ARTICLE IN PRESS

Reliability Engineering and System Safety 92 (2007) 17641773

www.elsevier.com/locate/ress

Integrating human factors into process hazard analysis

S.G. Kariuki, K. Lowe
Technische Universitat Berlin, Institute of Process and Plant Technology, Sekr. TK0-1, StraX e des 17. Juni 135, 10623 Berlin, Germany
Available online 19 January 2007

Abstract
A comprehensive process hazard analysis (PHA) needs to address human factors. This paper describes an approach that systematically
identies human error in process design and the human factors that inuence its production and propagation. It is deductive in nature
and therefore considers human error as a top event. The combinations of different factors that may lead to this top event are analysed. It
is qualitative in nature and is used in combination with other PHA methods. The method has an advantage because it does not look at
the operator error as the sole contributor to the human failure within a system but a combination of all underlying factors.
r 2007 Elsevier Ltd. All rights reserved.
Keywords: Process hazard analysis; Human factors; Human error; Analytical hierarchy process

1. Introduction
Statistics show that majority of accidents (over 80%) in
the chemical and petro-chemical industries have human
failure as a primary cause [1,2]. A survey conducted by the
Technische Universitat Berlin (TUB) indicates that 64% of
total incidents are due to human failure [3]. Texas City
Disaster in 1947, Bhopal in 1984, Piper Alpha disaster in
1988 and Texaco Renery re 1994 all have human errors
either as a direct cause or indirect cause. Regulators have
realised that the role of human in the system safety is not
being sufciently addressed and therefore have moved in to
intervene. The Seveso II directive, whose aim is prevention
of major hazards, calls on operating companies to
demonstrate that human factors have adequately been
addressed during the design of a plant. ISO 13407, the
standard for human-centred design processes for interactive
systems states that, The application of human factors and
ergonomics to interactive systems design enhances effectiveness and efciency, improves human working conditions,
and counteracts possible adverse effects of use on human
health, safety and performance [4].
The failure to sufciently address human-related issues
during the process hazard analysis (PHA) is contributed by
two factors. First is that much emphasis has been on the
Corresponding author.

E-mail address: katharina.loewe@tu-berlin.de (K. Lowe).

0951-8320/$ - see front matter r 2007 Elsevier Ltd. All rights reserved.
doi:10.1016/j.ress.2007.01.002

technical design. Most designers are interested in developing process plants with high reliability. Therefore, hazards
arising from the technical failures dominate risk analysis.
Yet, safety of a process plant is inuenced by the quality of
design, operational and organisational factors. Secondly,
most of the work on human failure focuses on symptoms of
human error rather than the underlying causes [5].
Literature review shows that a lot of work has been done
on human error analysis and human error prediction.
Human reliability analysis (HRA) deals with deviation of
numerical operator error probabilities for the use in fault
tree analysis [6]. Not long ago an investigation into
individual accidents usually concluded with an active
failure, that is, a human failure with an immediate adverse
effect [7]. Absolute quantication in HRA tended to be
biased against the actual source of human failure. Moreover, the available HRA data is plagued with uncertainties.
This calls for a more systematic and comprehensive
qualitative method for identifying sources and consequences of human failure. Unless we understand all these
indirect factors that lead to direct human failure, there are
slim prospects of reducing accidents or incidents caused by
operator errors.
This paper introduces a systematic method that goes a
step further than modelling the sharp end human error. It
captures the design and organisational factors that
inuences the operator performance. This methodology
will be used in the PHA to introduce the design/operator

