10

Developing Effective Recommendations

Using structured approaches such as those presented in the preceding chapter, an investigation team identifies the multiple system-related incident causes. These approaches provide the mechanism for understanding the interaction and impact of management system deficiencies. When the investigators understand what happened, how it happened, and why it happened, they can develop recommendations to correct immediate, contributing, and root causes. Effective recommendations identify changes in management systems that will eliminate the multiple management system-related causes of the incident. Effective recommendations can reduce risk by improving the process technology, upgrading the operating or maintenance procedures or practices, and most critically, upgrading the management systems. Recommendations that correct management system failures should eliminate or substantially reduce the risk of recurrence of the incident and other similar incidents. This critical step is necessary to achieve the ultimate benefits from an incident investigation. This chapter develops characteristics of high quality recommendations necessary for achieving successful implementation. The first section is a presentation of the major concepts related to recommendations, such as attributes of good recommendations, management of change, and inherent safety. The second section expands on the attributes and presents a systematic discussion of the flowchart for recommendations.

10.1. Major Issues

Figure 10-1 presents an overview of the activities in this chapter beginning with the multiple system-related causes already identified. Each system
251

252

Guidelines for Investigating Chemical Process Incidents

FIGURE 10-1. Incident investigation recommendation flowchart.

cause selected should be addressed by a recommended preventive or mitigating action item or comment. Each cause is examined individually. Proposed actions to prevent a recurrence of the incident are evaluated for technical merit. The incident investigation team develops recommended actions, and then presents these recommendations to the management team responsible for accepting (or rejecting) these recommendations. Recommendations should be written clearly and should be practical to implement. Recommendations that target improvements to the inherent safety of the process design are preferred to those that merely add extra protection features. All recommendations will potentially change management systems; therefore, it is necessary for the team to consider the implications of those changes when developing recommendations.

10

Developing Effective Recommendations

253

Recommendations should undergo a management of change evaluation to identify and consider the impact and risks associated with any changes. It is imperative that the management of change evaluation be completed before implementing recommendations.

10.2. Developing Effective Recommendations

10.2.1. Team Responsibilities The incident investigation team is responsible for developing practical recommendations and submitting them to management. It is then the responsibility of management to approve, modify, reject, communicate, implement, and follow-up on the recommendations, including: allocating sufficient personnel and capital resources for timely completion and implementing changes and following up with those affected by the changes to assure measures are working as expected. 10.2.2. Attributes of Good Recommendations A well-written recommendation specifically describes and defines successful completion in clear and measurable terms. Satisfactory completion of the recommended action should be easy to recognize, that is, you should clearly know when the corrective action is finished. Vague or ambiguous terms do not belong in a written recommendation. Terms such as appropriate safeguards or improve the quality of training should be avoided unless they are expanded upon and specifically define performance terms. Recommendations should be written in such a way that they transfer full responsibility and ownership to the receiving department. They should engage the reader to think about the recommendation before merely acting on it. Recommendation writers should avoid assertive or prescriptive statements that simply direct the recipient to carry out an activity. For example, instead of Rewrite the operating procedures a recommendation might suggest Conduct a step-by-step review of the reactor charging operating procedures with a multidisciplined team and update the procedures as necessary. The incident investigation team identified several steps in which details seem to be missing: purging, blocking in reactant A, and disconnecting trailer. The team may also make appropriate higher-level recommendations such as,

254

Guidelines for Investigating Chemical Process Incidents

Ensure there is a system to review and update procedures on an annual basis and after changes occur, or Ensure a system is in place to enforce existing and modified procedures in the field. Clearly written recommendations allow little opportunity for confusion. The owner is fully responsible for understanding and managing the follow-up. A good practice is to word the recommendation as a standalone thought that includes an explanation of why it was made, specifying the consequences to be avoided. Ambiguously worded recommendations are subjective. They could be open to different interpretations and obscure the intent of the writer. Recommendations concerning restart of operations are often developed before the final report is published. This is a management decision, but may or may not be part of the incident investigation scope. Nevertheless, these recommendations should be clearly written, understood by all, and be approved and accepted by the management organization responsible for safe operation of the facility. Restart criteria deserve special attention and are addressed in further detail later in the chapter. Appendixes D and E contain two reportsAppendix D is one on a fictitious fire and explosion incident and Appendix E is one from an actual incident. The recommendations contained in the reports are typical of the range of detail that can be found in recommendations that address changes in management systems. Five attributes of a successful recommendation are 1. It addresses a root cause of the incident (that is, it fixes the problem). 2. It clearly states the intended action, why it is needed, and what it should accomplish. 3. It is practical, feasible, and achievable. 4. It adds or strengthens a layer of protection. 5. It eliminates or decreases risks, consequences, or the probability of either one. Sometimes several specific causes or recommendations related to each other will be consolidated into a general statement. The preventive action items would appear as individual distinct recommendations, yet a general description may appear as an observation or conclusion. For clarity, there is a distinction between findings and conclusions.(8) Findings are restricted to known facts (information, data). Conclusions state judgments derived from evaluations made by the investigators.

