In this example, there are two detection systems and two reaction opportunities. These yield three paths that lead to no adverse consequences and four paths that lead to failure with overflow as the consequence. The point is that sometimes there are more opportunities for things to go wrong than to go right. When a system or process fails, it may be difficult to trace the reasons for its failure. Based on available historic incident data, the anatomy of a major incident is rarely simple and rarely results from a single root cause. Serious incidents typically involve a complex sequence of occurrences and conditions. This sequence can include: equipment faults, latent unsafe conditions, environmental circumstances, and most importantly, human errors.
3.1.1. Three Phases of Process-Related Incidents

The progression of any process-related incident could be described as occurring in three different phases: (1)

1. Change from the normal operating state into a state of abnormal (or disturbed) operation. An example is the tank level deviation in Figure 3-1.
2. Breakdown of the control of the abnormal operating phase. An example is the distributed control system (DCS) not compensating properly in Figure 3-1. Another example is the operator not detecting the deviation in Figure 3-1.
3. Loss of control of energy accumulations. An example is the operator not responding in Figure 3-1.

The four potential contributors to the incident causes in all three phases are:

1. Equipment
2. Process systems
3. Humans
4. The organization
The second phase may involve a breakdown of a barrier function. A barrier function is a safety feature such as a shutdown valve or containment system, a procedure, or the communication system. When these safety systems fail, the incident evolves from an undesirable occurrence to a near miss and, if enough barriers fail, it could finally progress to a minor or major accident or operational interruption, depending upon the consequences or circumstances. The potential consequence of an incident is a function of the following five factors:

1. Inventory of hazardous material: type and amount
2. Energy factor: energy of chemical reaction or of material state
3. Time factor: the rate of release, its duration, and the warning time
4. Intensity-distance relation: the distance over which the hazard may cause injury or damage
5. Exposure factor: a factor that mitigates the potential effects of an incident
3.1.2. The Importance of Latent Failures

Historic incident data show that latent failures, also called latent conditions, have played an important role in incident causation. The term latent failure implies that the condition is dormant or hidden. Normally the latent failure can be revealed before an incident through testing or auditing during typical operations within the process, as shown in Figure 3-2. There is always a possibility, however, that a latent failure may remain hidden during testing. There are several reasons a latent failure may not be detected:

- It was not activated by the test used.
- The test was deficient, gave wrong results, or did not test the system properly.
- The test activity itself activates the failure upon the next use of the process.
- The deficiency was communicated poorly.

Latent component failures, human errors, and related unsafe acts and errors are all results of weaknesses in our management systems. This is why the terms root cause and management system weaknesses are used interchangeably. The term latent failure or latent error is still used in some academic settings.
These theories have encouraged development of techniques that support systematic incident investigation.

3.2.1. Domino Theory of Causation

A classic incident theory is H.W. Heinrich's domino theory of causation, which has had a significant influence on practical incident investigation. (2) Many adaptations of Heinrich's original proposal have been developed by later researchers. Heinrich labeled his five dominoes as follows:

1. ancestry and social environment,
2. fault of person,
3. unsafe act,
4. unsafe condition, and
5. injury.

Heinrich's approach is to identify, evaluate, and work on the middle dominoes, not just the last one or two dominoes in the line. The domino theory has significant limitations. Its basic assumption is that there is a linear relationship between causation and progression; in other words, one occurrence follows another and ends in an incident. In the context of process-related incidents, this assumption is not always valid. Often parallel occurrences coincide to result in an incident rather than occurring as purely sequential occurrences. Nevertheless, the domino theory can provide a useful conceptual framework for simple incidents. This theory led to the Updated Domino Theory by Kuhlmann, the Seven-Domino Sequence by Marcum, the Relabeled Five-Domino Sequence by Bird, the Modified Domino by Weaver, and the Relabeled Five-Domino Sequence by Adams.

3.2.2. System Theory

Today one of the most widely accepted and adapted incident theories relies on the system theory developed by Recht. (3) According to this theory, an incident is seen as an abnormal effect or result of the technological or management system. System theory analyzes the structure and state of a physical system for its elements and their interdependencies. A physical system is either a technological system or a human factors system. The theory provides:

- a framework for analyzing system requirements and constraints,
- detailed descriptions of component processes, and
- detailed descriptions of operational and task event sequences, including environmental conditions.
It allows for the development of models of complex engineering systems and management structures. These models can be analyzed for inter-relationships between individual elements and the overall system function. Theoretically, there could be as many causes of an incident as there are system components. The term multiple-cause theory, (4) coined by Peterson, is often used instead of system theory.

3.2.3. Hazard-Barrier-Target Theory

The Hazard-Barrier-Target (HBT) theory, developed by Skiba, provides an interesting view of the multiple-cause or system theory. In HBT, an investigator starts with the understanding that a process has one or more inherent hazards. The hazard is a property of the process, such as toxicity of a chemical, stored energy such as pressure much higher or lower than ambient, electrical hazards, etc. The target can be a person or the environment, and in an abstract sense some interpret the target to be any loss impact; for example, the target could be product and lower quality could be the impact. The barriers are layers of protection that prevent the hazard from having a negative impact on the target. One important concept stressed in HBT is that all barriers have weaknesses; therefore each barrier has a probability of not working when needed. Any process aspect that has a probability of not working when needed is a hole in the barrier. The most important concept for any investigator to learn may be the following statement: No layer of protection is perfect. In fact, all layers of protection are fully dependent on management system implementation to ensure a reasonable probability of working when needed. A hazard must get past all barriers to realize a negative impact on the target, and this is always theoretically possible. Therefore, incidents occur when all barriers fail to prevent harm, and a near miss occurs when one or more barriers fail but the hazard is still stopped short of the target.

HBT is an excellent teaching tool for incident mechanisms and for describing the probabilistic nature of incidents, even for protected systems. Initially, investigators expanded HBT into an investigative technique. After much experimentation, however, it was found to be a poor investigation technique but an excellent model for describing the occurrence after the investigation is complete, because it provides few useful methods or rules for helping the investigator determine the specific sequence of positive and negative occurrences that led to an incident. Other techniques, such as logic tree analysis and causal factor charting, are superior incident analysis tools and are discussed in detail in Chapter 9.
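The Figure 3-1 discussion (several detection and reaction opportunities, more paths that end badly than well) and the HBT statement that every barrier has its own probability of not working when needed can both be made concrete with a small model. The Python below is an added worked example written for this summary; it is not code from the CCPS guidelines or from any of the cited authors. The barrier names and failure probabilities are constructed placeholders, and the barriers are assumed to fail independently, which is a simplification: the text itself stresses that all layers of protection depend on the same management systems, so real failures share common causes and the true incident probability is higher than the product computed here. The example generalizes the page's two-detector, two-reaction picture to any number of barriers in series.

```python
"""Barrier-failure model for the HBT view of incidents (added example).

Each barrier is assumed to fail on demand independently with its own
probability. Names and numbers below are constructed placeholders, not
values from Figure 3-1 or the guidelines.
"""
from itertools import product
from typing import Dict, List, Optional, Tuple

Barrier = Tuple[str, float]  # (name, probability of failing when needed)

# Constructed example: three layers of protection between a hazard
# (tank overfill) and its target. Hypothetical names and probabilities.
BARRIERS: List[Barrier] = [
    ("DCS level control", 0.10),
    ("operator detection and response", 0.05),
    ("high-level shutdown interlock", 0.20),
]


def classify(outcomes: Tuple[bool, ...]) -> str:
    """Label one combination of barrier outcomes (True = that barrier failed).

    HBT rule from the text: all barriers hold -> normal operation; some fail
    but at least one holds -> near miss; every barrier fails -> incident.
    """
    failed = sum(outcomes)
    if failed == 0:
        return "normal"
    if failed == len(outcomes):
        return "incident"
    return "near miss"


def enumerate_outcomes(barriers: List[Barrier]) -> List[Tuple[Tuple[bool, ...], str, float]]:
    """All 2**n combinations of independent barrier outcomes, each with its
    label and joint probability: the 'more ways to go wrong than to go
    right' picture from the Figure 3-1 discussion."""
    rows = []
    for outcomes in product([False, True], repeat=len(barriers)):
        p = 1.0
        for (_, p_fail), failed in zip(barriers, outcomes):
            p *= p_fail if failed else 1.0 - p_fail
        rows.append((outcomes, classify(outcomes), p))
    return rows


def outcome_probabilities(barriers: List[Barrier]) -> Dict[str, float]:
    """Total probability mass of normal operation, near misses and incidents."""
    totals = {"normal": 0.0, "near miss": 0.0, "incident": 0.0}
    for _, label, p in enumerate_outcomes(barriers):
        totals[label] += p
    return totals


def incident_probability(barriers: List[Barrier]) -> float:
    """A hazard must get past *all* barriers; under the independence
    assumption this is the product of the individual failure probabilities."""
    p = 1.0
    for _, p_fail in barriers:
        p *= p_fail
    return p


def sequential_event_tree(barriers: List[Barrier]) -> List[Tuple[str, Optional[str], float]]:
    """Event-tree view: the deviation challenges the barriers in order and
    the sequence ends at the first barrier that holds. Returns one row per
    path: (label, barrier that stopped it or None, probability)."""
    paths = []
    p_reach = 1.0  # probability that the deviation reaches the current barrier
    for i, (name, p_fail) in enumerate(barriers):
        paths.append(("normal" if i == 0 else "near miss", name, p_reach * (1.0 - p_fail)))
        p_reach *= p_fail
    paths.append(("incident", None, p_reach))  # got past every barrier
    return paths


if __name__ == "__main__":
    for outcomes, label, p in enumerate_outcomes(BARRIERS):
        print("".join("F" if f else "." for f in outcomes), f"{label:<9} p={p:.4f}")
    print(outcome_probabilities(BARRIERS))
    print("incident probability:", incident_probability(BARRIERS))
    for label, stopped_by, p in sequential_event_tree(BARRIERS):
        print(f"{label:<9} stopped by {stopped_by!s:<32} p={p:.4f}")
```

Two things are worth noticing when running it. First, with the constructed numbers the incident path has probability 0.001 while the near-miss mass is 0.315, so near misses are expected to be hundreds of times more frequent than incidents; this is the quantitative basis for the later remark that investigating precursors is more cost effective than investigating losses. Second, `sequential_event_tree` and `enumerate_outcomes` give the same incident probability but a different count of paths, which is why the number of branches in a figure like 3-1 depends on how the detection and reaction steps are ordered, not just on how many barriers exist.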
2. Management Systems: To manage risk, appropriate management systems must be in place to ensure the barriers against incidents remain intact. These preventive, error detection, and mitigation management systems make up the bulk of process safety efforts and include written operating and maintenance procedures, effective training, control of up-to-date process safety information, management of change protocols, performance measurement, auditing, and others.

3. Analyze Weaknesses: To learn from incidents, the final step is to recognize that the incident prediction and management systems are not perfect. Implementing practices to learn from mistakes and allowing continuous improvement of the systems to prevent incidents is essential. These practices are incident reporting and investigation processes.

This book focuses on learning lessons from incidents to lower the risk of future major incidents. It is important to use a structured approach to incident investigation that builds on proven and recognized techniques; this makes it easier to develop a consistent understanding from incidents and to communicate insights and results from investigations effectively.
subtle precursors exist that, if uncovered and resolved earlier, would have prevented the near miss and therefore a subsequent incident. Uncovering and analyzing the precursors to incidents is more cost effective than only investigating losses. Chapter 5 discusses the definition of a near miss and how to get these precursors reported and investigated.
Endnotes
1. US Department of Energy. Accident/Incident Investigation Manual, Second Edition. Idaho Falls, ID: System Safety Development Center, Idaho National Engineering Laboratory, 1985. (DOE/SSDC 76-45/27)
2. Heinrich, H.W. Industrial Accident Prevention. New York: McGraw-Hill, 1936.
3. Recht, I.L. System Safety Analysis - A Modern Approach to Safety Problems. National Safety News, December, February, April, June, 1965-66.
4. Peterson, D. Human-Error Reduction and Safety Management. Goshen, NY: Aloray Inc. Professional & Academic Publisher, 1984.