ý2Ä
öz cdz =s = X
*z
E-0
0
öü
L. r- >, -0
(J U
-ö u 45). -5
g2, ý.
Q
0
.-Co r 0 =j
0 .
0 O
ý- ý- c2
A a . . . U
.
0
.Z +ý 4)
+- rn iD
Co :3 (4.
gj
=m 0 Gn öo 0 tio
tn
c (bý w .-
Z c2. r
4) 0 "0 r- 0 .-
Z r-i. :3 (A r-
- ce ce
to :30 IIW>,
r- 0 g> 0u &) >
= ci (A
rA "C Q
CD.2
t. Co (V ,0 4) r- -tia -0
iý +ý ý. :j
(L) -ýd Z 4) Ln
'u bo-ci
.- .
.Z-
in
0 0 4-
r.
-
(A 0 v
Gn
eu
ci
t. - t)4 ce r_ tm -ci 4-
cl
0- 0- 0
'CJ
4.) = r- r- m-a(V '0 t-
r_ -
-
E (zu0 r=1 UuZ -
=0Q Z, En
F-
(L) M
rj Co
E 0 *- ca
.0
Z E 4
cgi -0 40
oj
ce
I')
-
A- r. :i> ý
*Z 110 -a 1-.
0 ý4 za - 00
M rn 4)
r
"ýg u Gn
E Ci. uý 0 O =0
1. ci
0 u
%- ,0= CJ
gL9 0 E +ý
(V r= 0 - =
+ý
.2 C0 >
-5 "lý Z to Md r_
0 (V 0
Z (D CZ
0 U Gn
1-. >" 1 ý-
'ö - 0« ci r
(L) C2. -0 (V
ce 4) .-= m
Gn r- >
eQ ZU-ý m 12ý2 r-
Gn rn " Z r- -ci
LA
aw -ý
;4-
0
Ut ce
i. =
0mu iz
.,::
i->
(L)
4ý 0
00
.+ý-
Z
m
-ö 5 :2 72
E
u
9)
ý eu 0ý-)
ý: mö 1Z2
-0
rA eu
:3" .
52 *ý ce
.ý . >
cu t
CU
2 4241-ýzüi.ý= W 2- '00> ý'20 2 0 c2.
.1 . c,
ei .1w.
(V
ci tz
EE -5 Ir.
>
U 0
lu v «s -0
Gw >ý 0 c2. >ý Q
x 44
AE 4) rA
0 '.'
rA 0 ý
0.
Cl
J, 0
u -X
ci CA :j
2 *05: ýA 2 a ý. e Q)
rA
,
ci 0 *4m
ýc 5: CA
04 4ý 0 00
' 't -0
A .E
c 4) c( = Z: u)
Z 0
E 1> ( L) Z ej
0
U ce u 4) r-
ce 62 Gn -
0
E
cM-, cu
A 2 E-
ý- t)re > -a %4., u Co"0
b- 19 (V 9)
1 -
-6, " ý.. Co
*Z b4
ce (V
*C '0 0 cj CU -0 E r
coi ý r-
_X bo.E
0Z
=0 Ei
ew
<0
'In
rA
F-
in
ic
%0
r. = Z
"Ci
ý4 r.
lu 0 iz 4ý 0 2 '0 A0 JD t-: 0 '
W 2
(-) M- u cu , C.)
CA
-2
t-:
g) Lii ld tQ t.
ce 0
m
W zz
0 tw
U
94
-
0
0
&) 4) to
ci ce
ce
ci
4) -ý
=O- tn
U
U
0 r. - -c ý
0
rA
cz.
= P.
j--
CJ
4
0
r_
(V 0 E (6-4
0E
r. r_
0 (V 0 e0= CD
0 r_
r1. -1- 1 U c2. cu (V *- 1 CL) Q
"
1
u2
Q 0 0 tn 7EL
w =$ x--
ce %. cn = ei t.. +- r3,
cz Qý .
rA
(V
ce
=
CKS0
ce 0 cu -ýd
(V cl. == p4
1-- CU
(V
f-
(L)
+ý M Ze. '- , CA
rj Co
-ý tue
, r
u - u »
-läd
u2
ce
+ý
.at to- - 0 - 0 4-
"Ci t *
(L) r. ýZ --
.10
t' to .
-- 1-.
0 j:
-C
.
w t
ý
-CJ 1 t4 4- 'Cu
u3
m (L)
c5ýi > ý> -
:3
.
.
< cu 4) 0
> ý
(L) .6. +J tn n. En U
0. 0 0 :1
a 0 cn x c m
) : ' 2
0. g> 0 r. r-
-o
cn .. C02 .
>, 1-. p4 ce -C r. W 0
:j
=
:-2 12.4 Q Z
0 Ln
0 P.,
CJ .2 1-.
0
0
,-o 2 =0. r- (L) :. ý..
0 LA (L) = ce
Ln
ei
E! Q)
= ce
%.. I' ,
0
&.. bo '5
ýA *5: +ý 0
9) 2
-1 ýa
M 0
+Z - r-
rn
Co 0
(L) :j -0 .
2-0
0
"CJ (V 0 91 ce 2
... n a
Q) 0.
+,
0
0 cu
t) .> tu
0
1
>
0
(L) .- W
0
(L)
ce
15 .- iý Z -
14-
0 0
2
A
Gn
-5--:
3) r.
9)
Ln 0 r. .2
CU 12 0
-2
m 0
F-4 (L) 0
0
0
+"
. ZJ J-- >, iz r_ ý4- +ý k. tn 4ý %. -

+ý
tu .4. C)
4) ce ei u -A
+,
bl) -
,-
zi ce
'A 0 -eJg (1) >
1-. 0 -0 W
Co bb
43 (6-4
0w
, i:1, ?- =
Q)
e
- U 0
tz 0 4-- 0 0
42
1-. (V 1- 9) 1-. 0 1-.
cz$ , 4 0
,
ca -0
9) (V 2
ce (1) cu
... > A c2.
-tr. CD cn
0
4ý
=s
Q. 0 vl
0 0 cv cz« j--
-d -0 0 zi 0
-0
0 0
< 2
0
rA
W
"0
4)
to _A
rA
w t 0
%ý
i-- cd (L) tr; 0
ch i: 3 ý: -0
r.u 0 .M
.- 0. *ý u
w. to Ici gj
ce 4) 0 (V .-
c2ý ý, 0 -4- 1 E. t .-:3cr ul
g=
r 0
i ci w w r-; Ei. m==
t-
en
". 4
0
+ý 0
+ý
t -0 %. '0-
t;; Iti
+ý
"0 c4 tn (4-4 l= Gn +- 0
Uu9 0 ' = (L) 0 c2. 4-
=0 cu t. (1)
Q) -tý = 0 CA"0 0 '0
ly 8 4ý t) tý (V U jz i.
c2.t 2 0 l=
0 0
r
0
0
-rs c-. 0 -CJ r- (U
2ýýcz
(L) 0 ci
CO
00
0 n
d
0
%..
00
0. +ý
+,
E
t.
Jl, tm ý
Z ý.
ce
0 0 0 C: r 0
10 ti
. zj
:, - Z
Q CD.. 4)
0 -ý4
0
(L) .2 (L) +Z In Z"
0
+ý
E2 CU +ý
cqj 0 -bd
ce
C:r CZ
(V t. Q)
W Q)
0- 0Z- cu JW
"Ci Q
&v0 t>
e,
0
0= fi 0
-3 0 ri
0
li m cu c)
cu - CD., 0
0 CU (L)
ci -ci > c:L,
15 0* ie
J--
EI)tu .- 0 .2 w .2
0 4)
Gn =s
k5*0iý -
b4 - g)
>
cu 0
(L) E g-e ce e A
Co -ci
Z
CU
c) -u(1)-ö E Ei fi
u2
II 2
Q)
0
u
%. m ce cu
0 0
-CJ rA rA
(L) -,ýd 0
(V =
0
2
1
1
i-- ,2 5.9
0 <0
0 (iýI
W2 rA (Z
CA
-1.4
CO
00
mý
V.A
4ý Co
-0 u
E- CU %.. =
c
qj
4)
ci
rA -
tw, ID -0 Co ý-
r.
U1 ,j cu
-ö 0= cu
la. CD000
C:L.
000Z
W t.
(D E0
c2.
«0 Ln
o gL4 ý:2 'ut
4ý
CU
ewrý c2. c2.
si
r- ý, -0 4) '. c-
E1- ý.- %Z ce 4)
cu Z > e>4 c1
ce c2.-E
0=0 4) - 'Uv
mm rj :j .e
4.
cd
4-
cl.
o
(V (V cu ch 0
0
ýo e Gn r- Co
cýi
44
< rq 52 = Z$
0 -0 00
CA 4'
,u> . 2 4- '0 "ýý
cis 4) ce Co m
>0 2 r-
-&) r_ U ý-. >ý >
00U
r- %. CL 9) 9)
0 052 c2.0
M.
4 0 zi
(A
Z., M
,
,0 -CJ
r- 7@)
CA
ý, - -F I.. ý ,6
V 1
4) 0
r.
6c 4) Z3
.
Cd 0 c:
Cd
C4
-0 -E C AD
ý.1 cd o
0
E-,ý Cd
0 k-
U,
-C
0 IZ JD gý CJ CU
z2
rA
t-; 0
(V
10
ce Gn 0
r- 0
cu
15 ri -0
CDZt. jý to r_
-ýd
cj ce 0 5 ZW 0 cu (V
ýz . ril
o
t. = Q E0A %.. =Q E 4-
=
-- Co cu
w 0 0 C) 0
0 t2.
bo. 1-1-n- =W Gn CJ n
%. r.
U u2 - = (U Gn A- t) Ln 0*
r.
Z
cqj
ce = =
ce -0 "- i-- zu ce CJ 0 4-
cu b. ms (L) .a
b)
0
0 Co, . *-0 c)
%. 4ý
0' ou ý- 0 1. vý g> %.
ý *cu *ý -g 0
cn -5 > :3
-ci ce
; 2. c--1 En
4) i-. -M (L) Q)
Q=
iz
:J (-q
(L)
2 w
ch
c.. g)
*2 ce-r-
0 -010
;2
< -0 -0
ýqt
`
:1 Q
ýI
,v
(U (L)
C:L
0
c",
Z
.E J--
rA =
U,
(L)
(V
Z
(V +,
> b Q +Z En -d c)
>, ý- 2 cn 0
E
= (A . ý
W.
rA
(L) >-% .
>
0 P. 4 -0 _kd %. C)
, Z:) ý P., 1. 0
ci tr-4
r- Z.- c - Pi 0 rA (0
0
0 Q iz t)
r.
bo r-
; -i öz - >ý 0
ý4- tý s. r.
cu ci Q) 0 9.
ce
r. fi
m cu
*.. 5ý , E a
cu
t.
c2. 0
0 ci F--4
c
Z! 9.1 -fý
rA
m
t.
r_
ce
+ý = ce r.
4)
CO] Ei
0 +ý 0 r 0
Ci (L) 0 *m
t; z e +ý CJ
0
j--
tn 4-- r- -ce
r-
+ý «2 Cl.
> >
(L) -
E t)o 9.1
Gn Ei (L)
jý,
0 -2
cu
Q) " (L)
EA
cz 42 CU ci 0 -g (V(L) (L) E c
O -
29 .5 +, t2
Z$ t)
Z 0
tu
v c2. ;2
>
Gn
- c«
*ý
e
= LZ
- r
u
x ce
A 0 .
.
CU g. CU -0 1-. 0
,e .ý IJ - t0 4)
-0 , r_ cn *;:3 (L) 2 (V v
t) ý' A
15-ci m-ýA 0
r. 00
cn
= tu
U
+ý
1-.
0
5
(V
924
c2.
92-.
t.
(V 0(L)
c14j -
ý ý: te
i--
4ý .; a
10
-5 ,0 tý:19
Z . 1. 0 *- (L)
0
JW
0 0
Ln
-0 ý: ý (L)
>
Ic
0 - c2
0 . (L) - C
+ý :3
ce rA th tr; =, r. 11ý4 rA .-ý 0
0 *C ce ms -ci . rý Cd ý: 0 2 = *P 0
Cl-
.4
-ci
lu r.
(L) r-
ce
c2
.'
co
..
0 ce V - t.;
0 15 2D
0
4 W :i r.
2ýw U rA (L) Q 0
u
.r.
r. -24 0 1
N V) "0
l ,- Q 94 I 2 0
15 1-4
m P. ý - ý: clu
l. P. 0
mo
ý flý
W
E ei ý Ee rý C ri
.- cn 55
r t) +-
i
0 0 0 0 ce (L)
+ý
Ici ci tu m «2
> 10 r- 2: -CJ
r.
>%
ti) JD
ch Q) u2 = rA
JD 1. = JD W .- 114
U
.-0 u -0 00 = 00 *ýýQ
r_ 92.Q
(L) -
y
ýz öz :j0 = =ý
Z$ 4)
p4 44 0
0 =
.4 En 94 ruý rA
=4- '5
=-
0 0 0
W 0 Z
0 -1-
9) -
w >, 0 cn >, = e-%
rA re
,U ;2 (A ce Z u2 m
cli
(L)
(L) 52 Co (V
r-
;e 4) t en 92-
ý.. 5 t2 1- = 4Q-- (V r-
.
52 -b-
rn .-
; 2. C,1
4) 4-
0 1.
4)
= 2u
2) c2. +ý
0 ý
,
a t
;i. ,t, u=
W
"CJ
=0 ci
- ör-
0
4-
cn
.4c5 w --t cle,
> >0
0 t. E
.
cu
0
.ý -(L) 0Z. =(A(V öo
-ci >, ý:
z ce ý
-6-
>. %-
r.
r.
2p
>%*C
4) r- 10
CU CA "V
.=i al) -
X.
Im ýo :s Z =$ lý rý-
cz
0*5 -2 0, 0
t5
0 Co
r_
5 ýf- . Im.
. 9)
Q r. Co
6,
,va . 0
rn -6ý
%.
0 pý w CZ p U
j
U0 0
:1 --cu
u2 r2.
ns En ci
z r. +- -2..
5
CA C: -0 -
0 ce
C: 9 Arzog iu d
(L) > ,Z = .- (L) ce
rA
=
41)
(V 0
9.
(L)
ýo -02
4ý
cii
c) en -W r_ -
ce 4)
ce
.
(L)
1-. 4..-
Cl. 0 m -rA 0 CJ t4 -4-4
=
CU CU 0
cu
fa 7D "p Q
to
r 0
= Gn
0 4) e * Q 0
ci 0
Z 0 2 - ce
0 "Ci E
0
? 0 Q) r- e c4-, ie M
ý4 5 9r . ce
lý 0 4 "0 u
w tu cu 4
s ci ZA 0 ý .-
r_ r_
tu li.
4-
-
ä2
=i
= "0
W r , r.
9.
0 0 .- 0
1-. 7D
CK3
0
ý5
0 - 00r.
+ý
e CA '*ýg cn ýu ý ký Ln -
cn (V ce
Gn = cn
ci.*@
" 9) ce "0 cn
CI.'2 -2 c2.ýE
(V "0 Ci.
C 0 4-
- c2ý r_ 0
0 0 "Ci-u m-4.1
.-0 0
"-, -d
4) IC 10 .- zi
CD
Q r. *c
15 J-- "C .
ä e
.bo
Cli t CU= m
: i En ed
+,
+ý
4- 9 u in -2 >, r- -a0
4)
(L)
CA
r
W- .2
0
p4 Q
U D c2.
c2. = 0
rA
CD.
tn CU
Cl% (V
ý.
1-4 .2
toi
Co Q
9
Task number 3.7, i. e. setting weight trips on road tanker weighbridge is an example
of a task that could be subjectedto operation error. The omission to set the weight
trip system could result in overfilling of road tanker. The recommended error
reduction strategy calls for fonnalising of the use of checklist and reference tables to
assist the operator. Such recommendation falls under the PRDv1A audit area of
OP/CHECK. It lies in Level 4 -> 3 of the PRRvfA control loop under the component
of communication, control and feedback.
The explanationaboveshowedthat PBEA resultsmay not only be usefulto identify

tasksthat understronginfluenceof humanerror andto recommendappropriateerror
reduction strategies,but also to determinethe PSMS safety componentsthat are
associatedwith their implementation.
- If PRRJA techniqueis usedto assessthe site
specificPSMS the be
performance analysiscould extended further to identify the key
audit areasand control loop levelsassociated

with the recommended
error reduction
strategies. This the to
enables site management evaluatesuch recommendations in
the resourcesrequiredfor their implementation.In a way

greaterdetailandassessing
this approachprovides one meansto integratethe analysisof human error and
PSMS.
5.4.6 Performance Influence Factor (PIF) Analysis
This step involved the evaluationof factors associatedwith a task which could
influencethe likelihoodof errorsidentifiedin Step5.4.2and 5.2.3. Thesefactorsare
calledPerformanceInfluencingFactors(PIFs). Thesefactors to a large extent are

determinedby the effectiveness
of the in
policy controlling
management human error.
Theseincludequality of procedures,effectiveness
of training, and implementingthe
useof PPE for hazardoustasks. For exampleresults from PSMS auditusingPRIMA
techniquein Chapter4 havefound that SiteB inheritedquality operatingprocedures
from the previousmultinationalowner, but the site lacked experiencepersonnelto
the
review and update proceduresas new changesare made. These could result in
errors made by the operatorswho are not aware of the changes,which in some
situationscould lead to accidentalreleasesof ammonia. This illustrated that the
quality of PIFs at the operationallevel, in this caseoutdatedoperatingprocedures,

provided an indication of the effectivenessof managementpolicy in controlling human
error.
The relevantPIFs associated with ammonialoadingoperationsat the two siteswere

identifiedusing a classificationas suggestedby AIChE (AIChE, 1994). ThesePIFs
were identified by assessinginformation made available to the auditors from

interviewsof workers and managers,review of documents,tasks observationwith
the help of video taping, physicalinspectionsof the site process,vesselsand piping
andevaluationof factorsthat affectthe operatingenvironmentsuchas heat,humidity
and noise. However suchdetailedclassificationwas found could be groupedunder
four main PIFs associatedwith ammonialoading operations,i.e. experienceand
training,procedures,stressandfeedback. The groupingalloweddetailedanalysisto
be carry out for humanerror quantificationat the later stage.
Findingsof this assessmentfor the SiteA andSiteB are shownin Appendix6. Such
qualitativeanalysisprovidedimportantinformationon the statusof site specificPIFs
and theirs influenceson human error. As an examplefor PIF on operating
experience,the majorityof operatorsat SiteA havelessthanfive yearsof experience
due to high workforce turnover. Whereasfor Site B the majority of the operator
havemore thanten yearsexperienceworking with ammoniarelatedfacilities. Better
pay and long term job securityfrom has

a multinationalorganisation resulted in low
operators.The availability
workforce turnover,enableSite A to retainit experienced
of experiencedoperatorsto carry out hazardoustaskssuchas ammoniaroad tanker
loadingwill reducethe chanceof humanerror.
In terms of job aids and procedures,Site A was found to be lacking. The majority
of the tasks performedon site are without written procedures.Proceduresthat are
availablefor certaintasks like ammoniaroad tanker loading operationwere poorly
written andinadequate. SiteB howeverinheriteda good set of operatingprocedures
and job aids from the previousmultinationalowner and they are well written and
regularly being used. The usage of good operating proceduresin carrying out
hazardoustaskswill reducethe chancesof humanerror andincreasethe likelihood of
successfullycompletingthe tasks.
A PhD Thesisby J.Basr! 143

The summary PIFs analysis in Appendix 6 for the four PIFs under consideration is
shown in Table 5.15. The analysisprovides site specific assessmenton the current
situation of main PIFs that are judged to exert strong influence on human error.
However the assessmentonly provided for the overall PIFs situation at the
organisational level (or global level) of each site. Apart from identifying strengths
and weaknessesof managementcontrol, the results of the assessmentare used to
assignweighting of eachPIFs for humanerror quantification later.
Table 5.15 Summaryof findings from PIFs analysisat Site A and Site B
PlFs Site A Site B
1. Experience The majority of operators Operators have long working

and Training have lessthan 5 years working experienceand the majority
experience.High turnover of have more than 10 years of
operators due to lower salary working experience.Low
and hazardousworking operator turnover due to job
conditions as comparedto security from an established
other factories surrounding company. Training programme
the site, e.g. electronic was based on job specialisation
factories. Training as set by previous multinational
programmewas not properly company followed good in
developedand implemented. house standards. Adequate pre
Only received ad hoc training -employment training, with
in the form of work someopportunity for
attachmentwith senior continuous training.
operators and very limited
chancesfor continuous However the job specialisation
training. while providing specialised
skill has created inflexibility in
The adoption of multi-skilling the utilisation of manpower and
provides work flexibility and fewer chancesfor promotion for
allowed better promotion the non-operators(i. e.
chancesas all workers are maintenancecrew).
capableto carry out most of
the tasks associatedwith This particular PIF at Site B is
to be good with little
ammonialoading operations. assessed
influenceson human error.
This particular PIF at Site A
is assessedto be average and
could impart quite strong
influenceson humanerror.

2. Procedures Proceduresandjob aid are Proceduresandjob aids are
minimum and only available adequate.Developed basedon
for road tanker and ship good standardslaid down by
loading operations. previous multinational owner.
Developed basedon limited Level of descriptions, clarity of
operating experienceand instruction and compatibility
manualsof the equipment with operational experience is
supplier. Description is not good. However updating
detailed enough,instructions exercisehas fallen behind the
and diagramsare not clear and stipulated scheduleunder the
lack compatibility with the presentmanagement.
actual task that needsto be This particular PIF at Site B is
carried out. Proceduresare
assessedto be good with
updated only as the outcome
moderateinfluenceson human
of seriousincidents
error.
This particular PIF at Site A
is assessedto be poor and
could impart strong influences
on human error.
3. Stress The road tanker loading Similarlythe roadtankerloading
operation is not complicated operationis fairly straight
but with high level of forwardbut with high level of
perceiveddangerand perceived danger and
suddennessonset of event suddenness onsetof event
(e.g. from suddenreleasesof (e.g. from suddenreleasesof
ammonia)that provides ammonia)that providedenough
enough stressto keep the stress to keep the operatoralert.
operator alert. On average Timepressurefor unloadingis
three road tanker loading are low at this siteason average
made daily, besidesother only two shipmentsaremade
loading for skid tanks per week. Stressfrom physical
mounted lorry and theseposed work environmentwhich mainly
fairly high time stress. As the from hot tropical sunandhigh
loading bay is in the open the humidityis moderateasthe
operators are subjectedto hot loadingoperationscarriedout
tropical sun and high humidity undersolarcanopyof the
which exerts high physical loadingbay. Low numberof
work stress. The ammonia ammonia loading eliminatesthe
loading operation is mostly to
need carry out loading at
carry out in day time and that night.
reducesthe stressfrom
working at night. This particular PIF was assessed
This particular PIF was to be averagewith moderate
influenceson human error.
assessedto be poor and could
impose strong influenceson
human error.

4. Feedback Plant and equipmentlayout Good plant and equipment
are satisfactorybut manual layout provide good interface
control could only provide and facilitate adequatefeedback
minimum recovery. No to the operators. A central
central control room but rely control room provides critical
on a number control panels information on the plant status
located near the placewhere a and allowed remote operation of
major activity takes place, e.g. major processequipment and
the road tanker loading bay. valves that provide certain
Remote operation is limited to degreeof recovery in the event
emergencystop button that of failures due to human error.
shut down all site operation. Identification, display and
Critical information on plant grouping of critical process
status has to be gathered information is satisfactory and
manually, somewhich located compatiblewith user
at heights and in the open and expectation. Labelling and
this could lead to humanerror. identification schemefor
Labelling and identification equipment, valves and piping is
schemefor equipment,valves adequate. Emergency alarms
and piping is inadequate. for
available gas leaks, fire and
Emergencyalarmslimited to evacuation.
gas leaks and fire only. This particular PIF at Site B is
This particular PIF was assessedto be good with small
assessedto be poor and could influence on human error.
impose strong influence on
human error.
For individual task steps they have to be analysed in more detailed as each PIFs
influenced specific errors in different manner and with varying degree of influence
depending on the nature of the task. As an example, one of the PIF under
consideration, i. e. procedures exert strong influence on the successof executing the

task to vent-off the ammonia filling lines after loading. However the samePIF only
has marginal influence on the task of putting the road tanker wheel chocks. For this
reason a more focused application of information from the PIFs assessment,together

with other relevant data collected by the auditors is neededto assessthe influence of
the PIFs under consideration for each task. That is one of the main reason why for
quantification purposesit is not feasibleto assessall PIFs associatedwith task under

consideration, instead only those with significant influences are considered.Details of
the quantitative analysisfor the two sitesare describedin the following section.

5.5 Quantitative Analysis of Human Error
Quantificationof humanerrors is central and important aspectof risk assessment
(Humphreyet al, 1988). In this study it is used to contributeto an evaluationof
overallrisk for comparisonwith quantitativerisk criteria.It also provideda meansto

determinethe relativecontributionof differentsourcesof system failuresthat could
be usedto prioritisethe allocationof limitedresourcesin order to minimiserisk. Due
to its importancea fairly large numberof techniquesexist. However, only a small
numberof the techniques have been in
used practices,mainly in the nuclearindustry.
A much smallernumberhas beenusedin the chemicalprocessindustries(AIM,
1994). The SLIM techniqueis usedfor quantificationof humanerror in this study
(Embreyet al, 1984).
5.5.1 The SLIM technique

The Success Likelihood Index Method (SLM(Embrey, 1984) was initially
developed for the nuclear industry but has subsequentlybeen used for the other
industries such as chemical and transportation. The technique can be applied to tasks
at any level of details, i. e. whole tasks, subtasks, task steps down to individual error
associatedwith task steps. Full description of the technique is given in Chapter 3.
The basis of SLIM technique is that the probability of error at any level of task is a
function of Performance Influencing Factors (PIFs) in the situation. The PIFs which
have direct influences on error such as the quality of procedures,the level of training,
and the degree of feedback is used to numerically rate the tasks. The combined
ratings of PIFs influence on each task yields an index called the SuccessLikelihood
Index (SLI). Using a general relationship between SLI and a task with known error
probability the task error under consideration could then be converted to a

quantitative measureknown asHuman Error Probability (IiEP). The SLIM software
provided by the Human Reliability Associates was used for the quantification. It
consists of two modules. The first module called SLIM is used to analyse the
likelihood of successof a set of task based on the evaluation and contributions of
important PIFs that could affect the human reliability in performing the tasks. The
second module, called SARAH (Systematic Approach to the Reliability Assessment

of Humans) is used to calibrate the relative successlikelihood's, in order to generate
absoluteIHEPs.
5.5.3 Determining HEI's for ammonia road tanker loading tasks at

the two sites using SLIM technique
The main application of the quantification of humanerror in the form of HEI's for this
study is as input to failure model of ammonia road tanker loading operation. This
study used Fault Tree Analysis (FTA) to depict the failure models that show the
contribution of both hardware failures and human errors to the overall system failure,
i. e. loading of ammonia to road tanker. Human errors reduce the likelihood of
success to accomplish the tasks associatedwith road tanker loading operation.

