Human Factors in Process Safety: Design Work for Real People
Reduce process-safety error by improving task design, procedures, staffing, controls, handovers, and the conditions in which people make decisions.
Human Factors in Process Safety: Design Work for Real People
An operator receives a high-level alarm during a difficult startup. The alarm banner contains six active alarms, two standing nuisance alarms, and one tag that uses a different name from the procedure. The operator chooses the wrong response.
Calling that event "operator error" explains little. The useful questions concern the conditions around the decision: alarm design, procedure quality, workload, training, interface labels, staffing, supervision, and time pressure.
Human factors in process safety examines how people interact with equipment, information, tasks, and organisations. The aim is to design work so that the safe action remains clear and achievable when conditions become difficult.
Error is an outcome, not a root cause
Incident reports often stop at phrases such as:
- the operator failed to follow procedure;
- the technician did not identify the hazard;
- the supervisor did not check the isolation;
- the team lost situational awareness.
Each statement names the final action. Investigators still need to ask why the action made sense to the person at that moment.
Check for: - instructions that conflict with the equipment or other procedures;
- labels and displays that use inconsistent terms;
- alarms that arrive too late or in large floods;
- controls that look alike or operate in opposite directions;
- staffing that leaves one person handling competing tasks;
- shift handovers that omit temporary equipment states;
- production pressure that makes shortcuts normal;
- training that covers routine work but not abnormal conditions.
This approach does not remove personal responsibility. It gives managers and engineers more control options than telling people to "be careful".
Identify safety-critical tasks
A safety-critical task is a task where human performance can initiate, prevent, detect, control, or mitigate a major incident.
Examples include:
- lining up a unit before startup;
- transferring a flammable or toxic material;
- isolating equipment for maintenance;
- responding to a high-high level or loss-of-cooling alarm;
- bypassing and restoring an interlock;
- sampling a hazardous process;
- issuing and accepting a permit to work;
- handing over an abnormal plant condition.
Use the HAZOP, BowTie, incident history, operating procedures, and maintenance plan to identify these tasks. Then observe people performing them in the field. The written method and real method often differ.
The Energy Institute's guidance on safety-critical task analysis provides a structured route for identifying error opportunities and strengthening task controls.
Analyse the task, not the worker
Break the task into steps and review each step against six questions:
| Area | Review question |
|---|---|
| Information | Can the person find and understand the required information? |
| Controls | Can they identify and operate the correct control? |
| Feedback | Does the plant show that the action had the intended result? |
| Time | Is there enough time to diagnose and act? |
| Coordination | Do roles, communication, and handovers prevent gaps? |
| Recovery | Can the person detect and correct an error before consequences escalate? |
| Pay attention to rare tasks. Operators may perform an emergency shutdown or manual trip response only during a drill or real upset. Frequency does not indicate importance. |
Procedures need field testing
A technically correct procedure can still fail in use. Test it with the people who perform the work.
Good procedures:
- use the same equipment names and tag numbers as the field;
- place warnings before the hazardous action;
- state operating limits and the response to deviations;
- separate expected indications from required actions;
- include hold points, independent checks, and communication steps;
- fit the conditions in which people will read them, including PPE, lighting, noise, and screen size.
Do not make every action a long checklist. Add checks where omission or sequence error can defeat a safeguard.
Design alarms for decisions
An alarm should require a timely operator response. If no response is needed, the signal may belong in a status display or event log.
Review:
- alarm priority and consequence;
- clear tag descriptions;
- set points and available response time;
- alarm floods during startup, shutdown, and trips;
- standing and suppressed alarms;
- required response in the operating procedure;
- training for combined or escalating alarms.
A high alarm count can hide the one signal that tells the operator to prevent loss of containment.
Manage fatigue, workload, and staffing
Fatigue affects attention, memory, reaction time, and judgement. Workload can become too high during abnormal operations and too low during stable periods, when vigilance drops.
Assess:
- shift length and overtime;
- night work and rotation patterns;
- travel and call-out demands;
- simultaneous maintenance and startup tasks;
- minimum staffing for field checks and control-room response;
- competence mix on each shift;
- recovery time after demanding events.
Organisational changes that alter these conditions belong in the Management of Change process.
Strengthen handovers and permits
Shift handover should cover plant status, inhibited safeguards, temporary changes, open permits, isolations, abnormal readings, outstanding actions, and work that can affect another team.
The outgoing and incoming staff should review critical equipment in the field when the risk warrants it. A logbook entry alone may not convey a complex temporary line-up.
Permit-to-work systems also rely on human performance. Our permit-to-work guide covers role clarity, task-specific controls, coordination, and closure.
Use workers as design partners
Operators and maintainers know where tools do not fit, labels cannot be read, procedures conflict, and alarms create noise. Involve them during design, HAZOP, procedure review, incident investigation, and PSSR.
This supports the worker-participation principles discussed in our MHI risk assessment guide and improves the quality of technical decisions.
Measure conditions, not blame
Useful indicators include:
- overdue safety-critical procedure reviews;
- alarm floods and standing alarms;
- safety-critical tasks without analysis;
- handover quality findings;
- fatigue-rule exceedances;
- repeated permit or isolation deviations;
- actions raised and closed by frontline teams.
A falling injury rate does not prove that major-incident controls can withstand a difficult startup or maintenance error.
MMRisk can integrate human factors into HAZOPs, BowTie reviews, procedures, training, and process-safety audits. Contact MMRisk when a critical task depends on perfect human performance.
Related resources
- Process safety culture
- HAZOP nodes and design intent
- Worker participation in MHI risk assessments
- BowTie analysis and barrier health