More incidents that define process safety [First edition] 9781119561347, 1119561345

"More Incidents that Define Process Safety book describes over 50 incidents which have had a significant impact on

326 85 32MB

English Pages pages cm [369] Year 2020

Report DMCA / Copyright

DOWNLOAD PDF FILE

Table of contents :
MORE INCIDENTS THAT DEFINE PROCESS SAFETY......Page 3
Table of Contents......Page 8
List of Figures......Page 12
Acronyms and Abbreviations......Page 19
Glossary......Page 28
Acknowledgments......Page 40
Preface......Page 42
Foreword......Page 44
1.1 WHY A SECOND VOLUME?......Page 47
1.2 CCPS RISK BASED PROCESS SAFETY ELEMENTS......Page 48
1.2.1 Pillar I - Commit to Process Safety......Page 49
1.2.3 Pillar III - Manage Risk......Page 50
1.2.4 Pillar IV - Learn from Experience......Page 53
1.4 ORGANIZATION OF THIS BOOK......Page 54
1.5 ENGINEERING DESIGN......Page 55
1.7 FINAL NOTE......Page 56
2.1 INTRODUCTION......Page 58
2.2.1 Summary......Page 59
2.2.2 Description......Page 61
2.2.3 Management System Failures......Page 63
2.3.1 Summary......Page 66
2.3.2 Description......Page 67
2.3.3 Management System Failures......Page 68
2.4.1 Summary......Page 70
2.4.2 Description......Page 71
2.4.3 Management System Failures......Page 73
2.5 AMMONIUM NITRATE INCIDENTS......Page 74
2.6.1 Summary......Page 75
2.6.2 Description......Page 76
2.6.3 Management System Failures......Page 81
2.7.1 Summary......Page 84
2.7.2 Description......Page 85
2.7.3 Management System Failures......Page 86
2.8.1 Summary......Page 87
2.8.2 Description......Page 88
2.8.3 Management System Failures......Page 91
2.9.1 Summary......Page 92
2.9.2 Description......Page 93
2.9.3 Management System Failures......Page 96
2.10 OTHER INCIDENTS......Page 98
2.11 ADDITIONAL RESOURCES......Page 99
3.1 INTRODUCTION......Page 102
3.2.2 Description......Page 103
3.2.3 Management System Failures......Page 108
3.3.1 Summary......Page 111
3.3.2 Description......Page 112
3.3.3 Management System Failures......Page 118
3.4.1 Summary......Page 121
3.4.2 Description......Page 122
3.4.3 Management System Failures......Page 125
3.5.1 Summary......Page 127
3.5.2 Description......Page 129
3.5.3 Management System Failures......Page 132
3.6.1 Shell Refinery Fire, Singapore, 2011......Page 133
3.7 ADDITIONAL RESOURCES......Page 134
4.1 INTRODUCTION......Page 137
4.2.1 Summary......Page 141
4.2.2 Description......Page 143
4.2.3 Management System Failures......Page 147
4.2.4 Similar Incident......Page 149
4.3.1 Summary......Page 151
4.3.2 Description......Page 154
4.3.3 Management System Failures......Page 155
4.4.1 Summary......Page 157
4.4.2 Description......Page 159
4.4.3 Management System Failures......Page 162
4.5.2 Description......Page 164
4.5.3 Management System Failures......Page 168
4.5.4 Similar Incident......Page 170
4.6.1 Summary......Page 171
4.6.2 Description......Page 174
4.6.3 Management System Failures......Page 177
4.7.1 Summary......Page 179
4.7.2 Description......Page 180
4.7.3 Management System Failures......Page 186
4.8.1 Summary......Page 188
4.8.2 Description......Page 189
4.8.3 Management System Failures......Page 192
4.9.1 Summary......Page 195
4.9.2 Description......Page 196
4.9.3 Management System Failures......Page 198
4.10.1 Summary......Page 200
4.10.2 Description......Page 202
4.10.3 Management System Failures......Page 204
4.11.1 Summary......Page 205
4.11.2 Description......Page 207
4.11.3 Management System Failures......Page 210
4.13 ADDITIONAL RESOURCES......Page 211
5.1 INTRODUCTION......Page 215
5.2.1 Summary......Page 216
5.2.2 Description......Page 218
5.2.3 Management System Failures......Page 222
5.3.1 Summary......Page 228
5.3.2 Description......Page 229
5.3.3 Management System Failures......Page 233
5.4.1 Summary......Page 234
5.4.2 Description......Page 236
5.4.3 Management System Failures......Page 239
5.5.1 Summary......Page 240
5.5.2 Description......Page 241
5.5.3 Management System Failures......Page 245
5.6.1 Summary......Page 248
5.6.2 Description......Page 249
5.6.3 Management System Failures......Page 252
5.7.1 Summary......Page 255
5.7.2 Description......Page 257
5.7.3 Management System Failures......Page 262
5.8.1 Summary......Page 263
5.8.2 Description......Page 264
5.8.3 Management System Failures......Page 266
5.9.2 Description......Page 268
5.9.3 Management System Failures......Page 270
5.10.1 Summary......Page 271
5.10.2 Description......Page 272
5.10.3 Management System Failures......Page 274
5.12 ADDITIONAL RESOURCES......Page 276
6.1 INTRODUCTION......Page 278
6.2.1 Summary......Page 279
6.2.2 Description......Page 281
6.2.3 Management System Failures......Page 284
6.3.1 Summary......Page 286
6.3.2 Description......Page 287
6.3.3 Management System Failures......Page 289
6.4.1 Summary......Page 290
6.4.2 Description......Page 291
6.4.3 Management System Failures......Page 292
6.5.1 Summary......Page 294
6.5.2 Description......Page 295
6.5.3 Management System Failures......Page 299
6.6.1 Summary......Page 300
6.6.2 Description......Page 301
6.6.3 Management System Failures......Page 304
6.7.2 Description......Page 305
6.7.3 Management System Failures......Page 307
6.8 OTHER INCIDENTS......Page 308
6.9 ADDITIONAL RESOURCES......Page 309
7.1 INTRODUCTION......Page 310
7.2.1 Summary......Page 311
7.2.2 Description......Page 312
7.2.3 Management System Failures......Page 316
7.3.1 Summary......Page 318
7.3.2 Description......Page 319
7.3.3 Management System Failures......Page 321
7.4.1 Summary......Page 324
7.4.2 Description......Page 325
7.4.3 Management System Failures......Page 327
7.5.2 Description......Page 329
7.5.3 Management System Failures......Page 331
7.6.1 Summary......Page 333
7.6.2 Description......Page 334
7.6.3 Management System Failures......Page 337
7.7.2 Description......Page 340
7.7.3 Management System Failures......Page 341
7.8 OTHER INCIDENTS......Page 342
7.9 ADDITIONAL RESOURCES......Page 343
Appendix 1: Matrix relating incidents, industries, and RBPS elements......Page 344
References......Page 348
Index......Page 364
EULA......Page 369
Recommend Papers

More incidents that define process safety [First edition]
 9781119561347, 1119561345

  • 0 0 0
  • Like this paper and download? You can publish your own PDF file online for free in a few minutes! Sign Up
File loading please wait...
Citation preview

MORE INCIDENTS THAT DEFINE

PROCESS SAFETY

.03&*/$*%&/545)"5 %&'*/&130$&444"'&5:

.03&*/$*%&/545)"5 %&'*/&130$&444"'&5:

$&/5&3'03$)&.*$"-130$&444"'&5: PGUIF  ".&3*$"/*/45*565&0'$)&.*$"-&/(*/&&34 /FX:PSL /: 

This edition first published 2020 © 2020 the American Institute of Chemical Engineers

A Joint Publication of the American Institute of Chemical Engineers and John Wiley & Sons, Inc. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, except as permitted by law. Advice on how to obtain permission to reuse material from this title is available at http://www.wiley.com/go/permissions. The rights of CCPS to be identified as the author of the editorial material in this work have been asserted in accordance with law. Registered Office John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, USA Editorial Office 111 River Street, Hoboken, NJ 07030, USA For details of our global editorial offices, customer services, and more information about Wiley products visit us at www.wiley.com.

Wiley also publishes its books in a variety of electronic formats and by print-on-demand. Some content that appears in standard print versions of this book may not be available in other formats. Limit of Liability/Disclaimer of Warranty While the publisher and authors have used their best efforts in preparing this work, they make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives, written sales materials or promotional statements for this work. The fact that an organization, website, or product is referred to in this work as a citation and/or potential source PGGVSUIFSJOGPSNBUJPOEPFTOPUNFBOUIBUUIFpublisher and authors endorse the information or TFSWJDFTUIFPSHBOJ[BUJPO XFCTJUF PSQSPEVDUNBZQSPWJEFor recommendations it may make. This XPSLJTTPMEXJUIUIFVOEFSTUBOEJOHUIBUUIFQVCMJTIFSJTOPUFOHBHFEin rendering professional TFSWJDFT5IFBEWJDFBOETUSBUFHJFTDPOUBJOFEIFSFJONBZOPUCFTVJUBCMFGPSZPVSsituation. You TIPVMEDPOTVMUXJUIBTQFDJBMJTUXIFSFBQQSPQSJBUF'VSUIFS SFBEFSTTIPVMECFBXBSFUIBUwebsites MJTUFEJOUIJTXPSLNBZIBWFDIBOHFEPSEJTBQQFBSFECFUXFFOXIFOUIJTXPSLXBTXSJUUFOBOE XIFOJUJTSFBE/FJUIFSUIFQVCMJTIFSOPSBVUIPSTTIBMMCFMJBCMFGPSBOZMPTTPGQSPGJUPSBOZPUIFS DPNNFSDJBMEBNBHFT JODMVEJOHCVUOPUMJNJUFEUPTQFDJBM JODJEFOUBM DPOTFRVFOUJBM PSPUIFS EBNBHFT Library of Congress Cataloging-in-Publication Data is available.  ISBN: 9781119561347

$PWFS%FTJHO8JMFZ  Printed in the United States of America  10 9 8 7 6 5 4 3 2 1

More Incidents that Define Process Safety

It is our sincere intention that the information presented in this document will lead to an even more impressive safety record for the entire industry; however, neither the American Institute of Chemical Engineers (AIChE), its consultants, CCPS Technical Steering Committee and Subcommittee members, their employers, their employers’ officers and directors, warrant or represent, expressly or by implication, the correctness or accuracy of the content of the information presented in this document. As between (1) AIChE, its consultants, CCPS Technical Steering Committee and Subcommittee members, their employers, their employers’ officers and directors, and (2) the user of this document, the user accepts any legal liability or responsibility whatsoever for the consequence of its use or misuse. and stayed internal to organization

2

More Incidents that Define Process Safety

Table of Contents 1 ........................................................................................................... 41 Introduction ....................................................................................... 41 1.1 WHY A SECOND VOLUME? ..................................................... 41 1.2 CCPS RISK BASED PROCESS SAFETY ELEMENTS.................. 42 1.3 HUMAN PERFORMANCE......................................................... 48 1.4 ORGANIZATION OF THIS BOOK............................................. 48 1.5 Engineering Design ................................................................. 49 1.6 How To Use The Book ............................................................ 50 1.7 Final Note ................................................................................. 50 2 ........................................................................................................... 52 Reactive Chemical Incidents ............................................................ 52 2.1 Introduction ............................................................................. 52 2.2 T2 Laboratories Runaway Reaction and Explosion, Florida, US, 2007 .......................................................................................... 53 2.3 HOECHST GRIESHEIM RUNAWAY REACTION, GERMANY, 1993 ................................................................................................. 60 2.4 ARCO CHANNELVIEW EXPLOSION, TEXAS, US, 1990 .......... 64 2.5 AMMONIUM NITRATE INCIDENTS ........................................ 68 2.6 WEST FERTILIZER COMPANY AN EXPLOSION, TEXAS, US, 2013..................................................................................................69 2.7 RUI HAI INTERNATIONAL LOGISTICS AN EXPLOSION, TIANJIN, CHINA, 2015 .................................................................... 78 2.8 PORT NEAL AMMONIUM NITRATE EXPLOSION, IOWA, US, 1994................................................................................................. 81 2.9 HICKSON & WELCH JET FLAME, UK, 1992 ............................ 86 2.10 OTHER INCIDENTS ................................................................ 92 2.11 ADDITIONAL RESOURCES .................................................... 93

.PSF*ODJEFOUTUIBU%FGJOF1SPDFTT4BGFUZ

3

3 ........................................................................................................... 96 Fire Incidents ..................................................................................... 96 3.1 INTRODUCTION....................................................................... 96 3.2 HOEGANAES METAL DUST FIRES, TENNESSEE, US, 2011... 97 3.3 CHEVRON RICHMOND REFINERY FIRE, CALIFORNIA, US, 2012 .............................................................................................. 105 3.4 VALERO-MCKEE LPG REFINERY FIRE, TEXAS, US, 2007 ..... 115 3.5 BLSR DEFLAGRATION AND FIRE, TEXAS, US, 2003 ............ 121 3.6 SIMILAR INCIDENTS .............................................................. 127 3.7 ADDITIONAL RESOURCES .................................................... 128 4 ......................................................................................................... 131 Explosion Incidents ......................................................................... 131 4.1 INTRODUCTION..................................................................... 131 4.2 BUNCEFIELD STORAGE TANK OVERFLOW AND EXPLOSION, UK, 2005 ....................................................................................... 135 4.3 PETROLEUM OIL LUBRICANTS EXPLOSION, JAIPUR, INDIA 2009 .............................................................................................. 145 4.4 CELANESE PAMPA EXPLOSION, TEXAS, US, 1987 ............. 151 4.5 WILLIAMS OLEFINS HEAT EXCHANGER RUPTURE, LOUISIANA, US, 2013 .................................................................. 158 4.6 IMPERIAL SUGAR DUST EXPLOSION, GEORGIA, US, 2008165 4.7 HAYES LEMMERZ DUST EXPLOSION, INDIANA, US, 2003 173 4.8 VARANUS ISLAND PIPELINE EXPLOSION, AUSTRALIA, 2008 ....................................................................................................... 182 4.9 NATURAL GAS PURGING EXPLOSIONS .............................. 189 4.10 OIL STORAGE TANK EXPLOSION, ITALY, 2006 ................. 194 4.11 NDK CRYSTAL VESSEL RUPTURE, ILLINOIS, 2009.............199 4.12 SIMILAR INCIDENTS ............................................................ 205

4

More Incidents that Define Process Safety

4.13 ADDITIONAL RESOURCES .................................................. 205 5 ......................................................................................................... 209 Environmental and Toxic Release Incidents ................................ 209 5.1 INTRODUCTION ..................................................................... 209 5.2 BP MACONDO WELL/TRANSOCEAN DEEPWATER HORIZON FIRE, EXPLOSION, AND ENVIRONMENTAL RELEASE, GULF OF MEXICO, US, 2010 ........................................................................ 210 5.3 FREEDOM INDUSTRIES, INC. CHEMICAL SPILL, WEST VIRGINIA, US 2014 ....................................................................... 222 5.4 MILLARD REFRIGERATED ANHYDROUS AMMONIA RELEASE, ALABAMA, US, 2010..................................................................... 228 5.5 DUPONT METHYL MERCAPTAN RELEASE, TEXAS, US, 2014 ....................................................................................................... 234 5.6 DUPONT PHOSGENE RELEASE, WEST VIRGINIA, US, 2010 ....................................................................................................... 242 5.7 DPC ENTERPRISES, L.P. CHLORINE RELEASE, MISSOURI, US, 2002............................................................................................... 249 5.8 GEORGIA-PACIFIC HYDROGEN SULFIDE POISONING, ALABAMA, US, 2002..................................................................... 257 5.9 CITGO HF RELEASE AND FIRE, TEXAS, US, 2009 ................ 262 5.10 HUBE GLOBAL HF RELEASE IN GUMI, SOUTH KOREA, 2012 ....................................................................................................... 265 5.11 OTHER INCIDENTS .............................................................. 270 5.12 ADDITIONAL RESOURCES .................................................. 270 6 ......................................................................................................... 272 Transportation Incidents................................................................ 272 6.1 INTRODUCTION ..................................................................... 272 6.2 MONTREAL, MAINE & ATLANTIC RAILWAY DERAILMENT AND FIRE, QUEBEC, CANADA, 2013 .......................................... 273

.PSF*ODJEFOUTUIBU%FGJOF1SPDFTT4BGFUZ

5

6.3 NORFOLK SOUTHERN COLLISION AND HAZARDOUS MATERIALS RELEASE, SOUTH CAROLINA, US, 2005 ................ 280 6.4 GAYLORD CHEMICAL NITROGEN TETROXIDE RELEASE, LOUISIANA, US, 1995 .................................................................. 284 6.5 PACIFIC GAS AND ELECTRIC COMPANY PIPELINE RUPTURE AND FIRE, CALIFORNIA, US, 2010 .............................................. 288 6.6 ADDITIONAL PIPELINE RELEASES........................................ 294 6.7 AIR FRANCE FLIGHT AF 447 RIO DE JANEIRO TO PARIS, 2009 ....................................................................................................... 299 6.8 OTHER INCIDENTS ................................................................ 302 6.9 ADDITIONAL RESOURCES .................................................... 303 7 ......................................................................................................... 304 Non-Oil/Chemical Incidents ........................................................... 304 7.1 INTRODUCTION..................................................................... 304 7.2 FUKUSHIMA DAIICHI NUCLEAR POWER PLANT RELEASE, JAPAN, 2011.................................................................................. 305 7.3 SEWOL FERRY SINKING, SOUTH KOREA, 2014 .................. 312 7.4 PIKE RIVER COAL MINE EXPLOSION, SOUTH ISLAND, NEW ZEALAND, 2010 ............................................................................ 318 7.5 BIG BRANCH MINE EXPLOSION, WEST VIRGINIA, US, 2010 ....................................................................................................... 323 7.6 UNIVERSITY LABORATORY INCIDENTS ............................... 327 7.7 MARS CLIMATE ORBITER MISHAP, 1999 ............................ 334 7.8 OTHER INCIDENTS ................................................................ 336 7.9 ADDITIONAL RESOURCES .................................................... 337 Appendix 1 ....................................................................................... 338 References ....................................................................................... 342 *OEFY ................................................................................................. 358

6

More Incidents that Define Process Safety

List of Figures Figure 1.2-1. Risk Based Process Safety (RBPS) approach Figure 2.2-1. A portion of the 3-inch thick reactor (courtesy CSB). Figure 2.2-2. T2 Laboratories blast (courtesy CSB). Figure 2.2-3. T2 Reactor. Figure 2.3-1. Reaction Sequence for Hoechst Griesheim Runaway Reaction. This reaction is exothermic, with a heat of reaction of 140 kJ/mole (132.7 BTU/mole) 2-chloronitrobenzene. Figure 2.4-1. Process flow diagram of the wastewater tank (courtesy CEP). Figure 2.6-1. Fertilizer building overview (courtesy CSB). Figure 2.6-2. Southwest view of Fertilizer Building (adapted from CSB). Figure 2.6-3. WFC and community growth (courtesy CSB). Figure 2.6-4. Overview of damaged EFC (courtesy CSB). Figure 2.6-5. Apartment complex damage (courtesy CSB video). Figure 2.6-6. Soot accumulation on FGAN pile (courtesy CSB video). Figure 2.7-1. The crater from 2015 Tianjin explosion (courtesy Shutterstock). Figure 2.8-1. Neutralizer and rundown tank, source (courtesy EPA). Figure 2.8-2. AN plant area after the explosion (courtesy EPA). Figure 2.9-1. Control room and office building after a jet flame impact (courtesy HSE). Figure 2.9-2. 360 base still (courtesy HSE). Figure 2.9-3. Still base and control room (courtesy HSE). Figure 3.2-1. Fine powdered metal collected from the Hoeganaes plant (penny shown for scale) (courtesy CSB).

.PSF*ODJEFOUTUIBU%FGJOF1SPDFTT4BGFUZ

7

Figure 3.2-2. Computer graphic of maintenance workers inspecting bucket elevator (courtesy CSB). Figure 3.2-3. The scene of January 2011 incident (courtesy CSB). Figure 3.2-4. Iron dust on rafters and overhead surfaces, February 3, 2011 (courtesy CSB). Figure 3.2-5. Hole in 4-inch piping after the May 27, 2011 incident (courtesy CSB). Figure 3.3-1. Vapor cloud and ignition seen from Marin County (courtesy CSB). Figure 3.3-2. Atmospheric separation process flow diagram (courtesy OSHA). Figure 3.3-3. Timeline (courtesy CSB). Figure 3.3-4. Location of the leak (courtesy CSB). Figure 3.3-5. Ruptured Crude Unit #4-sidecut pipe at Chevron refinery (courtesy CSB). Figure 3.3-6. Chevron’s new Leak Response Protocol (courtesy CSB). Figure 3.4-1. Process Flow Diagram of PDA unit (courtesy CSB). Figure 3.4-2. Abandoned propane mix control station (courtesy CSB). Figure 3.4-3. Crack in the propane mix control station piping (courtesy CSB). Figure 3.4-4. Photograph of damaged PDA unit, showing the location of butane sphere and chlorine cylinders (courtesy CSB). Figure 3.5-1. Typical vacuum truck used to haul oilfield waste liquids (courtesy CSB). Figure 3.5-2. Disposal/washout pad, hydraulic pumps and wooden stop beam (courtesy CSB). Figure 3.5-3. Layout of disposal/washout pad, vacuum trucks, and injuries (courtesy CSB).

8

More Incidents that Define Process Safety

Figure 3.5-4. Damaged trucks and disposal/washout pit area (courtesy CSB). Figure 4.1-1. Relationships between the different types of explosions. It is possible for several to occur with any incident (courtesy Crowl 2003). Figure 4.2-1. Buncefield storage depot after the explosion and fires (courtesy Buncefield). Figure 4.2-2. Buncefield storage depot before the explosion (courtesy Buncefield). Figure 4.2-3. Buncefield site – the extent of vapor cloud (gray line) (courtesy HSE). Figure 4.2-4. Breakup of liquid into drops spilling from tank top (adapted from HSE). Figure 4.2-5. Fires at CAPECO site (courtesy CSB). Figure 4.3-1. Jaipur site before explosion (courtesy HSE). Figure 4.3-2. Jaipur site after explosion (courtesy HSE). Figure 4.3-3. Burning storage tanks at Jaipur (courtesy SK Roy, HSE for IOC). Figure 4.3-4. Pipeline schematic (courtesy SK Roy, HSE for IOC). Figure 4.3-5. Hamer blind valve after explosion (courtesy SK Roy, HSE for IOC). Figure 4.4-1. Oxidation reactor after the explosion (courtesy Celanese). Figure 4.4-2. One of several units impacted by explosion (courtesy Celanese). Figure 4.4-3. Schematic of oxidation reactor (courtesy Celanese). Figure 4.4-4. Predicted flammable vapor cloud from reactor explosion (courtesy Celanese). Figure 4.5-1. Fireball in Williams Geismar plant (courtesy CSB).

.PSF*ODJEFOUTUIBU%FGJOF1SPDFTT4BGFUZ

9

Figure 4.5-2. Schematic of propylene fractionator (adapted from CSB). Figure 4.5-3. Reboiler B after the explosion (courtesy CSB). Figure 4.5-4. Example of car seal on a valve handle (www.totallockout.com/online-store/car-seals-2/ (accessed November 19, 2015)) (courtesy CSB). Figure 4.5-5. Ruptured heat exchanger at Goodyear Texas plant (courtesy CSB). Figure 4.6-1. Imperial Sugar refinery after the explosion (courtesy CSB). Figure 4.6-2. Imperia Sugar facility before the explosion. Granulated sugar storage silos and packing buildings are circled. Raw sugar warehouses in lower right (Chatham County, GA GIS photo) (CSB 2009a) Figure 4.6-3. Imperial Sugar Refinery after the explosion (courtesy CSB). Figure 4.6-4. Motor cooling fins and fan guard covered with sugar dust; large piles of sugar cover the floor (courtesy CSB). Figure 4.6-5. Secondary dust explosion (courtesy U.S. OSHA). Figure 4.7-1. Reverberatory furnace at Hayes Lemmerz plant (courtesy CSB). Figure 4.7-2. Dust collection system at Hayes Lemmerz plant (courtesy CSB. Figure 4.7-3. Dust collector and drop box remains after the explosion (courtesy CSB). Figure 4.8-1. Pipeline fires at Varanus Island (courtesy Bills and Agostini). Figure 4.8-2. Ruptured 12” sales gas line (courtesy Bills and Agostini). Figure 4.9-1. Gas-fired water heater piping and likely release points (courtesy CSB).

10

More Incidents that Define Process Safety

Figure 4.9-2. ConAgra Plant explosion aftermath (courtesy CSB). Figure 4.9-3. Location of natural gas outlet (oval) at Kleen Energy (courtesy CSB). Figure 4.10-1 Outdoor storage tanks after explosions (courtesy Marmo). Figure 4.10-2 Indoor storage facility after explosions (courtesy Marmo). Figure 4.10-3. Schematic of tank farm (adapted from Marmo). Figure 4.11-1. Ruptured vessel and damaged building at NDK (courtesy CSB). Figure 4.11-2. Cross section of crystallization vessel (not to scale) (courtesy CSB). Figure 5.2-1. Fire on Deepwater Horizon, source (courtesy CSB). Figure 5.2-2. Location of mud-gas separator and diverter lines (courtesy CSB). Figure 5.2-3. Macondo Well blowout preventer, source (courtesy CSB). Figure 5.3-1 – Flow path from Freedom Industries to West Virginia American Water Kanawha Valley Treatment Plant (courtesy CSB). Figure 5.3-2 – Layout of Freedom Industries site (courtesy CSB). Figure 5.4-1 – Location of Millard Refrigerated on Theodore, Alabama Industrial Canal (courtesy CSB). Figure 5.5-1 – DuPont building housing the Lannate® unit (courtesy CSB). Figure 5.5-2 – Location where drain valves were opened.

.PSF*ODJEFOUTUIBU%FGJOF1SPDFTT4BGFUZ

11

Figure 5.6-1 – Photo of hose used to transfer phosgene (courtesy CSB) Figure 5.7-1 – Failed chlorine transfer hose and release (courtesy CSB). Figure 5.8-1 – Layout of tank truck unloading station (courtesy CSB). Figure 5.10-1 – Hube Global and surrounding area (courtesy Korea Institute of Public Administration). Figure 5.10-2 – Hube Global HF release (courtesy of Korea Institute of Public Administration). Figure 5.10-3 – Crop damage due to Hube Global HF release (courtesy of Korea Institute of Public Administration). The sign in this photograph reads "Hydrofluoric Acid release accident disaster area. Absolutely no consumption or use. ~ Gumi City Safety Counsel." Figure 6.2-1. Lac-Megantic tank cars with breaches to their shells. Figure 6.2-2. DOT-117 Train car (courtesy DOT). Figure 6.3-1. Norfolk Southern Railway freight train derailment site (courtesy NTSB). Figure 6.5-1. PG&E pipeline rupture and fire in San Bruno (courtesy NTSB). Figure 6.5-2. Weld in failed PG&E pipeline (courtesy NTSB). Figure 6.5-3. Properly made weld (courtesy NTSB). Figure 6.6-1. Burned vegetation along the creek from Olympic pipeline release and fire (courtesy NTSB). Figure 7.2-1. Fukushima Daiichi nuclear reactor design (courtesy IAEA).

12

More Incidents that Define Process Safety

Figure 7.2-2. Fukushima Daiichi incident progression (courtesy IAEA). Figure 7.2-3. Fukushima Daiichi nuclear power plant elevations (courtesy Tokyo Electric Power Company) (OP: Sea level at Onahama Port). Figure 7.3-1. Sewol Ferry capsizing and sinking (courtesy South Korea Coast Guard & South Korea Media, Straits Times graphic adapted from AFP). Figure 7.4-1. Pike River Mine (courtesy stuff.co.nz). Figure 7.5-1. Shearer cutting coal (courtesy GIIP). Figure 7.6-1. Flammability range of hydrogen, oxygen and carbon dioxide as was handled in the University of Hawaii incident (courtesy UC). Figure 7.6-2. Swiss cheese model representing potential failures in university chemical laboratory process safety management (courtesy CSB).

