Back to Basics
The ChE as
Sherlock Holmes:
Investigating Process Incidents
James A. Klein Investigating process incidents to understand
ABS Group
what happened and why provides vital information
that will help prevent future incidents.
“There is nothing more deceptive than
an obvious fact.”
— Sherlock Holmes
S
herlock Holmes is a fictional consulting detective cre-
ated by Sir Arthur Conan Doyle in 1887 (1), ultimately
appearing in over 50 novels and short stories, many of
which have been popularized in movies and on television.
He is renowned for his powers of observation and his ability
to develop significant insights into the causes and perpe-
trators of difficult criminal cases that others miss — often
figuring out what happened when no one else can. In process
safety, we similarly need to analyze what happened when
process incidents occur so we can determine what went
wrong and how future incidents can be prevented.
Sometimes after a process safety incident, what hap-
pened may seem obvious. Usually, though, many things
have to go wrong for a serious incident to occur, and one
or more of the causes may not be obvious. Even if some
of them do seem obvious, our view is often incomplete or
simply wrong. As a result, incident investigations must rely
on appropriate investigation techniques to ensure that the
lessons learned from an incident are valid and effective.
The processes of solving criminal cases and investigating
process incidents are not very different at a high level. Both
*This article is based on a paper presented at the AIChE 2015 Spring
Meeting and 11th Global Congress on Process Safety, April 2015.
28  www.aiche.org/cep  October 2016  CEP
involve looking for clues and evidence. Both involve identi-
fying and analyzing various possibilities to determine what
most likely happened and what didn’t.
Process investigations can serve as a tool to ensure such
an incident does not happen again. While we may lack the
personal skills, insights, and confidence of Holmes, we can
learn from him, learn from process incidents, and, ultimately,
contribute to improved process safety performance.
An incident is an unplanned sequence of events with the
potential for undesirable consequences (2). Process safety
incidents involve process hazards, such as toxicity, flamma-
bility, and reactivity, that can lead to hazardous events, such
as toxic releases, fires, and runaway reactions. A catastrophic
incident might involve a large explosion or toxic release
with multiple consequences, such as injuries, environmental
harm, and/or business disruption. For example, an explo-
sion and fire at a polyvinyl chloride (PVC) manufacturing
facility killed five workers and seriously injured three others
(Figure 1) (3).
A near-miss incident is one with the potential for sig-
nificant consequences if it were to progress, but did not due
to the actions of safeguards, emergency response, or other
factors.
You can learn from all types of process safety incidents.
When something unplanned or unexpected occurs, the
consequences should be identified to determine whether
an investigation is appropriate. Incident investigations
must identify and document important facts about what
Copyright © 2016 American Institute of Chemical Engineers (AIChE)

happened; determine what might have caused the incident;
and make recommendations to prevent such incidents from
occurring in the future. Investigations are a mechanism for
learning from actual operating experience, providing con-
tinuing feedback on process safety program effectiveness,
and identifying where improvements are needed. Keeping
track of the types, severities, and causes of incidents can
help you gauge how well process safety programs are work-
ing, how they can be improved, and the lessons that were
learned from the incidents (4).
Investigating process incidents
“The tragedy has been so uncommon,
so complete and of such personal
importance, to so many people, that
we are suffering from a plethora of
surmise, conjecture, and hypothesis. The difficulty
is to detach the framework of fact — of absolute
undeniable fact — from the embellishments of
theorists and reporters. Then, having established
ourselves upon this sound basis, it is our duty to
see what inferences may be drawn …”
— Sherlock Holmes
After a significant process incident, especially if there
have been fatalities, severe injuries, and major equipment
damage, site employees may be highly emotional and
under stress. Some may jump to conclusions about what
happened. Some may have a vested interest in assigning
blame for what happened. Threats of job loss, regulatory
Copyright © 2016 American Institute of Chemical Engineers (AIChE)
t Figure 1. An explosion at a PVC manufacturing facility
resulted in five fatalities and ignited PVC resins stored in an
adjacent warehouse. Concerns about the ensuing smoke
forced a two-day community evacuation. Source: (3).
involvement, and legal action may exist. Under
these circumstances, it is difficult to ascertain the
framework of fact about what happened and how
it can be prevented in the future.