ARTICLE IN PRESS
S.G. Kariuki, K. Lowe / Reliability Engineering and System Safety 92 (2007) 17641773

mismatches and management deciencies. These two

contribute to what is referred to as latent errors or
conditions [7,8].
2. The state-of-the-art of HRA
Currently there are several HRA methods in use
worldwide. Some of them were developed during the early
applications of HRA in nuclear power plants. The most
widely used are THERP [9] and success likelihood index
method, SLIM [10]. There are other recent developments
known as second-generation HRA methods like cognitive
reliability and error analysis method (CREAM) [11] and a
technique for human event analysis (ATHEANA) [12],
which mostly focus on cognitive error causes and mechanisms [13]. All these methods aim at transforming human
error events into human error probabilities (HEPs). The
limitations of the current HRA related to this study could
be summarised as follows:






HRA methodologies are not able to effectively identify

various causes of human errors. The observable results
of human actions are the main point of focus [14].
Inadequacy of data for human error analysis [11].
Effects of organisational, managerial and safety cultures
are not adequately considered in HRA [15].
There is no guidance on how to handle the performance
shaping factors (PSFs) associated with each human
error event [16].

It has been noted that the HRA in the nuclear industry is

more mature than in the chemical process industry. Some
of the methods have been tested in the nuclear domain but
we cannot borrow this on one to one basis because the
operating conditions and demands in both industries are
different.
3. Process hazard analysis
PHA is a systematic identication of potential hazards
and critical accident scenarios associated with processing of
hazardous chemicals. A comprehensive PHA should be
able to eliminate or control process hazards during the life
cycle of the plant. Both engineering and administrative
measures that are in place to control process parameters
should be addressed. How these controls are degraded by
technical failures, human failures or external events to lead
to undesired event(s) constitutes an elaborate PHA. Fig. 1
shows the accident causation model. This is key to
understanding the kind of barriers that are needed to
contain the propagation of an unwanted event. On the far
right of Fig. 1 are the barriers against undesired events.
Those that contain human error elements in them are
highlighted in bold letters.
The model shows that the basic initiating events of any
unwanted event are mechanical failure, human failure or
external events or a combination thereof. Human beings are

1765

the weakest link in any engineering system [17]. This is due to

the fact that all engineering systems rely on human
intervention in some respect. However, most PHA methods
do not give human failure the weight it deserves as a major
contributor to unwanted events. Human failure is more
complex than just a single operator action. To comprehensively address human failure, a broader perspective of process
plant should be envisaged. This includes the management,
procedures, training and other factors that have an inuence
on the base error [6]. It is critical to exhaustively identify all
the potential underlying causes of major undesired events
that can be attributed to the human operator.
A typical PHA comprises of the following:
(i) Identication of potential hazards.
All chemical and physical characteristics of the process
with the energy potential to cause damage to people,
property or environment should be identied. Hazards
exist when energy is stored beyond ambient levels. This
includes high temperature, high pressure etc. Humanrelated hazards are those that are related to the
operation of the plant and may cause degradation of
the system.
(ii) Evaluation of engineering and/or administrative controls applicable to the process hazards. This includes
evaluation of all human factors.
Initiating events could lead to process deviations. If a
deviation proceeds uncorrected it may lead to an
accident event. Engineering and administrative controls and protective measures should be evaluated to
establish how well the system could resist degradation
due to an initiating event. These controls include
alarms, procedures, operator training and emergency
relief among others. Human factors are important
when analysing the situations where the operator
interacts with the system. All factors that inuence his/
her performance should be analysed. However, there
are limited systematic methods for the inclusion of
human factors into the PHA. A tool for this purpose
has recently been developed by the American Petroleum Institute [18].
(iii) Identication of the potential consequences of failure
of the controls.
Consequence identication and analysis is important
in establishing the mitigation strategies. To undertake
a PHA, one of the following methods or a combination are widely used: what-if analysis, HAZOP,
checklists, failure mode and effect analysis, event tree
and/or fault tree analysis. In the process industry,
HAZOP is the most widely used.
4. Human factors
As indicated earlier, statistics show that human failure is
a major cause of undesired events in process industries.
However, the role insufcient design plays towards these
incident causations and the contributions of management

ARTICLE IN PRESS
1766

S.G. Kariuki, K. Lowe / Reliability Engineering and System Safety 92 (2007) 17641773