.PSF*ODJEFOUTUIBU%FGJOF1SPDFTT4BGFUZ

ACRONYMS AND ABBREVIATIONS ABET

Accreditation Board for Engineering and Technology, Inc. (US)

AFPM

American Fuel and Petrochemical Manufacturers

AIChE

American Institute of Chemical Engineers

AIHA

American Industrial Hygiene Association

ALARP

As Low As Reasonably Practicable

AMF

Automatic Mode Function

AN

Ammonium Nitrate

API

American Petroleum Institute

APTAC

Automatic Pressure Tracking Adiabatic Calorimeter®

ARC

Accelerating Rate Calorimeter™

ASME

American Society of Mechanical Engineers

ATC

Air Traffic Control

ATG

Automatic Tank Gauging

BEA

Bureau of Investigation and Analysis (France)

BLEVE

Boiling Liquid Expanding Vapor Explosion

BOEMRE

Bureau of Ocean Energy Management Regulation and Enforcement

BOP

Blowout Preventer

13

14

More Incidents that Define Process Safety

BS&W

Basic Sediment and Water

BSEE

Bureau of Environmental Enforcement (US)

BSR

Blind Shear Ram

CalEPA

California Environmental Protection Agency

CCPS

Center for Chemical Process Safety

CFR

Code of Federal Registry (US)

COMAH

Control of Major Accident Hazards (UK)

COO

Conduct of Operations

CP

Cathodic Protection

CRW

Chemical Reactivity Worksheet

CSB

Chemical Safety and Hazard Investigation Board (US)

DDT

Deflagration to Detonation Transition

DDT

Dichlorodiphenyltrichloroethane

DHS

Department of Homeland Security (US)

DMP

Department of Mines and Petroleum (Australia)

DNT

Dinitrotoluene

DOCEP

Department of Consumer and Employment Protection (Australia)

DOIR

Department of Industry and Resources (Australia)

.PSF*ODJEFOUTUIBU%FGJOF1SPDFTT4BGFUZ

DOJ

Department of Justice (US)

DOT

Department of Transportation (US)

EIV

Emergency Isolation Valve

EPCRA

Emergency Planning and Community Right-toKnow Act (US)

EPA

Environmental Protection Agency (US)

ERPG

Emergency Response Planning Guideline (US)

ERS

Emergency Relief System

ERT

Etowah River Terminal, LLC

ESD

Emergency Shutdown System

ETC

Energy Technology Center Chevron

EU

European Union

FGAN

Fertilizer Grade Ammonium Nitrate

FMG

FM Global

FRC

Flame retardant clothing

GE

General Electric Company

H2S

Hydrogen Sulfide

HAZMAT

Hazardous Materials

HAZOP

Hazard and Operability Study

HCl

Hydrogen Chloride

15

16

More Incidents that Define Process Safety

HDPE

High-density polyethylene

HF

Hydrofluoric Acid

HIRA

Hazard Identification and Risk Analysis

HOV

Hand Operated Valve

HSE

Health & Safety Executive (UK)

IAEA

International Atomic Energy Agency

ICC

International Code Council

IDLH

Immediately Dangerous to Life and Health

IDPS

Incidents that Define Process Safety

IFC

International Fire Code

IFGC

International Fuel Gas Code

IHLS

Independent High-Level Switch

LEL

Lower Explosive Limit

LOPC

Loss of Primary Containment

LPG

Liquefied Petroleum Gas

LPO

Liquid phase oxidation

LRP

Leak Response Protocol (Chevron)

MAWP

Maximum Allowable Working Pressure

MEC

Minimum Explosion Concentration

MCHM

Methylcychohexanemethanol

.PSF*ODJEFOUTUIBU%FGJOF1SPDFTT4BGFUZ

17

MCMT

Methylcyclopentadienyl manganese tricarbonyl

MCO

Mars Climate Orbiter

MCPD

methylcyclopentadiene

MI

Mechanical Integrity

MIC

Methyl isocyanate

MIIB

Major Incident Investigation Board (UK)

MMA

Montreal, Main & Atlantic Railway

MMS

Mineral Management Service (US)

MNT

Mononitrotoluene

MOC

Management of Change

MOM

Ministry of Manpower (Singapore)

MoP&NG

Ministry of Petroleum and Natural Gas (India)

MOV

Motor Operated Valve

MSD

Material Safety Data

MSHA

Mining Health and Safety Administration (US)

NAIIC

Nuclear Accident Independent Investigation Commission

NASA

National Aeronautics and Space Administration

NaSH

Sodium hydrosulfide

NDK

Nihon Dempa Kogyo Company

18

More Incidents that Define Process Safety

NEC

National Electrical Code

NEP

National Emphasis Program (US)

NFPA

National Fire Protection Association

NOPSA

National Offshore Petroleum Safety Authority (Australia)

NPDES

National Pollutant Discharge Elimination System (US)

NTSB

National Transportation and Safety Board

OGJ

Oil and Gas Journal

ONRR

Office of Natural Resources Revenues

OMS

Operating Management System (BP)

OSHA

Occupational Safety and Health Administration (US)

P&ID

Piping and Instrumentation Diagram

PA

Public Address

PDA

Propane Deasphalting

PFD

Process Flow Diagram

PGERA

Petroleum and Geothermal Energy Resources Act (Western Australia)

PG&E

Pacific Gas and Electric Company

PHA

Process Hazard Analysis

.PSF*ODJEFOUTUIBU%FGJOF1SPDFTT4BGFUZ

19

PHMSA

Pipeline and Hazard Materials Safety Administration (US)

PMI

Positive Material Identification

PPA

Petroleum and Pipeline Act (Western Australia)

PPE

Personal Protective Equipment

PRV

Pressure Relief Valve

PSLA

Petroleum Submerged Lands Act (Western Australia)

PSM

Process Safety Management

PSSR

Pre-Start-up Safety Review

PSV

Pressure safety valve

PTFE

Polytetrafluoroethylene

QA

Quality Assurance

RBPS

Risk Based Process Safety (CCPS)

RHIL

Rui Hai International Logistics

RMP

Risk Management Plan

RSOV

Remote Shutoff Valves

SABIC

Saudi Basic Industries Corporation

SADT

Self-Accelerating Decomposition Temperature

SERC

State Emergency Response Committee

SCADA

Supervisory Control and Data Acquisition

20

More Incidents that Define Process Safety

SCBA

Self-contained Breathing Apparatus

SCC

Stress Corrosion Cracking

SDS

Safety Data Sheet

SGL

Sales gas pipeline

SOP

Safe Operating Procedure

SWA

Stop Work Authority

SWP

Safe Work Practices

TEPCO

Tokyo Electric Power Company

TGAN

Technical Grade Ammonium Nitrate

TNT

Trinitrotoluene

TWA PEL

Time Weighted Average Permissible Exposure Limit

UEL

Upper Explosive Limit

UK

United Kingdom

US

United States

VBR

Variable Bore Rams

VCE

Vapor Cloud Explosion

VSP

Vent Sizing Package™

WFC

West Fertilizer Company

WVAW

West Virginia American Water

.PSF*ODJEFOUTUIBU%FGJOF1SPDFTT4BGFUZ

WVDEP

West Virginia Department of Environmental Protection

21

22

More Incidents that Define Process Safety

GLOSSARY Many of these terms and definitions are taken from the CCPS Glossary, which is continually updated. Please check the glossary at www.aiche.org/ccps/resources/glossary for the most current definition.

Asset Integrity

The condition of an asset that is properly designed and installed in accordance with specifications and remains fit for purpose.

Atmospheric Storage Tank

A storage tank designed to operate at any pressure between ambient pressure and 0.5 psig (3.45 kPa gauge).

Boiling Liquid Expanding Vapor Explosion (BLEVE)

A type of rapid phase transition in which a liquid contained above its atmospheric boiling point is rapidly depressurized, causing a nearly instantaneous transition from liquid to vapor with a corresponding energy release. A BLEVE of flammable material is often accompanied by a large aerosol fireball, since an external fire impinging on the vapor space of a pressure vessel is a common cause. However, it is not necessary for the liquid to be flammable to have a BLEVE occur.

Combustible Dust

A finely divided combustible particulate solid that presents a flash-fire hazard or explosion hazard when suspended in air or the process specific oxidizing medium over a range of concentrations.

.PSF*ODJEFOUTUIBU%FGJOF1SPDFTT4BGFUZ

23

Combustible Liquid

A term used to classify certain liquids that will burn on the basis of flash points. The National Fire Protection Association (NFPA) defines a combustible liquid as any liquid that has a closed-cup flash point above 100°F (37.8°C) (NFPA 30). There are three subclasses, as follows; Class II liquids have flash points at or above 100°F (37.8°C) but below 140°F (60°C). Class III liquids are subdivided into two additional subclasses; Class IIIA: Those having flash points at or above 140° F (60°C) but below 200°F (93.4°C), Class IIIB: Those having flash points at or above 200°F (93.4°C). The Department of Transportation (DOT) defines combustible liquids as those having flash points above 140°F (60.5°C) and below 200°F (93.4°C).

Conduct of Operations (COO)

The embodiment of an organization’s values and principles in management systems that are developed, implemented, and maintained to (1) structure operational tasks in a manner consistent with the organization's risk tolerance, (2) ensure that every task is performed deliberately and correctly, and (3) minimize variations in performance.

Confined Space

A confined space has limited or restricted means for entry or exit and is not designed for continuous occupancy. Confined spaces include, but are not limited to, tanks, vessels, silos, storage bins, hoppers, vaults, pits, manholes,

24

More Incidents that Define Process Safety

tunnels, equipment housings, ductwork, pipelines, etc. (OSHA 2019) Deflagration

Combustion that propagates by heat and mass transfer through the unreacted medium at a velocity less than the speed of sound.

Detonation

A release of energy caused by the propagation of a chemical reaction in which the reaction front advances into the unreacted substance at greater than sonic velocity in the unreacted material.

Emergency Isolation Valve (EIV)

An EIV is a special category of valve that is dedicated to the purpose of isolating large inventories of flammable or toxic material from sources or equipment whose relative likelihood of significant leakage is high. (AIChE.confex.com)

Emergency Planning and Community Rightto-Know Act (EPCRA)

The Emergency Planning and Community Right-to-Know Act (EPCRA) of 1986 was created to help communities plan for chemical emergencies. It also requires industry to report on the storage, use and releases of hazardous substances to federal, state, and local governments. EPCRA requires state and local governments, and Indian tribes to use this information to prepare their community from potential risks.

Explosion

The bursting or rupture of an enclosure or container due to the development of internal pressure from a deflagration.

.PSF*ODJEFOUTUIBU%FGJOF1SPDFTT4BGFUZ

25

Flammable Liquids

Any liquid that has a closed-cup flash point below 100°F (37.8°C), as determined by the test procedures described in NFPA 30 and a Reid vapor pressure not exceeding 40 psia (2068.6 mm Hg) at 100°F (37.8°C), as determined by ASTM D 323, Standard Method of Test for Vapor Pressure of Petroleum Products (Reid Method). Class IA liquids shall include those liquids that have flash points below 73°F (22.8°C) and boiling points below 100°F (37.8°C). Class IB liquids shall include those liquids that have flash points below 73°F (22.8°C) and boiling points at or above 100°F (37.8°C). Class IC liquids shall include those liquids that have flash points at or above 73°F (22.8°C), but below 100°F (37.8°C). (NFPA 30).

Hazard Analysis

The identification of undesired events that lead to the materialization of a hazard, the analysis of the mechanisms by which these undesired events could occur and usually the estimation of the consequences.

Hot Work

Any operation that uses flames or can produce sparks (e.g., welding).

Incident

An event, or series of events, resulting in one or more undesirable consequences, such as harm to people, damage to the environment, or asset/business losses. Such events include fires, explosions, releases of toxic or otherwise harmful substances, and so forth.

26

More Incidents that Define Process Safety

Incident Investigation

A systematic approach for determining the causes of an incident and developing recommendations that address the causes to help prevent or mitigate future incidents. See also Root cause analysis and Apparent cause analysis.

Interlock

A protective response which is initiated by an out-of-limit process condition. An instrument which will not allow one part of a process to function unless another part is functioning. A device such as a switch that prevents a piece of equipment from operating when a hazard exists. To join two parts together in such a way that they remain rigidly attached to each other solely by physical interference. A device to prove the physical state of a required condition and to furnish that proof to the primary safety control circuit.

Lower Explosive Limit (LEL)

That concentration of a combustible material in air below which ignition will not occur. It is often, interchangeably called Lower Flammability Limit (LFL) and for dusts, the Minimum Explosible Concentration (MEC).

Loss of Primary Containment (LOPC)

An unplanned or uncontrolled release of material from primary containment, including non-toxic and nonflammable materials (e.g., steam, hot condensate, nitrogen, compressed CO2 or compressed air).

.PSF*ODJEFOUTUIBU%FGJOF1SPDFTT4BGFUZ

27

Management of Change (MOC)

A management system to identify, review, and approve all modifications to equipment, procedures, raw materials, and processing conditions, other than replacement in kind, prior to implementation to help ensure that changes to processes are properly analyzed (for example, for potential adverse impacts), documented, and communicated to employees affected.

Management System

A formally established set of activities designed to produce specific results in a consistent manner on a sustainable basis.

Maximum Allowable Working Pressure (MAWP)

The maximum gauge pressure permissible at the top of a completed vessel in its normal operating position at the designated coincident temperature specified for that pressure. The pressure is the least of the values for the internal or external pressure as determined by the vessel design rules for each element of the vessel using actual nominal thickness, exclusive of additional metal thickness allowed for corrosion and loading other than pressure. The MAWP is the basis for the pressure setting of the pressure relief devices that protect the vessel. The MAWP is normally greater than the design pressure but can be equal to the design pressure when the design rules are used only to calculate the minimum thickness for each element and calculations are not

28

More Incidents that Define Process Safety

made to determine the value of the MAWP. (API RP 520) Mechanical Integrity

A management system focused on ensuring that equipment is designed, installed, and maintained to perform the desired function.

Minimum Explosion Concentration (MEC)

The minimum explosible concentration is the lowest concentration of dust or powder that will ignite on contact with an ignition source and propagate a dust explosion. (www.bre.co.uk)

Near-Miss

An event in which an accident (that is, property damage, environmental impact, or human loss) or an operational interruption could have plausibly resulted if circumstances had been slightly different.

Operating Procedures

Written, step-by-step instructions and information necessary to operate equipment, compiled in one document including operating instructions, process descriptions, operating limits, chemical hazards, and safety equipment requirements.

Operational Readiness

A PSM program element associated with efforts to ensure that a process is ready for start-up/restart. This element applies to a variety of restart situations, ranging from restart after a brief maintenance outage to restart of a process that has been mothballed for several years.

.PSF*ODJEFOUTUIBU%FGJOF1SPDFTT4BGFUZ

29

OSHA Process Safety Management (OSHA PSM)

A US regulatory standard that requires the use of a 14-element management system to help prevent or mitigate the effects of catastrophic releases of chemicals or energy from processes covered by the regulations 49 CFR 1910.119.

Pressure Relief Valve (PRV)

A pressure relief device which is designed to reclose and prevent the further flow of fluid after normal conditions have been restored.

Pre-Start-up Safety Review (PSSR)

A systematic and thorough check of a process prior to the introduction of a highly hazardous chemical to a process. The PSSR must confirm the following: Construction and equipment are in accordance with design specifications; Safety, operating, maintenance, and emergency procedures are in place and are adequate; A process hazard analysis has been performed for new facilities and recommendations and have been resolved or implemented before startup, and modified facilities meet the management of change requirements; and training of each employee involved in operating a process has been completed.

Process Knowledge Management

A Process Safety Management (PSM) program element that includes work activities to gather, organize, maintain, and provide information to other PSM program elements. Process safety knowledge primarily consists of written documents such as hazard information,

30

More Incidents that Define Process Safety

process technology information, and equipment-specific information. Process safety knowledge is the product of this PSM element. Process Safety Culture

The common set of values, behaviors, and norms at all levels in a facility or in the wider organization that affect process safety.

Process Safety Incident/Event

An event that is potentially catastrophic, i.e., an event involving the release/loss of containment of hazardous materials that can result in large-scale health and environmental consequences.

Process Safety Information (PSI)

Physical, chemical, and toxicological information related to the chemicals, process, and equipment. It is used to document the configuration of a process, its characteristics, its limitations, and as data for process hazard analyses.

Process Safety Management (PSM)

A management system that is focused on prevention of, preparedness for, mitigation of, response to, and restoration from catastrophic releases of chemicals or energy from a process associated with a facility.

Process Safety Management Systems

Comprehensive sets of policies, procedures, and practices designed to ensure that barriers to episodic incidents are in place, in use, and effective.

Reactive Chemical

A substance that can pose a chemical reactivity hazard by readily oxidizing in

.PSF*ODJEFOUTUIBU%FGJOF1SPDFTT4BGFUZ

31

air without an ignition source (spontaneously combustible or peroxide forming), initiating or promoting combustion in other materials (oxidizer), reacting with water, or self-reacting (polymerizing, decomposing or rearranging). Initiation of the reaction can be spontaneous, by energy input such as thermal or mechanical energy, or by catalytic action increasing the reaction rate. Risk Management Program (RMP) Rule

EPA’s accidental release prevention rule, which requires covered facilities to prepare, submit, and implement a risk management plan.

Risk Based Process Safety (RBPS)

The Center for Chemical Process Safety’s (CCPS) PSM system approach that uses risk-based strategies and implementation tactics that are commensurate with the risk-based need for process safety activities, availability of resources, and existing process safety culture to design, correct, and improve process safety management activities.

Safe Work Practices (SWP)

An integrated set of policies, procedures, permits, and other systems that are designed to manage risks associated with non-routine activities such as performing hot work, opening process vessels or lines, or entering a confined space.

Supervisory Control and Data

SCADA refers to industrial control systems used to control infrastructure processes (water treatment, wastewater

32

More Incidents that Define Process Safety

Acquisition (SCADA)

treatment, gas pipelines, wind farms, etc.), facility-based processes (airports, space stations, ships, etc.), or industrial processes (production, manufacturing, refining, power generation, etc.).

Shelter-in-Place

A process for taking immediate shelter in a location readily accessible to the affected individual by sealing a single area (an example being a room) from outside contaminants and shutting off all HVAC systems.

Stop Work Authority (SWA)

All staff and contractors on a plant site have the Authority and Obligation to stop work when an unsafe condition or act is observed that could affect the safety of personnel and/or the environment.

Upper Explosive Limit (UEL)

The highest concentration of a vapor or gas (the highest percentage of the substance in air) that will produce a flash of fire when an ignition source (heat, arc, or flame) is present. See also Lower Explosive Limit. At concentrations higher than the UEL, the mixture is too rich to burn. Also known as the Upper Flammability Limit.

.PSF*ODJEFOUTUIBU%FGJOF1SPDFTT4BGFUZ

Vapor Cloud Explosion (VCE)

33

The explosion resulting from the ignition of a cloud of flammable vapor, gas, or mist in which flame speeds accelerate to sufficiently high velocities to produce significant overpressure.

34

More Incidents that Define Process Safety

ACKNOWLEDGMENTS

The American Institute of Chemical Engineers (AIChE) and the Center for Chemical Process Safety (CCPS) express their appreciation and gratitude to all members of the More Incidents that Define Process Safety subcommittee and their CCPS member companies for their generous support and technical contributions in the preparation of this book. Subcommittee Members: Sean Dee

Exponent

Tony Downes

Honeywell

Rhian Drath Morgan

BP

Rajender Dahiya

AIG

Jerry Forest

Celanese

Cheryl Grounds

CCPS – Staff Consultant

Melissa Holliday

Dow

Derek Miller

Air Products

Albert Ness

CCPS – Staff Consultant

David Prior

Honeywell

Bhavesh Shukla

Michelman

Karen Tancredi

Chevron

Tracy Whipple

BP

.PSF*ODJEFOUTUIBU%FGJOF1SPDFTT4BGFUZ

35

The collective industrial experience of the subcommittee members makes this book especially valuable to all who strive to learn from incidents, take action to prevent their recurrence and improve process safety performance. The book committee wishes to express their appreciation to Albert Ness and Cheryl Grounds of CCPS for their contributions in authoring this book. Before publication, all CCPS books are subjected to a thorough peer review process. CCPS gratefully acknowledges the thoughtful comments and suggestions of the peer reviewers. Their work enhanced the accuracy and clarity of these guidelines.

Peer Reviewers: Dave Fargie

BP

Jennifer Leas

Michelman

Pete Lodal

Eastman Chemical

Jack McCavit

JL McCavit Consulting, LLC

Gene Meyer

Kraton Corporation

Jordi Costa Sala

Celanese

Lydia Wilkinson

Celanese

Although the peer reviewers have provided many constructive comments and suggestions, they were not asked to endorse this book and were not shown the final manuscript before its release.

36

More Incidents that Define Process Safety

PREFACE

The Center for Chemical Process Safety (CCPS) was created by the AIChE in 1985 after the chemical disasters in Mexico City, Mexico, and Bhopal, India. The CCPS is chartered to develop and disseminate technical information for use in the prevention of major chemical accidents. The Center is supported by more than 180 chemical process industry sponsors who provide the necessary funding and professional guidance to its technical committees. The major product of CCPS activities has been a series of guidelines to assist those implementing various elements of a process safety and risk management system. This book is part of that series. The AIChE has been closely involved with process safety and loss control issues in the chemical and allied industries for more than five decades. Through its strong ties with process designers, constructors, operators, safety professionals, and members of academia, AIChE has enhanced communications and fostered continuous improvement of the industry’s high safety standards. AIChE publications and symposia have become information resources for those devoted to process safety and environmental protection. The integration of process safety into the engineering curricula is an ongoing goal of the CCPS. To this end, CCPS created the Safety and Chemical Engineering Education committee, which develops training modules for process safety. One textbook covering the technical aspects of process safety for students already exists; however, there is no textbook covering the concepts of process safety management and the need for process safety for students. The CCPS Technical Steering Committee

.PSF*ODJEFOUTUIBU%FGJOF1SPDFTT4BGFUZ

initiated the creation of this book to assist universities in meeting this challenge and to engineering programs in meeting recent requirements for including process safety into engineering curricula.

37

colleges and aid chemical accreditation the chemical

38

More Incidents that Define Process Safety

Foreword

Bhopal. BP Texas City. Piper Alpha. Longford. The Titanic. Chernobyl. If you’ve spent any time in process safety, you no doubt have at least a passing familiarity with these disasters. They have been the subject of investigation reports, books, and even movies. They capture the public imagination not only because the human and environmental cost was so high, but also because we learn in the retelling that each of these was preventable. We in the process safety community study them so that we can direct our efforts to preventing incidents of this magnitude in the future. We aim to turn hindsight into foresight. Risk-based process safety, regulations, guidance, codes, and standards provide a framework for the safe operation of even the highest hazard industries, yet incidents continue to occur. As a Board Member and acting head of the U.S. Chemical Safety and Hazard Investigation Board (CSB), I have borne witness to several major process safety incidents during my tenure. Some of the incidents in this book were still under investigation by the CSB when I joined in 2015. In addition to overseeing our active investigations, I have pored over past CSB reports hoping to gain some insight into why, despite all the guidance, all the efforts of groups like the Center for Chemical Process Safety, and all the case histories, process safety incidents continue to occur. I wish I could say I have an easy answer. Instead, what I believe will continue to advance process safety are a recommitment to its fundamental principles and a continual effort to learn from past incidents. People who have worked in an industry long enough may have their own personal experience with a major process safety incident. Indeed, I know many

.PSF*ODJEFOUTUIBU%FGJOF1SPDFTT4BGFUZ

39

engineers who transitioned into process safety or incident investigation after their facility experienced a major incident, often involving a fatality or serious injuries. Safety, which had been part of their training as engineers, became deeply personal to them. But the younger generation will not have had these experiences, nor should we expect them to have to go through a tragic ordeal to put process safety principles at the forefront of their thinking during every task on every day. That’s where case studies come in. Sharing lessons from major incidents allows us to discover the gaps in our safety management systems so they can be closed to prevent similar incidents in the future. This book makes a vital contribution to this goal by presenting case studies from incidents in multiple sectors—including oil and gas, chemical manufacturing, transportation, mining, nuclear, even space exploration—and from around the world. They can be broadly characterized as technological incidents and, though they don’t all involve process safety, we can apply lessons from PSM to each one of them. It is essential when analyzing an incident to probe deeper than an equipment malfunction or seemingly questionable human decision to get at the underlying factors. Each case in this volume describes the incident from both a technical and human perspective, grounding the incident in the fundamental principles of process safety. Taken together, the cases reinforce the importance of process hazard analysis, management of change, emergency planning and response, and other elements of risk-based process safety. Some of these cases demonstrate that, while compliance with industry-specific standards and regulations is essential, it may be insufficient to prevent an incident. Indeed, the CSB’s case history includes incidents that involved substances or processes not adequately addressed by existing regulations or standards. Examples in this book include the West Fertilizer Company

40

More Incidents that Define Process Safety

explosion, the combustible dust explosions at Hoeganaes Corporation and Imperial Sugar, and the Chevron Richmond Refinery fire. Where we have identified these gaps, we have issued formal recommendations to close them. In many of these cases, faithful adherence to the elements of risk-based process safety may have prevented the incident even in the absence of a standard or regulation. As a repository of information about past incidents, this book can provide the foundation for a renewed commitment to process safety among experienced professionals as well as illustrating its importance to those entering the workforce. I encourage readers of this book who intend to use it in an educational context to bring these cases to life for the audience. Actively engage the learner in the content so that it comes alive for them. There are stories behind every one of these incidents. Stories of loss, injury or death that don’t leap off the page when looking only at the technical descriptions. But it is in the telling of a story that people learn and remember these important lessons. It is in the telling of a story that we turn hindsight into foresight.

Kristen M. Kulinowski, Ph.D. Board Member and Interim Executive Authority U.S. Chemical Safety and Hazard Investigation Board

Chapter 1 Introduction

41

1 Introduction “Organizations have no memory – only people do.” Trevor Kletz

1.1 WHY A SECOND VOLUME? Incidents that Define Process Safety (IDPS) (CCPS 2008) is one of the most popular books in the CCPS collection. Clearly, there is a desire to learn from incidents in the process safety community. So, what makes a second volume necessary? First, the international growth of the chemical and petrochemical industries, especially in Asia. Incidents from around the world are included in both of these books. This second volume includes incidents from China, India, Japan, United Kingdom, and the United States. Second, the passage of more than ten years has created a new audience less versed in the historical record. If you go into a chemical engineering classroom today and ask, “How many people here have heard of Bhopal?” almost no one will raise their hand. Yet Bhopal was the worst industrial accident in history. Third, and most troubling; incidents keep happening. Some of the same types of incidents are being repeated. It is hoped that by continuing to make people aware of these incidents and creating an opportunity to learn from them, that people will take actions to prevent their recurrence. At the time Incidents that Define Process Safety was being written, CCPS was developing a new generation of process safety management elements that were presented in the book Guidelines for Risk Based Process Safety (RBPS) (CCPS 2007). The

42

More Incidents that Define Process Safety

incident descriptions in this book will identify management system failures aligned with the RBPS elements.

1.2 CCPS RISK BASED PROCESS SAFETY ELEMENTS Elements of process safety management (PSM) were encoded in documents such as Guidelines for Implementing Process Safety Management Systems (CCPS 1994) and in regulations including the United States OSHA’s Process Safety Management of Highly Hazardous Chemicals regulation (OSHA 1992). Both of these documents are credited with improving process safety. In the mid-2000s, CCPS developed and published Guidelines for Risk Based Process Safety (RBPS) (CCPS 2007) to move to the next generation of process safety management. RBPS recognizes that not all hazards are equal and emphasizes that the resources devoted to PSM should be appropriate to the hazards and risks of a given operation, in addition to meeting regulations and codes. RBPS also added several elements to the management of process safety. There are twenty elements of RBPS, divided into four “pillars”: Pillar I. Commit to Process Safety Pillar II. Understand Hazards and Risk Pillar III. Manage Risk Pillar IV. Learn from Experience. The pillars and elements of the CCPS RBPS framework are shown in Figure 1.2-1. These pillar and element numbers will be referred to, as needed, during the incident discussions.

Chapter 1 Introduction

43

Figure 1.2-1 Risk Based Process Safety (RBPS) approach 1.2.1 Pillar I - Commit to Process Safety This is the cornerstone of process safety excellence. Organizations generally do not improve without strong leadership and solid commitment. The entire organization must make the same commitment. The five elements in this pillar are: 1. Process Safety Culture. Process safety culture is a commonly held set of values, norms, and beliefs. It can be stated as “How we do things around here,” “What do we expect here,” and “How we behave when no one is watching.” 2. Compliance with Standards. Compliance with standards requires identifying, developing, and implementing standards. Standards should be developed for both new construction and existing equipment. These can be internal and external standards, national and international codes and standards, and local jurisdiction regulations and laws. 3. Process Safety Competency. Process safety competency requires creating, developing, and maintaining process safety knowledge; continuously improving that knowledge and competency; ensuring that appropriate

44

More Incidents that Define Process Safety

process safety information is available to people who need it; and consistently applying that knowledge. 4. Workforce Involvement. Workforce involvement is active participation of company and contractor workers in the design, development, implementation, and continuous improvement of process safety in the workplace. 5. Stakeholder Outreach. Stakeholder outreach strives to make relevant process safety information available to a variety of organizations, including the neighboring community, local emergency responders, and other companies in the industry.