BEI's in conducting the tasks that have been identified from FTA for each site are
quantified using the SLIM technique. The FTA which depicts the critical tasks that
made up the failure model of ammonia road tanker loading operations for the two
sites is shown in Appendix 14. Incidentally some of the tasks identified using the
FTA were also predicted to be under strong influence of human error as indicated
from PHEA results in Section 5.4.3.
Stepstaken in using SLIM procedurefor this analysisare;
Definition of situation and subsets

Elicitation of PIFs
Rating of the tasks on the PlFs
Elicitation of ideal points and calculations
Weighting procedure
Calculation of the SuccessLikelihood Index (SLI)
Converting the SLI to probabilities
Sensitivity Analysis
5.5.3.1 Definition of situations and subsets

This task involved carefully defining the situations to be evaluated in this case
ammonia road tanker loading operation, by getting as much information as possible

regarding the characteristicsof the tasks, the individual (operator) who performed the

tasks, and other factors that influencedthe likelihood of success. In ammonia loading
operation the situation involved the execution of several tasks by human, i. e. the
operators which required interfacing with the hardware. For this study such
information is gathered through observations, interviews, studying operating
proceduresand video taping of the ammonialoading operation.
5.5.3.2 Select the relevant PI[Fs
A data basedevelopedwithin eachsite on the predeterminedPIFs associatedwith
particularcategoriesof taskswould be the idealinformationfor decidingthe relevant

PIFs to be used in the analysis. However as such information was not readily
available,the relevantPIFswereselectedfromjudgementmadebasedon information
gatheredthrough interview of workers and management,task observation,physical
inspectionand documentreviewed.As eachtask is underthe influenceof manyPIFs
only those which were judged to have direct and major influenceson errors in
performingthe taskwereselected(AChEI, 1994).
Using this approach four PIFs were selected for the quantification purposes. They
are;
* Experience
9 Procedures
0 Stress
o Feedback
The four PIFs belong to operational level factors that have a direct effect on
probability of errors occurring. Management level factors such as the effect of

policies on training and equipmentdesignwas not includedeventhough they have
indirect impactto the likelihoodof error, asthey determinethe quality of operational
levelPIFs mentionedabove. This was dueto the difficultiesin makingjudgementon
the degreeof influenceof eachfactor, and they may havemultiple influenceson all
the operationallevel PIFs that havebeenidentified.Brief definitionsfor eachPIFS
selectedfor quantificationpurposesis givenin Table5.16.

Figure 5.16. Description of PIFs selectedfor humanerror quantification
PIFs Description
1. Experience Representthe importance of an operator experienceand

training on the successof a particular task. This factor
representsthe importanceof an operator experienceand
training on the successof a particular task. It is a
combinationof relevanttraining given to the operator
and the length of time of which the operator work for a
particular task. While the training provides the essential
knowledge on how to carry a task safely and efficiently,
the length of time of the operator hasbeen carrying out
the task allowed an in depth familiarisation in carry out
such task. Such familiarisation allowed the operator to
understand the specific characteristicsof the hardware
and its interfacesunder various operating conditions.
2. Procedures Representthe importanceof written proceduresandjob

aids in assistingthe operator to successfullycarry out a
particular task. It concernswith the availability of good
procedure in term of depth, coverageand practicality, in
ensuringsuccessof a task e.g. depressurisingammonia
filling line
3. Feedback Representthe amount of information (if any), being

relayedback to the operator during a task, which
indicatesthat he is in the error mode. For example,the
pressure indicator on the supply line gives the operator
information on pressureinside the line, and this
representsimportant feedbackduring disconnection
procedures.
4. Stress Representthe effect of operator stresson the successof

a task. It is consideredthat there is an optimum stress
level and the ideal point hasbeen set at 6. The range of
I to 6 representsan increasinglevel of stressthat is
beneficialto the successof the task. The stresslevel
representsthe operator perception of risk, i. e. if the
operator perceivedthat a task is potentially dangerous
to his welfare he is more likely to take considerable
care. Once the optimum level of stresshas been
exceeded,however, there is possibility of panic and the
thus the rangebetween6 to 9 representsan increasing
chanceof error due to panic.

5.5.3.3 Rate PI[Fs Selected
The next stepis to ratePIFs on tasksunderconsiderationwhich in this casewould be

the tasksthat needto be carriedout for loadingoperationof ammoniato road tanker.
SLIM techniqueprovideda numericalrating on a scaleof I to 9. The end of the
scalenormally representthe best or worst PIF conditions. For examplea highly
experiencedoperatorwill havean optimalvalue of 9, while a novice is represented
by the worst scale of 1. However, other PIFs like Stresspossesseda different
optimalvalue. For Stressit wasjudged that certainlevel of stresswas necessaryto
keepthe operatoralert. The stresswould rise from perceiveddangerof a particular
task for exampleduringdecouplingof transferhoseafter filling which might still have
remainsof ammonia insideit. As the 6
such scalerating of would best representthe
optimumvaluefor this PIF. Howevertoo muchstress,e.g. from suddenescapedof
largeammoniacloud dueto ruptured loadinghoseduringfilling, will posetoo much
stressand increasedthe tendencyof the operatorto makeerrors. In suchsituation
stresswould be at the worst with a9 ratingon the scale. Closerattentionwas given
during the analysisdue to the fact that the samerating value could have a different
significanceto a successfulexecutionof a taskunderconsiderations. Rating of PIFs

for tasksunderconsiderationfor SiteA and SiteB is shownin Table 5.17 and Table
5.18 respectively.

0 (14
U j--
-4-3 s-. ?
>ý 0
5 0
z
1
O>
ý m e* 811
ci, -2,0
0
b-4 to
O=c
R
a
-0*,0 ;ä to .2
u :10
1-.8 9) 3
Ei 5
ýM ., . 0 Z
tý, 0
0t u
-NI
'cl ýý CZ
. 0
c> 24 -
L
C ic 0. ;ä0 =8
0 m
r.
ö
= .ý', Z. ý2 0
,0 8.
Co, u = ri
cli
0 1Z8 ý '; e0
0
0
5:
Z,
ý2-x.,
r- (2 s-.E c2.
b' r. 2
t.
ä
tA
>
O8 gmý
U)
Ei
r, ' Z
-2 ,e>22
-5 -1 8 ? W
= le
u0 92- g) -0
+ ý >,
ce -Uo
= (n 2 Z$ . -in
.5 tZ
ce .-
i2 2 t 0
ne to Ici
0
1
.2ý
A22to.
Ei
=0.0
5: ý 08
--g) Z rz
M 0
c).8 cý
m ce "ö
c2. 9
1,0
ce 'e
R
-ö
ce
(2 c
c2. 10
ý2
cu cu b- 4Q
Ln
CD
V)
2 1. 0. ri
124!2 W1
0ä
g,
ýo r- r- t-
1
F-
r.
0
0
0 0
0
0
0
LU
ý K
(D C)
00 c9
Ln E- Z ý- -1
F-
.0 iz iz 0 .0 -4
1--1 r, 1 1--1 N
9
0.) 0
bo 0 9.
tb
cs 0
1 Iti c4.d Ici
0
-
>
o ln 00
42
e A
m ý: 0>,8U 8 l ý.
0.)
u Ei
2 Ion -8 . +ý W 2 c4.-4
ý= CL4 -2
U)
9.1 ö .2
-3 LZ a Ei
0
gcli -8 t ce
t) ý2=e Cm
.
.2 i-b 0 0 rx.
m
:i ci .3
C, 9-
=
ý X
0. > U E0 "0
n85u8
,0 8ý -8 ýgý 0
) ti-4
C. 0 0 0
lu- 8 ,
-0 r. -0 c2.
0g - v iz g)=
to %:
ý, =u 2 - >,= - 018. ý 2p -ci
1 .2
,8 108e 7. 0 Mjw 9)
g ri4
2g5ý ei ýa
W
LE cz.2e
vi >
c2.u -2 %
:b 0 "2
4ý
H
0 .2
.5M
iä
im
*
00
E;.
>b
-0
- bd
Ji Igil
CD
00.
Z ýA
c4.4
%0 ce
> j> m
0> ch 23
0 m (1) ÖD
"22 -8 ip C
2 We - ce >, --;>0Z -5
vi ýi
0 21), -ß -5
+i
g2.0 p=2 * '

'. i
-E u) (1)
>00
=
j
s wý -
8
r 0
0
0
Eis
t4.4
3 g5
Z. Er.
o -
r- 8
:jr.
.2 1:,
8
u;
r- ß. (A -4
cn
2 .9
m0 Gn U A
r. CL.
5 0> , .- 2 d ý3
eab4 ,Z 8 A.
0 (n
Z
ýp- -E Il>0. e0 2 0
a 2 -5 8, at +ý
> ý
1 0
,'E00 ., E,P (n 0
2
0 m.
(U
E
rA =E
5
%1
(A
g Qý10 En u2
.9>
%10 -4
In C>
Itý
CD CD
"0
0
0
0
4ý Gn
te =2 0 0 92.
0 0
0
> 0
cz 0 0
.io 0
12 U
Z
tu =u E, le
0 =
0 U
0>
9-)
22,
0 92
*r.
"0
-0
.
IRt
(1)
>, .2
0 C.) ce
1. tw
(L)
e
M
0
Q00
l
o
1--
E ce 0-5
.0 ý9
'n Z0
ý
la 0 1-8 0 ,9
10 .2ý . 2
UN (40 Ü
0.9 fi
ce4.
0$-to0- 0
ge
ce c:lý Z0--
55
w
d 'e A ö,
ý2 -ý J. . .-2 iMt;-. 8 ýZe
1--4 rq r- r- r-
9
C,
CD
rIlý
c>
lIci \Icý \Icý
(Z CD C>
\O ýD 4-ý V) V)
\o ýo %D ýo
1 10
1
cn -
m .2S
A
to
tz
w -,
ý ccz 1
u
ý ci)
1211
Z
8 gri = 0
0
W 2 25e ba
r. .2
0ý
'g "8 to ý. 0
0 0 Ue
1 1 - -2 Gn
5 1-
412
ý5 8
b.
+d
rn
-rn
+d
9.8
0 4? &ý U 9.
0
-A 2 0
-=1
0 u
0 CD 9) 5? '
- CD-0 CDe2
T
W,
Oa r,01
Z
.0
rq 1-4 1--9
ýoq --4
cli
"-t
ýo
. -1
-. 4 1---l
ýQ
..
r, 1 (N
r-,1 c--1 --4 C,1 --4 ('4
> >
kn
tf)
"0
.0.
to =
ý: >0
0w
(n
? (U
m
8
-
rz.2' 2 Ei
0A
c) 0 c92
o
-Z
1. E2 m 22 E ll'n ý 2 ýa > -8 ýq r,
ý3 .!::
10 cl
-
.ý -9 0cli ce 9 e N. =o ll-'
ý
C-) 12n ÖP
0 +ý
c2. 5
r) e cu o ro--' 0
rn -- 0
3 v 'CJ tz
L, *0-, M 8 e
r14 '=
r. En
09
CA
0 0
2
"j
.
02=
1- g's ce 5k2 i' zi z ul
140.
2
0Q
2 V *5 C,
c122.
ý
ý;
2
-
ce .0
:1
,
ýe g
=2 .
2ý, -,
ýe :5
,0 ,
cn - (U 4)
ID e ce
2
0=
.2 p4 0
'-
0
s
5 "8 23-
2pezo'= 2: . 3
L, 5j
= -ci ? 5
*5 0 >
U- 0-
ce .g : gýu
. M . 28
za u9 U
4'o
(N4 E
j r-L 1 u to
:5 0
OA
.r
0 +g
5
a.
=
4)
0 -
-2
u W0 C) .
r_ e. 8 ce e
8-r.
. - -a
ýD .tDA-. .
23 0
208
9 (n
E 9- .ý % r5 .2
m
t! rA 2 - ý:
0j 0
4-ý
-2 %.
e)
JE --
-2
E2 ý
,,5
c26..20 g. -
10 ,S -e A .u-ý,
u 1 E2
ti -
0, g 8
-
En
Le 2 .-.;
'n
-)
.5 rl.
9)
ý9 "2
m ro-
ý2
M
9
ý
0 5 Z (1) ý
,
4.4
1
r-
%ýze
-. r>-5
4) m -ci cn 0
u4 . - 92. 1-- ýM. (D r-.
ýo
u
lu
'
0
l -'
u CM -.s
ce ri rq 00
00
c; C>
U2
0 %0 \O
tn %0 %D \D r- 00
rA
00
0
-0
m
E--4 0 0 ce, 0
0
m In. oý .-
2 s. 0 0 cu0
9 =
0.) JL)
tn .5
rn A1
-41111 -8 -8 s5
> *Z:
V2
0
ri
ý- to
00
>
0
*
ro- 0
,0
0
ol- PZ
ý3 20Z 00
CA A
2
,0
0 O. ID ;2
iz
1--4 iz
-4 rq r9 rq Oa
JD iD
--4
clý rq r-i ri
cq
%c
s. ce
ce 0 (6-4
0
A 0
ce -,4 c)
to
>
Z
0
-2W ce
0Ur. 0
1
C0 0
19 9)
>
"0 (1) 2 E00 9
,zi ig j= 111
00
*ge
le > Z
rA 00
(1) tn (n Z. 0
g
"Ci 0 C) ýa
CU c3
0
gL4
4) -cu 0 0 :S0
Z 2, ýa
to'. 2N 2u a 2 -A ýEa- ý.' -3
A 0
e 2 o ä 0 ý:
%. .g -ý r, 0 . -x
C'4 ci 0,0U
gt ce 4ý
0
is
e.) tu
0
.*
C> (D
CD C) (D (D (D
1
%Z %0 %D %0 %A
1 -
\.0 %0 10 %0 \io
00 00 00 00 00 00 00
kl CW)
=
.0ci 924
m>
0e 13
0
U
-8 -8 ý- 11) e
59 =O
45
'0
(42 58
ö 0
10 röll
eO
(L) CL= c2..
5 0 e
c c2ý 1 2ý E 0 0
e
9)
CD.. Ü.
0
-2
-
:1
.
0
cz
-4A
=U
cz10
(Dý
- E
0. - 01 -
ý9 0 ei ti.-
*c
lý
cc
rq rq
.0
:;: --4 iD 0
r-i
1-4
.. 4
-4
rq N
-d
--1 Zý r-i
-. 4 -4 mN
-g
4 -4
rq
F.
, --4
>
91
>
A
4 4
5.5.3.4 Assigning weight to selectedPIFs
The step concernedwith evaluatinghow much emphasisis to be given to each of the

PIF in relation to its effect on the likelihood of success. The weight representsthe
relative influence that each PIF exerts on all the tasks being evaluated. It could be
done based on the analyst's experience or error theory (AChIE, 1994). The
assignmentof weight is not mandatoryin SLIM. The technique assumesthat all PIFs
are of equal importance in their contribution to the overall likelihood of successif the
weights are not used. For this study attempt was made to assignthe weight for each
PIFs basedon the qualitative assessmentmadepreviously as shown in Table 5.19.
Table 5.19 - Weighting assignedto PIF
PlFs Weight
1. Expefience 0.4
2. Procedures 0.2
3. Stress 0.2
4. Feedback 0.2
Given limited information available to support the judgement made, a sensitivity
analysiswas carried out using equal weight to all the PIFs (or not assigningweight)
to see the difference on results of HEPs. It was found that the use of weighted and
unweighted PIFs only introduced small differences in the HEPs values as shown in
Table 5.22 and Table 5.23.
5.5.5 Calculating the SuccessLikelihood Indices (SLI)
Based on rating and weight assignedto each task, the SLI were calculated using the
following expressions;
SLIj =I Wi
.R ij

157
Where;
SLIJ = the SLI for taskj (j= no. of tasks)
Wi = normalisedimportanceweight for the i PIF
Rij = Scaledratingof Taskj on the i th PIF
Results of SLI calculation using the SLIM software is shown in Table 5.17 and Table
5.18 for Site A and Site B respectively.
5.5.6 Converting The SLI into Probability

As the SLI only representa measureof the likelihood that the operations to carry out
a task is successful relative to one another, some forms of conversion need to be
carried out to turn it into probability of failure, i. e. in the form of Human Error
Probability (HEP). To transform into HEP, the SLI scalewas calibrated for each task
under consideration. For this purposes the relationship between SLI and BEP
followed a log-linear relationship (Embrey et al, 1984) in the form of;
Log CHEP)= aSLI +b......... equation (1)
Where a and b are constants
Embrey et al, (1984) provides some theoretical justification and gives experimental
data to support the validity of this relationship in SLIM's context. Such relationship
also provided by other researcher such as Pontecrovo (1965) and Comer, et al

(1984). The two constantsa and b was calculatedusing two tasks with known SLI
and Error Probabilities, referred to as the calibration points. Two simultaneous
equations were produced using the two calibration points from equation (1) to
calculate the value for the constants. By substituting the values of these constantsto
equation (1), a general calibration equation for converting SLIs values to IHEPs is
made. The SLI values for the remaining tasks were then converted to IHEPs using
this formula. The SLIM computer code calculatesthese FIEPs and converts them to
IHEPsvalues automatically.
The selectionof two calibrationpointsfor conversionwas found to be quite difficult.

Embrey(1984) suggestedthreewaysof gettingthesedata,i.e. the use of data made
available from simulator, using data made available from other similar analysis that
hasbeenconductedby other analystor usingabsoluteprobabilityjudgement(Comer
et al, 1984). However it was found that data from simulator available in the literature
are mainly on simpleand basictasks(Kirwan et al, 1990) which did not adequately
represent the actual tasks under consideration. The use of published data from other
analYstswas also found not that feasiblebecauseeither they originated from the
nuclear industry or they utilised PIFs that did not match the PIFs selected for the
current analysis. Finally the absoluteprobabilityjudgementmethod was used for
calibration points that takes into considerationon site specific situation such the
influence of relevant PIFs, the processsafety systeminstalled, and accident records.
BEPsvaluesderivedusingthesecalibrationpointsservedasbaselinevaluesfor QRA.
Additional analysisusing calibrationpoints taken from study on chlorine loading
operation (HSE, 1989) to
was also conducted check the difference in BEPs values
arising from the use of different set of calibration points. The report is used as
referenceasit was conductedon similarloadingoperation,but for differentchemical,
i.e. chlorine. Summaryof the calibrationpointsusedfor the SLIM analysisis shown
in Table 5.20.
Table5.20 Calibrationpointsusedfor SLI calculationsusing SLIM
Source of Tasks with known HEPs used as calibration BEPS HEPs

information points Site A Site B
Auditor 1. Operator omits to check pressuregauge is 5E-03 IE-03
Judgement zero prior to disconnectingfilling hoses
(APJ) (upper calibration point)
2. Operator omits to check line valve stuck 5E-02 IE-02
(lower calibration point)
HSE(1989) 1. Operator omit to connect filling hosesto IE-04 IE-04
road tanker (upper calibration point)
2. Operator conducts leak test incorrectly 3E-01 3E-01
(lower calibration point)
As canbe seenfrom the tablethe IHEPvalueson similartaskswerejudged differently

for the two sites.Thesewere madeto reflectthe site specificPlFs situationobtained
from PIFs analysisconductedin Section5, that influencehumanerror on eachsite.
To provide some measureof confidence,the IHEP valuesjudged by the auditor were

compared with nominal IHEPson similar or equivalent tasks from two human error
databases,i. e. TBERP (Swain and Guttman, 1983) and BEART (Williams, 1986).
The comparisonshowedthat the IHEPsvalueson tasksusedfor calibrationpointsas
judged by the auditor lies within the uncertaintyboundsof nominalIHEPsfrom the
two data basesas shown in Table 5.21.
Table 5.21. IHEPsvalue usedfor calibration points for SLI

calculations using SLIM
Tasks with known BEPs used as Auditor TBERP HEART

calibration points Judgement Database Database
BEPs BEPs Nominal Nominal
Site A Site B BEP BEP
1. Operator omits to check 5E-03 IE-03 0.001 0.07
pressuregauge is zero prior to
disconnectingfilling hoses LB = 0.0033 LB 0.008
(upper calibration point)
UB = 0.003 LTB 0.009
2. Operator omits to check line 5E-02 IE-02 0.01 0.09

valve stuck (lower calibration
point) LB = 0.0017 LB = 0.06
UIB = 0.015 1UB = 0.009
Where; UB - Upper Boundary, LB Lower Boundary

-
The calibrationpoints taken from HSE study (HSE, 1989)were madeusing expert
judgementmadeby the auditorswho preparesthe report then. If thesevaluesare
adoptedthen Site A and SiteB will be usingthe sameIHEPsvaluesof for calibration

points despitebeing subjectedto different degreeof PIFs influence. This highlight
major drawbackof adoptingknownBEPsvaluesfrom other site analysis,as eachsite
may be under different influencesof PIFs. Even under similar PIFs influences,the
degreeof influencesmay vary. The effectof usingthreecalibrationpoints insteadof
two to increaseregressionaccuracyassuggested by Kirwan (1994)was alsoexplored
throughanotheranalysisusingthreecalibrationpoints. Resultsof theseconversions
are shownin Figure5.18for SiteA andFigure5.19for SiteB respectively.

P-4
10
"4
9.1 1. -1
.0 rA
00
CD 0 0 0
4) 00
rn c>
-
00
CY\ E ýýZ N rn m 00
-
00 1-4 00
cu
ce
0 c> c> c>
0 C) 0
40. 15:
ý '-, r- c> m (n w 0ý
(L) 0
CA -ý zr, >. nZ
ý24 ei
't od zi zi m m
5
0 cn ý
t. jz ýý z (1q N (1q ri le P-4
0
Cd
0
""
lzný =* 5EAr..- ýh
Z ýh
m
ig ýh 9
cn 0
1-ýI .:s ..'
ý-Z
J-- -0
Jz 4) -
ce
.0
r-. K-Z-
Ln cz. ý ýý --
ýZ ýx >-4
ýZ :i
9) %Z
rq
t1q
cq
10
N
"0
N 1(>
V.,
(L) :j +- 9
=ce .5
0 Cz' 00 00 00
Cd
ce ji
0
W (L) =
92. C) 0
r. %.. +ý
:3 c2. Cz. (L)
0 0 0 -4- r1.
4s fi 0
tu
0 0> 0
. 4- 0
2p
4ý Z
14-
cq 0
Ln 0 -0 "0 -0 > 0 .- "Ci
cq > 52 tr,
.
0 Ei «,
0
iz J-- 0 00 0 0
cu 0
E- > 0
(L) u
E2 4) t. W (9
t2
cn ný
CD *C
VI
4) u cli CNI le le
cu
9
P4
C14
10
1-4
m V) m en en en en m m m m
a C) 0 0 0 0 0 0 0 0 C)
I 1 1
C4'j
;4
en WI
00 WI W W m
W
1-4 00 en cn cn
C14 C*4 C*4 en N en en C*4 N en N

40 C> C> 0 C) C) 0 a 0 0 C)
C-4 cq C*q Cl) clq m m (14 C14 m cq
clq C14 cli N m m CA Clq

0 0 0 0 0
9 0 Zt
4
M CS a4
en W ý4
qT
4
00 ý4 c)
cn
a4
V: 06 m
vi "i 00
C14 m (14 m C14

0 C) 0 0 C)
C14 (14 cq
0 N
9 N 1 1 1 1
H ýg 9 H
W C14
W
cl
W
C14
4
C14 cl Ci
C14
Clq
m m m m m
0 C) C) 0 C) 0 C) C) C)
10 V) ýo \0 10 W) 00 \0 In m
cn W) CO) V) CIF) cNi vi In
1 --4
N C14 C14 IT C14 m C14 en

0 0 0 C14 0
0
C14 ýo
N N N C% cli
W
t4f)
I-
Cý
tf)
14
ýo
ci
a4
In
li
en
C14
C-4 N N eq en cq N en
C) 0 0 C) 0 0 0 C)
00
-4
ýo
N
00 Cý 00 ýo
C-4
00 Nr
1.4
00
-4
- ýg
C'4 m
rA 1ý
cn - to 14. 1.
E! 0.) =1 ) Iu
4) (U r. cr , (U r. ,4
0 .- == 0 > = J
(A En
0 r-
+ý
0 0 -Cýt=
- +6
EL tn
0 4--0
.
(U iýEi
izi -0 - (L) > 4)"0
I. =
-
:3
CL. 1
,E
4- 0 CL. 'o
to j! -0 P. oc
0 C)t4
4ý r
0.
1.14 o o 0=
vm 1
0 0 .5
r-
zc" 41 Or-
-EL 5
= 8 6 0
:z
.6. 4ý 1. 4- 5 *15 1.
.
Cw. 0
I- .-
(L) >-. C)
+ý 1:0 1 "o Q 0
S. 0 .0
t.4
-;
En .0 0 0 0 Q
> - o0 -14 V
4")
0
-6ý - COL,
00CL 0 tý! 00r - 0. ý4 Cd