Fig. 1. Propagation of an accident scenario.

failures towards human error occurrence are not often

considered.
To sufciently address human failure, a human factors
approach is necessary. Human factors refer to environmental, organisational and job factors, and human and
individual characteristics, which inuence behaviour at
work in a way that can affect health and safety [19]. It takes
human as an integral part of plant design and procurement
from the earliest stages.
Fig. 2 [20], shows that an undesired event is a result of
latent conditions and active errors. Latent conditions do
not immediately affect the functioning of the system but in
combination with other factors like active operator error
and/or a local trigger (high temperature, high pressure)
they could result to a disaster. Latent conditions are results
of less-than-adequate design and management decisions [8].
5. Integration of human factors into PHA
Integrating human factors analysis into PHA helps to
identify, understand, control and prevent human-related
failures that can result to incidents or accidents during the
operation and/or maintenance of a process plant. The
methodology being developed acts as a systematic way that
the process hazard analyst would include HF in the PHA.
It involves identication and description of factors that
may positively or negatively affect human performance and

Fig. 2. Human factors contribution to undesired events.

therefore inuence the likelihood of operator error e.g.

well-labelled equipment is easy to locate. It is a simplied
hazard analysis method that provides means for evaluating

ARTICLE IN PRESS
S.G. Kariuki, K. Lowe / Reliability Engineering and System Safety 92 (2007) 17641773

1767

human-related hazardous scenarios and identifying human

factors that inuence each part of the scenarios. Operations
related errors could occur when the:

Table 1
Human factors areas of interest
Factors

Attributes

(a) Plants operations require physical, perceptual or

cognitive abilities that exceed those of the operator.
(b) Plant has inconsistent characteristics against expectation of the operator.
(c) Operating environment affects the physical, perceptual
or cognitive abilities of the operator.

Organisation (ORG)

A1 Human factors and safety policy

A2 Organisational culture
A3 Management of change
A4 Organisational learning (audit and
reviews)
A5 Line management and supervision

Information (INF)

B1 Training
B2 Procedures and procedure
development
B3 Communication
B4 Labels and signs
B5 Documentation

Job design (JD)

C1
C2
C3
C4

Work schedules
Stafng
Shifts and overtime
Manual handling

Human system interface (HSI)

D1
D2
D3
D4
D5

Design of controls
Displays
Field control panels
Tools (hand)
Equipment and valves

Task environment (TE)

E1
E2
E3
E4

Lighting
Noise
Temperatures
Toxicity

Workplace design (WD)

F1 Facility layout
F2 Workstation conguration
F3 Accessibility

Operator characteristics (OP)

G1
G2
G3
G4

A human factors analysis need to be introduced into the

PHA at the outset of a project to make sure that all humanrelated hazards have been analysed, reviewed and integrated. This approach strives to eliminate, where possible,
or minimise characteristics of a system (part of the plant or
whole plant) that require extensive cognitive, physical or
sensory skills or those that may require extensive training
or may lead to frequent error, health hazards or property
loss through accidents. Table 1 shows the areas of interest
for human factors consideration during the PHA. Where
operator actions/responses are needed, all these factors
need to be considered because they directly affect operator
performance. Some of these methods are considered as
PSFs in HRA methods but most that fall under organisation and facility design are rarely or never considered.
The same case applies to an accident scenario. The
accident propagation model in Fig. 1 could be simplied to
three steps, see Fig. 3. For each accident scenario, factors
leading to initiating and inuencing pivotal events should
be identied. Completeness of analysis of factors (referred
to as contributing factors) that inuence these events are
key to successful hazard analysis. This is because the
frequency of the end impact event is the intersection of
frequencies of the initiating event and pivotal events 1 to N.
Pivotal events could prevent, protect or mitigate the
deviation or aggravate the situation. Human-related
initiating events could be triggered by various factors.
These factors could originate from organisational failures,
facility design error or operator error. The rst two are
referred to as workplace factors. The initiating events could
be identied by methods like HAZOP and fault tree
analysis. Although HAZOP has been widely used as a
hazard identication method it has been criticised for
putting too much emphasis on hardware failure while
ignoring the operation related hazards [6]. A systematic
approach to analyse the situation that may lead to human
error is required. The approach should be able to predict
the conditions that support the occurrence of error. This
means we are shifting our attention from the error itself
and focusing at the factors that support the occurrence of
the error. One method for error analysis based on operator
actions is being developed elsewhere [21]. It is a method
that is based on task analysis.
Initiating events could be single or a combination of
events. For instance, a fault tree analysis of ammable liquid
storage tank [22], see Fig. 4, found that the following basic