1.2.2 Pillar II - Understand Hazards and Risk Organizations that understand their hazards and risks are better able to allocate resources in the most effective manner to manage those risks. The two elements in this pillar are: 6. Process Knowledge Management. Process knowledge management involves activities associated with compiling, cataloging, and making process safety information (PSI) available. It also includes understanding the information, not simply compiling data. 7. Hazard Identification and Risk Analysis (HIRA). HIRA encompasses all activities involved in identifying hazards and evaluating risks at facilities, throughout their life cycle, to make certain that risks to employees, the public, and the environment are managed within the organization’s risk tolerance.

1.2.3 Pillar III - Manage Risk The “Manage Risk” pillar focuses on three issues: safely operating and maintaining processes that pose the risk, managing changes to those processes to ensure that the risk remains tolerable, and

Chapter 1 Introduction

45

preparing for, responding to, and managing incidents that do occur. The nine elements in this pillar are; 8. Operating Procedures. Operating Procedures requires written instructions for all phases of operation, including routine, non-routine, and emergency. Good procedures also describe the process, hazards, tools, protective equipment, and controls in sufficient detail so that operators understand the hazards, can verify that controls are in place, and can confirm that the process responds in an expected manner. 9. Safe Work Practices (SWP). SWP covers non-routine work and is often supplemented with permits. These fill the gap between operating and maintenance procedures and the hazards and risks specific to the work being conducted at the time. 10. Asset Integrity and Reliability. Asset integrity and reliability is the systematic implementation of inspections, tests, and maintenance to ensure that equipment and safety-critical devices will be functional for their intended application throughout their life. 11. Contractor Management. Contractor management is a system of controls to ensure that contracted services support both safe facility operations and the company’s process safety and personal safety performance goals. This element includes the selection, acquisition, use, and monitoring of such contracted services. 12. Training and Performance Assurance. Training and performance assurance involves practical instruction in job and task requirements and methods. Performance assurance provides a means by which workers demonstrate that they have understood the training and can apply it in practical situations.

46

More Incidents that Define Process Safety

13. Management of Change (MOC). MOC strives to ensure that changes to a process do not inadvertently introduce new hazards or unknowingly increase risks. This includes a review and authorization process for identifying and evaluating proposed changes to facility design, operations, organization, or activities prior to implementation; ensuring that potentially affected personnel are notified of the change; and that procedures, process safety knowledge, and other key information are kept up to date. 14. Operational Readiness. Operational readiness ensures that an operation is verified to be in a safe condition and ready for restart, regardless of how long the operation was shut down. 15. Conduct of Operations. Conduct of operations is the execution of operational and management tasks in a deliberate and structured manner. Conduct of operations addresses management systems. Operational discipline addresses the execution of the conduct of operations. Operational discipline is the performance of all tasks correctly every time. Workers at every level are expected to perform their duties with alertness, due thought, full knowledge, sound judgment, and a proper sense of pride and accountability. Conduct of operations and operational discipline are closely tied to an organization’s culture 16. Emergency Management. Emergency management includes planning for possible emergencies; providing resources to execute the plan; practicing and improving the plan; training or informing employees, contractors, neighbors, and local authorities; and effectively communicating with stakeholders in the event an incident does occur.

Chapter 1 Introduction

47

1.2.4 Pillar IV - Learn from Experience Learning from experience involves identifying learnings, sharing them so that others may learn, and taking action. Learnings are sought from internal and external sources of information. The last four elements are in this pillar: 17. Incident Investigation. Incident investigation includes investigating incidents, and the trending of incident investigation data to identify recurring incidents. This process also manages the documentation and resolution of recommendations generated by the investigations. 18. Measurement and Metrics. Measurement and metrics establishes performance and efficiency indicators to monitor the effectiveness of the RBPS management system and its constituent elements and work activities. It addresses which leading and lagging indicators to consider, how often to collect data, and what to do with the information to help ensure responsive, effective RBPS management system operation. 19. Auditing. Audits are intended to evaluate that the implementation and effectiveness of management systems are performing as intended and offer findings and recommendations for weaknesses found. 20. Management Review and Continuous Improvement. Management review and continuous improvement is the routine evaluation of whether management systems are performing as intended and producing the desired results as efficiently as possible. It is an ongoing “due diligence” review by management that fills the gap between day-to-day work activities and periodic formal audits.

48

More Incidents that Define Process Safety

1.3 HUMAN PERFORMANCE As Dr. Trevor Kletz, renowned safety advisor and high-risk industry expert, stated, “For a long time, people were saying that most accidents were due to human error, and this is true in a sense, but it’s not very helpful. It’s a bit like saying that falls are due to gravity.” Too often incident investigations conclude with the finding of “human error.” A good investigation will continue on from this point to ask why the human took that action. Was the operator following a procedure that was incorrect? Was the operator performing the work in the way he thought best because he had never been trained on that task? Was it difficult to perform that work because the design of the equipment did not provide adequate access? Was the site short-staffed so he was too busy to give the task the attention it warranted? Was the operator pressured because leadership had stated targets based on production and been silent on safety targets? The reason why the human took that action often lies in the management systems that define the company’s operations. Human performance issues will likely be due to such RBPS elements as Process Safety Culture, Workforce Involvement, Training and Performance Assurance, Conduct of Operations, or Operating Procedures. As we strive to learn from incidents, our efforts should be directed to keeping the human in mind as we design and manage operations. This will aim to support the human in a successful operation and potentially preventing an incident. The CCPS book Human Factors Methods for Improving Performance in the Process Industries provides information on human factors as it applies to process safety. (CCPS 2007a)

1.4 ORGANIZATION OF THIS BOOK The first volume in this series, Incidents that Define Process Safety, was organized by major process element failures. In this second volume, the incident descriptions recognize the management

Chapter 1 Introduction

49

system failures contributing to the incident. The book chapters are organized by the incident type: Chapter 2 – Reactive Chemical Incidents Chapter 3 – Fire Incidents Chapter 4 – Explosion Incidents Chapter 5 - Toxic and Environmental Release Incidents Chapter 6 – Transportation Incidents Chapter 7 - Non-Oil/Chemical Incidents Many incidents relate to more than one category. For example, an uncontrolled chemical reaction can cause a toxic release, fire, and/or explosion. An environmental release could also cause a fire and explosion. Judgment was used in selecting the single chapter in which an incident is described. Management system failures are described for each incident based on publicly available evidence, avoiding speculation. For example, one could infer that process safety culture deficiencies existed in most of the companies or facilities involved. However, unless there is written evidence of this, process safety culture is not listed.

1.5 ENGINEERING DESIGN When working through the RBPS elements, it can be challenging to identify where engineering design fits in. The CCPS Guidelines on Engineering Design for Process Safety, 2nd edition (CCPS 2012) includes reference to RBPS at the end of the Foundational Concepts section (Chapter 2), specifically noting the importance of process safety culture, compliance with standards, workforce involvement, hazard identification and risk assessment, management review, and continuous improvement. For example, in Section 2.2 - T2 Laboratories Runaway Reaction and Explosion, the batch reactor design was deficient in many respects

50

More Incidents that Define Process Safety

(inadequate pressure relief, insufficient safeguards against cooling failure). The failed design was due to inadequate process safety knowledge.

1.6 HOW TO USE THE BOOK One approach for the use of this book is to simply read it to learn about the incidents and how RBPS impacts an operation. A second approach is to leverage these incident descriptions for use in process safety presentations within your organization. Each incident is preceded by a selection of “Key Points” highlighting the RBPS elements involved in that incident. Presentations can be organized around a particular RBPS element or by incident type. A third approach is to look for incidents in a certain industry to learn about what is most similar to your operations. It is also good to recognize that lessons can be applied to many different industries in different parts of the world. The matrix provided in Appendix 1 shows the relationships between incidents in this book, the RBPS elements, and the industries in which they occurred. 1.7 FINAL NOTE The majority of the incidents discussed in this book occurred in the United States and were investigated/reported on by the US Chemical Safety and Hazard Investigation Board (CSB). Incidents from other countries are included but were more challenging to describe because of a lack of public availability of factual investigative information. Federal bodies in the US, UK, and many EU countries are very good at investigating, reporting, and disseminating information on major incidents; however, they are limited in the number of incidents they can investigate. In addition, the availability of investigation reports from the companies that suffered the incidents is notably scarce, especially in the US. It is a credit to those agencies and companies who do share investigation data and a request to those who don’t currently do so, as this information sharing assists with advancing process safety for the whole world. We, the collaborative

Chapter 1 Introduction

51

industrial CCPS team working on this book, hope that other companies and national agencies will begin sharing so that we all may continue to learn.

52

More Incidents that Define Process Safety

2 Reactive Chemical Incidents 2.1 INTRODUCTION “Safely conducting chemical reactions is a core competency of the chemical industry” (CSB 2002) states the executive summary of a US Chemical Safety Board (CSB) study of reactive chemical incidents. Yet, reactive chemical incidents continue to occur. This study reviewed 167 incidents in the US over a twenty-one-year period. A few statistics: Forty-eight (29%) resulted in a total of 108 fatalities. 37% resulted in toxic gas emissions. 30% of the incidents affected the public. Over 50% involved chemicals not covered by U.S. OSHA or EPA regulations. 36% were due to chemical incompatibilities. 35% were due to runaway reactions. 10% were due to thermally sensitive or impact-sensitive materials. 70% occurred in the chemical industry, 30% occurred in other industries. More than 65% occurred in storage or other process equipment. 25% occurred in chemical reactors. More than 90% involved reactive hazards that were documented in publicly available literature. This chapter describes four incidents involving reactors, two involving bulk storage, and one in a wastewater tank. Resources for managing chemical reactivity hazards are provided at the end of the chapter.

Chapter 2 Reactive Chemical Incidents

53

2.2 T2 LABORATORIES RUNAWAY REACTION AND EXPLOSION, FLORIDA, US, 2007

2.2.1 Summary A runaway reaction during the production of methylcyclopentadienyl manganese tricarbonyl (MCMT) at T2 Laboratories, Inc. resulted in the rupture of the reactor on December 19, 2007. The resulting explosion caused four T2 employee fatalities and injured thirty-two people: four T2 employees and twenty-eight people at nearby businesses. Pieces of the reactor were found one mile away. Thirty-two structures were damaged. Figure 2.2-1 shows a section of the reactor, weighing approximately 907 kg (2,000 lb) that damaged a building 121 m (400 ft.) away from the reactor. The explosion was heard, and the overpressure felt 24 km (15 mi.) away in downtown Jacksonville, Florida. (see Figure 2.2-2).

Figure 2.2-1 A portion of the 3-inch thick reactor (courtesy CSB).

54

More Incidents that Define Process Safety

Figure 2.2-2 T2 Laboratories blast (courtesy CSB). After the event, the CSB estimated the explosion was equivalent to 635 kg (1,400 lb) of TNT (CSB 2009). A key outcome of this event was a recommendation by the Chemical Safety Board that the Accreditation Board for Engineering and Technology, Inc. (ABET), include awareness of chemical reactivity hazards in the chemical engineering curriculum. The ABET now requires the chemical engineering curriculum to include “control of chemical, physical, and/or biological processes, including the hazards associated with these processes.” (ABET 2015, p. 11).

Key Points Process Safety Competency – Ensure someone on the job understands process safety. We work with many intelligent people, but that does not mean that they understand process safety. Without someone on the site to ask the right questions, process safety may be lacking.

Chapter 2 Reactive Chemical Incidents

55

Hazard Identification and Risk Analysis – What if? It’s a very simple and powerful question. Use it to help identify potential hazards, and once those hazards are identified, then put protections in place. Incident Investigation – If an operation yields an unexpected result, ask why? By investigating and understanding why deviations occur you may see the path leading to a potential incident. More importantly, you will be equipped to take appropriate actions to avoid those incidents.

2.2.2 Description Background. T2 Laboratories Inc. opened in 1996 as a solventblending business. It was founded by a chemical engineer and a chemist. One of their products was a blend of purchased MCMT, a gasoline additive. In 2004, T2 began producing MCMT, which became their primary product by 2007. Process. The runaway reaction occurred during the first step of the MCMT process. This was a reaction between methylcyclopentadiene (MCPD) dimer and sodium in diethylene glycol dimethyl ether (diglyme). MCPD and diglyme were charged to a 9.3 m3 (2,450 gal.) reactor. Sodium metal was then added manually through a valve at the top of the reactor (see Figure 2.2-3). The heat was applied to the reactor using hot oil at 182°C (360°F) to melt the sodium and initiate the reaction to make methylcyclopentene. Hydrogen was a by-product, vented through a pressure control valve. At 99°C (210°F), the agitator was started (by this time the sodium should have melted). At 149°C (300°F), the heat was turned off. Since the reaction was known to be exothermic, cooling was applied at 182°C (360°F). What Happened. After eliminating other possible causes, the CSB concluded that loss of cooling was the immediate cause of the runaway reaction. The reactor was cooled by adding water to the jacket and allowing it to boil off (see Figure 2.2-3).

56

More Incidents that Define Process Safety

Why it Happened. The cooling system, necessary to control the exothermic reaction, could have been totally incapacitated or severely impaired by a number of single failures: loss of water from supply, a drain valve left open or partially open, failure of the valve actuators, blockage in the supply line, temperature sensor failure, or mineral buildup in the jacket (CSB 2009).

Figure 2.2-3 T2 Reactor (courtesy CSB).

Chapter 2 Reactive Chemical Incidents

57

Without cooling, the temperature would continue to rise. Subsequent testing showed that a second exothermic reaction occurred at 199°C (390°F). This reaction was more energetic than the first—and desired—reaction. The owner/operators of T2 Laboratories did not know about this second reaction. This reaction generated enough pressure, very rapidly, to burst the reactor, rated for 41.4 bar (600 psig).

2.2.3 Management System Failures I. Commit to Process Safety 1. Process Safety Culture. In hindsight, it seems the owners of T2 did not understand process safety or how to build a strong process safety culture. 2. Compliance with Standards. T2 was not in compliance with the U.S. OSHA Hazard Communication Standard. There is no written evidence that T2 had a confined space entry, lock-out/tag-out, personal protective equipment program, or employee training program. 3. Process Safety Competency. As stated earlier, T2 was started by a chemical engineer and a chemist. Neither had experience designing and running processes involving chemical reactions. The chemist tested the chemistry in the lab and developed the process based on patent literature provided by a company called Advanced Fuel Development Technologies, who wanted T2 to manufacture MCMT for them. This lack of experience showed itself in several ways. The chemist did the laboratory testing at a 1-liter scale and did not observe extreme exothermic behavior. A fundamental concept that needs to be understood when scaling up an exothermic reaction is that the energy released increases with the cube of the reactor diameter, while the heat transfer area increases with the square of the diameter (without additional area

58

More Incidents that Define Process Safety

from internal coils). Therefore, the rate and amount of heat generated increases faster than the ability to remove it. The need for cooling was discovered during process upsets in the first few batches (see Incident Investigation), not during the laboratory tests. The owners did not do any reaction testing such as adiabatic calorimetry (e.g., Accelerating Rate Calorimeter™ (ARC), Vent Sizing Package™ (VSP), Phi-Tec, or Automatic Pressure Tracking Adiabatic Calorimeter® (APTAC)), although this type of testing had been good engineering practice for years. (Note for reader: The CSB report includes discussions on the fact that process safety was not part of the chemical engineering curriculum in almost 90% of universities at the time of the incident. In its report, the CSB recommended to the AIChE and the Accreditation Board for Engineering and Technology, Inc. (ABET) that awareness of reactive chemical hazards be part of the baccalaureate program (CSB, 2009). This recommendation was implemented by the ABET in 2014 after AIChE’s Safety and Chemical Engineering Education (SAChE) Committee established guidance for the ABET accreditation protocols. After ABET’s implementation, the CSB noted that the action exceeded CSB expectations.) II. Understand Hazards and Risk 7. Hazard Identification and Risk Analysis. Even though a design consultant recommended that T2 do a Hazard and Operability (HAZOP) study on the process, T2 apparently did not do one. If the MCMT process had been reviewed by a competent PHA team, questions such as, “what happens if the temperature is too high?” or “what if the cooling fails?” would have come up. These questions would lead to recommendations such as: determine what the safe operating temperature is; determine what happens if it is exceeded, investigate how can we make the cooling system more reliable, or determine what other safeguards can be provided against high temperature and pressure?

Chapter 2 Reactive Chemical Incidents

59

Determining the answers to these questions could also have led to a better understanding of the emergency relief requirements. The emergency relief system (ERS) was based on the maximum rate of hydrogen generation in normal operation (CSB 2009). The ERS was inadequate for the reaction that occurred. After subsequent testing in a VSP, the CSB determined that the second exothermic reaction was so fast that the reactor could not have been successfully protected by a relief device. The only way to protect the reactor from overpressuring was to vent the reactor during the first reaction and allow the energy to be removed by boiling off the diglyme solvent and MCPD. III. Manage Risk 13. Management of Change (MOC). After one year of production, the batch size was increased by onethird, without a safety review. However, without the needed competency to recognize reactive chemical hazards, a MOC would not have helped. 16. Emergency Management. T2 did not warn emergency responders of the presence of MCMT on site. MCMT is toxic by inhalation and skin contact. IV. Learn from Experience 17. Incident Investigation. Prior to the explosion, there had been unexpected exotherms in three of the first ten batches during the first reaction step, when the process was scaled up to the main reactor. After the first exotherm (in Batch 1), the response was to adjust the batch recipe and to add cooling to the operating procedures. Uncontrolled exotherms also occurred in Batches 5 and 10. Nevertheless, after Batch 11, the process scale-up was considered successful. The owners did not recognize that the previous exotherms were actually near-misses which could have had more severe consequences, and therefore failed to further investigate the causes of these exotherms.

60

More Incidents that Define Process Safety

The CSB investigation report and a video showing the T2 Laboratories explosion can be found on the CSB website.

2.3 HOECHST GRIESHEIM RUNAWAY REACTION, GERMANY, 1993

2.3.1 Summary On February 22, 1993, a runaway reaction occurred at the Hoechst plant in Griesheim, Germany. The reactor’s pressure safety valve (PSV) opened and about 9 metric tons (10 tons) of the reaction mixture were released, covering 30 hectares (74 acres) around the plant with a yellow deposit. As a result of this incident, Germany’s Technical Committee on Plant Safety was created to determine the minimum knowledge required to run a chemical process. Their report, Leitfaden Erkennen und Beherrschen exothermer chemischer Reaktionen (Guidelines recognizing and mastering exothermic reactions” (TAABMU 1994), influenced chemical industry regulation in Germany (Gustin 2001). Media coverage of this event may have been a factor in Hoechst’s withdrawal from chemical manufacturing (Kepplinger and Hartung 1995).

Figure 2.3-1. Reaction Sequence for Hoechst Griesheim Runaway Reaction. This reaction is exothermic, with a heat of reaction of 140 kJ/mole (132.7 BTU/mole) 2-chloronitrobenzene.

Chapter 2 Reactive Chemical Incidents

61

Key Points Process Safety Competency – Consider what might go wrong and design against it. If there is an important operational sequence, design out the potential for inadvertent misoperation. If it is not possible to design it out, then design in controls. Conduct of Operations – COO is not just for operators, but also applies to the work conducted by managers, engineers, and other employees who design, implement, and oversee process operations. Ensure all involved conduct their work diligently. The design work could have easily included interlocks to prevent the operating errors that occurred in this incident.

2.3.2 Description Background. The chemical reaction involved was one between 1chloro-2-nitrobenzene (also called 2-chloronitrobenzene) and methanolic caustic soda to produce ortho nitroanisole (Figure 2.31). Process. The process was conducted in a 36 m3 (9510 gal.) reactor at 80°C (176°F) and 10 bar-a (145 psia). Methanol and 2chloronitrobenzene were added to the reactor with the agitator running. Following the chemical addition, the agitator was turned off and the level in the reactor checked through an open manhole cover. The cover was replaced, and the agitator was restarted. The mixture was heated to 80°C (176°F), and nitrogen was applied to raise the reactor pressure to 3 bar (43.5 psi). This reduced the oxygen concentration in the headspace to 8 vol%; some oxygen was required to prevent unwanted secondary reactions. The methanol and the caustic solution were then added, and cooling was applied manually as necessary to control the reactor temperature at 80°C (176°F). What Happened. During the batch in question, operators had to apply heating to the reactor to maintain a temperature of 80°C (176°F) instead of applying cooling, as was normal at this point in

62

More Incidents that Define Process Safety

the batch. When the methanol and caustic addition was complete, the batch was sampled for conversion. At this time, operators discovered that the agitator was turned off, so they proceeded to start it. As soon as mixing was started, a runaway reaction occurred, raising the temperature to about 160°C (320°F) and the pressure to 16 barg (232 psig). The reactor had a PSV set at 16 barg (232 psig), which opened, leading to the release of the reactor contents as described in the summary. Why it Happened. The investigation found that the agitator was not restarted after the level check. This led to a buildup of unmixed and unreacted material in the reactor. A sample that had been taken for conversion showed only 45% conversion of 2chloronitrobenzene. Therefore, more than half of the charge was available to react. When the agitator was restarted, the rapid mixing caused the entire mixture to react immediately. This exothermic reaction was further driven by the heat which had previously been manually applied. Compounding the problem, the high temperature triggered a secondary decomposition reaction that had a heat of reaction of 390 kJ/mole (93 kcal/mole), further accelerating the exotherm and buildup of pressure in the reactor.

2.3.3 Management System Failures I. Commit to Process Safety 3. Process Safety Competency. The immediate cause of this incident, restarting a stopped agitator, has been the cause of incidents in other chemical industries. For example, reviewing the literature about nitration reactions, the failure mode of inadvertently starting an agitator in the middle of a batch instead of the beginning of a batch was one of several common causes of runaway nitration reactions. Process designers recognized the potential of an agitator failure to cause problems and provided an alarm for agitator

Chapter 2 Reactive Chemical Incidents

63

failure; however, it is believed that the alarm did not detect a failure because the agitator had not been turned on. However, the process designers failed to recognize some other key safety features, or layers of protection, that would have prevented this accident. First, they did not provide interlocks that could have stopped the feeds to the reactor and prevented heat from being applied in the event of no agitation. Checking the level by opening the manway of a reactor partially filled with a flammable material is an unsafe way to run a reaction. Not only is the operator exposed to toxic vapors when the manway is opened; but also, if the manway is not sealed properly, flammable vapors could escape into the operating area as the batch is heated up. Reactor levels should have been performed automatically. The design of the PSV was not based on a runaway reaction and thus did not consider a large release of potentially toxic materials. As a result, the need for an effluent containment and treatment system was not considered. By not recognizing the potential for a toxic release scenario and planning for it, the runaway reaction escalated into a release with significant environmental consequences. III. Manage Risk 12. Training and Performance Assurance. The operators opening a partially filled reactor prompts the question of what kind of training the operators received before running the reaction. Did they know that the lack of heat being released was a sign that the reaction had stalled? If they did know the implications of the process information they were given, then the decision to continue feeds goes back to a COO issue. 15. Conduct of Operations. Continuing to add the 2-chloronitrobenzene with no sign of reaction, and in fact, adding heat when cooling was usually needed, is a sign of poor COO. Why did the operator forget to start

64

More Incidents that Define Process Safety

the agitator? We can only speculate as to why. It is possible the operators were not properly trained or did not respond as they were supposed to, or perhaps no process hazard identification study had been performed. In an exothermic process, operators should be trained to stop the process and seek expert support if the process is not running normally. Conduct of operations applies to everyone involved with running chemical processes: managers, design engineers, operators and technicians. The technical staff could have designed safeguards for the process to prevent or at least detect an error such as no agitation before starting feeds.

2.4 ARCO CHANNELVIEW EXPLOSION, TEXAS, US, 1990 2.4.1 Summary A wastewater tank containing process wastewater with hydrocarbons and peroxides exploded during the restart of an off-gas compressor. The normal nitrogen purge had been reduced during the maintenance period, and a temporary oxygen analyzer failed to detect excessive oxygen in the tank vapor space. When the compressor was restarted, a flammable mixture of hydrocarbons and oxygen was pulled in and ignited. The flashback of the flame into the headspace of the tank ignited the confined vapors and an explosion occurred. The explosion caused seventeen fatalities. ARCO spent $20 million replacing the unit and installing safety enhancements (ARCO 1991), and also paid about $3.5 million in penalties (OGJ 1991). This incident was one of those cited in the Background section of the U.S. OSHA PSM rule as justification for the need for the PSM rule (OSHA 1992).

Chapter 2 Reactive Chemical Incidents

65

Key Points Process Safety Competency – What is safe? Conducting operations safely depends on designing, documenting and following the planned response when safe operating parameters are exceeded. Ensure all involved are competent to conduct their work with process safety in mind. Asset Integrity and Reliability – Make sure equipment will work when it is needed. Critical equipment must be designed, tested, and maintained to ensure that it will function as intended to prevent a process safety incident.

2.4.2 Description Background. ARCO acquired the Channelview complex in 1980. The plant produced propylene oxide, methyl tertiary butyl ether, and styrene monomer. Process. The 3,407 m3 (900,000 gal) wastewater tank contained process wastewater from propylene oxide and styrene processes. Peroxide and caustic byproducts from these processes traveled through thousands of feet of piping to the tank where they mid. There was normally a layer of hydrocarbons on the surface of the water. Also, oxygen was formed in the tank due to decomposition of the hydrocarbon peroxides in the tank. A nitrogen purge was used to keep the vapor space inert, and an off-gas compressor drew the hydrocarbon vapors off before the waste layer was disposed of in a deep well. Figure 2.4-1 shows the process scheme. What Happened. The tank was taken out of service to repair the nitrogen blanket compressor. However, even though flow into the tank had ceased, it had not been emptied and oxygen was still forming due to the decomposition of peroxides in the tank. A temporary oxygen analyzer was installed between two roof beams and provisions were made to add a nitrogen purge if a high oxygen level was detected. During this time, the oxygen analyzer failed, giving incorrect low readings and the normal flow of

66

More Incidents that Define Process Safety

nitrogen purge gas to the tank was reduced. About 34 hours before the explosion, the nitrogen sweep stopped. Therefore, the nitrogen purge was inadequate to prevent a flammable atmosphere from being formed in the headspace and in piping to the compressor. When the compressor was restarted, flammable vapors were drawn in and ignited. Flames flashed back to the tank, causing an explosion in the head space. This incident illustrates that reactive chemical incidents can occur at any point in a process. It is as important to understand and manage the risks of reactive chemistry in auxiliary operations, such as this wastewater tank, with the same level of rigor as any other intentional chemistry-related unit operation. When the unit was rebuilt, the new wastewater tank was pressurized and vent gas was sent to a flare, eliminating the need for a compressor. Redundant oxygen analyzers were installed, and a backup supply of nitrogen was provided. The preventive maintenance program for oxygen analyzers and other safetycritical equipment was improved. Critical process safety operating parameters were identified for continuous monitoring.

Figure 2.4-1 Process flow diagram of the wastewater tank (courtesy CEP).

Chapter 2 Reactive Chemical Incidents

67

Why it happened. Organic peroxides present a fire and explosion hazard. The double oxygen bond (-C-O-O-C-) of the peroxy group makes organic peroxides both useful and hazardous. The peroxy group is chemically unstable, and can easily decompose, giving off heat at a rate that increases as the temperature rises. Peroxides can decompose very rapidly or explosively if they are exposed to only slight heat, friction, mechanical shock, or contamination with incompatible materials. Many organic peroxides give off flammable vapors when they decompose. These vapors can easily catch fire. In the waste storage tank, the presence of organic peroxides created a flammable atmosphere, which found an ignition source at the compressor (a source of heat, and friction). The design of the safety system was inadequate. There was only one oxygen analyzer in the system, and it failed, reducing and eventually stopping the nitrogen flow. The loss of nitrogen sweep was not noticed.

2.4.3 Management System Failures I. Commit to Process Safety 3. Process Safety Competency. The use of one oxygen analyzer created a safety-critical system with a single point of failure. When designing safety systems, engineers should consider the level of reliability of safety-critical systems and provide the necessary redundancy. Safe operating parameters—in this case oxygen levels and nitrogen flow rates— also need to be identified and monitored by operating personnel. III. Manage Risk 10. Asset Integrity and Reliability. Safety-critical equipment should be identified, and a preventive maintenance program should be put in place to regularly test such equipment to ensure it is functioning as intended.

