CORDIS - EU research results

Total Operation management for Safety Critical Activities

Final Report Summary - TOSCA (Total Operation management for Safety Critical Activities)

Executive Summary:
The Total Operations Management for Safety Critical Activities (TOSCA) project is a European project funded within the context of the 7th Framework Programme and aimed at developing an innovative approach able to integrate and enhance safety, quality and productivity.
The scope of TOSCA is to establish an economically suitable framework in which the most innovative tools and techniques (advanced 3D software, virtual reality, innovative theoretical models, updated information exchange protocols, etc.) are operated together in order to take advantage of the possible synergies in processing standards requirements, fulfilling regulations, improving safety and enhancing productivity.
The TOSCA T-model (Figure 1) has been developed to illustrate the TOSCA approach to Total Safety Management. This model is based around a central ‘Common Operational Picture’ (COP) that holds information regarding the operational system, and is used to support risk assessment and safety management. The information held in the COP may be represented in different ways but should be accessible to all stakeholders involved in a project or operation in order to analyse and communicate risk, and to support training and procedure design.
Two loops are connected to the COP, the design loop and the operational loop. Both feed information to and use information from the COP. The design loop considers both physical plant design as well as the design of critical tasks and activities for workers. Formal risk assessment techniques, dynamic risk modelling, and rapid prototyping are methods used to support design risk assessments. Critical activities cover change management and the provision of appropriate procedures and training to workers. The operational loop focuses on the monitoring and management of risk during the operational phase, in particular in terms of safety performance indicators (SPIs), training during operations, and communications.
Common Operational Picture: The Common Operational Picture is the information and knowledge about the operational system used to support risk assessment and safety management. It may be represented in different ways but should be accessible to all stakeholders involved in a project in order to analyse and communicate risk, and to support training and procedure design. The development of the TOSCA COP has focused on understanding the current state of the art in tools and methods used to represent the system being analysed, the tools used for risk assessment, and the form the risk registry, where present, may take. This work highlighted which of the above aspects safety critical organizations may need to improve, and the relevant needs have been reflected in the development of the new TOSCA system.
TSM for Design: This section is seeking to understand how risk is assessed at the design stage, specifically through formal risk assessment techniques, dynamic risk modelling techniques, and rapid prototyping. Dynamic risk modelling involves the development of a model of risk to calculate risk levels, compute performance indicators, and perform sensitivity analysis of risk mitigation measures. Rapid prototyping involves the creation of a representation (physical or virtual) of a system or component for evaluation purposes. The scope is to understand how organisations may need to improve risk assessment at the design stage.
TSM for Critical Activities: The critical tasks considered are the phase of a project when major changes may be introduced to an organisation, and this section seeks to understand how such changes are managed in order to reduce risk. Some organisations may have a formal protocol to follow for managing change, while others may simply use existing channels of communication and/or training. In the deliverable, an attempt was made to understand how organisations manage safety in defining and designing critical tasks and what their future needs are for improvement in this area.
TSM for Operations: This section focuses on monitoring and management of risk during the operational phase. What is needed is a clearer understanding of how risks are currently monitored, for example through incident reporting or safety performance indicators (SPIs), how training is used to manage risk in the operational phase, and how changes are communicated outside of major projects/commissioning. The scope is also to understand how to address the future needs of organizations in these areas effectively.

Project Context and Objectives:
TOSCA (Total Operations Management for Safety Critical Activities) is concerned with the integration of industrial operations into a total performance management system. Within TOSCA, safety, quality and productivity are addressed in an integrated way during the lifecycle of projects or products. TOSCA’s industrial domain of application concerns process control industries (e.g. chemical industries, power generation, offshore oil & gas platforms, etc.) that may vary in size, regulatory and cultural aspects. TOSCA examines vulnerabilities of the technical, human and organizational processes that may have an impact on safety, quality and productivity.

Only a few attempts at multi-level analysis have been found in the research literature (e.g. IRISK, ARAMIS) and in industry best practices (Chemical Industries Association 2008) that examine system safety in ways that integrate risk at the individual, group and organizational levels. To improve companies’ safety performance it is necessary to develop methods and tools to cope with the complexity of risk generation and event propagation. In addition, the management of safety needs to be integrated into the activity workflow of operations management, if safe outcomes are to be assured.
The requirements for safety management in existing and upcoming standards and regulations (for example Seveso III directive, ISO 31000, OHSAS 18001, the Risk Governance Framework for Nanotechnology) call for a proactive strategic approach, demonstrating a capacity to anticipate risks and keep safety at the center of changes driven by commercial competition. This is particularly true in process control industries where prevention and mitigation are the only ways forward and where the complexity of organizations requires a ‘system of systems’ perspective. However, industrial organizations find it increasingly difficult to integrate their diverse functional units within a system of total operations management. They lack a good way to assess, monitor and improve in practical terms the safety, resilience and flexibility throughout the lifecycles of products or services.

