
Incident Investigation Based on Causality Networks


IChemE SYMPOSIUM SERIES NO. 153 © 2007 IChemE

Yukiyasu Shimada¹, Rafael Batres², Tetsuo Fuchino³ and Toshinori Kawabata¹

¹ Chemical Safety Research Group, National Institute of Occupational Safety and Health, 1-4-6, Umezono, Kiyose, Tokyo 204-0024, Japan; Tel.: +81-42-494-6230, Fax: +81-42-491-7846, e-mail: [email protected]

² Department of Production Systems Engineering, Toyohashi University of Technology, 1-1, Hibarigaoka, Tempakucho, Toyohashi, Aichi 441-8580, Japan; Tel.: +81-532-44-6716, Fax: +81-543-44-6690, e-mail: [email protected]

³ Department of Chemical Engineering, Tokyo Institute of Technology, 2-12-1, Oookayama, Meguro-ku, Tokyo 152-8552, Japan; Tel.: +81-3-5734-2474, Fax: +81-3-5734-2474, e-mail: [email protected]

The most significant role that incident investigation can play is to prevent disasters by learning from accidents, near misses, and the like. This paper presents a method to guide the construction of possible incident scenarios by facilitating the identification of missing information. This method is based on the concept of “causality networks” which are representations of causality (the path between the root cause and the final consequences) using a shared and common understanding that can be communicated between members of the team and implemented in computational knowledge bases. Causality networks can be built graphically and then converted to a formal representation that can be used directly in a number of inference software packages that in many cases are freely available. The graphical representation enables visualization and analysis. The formal representation facilitates not only information searching (in the database sense) but also new knowledge extraction which is possible thanks to the logic algorithms that are implemented in the software.

KEYWORDS: incident investigation, causality network, plant abnormal scenario, process safety management

INTRODUCTION

The most significant role that incident investigation can play is to prevent disasters by learning from accidents, near misses, and the like. There is an enormous amount of information available on past accidents in the form of incident reports, available as documents and managed in databases. Engineers who perform safety analysis can benefit from this information. However, accidents similar to those that occurred in the past continue to happen.

Current practices in incident investigation are dependent on the investigator’s personal background and training. Loosely speaking, there could be cases in which the number of identified causes matches the number of investigators. Furthermore, there is a need for all the members of an operating investigation team to share a common language that supports their investigation objectives efficiently and accurately [1]. Causal analysis techniques such as “causal factor charts” provide a graphical means of representing the sequence of events leading to hazards. However, such diagrams can bias investigators towards the representation of observable events rather than the contributing factors that made those events more likely.

We have proposed a method to guide the construction of possible scenarios by facilitating the identification of possible missing information [5]. This method is based on the concept of “causality networks” which are representations of causality (the path between the root cause and the final consequences) using a shared and common understanding that can be communicated between members of the team and implemented in computational knowledge bases. Finally, an example based on an explosion of an isomerization unit illustrates the scenario representation method.

EXISTING CAUSAL ANALYSIS TECHNIQUES

The main role of an incident investigation is to identify and address all of the causes of an incident, from the initiating events to the final consequences, based on the evidence gathered at the accident site and from interviews. This task involves the construction of possible cause-and-effect relationships, which can be represented using some of the techniques outlined below.

TIMELINE

A timeline is a method for mapping and tracking the chronological chain of the various occurrences in an incident. CCPS notes that two types of occurrences can be distinguished: those that are passive items, such as the pump was running or the pipe was corroded, and those that are active, such as the pump started up or the pipe failed.

CAUSAL FACTOR CHART

A causal factor chart is a graphical display of the chronology of the incident and it is used to represent the possible sequence of occurrences. A causal factor chart distinguishes between passive and active items. The active items are enclosed in rectangles, and the passive items in ovals. Active items describe an action and must be described with one noun or verb. Each active item should be derived from the one preceding it. Passive items describe states or circumstances rather than occurrences. Although the distinction between active and passive occurrences is a clear benefit of this technique, the technique is ambiguous with regard to the difference between passive items representing temporal bounding events (such as valve was closed) and participating entities (such as fog in the area).

CAUSALITY

Incident information encompasses two kinds of information, namely chronological ordering of occurrences and causation information. Causation implies the act of an agent that produces a change of state. Consequently, scenario representation methods should distinguish between both kinds of information. From an analysis of incident reports it can be observed that some causes or effects have a temporal dimension. For example, explosions, runaway reactions, mixing operations, each has a beginning and an ending. Beginnings and endings are entities with zero extent in time. However, current methods cannot distinguish between zero-extent time entities (events) and entities with temporal dimensions (activities).

Shoham lists properties of causation, some of which are listed here [4]:

1. Causation is antisymmetric. A cannot cause B if B is the cause of A.

2. Causation is antireflexive. A cannot cause itself.

3. Causes cannot succeed their effects in time: $A(s) \text{ causes } A(t) \Rightarrow s \le t$.

4. Entities participating in the causal relation have a temporal dimension. For example, explosions, runaway reactions, mixing operations, all have a beginning and an ending.

Domotor adds the property of transitivity [2]: If A causes B and B is the cause of C, then A is also the cause of C.

CAUSALITY NETWORKS

In order to create and visualize causality information, we have introduced the concept of causality networks, which are based on the ISO 15926 standard that defines a format for the representation of knowledge about process plants [5]. ISO 15926 Part 2 (standardized as ISO 15926-2:2003) specifies a “lingua franca” for long-term data integration, access and exchange. It was developed in ISO TC184/SC4-Industrial Data by the EPISTLE consortium (1993-2003) and designed to support the evolution of data through time. The core of the standard defines 200 concepts including a meta-model for extending the definitions through what is known as a Reference Data Library (about 20,000 concepts from the engineering domain) [3]. The standard includes the definition of kinds and structures of objects, properties, events, processes and relations which can be used in the integration of material property data, equipment information, maintenance activities, etc. Furthermore, ISO 15926 records not only the process plant as it exists at an instant but also how the plant changes as a result of normal (e.g. maintenance) or abnormal activities. This is critical during the analysis of contributing causes.

Causality information contained in the accident report is represented by means of causality networks that are composed of activities and events. A causality network is composed of the following elements:

1. Activities are enclosed by rectangles. Activities involving changes of process variables are complemented with the letter P at the lower right corner of the rectangle. Activities representing operations and control activities include the letter O at the lower right corner of the rectangle.

2. Events are shown by ovals.

3. Participating entities are enclosed by hexagons.

4. Causal relations are represented as solid arrows identified by the word “cause of event”. A cause of event indicates that the caused (event) is caused by the causer (activity).

5. Temporal relations (beginning and ending) are represented as a solid line with a filled circle identified by either the word “beginning” or “ending”. A beginning relation marks the temporal start of an activity or physical object. An ending relation marks the end of a possible individual.

6. The participation relation is represented as a solid line with an empty circle identified by the word “participation”. A participation relation is a part-whole relation that indicates that physical objects are resources, instruments, or performers of an activity.

7. Chronological information from the timeline can be added next to the activities or events.

Figure 1. Symbols used in a causality network

Figure 2. BP incident scenario (Diagram 1)

Figure 3. BP incident scenario (Diagram 2)

Figure 4. BP incident scenario (Diagram 3)


EXAMPLE

During the start-up of the Isomerization Unit on March 23, 2005, explosions and fires occurred, resulting in fifteen fatalities and harming over 170 persons in the Texas City Refinery, operated by BP Products North America Inc. [6].

In May 2005, an interim report was released that presented an analysis of the events leading up to the incident. The report identified a number of initiating events and enabling conditions, and made a number of early recommendations to prevent the recurrence of a similar incident. In this interim report, the development leading to the explosion and fire could be analyzed in detail and documented. A chronology of the events leading up to the incident is summarized and some candidate root causes and accident scenarios are identified.

Figure 5. BP incident scenario (Diagram 4)

CAUSALITY NETWORK FOR BP INCIDENT SCENARIO

Causality networks are used to represent the BP incident scenario based on the interim report, as shown in Figures 2–5. Diagram 1 shows an initial accumulation of liquid hydrocarbon in the column. The feed was charged to the stripper unit and the feed was closed. Two kinds of activities can be distinguished: activities representing process behavior such as “Level increasing” and activities representing control or operation actions such as “Closing feed valve”.

In Diagram 2, the feed is reintroduced and the level reaches a head of 137 ft of hydrocarbon. The liquid level stops increasing when heavy raffinate leaves from the bottoms of the stripper. The reboilers are lit (Diagram 4), heating the bottoms of the column. As heavy raffinate leaves through the bottoms pipeline, it preheats the feed, which contributes to the accumulation of heat in the column.

The heat and pressure effects are shown in Diagram 3. The heat from the burners causes the vapor inventory to increase, which explains the increase of pressure. The pressure is released manually by operator intervention.

In Diagram 4, it can be seen how the decrease of pressure causes the creation of nucleation sites. The heat from the burners causes the pressure in nucleated sites to increase. Incidentally, the momentary decrease of pressure causes vapor in nucleated sites to expand, which results in the release of liquid from the column overhead relief valves, which can be associated with the fatal consequences of the accident.
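The scenario described for Diagrams 3 and 4 can also be written in a formal, checkable form of the kind the paper refers to. The Python sketch below is an added example, not code from the paper: it encodes activities and events, checks Shoham's properties 1 to 3 and the activity-to-event typing of “cause of event” links, and applies transitivity to find root causes. The node labels, the links between them, the chronological indices, and the choice to follow “beginning” links as part of the causal path are assumptions made for this example.

```python
ACTIVITY, EVENT = "activity", "event"
class CausalityNetwork:
    def __init__(self):
        self.kind = {}    # node -> ACTIVITY or EVENT
        self.time = {}    # node -> optional chronological index
        self.links = {}   # node -> [(relation, successor)]

    def add(self, name, kind, time=None):
        self.kind[name] = kind
        if time is not None:
            self.time[name] = time

    def link(self, relation, src, dst):
        self.links.setdefault(src, []).append((relation, dst))

    def downstream(self, node):  # all nodes reachable from node (transitivity)
        seen, stack = set(), [node]
        while stack:
            for _, nxt in self.links.get(stack.pop(), ()):
                if nxt not in seen:
                    seen.add(nxt)
                    stack.append(nxt)
        return seen

    def violations(self):
        found = []
        for src, outs in self.links.items():
            for rel, dst in outs:
                # "cause of event": the causer is an activity, the caused an event.
                if rel == "cause of event" and (self.kind[src], self.kind[dst]) != (ACTIVITY, EVENT):
                    found.append(f"type: {src} -> {dst}")
                # Property 3: a cause cannot succeed its effect in time.
                if src in self.time and dst in self.time and self.time[src] > self.time[dst]:
                    found.append(f"time: {src} -> {dst}")
            # Properties 1 and 2: under transitivity a cycle makes a node its own cause.
            if src in self.downstream(src):
                found.append(f"cycle: {src}")
        return found

    def root_causes(self, node):
        caused = {dst for outs in self.links.values() for _, dst in outs}
        return sorted(n for n in self.kind if n not in caused and node in self.downstream(n))

def build_scenario():
    """Constructed from the prose on Diagrams 3 and 4; labels, links and indices are assumed."""
    chain = [("Burners heating column", ACTIVITY),
             ("Vapor inventory starts to increase", EVENT),
             ("Pressure increasing", ACTIVITY),
             ("Manual pressure release starts", EVENT),
             ("Pressure decreasing", ACTIVITY),
             ("Nucleation sites created", EVENT),
             ("Vapor in nucleated sites expanding", ACTIVITY),
             ("Liquid released from overhead relief valves", EVENT)]
    net = CausalityNetwork()
    for index, (name, kind) in enumerate(chain):
        net.add(name, kind, time=index)
    for (src, kind), (dst, _) in zip(chain, chain[1:]):
        net.link("cause of event" if kind == ACTIVITY else "beginning", src, dst)
    return net
```

Calling `build_scenario().violations()` returns an empty list for the chain as constructed; adding a link that points backwards in time, or from one event to another as a “cause of event”, makes the corresponding violation appear.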

Based on preliminary opinions by two incident investigators, causality networks present the following advantages compared to other representation methods:

1. Graphical representation is easy to understand.

2. The distinction between activities, events and participating entities allows a more unambiguous description of the causation, temporal information, and the substances, equipment, personnel involved in the occurrences.

3. Because the causality network is based on ISO 15926, instances in the graph can be integrated with plant databases such as those containing equipment data.

CONCLUSION

This paper introduced a knowledge-based approach for representing accident information, which examined the concept of causality networks as a model to integrate causality information with objects involved in the accident. It was applied to an example incident scenario to evaluate the proposed method, which describes the scenario causality and participating physical objects.

Still, many improvements are necessary. For example, some features that already exist in causal factor charts are missing, such as the distinction between presumptive and factual data.

As future work, the ultimate goal is to develop a system that can support engineering activities, safety operations, etc. based on lessons learned from past incidents. It is planned to integrate some of the classes in the accident database with the ontology. Thus, the results of searching information on past incident cases can be reused to support safety design, safety operation and maintenance activities and to prevent the occurrence of similar incidents.

REFERENCES

1. Center for Chemical Process Safety, 2003, Guidelines for investigating chemical incidents, 2nd Ed., Wiley AIChE.

2. Findler, N.V. and Bickmore, T., 1996, On the Concept of Causality and A Causal modeling system for scientific and engineering domains, CAMUS, Applied Artificial Intelligence, 10: 455–487.

3. Leal, D., 2005, ISO 15926 - Life Cycle Data for Process Plant: An overview, Oil & Gas Science and Technology – Rev IFP, 16: 629–637.

4. Shoham, Y., 1988, Reasoning about Change, MIT Press, Cambridge, Massachusetts.

5. Suzuki, M., Batres, R., Fuchino, T., Shimada, Y. and Chung, P. W., 2006, A Knowledge-based approach for accident information retrieval, Proc. of ESCAPE-16 & PSE2006: 1057–1062.

6. The US Chemical Safety Board, 2005, Fatal accident investigation report - Isomerization unit explosion, Final report, Texas City, Texas.