68

More Incidents that Define Process Safety

2.5 AMMONIUM NITRATE INCIDENTS Ammonium nitrate (AN) deserves a special mention in More Incidents that Define Process Safety. Incidents involving the manufacture and storage of AN continue to occur, even though there is a long history of such incidents from which to learn. To illustrate this, the CSB compiled a table of twenty-two events at stationary facilities, dating back to 1916, in its report on the West Fertilizer explosion, covered in Section 2.6 (CSB 2016). Three incidents involving AN were described in Incidents that Define Process Safety (CCPS 2008). One of those incidents, the explosion of the SS Grandcamp in Texas City in 1947, was the worst industrial accident in the history of the US. There were at least 578 fatalities, and 178 were listed as missing. More AN incidents have occurred since. Three more incidents, two involving storage and handling and one involving the manufacture of AN, are described in the following sections. The manufacturing incident occurred in 1994, however the storage and handling incidents occurred after publication of Incidents that Define Process Safety. AN, which is an oxidizer, is typically available in two forms, fertilizer grade (FGAN) and technical grade (TGAN). FGAN is sold as a liquid or as high-density prills. TGAN consists of low-density prills. AN handling and storage is covered by U.S. OSHA’s Blasting and Explosive Agents standard (OSHA 1998) and by the Australian Standard The storage and handling of oxidizing agents (Standards Australia 1995). AN will not burn; however, it melts at 170°C (337°F) and rapidly decomposes. Above 260°C (500°F) AN becomes sensitive to shock. Pure AN is stable and explodes only under certain circumstances: When contaminated with low percentages (more than 0.2%) of combustible material (e.g. packing materials, seeds, oil); When contaminated with certain inorganics (e.g. chlorides, acids, caustic, some metals);

Chapter 2 Reactive Chemical Incidents

69

When confined at high temperatures (e.g. in a fire); When heated to the decomposition temperature (AN melts and becomes more sensitive to shock). AN prills absorb moisture, leading to caking, which creates a form of self-confinement and compression. In a fire, AN releases toxic gas such as nitric acid, ammonia, nitrogen oxides, and nitrous oxide. (EPA 2015, CSB 2016).

2.6 WEST FERTILIZER COMPANY AN EXPLOSION, TEXAS, US, 2013 2.6.1 Summary On April 17, 2013, a fire occurred at the West Fertilizer Company in West, Texas, which triggered an explosion of about 27 metric tons (30 tons) FGAN at 7:51 p.m. The explosion registered as a 2.1 on the Richter scale. There were fifteen fatalities—twelve were emergency responders; three were members of the public. One of the public fatalities was in a nursing home (from a stressinduced heart attack) and the other two were in an apartment complex. The overpressure from the blast damaged 150 buildings off-site, including four schools, a nursing home (later demolished), an apartment complex, and 350 private residences (142 beyond repair) (CSB 2016). This was a significant incident in the US, due to the extensive public impact, and the prevalence of FGAN storage and handling facilities in the US. The CSB identified over 1,300 facilities handling AN within close proximity to a community. The United States president issued Executive Order EO-13650. This established a working group consisting of the U.S. Department of Homeland Security (DHS), the U.S. Environmental Protection Agency (EPA), and the U.S. Departments of Labor (under which the U.S. OSHA is located), Justice, Agriculture, and Transportation. The purpose of the working group was to improve the identification and response to the risks of chemical facilities (EO 2013).

70

More Incidents that Define Process Safety

Key Points Process Safety Culture – Ensure all involved value process safety. A poor safety culture will have consequences. It could be anything from a loss of insurance coverage to a tremendous loss of life, both of which occurred at West Fertilizer. Stakeholder Involvement – Work together to prevent incidents. It is important that local planners understand the hazards of facilities and that enforcement agencies identify shortfalls in neighboring compliance. Stakeholders communicating with each other can create a mutual understanding on managing risks. Emergency Management – Ensure emergency responders understand the hazards. Inform your local emergency responders of the risks at your site so that when they respond to help you, and they are not put in harm’s way.

2.6.2 Description Background. West Fertilizer Company (WFC) stored and handled AN in a fertilizer building, along with several other fertilizers, including diammonium phosphate, ammonium sulfate, and potash. The fertilizer building was a wood-frame building. AN was stored in two plywood bins. Figure 2.6-1 shows an overview of the building layout, and Figure 2.6-2 provides an exterior view of the building with the Primary AN bin superimposed on it. In addition to receiving and storing the various fertilizers, West Fertilizer also made fertilizer blends, delivered, and sometimes applied the fertilizers. West Fertilizer also stored and handled anhydrous ammonia in two pressurized storage tanks. In 1962, when the facility was first built, it was surrounded by open land. As the town grew over the years, WFC was surrounded by residences and schools (Figure 2.6-3). This contributed to the high impact of this incident.

Chapter 2 Reactive Chemical Incidents

71

Figure 2.6-1 Fertilizer building overview (courtesy CSB).

Figure 2.6-2 Southwest view of Fertilizer Building (adapted from CSB). What Happened. In addition to the fifteen fatalities, more than 260 people were injured. Most of these people were within 457 to 610 m (1,500 to 2,000 ft.) of the explosion (CSB 2016). It is easy to imagine many more casualties had the fire and explosion occurred in the daytime, when the schools were occupied.

72

More Incidents that Define Process Safety

Figure 2.6-3 WFC and community growth (courtesy CSB).

Figure 2.6-4 Overview of damaged EFC (courtesy CSB).

Chapter 2 Reactive Chemical Incidents

73

WFC itself was destroyed (see Figure 2.6-4). An FGAN railcar was overturned. Fortunately, the two anhydrous ammonia tanks on site were not damaged. There was a large amount of off-site property damage. Severely damaged were: An apartment complex, 122 m (450 ft.) from WFC (2 fatalities, completely destroyed, see Figure 2.6-5); An intermediate school, 168 m (552 ft.) from WFC; A nursing home, 183 m (600 ft.) from WFC (1 fatality, so badly damaged it had to be demolished); A high school, 385 ft. (1,263 ft.) for WFC. Why it Happened. The cause of the fire itself remains unknown. The ATF concluded that the cause was arson (Ellis 2016), although CSB developed three theories as to why the AN exploded that did not involve arson (CSB 2016). The first scenario is that during the early part of the fire, soot and other organics contaminated the FGAN and served to keep heat in. This could have caused the formation of hot liquid FGAN at the top of the pile (see Figure 2.6-6). The liquid layer could have produced oxidizing gases, which would have created a cloud of oxidizers; NO2, O2 and HNO3 are the decomposition products of AN. This gas cloud may then have detonated. The second scenario is that the detonation was caused by heat from the exterior walls of the bin. Photos show that just prior to the detonation, the exterior walls of the bin were penetrated, which allowed more air in and caused the fire to become even hotter. There could have been some melting of the FGAN along the exterior wall. The third scenario focuses on an elevator pit; a bucket elevator was used to unload FGAN and other materials. There could have been FGAN remnants in the pit. FGAN could have spilled into the pit if the wall of the AN bin collapsed. The remnants of FGAN could have been contaminated by burning rubber and the falling FGAN, plus the confinement by concrete

74

More Incidents that Define Process Safety

elevator walls might have caused the detonation. This is considered the least likely scenario.

Figure 2.6-5 Apartment complex damage (courtesy CSB video).

Figure 2.6-6 Soot accumulation on FGAN pile (courtesy CSB video).

Chapter 2 Reactive Chemical Incidents

75

2.6.3 Management System Failures The RBPS management systems are interlinked, and the West Fertilizer explosion shows how important this linkage is. I. Commit to Process Safety 1. Process Safety Culture. Prior to 2009, WFC had insurance through Triangle Insurance Company. In 2009 Triangle stopped insuring WFC because of losses and a lack of compliance with Triangle’s recommendations from their loss control surveys. Several of the recommendations involved electrical problems, such as corroded wires and grounds. In one of its evaluations, a Triangle consultant noted that WFC had no safety program and “had no positive safety culture” (CSB 2016). 2. Compliance with Standards. AN is covered by the U.S. OSHA’s Blasting and Explosive Agents standard (OSHA 1998); however, this is not widely known throughout the fertilizer industry. AN is also covered by NFPA 495, Code for the Manufacture, Transportation, Storage, and Use of Explosives and Blasting Agents (NFPA 1970) and NFPA 400, Hazardous Material Code (NFPA 2016). Prior to 2002, AN was covered by NFPA 490 Code for the Storage of Ammonium Nitrate (NFPA 2002). The CSB reported that the fertilizer industry itself acknowledged that it was not well known in the fertilizer industry that the U.S. OSHA Explosives standard covers AN (CSB 2016). The U.S. OSHA did not have a history of citing fertilizer facilities under the Blasting and Explosive Agents standard, contributing to this lack of knowledge. This contributed to a lack of process safety knowledge in the industry, which in turn contributed to inadequate hazard identification and emergency response planning. A weakness in the U.S. OSHA standard is that it allows the use of wood “protected against impregnation by ammonium nitrate” for the walls of the bin (the floor must be non-combustible) [OSHA

76

More Incidents that Define Process Safety

1998 Section (i)(4)(ii)(b)]. The CSB notes other countries do not permit this. In the Chemical Advisory issued after the incident (EPA 2015), buildings constructed of non-combustible materials are “strongly preferred.” CSB recommended that the U.S. OSHA addresses this by making some changes in the standard, such as a name change or defining the scope at the beginning of the standard, and starting a US National Emphasis Program (NEP) for AN. NFPA 400 was updated in 2016 and now requires buildings be of non-combustible construction, and contain automatic sprinklers, and fire detection systems, the last two being retroactive requirements. AN is not covered by either the U.S. OSHA PSM or U.S. EPA RMP regulations. This means that facilities handling AN are not required by law to have a formal process safety management program. The lack of a PSM program led to several safety management gaps. 5. Stakeholder Outreach. There was no information sharing between WFC, emergency responders, and the community. The lack of process safety knowledge on WFC’s part contributed to this. Without an understanding of the potential hazards at the WFC facility, there was no motivation to prevent the community from building up near the facility. The U.S. EPA (2015a) issued some guidance about the Emergency Planning and Community Right-to-Know Act (EPCRA) that stemmed from EO-13650. This guidance reminded State Emergency Response Committees (SERCs) that EPCRA authorized them to designate additional facilities (beyond those handling listed extremely hazardous substances) to be subject to emergency planning notification. II. Understand Hazards and Risk 6. Process Knowledge Management. Since AN was not on the PSM or RMP highly hazardous chemicals lists, and because the fertilizer industry was not familiar with the

Chapter 2 Reactive Chemical Incidents

77

U.S. OSHA Blasting and Explosives Agents standard, neither the WFC management and employees nor the emergency responders, were familiar with AN hazards. There was no record that WFC consulted the AN Safety Data Sheet during the incident. The emergency responders did not know that AN could detonate. Process safety knowledge includes collecting and disseminating information and learnings from incidents with similar technologies and chemicals from throughout the industry. As noted in Section 2.5, there is a long history of AN-related incidents that AN producers and handlers need to learn from. In 2009, a fire occurred at another facility in Texas that stored and handled AN. The firefighters decided not to fight the fire but instead they evacuated the area. About 80,000 people were evacuated. A review of that emergency response was conducted, and an after-action report was issued that emphasized the need for emergency responders to “reflect on protection, response, and recovery activities” that occurred in the 2009 fire (CSB 2016). This report was apparently not known by the West Fire Department. 7. Hazard Identification and Risk Analysis. The absence of AN from the PSM and RMP rules led to no PHA being conducted on the AN handling and storage system. A properly conducted PHA would have addressed consequences of a fire and could have led to a better understanding of the hazards of AN by WFC’s management and personnel. III. Manage Risk 16. Emergency Management. The absence of AN from the PSM and RMP rules led to no emergency planning, which also would have been required by these regulations. When responding, the fire department initially tried to fight the fire, but only the fire engines internal tanks could be used until a hose could be connected to the hydrant 488 m (1,600 ft.) away. They did not have enough hose to reach the fire. The decision to evacuate was about to be made when the

78

More Incidents that Define Process Safety

explosion occurred. Development of an emergency response plan may have helped reduce the consequences of the event: the plant could have installed better storage conditions and fire protection, the city could have added a fire hydrant nearer to the plant, or the response could have been to evacuate the area and let the plant burn, which would have saved lives.

2.7 RUI HAI INTERNATIONAL LOGISTICS AN EXPLOSION, TIANJIN, CHINA, 2015 2.7.1 Summary An explosion occurred around 11:30 p.m. on August 12, 2015, at the Rui Hai International Logistics (RHIL) storage facility in Tianjin, China. The explosion registered as a 2.9 on the Richter scale. The entire facility was destroyed. There were 170 fatalities (99 firefighters and 11 policemen), and about 800 people were injured. The blast affected 17,000 households and 779 businesses (Figure 2.7-1). The waterways and soil nearby were severely polluted. An early estimate of losses was $1.5 billion (Huang & Zhang 2015), (Hernandez 2016). Following the investigation, 123 people were arrested. This was one of the worst industrial incidents in China, (Trembley 2016). Key Points Process Safety Culture – Apply process safety culture concepts to all stakeholders. When an operating site has a poor safety culture, and uses political influence to avoid regulatory enforcement, there can be no confidence that the process is safe. Compliance with Standards – Follow the rules. Standards are developed based on best practices and learnings. Deciding not to comply with standards and regulations can be reckless. If you think that a standard doesn’t work for your application, then communicate with the standard’s authors to discuss the situation.

Chapter 2 Reactive Chemical Incidents

79

2.7.2 Description Background. RHIL was started by two men; one the son of a local police chief and the other an executive at a chemical firm. Tianjin was a rapidly growing area and the facility eventually grew to 4.5 hectares (11 acres) in size. The warehouses were known for “shoddy construction” (Jacobs, Hernandez & Buckley 2015). Process. The facility stored more than 40 hazardous chemicals (Zeng 2015), including 800 tonnes (882 tons) of AN, 700 tonnes (772 tons) of sodium cyanide, 200 tonnes (220 tons) of nitrocellulose as well as various metal powders. What Happened. A fire was observed in the facility at 10:50 p.m. The first responders arrived by 11:06 p.m. and others arrived

Figure 2.7-1 The crater from 2015 Tianjin explosion (courtesy Shutterstock).

80

More Incidents that Define Process Safety

about 10 minutes later. Investigation showed that the fire started when nitrocellulose improperly stored near AN became too dry and self-ignited. The first explosion occurred at 11:34 p.m., registering 2.3 on the Richter scale. The second explosion occurred thirty seconds later and registered 2.9. Based on the size of the crater, about 100 m (328 ft.) in diameter, approximately 726 metric ton (800 ton) of AN were involved. Why It Happened. The investigation found that the fire started in dry nitrocellulose containers that became overheated. Nitrocellulose, used as a propellant called “guncotton,” is a highly flammable solid. Even used nitrocellulose containers are considered hazardous. The safety data sheet (SDS) for nitrocellulose states that containers should be tightly sealed and kept in a well-ventilated area, separate from oxidizing materials such as AN. A nitrocellulose brochure recommends using nonsparking tools and states that nitrocellulose damped with water or alcohol has a shelf life of two years, after which decomposition and fire can occur. If the damping agent dries out, the nitrocellulose is sensitive to impact and heat (DowWolff).

2.7.3 Management System Failures I. Commit to Process Safety 1. Process Safety Culture. In most incidents in this book, a poor process safety culture can be attributed to ignorance, such as not understanding the difference between process safety and occupational safety, a lack of knowledge of process safety hazards, or, at worst, a lack of any sense of vulnerability to potential hazards. In the case of the Tianjin explosion, the lack of process safety culture was reflected in the disregard of safety rules and good practices. In addition, officials abused their power (Tembley 2016). 2. Compliance with Standards.

Chapter 2 Reactive Chemical Incidents

81

As mentioned earlier, 123 people were arrested as a result of this incident. RHIL violated existing rules and permits and used political influence to protect itself from close scrutiny. It ignored good practices and regulations in the manner that it stored chemicals. It stored more chemicals than allowed by their permits. Their warehouses were known for shoddy construction and outdated equipment (Jacobs, Hernandez & Buckley 2015). A safety review, that was required by authorities to obtain a storage permit, was done in a questionable manner since it was performed by a private contractor who was selected and paid for by RHIL.

2.8 PORT NEAL AMMONIUM NITRATE EXPLOSION, IOWA, US, 1994 2.8.1 Summary On December 13, 1994, an explosion occurred in the AN portion of a fertilizer plant in a process vessel known as a neutralizer. The explosion occurred while the AN process was shut down with AN solution remaining in several vessels. Multiple factors contributed to the explosion, including strongly acidic conditions in the neutralizer, the application of 13.79 barg (200 psig) steam to the vessel, and a lack of monitoring of the AN plant when the process was shut down with materials left in the process vessels. The explosion resulted in four fatalities and eighteen people injured. Serious damage in other parts of the plant resulted in the release of nitric acid to the ground and anhydrous ammonia into the air (EPA 1996).

Key Points Hazard Identification and Risk Analysis – Identify process hazards so that you can manage them. Without first identifying the hazards, the hazard management controls and systems will not be implemented, and the risk will not be managed.

82

More Incidents that Define Process Safety

Operating Procedures – Make sure procedures cover all aspects of the operation, including temporary shutdowns or holds.

2.8.2 Description Background. The Port Neal, Iowa, plant produced nitric acid, ammonia, ammonium nitrate, urea, and urea-ammonium nitrate. In the neutralizer, ammonia from the urea plant off-gas or from ammonia storage tanks was added through a bottom sparger and 55% nitric acid was added through a sparge ring in the middle of the vessel. The product, 83% AN, was sent to a rundown tank via an overflow line for transfer to storage. See Figure 2.8-1 for a process flow diagram of the neutralizer and rundown tank. A pH probe in the overflow line to the rundown tank was used to control the nitric acid flow to the neutralizer in order to maintain the pH at 5.5 - 6.5. The temperature in the neutralizer was maintained at about 131°C (267°F) by the evaporation of water and ammonia. Both vessels were vented to a scrubber, where the vapors were absorbed by 55–65% nitric acid and makeup water to make 50% AN. A stream of 50% AN was sent back to the neutralizer. What Happened. About two weeks prior to the event, the pH probe was found to be defective, and the plant was controlled by manually taking samples for pH. Two days prior to the event, the pH was determined to be -1.5 (sic) and was not brought into the acceptable range until about 1:00 a.m. on December 12. The AN plant was shut down at about 3:00 p.m. on the afternoon of December 12, because the nitric acid plant was out of service. At about 3:30 p.m., operators purged the nitric acid feed line to the neutralizer with air. At about 7:00 p.m., operators pumped scrubber solution to the neutralizer. At about 8:30 p.m., 13.8 bar (200 psig) steam, which is about 197°C (387°F), was applied through the nitric acid feed line to the nitric acid sparger to prevent backflow of AN into the nitric acid line. The explosion in the neutralizer occurred at

Chapter 2 Reactive Chemical Incidents

83

about 6:00 a.m. on the morning of the 13th. Figure 2.8-2 shows the aftermath of the explosion.

Figure 2.8-1 Neutralizer and rundown tank, source (courtesy EPA).

84

More Incidents that Define Process Safety

Figure 2.8-2 AN plant area after the explosion (courtesy EPA).

Why It Happened. Liquid AN is known to become more sensitive to decomposition, deflagration, and detonation by: Low pH levels, High temperatures, Low-density areas (e.g., caused by gas bubbles), Physical confinement, Contaminants such as chlorides and metals, Confinement by means of a sufficient mass of AN by itself. Calculations showed that the nitric acid line clearing would have lowered the pH to about 0.8 at the time of the shutdown. The steam sparge remained on for 9 hours. Calculations showed that it provided enough heat to raise the solution to its boiling point after two hours. The air and steam sparge created gas bubbles in the solution. Chlorides, carried over from the nitric acid plant, were also found to be present in the AN solution. These circumstances provided the conditions necessary for decomposition and detonation of the AN (EPA, 1996). The U.S. EPA investigation concluded the conditions that led to the explosion occurred due to the lack of operating procedures. There were no procedures on how to put the vessels in a safe

Chapter 2 Reactive Chemical Incidents

85

state during shutdown, or for monitoring the pH and temperature in the process vessels during the shutdown. There were also no procedures being used to monitor for the presence of chloride salts and/or oil in the reaction mass that could further increase the sensitivity of AN to dangerous decomposition conditions. The U.S. EPA found that other AN producers either emptied the process vessels during a shutdown or maintained the pH above 6.0. Also, other producers either did not allow steam sparges or, if steam sparges were done, they conducted them under direct supervision to ensure that the duration of steam sparging was kept to a minimum. The U.S. EPA also noted that no hazard analysis had been done on the AN plant, and that personnel interviewed “indicated they were not aware of many of the hazards of ammonium nitrate.” 2.8.3 Management System Failures II. Understand Hazards and Risk 7. Hazard Identification and Risk Analysis. No hazard assessment of the AN process had been done. The lack of a hazard identification study led to personnel not understanding the conditions that could lead AN decomposition. It also led to a lack of safeguards that would have prevented the decomposition. An effective PHA of the shutdown step would have revealed to the operating staff that the pH of the neutralizer could not be measured at low neutralizer levels, and that the temperature of the neutralizer could not be accurately known without continuous circulation in the tank. A complete hazard identification study would have covered backflow of AN into the nitric acid line and better design solutions could have been identified.

86

More Incidents that Define Process Safety

III. Manage Risk 8. Operating Procedures. Operating procedures need to cover all phases of operation. This event was directly tied to a lack of shutdown procedures and the lack of equipment monitoring requirements during the shutdown. Without this key information, operators performed actions that first sensitized the AN solution to decomposition, and then provided the energy needed to initiate the decomposition reaction.

2.9 HICKSON & WELCH JET FLAME, UK, 1992 2.9.1 Summary A fire occurred at the Hickson & Welch nitrotoluene plant in Castleford, UK, in September 1992. When a vessel containing residual dinitrotoluene (DNT) and nitrocresols from a batch still was opened for cleaning, a jet flame was released that resulted in five fatalities. The jet flame first destroyed a control room/office building (Figure 2.9-1) and then impinged upon the main office building in which there were sixty-three people. One of the five fatalities was in this office building. H&W paid £500,000 ($638,203) in fines and costs in 1993. This incident provides important lessons on reactive chemical management, facility siting, the potential effects of jet flames, and the hazards that can be posed by abnormal operations. Key Points Operating Procedures – Ensure operating procedures address all phases of an operation. There are hazards, sometimes different ones, in various phases of start-up, operation, shutdown, cleaning, catalyst change, and emergencies. In documenting all phases, procedures can address the specific hazards of each phase and how to control them.

Chapter 2 Reactive Chemical Incidents

87

Management of Change – Never assume that changes are small inconsequential. New or unusual operations always need to undergo an MOC review. 2.9.2 Description Background. Hickson & Welch was founded in 1931 and became publicly held in 1951. In its history, it manufactured dyes, dichlorodiphenyltrichloroethane (DDT), and timber preservatives. Process. The Meissner plant made mononitrotoluene (MNT). Isomers of MNT and the by-product dinitrotoluene (DNT) were separated by a series of stripping steps. The final distillation left a residue containing DNT and nitrocresols that were transferred to a 45.5 m3 (12,021 gal) horizontal storage tank called the 60 still base. A final vacuum strip was done in the still base to recover the last of the MNT. The 60 still base contained steam coils for heating. The temperature was supposed to be controlled using 6.9 bar (100 psig) steam at 170°C (338°F). However, an existing pressure regulator was not working properly, so the steam

Figure 2.9-1 Control room and office building after a jet flame impact (courtesy HSE).

88

More Incidents that Define Process Safety

pressure was being controlled manually. A relief valve in the steam line was supposed to open at 6.9 bar (100 psig) but was malfunctioning and actually opened at 9.3 bar (135 psig), so the temperature was actually about 180°C (356°F). After the distillation, the residue was cooled and transferred to a truck for transport to an incinerator for disposal. What happened. The still base was installed in 1961. A process change made in 1988 apparently led to a buildup of residue in the still, causing extended stripping times. By the day of the incident, the residue depth was 34 cm (13 in). The vessel itself was 2.7 m (8.8 ft.) in diameter. A decision was made to clean out the residue through the manway at the end of the still base (Figure 2.9-2). Steam was applied to the sludge, with instructions to keep the temperature below 90°C (194 °F). The manway was opened, and a sample taken for visual examination. Operators began raking out sludge with an iron rake. After a little more than an hour, steam was shut off, and an order was given to shut off the steam feed line to the still. At this time, the temperature reading was 48°C (118°F). About 20 minutes later, the jet flame erupted from the manway. The manway struck the control room, and the jet flame, which lasted 25 seconds, was about 4.7 m (15.4 ft.) in diameter as it hit the control room wall, 13.4 m (44 ft.) from the manway (Figure 2.9-3). The flame destroyed the scaffolding where people had recently been standing to clean out the sludge and severely damaged the nearby control room, causing two immediate fatalities and two fatalities after hospitalization. Then the jet flame impacted an office building (Figure 2.9-1), igniting fires in it. Most people in the office building were able to escape, but one person died from smoke inhalation. Two other employees were injured, and nineteen firefighters also had to be admitted to the hospital. Why it Happened. MNT, DNT, and the nitrocresols are toxic, and decompose energetically when subjected to heat or contacted with strong acids and bases. Hickson & Welch were aware of this and developed thermal stability tests which they used to set a maximum temperature for the sludge before cleanout. Studies by

Chapter 2 Reactive Chemical Incidents

89

the HSE support the theory that heat from the steam heaters could have initiated self-heating of the residue, causing a thermal runaway that could have reached temperatures of 500°C (932°F), well above the auto-ignition temperatures of MNT isomers and the decomposition products. The temperature probe in the vessel was not in the sludge itself but above it. Therefore, the temperature being recorded was that of the vessel atmosphere, not the sludge. Most of the casualties occurred in the control room, which was located only 13.4 m (44 ft.) away from the still base and was directly in the line of fire. One lesson that can be learned here is the need to examine the location of control rooms and other occupied buildings with respect to potential hazards.

Figure 2.9-2 360 base still (courtesy HSE).

90

More Incidents that Define Process Safety

Figure 2.9-3 Still base and control room (courtesy HSE). 2.9.3 Management System Failures In this incident, the lack of Hazard Identification and Risk Analysis, combined with a lack of operating procedures that addressed non-routine tasks such as sludge cleanout, led to a very hazardous situation. I. Commit to Process Safety 2. Compliance with Standards. Although not in effect at the time, locating a control room and office so close to a process would not comply with modern facility siting standards. II. Understand Hazards and Risk 7. Hazard Identification and Risk Analysis. Although Hickson & Welch understood the reactivity hazards of nitrotoluenes and the residue, no hazard review was performed

Chapter 2 Reactive Chemical Incidents

91

on the still cleanout. Hazard reviews need to be conducted on all phases of an operation. A hazard review would have enabled them to develop a safe procedure. For example, they could have recognized the need to have redundant temperature probes, close the feed line to the vessel to prevent entry of flammable vapors, stop steam flow into the heating bayonets, and find a safer way to remove the residue than using an iron rake (which could have potentially caused electrostatic sparks). They also might have decided to analyze the residue for thermal stability before removal to understand the degree of hazard involved. III. Manage Risk 8. Operating Procedures. Hickson and Welch had no written procedures for cleaning vessels. Again, the lesson here is the need to have written procedures for all phases of operation. Modern PSM programs recognize this, but abnormal operations such as start-up, shutdown, maintenance, and in this case, cleanout, warrant emphasis because the risk during these modes can be much higher than during normal operation. Applying PHA tools such as a procedural HAZOP can uncover risks that may be overlooked in a PHA done for normal operations and it can identify important safeguards to safely manage these risks. 10. Asset Integrity and Reliability. The malfunctioning steam regulator was known to be malfunctioning but was not repaired. Instead the plant relied on operators to control steam pressure manually. The operators relied on seeing steam start to emerge from a PSV set at 6.9 bar (100 psi) as their guide; however, this PSV was malfunctioning. It should be noted that PSVs are not intended to be normal control devices. Because the steam regulator and the PSV were critical, they should have been included in a routine maintenance plan to check and replace (or service) them periodically to maintain reliability.

92

More Incidents that Define Process Safety

13. Management of Change. This was the first time the plant had performed this cleanout operation. The procedure was conducted using safe work permits, although they did not cover all aspects of the operation. The people issuing the permits probably had no idea about the potential reactive chemical hazards. An MOC review could have identified the hazards and triggered a more formal hazard assessment.

2.10 OTHER INCIDENTS Seven reactive chemical incidents were described in Incidents that Define Process Safety (CCPS 2008): Rohm & Haas road tanker explosion, Teesside, UK, January 3, 1976; Bartlo Packaging Inc., pesticide explosion, West Helena, Arkansas, May 8, 1997; Napp Technologies Inc. explosion, Lodi, New Jersey, April 21, 1995; Concept Sciences Inc. explosion, Allentown, Pennsylvania, February 19, 1999; Nissan Explosion, Japan, June 10, 2000; Morton International, Inc., explosion, Paterson, New Jersey, April 8, 1998; Azote de France AN explosion, Toulouse, France, September 21, 2001. Below are two additional reactive chemical incidents investigated by the CSB that have occurred since the publication of Incidents that Define Process Safety. 1. Synthron LLC Chemical Explosion, Morganton, North Carolina, US, January 31, 2006. A runaway chemical reaction occurred, causing a vapor cloud explosion and fires that killed one person and injured fourteen others. The explosion destroyed the facility and damaged structures in the nearby community. The company

Chapter 2 Reactive Chemical Incidents

93

increased the batch size of an acrylic monomer polymerization by adding all the extra monomer to the batch at once without determining the effect of the increased heat load. The heat load doubled and overwhelmed the cooling capacity of the reactor, resulting in a runaway reaction (CSB 2007). 2. Bayer CropScience Runaway Reaction and Pressure Vessel Explosion, Institute, West Virginia, US, August 28, 2008. During the restart of a methomyl unit, a runaway reaction occurred in the residue treater, a 17 m3 (4,500 gal.) pressure vessel, causing a vessel rupture that released about 8.3 m3 (2,200 gal.) of flammable solvents and toxic residues. Two people died and eight were injured. Residue containing solvent was added to the vessel before the clean solvent was added, and then heated to the operating temperature. The residue decomposed, causing the explosion. During the startup, safety-critical interlocks had been bypassed (CSB 2011).

