Vol. 46, No. 3 • May-June 2010
In the Spotlight
Enhancing Human Reliability of System Operators through Checks


The safety of complex, hazardous systems, such as chemical plants, nuclear power plants and transport systems, is dependent to a large extent on the reliability with which teams of human operators make appropriate decisions and carry out necessary actions during operations, maintenance and other activities [Refs. 1-4]. The minimization of operator errors is therefore an important system safety objective. While preventive approaches (reduction of error probability and associated consequences) have predominated to date, an important alternative is the support of recovery from errors.

An opportunity to recover errors is presented when one operator (often a supervisor) checks the work of another. Researchers and practitioners have given little attention to the nature of such checks and their systematic support through system design. Therefore, the principal objectives of this paper are to:
  • Provide a characterization of checks (their basic nature and safety significance)
  • Present a model of the checking process, detailing the steps in the process, along with local workplace and organizational factors that influence the reliability of the steps
  • Use the model of the checking process to a) highlight the vulnerability to failure of checks under typical conditions, b) evaluate their role in design for safety, c) provide guidance on system design approaches to promote effective checking (this is required, since the potential for operator errors frequently cannot be eliminated and checks, despite their limitations, are often an appropriate means for promoting error recovery) and d) comment on reliability claims for checks included in system safety assessments.
In this paper, examples of checks from different settings are given. However, most of the discussion is generic, or domain independent, because the underlying issues are relevant to many different industries and systems.

Checks and their Significance

The checks of interest in this paper have the following characteristics:
  • The work of one operator is checked by another
  • The checks are required by a procedure or by standard operational practice
  • The checks take place during normal operation, maintenance and other routine activities. As noted in Ref. 5, team dynamics during normal and emergency operation are different, and checks in emergencies are not considered here
  • The checks are carried out as work is taking place, or soon after the work is completed (within a critical time interval, which in practice can be interpreted as any time up to the end of the shift in which the work was performed). An important feature of such checks is that the person who carried out the work is usually known to the checker, or at least, the checker knows the technical level of the worker. The result is that psychological aspects of directly checking someone else's work come into play, which can strongly influence the effectiveness of a check.
The following are examples of checks in complex hazardous systems:
  • A technician working on a railway system completes a wiring task and the work is visually inspected by a supervisor to ensure that it has been completed satisfactorily
  • Workers in a chemical plant are required to complete preparations before they can carry out maintenance safely. A maintenance supervisor checks that such preparations have been carried out before the work begins
  • A supervisor carries out an "over the shoulder" check of an operation carried out by a worker at an assembly plant
  • Physicians, pharmacists and nurses in a hospital carry out checks of each other's work in the process of prescribing, dispensing and administering drugs. For example, a nurse may check that a drug has been accurately dispensed by a pharmacist
From these examples, it can be seen that checking is part of the normal duties of many different people with a variety of roles and job titles within complex systems. The term "checker" is used in this paper to refer to individuals, such as those highlighted in the examples above, who fulfill a checking function as part of their work. Checks are commonly carried out by supervisors when monitoring the work of subordinates. However, subordinates can also check the work of their superiors, and people in different work areas can check each other's work.

The safety significance of checks is illustrated by an incident and an accident, in both of which unsuccessful checks contributed to the failure. In the first example [Ref. 6], a tank contained a liquid that could be discharged only when a particular concentration was below a certain value. The liquid was tested, but the concentration, which was too high, was misread. The supervisor (the checker) assumed that the tester was competent and did not notice the incorrect reading, also misreading the value. The tank was therefore discharged under inappropriate conditions. A second example is provided by events preceding a major accident on the U.K. railways [Ref. 7]. An electrician did not carry out a wiring task satisfactorily. A supervisor should have identified the shortfall through checks, but failed to do so. The electrician's error and the supervisor's failure to carry out appropriate checks contributed to a collision that resulted in 35 deaths and many injuries.

Model of the Checking Process

Presented below is a sequential model of the checking process, which encompasses the steps in the checking process, as well as local and organizational factors that influence the reliability of the steps. The model uses generic terms and is applicable across different industries, systems and roles.

A typical checking process contains the following steps:
  • Initiation of check
  • Error detected by checker
  • Error indicated to operator
  • Error explained (identification of what has gone wrong)
  • Error corrected
Depending on the specific check concerned, the precise sequence of events that take place from initiation of a check to correction of an error can vary. An important variation occurs when error explanation is simultaneous with error detection; for example, when a supervisor directly observes an incorrect action at the time it is carried out by an operator.

The reliability of each of the steps in the checking process is influenced by a range of local and organizational factors (see Table 1). To illustrate, the likelihood of error detection is influenced by the level of visibility of an error, which can be increased by the presence of alerting factors that highlight an error's consequences.

A human interaction with a system passes through the three stages of planning, execution and outcome. In general, an error can occur and be recovered at any of these stages [Ref. 8].