10

Developing Effective Recommendations

255

10.3. Types of Recommendations

Successful recommendations decrease the risk of an occurrence by reducing the frequency or decreasing or eliminating the consequences of an occurrence. The following sections describe methods to decrease risk and give examples. There are several different approaches to categorizing recommendations, for example: Recommendations targeted at reducing the probability of a given incident (for example, increasing preventive maintenance inspection programs to reduce the probability of simultaneous failure of critical circulating pumps and back-up pumps) Recommendations for minimizing personnel exposures (for example, minimizing duration of exposure or relocating noncritical groups of workers to areas remote from potential blast zones) Recommendations to change OR-gates to AND-gates. These ANDgate recommendations will result in a lower frequency of occurrences than OR-gates. (For example, if an overflow was caused by the failure of a single level controlleran OR-gate with transmitter failure, valve failure, leads pluggeda second level transmitter could be used to shut a remote valve on high level. This would add an AND-gate to the tree so that it would take a failure of both systems to result in an overflow.) Recommendations intended to eliminate or reduce the consequences of a given incident (for example, reducing inventories of hazardous materials) 10.3.1. Inherent Safety Recommendations that lead to inherently safer designs are preferred to those limited to adding-on extra mitigation or prevention features. (1) Inherently safer designs limit reliance on human performance, equipment reliability, or properly functioning preventive maintenance programs for successful prevention of an incident. Inherently safer design changes yield greater economic benefits if they are implemented during the early design phases. Nevertheless, the incident investigation team should consider them when developing recommendations. Intrinsic and passive safety design features are by nature more reliable than design features that depend on a consistent performance of a physical or human system.(2) Passive designs reduce the probability of an occurrence occurring or minimize the severity of the adverse consequences without the requirement for successful operation of devices, con-

256

Guidelines for Investigating Chemical Process Incidents

trols, procedures, or interlocks. Some examples of general strategies (3) for increasing inherent safety are: Reduction of Inventories: Advancements in process control and changing acceptable risk standards may have removed the initial justification for large inventories of hazardous raw materials or products. For example, tight quality control of on-time deliveries of hazardous raw materials may allow for a one or two day supply on hand versus a one- or two-week supply. Substitution: Sometimes substitution of a less hazardous material is feasible. For example, many chlorinating systems for water purification have recently converted from pressurized cylinders of liquid chlorine to a pelletized, hypochlorite salt. Intensification: Sometimes it is possible to achieve significant reductions in reactor size (and inventory) with improved mixing technology. Another example of intensification is changing from a batch operation to a smaller scale continuous operation. Change: It may be possible to use a totally different process or method to accomplish the same objectives. The incident investigation team should evaluate the inherent safety features of recommendations. Changes can be either beneficial or detrimental, so investigators should be alert for inherently unsafe features in recommendations. Two common examples of design changes that can increase overall risks are the use of flexible joints and the use of glass (rotameters, bulls eyes, sight glasses, or additional control room windows).(4) Seal-less pumps are generally considered to be inherently safer than pumps with mechanical seals. The failure mode of any recommended new valves should be carefully considered. Most valves should be designed to fail to a closed position, although there are some exceptions, such as cooling water control valves. 10.3.2. Hierarchies and Layers of Recommendations The concept of multiple layers of protection (barriers) has widespread support throughout the chemical processing industry. By providing sufficient layers of protection against an accident scenario, the potential risk associated with that accident can be avoided or at least reduced. For a given scenario, only one layer must work successfully for the consequence to be prevented. However, since no layer is perfectly effective, multiple layers of protection must be provided to render the risk of the accident tolerable. Well-known process safety expert Trevor Kletz identifies three layers of barrier considerations for recommendations as follows(5):

