
GCPS 2021

__________________________________________________________________________

Process Safety Analysis Considering Human Factors in High Tech Industries

Josué Eduardo Maia França


Linnaeus University, Kalmar, Sweden
Petrobras, Rio de Janeiro, Brazil
josue.maia@gmail.com

Erik Hollnagel
Jönköping University, Jönköping, Sweden
hollnagel.erik@gmail.com

Prepared for Presentation at


American Institute of Chemical Engineers
2021 Spring Meeting and 17th Global Congress on Process Safety
Virtual
April 18 - 22, 2021

AIChE shall not be responsible for statements or opinions contained
in papers or printed in its publications

Keywords: Human Factors; LOPC; FRAM; space shuttle; oil rig

Abstract

From the first missions until today, the aerospace industry has made significant
technological advances and developments, working at the edge of innovation and technology.
Despite the considerable advances in this sector, the degree of complexity and the associated
risks are inherent to the process. In this sense, the development of safety strategies,
including a human factors approach, is a way to promote process safety in the design of
projects, construction, operation, and maintenance, on land, in the air and in space. Although
NASA had implemented several safety barriers in its operations since its beginning, some major
accidents occurred, notably Columbia (2003) and Challenger (1986). At the same time, workplaces
in the oil and gas (O&G) industry have evolved to become part of the modern complex
sociotechnical system that characterizes onshore and offshore facilities today. The intense
interactions between workers, systems, equipment, and processes have made companies in this
sector more productive, but significant and complex risks have also emerged. This industry has
a history of several accidents, such as Piper Alpha (1988), Texas City Refinery (2005) and
Deepwater Horizon (2010), causing heavy losses and global geopolitical changes. All these
accidents, in the aerospace and O&G industries, involved machines and systems operating at the
very limit of engineering, especially at the sharp end of the operations. With both industries
as background, this study presents a human factors approach to assess two relevant accidents,
using the FRAM (Functional Resonance Analysis Method) to perform this analysis.

1 Introduction
Since the first industrial revolution in Europe, technological evolution has been a constant in
the evolution of work systems across the most diverse industries. Of the various industrial
segments that participated in this evolution, two stand out, both for the technology employed
and for the training required to operate their systems: the aerospace and petrochemical
industries. Comparing these two industrial segments over a span of 60 years of technical
evolution, the offshore drilling industry has built up the capability to drill in locations
ranging from coastal shallows, swamps, rivers and lakes to pack ice, deep water and exposed
locations subject to extreme weather conditions, while the aerospace industry has developed
fly-by-wire aircraft, reusable launch rockets and populated Mars with high-tech exploration
vehicles [1] [2]. But this came at a cost, a high cost that brought, at the same time, process
losses, business termination, sociocultural changes, and fatalities. Although the aerospace
industry had implemented several safety barriers in its operations since its beginning, some
major accidents occurred, notably Challenger (1986) and Columbia (2003). On the other hand, the
petrochemical segment also had considerable incidents, such as Piper Alpha (1988), Texas City
Refinery (2005) and Deepwater Horizon (2010), causing heavy losses and global geopolitical
changes. All these accidents involved machines and systems operating at the very limit of
engineering.

2 Loss of Containment in High Tech Industries


High tech industries are workplaces characterized by an intense interaction between technology,
systems, and workers, forming a complex interconnection between these elements, designed to
achieve specific goals. In other words, each is a complex sociotechnical system, where there is
a massive interaction between people and equipment driven by technology. The notion of
sociotechnical systems is concerned with interdependencies both internally and externally.
Internally, self-regulating groups depend on one another to achieve the desired output
from the whole system. Externally, the system interacts with the environment, social and legal
regulations, and weather, and is open to disturbances or disruptions, sometimes with
undesirable demands that cause instability. This dynamic instability is generally referred to
as risk and, in extreme cases, can lead to a crisis [3]. Indeed, internal and external
disruptions in combined consonance, under an organizational culture of by-passing near misses,
led to the Challenger space shuttle disaster in 1986. Several years later, the same combined
consonance, under the same organizational culture, caused the Deepwater Horizon oil rig
explosion and sinking in 2010. Despite being distant in time - 24 years - and in industrial
segment - aerospace and O&G - both accidents have several characteristics in common. Of these,
the most prominent are the high technology employed, the high professional qualification
required, and the culture, mistaken at the time, that anything was possible, as long as the
schedule was maintained.

