Anda di halaman 1dari 16

Appendix E

Example Case StudyMore Bang for the Buck: Getting the Most from Accident Investigations
S. E. Anderson and R. W. Skloss
Rohm and Haas Texas Incorporated Deer Park, Texas

Presented at the 25th Annual Loss Prevention Symposium, August 18-22, 1991 Session: Case Histories
Copyright 1992 assigned to AIChE Used by Permission for Educational Purposes

ABSTRACT

An incident investigation system based on a combination of fault tree analysis logic and the Deming principles of systems and quality was developed during a three-year period. The system was given an excellent test in the investigation of the explosion of a tank car filled with methacrylic acid. In this case, the event tree constructed during the investigation was easily converted into a fault tree. The fault tree so constructed was then used to evaluate the effectiveness of proposed corrective changes to the production, loading, and analytical systems before the changes were actually implemented. By making use of these tools to guide the inclusion of feedback loops (AND-gates in fault tree terminology), the intrinsic safety of the methacrylic acid production and shipping system was greatly enhanced at a relatively low cost.

Introduction
Obtaining the best results from supervisors investigations of incidents that occur in the plant environment has been a goal of many safety professionals for many years, and the goal has often been quite elusive. In 1983, Plant Management became convinced of the merits of the accident causa395

396

Guidelines for Investigating Chemical Process Incidents

tion theory of Dan Petersen1 and decided to create a task group to attempt once more to develop an accident investigation technique that would achieve the following improvements: Improve quality of investigations Force the investigator to go beneath the surface to the underlying causes Foster attempts to find as many of the causes as practicable Improve documentation of the investigations Increase utility for training and information sharing Increase uniformity of investigations Improve utility of recommended corrective actions Toward this end, the task group (called the Accident Investigation Committee, or AIC) was put together from a group of carefully chosen individuals to bring together the desired mix of skills and expertise. The chosen individuals contributed a broad range of experiences: 1. 2. 3. 4. Safety professionals A unit manager A day foreman (second line manager) An experienced process engineer skilled in hazard analysis

During about three years of development and testing, the AIC tried and screened a number of different approaches. The one that met most of the performance requirements was based on the marriage of fault tree analysis technology and Demings concepts of quality and systems; we called it the Multiple-Cause, Systems-Oriented Incident Investigation (MCSOII) technique. From fault tree analysis we obtained a semirigorous technique that forces the participants to look more deeply into the layers of accident causation than they otherwise would, and from Deming came the idea that a failure in the plant system can produce a failure in safety, and that all such failures are amenable to the same kinds of systems analysis and correction. As a result of the AICs efforts, we now have a process for investigating accidents in which we construct an event tree for each incident. The tree is quite similar to a fault tree from the quantitative risk analysis discipline, except that in the investigations we often sacrifice some structural rigor to get the most results in a reasonable time. Basically, the process uses a team to reconstruct the chronology of the incident and to construct the event tree. We try to include those who are most familiar with what actually happened, including the injured person(s) if any. We use the same basic method to investigate process failures, spills, injuries, or any other system failures. Emphasizing the system aspects of the failure removes much of

Appendix E

Example Case Study: Getting the Most from Accident Investigations

397

the confrontational aspects of such proceedings, and facilitates achieving comprehensive results. The event trees, which are obtained, contain much information, communicate it in an easily understood form, are very useful in training, and can easily be converted to fault trees if desired. After the investigation process described above had been in use for several years, an incident occurred that afforded a unique opportunity to use the system to its fullest and demonstrate the great potential of the process.

The Incident
Chronology At 4:30 A.M. on July 21, 1988, a plant protection officer making rounds saw and heard vapors emitting from the relief valve on tank car UTLX 647014. This report indicated that the contents of the car, technical methacrylic acid (TMAA) were reacting, and that we had a serious situation. The car was in a marshalling yard awaiting transfer to a terminal. Cars filled with hazardous materials, which were near the reacting car, were removed, and empty cars were moved into position on its south side and west end. Remote fire monitors were placed into position on the north side and directed at the relief valve and the dome in an effort to control vapor emissions during the remainder of the reaction. The east end of the car could not be reached. Fortunately, the car at that end was empty. Personnel were kept away from the car as much as possible from the time vapor emissions were noticed. At about 12:25 A.M. on July 22 (about 20 hours after the problem became known), the car ruptured. Effects The forces released when the tank car skin ruptured were quite impressive. Parts of the car were found 250300 yards (228274 meters) away from the skin. The wheels of the car were driven into the ground about 2 feet (61 cm) while the wheels were still on the rails. The skin of the car was essentially flattened, with the impressions of the two rails clearly seen through the skin. The sound of the explosion was heard about 10 miles away. The overhead 138,000-volt electrical lines were severed, and the arcs resulted in two small grass fires. Plants connected to these electrical lines were shut down. There was no fire from the polymerization. In addition to the car that was destroyed, nearby cars were also damaged. Foam-like polymer covered an area about 200 by 50 yards (182 by 46 meters). Because of the precautions we had taken, there were no injuries.

