11

Incident Investigation Incident Investigation Logic Tree MethodsLogic Tree Methods

Dennis C. HendershotDennis C. HendershotRohm and Haas Company, retiredRohm and Haas Company, retired

SACHE WorkshopSACHE WorkshopSeptember 2005September 2005

Bristol, PABristol, PA

22

Purpose of Incident Purpose of Incident InvestigationsInvestigations

System improvementsSystem improvements Not choosing scapegoatsNot choosing scapegoats

You must set the tone!You must set the tone!

33

Logic TreeLogic Tree

Start with the incident as the top eventStart with the incident as the top event It may be useful to start with a generic It may be useful to start with a generic

top treetop tree– Damaging agent in a locationDamaging agent in a location– Employee or equipment in locationEmployee or equipment in location– Employee or equipment in contact with Employee or equipment in contact with

damaging agent long enough to causedamaging agent long enough to cause InjuryInjury DamageDamage

44

Generic Top Level Logic TreeGeneric Top Level Logic Treefor Incident Investigationsfor Incident Investigations

Injured (or damaged Injured (or damaged equipment) inequipment) in

contact withcontact withCausative agentCausative agent

AND

A

Injury or Equipment Damage

AND

Causative agentPresent (fire,

pressure,chemical)

AND

B

OR

Contact with causative agent

long enoughto cause injury

C

55

Logic TreeLogic Tree

Choose one second level eventChoose one second level event– Determine causesDetermine causes– Draw causing events on logic treeDraw causing events on logic tree– Keep asking "Why?" andKeep asking "Why?" and– Draw causes on treeDraw causes on tree

Follow one branch to basic (root) system causeFollow one branch to basic (root) system cause– IncludesIncludes

TrainingTraining Management systemsManagement systems CultureCulture

Repeat for the other eventsRepeat for the other events

66

"AND" Gate"AND" GateAll events entering this box must be All events entering this box must be true in order for this event to be truetrue in order for this event to be true

Event A Event B

AND

77

Test the Logic at Each StepTest the Logic at Each StepAll events entering this box must be All events entering this box must be true in order for this event to be truetrue in order for this event to be true

Event A Event B

AND

• For each event, ask, “If this event does not happen, would the event above occur?”

• If no, the event stays as a cause. • If yes, the event is not a cause.

88

"OR" Gate"OR" GateIf any event entering this box is If any event entering this box is

true, then this event is truetrue, then this event is true

Event A Event B

OR

99

When to StopWhen to Stop

At System LevelAt System Level– Broader areas affected than this incidentBroader areas affected than this incident– Systems, rather than peopleSystems, rather than people

Typical: management systems, design systems, Typical: management systems, design systems, training systemstraining systems

When needed expertise is lackingWhen needed expertise is lacking– May need instrument expert (or vendor expert) to May need instrument expert (or vendor expert) to

explain why a control device failed a certain way.explain why a control device failed a certain way.– May need manufacturer when we can't figure out May need manufacturer when we can't figure out

why cooling tower fan blades are failing. why cooling tower fan blades are failing.

1010

Writing EventsWriting Events

Stick to the FactsStick to the Facts

Avoid drawing conclusionsAvoid drawing conclusions

Clearly label conclusionsClearly label conclusions

Indicate direct quotations of Indicate direct quotations of witnesseswitnesses

1111

Stick to FactsStick to Facts

Box SaysBox Says– ““Goggle area" sign too high to see easilyGoggle area" sign too high to see easily

Facts AreFacts Are– Sign is highSign is high

Conclusions DrawnConclusions Drawn– Signs cannot be easily seenSigns cannot be easily seen

1212

Determining CausesDetermining Causes

Generic logic treeGeneric logic tree Top level eventTop level event Second level eventsSecond level events Keep askingKeep asking "WHY?""WHY?" "AND" gates"AND" gates "OR" gates"OR" gates Common mode failuresCommon mode failures System level causesSystem level causes Test the logicTest the logic

1313

Test the LogicTest the Logic Test the logic against the sequence of Test the logic against the sequence of

events and the facts. events and the facts. Does the tree support the facts? Does the tree support the facts?