Physical characteristics
Attention/motivation
Fitness for duty
Skills and knowledge

Fig. 3. Progression of an initiating event.

events contained human failure elements in them: basic event

B1: insufcient volume in tank; B2: level alarm fails or
ignored; B3: wrong material fed into tank; B4: truck tank not
sampled before unloading and B5: unloading frequency.

ARTICLE IN PRESS
1768

S.G. Kariuki, K. Lowe / Reliability Engineering and System Safety 92 (2007) 17641773

The top event major ammable release has a

frequency of 3.2  102 yr1. This value is the summation
of all minimum cut-sets. Basic events B1, B2 and B5 make
one minimum cut-set which has a frequency value of
1  102 yr1. Using FussellVesely (FV) level of importance this cut-set contribute to 94% of the top event
occurrence. The failure reduction strategies require that all
the factors that contribute to the occurrence and propagation of these human-related failures be given an in-depth
analysis. Most emphasis should be on the human factors
related to basic events B1 (Pr 1  102) and B2
(Pr 1  102). Basic event B5 (frequency 300/yr) may
not be included in the error reduction strategy because it
would be difcult to inuence the number of unloading per
year. It is dependent on operational requirements and
therefore beyond the boundaries of hazard analysis.
Each of the initiating events identied above could be as
a result of either direct operator error and/or workplace
factors. For any human-related initiating event human
error event is a function of workplace factors and operator
characteristics.

The variables in Table 2 are individual attributes

emanating from workplace and operator characteristics
that affect the initiating events identied earlier. The whole
list is shown in Table 1. The attributes will be assigned a
weight oi, which represents how each contribute towards
human error occurrence. For instance, lack of or poor
training may have a bigger weight than operator experience. Normally in process safety assessment, factors
contributing to human-related failures are not analysed
in details they deserve. Analysis starts from initiating
events that could be error of commission or omission. The
factors contributing to human error events and hence
unwanted events that need to be analysed include less than
adequate design, awed procedures, less than adequate
training, and less than adequate resources among others.
6. Implementation of the new approach
After the initiating events or hazardous conditions have
been identied, the analysts maps the results as shown in
Table 2 and this sets a starting point for analysis of human

Fig. 4. Fault tree analysis of a major spill [22].

ARTICLE IN PRESS
S.G. Kariuki, K. Lowe / Reliability Engineering and System Safety 92 (2007) 17641773

1769

Table 2
Human factors analyses chart
Basic events

Information

Organisation

Human-system
interface

Inadequate
volume in tank
to unload truck
Operator
doesnt see the
level alarm
Wrong material
in truck tank