An effective incident investigation process,
as shown in Figure 2, can help overcome these
difficulties (2). The steps for investigating process
incidents are:
1. Report unusual occurrences to determine
whether an incident has occurred. Companies
should establish a simple process for prompt
reporting and train all employees on what should
be reported. If potential incidents are not reported,
then potential learnings that could help prevent
future incidents will be lost.
2. Determine the extent of investigation
required, based on management review of the initial inci-
dent report and classification criteria in incident inves-
tigation program guidance. Some small events without
significant potential consequences, such as low-hazard
liquid spills, may not warrant an extensive investigation,
although metrics should be kept that track the number and
types of such occurrences. Events with either significant
consequences or the potential for significant consequences
may be investigated using different techniques appropri-
p Figure 2. Follow these steps to conduct an incident investigation.
Source: Adapted from (2).
CEP  October 2016  www.aiche.org/cep  29
Back to Basics
ate for the type of incident, as determined by the incident
classification.
3. Form a qualified incident investigation team. The
team should include members with relevant operational,
maintenance, and engineering experience and skill in using
effective investigation methods. Additional participants,
such as contractors or technical experts, should be involved
in the investigation as needed.
4. Collect and preserve evidence to support the investiga-
tion immediately following an incident. For example:
• collect samples
• isolate equipment that has failed
• take pictures of the operating area and equipment posi-
tions (e.g., valve and switch positions)
• collect data from control systems
• interview personnel
• collect documents (e.g., management of change [MOC]
forms, inspection records, process hazard analyses [PHAs]).
This information is used to establish a chronology of
events and to provide facts for use in the investigation.
5. Analyze the evidence that has been collected using
appropriate investigation methods to determine the causes of
the incident, as discussed in the following sections.
6. Develop recommendations that address the causes of
the incident. Recommendations should be specific for all
identified causes and should clearly document the actions
to be taken. Develop interim actions, if needed, to provide
temporary improvements while recommendations are being
implemented.
7. Document and share, as appropriate, the investigation
results.
8. Track all recommendations to make sure they are
implemented within a reasonable time.
9. Maintain data on incident types, severities, and
causes using appropriate metrics to help measure process
safety performance and to identify additional improvement
opportunities.
Why trees — Identifying root causes
“When you have eliminated the
impossible, whatever remains, however
improbable, must be the truth.”
— Sherlock Holmes
Once evidence related to an incident has been collected
and preserved, the investigation team must analyze the evi-
dence to determine what happened and why. This involves
developing a chronology of events, or timeline, from
available instrumentation records, personnel interviews, and
other sources. Various incident investigation methodologies
may be used to determine the causes of the incident. Causes
30  www.aiche.org/cep  October 2016  CEP
such as equipment failure and human error are readily
observable. However, underlying management system root
causes and safety culture and leadership issues are often at
the heart of process incidents (Figure 3). An incident may
be caused by (2, 5):
• equipment causal factors (P) — physical equipment
failures, such as pump, valve, mixer, or relief valve failures
• human causal factors (H) — human errors, such as an
employee not following procedures, using incorrect tools, or
incorrectly using personal protective equipment
• management system root causes (S) — management
system failures that allowed the equipment and/or human
causal factors to occur or exist through failures to prevent,
detect, and/or correct them; many of these are related to gaps
in process safety system elements, such as incomplete proce-
dures, poor preventive maintenance, ineffective training, or
incorrect risk analysis
• safety culture and leadership issues. Often the under­
lying cause of management system failures, an organiza-
tion’s safety culture can be influenced by factors such as
provision or allocation of resources, production priorities,
and major organizational changes. Many investigations will
not focus on developing recommendations at this level due
to the potential difficulties in identifying issues and/or imple-
menting improvements; however, it is beneficial to consider
these issues during the incident investigation.
Investigation techniques can range from simpler meth-
ods, such as 5-whys, to more-detailed root-cause methods,
such as cause-and-effect tree analysis (why tree). The
method selected should be appropriate for the complexity
and severity of the incident.