10

Developing Effective Recommendations

257

First layer remedies use immediate technical recommendations targeted to prevent a particular incident. Consider the case where an employee is injured by inhalation exposure while taking a liquid chlorine process sample. First-layer recommendations would address such items as changes to the sampling procedure, refresher training, and selection and use of personal protective respiratory equipment. Second layer recommendations focus on avoiding the hazard. A deeper and broader perspective is used for this second layer, and often the focus is on improving the normal barrier measures placed between the person and the hazard. Typical remedies for the above chlorine incident might include modifications to the sampling apparatus, sampling at a different location, or perhaps an in-line analyzer, which would eliminate the need for manual sampling. Root causes are addressed in the third layer by identifying changes in the management systems. These third-layer recommendations act to prevent not only this particular incident, but also similar ones. Preventive measures, which result in changes in management systems, are in theory more consistent and enduring. For example, if an incident occurred due to an out-of-date operating procedure on a particular process plant, updating that procedure will only prevent the specific recurrence at that plant. However, if the management system is changed to ensure that all operating procedures on all plants are accurate and up-to-date, then similar incidents at other plants will be prevented as would dissimilar occurrences cause by out-of-date procedures. A general sequence of safety layers has also been proposed, as shown in Figure 10-2.(6) This sequence starts with soft then hard engineering, progresses through maintenance, inspection, and operating practices, to instrumentation, overpressure protection, and emergency response. Each layer is a management system in itself and may contain latent failures. As another example, in the chlorine exposure case the investigators would consider such items as: 1. Improvements in the methods in which process sampling is established. (Who participates in the decision? What are the criteria for determining location method and devices? Who authorizes? Is there a periodic audit or reevaluation?) 2. Improvements in the management system for establishing, evaluating, and monitoring standard operating procedures. (Are the procedures adequate, understood, and consistently performed? Is the task still necessary?)

258

Guidelines for Investigating Chemical Process Incidents

FIGURE 10-2. Layers of safety.(6)

3. Is there a routine mechanism such as Job Safety Analysis (JSA) in which tasks such as this are systematically reviewed for potential hazards? JSA is a procedure that systematically identifies: (1) job steps, (2) specific hazards associated with each job step, and (3) safe job procedures associated with each step to minimize accident potential. Multiple layers of protection are a concept incorporated in the American Chemistry Council Process Safety Code of Management Practices.(7) Management Practice number 15 endorses sufficient layers of protection through technology, facilities, and personnel to prevent escalation from a single failure to a catastrophic occurrence. This approach can be applied to multiple system root causes when the investigation team evaluates

10

Developing Effective Recommendations

259

potential remedies. These layers offer guidance in selecting practical recommendations. The key issue is that causes addressed in recommendations must address system-based issues, and the team must always look for multiple causes and corrections. 10.3.3. Commendation /Disciplinary Action Whenever an investigation reveals an employee action worthy of commendation, the incident investigation team should point this out in their comments. Cool rational actions in the middle of an emergency often limit the consequences of an incident. Those employees who demonstrate this type of response should be recognized and commended. Incident investigations should very rarely result in disciplinary actions. The team should assume that disciplinary actions are not part of the investigative outcome. Even the perceived threat of disciplinary action has detrimental effect on an investigation and may discourage cooperation during interviews. 10.3.4. The No-Action Recommendation There may be rare occasions where a particular cause is identified but no accompanying recommendation is submitted. After thorough analysis and deliberation of available existing information, the incident investigation team may decide not to issue a recommendation addressing a particular cause. This decision may be based on a valid and documented quantitative probability assessment verifying that the risk of recurrence is too low to warrant further action, or the cause may be outside of the control of the organization. An example would be a part falling off an aircraft flying at 20,000 feet and striking a tank of flammable material. Even in the case of a no-action decision, the fault and the decision to take no action should be documented. The logic of the decision-making should be documented, along with any facts and reference documents. 10.3.5. The Incompletely Worded Recommendation Another special case is the incompletely worded recommendation, where the investigation team recommends evaluation of an existing safeguard. It is common for an investigation team to generate a recommendation to confirm that an existing physical system (or administrative measure such as written procedures or training program) does provide adequate protection. In these instances, the team should specify what action should be taken if the safeguard is found to be inadequate. If the team only specifies

260

Guidelines for Investigating Chemical Process Incidents

an action such as review the startup procedure, then the implemented action may or may not meet the teams intentions. The team should include instructions to describe what specific action is needed if the existing safeguard is found to be inadequate.