2.11 ADDITIONAL RESOURCES The following books and resources are available for helping to understand reactive chemical hazards. Chemical Reactivity Worksheet (CRW) 4.0. The CSB reactive chemical investigation report found that 36% of reactive chemical incidents involved chemical incompatibilities. The CRW includes a reactivity prediction worksheet that you use to virtually "mix" chemicals to simulate accidental chemical mixtures and learn what dangers could arise from the accidental mixing. For example, if the reaction is predicted to generate gases, the CRW will list the potential gaseous products, along with literature citations related to the prediction. The CRW has two modules: one discusses known incompatibilities between certain chemicals and common absorbents which are used in the cleanup of small spills, and the other contains information about known incompatibilities between certain chemicals and materials that are used in the

94

More Incidents that Define Process Safety

construction of containers, pipes, and valving systems on industrial chemical sites. (www.aiche.org/ccps/resources/crw-overview) Bretherick’s Handbook of Reactive Chemical Hazards, 7th Ed. (Bretherick & Urban 2006). Bretherick’s is a 2-volume set of all reported risks such as explosion, fire, toxic, or high-energy events that result from chemical reactions gone astray, with extensive referencing to the primary literature. Essential Practices for Managing Chemical Reactivity Hazards (CCPS 2003). This book provides technical guidance to help small and large companies to identify, address, and manage chemical reactivity hazards. This book includes a flowchart developed for this book. It guides the user through an analysis of the potential for chemical reactivity accidents. The article Screen Your Facilities for Chemical Reactivity Hazards (Johnson and Lodal 2003) summarizes the book and flowchart. Guidelines for Safe Warehousing of Chemicals (CCPS 1998). This book provides an understanding of the potential dangers inherent in warehousing chemicals. It offers a performance-based approach to hazards such as health effects, environmental pollution, fire, and explosion It presents practical means to minimize the risk of these hazards to employees, the surrounding population, the environment, property, and business operations. These basic precepts can be used to evaluate the risks in initial or existing designs for warehousing facilities on a manufacturing site, for freestanding off-site buildings, and for strictly chemical or mid-use storage. Guidelines for Chemical Reactivity Evaluation and Application to Design (CCPS 1995). This book provides principles and strategies for the evaluation of chemical reactions, and for using this information in process design and management. Designing and Operating Safe Chemical Reaction Processes (Health and Safety Executive (HSE) (2009). This free document is for those responsible for the development, design, and operation of chemical plants and processes. It provides

Chapter 2 Reactive Chemical Incidents

95

information on the assessment of chemical reaction hazards for batch and semi-batch processes, and for the design, operation, and modification of chemical reaction processes. Chemical Reaction Hazards: A Guide to Safety (Barton & Rogers 1997). This book describes how to assess reactive chemical hazards before designing a plant. There are over 100 case studies. A Checklist for Inherently Safer Chemical Reaction Process Design and Operation (CCPS 2004). CCPS developed a reactive chemicals checklist in 2004. The steps in this list guide the user through the steps of reactive hazard identification and reactor process design considerations. The Risk Analysis Screening Tool (RAST) software and the Chemical Hazard Engineering Fundamentals (CHEF) documentation were developed through the collaborative efforts of volunteers from member companies of the Center for Chemical Process Safety (CCPS) and the European Process Safety Centre. RAST is a screening tool intended to provide users with guidance to assess and help prioritize their company-specific process safety risks by: Effectively performing a Hazards Identification and Risk Assessment (HIRA) Effectively developing incident scenarios based on specific process hazards and operating conditions Providing qualitative Process Hazards Analysis (PHA) Teams with scenarios that can be used in a Hazards and Operability Study (HAZOP), and Fill the void between the qualitative PHA and a Quantitative Risk Assessment with the capability to perform a semi-quantitative Layer of Protection Analysis.

96

More Incidents that Define Process Safety

3 Fire Incidents 3.1 INTRODUCTION Safe handling of flammable and combustible (ignitable) materials is a core competency for the process industries and many others. Flammable releases within congested areas, such as a refinery or chemical complex, or in a building, can lead to explosions (Chapter 4). This chapter will start with a description of a series of metal dust fires at Hoeganaes Corporation because the lack of understanding of the hazards of combustible dust hazards is a frequently recurring problem. The other case studies involve incidents from the oil production and refining industry. This is not surprising given that this industry handles large amounts of flammable materials in complex production operations and the consequences of fires can be very significant. CSB has produced videos that describe the incidents at Hoeganaes, Chevron, and Valero. The videos are excellent learning and safety meeting tools. A few topics appear in multiple incidents in this chapter and are worth highlighting. Emergency Isolation Valves (EIV). In three incidents, the Valero-McKee, Shell, and CITGO refinery fires, fires lasted for days because of the lack of EIVs. When compared with the cost of potential damage, EIVs have high cost/benefit ratio. Compliance with Standards. Of the six incidents described, lack of compliance with standards and regulations was a factor in three: the Hoeganaes metal dust fires, the BLSR Operating Ltd. deflagration, and the CITGO Refinery fire. Auxiliary Operations. Two incidents, the BLSR deflagration and the Shell Refinery fire, involved operations that are not typical for a traditional chemical or petrochemical plant. The Shell Refinery fire is an example of the need to treat all operations with respect for process safety.

Chapter 3 Fire Incidents

97

3.2 HOEGANAES METAL DUST FIRES, TENNESSEE, US, 2011 3.2.1 Summary In 2011, Hoeganaes suffered a series of dust flash fires and a hydrogen explosion that led to a secondary dust flash fire that together caused five fatalities and injured three others (CSB 2011b). The Hoeganaes facility located near Nashville, Tennessee, receives scrap metal and converts it into metal powders after melting and adding various materials to it.

Key Points Process Safety Competency – Understand how process safety underpins all the other elements of process safety. Without understanding what might go wrong, there is no driver to put in place the barriers to prevent such an incident. Compliance with Standards – Build on the experience of others. Standards, regulations, codes, and other guidance documents are created from both the good and bad experiences of others. Incident Investigation – Don’t just investigate. Learn! The purpose of an incident investigation is to learn what happened so that it can be prevented in the future. Choosing not to investigate, or investigating and choosing not to take action, is choosing to risk having an unfortunate repeat.

3.2.2 Description Background. Hoeganaes Corporation melts scrap steel to produce atomized steel and iron powders. The Gallatin, Tennessee, facility has increased their production more than six-fold since beginning operations in the 1980s. Process. Hoeganaes’s main product is a powder that is 99% iron. The process involves melting the iron, then cooling and milling it

98

More Incidents that Define Process Safety

to make a coarse powder. They feed the powder through an annealing furnace, called a “band furnace,” that consists of a 30 meter (100 ft.) long conveyor belt. The furnace has a hydrogenrich atmosphere that reduces oxides and prevents oxidation. Hydrogen is supplied through pipes located in a trench in the floor, which is covered by metal plates. Product from the furnace, called a cake, is sent to a cake breaker and then crushed into a powder with a particle size of 45–150 microns (Figure 3.2-1).

Figure 3.2-1. Fine powdered metal collected from the Hoeganaes plant (penny shown for scale) (courtesy CSB).

Figure 3.2-2. Computer graphic of maintenance workers inspecting bucket elevator (courtesy CSB).

Chapter 3 Fire Incidents

99

What Happened. First incident. On January 31, 2011, operators thought the belt on a bucket elevator used to transfer the powder had become misaligned, which can cause the motor to shut down due to the increased torque. A maintenance mechanic and an electrician came to inspect the equipment (Figure 3.2-2). They did not believe the belt was off track and requested the operator to restart the motor. When the motor started, the vibrations dispersed powder that was on the equipment and floor (Figure 3.2-3). A flash fire occurred almost immediately, engulfing the two workers. Both employees sustained severe burn injuries on a large portion of their bodies and eventually died because of their injuries. Second incident. On March 29, 2011, a Hoeganaes engineer and a contractor were replacing igniters on a band furnace. They had difficulty reconnecting a gas line, and the engineer used a hammer to force the connection. The hammering dispersed large amounts of combustible dust on surrounding surfaces, which ignited almost immediately. The engineer suffered first and second-degree burns, while the contractor was able to escape. The engineer was wearing flame-resistant clothing, (FRC) which may have helped prevent a more serious injury. Figure 3.2-4 is a photo taken at the Hoeganaes plant on February 3, 2011, about two months before this incident, showing the dust that had collected on the surrounding surfaces. Third Incident. On May 27, 2011, operators near a band furnace identified a gas leak coming from a trench that contained piping for hydrogen, nitrogen, and cooling water runoff pipes, in addition to a vent pipe for the furnaces. Mechanics were sent to find and repair the leak. One area operator stood by as the mechanics sought out the source of the leak. Although maintenance personnel knew that hydrogen piping was in the same trench, they presumed that the leak was nonflammable nitrogen because

100

More Incidents that Define Process Safety

Figure 3.2-3. The scene of January 2011 incident (courtesy CSB). of a recent leak in a nitrogen pipe elsewhere in the plant. However, in this case, the source of the leak was a line containing hydrogen. The trench covers were too difficult to lift without machinery. A forklift was used to lift a cover near the leak. As the cover was pulled up by the forklift, friction created sparks, and an explosion occurred. The hydrogen explosion dispersed large quantities of iron dust from rafters and other surfaces in the upper reaches of the building (Figure 3.2-4). Portions of this dust ignited, creating multiple dust flash fires in the area. Three employees died from the burns they suffered in the fire. Later a large hole (approximately 8 cm by 18 cm [3 in by 7 in]) in a corroded section of hydrogen piping was found (Figure 3.2-5).

Chapter 3 Fire Incidents

1 1

Why it Happened. Hoeganaes believed that the metal dust was a weak explosion hazard and so put few mitigation systems in place. Although there was an NFPA standards addressing combustible metals, they did not use the guidance in this practice.

Figure 3.2-4. Iron dust on rafters and overhead surfaces, February 3, 2011 (courtesy CSB).

102

More Incidents that Define Process Safety

Figure 3.2-5. Hole in 4-inch piping after the May 27, 2011 incident (courtesy CSB). 3.2.3 Management System Failures The findings of the CSB report can be broken down into the following process safety pillars and elements: I. Commit to Process Safety 2. Compliance with Standards. Codes covering Hoeganaes’s operations include (dates listed for the codes are for the current editions): NFPA 484, Standard for Combustible Metals (NFPA 2015); NFPA 497, Recommended Practice for the Classification of Flammable Liquids, Gases, or Vapors of Hazardous (Classified) Locations for Electrical Installations in Chemical Process Areas (NFPA 2017a); NFPA 499, Classification of Combustible Dusts and of Hazardous (Classified) Locations for Electrical Installation in Chemical Process Areas (NFPA 2017b). Hoeganaes did not follow many of the provisions of these codes.

Chapter 3 Fire Incidents

1 3

At the time of the incident, NFPA 484 described several requirements for the Hoeganaes facility regarding building construction, manufacturing and processing, storage, housekeeping, electrical, and personal protective equipment. These provisions are in place to help ensure the safe handling of combustible metal dusts. Poor housekeeping can contribute to hazards associated with electrical installations. The National Electrical Code (NEC, NFPA 70) includes special requirements for electrical installations in areas where hazardous materials are present. Both flammable gases (such as hydrogen) and combustible dusts are included in the hazardous materials discussed within the NEC. Much of the guidance and requirements in the NEC is based on recommended practices for classification of hazards and hazardous locations (NFPA 70, 497, and 499). Although not a direct cause of ignition in these incidents, the accumulation of dust within the facility could result in additional hazards related to the use of non-classified electrical equipment in potentially hazardous locations. This further demonstrates the lack of process safety knowledge on the part of the organization. II. Understanding Hazards and Risk 6. Process Knowledge Management. The series of incidents at Hoeganaes underscores the importance of understanding hazards and risk and managing the risk. A key step in determining the appropriate hazard management approach for a facility is to understand and document the potential hazard that needs to be controlled. The hazards associated with metals dusts were well documented in the industry prior to the incidents at the facility; however, Hoeganaes operated in a manner that indicated a lack of knowledge of good dust handling practices. According to the CSB report, a routine insurance audit of the facility in late 2008 noted the need for improved housekeeping due to the explosion hazard presented by powdered metal dusts. The audit also recommended that if the metal dust was

104

More Incidents that Define Process Safety

determined to be explosible, an independent dust hazard analysis and a study of suitable dust mitigation techniques be performed, suggesting they had not already done so. In early 2009, Hoeganaes had several samples of its metal dust tested for explosibility. The results indicated that the dust was combustible, but represented a weak explosion hazard, and was very difficult to ignite (high ignition energy). While the dust testing results triggered an operator training program on combustible dust hazard recognition, additional hazard mitigation controls were not evaluated or adopted. As a result, the combustible dust hazards at the facility remained largely unmitigated. After the incidents, the CSB had combustibility tests done on the Hoeganaes dust. Tests done on the dusts indicate that the iron dust was a weak explosion hazard and relatively hard to ignite, confirming the results Hoeganaes obtained previously. Combustible dusts are frequently assessed on their explosibility, i.e., their rate of pressure rise and total overpressure generated. A key lesson here is that even a weakly explosive and hard-toignite dust is still combustible and therefore still hazardous due to its flash-fire hazards, capable of causing fatalities when ignited. In this case, even though Hoeganaes had the necessary information, they did not fully understand the hazards and risks of combustible dusts. Safe handling of combustible dusts requires an understanding of the materials’ combustibility hazards and appropriate safeguards to manage the associated risks. The importance of housekeeping in a solids-handling facility cannot be overstated. A saying among people familiar with combustible dust hazards is that the three most important precautions are housekeeping, housekeeping, and housekeeping. The large quantities of combustible dust present in the facility, shown in Figures 3.2-3, and 3.2-4, exacerbated all three incidents. Baghouse filtration systems that were supposed to control dust were frequently out of service. The CSB investigators observed that the baghouses leaked when the bags were pulsed. Improvement of housekeeping in several areas of the facility was another recommendation made by the insurer in 2008.

Chapter 3 Fire Incidents

1 5

IV. Learn from Experience 17. Incident Investigation. Learning from experience is another pillar of the CCPS Risk Based Process Safety management principles. The Hoeganaes plant had an incident in 1992 that was very similar to the third incident in 2011. A hydrogen explosion in a furnace dispersed accumulated dust and created a flash fire that severely burned an employee (burns covered over 90% of his body, and he spent a year in a burn unit). In 1996, a metal dust fire (ignited by a cutting operation) occurred in a dust collector, resulting in employee injury due to smoke inhalation. The CSB also noted that operators and mechanics rarely reported flash fires or near-misses that periodically occurred at the facility. Hoeganaes did not learn from its own incidents and near-misses and did not encourage employees to report near-misses. Such reporting could have resulted in improvements in the facility’s hazard analysis and mitigation that may have ultimately prevented or reduced the consequences of future incidents.

3.3 CHEVRON RICHMOND REFINERY FIRE, CALIFORNIA, US, 2012 3.3.1 Summary On August 6, 2012, a piping failure of a 20 cm (8 in.) line occurred at the Chevron Richmond Refinery and subsequently ignited, causing a large fire. The fire engulfed nineteen operators and maintenance personnel, but fortunately all escaped. The smoke plume was visible for miles (Figure 3.3-1). Chevron initiated a Community Warning System Level 3 alert. At or around the same time, a shelter-in-place warning for the cities of Richmond, North Richmond, and San Pablo was issued. A number of people sought treatment, with most cases involving minor complaints of nose, throat, or eye irritation, or respiratory issues. This incident led to a CSB recommendation that the American Petroleum Institute (API) strengthen the language of API RP 939-

106

More Incidents that Define Process Safety

C: Guidelines for Avoiding Sulfidation (Sulfidic) Corrosion Failures in Oil Refineries (API 2009). The state of California formed a working group to study ways to improve oversight of refineries (CalEPA 2014). Along with many other recommendations, one outcome was establishment of an interagency task force to coordinate activities of the many agencies that cover refineries. As a result, California is implementing PSM regulations for refineries.

Key Points Process Safety Culture – Embrace process safety culture from the highest levels in the organization down, not from the bottom up. Otherwise employees will not be sure if management really believes process safety is important. Asset Integrity and Reliability – Understand corrosion damage mechanisms. Make sure that proper metallurgy and inspection protocols are used to minimize the potential for corrosion. Emergency Management – Stand clear! There have been countless instances where people move in close to see the situation, seemingly unaware of the hazards and risks. Crowd control, and even positioning of responders, should be clearly addressed in emergency response plans and drills.

3.3.2 Description Background. Chevron is a large international company with their headquarters in San Ramon, California. At the time, Chevron operated seven refineries, five of which are in the United States.

Chapter 3 Fire Incidents

1 7

Figure 3.3-1. Vapor cloud and ignition seen from Marin County (courtesy CSB). Process. The crude oil separation process is the start of the oilrefining process. Crude oil is heated and separated into several fractions by distillation (see Figure 3.3-2 for a generic PFD of the crude oil separation process). At the Richmond refinery, the light gas oil fraction from the Crude Unit, called the Crude Unit #4 sidecut, was drawn off the column through a 51-centimeter (20in.) line, which was then split into a 30-centimeter (12 in.) line and a 20-centimeter (8-in.) line. The Crude Unit #4 sidecut conditions were 338°C (640°F) and 3.8 barg (55 psig). What Happened. Figure 3.3-3, a timeline for the incident, provides a brief, illustrated summary of the events leading to the release and fire. The leak was discovered in the Crude Unit #4 sidecut at 3:50 PM (see Figure 3.3-4). The operator who discovered the leak then notified the head operator and a shift leader. Shortly afterward, the plant fire department was called to provide assistance. Approximately 15 minutes after the discovery of the leak, the fire department took command of the incident and set up a hot zone of 6 m by 6 m (20 ft. by 20 ft.) around the leak. At around the same time, the board operator began reducing the feed rate in the Crude Unit #4 sidecut, per the refinery’s normal shutdown procedure.

108

More Incidents that Define Process Safety

Other refinery personnel, including managers, engineers, and inspectors, came to the area to assist in determining how to respond to the leak. The fire department performed gas testing and determined the atmosphere around the leak was not flammable. Believing the leak to be minor in nature, operations and fire department personnel decided to remove insulation from an area of the pipe downstream of the leak to determine whether it could be repaired while running. The fire department set up fire monitors outside of the hot zone to cover the leak area as a precaution.

Figure 3.3-2. Atmospheric separation process flow diagram (courtesy OSHA).

Chapter 3 Fire Incidents

Figure 3.3-3. Timeline (courtesy CSB).

Figure 3.3-4. Location of the leak (courtesy CSB).

1 9

110

More Incidents that Define Process Safety

When firefighters tried to remove the insulation near an elbow downstream from the component that failed, a small flash fire ignited. That fire was quickly extinguished. The fire department next tried to remove the insulation, near the elbow downstream of the component that failed, with a stream of water from fire hoses. After shutting the water off to assess the insulation removal, the firefighters observed that the volume of the leaking material was increasing, and a decision was made to initiate an emergency shutdown of the unit. Moments later, a white cloud formed and enveloped the Crude Unit #4 and the personnel in the vicinity and downwind processing plants. The leak ignited approximately two minutes later. Why it happened. The loss of containment was caused by sulfidation corrosion, which causes the thinning of steel due to a reaction between iron and sulfur. Sulfidation corrosion is due to the reaction between sulfur compounds, especially H2S, and iron at temperatures of 232–427°C (450–800°F). In pipes, this damage mechanism causes gradual thinning of materials that over time may result in the failure of piping.

Figure 3.3-5. Ruptured Crude Unit #4-sidecut pipe at Chevron refinery (courtesy CSB).

Chapter 3 Fire Incidents

111

Crude oil commonly contains sulfur compounds, such as hydrogen sulfide (H2S), that can lead to sulfidation corrosion in steel piping and components. Carbon steel, and other lowchromium steels (i.e., < 0.1% chromium), have a lower degree of resistance to sulfidation corrosion. For this reason, continual monitoring and consideration of high-chromium-content steel alloys are important aspects of sulfidation corrosion management. The American Petroleum Institute (API) publishes a Recommended Practice (RP) about it: 939-C Guidelines for Avoiding Sulfidation (Sulfidic) Corrosion Failures in Oil Refineries (API 2009). API 939C states that using higher alloy steel to protect against sulfidation corrosion is preferable to relying on inspection, but, as a recommended practice, 939-C does not require either replacement of low-alloy steels or 100% inspection. Standard inspection methodologies call for measurement of pipe thickness at a certain number of permanent monitoring locations. Prior to the fire, the Richmond refinery had increased the number of condition monitoring locations (CMLs) on the individual circuit to nineteen, within the Crude Unit #4 sidecut that ultimately failed. However, there were no CMLs on the pipe component that ultimately failed. There are many factors that affect sulfidation corrosion. For instance, lower silicon content can result in increased rates of sulfidation corrosion in carbon steel piping. However, carbon steel piping was not manufactured to meet a specified minimum silicon content until the mid-1980s. As a result, piping installed prior to that time may have varying silicon content. Post-incident testing determined the Crude Unit #4 sidecut component that failed contained lower silicon levels than other sections of the Crude Unit #4 sidecut. Relying on the expanded inspection data at the 19 CML locations, as well as non-CML locations, did not reveal the extent of corrosion of the piping component that failed. Figure 3.3-5 is a photo of the ruptured pipeline.

112

More Incidents that Define Process Safety

3.3.3 Management System Failures I. Commit to Process Safety 1. Process Safety Culture. The CSB noted that the Chevron safety program used a “bottomup approach, relying on individual personal assertions and initiatives to implement important new safety programs.” CSB also stated, “The failure to prevent this incident is indicative of a fragmented process safety management approach that placed responsibility to implement key process safety recommendations on lower-level employees without sufficient recommendationapproval and funding authority” (CSB 2015). 2. Compliance with Standards. Several American Petroleum Institute (API) recommended practices cover sulfidation corrosion: API RP 939-C: Guidelines for Avoiding Sulfidation (Sulfidic) Corrosion Failures in Oil Refineries; API RP 571: Damage Mechanisms Affecting Fid Equipment in the Refining Industry; API 570: Piping Inspection Code: In-Service Inspection, Rating, Repair, and Alteration of Piping Systems; API RP 578: Material Verification Program for New and Existing Alloy Piping Systems; API RP 574: Inspection Practices for Piping System Components. The CSB noted that these codes were not consistent in their treatment of sulfidic corrosion. API 939-C does not specify the need for 100% component inspection. CBS recommended 939-C incorporate this, and that the other codes refer to it. One code, (API 570) states that sulfidation corrosion is a uniform phenomenon and that 100% inspection is not necessary. As of the writing of this book, the CSB recommendations to API have not been implemented.

Chapter 3 Fire Incidents

113

III. Manage Risk 10. Asset Integrity and Reliability. Asset integrity helps ensure that equipment remains fit for use until it is retired. In 2009, Chevron updated inspection strategies for sulfidation corrosion. This guidance went beyond the codes and standards in existence at that time and recommended performing a one-time 100% component inspection on certain piping to look for sulfidation corrosion. While the Richmond refinery began the process of implementing the 2009 guidelines, the recommendation to perform a one-time 100% component inspection had not been built into the inspection plan for all of the piping circuits potentially susceptible to sulfidation corrosion at the time of the August 6, 2012, incident. Rather than performing 100% component inspection, the Richmond refinery’s reliability group instead recommended replacement of three carbon steel circuits within the Crude Unit #4 sidecut with higher alloy steel during the 2011 turnaround. After conducting additional expanded inspections during the 2011 turnaround, two of the three circuits were replaced. However, the turnaround team concluded the expanded inspection data demonstrated that the third circuit that ultimately failed had sufficient remaining life and therefore did not warrant replacement. The inspector thereafter placed that circuit on an increased inspection frequency. There was no recommendation to perform 100% component inspection on the circuit that remained in place, nor was there a process in place at the Richmond refinery to assess whether and to what extent to turn the ETC 100% component inspection guidance into a refinery policy. 16. Emergency Management. The Richmond refinery operator guidance on how to respond to leaks was lengthy and potentially unclear prior to the August 2012

114

More Incidents that Define Process Safety

fire. Believing the leak was minor, refinery personnel continued to evaluate the leak in the vicinity of the leak. As a result, the fire truck deployed to the area, while outside the established hot zone, was ultimately destroyed in the fire. Efforts to determine the size of the leak, using a pike pole, and eventually blasting with fire hoses, made the leak worse. In response to these problems, the Richmond refinery developed a new Leak Response Protocol (LRP), see Figure 3.3-6. This new protocol is intended to be clearer, with less steps, in an effort to make it easier to implement in response to a leak.

Figure 3.3-6. Chevron’s new Leak Response Protocol (courtesy CSB).

Chapter 3 Fire Incidents

115

3.4 VALERO-MCKEE LPG REFINERY FIRE, TEXAS, US, 2007 3.4.1 Summary On February 16, 2007, an LPG release from cracked piping in the propane deasphalting (PDA) unit of Valero’s McKee refinery ignited. The resulting fire burned for about two days. There were four serious injuries, the entire refinery had to be evacuated, there was $50 million in property damage, and the refinery was shut down for two months. This incident illustrates the concept of “knock-on” effects, i.e., new incidents triggered by the initial incident. This fire triggered two near-misses, whose consequences could have been worse with slight changes in conditions, such as wind direction. The heat from the fire triggered a release of 1,134 kg (2,500 lb.) of chlorine from three one-ton cylinders and blistered the paint on a nearby butane storage sphere (CSB 2008a).

Key Points Compliance with Standards – Use good practices to prevent potential failures. When designing equipment to control a hazard, consider the mechanism and likelihood that the equipment could fail. If the consequences of failure are significant, multiple or more robust controls could be warranted. Hazard Identification and Risk Analysis – Do a good job on hazard identification. Operator participation is essential, and alternating revalidation with a complete redo is often a good idea. If the team fails to consider topics such as facility siting and dead legs, then those potential hazards will remain unidentified and uncontrolled. Management of Change – Understand how changes can impact existing protection systems. Unmanaged change can introduce new hazards and render existing protections ineffective. In this case, an abandoned line from a piping modification was not reviewed.

116

More Incidents that Define Process Safety

3.4.2 Description Background. The Valero-McKee Refinery was originally built in 1933 and has been modified over the years. The refinery joined Valero as part of the Ultramar Diamond Shamrock merger in 2001. Process. The PDA unit removes paving-grade asphalt from heavy bottoms from the oil fractionation unit. Liquid propane is the extraction solvent. The unit operates at about 34.5 bar (500 psi). The PFD in Figure 3.4-1 illustrates the steps in the process. What Happened. On the morning of the incident, the temperature dropped to -14°C (6°F), causing water in a dead-leg to freeze and subsequently cracking the pipe (Figure 3.4-3). When the temperature rose in the afternoon, the ice thawed, and the release of propane vapor began. The estimated release rate was 2,041 kg (4,500 lb.) per hour. The wind blew the propane vapor cloud toward a boiler, which was the likely ignition source. The resulting jet fire impacted a steel support column that had not been fireproofed, causing it to collapse. This led to further piping failures and releases of combustible petroleum products, which further fueled the fire. High winds hindered emergency response efforts to fight the fire. These factors led to the evacuation of the entire refinery 15 minutes after the fire started, which likely saved lives. The fire heated three 907 kg (1 ton) chlorine cylinders, causing the fusible plugs to melt and release about 2,268 kg (2.5 tons) of chlorine. Chlorine was used as a biocide in cooling towers. The paint on a nearby 1590 m3 (420,000 gal.) butane storage sphere blistered due to fire. The heat prevented emergency responders from accessing nearby fire monitors to protect the sphere. Fortunately, the wind direction was away from the sphere, keeping flames from affecting it even more. Figure 3.4-4 shows location of chlorine shed and butane storage tank with respect to the PDA unit. The main feeds and fuel gas supply to the refinery were shut off. Eventually emergency response teams were able to enter the

Chapter 3 Fire Incidents

117

Figure 3.4-1. Process Flow Diagram of PDA unit (courtesy CSB).

Figure 3.4-2. Abandoned propane mix control station (courtesy CSB).

118

More Incidents that Define Process Safety

area and shut off other fuel sources, although chlorine and sulfuric acid leaks hampered this effort. The fire burned for two days. Why it Happened. About 15 years before the incident, a process modification occurred, and the original control station was abandoned in place. (Figure 3.4-2) This created a dead-leg into which water and propane could collect (the propane contained small amounts of water). To compound the problem, a foreign object had become lodged in the 25 cm (10 in.) gate valve, preventing it from being fully closed.