The objective of TOSCA is to deliver a “ready to apply” integrated methodology that comprises a modelling approach, an integrated set of methods and supporting IT tools for total performance management in all phases of design, operation, maintenance activities that are carried out by plant personnel or sub-contractors. This has been done in accordance with ISO 31000 and its transferability across different domains and organizational sizes has been demonstrated through a set of 13 test beds.
The test beds required that safety-related activities were supported in all aspects of planning, organizing, implementation and re-evaluation to achieve specific goals and sustain safety within the TOSCA framework. These aspects of safety project management have been applied to high-level managerial activities as well as lower level operations with the use of compatible business process management tools, risk assessment tools, and knowledge management tools (e.g. simulation facilities, workshops, interviews). Although TOSCA’s focus was on safety-critical activities (e.g. start-up operations, process transients, changes of product specifications, inspection & maintenance operations, and emergency response, etc.), the proposed solution proved capable of recording and analyzing ‘everyday’ safety problems and occupational safety issues.
In more detail, the general objectives of TOSCA are:
• Deliver a methodology and a set of toolsets to manage safety-critical activities through the phases of Operations, Safety and Quality Management; in this way, safety, quality and productivity are integrated into a total performance management system.
• Incorporate innovative “knowledge management” methodologies to generate, store and update risk-related data from various sources (e.g. plant procedures and drawings, safety warnings, near miss reports, operator practices on the job, and authority requirements). In this sense, knowledge from safety practitioners and operators is integrated with formal knowledge of how a target system works.
• Incorporate advanced concepts and techniques for modelling the role of human and organizational factors in risk analysis with emphasis on resilience and capabilities for timely detection, communication, reporting and recovery of variations and disruptions.
• Utilise emerging technologies to enhance the gathering, modelling and management of risk-relevant data (e.g. virtual and augmented reality, computer aided design, information systems and enterprise resource planning).
• Provide facilities for learning and updating the risk reduction tools to enable adaptation to new changes in the organizational environment. This is related to several aspects of organizational learning and interactive design of systems.

The work program has been organized into six main work packages (plus a work package dedicated to project management), following the phases of a Plan-Do-Check-Act cycle. All the work packages were completed in the first half of the project’s available time and then reiterated in the remaining 18 months to demonstrate transferability and allow a complete cycle for improvement and finalization purposes.

Definition of Requirements and application of relevant recommendations: Identification of end user needs and best practices with respect to the effective implementation of Total Safety, Quality and Operations management for SMEs according to ISO 31000 was carried out during the first period of the project; recommendations and suggestions from this analysis have been implemented throughout the whole project. Particular emphasis has been put on the modularization of the TOSCA solution so that potential customers (SMEs in particular) can achieve a relevant cost saving by selecting only those modules of the TOSCA toolbox that match their needs and field of application.

Demonstration and validation of tool with case studies: A total of 11 working cases have been performed and finalized as case studies to support the actual development and implementation of the TOSCA methodology at different levels of application. The selection and definition of working cases was carried out during the first period of the project. The objective of the second period was to demonstrate the transferability of the proposed solution through the implementation of the methods and tool in different fields of application. Moreover, a continuous stream of information has been provided and assured from the demonstration activities to the methodological and IT development work packages (and vice versa) to allow for continuous development.

Development of TOSCA methodology: Development of the first draft of the TOSCA methodology and its application to the first working cases was carried out during the first period of the project. The objective of the second period for this specific work package was the tailoring and fine-tuning of the methodology in line with the highlights and observations obtained from the transferability study on the working cases.

Development and integration of TOSCA tools: As with the TOSCA methodology development, TOSCA tools were defined and structured in the first 18 months of the project. The objective of the second period was to improve the usability and reliability of the tools, and to implement all the suggestions and recommendations arising from the transferability exercise and the modularization requirement.

Evaluation and Standardization: This work package had two aims: (i) to deliver feedback, useful for refining and improving the project outcome, during the project lifecycle, and (ii) to provide evidence about the fitness for purpose of the TOSCA approach at the end of the project. The TOSCA approach has been finalized for impact on standardization and end user practices, developing continuous training to disseminate TOSCA to SMEs, based on feedback obtained from the evaluation seminars and workshops.

Impact, training and dissemination: This work package reviewed how the TOSCA model addresses industry needs, including how SMEs can take up norms and standards in their daily life. It further defined and implemented an integrated strategy for impact and dissemination. This captured the project outputs and detailed how to communicate and exploit them within target audiences in industry as well as research communities. The finalized TOSCA approach has therefore been used to develop continuous training to disseminate TOSCA to SMEs.

Project Results:
COMMON OPERATIONAL PICTURE

COP is the information and knowledge about the operational system used to support risk assessment and safety management. It may be represented in different ways but should be accessible to all stakeholders involved in a project in order to analyse and communicate risk, and to support training and job design. This concept is aligned with Human Centered Design best practices, as outlined in ISO 9241-210. TOSCA supports three overall safety functions:

(i) task design and functional hazards analysis,
(ii) operational risk screening, and
(iii) quantified risk assessment

Task design and high-level functional hazard analysis: There is a requirement for a participatory approach to hazard identification and control that stems from a functional analysis, not only of the technical equipment but also of the organizational work system involved in the safety critical activities. This high-level functional hazard analysis must also provide input to more detailed risk models to be applied in following steps. Unfortunately, existing BPM tools have focused on system effectiveness and failed to take into account management decisions and organizational processes that may have side-effects on safety in the long term. The TOSCA-modified BPM tools have therefore been tailored to deliver a high-level functional hazard analysis able to support the decision making process and compatible (and integrated) with other “standard” risk models. Two approaches are proposed within the TOSCA toolbox:
(i) The Task HAZID tool (TCD) that supports the analysis of all operations contributing to system goals and records many performance measurements to optimize workflow efficiency and safety.
(ii) The Work-IS tool (INERIS) that identifies how task roles are distributed to operators, how safety resources are used to manage hazards, and how information flows across different organizational units.

Operational risk screening: The results of the high-level functional hazard analysis and risk registry are fed into bow-tie diagrams in order to identify important technical and human barriers that prevent or control industrial hazards. Data can be obtained from detailed task and error analyses, revision of operating procedures, and near miss reports. Bow-tie analysis is commonly used by Small & Medium Enterprises and it is easy to learn. A risk matrix approach is suggested to allow safety analysts to reach a decision whether barrier failures should be analysed further and quantified in the following step.