2.1 Challenger space shuttle disaster in 1986

The loss of containment of solid fuel in one of the SRBs (Solid Rocket Boosters) of the
Challenger, caused by a failure of elastic resilience in a rubber O-ring 1/4 inch in diameter
and 40 feet long, was the last event in a complex and intricate chain of events that caused the
shuttle explosion. Besides the O-ring malfunction, the official NASA investigation report for
STS-51L found a flawed decision-making process: inadequate procedures for reporting problems
and faulty information flows throughout the organization. Communication problems were also
identified, since the report on the O-ring problems from the contractor Morton-Thiokol
did not properly reach all hierarchical levels or was misinterpreted [4]. This report
contained relevant information, from previous years and previous flights, that the O-rings
could be compromised at low temperatures. This rubber piece was a key element of the whole
system, since the Morton-Thiokol SRBs were composed of four hull segments filled with powdered
aluminum (fuel) and ammonium perchlorate (oxidizer) [5]. These segments were assembled
vertically at the launch site, with the O-ring rubber seals installed between each fuel
segment. Figure 1 presents (a) the orthographic view of the O-ring, (b) the schematic view of
the O-ring, and (c) the O-ring seal being installed at the launch site.

Figure 1 (panels a-d): The O-ring characteristics, installation, and previous malfunctions.
Source: Junge & Leckart, 2020.

Figure 1 (d) presents a picture from one of several reports made by Morton-Thiokol to NASA,
showing the LOPC (Loss of Primary Containment) at the O-ring, breaching the primary and
redundant protections provided by the set. According to NASA internal regulation, the
compromise of the redundant barrier is a sufficient reason for grounding launches. In fact,
however, NASA believed that this LOPC was within the safe limits of operation and pressed that
perception on Morton-Thiokol through their contractual relationship [5]. This pressure
between companies, hiring and contractor, is also very present in the O&G industry and
contributed to the Deepwater Horizon accident as well. As the shuttle ascended, one set of
these O-rings, on a lower part of the right SRB, did not have enough elastic resilience to seal
the joint because of the freezing ambient temperatures, allowing a loss of containment. Hot
gases bathed the hull of the cold external tank full of liquid oxygen and hydrogen until the
tank ruptured. At 73 seconds after liftoff, at an altitude of 9 miles, the shuttle was torn
apart by an explosion. In Figure 2 it is possible to see, in the black circle, the plume
originated by the O-ring failure.

Figure 2: The loss of containment (“plume”) during liftoff.


Source: Junge & Leckart, 2020.

A culture of “We can achieve anything, we put man on the moon!”, rooted in all of NASA’s
hierarchical structures, while making it possible to reach the limits of engineering and
technology, allowed a myopic impression that small signs, near misses, and LOPC were not that
relevant to safety. The several reports from Morton-Thiokol to NASA technically explained all
the scenarios, with a few of them carrying a clear “red alert” that if the launch schedule was
maintained, postponing the redesign of the joints, the likelihood of a catastrophic failure
would increase [4]. In addition, critical information that the launch should be canceled when
the ambient temperature is below 53 °F was also systematically ignored [5]. On the day of the
launch, the local temperature in Florida was around 38 °F, dangerously below the safety
recommendation. Analyzing all this information from the human factors perspective, which
will be explained shortly, it is possible to see that this accident had issues in the four
dimensions of this approach: environmental, due to the freezing temperatures; technological,
due to the O-ring resilience; individual, due to the flawed decision-making process; and
organizational, due to the constraints in the business relationship between hiring company and
contractor.

2.2 Deepwater Horizon oil rig disaster in 2010

On April 20, 2010, the blowout of the Macondo offshore oil well, acquired by BP (British
Petroleum), resulted in explosions and an uncontrollable fire onboard the oil rig Deepwater
Horizon. Eleven people lost their lives, 17 were seriously injured, and 115 of the 126 people
onboard were evacuated. The oil rig sank 36 hours later, and the Macondo well discharged
hydrocarbons into the Gulf of Mexico for nearly three months before it was contained, resulting
in the worst environmental disaster in the USA offshore area and one of the largest ecological
disasters ever experienced [7]. At the time of the explosion, the well was to be drilled to
18.360 feet below sea level and subsequently completed as a production well. Production casing
was being run and cemented at the time of the accident, and the drilling company had not
performed a regular integrity test, with adequate waiting time for the cement to cure, because
the drilling plan was delayed and BP’s schedule had to be maintained [8]. This accident
involved the same pressure between companies noted in the Challenger disaster, in this case
between BP, the owner (lease) of the oil field, Halliburton, the cementing contractor, and
Transocean, the oil rig owner and operator. At the beginning of 2000, BP was implementing
structural and organizational changes, modifying its company culture and business drivers,
especially through mergers (Standard Oil, Arco, Amoco). After taking over Amoco in 1999, BP
started a worldwide cost-reduction program, ordering 25 percent cuts in refineries and
pipelines that led, according to various reports, to a major accident at Texas City, Texas, in
2005 and a major spill the next year at a Prudhoe Bay, Alaska, pipeline [9]. The business
relationship between BP, Transocean and Halliburton in Deepwater Horizon is presented in
Figure 3.