Figure 3.4-3. Crack in the propane mix control station piping (courtesy CSB).

Chapter 3 Fire Incidents

119

Figure 3.4-4. Photograph of damaged PDA unit, showing the location of butane sphere and chlorine cylinders (courtesy CSB).

3.4.3 Management System Failures I. Commit to Process Safety 2. Compliance with Standards. Relying on a single standard control valve to isolate a system is not good practice. Many incidents have been caused by a leaking valve. Good engineering practice, at a minimum, would have been to install a blind in the system. An inherently safer practice would have been to remove the abandoned pipe. Indeed, one inherently safer design principle is simplification: the design of facilities and processes to eliminate unnecessary

120

More Incidents that Define Process Safety

complexity and reduce the chance for errors (CCPS 2009). A checklist of inherently safer technologies includes the alternative “elimination of all unnecessary cross connections” (CCPS 2009). Another inherently safer design strategy is a substitution, i.e., substituting hazardous materials with less hazardous ones. The Valero refinery used chlorine as a biocide for cooling towers, which was released when the chlorine cylinders were exposed to the heat from the fire. Biocides that are less hazardous than chlorine could have been used, eliminating this hazard altogether. This fire was a jet fire, i.e., one coming from a pressurized source. Shutting off the fuel supply will stop a jet fire. The refinery did not have sufficient Remote Shutoff Valves (RSOVs), which impeded control of the fire, allowing it to burn for two days before being extinguished. (The operators had to shut down the main feeds and fuel gas supply.) The Valero refinery had an Emergency Isolation Valve (EIV) Standard. This called for emergency isolation valves on units containing more than 4,536 kg (10,000 lb.) of a material like propane. A PHA in 1996 recommended installing EIVs in the PDA unit, but the action was not implemented (CSB 2008a). II. Understand Hazards and Risk 7. Hazard Identification and Risk Analysis. A PHA had been conducted on the process, however, the PHA was inadequate. For example, the U.S. OSHA PSM standard, which covers this process, requires that facility siting be addressed in the PHA. However, the risks associated with the location of the chlorine shed were not addressed. The hazards of the dead-leg were also not recognized. Correct application of HAZOP guidewords could have identified this hazard. Interviews conducted during the investigation discovered that operators were not effectively engaged in the 2006 PHA (CSB 2008a). Note that this PHA would have been a revalidation, as there was one in 1996, and, presumably in 2001.

Chapter 3 Fire Incidents

121

A properly conducted PHA revalidation would check if recommendations from previous PHAs had been implemented. Also, alternating revalidations with complete redoing of the PHA is a good idea (Young and Oelner 2018). The 2006 PHA did not apply the Valero EIV standard nor did it confirm previous PHA recommendations had been implemented. Thus 1996 PHA recommendations that EIVs be installed were not reviewed. III. Manage Risk 13. Management of Change. An MOC was not performed when the piping change was made. A formal MOC review could have identified the potential hazards of a dead-leg.

3.5 BLSR DEFLAGRATION AND FIRE, TEXAS, US, 2003 3.5.1 Summary During unloading of a vacuum truck (Figure 3.5-1) into an open pit, hydrocarbons in basic sediment and water from oil exploration and production ignited. Two trucks were destroyed, and the unloading area was seriously damaged. This event is notable for two things. First, the flammability hazard of the wastewater was not widely recognized in the recovery business. This is also not always recognized in the chemical process industry. Second, auxiliary operations, such as vacuum truck loading and unloading, can create hazards that need to undergo a risk analysis like any other potentially hazardous operation.

122

More Incidents that Define Process Safety

Figure 3.5-1. Typical vacuum truck used to haul oilfield waste liquids (courtesy CSB).

Key Points Compliance with Standards – Don’t forget the basics. Some standards are very basic, but that does not mean that they are not important. Workers have a right to know what materials they are handling. They should have access to SDS’s and instruction on how to safely handle hazardous materials. Operating Procedures – Procedures are not just about the process. Operating procedures should address all aspects that could present a hazard. Controlling ignition sources is a fundamental aspect of safe operations. Vehicles are an ignition source that must be controlled where flammable materials may be present.

Chapter 3 Fire Incidents

123

3.5.2 Description Background. The BLSR facility has been in operation since the mid1980s. It is permitted by the Texas Railroad Commission to operate waste injection wells. Process. The gas stream from an exploration and production (E&P) operation (Noble Energy in this case) contains solids, water, and liquid hydrocarbons. This mixture goes through separators that separate the water and hydrocarbons (as a condensate). The condensate still contains water and is stored in tanks, where the water is separated from the hydrocarbons, with the water being the bottom layer, basic sediment and water (BS&W). The E&P company sells the top layer to refineries. Two or three times a week a vacuum truck operated by a waste hauler draws off the BS&W layer for disposal at an approved site. The vacuum truck operator conducts the entire operation: identifying the tank, connecting the truck, drawing off the BS&W layer, and disconnecting the truck. In this case, T&L Environmental Services was the truck operator, and BLSR operated the disposal site. At the BLSR facility, there were separate tanks for collecting what was considered by the truck driver to be clean fresh water, saltwater, and condensate. There was also an open disposal/washout pad. BS&W was usually unloaded at the disposal/washout pad. This pad (Figure 3.5-2) was a covered, 14.6 m by 19.8 m (48 ft. by 65 ft.) pit with pumps and equipment for handling drilling mud and viscous materials from E&P and pipeline operations (Figure 3.5-3). Drivers were supposed to unload “dirty” water (containing solids such as drilling mud) at the disposal and washout pad. What Happened. On the afternoon of January 13, 2003, two vacuum trucks collected BS&W from the tanks at Noble Energy. The amount of BS&W was recorded by the operator at Noble Energy as 7.3 m3 (46 barrels). The vacuum truck driver reported that 7.9 m3 (50 barrels) were removed. The trucks backed up to the disposal pit, informed the BLSR operators the trucks were ready for unloading, and went to a shed

124

More Incidents that Define Process Safety

for drivers, leaving the truck engines running. At the time, the drilling mud in the pit was being diluted with water using the hydraulic pumps to recirculate the pit contents. The valves on the trucks were opened to drain the BS&W. After three to five minutes, eyewitnesses said that one of the truck engines began to violently race and that black smoke was blowing from the exhaust. Backfiring was heard, prompting the truck drivers to leave the shed and begin running toward the trucks. The second truck engine also began to race. At that point, ignition occurred, and there was a deflagration. There were three fatalities resulting from burns from the incident (two BLSR employees and a truck driver; one after fortysix days). Three BLSR employees were also seriously burned. Figure 3.5-4 shows the damaged trucks and disposal pit area. Why it Happened. BS&W in the storage tanks always contains some flammable hydrocarbons. The actual flashpoint of any given truckload of BS&W depends on how much time the organic and

Figure 3.5-2. Disposal/washout pad, hydraulic pumps and wooden stop beam (courtesy CSB).

Chapter 3 Fire Incidents

125

Figure 3.5-3. Layout of disposal/washout pad, vacuum trucks, and injuries (courtesy CSB). aqueous layers in the tank have to settle and separate, how rapidly the tank is drained, and how the truck driver drains the tank. Given the average hold times and the lack of set procedures, the liquid in the trucks will likely always be flammable. Samples taken by the CSB of BS&W from the Noble Energy site had a flashpoint of -1°C (30°F). This flammable material was emptied into an open pit in an area with no provisions for ignition control, allowing the flammable vapor to freely disperse and find an ignition source, in this case, the truck engines.

126

More Incidents that Define Process Safety

Figure 3.5-4. Damaged trucks and disposal/washout pit area (courtesy CSB).

3.5.3 Management System Failures I. Commit to Process Safety 2. Compliance with Standards. Noble Energy and BLSR did not comply with the U.S. OSHA hazard communication standards that requires and employer to communicate with and train workers about the hazards of handling flammable liquids. Noble Energy did not supply SDS’s for the BS&W. BLSR did not comply with standards about electrical equipment and control of ignition sources in an area handling flammable liquids. The shipper did not comply with DOT shipping regulations to properly identify the BS&W as a flammable liquid. II. Understand Hazards and Risk 6. Process Knowledge Management.

Chapter 3 Fire Incidents

127

None of the companies involved knew or understood that they were handling a flammable material. The E&P owner/operator (Noble Energy) should have known about the flammability hazards and communicated this information to the field operators. Because of this failure to recognize or communicate the applicable hazards, both the waste transport company (T&L) and the disposal company (BLSR) treated the waste liquid as nonflammable. III. Manage Risk 8. Operating Procedures. Noble Energy did not have written procedures for loading waste trucks. Consequently, trucks contained varying amounts of flammable material, depending on how the waste tanks were drained. BLSR did not have written procedures for determining where a waste truck was unloaded, for truck unloading, or for emergency response. As a result, not only was the truck unloaded with the engine running but when the truck engine began to overspeed (a sign that flammable vapors had entered the diesel engine), employees ran toward the hazard rather than away from it. 11. Contractor Management. Noble Energy did not inform the waste hauler contractor of hazards, nor did they provide them with hazard information in the form of an SDS. Checking that contractors are qualified to do the job is also a part of contractor management.

3.6 SIMILAR INCIDENTS 3.6.1 Shell Refinery Fire, Singapore, 2011 On September 28, 2011, a fire occurred at the Royal Dutch Shell oil refinery on Pulau Bukom. The fire began near a system of pipelines carrying various petroleum products. Reports stated the fire occurred when naphtha oil from a pipeline was being drained

128

More Incidents that Define Process Safety

into an open plastic tray, allowing a flammable vapor cloud to develop. The Singapore Ministry of Manpower (MOM) noted that no gas monitors were used during the operation. They concluded that a static spark likely ignited the naphtha vapor. The fire covered a 176 m by 65 m (577 ft. by 213 ft.) area and lasted for thirty-two hours before being extinguished. In this case, Shell did not follow adequate Safe Work Permit procedures (MOM 2011, MOM 2011b).

3.6.2 CITGO Refinery Fire, Texas, US, 2009 On July 19, 2009, a release of flammable hydrocarbons occurred in a hydrogen fluoride (HF) alkylation unit at CITGO’s Corpus Christi East Refinery. The hydrocarbon vapor cloud spread to an adjacent unit and ignited. The fire led to the release of about 19,051 kg (42,000 lb.) of HF. An HF water mitigation system was activated and captured most of the HF. CITGO reported that the water (99.9% removal efficiency) did not capture 13.6 kg (30 lb.) of HF. The CSB stated that a 90% efficiency, which it believes was a more reasonable factor, would have meant using a 90% removal efficiency, 1,905 kg (4,200 lb) would have been released. The fire caused multiple injuries and lasted for several days. The cause of the initial release was a control valve that failed to close, leading to shaking of the process recycle piping at two threaded connections (CSB 2009). The CSB noted that CITGO had not performed regular safety audits of the HF alkylation as recommended by API RP 751, Safe Operation of Hydrofluoric Acid Alkylation Units.

3.7 ADDITIONAL RESOURCES The following resources are available for helping to understand and protect against fire hazards. National Fire Protection Association (NFPA) codes. The NFPA is a trade association that generates many codes addressing fire and electrical hazards. The codes are often adopted by local

Chapter 3 Fire Incidents

129

authorities, making the code legally enforceable in that jurisdiction. These codes are a good source fire protection and suppression knowledge. Of note are: NFPA 30 Flammable and Combustible Liquids Code, and NFPA 70 National Electrical Code. There are numerous other codes addressing water and foam suppression sprinkler systems, storage systems, and fire pumps. American Petroleum Institute (API) recommended practices. The API is an industry trade association. API committees have generated recommended practices that address many segments of the oil and natural gas industry. A number of these recommended practices address process safety and fire protection. Of note are: API RP 752 Management of Hazards Associated with Location of Process Plant Permanent Buildings, API RP 753 Management of Hazards Associated with Location of Process Plant Portable Buildings, and API RP 2001 Fire Protection in Refineries. FM Global Property Loss Prevention Data Sheets. FM Global is an insurance company that has used its loss experience to generate data sheets on a number of topics. These data sheets are intended to reduce the chance of property damage. Topics of interest include industrial boilers, gas turbines, and extinguishing systems. Guidelines for Evaluating Process Plant Buildings for External Explosions, Fires, and Toxic Releases, 2nd Edition (CCPS 2012a). Siting of permanent and temporary buildings in process areas requires careful consideration of potential effects of explosions and fires arising from accidental release of flammable materials. This book, updated from the 1996 edition, provides a singlesource reference that explains the American Petroleum Institute (API) permanent (752) and temporary (753) building recommended practices and details how to implement them. New coverage on toxicity and updated standards are also included.

130

More Incidents that Define Process Safety

Guidelines for Vapor Cloud Explosion, Pressure Vessel Burst, BLEVE and Flash Fire Hazards, 2nd Edition (CCPS 2011). This guide provides an overview of methods for estimating the characteristics of VCEs, flash fires, and boiling liquid expanding vapor explosions (BLEVEs) for practicing engineers. It has been updated to include advanced modeling technology, especially with respect to vapor cloud modeling and the use of computational fluid dynamics. The text also reviews past experimental and theoretical research and methods that may be used to estimate consequences. This manual is heavily illustrated with photos, charts, tables, and diagrams.

Chapter 4 Explosion Incidents

131

4 Explosion Incidents 4.1 INTRODUCTION CCPS defines an explosion as “a release of energy that causes a pressure discontinuity or blast wave,” NFPA defines it as “the bursting or rupture of an enclosure or container due to the development of internal pressure from a deflagration.” There are two major kinds of explosions: physical and chemical (Figure 4.1.1). Physical explosions are caused by the release of mechanical energy. The term “physical explosion” includes vessel ruptures, BLEVEs, and rapid phase transition. A vessel rupture occurs from a material defect or from a pressurization that exceeds the mechanical strength of the vessel. BLEVE is defined by CCPS as “a type of rapid phase transition in which a liquid contained above its atmospheric boiling point is rapidly depressurized, causing a nearly instantaneous transition from liquid to vapor with a corresponding energy release. A BLEVE of flammable material is often accompanied by a large aerosol fireball, since an external fire impinging on the vapor space of a pressure vessel is a common cause. However, it is not necessary for the liquid to be flammable in order to have a BLEVE occur”. A rapid phase transition can occur when a material is exposed to a heat source. This increases the material’s volume, which increases the pressure in the container. Chemical explosions are caused by chemical reactions and can be uniform or propagating reactions. Uniform reactions occur throughout the space of the reaction mass, such as a runaway reaction in a reactor. A propagating reaction, e.g. combustion, moves through the mass of the reactant, such as in a VCE. A deflagration occurs when the speed of the reaction front is less than the speed of sound. A detonation occurs when the speed of the reaction front is equal to or greater than the speed of sound.

132

More Incidents that Define Process Safety

When the chemical reaction occurs in the solid or liquid phase, it is called a “condensed phase explosion.” The book Understanding Explosions (Crowl 2003) provides information on explosions to those involved with the design, operation, maintenance, and management of chemical processes. Table 4.1 provides examples of the various types of explosions and notes where they are described in this book. Figure 4.1-1 summarizes the types of explosions and their causes. This figure also illustrates that some incidents can involve multiple types of the explosion, for example, a vessel rupture leading to a BLEVE.

Figure 4.1-1. Relationships between the different types of explosions. It is possible for several to occur with any incident (courtesy Crowl 2003).

Chapter 4 Explosion Incidents

133

EXPLOSION TYPE

EXAMPLES

Rapid phase transition

Hot oil pumped into a vessel containing water (note: no incidents of this type included)

BLEVE

Vessel isolated from its pressure relief device Section 4.5 – Williams Geismar Heat Exchanger Rupture/Explosion Rupture of a flammable gas railcar exposed to fire (note: no incidents of this type included)

Vessel rupture

Mechanical failure of a vessel at high pressure Section 4.11 – NDK Vessel Rupture Failure of a relief device during overpressure Section 4.5 – Williams Geismar Heat Exchanger Rupture/Explosion

Uniform reaction (aka condensed phase explosions)

Runaway reactions Section 2.2 – T2 Labs Reaction/Explosion Section 2.8 – Port Neal Ammonium Nitrate Decomposition reactions Section 2.6 – West Fertilizer Section 2.7 – Tianjin Explosion

134

More Incidents that Define Process Safety

Propagating reactions Deflagrations (flame front advances at < speed of sound in the unburned cloud)

Combustion of flammable vapors or dust

Detonation (flame front advances at speed of sound in the unburned cloud)

Combustion of flammable vapors

Section 4.6 – Imperial Sugar Dust Explosion Section 4.7 – Hayes Lemmerz Dust Explosion Section 4.8 – Varanus Island Pipeline Rupture/Explosion Section 4.9 – Multiple Natural Gas Explosions Section 4.10 – Oil Storage Tank Explosion

Section 4.2 – Buncefield Section 4.3 – Jaipur

Table 4.1 Examples of various types of explosions (adapted from Crowl 2003).

Note to Readers: In the previous chapters, similar incidents were listed as a separate section at the end of the chapter. In the case of explosions, there are so many other examples that only a few similar incidents were selected and were combined with the full descriptions of the incident they were similar to.

Chapter 4 Explosion Incidents

135

4.2 BUNCEFIELD STORAGE TANK OVERFLOW AND EXPLOSION, UK, 2005 4.2.1 Summary A delivery of gasoline (petrol) from a pipeline into a storage tank in the Buncefield depot began on Sunday morning, December 11, 2005. The level control and shutoff systems in place failed to operate. The tank overflowed, and gasoline cascaded down the side of the tank. The Major Incident Investigation Board (MIIB) reported that up to 272 metric tons (300 tons) of gasoline had escaped from the tank (MIIB 2008a). About forty-five minutes after the release started, a series of explosions took place. The main explosion appears to have been centered on car parking lots just west of the depot. This explosion was massive and generated overpressures higher than would have been expected in a normal VCE. Some have speculated it was a deflagration to detonation transition (DDT) event. Forty-three people were injured and about 2,000 were evacuated from the area. If the incident had happened on a weekday, it could have resulted in more injuries and even fatalities. The explosions caused the largest fire in peacetime Europe, engulfing more than twenty large storage tanks over a large part of the Buncefield depot. The fire burned for five days, destroying most of the depot (Figure 4.2-1). In addition to destroying large parts of the depot, there was widespread damage to surrounding property and disruption to local communities. Houses close to the depot were destroyed, and others suffered severe structural damage. Buildings as far as 8 km (5 miles) from the depot suffered damage such as broken windows and damaged walls and ceilings. The MIIB estimated the cost of the incident was £1 billion (about $1.35 billion as of mid2017).

136

More Incidents that Define Process Safety

Figure 4.2-1. Buncefield storage depot after the explosion and fires (courtesy Buncefield).

The occurrence of a detonation, which produces much higher overpressures than a deflagration, was a surprise to experts who, prior to the event, did not expect a gasoline tank farm VCE could make the deflagration to detonation transition. The MIIB recommended that research be done to understand why the DDT occurred. The results of this research are documented in the Buncefield Explosion Mechanism Phase 1 (Health and Safety Executive (HSE) 2009a).

Key Points Process Safety Culture – Do not “live with” frequent instrument failures. A good process safety culture investigates to find out what is causing the failures and addresses the problem. Thus, the barrier against a process safety incident remains healthy.

Chapter 4 Explosion Incidents

137

Compliance with Standards – A process should be designed with layers of protection sufficient for the magnitude of the risk. Management of Change – A large change in throughput is a change that should be managed. Changes should be evaluated to understand implications on equipment, operations, and provision of adequate staffing.

4.2.2 Description Background. The Buncefield depot is a large tank farm near Hemel Hempstead in Britain. The Buncefield depot was constructed in 1968. At the time of the incident, there were three sites at the depot operated by Hertfordshire Oil Storage (a joint venture between Total and Chevron), British Pipeline Agency (a joint venture between Shell and BP), and BP. Process. The Buncefield depot, or tank farm, was a large site that stored gasoline, heating oil, and aviation fuel in over twenty-five storage tanks (Figure 4.2-2). The fuels were received via two 0.25 m (10 in.) and one 0.36 m (14 in.) pipelines. Gasoline and heating oil from the tanks were offloaded into trucks for delivery, and the jet fuel was sent out by pipeline. The depot was about 4.8 km (3 mi) away from the center of the nearest town, Hemel Hempstead. The storage tank involved was Tank 912. Tank 912 was a 6,000 m3 (1.6 million gal.) floating roof tank with an automatic tank gauging (ATG) system that was monitored in the control room. From the control room, operators could operate the appropriate valves to shut off and/or divert flow from Tank 912 to other tanks. The high and high-high level alarms could be set/changed by the supervisors. Tank 912 also had an independent high-level switch (IHLS) that would stop the incoming flow at a high-high level by closing the inlet valves and provide an audible and visual alarm in the control room. What Happened. The tank started receiving gasoline containing 10% isobutene at a rate of about 550 m3/hr (145,294 gal/hr). around 7:00 p.m. on Saturday evening. At 3:00 a.m. on Sunday,

138

More Incidents that Define Process Safety

the tank was about 2/3 full, but the level gauge stopped recording any further increase in level despite filling continuing. The independent high-level switch (IHLS) shutdown also failed to stop flows to the tank. At about 5:20 a.m. the tank began to overflow and flow into the tank continued, even increasing in rate to about 890 m3/hr. (235,113 gal/hr.). As fuel continued to overflow from Tank 912, a vapor cloud up to 2 m (6.6 ft.) tall, and covering an area of about 500 by 350 m (1640 by 1148 ft.) formed, engulfing a large portion of the facility (Figure 4.2-3) (HSE 2017). The first explosion occurred at 6:01 a.m. Initially, the ignition source was hard to determine. Candidates included a pump house, heaters in the emergency generator building, and car engines (witnesses stated their cars began to run erratically, (i.e. surging due to drawing in fugitive gasoline vapors). Subsequent analysis (see below) has settled on the pump house as the initial site of ignition. Further explosions occurred, eventually engulfing the entire facility in fire.

Figure 4.2-2. Buncefield storage depot before the explosion (courtesy Buncefield).

Chapter 4 Explosion Incidents

139

Figure 4.2-3. Buncefield site – the extent of vapor cloud (gray line) (courtesy HSE). Why it happened. The IHLS did not function because a test lever for the switch had not been locked in the neutral position. The lever enabled testing of the high-level and low-level function of the IHLS. Failure to lock the lever in the middle position allowed it to slip into the low-level test position, thereby disabling the highlevel function. Experts were surprised by the severity of the damage resulting from the explosion given the low level of congestion at the site. The extent of the damage led experts to conclude that a DDT occurred. This conclusion led to recommendations to conduct further study of DDT mechanisms.

140

More Incidents that Define Process Safety

Figure 4.2-4. Breakup of liquid into drops spilling from tank top (adapted from HSE). The following factors contributed to the DDT: Mist formation as the gasoline spilled over the top of the storage tank; Low or no wind causing little dispersion and dilution of the flammable cloud; Strong ignition source from the pump house; Obstruction by hedgerows and trees, providing an elongated path for DDT. Mist formation. Normally, a spill of a liquid from a storage tank would be modeled as evaporation from the pool created by the spill. As the gasoline spilled from the top of Tank 912, liquid droplets formed, enabling transport of air into the vapor cloud (Figure 4.2-4). (Mists can also increase the hazard of a flammable release because they can ignite at temperatures below their flashpoint, although that was not the case in this incident.) Low or no wind speed. A lack of wind meant the cloud did not disperse. When dispersion occurs, the concentration of vapor in the cloud is reduced by entrainment of air. At Buncefield, the lack of dispersion led to the formation of a large vapor cloud. Nearly all of the vapor cloud was in the flammable range.

Chapter 4 Explosion Incidents

141

Strong ignition source. The pump house was located near Tank 912 and was completely engulfed by the vapor cloud. The ignition source in the pump house led to an explosion inside the pump house. This explosion created a strong ignition source that also created turbulence around the pump house, leading to a strong external explosion and the DDT. Congestion due to vegetation. There were hedgerows near the pump house that served as obstruction and congestion in the vapor cloud. Also, there was a tree-lined street next to the facility that caused further acceleration of the flame front and led to detonation. It came as a surprise to investigators that vegetation could do this, in effect acting similarly to a pipe rack. Note on detonations. The report, Review of vapour cloud explosion incidents (HSE, 2017), has challenged the conclusion that the Buncefield explosion, and several others, was a detonation, based on the nature of some of the physical damage at the explosion sites. It hypothesizes that there can be a mechanism in between a VCE and a detonation, and the HSE has called for further investigation of this phenomenon. Interested readers can obtain and read the HSE report. For brevity, this book will continue to refer to the Buncefield and Jaipur explosions as detonations. The important thing to remember is that with these types of events, the potential damage may be much worse than the commonly used consequence models might indicate.

4.2.3 Management System Failures I. Commit to Process Safety 1. Process Safety Culture. The ATG system had malfunctioned (not registering a level change) fourteen times in the three months prior to December 11. Each time, it had been repaired by either the operators or the maintenance crew. Sometimes, the failure was not even logged. The willingness to continue to operate with such an unreliable

142

More Incidents that Define Process Safety

level control is indicative of a poor safety culture and is an example of normalization of deviance. 2. Compliance with Standards. The land use planning standards in the UK assumed that facility operators were in compliance with appropriate requirements. The MIIB recommended using a risk-based approach to land use planning and requiring the operators to develop a risk management plan. The level control system was inadequate for the system. There was only one computer to monitor the ATG system for all of the tanks. And there was no backup system. In addition, there was no alarm to indicate an inconsistency between the level in a tank and the incoming flow. The site operators did not have access to independent flow rate information. There was no flow indication at all for two of the three incoming lines. In a welldesigned control system, the operators should have been able to see that even though the level indication was not changing, flow was still coming into the tank. The MIIB recommended that automatic, high integrity overflow prevention systems, independent of the tank level system, be installed, in accordance with current best standards (IEC 61511). The MIIB also recommended that the receiving site have ultimate control of the storage site rather than the transmitting site. II. Understand Hazards and Risk 7. Hazard Identification and Risk Analysis. Prior to this incident, the scenario that occurred at Buncefield had been considered not credible. Since land use planning in the UK was based on the worst credible case, the scenario was not part of the Land Use Planning process. Subsequently, guidance has been updated with improved standards for gasoline storage depots.

Chapter 4 Explosion Incidents

143

III. Manage Risk 8. Operating Procedures. The operating procedures were inadequate. They were not detailed enough (e.g., no safe operating limits were included), and the supervisors on each shift used the available level alarms differently. 10. Asset Integrity and Reliability. The IHLS failed to close the inlet valve because the test lever was not secured. It is imperative that safety-critical devices such as this switch be tested on a regular basis and also that they be placed back into service properly. The staff did not have procedures for putting the switch back into operation. This incident led the HSE to issue an alert on how to test the switch. The MIIB recommended that these storage sites improve their maintenance systems and conduct regular proof testing. 13. Management of Change. In 2002 there was a large increase in throughput to the facility when an adjacent facility was shut down. There was no MOC done to check if the control systems and staffing levels were adequate to handle the increased throughput. The IHLS was installed in 2004. Its design allowed the failure to occur. The failure mode could have been eliminated if an MOC review had been performed when the switch was installed.

4.2.4 Similar Incident CAPECO Storage Tank Overflow and Explosion, Puerto Rico, 2009. This incident is similar to the Buncefield event and to the Jaipur Oil Terminal event, which is the next incident discussed in this chapter. A storage tank was being filled, and the overfill protection failed. An aerosol mist was created during the tank overflow. Dike valves had been left open, allowing liquid gasoline to spread. Twenty-six minutes after the overflow started, the vapor cloud ignited, causing a large explosion that registered 2.9 on the

144

More Incidents that Define Process Safety

Richter scale. It was later determined that about 757 m3 (200,000 gal.) had been released. Seventeen of forty-eight tanks at the site were damaged, and the fires burned for sixty hours (Figure 4.2-5). About 300 homes and businesses up to 2 km (1.25 mi.) away were damaged, and thousands of gallons of runoff (oil, suppression foam) were released to the environment (CSB 2015b). The CSB has a video describing this incident.

Key Points Process Safety Culture – Make commercial plans with operational safety in mind. The plant had a contractual obligation to fill tanks according to a schedule determined by a planning department. A good process safety culture ensures that production needs do not compromise safety. Asset Integrity and Reliability – Maintain the integrity of equipment that serves in the prevention or mitigation of process safety incidents. In this case, on-line monitoring was unreliable because transmitters were frequently out of service. Emergency Management – Plan and train with local emergency responders. In this case, training of personnel to fight fires involving multiple tanks was inadequate. Coordination with local firefighters and emergency responders is essential to ensure that both the plans and the execution of the plans are sufficient for incidents.

Chapter 4 Explosion Incidents

145

Figure 4.2-5. Fires at CAPECO site (courtesy CSB).

