DP systems' tolerance to human error: an international collaboration
Article published in the Regulator | Issue 4: 2017
Since 2016, NOPSEMA has raised concerns about dynamic positioning (DP) systems with the offshore petroleum industry. Our concern is that DP systems’ auto-position modes are susceptible to inadvertent deactivation. This concern originated from a loss-of-position incident in June 2016. It is not an isolated event; NOPSEMA is now aware of 16 similar incidents internationally. All of these had the potential to result in a major accident event.
Examples of loss-of-position incidents
In the Australian incident, the operator of a vessel’s DP system placed a notepad on the console which pressed down on the ‘surge’ button twice, unintentionally deactivating the auto-position mode. With the crew unaware, the vessel drifted off-location while a diver was working on the seabed. The diver alerted vessel personnel, as he followed his umbilical and walked with the drifting vessel, avoiding obstacles along the way. Fortunately, the diver was unharmed, but if the umbilical had snagged on subsea infrastructure, the diver could have died. A subsequent inspection by NOPSEMA determined that the incident was the result of human error made possible by a weakness in the design of the DP system (see Safety alert 62, available at www.nopsema.gov.au/safety/safety-alerts).
In the United States, a drill ship in the Gulf of Mexico unintentionally drifted off position while dealing with a well kick. The US Coast Guard Outer Continental Shelf National Centre of Expertise (OCSNCE) stated that the DP operator inadvertently deactivated the auto-position mode by accidentally double-pressing the manual button while reaching across the console. Upon realising the mistake, the operator re-engaged the auto-positioning to bring the ship back into position. The US Coast Guard OCSNCE stated the incident was the result of ‘human error with a mix of ergonomics’.
In the United Kingdom, a semi-submersible drilling rig lost control of its position for several minutes due to an accidental disengagement of the DP system while drilling. Although the loss of position was immediately noticed by personnel, it took them six minutes to realise that the auto-positioning system had been disengaged. In response to the emergency, the drill pipe was sheared and the lower marine riser package was disconnected. The UK Health and Safety Executive attributed both the loss of position and inadequate crew response to the ‘poor ergonomic design of the control system’.
If further control measures had failed in either the United States or United Kingdom incidents, a well blowout could have occurred, potentially resulting in multiple fatalities and a significant environmental incident.
What the industry should consider
Centralised control systems need to be resilient against human error. A single, inadvertent act by an operator should not lead to an emergency with a high probability of fatalities. Control systems should also provide adequate feedback to operators to allow them to promptly identify the issue and take appropriate action.
Facility operators are reminded to check their systems to ensure they are not susceptible to this type of designinduced human error. They should also ensure that suitable controls are in place to prevent, identify and adequately recover from the error. Operators should talk to DP manufacturers about having more robust controls in the design of their DP systems. For example, tactile differentiation (error prevention) of safety-critical switches, action confirmation dialogue boxes, provision of a high-visibility display (error identification and recovery) and audible alarms or warnings. Other industries, such as aviation, may have systems that could provide solutions (e.g. aircraft auto-pilot controls).
DP manufacturers are encouraged to review the built-in safeguards of their systems to ensure they provide sufficient protection, feedback and recovery against this type of design-induced operator error, noting that the three incidents above all had a double-press requirement for deactivating the auto-position mode.
What is the IRF doing?
In October 2017, at the International Regulators Forum (IRF) AGM in Denmark, NOPSEMA presented the latest information on the risks posed by design-induced human error in DP systems.
The presentation, relying on publicly available information, showed that the frequency of unintended and undetected DP system deactivation is significantly greater when viewed from an international perspective. The risk of death or other major accident event is also greater. NOPSEMA’s presentation showed that measures to reduce risks are available, but these are not necessarily widely known or adopted. As a result, these risks are not being reduced to ALARP.
At the AGM, the IRF endorsed the need to maintain focus on this issue and to share information about risk areas. NOPSEMA agreed to write to DP system suppliers and industry bodies to inform them of the outcomes of the AGM and IRF member countries agreed to take action appropriate to their regulatory regimes.
NOPSEMA has also delivered the presentation at industry conferences in Asia and the United States, and written to DP system suppliers to make them aware of this work. We have requested their responses as to how they are addressing this issue.