Figure 3: The relationship between BP, Transocean, and Halliburton in Deepwater Horizon.
Source: CSB, 2010.

These mergers and this dependency on contractors gave BP business agility in the O&G
industry, but also provided an inadequate view of risks for the level of complexity of the
sociotechnical systems that formed its workplaces. Loss of Primary Containment (LOPC),
being ignored or considered “normal”, significantly altered the safety of its industrial
plants. In Deepwater Horizon, near misses and signs which precede accidents were reported
several times but were ignored or misunderstood. The US Coast Guard had issued pollution
citations eighteen times between 2000 and 2010, and had investigated sixteen fires and other
incidents; however, all organizations considered these incidents typical for Gulf of Mexico
(GoM) platforms. Some serious incidents were also reported, including one in 2008 in which 77
people were evacuated from the oil rig when it tilted and began to sink after a section of pipe
was incorrectly removed from the platform’s ballast system [11]. According to former workers,
LOPC of hydrocarbons, drilling fluid and other substances was constantly observed onboard,
despite being reported and fixed several times [12].

According to BP’s official report [13], a bubble of methane gas escaped from the well and shot
up the drill column, expanding quickly as it burst through several seals and barriers before
exploding, causing the blowout, followed by a fire that engulfed the platform. The ignition
source, preliminarily identified by BP, was the released gas entering the air intakes of the
diesel generators and engulfing the deck area where the exhaust outlets for the main generators
were emitting hot exhaust gas. Analyzing the reports issued by the Chemical Safety Board [10],
the National Commission on the BP Deepwater Horizon Oil Spill and Offshore Drilling [14], and
the National Oceanic and Atmospheric Administration [12], it is possible to list some major
factors that contributed to this accident, which are:

1. Reduced diameter casing, compromising mud circulation;
2. The valves which prevented cement backflow did not close properly;
3. Cement curing was inadequate (earlier);
4. Wrong interpretation of the pressure test;
5. Rising oil and gas parameters were not properly monitored;
6. Fail-safe system in the BOP was unable to close.

Forensic analysis of the BOP determined that a set of massive blades known as blind shear rams
- designed to slice through the pipe carrying oil - had malfunctioned because the pipe had bent
under the pressure of the rising gas and oil. The blind shear rams were activated sooner than
determined by procedures, puncturing the pipe, but not enough to slice it and close the well
[15]. This accident caused a loss of containment of 4.9 million barrels of oil, during 87 days
of leakage. In 2021 there were still actions to recover marine life [12]. In Figure 4 it is
possible to see the ROV subsea footage of the uncontrolled well. According to NOAA, this is the
biggest disaster in the history of the North American offshore oil industry.

Figure 4: Subsea footage of the uncontrolled well of Deepwater Horizon.


Source: CSB, 2011.

Analyzing all this information from the human factors perspective, which will be explained
shortly, it is possible to see that this accident had issues in the four dimensions of this
approach: environmental, due to the offshore operating conditions; technological, due to the
BOP malfunctioning; individual, due to the wrong interpretation of the pressure test; and
organizational, due to the constraints in the business relationship between BP, Transocean, and
Halliburton.

3 Human Factors Approach in Process Safety Analysis


The Human Factors approach is not only a human element analysis of a given scenario; it is
much more than this. It is a comprehensive and systemic analysis of all the factors that may
affect human performance, starting from the human element rather than focusing only on it.
In this sense, Human Factors are all factors that can influence human performance
in work activities. These factors act together, merged, and may be technological,
environmental, organizational, and individual, among others. Notice that a human factors
analysis considers four major segments and is not limited to the individual, which could lead
to a simplistic and mistaken analysis of human errors. Indeed, human failure, which is included
here in the individual dimension, will always be present, but in much smaller proportions than
previously considered. This becomes clear when the analysis of human factors identifies
technological, environmental and organizational elements that cause accidents and influence
human performance. A graphic representation of this approach is presented in Figure 5.

