Sunday, July 30, 2017

eJSA (electronic Job Safety Analysis) - A new name for a screwdriver?

The title of another article in the May issue of Hydrocarbon Processing had me thinking a bit about who does what in our refineries or chemical plants. The title was "Prevent human-created hazards with improved job safety analysis" by Mike Sawyer and Pathum Jayawardena.
Refineries and chemical plants by their nature process flammable and toxic substances. Such substances pose hazards if they are not handled properly. But the above-mentioned article made me think: Who creates the hazards?
And Sawyer and Jayawardena are right, the hazards are created by humans! The humans who design our refineries and chemical plants. They go on to argue that since the hazards are created by humans, they can be controlled by humans, and they further state that the needed engineering is sound, practicable and available (Did they get the sequence wrong?). Therefore, they conclude, the reason we continue to have incidents is incomplete and inappropriate implementation of the engineered preventive measures. So there is a problem with the engineering.
A very simple advice about what to do before you start a job.
To my surprise they go on to suggest that the solution to the problem is job safety analysis. Do they mean job safety analysis of the engineering job? No. They actually appear to think, that the solution to an engineering problem is job safety analysis.
JSA is all about stopping and thinking before you start a job. Commonly JSA is performed as a dry run of the job to be done. The dry run is performed away from the hazards, e.g. in a meeting room, and the purpose is clearly to make the person who is going to do the job aware of the hazards and how to avoid their negative consequences. However, in these modern IT times the authors suggest using an electronic JSA or eJSA. A plus for the eJSA should be that participants don't all have to be in the same location.

Here Sawyer and Jayawardena appear to increase both resource usage and bureaucracy by stating that a trained hazard analysis facilitator should guide all involved through the analysis. Wait a minute! What is a hazard analysis facilitator? It is a position which I have not heard about before. I think it would be more appropriate to use a JSA facilitator. In the company where I started my career they were called supervisors. Then the authors state that a member of management or a designated representative must sign the form prior to the work being performed. Do they really mean the eJSA form? I think the permit to work form used in all refineries and chemical plants I have been in is the form that gives permission to actually carry out the job, and that form is - depending on severity of the hazards - normally signed by the shift superintendent.

Layout of Permit to Work System.
Specific types of permits may change from site to site.
The next suggestions are a bit fuzzy to me. Sawyer and Jayawardena suggest that "eJSA should provide a database of pre-determined prevention techniques", and go on to discuss details of the eJSA form - or is it a database?

Conclusion: What Sawyer and Jayawardena are discussing in their article in the May issue of Hydrocarbon Processing is normally called a Permit to Work (PW) system. And if a job requires personnel to perform highly hazardous jobs, then the PW form includes a JSA.

PS: Maybe it is not a good idea to have school teachers write articles in Hydrocarbon Processing. At least that is my opinion.

Saturday, July 29, 2017

How can you improve human performance? Or should you try something else?

In the May issue of Hydrocarbon Processing the article "Human reliability - a disruptive innovation" by Barry Snider puts the focus on the humans in our refineries and chemical plants, with the point of view that basically we pay too much attention to the reliability (performance) of physical objects and too little to the reliability (performance) of humans. We extensively measure the former at a huge cost, but spend little on understanding, measuring, monitoring and improving the reliability (performance) of humans. Mr. Snider goes on to state that this requires knowledge of the sciences of organization and behavioral psychology. Somehow I think the author doesn't clearly understand the difference between failures and failure mechanisms.

Mr. Snider states "Just as chemical, mechanical, electrical and thermal stresses produce failure mechanisms in equipment, then psychological, emotional, physical and social stresses produce failure mechanisms in human behavior", and goes on to list contributing factors like miscommunication, complacency, distraction, pressure, resource allocation, lack of knowledge, lack of awareness, stress, fatigue, lack of assertiveness, lack of teamwork and normalization of deviance. These factors are all person-related factors. Unfortunately the source of information is aviation. In the process industry, factors which influence human behavior are called Performance Influencing Factors (PIF). PIFs include job factors, person factors and organisational factors.

Mr. Snider goes on to cite well-known models of human behavior, such as Jens Rasmussen's stepladder model, which actually describes human action-decision in different tasks ranging from skill-based over rule-based to knowledge-based. Unfortunately he then focuses on the THERP model. THERP stands for Technique for Human Error Rate Prediction, and this is a linear task model which is mainly suited for skill-based task analysis. Many tasks performed by humans in refineries and chemical plants fall in the categories rule-based and knowledge-based. The accident model shown above is from the HSE in the UK.