10.4. The Recommendation Process

10.4.1. Select One Cause The process of developing recommendations is summarized in Figure 10-1. Starting with the set of multiple causes determined previously in Chapter 9, each cause is evaluated individually to consider actions that would prevent (or satisfactorily mitigate) a recurrence. Ideally, each recommendation should cover just one item and spell out precisely what action is recommended.(9) 10.4.2. Develop and Examine Preventive Actions The incident investigation team should strive to find recommendations that: prevent a recurrence (actually fix the problem), are reasonably achievable, are compatible with other organizational objectives such as profitability, protecting the community and environment, and are measurable, clearly worded, and describe specific outcomes. Recommendations can focus on changes to improve: physical systems, such as hardware, equipment, and tools, software systems, such as procedures, methods, training, or overall management systems. A hierarchical perspective can be applied. Preventive measures that increase inherent safety are generally considered the most effective approach. See examples for assessing the effectiveness of individual recommendations in Figure 10-3. 10.4.3. Perform a Completeness Test The next activity in the sequence is to check for completeness, such as, Have all the identified causes been addressed? The incident investigation team should remember that the multiple causes are not all necessarily located at the bottom of the logic tree structure. Sometimes causes may be

FIGURE 10-3. Example recommendations and assessment strategies.(10)

262

Guidelines for Investigating Chemical Process Incidents

identified from occurrences or combinations of events from upper levels of the logic tree structure. 10.4.4. Establish Criteria to Resume Operations The decision authority and responsibility for restart rests with site and corporate management. Depending upon the scope of the investigation, the incident investigation team may be requested to assist by identifying any recommendations that should be implemented before resumption of operations. If so, then the team should clearly specify the minimum acceptable criteria recommended for safe resumption of operations. This list should be in writing and may contain a special checklist of items to be verified and completed before attempted restart. If a specific authorization or waiver of constraint is needed, this fact should be clearly indicated and communicated. For most process safety related incidents, the remaining or adjacent sections of the facility will be in operable condition. Thus, the question of restart criteria may be an early task for the team. The topic is often addressed in stages. Initially there may be many restrictions because there will be many unanswered questions. Initial restrictions can be gradually lifted as information becomes more available. Some restrictions on operating parameters (such as flow rates, pressures or temperatures) may continue for extended periods. There will be occasions where restart authorization, prior notification, or coordination with other organizations is required. Regulatory agencies such as federal and state health, safety, and environmental regulators, as well as some municipal agencies (such as fire departments, hazardous material response (HAZMAT) teams, building officials, local emergency planning committees, and others) are examples of outside organizations that may have specific jurisdiction authority over restart. These communications and coordination activities are usually sensitive and can sometimes require more time than originally expected. It is a good practice to verify and document communications of this nature. It is also a good practice to develop a specific checklist of outside parties that should be notified regarding the restart activities. This cooperation and coordination is worth the extra effort. If the team identifies a specific change that must be made before restart, then the recommended change should be evaluated using the sites management of change procedures before restart begins for potential hazards and impacts on the system. These immediate recommendations might receive less than the required amount of scrutiny because of the circumstances, especially if most of the facility is intact and apparently ready to restart. There may be a tendency for short-range thinking, such as considering resuming operations just until the next planned outage (that may be

10

Developing Effective Recommendations

263

in the very near future). The team should maintain consistent standards of diligence and discipline when these pressures arise and insist that all changes be evaluated using the sites management of change procedures. Restart criteria recommendations should receive the same degree of scrutiny as the final and formal recommendations. The management-of-change and pre-startup safety review implications of each restart recommendation should be considered and evaluated for possible adverse consequences. Some common changes encountered in restart criteria recommendations include: changes in operating procedures or instructions (should be in writing and specific), changes in control instrumentation set points for alarms, and changes in expected emergency response actions by on-duty operations personnel. Team participation in startup activities also offers a special opportunity to verify that completion of the recommended action items was done as intended and that those employees operating the unit understand the implications. 10.4.5. Prepare to Present Recommendations While preparing to present the recommendations to management, the incident investigation team should perform some analysis. Related recommendations may be grouped by: Priority Systems affected Time frame for implementation Cost (or level of approval required) Need for outside resources (such as further research or special expertise)

Identify and anticipate challenges to successful implementation. Although the impact of each recommendation should have been largely identified during the course of recommendation development, look at this aspect again. The team should research and resolve expected questions and concerns from line management. If information is available to compare the recommendations to other similar operating processes, then this information should be taken into consideration when preparing to present the recommendations to management.