4.3 PETROLEUM OIL LUBRICANTS EXPLOSION, JAIPUR, INDIA 2009 4.3.1 Summary On October 29, 2009, an explosion occurred at the Petroleum Oil Lubricants Terminal at Sanganer in Jaipur, India. The explosion was caused by an unabated release of mineral spirits (petrol) from a valve which had continued for over an hour. There were eleven fatalities, six on site and five off-site. The facility was destroyed as the fire spread to every tank at the terminal. The fire burned for eleven days because the decision was made to allow the fire to burn itself out rather than to risk additional lives fighting it. Damages were estimated at RS 280 crore ($44 million). Figures 4.3-1 and 4.3-2 show before and after pictures of the terminal, and Figure 4.3-3 shows some of the burning storage tanks. There is evidence (Johnson, 2012) that this explosion also transitioned to a detonation, similar to the Buncefield explosion (Section 4.2). The incident resulted in recommendations for legislation for land use around hazardous installations and reviewing all major

146

More Incidents that Define Process Safety

accident hazard installations per the existing Manufacture, Storage and Import of Hazardous Chemicals Rules 1989 (MoP&NG (Ministry of Petroleum and Natural Gas) Committee 2010).

Key Points Conduct of Operations – Equipment should be designed to prevent loss of containment (LOC) or adequate layers of protection should be installed to reduce the likelihood of LOC. Tank levels are continually changing, thus there are many opportunities for the level to be exceeded if there are not sufficient layers of protection in place. Emergency Management – An emergency management plan should address challenges in addition to the original event. A first priority should be the rescue of personnel and  UIF  SJTLT PG entering an unsafe situation before evaluating the consequences.

Figure 4.3-1. Jaipur site before explosion (courtesy HSE).

Chapter 4 Explosion Incidents

147

Figure 4.3-2. Jaipur site after explosion (courtesy HSE).

Figure 4.3-3. Burning storage tanks at Jaipur (courtesy SK Roy, HSE for IOC).

148

More Incidents that Define Process Safety

4.3.2 Description Background. The Indian Oil Company operated a large oil terminal near Jaipur, India. The pipelines division was located in the northwest corner of the site. Process. The Indian Oil Corporation terminal received and transferred petrochemicals. In this event, the intent was to transfer gasoline from a storage tank in the terminal to another facility. What Happened. A pipeline from a gasoline storage tank was being lined up for transfer to another site (Figure 4.3-4). The procedure was to ensure the MOV and HOV were closed, reverse the position of the Hamer blind valve, open the HOV, and open the MOV gradually (to be sure there was no leakage from the Hamer blind valve). It is believed the MOV was opened first, and then the Hamer blind valve was opened. The leak began as soon as the Hamer blind valve was opened. The fumes from the leak overwhelmed the operator. A nearby shift officer saw the incapacitated line operator and tried to help, but he was also overcome by the fumes. A second operator came over to help, and he was also overwhelmed by the fumes. Thus, the leak was able to go on for about 75 minutes and released about 1,000 metric tons (1102 tons)

Figure 4.3-4. Pipeline schematic (courtesy SK Roy, HSE for IOC).

Chapter 4 Explosion Incidents

149

before it found an ignition source, which could have been a vehicle or from general purpose electrical equipment. Why it Happened. The design of the Hamer blind valve allowed for a large opening at the valve bonnet every time the valve’s position was changed. The operating procedure was set up to prevent this from happening by isolating the valve when the position was charged. This design allowed one mistake to cause a release. The lack of a remote emergency shutoff, and the inappropriate response by other operators, allowed the leak to go on for over an hour. With such a large vapor cloud, it is not possible to control all ignition sources. One theory is that the transition to a detonation occurred due to ignition of vapor inside a control room that then initiated a detonation of the vapor cloud outside of the control room. Another theory is that the explosion initiated in a pump house (similar to Buncefield), thus triggering the detonation of the vapor cloud outside the pump house.

4.3.3 Management System Failures III. Manage Risk 15. Conduct of Operations. Conduct of operations applies to all levels in the organization. For design engineers, it means choosing equipment that is appropriate for the operation and designing the system to account for potential equipment failures. The Hamer blind valve had a design weakness, when its position was reversed there was an opening in the top of the valve (Figure 4.3-5). In essence, every time this valve was operated, a line break was being performed. Normally, a safe work permit would be required for such an operation. In this case, a review of the procedure could have been done ahead of time to include precautions, such as a respirator, for protection from vapors. If the designer believed that this type of valve was needed, the system design should have included safeguards against what should have been

150

More Incidents that Define Process Safety

Figure 4.3-5. Hamer blind valve after explosion (courtesy SK Roy, HSE for IOC). a known hazard, i.e., a line being opened while not isolated from the storage tank. Safeguards, such as a remote shutoff valve, an interlock to prevent changing position unless the MOV and HOV were closed, and LEL detectors, could be part of the design. The immediate cause of this incident was not following the standard operating procedures. Although operating discipline is important, alternative designs that eliminate the leak point would be inherently safer. In the hierarchy of controls, eliminating the hazard through inherently safer design is most effective, engineering controls are next, and finally, administrative controls.

Chapter 4 Explosion Incidents

151

16. Emergency Management. When someone sees a person on the ground or in distress, human nature is to respond to the person in need. In a chemical plant, however, this is NOT the correct thing to do. The sequence of first responders becoming disabled or dying while responding to an unconscious person has occurred in several documented nitrogen exposure incidents (see CSB 2003 and 2013a). In refineries, the presence of hydrogen sulfide (H2S), poisonous, odorless gas from leaks in many refinery unit operations, can result in similar tragedies. In a chemical plant, employees need to be trained on the proper emergency response techniques, which may vary, depending on the nature of the hazards at the plant.

4.4 CELANESE PAMPA EXPLOSION, TEXAS, US, 1987 4.4.1 Summary An explosion occurred in a reactor at the Celanese Pampa, Texas, plant on November 14, 1987 that led to a release and vapor cloud explosion. There were three fatalities and thirty-nine injuries. Extensive property damage occurred in the immediate area, and severe damage occurred throughout the plant. The firehouse that contained the fire trucks was damaged so the trucks could not be driven out. Fid firefighting equipment was also damaged, making it more difficult to control the fires. Figures 4.4-1 and 4.4-2 show the extent of the damage caused by the explosions (J. Forest, personal communication, July 2016). As a result of the learnings from this incident, Celanese implemented a comprehensive twenty-one-element process safety program similar to the twenty elements of the CCPS RBPS program.

152

More Incidents that Define Process Safety

Figure 4.4-1. Oxidation reactor after the explosion (courtesy Celanese).

Figure 4.4-2. One of several units impacted by explosion (courtesy Celanese).

Chapter 4 Explosion Incidents

153

Key Points Process Safety Competency – Humans are an important part of the system. Understand human factors. Designing operations to help a human succeed can help to avoid process safety incidents. Hazard Identification and Risk Analysis – Hazard identification methods should include human failures just as they do equipment failures. When a single human action may cause significant undesired consequences, there is a risk that warrants management.

4.4.2 Description Background. The Celanese plant was built in 1952 and produced acetic acid. Process. The unit involved was a liquid phase oxidation (LPO) reactor in which butane was oxidized in the presence of air and a catalyst to make acetic acid and byproducts. This was an exothermic reaction. The reactor product was sent to several downstream units in the Pampa plant to make products that included acetic acid, acetic anhydride, and methyl ethyl ketone. The reactor operated at a relatively high temperature and pressure. Figure 4.4-3 is a schematic of the reactor.

154

More Incidents that Define Process Safety

Figure 4.4-3. Schematic of oxidation reactor (courtesy Celanese). What Happened. On November 14th, 1987, the reactor was prepared to start up following a shutdown the previous day due to a problem in the steam system. Following the normal start-up process, the operators began heating the reactor contents. As the reactor approached start-up temperature, an explosion occurred in the air sparger inside the reactor. The explosion ruptured the 20 cm (8 in.) diameter air piping at two places outside of the reactor and at one place inside of the reactor. The reactor contents rapidly vaporized into the atmosphere. About 25 to 30 seconds after the initial explosion, a VCE occurred. The ignition source for the vapor cloud was thought to be the gas-fired boilers located immediately across the road from the reactor. Extensive property damage occurred in the immediate area and severe damage occurred throughout the plant. Figure 4.4-4, shows the calculated extent of the flammable vapor cloud, extending to the boiler area. Why it Happened. On November 13th, a problem with the steam system occurred in the Pampa plant that led to the decision to shut down the reactor in question. The shutdown procedure was: 1) close the air supply to the reactor with double block valves, 2) open a bleed valve to further prevent air entry, and 3) then purge

Chapter 4 Explosion Incidents

155

the reactor with inert gas. Shutting off the air and purging with inert gas were essential to ensure the reactor atmosphere was not flammable and to prevent backflow of the reaction mixture into the air line. There were three ways to shut down the reactor: A shutdown system designed to automatically shut down if safe limits were exceeded; A manual button that activated the shutdown system; Three manual buttons: one button to activate the double block, another to activate the bleed, and a third to activate the purge. On the day of the incident, the operator chose to shut down the reactor using the three manual buttons on the control panel. The activation of these three buttons was equivalent to the activation of the manual shutdown button or the automatic shutdown. The first step was to close the process air valves to the reactor. The second step was to open the air bleed after the air to the reactor was blocked in. The third step was to activate the timed nitrogen purge. The operator pushed the first two buttons but mistakenly did not push the inert gas purge button. The standard operating procedure for this critical step was not followed by the operator. Failure to initiate the inert gas purge allowed the contents of the reactors, including the catalyst, to enter the air sparger system. Personnel did not realize that the chemicals were in the air sparger pipe. Some of the reactor contents remained in the pipe for about a day. As the reactor was started upon November 14th and approached start-up temperature, an explosion occurred in the air sparger inside the reactor. Oxygen was available because the reactor had not been purged, fuel was available from the reactor contents, and the ignition source was probably the catalyst that was plated on the inside of the air sparger.

156

More Incidents that Define Process Safety

4.4.3 Management System Failures I. Commit to Process Safety 3. Process Safety Competency. The shutdown system activated an indicator light when the shutdown started, and another light when the shutdown and purge were complete, when either the automatic system or the one-button manual system was activated. However, when the three-button manual shutdown was used, there was no automatic status feedback. In order to detect the lack of inert gas purge, the next shifts would have had to detect the absence of the purge from the computer activity log printed in another room. This incident is an example of a situation in which a single human inaction led to major incident. Failures such as this have taught us that it is imperative to design process systems such that a single human error cannot lead to potentially catastrophic consequences. In addition, feedback systems are crucial for critical actions. II. Understand Hazards and Risk 7. Hazard Identification and Risk Analysis. In a Process Safety Review conducted prior to the event, the independent manual shutdown buttons were identified as a potential source of human error. No changes were recommended. The consequences of not purging the air sparger were well understood, but the review team underestimated the likelihood of the human error. As a result of the Pampa incident, Celanese implemented a detailed risk assessment and risk management methodology to identify and mitigate risks, including the ones described at Pampa. Another aspect of the process safety management system includes rigorous controls around safety instrumented systems designed to mitigate similar hazards.

Chapter 4 Explosion Incidents

157

III. Manage Risk 15. Conduct of Operations. The initiating event was that the operator neglected to start the inert gas purge cycle during shutdown. This was included in the procedure to shut down the reactor, but this step was not performed. There was no feedback system to alert the operator of this error. This human omission of a single procedural step resulted in a catastrophic incident. Humans do make mistakes. Where the consequences of a single human error are catastrophic, there should be multiple layers of protection put in place to reduce the risk.

Figure 4.4-4. Predicted flammable vapor cloud from reactor explosion (courtesy Celanese).

158

More Incidents that Define Process Safety

4.5 WILLIAMS OLEFINS HEAT EXCHANGER RUPTURE, LOUISIANA, US, 2013 4.5.1 Summary On June 13, 2013, a reboiler on a fractionation tower in the Williams Geismar Olefins plant ruptured due to the expansion of liquid propane in the heat exchanger, which had been isolated from its pressure relief valve. The released propane ignited, resulting in a large fireball (Figure 4.4-1). There were two fatalities, and 167 people were injured. The plant was down for eighteen months (CSB 2013). The business interruption and repair costs were $343M (insured) plus $73M (uninsured) (ICIS 2013). Williams paid $34 million as a result of lawsuits from the incident. (LexisNexis 2016).

Key Points Management of Change – Conduct a safety review appropriate to the hazards before a change is made. Operating Procedures – Procedures need to be written for all phases of an operation, including switching to a spare piece of equipment. Asset Integrity and Reliability - Fouling of reboilers is a common occurrence. Establish a cleaning schedule for heat exchangers so they can be cleaned at an appropriate time, without disruption to the process. 4.5.2 Description Background. The Williams Companies owns natural gas interests, pipelines, and processing facilities in North America. The Geismar Olefins plant was built in 1967. It was bought by Williams in 1999. At the time the incident, it was operated by Williams Olefins and jointly owned by Williams Olefins and Saudi Basic Industries Corporation (SABIC).

Chapter 4 Explosion Incidents

159

Process. The plant had a propylene fractionator tower designed to separate propylene (overhead product) from propane (bottoms product).

Figure 4.5-1. Fireball in Williams Geismar plant (courtesy CSB).

160

More Incidents that Define Process Safety

The tower was driven by two external reboilers. Hot quench water at 85°C (185°F) on the tube side of the heat exchanger vaporized the propane mixture (95% propane, balance propylene, and C4s) on the shell side. The original design intent was to operate with both reboilers. In 2001, valves were installed to enable operation with only one reboiler. The other reboiler was set up as a spare to allow one reboiler to be cleaned without having to shut down the unit (Figure 4.5-2). What Happened. On the day of the incident, Reboiler A was in operation and Reboiler B was the spare. Flow to Reboiler A dropped, possibly due to fouling. Quench water was likely opened to Reboiler B. Three minutes after the quench water was started to Reboiler B, it exploded (Figure 4.5-3), ignited, and caused a fireball.

Figure 4.5-2. Schematic of propylene fractionator (adapted from CSB).

Chapter 4 Explosion Incidents

161

Why it Happened. When the system was modified in 2001 to run with one reboiler, block valves were installed on each line between the shell side of the reboilers and the column. Installation of these block valves made it possible to isolate the shell side of the reboilers from the PSV on the column. This was indeed the case with the out-of-service reboiler. During the sixteen months that Reboiler B was out of service, propane likely leaked into the reboiler through the gate valve between the bottom of the column and the reboiler, or the valve may have been inadvertently opened. When the hot quench water entered Reboiler B, the propane liquid expanded until the internal pressure exceeded the heat exchangers maximum allowable working pressure (MAWP).

Figure 4.5-3. Reboiler B after the explosion (courtesy CSB).

162

More Incidents that Define Process Safety

4.5.3 Management System Failures III. Manage Risk 8. Operating Procedures. The plant did not have an operating procedure for putting the reboiler into service, even though it would have been an expected operation. Instead, the plant relied upon a generic SOP for reboiler restart. A procedure specific to these reboilers could have included a check on the position of the valves before restart and the proper sequence to be followed in opening the process side valves before introducing hot quench water. Note that the generic reboiler procedure assumed the process to be on the tube side, whereas these particular propylene reboilers had the process on the shell side. 10. Asset Integrity and Reliability. Fouling of the reboilers was a known issue, and it is a common situation in industry that exchangers and reboilers require maintenance at a higher frequency than the rest of the unit. Where block valves are provided for safe isolation of equipment, they should never isolate a pressure vessel from its pressure relief device. 13. Management of Change. The MOC review was done after the valves were installed. When it was done, the hazard of isolating the reboilers from the PRV was not identified, and a PHA of the change was not required. 15. Conduct of Operations. There are several examples of poor conduct of operations. Plant personnel used checklists to perform both the MOC review and the pre-start-up safety review (PSSR). The checklists contained questions about whether any valves needed to be carsealed open (Figure 4.5-4), if operating procedures needed to be updated, or whether any operator training was needed. These were answered “no”. There was a question that asked “PRVs lined up and block valves car-sealed open? Pressure release systems in

Chapter 4 Explosion Incidents

163

place and operational and traced where appropriate?” (CSB 213) which was left unanswered. These misses, along with the fact that the review was done after the changes were already in service, are signs of people going through the motions of a paperwork exercise without careful evaluation—poor conduct of operations. A later PHA in 2006 identified the problem of the reboilers being isolated from the PRV and recommended that process valves be locked open on each reboiler. Only the valve on the inservice reboiler was locked open. Even so, the recommendation was marked as completed in 2010. A good practice is to have an internal verification process to be sure the closure met the intent of the recommendation. In 2008, an engineering firm did a relief valve engineering analysis of the plant and identified the need to seal open the block valves for the reboilers. This recommendation was not addressed. Action item management is an important aspect of Conduct of Operations. The provision of a clear path—that cannot be isolated between equipment that can be overpressured and its relief device—is required by codes.

164

More Incidents that Define Process Safety

Figure 4.5-4. Example of car seal on a valve handle (www.totallockout.com/online-store/car-seals-2/ (accessed November 19, 2015)) (courtesy CSB). 4.5.4 Similar Incident Goodyear Heat Exchanger Rupture and Ammonia Release, Texas, US, 2008. A heat exchanger rupture and ammonia release occurred because the relief system was left isolated after maintenance (Figure 4.5-5). There was one fatality; six people were injured. Anhydrous ammonia was used for cooling on the shell side of the exchanger. A block valve and rupture disk were located under the shell side relief valve. Maintenance workers closed the block valve to replace the rupture disk but forgot to reopen it. Later, an operator closed another block valve to isolate the exchanger in order to clean the tubes with steam. The steam heated the ammonia and the heat exchanger, now without pressure relief, burst (CSB 2011c).

Chapter 4 Explosion Incidents

165

Figure 4.5-5. Ruptured heat exchanger at Goodyear Texas plant (courtesy CSB).

4.6 IMPERIAL SUGAR DUST EXPLOSION, GEORGIA, US, 2008 4.6.1 Summary A large primary dust explosion, followed by a series of secondary dust explosions, occurred at the Imperial Sugar refinery in Port Wentworth, Georgia in February 2008. The consequences included fourteen fatalities and thirty-six injuries. The explosions destroyed the facility (Figure 4.6-1). Imperial Sugar settled with OSHA on a $6 million fine. This incident provides important lessons in understanding the hazards created when combustible dust is released outside of the process equipment into a building or structure. The explosions at Imperial Sugar turned national attention to the hazards of combustible dust in the chemical and agricultural industries. It also triggered the U.S. OSHA National Emphasis Program (NEP) for solids-handling facilities. A NEP is a program by

166

More Incidents that Define Process Safety

OSHA to protect workers in industries that have been determined to present higher risks to people and the environment. In addition to the combustible dust NEP, OSHA has NEPs on Process Safety management and Isocyanates. A complete investigative report and a video describing the event are available from the Chemical Safety Board (CSB 2009a).

Figure 4.6-1. Imperial Sugar refinery after the explosion (courtesy CSB).

Chapter 4 Explosion Incidents

167

Figure 4.6-2. Imperial Sugar facility before the explosion. Granulated sugar storage silos and packing buildings are circled. Raw sugar warehouses in lower right (Chatham County, GA GIS photo) (CSB 2009a)

Key Points Process Safety Competency – Apply what you know. Knowledge alone is not enough. You must apply what you know about safe handling of material hazards.

Conduct of Operations – Clean up! According to the old saying: “The three most important operations in a plant handling combustible dusts are housekeeping, housekeeping, and housekeeping.” Incident Investigation – Pay attention to near-misses. Nearmisses are the voice of the process telling you “I’m broken, fix me.”

168

More Incidents that Define Process Safety

4.6.2 Description Background. Imperial Sugar Company purchased the Port Wentworth facility in 1997. The facility refined raw sugar into granulated sugar and sugar products. Process. The sugar refinery was housed inside a four-story building, with the silos extending from the ground to above the top floor (Figure 4.6-2). In this process, raw cane sugar was converted into granulated and powdered sugar. The refinery had dozens of belt conveyors, screw conveyors, bucket elevators, mills, as well as packaging equipment. Granulated sugar was stored in three large 374 m3 (13,200 ft3) silos. From the silos, granulated sugar was conveyed to the powdered sugar mills, to packaging equipment, to specialty sugar production, or to the bulk sugar building. At the powdered sugar process, belt conveyors and bucket elevators conveyed the granulated sugar to the powdered sugar mills. In 2007, steel panel enclosures were installed on the horizontal belt conveyors to protect the sugar from contamination. What Happened. The first explosion likely occurred in a belt conveyor located underneath the silos. The ignition source may have been an overheated bearing or belt support. The belt enclosure allowed the formation of dust clouds above the Minimum Explosion Concentration (MEC) of the sugar dust in the interior of the silo tunnel, providing fuel for the explosion. The pressure wave from the initial explosion spread throughout the building, dislodging sugar dust that had accumulated in various parts of the building due to leaks from the sugar processing equipment. The dislodged dust ignited and created fireballs, resulting in several secondary explosions throughout the building. These explosions were powerful enough to buckle the concrete floors and create flying debris. The explosions continued for fifteen minutes after the initial explosion. The CSB report notes that secondary explosions occurred on all four floors of the building. (See Figures 4.6-1 and 4.6-3)

Chapter 4 Explosion Incidents

169

Why it Happened. When the conveyors were enclosed, fugitive dust that had previously settled out and accumulated on the floor was instead contained inside the enclosure. This allowed the formation of flammable dust clouds which could be ignited (overheated bearings and belt supports are a common source of ignition in solids-handling equipment). The CSB report stated that the sugar handling equipment was not adequately sealed, resulting in large quantities of sugar being spilled onto the floors or escaping into the rooms. An internal inspection noted that “tons of spilled sugar had to be routinely removed from the floors and returned to the refinery for reprocessing”. This gives an idea of the amount of sugar dust routinely spilled. See Figure 4.6-4 for an example of conditions within the plant. When handling dusts, the dust can accumulate on surfaces in a process rack or building, such as the floors, beams, and light fixtures. Frequently the dust that leaks out from equipment is the finest (smallest particle size) of the dust being released. With combustible dusts, the explosion severity is usually inversely proportional to the particle size, i.e., smaller particle size has higher explosion severity. Also, dust with smaller particle size is usually easier to ignite than the same quantity of dust with a larger particle size. An initial event, such as an explosion in a piece of equipment, creates both a fireball and a pressure wave that can easily disperse and ignite these deposits. This creates a secondary explosion or explosions (see Figure 4.6-5). These secondary explosions can cause damage and injuries comparable to large vapor cloud explosions. For facilities handling combustible dust, a good housekeeping program is as equally important—if not more important—as a hot work permit program.

170

More Incidents that Define Process Safety

Figure 4.6-3. Imperial Sugar Refinery after the explosion (courtesy CSB).

Figure 4.6-4. Motor cooling fins and fan guard covered with sugar dust; large piles of sugar cover the floor (courtesy CSB).

Chapter 4 Explosion Incidents

171

Figure 4.6-5. Secondary dust explosion (courtesy U.S. OSHA). 4.6.3 Management System Failures I. Commit to Process Safety 2. Compliance with Standards. The Imperial Sugar facility did not fully comply with NFPA 499– Recommended Practice for the Classification of Combustible Dusts and of Hazardous (Classified) Locations for Electrical Installations in Chemical Process Areas. Given the amount of dust that Imperial Sugar allowed to accumulate on a regular basis, many parts of the plant should have been classified Class II, Division 1. Imperial Sugar did not classify hazardous areas. The CSB notes that although there were some properly rated electrical devices in hazardous areas, there were non-rated electrical devices in the same area. Imperial Sugar did not comply with NFPA 499, 654 and the NEC. They did not classify hazardous areas and they used nonrated devices in what should have been classified areas. 3. Process Safety Competency. Competency is closely linked to the RBPS element Process Knowledge Management, but this incident illustrates the difference between knowledge and competency. There was evidence that employees had knowledge of the hazards of combustible dust; QA and safety personnel were aware of the U.S. OSHA’s National Emphasis Program on dusts.

172

More Incidents that Define Process Safety

An explosion in a dust collector ten days prior to this incident had been safely vented. Also, fugitive dust collection systems were utilized for collecting emissions. Competency infers application of such knowledge. Neither management nor employees of Imperial Sugar appear to have fully appreciated the hazards of combustible dusts. Housekeeping was inadequate. The housekeeping that was done was frequently done improperly, e.g. using compressed air to clean dust deposits (a hazardous practice in itself as it creates a flammable dust cloud); and the fugitive duct collection equipment was not properly maintained. II. Understand Hazards and Risk 7. Hazard Identification and Risk Analysis. Hazard reviews were conducted by Zurich Services (Imperial Sugar’s insurance carrier), but they failed to identify the hazard of dust accumulation. III. Manage Risk 10. Asset Integrity and Reliability. The fugitive dust collection system was inadequate and poorly maintained. Dust accumulations throughout the building resulted in the secondary explosions that destroyed the entire building and led to the fatality. 12. Training and Performance Assurance. Initial and annual safety training was done, but it seems to have been focused on occupational safety. Safety training had not covered the hazard of dust accumulations since 2005. 13. Management of Change. The belt conveyor was enclosed without conducting a management of change (MOC) review. The lack of hazard awareness, ignoring of near-misses, and lack of an MOC review led to the creation of an unprotected enclosure that contained

Chapter 4 Explosion Incidents

173

combustible dust clouds. An MOC review, performed by competent people knowledgeable about dust explosion hazards, would have evaluated the need for explosion protection such as venting, suppression, or inerting, within such an enclosure. 15. Conduct of Operations. Written housekeeping programs were not effectively implemented. The cleaning process did not always include elevated surfaces. Dust collection system design and lack of maintenance may have contributed to the fugitive emissions, but no action was taken to reduce leaks or repair the fugitive dust collection system. Also, there had been many small fires in this and other Imperial Sugar locations, which did not lead to larger fires or explosions. These may have caused the staff to become complacent regarding the hazards of combustible dust. This phenomenon is known as “normalization of deviance.” IV. Learn from Experience 17. Incident Investigation. As previously mentioned, this facility and other Imperial Sugar refineries had experienced many small fires and near-misses. For example, operators in this facility had noted that buckets in the bucket elevators sometimes broke loose and fell to the bottom of the elevator. In one case, this initiated a fire. Ten days prior to this incident, there had been an explosion in a dust collector. These near-misses and the explosion were warning signs that were not heeded.

4.7 HAYES LEMMERZ DUST EXPLOSION, INDIANA, US, 2003 4.7.1 Summary On October 29, 2003, a dust explosion occurred in a dust collection system at an aluminum wheel manufacturing plant in Huntingdon, Indiana (CSB 2005). The explosion propagated into other equipment and into the manufacturing building. One

174

More Incidents that Define Process Safety

person, who was engulfed in flames, died from burns, and a total of six people were injured, two critically. This was one of three explosions that occurred in 2003. The other two, an explosion at West Pharmaceuticals in North Carolina, and CTA Acoustics in Kentucky were described in Incidents that Define Process Safety (CCPS 2008). These explosions led the CSB to conduct a study of the phenomenon of dust explosions. The resulting report, Combustible Dust Hazard Study (CSB 2006) included recommendations for the NFPA to create a combustible dust standard and for U.S. OSHA to conduct a National Emphasis Program (NEP) on combustible dust hazards. These recommendations were implemented. The NFPA standard is NFPA 652–Standard on the Fundamentals of Combustible Dust (NFPA 2016).

Key Points Process Knowledge Management–Understand your process, its hazards, and how to manage them. Regardless of whether you built or designed it, you cannot ignore this responsibility. Incident Investigation–Maintain a chronic sense of unease. Normalization of deviance is very dangerous. When nearmisses become part of normal operations, you have a problem. Find out why these near-misses are happening and take action to prevent a bigger incident. 4.7.2 Description Background. Hayes Lemmerz International owns a number of companies, including Hayes Lemmerz International–Huntington, that manufacture cast aluminum alloy wheels. Process. The plant manufactures aluminum automotive wheels. Scrap aluminum from the machining of the wheels creates aluminum chips. These chips are recovered using a process designed by Premelt Systems Inc. who has built more than fifty such systems.

