Dynamic position control systems must be tolerant to human error
Article published in the Regulator | Issue 1: 2017
In June 2016, NOPSEMA issued a Safety Alert to bring to industry’s attention the necessity for control systems to be tolerant to human error. The alert followed an incident where a vessel facility drifted off location as a result of human error while a diver was working on the seabed. This was not an isolated incident in Australia: NOPSEMA is now aware of two recent similar ‘loss of position’ incidents internationally. Each of these incidents had the potential to result in a major accident event.
In Australia, the operator of the vessel’s dynamic positioning (DP) system placed a notepad on the console which pressed down on the ‘surge’ button twice and unintentionally deactivated the auto-position mode. With the auto-position mode deactivated and the vessel crew unaware, the vessel drifted off location while a diver was working on the seabed. The diver alerted vessel personnel as he followed his umbilical and walked with the drifting vessel, making sure to clear any obstacles on the way. The diver was unharmed but could have been killed if the umbilical had snagged on subsea infrastructure. A subsequent inspection by NOPSEMA determined the incident was the result of human error made possible by a weakness in the design of the DP system (see Safety Alert #62).
In the US, a drill ship in the Gulf of Mexico unintentionally drifted off position while circulating drilling mud following detection of a well kick. The US Coast Guard OCSNCE (Outer Continental Shelf National Centre of Expertise) stated that the DP operator inadvertently deactivated the auto-position mode by accidentally double-pressing the manual button while reaching across the console. Upon realising the mistake, the operator re-engaged the auto-positioning to bring the ship back into position. The US Coast Guard OCSNCE stated the incident was the result of ‘human errors with a mix of ergonomics’.
In the UK, a semisubmersible drilling rig lost control of position for several minutes due to an accidental disengagement of the DP system while drilling. Although the loss of position was immediately noticed by personnel, it took them six minutes to realise the auto-positioning system had been disengaged. In response to the emergency, the drill pipe was sheared and the lower marine riser package disconnected. The UK Health and Safety Executive (HSE) attributed both the loss of position and inadequate initial crew response to the ‘poor ergonomic design of the control system’.
It is important to note that if further control measures had failed in either the US or UK incidents, it could have led to a blow-out of the well, potentially resulting in multiple fatalities and a significant environmental incident.
What industry should consider
Centralised control systems need to be resilient against human error. No single inadvertent act by an operator should lead to an emergency response situation where there is a high probability of fatalities. Control systems should also provide adequate feedback to operators to allow them to identify the issue promptly and take appropriate recovery action. Facility operators are reminded to check their systems to ensure they are not susceptible to this design-induced human error and ensure that suitable controls are in place to prevent, identify and adequately recover from this type of error. Operators should consider discussing with DP manufacturers more robust controls in the design of their DP systems, for example tactile differentiation (error prevention) of safety-critical switches, action confirmation dialogue boxes, provision of a high-visibility display (error identification and recovery) and audible alarms/warnings. Other industries may have systems that could provide solutions, e.g. aircraft auto-pilot controls.
Facility operators have a duty of care to take all reasonably practicable steps to ensure equipment at the facility is safe and without risk to health (Clause 9, Schedule 3 to the OPGGS Act).
DP manufacturers are encouraged to review the built-in safeguards of their systems to ensure they provide sufficient protection, feedback and recovery against this type of design-induced operator error, noting that all three incidents had a double-press requirement for deactivation of the safety-critical auto-position mode.
Manufacturers of plant, including control systems, must take reasonably practicable steps to ensure that the plant and equipment is so designed and constructed as to be, when properly used, safe and without risk to health and safety (Clause 12, Schedule 3 to the OPGGS Act).
What NOPSEMA will do
During future planned inspections of DP facilities, NOPSEMA’s inspectors will continue to check control measures for DP systems. If sufficient protection against this foreseeable human error is not in place, then NOPSEMA will consider taking further action in accordance with NOPSEMA’s graduated approach to enforcement.