Quantified risk assessment: For complex scenarios, there is a need to perform a quantified risk analysis using a variety of tools for consequence and likelihood assessment such as:

(i) Traditional fault trees and OSQAR (Operational Safety barriers, Quantification and Assessment of Risks, INERIS) that allows risk modelling with graphical facilities and includes calculation of frequency propagation based on the initiating event and the level of confidence of safety barriers (e.g. propagation probabilities, duration of events, uncertainties, etc.).
(ii) SPAcCo (Probabilistic Solver Coupled to Consequences, D’Appolonia/Polytechnic of Torino) that allows safety analysts to verify all accident sequences that a system can undergo on the basis of a logical-probabilistic model of the system.
(iii) Advanced consequence modeling including Dynamic Process Simulation (University of Bologna) to analyze the effect of the incidental event on the process parameters, and Computational Fluid Dynamics (CFD) (D’Appolonia) to analyze the external effect (dispersion, fire, explosion etc.). The advanced modeling is performed by means of commercial software deeply integrated in the TOSCA toolbox.

In QRA, there is a need to provide test facilities with workplace prototyping tools that create virtual workplaces so that operators would be able to interact with equipment in a virtual representation (3D or VR system) of the technical system. The partners of TOSCA made available to the consortium their existing rapid prototyping tools that have been integrated within the scope of the project. Other functions of the rapid prototyping tools include: visualisation of accident sequences, recording the interactions of operators, the incorporation of information from near misses, and so on.

These methods and tools are used on a modular basis which depends on the needs of the SMEs and their application area.

RISK REGISTER IN TOSCA

The risk registry acts as a central repository for risk information, capable of holding information on different hazard types, including process, occupational, financial, human resources, etc. In order to maintain safe operations, organisations must continuously review and monitor their risks. This means that the results of safety studies must be translated into a format that can be analysed, reviewed and acted upon, and new data about the level of risk continuously collected to keep the safety information up to date. A risk database, or risk register, is a central tool for organisations to use to monitor and reduce risks, both those identified during initial safety assessments and those emerging during operations (Whipple & Pitblado, 2010). The risk register contains all analysed risks and prioritises the areas that require managerial attention. It typically contains information describing each risk, an assessment of the likelihood and consequences, a ranking according to a risk matrix, the risk owner, and information on the mitigations to be put in place (Filippin & Dreher, 2004). When populated with information on each risk, including risk ranking, the risk register can be analysed to present the risk profile for different aspects of the organisation (Filippin & Dreher, 2004). When reviewed and updated over time, it can also be analysed to present trends within the risk profile and focus management attention on the highest risk activities or facilities (Whipple & Pitblado, 2010). In order to successfully develop a risk registry that provides an accurate level of risk within a process, there is a requirement for real time data on risk to be input into a risk registry.

TOSCA TSM FOR DESIGN OF PLANTS OR SAFETY CRITICAL ACTIVITIES

The need and application for design review in TOSCA.
Risk and safety management should be considered throughout the whole lifecycle of a system, starting with the design phase. This view is proposed by ISO 31010 (ISO, 2009) which states that risk assessment should be conducted during the design phase to ensure that system risks are tolerable and to help refine the design. The consideration of safety at this stage is at the core of the Inherently Safer Design (ISD) approach (Kletz, 1998); Human Centred Design (HCD) also seeks to create designs that minimize human errors. TOSCA allows integrating the two approaches by supporting Inherently Safer Design with the use of new technologies such as 3D modelling and simulations (4D simulations) and at the same time supporting design review with Human Factors or Human Centred approaches such as task analysis and Ergonomic reviews directed towards improving both the physical environments (e.g. maintainability of equipment, accessibility etc.) and the cognitive aspects (e.g. human decision making, provision of information, etc.).
Optimisation Tool for Planning and Design
4D process simulation is a technology which allows complex tasks and systems to be modelled in exacting detail, giving the Safety Analyst a realistic environment in which to form and test hypotheses, and to train operators using a trial and error approach, something that can seldom be done on a real plant. Task analysis is used to describe and evaluate the human interactions in a system. As such, it forms the basis of human factors risk assessments. More and more studies have highlighted that this critical first step of the analysis has often been neglected, leaving the design stage without structured information about the tasks and contexts to be addressed (Leva et al., 2009). Within this context the analysis of the task and its description is among the main inputs required for the development of the 4D simulation. The environment in which the tasks or system exist and the tools and materials used are modelled in 3D. The tasks themselves as well as system and individual element behaviour are then modelled with respect to time, thus creating a four dimensional or 4D model of the system. 4D process simulation has been used extensively in discrete manufacturing for production and facility analysis and optimization. Process industries such as petroleum and nuclear are now also beginning to use 4D process simulation for similar operational improvement studies. The expected benefits of the tool include the ability to visualise current procedures in order to define improved new procedures, identifying and modelling risks to the delivery of the project, and improving the planned delivery of the project.

Critical Activity Design.
Aligned with the aspect above, which may be more directed towards plant or equipment design review, special consideration is also given to the planning of safety critical activities and tasks. The critical tasks considered in this section are the ones at the core of operations for SMEs where major changes may be introduced to an organisation, and this section seeks to understand how such changes can be managed in order to reduce risk. Some organisations may have a formal protocol to follow for managing change, while others may simply use existing channels of communication and/or training. In approaching the issue, an attempt was made to understand how organisations manage safety in defining and designing critical tasks and what can be done to improve this area starting from practical examples.