S.
4) .ý aw 4):2 Ou0 P ,
Q.. 4) t. -a
. I
I. o- . I-
o 4
t. 1. 0 crj ,-(L)
E 0 0
0 ry) o 2: o ,-.
-
4)
4) Cl
0 .
4) "
. o
Cc 1ý Cd d) Cd
. C', 4) 4) t
:: I ým
4) b& .> C) ý cd Cd ^
> S..
-Y. " -&ý I. I. , t-. -= 0
4) Cd Q
5. 0
Qý Cd C: L. =0
(L)
"
4)
r- .
v=
C: J. 4ý
-5
tn
o 4) 0
- cd 0
00
-
Cý, 0
a-)Cl (v I--
Cý, ",
tML
r-1,0
Qtr. 0U 0 -a oRI. . cd Edo
0 > o > Tlt
C14 N
N 10 10 .0
(14 ýq
CN It In N -4 -4 N .0
19T 1-4 lt
4 -4 -4 -4 C*4 lt
ý4 -4
cq cl l--4 -4 N
4 > >
1. ý4 ý4 I-
en
en N
C) C>
--4 en en -4 -4
C14 en en CA C14
C) C> C> 0 C)
ýh Vý a5
ýh Vý
Clq en V) cq cq
C14 N (14 m
C) 0 0 0
ýh
Cý
00 00 00
C14 N C14
C) C) C) 0
C14 cli cli
C> C) C)
Ci ei Ci Ci
tn tn kn kn kil
en en m
IRt 9 0
C) w 4
Ci Ci Ci
ýh Cn cn
w
kn
C-4
C?
Ci eli Ci Ci Ci
t1l tn tn
4.)
E :ý W= Q r. Ew9
0
.1
to
15
o
.4-
ý:
0 CQ
-0 np
(U 4) 4)
"o 0=
as
.20
0.0
(L)
týl 0 tfý4" a! Co 0 -;
5
1.
0
U
Ch
6.
0 E
4)
"0
0
S.
0
u
.5
0
0
.4
_0
01 0 4) al 5p In
ý1. c:,.-ý 0C:
w.(0)
-
.
0.2 (L)
.g .
lt
in
.0
1-4 .0
1ý --4 .0 1-4
N v"
-4
cq
4 C-4 C14 N c"I
cli C11 N eq
i- E-
I I- I E-
- I i
0.4
le
%0
V-4
0
A4
C)
IT
00
cn cn 00 00 cn 00
0
.
Cý ý'o
9 m
as
t. 00
-4
Cý
-4
cd cd
0 A4 cq C14 C14 C14 en C14
ED CA
m .0 0 C) C) C>
cli clq C14 C14

Cd
0
r)4
0
-%
1ý PL4
C\
00 m en
en en ItT
C)
CA En
tn tf)
cl
i
Nt IT
0 C) C)
=6 \, -0 .5
0 m w w w ýh w w
C7 -W ý-, Cli
rA t- Clq
12
0 .2
E! ca.o -s 'it
>, r. c1:
1 W t.
I m IT 141, tn I*
Gn
4- 0
-J:ý ,ý .0
I-- Cf) 0 0 0
CL)
.
bo 4 0
.0aý:
JZ
en ý 00 00
.0 .-Mý:
. ID
E!
0 al C)
(D oq clq
Ln =
m
-R *aý 41) til ti) C'n 1.4
cd -Cd :; ý
0 04
Cd
Q) V tr4 0
CIS 0.) r- =s 0.
t"0 ;; P. 0 0 u
-9
0 0 0 0
crj
9.1 .4-
"o .- C's
-x:l >
CL. . -co
0 -14
U -
'm = Cýj cd
.0ce
F--4 4) "0
CL
0
>
0 0 0 0
En 0 ts '. 0
Cd > :5
> r. 00 0 W0 CL
r. = ". I"" " 0. cn
o
Q rz 0 0 0> cz C)
T
-4 -4
-4 cq >1
.0
-4 -4 .0 10
C14 C14 IRT V')
Cd
Cl
.E-4
tn
en V) m m
m m Cn en en
0 C-) 0 0 0 0 C> Co 0 C>
4
M
ý4
en
ý4
00
ý4
en
Lý
00
;4
cn
ý4
1-4 L4
00
L4
M
14
C4)
N C14 N N C*4 cq en
C) C) C)
4
C*4 C, 4 cq M cq M V)
;h
C14
lh
clq cn
til en en en
C'n en NT IT
c> 9 c) 9 C) C>
CS 00 en C%
Cý
en en en
C)
4 C) 0 C) C)
I
C14 C14 N lh ýh
4
C, C14 ýo 00 en cl
t-: cli t/i C-i
en R C) It
C> C>
w w 4 ýh
00 t- 00 ON 00 ON
en en 0 0 C> C) C) C>
c) 4 4 4
ýh 00 00 ON ýh 00 C7%
cfý tri tr;
rA
:3 tm) o
-
ýa
0
1!
ic
0
-
(D
1J.
Cl.
-0
r-
Q .-
Ln
al
.-
=
r
. +ý
.4.
.2
t. 1
CA 4) = Z
W Cz S. +ý o > as
ca.
C..
0
CL vi 11-1.
0
cl. tc En >
0
0
0 -0
Q 0 (1) 4)
.2
cd 0
+ý
0
0
0
.4. r.
0 r-
Z: cl. zcd 0
4ý
0 =w 0 1.. -0 C,
E ý
rj)
(L).-
ý -(D 0 E 00 IN e 4) ý
rz. CL) ý0 N)
-. E
ce
0
>
th to :n o tth
0
0 o 0
r
o>
o o
o
0 0
0
0
0 0
0 4
t. Z4
b
>
4 z
o m (D 4) Cd>cd cd 00
t. :st ý R- 0 0 0 E
rL 0 CL (1)= 4) = _
o 0
Q.
Cd
"= CL. 1,- 0 0 O
CdL
J > 0 0 0 u 0 0 > 0
B
C14 Jn
.0
cl cli
.0 .0
cq
> >
4 4
0- ý- 1 I
P-4 Aq 44 P-4
0.4
ýo
140
". 4
eq C14 m en C14 N
0
clq en en N m
9
N N m
en
9
17ý Cý Cý
00 00 00 00 00 00
en m M en m m
0 0
C> C>
to to
bo rA
0 id 0. a o 5p 9
. 4- 4- .0 0
W (2) .- .- C's ý ýE
-,
to "> 0 I.,
C. c5- Cýý j-- 0 -g
o 0 4) 00 0
0
V 4) cts
f. 'n cc 4)
ý. >
0 KI )
(L cp
41)2 U
M.2 m.-p c: -4
L. C:
). Cl.0
0 0 o C) Cd 0 to 0 JD
1 .4- cz I
-
.0 .0 .0 .0 JD JD
N4 1"
cq
"-4
-4 -4
-4 cq C11
cq
.M
cq cq C*q
0 0
1 1 1
-
E-4 E- I F.
p. 4
Results of IHEPscalculationsfor Site A are shown in Table 5.22. The results showed
the differences of IHEP values obtained using 6 different calibration points for each
tasks under consideration. For example the BEP for task No BL121b, i. e. driver
moves tanker while filling operation is in progresscould range from the highest value
of 4.3E-02, using calibration points from HSE report (HSE, 1989) to the lowest
value of 3E-03, using calibration points from TBERP nominal data (Swain and
Guttman, 1984), a difference of about a factor of 10. Given large uncertainties
associated with data base use for human error and risk assessmentthe difference
shown by this analysis is very reasonable. The effect of using weighted and
unweighted PIFs for the task is also small. The BEP value for this task using equal
weight for PIFs is 1.8E-02 and when using weighted PIFs from Table 5.22 is 2.6E-
02, a difference about a factor 2. Using the APJ with two calibration points the
BEP value the task under considerationis 1.8E-02, while when using three calibration
is
points 3.6E-03, a difference of about a factor of 5. This small difference shows that
the use of three calibration points over two calibration points in calculating the
BEPs is not as significant as suggestedby Kirwan (1994).
Table 5.23 shows the results of HEPs calculations for Site B. Similarly the results
showed the differences of IHEPvalues obtainedusing 6 different calibration points for
each tasks under consideration. The BEP for task No HL12lb i. e. driver moves
tanker while filling operation is in progress range from the highest value of 2E-02,
using calibration points from HEART nominal data (Williams, 1986) to the lowest
value of IE-03, using calibration points from using the APJ, a difference of about a
factor of 10. The difference shown by this analysisis considered acceptablegiven
large uncertainties associatedwith data baseuse for human error and risk assessment
(Hurst et al, 1992). The effect of using weighted and unweighted PIFs showed for
the task is also small. The IHEP value for this task using equal weight for PIFs is
IE-03 and when using weighted PIFs from Table 5.23 is 5.2E-03, a difference of
about a factor 5. The analysis also shows small difference using the auditor
judgement of APJ with two calibration points the BEP value the task under
consideration is IE-03, while when using three calibration points is 1.2E-03, a

difference of about a factor of 5. This shows that the effect of using three calibration

points over two calibrations points in calculating the BEPs is also not that
significant.
The IHEPvalue of the taskNo. IHL21b, i.e. operatorfailed to isolateleak for Site A
is 7.3E-03 (Table 22 column3) and for Site B is UE-03 (Table 23 column 3), a
differenceof about a factor of 7. The result showedthat PIFs at Site A provided
greater influence in reducingthe likelihood of successin executingthe task as
comparedto SiteB. A similartrend alsoexistsfor other tasksunderconsideration.
For examplecomparingIHEPsresultscalculatedusingunweightedcalibrationpoints
madethroughAPJ in column3 in Table22 andTable23 showedthat BEPs valuesof
similartasksat SiteA are higherthan SiteB. Their differencesrangedfrom a factor
of about 30 for task No. IHL41I lb and to a factor of about 7 for task No.]HL21b.
Evenwhen comparingthe IHEPsvaluesobtainedusingthe samecalibrationpointsfor
the two sites,(i.e. Site A-Table22. Column3 and Site B-Table 23. Column 5), the
trend persistsbut with muchsmallermarginof differences. Basedon theseresultsit
could be concludedin this studythat SiteA is subjectedto higherIHEPsas compared
to SiteB in ammoniaroadtankerloadingoperation.
5.6 Conclusions
Resultsfrom the qualitativehumanerror analysisfor the two siteshas indicatedthe
following;
The I-EerarchicalTask Analysis(HTA) has revealedthat Site B has a better

to
work plan successfullyundertakethe task of ammoniaroad tanker loading
operation as comparedto Site A. The work plan and procedures in place are
appropriate and comprehensive which could reduce the chances of the
operator making planning errors. The usage of specialist, i. e. maintenance
crew to carry out the connection and disconnectionof filling hosesalso reduce
the chances of operational errors. Error recovery is enhanced by better
process safety hardware,e.g. the use of weight trip system to prevent

overfilling of road tanker and the presenceof independentchecks by the
maintenancecrew of certaincritical tasks such as the venting-off the filling
line prior to disconnection. However the use of maintenancecrew at Site B
to carry out the filling hose connection and disconnection increases the
duration of filling as compared to Site A due to waiting period for their
availability. Inadequate hardware design consideration at Site B also has
resulted the needto modify the Chiksanarm for bottom loading to road tanker
by adding flexible hose connection.That arrangementmakes the task to vent-
off the remaining of ammonia prior disconnection more difficult and

hazardouswhich defeatsthe very purpose of installing the Chiksan arms.
* Results from the PBEA conducted showed that use of consequencesi. e.
severity and frequency provides a simple and effective mean to predict tasks
that are under strong influence of human error. However lack of site specific
information on the two attributes, e.g. from accidents or near miss records
forced the use of expertjudgement which at best lacks transparency. Forboth
sites tasks associatedwith the connection and disconnection of filling hoses,
the establishmentof correct filling weight to prevent overfilling and the on-site
movement of road tanker which could resulted to collisions and hose pull
away has been identified as those likely to fail to be due

accomplished to
humanerrors. The analysisalso allowedappropriaterecommendations to be
to
made reduce the impactof humanerror on the critical tasksthat havebeen
identified. The implementationof recommendations being made were then
referredto the site PSMS. Using PRIMA the
technique relevant key audit
areasand the control loop levelswithin the PSMS could be determined.This
enablesthe appropriateerror reductionstrategiesand the resourcesneeded

to be identifiedin a systematicmanner.This approach
for their implementation
alsoindicatedonepossiblemeanto integratehumanerror with PSMS.
Results of PIFs analysis at the two sites have systematically identified the
relevant PIFs at the level

organisational, (global level) that would influence
human errors on tasks that made up the ammonia loading operations. As it is
not practical to consider the influences of all PIFs that has been identified)
only four were assessed showedthat they

in detail. This detailedassessment

are all more likely to increasethe chancesof human error in carrying out tasks
associatedwith ammoniaroad tanker loading operation at Site A as compared
to Site B.
The primary objective of conducting quantitative analyseswas to calculate BEPs for

input to failure analysis of the ammonia road tanker loading operation. However
analysingthe IHEPsresults using SLIM techniquethe yield the following conclusions;
* Proper selection of PIFs is important as they provided the basis for

deterniiningthe IHEPsvalues. This can only be achievedthrough proper
qualitative analysis. The study found the need for a thorough qualitative
analysisprior to humanerror quantification exercises.
e Selecting appropriate calibration points in SLIM was found to be one of the
main difficultiesof the Proper

quantificationexercises. is
selection neededas
they influencethe outcomeof IHEPsvaluesfor all tasksunder consideration.
Lacking reliable data the points were selectedusing absolutejudgement
technique. Sensitivityrunsusingcalibrationpointsobtainedfrom otherHEPs
quantificationexercisesshowedthe maximumdifferenceis about a factor 30.
Taking into considerationlarge differencesnormally associatedwith human
error databasesuchdifferenceis quiteacceptable.
Results of IHEPs calculated using SLIM techniques showed that Site A has
higher value of IHEPsas comparedto Site B for identical tasks. This finding
that
suggested in ammoniaroad tanker loadingoperationSite A is subjected
to higherinfluenceof humanerror ascomparedto SiteB.

e-I 7-
t, napter
Quantifying Off-Site Risk from Road

Tanker Loading Operations
6.1 Introduction
Risk associated
with ammoniabulkingoperationwould be major releasesof ammonia
that could affectthe surroundingpopulation.In the eventof a major releasecloud of
ammoniacould travel over a long distancein the downwind direction. People
engulfedby the could be exposeto variousconcentrations
of ammonia. The amount
of ammoniaconcentrationexposedand the durationof exposureis known as 'toxic
load' (Nusseyet al, 1990). Above a certain level of toxic load people could get
injured from ammoniaexposure. A very high level of toxic load could result in
fatality. Consequences
from suchreleasescould be consideredin term of possible
'injury' or 'fatality' to an individualor the population due to exposureof certain
amountof toxic load of ammonia.
6.1.1 Objectives of conductingthe QRA

The main objective of conductingthe risk assessmentexercise for this studYis to
determinethe off-site risk posedby roadtankerloadingactivity at two major hazard
sitesusingtwo differentapproaches, i.e. the representativefailure setsand the fault

tree modelling. Resultsof individualrisk and societalrisk obtained using the two
approacheswere compared. The impact of site specific PSMS performancewas
analysed. This is done by modifyingthe genericfailure rate with the site specific
ManagementFactor or W. The ManagementFactor is determinedthrough the
PSMS audit that hasbeenconductedas being describedin Chapter4. A numberof
sensitivity analysiswere also conductedto compare among others the effect of
different values of Human Error Probabilities(HEPs) to the systemfailures. The

IHEPsvalues quantified using the SLIM technique were compared to those obtained
using nominal values of generic databases

from other technique such as BEART and
TBERP. This provides the mean to evaluate the effect of so-called 'generic human
error' (comparable to generic hardware failure rate) on the system failure rate and
eventually the off-site risk values from ammonia loading operation. Sensitivity
analysis using different IHEPsvalues from SLIM technique is also carried out. The
primary aim is to addressthe main weaknesseson the usageof such technique, i. e. the
selection of calibration points to convert the SuccessfulLikelihood Index (SLI) into
BEPs (Kirwan, 1994). For this purpose two sets of calibration points were derived.
The first set is derived using Absolute Probabilistic Judgement(APJ) values based on
site specific situation. The second set of values is obtained from existing HSE
Report (HSE, 1989) on risk assessmentof a similar activity. The flow chart of QRA
conducted for this study is shown in Figure 6.1.
The other objective is to comparethe off-site risk posed by the two sites in carrying
out a similar activity, i. e. the loading of ammonia to road tanker. Using the same
failure scenarios at both sites their off-site risks were calculated. Since the level of
technology for this activity is almost identical at both sites, differencesin off-site risk
values between the two siteswill reflect to some degreethe influences of site specific
PSMS performance and Human Error performance influences. Along the same line
of argument the contribution of human error to the overall system off-site risk was
compared between the two sites. Since the two sites belong to two different types
of ownership (one locally owned while the other ex-multinational) the results could
provide some insight into the influence of site specific ownership on process safety
managementsystem performanceand on the control of human error. Admittedly the
off-site risk results from the two sites under consideration could not be taken
statistically to representthe prevailing situation in Malaysia. However if the

contribution from site specific PSMS and Human Error found in the study is
significant, it could highlightthe needto considerthe two factors in detailedwhen
usingQRA asa tool for decisionmaking,e.g. for land-useplanning.

t
tv c
"Ci A:
6.1.2 Types of ammonia releasesthat can lead to off-site risk
Ammoniais comparativelylesstoxic thanother bulk gasesusein the industrysuchas

chlorine, so canonly be harmfulto the peopleat high toxic load (Nusseyet al, 1990).
This suggestedthat off-site risk could only be realisedfrom considerablereleasesof
ammonia. At the ammoniabulking installationsunder study releasesof this nature
were considered possiblefrom significantloss of containmentof pipework and
storagetanks. As for the pipeworkand hoses,large containmentloss would most
likely arise from guillotine failuresor completerupture of piping. Such releases
could also result from humanerror. For examplethe operator may fail to connect
the liquid transferhosebut continue pumpingthe ammoniathat could lead to a full
bore spillage(error of omission).The operatormight also inadvertentlydisconnect
the filling hoseswhile the loadingoperationis in progressresultingin a release(error
of commission).In the caseof storagetankssuchreleasescould arisefrom rupture
of the tanks. Ruptures below the tank liquid level resulted to liquid releases.
Rupturesabove the tank liquid level gave vapour releases. For a same size of
rupture hole liquid releaseswill have a higher releaserate comparedto vapour
releasesdueto the highermassdensityof liquid ammonia.
6.1.3 Events that could lead to ammonia releases
After identifyingthe type of releasesthat could most likely lead to off-siteAsk the
next step is to identify the eventsthat could causesuchreleases.Theoreticallythey

aremanyeventsthat could leadto suchreleases. As it is not practicalto considerall
possible events only credible events associatedwith the actual site under
considerationwere evaluated.Therearemanymethodsavailablefor suchevaluations
suchFault Trees, FUEA, HAZOP andExpertJudgement.Two differenttechniques
wereusedfor the evaluation.
The first evaluation was madeusing Expert Judgementmethod. This technique was
used as the systemunder consideration,i.e. road tanker loading operationis quite

simple. Results of hierarchical task analysis(HTA) conducted for the Human Error
Analysis was also used to identify human error that could lead to large releasesof
ammonia. The audit teamthat analysedthe systemalso had considerableexperience
in the design,operationand conductingaccidentinvestigationof similar systems.In
time at eachsite to observeand inspectthe
additionthe teamalsospentconsiderable
system.
The secondmethodis Fault Tree modelling. Using this methodthe chain of sub-
eventsthat could leadto majorreleases top
of ammoniawere constructed down in a
hierarchicalmanneruntil it reachedthe so-calledbase events.These base events
representa seriesof componentsor actionsthat could initiate the top event, i.e.
major releasesof ammonia.The next step is to determinethe frequencyof such
eventstaking place. For components
or hardwarefailuresthesevalueswere obtained
from historical data. As for the human error these values were obtained from
historical data or evaluatedin the form of humanerror probabilities(BEPs). These
IHEPsvaluewere calculatedusinga numberof techniquessuchas TBERP, BEART
or SLIM. Failure frequenciesor failure probabilitieswere assignedto each of the
base componentsor actions.Using mathematicalmanipulationthese values were
combined and calculatedfollowing the hierarchicalpath upward right to the top

event. The failure probability of the top event, e.g. the probability of liquid hose
guillotine failure is then determined.This probabilityvaluerepresentsthe chancesof
failure per demand,e.g. the probabilityof guillotinefailure of liquid hoseper loading.
The valueis then convertedto frequencies
by multiplyingit with the numberof events
taking place over a duration of interest,for examplethe numberof loading takes
placeper year.
6.1.4 Quantifying risk from ammonia releases
By combiningthe consequences of failuresandthe probabilityor frequencyof failure

of an event the risk from such event was determined.For individual risk, the risk
measureis presentedin the chancesof fatality over a duration of interest, e.g.
frequency of deathin one million years. Another form of measuresis the societal
risk that describedthe frequencyin which a certain numberof population will be

affectedby the injury or fatal consequences
of an event. The latter risk takes
measure

into account the population distribution density surrounding a site that could be
affected by major ammoniareleases.
A comprehensiverisk assessment needsto consider the consequences of a number

eventsundervariousinfluences
of actualsiteconditions.This includesthe site layout,
surroundingpopulation, and the prevailingmeteorologicalconditions besidesthe

actual physicalsystemunder consideration.Suchnumberof contributionsand the
possible combinationof variablesrequire the representationof a fairly complex
consequence modeling. Such modelneeds to be worked out using a computerfor
efficiency. For this studythe HSE risk assessment code

computer RISKAT is used.
6.1.5 Criteria to assessthe impact of risk
For toxic materials such ammonia, RISKAT assessmentcriterion is based on 'toxic

load' (Pape and Nussey, 1985). This criteria is a combination of gas concentration
and exposure time referred to as 'dose'. For the land planning purposes the toxic
load criteria in RISKAT used the HSE 'dangerous dose' criteria which could resulted
in severe distress to almost everyone exposed, a substantial fraction requiring
medical attention, some of those seriously injured requiring prolong treatment, and
highly susceptiblepeople possibly being killed (HSE, 1989). The broad criterion is
set to avoid spurious impressionon accuracysuch as normally implied by the use of

probit relationship, e.g. the use of single criteria such as lethality (Turner and
Fairhurst, 1989). This approach also allowed greater flexibility, particularly when
faced with poor quality data, when comparedwith probit expressionof mortality data
only (Fairhurst and Turner, 1993). Such criteria is adopted for this study.
6.2 Description of Ammonia Bulking Operations
The bulk of ammonia usage in Malaysia is as feedstock for compound fertiliser. In
the rubber industry ammonia is used as anti-coagulant agent for rubber latex. As
there is no ammonia producing plant in West Malaysia where the majority of the
rubber plantation situated, it has to be imported using semi-refrigerated tanker from

East Malaysia and Sumatera, Indonesia. The anhydrous ammonia imported is a by
product of urea production from the synthesisof natural gas which is abundant in the
two areas.
6.2.1 Site A
SiteA is an anhydrousammoniabulk terminalthat hasan annualthroughputof about

12,000MT per year andhasbeenin operationsince1985. Ammoniais broughtinto
the terminal via low pressurereffigeratedships from producersand pumpedinto
onshorepressurisedstoragetanksvia a dedicatedpipelinerunningalongthe berthing
jetty. The two 225 MT capacitystoragetanks nearthe jetty area serveas holding
tankswherethe whole load of the shipcouldbe dischargedat onego. The ammonia
is thentransferredon demandusingroadtankersto two 125MT storagetanksat the
bottling plant locatedaboutthreekilometresawayfrom thejetty. At this location the
bulk ammoniais filled into smallerskid tanks,cylindersanddedicatedroad tankersto
be sentto customers.
The plant was designedandconstructedlooselybasedon designstandardof the U.K.

multinationalthat built Site B but with minimumautomationand processcontrol.
The plant operatesonly duringthe day, exceptfor ammoniaunloadingfrom the ship
which maybe carriedout at night dependingon the availabilityof time for berthingat
the TanjungBruasPort jetty. This terminalis a dedicatedammoniabulking located
near the jetty. They are equippedwith facilities for road tankers, skid tanks and
cylindersfilling.
The bottling and bulking process is fairly straight forward using simple technology
with high degree of manual operations. The simplified line diagram for road tanker
loading is shown as Figure A7.1 in Appendix 7. The empty road tanker arrived at
the site will be physically check for fitness of purposes. The target filling weigh is
then determined by the capacity of the road tanker and the permissible ullage. The
tanker is then connected to the plant's liquid and vapour return line using flexible
transfer hoses. Liquid ammoniais pumped from the storage tank into the road tanker
under the watchful eyesof the operators. Once the target filling weigh is reachedthe
pump is stopped. The remaining ammoniainside the flexible transfer hoses is vented
to the scrubber before being disconnected.The road tanker is once again checked for
abnormalitiesand allowed to drive-off afler the relevant paper work has been
completed.
6.2.2 Site B
SiteB is also an ammoniabulk terminalbut with a largerthroughputof about 34000

MT per annumandwasthe ammonialoadingterminalfor a compoundfertiliser plant
i.e. Site C, until the last two yearswheremajorbusinessrestructuringhasturned this
plant into an independentprofit centre. The management style is inheritedfrom the

mutItinationalcompanyespeciallyfor the PSMS.
Unlike Site A this plant is locatedwithin the port areawherebulk ammoniacould be

pumpedfrom reffigeratedship tanker via dedicatedpipeline straight to the plant's
four pressurisedstoragetanks eachwith 125 MT capacity. Sixty percent of the
ammoniais shippedto Site C by pressurised
rail tankersto be used as feedstockfor
compoundfertiliser. The remaining ammoniais filled into road tankers,skid tanks

and cylindersfor downstreamdistributionmostly for anti-coagulantagentfor rubber
latex.
The bulking andbottling processat this plantis moreautomatedandwith a few more

safetyfeaturesas comparedto Site A, having benefitedfrom its UX multinational
parentcompanydesignstandardfor suchinstallations.It operatesa3 shifts system,
mainlyto caterfor shipunloadingandrail tankerloadingof ammoniawhile cylinders
bottling androadtankerloadingis only carried out on the day shift.
The bottling andbulkingprocessis very similarto SiteA but with a higherdegreeof

processautomation. The rail tanker loadingis equippedwith a numberof process
safetysystemssuch as wheel interlockswhich preventthe rail tanker from moving
while loading is in operation. The road tanker loadingbay is not fitted with wheel
interlocks nor barriersthat could reducethe chanceof connectionfailures due to
hose pull-away. Even though it is equippedwith Chiksanarm top loading, the
arrangementis not compatiblewith the current fleet of road tankers that require
bottom loading. So additionalflexible hosesneed to be fitted to the end of the
Chiksanarmto facilitatethe loadingoperations.

