A novel investigation approach linking to risk assessment
A novel incident investigation approach provides information on both management system and risk barrier failures
ROBIN PITBLADO and MARK FISHER
Det Norske Veritas
Accident investigation has been thought of as a well-developed process. It is mandated in offshore safety management system standards, including API RP 75 (2004)1 and the new US BOEMRE SEMS (2010) regulation.2 It is an integral element of the onshore OSHA 1910 Process Safety Management regulation and the international safety standard OHSAS 18001. It underpins the lessons learned aspect of safety management so that management and staff can understand the causation of prior incidents and act to prevent their recurrence.
Today, most incident investigation methods drive towards what is termed root causes, although the meaning of this varies according to the context. In many mechanical failure incidents, the root cause is a technical fault (wrong material, excessive vibration, and so on). However, most investigators regard root cause as the underlying safety management system deficiency that allowed the incident to occur. The specific cause is usually termed the direct or immediate cause. A root cause is a fundamental, underlying, system-related reason why an incident occurred that identifies correctable failures in the management systems. There is typically more than one root cause for every process safety incident.
A problem with the emphasis on systems failure is that it tends to focus too much on the safety management system and not enough on the risk controls that have degraded or failed and allowed the incident to occur. This article describes an investigation approach that combines a management system root cause technique with barrier-based risk assessment, the bow tie method, allowing identification of deficiencies in both, as well as direct improvement actions to the management system and to the risk assessment.
The reason for the focus on management system root causes was a belief in the early 1990s that process safety could be improved by a factor of five or better by enhancement to safety management systems (EPA justification to Congress supporting the Risk Management Plan regulations). In fact, this degree of improvement did not occur6 and improvements for major accidents were much more incremental. This is believed to be due to a lack of focus on barriers (also termed safeguards or controls) designed to interrupt an accident sequence before the final consequence occurs. This focus on barriers is often driven by risk assessments and it forms a key part of the North Sea safety regimes in the UK and Norway. It is also a key part of nuclear safety based on the IAEA Defence in Depth concept.
Broadribb3 identifies three main incident investigation approaches:
• Domino Theory of Causation
• System Theory or Multiple-Causation Theory
• Hazard-Barrier-Target Theory
A good example of the first is the Loss Causation Model developed by Bird et al.4 The system approach might use detailed models to describe the operation and failure of a system. The hazard barrier approach is based on ideas of the so-called Swiss cheese model. The BSCAT approach described here includes elements of all three methods.
SCAT and BSCAT were created with the intent of driving to root causes using less expert investigators, such as process supervisors, who do the first level of incident investigation for all incidents. More serious incidents, such as fatality events, would use more experienced investigators, and they might use more complex techniques, but that is not necessary. It is unlikely that a single technique would meet the needs of every incident.
What is a root cause and how does it differ from an immediate cause?
One of the earliest safety management systems, the International Safety Rating System (ISRS), was developed by Frank Bird, a safety and accident investigation specialist. He was an early developer of systematic approaches to safety management based on detailed analyses of industrial accidents. His research and that of Heinrich in the 1930s showed that 90% of accidents were attributed to employee fault, about 9% to an Act of God, and only about 1% to employer fault. This clearly did not help identify how to prevent such accidents in the future, as the general solution tended to be “be more careful”.
The development of underlying causes is often termed root cause investigation; however, this term is used in many different ways, and DNV has found that it can be confusing. In the mechanical integrity world, root cause investigation often means identifying some scientific or technical mechanism for failure not adequately addressed in operational procedures. This might be due to incorrect material of construction, metal fatigue or chemical attack. These studies rarely address management system deficiencies.
One model for root cause analysis is the well-established Loss Causation Model (Bird et al., 2003). This shows a progression like a set of dominos falling over, each leading to the next domino to fall (see Figure 1).
In explaining how an accident occurs, the progression starts on the left side with some systematic lack of control (defined here as due to inadequate system, standards or compliance). This leads to a basic cause (due to problems with personal or job factors), which leads to the immediate cause (due to substandard acts or conditions), which in turn progresses to the incident and on to the ultimate loss to people, property or the environment. When carrying out a specific incident investigation, the figure is applied in the reverse order, starting with the loss and analysing each block in turn until it tracks back to the root cause, the lack of control. This model is called the systematic cause analysis technique (SCAT).
This approach works well for incidents and accidents, and it provides a very clear linkage between every accident event and the underlying management system deficiencies. The SCAT tool is populated with the full structure of ISRS to make it easy to link to specific elements and sub-elements in the management system. But there is no need to be operating the ISRS system to analyse accidents using this approach. A standardised SCAT recording sheet was used for tracking the accident progression from the loss down to the lack of control, and this was efficient to complete and well handled by both safety staff and supervisors.