Human Factors Design Review.
Human Factors Engineering (HFE) focuses on the application of human factors knowledge to the design and construction of socio-technical systems. The objective is to ensure systems are designed so as to optimise the human contribution to production and minimise potential for design-induced risks to health, personal or process safety or environmental performance (OGP, 2011). The ISO standard ISO 9241-210 (2010), Ergonomics of human-system interaction, requires that all new facilities projects apply the principles of Human Factors Engineering (HFE) during early design stages. In practice this means ensuring, as a minimum, that every new facilities project is screened in collaboration with the end users to identify whether there are any “hotspots” (risks, issues or opportunities) associated with the scope of the design project that justify further HFE activities. Further standards detail these activities, including physical and cognitive ergonomic assessments of the operator tasks, the equipment they will use to complete those tasks, and the environment in which they will be undertaken. The benefits of a Human Factors review include (OGP, 2011):
• Reduction in CAPEX by contributing to more efficient design and avoiding the need for expensive changes and/or re-work late in design.
• Reducing the need for re-work or change during or after construction.
• Reduction in life cycle costs of operating and maintaining facilities (OPEX).
• Improvements in HSE performance, and reduced operational HSE risk.
• Enhanced user commitment (‘buy in’) often resulting in faster approval cycles.
To support the challenging task of the design team there are a number of standards able to provide some guidance on the minimum requirements in terms of human centred design: for example, ISO 6385 – Ergonomic Principles in the Design of Work Systems (2004) outlines how technological, economic, organisational, and human factors can affect the work behaviour and well-being of people within a work system. The general principle underlying the standard is that interactions between people and the components of the work system (e.g. tasks, equipment, workspace and environment) should be considered during the design stages. Each design stage is described and appropriate ergonomic principles and methods for each stage are listed. ISO 11064 - Ergonomic Design of Control Centres (2006) provides nine principles for the ergonomic design of control centres and guidance on specific aspects of control room design, including layout, workstation design, controls and displays, and environmental requirements. ISO 12100 – Safety of Machinery (2010) suggests a five step methodology to perform risk assessment at design stage and the overall strategy requires designers to take into account the safety of machinery for their whole life cycle, considering usability, maintainability and cost efficiency. EEMUA 191 (1999) is an industrial standard developed by the Engineering Equipment and Materials Users’ Association to support the design of alarm systems taking into account the requirements of the human operator receiving and responding to those alarms, while EEMUA 201 (2010) is focused on the design of HMIs and gives guidance on areas such as display hierarchies, the design of the screen format, and the attributes of the environment which may affect the use of the HMI. These standards define the minimum requirements, and it is up to the designers to decide how to optimize and utilize the systems to increase the satisfaction level of the users.
This systematic approach is fairly generic and does not provide technical support for the designers. While it recommends foreseeing the uses of the design, there is no discussion of the methodology to conduct this verification. Increasingly, rapid prototyping and participatory approaches are proposed as methods to evaluate the design. These approaches have been commonly used for products that will be produced in large numbers (Sinclair, 2005), although it has traditionally been more costly and time consuming to apply this approach to the design of a control room, limiting the ability to apply these methods in this context. However, a possible substitute for prototyping can be provided by the use of 3D models of the buildings, structures, or control room. Reviews of these models can be undertaken with the involvement of the operators. The 3D model is a more natural representation that does not require decoding of 2D technical drawings and thus helps the operator to identify potential issues regarding the proposed design. This approach can be considered as an example of human centred participatory design, able to support a better understanding of the user’s needs and a more solid starting point for the designers to deliver a safer design. Such participatory reviews of designs do not negate the need for guidance for designers at an earlier stage, as they should be supported as early as possible in optimising their design for human operation. The above-mentioned standards can be used in combination with 3D participatory review; however, the process has not been detailed or suggested clearly in any of the aforementioned standards.
So while ISO 9241-210 (2010), Ergonomics of Human-System Interaction, requires participatory human centred approaches, it does not provide technical details on what specific aspects should be considered and how to concretely carry out such a process. The link with the more specific standards such as ISO 11064 for the Ergonomic Design of Control Centres and/or ISO 12100 (2010) on Safety of Machinery is not structured or suggested in any clear way, and as a result companies must introduce internal standards to tackle the problem.

TOSCA TSM FOR OPERATIONS

The need for Total Safety Management in operations.
Safety Critical Organisations, especially SMEs, must still improve their capabilities to address safety “not as a stand-alone activity that is separate from the main activities and processes of the organization” but as an integrated part of total performance management (Lancaster et al., 2003). Furthermore, it is essential to understand how weaknesses in technical processes combine with flaws in organisational interfaces and give rise to significant losses and major industrial accidents. Traditional Risk Assessments and Probabilistic Safety Assessments have not provided robust solutions because they have not been embedded within a ‘total operations’ or ‘performance management’ framework to deliver solutions that are both innovative and safe. It is not sufficient that production systems are reliable (i.e. their failure probability is acceptably low); they must also be resilient and capable of recovering from irregular variations, disruptions and degradation of working conditions. It is often the case that system vulnerability and resilience arise from the same interactions between socio-technical dimensions.

Only a few attempts at multi-level analysis have been found in the research literature (e.g. IRISK (Papazoglou et al, 2003), ARAMIS (Duijim & Goossens, 2006)) and in industry best practices (Chemical Industries Association, 2008) that examine system safety in ways that integrate risk at the individual, group and organisational levels. To improve companies’ safety performance it is necessary to develop methods and tools to cope with the complexity of risk generation and event propagation. In addition, the management of safety needs to be integrated into the activity workflow of operations management, if safe outcomes are to be assured.
The requirements for safety management in existing and upcoming standards and regulations (for example Seveso III directive, ISO 31000) call for a proactive strategic approach, demonstrating a capacity to anticipate risks and keep safety at the centre of changes driven by commercial competition. However, industrial organisations find it increasingly difficult to integrate their diverse functional units within a system of total operations management. They lack a good way to assess, monitor and improve in practical terms the safety, resilience and flexibility throughout the lifecycles of products or services.
What is needed is a clearer understanding of how risks are currently monitored, for example through incident reporting or safety performance indicators (SPIs), how training is used to manage risk in the operational phase, and how changes are communicated outside of major projects/commissioning. We seek to understand how to address effectively future needs of organisations in these areas through the development of the Operational set of products described in the following sections.
Knowledge Management System
The TOSCA tools for risk management may take a large amount of time to use because they require access to many different types of plant and equipment data, human performance data, risk analysis data, and safety management information. To alleviate the burden of accessing and using this amount of risk information, TOSCA built a knowledge management system able to gather various types of data at both the ‘risk assessment’ and the ‘risk mitigation’ levels.