The simplified line diagram of road tanker loading operation is shown in Figure A7.2
in Appendix 7. The empty road tanker arriving at the site will be physically checked
for fitness of purpose. The tanker is then driven to a dedicated filling bay equipped
with a weighbridge fitted with weigh trip system. The tanker is weighed to determine
its empty weight. The target filling weight is set by calculating capacity of the road
tanker and the permissibleleague. The alarm for the weigh trip system is set at 10%
below the target filling weight. The tanker is then connectedto the plant's liquid and
vapour return line using flexible transfer hoses attached to the end of the Chiksan
arms. Liquid ammonia is then pumped from the storage tank into the road tanker
under the supervision of the operator. Once the trip is
weigh reached the pump is
automatically stopped and the tripped alarm sounded. The operator then needs to
reset the alarm to allow the pumping to proceed until the target filling weight is
reached. After the pumping stops ammonia remaining inside the Chiksan arm and
flexible transfer hoses is vented to a catchpot before the hosesare disconnectedfrom
the road tanker. The tanker is once again checked for abnormalities and allowed to
drive off after the relevant paper work hasbeencompleted.
6.3 Collecting Data for QRA on The Two Sites
The main effort in conductingQRA on the two major hazard sites involved the
collection and gathering of site specific information such as plant layout, major
vesselsand piping data, safetysysteminstalled,failure rate data base,population
data, meteorologicaldata and frequencyof road loading operations. For this
purpose a variety of tasks have been carried out which include site inspections,
interviewingworkersandmanagement,
observingthe road tankerloadingoperations,
visiting populatedareassurroundingthe sites, visiting a numberof Government
agenciesfor population data, site maps and meteorologicaldata. Such activities
consumedbulk of the field studythat spanover almost6 weeksdurationfor the two
sites. The populationdataandmeteorologicaldatathen were modifiedto fit into the
requirementsof the QRA computercodeRISKAT.

The ammonia release scenarios of selected incidents were quantified using
establishedsource models which estimate the discharge rate and extent of flash and
evaporation from a liquid pool. RISKAT incorporates two types of computer code
developed within the HSE to calculate discharge rates. A computer code called
VOGLE is used to calculate dischargerate from liquid releases,and COPTERA is
the computer code used to calculate 2-phase flow. The source term output is then
converted to concentration fields downwind using an appropriate dispersion model.

Two type of gas dispersion models are incorporated in RISKAT. The first model is
called DENZ which deals with instantaneousor 'puff type dispersion. The other is
called CRUNCH which models the continuous dispersion of heavier than air gases.
Both models are able to predict the gasesdownwind concentration at given distances.
The dispersion's calculations rely heavily on the weather data input such as the
prevailing wind speedand wind direction as well as the atmosphericstability.
6.3.1 Collecting Malaysian weather data
Weatherdata is essentialin conductinga realisticquantitativerisk assessment.The

dispersionmodellingpart of the consequence calculationsrequiresspecificationof
wind speedandatmosphericstability. The impactcalculationsalsorequiredirectional
frequenciesfor eachcombinationof wind speedand stabilityused.The atmospheric
the
stability classificationemphasised importanceof utilising data on wind direction
fluctuation and wind-inclinationfluctuation. The Pasquill-Gifford (Gifford, 1975)
classificationis usedfor this purposes
A numberof combinationsof wind speedand stabilityare selectedfor the dispersion

modelling.The combinationnumbergenerallyis six which can adequatelyreflect the
full rangeof observedvariationsof the wind speedandatmosphericstability.It is not
practical nor computationallyefficient to consider every combination observed.

These combinationsare groupedinto representativeweather classesthat together
cover all the conditionsobserved.The classeschosenmustbe sufficientlydifferentto
producesignificantvariationsin dispersion
modellingresults. The conditionsmost

likely to give rise to large effect distancesmust not be grouped with those leading to
shortereffect distance.
The collection of weather data in Malaysiais carried out by the Meteorological

Departmentof Malaysia(MDM). The Departmentonly monitors weather data at
major airports for civil aviationpurposes. The dataconsistsof basicinformationon
wind speeds,wind directions, monitored
and atmosphericstabilityclasses on a daily
basis. Only at few locationsdoesthis data go back for the last fifteen years.For
RISKAT this dataneedto be analysed
furtherinto stabilityclasses.
Risk assessment
conducted in Malaysia that
currentlyusedstabilityclasses are based
on assessors
own judgement made basedon limited local weatherdata. Someeven
usedmuchsimplifieddispersionmodelwhich doesnot take into accountthe effect of

atmosphericstability. Suchapproaches because
are not satisfactory they are neither
of the real conditions. So the authorthrough the good
consistentnor representative
office of his employer, Departmentof OccupationalSafetyand Health (DOSH) of
Malaysia initiated the request for the analysesof stability classes from the
MeteorologicalServicesDepartmentof Malaysia(MSD, 1996). Suchanalysiswould
not only be useful for the author's currentresearchbut also for future usedby the
public, e.g. for consequences in
analysis emergencyplanning. The format for the
requiredstability classeswas givento them andthey were requestedto analysethe
last 10yearsweatherdata.
However due to cost and other job priorities the MSD only managedto analyse
weatherdatafrom i.
oneairport, e. Alor Star in the format It for
requested. gives the
first time the stability classesinformationderivedfrom the actual data rather than
basedon individualestimates.The analysedweatherdatafor this airport is shownin
Appendix8. Summaryof the 10 year datais shownin Table6.1. This data is used
asinput for RISKAT runsin this study. Eventhoughit is not the actualdatafor the
two sites,in the author's opinion it is a better representationof Malaysianweather
dataas comparedto individualestimatesor the useof availabledata from developed
countries. Furthermorethe airport andthe two sitesunderstudy are locatedon the

west coast of PeninsularMalaysiaand are subjectedto almost the sameweather

pattern especially the direction of the wind blows. From the month of March to
Septemberthe wind blows north-easterlY
from the MalaccaStraits while the rest of
blowssouth-westerly
the yearthe wind predominantly from the SouthChinaSea.
As shown in Table 6.1 atmosphericstability category A and B dominate the day time
with a combined contribution of about 92% of the day time stability classes.
Referring to atmospheric stability classificationin Appendix 9, such situation reflects
very unstable conditions normally associatedwith warm and sunny weather with light
wind and cloudless skies. The rate of change of temperature with height known as
'lapse rate' is high in the atmosphere.Thus any gas releasesin this type of weather
will be quickly diluted due to strong mixing with air and dispersedupward following
the rise of warm air from the ground. As a result the toxic gas cloud that being
releasedis quickly diluted and would not travel over a very long distance downwind.
The area under toxic concentration will not be large and in a populated area less
number of people will be put at risk.
During the night howeverthe situationis reversed.Almost 98% of the conditionsfall

under F weathercategory. This categoryindicatescalm or stableweatherwhere
there is strong cooling of the ground. There exists inversion of atmospheric
temperature. In this conditionvery little or negativeupwardmovementof air exists.
A gas cloud releases in this conditioncannotreadily dispersedupward and will
travel over a long distancedownwind. For a toxic gas cloud this meansa greater
areawill be engulfedby lethal toxic concentration due to the lack of dilution and
dispersionin the atmosphere.In a populatedareathis meansmorepeoplewill be put
at risk.

Table 6.1 Meteorological Data for Alor Star Airport, Malaysia (MSD, 1996)
(Combination of 10 years normaliseddata)
Directional
Daytime Data (0700-1900)
Sector
AI m/s A2 m/s B3 m/s D5 m/s D7 m/s F m/s TOTAL
N 7.35 4.12 1.09 0.26 0.00 0.00 12.82
NNE 2.19 3.83 1.42 0.37 0.00 0.00 7.82
NE 1.95 5.82 4.60 1.62 0.03 0.00 14.02
ENE 1.54 2.82 2.68 1.27 0.02 1 0.00 8.33
E 1.87 2.17 0.39 0.19 0.00 0.00 4.62
ESE 1.03 1.51 0.15 0.01 0.01 0.00 2.72
SE 0.87 1.72 0.28 0.03 0.00 0.00 2.91
SSE 0.68 1.79 0.37 0.07 0.00 0.00 2.92
s 0.96 2.44 1.06 0.30 0.01 0.00 4.77
SSW 0.59 143 0.96 0.31 0.01 0.00 3.31
sw 0.90 2.54 2.19 0.61 0.02 0.00 6.27
WSW 1.02 3.62 3.50 1.14 0.04 0.00 9.32
w 1.64 4.77 3.72 1.07 0.03 0.00 ll.. 22
WNW 0.83 1.95 0.86 0.23 0.01 0.00 3.89
NW 0.76 1.36 0.41 0.08 0.00 0.00 2.61
NNW 0.89 1.29 0.23 0.04 0 00 0.00 2.46
.
TOTAL 25.09 43.19 23.92 7.61 0.19 0.00 100.00
Directional
Nighttime Data (0700-1900)
Sector
A1 mIs A2 mIs B3 m/s D5 m/s D7 m/s F m/s TOTAL
N 0.00 0.00 0.00 0.28 0.00 18.05 18.33
NNE 0.00 0.00 0.00 0.00 0.00 13.14 13.14
NE 0.00 0.00 0.00 0.05 0.00 26.29 26.34
ENE 0.00 0.00 0.00 0.24 0.00 9.50 9.74
E 0.00 0.00 0.00 0.03 0.00 3.49 3.52
ESE 0.00 0.00 0.00 0.00 0.00 4.00 4.00
SE 0.00 0.00 0.00 0.16 0.00 4.33 4.49
SSE 0.00 0.00 0.00 0.15 0.00 3.17 3.32
s 0.00 0.00 0.00 0.10 0.00 2.65 2.75
SSW 0.00 0.00 0.00 0.10 0.02 0.73 0.85
sw 0.00 0.00 0.00 0.17 0.00 1.03 1.10
0.00 0.00 0.00 0.16 0.00 1.33 1.49
-WSW
w 0.00 0.00 0.03 2.31 2.60
0.00 0.26
WNW 0.00 0.00 0.00 0.06 0.00 2.13 2.19
NW 0.00 0.00 0.00 0.08 0.00 2.93 3.01
NNW 0.00 0.00 0.00 0.00 0.00 3.04 3.04
LIOO.
TOTAL 0.00 0.00 0.00 1.84 0.05 98.10 OOJ

6.3.2 Determining population density surrounding the sites
the impactof the site'soff-site risk on

Populationdistributionis requiredfor assessing
peoplewho lives nearby. Toxic releases have the to
potential affect large areaso it
is necessaryto analysepopulationdistributionquite a distanceaway from the source
of releases. The impact of the be
off-siterisk could assessed based on the individual
risk distanceor risk contour that could reach the populatedarea. Alternatively it
be
could assessed
of using Societal
Risk in the form (F-N)
Frequency-Number curve
which givesthe frequency N
of eventscausing or more fatalities,injuriesor exposure
(AlChE, 1989).
For this study the population density for the two sites was obtained from the
StatisticalDepartmentof Malaysia(SDM). It is basedon the 1991 nation-wide
survey on population density (SDM, 1991). The population density map for a
particular district wasmappedbasedon the total numberof peoplesurveyedwithin a
definedarea. The populationdensityfor the two sitesusedfor this studyis shownin
Appendix 10. The populationdensitymapis capableof giving an indicationof areas
whereit is densely but

populated not the type of dwelling,i. e. whetherit is residential,
industrialor commercial.For the latter purposesthe dataneedsto be referredto the
OrdnanceMap of the two sites. Thesemapswere obtainedfrom the Land Surveying
Departmentof Malaysia (LSDM, 1992). By comparinginformationon the two maps
the populationdistributionsurroundingthe sites in term of densityand type were
established.HoweverRISKAT is only capableof dealingwith four differenttypesof
population density namely urban, commercial,rural and special area. So the
population density range categoriesneededto be regroupedto fit into RISKAT
requirements.
6.3.3 Selecting Hardware Generic Failure Rate
Oneof the mainsourcesof uncertaintyto besetthe QRA is the lack of robustdatafor

the hardware failure rate. While there has been some progress in establishing
hardwaredata banks in developedcountries,very little is availablein developing
countries like Malaysia. As such the QRA practitioner in the country resorts to
A PhDThesis
byJ.Basri 184
various data banks or literature availableworld wide. Large multinational companies
areresortto in-housedatabankswhencarryingthe QRA.
This situation posed difficulties for a regulating agency like DOSH in Malaysia in
interpreting the risk results for decision making. It is not practical to standardisethe
use of hardware failure rate sincenone of the data banks is truly generic and could be
appropriately applicableat all sites. Given different operating conditions, maintenance

standardand operators skill in developingcountries, imposing the use of a single data
bank will be counter productive. InsteadDOSH maintaineda set of internal data that
is used as guidelinesto review the all the QRA submitted to them (DOSH, 1996). The
QRA proponent will be required to provide satisfactory explanation if there is large
discrepancy between the hardware failure rate used by them when compared to this
internal data. The data also is used by DOSH when conducting its own QRA for
regulatory and advisory purposes, e.g. advising the local authority on land use
planning matters.
The internal data was established

with the help of an foreign
established consultant
which has wide experiences worldwide in the areaof risk and environmentalimpact
This
assessment. data is usedas the baselinedata for local applicationand will be
reviewedregularlyto incorporatelocalfactorsasthe informationmadeavailable, e.g.

through operating experienceand accidentdata. So the DOSH internal data as
shown in Appendix II is the primarysource for generichardware failures used in
the analysis. In the absenceof specifichardwaredata from the list data from HSE
(HSE, 1989)is used. In the event particulardatais not availablefrom both list the
handbookon processsafetyto (Lees, 1990)is referred.When availablethe DOSH
data is alwaysusedeventhoughthereis differentdata available in HSE data base
and the reference handbook. This approachwill provide some consistencyin the
selectionof generichardwarefailures.

6.3.4 Determining Human Error Probabilities (HEPs)
TheHEPsis requiredasinputto the QRA beingconducted. The modellingof failure

scenariosusing Fault Tree Analysis(FTA) includehumanerror componentsin the
form of ExternalError Mode (EEM). As describedin Chapter4, the SLIM technique
was used to detern-fine

the IHEPs. A numberof sensitivitycalculationshave been
madeto addressuncertaintyfrom calibrationpoints selectedto convert the SLI to
BEPs. BEPs calculatedin the sensitivityrunswerealsobe usedasinput for the QRA
sensitivityruns. Thesesensitivityruns showthe rangeof error in QRA resultsthat

contributedto the usageof differentcalibrationpoints in calculatingthe BEPs. Table
5.17 and Table 5.18 from Chapter5 show the summaryof IHEPsvaluescalculated
using SLIM techniquethat will be usedfor the QRA runs using FTA approachfor
SiteA andSiteB respectively.
Nominal IHEPs values from TIHERP (Swain and Guttmans, 1983) data base and
BEART (Williams, 1986) data base were also used as input to the FTA. The
purpose as mentioned in Chapter 5 is to provide the equivalent of the generic

hardware failure rate in determining the system failures. These two sets of BEPs
also were used as input to the FTA and eventually for the QRA. Results of the QRA
run using BEPs obtained through this method could provide some indication of the
effect of considering Performance Shaping Factor (PSFs) in determining the BEPs.
Sets of nominal BEPs values obtained from the TBERP data base and those
obtained from BEART data baseare shown in Appendix 12.
6.4 Conducting QRA on the Two Sites

The QRA exercisesmadeup the final stagesof the researchafter the PSMS Audits
and HumanError Analysis. Resultsobtainedfrom first two analysiswere used as
input to the QRA. This provideda meanto assess
the influenceof site specificPSMS
performanceandHumanError on off site risk from the two sites. The main goal,
takento conductthe QRA on the two sitesis given in the
objectives,andapproaches
following paragraphs;

6.4.1 Goal and objectives of conducting the QRA
The goal of the study is to estimatepublic risk arising from the handlingof bulk
quantitiesof toxic gas,i.e. anhydrousammoniaat the two sites. Resultsof the risk
estimatesare to be comparedwith a specifiedpublic risk criteria which in this case
will be the probability of fatality to individual (individual risk) and to the public
(societalrisk).
The specific objectives of the study are;
* to estimateoff-site risk to membersof the publicsurroundingthe site
e to estimate the impact of site specific PSMS performance to off-site risk using
PRRvIA Modification Factors
* to comparethe risk estimatesfoundon SiteA with SiteB
e to identify the key managementcontributions
As the mainobjectiveof the studyis to estimateoff-siterisk to the public,the general

approach in this study will be to identify that
crediblescenarios could lead to major
releasesandto calculatetheir impact. Localisedincidentswhich could lead to small
releaseswould not be considered,asthey arenot expectedto createoff-site risk.
The following approachis usedfor this study;
9 identifying potentialleaksand major releasesfrom fracturesof processpipelines

andvessels
* estimatingthe frequencyof the Top Eventwhich is associatedwith major releases

using fault tree analysis
* incorporating human failure rates in the form of Human Error Probabilities

WPs) togetherwith equipmentfailureratesin fault tree analysis

The analyticaltechniquesusedfor the analysisare;
9 Fault Tree Analysis using Fault Tree Manager computer code - for event
frequency estimation and minimum cut set importance (AEA, 1994)
9 RISKAT Computer Code - for release rates, gas dispersion analysis, hazard
rangesand fatality probability (Hurst et al, 1989)
PRDAA Audit technique - to calculateModification Factor for generic failure rate

(CEC, 1995)
SLIM Computer Code - to calculateHuman Error Probability OFiEPs)
6.4.2 Approachestaken to conductQRA
The quantitativerisk assessment

conductedfor both sites is carried out using two
methods. The first methodbasedon engineeringjudgementand expansivelist of
failures of critical componentsmainly vessels,piping, transfer hoses and their
associatedfittings. This impliessomeselectionsasincidentsthat consideredto small
to give consequencesto off-site risk are ignored. The remainingincidents were
analysedand were grouped togetherif they give similar consequences.A single
cumulativefrequency be to
will used representall the failure in
cases that group. For
exampleseveralliquid leaks be
can groupedtogether, andseveralvapour leaksplaced
in anothergroup.
The secondmethodusedFault Tree techniqueto decomposefailure of the top event

to a series of basic eventsthat eventuallylead to hardwareand human failures.
Genericfailure ratesareusedfor hardwarefailures,e.g. pipework or vesselsrupture.
HumanError ProbabilitiesCHEPs)derivedfrom SLIM techniqueareusedasinput for
humanfailurescontribution. Using a computercode(FaultTreeManager)the failure
probabilitiesof the baseeventswere combinedusing Booleanalgebramathematical

rulesto yield the overallfailureprobabilityof the top event.
For the consequences

analysisof toxic releasesspecificsourceand dispersionmodels
within RISKAT were utilised. These modelsprovided quantitativeinformation on

source rates (releaserate) and dispersion of vapour clouds to specific concentration
levels of interest. Effect models were then used to convert the incident-specific
results into effect on people in terms of injury or deaths or dangerous dose which
combinesthe two (Nussey et al, 1993). The facility to include mitigating factors such
as sheltering and evacuation,which in real life can reduce the magnitude of the effects
of such incidents provides by RISKAT were also being utilised.
In both approachesthe processof collectingon-siteinfonnationto identify credible

failure scenariosthat could lead to off-site risk at eachsite involved the following
activities;
1. Managementbriefing
2. Site visit for plant familiarisation
3. Reviewingdocuments
9 plant layout and PI&D,
e operatingprocedures
o maintenance
schedules
0 accidentandnearmissreports
* emergencyresponseplan
4. Critical observationon ammonia bulking processwith emphasison the road

tankerloadingoperations
S. Conductingphysicalinspectionon the plant conditionswith specific emphasis

on flexiblefilling hose,piping,storagetanksandroadtanker
Interviewing the manager,supervisorsand operatorson road tanker loading
process
7. Conducting walk through and talk through exerciseswith the operator on

ammonialoadingprocessto roadtanker.

Table 6.2. Durationtakento collecton-siteinformationfor QRA
Activities Site A Site B

(no. of days) (no. of days)
1. Managementbriefing and deciding on the 0.5 0.5

QRA boundary
2. Detailed understandingon the plant layout, I I

processand critical equipment
3. Reviewing documentssuch as operating 1 1.5

procedures, permits to work, maintenance
proceduresand emergencyprocedures
4. Critical observation of ammonialoading of 0.5 0.5

road tanker on-site
5. Conducting physical inspection on critical I I

plant items such as road tanker, plant piping
and flexible hoses
6. Interviewing managers, supervisorsand 0.5 0.5

operators on the ammonia loading activity
7. Walk through exercisewith the operator on 0.5 0.5

road tanker loading activities
8. Identifying credible failure scenariosthat I I

could lead to maj or releasesof ammonia
9. Visiting the plant surrounding areato assess I I

the impact on population in the event of a
major ammonia releases
TOTAL DAYS SPENT 7 7.5

Visiting the areassurroundingthe plant to identify inhibited buildings, busy roads,
open spaces,groundroughness,and estimatedistancebetweenthem and the

site
9. Discussion sessionto make final judgement on credible scenarios.
6.4.3 Conducting QRA Using Representative Failures Approach
The representativefailuresapproachis one of the methodof conductingthe QRA.

In this approachthe crediblefailure scenariosare identifiedusing expertjudgement.
As the nameimpliesit requiresadequateknowledgeand experienceof the system
underconsiderationon the part of the assessor.A simplesystemwhich consistsof a
few storagetanksandpipingruns would alsomakeit easierto applythe technique.
It is consideredappropriateto use this approachfor the QRA in this study for the
following reasons:
* the systemunderstudy,i.e. loadingof ammoniato road tankerfor the two sitesis

fairly simpleandindependent
from the restof plantoperations.
the ammonialoadingoperationinvolvedonly a smallnumberof personnelat each

site.
* the teamthat assessed the

and conducted QRA has knowledge
considerable and
experiencein the operationof similarsystem.
4, the assessorteam spent considerabletime to in carrying out site inspection,

reviewing PI&D and safety documents,observingthe operations and interviewing
the operator.
* only failure scenariosthat could lead to off-site risk are consideredwhich

eliminatesto needto considersmallreleases.
results of the HierarchicalTask Analysis performedon the ammonialoading

activitieswere alsoreferredto in identifyingthe crediblefailurescenarios.

* resultsof QRA will be usedmainlyto for comparisonbetweenthe two sitesand
not to meetspecificrisk criteriafor decisionmaking
The processof identifyingandselectingthe crediblefailure scenariosthat could lead

to off-site risk at eachsiteinvolvedthe activitiesasshownin Table6.2.
The representative failure set that has been identified using expert judgement that
could lead to off-site risk for the two sitesis shown in Table 6.3 respectively. As can
be seen from the table failures from ammonia storage tanks on-site are not
considered. Results of on-site inspectionrevealedthat these tanks are located quite a

distance from traffic movement. So the possibility of them being hit by moving
vehicles are remote. Secondly these tanks are fixed and so not subjected to fatigue
loading from road abuse unlike the road tankers. The tanks are also fitted with
additional safety features such as non-return valves, excess flow valves and
adequately sized pressure relief valves. The steel plate construction with sufficient
notch toughnessproperties also greatly reducedthe possibility of fast fracture. While
it will be essentialto analysethese tank failures in overall risk assessmentfor the site,
it was judged not to be within the risk assessmentboundary of road tanker loading
operation.
Input datausedfor conductingthe QRA usingthe representative

failuresset approach
for the two sitesis shownin Appendix12. As shownin Table A12.1 and for Table
A12.2 the releasesscenariosfor hosesandpiping arebasedon full-bore releasesdue
to guillotine failures. As for the road tanker the failure scenariosassumedshell
ruptures equivalent to 100 mm (4 inches)diameter for the two sites. Ruptures below
and above the liquid line were considered. The frequencies of failures for vessels,
pipework and hoses were taken from DOSH failure rate data as shown in Appendix
11. Thesefailure frequencieswere then convertedto failure probabilitiesby dividing
them with the total numberof ammonialoadingoperationstake place in a year for
eachsite. As thesefiguresvary slightlyeveryyear dependingon customersdemand
an averagenumberis usedfor the analysis.The averagenumberof ammonialoading
to road tanker for Site A is taken as 480 per year, while for Site B the numberis
takenas96 per year.

Table 6.3. RepresentativeFailure Set selectedfor two sites
Credible FailureScenarios Justificationfor selection
1. Guillotine failures of flexible This hosecouldeasily rupturedin guillotine fashion

liquid filling hose due to hosepull away, strengthdegradation,hit by
movingvehicle, and overpressure. This type of failure
alsoincluded thosedue to human errors,i. e. failure to
properly connectprior filling and disconnectingthe
hosewhile filling operationis still in progress.
2. Guillotine failure of flexible Similarly liquid filling hoseguillotine failures could

vapour return hose be due to hose pull away, impact loading, strength
degradation andoverpressure.
3. Guillotine failures of liquid The plant piping arrangementat the two sites made
filling line this type of failures quite credible.Ile most likely
probably due to impact loading from moving
vehiclessuchas lorry and other road tanker as well
asstrengthdegradation of piping.
4. Guillotine failures of vapour Similarly the plant piping arrangementat the two
return line sites madeguillotine failures of vapour return lines
It
possible. could be due to impact loading from
movingvehiclessuchas lorry and other road tanker
andstrengthdegradation of piping
5. Rupture of road tanker below Thereis a lot of vehiclemovementwithin the site,e.g.

liquid line fork lift, lorry carrying ammoniacylinder and skid
tanks. Poor traffic arrangementwithin both sites
would make failures due to impact loading feasible.
Howeverslow movementof vehicleswithin the site
in
would not result collision that could completely
rupture the road tanker. Fastfracturefrom ammonia
inducedstresscorrosioncrackingis considerednot to
be significantdue to the materialapprovedthe road
tanker constructionhas to meet notch-toughness
requirements by
set approved designcodeby DOSH
6. Rupture of road tanker above Apart from failures due to impact loading from
liquid line collision as describedabove,the road tanker could
also fail from loss of strengthdue to corrosionor
fatigue. As internalinspectiononly conductedevery
5 years it is quite likely weakeningof the tanker
integrity left undetected. However this type of
failures is more likely to have resultedin hole-type
failures rather than catastrophicrupture of the road
tanker.