– does the tree explain all the facts? does the tree explain all the facts? Is the tree supported by the facts; Is the tree supported by the facts; are additional facts or assumptions needed are additional facts or assumptions needed

to support the tree?to support the tree? The events below each gate must be The events below each gate must be

necessary and sufficient to cause each necessary and sufficient to cause each eventevent

If there are gaps, modify the tree or get If there are gaps, modify the tree or get more facts.more facts.

1414

RecommendationsRecommendations Look at each bottom level event.Look at each bottom level event.

– Attempt to make a recommendation to prevent that Attempt to make a recommendation to prevent that event from occurring, or event from occurring, or

– To mitigate it, if it does occur.To mitigate it, if it does occur. Look at structure of tree.Look at structure of tree.

– Attempt to add "AND" gates to the tree.Attempt to add "AND" gates to the tree. Selection basis for recommendations:Selection basis for recommendations:

– Protection providedProtection provided– Frequency of challenge, Frequency of challenge, – Cost of recommendation.Cost of recommendation.

Management will address each recommendation Management will address each recommendation and document what was done.and document what was done.

1515

Peroxide Drum ExplosionPeroxide Drum Explosion1998 Loss Prevention Symposium Paper 6c1998 Loss Prevention Symposium Paper 6c

16

MCSOII Logic Tree (1)Drum of DTBP

explodes

Decomposition ofDTBP

External heat orfire causes

pressure in drumdue to vaporpressure only

OR

OR

Fire inside drumcauses pressure

To "C"

Contamination External heatMaterial old (past

shelf life)Static Discharge

To "A" To "B"Does not directly

causedecomposition -can ignite a fire

DTBP willdecompose

before boiling -see decompostion

branch

Material was wellwithin

manufacturer'sstorage time

recommendations.

17

MCSOII Logic Tree (2)

From valves andfittings attached to

DTBP drum

Contamination ofDTBP

DTBP arrivescontaminated from

supplier

"A"

OR

DTBPcontaminated in

storage area

Watercontamination

Dirt, etc., whenopening drum

Water wouldseparate as a

layer, does notimpact stability

Letter of analysisindicates drum

meetsspecifications

DTBP drum wassealed when

brought to building

"Normal"contamination withsmall amounts of

dirt has not been aproblem

Contaminationfrom steel drum or

liner

Supplier confirmsthat the drum was

appropriate forDTBP storage

Sabatoge -intentional

contamination orheating of DTBP

drums

Cannot be ruledout

Supplierrecommends

stainless steelfittings, but fittings

on drum werebronze

OR

Foreign materialadded to drum

while in mix room

Material spilledonto/into drumwhile in upright

position

Material pouredback into drum

(operating error)

Inventory othermaterial handled

in area

18

MCSOII Logic Tree (3)"B"

OR

External Heat

Fire near DTBPdrum

Steam or otherexternal heat

source

Drum exposed toheat somewhere

in transit aftermanufacture

Electrical heatingfrom conduit,switch gear

No steam or hotoil/water in the

area. No spaceheaters in area.

No evidence ofbulging or

pressure in drumwhen opened or

used

OR

Fire in drip panunder drum spigot

Appears to havecaught fire after

the drumexploded.

Weigh up area,scale, absorbant

Pallet of bags ofcombustible solid

near the drum

Drums of othercombustible

liquids in area

This area washeavily burned.

The front corner ofthe table was

exposed to highheat. Only theunderside had

soot.

These drums arestill intact, no

evidence that theywere involved in

the fire

19

MCSOII Logic Tree (4)

AND

"C"

OR

Fire inside drumcauses pressure

Fuel - DTBPAir - normallypresent in thedrum, which is

vented toatmosphere

Ignition Source

Static DischargeDTBP will selfignite if heated

sufficiently.

