Safety Critical Task Analysis

Article by Andrew Livingston, Conor Crowley CEng FIChemE and Shaista Bibi AMIChemE

Andrew Livingston, Shaista Bibi and Conor Crowley provide practical advice on this key risk management technique

HUMAN error is often cited as the cause of many accidents, from Chernobyl and Three Mile Island, to Deepwater Horizon. Many aeroplane incidents are similarly put down to human failure, including the recent Boeing 737-Max8 crashes. However, it’s never quite as simple as that, and in many cases, the human is the most flexible and adaptive part of the system and can often prevent a major incident.

A prime example of this was Captain Sullenberger’s amazing emergency landing in the Hudson River, US, in 2009, when the plane suddenly became a glider as the engines were taken out by birds. The flight crew had never been trained to glide an airliner; they had never been trained to land in the water; and they had never been trained to land without power. Despite this, Sullenberger and the crew quickly and calmly assessed the situation, decided that a ditching in the Hudson was the best course of action and executed it successfully.

Interestingly, there was an automation aspect to the landing that is not widely known. To minimise the vertical impact velocity, Sullenberger had planned to pull the nose up to the upper limit just before landing, but this was prevented by the plane’s software, which stopped his nose-up command 3.5 degrees short of the upper limit. Consequently, the vertical impact speed was higher than it would otherwise have been, and the rear fuselage structure was breached to the extent that a flight attendant was injured, and water entered the plane. In this case then, automation that was intended to improve safety and comfort hindered the most adaptable part of the system: the pilot.

As engineers, it’s not enough for us to just accept human error as a fact of life and do nothing to address it. In fact, there is much we can do in design and operation of our facilities that can make a significant difference to the likelihood and consequences of any potential error.

SCTA

Safety critical task analysis (SCTA) is a powerful tool in our toolkit and can play a big part in our efforts to make things better and easier. Its purpose is not necessarily to identify opportunities to remove the human from the system, but to ensure the operator is effectively supported via the identification of improvements such as those related to system, equipment, environment and task design, operational arrangements, procedures, and training, which in turn should lead to improved safety, environmental, and cost performance.

In major accident hazard (MAH) industries, managing human failure is a key component of risk management. SCTA concerns the tasks in which human failure could undermine the control of MAH events, or affect the mitigation of, or recovery from, them. The focus of the assessment is the barriers established to mitigate MAH risks that rely on human performance.

No matter how well barriers and lines of defence are established, if the impact of the interaction of people with those barriers is not assessed then they may well be defeated due to ineffective inspection, maintenance and operations. As highlighted by the HSE, we need to manage human error “as robustly as technical and engineering measures”.

Extensive and authoritative guidance on SCTA is available from the Energy Institute and the HSE (see further reading), and those documents in turn point to further material. The aim of this article is not to review that guidance but to provide an overview of the SCTA process and, based on project experience, to highlight some practical issues for consideration associated with a few key steps in that process.

Table 1 (adapted from Reference 1) presents an overview of the SCTA process.

Firstly, how should we go about identifying the safety critical tasks?

Table 1: Managing human failure – SCTA process

Steps 1 and 2

In some of our projects, the identification of MAHs and barrier risk assessment has been supported by reviews of bowtie analyses and other safety studies as key inputs to the SCTA. In other projects where such studies were unavailable, the initial identification of MAHs was based on attendance at HAZOPs and dedicated workshops which involved subject matter experts and operators who understand the process, the risks and how the work is done in practice.

When assessing the effectiveness of barriers, we have to identify those which are reliant on human performance, as staff will have a key role in the operation, testing and maintenance of barriers. Activities which contribute toward the effectiveness of the barriers are identified as safety critical tasks, as any human errors associated with the execution of these critical tasks could lead, directly or indirectly, to major safety and/or environmental incidents and accidents.

Safety critical tasks can be grouped into three types:

  • Pre-initiators – maintenance, testing and calibration tasks in which a human failure could lead to the loss of a safety function in a line of protection.
  • Initiators – tasks in which a human failure could lead to the occurrence of a MAH event.
  • Post-initiators – tasks required in response to a MAH event in which a human failure could result in failure to control, mitigate or recover from the event.

From this review, the relevant procedures associated with the control and mitigation of each MAH are identified. It is important that the procedures are those used directly by staff on site rather than reference manuals, training material and policy documentation. We also need to consider if there are other safety critical tasks which are not covered by procedures and ensure these are clearly defined. Examples of safety critical tasks typically associated with MAH controls are listed in Table 2.

On a large site there may be several types of MAH and many safety- and environmentally-critical tasks associated with barriers. This means that the SCTA process can be resource intensive if a quality outcome is to be achieved. It is therefore important that we focus effort on identifying where the impact of human error would be high, screening and prioritising the identified safety critical tasks so that the most significant risks are reduced in a cost-effective manner. The depth of analysis needs to be appropriate to the severity of the consequences of failure of the task.

Once a safety critical task inventory is compiled, the tasks should be prioritised based on the consequences of task failure and the degree of human involvement. Simple risk matrices with guidance tables are included in Reference 1.

Table 2: Examples of safety critical tasks

Article By

Andrew Livingston

Associate Director within the Human Factors team in Atkins


Conor Crowley CEng FIChemE

Chief Process Safety Engineer at Kent


Shaista Bibi AMIChemE

Graduate Submarines Engineer