At the ‘risk assessment’ level, the knowledge management system manages data about the following issues pertaining to system functioning (i.e. a sort of Data Model) and operator performance (i.e. a sort of Task Model):

• Functional descriptions of sub-systems and plant equipment
• P&ID of process equipment
• Dangerous substances
• Failure modes and effects
• Operational hazards
• Sequence of task steps
• Existing operating procedures, checklists and work permits
• Policies for task allocation
• Inspection regimes and maintenance planning policies

These sources of information are derived from the task models and data models used in linked TOSCA methods. TOSCA relies on a comprehensive Risk Model in order to identify critical safety activities and provide estimates of risk levels in chemical installations. The knowledge management system relies on the ‘bow-ties’ technique to identify critical barriers where humans have a significant role to play. For quantitative predictions, the SPAcCo method has been integrated in the TOSCA toolbox. QRA databases can be externally linked to the TOSCA system. Finally, all risk information derived from the Data model (e.g. equipment failures), the Task model (e.g. human deviations) and the Risk Model (e.g. barrier failures) is used to feed the Risk Registry. It is conceivable that other sorts of information about product quality and environmental issues can also be stored in this knowledge management system so that they are integrated in the risk registry and can inform several tradeoff decisions.

At the risk mitigation level, it is possible to expand the ‘knowledge management’ system to cover information that can be used for mitigating risks and improving safety. TOSCA developed dynamic workflows to serve the needs of coordination with contractors and maintenance planning. In this sense, the knowledge management system can be expanded in order to build a basis for team coordination. For maintenance planning and monitoring, the workflow system can be used online by technicians to plan their inspections, allocate tasks to people, write their work permits, communicate with operational staff, log the status of equipment and record progress. At the risk mitigation level, the knowledge management system is able to assist Man-Machine-Interface design and the RWTD design (i.e. the Right-Way-To-Do the job).
On the one hand, for instance, the knowledge system can store 3D sketches and pictures of equipment and control panels which can be evaluated in terms of user-friendliness, reliability and safety issues. On the other hand, the knowledge system can be used in an RWTD approach for the design of operating procedures and job aids. For instance, the knowledge management system can store existing operating procedures (i.e. in textual and diagrammatic formats) or task allocation rules and evaluate their effectiveness.

Maintenance Planning and Management
The method is built on Computerised Maintenance Management Systems and it is focused on safety barrier management identified within the risk models. The goal of this tool is to plan and monitor all the operations needed to manage the barrier requirements using the workflow solution. The methodology is developed to specifically focus on barriers but to integrate with existing approaches in organisations.
Capitalization and transfer of professional knowledge and know-how: Training
Capitalizing existing knowledge
The TOSCA approach to training is based on a specific method, called BEST PRACTICES (B.P.) which allows capitalizing the main knowledge on how to manage a critical task, from a Human Factors point of view, based on safety analyses (risk assessment and Task Analysis).

A B.P. is a solution (among others) to the problem of integrating various requirements and challenges that operators must be able to take into account in the space and time where they should be able to complete the tasks of the Safety Human Barriers (SHB) under consideration. These requirements are reviewed by risk analyses relating to production, quality, safety, the environment, etc. A B.P. is an arrangement of these requirements in a set of tasks, more or less flexible, according to a strategy adapted to the situation.

In the TOSCA Methodology, a Best Practice meets three criteria:

1. All requirements, challenges and QHSE must be considered. If one of these dimensions is missing, the so-called best practice cannot have a long life span as it will be justly contested by one or other of the interested parties. It is not a question of ‘doing safety’ on one hand, ‘production’ on the other, and then ‘quality’ but of conducting activities with the required level of quality while ensuring safety. The strength of the best practice resides in the fact that compromises are managed, so that the operator does not need to apply different rules to correctly carry out the work.

2. The conditions for the operation are specified: its acceptable duration, what to do in case this acceptable duration is exceeded (stoppage, informing management, specific analysis of specific risks), the additional safety to be put in place, the nature of information to be processed and transmitted (with a defined transmission circuit for information), etc.

3. The B.P. must be appropriable by those responsible for their application or the checking of their correct application. They must be able to make a diagnostic for the feasibility of actions planned: checking the compatibility of operations with the concrete conditions for their execution, (availability of human and material resources, etc., synchronisation of tasks often defined separately from one another and allocated to individuals ‘isolated’ from one another). They must share in advance a minimum representation of the situation to be managed, with a maximum ability to understand and anticipate. In other terms, they must share strategies, rules, action scenarios, characterised by objectives, sub-objectives, facilities, context elements and possible disruptions to be anticipated.

Because of the third criterion, the level of abstraction of a B.P. is much lower than that generally followed by engineers, as the interfaces must be described – what must be seen, touched, heard, felt, said, handled – and the specific conditions for actions in time and space. A B.P. must be the connection between the way operators think about and go through their activity and the analyses of engineers (risk analyses, task analyses, performance factor analyses, feedback, etc.). The concept of the B.P. makes it possible to question the authority of procedures as an untouchable reference for safety management: there is a need to interpret and adapt procedures to the multiple constraints and objectives of reality when a SHB must be implemented. It enables both the procedure (essential reference) and the understanding of the challenges by those involved (operators and managers) to be enriched.

Training on Best Practices (Revia™ Training)
For training workers on these Best Practices with 3D simulators, TOSCA uses Revia™ Training. Reviatech training simulators are based on Revia™ technology, developed by Reviatech researchers and engineers to create interactive 3D simulations designed for industry-specific training.
It uses open-source components and industrial technologies allowing it to offer results and dependability in line with industrial standards.
Revia Training stands out from its competitors' solutions thanks to an innovation: updatable training.
This allows:
- operators to train through lessons and practice on virtual exercises,
- trainers to create and update the training content for operators, using the simulator in "creation" mode.
Using the software workshops, trainers can create training material and assemble learning paths composed of:
- Virtual tour, presentation of the process,
- Step-by-step interactive lessons,
- Interactive quiz,
- Virtual settings exercises,
- Practical application on faults, malfunctions, incident diagnostics, etc.
Performance tracking and traceability of the training
Trainers can organize training sessions and monitor the progress of the workers using:
- Progression panel for each operator
- Performance indicators (scores, time spent, detailed errors)
- Simulation replay of the training session
This software is a way for trainers to be autonomous on all aspects of the practical training.

