“Fear is often our immediate response to uncertainty.”  — Gabrielle Bernstein

In 2001, when the CCPS book, Layer of Protection Analysis: Simplified Process Risk Assessment, “the purple book”, stated that human response is “a relatively weak protection layer” and “less reliable than engineering controls”, many people were willing to accept that piece of conventional wisdom. Some have gone so far as to say that no credit should be taken for human response during LOPA. Human response is all there is in many situations, however, so many welcome the book’s follow-up assertion, that “not crediting human actions under well-defined conditions is too conservative”.

The question then becomes one of how much credit to take for human response. People performing risk assessments, especially those performing LOPA, want rules.

Published Tables

There are tables that are often cited in various LOPA procedures. Table 6.5 in the purple book, “Examples of Human Action IPLs”, suggests a probability of failure on demand (PFD) of 0.1 for human action.  This is for human action with 10 minutes response time, for human response to BPCS indication or alarm with 40 minutes response time, and for human action with 40 minutes response time. So, a PFD of 0.1 for human action when the response time is 10 minutes? Or 40 minutes? Less than? Or more than?

The CCPS Guidelines for Initiating Events and Independent Protection Layers in Layer of Protection Analysis (2015) offers more detail. In Data Table 5.46, “Human response to an abnormal condition”, the recommendation is a PFD of 0.1, when there is “sufficient time available to respond.”

Then, in Data Table 5.47, “Human response to an abnormal condition with…>24 hours to accomplish the required response action”, the CCPS Guidelines offers a lower PFD of 0.01 when the time to respond is less than “it takes for [the] event to become unavoidable” and there is at least 24 hours for the response.

How Much Time Do You Have?

Most policies that we see in regard to LOPA address human action by defining the amount of credit to take based on response time. A 10-minute response time gets a PFD of 0.1. A 24-hour response time gets a PFD of 0.01. The policies never talk about how much time there is available to respond.

This is the process safety time, Tprocess safety.

The process safety time is the time from the onset of a problem until the time that the problem manifests as a hazardous event. Before a LOPA team can consider any human response as an independent layer of protection, the LOPA team must first determine the Tprocess safety. Only then will it have a basis for determining whether there is sufficient time to respond.

At a maximum, the response time, Tresponse, must be less than the process safety time.

How Much Time Do You Need?

Once the LOPA team has determined the process safety time, it must determine the process response time before it can estimate the PFD of the human response.

The response time is the sum of the time to detect the onset of the problem, the time to decide what the response should be, the time to act or execute the response, and the time for the response to take effect.

Tresponse = Tdetect + Tdecide + Tact + Ttake effect

Tdetect: The team should explicitly describe how the onset of the problem will be detected and how long it will take to detect the onset of the problem. When the team is unable to explicitly describe how the onset of the problem will be detected, no credit should be taken for the human response as an IPL.

Tdecide: The team should explicitly describe how the decision will be made on the appropriate response to the problem. When the decision requires troubleshooting to determine appropriate action, it will take more time to decide than when the decision is based on a drilled and practiced response based on a written procedure with “never exceed, never deviate responses.” When the team is unable to explicitly describe how the decision to act will be made, no credit should be taken for the human response as an IPL.

Tact: The team should explicitly describe the action or actions that will be required in response to the problem. When there is a range of possible responses, the action requiring the longest time should be considered when evaluating the human response as an IPL. When the team is unable to explicitly describe the required response or responses, no credit should be taken for the human response as an IPL.

Ttake effect: The team should estimate the time it will take for the response to take effect. In many cases, this will be a negligible contribution to the total response time.

Out of the Blocks

Many LOPA teams are overly optimistic when estimating how much time it takes to respond to an abnormal condition.

The current world record for running the mile is 3:43.13, set by Hicham El Guerrouj on July 7, 1999. The women’s record is 4:12.33, set by Sifan Hassan on July 12, 2019. A normal walking speed, on the other hand, is 3 mph, or 20 minutes per mile. Which would be more appropriate for estimating the time to travel a mile on foot in response to an abnormal condition?

Photo credit:  Erik van Leeuwen CC BY_SA 4.0

A response to an abnormal condition rarely, if ever, starts out of the blocks. Operators are not queued up, ready to take on an emergency. Which means that while it may be possible to get something done in 4 minutes, there needs to be buffer time to handle the fear and uncertainty that comes with an emergency.

Buffer Time

The probability of failure depends on buffer time, Tbuffer: how much less the response time is than the process safety time. When response time is exactly equal to process safety time and buffer time is zero, the probability of failure approaches 100%.

Tbuffer = Tprocess safety – Tresponse

One approach to buffer time is to treat the “response time” mentioned in the tables from the CCPS books as buffer time. That is how we have done it in the past. A human response with a buffer time of 10 minutes has a PFD of 0.1. Based on data that has been published, we have argued that a human response with a buffer time of 40 minutes has a PFD of 0.01.

Increasingly, though, it seems that while buffer time is the difference between process safety time and response time, the PFD is not dependent on the absolute value of that time. Instead, the PFD is dependent on buffer time as a fraction of process safety time.

A Different Approach to Human Response

With that in mind, we would like to suggest a new table, based on buffer time as a fraction of process safety time:

Buffer Time

Comments

PFD

RRF

≤ 0.5 Tprocess safety

When the buffer time is half or less of the process safety time (the response time is more than half of the process safety time), the LOPA team should assume that the response will fail. This is true whether the process safety time is 1 sec (closing a drain valve upon inadvertently opening it) or 1 day (responding to reaction that is slowly going out of control).

1 x 100

1

> 0.5 Tprocess safety

When the buffer time is greater than half the process safety time (the response time is half or less of the process safety time), the LOPA team may assume that the response will succeed 90% of the time, again, regardless of the process safety time.

1 x 10-1

10

> 0.9 Tprocess safety

When the buffer time is greater than 90% of the process safety time (the response time is only 10% or less of the process safety time), the LOPA team may assume that the response will succeed 99% of the time.

1 x 10-2

100

 

In no case should a human response be considered more reliable than the components comprising it. For instance, if the human response is to an alarm in the BPCS, the greatest RRF for the human response is 10, the maximum RRF for a BPCS.

We welcome comments.