Electricalequipment spark

Other ignitionsources in mixroom (cutting,welding, etc.)

The drum wasgrounded duringmaterial transfers

When theexplosion

occurred therewas no material

being transferred -material had notbeen transferredfor several hours.

No ignitionsources at the

time of theincident could be

identified.

To ignite the DTBPinside the drum, an

external flammable vaporcloud would be required.There is no evidence that

there was an externalcloud before the drum

ruptured.

2020

Logic Tree AdvantagesLogic Tree Advantages More structureMore structure

Good display of factsGood display of facts

Encourages “Out of the Box” thinkingEncourages “Out of the Box” thinking

Displays cause and effectDisplays cause and effect

Shows simultaneous eventsShows simultaneous events

Captures common mode failuresCaptures common mode failures

Shows "AND" - "OR" relationshipsShows "AND" - "OR" relationships

If keep asking "Why?", can lead to deep system problemsIf keep asking "Why?", can lead to deep system problems

2121

Logic Tree DisadvantagesLogic Tree Disadvantages

Can get bogged down in discussions about Can get bogged down in discussions about the logic structurethe logic structure– Requires good facilitator to manage discussionsRequires good facilitator to manage discussions– If something appears to be important, get it If something appears to be important, get it

written down somewhere, worry about detailed written down somewhere, worry about detailed logic laterlogic later

Logic can become complex, if too rigorousLogic can become complex, if too rigorous Can miss deep cultural issuesCan miss deep cultural issues Some background items might not fit Some background items might not fit

easily in the tree (impact many branches)easily in the tree (impact many branches)

2222

Some Incident InvestigationSome Incident InvestigationResources and ArticlesResources and Articles

Book:Book:– Center for Chemical Process Safety (CCPS) (2003). Center for Chemical Process Safety (CCPS) (2003). Guidelines for Guidelines for

Investigating Chemical Process IncidentsInvestigating Chemical Process Incidents. 2. 2ndnd Edition. American Edition. American Institute of Chemical Engineers, New York.Institute of Chemical Engineers, New York.

Papers and ArticlesPapers and Articles– Anderson, S. E., and R. W. Skloss (1992). “More Bang for the Buck: Anderson, S. E., and R. W. Skloss (1992). “More Bang for the Buck:

Getting the Most From Accident Investigations.” Getting the Most From Accident Investigations.” Plant/ Operations Plant/ Operations ProgressProgress 11, 3 (July), 151-156. 11, 3 (July), 151-156.

– Anderson, S. E., A. M. Dowell, and J. B. Mynaugh (1992). Anderson, S. E., A. M. Dowell, and J. B. Mynaugh (1992). “Flashback From Waste Gas Incinerator into Air Supply Piping.” “Flashback From Waste Gas Incinerator into Air Supply Piping.” Plant/Operations ProgressPlant/Operations Progress 1111, 2 (April), 85-88., 2 (April), 85-88.

– Antrim, R. F., M. T. Bender, M. B. Clark, L. Evers, D. C. Hendershot, Antrim, R. F., M. T. Bender, M. B. Clark, L. Evers, D. C. Hendershot, J. W. Magee, J. M. McGregor, P. C. Morton, J. G. Nelson, and C. Q. J. W. Magee, J. M. McGregor, P. C. Morton, J. G. Nelson, and C. Q. Zeszotarski (1998). “Peroxide Drum Explosion and Fire.” Zeszotarski (1998). “Peroxide Drum Explosion and Fire.” Process Process Safety ProgressSafety Progress 17, 17, 3 (Fall)), 225-231.3 (Fall)), 225-231.

2323

Incident Investigation Incident Investigation ExercisesExercises

Incident 1 – Emergency relief system Incident 1 – Emergency relief system catch tank rupturecatch tank rupture– Groups 1, 3, 5Groups 1, 3, 5

Incident 2 – Sodium hydroxide Incident 2 – Sodium hydroxide dilution tank eruptiondilution tank eruption– Groups 2, 4Groups 2, 4