The 5-why method typically starts by questioning the
primary consequences of the incident that occurred, such
Equipment
and Human
Causal Factors
More Observable
Causes
Underlying Root
Causes
Management
System
Root Causes
Safety Culture and
Leadership Issues
p Figure 3. Effective incident investigations identify the underlying root
causes of the incident, in addition to the more readily observable equipment
and human causal factors. Source: Adapted from (2).
Copyright © 2016 American Institute of Chemical Engineers (AIChE)
as “Why did a release of chlorine occur?” Based on the
answer, such as a transfer hose failed, an additional why
question is asked, such as “Why did the transfer hose fail?”
Typically, at least five why questions are asked until root
causes of the incident are identified. In this example, failure
to properly specify which hose should have been purchased,
due to miscommunication with a vendor, might be one of
the causes. Additional questions, such as “Why was the
incorrect hose not identified when received or before use?”
would also be appropriate to evaluate why the specification
error was not detected. Multiple 5-why question sets can
also be used if needed for different incident factors, such
as “Why was an operator near the chlorine cylinders?” or
“Why were the cylinders stored at that location?”
For complex incidents, the more-rigorous why tree
method is often used to help ensure that the incident investi-
gation is comprehensive and unbiased. The why tree method
employs the following steps:
1. Identify the top event of interest (e.g., a serious injury
due to exposure to a hazardous chemical).
2. Determine what could have caused the top event of
interest by asking why and using cause-and-effect logic. The
investigation team should brainstorm to identify possible
causes (hypotheses) of the event.
3. For each hypothesis, the team should collect and
document confirming and contradicting data. Confirming
data support the conclusion that the hypothesis was a cause
of the effect (or why question); contradicting data refute the
conclusion.
4. Based on the confirming and contradicting data, the
team confirms or eliminates the hypothesis. Remaining
hypotheses are possible causes until they can either be
eliminated or confirmed based on additional investigation.
In some cases, it may be difficult to confirm or eliminate a
hypothesis; if needed, the team can rely on their relevant
experience to decide or to assign probabilities for the likeli-
hood of the hypothesis.
5. Continue to ask why and develop and eliminate
hypotheses for each question until management system root
causes are identified, based on hypotheses that are confirmed
by the data available.
6. Ask why at least one more time to determine whether
other possible management system root causes or safety
culture or leadership issues can be identified.
Figure 4 shows a simple why tree for an operator fatality.
Note that the why tree for this example is not fully devel-
oped, and “other observations” or “other causes” are used
for simplicity. The top event is the operator fatality, and
previous investigation has already found that the fatality was
due to exposure to a toxic chemical.
Employees observed a toxic chemical being vented from
a cylinder in the storage area, so the first hypothesis (i.e.,
the fatality occurred from a toxic release from a cylinder)
appears to be correct. From this starting point, ask the
question “Why was the toxic chemical released from the cyl-

Cause-and-Effect Logic
C ause-and-effect logic is used in a why tree to help
ensure that appropriate hypotheses explaining
incident causes are developed. Here is an example of
cause-and-effect logic:
Effect: The car stopped.
Potential causes (hypotheses): (1) It ran out of gas.
(2) The driver braked. (3) The engine failed. (4) The oil had
just been changed. (5) The driver had been shopping.
Logic test: Each of the first three hypotheses makes
sense as an individual cause. However, Hypothesis 4
involves a large step in logic, and Hypothesis 5 has no
apparent connection to the car stopping. It’s possible that
insufficient oil could lead to the car stopping, but only if it
causes the engine failure of Hypothesis 3. An error during
the oil change, such as failure to replace the oil or secure
the drain plug, could cause insufficient oil.
At each level in the why tree, all potential causes
should be listed and the cause-and-effect logic should be
tested. Hypotheses are listed using OR logic (the hypoth-
esis can produce the effect by itself) or AND logic (multi-
ple hypotheses must exist simultaneously to produce the p Figure 4. After an operator fatality, a why tree can be used to investigate
effect). OR logic is assumed in the figures. the incident and help determine the reasons it occurred. Note that this why
tree is not fully developed, and “other causes” are noted for simplicity.