Many of the operator improvement activities I am aware of in refineries and chemical plants appear to focus on the improvement of individual skills and behavior. I wonder if by changing from focusing on individuals to focusing on improving teams the hydrocarbon industry could make significant gains in process safety, environmental protection and human health? A team could be as small as a shift team or as large as a process operating team, e.g. the team operating a polyethylene plant or a team operating a number of gas crackers. Take a look at the following information about high performing teams at Google, and please let me know what you think.

Google is one of the companies which have focused on human performance, and especially team performance. They studied 180 teams, and on Google's Re:Work website Julia Rozovsky outlines the five key characteristics of enhanced teams:
  1. Dependability: We count on each other to do high quality work on time.
  2. Structure and clarity: Goals, roles, and execution plans on our team are clear.
  3. Meaning: We are working on something that is personally important for each of us.
  4. Impact: We fundamentally believe that the work we're doing matters.
  5. Psychological safety: We take risks on this team without feeling insecure or embarrassed.
Michael Schneider at Inc. expands on the fifth characteristic. He states that teams with psychologically safe environments had employees who were less likely to leave, more likely to harness the power of diversity, and who were ultimately more successful.
I wonder if we - and especially safety professionals - have focused too much on the differences between teams in a chemical plant or refinery, e.g. an operating team for a gas cracker or a polyethylene plant, and the teams working at Google. However, I cannot think why the five characteristics listed above should not also apply to teams in process plants. Can you?
I keep coming back to one of Michael Schneider's remarks about psychological safety:
"But imagine a different setting. A situation in which everyone is safe to take risks, voice their opinions, and ask judgement-free questions. A culture where managers provide air cover and create safe zones so employees can let down their guards. That's psychological safety."
When I think back on my work-life, then I definitely see periods with a psychologically safe environment, and periods with a psychologically unsafe environment. And in retrospect it appears as if I performed better in the former environment.

Tuesday, July 25, 2017

Do you act, when you spot an unsafe situation?

In the May 2017 issue of Hydrocarbon Processing the situation below was used at the start of a section called "Business Trends", and in the text the challenges of improving plant reliability and performance are discussed. The text ends with the words: "..,one glaring omission can be shown to have the most dynamic improvement in the shortest time, and at the lowest cost of implementation - human reliability."
What do you think about the situation in the picture? I immediately get concerned with a number of things. First, does this illustrate the thinking about human reliability at the editorial office of the publication? What is the man on the lower level doing there? Why is he looking at the workers above him? Is he shouting instructions to them? Why are the platform safety bars not at the right level to prevent falling down? Why are the workers manually handling a seemingly heavy iron I-beam?
What would you do if you encountered this situation on a walk around your facility? Do similar situations occur across the world?
In my view the situation raises so many questions that it should only have been used to illustrate an article about increasing occupational safety. Or maybe in a series of pictures illustrating the world's worst safety practices.

PhD student on diesel engine test stand
A few years ago a company sponsoring research in the CAPEC group at the Department of Chemical Engineering at the Technical University of Denmark started its presentation by showing a picture from the Department Annual Report of a PhD student on a diesel engine test stand (see above), and stated "..This is the behavior we don't encourage in our new employees." (Take a close look at what she is holding on to and stepping on!)

I think we can only improve human reliability by making the human work environment safer. That means having safety bars at a proper level on platforms. Instructing workers that when working at heights, a safety wire is attached from the worker to the platform. And don't stand directly below people working on a platform. And all the other little things, which some of us just take for granted.

Tuesday, May 30, 2017

Is embedded software safe enough? or Do you program/configure some of your systems using proprietary wireless programming units?

Today the Danish engineering news site reported some experiences a Norwegian security researcher has personally had with a pacemaker. Pacemakers are life-saving devices for people with certain heart faults. Now they contain embedded software and wireless interfaces unknown to the patient user. Here is a partial translation of the report from