6.4.4 Conducting QRA Using Fault Tree Modelling
In this approachthe failure scenariosidentifiedusingthe representativeset approach

were modelledin moredetailusingthe fault tree analysis.By decomposingthe failure
scenariosfartherthe baseeventsthat could contributeto the failure of the top event
could be identified. Thesebaseeventswere madeup of hardwarefailure and human
errors.
For the purpose of the study, hardwarefailure baseevents are made up of component
failures due to physical defects. As an example a faulty content gauge is considered
a hardware failure even though it may be due human error in fixing or calibrating the
gauge.
Baseeventsthat were consideredas humanerror are thosewhich failuresare due to

humanactivities. The type of humanerror consideredare thosewhich fall underthe
ExternalError Mode or EEM. This type of error only dealwith error of commission
or error of omission(SwainandGuttman,1983). As an examplefailure to connect
filling hoseto tankerby the operatoris consideredas humanerror. The study does
not attemptto look at psychologicalreasonwhy the operatorfailed to connectthe

hose.This type of humanerror fall under the PsychologicalError Mode or PEM
(Rasmussen et al, 1983). For examplethe underlyingreasonwhy the operatorfailed
to connectthe hosemaybe dueto memorylapseor mentalblock. The main reason
for not attemptingto look at the PEM is that lack of reliabledata on this type of
error. Other reasonsincludedlack of expertiseon the part of the assessment

team.
Both reasonswould increasethe level of uncertaintyin the study, which did not
justify their inclusion.
In essencethe modelling of the failure scenariosusing the FTA was to identify the
influence of human and hardware failures to the overall system failures. The main
objective is to measurethe contribution of both types of error that could lead to large
releases of ammonia which capable of creating off-site risk to the surrounding
population.
Fault tree diagramsfor site A are shown in Appendix 14. Diagrams A14.1 shows the
fault tree for system failure (guillotine failures) due to both hardware failures and
A PhDThesis
byJ.Basri 194
human error failures. Diagrams A14.2 shows the fault tree for system failures due to
hardware failures only. Thesediagramsprovide the basisto compare the contribution
of human error to the overall systemfailures.
Fault tree diagramsfor site B are shown in Appendix 14. Diagram 14A.3 shows the
fault tree systemfailures of Site B from baseeventswhich are made up of hardware
failures and human error. The top-down decomposition of base events showed
similarity with fault tree for Site A. This is due to the fact that the tasks involved in
the ammonia loading activity at both sites are very similar. Despite being designed
and built by a multinational company the level of automation and safety system
installed for this site is not much higher than Site A. The main difference lies in the
road tanker weighing systemwhich uses a weighbridge equipped with a weight trip
system. This provides an additional safety feature to the system in preventing
overfilling. Diagram 14A.4 shows the system fault tree due to base events from
hardware failures only. The human error contribution to the overall system failure
could be assessedby comparing results of the two fault trees.
Input for QRA usingthis approacharecomprisedof genericfailurerate andBEPs for

hardwareandhumanactivitiesasidentifiedin the fault trees.The baselineQRA used
HEPs values derived using SLIM techniqueas describedin Chapter 5. QRA
sensitivityruns usednominal BEPs valuesas providedby THERP and HEART data
bases. This nominal data is basedon 'average'industrialcondition which did not
subjecta worker to unusualdegreeof discomfortandthat is fairly representativeof

the NPP industry(SwainandGuttman,1983). This input is shownin Appendix 15.
TableA15.1 showsthe input datafor SiteA while TableA15.2 showsthe input data
for Site B. The genericfailure ratesfor hardwaresuch as valves and gaugesare
taken from the DOSH failure rate dataas shownin Appendix 11. For HumanError
different1HEPsvaluesgeneratedusing differentcalibrationpoints provide additional
run for the sensitivityanalysis. Theseanalysiswere carriedout to addressone the

inherentweaknesses of SLIM i.
technique, e. the selectionof appropriatecalibration
points to generatethe BEPs (Kirwan, 1994). This aspect has been describedin
detailedin Chapter5.

6.5 Results of Fault Tree Analysis (FTA)
Results of fault tree analysisusing FTM software for Site A are shown in Table 6.4.
while Table 6.5 shows the result of fault tree analysisfor Site B. The Mnimurn Cut
Set (MCS) importance analysisfor the two sites is shown in Appendix 16. The base
events contribution and some suggestionsfor error reduction for the two sites is
shown in Appendix 17.
Discussionof the results is given in the following paragraph. The discussionis

brokeninto two parts. The first part will describeresultsbetweenvariousbaselines
and sensitivityrunsfor a particularsite. The secondpart will compareresultsof the

fault tree analysisbetweenthe two sites. This is to compareand contrastthe risk
componentsbetweenthe two sites.
Analysisof resultsfor both siteswill be discussedat the systemlevel, i.e. for the
overall system failure from road tanker loading operations, and at sub-systemlevel,
i.e. the majorfailurecomponents
that contributedto the overallsystemfailure.
Analysis at the systemlevel providessome insight into the probability values of

systemfailure from the applicationof 1HEPsvalues derived from three different
sourcesLe, SLIK BEART andTBERP. It alsoprovidescomparisonon sensitivity
runs using IHEPsvalues derivedfrom different calibrationpoints from the SLIM
technique.
The analysisof sub-systemfailuresresultsidentifiesimportant baseeventsand the

MCS that actedasthe highestcontributorto the overallsystemfailure. By analysing
the underlyingmechanism why the baseeventfailuretook place, certainsuggestions
could be madeto reducetheir probabilityof failure.

6.5.1 FTA Results for Site A
Discussions on system failure rates are based on FTA results shown in Table 6.4,
Appendix 16 and Appendix 17.
1. FTA using the BEART and TIHERP nominal human failure rate data yields
higher overall systemfailure rate as compared to those assessedusing SLIM
technique for the humanfailure rate. This suggestedthat the site specific PIFs
that are the major determinantof IHEPsshould be taken into consideration in
determining the systemfailure rate.
2. Results of FTA using PIFs with equal weight and assessedweight in SLIM
analysis show a difference by a factor of 2 for Site A. This small difference
suggestedat least in the casestudy that the contribution of weighting on PIFs

are not that significant, contrary to finding by Zimolong (1992).
3. FTA usinghardwareonly datagiveshighersystemfailure rate as comparedto

further to hardwareandhumanerror components.It
thosebeingdecomposed
appearsthat the presenceof humanactivitiesprovidedthe recoveryin the case
of hardwarefailure.
4. Minimum Cut Set (MCS) analysis of Site A fault trees shows 3 MCSs
provided the highest contributions to the system failures. The 3 MCS made
up to more than 96% of the contribution to the system failures as shown in
Table A16.1 in Appendix 16. Referring the fault trees for Site A in Diagram
A14.1 show that the baseeventsthat made up these MCSs belong to the sub-
system failures of flexible hoses. The results indicate that a considerablerisk

reduction to the overall system failures could be realised by improving the
safety measuresof this sub-system. One of the measuresis installing a barrier
with interlock to prevent road tanker pull away.

00
cm
cm
-C
-C
5. At the component level the failure rates of flexible hoses failures were found
to be much higher than tanker and piping failures. Analysing the tree further
showed that guillotine failures of hosesthat could release ammonia from the
road tanker could be not easily isolated by hardware or human intervention.
Operator failures to isolate such releases could arise from the need to
manually shut-off the road tanker valves in the event of guillotine failures of
the hoses. Such action would be likely to have a low degree of successas the
operator would need to work inside the ammonia cloud. Wearing inadequate
PPE like gas mask without air supply, the operator would most likely abandon
the task when he comes under threat of large releases of ammonia from
guillotine failures of the hoses.
6. Base events contribution in term of importance is shown in Appendix 17. One
of the highest contributors for the system failure is base event no. BL21b
which representsthe operator failure in isolating possible leak from guillotine
failure of the flexible liquid hose. This failure scenario would be from the
release of ammonia from tanker to the atmosphere(reversed flow) when the

tank is filled after sometime. If the hosefailure takes place ammonia from the
tanker will flow outward. Note that road tanker could not be fitted with non-
return valve as it is supposedto receive and to deliver ammonia via the same
valves system. The samebase event also provided the highest contribution of
system failure for the rest of the sensitivity runs. This provides valuable
information when attempting to reducethe off-site risk from the systembased
on hardware and managementdeficienciesthat exist at Site A. For example

from a design point of view putting separatevalves on road tankers for the
delivery and receiving, with the latter fitted with non-return valves. In the
event of guillotine failure of flexible liquid hose the non-return valve could
prevent ammoniareleasesfrom the road tanker being filled. From the human
error point of view further analysis could provide more insight on how and
why the operator fail to isolate such releasesin the event of hose failures.
The audit interview and site observation revealed that the main reason could

be due to the operator failing to wear the necessaryPPE in hot working
environment. From safety managementpoint of view lack of comprehensive

emergencyproceduresor insufficient emergencydrills makes the operator not
adequatelypreparedwhen facing with the actual event.
7. Severaltaskscould be decomposed further to includemore sub-components

of humanerror but this was not donebecauseof the needto stay within the
boundaryof ExternalError Mode (EEM). Treatingthe humanerror further,
i.e. analysingthe PsychologicalError Mode (PEM) would introduce more
uncertaintyto the analysisas explainedearlier.
6.5.2 FTA Results for Site B
Results of system and sub-system failure rates for Site B calculated using FTM are
shown in Table 6.5.
1. FTA using the ]HEART and TBERP nominal human failure rate data yields
higher overall system failure rate as compared to those assessedusing SLIM
technique.
2. FTA using hardware only data gives lower systemfailure rate as compared to
thosebeingdecomposed
furtherto hardwareandhumanerror components.It
appearsthe presenceof humanactivitiesincreasesthe likelihood of failure.
This finding reinforcedthe needto considerthe impact of human error in
conductingthe QRA.
3. At the componentlevel the failure rate of flexible hosesis much higher than
road tanker and piping failures. Analysingthe tree further showed that
guillotine failures of hose are difficult to isolate by hardware or human
intervention. This is due to the likelihoodthat the operatorwould haveto
work within a large in

cloud of ammonia order to be ableto isolatethe leak.
However the operatorat SiteB is providedwith gasmaskwith air breathing
line which maintainsa positivepressure. Such and arrangementwill allow,
moretime for the operatorto manuallyshutoff the tankeroutlet valves.

1.0
±2
.Z
A
Wi
.
ý_o
4. Similarly Nfinimurn Cut Set (MCS) analysis of Site B fault trees in Table
A16.2 in Appendix 16 showed 3 MCSs that provided the highest
contributions to the system failures. As shown in Appendix 16 the 3 MCS

made up more than 96% contribution to the systemfailures. Referring to the
fault trees for Site B in diagram A14.3 showed that the base events that made
up theseMCSs belong to the sub-systemfailures of flexible hoses. The results

also suggestedthat a considerablerisk reduction to the overall system failures
could be realisedby improving the safety measuresof this sub-system,such as
installing barrier with interlock to prevent road tanker pull away.
5. The baseevent contribution in term of importanceto systemfailure for Site B
as calculatedusing the FTM software is shown in Appendix 17. Similar to the

Site A scenariothe highest contributor for the systemfailure is base event No.
HV21b which representsthe human activity of isolating possible leak from
guillotine failure of the flexible liquid hose. Such failure would result in
reverse flow of ammonia from the road tanker to the atmosphere via the
ruptured flexible hose that would be difficult to isolate.
6. The need to limit to External Error Mode (EEM) when comparing the
importance of base events prevented severaltasks being decomposedfurther
to include more sub-components. Treating the human error further into the
Psychological Error Mode (PEM) such as 'memory lapse' would introduce
more uncertainty and make the comparison between the two sites more
difficult.
6.5.3 Comparing FTA Results between Site A and Site B
Comparisonof FTA resultsbetweenthe two sites providessome indication of the

differencein terms of the probabilityof failures in road tanker loading operations.
For comparisonpurposesresultsof the fault tree runsfor both sitesare summarised
in
Table6.6. Comparingthe baselineFTA in Table6.6, failure probabilityof ammonia
loadingof road tanker at Site A is shownto be higherthan Site B by about a factor
about360. The differencein systemfailuresin term of frequencyper year for Site A

is much higher as this site carry out four times more road tanker loading as compared
to Site B. Taking into considerationthat the error factor in the generic hardware
failure rate of vesselsand pipeworks is about by a factor of an order of magnitude
(Hurst et al, 1992) and BEPs which about is about a factor of 3 (Swain and Guttman,
1997) this difference is quite significant.
The two sites possessthe same level of hardware technology so far as ammonia
loading operations to road tanker is concerned. Site B, despite having a more
sophisticated safety system for the rest of the bulking operation, e.g. for rail tanker
and cylinder filling, has a road tanker loading systemequippedwith only basic safety
system. The only major difference in safety systems is the used of a weighbridge
equipped with a weight trip alann that could reduce the likelihood of overfilling.
Comparison of failure probability due to hardware contribution only (as shown in
item no.4 in Table 6.6) shows a very small difference, i. e. of only 0.04. So factors
that created these large differences in the likelihood of the ammonia road tanker
system failures must have been contributed by the non-hardware items, i. e. PSMS
performance or Human Error or both.
So it could be concludedthat from the hardwarefailure contributionpoint of view

there is not much differencebetweenthe two sites. However the IHEPvaluesfor
baseevent at Site B for are lower than Site A. This reducesthe human error
contribution to the overall systemfailures. The HEN values in turn are heavily
influencedby site specificPIFs and suchprocedures,stress,experienceand training.
As thesefactors are prominentlyfeaturedin the assessment
of site specific PSMS
performancethey maybe deducedto havesignificantinfluenceon systemfailures.
2. At the two sites the probabilities of flexible hoses failure provide the highest
contributor to the overall systemfailures. This is due to the fact that hardware failure
rate of flexible hoses from historical data base is higher as compared to piping and
road tanker. The underlying cause of hose failures is because they are of inferior
construction material which make them more susceptibleto rupture due human error,
e.g. and tanker pull-away and due to strength degradation.

Table 6.6. Comparisonof FTA Results Between Site A and Site B
Description of Probability of Differences

Fault Tree Runs System (Ratio of
failure Site A Site B probability of
systemfailures -
Site A over Site B)
1. FTA using IHEPs Probability

8.22E-04 2.30E-06 360
from SLIM
(per demand)
Frequency 1780
3.95E-01 2.21E-04
(per year)
2. FTA using Probability

2 09E-04 2 44E-04 0.85
IHEPsfrom . .
(per demand)
THERP nominal
data base
Frequency 0.04
LOOE-01 2.34E-02
(per year)

1.26E-03 1.34E-03 0.94
IHEPsfrom (per demand)
HEART nominal
data base
Frequency
6.04E-01 1.28E-01 4.72
(per year)

1 81E-04 4 5E-05 0.04
Hardware only . .
(per demand)
data (not using
HEPs)
Frequency
8.69E-02 4.32E-03 0.2
(per year)

6.6 Results of Quantitative Risk Assessment(QRA)
As the main objectiveof conductingthe QRA is to determineand comparethe off-
site risk from ammonialoadingoperationsat the two sites, the QRA resultsneedto
be discussedin full. To fulfil that objective,the discussionof the resultsis broken
into two parts. The first part will discussQRA resultsbetweenthe baseline run and
sensitivityrunsfor a particularsite. The secondpart will compareresultsof the QRA
betweenthe two sites. The aim is to explain the QRA results and to highlight
significantdifferencesin off-siterisk betweenthe two installations.
Two types of QRA were conducted for both sites. The first run used the
representativeset of failure scenariosapproach. The failures set were selectedbased

on judgement of credible scenarios that could lead to off-site risks. As the toxic
load for ammonia is for land planning purposesis fairly high, i. e. 3.76E-08 ppmý min
(Nussey et al, 1993) only guillotine failures of flexible loading hoses and piping, and
large ruptures of road tanker are consideredfor the analysis.
The second RISKAT run for the Site QRA used Fault Tree Modelling. In this
approach major releasesof ammonia that could lead to off-site risk were modelled
using the top-down approach. Using Fault Tree Analysis the top event was
decomposeddown to the base events that could trigger the event. The base events
identified are made of hardware failures such as line valves sticking open, and human
error failures such as the operator failing to close road tanker valves. Hardware
failures values for base eventswere obtainedfrom generic failure rate data from
various sources. The main sourceof datawill be the MalaysianDOSH failure rate
databasethat providesmostof the failureratevalues. In the absenceof certainfailure
rate from this data,failure ratevaluesfrom other sourcessuchasthe U.K. HSE and
SRDData bankareused. As for the humanerror failuresthe SLIM techniqueis used
to generatethe failureprobabilitiesin the form of the BEPs.
The combinedhardwareand humanerror probabilitiesfor the baseeventsare then

analysedin the fault tree usingthe Fault TreeManagersoftware. This analysisyields
the top eventandthe sub-eventfailureprobabilitiesper loading.The probabilitiesthen

could be convertedto failure frequenciesby multiplying them with the numberof
ammonia loading in a given time period, for example in a year. These failure
frequenciesare then usedto quantifythe individualrisk from ammonialoading of
road tanker. As the IHEPsfor the baseeventswere derivedin different ways using
SLIM technique,the RISKAT analysisis also used to calculatetheir results for
comparison.Also comparisonis madeusingnominalIHEPsvaluesfrom TBERP and
BEART database.
6.6.1 Discussionson QRA Resultsfor Site A
Two types of QRA were conductedfor Site A, one using the representativefailure
approachwhile anotherusing the fault tree modelling. Result of QRA runs using
RISKAT softwarefor Site A are shownin Table 6.7. The discussionsof the QRA
resultsfor each type of the analysisaregivenin the following paragraphs.
6.6.1.1 Results of QRA using representative failure set approach
QRA resultsfor Site A usingthe representative failure is shownunder item No. 1 in

Table6.7. Discussionon the resultsis givenasfollows;
9 Baseline QRA (Run No. AI) using generic failure rate, i. e. without Modification
Factor show a maximumdistance200 metresto the individual risk values of
IOE-06. This indicatesthe off-site risk to public did go beyond the site's
boundarywhich is approximatelyabout70 metresfrom the loadingbay and will
affecta numberof factoriesthat surroundthe site. Howeverthe distancestill falls

short of nearestpublic dwelling which the nearestlocated approximately500
metresfrom the sourceof releases.At IOE-07individualrisk level the contour
reachedthe maximumdistanceof about470 metres. This distancestill fell short
of the populatedareawherethereare 'sensitivepeople' i.e. children and elderly
that would be susceptibleat that individual risk level. The nearestschool is
locatedabout 1.5 kilometresawayfrom this site.

CIA
rA C) C) C)
rn r- Ilt
C)
C) C) C) I Cý I C>
0 0 C> tf) C>
cq 'IT
en IT
tn
o
"0 CD
ý4 00 C)
r- M r-
C>
1.0.
Cy
(4ý
0
.0
6
Z
rA
,I-
0 cli cis tcis

z .E
cqs
0
it-,
Q
00
CD
f4
CD CD CD 0
CD CD alý CD
00 r- e V')
r-1
(Z C) 0 0
M "0 llt (C)
V ') ri
't le
CD C> C>
00 00
=
ý2L4 r_ 0r_ r- CA
.
4)
t1.
ce
,E.
ýn E
0 .-.
rA
1.0
rn
E: e - E E
x 0 tu lu
:1 0ý c
_ 0. iz-
*U c7 fi-
.ý
- Co
CY
(4-
0
CA
04
01)
< "CJ
< r- r_ <m
90
1-. w) Q ce
(A um
.=
4) m2 .
.
F-
< <
< E, 15 2
>, M Z >% c) 122ý
1. :, (;Z
>Q t; ý,
-
.0 (U 6 ID . S.
vý
m. 1.
Q cn
-ý 0.
h-o r rA
.
CY
00
<
.M
ll,
41
.C
9 Modifying the failure rate using PRR%IAPoor Modification Factor for hoses,
piping andvesselyieldsa differentset of individualrisk values(Run No.A2). As

the site's PSMS performancewasjudgedto be Poor, the QRA resultsusing this
modification representthe 'true' off-site risk values which have taken into
consideration of site specific PSMS performanceinfluence. The IOE-05
individual risk level distanceincreasedby about 20 metresto 100 metres.The
I OE-06individualrisk levelincreased by about200 metresto 400m.
This meansthat usingthe genericfailurerate,i.e. not takinginto considerationthe

site specificPSMS performancethe individualrisk distanceat IOE-06 risk level
will be underpredicted
by a factor of two. The I OE-07individualrisk distanceis
reaching630 metresthat still fell shortof the distanceto schoollocatedabout 1.5
krn away.
* Result for SocietalRisk for Site A is shownin Table 6.14. The baselineQRA
(Run no. AI) shows a value of F=30E-06, N=20. This suggestedthat there is
thirty times in a million years risk that ammonia releasefrom Site A will lead to
exposure of dangerous dose to 20 or more persons (Nussey et al, 1993). The

number of persons involved is dependedon the population density surrounding
the site. Societal risk for the Modified QRA using Poor W (Run No. A2) shows
an increasein frequency (F) by about a factor of 2. As this is supposedto be the

actualrisk value for Site B after taking into considerationsite specificW, the
useof genericfailurerateresultedin anunderpredictionof off-site risk by a factor
of two from the societalrisk point of view.
9 The relevantauthoritiesin Malaysiado not usesocietalrisk asthe criteria for the

acceptanceof the off-site risk measuresin the decision making. One country to
use such criteria for land planning purpose is the Netherlands Government
(Pasman, 1995). However the criteria
used in the Netherlands is based on the
frequency of fatality (F) as opposedto the dangerousdose by RISKAT.
produced
As such no direct comparisoncould be made between the Site A
societal risk and
the Netherlands societal risk acceptancecriteria.

6.6.1.2 QRA Results Using Fault Tree Modelling
The results of the RISKAT run for Site A are shown in Table 6.7. Discussion on
results using this approachis given as follows;
Baseline QRA runs using IHEPsgeneratedfrom SLIM using AN calibration points
showed that the IOE-06 level extendedto 400 metres from the loading position of
the road tanker. For Site A this meansthat the a number of factories surrounding
the site will be affected. As the site is located within a light industrial area such
level is consideredto meet the off-site risk criteria. The IOE-07 risk level which is
the criteria for sensitive population, e.g. the school children and elderly extended
to about 630 metres, well away from the nearestpopulation centre located about
1.5 kilometre away from the site.
* QRA sensitivity runs using nominal IHEPsvalues from TBERP (Run No. A5) and
HEART (Run No. A6) data basesshow about the same distance covered by the
IOE-06 risk level as compared to baselineQRA runs, i. e. by about 100 metres. It
appears to suggest that the use of nominal HEI's values without taking into
considerationsthe site specific PIFs do not really affect the off-site QRA result for
Site A.
Whenconsideringthe systemfailuredueto hardwareonly, i.e. omitting the human
error components,the QRA results (Run No.A7) also show much longer
individual risk distance. For the IOE-06 risk level the differenceis about 130
metresas comparedto the baseline QRA runs. This suggestedthat the use of
hardwareonly dataresultedin overpredictionof off-siterisk by morethan 30% It
-
appearsthat the introduction of human error componentsinto the Fault Tree
Analysisgavelower failure probability. It could be that human, i.e. the operator
providedsomeform of recoveryfrom hardwarefailures.

A QRA sensitivity run using REPs value derived from SLIM technique using APJ
calibration points obtained from an HSE study (Run No. A8) showed slight
difference with the baseline QRA results. At IOE-06 level the individual risk
distanceis 460 metresas comparedto 400 metres for the baselinerun, a difference
of about 60 metres or about 11%. This suggestedthat the calibration points

selectedusing APJ method by the auditor for the base line QRA was not far out
from thosejudged by the expertsconducting a similar study (HSE, 1989c).
9A QRA sensitivity run using three APJ calibrationpoints (Run No.A9) was
conductedto checkwhetherthe use of more calibrationpoints would make the
BEPs value more reliable as comparedto the minimumtwo calibration points
suggestedby Kirwan (1994). Resultsshowedfor Site A the differenceis quite
small. At the IOE-06 and IOE-07 risk level the differenceis only about 10%
respectively. At leastfor Site A the useof threecalibrationpoints did not really
resultin significantdifferenceto the off-siterisk.
The final QRA sensitivityrun (RunNo.AlO) wasto investigatethe effect of using

differentweatherdata. As ammoniadispersionis influencedby weatherconditions
suchaswind speedandatmosphericstabilityit would be of interestto seeits effect

on off-site risk of Site A. For this purposethe UX weather data taken at
Portsmouthweatherstation havebeenutilised. QRA resultsusing this weather
data showeda big differenceas comparedto the baselineQRA using Malaysian
weatherdata. The distanceto the IOE-05risk level differs by a wide margin of

almost400 metres. The IOE-06 risk level differs by nearly 800 metresor by a
factor of 2. The differenceto IOE-07 risk level distanceis even higher, about
1800metresor about a factor of 3. Analysingthe stabilitycategoryof the two
setsof weatherdata showedthat the Malaysianweatherdata were dominatedby
ClassA andB which indicatesvery unstableweatherconditionswith high lapse
rate which could dispersethe ammonia rapidly into the upper atmosphere
(Marshallet al, 1995). This is the reasonwhy the baselineQRA showinsignificant
risk level beyondthe 750 metresdistanceas shownin Table 6.8. While the U.K.
weathertendsto be equallydivided in term of weatherclassstability. The day

time is dominated by Class A to D categories weather which promotes rapid
dispersion of ammonia. However during the night ClassE to G weather category
prevails which representcalm weather where an ammonia cloud could travel over
long distance before natural process of mixing with air reduces its lethal
concentration. As RISKAT apportioned this weather conditions to average the

daytime and night time weather probability the calm weather under Class E to G
category slows down the upward dispersionof the it

gas and makes linger close to
the ground at much further distance.
* Table 6.8 showed that the individual risk distance using the U. K weather data
exceeds the 2 km. The result of this sensitivity run showed the importance of
using site specific weather data. Using another country weather data in the
absenceof local data might result in a significantly wrong estimate of off-site risk
distance.
Societal Risk results for Site A using FTA modelling are shown in Table 6.9. The
baselineQRA (Run No. A4) shows a value of F=150E-06, N=20. This suggested
that a prediction of fifteen incidents in a hundred thousand years that ammonia
releasesfrom Site A will lead to dangerous dose exposure that will affect 20
personsor more.

en
000
Ix
C4
; 0.
.4--a
0
ý.
ow
-0
Wý
=
"o
.- 0
C)
. ce
40
Q
rA
ij
0
i'.'
0
.tl
1.0.
CY
W,
W)
W-4
f4
CD CD
"0 0
CD
0 CD
u U- 11 CD
0 (Z k/) (Z
4
ý4 4
Z'
-,
t. -m9
t. E-0.
GA
:i
9) JX
1.. o
6. 6.-
0
+ý
CJ Z0
-- 9==in,
w ce -- ý: 0
CM-v
a2 l E
.. ý
ci d.-
0>
0
P., 0r .
-
2
ý
ýo 0.ý u
:3 '-, D; 0
CA
(A
o.
'. cy. 2 ci [-,
Co u.
rA
0 v +ý
< =
r_ c: >
00
.0
0
Z
4 ll% b'n b-
f4
6.6.2. Discussionon QRA Resultsfor Site B
Two types of QRA were conductedfor Site B, one used the representativefailure
approachwhile anotherusing the fault tree modelling.Results of QRA run using
RISKAT softwarefor Site A are shownin Table6.10. The discussionsof the QRA
resultsfor eachtype of the analysisaregivenin the following paragraphs.
6.6.2.1 QRA Results Using Representative Failure Approach
Results of RISKAT runs on Site B using this approachindicate the following;
4P As the PSMS perfonnance of Site B was assessedto be Average, the QRA result
(Run No. 131) using the generic failure rate, i. e. without Modification Factor is
considered to be representativeof the 'true' values. This baseline QRA using

generic failure rate show a maximum distance 290 metres to the individual risk
values of IOE-06. It indicates that the acceptablelevel of off-site risk to public
did go beyond the site boundary which is approximately about 50 metres from the
loading bay. This level of risk will cover the adjacent public road as well as a
portioned of the Animal Feedmill factory next door. However the level of risk
did not go beyond the industrial estate to the populated area that are located
about 2 krn away.
At IOE-07 individual risk level the contour almost reacheda half kilometre
distance.Howeverthis distancestill fell shortof the populatedareaasthe nearest
housingestatewheretherearechildrenandelderlyis about3 km from the site.
Modification of failure ratesusing Good Modification Factor (Run No.B2) for

hoses,piping andvesselsshoweda decrease in the individualrisk contourdistance
as comparedto the genericor unmodifiedfailure rate. For the IOE-06individual
risk level the contour distanceis reducedby about 190 as comparedto analysis
usingunmodifiedfailure rate. This meansthat if the Site PSMS were assessed
to
fall underthe Good categorythe I OE-06risk level will be by almosta factor of 2.
The result showsthe needto considersite specificPSMS performanceas each

site may have different performance even though they belong to the same
companyasin the caseof SiteB andSiteC.
* Table 6.12 shows the results of Societal Risk for Site B. The baseline QRA
(Run No. BI) shows a value of F=70E-06, N=30. This suggested that there
would be seventy incidents in a million years that ammonia releasesfrom Site B

will lead to a dangerousdose exposurethat will affect 30 persons or more. The
number of persons involved is dependedon the population density surrounding
the site.
e Societal risk for the Modified QRA using Poor W (Run No. B2) shows an
increase in frequency (F) by about a factor of 2. As this supposed to be the
actual risk value for Site B after taking into considerationsite specific W, the use
of generic failure rate resulted an underprediction off-site risk by a factor of two
from the societal risk point of view.
6.6.2.2 QRA Results Using Fault Tree Modelling
Results of the RISKAT run using the approachis given in Table 6.10. Discussion of
the resultsis givenasfollows;
* Baseline QRA run (Run No. B4) using HEPs generatedfrom SLIM using APJ
calibrationpointsshowsthat the IOE-06individualrisk distancelevel extendedto

270 metresfrom the loadingpositionof the road tanker. For Site B this means
that the next door installation,i.e. the animalfeedmillwill be affected. As the site
is locatedwithin the port industrialareasuchlevel is consideredto meetthe off-
site risk criteria.
The IOE-07 risk level which is the criteria for sensitivepopulation, e.g. the
schoolchildrenand elderlyextendedto about half a kilometrewell away from
the nearestpopulationlocatedabout3 kilometresawayfrom the site risk.

