Errant Notebook Sends Diving Ship Off-Station – HF in Design
The Australian National Offshore Petroleum Safety and Environmental Management Authority (NOPSEMA) has recently published a safety alert on a serious incident in which a Dynamically Positioned (DP) vessel made an uncommanded movement during a diving operation. The incident highlighted a significant design vulnerability.
The vessel was conducting diving operations 130m from an oil and gas installation when the uncommanded movement occurred.
The loss of position was caused by deactivation of the forward/aft automatic positioning function: the ‘surge’ button on the DP console on the bridge was unintentionally deselected, which in turn deactivated the ‘Auto Position’ mode.
The deselection is thought to have been caused by a notepad placed on the side of the console.
The vessel drifted over 40 metres off location; the drift was first noticed by a diver when his umbilical started to become taut.
Once the DPO (Dynamic Positioning Operator) became aware of the excursion, ‘Auto Position’ mode was reactivated, stopping the vessel and holding it in position.
The diver was unharmed. However, as NOPSEMA note:
A loss of position during diving could cause diver fatalities if their umbilicals or other equipment becomes entangled or snagged on subsea infrastructure during the excursion. A loss of position whilst working in close proximity to a hydrocarbon facility could also potentially cause a collision, leading to a loss of hydrocarbon containment and subsequent fire or explosion.
The NOPSEMA Investigation and Analysis
NOPSEMA’s investigation identified that the auto DP mode buttons (Surge, Sway and Yaw) were located in the left hand corner of the console next to desk space commonly used for completing DP related checklists and logs. Consequently, these buttons were susceptible to accidental activation by personnel.
The inspectors found that although the incident arose from an accidental, unknowing double press of a button by the DPO, the design of the DP system allowed this human error to escalate into a dangerous occurrence: it neither required any positive confirmation of deactivation of ‘Auto Position’ mode nor provided any alarm requiring acknowledgment that ‘Auto Position’ mode had been deactivated.
The situation was exacerbated, and recovery impeded, because deselecting the ‘surge’ button automatically deactivates the excursion alarms in that axis, and the DP display no longer provided useful feedback on the loss of position as the excursion rings started to track with the vessel’s movement.
NOPSEMA identified the following key lessons (with our emphasis):
- Control system interfaces should be designed to account for foreseeable human error. Adequate control measures to prevent and recover from errors should be in place.
- For DP vessels, operators need to ensure that suitable controls are in place to prevent a single inadvertent act from leading to a loss of position.
- Double press activation for switches with safety critical functions may not be an adequate barrier to prevent an inadvertent action. More robust methods need to be considered.
- DP systems can prevent inadvertent operator selection in several other ways including operation of two separate selection devices and using screen based question pop‐ups.
- Monitoring tasks are not a human strength; hence control panel operators are heavily reliant on control systems to provide alerts of any unsafe operational conditions, to allow them to problem solve the issue (which is a human strength). Good control system design should account for this.
- Switches with safety critical functions should be positioned to avoid accidental activation/deactivation that could cause an unsafe condition.
- Facility operators need to ensure that lessons are learned from previous incidents and any additional controls suitably communicated to the workforce. In this case, the vessel had a similar human error induced loss of position event in 2009.
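As an added illustration (not from the NOPSEMA alert and not any vendor's DP software), the toy model below contrasts the console logic the investigation describes with one that applies the lessons above; the classes, the excursion threshold and the notepad scenario are all constructed for the example.

```python
from dataclasses import dataclass, field

EXCURSION_LIMIT_M = 5.0  # constructed alarm threshold, not a figure from the alert

@dataclass
class WeakConsole:
    """As-found design: double press drops Auto Position silently and disarms the alarm."""
    auto_position: bool = True
    presses: int = 0
    def press_surge(self):
        self.presses += 1
        if self.presses == 2:  # double press toggles the mode; no confirmation, no alarm
            self.auto_position, self.presses = not self.auto_position, 0
    def check_excursion(self, drift_m):
        # the excursion alarm is armed only while the axis is in auto mode
        if self.auto_position and drift_m > EXCURSION_LIMIT_M:
            return ["EXCURSION"]
        return []

@dataclass
class HardenedConsole:
    """Lessons applied: second device to confirm, latched mode alarm, alarm always armed."""
    auto_position: bool = True
    pending: bool = False
    unacknowledged: set = field(default_factory=set)

    def press_surge(self):
        if self.auto_position:
            self.pending = True  # a request only; nothing changes yet
        else:
            self.auto_position = True  # re-engaging is the safe direction
    def confirm(self, via_second_device):
        if self.pending and via_second_device:
            self.auto_position = False
            self.unacknowledged.add("AUTO POSITION SURGE DEACTIVATED")
        self.pending = False
    def acknowledge(self, alarm):
        self.unacknowledged.discard(alarm)
    def check_excursion(self, drift_m):
        if drift_m > EXCURSION_LIMIT_M:  # armed regardless of mode
            self.unacknowledged.add("EXCURSION")
        return sorted(self.unacknowledged)  # latched until acknowledged

def notepad_scenario(console, drift_m=40.0):
    """Constructed: an object presses 'surge' twice, then the vessel drifts."""
    console.press_surge()
    console.press_surge()
    return console.auto_position, console.check_excursion(drift_m)
```

Run `notepad_scenario(WeakConsole())` and `notepad_scenario(HardenedConsole())` to compare: the weak console loses auto mode and shows nothing, while the hardened one stays in auto mode and still alarms on any excursion.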
The last point echoes the concept of a failure to learn. This idea has been raised in relation to BP after the 2005 Texas City refinery explosion, prior to the 2010 Macondo / Deepwater Horizon disaster. It is also the subject of a book of the same title by Australian National University Emeritus Professor Andrew Hopkins. We have discussed it in relation to the Shell Moerdijk Explosion and also the Shell Pernis 11.2t Ethylene Oxide Leak.
However, a safety management system that relies heavily on in-service occurrence or hazard reports is one that is abdicating responsibility for proactive equipment, process and procedure risk assessment and design.
The concept of a failure to learn can also apply to a failure to learn from accidents to other organisations (as we discussed in the case of a US helicopter operator). In the 2008 book Resilience Engineering Perspectives, Volume 1: Remaining Sensitive to the Possibility of Failure, John Wetherall writes:
…one hallmark of a resilient organisation is that it is prepared not only for its own failures but those of which it can learn from others – the more resilient it is, the ‘bigger’ are the lessons it has learnt from others.
About five minutes after landing, unknown to the pilot and unnoticed by the ship’s crew, the West Navion’s Dynamic Positioning (DP) system reverted to MANUAL heading control and the ship’s heading started to drift slowly to the right. The wind at that time was westerly at 32 kt with gusts to 42 kt, and, as the ship’s heading drifted, the helicopter was subjected to an increasing crosswind component. At 1254 hrs, some seven minutes after the ship’s heading started to drift, the helicopter toppled over to its right.
The co-pilot was seriously injured.
Mathematical analysis of the forces acting on the helicopter indicated that the most significant toppling moments were caused by aerodynamic forces arising from the increasing lateral wind component to which the aircraft was subjected as the ship yawed to the right.
The AAIB investigation identified that, as in the Australian case, there was no alarm or mode change alert to the crew:
Unknown to the crew on the bridge, the ship’s Dynamic Positioning system reverted to manual heading control and the ship’s heading began to drift to the right.
The lack of procedures on the ship to transmit the change in the alert status to the crew of the helicopter, and of any specified procedure available to flight crews concerning action to be taken if control of the ship is lost or degraded whilst on the helideck, denied the pilot an appropriate course of action to ensure the safety of the helicopter.
In 2013 the UK HSE issued a Safety Bulletin on DP Systems: OSD 1-2013 Warning to offshore industry on blocking of data communications in dynamic positioning systems. The bulletin followed an incident caused by a technical fault, in which one diver’s umbilical was trapped and he was recovered unconscious:
A serious incident occurred where a diving support vessel’s dynamic positioning (DP) system, designated as IMO class 2 [see IMO MSC Circular 645], failed resulting in the vessel drifting off position while divers were deployed subsea. Investigations have shown that a probable cause of the DP failure was a single fault which caused blocking of the DP system’s internal data communications.
The HSE say:
…where the safety case claims that a dynamic positioning system achieves IMO Class 2 or better the duty holder for the safety case should investigate the communications architecture for the relevant DP system. If the dynamic positioning functions are dependent on a shared communication medium such as a dual data bus network, then the duty holder should ensure that appropriate measures are in place to prevent a single fault causing failure of the DP system.
More details of DP failures can be found in this report: Analysis of Loss of Position Incidents for Dynamically Operated Vessels. In this case the vessel operator initiated a wide review that examined:
- Design of the bell staging to assist the recovery of the unconscious diver;
- The design of rescue equipment and method of recovery of unconscious diver back to the bell;
- The design and provision of diver transponder/locator beacons;
- The design and provision of thermal protective undersuits;
- The specification of diver bailout bottles;
- The assessment and technology of diver re-breather units;
- Provision of additional life support equipment on the seabed for the dive team;
- ROV interface to aid and assist diver recovery;
- Review of existing dive management system procedures and risk assessment criteria;
- DP control system (software and hardware) design, inspection and verification regime;
- DP field entry trials and set up to enable time for driving the vessel in manual mode;
- Enhancement of the understanding and familiarity of manual systems and operation;
- Bridge Team Management and the management of major emergencies / command and control;
- Fully integrated approach to FMEA/FMECA and the schedule and criteria for FMEA/FMECA review.
The story of this incident was subsequently made into a full-length feature film, Last Breath.
UPDATE 20 December 2019: Also see The US Navy installed touch-screen steering systems to save money. Ten sailors paid with their lives.
When the USS John S. McCain crashed in the Pacific, the Navy blamed the destroyer’s crew for the loss of 10 sailors. The truth is the Navy’s flawed technology set the McCain up for disaster
Aerossurance is pleased to sponsor the Royal Aeronautical Society Rotorcraft Group 2016 conference on the important and highly topical subject of ‘Automation & Offshore Operations’, to be held 6-7 July 2016 at the RAeS HQ at 4 Hamilton Place, London.
You may also find this article of interest: The ‘Automation Problem’ – A Discussion
In 2010 the UK Maritime and Coastguard Agency, supported by BP Shipping, Teekay Marine Services, and the Standard P&I Club, produced The Human Element: a guide to human behaviour in the shipping industry.