Copyright © 2016 American Institute of Chemical Engineers (AIChE) CEP  October 2016  www.aiche.org/cep  31
Back to Basics

inder?” The investigation team must brainstorm the answer

to this question with credible causes (hypotheses) based on
cause-and-effect logic. The team assesses each hypothesis
based on the confirming and contradicting data that were
collected as evidence. Evidence is then documented as sup-
porting or disputing each hypothesis.
Hypotheses that are contradicted or proven false by the
data are not considered further (Figure 5). For example, the
team hypothesized that the toxic release from the cylinder
was caused by a cylinder failure, a transfer hose failure,
or possibly other causes that are not listed in this example.
Examination and testing of the cylinder and the transfer
hose confirmed that the hose failed, so the team was able to
eliminate the cylinder failure hypothesis.
At each level in the why tree, additional why questions
are asked, additional hypotheses are developed using cause-
and-effect logic, and hypotheses are supported or eliminated
based on confirming or contradicting evidence. If evidence
confirming or eliminating a hypothesis is not available,
the team can use their knowledge (or that of consultants,
if involved) to decide whether to confirm or eliminate the
hypothesis or to assign probabilities for its likelihood.
In Figure 5, hypotheses for the transfer hose failure
include it was an old hose, it was not correctly connected to
p Figure 5. After a hypothesis is disproven based on factual evidence and
the cylinder, it was the wrong hose, or other possible causes. investigation, it can be eliminated from the why tree.
The investigation team reviewed the available data and
determined that the wrong transfer hose was used, which If the team uncovers additional observations, such as a
allowed them to eliminate the other hypotheses. This process similar chemical release that occurred the previous year, then
continues until the management system root causes have the process should be repeated until the root causes have
been identified. been found for all relevant observations. Was the previous
Identifying the management system root causes is the incident investigated effectively and were recommendations
most beneficial way to prevent future incidents, because appropriate and resolved? Ultimately, the need to identify the
they have a broader impact on process safety at an entire root causes requires a thorough incident investigation that
site or within an organization. For example, if training is looks deeply into what went wrong rather than a super­ficial
ineffective, asking why it is ineffective can lead to signif- focus on what is apparent or obvious about the incident.
icant training improvements. If only obvious equipment Trained why tree leaders, either internal staff or external
failures or human causal factors are considered, one pump consultants, are often used because the method can seem
might be fixed or one operator might be retrained, but the complex if it is not practiced often (which hopefully is the
system-level improvements that could reduce overall pump case for most team members because there are few incidents
failures or operator errors will likely be overlooked. needing to be investigated).
In Figure 5, the transfer hose specification was deter- Brainstorming with cause-and-effect logic to identify
mined to have been incorrectly changed by an engineer as possible hypotheses is a powerful method for identifying
part of an MOC request. Further investigation of this simple incident causes that may not be obvious. This method goes
example would evaluate why this system failure occurred, beyond the simpler approach of the 5-why method. Con-
why the incorrect hose specification was not corrected as structing a why tree for all relevant observations provides
part of the MOC reviews, and why it was not detected when a comprehensive investigation that does not focus solely
the hose was received. Whenever the management system on the obvious top event of interest. For example, a why
root cause is determined, it is useful to ask why at least one tree could be developed for the observation that a similar
more time to determine whether more can be learned about incident occurred previously (as noted above), a chemical
why the system failure occurred, such as another manage- storage location had been changed recently, required per-
ment system root cause or issues related to safety culture or sonal protective equipment (PPE) had been modified, or an
leadership. operator was working alone for the first time.

32  www.aiche.org/cep  October 2016  CEP Copyright © 2016 American Institute of Chemical Engineers (AIChE)
 Hazard
Top
Event
Threats
Preventive Barriers
Process Hazards Hazardous Events
Toxicity Toxic Releases
Flammability Fires and Explosions
Reactivity Out-of-Control Reactions
p Figure 6. A bow tie diagram can be used to investigate the sequence and the success
or failure of protective layers to prevent and mitigate process incidents. Source: (8).