00
V-4
(A
4-.
to
CY
td.
0
GO2
4)
iz
.0
.m
CN
V-4
r14
m
9)
40.
rA
I
QRA runs using nominal IHEPsvalues from THERP (Run No. BS) and BEART
(Run No. B6) data bases show much longer distance covered by the IOE-06
individual risk level as comparedto baselineQRA runs, i. e. by about 100 metres or
40%. This indicates that the IHEPsvalue has considerableinfluence on the QRA
results. It also suggeststhat the use of nominal BEPs values without taking into
the sitespecificPIFswould overpredictthe off-site QRA result.

considerations
Whenconsideringthe systemfailuredueto hardwareonly, i.e. leavingthe human

error components,the QRA results (Run No. B7) also show much longer
individual risk distances. For the IOE-06 risk level the differenceis about 120
metresas comparedto the baseline QRA runs. This suggeststhat the use of
hardwareonly data resultedan overpredictionof off-sitc risk by about 45%. It
appearsthat the introductionof humancomponentinto the Fault Tree Modelling

improvedthe failure probability. One possibleexplanationwould be that human,
i.e. the operator provided someform of recovery in the event of hardware
failures.
9A QRA sensitivity run (Run No. B8) using BEPs value derived from SLIM
techniquesusing APJ calibration points obtainedfrom an HSE study (HSE,
1989c)showedsomedifferencewith the baselineQRA results. At IOE-06 level
the individual risk distanceis 310 metresas comparedto 270 metres for the
baselineruns,a differenceof about40 metresor about 13%. This suggeststhat
the calibrationpointsjudged usingAPJ methodfor the baseline QRA was not far
out from thosejudgedby the expertsconductingthe HSE study.
eA QRA sensitivity run using three APJ calibration points (Run No. B9) was
conductedto checkwhetherthe use of more calibrationpoints would make the
IHEPsvalueasderivedfrom SLIM morereliableascomparedto the minimumtwo
calibrationpointsas suggested by Kirwan (1994). Resultsshowedfor Site B the
differenceis quite small. At the IOE-06risk level the differenceis only about 10
metresor a mere2%. As for Site A the use of three calibrationpoints did not
reallyresultin significantdifferenceto the off-site risk for SiteB.

The final QRA sensitivity run was to investigate the effect of using different
weather data (Run No. BIO). As ammonia dispersion is influenced by weather
conditions such as wind speedand atmosphericstability it would be of interest to

its effect on off-site risk of Site B. As for Site A the UX weather data within
RISKAT taken at Portsmouth weather station have been utilised. QRA results
using this weather data show a very significant difference as compared to the
baseline QRA using Malaysian weather data. While the distance to the IOE-05
risk level differs only by about 7%, the IOE-06 risk level differs by 275 metres or
a factor of 2. The differenceto IOE-07 risk level distanceis even higher which is
about 750 metres or about by a factor of 8. These differences are comparable to
that of Site A. This showed a consistentimpact of using the U. K. weather data for
the two sites. As discussedearlier the Malaysian weather data were dominated by
Class A and B which indicates very unstable weather conditions with high lapse
rate that could disperse the ammonia rapidly into the upper atmosphere. That
explained why the baseline QRA show insignificant risk level beyond the 750
metres distance as shown in Table 6.11. The U. K. weather tends to be equally
representedin term of weatherclassstability. ClassA to D dominatedthe day
time weathercategorieswhich promoterapid dispersionof ammonia. During the
night calmweatherpersists,i.e. ClassE to G weathercategory,where ammonia
cloud could travel over a long distancebeforenaturalprocessof mixing with air
reducesits toxic concentration.Table6.18 showedthat the I OE-06individualrisk
distanceusing the UX weatherdata could reachedI km from the releasepoint.
Result of this sensitivity run once again showedthe importanceof using site
specific weather data. Using another country weather data especiallywith a

significant climate difference,e.g. betweentropical and temperateclimate, will
resultedin a very significantdifferencein off-siterisk distance.

CD '1
(Z (Z) C) I C)
C)
CD
CD CD 0 0
CD C)
(Z
CD CD C) 0
CD
CD CD
CD
C>
m C CD
CD
cc; c;
00 e aN
CD 0
CD 0 CD
ý2.
CD CD
CD
JW rn - CD
Gn
c;
V') M
l= (=) all
coi cý
\Z tA
f4.
0
rA
5 r- tu
= (A
(1) . 0 . 92
GeýGA
'Z
M ce
ZM
E ý9
ei
-0 U- ,ýd CU
-b-
iz
"Z
*-
" 0 CZ
:1 Q)
91 "ri
0 &) 4)
2
"0
tQ Gn
,im 10
00 (L)
(A
ý-
m *0
0 Z 5 E.
ýý
rA
0
*d
X
:1 r. -GA
:s t. '
t. *,r-
7;
ý
)..
=$
< 2 En
CY
GA
ý- *2E
21
[-. =Em
w. a-0C
fi 1. 9) 10 4 0
C. *
Gn C:6 (V : . ttz -7i
X -Z ý.
a r
- 0
0
Zc>
6
V*
l'C
11.1
m
eq
0.
t.
Ici
Gn
.0
. r6
an
.0
22
19
IT
eq
40.
CA
(L)
JD
11.3
Societalrisk results for SiteB usingFTA modellingis shownin Table 6.12. The
baselineQRA (Runno. B4) showsa valueof F=2.3E-03,N=30. This suggeststhat
therewould be 23 incidentsin ten thousandyearsthat ammoniareleasesfrom Site
B will leadexposureto dangerousdoseaffectingpersonsor more. Comparingthis
figure with baselineQRA using representative
failuresapproach(Run no.B I) of
70E-06 shows a difference of about a factor of about 30.
6.6.3 Comparison of QRA Results Between The Two Sites
The main objectiveof comparingthe resultsof variousQRA runs betweenthe two

sitesis to identify their differencesand similarities. As the two sites carry out the
sametype of activity,i.e. roadtankerloadingoperationsusingbasicallythe samelevel
technology, it would be useful to identify factors that influencethe QRA results.
Someof thesefactors may be link to the site PSMS. Assessingthe interactionof
thesefactorswith site specificPSMSperformancewould providesomeunderstanding
on how PSMS influencesthe off-site risk from major hazard installations. QRA
resultsfor Site A as shownin Table 6.7 and for Site B as shownin Table 6.10 are
referredto for the discussion.
6.6.3.1 QRA Using Representative Failures Approach
9 The QRA resultsusinggenericfailureratesfor both sitesshoweda varying degree

of differencesbetweenthe two as shownin run No. Al andBI respectively. At
the individualrisk levelof I OE-05the off siteof SiteA reacheda distanceof about
80 rn as compared 40 rn to Site B, a differenceof abouta factor of 2. At these
distancesthe risk would not extendoutsidethe two site'splant boundary. For the
IOE-06 and IOE-07 individualrisk level distances, the differenceis just about
23% and 2% respectively.The resultssuggestthat the off-site risk posedby the
two sitesis aboutthe samewhenunmodifiedgenericfailure rate databeingutilised
in the analysis.

9 The PREVIA Audit results show that Site B PSMS performance fall under the
Average category so the generic failure rates need not to be modified as they
represent the failure rate of an averageplant. However the PR1MA Audit results
show that Site A PSMS performance fall under Poor category hence a Poor
Management Factor (W) should be applied to the generic failure rate. The QRA
results of the two scenarios(Run No. A2 for Site A and Run No. BI for Site B)
would represent the 'true' off-site risk level, i. e. after considering the site specific
PSMS performance. Analysing the QRA results between the two shows a
significant difference. At individual risk levels of I OE-05, I OE-06 and I OE-07 the
risk values of Site A are higher than Site B by about 60%, 35% and 23%
respectively. Theseresults suggestthat the off-site risk from ammonia road tanker
loading operations posed by Site A is higher than Site B. Given an almost similar
level of hardware technology, the factor that influencesthe QRA results would be
the site specific PSMA performance. The results provide a positive indication on
the needto consider the influence of site specific PSMS performanceto the off-site
risk.
6.6.3.2 QRA Using Fault Tree Modelling
Analysing the QRA results for Site A and Site B using this approach yields a number
of importantfindings. QRA resultsfor SiteA asshownin Table6.7 and for Site B as
shownin Table6.10 arereferredto for the discussion.
9 Comparing the base line runs for the two sites shows that the overall individual
risk level distancefor Site A (Run No. A4) is higher than Site B (Run No.B4).
The risk valuesof Site A arehigherthan SiteB in term of individualrisk level at
IOE-05, IOE-06and IOE-07by about90%, 30% and 30% respectively. These
results suggestthat off-site risk from Site A is slightly higher than Site B. As
mentionedearliergiven the sametype of activity conductedat the two sitesand
the use of almost similar hardwaretechnologythese results pointed out to
possibledifferencesin the levelof IHEPs.The IHEPsvaluesare largelyinfluenced
by site specificPIFs suchthe quality of operatingprocedures,experienceand
training which alsofactorsthat influencethe site specificPSMS performance.As

such some indirect conclusion could be made that site specific PSMS did
influencethe off-siterisk.
9 The QRA runs using nominalHEPs from THERP and HEART data basesshow
smalldifferencesbetweenthe two sites.UsingTHERP databaserate (RunNo.A5
and B5) the differencein individualrisk level at IOE-05, IOE-06 and IOE-07 is
only 21%, 8% and 12% respectively.As for the HEART data base rate (Run
No.A6 andB6) the differencein individualrisk level at I OE-05,I OE-06and I OE-
07 is only 18%, 2% and 23% respectively.Sincethe samevaluesof BEPs are
used for both sites the differencesin the off-site risk would be most likely
contributedby the genericfailurerate.
* Comparingthe QRA runs usingfault treesthat only considerhardwarefailures
showedsimilartrend.The QRA resultsshowthe off-siterisk from Site A is higher

than SiteB. The differencein individualrisk level at IOE-05, IE-06 and IE-07 is
about 28%, 25% and 33% respectively.
* The final runs using the baselineQRA but with U.K. weatherdata also indicate
that Site A off-site risk is higherthan SiteB. In fact this QRA run providesthe
biggestdifferenceon the individualrisk level distance.At individualrisk level of
IOE-05, IOE-06 and IOE-07 the risk value of Site A is higher than Site B by
about 80%, 58%, and 50% respectively.The results support the need to give
priority in developingmoreaccuratesitespecificor countryspecificweatherdata
asits impacton off-site risk is morepronounced.
6.6.4 Summary of the impact of PSMS performance and Human

Error to QRA results
The impactof site specificPSMSperformanceandHumanError on QRA resultsfor

the two sitesare shownin Table6.13. In orderto makea consistentcomparisononly
the risk measuresof lOE-06individualrisk level distancewill be utilised. Discussion
on the resultsis givenasfollows;

00
e'i
C/) ýc 00 tl- 't tl-

rq m N cq
"0
(A
ý4
ý5 --, 42
14
.
10
M
1.
6.6.4.1 The impact of PSMS performance on QRA results
The analysisNo. 1 and 2 in Table 6.13 showed that the difference of QRA results
when the site specific PSMS is

performance taken into consideration is by about a
factor of 2 for Site A. The difference of ManagementFactor (MF) of about a factor
of 4 for generic failure rate of pipework for Site A (Table 4.5, page 104 in Chapter
4) is translated into a difference of a factor of 2 in the QRA results.
As for Site B the differenceof the QRA results is about a factor of 1.2. The
differenceof ManagementFactor of abouta factor of 1.2 for genericfailure rate of
pipework for Site B (Table4.5, in Chapter

4) to
seems be directly translatedinto the
actualdifferencein the QRA results.
6.6.4.2 The impact of Human Error on QRA results

The impact of Human Error in the form of IHEPs on QRA could be made by
comparing results as shown in analysisNo. 3 and No. 4 in Table 6.13. For Site A the
analysis that did not take into consideration of Human Error in carrying out the
ammonia road tanker loading operation provided higher off-site risk than the one that
does, by a factor of about 1.2. The result implies that Human Error provides positive
contribution to off-site risk at Site A. However for Site B the difference is

insignificant indicating negligible impact of Human Error on the QRA results.
6.6.4.3 The impact of considering Human Error component in Fault Tree

Analysis for QRA results
AnalysisNo.5 and No.6 show the impactof consideringHumanError component

in Fault Tree Analysisfor QRA results. For site A, the inclusionof Human Error
componentsbesidethe hardwarecomponentsasbaseeventsin Fault Tree Modelling

for QRA reducethe off-site risk by a factor of 0.8. Onepossibleexplanationis that
the high level of manualoperationfor ammoniaroad tankerloadingat Site A affords
a higherlevel of recoveryin the eventof hardware
failures.
As for Site B the QRA result is higherby a factor of about 1.2 when considering
HumanError as baseeventsbesidethe hardwarefailures in Fault Tree Modelling.
Similarlyone possibleexplanationis that the higherlevel of processautomationfor

ammoniaroad tanker loadingat Site B reducethe chancesof manualrecoverythe
eventof hardwarefailures
6.7 Conclusions
Basedon the experiencein conductingthe QRA aswell asresultsof the analysisa

numberof significantconclusionscouldbe made.
* The site specificweatherdatais oneof the most dominantfactorsinfluencingthe

off-site risk level at the two sites. So more resourcesshould be allocated in
establishingsuchdataif a fairly accurateandreliableQRA resultsneedto be used
to assistdecisionmaking,e.g. for landuseplanning. This finding seemsto agree
with finding by other researcherssuchas Kukkonen(Kukkonenet al, 1993) and
Marshall (Marshallet al, 1995). This is especiallytrue in developingcountries
wherethereis lack of reliableweatherdatafor QRA. Developingcountrieswhich
local weatherdatashouldmakeits developmentas one
still without the necessary
of the top priorities if they intend to use QRA as a tool to assistdecision
making, e.g. for landuseplanning.
* QRA runs using FTA which takesinto considerationthe hardwarefailures and

IHEPsshowed a lower off-siterisk valuesascomparedthosewhich only consider
hardwarefailuresfor the two sitesasshownin Table6.13. The resultssuggested
that human action reducesthe off-site risk level. Analysing the Fault Tree
componentsshowedthat humanactionsprovide someform of recovery in the
event of hardwarefailures.This finding showsthe importanceof humanfactors
contributionto QRA, the outcomessharedby PurdyandWasilewski(Purdy et al,
1994).
9 Site specificPSMS performancedo providesignificantimpact on off-site risk at

the two sites. PRIMA Modification Factor is used as a means to explicitly
influence. The effect could be
considerthe effect of site specificmanagement
positive or negative dependingon the PSMS performancein the form of

Modification Factor of the site underconsideration. In the study Site A has a
poor than averagePSMSperformanceso the off-site risk level is higher than the
baselineQRA that usesgenericfailure rate. As for Site B, it has an average
PSMS performancehencethe off-site risk level using the generic failure rate
would be representative.As Site A is a locally ownedsite while Site B is an ex-
multinationalsite,the findingseemto suggestthat the poor PSMS performanceof
Site A as ratedusingPRRVIAcontributedto the higheroff-site risk as compared
to Site B. This finding providesan indicationon the influenceof site specific
PSMSon off-site risk from majorhazardsitesin Malaysiaconsideringthe fact the
two sitesmight not be representative
of the whole industry.
* THERP and HEART nominal data bases provide an equivalent of the generic
humanerror rates or humanerror probabilityor IHEPs,while SLIM generated
IHEPsis a meansto explicitly consideredthe site specific managementand
organisationalinfluenceson BEPs. As shownin Table 6.13 results of off-site
risk using these'generichumanerror rates' for Site A is lower as comparedto
the oneusingSLIM generatedhumanerror rates. While resultsof QRA run using
these'generichumanerror rates'for Site B showedalmostthe sameoff-site risk
valuesascomparedto usingSLIM generatedhumanerror rates. Eventhoughfar
from conclusivethe resultscouldimply a neutralto negativeeffect (not a positive
and organisationalinfluenceon the generic

effect) of site specificmanagement
humanerror rates.

d-Y 1-
unapter
Using PRIMA as an integrated audit

for PSMS and HEA
7.1 Introduction
PSMS are made up of comprehensive set of policies, procedures, and practices
designedto ensure that barrier to process incidents are in place, in use and effective
(AIM, 1993). This implied the requirement for an effective interaction between
procedures, human and organisation. As such some form of site specific common
factors will influence both the PSMS and human performance. The interplay between
these factors is fairly complex as its involved the multiple interaction at many levels
(Moieni, 1993) in a fonnat known as 'many to many mappings' (Embrey, 1992 ).
For example ineffective feedback from operational experience could not only affect
the quality of training programme but it also could make the existing operating
proceduresobsolete as it should be reviewed and updated regularly from lesson learnt

from operational experience. A number of approacheshave been put forward by
various researcher such Embrey (1992), Aspotolaskis (1994), and Pete'-Cornell

(1996) in attempting to capture humaninfluencesto systemsafety.
Development of new approach either in the form technique or framework is beyond

the scope of this research. What is apparentwhile conducting the current researchis
that there are some common attributes of PSMS and Human Error that could be
derived through PRIMA audit results. If these attributes could be assessusing
PRIMA audit then an opportunity to link part of BEA with PSMS assessmentbe
realised. This will enhance the effectiveness of PRIMA audit by providing an

additional feature to assesscertain attributes that essentialfor BEA.

7.2 Common attributes that essential for both PSMS
Audit and HEA
The common attributes that are essentialfor both PSMS Audit and BEA are mainly in
the form of some organisational factors such as procedures, training, stress,
communication and feedback, and hardware factors such as operator/equipment

interfaces, process safety system, as well as operating environment such heat,
humidity and lighting. For PSMS audit these factors are important aspect to be
considered in assessingits performance for a particular site. As for the BEA these
factors are called PerformanceInfluencing Factors that influence the human/operators
for successful execution of a particular task. Assessing both attributes using a
common field auditing technique such as PRRVfA would enable the efficient use of
resources,which is critical in developing countries.
7.3 How PRINIA Audit assessedthe attributes
such attributesin order to evaluatethe key componentsof

PRIMA audit assesses
PSMS. It's audit questionsextract the information at four levels of the socio-
technicalpyramid i.e. Level 2- operatorreliability,Level 3- communication,control
and feedback,Level 4- organisationalprocessand structure,and, Level 5- system
climateunderfour differentthemes(i.e. ThemeA- proceduresand processto do the
job, ThemeB- standardsfor thejobs, ThemeC- other pressuresthat interferewith
the job, and ThemeD-resourcesfor the job). Suchan approachwas found could
yield valuable information on the commonattributesthat influence both the site
specificPSMS andthe PIFs in BEA. This could leadto the possibleintegrationof
PSMSandBEA site auditthrougha provenaudittechniquelike PRIMA.
7.4 Examining the possibility of assessingPIFs for

HEA using PRIMA Audit
To examinethe possibility of such approacha detailed analysisof PRIMA audit
results of the two sites was carried out. Information obtainedthrough the audit
in
questionnaireswas analysed trying to extract the relevant information that could
be used to assessthe PIFs. The assessmentis made basedonly on responsemade by
the intervieweeswithout involving auditorsjudgement as it may involved information
gathered through other means such as site inspection and document reviews. This
enabled the comprehensivenessof the PREWA audit questionnaires to be examined
independently, minus the expert judgement input that needed to form the PSMS
control loops. To find out the feasibility of such approach PIFs that have been
selectedfor the quantification of Human Error of the two sites namely Experience,
Procedures, Stress and Feedback study were analysed. Results of the analysis using
information gathered through PRIMA questionnairesfor Site A and for Site B is
shown in Appendix 18.
As canbe seenfrom Appendix18 thereareusefulinformationthat could be extracted

from PRIMA Audit Questionnaires
which couldbe useto assessthe PIFs situationat
eachsite. As for
an example Site A the informationfor PIF of Experiencein Theme
A is availablefrom Level 5 to Level 3 even though is not adequate.However
informationon Level 2 i.e. operatorreliability is not availableat all. For ThemeB
informationon Experienceis availableto certainextent in Level 5 and Level 4 but
none is availablein Level 3 and Level 2. Summaryof the PIFs evaluationusing

PRIMA audit resultsfor Site A is shownin Table 7.1 and for Site B is shown in
Table 7.2. The two tables showedthat PIFs informationis not availablefrom all
themethat madethe PRIMA audit questionnaires.Howeverby combiningthe PIFs
for all the 8 key audit areas(each
informationmadeavailablefrom the questionnaires
madeup of 4 Levelsandunder4 differentThemes)a reasonable judgementcould be
made for their qualitativeratings as shown in Table 7.3. Thesequalitative ratings

representthe overall situationof the sitePIFs or at 'global' level. For examplethe
PIF of Experiencefor SiteA is judgedto be of Average,Procedureis of Poor, Stress
is of AverageandFeedbackis Poor. For SiteB the PIF of Experienceis judged to be
of Average,Procedureis of Average,Stressis of Averageand feedbackis Good.

441)
eol
LU C14
>
<
2 g2 E i2 EI L'
...
< 12. <<- 0. iz. 0. < 0. J.
ý
c,
>
< <ý<
92
>
Z<
Z< Z
LLý v
9) ý utn ZK A (4) = '
ZK 45 (A <<
C 2
n.
=
:>:
0 4)
>- Z::
9) (U
>.
0
Z >. ::
9) uu uu
ý
>« ý :
12.e m :
a) ---- ---- ---- ----
cis
00u 9) 0 0u (A = vi
00u
ZZ :ZZ ZZ :Z:
"a
rn r, 4 vl 't m C,1 vý 't m r-4

---- ---- ---- ----
fA tA
U02
(A Z<<
lý
Kn
u
ý-
V)
uýý
(A Z
'ý
u0u0=A=
fA rA
000
Z : ZZ :ZZZ
rA
ýjo -2 -
(u - 91> zm - 9) - u -U -0 mzzz -u -u -u -u
r. >>> > >>
0
21
.8
0
rA
j3 .5
rA <<<
ZZ <<< Z<<<
CJ2 Gn r. ? ýýý ýý1. jý ý
U. -- r.
0
:Z .Z
JD (A 0 2>2 2.
(n 3e .2
-' -2
u OUO
t
rA
GA
z<
0
b. w U
10
en
Lo (14
gi
0 000 ho 0
EEE! ILI
= (A (A ýto =
00
fA (A
4)
(A
4)
Z. ýZ, 2. O=j
0-
It m C14 to'l It m t14 W) It m C14 tn qt en C4
--- ---- ---- ----
r_
.2 -8
I.T. E
zzzzzz 000
.0
(A *2
tn
1,, II,, Ii,, IIII
-t m C-4 wl ,tm C-4 wl --t m-., -ýt m C-4
----------------
8p=
rA
(V
rA
rA
ce
000
12. '. >2 ZZZ
0
.1
>.ZZ >ý
w
Iýt C.) r4
5,0.8
(A0
IV
M
ce
<<<
=- <<<Z<<
"' , un
,0u -0 v) z. '.' r. .. 0
"0
.-'M
,' 'm .-
(A m=
9
:J=u9
,2H=uZ -12
12 a«
m9=
9e1ýg
1
"0 rr V
z< .0
22
t
c
,2U&.
w (i Z I1
uZ00w
PIFs rating obtained using this approach is then compared with PIFs assessedsolely
using auditor judgement as obtained from Table 5.15 Section 5.4.4 in Chapter 5 and
shown in Table 7.3. As can be seen from the table PEFsrating as assessedusing
PRIMA Audit results differs on Stressfor Site A and on Experience for Site B. Even
that the differenceis smalli.e. from Averageto Poor for Stress(Site A) and Good to
Averagefor Experience(Site B). This indicatesthat basedon the four PIFs under
i. Feedbackand Stress,the informationmade
consideration e. Experience,Procedures,
available in PRIMA Audit results is quite adequate to rate the site specific PIE
However the four PlFs under considerationi.e. Experience,Procedures,Feedback
and Stressare commonfactors that influencehumanerror on majority of tasks in
chemical process engineering environment. It remains to be seen whether PRIMA
audit resultscould also provide similar informationfor other PIFs such Distraction
andTaskComplexity.
Table 7.3. Comparing PIFs assessedusing PRRVIAAudit results with PIF assessed
using auditor'sjudgement
PITS Site A Site B
PlFs Rating from PlFs Rating PIFs Rating from PlFs Rating
PRIMA Audit using auditor PRIMA Audit using auditor
iudgement judgement
Experience Average Average Average Good
Procedures Poor Poor Good Good
Feedback Poor Poor Good Good
Stress Average Poor Average Average
7.5 A simple method to quantify PIFs rating

A simplemethodto quantifyPIFs ratingwhich convertsthe qualitativerating of PIF
into a quantitativeform is presentedhere. Using someform of quantitativescale,
these qualitative rating could be convertedto a quantitative rating. The SLIM
technique used a nine scale rating for expressing a particular PIF situation that
influenced the likelihood of successin executing a particular task. The ideal value
(that most favourable) could be at any point of the scale. For example the ideal value
for training would be 9 (the most comprehensive and effective) while the lowest
would be on the scale of I (grossly inadequate training done in ad-hoc manner).