Potential Impact:
INTRODUCTION

Since the beginning of the project, the outcomes of TOSCA were expected to have relevant societal implications. Process Industries are becoming more and more complex because of different factors:
• New technologies and products are continually developed and improved
• In the globalization age, markets for products become more international
• Mergers, acquisitions and changes in partnerships happen regularly.

This has created many challenges for process industries and their ability to properly manage all the risks. It is worth underlining that up to now, changes in the process industries have been mainly of a technological nature, and many human, organizational and systemic factors were taken into account at a late stage in system development. By contrast, in the framework of modern globalisation and the new international market, the process industries have to cope with both technological and societal changes. The challenge faced by TOSCA was to be able to anticipate and manage complex system interactions before they become manifest in operational emergencies, and to use operational experience more effectively as a preventive resource.

The objective of the project was to deliver a “ready to apply” integrated risk information system comprising a modelling approach, a risk methodology and a set of IT tools for total performance management in running, outsourcing and subcontracting safety critical activities (recommended in ISO 31000) that is transferable across different domains and organizational sizes.

The methodology, tools and case studies developed in the project aimed at supporting the prediction of short and long term effects of changes and safety-related decisions, and they have been conceived as lifelong learning systems including the experience feedback aspect. These tools and associated methods are considered an added value, in particular for European SMEs, in order to substantially reduce the number of accidents in Europe, and the case studies have been focused on several industrial sectors in order to widen the impact of the project.
The key objectives of TOSCA in terms of impact have been:

• Improving the total safety paradigm and promoting an accident free production environment as well as making safety a driver in managing plant changes and introducing new technologies.
• Building an approach that is self-sustainable and transferrable to more than one industrial sector and domains.
• Provide a reference protocol for information exchange to better manage organizational interfaces (e.g. Plant owner and contractors) and a feasible way to include operators from all organizational layers into the risk assessment and monitoring process
• Translate the complex technical outcomes of risk assessment into common operational pictures and good practices to be shared by the entire community of stakeholders involved in an initiative.
• Deliver a set of transferable tools and technological solutions to enable SME to transform and transfer digital contents currently available in specific license-free software into exchangeable collaborative formats, easily readable, and user friendly
• Deliver a multilingual tool able to integrate all kind of norms and standards and allowing SMEs to access the description of norms ‘at a finger’s tip’ and where relevant during the daily work.
• Having a relevant impact on standardization activities at European Level
• Widely disseminating and exploiting the project results to transform Europe towards a more risk informed and innovation accepting society

TOSCA SOCIAL IMPACTS

One of the key objectives of TOSCA was to improve the total safety paradigm and promote an accident free production environment. Eurostat usually presents main statistics about non-fatal and fatal accidents at work in the European Union (EU):
• non-fatal accidents at work, also called serious accidents, are those implying at least four calendar days of absence from work (ESAW framework)
• fatal accidents at work are those leading to the death of the victim within one year
The latest available statistical data refer to the year 2012, when almost 2.5 million non-fatal accidents plus 3.515 fatal accidents occurred in the EU-28 within workplaces. From such figures it is also possible to notice that men are far more often victims of accidents at work than women (78.5 % for non-fatal accidents and 95.6 % for fatal accidents).

Data about accidents at work can also be analyzed by calculating the ‘incidence rate’, namely the number of accidents in relation to the number of persons employed. Results are provided in Figure 3 and Figure 4 below, revealing respectively that in the EU-28 there were, on average, 2.44 fatal accidents per 100 000 persons employed in 2012, while there were 1.702 non-fatal accidents per 100 000 persons employed in the same year.

Since fatal accidents are quite rare events, the incidence rates can vary greatly from one year to the next, in particular in some of the smaller EU Member States: this explains the significant differences between 2011 and 2012 in some Member States in Figure 3 (e.g. Malta, Romania, France or Luxembourg).
Regarding Figure 4 about non-fatal accidents, a preliminary remark is needed: the European Member States adopting insurance based accident reporting systems (mainly southern and western countries) register a higher incidence of non-fatal accidents at work compared with countries with legal obligation systems, where victims are covered by the general social security system. The latter are mostly the eastern European Member States, which in fact reported the lowest incidence rates (e.g. Romania, Bulgaria, Latvia, Lithuania, etc.). This fact explains the great difference between incidence rates for fatal and non-fatal accidents in the two following graphs, which at first glance appear inconsistent, especially for the eastern countries.
In this framework, TOSCA has a relevant impact on increasing worker safety, on improving the total safety paradigm and promoting an accident free production environment, and on making safety a driver in managing plant changes as well as introducing new technologies. Among the relevant results of the project are the tools for risk assessment, which are able to improve the identification of hazards and barriers. These tools include task analysis, critical tasks identification (i.e. human interventions aimed to prevent or mitigate major accidental events), illustration of relevant workflow etc.
Furthermore tools for the design facilities have been developed. These tools allow solving conflicts between safety and production by combining production and manpower planning and by exploiting virtual reality features.
In the framework of TOSCA, specific tools taking care of critical activities design have been developed too. These tools are able to provide a 3D representation of the workplace by illustrating the right way to do the job and supporting the operators in managing critical tasks. The huge impact that TOSCA solutions can have on the safety of workers and on preventing accidents at the workplace is evident.
It is worth underlining that TOSCA focused its attention not only on tools able to directly prevent accidents but also on solutions aiming at better working conditions by addressing human factors issues. In this context, the TOSCA methods and approach for human factor design review are able to ensure that the design of the plant conforms to ergonomic standards and facilitates safe and efficient operation by plant staff. In particular, TOSCA allowed integrating human factors engineering in the design of a new plant, ensuring that systems are designed in a way that optimizes the human contribution to production and minimizes potential for design-induced risks to health, personal or process safety or environmental performance.
TOSCA really paid special attention to human factors that are often neglected in standard existing management systems.
The conceived tools include a repository giving analysts access to many different types of plant and equipment data, human performance data, risk analysis data, and safety management information.
Moreover the systems developed by TOSCA also cover maintenance operations and monitoring activities: these tools allow technicians, for instance, to plan their inspections, allocate tasks to people, write their work permits, communicate with operational staff, log the status of equipment and record their work progress, and they support the modeling of dynamic workflows of staff responsibilities for a specific task or project.
Furthermore, TOSCA, through its virtual reality training tool, is able to improve the skills and knowledge of personnel in safety critical tasks; the analysis of critical activities and human barriers provides input to the training needs analysis. The impact of these tools on worker safety is relevant as they allow workers to practice the real job in a safe work environment.
As far as risks are concerned, TOSCA methods allow analyzing a company’s main risks and assisting the company’s capacity to manage them: in this context they allow priorities to be established in terms of risk management, and help management to identify and track the mitigations to be put in place to manage the business’s risks.
The social implication of TOSCA solutions and their relevance to enhancing worker safety and improving the total safety paradigm is evident.

