3

An Overview of Incident Causation Theories


Every incident has one or more root causes. To understand what these are and how they interact, an investigator must use a systematic approach. As a rule, the benefits of this systematic approach result from implementing sound process safety management principles and applying consistent and accurate investigative effort. To be effective, the investigation must apply an approach that is based on basic incident causation theories and uses tested data analysis techniques. Investigating incidents to determine root causes and make recommendations can be as much an art as a science. Within the industry, best practices in incident investigation have evolved substantially in the last 20 years.

This chapter provides a brief overview of some of the more relevant causation theories. Several theories of incident causation exist and each has associated investigation techniques. Incident investigators use their judgment to make adaptations to selected techniques based on the size and complexity of the investigation effort. Judgment based on knowledge and experience is important in determining how and why an incident occurred.

3.1. Stages of a Process-Related Incident


Investigators can systematically analyze data from past incidents to identify lessons learned and develop incident stereotypes. This makes it possible to develop a model displaying the anatomy of a process-related incident using a conceptual framework. Figure 3-1 provides a tool to help us understand incident causation.

Guidelines for Investigating Chemical Process Incidents

FIGURE 3-1. Event tree for a process-related incident.

In this example, there are two detection systems and two reaction opportunities. These yield three paths that lead to no adverse consequences and four paths that lead to failure with overflow as the consequence. The point is that sometimes there are more opportunities for things to go wrong than to go right. When a system or process fails, it may be difficult to trace the reasons for its failure. Based on available historic incident data, the anatomy of a major incident is rarely simple and rarely results from a single root cause. Serious incidents typically involve a complex sequence of occurrences and conditions. This sequence can include: equipment faults, latent unsafe conditions, environmental circumstances, and most importantly, human errors.

3.1.1. Three Phases of Process-Related Incidents

The progression of any process-related incident could be described as occurring in three different phases: (1)

1. Change from normal operating state into a state of abnormal (or disturbed) operation. An example is the tank level deviation in Figure 3-1.

2. Breakdown of the control of the abnormal operating phase. An example is the distributive control system (DCS) not compensating properly in Figure 3-1. Another example is the operator not detecting the deviation in Figure 3-1.
3. Loss of control of energy accumulations. An example is the operator not responding in Figure 3-1.

The four potential contributors to the incident causes in all three phases are:

1. Equipment
2. Process systems
3. Humans
4. The organization

The second phase may involve a breakdown of a barrier function. A barrier function is a safety feature such as a shutdown valve or containment system, a procedure, or the communication system. When these safety systems fail, the incident then evolves from an undesirable occurrence to a near miss and, if enough barriers fail, the incident could finally progress to a minor or major accident or operational interruption depending upon the consequences or circumstances.

The potential consequence of an incident is a function of the following five factors:

1. Inventory of hazardous material: type and amount
2. Energy factor: energy of chemical reaction or of material state
3. Time factor: the rate of release, its duration, and the warning time
4. Intensity-distance relation: the distance over which the hazard may cause injury or damage
5. Exposure factor: a factor that mitigates the potential effects of an incident

3.1.2. The Importance of Latent Failures

Historic incident data show that latent failures, also called latent conditions, have played an important role in incident causation. The term latent failure implies the condition is dormant or hidden. Normally the latent failure can be revealed before an incident through testing or auditing during typical operations within the process as shown in Figure 3-2. There is always a possibility, however, that a latent failure may remain hidden during testing. There are several reasons a latent failure may not be detected.

FIGURE 3-2. Latent (hidden) failure.

• It was not activated by the test used.
• The test was deficient, gave wrong results, or did not test the system properly.
• The test activity itself activates failure upon the next use of the process.
• The deficiency was communicated poorly.

Latent component failures, human errors, and related unsafe acts and errors are all results of weaknesses in our management systems. This is why the terms root cause and management system weaknesses are used interchangeably. The term latent failure or latent error is still used in some academic settings.

3.2. Theories of Incident Causation


Theoretical incident concepts and associated models have evolved from investigations into the how and why of case histories. Resulting insights have made it possible to better explain and understand incident causation. There are many other incident causation theories besides the ones presented in this chapter, such as the Process Theory. (See the additional references for this chapter.) Key theories on incident causation discussed in this overview are:

1. Domino Theory of Causation
2. System Theory or Multiple-Causation Theory
3. Hazard-Barrier-Target Theory

These theories have encouraged development of techniques that support systematic incident investigation.

3.2.1. Domino Theory of Causation

A classic incident theory is H.W. Heinrich's domino theory of causation, which has had a significant influence on practical incident investigation. (2) Many adaptations of Heinrich's original proposal have been developed by later researchers. Heinrich labeled his five dominoes as follows:

1. ancestry and social environment,
2. fault of person,
3. unsafe act,
4. unsafe condition, and
5. injury.

Heinrich's approach is to identify, evaluate, and work on the middle dominoes, not just the last one or two dominoes in the line. The domino theory has significant limitations. The basic assumption is that there is a linear relationship between causation and progression. In other words, one occurrence follows another and ends in an incident. In the context of process-related incidents, this assumption is not always valid. Often parallel occurrences coincide to result in an incident rather than occurring as purely sequential occurrences. Nevertheless, the domino theory can provide a useful conceptual framework for simple incidents. This theory led to the Updated Domino Theory by Kuhlmann, Seven-Domino Sequence by Marcum, Relabeled Five-Domino Sequence by Bird, Modified Domino by Weaver, and Relabeled Five-Domino Sequence by Adams.

3.2.2. System Theory

Today one of the most widely accepted and adapted incident theories relies on the system theory developed by Recht. (3) According to this theory, an incident is seen as an abnormal effect or result of the technological or management system. System theory analyzes the structure and state of a physical system for its elements and their interdependencies. A physical system is either a technological system or a human factors system. The theory provides: a framework for analyzing system requirements and constraints, detailed descriptions of component processes, and detailed descriptions of operational and task event sequences including environmental conditions.

It allows for the development of models of complex engineering systems and management structures. These models can be analyzed for inter-relationships between individual elements and the overall system function. Theoretically, there could be as many causes of an incident as there are system components. The term multiple-cause theory, (4) coined by Peterson, is often used instead of system theory.

3.2.3. Hazard-Barrier-Target Theory

The Hazard-Barrier-Target (HBT) theory, developed by Skiba, provides an interesting view of the multiple-cause or system theory. In HBT, an investigator starts with the understanding that a process has one or more inherent hazards. The hazard is a property of the process such as toxicity of a chemical, stored energy such as pressure much higher or lower than ambient, electrical hazards, etc. The target can be a person or the environment, and in an abstract sense, some interpret the target to be any loss impact. For example, the target could be product and lower quality could be the impact. The barriers are actually layers of protection and prevent the hazard from having a negative impact on the target.

One important concept that is stressed in HBT is that all barriers have weaknesses, therefore each barrier has a probability of not working when needed. For example, any process aspect that has a probability of not working when needed is a hole in the barrier. The most important concept for any investigator to learn may be the following statement: No layer of protection is perfect. In fact, all layers of protection are fully dependent on management system implementation to ensure a reasonable probability of working when needed. A hazard must get past all barriers to realize a negative impact on the target. This is always theoretically possible. Therefore, incidents occur when all barriers fail to prevent harm and a near miss occurs when one or more barriers fail.

HBT is an excellent teaching tool for incident mechanisms and for describing the probabilistic nature of incidents, even for protected systems. Initially, investigators expanded HBT into an investigative technique. However, after much experimentation it was found to be a poor investigation technique, but an excellent model for describing the occurrence after the investigation is complete. This was because it provides few useful methods or rules for helping the investigator determine a specific sequence of positive and negative occurrences that led to an incident. Other techniques, such as logic tree analysis and causal factor charting, are superior incident analysis tools and are discussed in detail in Chapter 9.

FIGURE 3-3. Hazard-Barrier-Target concept.
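
The probabilistic point of the HBT model can be worked through numerically. The following Python sketch is an added example, not part of the original chapter: it enumerates every pass/fail combination of three barriers and classifies each with the chapter's definitions of incident and near miss. The barrier names are borrowed from the Figure 3-1 discussion; the failure probabilities, the independence assumption, and the shared management-system weakness model (`with_shared_weakness`, hypothetical) are assumptions made for illustration.

```python
from itertools import product
from math import prod

# Constructed probabilities of failure on demand; illustrative, not from the chapter.
BARRIERS = {"DCS compensates": 0.10, "operator detects": 0.20, "operator responds": 0.10}

def classify(failed):
    """Apply the chapter's definitions to one combination of barrier states."""
    if all(failed):
        return "incident"      # the hazard got past every barrier
    if any(failed):
        return "near miss"     # one or more barriers failed, at least one held
    return "contained"         # every barrier worked when needed

def outcome_probabilities(pfd):
    """Enumerate every pass/fail combination, assuming barriers fail independently."""
    totals = {"incident": 0.0, "near miss": 0.0, "contained": 0.0}
    for failed in product((False, True), repeat=len(pfd)):
        p = prod(q if f else 1.0 - q for f, q in zip(failed, pfd))
        totals[classify(failed)] += p
    return totals

def with_shared_weakness(pfd, p_weak, degraded_pfd):
    """Mix two states: management system healthy, or weak (every barrier degraded).

    Hypothetical model of the chapter's remark that all layers of protection
    depend on management system implementation.
    """
    healthy = outcome_probabilities(pfd)
    weak = outcome_probabilities([degraded_pfd] * len(pfd))
    return {k: (1 - p_weak) * healthy[k] + p_weak * weak[k] for k in healthy}

if __name__ == "__main__":
    pfd = list(BARRIERS.values())
    print("independent barriers:  ", outcome_probabilities(pfd))
    print("shared weakness (5 %): ", with_shared_weakness(pfd, 0.05, 0.5))
```

With these constructed numbers, near misses are far more frequent than incidents, and a management-system weakness present only 5% of the time raises the incident probability roughly fourfold, because it degrades every barrier at once.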

3.3. Investigation's Place in Controlling Risk


System theory can be applied to incident investigation, reliability problems, quality problems, and other business losses. One of several reasons why system theory has received broad recognition relative to incident investigation is that it builds directly on current, verified process safety principles. In process safety, as in all other systems used to control risk to a business, there are three basic keys to controlling the risk (see Figure 3-4):

1. Understanding Risk: To predict incidents, it is important to understand the risk associated with the process or system. In process safety, this is accomplished by identifying the potential incident or loss scenarios, then predicting the magnitude and likelihood of the occurrence. This is often what is done during a process hazard analysis or during management of change hazard reviews. The result is an understanding of the specific barriers, also called layers of protection, necessary to control the risk to a tolerable level.

FIGURE 3-4. Universal concept for controlling risk (Kletz).

2. Management Systems: To manage risk, appropriate management systems must be in place to ensure the barriers against incidents remain intact. These preventive, error detection, and mitigation management systems make up the bulk of process safety efforts and include written operating and maintenance procedures, effective training, control of up-to-date process safety information, management of change protocols, performance measurement, auditing, and others.
3. Analyze Weaknesses: To learn from incidents, the final step is to recognize that the incident prediction and management systems are not perfect. Implementing practices to learn from mistakes and allowing continuous improvement to the systems to prevent incidents is essential. These practices are incident reporting and investigation processes.

This book focuses on learning lessons from incidents to lower the risk of future major incidents. It is important to use a structured approach to incident investigation that builds on proven and recognized techniques; this makes it easier to develop consistent understanding from incidents and to communicate insights and results from investigations effectively.

3.4. Relationship between Near Misses and Incidents


From the domino theory onward, it has become apparent that there are always less severe precursors to an incident. These can be called near hits, near misses, or close calls. For every incident labeled a near miss, more subtle precursors exist that, if uncovered and resolved earlier, would have prevented the near miss and therefore a subsequent incident. Uncovering and analyzing the precursors to incidents is more cost effective than only investigating losses. Chapter 5 discusses the definition of a near miss and how to get these precursors reported and investigated.

Endnotes
1. US Department of Energy, Accident/Incident Investigation Manual, Second Edition. Idaho Falls, ID: System Safety Development Center, Idaho National Engineering Laboratory, 1985. (DOE/SSDC 76-45/27)
2. Heinrich, H.W. Industrial Accident Prevention. New York: McGraw-Hill, 1936.
3. Recht, I.L. System Safety Analysis - A Modern Approach to Safety Problems, National Safety News, December, February, April, June, 1965-66.
4. Peterson, D. Human-Error Reduction and Safety Management. Goshen, NY: Aloray Inc. Professional & Academic Publisher, 1984.

Additional References
29 CFR 1904, Recording and Reporting Occupational Injuries and Illnesses. Effective January 1, 2002; The US OSHA website for recordkeeping revisions is http://www.osha.gov/recordkeeping/index.html.
American Society of Safety Engineers. Dictionary of Terms Used in the Safety Profession, 3rd ed. Des Plaines, IA: American Society of Safety Engineers, 1988.
Bridges, W. G. Get Near Misses Reported. International Conference and Workshop on Process Industry Incidents, Center for Chemical Process Safety (CCPS)/AIChE, Orlando, FL, October 2000.
Center for Chemical Process Safety. Guidelines for Hazard Evaluation Procedures, Second Edition with Worked Examples. New York: American Institute of Chemical Engineers, 1992.
Center for Chemical Process Safety. Guidelines for Technical Management of Chemical Process Safety. New York: American Institute of Chemical Engineers, 1989.
Greenwood, M., and Woods, H. M. The Incidence of Industrial Accidents with Special Reference to Multiple Accidents, Ind. Fatigue Res. Board, Report 4, HMSO, London, England, 1919.
Kepner, C. H., and Tregoe, B. B. The Rational Manager. 2nd ed. Princeton, NJ: Kepner-Tregoe, Inc., 1976.
Petersen, D. Techniques of Safety Management, 2nd ed. New York: McGraw-Hill, 1978.