While for Stress the ideal value could be 6 (the right amount of stress that keep an
operator alert but not created undue stress) and the lowest would be I (too little
stress that to keep the operator alert). The ideal values for SLIM used by Gertman
(1994) and Chien (1992) is shown in Figure 7.1.
By using the ideal value as the maximum value for 'good' and the associate lowest
range of scale as maximum value for 'poor', a quantitative scale could be made from
the qualitative input as shown in the Figure 7.1. This quantitative scale then could be
used for example for apportioning weighting of PIFs contribution in SLIM technique.
However difficulty arised when deciding the scale for stress as it has a different ideal
value i. e. 6 instead of 9. This difficulty could be overcome by re-assigning its ideal

value to 9 and making appropriatejudgement basedon this ideal value.
Results of apportioning PIFs weighting to calculate BEPs in SLIM using such
method for Site A is shown in Table 7.4. For example the qualitative rating of
Procedures for Site A is judged to be Poor indicating that it will have small
contribution in the successfulexecution of a particular task. As SLIM technique

calculates the in
probability of success executing a particular task in the form of
SuccessLikelihood Index (SLI), Procedurescontribution to SLI will be small which
is reflected by its weight of 0.14. On the other hand the Experience contribution to
SLI is Good, meaning that they will have large contribution to the probability of
successin executing a particular task. In this case the weighting for Experience on
SLI is higher as reflected by a value of 0.36.

0\
00 00 00 00 00 00
\o %D ýo IND %D ýo
E- \o
vi &A kn V) Vlb kn
vl
,Z
m m m
4) m M
10
0
402
Ici
0 u
(4-4
0
J.,
0
L.
.2 L) E
P.4 b 8
-0
-i a to 8 U 0
Ei 0 c)
A -
Ei
8
1 L, I<ci 2
P.4 F- cn 10
_-; cli cl; 1.2: kei %d r.:
Z)
9
For comparison purposes the weighting obtained using the quantification of PIFs
rating from PRIMA Audit results is compared with the weighted assignedfor these
PIFs using expert judgement as describein Section 5.5.4 of Chapter 5 (Table 5.19) as
in
given the last column of Table 7.4. The difference for PIFs weighting is quite small
for all the PEFsindicating someform of agreementbetween the two approaches.
Table 7.4. ComparingPIFs weighting for Site A

PIFsRatingfrom Quantitative Weightingassigned Weightingassigned
PRIMA Audit Ratingusing for SLIM using for SLIM using
conversionmethod conversionmethodin ExpertJudgement
in Figure7.1 Figure7.1
Experience - Average 5 5/9 x 9/14 = 0.36 0.4
Procedures - Poor 2 2/9 x 9/14 = 0.14 0.2
Feedback - Poor 2 2/9 x 9/14 = 0.14 0.2
Stress - Average 5 5/9 x 9/14 = 0.36 1 0.2
Results of apportioning PIFs weighting to calculate HEPs in SLIM using such
method for Site B is shown in Table 7.5. For comparisonthe weighting assignedfor
thesePIFs using expertjudgementas describein Section5.5.4 of Chapter5 (Table
5.19) Chapter 5 is given in the last column of Table 7.5. Similarly the difference for
PIFs weighting is also quite small. However between the two approaches, at for
least for the four PIFs under consideration,the conversionmethod using PRIMA
Audit resultsprovidebettertransparencyas it is basedon all the informationgathered
throughthe audit questionnaires.
Table7.5 - ComparingPIFsWeightingfor SiteB
PIFsRatingfrom Quantitative Weightingassigned Weightingassigned

PRIMA Audit Ratingusing for SLIM using for SLIM using
conversionmethod conversionmethodin ExpertJudgement
in Table7.1 Figure7.1
Experience - Average 5 5/9 x 9/24 0.2 0.4
Procedures - Good 7 7/9 x 9/24 0.3 0.2
Feedback- Good 7 7/9 x 9/24 0.3 0.2
Stress - Average 15- T5/9 x 9/24 0.2 0.2

However the influence of each PIF on specific task varies requires separate
assessment. This is due to the fact that each task comes under a different degree of
influences from eachPlFs as being discussin detail under the topic of PIF analysis in
Chapter S. Thus the usefulnessof PIF analysis using PRIMA Audit questionnaires
seem unable to go beyond determining the overall or global weighted of PIF at a

particular site. The quantification of BEP of a specific task requires a more rigorous
assessmentto reflect the varying degreeof PIFs influenceson that particular task.
7.6 Conclusions
In conclusion the PRIMA audit questionnairewas found able to address a number of
areasthat could provide basic information to determine the overall or 'global' PIFs
influence, at least for the four PIFs under consideration. However it is less rigorous
as compared to the dedicated PIF analysissuch that has been carried out in Section
5.4.4 of Chapter 5. Neverthelessfor the purpose of quantification using SLIM, such

information is adequate to assist in assigning appropriate weighting of the overall
PIFs on each site. Such weighting could be used to reflect the overall influences of a
particular PIF on all tasks for

under consideration quantification purposesat each site.
Further investigation is neededto look at the existing PRRAA Audit structure to
find out whether it is capableto accommodateother componentsof BEA.

d-'y 1-
unapter
Findings, Conclusions and Suggestions

for Further Work
8.1 Introduction
This chapterpresentsthe outcomeof the overallresearch.The outcomeis presented
underthreedifferentheadings
namelyfinding, for
suggestions further work and finally
the conclusions.
8.2 Findings
A discussionof the salientpointsfrom findingsof the overallresearchis given below.
The discussionis madeundereachmajorheadingof the researchcomponentfor ease
of explanation.The aim of this discussionis to highlightkey researchfindingsbased
on findingsfrom the threedifferent namely
researchareas PSMS,BEA and QRA.
8.2.1 PSMS performance differs between the 3 sites
Results from the analysis of PSMS for the 3 sites using the PRIMA technique show
significant differencesin performance. As shown in Table 4.5 in Section 4.6 Chapter

4, Site A, which is the locally owned and managedfared the worst. The overall
PSMS fall under Poor category with a Modification Factor of about 4 based
pipework loss of containment data base.
to havea ModificationFactor of 0.9. This indicatedthat Site

Site B was assessed
PSMS perfonnanceis slightly lessthan the averageplant as definedunder PRDAA.
Even though this site benefit from a good PSMS laid down by the previous
owner,
multinational recentmanagement structurechangehas deprivedthe site with
the resourcesneededto maintainan aboveaveragePSMS. This is especiallytrue in
term of the absenceof dedicated Safety Department specialistssuch as the
instrumentationandelectricaltechnicians.
The best PSMS performance among the 3 sites is Site A. This site was assessedto
have a ManagementFactor of 0.4 using the PRROA assessment.This site was able to
retain most of the Safety Management structure and human resources laid down by
the previous multinational owner. The key contribution to the site's good PSMS
performance was a dedicated safety department answerablestraight to the Managing

Director and the ability to retain most of the skill and experienced operators and
supporting technicians.
The PRIMA audit resultsshoweda ModificationFactor differenceof about a factor
of 10 between the Site A and Site C. This difference

significant showedthe needto
consider the site specificPSMSperfonnanceinfluencewhen conductingQRA using
genericfailurerate.
8.2.2 Strengths and weaknessesof PSMS of locally owned Site
The main strengths and weaknessesof the locally owned plant, i. e. Site A as assessed
using PRRvIA technique are given below. Evidence of these findings is given in
Section 4.5.2(i) in Chapter 4 and in Table 5.15 Section 5.4.4 Chapter 5.
Strength
0 Less rigid work division, i. e. operatorand maintenanceallow multi-skilling for
rotation of job. Such arrangementallowed operator to switch role e.

g. from
to
maintenance operationwhen the needsarise. It also avoids boredom and
createsequal opportunity for promotion that normally favour the operatorsas
comparedto other supportingstaff suchasthe maintenance
crew.
Weaknesses
0 lack of good working procedures

lack of qualifiedandexperiencedpersonnelto conductsafetyassessment
suchas
HAZOP for designandmodifications
lack of structuredtraining for new personneland lack of specialist/continuous
training for existing workers
0 lack of clear safety policy - only to meet minimum regulatory requirements.
* fairly high turnover of operator and supporting staff due tight labour market,
experiencedworkers move to new sites which offer better wages and less
hazardousworking conditions, e.g. at electronic componentsassembly.
8.2.3 Strengths and weaknessesof PSMS Sites owned by multinational
The main strengthsand weaknessesof PSMS Sites owned by multinational are given
below. Evidence of these finding could be found in Section 4.5.2(ii) and 4.5.2(iii) in
Chapter 4 and in Table 5.15 Section 5.4.4 in Chapter 5.
Strengths
Good written safety policy which is fairly comprehensiveand practical.
0 Well laid organisationalstructure for safe operations of plant including a

dedicatedsafetydepartment
0 Possesses
well trainedpersonnelwhich havestayedwith the companysince its
inception
* Goodtrainingprogrammefor operatorsandsupportingstaff. Apprenticeshipstyle

trainingcreatessteadystreamof qualifiedpersonnel
* The availabilityof comprehensive
written work standardsand proceduresbased
on worldwide experienceof the formermultinationalowner
Weaknesses
9 Rigid division of work into operationsand supportingservices(i.e. maintenance)

has hinderedjob rotation or multi-skilling. The situation createsdissatisfaction
among the supporting personneldue to lack of promotion chancesas compared to
their counterpartsin the operations.

o Current downsizing exercise will reduce the overall number of experienced
personnel including safety in the near future. The policy of not replacing retired
personnelmeansthere will be fewer peopleto do the sameamount of job that

could createstressandlow moraleamongworkers.
0 Early signsof deteriorationin PSMS e.g. falling behindthe scheduleto review

the current work procedureswhich are supposedto be conducted yearly as
specifyin the written work standards
8.2.4 Multinational influenceson site specificPSMS
PRRAA Audit resultsshowedthat the previousmultinationalowner did impart their

experienceand implement a safetysystemwhich benefitedthe current local owner
who took over the site. Suchevidencescanbe found in PSMS resultsdiscussionin
Table4.2 Section4.5.2 in Chapter4 aswell in PIFs discussionin Table 5.15 Section
5.4.4 Chapter5. Strong safetyorganisation,comprehensive training and adequate
written work standards
and work procedures are the critical features. Furthermore
beingthe first largescalechemicalplantin Malaysiathe companymore or lessset the
work standardandbecame
traininggroundof manytechnical who
personnel work for
a numberof chemicalplantsbuild laterin Malaysia.
At the same time the company also introduced a fixed division of work into
departmentslike operation and technical support which includes project, maintenance,
electrical and instrumentation and safety. Technical personnel who joined the
company are put under apprenticeshipstyle of training under the specific department
for a lifetime long career. This type of training producesworkers with good specialist
knowledge and worked well in large scaleorganisationwith non-competitive business
environment. However under current highly competitive businessenvironment such

rigid division of work hinders the flexibility of the company to compete, e.g. through
multi-skilling. It also creates discontent among the technical support personnel who
over the years get less promotional chancesas compared to their in
counterpart the
operations.

8.2.5 The different effectiveness of ammonia road tanker loading task on the
two sites
Despite carrying out a similar task, i. e. ammonia road tanker loading operation the
effectivenessof the plan and proceduresused to execute the task is different between
the two sites. Evidence to support the findings can be seenfrom the summary of PIF
analysisin Table 5.15 and the detailedPEFanalysisin Appendix 6.
The Hierarchical Task Analysis (HTA) has revealedthat Site B has a better work plan
and procedures to successfullyundertake the task of ammonia road tanker loading

operation as compared to Site A. The work plan and procedures in place is
appropriate and comprehensivewhich would be able to reduce the chances of the
operator making planning errors. The usage of specialist (i. e. maintenancecrew) to
carry out the connection and disconnection of filling hoses also reduces the chances
of operational errors. Error recovery is enhancedby better process safety hardware,
e.g. the use of weight trip system to prevent overfilling of road tanker and the
presenceof independentchecksby the maintenancecrew of certain critical tasks such
as the venting-off filling line prior to disconnection. However the use of maintenance
crew at Site B to carry out the filling hose connection and disconnection increasethe
duration of filling as compared to Site A due to the waiting period for their
availability.
8.2.6 PIFs situation at Site A is better than Site B
The research showed that PIFs situations differ on the two sites. Evidence to
support the findings can be seen from the summary of PIF analysis in Table 5.15,
the detailed PIF analysis in Appendix 6 and PSMS audit results in Section 4.5.2 of
Chapter 4. The difference for eachof PIF under considerationis given as follows;
o Experience
SiteB operatorhasbetterexperience
than Site A. Good training programme,low
turnoverfrom job securityandjob specialisationof operatorat SiteB contributed
to this factor. Howeverthe multi-skillingapproachbeing implementedon Site A

has indicated a positive impact on the operator performance as compared to Site
B.
0 Procedure
Site A has inadequateproceduresas comparedto Site B. The proceduresare

poorly written, lack depthandaremostlynot compatiblewith the actualtasksthat
needto be executedon-site. Unlike SiteB, this site did not havethe benefitof the
experienceand resourcesof a multinational organisationin preparing and
implementingeffectiveworking procedures.Lack of resourcesalsominimisedthe
effort to up date the resourcesregularly. It was also noted that this trend
beginningto take placeat SightB.
0 Stress
Time stressfor ammonia tanker loading operationsis higher on at Site A as

comparedto Site B. Site A carry loads not only road tankersbut also lorry
mountedskid tanks. As the major movementof ammoniais using rail tanker to

its sistercompanySiteBs do very few of road tanker loading. Work stressthat
arisesfrom the needto performfairly demandingphysicalactivitiesunder hot and

humid environment involving hazardoussubstancesis higher at Site A as the
loadingbay is not providedwith solarcanopyasbeingprovidedat SiteB.
* Feedback
Lack of processcontrol automationpreventedoperatorsat Site A from getting

the necessaryinformationthat could tell that they are in error mode. It also
reducedthe ability to recover error or to minimiseits consequences through
remote operations. Critical information on plant status has to be gathered
manuallysomeof which requireslooking at smalldial gaugesat heightunder hot
tropical sun. The maincontrol room providedmost of the critical informationat
Site B. It also allowedcertainrecoveriesto be madein the event of failuresof
manual operations.

8.2.7 Critical task predicted by PHEA is similar for the two sites
Results from the PIHEA conducted showed that use of consequences(i. e. severity
and frequency) provides a simple and effective means to predict tasks that under
strong influence of human error. However lack of site specific information on the
two attributes, e.g. from accidents or near miss records forced the use of expert
judgement which at best lacks transparency. For both sites tasks associatedwith the
connection and disconnection of filling hoses, the establishment of correct filling

weight to prevent overfilling and the movement of road tanker that could result in
collisions and hose pull away has been identified as those most likely to fail due to
human errors. Evidence to support the findings can be seen in Table 5.12 and in
Appendix 5. The analysisalso allowed appropriate recommendationsto be made to
reduce the impact of human error through the appropriate error reduction strategies.
The recommendationsmade vary for the two sites depending on PSMS available on
each site as shown in Table 5.13 and Table 5.14. Using PRRVIA technique the
relevant key audit areas and the control loop levels within the PSMS for each site
could be determined. This approach also indicated one possible means to integrate
human error with PSMS.
8.2.8 HEN value strongly influenced by PIFs.
Proper selection of PIFs is important as they provided the basis for determining the
IHEPsvalues. Assigning appropriate rating of these PIFs for each tasks also needs
careful judgement as shown in Table 5.17 and Table 5.18. This could only make
possible by a thorough qualitative analysis prior to human error quantification
exercises.Evidence to support the findings can be seenin Table 5.22 and Table 5.23.
8.2.9 Calibration points influenced the IEIEPscalculated using SLIM
Selecting appropriate calibration points for IHEPscalculation using SLIM was found
to be one of the main difficulty of the quantification exercises. They strongly

influenced the outcome of IHEPsvalues for all tasks under consideration. Sensitivity
runs using calibration points obtained from various sources showed a maximum
difference is about a factor of 30 for the values of IHEPscalculated as shown in Table

5.22 and Table 5.23. However taking into consideration the large differences
with humanerror databasesuchdifferenceis acceptable.

normallyassociated
8.2.10 Site A has higher HEPs as compared to Site B
Results of BEPs calculated using SLIM techniques in Table 5.22 and Table 5.23
showed that Site A has higher value of IHEPs,as compared to Site B for identical
tasks. This finding suggestedthat the ammoniaroad tanker loading operation Site A
is subject to a higher influence of humanerror as comparedto Site B.
8.2.11 Site specific PSMS performance increases off-site risk for Site A
Results of QRA run using RISKAT software are shown in Table 6.16 for Site A and
Table 6.18 for Site B. Analysis of the results yield the following findings:
Off-site risk calculatedby RISKAT using generic failure rate for Site A was less when
site specific PSMS is

performance not taken into consideration. This evidence is
shown in Table 6.16. The difference of risk results between baseline QRA using
generic failure rate, i. e. without Modification Factor (Run No. AI) and the one using
Poor Modification (Run No. A2) is about a factor of 2 or 200% based on individual
risk distance of 10E-06. As Site A is judged to have poor PSMS performance, the
use of generic failure rate for QRA underestimatedthe actual risk posed by ammonia
road tanker loading operation.
8.2.12 Site specific PSMS performance does not affect off-site risk for Site B
As Site B is judged to have an Average PSMS performance,the use of generic failure
rate for QRA is appropriate. These mean that site specific PSMS performance does
not affect off-site risk for Site B. This evidenceis shown in Table 6.16. However any
attempt to equate its PSMS performance with Site C which belongs to same owner
will have resulted in underestimatingthe actual risk posed by ammonia road tanker
loading operation by about a factor of almost 4. This can be seen when comparing
the difference of risk results between baseline QRA using generic failure rate, i. e.
without Modification Factor (Run No. B I) and the one using Good Modification
(Run No. B3) which is about a factor of 4 based on individual risk distance of
IOE-06. This showed that even though the two sites belong to the same owner they
not necessarilypossessimilarPSMS performance. So there is a needto conduct a
separatePSMS audit for eachsite to avoid making a wrong assumption.
8.2.13 Site specific weather data is a dominant factor in QRA
The site specific weather data is one the most dominant factor influencing the off-site
risk level at the two sites. The evidence can be seen at individual risk distance of
IOE-06 from in Table 6.16 for Site A and from in Table 6.19 for Site B. For Site A
the use of UX weather data (Run No. AlO) resulted an overprediction by a factor of
3 when compared to baselineQRA using FTA approach in Run No. A4. Meanwhile
for Site B the use of UX weather data (Run No. B 10) resulted an overprediction by a
factor of about 2 when compared to baseline QRA using FTA approach in Run
No. B4. So more resources should be allocated in establishing such data if fairly
accurate and reliable QRA results need to be used to assist decision making, e.g. for
land use planning. This finding seemsto agreewith findings by other researchersuch
as Kukkonen (Kukkonen et al, 1993) and Marshall (Marshall et al, 1995). This is
especiallytrue in developing countries with a lack of reliable weather data for QRA in
place. Any developing country still without the necessarylocal weather data should
make its development of top priority when QRA is used as a tool to assist decision
making for land use planning.
8.2.14 Site specific organisational factors influence QRA results
TIHERP and HEART nominal data baseprovides an equivalent of the generic human
error rates or human error probability or IHEPS. SLIM generatedIHEPs is a mean

to explicitly consideredthe site specific organisationalinfluences (in the form of PIFs)
such as work stress, training and experience of personnel and availability of good
operating procedures on IHEPs.Result of QRA runs using these 'generic human error
rates' for Site A showed a higher off-site risk values by a factor of about 1.2 as
compared to using SLIM generatedhuman error rates. However result of QRA runs
using these 'generic human error rates' for Site B showed almost the same off-site
risk values as comparedto using SLIM generatedhuman error rates. Such evidences
can be seenin Table 6.7 (Runs No. A5 and A6) for Site A and Table 6.10 (Runs No.
B5 and B6) for Site B and their summaryin Table 6.13. Eventhough the difference is

quite small the results indicated that site specific organisational (in the form of PIFs)
influencesthe generichumanerror rateswhich in turn affectthe QRA results.
8.2.14 PRIMA Audit provides a viable alternative to assessedsite specific

organisational impact on QRA
The PR][MA Audit producesModification Factors (MF) which were used to obtained
site specific generic failure rate which takes into account the site specific PSMS
performance. Results of QRA using these factors showed a significant difference of
off-site risk for Site A which was assessedto have a Poor PSMS performance in
term of individual risk, increasedby a about a factor of 2. Site B which was assessed
to have an Average PSMS performance in term of individual risk showed only a
small difference of about a factor of 1.2.
Similarly the SLIM calculatedBEPs that takes into considerationthe site specific
factors that influencedhuman error rates. While TIHERPand BEART databases
providedthe generichumanerror rates. Comparingthe off-site risk resultsfor site A
using the genericandsite specificBEPs showed a differenceof about a factor of 1.2
while Site B showedinsignificantdifferences.The resultsshowedthat similarto site
specificPSMS performance,the site specifichumanerror ratesalso affect the QRA
results(increasethe risk) eventhoughlesspronouncesthan the former.
As such the results appearto suggestthat despite its simplistic approach, the PRIMA
Audit technique seem capable of predicting the direction of effect of site specific
organisational characteristics (which include human error) on QRA results,

comparable to the more rigorous approach of using fault tree modeling which
requires the decomposition of hardware and humanfailure rates and establishingtheir
respectivevalues.

8.3 Conclusions
The researchhasmet its mainobjectivesassetin the researchmethodology:
9 to study the impact of PSMS performanceon off-site risk
* to investigate the contribution of Human Error to off-site risk
e to look into the possibilityof linking PSMS and HumanError analysisthrough

PRDvlA Audit
Severalother conclusionscould be madefrom resultsand findings of the research.

However it shouldbe stressedherethat they are only basedon the MHI sitesunder
investigation. Further study would needto be carried out to verify whether they
representnationwidesituationof MHI in Malaysia.
-p PRIMA audit, SLIM and RISKA T were found suilable to be usedfor developing
countrieswith minor modifications
* Thereis a needto takeinto considerationsite specificPSMSperformanceit) QRA

as theyexertsignificant influenceon QRAresults
Multinational company provided positive contribution in PSMS performance at

leastfor the sites under study. It also providedpositive contribution in managing
human error through better training, able to keep experience personnel and
preparing good operatingprocedures.
v Theinfluenceof humanerror on QRA is complex,while humanactionsincreases

systemfailurerate, theyalsoprovide recoveryin the eventof haraMarefailures
# QRA requires reasonablygood site specific weather data as it is strongly

influencedthe outcomeof therisk resultsespeciallyfor toxic materials. Thereis a
needto developgoodweatherdata whichis quite scarcein developingcountries.

7he attempt to integrate PSMS and HEA audit through PIF from PRIMA audit is
partly successfulat least at the organisational (global) level, which could be used
to provide 'weighting' (as in SLIM) for an overall PIF influence. However the
present PRIMA audit questionnaires structure is not able to facilitate a

comprehensivePIF analysis which is neededto assesstask specific HEP.
8.4 Suggestions for Further Work

A numberof limitationshavebeenencountered
that preventmore definiteconclusion
being made. Theselimitations were noticedthrough the actualpracticalexperience
in carrying out the field work, the use of qualitativeand quantitativetechniqueto
analysedata collectedfrom field studywhich includedthe use of relevantcomputer

code and finally through attemptsmadeto link the complex relationshipbetween
PSMS, HumanError and QRA. Theselimitationsin the author'sopinion could be
reducedby conductingfurther analysison a number of areasthat could further
findings.
strengthenthe research's
As the researchinvolvedthreedistinctareas,the suggestionsfor further work will be

given for eacharea. These be
could carried
suggestions out by a separateexerciseor
by combining a few together. The suggestionsgiven are looking purely from
researchpoint of view without consideringthe resourcesrequirement,i.e. manpower,
time, and cost. Obviously some suggestioncould be implementedwith minimum
resourceswhile othersrequiremuchmore.
8.4.1 PSMS Auditing
The following further works are suggestedfor PSMS audit using PRIMA;
aj Conducting similar PSMS audits on other MRI
ThreeNIM were auditedduringthe researchexercises.While the threesitesroughly

representthe crosssectionof MHI in Malaysia,more similarauditson otherWH are
neededin order to answerseveralquestionsarisingfrom the current research. First

is whetherotherMM which is moreautomated(i.e. lessmanualoperationwith more
complex process system) than ammonia loading operations will provide similar
results. Secondlywhether NEM ownedby big Malaysiannational corporationPSMS
performanceis similarto thoseownedby the multinational.Thirdly by what marginis
the risk from MFH that handlesflammableand explosive hazards(such as gas
by
processingplant) would affected PSMSperformance.So by conductingmore
be
audits on a cross sectionof other WH installationssome of the above mentioned
questionscouldbe answered.
b) Conduct PRIMA Audit using different set of auditors
As the audit relies heavily on humanjudgementby the team members,a separate

by
audit conducted differentaudit teamson a samesitewill providedsomeindication
on the reliabilityof PRRvIAtechnique.
cj The use of loss data

containment basethat reflectthe in
scenarios developin
countries for PRIMA Modification Factor
Modification factors used in PRRvfA to modify generic failure rate currently is based
on weighting provided by data baseson the loss of containment of pressure vessels

and piping mainly obtained from developed country. In developing countries like
Malaysia the percentageof contribution of eachkey audit area may differ significantly
as suggestedthe current data base. This could be due to different quality of design,
operation and maintenance in developing countries that would result in different
percentageof contribution to the loss containmentdata base. So the use of a suitable

data base that reflect the country specific situation would yield more accurate
modification factor in PRIMA Audit.