MAIN ADVANTAGES FROM THE TOSCA TOOLS

Through the application of the TOSCA tool and the transferability through different industrial sectors, the following main advantages have been highlighted:
• The CBMS tool was successfully implemented and it improves risk and safety management across the plants. In addition the IT tool and its implementation contribute to the Common Operational Picture, it provides ease of expandability to the whole plant and it is a cost effective approach for the intended purpose when considering the whole project lifetime (development, implementation, operational use, updates) versus the old paper based or static documented file alternative. It also allows proper and effective information to the company and site management, transparency in fulfilling the external and internal requirements, as well as auditability on how inspection and maintenance related activities and equipment performance are assured.
• Critical Activities Design. Risk assessment is improved by mapping the tasks of the workers and systematically identifying possible deviations, antecedents and consequences for each task. The involvement of the workers in the generation of the process map and the analysis of the possible risks increases their personal investment in safe operations, as well as generating a more comprehensive and tailored risk assessment for the job. The analysis developed by TOSCA was shared with the staff, who had the chance to analyse the results and see the clear advantages of the risk assessment. This gave greater clarity on the tasks executed, facilitating future training and identifying activities that create a higher risk for the workers.
• Human Factors Design Review. The importance of including Human Factor Engineering at the very early stage of systems design, as well as existing approaches, was tested. The benefits to be gained from the adoption of a proactive approach towards Human Performance in industrial systems have direct implications for the improvement of system operability and maintainability during the whole life-cycle of a system. In addition internal guidelines were developed collaboratively and iteratively with company engineers and provided companies with an overall Human Factors Strategy and specific guidelines on Human Factors review workshops. The solution was implemented in the form of internal guidelines and documentation and it was also evaluated during the course of the research project on two different design projects. In order to perform the basic ergonomic review regarding accessibility and maintainability of equipment, a basic physical layout review was achieved using 3D model review. To incorporate ergonomic principles into the design of alarms, a guideline was developed based on available references. Finally the Ergonomic Review of the control room and the Human-Machine Interface (HMI) was performed taking into account those cognitive and physical aspects relevant to support the effective control of the plant through the information provided by the control panel.
• Virtual Reality can be an efficient means of delivering training for process control skills. The VR training system uses a training methodology that is based on the risk assessment framework of TOSCA. It makes use of other tools, such as SCOPE and CBMS, in order to perform a task analysis and risk assessment of operation as part of the training needs analysis (TNA). As a result, this is a risk-based training system, which can be used to make decisions before training is delivered. For instance, if the risk assessment provides evidence that new safety equipment should be introduced, or new control panels should be designed to minimize risks, then this should be respected. After the implementation of the new safety measures, the tasks should be re-appraised and the scope for improving the skills of the operators considered.
• The Optimisation tool consisted of Monte Carlo simulations to provide cost-benefit analysis for additional resources in several case studies. The results of the simulations were compared with the actual results and the approach was positively received and showed its ability to provide an accurate and detailed plan of the proposed works.
• The Risk register was developed collaboratively and iteratively with key stakeholders from different parts of the organisations during a series of workshops. The risk management process was mapped along with the supporting elements of the risk register, including data structures for assets and hazards, rating systems for severity and frequency, and a risk matrix for prioritisation of the identified risks. The Risk Register has been implemented across the entire ESB Generation business and all stations are currently using the Risk Register to manage their risks.
• Dynamic risk assessment helps the end user decide the best technical and operational solutions and evaluate the behavior of the plant at the different process conditions, resulting from one or more faults of the equipment or operational error.
• In the consequence assessment modelling of accidental releases the PHAST and CFD models were compared. The PHAST model proved to be more pessimistic (larger impact distances), while the CFD model forecasted shorter impact distances and more rapid final dispersion upon stop of the release. The meaning of this comparison is that more advanced CFD modelling forecasts more intensive pre-dispersion mix of liquid propane with air in terms of vertical impingement with the roof, its vaporization and flow to the ground. This added turbulence is obviously not adequately considered in the scope of conventional UDM (PHAST) modelling.

