It has been suggested that this site offer Q&A insights with some questions and answers given by the community of people that visit this site. If you have a question, please either send it in to firstname.lastname@example.org, or just comment to this post. As this site’s main author, I can attribute a lot of my new learning to practitioners weighing in on a topic, so please consider it. I tend to get asked HU questions all the time, and I will do my best to include some of those conversations for you to experience. If you have an answer or recommendation to add to my response, please feel encouraged to respond. The goal is not to critique each other’s advice, as much as it is to build on it and drive to real, workable solutions for real problems. This is what we do, right? Members of this site will get priority to any questions submitted.
Question 1 – Clearance Orders
We are working on a procedure enhancement to improve human performance as it relates to returning equipment to service after a clearance has been released.
We had an incident where equipment under clearance (lock-out, tag-out) was put back into service, but the clearance had not been released. This action was the result of a single human error (failure to verify the clearance was released). Our goal is to develop clearance controls that prevent a single human error from re-energizing equipment that is under clearance to workers.
We have come up with the following enhancements:
- Add “Verify clearance released” as step #1 to the return-to-service side of every clearance, which requires the Transmission System Operator to document with a time stamp that he verified that the clearance has been released by all personnel. This action is expected to take place immediately prior to returning the equipment to service.
- Create an electronic database for tracking all issued clearances. This database will be updated and maintained by the Transmission System Operators.
Our question to you is… do either (or both) of these enhancements meet the human performance definition of additional layers of protection, in the sense that it now takes two or more human errors to cause an unwanted result?
Answer 1 – Clearance Orders
Do you have any feedback you would share with this T&D group?
This is how I answered (note that I spoke with him on the phone to get more situation context):
These are the procedures that govern our CO process at my nuclear station. I could get you more nuclear station CO procedures, if you are interested. Typical nuclear plant CO processes have physical layers of review and independence, but ultimately it is governed by software.
As a review, ask yourself this question – Is error a cause or a consequence?
Error – What caused the person to leave the site without closing out CO? (There could be more unidentified errors here)
Error – Why did the Operator put the name in the Restoration area? Why didn’t they cross it out or start a new form? (Is there protocol for this situation?)
Error – What led to an Operator to believe it was closed out without all the blocks being filled in? (root out all complacency in the CO process)
Considerations discussed on the phone call:
Recommended solution: Software guided process with interlocks to prevent continuing without all fields complete.
Recommended enhancement: a non-qualified Independent review step to ensure all areas are complete prior to closing a CO out.
Recommended enhancement: review SOPs for a person going on administrative or other type of leave prior to completion of their work on a CO.
Recommended enhancement: remind Operators how important their piece of the process is with either a stand-down to discuss operator errors that can and have caused injury, or whatever has a known level of emotional impact within the group (affective training).
Even though it wasn’t exactly what you wanted to hear, thank you for getting me involved – it is a clear indication that you and your team care whenever you ask for outside assistance, and I can really appreciate the pursuit of excellence from your organization,
Some video clips on Lockout Tagout:
Lockout Tagout Training Video (OSHA 1910.147) from Panduit
Root Cause Corner
Below contribution submitted by Dana Cooley, President, SeaState Group, Inc. “Fix-It-Once®”
This term appears in INPO’s “anatomy” of an event, but it usually brings to mind only the first of three possibilities. Make sure that any cause evaluations you influence consider all of them:
Outright failure – The defense was penetrated, damaged, neutralized, overwhelmed, or outsmarted by the equipment or human failure mechanism. The barrier was in place, but it proved to be ineffective. Examples: peer review of submittal to regulator, a sun-damaged waste pond liner, illegible hand-made warning signs.
Available, not used – The defense existed, but persons or processes circumvented, ignored, bypassed, removed, disabled, or defeated it. This is often a supervisory issue. Examples: switchyard manipulation without a 40 cal protective suit, waived QC hold point, operable surveillance camera turned off.
Feasible. not provided – A defense was practicable and successful somewhere else, but your organization did not adopt it. This is always a management shortcoming. Examples: electronic vs. paper log taking, positive behavior recognition, predictive maintenance.
Wishing you a great weekend and a safe week!