8.4.2 Human Error Analysis
The following further works are suggestedfor Human Error Analysis;
a) Use of other quantificationtechniquesto calculateHEPs
The contributionof humanerror on off-site risk in the study was obtainedusing the
SLIM technique.Theuseof othertechniquesuchasBEART or TIHERPwill provide
different set of IHEPsvalueson humanactivity associatedwith ammoniaroad tanker
loading operations.These IHEPsvalues then could be comparedwith the ones
obtainedusing SLIM techniqueand checkingthe differencesof off-site risk results
whenusingthesevaluesasinput for QRA.
b) To inclUdePsycbologicalError Mode (REhn in Human Error Analysis
The HumanError analysisconductedfor the researchonly consideredthe operator
error in the form of ExternalError Mode (EEM). It is concernedwith predicting

failure of planning,actions,checking,selectionandcommunications.However it did
not considerthe other error mode,i.e. the PsychologicalError Mode (PEM). This
type of error dealwith higherlevel of error, mostlyin the cognitive domainsuchas
lapse of attention, stereotypefixation and stimulusoverload (Kirwan, 1994). The
inclusion of PEM in HEA will provide better insight of underlying causesthat
influencethe operatorin committingan error. This in turn could allow more effective
error reductionstrategiesbe recommended.
8.4.3 Quantitative Risk Assessment(QRA)

The following furtherworks aresuggested
for QRA
a) Conduct QRA on MRI with different process
The ammoniaroad tanker loadingoperationson which the QRA were conductedis

fairly simpleprocessthat involvedquite a lot of humanoperation. It would be useful
to find out the differenceswhen QRA is conductedon more complexprocesswith
high degreeof processautomation,wherehumanoperationsaremainlyin supervisory
roles.The type of humanerror associated

with suchprocesswill be differentandtheir

influencesof humanerror on off-site risk would be different. Such a study would
allow the influence of process automation over manual operation in reducing human
error to be fully explored.
Investigating the influence of PSMS performanceand Human Error
for on-site risk
The researchthat hasbeenconductedspecificallylooked at the PSMS performance

and HumanError influenceon off-site risk. As such only humanerrors that could
were taken into account.However the BEA analysis
result in large consequences
indicated that the effects of human error are mainly towards low and medium
consequences eventsthat would not leadto off-site risk. As sucheventscould pose

risk to workers on-site, it would be useful to investigatetheir influenceof human
error on on-siterisk.
c. Compare ORA results using PSMS Management Factor and QRA using vdth
site specific failure rate using processsafejy hardware approach
HSE has carried out an initial study where the site specificfailure rate is modified
using processsafetyhardwareapproach(Gould et al, 1997). The rational of this

approachis that processsafetyhardwareis more permanenton a specific site as
comparedto PSMS. This is due to much easier changing of personnel and
proceduresthat madeup the site specificPSMS. Comparisonof resultsfrom the two
approaches would highlightthe differencesin QRA resultsfor the a particularsite. It
could thenbe to
used assist decision makingwhether to invest in process hardware or
the improvementof sitePSMS(for examplethroughbetter proceduresand training)
in order to reducerisk from the site.
8.4.4. Integrating PSMS and Human Error Analysis
The current research look at the possibility of linking the PSMS assessmentwith
Human Errror assessmentthrough Performance Influencing Factor (PIFs). Site
specific PIFs are shaped by the characteristicsof people, tasks and organisation that
influence human performance. As PRRVIA audit also looks for similar factors to
assesssite specific PSMS performance this information could be used to evaluate the

overall PIF situation. However result of the analysis that has been carried out
showed that information madeavailablefrom PRIMA Audit results is not sufficient to
make critical analysisof the site PlFs. So a more rigorous approach is needed. The
Influence Diagram approach(Phillips et al 1985, and Embrey, 1992) could be capable
of providing the interelationship between managementinfluences, immediate causes

and operational errors. The approachis also claimed to be able to quantify the effect
of organisational influences on risk arising from human error. However the need to
collect data from each site to develop site specific form of generic model requires
large resourceswhich is beyond the scope of the present study. Where resource is
not a constraint this approachis worth pursuing.

References
AIChE (1993). Guidelines for Auditing Process Safety Management Systems.

Center for Chemical Process Safety of The American Institute of Chemical
Engineers.New York.
AIChE (1994). Guidelinesfor PreventingHumanError hi ProcessSafety.Center

for Chemical Process Safety of The American Institute of Chemical Engineers.
New York.
Allum, S. and Wells, G.F. (1993). Short-Cut Risk Assessment. Trans IChemE, Vol
71, Part B, August 1993.
Barnes, M. (1990). TheHinkeley Point Public Inquires, Vol.6, The risk of accidents
Basri, J. (1996). Auditing Process Safety Management Systemfor Major Hazard

Risk Assessment-A Malaysian Experience. The Third Annual European
Conferenceon Risk and Crisis Management. 25-27 February 1996. Bradford,
U. K.
Bayer (1991). Application of Probabilistic Risk Assessment: The selection of

Appropriate Tool.RiskAnalysisVol 11,No 2,1991p239-247.
Bellamy, L. J. (1983). NeglectedIndividual, Social and Organisational Factor in

Human Reliability Assessment.Reliability '83. Proceedingof the 4th National
Reliability Conference,Binningham, U. K. Vol. 1. pp.2B/5/1 to 2B/5/1 1.
Bellamy, L. J., Geyer T. A. W., and Astley J.A. (1989). Evaluation of the Hunian
Contributionto PipeworkandIn-line EquipmentFaihire Frequencies.HSE
Contract ResearchReport No 89/15. HSE Publishing. ISBSN 0717603245
Bellamy, L. J, Wright, M. S and Hurst, N. W. (1993). History andDevelopmew of
a SafetyManagement
Auditfor Incorporationinto QuantitativeRiskAssessment.
In InternationalProcessSafetyManagement
Workshop,22-24 September.
CEC(1995). Auditing and Safety Managementfor Safe Operations and Land Use
Planning: A Cross-National Comparison and Validation Exercises. A Report
for the Commissionof the European Community. 20 December 1995.
CEC (1982). European Community Directive on the Major hazards of Certain

Industrial activilies, 82/501/EEC, official journal of the European Community,
L230.
CRVLAH(1984). The Control of Industrial Major Accidents Hazards Regulations

1984. HMSO. London.
Cox, SJ and Tait, N.R.S., (1991). Reliability, Safetyand Risk Management- An

Integrated Approach. Butterworth-Heinemann.
Comer, M. K., Kozinsky, E. J., Eckel, J.S. and Miller D. P. Human reliability Data
Bank for Nuclear Power Plant Operation:A Data Batik Conceptand System
Description. NUREG/CR-3518. UNRC. Washington D. C.
Cullen, S.J. (1994). Health and Safety: A Burden on Business?. Process Safety and
Environmental Protection Journal, VoL 72, No Bl. p3-9. February 1994.
Davoudian, G., Wui, S.J. and Aspostolakis, G. (1994). Incorporating Organisational
through the Analysis of Work Process.Reliability

Factors Into Risk Assessment
Engineering and SystemSafety. Vol. 45, pp107-125
Deshotels, R., and Dejmek, M. (1995). Choosing the Level of Detail for Hazard
Identification. ProcessSafetyProgress.Vol. 14, No. 3. July 1995. pp218-224
DNV (1994). SAFETI UserManualfor DOSHMalaysia. DNV Technica.London.
DOE (1992). DOE Order 5480.23, Nuclear Safety Analysis Reports. U. S.

Department of Energy, Attachment 1, p 16.
DOP (1990). Risk Criteriafor land UsePlanning. New South Wales Department of
Planning (DOP).
DOSH (1993). The ManagementEmergencyResponsePlan at Major Hazards

Installation Survey. Internal Report. MIH(S) 127/296/17/1.
DOSH (1994). The Occupational Safety and Health at Work Act 1994. Malaysian
Government. Government's Printer 1994.
A PhD Thesisby J-Basri 259

DOSH (1995). The Control of Major Hazards Regulations 1994. Malaysian
Governmem.GovernmentPrinter 1995.
DOSH (1996). Vessels,Piping and ComponentDatafor QRA.. Intenial Database,

Major HazardDivison. Department of Occupational Safety and Health Malaysia
DOSH(1996) StatislikPembaikaiiDatidatigdatiPetigatidiiiigTekatiatiTakBerapi
Ibu Pejabat 1990 - 1996 (Repair of Boilers and Unfired Pressure Vessels -
DOSHHQ Statistics1990-1996.Departmentof OccupationalSafetyand Health,
Malaysia.
Embrey, D. E., Humphreys, P.C., Rosa, E. A., Kirwan, N., and Rea, K. (1984). SLIM-
MAUD: An Approach to AssessingHuman Error Probabilities Using Structured
Expert Judgement.NUREGICR-3518. USNCR. Washington D. C.
Embrey, D. E. (1986). SHERPA: A SystematicHuman Error Reliability Prediction

Approach. Proceeding of the American Nuclear Society International Topical
Meeting on Advancesin Human Factors in Nuclear Power Systems.
Embrey, D. E. (1992). Incorporating Management and Organisational fiactors into

Probabilistic Safety Assessment. Reliability Engineering and System Safety. 38
(1992) pp199-208
Embrey D. E., Kontogiannis, T, and Green, M. (1994): Guidelhies for Prevetiling

,
Human Error in Process Safety. Center for Chemical Process Safety, American
Instituteof Chen-dcal
Engineers,New York.
Fairhurst, S. and Turner, R.M. (1993). ToxicologicalAssessmentin Relation to

Major Hazards. Joumal of Hazardous Materials, Vol. 33. (1993). pp215-227-
Elsevier SciencePublisher. Amsterdam.
FMD (1967). Yhe Factories and Machinery Act 1967. Malaysian Govemment.
Goverment's Printer 1970.
Gano,D.L(I 987). Root causeand how tofind it. WashingtonPower SupplySystem

News. 1987.
Finney, D. J. (1971). ProbitAnalysis. 3rd.Edition. CambridgePress.

Fussel,J.B., Power, G.J., and BannetsR. G. (1974a). Faull Trees: A State of the Art
Discussion. IEEE Transactionon Reliability R-23 (1). p5l-52
Gertman, D. I. and Blackman, H. S. (1994). Human Reliability and Safety Analysis

Handbook. JohnWiley & SonsInc. New York.
Gifford, F.A. (1976). Turbulent Diffusion - Typing Schemes:A Review. Nuclear

Safety 17 (1, January/February).
Gould, T. and Anderson, M. (1997). TheDevelopment of Site Specific Taihire Rates

for Use in Risk Assessments
of Major Hazard Sites.Paperpresentedat Hazard
)GII Seminar, Institution of Chemical Engineer. 22-24 April 1997. Manchester.
England.
HRA(1996). Systemfor Predictive Error Analysis andReduction (SPEAR). Lecture
notes for M. Sc Safety and Loss PreventionCourse. Module 6 on Human

Behaviour and Human Error. The University of Sheffield. 1996
HSE (1974). Health and Safety Work etc, Act 1974. HMSO Publication. London.
HSE (1986). Cmide to the Reporting of byuries, Diseases and Dangerous

OccurrencesRegulations 1985, HSE. 23, HMSO.
HSE (1978). Cativey, A Summary of an Investigation of Polenlial Hazards from

Operations in the CanveyIslandlYhurrock area. HMSO. London.
HSE (1989). Risk Criteriafor Land UsePlanning in the Vicinity ofMajor Industrial
Hazards.HMSO PublicationsLondon.
HSE (1989b). Human Factors in Industrial Safety. HSE Safety Booklet HS(G)48.
HMSO Publications London.
HSE (1989c). Risk Assessmentof the Chlorine Road Tanker Loading Operation at
Hays Chemical Lid, Sandbach Cheshire. HSE Internal Report No.
HSE/SRD/8/l/89.
Humphrey, P. (1988).Humaii Reliability AssessorGuide:An OverviemProceeding

of the Safety and Reliability Society Symposium 1988, Manchester p71-85.
ElsivierApplied Science.London.

Hurst, N. W., Nussey, C. and Pape, R.P. (1989). Development and application of a
Risk Assessment Tool (RISKAT) in the Health and Safety &ecittive (HSE,
).
Chem. Eng. Res. Des. 67.
Hurst, N.W. et al (1990). Organizational,managementand human factors in

quantifiedrisk assessment
-a theoretical
and empirical basisfor modification of
risk estimates. SARSS ConferenceProceeding,Altrincharn. 1990.
Hurst, N.W. et al (1991). A classificationschemefor pipeivorkfaihire to inchide

human sociolechnical errors and their contribution to pipework faihire
frequencies. Journal of HazardousMaterial. pl.59-186. Elsivier SciencePublisher
B. V. 1991.
Hurst, N. W. (1992). N. W.Hurst, R.K. S Hankin, J.A. Wilkinson, C.Nussey and J.C.
Williams. Failure Rate and Incident DatabasesFor Major Hazards. 7th

InternationalSymposiumon LossPreventionandSafetyPromotionin the Process
Industries Italy, May 4th -8th 1992.
Hurst, N. W. (1993). Audithig and Safety Management. Operatimal Safety. Joint

CEC-ESReDa SeminarPaper. Lyon. France. 14-15 October 1993. p105-130
Hurst, N.W., DaviesJ.K.W., Hankin,R. and Simpson,G. (1994). Faihire Ralesfor

Pipework - Underlying Causes.Valve and Pipeline Reliability Seminar. University
of Manchester. I. Mech.E. Feb. 1994.
Hurst, N.W. (1996). Aspect of Risk Managementat Major Hazards sites in

Europe.The Third AnnualEuropeanConferenceandRisk andCrisisManagement.
25-27 February 1996. Bradford, U.K.
Hurst, N. W., Stephen,Y., Donald. I., Gibson, H., Muysellar, A. (1996). Measures
of SafetyManagement Performance and A Ititudes to Safety at Major Hazard Sites.

J. Loss Prev.ProcessInd. Vol. 9(2), pp 161-172
HSE (1989).Risk Criteriafor Land UsePlanning in the Vicinity ofMajor Industrial

Hazards. HMSO PublicationsLondon.
IChemE (1985). Nomenclaturefor Hazard and Risk Assessmentin the Process

Industries. HMSO London.

ILO (1992). Seminar on Work Related Standard for Asia Pacific. Beying.
Intemational Labour Organisation. 11LOPublication. Geneva
ISRS- International Loss Control Institute. Loganville. Georgia. U. S.A.
Jenssen,T.K. (1993). Systemfor GoodManagementPracticesIn Quantified Risk

Analysis. Process SafetyProgress.Vol. 12, No. 3. July 1993. pp 137-142.
Jeremy C.W and Hurst N. W. (1992). A comparative Study of 77zeManagement

Effectiveness of Two Technically Similar Major Hazard Site. Major Hazards-
Onshore and Offshore ConferencePaper, UMIST. Manchester, December 1992.
Kukkonen, A. L., Savolainen, A. L., Valkarna, I., S. Junto., and T. Vesala., (1993).
Long-rangeTransportof AmmoniaReleasedin Major Chemical Accidentsat
Ionava, Lithuania. Journal of HazardousMaterials, 35 (1993). Elsivier Science
PublishersB.V., Amsterdam
Kirwan, B. (1988). A Comparative Evaltiation of Five Human Reliability Assessment

Techidque. Proceeding of The Safety and Reliability Society Symposium 1988,
Manchester 1988 p87-109. Elsivier Applied Science.London.
Kirwan, B (1994). A Guide to Practical Human Reliahility Assessment.Taylor &

Francis, London. pp222-236
Kirwan, B. andAinsworth,L. K., A Guideto TaskAnalysis(1994). Taylor & Francis

Ltd, London. pp 169-217
Kirwan, B., Martin B., Rycraft, H., and Smith, A (1990). Human Error Data
collectionand Data Generation. Journal

of Quality andReliabilityManagement.
Vol. 7, pp34-36
Konstantinov, L. V(1985). Probabilistic Safety Assessment in Nuclear Safety-
InternationalDevelopment.Proceedingof IAEA Seminar on Implications of

Probabilistic RiskAssessmentp3-26.ElsivierApplied Science.London.
Kuo, C. (1994). Realizing engineeringpotential in ocean wealth generation. Joumal
of ProcessMechanical Engineering.Vol 208, No E2, p107-122.

Lees, F.P. (1980). Loss Prevention in Process Chemical Industries. Vol. I and 2.
Butterworth Publishing.London.
LSDM (1992). OrdnanceMapfor TanggaBatu and Perlabuhan Kelang. Malaysian

GovernmentMaps. Land Survey Department of Malaysia
MDM (1996). Meteorological Department of Malaysia. A lor Star Airport Weather

Data - Stability Classes.DOSH InterdepartmentalCommunication.
MEHLG (1992). Royal Enquiry on Bright Sparkler Fire and aplosion Report.
Ministry of HousingandLocal Goverment of Malaysia.
MIHLG (1994). Public Enquiry on Shell Dram Kimia Fire and aplosion Report.
Ministry of Housing and Local Goverment of Malaysia
MSD (1994). Malaysian StatisticsDepartment. Population Consensusfor
Melaka TengahandPerlabuhanKelang.DOSH Interdepartmental

Communication.
Moicni, P. and Orvis, D. (1993). An Approachfor Incorporation of Organisational

Factors into Human Reliability Analysis in PRAs. NUREG/CR-5752, USNRC
(1993)
Modarres,M., Mosleh, A. and Wreathall,J (1992). A Frameivorkfor Assesssitig

hifluence of Orgaidsation on Plant Safety. Reliability and System Safety. Vol. 38
(1992) ppl57-171.
Moore, D.A. (1997). YheuseqfRankingMatrix and Recommendation

Priorilisation
Systemfor ProcessHazard AnalysisStudies. ProcessSafetyProgress.Vol. 16,
No. 2. pp 83-85
McQuaid, J. (1995. Improving the Useof Risk Assessment

hi Govemment. Trans
IChemE, Vol. 73, Part B, November 1995. ppS39-S32.
Nanyan, Z. (1987). Industrial Major Accident Hazards Situation in Malaysia.

Paper presentedat Senýnaron Industrial Major Accidents Hazard Control 24-25
March 1987. Kuala Lumpur. Organisedby The Institution of Engineers

Malaysia and The Factories and Machinery Department of Malaysia.

Nussey, C. et al, (1990). Consequences. Toxic Aspect of 71vo Phase Releases,
Journal. Loss Prev, 3: 156. January 1990
Nussey. C., Pantony, M. F., Smallwood, R.J. (1993). Health and Safety aecutives
Risk AssessmentTool RISKA T. Trans IChernE, Vol 7 1, Part B, February 1993.
pp29-40.
OSHA (1993). Process Safety Management of Highly Hazardous Materials. OSHA

29 CFR Part 1910.119.Federalregister. July 1993. pp364-365.
Schubach,S. (1995). Aermal Radiation Target used in Risk Analysis. Trans

IChemE, Vol. 73, Part B, November 1995. pp265-270
Smith, E. (1994). Yhe Importance of of Safety Management Systems in Risk

ReductiotiandRisk Quatilificatim. InternalPaper.DNV Technica,
London.
Park, K. S.(1987). Human Reliability Advances in Human FactorslErgonomics.

Elsevier, Amsterdam.
Pape, R.P. and Nussey C., (1985). Assessmentof Control of Major Hazards.
IChemE SymposiumSeriesNo. 93
Phillips, L. D., Humphreys, P., Embrey, D. E. and Selby, D. L. (1990). A Socio-
TechnicalApproach to AssessingHumanReliability. In: ItIfluence Diagrams,

Belief Nets and Decisioti Analysis,ed. R.M. Oliver and J.Q. Smith. Wiley. New
York, 1990.
Pasman,H.J. (1995). QuantitativeRisk Assessmentin Europe. Process Safety

Progress. Vol. 14, NoA October 1995 pp 229-231.
Phang, M. C.(1993). Tackling the root causesof processfaihires. Ph.D. Thesis,

Dept. of MechanicalandProcessEngineering.SheffieldUniversity.
Pitbaldo,R.M., Slater,D.H. andWilliams,J.C. (1990). QuantitativeAssessment

of
Process Safety Programs. Plant/OperationsProgress,Vol. 9, No. 3. pp 169-175.
Pontecorvo,A.B. (1965). A MethodofPredicting Reliability. Annalsof Reliability
andMaintainability.Volume4.

Purdy, G. (1993). Risk Analysis of the Transportation ofDangerous Goods by Road
and Rail. Joumal of Hazardous Materials Vol. 33 No. 2. February 1993. pp229-
259
Purdy, G. and Wasilewski, M. Risk Management Strategies for Chlorine

Installations. Journal of Loss Preventionin ProcessIndustries.,Vol.7, No.2.
pp147-156
Raafaat, H. M. N and Abdouni, A.H (1987). Development of an Expert Systemfor

Human Reliability Analysis. International Journal of Occupational Accident.
Vol. 9. No. 2
Rasmussen, J. (1982). Human Error: A Taxonomy for Descrihing Human

Mayiniction in Industrial Installations. Journal of Occupational Accidents, 4.
p311-335.
Rasmussen,J. (1986). Information processing and human-machine interaction: An
approach to Cognitive Engineering. Elsevier, Amsterdam.
Reason, J.T. (1990). Human Error. University Press,Cambridge.
Soukas,J. (1989). Yheidentification of humancontribution ill chemical accidents.

6th InternationalSymposiumon Loss Preventionand Safety Promotion in the
ProcessIndustries. Oslo,June19-22.
Ratcliffe, K. B. STATAS. Development of an HSE Audit Scheme for Loss of

Cowaitimew Incidew. Part 1. A Loss Containment Model. Loss Prevention
Bulletin No 112,1,1993.
Swain, AD and Guttman,M.E. (1984). Handbookof Human Reliability Analysis
with Emphasis on Nuclear Power Plant Applications. NUREG/CR-1275,US

NuclearRegulatoryCommission,
D.C pg 222.
Taylor, J.R. (1994). Risk Analysisfor Plant, Pipelines and Transport. London:
E andF.N. SponPublications.ISBN 0419190902
Turner, R.M. and Fairhurst, S., 1989, HSE, Specialist Inspector Report No.21,
Bootle U.K.

Tweeddle, T.M. (1992). Balancing Quantitative and Noii-Quaiditalve Risk
TransactionI ChemE, Vol. 70, Part B, May 1992.p70-74
Assessmetit.
Watson,I. and Oakes,F. (1988).Managementin High Risk Industries.Safetyand

Reliability SocietyAnnual Symposium,Altrincham.Manchester.19-20 October
1988.
Whalley and Lihou (1988). Management Factors andSystem Safety. Proceedingof

the Safety and Reliability Society Symposium 1988. Manchester. Elsivier Applied
Science.
William, E.T (1980). YheMeas-uremem

of SafetyPerformance. Garland SPTM
Press,New York, 1988.
Williams, J.C. (1986). BEART -A Proposed Methodfor Assessing and Reducing

Human Error. Proceedings9th Advances in Reliability Technology Symposimn.
pb3/r/1-13. Bradford 1986.
William, J.C, and Hurst N. W. (1992). A Comparative Study of the Management

Effectiveness of Two Technically Sinfifiar Major Hazard Site. Major Hazard-
Onshore and Offshore ConferencesPaper 1992. UMIST. Manchaster
Zimolong, B, (1990). Yhe HEPs of HEP aperl: Empirical evahiation of THERP
and SLIM. International Conferenceon Hazard Identification and Risk Analysis,

Human Factor and Human Reliability in ProcessSafety. Jan 15-17,1992 Orlando,
Florida.

Vol1

Uploaded by

Copyright:

Available Formats

You might also like

Vol1

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Vol1

Uploaded by

Copyright:

Available Formats

Impact of Process Safety Management

Performance and Human Error on Off-Site

A Thesis Submitted to the University of Sheffield for the

Department of Chemical and Process Engineering

the assessmentof the sitesPSMS performanceusing a structured audit technique

with human error potential

Resultsof QuantitativeRisk Assessment

countries like Malaysiawhere there exists significantdifferenceson these factors

The researchdescribedin this thesisprovidesa comparativestudy of the impact of

the assessmentof site safety managementperformance using a structured audit

managementperformanceand humanerror potential

using a structuredaudit techniquecalledPRIMA. Two of the siteswhich

A PhD Thesisby J.Basri

managementperformancein major hazardrisk assessment.

As the control of humanerror is an important aspectin processsafety managementa

operations. The analysisalso yields a quantitativeoutput in the form of Human Error

QuantitativeRisk Assessment (QRA) was carriedout on the two sitesto determine

A PhD Thesis by J. Basri

contributions increasesthe off-site risk distanceto a specified individual risk level of

capable of predicting the effect of site specific organisational characteristics on

consider explicitly its influences, especially in developing countries like Malaysia

company was found to have provided a positive contribution to PSMS performance

A PhDThesisby J.Basri III

types of subject areas i. e. Safety Management Systems,Human Error Analysis and

contributions between systemhardware failures, human error and safety management

provideda means to investigate

A PhD Thesisby J.Basri iv

work and various other governmentagenciesthat haveallowed me to obtainedthe

made many new friends along the way.

Finally in the world full of uncertaintymancould only at bestexplorewhat hasbeen

greatness.While we canplanto anticipatethe future asin the caseof risk assessment,

A PhD Thesisby J.Basri

Chapter 2 Literature Review

A PhD Thesisby J.Basri

A PhD Thesisby J.Basri viii

6.6.4.2 The impact of Human Error on QRA results ............................... 229

A PhD Thesisby J.Basri xi

A PhD Thesisby J.Basri

A PhD Thesisby J.Basri xiii

A PhD Thesisby J.Basri

Table 5.17. Results of SLI Analysis for Site A 152

A PhD Thesisby J.Basri xv

A PhD Thesisby J.Basri XvIll

AIChE American Institute of ChemicalEngineers

A PhD Thesisby J.Basr! xix

A PhD Thesisby J.Basri xx

1.1 Research Topic

Impact of Process Safety ManagementSystemand Human Error on Off-Site Risk

A PhD Thesisby J.Basri I

modifications and providing better mitigative measureswith the aim of reducing

So proper utilization of risk assessmentresults is very important for MIR in Malaysia

Traditionally, Quantitative Risk Assessment(QRA) was developedon a hardware and

engineeringbasedapproachbut lately human factors consideration are seenas at least

an equally important determinantof risk. It is important issuesto consider the extent

techniques has been developed to incorporate safety managementsystem (PSMS)

consequencesanalysis on an ad-hoc basis. There is no formal procedure as yet to

to root causes of failures in process plant operations in developing countries thus