SOCIO-ECONOMIC IMPACT

Accidents at work and work-related ill health have an impact on individuals, companies and on society. Moreover each of these groups has to face economic consequences. Establishing an estimate of the costs to all stakeholders with regard to work-related accidents due to poor or non-occupational safety and health is a very complex task and outside the scope of this deliverable.
However, it is worth underlining that safe production has relevant and direct effects on the socio-economic context, the environment and overall people welfare. The promotion of safer production in hazardous installations, which has been indicated since the beginning as one of the scopes of TOSCA, leads to a saving of resources, an improvement of competitiveness and, above all, prevention of illnesses and accidents, gaining social acceptability.
Victims of accidents at work, their families and friends are confronted with important social consequences affecting their quality of life. In particular, if the victims have to face disability and long-term absence, the consequences are considerable and can affect a wide community. Physical and psychological functioning in everyday activity can be affected, self-esteem and self-confidence reduced and family relationships stressed.
TOSCA tools make it possible to improve the ways in which technologies are used along the plant lifecycle and the ways in which competencies for running plants safely are developed and applied in practice. The positive impact of the project may range from economic savings to improvements in the quality and safety of working life within the productive processes. In practice, reducing the risks associated with operating hazardous plants means designing plants by taking into account technical, human and organizational factors.

IMPACT ON EU POLICIES AND STANDARDIZATION

The need to improve working conditions is a priority of the European Commission’s agenda and recent EU policies propose to enhance the safety and quality of the working environment, demonstrating the importance of work as a fundamental activity in shaping societal progress.
The exploitation of TOSCA results can contribute to the achievement of some important European Union’s key goals, improving conditions of health, safety, quality and productivity within workplaces.
In 2013 the European Commission adopted a new Strategic Framework on Health and Safety at Work 2014-2020 in order to protect the workers from work-related accidents. In this context, the key challenges and strategic objectives for health and safety at work have been identified by presenting also the key actions and instruments to address the problem.
In particular, the Strategic Framework identifies three major health and safety at work challenges:
• Improvement of implementation of existing health and safety rules. In this framework special attention has been paid on the enhancement of capacity of micro and small enterprises to implement efficient risk prevention strategies
• Improvement of the prevention capacity of work related diseases by facing both new and existing risks
• Attention to the ageing of the EU's workforce.

Furthermore the Strategic Framework proposed special actions in order to address the above mentioned challenges, by identifying seven strategic objectives:
• Providing practical support to small and micro enterprises to help them to better comply with health and safety rules.
• Strengthen national health and safety strategies (for instance through policy coordination)
• Enhancing enforcement by Member States (e.g. evaluating the performance of national labour inspectorates etc).
• Simplifying existing legislation by eliminating (where possible) unnecessary administrative burdens
• Addressing the ageing of the European workforce and improving prevention of new risks such as nanomaterials, green technology and biotechnologies.
• Improving statistical data collection in order to carefully analyze the situation.
• Reinforcing coordination with international organisations (e.g. World Health Organisation-WHO)

It is worth underlining the special attention paid by the Strategic Framework to the micro and nano enterprises and the relevance of the objective aiming at supporting them in complying with the safety rules.
In this context, the outcomes of TOSCA have been specifically focused on the micro and nano enterprises by supporting SMEs in achieving compliance in a complex environment for total safety through low cost integrated IT tools.
As a matter of fact, among the TOSCA objectives was the delivery of a set of transferable tools and technological solutions to enable SMEs to transform and transfer digital contents currently available in specific license-free software into exchangeable collaborative formats, easily readable, and user friendly.
Furthermore TOSCA aimed at delivering a multilingual tool able to integrate all kind of norms and standards and allowing SMEs to access the description of norms ‘at a finger’s tip’ and where relevant during the daily work.
With respect to this aspect, TOSCApoweredbyPROMIS® platform is offered as OEM server solution under the logo and website of TOSCA. It will link to the TOSCA framework and, where possible, to the single modules developed during the project, allowing to be offered/sold to European SMEs. The exploitation will be facilitated by the integrated machine translation, which will allow translating TOSCA knowledge – after having been structured in the PROMIS® platform- in the languages required. The users are free to select the machine translation they prefer. The integration of the machine translation extends the impact of projects, by enlarging the target users and increasing the benefit brought by the project.
Still in relation with the Strategic Framework, the TOSCA tools demonstrated that safety criteria can be successfully integrated with productivity criteria and make safety a driver for change and innovation.
They are expected to favor the transition of process industry towards a more knowledge-based orientation by making the activities related to design, risk assessment and training more integrated.

STANDARDIZATION

The project has a relevant impact on standardization activities:
• Attendance to the Meeting of ISO/TC 262 «WG2 Core Risk Management Standards»; during the meeting UEAPME provided the TOSCA feedback on revision of ISO 31000;
• Attendance to the Plenary Meeting of ISO/TC 262; TOSCA views on revision of ISO 31000 and ISO/IEC Guide 73 were presented and discussed;
• Attendance to the Meeting of ISO/TC 262 «WG2 Core Risk Management Standards». Inputs on Second CD of the revision of ISO 31000: 2009 were given based on TOSCA approach and philosophy;
• Comments fed to the new ISO 9241 standard on human centred design;
• Inputs on CEN-CWA 16275 “Guidelines for the Selection of Consultants Advising SMEs on Integrated Quality, Environment, Health and Safety Management Systems” have been delivered.

List of Websites:
www.toscaproject.eu

The main contact details:
Marco Pontiggia – Project coordinator
D'Appolonia S.p.A.
Tel. +39 02 51800562
Fax. +39 02 51800563
E-mail: marco.pontiggia@dappolonia.it

Giannicola Loriga
D'Appolonia S.p.A.
Tel. +39 010 3628148
Fax. +39 010 3621078
E-mail: gianni.loriga@dappolonia.it

Maria Chiara Leva
Trinity College - University of Dublin
Tel. +353 18962916
Fax. +353 16712006
E-mail: levac@tcd.ie

Emmanuel Plot
INERIS
Tel. +33 626710739
E-mail: emmanuel.plot@ineris.fr