Incident Investigation Logic Tree Methods


Incident Investigation
Logic Tree Methods
Dennis C. Hendershot
Rohm and Haas Company, retired
SACHE Workshop
September 2005
Bristol, PA
1
Purpose of Incident Investigations
• System improvements
• Not choosing scapegoats
• You must set the tone!
2
Logic Tree
• Start with the incident as the top event
• It may be useful to start with a generic top tree
– Damaging agent in a location
– Employee or equipment in location
– Employee or equipment in contact with damaging agent long enough to cause
  • Injury
  • Damage
3
Generic Top Level Logic Tree for Incident Investigations
Injury or Equipment Damage
AND
Injured (or damaged equipment) in contact with causative agent
Causative agent present (fire, pressure, chemical)
AND
AND
A
B
Contact with causative agent long enough to cause injury
OR
C
4
Logic Tree
• Choose one second level event
– Determine causes
– Draw causing events on logic tree
– Keep asking "Why?" and
– Draw causes on tree
• Follow one branch to basic (root) system cause
– Includes
  • Training
  • Management systems
  • Culture
5
"AND" Gate
All events entering this box must be true in
order for this event to be true
AND
Event A
Event B
6
Test the Logic at Each Step
All events entering this box must be true in
order for this event to be true
AND
Event A
Event B
• For each event, ask, “If this event does not happen,
would the event above occur?”
• If no, the event stays as a cause.
• If yes, the event is not a cause.
7
"OR" Gate
If any event entering this box is
true, then this event is true
OR
Event A
Event B
8
When to Stop

At System Level
– Broader areas affected than this incident
– Systems, rather than people
Typical: management systems, design systems,
training systems

When needed expertise is lacking
– May need instrument expert (or vendor expert) to
explain why a control device failed a certain way.
– May need manufacturer when we can't figure out why
cooling tower fan blades are failing.
9
Writing Events

Stick to the Facts

Avoid drawing conclusions

Clearly label conclusions

Indicate direct quotations of witnesses
10
Stick to Facts

Box Says
– “Goggle area” sign too high to see easily

Facts Are
– Sign is high

Conclusions Drawn
– Signs cannot be easily seen
11
Determining Causes
• Generic logic tree
• Top level event
• Second level events
• Keep asking "WHY?"
• "AND" gates
• "OR" gates
• Common mode failures
• System level causes
• Test the logic

12
Test the Logic
• Test the logic against the sequence of events and the facts.
• Does the tree support the facts?
– Does the tree explain all the facts?
• Is the tree supported by the facts; are additional facts or assumptions needed to support the tree?
• The events below each gate must be necessary and sufficient to cause each event.
• If there are gaps, modify the tree or get more facts.

13
Recommendations

Look at each bottom level event.
– Attempt to make a recommendation to prevent that
event from occurring, or
– To mitigate it, if it does occur.

Look at structure of tree.
– Attempt to add "AND" gates to the tree.

Selection basis for recommendations:
– Protection provided
– Frequency of challenge
– Cost of recommendation

Management will address each recommendation
and document what was done.
14
Peroxide Drum Explosion
1998 Loss Prevention Symposium Paper 6c
15
MCSOII Logic Tree (1)
Drum of DTBP explodes
OR
Decomposition of DTBP
Fire inside drum causes pressure
External heat or fire causes pressure in drum due to vapor pressure only
To "C"
OR
DTBP will decompose before boiling - see decomposition branch
Contamination
To "A"
External heat
To "B"
Material old (past shelf life)
Static Discharge
Material was well within manufacturer's storage time recommendations.
Does not directly cause decomposition - can ignite a fire
16
MCSOII Logic Tree (2)
"A"
Contamination of DTBP
OR
DTBP arrives contaminated from supplier
DTBP contaminated in storage area
Water contamination
Dirt, etc., when opening drum
Letter of analysis indicates drum meets specifications
DTBP drum was sealed when brought to building
Water would separate as a layer, does not impact stability
"Normal" contamination with small amounts of dirt has not been a problem
Sabotage - intentional contamination or heating of DTBP drums
From valves and fittings attached to DTBP drum
Foreign material added to drum while in mix room
OR
Material spilled onto/into drum while in upright position
Contamination from steel drum or liner
Supplier confirms that the drum was appropriate for DTBP storage
Cannot be ruled out
Supplier recommends stainless steel fittings, but fittings on drum were bronze
Material poured back into drum (operating error)
Inventory other material handled in area
17
MCSOII Logic Tree (3)
"B"
External Heat
OR
Fire near DTBP drum
Drum exposed to heat somewhere in transit after manufacture
No evidence of bulging or pressure in drum when opened or used
Steam or other external heat source
Electrical heating from conduit, switch gear
No steam or hot oil/water in the area. No space heaters in area.
OR
Fire in drip pan under drum spigot
Weigh up area, scale, absorbent
This area was heavily burned. The front corner of the table was exposed to high heat. Only the underside had soot.
Pallet of bags of combustible solid near the drum
Drums of other combustible liquids in area
Appears to have caught fire after the drum exploded.
These drums are still intact, no evidence that they were involved in the fire
18
MCSOII Logic Tree (4)
"C"
Fire inside drum causes pressure
AND
Fuel - DTBP
Ignition Source
Air - normally present in the drum, which is vented to atmosphere
OR
DTBP will self ignite if heated sufficiently.
Static Discharge
The drum was grounded during material transfers
When the explosion occurred there was no material being transferred - material had not been transferred for several hours.
Other ignition sources in mix room (cutting, welding, etc.)
No ignition sources at the time of the incident could be identified.
Electrical equipment spark
To ignite the DTBP inside the drum, an external flammable vapor cloud would be required. There is no evidence that there was an external cloud before the drum ruptured.
19
Logic Tree Advantages

More structure

Good display of facts

Encourages “Out of the Box” thinking

Displays cause and effect

Shows simultaneous events

Captures common mode failures
20
Logic Tree Disadvantages
• Can get bogged down in discussions about the logic structure
– Requires good facilitator to manage discussions
– If something appears to be important, get it written down somewhere, worry about detailed logic later
• Logic can become complex, if too rigorous
• Can miss deep cultural issues
• Some background items might not fit easily in the tree (impact many branches)

21
Some Incident Investigation
Resources and Articles

Book:
– Center for Chemical Process Safety (CCPS) (2003). Guidelines for
Investigating Chemical Process Incidents. 2nd Edition. American Institute of
Chemical Engineers, New York.

Papers and Articles
– Anderson, S. E., and R. W. Skloss (1992). “More Bang for the Buck: Getting the Most From Accident Investigations.” Plant/Operations Progress 11, 3 (July), 151-156.
– Anderson, S. E., A. M. Dowell, and J. B. Mynaugh (1992). “Flashback From Waste Gas Incinerator into Air Supply Piping.” Plant/Operations Progress 11, 2 (April), 85-88.
– Antrim, R. F., M. T. Bender, M. B. Clark, L. Evers, D. C. Hendershot, J. W. Magee, J. M. McGregor, P. C. Morton, J. G. Nelson, and C. Q. Zeszotarski (1998). “Peroxide Drum Explosion and Fire.” Process Safety Progress 17, 3 (Fall), 225-231.
22
Incident Investigation Exercises

Incident 1 – Emergency relief system
catch tank rupture
– Groups 1, 3, 5

Incident 2 – Sodium hydroxide dilution
tank eruption
– Groups 2, 4
23