Figure 5: Graphic representation of Human Factors.


Source: França et al., 2020.

The idea is that, during the events leading up to accidents, people act in a way that makes
sense to them at the time. All their knowledge, training, experience, organizational culture,
and input from the environment combine to influence the decisions made and the actions taken.
For the International Association of O&G Producers, in a simple way, “Human Factors addresses
the interaction of people with other people, with facilities and with management systems in the
workplace” [18]. Additionally, integrated with the human factors approach, there is the natural
evolution of workplaces, especially due to the technological evolution of machines, devices and
systems. As a result, and also as part of this evolution, the modern complex sociotechnical
systems emerge, in which, through technology, workplaces are places of intense interaction
between workers, machines, environments, systems and processes [19].

Analyzing the accidents presented in this research, Challenger (1986) and Deepwater
Horizon (2010), from a Human Factors perspective, it is possible to identify elements, in
addition to the individual ones, that contributed to these accidents. It is therefore possible
to provide preventive and mitigating barriers for process safety by understanding the process
scenario in all its dimensions: technological, environmental, individual, and organizational.
However, since these accidents occurred in complex sociotechnical systems, a tool, a
methodology, is needed that adequately models these systems. The Functional Resonance Analysis
Method (FRAM) is a methodology for analyzing and describing the nature of workday activities.
Because of its structure, it can be used to analyze past events in a complex system, such as an
accident investigation, as well as possible future events, such as the human factors
recognition and analysis in a drilling unit of an offshore drilling rig [17]. Considering the
Challenger accident analysis and documents presented here, as well as using the FRAM, the
modeling of this event, considering the four dimensions of Human Factors (individual,
technological, environmental, and organizational), is presented in Figure 6.

Figure 6: FRAM modelling of the Challenger accident (1986).


Source: Authors, 2020.

Similarly, considering the Deepwater Horizon accident analysis and documents presented here,
as well as using the FRAM, the modeling of this offshore disaster, considering the four
dimensions of Human Factors (individual, technological, environmental, and organizational), is
presented in Figure 7.

Figure 7: FRAM modelling of the Deepwater Horizon accident (2010).


Source: Authors, 2020.

4 Conclusions
Companies whose workplaces have systems and machines operating at the very limit of
engineering, requiring several interactions by highly trained workers, characterize and form
the so-called complex sociotechnical systems. In this research, analyzing the Challenger and
Deepwater Horizon accidents, it could be noticed that despite the different segments -
aerospace and O&G - there are several similarities between the complex sociotechnical systems
that form both workplaces. The near misses and small signs of LOPC in both accidents showed
that the organizational culture of a company can undermine safety procedures and barriers,
causing a short-sighted risk perception at the sharp end, feeding the complex chain of events
that leads to an accident with large losses of containment. The FRAM modelling of both
accidents showed that the balance of the business relationship between hiring company and
contractor is delicate, insofar as the contractor’s technical-financial interdependency is used
as a pressure element, so that rules, good practices and procedures are interpreted in a more
business-friendly manner, leaning toward the hiring company. In both accidents, this leaning
was translated into a reduction in the safety of operations by increasing tolerance to imminent
risks.

The complex connections between the functions of the FRAM models presented show that these
analyses of the organizational dimension of accidents are not something simple and linear, but
something intricate, which depends simultaneously on subjective elements, such as the
companies' culture, and objective elements, such as the type of O-ring and the cement curing
time. Traditional risk assessment tools and methodologies cannot adequately find these complex
sociotechnical relations, which compromises the effective analysis of the accident or, at
worst, brings a misinterpretation. In this sense, when seeking to promote process safety in
workplaces of high complexity and technology, such as those presented in this research, an
analysis of human factors, in addition to identifying the linear elements present, also
identifies the interactions and complex elements, comprehending the technological, individual,
environmental and organizational dimensions. The latter, organizational, plays a crucial role
in both productive and safety performance, as can be seen in the developed FRAM models.

Therefore, for high tech industries, such as aerospace and O&G, which were studied here, but
also civil aviation, nuclear and maritime shipping, to develop an adequate accident analysis,
or an effective risk assessment, that in fact comprehends their workplace complexities and
interactions, it is necessary to simultaneously analyze the organizational, individual,
technological and environmental elements of a company. Losses of containment in the processes
of these industries cannot be mistakenly interpreted as just an aperture where there is a leak,
but rather as the result of a chain of complex events, where worker behavior, company culture,
business decisions and the environmental temperature act together in an integrated, linked way
in the occurrence of an event. The human factors approach, which comprises these dimensions and
interactions, allows an adequate analysis of complex sociotechnical systems, identifying micro
and macro elements of the work. With this approach, thus, in addition to adequately dealing
with the system’s complexity, it effectively allows the development of solutions for process
safety in high-tech plants, promoting safe and productive operations.