Training,
procedures

Supervision

Displays

Training

Training, labels
and signs

Displays

Supervision

Task
environment

Workplace
design

Operator
characteristics
Skills and
knowledge

Lighting noise

Accessibility

Valve design

failure contribution to process risk. Each factor inuencing

the occurrence of human failure is identied. Fig 5
represents the procedure to identify the underlying human
factors. One initiating event is analysed at a time. Each
factor is considered to determine how much it could
inuence the initiating event. The factors identied to have
a high inuence are given rst priority, second priority
goes to moderate and low gets the last priority. The
reason for this classication is to limit the number of
attributes to a manageable level. The results in Table 2
show the attributes with the biggest inuence on the human
error events that were identied earlier.
The quality of the results depends on the knowledge of
the analyst on how each of the underlying factors could
play a role in inuencing the occurrence and propagation
of human failure. The reason for the seven categories
namely information, organisation, humansystem interface, task environment, workplace design and work design
operator characteristics is because of their different weights
on accident causation. Selecting basic event inadequate
volume in tank to unload truck, for example, the
corresponding attributes acquire the following weights:
training o1, procedures o2, supervision checks o3, displays
o4 and operator skills and knowledge o5. These weights
are going to be determined by analytical hierarchy process
(AHP).
The AHP method was developed by Saaty [23] for
solving multi-attribute decision problems. It uses a
hierarchical structure to decompose a problem into
attributes and then guide decision makers through a series
of pair-wise comparison judgements to express relative
strength of impact of the attributes in the hierarchy.
These judgements are translated into numbers. The rst
step of AHP is to identify attributes that inuence decision
or system behaviour. Structuring the problem hierarchically is guided by no specic rule and therefore allows
the user to construct own model. Next step is determining the relative inuence of each attribute on the
system performance. Saaty and Kearns [24] provided a
numerical judgement scale 19. Each attribute is judged
how important it is in dominating the other. The questions asked could take the form When comparing
different attributes, which attribute is more important (in
achieving the goal)? All identied attributes are compared

Work design

Work schedules
stafng

Physical
characteristics,
stress
Inattention

against each other in a matrix pair-wise comparison

to express the relative preference among the factors/
attributes. This is an n  n square matrix. From the
matrix of pair-wise comparison weighted eigenvectors
are added component-wise to obtain an overall unidimensional scale for priorities i.e. o1, o2, y, on [24]. The
results reect judgmental perception of the relative
importance.
Peoples feelings and preferences remain inconsistent and
intransitive and may lead to perturbations in the eigenvectors calculations. Saaty [25] provided an index to check for
consistency of the pair-wise comparisons. He dened
consistency ratio CR as the ratio of the consistency index
CI to an average consistency index RI, therefore
CR CI=RI:

(1)

The resulting CR should lie between 0pCRp0.1,

otherwise the matrix is inconsistent. The resulting RI also
known as random consistency index is obtained from large
number of simulation runs and is dependent on the order
of the matrix n. Table 3 shows RI for matrices of order
110 obtained by approximating random indices using a
sample size of 500 [26].
The consistency index can be directly calculated from the
comparison matrix:
CI

lmax  n
,
n1

(2)

where lmax is the greatest eigenvalue of the matrix of pairwise comparison and n the order of the matrix. After these
weights have been obtained, a rating of each attribute of
the system being analysed is required. These are the
performance measures of the system and they indicate the
general characteristics in terms of operability and maintainability. High operability and maintainability means
consistency of errorless task performance. The better they
are the lesser the risk.
Lets take an example of inadequate volume in tank to
unload truck. The attributes identied as critical for this
human error event are training o1, procedures o2, supervision checks o3, displays o4 and operator skills and
knowledge o5. The resulting 5  5 matrix of pair-wise
construction is shown in Table 4.

ARTICLE IN PRESS
S.G. Kariuki, K. Lowe / Reliability Engineering and System Safety 92 (2007) 17641773

1770

Fig. 5. Procedure to identify the human factors underlying human error event.