"The Norwegian security researcher Marie Moe recently talked about "Hacking my own heart" at the Copenhagen Cybercrime Conference. Five years ago she passed out due to a heart failure, and was given a pacemaker. As an employee at NorCERT in Norway Ms. Moe soon got an interest in her newly implanted device. At the time she asked many questions of the doctors, including some about the safety of the hardware and software, which then made her heart beat."
"She decided to search for information herself, and found a technical manual on heart hardening using Google. In this she discovered that the pacemaker had two wireless communication options. One was an NFC interface to give programming access to the device, and that one she was aware of. It could be used for diagnosis, and by touching a screen on the programming device a doctor could make the heart go faster or slower or even stop. The second wireless interface could communicate over several meters, and was intended to send telemetric information via a box in the home to a server on the internet. The intended user was the health and pharma industry, but not the patient or her doctor. Ms. Moe remarked that given the certification process such devices are subject to, the technology providing the internet connectivity would probably be 15 years old."
"At one point while climbing some stairs Ms. Moe suddenly felt like an 80-year old. She later had the same experience while running for a bus. After several months of pacemaker studies it turned out that there was an error in the pacemaker interface. In the default configuration the pacemaker was set to an upper pulse of 160 beats per minute. So when this was reached the pacemaker would change the pulse to just 80 beats per minute. It turned out that the NFC programming device showed a different max-pulse level than what was actually programmed into the pacemaker."
"Ms. Moe had another bug experience last year on the way to a conference in Amsterdam, when she could suddenly see her chest muscles move. It was probably caused by cosmic radiation, which caused bit flips in the memory of the device, so it could not access memory as intended. Since the different pacemaker manufacturers use different and non-compatible devices for programming, Ms. Moe had to wait for proper equipment to arrive to factory reset her pacemaker. That naturally re-introduced the old bug, which Ms. Moe had discovered earlier."
"So how is software on a pacemaker being updated? Well, a USB-key from the provider is inserted in the programming unit, which then uploads the code to the pacemaker.  At the end of the presentation Ms. Moe showed herself in a half marathon, so the pacemaker is working today."
Why is this story relevant for the process safety and control community? Because of the multitude of electronic programmable devices which have entered the process industry during the past twenty years, and just sit out there in the plants doing their thing, without anyone thinking about bugs.

The question which springs to mind after reading about Ms. Moe's experience with radiation influencing her pacemaker is whether the smart instrumentation in our modern plants can experience similar malfunctions. If or when they do, are we then prepared to deal with them?

Source of original story in Danish here: 

Saturday, April 15, 2017

CSB is fighting for its life - fight with it!

The new American president has apparently decided in his suggested budget to remove anything which he doesn't understand, and use the money on the military - at least that is how I read what has been reported in the media (even though the president wants us to believe that we can't trust the media). One of the things the president doesn't understand is the role the Chemical Safety Board (CSB) plays in saving Americans by investigating a few of the many accidents that each year just happen at US chemical and refining facilities.

The CSB has an annual budget of just US$ 11,000,000, which helps protect American workers. By comparison the budget for protecting the American people is US$ 580,300,000,000 - or more than US$ 66,000,000 each hour of the year or US$ 11,000,000 every 10 minutes. That is six times the CSB budget. Both the US CSB and the US Military help protect Americans, and that is the message which the US president needs to understand.

I am not always pleased with the focus of the investigation reports and case studies issued by the CSB. Those viewpoints were presented at the 2013 International Symposium on Loss Prevention and Safety Prevention in Florence, Italy in a paper titled "How Could CSB Investigation Reports Be Improved?" (copy can be requested by email to However, although there may be things to improve at the CSB, it contributes to improved process safety for workers and neighbors of chemical facilities. One example of this is the CSB investigation of the explosion on August 28th, 2008 at Bayer Crop Sciences in Institute, West Virginia. This facility used to be owned by Union Carbide, but was after the 1984 disaster in Bhopal, India involving the release of highly toxic methyl isocyanate acquired by Dow Chemical in 2001. Later the facility in Institute was acquired by Bayer, and at the time of the incident it was part of Bayer's Crop Sciences Division.

However, even in 2008 methyl isocyanate (MIC) was still used at the facility in Institute, and a tank with MIC barely escaped damage in the 2008 explosion. However, today MIC is no longer used at the Institute facility. This in my view can be credited to the CSB investigation report, which was highly critical of the continued use of MIC at the Institute facility. Other companies, such as DuPont, after 1984 moved quickly to eliminate any storage of the intermediate MIC at their facilities worldwide. Dow Chemical and Bayer were slower to do this, but have caught up. Today, thanks in part to the CSB investigation of the 2008 explosion, it is safer to live in Institute, West Virginia than it has been for many years.

Institute is in the Kanawha Valley, which in the late eighties and early nineties became well known in the international safety community for a local group of volunteers, which forced companies in the area to tell their neighbors - and hence the world - about the toxic chemicals at their facilities and the worst case events which they could cause. The result was the creation of Local Emergency Planning Committees, and also in Sarnia's Chemical Valley a similar initiative to have companies tell the public about the impact on the community of possible worst case accidents, and the efforts of industry to avoid such events.

The idea that safety pays is not new. Some years ago the European Process Safety Centre had a video on this subject created, which you can view and order here (watching the video online requires Flash 8, so it won't work in Chrome). I am happy that the CSB now - a bit late - also beats the same drum. Read about that here in CSB's own words. Help save the CSB by sharing messages such as this one in the process safety community - and if you are American maybe also share these messages with your representatives in Congress.

PS: Thanks in part to the European Union, in Europe we have a different approach to process safety than the US. Authorities here don't prescribe solutions, just tell companies that they are not allowed to kill people or pollute the environment if they want to keep their licence to operate.