398

Guidelines for Investigating Chemical Process Incidents

The Investigation
On-the-spot photographs and videotapes were taken as soon as light permitted. Samples of polymer from different areas of the car were also collected. Records of loading and lab results for production and loading were also assembled. File samples were retrieved for testing. A 13-person team was formed to investigate the incident. The team was made up of persons from the AIC as well as from each group involved in producing, loading, analyzing, and shipping TMAA. The Facts and Findings The car had been loaded on July 11, 1988, and the temperature had been in the 90 to 98F range (3033C.) between loading and the explosion. The car was one of six that were being accumulated for combination in a ships deep tank for subsequent export. These cars were stainless steel. This was the first time TMAA was loaded in cars that were not internally coated. File samples from the destroyed car indicated low levels of inhibitor (at the process rundown levels, not shipping levels). Other cars were sampled and found to be normal. Some of the polymer was found to contain about 300 ppm iron. The polymer was dehydrated to a significant degree. There was also almost no odor of MAA in the area covered with the polymer, indicating virtually complete conversion. The Event Tree The team developed the event tree from the facts in hand. It was clear that the car had exploded because of a polymerization. The first layer of significant causation we reached for the polymerization was as follows (see also Figure 1): The MAA in the car had ineffective inhibitor. Either the inhibitor had not been added or it was ineffective. The car had been held at moderately-high temperature for several days. The polymer showed evidence of iron contamination at levels high enough to promote polymerization. (Iron is a known promoter of polymerization.) Each of these causes was followed to an end point by repeatedly asking why something happened. Branches are ended when no more questions

Appendix E

Example Case Study: Getting the Most from Accident Investigations

399

FIGURE 1. Event tree for an MAA tank car explosion.

400

Guidelines for Investigating Chemical Process Incidents

about why something happened can be asked, or when we reach a reason like It is naturally hot in Southeast Texas in the summer. These are called primal events in fault tree terminology. In our system, possible causes are followed even though we may not think they apply to a particular incident. This makes the incident investigation event tree more valuable for future applications, such as in training, because more than one scenario is included in the result. Thus we followed the branch dealing with contamination causing inhibitor deactivation to its conclusion; even though we did not think contamination was a cause in this case, it could have been. The detailed trees are shown as Figures 25.

The Causes Identified


The primary causes of this event were a direct result of systems, which resulted in a low level of TMAA stability. We had enjoyed freedom from accidents for years because a great many people worked very hard to see that everything was in order; however, there were not enough systems with built-in safeguards to ensure that the probability of failure was as low as we really wanted. This analysis pointed out the need for systems studies and subsequent improvements if we were to be satisfied with future performance. Space will not allow detailed discussion of all problems found and their ramifications; however, key deficiencies are listed below without comment: 1. Technical methacrylic acid was not a product we sold outside the company. It had largely been considered analogous to Glacial MAA, but it had important differences. TMAA had a layer of dilute sulfuric acid that separated out upon standing. This dilute acid layer was very corrosive to ferrous materials. No product code had been assigned to this material. No unique specifications for stability and inhibitor content had been established. (Again, handled by analogy.) 2. GMAA was routinely shipped in stainless steel cars; when lined cars became scarce, TMAA was loaded into stainless steel cars without hesitation or review. The corrosion of the stainless steel by the acid layer was thought to have promoted the polymerization, but the cause was the low level of inhibitor; if the inhibitor level had been correct, the presence of the iron would not have mattered.

Appendix E

Example Case Study: Getting the Most from Accident Investigations

401

FIGURE 2. Branch 1 of event tree (inhibitor branch).