The use of a rigorous methodology, such as a why tree,
also helps eliminate the influence of bias or politics on the
results because it uses cause-and-effect logic with factual
evidence, rather than opinion, to identify incident causes.
Cause-and-effect tree methods involving root cause maps
(5) and similar approaches have been developed to help
make incident investigations comprehensive, consistent, and
effective.
Bow ties — Evaluating protective layers
“To the curious incident of the dog in
the nighttime. The dog did nothing in the
nighttime. That was the curious incident.”
— Sherlock Holmes
A possible drawback of the why tree method is that the
sequence of events, such as the actions of protective layers
that have been provided, is often not evaluated in detail
beyond the event chronology. Protective layers help prevent
and mitigate potential hazardous events, and are imple-
mented based on process hazard and risk analysis. Bow ties
are often used, separately or to supplement the why tree
technique, for investigating incidents (6, 7). The bow tie
method allows a more direct analysis of the protective layers
that existed and whether they worked as designed in the
sequence expected.
Figure 6 is an example of a bow tie diagram (8). A
process hazard in the top middle of the figure causes the
top event, which could be a loss of containment, runaway
reaction, or other event. Various threats, based on physical,
human, or system failures, can cause the top event if the
preventive barriers or protective layers fail. The potential
Copyright © 2016 American Institute of Chemical Engineers (AIChE)
consequences of the top event are shown on the
right side of the figure, depending on the avail-
ability and effectiveness of mitigative barriers and
specific circumstances at the time of the event. The
different pathways give the diagram the shape of a
Consequences
bow tie.
For example, a release of a flammable and
toxic material could result from high pressure in
a column and failure of instrumentation to detect
increasing pressure and other safeguards protect-
Mitigative Barriers ing against high pressure. Depending on the loca-
tion, release conditions, meteorological conditions
Consequences at the time of the release, and the availability and
Fatalities/Injuries effectiveness of mitigative barriers, consequences
Environmental Harm
Property Damage
such as a fire or explosion could occur, which
could cause injuries, fatalities, environmental
harm, and/or property damage.
The bow tie method allows analysis of:
• the sequence of expected protective (preven-
tive and mitigative) layer actions
• which protective layers worked, which failed, and why
• what protective layers could have been provided, but
were not, and why.
The bow tie method provides a visual of the incident that
is useful for understanding what happened, for comparison
to process hazard analysis studies, and for training related to
the incident investigation. Bow tie analysis allows the inci-
dent investigation team to establish whether preventive and
mitigative protection layers worked as designed (Figure 7). If
not, the failure can be investigated, using the 5-why or why
tree method to question why the barrier failed. For example,
the team may ask “Why did the pressure switch fail?” or
“Why was the relief valve designed incorrectly?”
Similarly, the team should consider whether an addi-
tional protective layer could have been provided as part
of the PHA study. If an additional layer could have been
implemented, the team should question why it was not
Effective Barrier
Available Barrier
Available Barrier
Missing Barrier
Failed Barrier
Failed Barrier
Why did
these barriers Was a barrier
fail? missing? Why?
p Figure 7. A bow tie diagram helps an incident investigation team
consider the sequence and effectiveness of protective layers (what
safeguards worked or failed and why), as well as determine why additional
protective layers were not provided (what safeguards could have been
provided but were not and why).
CEP  October 2016  www.aiche.org/cep  33
Back to Basics
provided. For example, the team might ask, “Why wasn’t a
high-­pressure alarm provided?” or “Why did the PHA fail to
identify this scenario?”
As with the why tree method, trained experts and spe-
cialized software can help ensure appropriate application
of the bow tie method. Use of both methods can ensure a
comprehensive incident investigation and help maximize the
lessons learned to prevent future incidents.
Ensuring effective investigations
“You have been very remiss in not coming to
me sooner. You start me on my investigation
with a very serious handicap.”
— Sherlock Holmes
Even with the use of appropriate techniques as discussed,
various problems can reduce the effectiveness of incident
investigations. Some of the problems include:
• Potential incidents are not recognized or reported for
possible investigation.
• The incident investigation team does not include people
with the right experience and skills, including specialists
who may be needed part-time during the investigation.