264

Guidelines for Investigating Chemical Process Incidents

10.4.6. Review Recommendations with Management The next activity as shown on Figure 10-1 is a presentation and review of the recommendations with the members of line management who have responsibility for operation of the affected unit. As discussed previously, management has the responsibility to approve, modify, reject, or implement the recommendations. At this stage of review, before writing the full incident investigation report, only the essential recommendations may have been developed. However, line management are invariably more interested in these key recommendations, and the other less critical recommendations may not be reviewed with management until the report has been drafted. If a recommendation is submitted to correct a safety problem exposed during an investigation, a legal concept sometimes referred to as increased knowledge can then be applied. The concept is based on the idea that additional responsibility accompanies this additional knowledge. Management has a legal duty to respond to all known hazards. This is particularly applicable in the case where a previously unrecognized or underestimated potential hazard becomes evident (or further understood) by the investigation. Failure to resolve the recommendation in a reasonable manner can result in increased liability. Most members of upper and middle management understand this concept. However, others, such as first line supervisors, may not fully realize the possible impact of a decision not to act on a formal safety recommendation. Company legal representatives should be consulted when the management system is established to address these concepts, before a situation of increased knowledge arises.

10.5. Reports and Communications

The recommendations as accepted for implementation are now ready to be documented in formal written reports and communicated, as addressed in Chapter 11. Internal corporate legal departments may suggest separating the report from the recommendations to simplify and streamline potential litigation. The Center for Chemical Process Safety endorses a policy of including the recommendations in the formal report. A single document is more likely to be consistently applied. A single document should communicate the story and causes of the incident better, and thus achieve improved prevention results. If the team conducting the investigation has been chosen for their experience, technical knowledge, and skills, they are best placed to

10

Developing Effective Recommendations

265

develop recommendations to prevent recurrence. In some governmental organizations, however, a separate group, rather than the evidence gathering team, develops the actual recommendations and generates a separate report. This is a common practice for many U.S. governmental agencies, such as the Department of Energy, National Transportation Safety Board, Department of Labor, and Nuclear Regulatory Commission. One basis for this practice is that the evidence-gathering and analysis team is often staffed with highly trained professionals who specialize in physical evidence analysis. These specialists can have a relatively narrowly focused scope of knowledge and may not always be in the best position to formulate recommendations that include changes in management systems. In this case, the recommendations may be separated from the rest of the report. Another reason for separating the recommendations from the rest of the report recognizes the practical aspects of the implementation process in governmental agencies. It is common for higher levels within a federal agency to add to or strengthen the original recommendations. This approach is not recommended for process safety incident investigation. If the team conducting the incident investigation has been chosen for their experience, technical knowledge, and skills, they are best placed to develop the recommendations to prevent a recurrence.

Endnotes
1. Kletz, T. A. Make Plants Inherently Safe Hydrocarbon Processing Magazine. Houston, TX: Gulf Publishing Company, September 1985. 2. Hendershot, D. C. Design of Inherently Safer Chemical Processing Facilities Presentation Paper at Texas Chemical Council Safety Seminar, Process Safety Management Program, 1991. 3. Knowlton, E. R. An Introduction to Hazard and Operability StudiesA Guideword Approach, 7th Printing. Vancouver, British Columbia: Chemetics International Co., 1989. 4. Englund, S. M. Design and Operate Plants for Inherent Safety Chemical Engineering Progress, Part 1, March 1991; Part 2 May 1991. 5. Kletz, T. A. Learning from Accidents in Industry, Boston-London: Butterworths Publishers, 1988. 6. Csengery, L. V., The Time for Process Hazard Analysis Has Arrived. Paper 68d, AIChE Loss Prevention Symposium, 1991. 7. American Chemistry Council. Resource Guide for Implementing the Process Safety Code of Management Practices. Washington, DC, 1990. 8. U.S. Nuclear Regulatory Commission. NUREG-1303, Incident Investigation Manual. Washington, DC, 1988.

266

Guidelines for Investigating Chemical Process Incidents

9. Ferry, T. S. Modern Accident Investigation and Analysis. 2nd Edition. New York: John Wiley & Sons, 1988. 10. ABS Consulting. Incident Investigation/Root Cause Analysis Training: Results Trending and Assessment. Knoxville, TN: ABS Consulting, 2001.

Additional Reference
Center for Chemical Process Safety (CCPS). Inherently Safer Chemical Processes: A Life-Cycle Approach. New York: American Institute of Chemical Engineers, 1996.