402

Guidelines for Investigating Chemical Process Incidents

FIGURE 3. Branch 2 of event tree (inhibitor deactivated branch).

Appendix E

Example Case Study: Getting the Most from Accident Investigations

403

FIGURE 5. Branch 4 of event tree (warm storage branch)

408

FIGURE 7. New Inhibitor System for TMAANo Challenges.

410

Guidelines for Investigating Chemical Process Incidents

Extensive work by the SST and all groups related to the TMAA system resulted in several additional basic systems changes that were implemented in the final version of the tree that was analyzed. These included the following: 1. The method for analyzing for inhibitor in TMAA was improved dramatically. This reduced the probability of error in that area and also increased the likelihood of appropriate action based on analytical results. 2. The inhibitor content of the rundown was increased to a level that was sufficient to ensure that the product could pass stability even if no additional inhibitor were added to the tank. This, in effect, added another And gate to the system. 3. Lab procedures were changed to assure that stability was always run on every sample regardless of inhibitor content. This added still more And gates to the tree. 4. Procedures for releasing shipments were improved, and a feedback loop was added to ensure that the surveyors did not accept tank cars for export without proper documentation. (Another And gate.) The tree for this system was designated Improved Inhibitor SystemNo Challenges (Figure 8). Probability calculated from this fault tree indicated that fewer than 3 out of 10,000,000 cars would fail with this system. Again, these changes were relatively simple and cost very little to implement. I should mention again that we do not claim that these probabilities are accurate, but because the fault trees and the input data are consistent the comparisons remain meaningful and the results are dramatic. The next generation system used an on-line analyzer to monitor the inhibitor concentration in the rundown continuously. This system would virtually have a vanishingly small probability of out of spec inhibitor.

The Results
1. This investigation/systems analysis/fault tree analysis of this incident provided an excellent opportunity to demonstrate the power of the investigation method and the ease with which it may be adapted to a systems analysis for facilitating improvements and corrective actions. 2. The power of systems-oriented thinking was clearly shown by the dramatic improvements, which were obtained by relatively simple and inexpensive changes.

Appendix E

Example Case Study: Getting the Most from Accident Investigations

411

3. A thorough understanding of systems is necessary if basic changes are to be made. This concept is the foundation of the Rohm and Haas Texas system for process safety management: Know what you want to do. But that is another story.2 4. The SST work has been the basis for a complete revision of the monomer handling systems in the plant. In particular, we have looked at all of them to make sure that there were enough feedback loops (And gates in fault tree terminology) to ensure adequate inhibitor levels. The more loops there are, the greater the assurance. Examples of increasing integrity are given below: 1. Sample well-mixed car contents and receive results before releasing. 2. AND load only from tank containing correct material (that has been verified by sample results). 3. AND run down from the process at a safe inhibitor level. Verify by sampling. 4. AND use on-line inhibitor analyzer to verify performance of inhibitor addition systems. 5. Guidelines for monomer systems were developed and are in place (Table 1). 6. Once a polymerization incident is in progress, there are no known effective mitigation procedures. TABLE 1 Monomer Handling Guidelines Recommended by the SST
1. No dry inhibitor should be added to any shipping container unless the container is gas-free 2. No inhibitor adjustment should be made without confirmatory feedback 3. Never assume that stability will pass 4. Analytical techniques must be statistically capable to be reliable 5. All monomers should be run down containing enough inhibitor to pass stability test 6. All monomers should be loaded at the inhibitor shipping specification to ensure a feedback loop 7. A tracking system is needed to account for all loaded containers of monomer

412

FIGURE 8. Improved Inhibitor System for TMAANo Challenges.

414 Acknowledgments

Guidelines for Investigating Chemical Process Incidents

The authors are grateful to the following groups and individuals for their candor, expertise, and dedication to the task of investigating this accident, analyzing the systems, and implementing the appropriate changes: A. M. Dowell; members of the AIC and the SST; plant and unit management; and the terminal personnel and surveyors who work in the shipping system.

References
1. Petersen, D. Techniques of Safety Management, 2nd ed. New York: McGraw-Hill, 1978. 2. Anderson, S. E. Dowell, A. M. III, and Martin, D. K. An Audit System for Process Safety. Paper presented at the Texas Chemical Council Process Safety Seminar, June 4, 1990.