The rating is represented by r1, r2, y, rn. They are

assigned a scale 17, where 1 represents the worst and 7
represents outstanding, see Table 5.
From weights o and performance measures r, the quality
index of human factors behind each human error event is
calculated. The representation is as follows:
Human factors index:
b o1 r1 o2 r2    on rn =rmax o1 o2    on ,
,
n
n
X
X
oi ri rmax
oi ,

i1

i1

since

n
X

i1
Xn
i1

,
oi ri

rmax ,

oi 1,

where oi is the weight of each attribute and, ri the value

function (performance measure) of attribute xi.
b obtains a maximum value of 100% or 1. As the
value of b approaches maximum the better the HF
conditions in the plant or system being analysed. It will
be reasonable to assume that as b approaches the
maximum value, human reliability is increased and this

ARTICLE IN PRESS
S.G. Kariuki, K. Lowe / Reliability Engineering and System Safety 92 (2007) 17641773

means that possibility of error occurrence is minimised.

The vice versa applies.
Pivotal events illustrated in Fig. 3 include those that
prevent, control and protect the system from being
degraded by an initiating event, and mitigate the consequences. Events triggered by human failure could be
eliminated or reduced through training, better equipment
design, and better environmental working conditions
among others shown in Table 2.
For each of the initiating events, the corresponding
human factors-based protection measures are identied.
The initiating event inadequate volume in tank to unload
truck training, procedures, supervision, displays and
operator skills and knowledge as the main protection
factors. These protection measures are obtained through
analysts knowledge and judgment. The quality of these
measures dictates the integrity of the human factors to
protect against the production, propagation, and severity
of unwanted events.
Table 6 provides an example of main characteristics of
some of these factors that the analysts should consider. The
hazard analysts will look qualitatively into how effective
these protective factors are and determine if improved or
additional protection is required.
The rationale behind rating of the protective measures is
based on the process industries safety management,
PRISM, human factors guidelines as well as expert
judgment. PRISM is a just concluded European Union
project that was started with the aim of improving safety in
the European process industries through raising awareness
of, and sharing experience in, the application of human
Table 3
Values for random consistency index
Size of matrix, n

Random consistency index, RI

1
2
3
4
5
6
7
8
9
10

0
0
0.52
0.89
1.11
1.25
1.35
1.40
1.45
1.49

1771

factors approaches. In addition, the network aimed to

stimulate the development and improvement of human
factor approaches in order to address industry-relevant
problems in batch and continuous process industries. The
authors of this paper developed a guideline incorporation
of human factors in the design process [27].
The human factors inuencing the initiating event are
tabulated. These factors identied for each initiating event
at different points of analysis eventually form a standardised generic list that an analyst would use for different
types of human failures. The analyst qualies these factors
based on how well they are considered and integrated
within the plant being analysed. The analysis is based on a
seven-point Likert scale. The factors that do not meet
reference standards are given 1 while the factors that meet
all/most the standards are given 7, see Table 3. It is worth
noting that grade 7 does not imply that all the factors have
been considered with 100 per cent accuracy but indicates
that at least the most important requirements have been
met. As an example, the human factors inuencing the
initiating event inadequate volume in tank to unload
truck are illustrated in Table 7.
Although one analyst may be perfectly capable of
assigning qualifying grades to the factors under consideration, it is only prudent that the nal grading is a consensus
of several analysts. The rationale column in Table 7 is
included to give evidence on the decision to assign certain
grade to the human factors being considered. In the given
example, the rating of each human factor contributing to
the initiating event is multiplied by the predened weight.
The total weighted score is divided by maximum score
that could be obtained to calculate the degree of
compliance. The degree of compliance indicates the
strength of the human factors in preventing, controlling

Table 5
Rating of attributes
Fails to meet any standards

Outstanding
Excellent
Very good
Good, average
Below average
Poor

7
6
5
4
3
2

Meets all/most standards

Very poor

Table 4
Relative weights of factors affecting a human error event

Training
Procedures
Supervision
Displays
Skills and knowledge

Training

Procedures

Supervision

Displays

Skills and knowledge

Calculated relative weight

1
1/3
1/4
1/3
1/5

3
1
1/4
1/3
1/5

4
1
1
1
1/3

3
2
1
1
1/2

5
3
3
2
1

0.48
0.20
0.13
0.13
0.06

CR 0.009

ARTICLE IN PRESS

4.61
65

0.24

 Based on design solutions

 Covers demands arising from the task
 Hazards from process operations are

0.52

Training

Guidelines

0.65

Factors

Weighted
score, oi, ri

Table 6
Human factors inuencing insufcient volume in tank

0.80

S.G. Kariuki, K. Lowe / Reliability Engineering and System Safety 92 (2007) 17641773