5 References
[1] D. McKenzie, “Dealing with risk in offshore drilling,” Stand. Bull. Offshore Spec. Ed.
Oct. 2010, no. 32, pp. 5–11, 2010.
[2] S. Hubbard and B. Nye, “The Rover Becomes Rovers,” in Exploring Mars : Chronicles
from a Decade of Discovery, 1st ed., University of Arizona Press: ProQuest Ebook
Central, 2012, pp. 82–89.
[3] K. Foster, “What Is A Socio-Technical System And Why Is It Important For Risk
Management,” Security Solutions, Sidney, Australia, Nov. 2018.
[4] D. Vaughan, The Challenger Launch Decision: Risky Technology, Culture, and Deviance
at NASA, Enlarged E. New York: University of Chicago Press, 2016.
[5] A. J. McDonald and J. R. Hansen, Truth, Lies, and O-Rings: Inside the Space Shuttle
Challenger Disaster, 1st Ed. Boca Raton, FL: University Press of Florida, 2012.
[6] D. Junge and S. Leckart, Challenger: The Final Flight. United States: Bad Robot
Productions, 2020.
[7] Transocean, “Macondo well incident Volume I,” vol. I, no. June, 2011, [Online].
Available: http://www.iadc.org/wp-content/uploads/2016/04/TRANSOCEAN-Macondo-Well-Incident-Investigation-Repport-Volume-I.pdf.
[8] T. Shroder and J. Konrad, Fire on the Horizon: The Untold Story of the Gulf Oil Disaster,
Larger Pri. New York: HarperLuxe, 2011.
[9] C. Perrow, The Next Catastrophe - Reducing Our Vulnerabilities to Natural, Industrial,
and Terrorist Disasters, Kindle Ed. Woodstock, Oxfordshire, UK: Princeton University
Press, 2011.
[10] CSB, “Explosion and Fire at the Macondo Well,” New Orleans, Louisiana, 2010.
[11] B. Cavnar, Disaster on the Horizon: High Stakes, High Risks, and the Story Behind the
Deepwater Well Blowout. 2010.
[12] NOAA, “Deepwater Horizon Oil Spill Final Programmatic Damage Assessment and
Restoration Plan and Final Programmatic Environmental Impact Statement,” 2017.
[Online]. Available: https://oceanconservancy.org/wp-content/uploads/2015/11/Chapter-4_Injury-to-Natural-Resources1-1.pdf.
[13] R. G. Bea, “Risk Assessment and Management : Challenges of the Macondo Well
Blowout Disaster 1 Looking Back 2 Lessons from Failures of Offshore Oil and Gas
Systems 3 Defining Failures 4 Defining Systems,” Offshore Oil, no. January, pp. 1–41,
2011.
[14] C. Summerhayes, Deep Water - The Gulf Oil Disaster and the Future of Offshore
Drilling, vol. 30, no. 2. Louisiana, US: National Commission on the BP Deepwater
Horizon Oil Spill and Offshore Drilling, 2011.
[15] CSB, “Deepwater Horizon Blowout Preventer Failure Analysis Report - CSB-FINAL
REPORT-BOP (06-02-2014),” New Orleans, Louisiana, 2014.
[16] CSB, “Investigation Report - Drilling Rig Explosion and Fire at the Macondo Well,” New
Orleans, Louisiana, 2011.
[17] J. França, E. Hollnagel, I. J. A. L. dos Santos, and A. N. Haddad, “Analysing human
factors and non-technical skills in offshore drilling operations using FRAM (functional
resonance analysis method),” Cogn. Technol. Work, 2020, doi: 10.1007/s10111-020-00638-9.
[18] IOGP, “Demystifying Human Factors : Building confidence in human factors
investigation understand facilitate,” 2018.
[19] J. França and E. Hollnagel, “Safety-II Approach in the O&G Industry: Human Factors and
Non-Technical Skills Building Safety,” in Rio Oil & Gas Expo and Conference, Rio de
Janeiro, RJ, Brazil, 2020, no. December, doi: https://doi.org/10.48072/2525-7579.rog.2020.497.