• The investigation is started too late and/or is rushed to
meet reporting deadlines.
Table 1. To complete a successful incident investigation,
follow these steps.
1. Begin the investigation as soon as possible.
2. Collect and preserve evidence immediately.
3. Form an investigation team with appropriate experience.
4. Provide sufficient time for the investigation.
5. Apply appropriate methods to identify incident causes.
6. Apply appropriate methods to evaluate active, failed, and
missing protective layers.
7. Make specific, actionable recommendations for all findings.
8. Document and communicate incident findings.
9. Ensure recommendations are completed in a timely manner.
10. Sustain improvements.
JAMES A. KLEIN (Email: jklein@absconsulting.com) joined ABS Consulting in
2013 as a senior process safety consultant conducting risk and safety
culture assessments, compliance audits, and other process safety ser-
vices. Prior to that, he was a senior process safety competency consul-
tant and PSM co-lead for North America Operations at DuPont and had
33 years of experience in process safety, engineering, and research. He
has over 50 publications, conference presentations, and university talks
and has participated in several CCPS book projects, including as the
committee leader for Conduct of Operations and Operational Discipline
and as a committee member for Risk Based Process Safety. He has a BS
in chemical engineering from MIT, an MS in chemical engineering from
Drexel Univ., and an MS in management of technology from the Univ. of
Minnesota. He has been a member of AIChE since 1984.
34  www.aiche.org/cep  October 2016  CEP
• Potential evidence has not been collected or may have
been discarded (e.g., interviews, samples, equipment).
• Incident investigation methods have not been applied
correctly, stopping at easily observable causes (e.g., equip-
ment failure, human error) rather than searching deeper for
management system root causes and other safety culture and
and leadership issues.
• The investigation has been excessively influenced by
individuals, organizational politics, or other circumstances.
• Recommendations are not provided for all incident
causes (including interim actions if needed before recom-
mendations can be completed).
• Recommendations are not clearly written in terms of
what needs to be done and why, so the person responsible
for follow-up is unsure of the proper action.
• Recommendations are not tracked to closure, and the
action taken is not clearly documented.
• Completed recommendations, such as system or proce-
dural changes, are not sustained.
Instead of succumbing to these problems, follow the cor-
rect procedures in Table 1 to complete an effective incident
investigation.
Proper application of incident investigation steps
and techniques, like the approaches used by Sherlock
Holmes, can enable you to successfully identify incident
causes, which will help maximize the knowledge you
gain from incidents and help prevent future incidents. We
never want serious incidents to occur. Conducting effective
incident investigations helps ensure that they do not occur
again. CEP
Literature Cited
1. Doyle, A. C., “Sherlock Holmes: The Ultimate Collection,”
2nd ed., Maplewood Books (2014).
2. Center for Chemical Process Safety, “Guidelines for Risk
Based Process Safety,” American Institute of Chemical
Engineers, New York, NY, and Wiley, Hoboken, NJ (2007).
3. U.S. Chemical Safety and Hazard Investigation Board,
“Investigation Report: Vinyl Chloride Monomer Explosion,”
Report No. 2004-10-I-IL, Formosa Plastics Corp., Illiopolis, IL
(Mar. 2007).
4. Ness, A., “Lessons Learned from Recent Process Safety
Incidents,” Chemical Engineering Progress, 111 (3), pp. 23–29
(Mar. 2015).
5. Vanden Heuvel, L. N., et al., “Root Cause Analysis Handbook,”
3rd Ed., Rothstein Associates, Inc., Brookfield, CT (2008).
6. Hollnagel, E., “Barriers and Accident Prevention,” Ashgate
Publishing, Aldershot, UK (2004).
7. ABS Consulting, “Thesis Bowtie Software Solution,” www.
abs-group.com/content/documents/Software/thesis-bowtie-risk-­
management-software.pdf (2016).
8. Klein, J. A., and B. K. Vaughen, “Process Safety: Key Concepts
and Practical Approaches,” CRC Press, Boca Raton, FL (2017).
Copyright © 2016 American Institute of Chemical Engineers (AIChE)