2.40

1772

and active sentences

 Identies the location of task

 Right choice of wording. Use of

 Clear and consistent format. Short

Procedures

Rating, ri

covered

familiar words

0.06

0.13

0.20

0.13

Total score
% score

Skills and
knowledge

Displays

Supervision

Training
Inadequate volume in
tank to unload truck

Current condition of system being analysed

The method developed offers a structured way of

analysing human factors during PHA. It covers in details
the hazards that may be induced by human failure resulting
to systems degradation. The advantage of this methodology is that it concentrates on the factors behind the
occurrence of human failure. Giving a percentage degree of
compliance sets a target that the analyst will strive to
achieve. It is able to address these factors in details that
may be otherwise missed out during the normal brainstorming in PHA. It orders the factors inuencing the
performance of the operator in a systematic way and
therefore allows a detailed assessment to take place. Areas
that could be termed as lacking are clearly visible and
therefore the management will know where to focus more
resources on.

Human factor

7. Conclusion

Initiating event

and protecting the production and propagation of humanbased events. Each of the human-initiated events is
analysed the same way. With different events analysed, a
standardised solutions will be obtained because most of the
factors keep re-emerging at different scenarios. The
advantage of this method is that it gives the analysts a
goal that they strive to achieve. Once the factors
contributing the initiating events and/or affecting performance of pivotal events are identied, measures to reduce
accident scenario likelihood can be assessed.
A score of 65% obtained from the hypothetical example
is below average and calls for improvement on most human
factors. If a score of more than 91% were obtained, Table
8, would mean that most issues related to human factors
have been addressed and subsequently human-related
hazard has been reduced or eliminated.

Table 7
Hypothetical example showing rating of factors affecting initiating event inadequate volume in tank to unload truck

together

Procedures

be provided

 Feedback of a control operation

 Displays and controls grouped

0.48

 Displays legible from workstation

 Only most necessary information to

Operator is well trained. There is evidence of training manuals, training programs but
there is no proof of feedback after training is carried out
Procedures exist in the company but are rarely updated. They do not highlight important
modications that have been done on the system
Supervision is strong. Supervisors have to countersign all safety critical operations
including maintenance. However there lack evidence that the supervisor physically
checked the operations before countersigning
Display guage is well designed but they lack basic HF considerations. The scale markers
have unusual progression 3, 7, 9,y
Operators are trained but there are some cases where they do not understand some very
safety critical operations

Display and control design

Weight, oi

 Complete, accurate and available

ARTICLE IN PRESS
S.G. Kariuki, K. Lowe / Reliability Engineering and System Safety 92 (2007) 17641773
Table 8
Overall qualication of inuencing factors
Percentage score

Description of HF defences

91% or more
7690%
6675%
4665%
45% or less

Excellent
Above average
Good, average
Below average
Poor

The PRISM guidelines used to give qualifying grades

have already been validated in an operating set-up. It
means therefore that HF analysis could be done without
necessarily involving a HF expert. AHP is a powerful
technique which is easy to master. It is very useful in
presenting interdependent factors and therefore very useful
for this work.
This work is a part of a research project whose objective
is to integrate human factors into process risk analysis. It
transforms qualitative analysis into quantitative analysis.
We have undertaken a survey in the chemical process to
help to quantify factors that affect human performance.
References
[1] Joschek HI. Risk assessment in the chemical industry. In: Proceeding
of the international topical meeting on probabilistic risk assessment.
New York: American Nuclear Society; 1981.
[2] Bea RG. Human and organizational factors in safety of engineered
systems. In: Conference proceedings for American Society of Safety
Engineers Region III and Texas Safety Association. Texas, 1998.
[3] Lowe K, Kariuki SG. Berucksichtigung des Menschen beim Design
verfahrenstechnischer Anlagen. In: 5. Berliner Werkstatt MenschMaschine-Systeme, Fortschritt-Berichte, vol. 22(16). Berlin, 2004a.
p. 88103.
[4] ISO website: /www.iso.chS.
[5] Vuuren W van. The development of an incident analysis tool for the
medical eld. Report EUT/BDK/85. Eindhoven: Eindhoven University of Technology; 1997.
[6] Centre for Chemical Process Safety (CCPS). Guidelines for preventing human error in process safety. USA, New York: AICHE; 1994.
[7] Reason J. Human error. Cambridge, UK: Cambridge University
Press; 1990.
[8] Reason J. Managing the risks of organizational accidents. Aldershot,
UK: Ashgate Publishing; 2001.

1773

[9] Swain AD, Guttman HE. Handbook of human reliability

with emphasis on nuclear power plants applications, Sandia
National Labs/NUREG CR-1278. Washington, DC, USA: NUREG;
1983.
[10] Embrey DE, Humphreys PC, Rosa EA, Kirwan B, Rea K. SLIMMAUD: an approach to assessing human error probabilities using
structured expert judgement, NUREG/CR-3518. Washington, DC,
USA: NUREG; 1984.
[11] Hollnagel E. CREAMcognitive reliability and error analysis
method. Oxford, UK: Elsevier Science; 1998.
[12] Nuclear Regulatory Commission (NRC) technical basis and implementation guidelines for a technique for human event analysis.
ATHEANA, NUREG-1624, Rev. 1. Rockville, MD, USA: NRC;
2000.
[13] Jung W-D. An empirical evaluation on the limitations of conventional hra and requirements for an advanced methodology. Daejon,
Korea: Korean Atomic Energy Research Institute; 2001.
[14] Dougherty EM. Human reliability analysiswhere shouldst thou
turn? Reliab Eng Syst Saf 1990;29:28399.
[15] Hirschberg H, Dang VN. Critical operator actions and data
issues. Task report by principal working group 5, OECD/NEA,
1996.
[16] Nuclear Regulatory Commission (NRC) evaluation of human
reliability analysis methods against good practices (NUREG-1842).
Washington DC, USA: NRC; 2006.
[17] Turner BA. Man-made disasters. London, UK: Wykeham; 1978.
[18] American Petroleum Institute (API) tool for incorporating human
factors during process hazard analysis (PHA): reviews of plant
designs. Washington, DC, USA: API; 2004.
[19] Health and Safety Executive (HSE). Reducing error and inuencing
behaviour. Great Britain: HSE Books; 1999.
[20] Lowe K, Kariuki SG. Methods for incorporating human
factors during design phase. In: Proceeding of loss prevention
and safety promotion in the process industries. Prague, 2004b,
p. 520515.
[21] Dalijono T, Lowe K, Loher J-H. Development and verication of a
new approach for operator action analysis. Process Saf Environ Prot
2005;83(B4):3317.
[22] Ozog H. Hazard identication, analysis and control. Chem Eng J
1985:16170.
[23] Saaty TL. The analytic hierarchy process. New York, USA:
McGraw-Hill; 1980.
[24] Saaty TL, Kearns KP. Analytic planning: the organization of
systems. USA: Pergamon Press; 1985.
[25] Saaty TL. A scaling method for priorities in hierarchical structures.
J Math Psychol 1977;3:23481.
[26] Saaty TL. Fundamentals of decision making and priority theory with
the analytic hierarchy process. USA: RWS Publications; 2000.
[27] PRISM: Homepage of the EU-project PRISM: /www.
prism-network.orgS.