Chapter 4 Explosion Incidents

175

The scrap aluminum is coated with oil and water from the machining process. It is collected and chopped into chips about 6.4 mm (0.25 in.) long. The chips are centrifuged, dried to remove the oil and water, collected in a hopper, and further dried in a rotary kiln. The chips have some small particles attached by the oil and water. Drying in the kiln detaches these particles and creates more by breaking down some of the chips. From this point on the process stream contains some amount of combustible dust. The chips and dust are air conveyed through a 15.2 cm (6 in.) duct to a cyclone, where the solids drop to a reverberating furnace. The air and fine dust stream go to a dust collection system. Figure 4.7-1 shows the cyclone, furnace, and exhaust stream. The aluminum chips are melted in the vortex box, where a pump is used to create a vortex with the molten aluminum. This provides better mixing of the chips into the molten aluminum. At Hayes Lemmerz, this part of the system was located indoors. The top outlet of the chip feed cyclone goes through a spark box, then outside of the building into a drop box and a dust collector (see Figure 4.7-2). Note the presence of a slide gate valve; more will be said about that later. The spark box had a baffle plate to remove large embers or heavy objects, the drop box provided a place for heavy particles to drop out of the air stream, and the dust collector trapped the fines. The dust collector had pleated filter cartridges which were air-pulsed to dislodge accumulate dust, and it was equipped with explosion vents. This system was installed three years after the rest of the chip melt system. The original design had the air stream discharged directly into the building; however, dust accumulation from the chip cyclone exhaust led the company to install the dust collection system. The design and construction were handled by Premelt Systems Inc. Other plants using the chip melt process apparently did not have this problem (the CSB contacted one other plant that confirmed this). What Happened. On the day of the incident, operators noticed the duct connecting the fume hood to the fume separator was glowing red due to a fire inside it. They shut down the chip feed

176

More Incidents that Define Process Safety

system and allowed the fire to burn out; this was the usual response to this event, which had happened before. After the fire stopped, they cleaned the system, waited at least two hours, and then restarted the feed system. About ten minutes later, an employee noticed chips falling out of the spark box, indicating that a crust had formed on the vortex and chips were overflowing into the dust collection system duct. Immediately after this, a fireball came out of the furnace, totally engulfing one employee. As the fireball grew, a contractor on the building roof heard a boom and was knocked down. As he fell, he witnessed the roof panels being blown off. Another contractor, who had been working inside a trailer near the drop box, was also knocked down by the boom. When he looked out, he saw the dust collector was on fire. He tried to exit the trailer by a rear door, but it was blocked, so he exited out a side door. A plant alarm was sounded, and the plant evacuated. The Huntington fire chief knew the plant handled molten aluminum, and the responders thus used the appropriate means, Class D fire extinguishers, to put out the fires.

Figure 4.7-1. Reverberatory furnace at Hayes Lemmerz plant (courtesy CSB).

Chapter 4 Explosion Incidents

177

Figure 4.7-2. Dust collection system at Hayes Lemmerz plant (courtesy CSB).

The employee engulfed by the fireball died from his burns a day later. Another employee who had been near the furnace suffered severe burns over half his body and was hospitalized for weeks. A third employee suffered minor burns and returned to work. Four other workers had minor injuries and were treated by the emergency responders. The dust collector was destroyed by the fire that engulfed it. In addition to the explosion vents opening, maintenance panels were also blown open, indicating the explosion vents were not adequate for the explosion. The drop box was ruptured by the explosion (see Figure 4.7-3). One section of it hit the trailer, blocking the rear door, which is why the person trying to exit the trailer could not open the rear door.

178

More Incidents that Define Process Safety

Figure 4.7-3. Dust collector and drop box remains after the explosion (courtesy CSB). Other combustibles in the building caught fire, causing damage to much of the equipment in the building. As mentioned earlier, roof panels were blown off the building; wall panels were also blown off. The trailer also caught fire, causing some highpressure gas cylinders inside to rupture. Fortunately, the local fire chief was familiar with the plant because of previous visits. The fire was extinguished using the proper type of extinguishers for a metal fire, Class D. Based on eye witness accounts and the nature of the damage, the CSB concluded the following chain of events occurred:

Chapter 4 Explosion Incidents

179

1. Ignition occurred in the dust collector. 2. The dust collector ruptured due to the explosion and became engulfed in fire. 3. The explosion propagated to the drop box and ruptured it. 4. The explosion propagated through the duct to the furnace. 5. A fireball emerged from the furnace. 6. Accumulated dust in the building was suspended and a second explosion occurred. 7. The explosion continued to propagate into upstream equipment (the dry chip hopper). Why it Happened. Initial explosion: Dust collectors are the source of many dust explosions. FM Global statistics indicate that about 40% of their recorded dust explosions originated in dust collectors (FMG 2013). Dust collectors usually contain the smallest dust particles in the process, and hence those with the highest explosivity and lowest minimum ignition energy (easiest to ignite). If the collector is a pulsed collector, then a combustible dust atmosphere is present much of the time. A metal dust sample taken from the Hayes Lemmerz plant by the CSB had a Kst (explosivity) of 131 bar-m/sec. The CSB could not definitely identify the ignition source. This is a frequent occurrence with dust explosions: the FM Global data shows that in 21% of dust explosions, the ignition source was unknown (FMG 2013). The CSB narrowed the suspect list down to a thermite reaction between aluminum and iron oxide, an impact spark from steel objects in the chip feed, or a burning ember from the furnace. Explosion propagation: Particulate solids-handling systems are basically combinations of different types of equipment connected by ductwork that transfer the particulate solids. When an explosion occurs in one equipment item, the flame and pressure wave will travel through the ducts to the other equipment items. The flame provides a strong ignition source while the pressure wave causes any settled solids to be suspended, creating

180

More Incidents that Define Process Safety

increased initial pressure for the subsequent explosion. The higher initial pressure makes the subsequent explosion even more powerful. This is known as pressure piling. To protect equipment in such linked systems, some type of explosion isolation equipment needs to be installed in the system. This can be in the form of chemical barriers that suppress the explosion or mechanical barriers that close when the explosion is detected. In Figure 4.7-2, there is a slide gate valve in the duct between the cyclone chip feed and the drop box. This was intended to be such a valve, but the employees at Hayes Lemmerz did not know this. Eventually, the valve actuator was disabled. With no other explosion isolation in the system, the initial explosion propagated through the entire upstream system. The flames and pressure wave also entered the work area around the furnace. Secondary explosions. Dust leaked from the chip melt system, and the CSB investigators observed dust accumulations on horizontal surfaces in the building, some up to several inches deep. The phenomenon of secondary explosions was described in Section 4.6.2 Description— Imperial Sugar explosion, (see Figure 4.6-5). A lack of good housekeeping led to the building explosion. 4.7.3 Management System Failures The management system failures for this incident are similar— and in some aspects, almost identical—to those for the Imperial Sugar explosion. I. Commit to Process Safety 2. Compliance with Standards. The facility did not fully comply with NFPA 651–Standard for Machining and Finishing of Aluminum or with NFPA 484–Standard for Combustible Metals. Given the amount of dust that was allowed to accumulate on a regular basis, many parts of the plant should have been classified Class II, Division 1. 3. Process Safety Competency.

Chapter 4 Explosion Incidents

181

The chip melt and dust collection systems were not the main part of the business. The engineers at Hayes Lemmerz admitted they did not have the knowledge to understand the chip melt and dust collection systems. Neither management nor employees knew of the hazards of accumulated dust; the housekeeping program was not adequate for the situation; housekeeping was frequently done improperly, e.g. using compressed air to clean dust deposits (a hazardous practice that creates a flammable dust cloud); and the fugitive dust collection equipment was not properly maintained. II. Understand Hazards and Risk 6. Process Knowledge Management. Managers and employees at Hayes Lemmerz admitted they did not understand the risk created by dust accumulations. Documentation of the dust collector design was not kept by Hayes Lemmerz. Hayes Lemmerz relied on the contractors, Premelt Inc., and an engineering firm to design the system and make sure it corresponded to codes. 7. Hazard Identification and Risk Analysis. No hazard identification/risk analysis was carried out when the dust collection system was installed. This led to a system that was essentially unprotected against the risk of dust explosions. III. Manage Risk 8. Operating Procedures. The procedures did not include proper response to upset or nonroutine situations. There were no written emergency procedures. 10. Asset Integrity and Reliability. The dust collection system was inadequate and poorly maintained. Dust accumulations resulted in the secondary explosions that destroyed the entire building and led to the fatality.

182

More Incidents that Define Process Safety

12. Training and Performance Assurance. The employees received formal training for operating and maintaining the chip melt and dust collection systems only when the systems were installed. As personnel changed, they had no training to identify when the system was not operating properly. 13. Management of Change. The dust collection system was installed some years after the chip melt system was installed. No MOC was done for either system (see Hazard Identification and Risk Analysis). 15. Conduct of Operations. Hayes Lemmerz relied on an engineering design firm to design and install the system. They did not have a process to oversee the design to ensure the dust collection system was designed with adequate safety systems. IV. Learn from Experience 17. Incident Investigation. There were near-misses in the facility. Fires in the ducts were common enough that employees had a “normal” response to them (see What Happened). Bright flashes in the furnace sidewell during start-up were common occurrences. Dust was released from the system on a regular basis. In a properly run process, these events should not happen on a routine basis. There was also no system for reporting and investigating these events. They were considered “normal.”

4.8 VARANUS ISLAND PIPELINE EXPLOSION, AUSTRALIA, 2008 4.8.1 Summary On June 3, 2008, a 0.3 m (12 in.) natural gas line ruptured due to external corrosion. The released material exploded and caused another 0.3 m (12 in.) gas line that was about a 0.3 m (1 ft) away to rupture. About an hour later, a 41 cm (16 in.), a 15 cm (6 in.)

Chapter 4 Explosion Incidents

183

and two 10 cm (4 in.) gas lines ruptured (Figure 4.8-1). The result was nearly A$60 million (about US$46 million) in plant damages. Western Australia lost its gas supply for two months, causing an A$3 billion (US $2.3 billion) loss to its economy. The plant took more than one year to return to full production. The incident led to the identification of weaknesses in the regulatory and standards regimes.

Key Points Process Safety Culture – The operating company believed this event was unforeseeable. Just because it hasn’t happened in your memory, does not mean it is inconceivable. Process Safety Competency – The operating company relied on contractors to supplement staffing in safety technical positions. All tasks and skills, especially those managing the facility risks, must be addressed, whether through a company or contracted staff. Asset Integrity and Reliability – Keep it in the pipe. Use good practices and diligently conduct pipeline inspections.

4.8.2 Description Background. Varanus Island was operated by a subsidiary of Apache Corporation. Apache was also the majority shareholder. Process. Hydrocarbons were piped to the Varanus Island gas production facility, run by Apache Energy, from offshore facilities. After separation and purification, natural gas was piped to Western Australia in 0.3 m (12 in.) and 0.4 m (16 in.) undersea sales gas pipelines (SGL). Crude oil was shipped out by tankers. A total of six pipelines came into and out of the production facility at a beach on the north-northeast side of the island. What Happened. The 0.3 m (12 in.) SGL ruptured at a section between low and high tide on the beach. The cause of the rupture

184

More Incidents that Define Process Safety

was a failure of the corrosion protection that allowed external corrosion to occur (Figure 4.8-2). There was no obvious ignition source; it may have been from pieces of the pipeline hitting each other or other objects. A 0.3 m (12 in.) incoming line was 22 cm (9 in.) away. It ruptured almost immediately due to mechanical and thermal impact. A 0.4 m (16 in.) SGL and 0.15 m (6 in.) gas line failed about an hour later due to the heat radiation and perhaps impact from the explosion and fire. These pipelines failed on an embankment closer to the plant. Three water monitors were activated to protect the plant from the fires. At the time of the event, the wind was blowing across the beach. These factors helped protect the plant from further damage. Why it happened. The pipeline was in an area that was frequently exposed to salt water and high ambient temperatures. It was protected by a 0.45 cm (0.18 in.) asphalt enamel anti-corrosion

Figure 4.8-1. Pipeline fires at Varanus Island (courtesy Bills and Agostini).

Chapter 4 Explosion Incidents

185

Figure 4.8-2. Ruptured 12” sales gas line (courtesy Bills and Agostini). coating and a 0.25 cm (1 in.) concrete outer coating. There was also a cathodic protection (CP) system in place. The outer coating prevented visual inspection of the anti-corrosion coating and external corrosion of the pipeline. Several contractors recommended using smart pigs to inspect the line, but Apache never implemented these recommendations. (Pigging is the practice of using devices called pigs to clean and inspect pipelines. Smart pigs are equipped with sensors to detect cracks, bad welds, and corrosion in a pipeline.) A corrosion expert hired by the investigation commission identified four possible corrosion scenarios for the anti-corrosion coating failure: 1. Lack of adhesion during application 2. Interference with other structures–direct current (i.e., current flowing between the nearby pipelines because they have different potentials) 3. Interference with other structures–alternating current (potentially due to loss of grounding)

186

More Incidents that Define Process Safety 4. Cathodic disbondment due to CP overprotection–use of magnesium anodes results in high voltage potential, and hydrogen evolution from the steel would have been possible

4.8.3 Management System Failures I. Commit to Process Safety 1. Process Safety Culture. Apache argued that the incident was unforeseeable. The report states, “Apache does not appear willing to examine organizational or cathodic protection issues that may have contributed to the explosion, with a view to minimizing the likelihood of the occurrence of a similar event at Varanus Island or other similar facilities.” (Bills and Agostini 2009, p. 16) 2. Compliance with Standards. Several regulations and regulatory agencies covered the Varanus production facility and pipelines: The Varanus Island facilities were licensed by the Western Australia Petroleum and Pipeline Act (PPA) and enforced by the Department of Industry and Resources (DOIR); The pipeline on the land was covered by Western Australia Petroleum and Geothermal Energy Resources Act (PGERA) and enforced by DOIR. DOIR received technical advice from the Department of Consumer and Employment Protection (DOCEP); The pipelines from the Varanus Island low water mark to the mainland low water mark was regulated by the Western Australia Petroleum Submerged Lands Act (PSLA) and enforced by the National Offshore Petroleum Safety Authority (NOPSA). NOPSA also covered the offshore production facilities connected to Varanus Island. This made it difficult to determine which authority should have been providing regulatory oversight for pipeline safety, particularly at the point where it transitioned from the island to

Chapter 4 Explosion Incidents

187

the ocean. A recommendation of the investigation was that Department of Mines and Petroleum (DMP) “ensure there is clarity in its regulations of safety across oil and gas and other highhazard industries…and there is an obligation upon operators to apply the most appropriate standard to reduce risk to ALARP in accordance with good industry practice.” (Bills and Agostini 2009) 3. Process Safety Competency. The investigating team found that Apache had a minimum level of staffing in safety technical positions. Apache relied on contractors for this. This reliance led to “a degraded ability to recognize, follow up, and respond adequately to specialist reports and risk warnings.” (Bills and Agostini 2009) III. Manage Risk 10. Asset Integrity and Reliability. Apache received a great deal of input regarding inspection of the pipeline: In 1991 the original specifications for the 0.3 m (12 in.) SGL recommended it be monitored with an “intelligent pig.” In 1996 Apache’s own Statutory Inspection Manual called for inspections at least once a year and stated that inspections could include the use of an intelligent pig. In 1997 a CP review by Westcor Energy, a contractor, recommended a Direct Current Voltage Gradient survey when a new pipeline was installed parallel to the 12-in. SGL. It also stated that it was not possible to determine the need for an intelligent pig inspection from the CP survey results, but that they were mandatory on that type of pipeline. In 1998 a corrosion risk assessment was done by Stratex Pty, a contractor, which noted the potential for external corrosion at the shoreline and stated that intelligent pigging of the line was needed due to that hazard. In February 2000 Apache issued Production Facilities Integrity Corrosion Management Strategy. This required

188

More Incidents that Define Process Safety intelligent pigging when a new line was installed and scheduling pigging to inspect the pipeline. In April 2000 JP Kenny, a contractor, developed an inspection strategy, stating that the 0.3 m (12 in.) SGL should have an internal inspection every five years by ultrasonic methods. Apache received a recommended inspection program with these tests of the 0.3 m (12 in.), SGL included. In May 2000, the contractor QCL International audited Apache’s asset integrity programs. Their report, with respect to pipelines, stated “it was not possible to ascertain the accuracy/quality of the data collected” and that they “could not answer a lot of the questions related to data gathering, and could not show evidence of compliance with the procedure regarding frequency of data gathering and accuracy of data.” (Bills and Agostini 2009, p. 27) In 2002 and 2003, the contractor Auscor Pty did CP protection surveys of the pipelines, but only covered the pipeline on the mainland end. In 2004 QCL did another review of the pipelines and stated in its report that the shore zones of the pipelines have not been included in the scope of inspections. Their report stated “No inspection data was available for the onshore section on Varanus Island or the shore zones at Varanus Island and the mainland. This has resulted in increased risk rankings in these sections.” (Bills and Agostini 2009, p. 29) In 2004, Netlink Inspection Services did a visual inspection of the 0.3 m (12 in.) SGL and found that the outer coating had a “minor crack” in it.

The explosion could have been avoided if Apache had paid attention to these reports. However, Apache never inspected line using an intelligent pig and did not follow up on the problem identified in 2004. This lack of follow-up is an indication of a poor safety culture as well as inadequate asset integrity management.

Chapter 4 Explosion Incidents

189

4.9 NATURAL GAS PURGING EXPLOSIONS 4.9.1 Summary Two natural gas explosions, at ConAgra Foods in North Carolina and Kleen Energy in Connecticut, occurred within eight months of each other, with ten fatalities and more than 100 injuries. One led to the release of about 8,165 kg (18,000 lb) of ammonia to the surrounding environment. Both caused extensive physical damage to buildings. Both were caused when new gas lines containing air used to pressure test the line were purged with natural gas. The purge discharged into confined areas with no monitoring, no control of ignition sources, and no access control to minimize the number of people exposed to the hazard. During their investigation of these incidents, the CSB found at least four other similar incidents of this nature (CSB 2009c, CSB 2010). Gas purging was a common practice in the industry. These incidents led the International Code Council (ICC) and its members to revise the International Fire Code (IFC) and the International Fuel Gas Code (IFGC) to prohibit the practice of gas purging and to comply with requirements of NFPA 56 – Standard for Fire and Explosion Prevention During Cleaning and Purging of Flammable Gas Piping Systems.

Key Points Process Safety Competency – Do not accept a hazardous practice as normal. A good understanding of process safety would identify this hazard and seek safer alternatives. Safe Work Practices – Give careful thought to potential hazards when completing a work permit. Is the scale of the hazard understood? Are the controls specified in the permit sufficient to control the hazard? In this case, hot work permits were either not used or inadequate for the scale of the predictable natural gas release.

190

More Incidents that Define Process Safety

Incident Investigation – Investigate near-misses. Understand the hazards. Implement controls to prevent the potential big incident. Near-misses are an indication that you are on the path to a more destructive incident.

4.9.2 Description What Happened. ConAgra Foods Explosion and Ammonia Release, North Carolina, 2009. A gas line to a new water heater in a utility room at the ConAgra Foods plant was being purged with natural gas. The 7.6 cm (3 in.) line was routed for 36.5 m (120 ft) along the top of the building from an existing 15.2 cm (6 in.) main into the building that housed the water heater. Several openings located near the heater allowed the natural gas to be vented directly into the utility room during purging of the 7.6 cm (3 in.) line (Figure 4.9-1). Although the room was equipped with an exhaust fan, no one had analyzed the sufficiency of the existing exhaust equipment. Several purging cycles were conducted because the employees were having difficulty lighting the water heater. The site relied on employees to smell the natural gas as its only means of detection. Some employees did, some did not, but the natural gas odor did not concern anyone, because this was considered a normal activity. At about 11:25 a.m., the natural gas found an ignition source. The resulting explosion caused three fatalities inside the building and critically burned four others. Seventy-one people were sent to the hospital, including three firefighters exposed to ammonia released from the plant’s ammonia refrigeration system as a result of the explosion. (Figure 4.9-2). Kleen Energy Systems Explosion, Connecticut, 2010. A natural gas purge was being conducted at a power plant that was under construction. The gas exited through a horizontal outlet that was less than 6 m (20 ft) above the ground and was located between two large structures. Although the company tried to control ignition sources, their attempt was inadequate. Electrical power

Chapter 4 Explosion Incidents

191

was on, welding operations were ongoing, diesel heaters were running, and the gas purging activity itself could have produced static electricity or sparks caused by impacts from the gas blowing. Eventually, the natural gas ignited and exploded due to the congestion created by the buildings, enabling the fire to become an explosion (Figure 4.9-3).

Figure 4.9-1. Gas-fired water heater piping and likely release points (courtesy CSB).

Figure 4.9-2. ConAgra Plant explosion aftermath (courtesy CSB).

192

More Incidents that Define Process Safety

Why it Happened. In both events, large volumes of natural gas were deliberately released into areas that confined the release. Efforts to control ignition sources were either inadequate or nonexistent. No efforts were made to monitor the release to warn if the natural gas levels were above the LFL. Efforts to limit the number of people exposed to the hazard were ineffective. 4.9.3 Management System Failures I. Commit to Process Safety 2. Compliance with Standards. The standards at the time of the incident allowed cleaning with natural gas. As noted in the summary, codes are being revised due to knowledge gained from these types of incidents. 3. Process Safety Competency. Purging of new gas lines with natural gas following an air pressure test was an accepted practice despite the fact that it is dangerous and has caused incidents. There are safer line-cleaning methods available. The CSB identified five similar incidents that occurred between 2001 and 2008: 2001. A natural gas blow at a power station in Lorain, Ohio, was vented through a three-foot stack, shooting flames 9–12 m (30–40 ft) in the air. 2003. An explosion and fire at a natural gas power plant in Fairfield, California, after natural gas was vented within 3 m (10 ft) of a building. 2005. An explosion occurred at a school in Porterville, California, that injured two workers. 2007. An explosion occurred in Cheyenne, Wyoming, that injured two workers. 2008. An explosion at a hotel in San Diego, California, injured fourteen workers. Safer methods, used by about half of the companies the CSB surveyed, include pigging with air or nitrogen, air blows, nitrogen blows, steam blows, water, and chemical cleaning.

Chapter 4 Explosion Incidents

193

Figure 4.9-3. Location of natural gas outlet (oval) at Kleen Energy (courtesy CSB). The workers conducting these operations were unaware that they were creating an explosion hazard by releasing a flammable vapor into a semi-enclosed or congested area. The hazard created by a flammable release inside an enclosed space is easy to recognize. However, not everyone realizes that a semi-enclosed, congested area can be just as hazardous. A safety review by experts, or release modeling, is called for in such circumstances. Workers in this situation incorrectly thought that smell alone was an adequate method for detecting the presence of gas. However, odor sensitivity varies among people, and people can be desensitized to odors. Moreover, reliance on a person’s sense of smell requires that they be placed directly in the line of fire. III. Manage Risk 9. Safe Work Practices. The reports do not state whether any safe work permits were issued for the operations. If they were, they did not include requirements such as monitoring for the presence of flammable

194

More Incidents that Define Process Safety

materials, control of ignition sources, and limiting the presence of unnecessary personnel. IV. Learn from Experience 17. Incident Investigation. The list of incidents in the Process Safety Culture section shows that companies have not been effectively communicating the results of incident investigations with others in the chemical industry. Improvement in this area would facilitate learning from the experience of other companies and ultimately reducing the number of similar incidents.

4.10 OIL STORAGE TANK EXPLOSION, ITALY, 2006 4.10.1 Summary An explosion occurred in a crude olive oil storage tank in Spoleto, Italy, while workers were welding above the tank. Crude olive oil contains up to 5% hexane from a solvent extraction process. The explosion released the contents of the tank, which caught fire. About an hour later, the fire caused explosions in two other crude olive oil storage tanks. The resulting fire damaged the entire tank farm (Figures 4.10-1 and 4.10-2) and the explosion propelled the two tanks about 60–90 m (196–295 ft). There were four fatalities (Marmo, et al. 2013).

Chapter 4 Explosion Incidents

195

Key Points Process Safety Knowledge–Understand the hazards of the materials you handle. They may not be as harmless as they seem. The material involved (crude olive oil) in this case was not considered to be flammable despite the presence of residual hexane. Hazard Identification and Risk Analysis—Identify hazards so that you can then protect against them. Since the crude olive oil material in this case was not considered flammable, there was no HIRA conducted. This led to inadequate tank design, inadequate SWP, and weak Emergency Management.

Figure 4.10-1 Outdoor storage tanks after explosions (courtesy Marmo).

196

More Incidents that Define Process Safety

Figure 4.10-2 Indoor storage facility after explosions (courtesy Marmo). 4.10.2 Description Background. A number of oil refineries in this region of Italy process olive oil. Process. The refinery produced edible olive oil from crude pomace olive oil. Pomace olive oil is obtained by extracting residual oil from pressed olives using hexane (the oil obtained from the pressing is virgin olive oil). The pomace olive oil was received from multiple suppliers and contained varying amounts of hexane. At the facility, hexane was removed by either chemical or physical processes. Then it was deodorized by a low-pressure, hightemperature stripping step. The facility also made soaps from inedible oil. Hexane is a flammable material with a flash point of -26°C (14.8°F). The flash point of mid isohexane isomers is -18°C (-0.4°F). Crude olive oil can contain up to 5 wt.% hexane. Various grades of olive oil were stored in atmospheric tanks in a tank farm. Figure 4.10-3 is a schematic of the tank farm layout. Tanks 93–107 were 645 m3 (170,390 gal) each and were located

Chapter 4 Explosion Incidents

197

outdoors. Tanks 77–88 were 365 m3 (96,423 gal) each and were located indoors. The tanks contained various grades of olive oil: Tanks 86, 93, 94, 95 and 103—pomace olive oil Tanks 87. 89, 96 and 100—refined oil Tanks 81-85, and 87—virgin oil Tanks 101, 102, and 104–107—lampante oil (an inedible grade of oil) What Happened. On the day of the incident, Tank 95 was less than 10% full, Tank 93 was about 25% full, and Tank 94 was about 50% full. Four contractors were welding supports to the top of Tank 95 for a footbridge to cover tanks 93–96. Ignition occurred in Tank 95, lifting the tank about 10 m (33 ft) into the air and killing the four contractors. The tank fell back near its original position and its contents were released and caught fire. The fire engulfed tanks 93 and 94, and their contents ignited after about an hour. The explosion lifted these two tanks off their pads, and they landed 60–80 m (197–262 ft) away. Tank 93 landed on the roof of the finished product warehouse and tank 94 landed near the byproducts warehouse. Why it Happened. Samples from Tank 95 were available from the plant’s lab and had been tested for hexane level and flashpoint. The tank contained about 1.5 wt.% hexane and had a flashpoint of 29°C (84°F). Two mechanisms were identified for the tank headspace to accumulate sufficient hexane to ignite: During the day, the tank’s surfaces were heated above 30°C (86 °F) by the sun. In addition, the tanks were purged with air in order to mix different batches of oil. This likely entrained hexane into the vapor space. During the night, hexane vapors condensed on the internal surfaces of the headspace. The hot tank skin temperature and purging with air enabled the headspace of the tanks to become enriched with hexane. With a flammable mixture in the headspace, welding provided a strong ignition source in Tank 95, and the resultant external fire around Tanks 93 and 94 generated temperatures high enough to ignite their headspaces.

198

More Incidents that Define Process Safety

Figure 4.10-3. Schematic of tank farm (adapted from Marmo).

4.10.3 Management System Failures II. Understand Hazards and Risk 6. Process Knowledge Management. The crude olive oil was not considered flammable by the Spoleto site, even though there was residual hexane. Although companies doing the extraction were aware of the flammability hazard of hexane. In this sense, the

Chapter 4 Explosion Incidents

199

incident was similar to the BLSR Deflagration and Fire – Section 3.5. 7. Hazard Identification and Risk Analysis. Since the crude pomace oil was not considered flammable, no HIRA were done. This led to a process design without adequate safeguards against flammability, such as inerting the tanks. Also, the safe work permit for the welding operations was either inadequate or missing entirely, it would have been inadequate without the knowledge of the flammability hazard. Finally, the lack of hazard understanding resulted in a lack of firefighting systems that could have contained the initial fire and prevented other tanks from heating to the point of explosion. III. Manage Risk 10. Asset Integrity and Reliability. Existing guidance for safe welding practices should have been reviewed prior to welding on the tanks. NFPA 51B–Standard for Fire Prevention During Welding, Cutting and Other Hot Work ANSI Z49-1–Safety in Welding, Cutting and Allied Processes AWS F4.1–Recommended Safe Practices for the Preparation for Welding and Cutting of Containers and Piping

4.11 NDK CRYSTAL VESSEL RUPTURE, ILLINOIS, 2009 4.11.1 Summary On December 7, 2009, a 2,068 bar (30,000 psi) pressure vessel ruptured during a crystal growing process, likely due to a combination of stress corrosion cracking (SCC) and temper embrittlement. SCC is the formation of cracks through the

200

More Incidents that Define Process Safety

simultaneous action of applied stresses and a corrosive environment (NACE 2010). Temper embrittlement can occur in heat-treated steels. A 3,900 kg (8,600 lb) piece of the vessel landed 133 m (435 ft) away, damaging an office building and injuring one person inside it. A steel beam from the facility fatally struck a truck driver at a rest stop 198 m (650 ft) away. There was severe damage (Figure 4.11-1) to the facility (CSB 2013b). The CSB produced a video describing this incident.

Key Points Process Safety Culture. Listen to the advice of others. Try to understand their concerns. You might learn something and prevent an incident. This company also chose to continue operations after being warned by its insurer not to do so. Compliance with Standards. Standards exist for a reason. Comply with them. In this case, the original vessel did not comply with the appropriate ASME standard. This company was able to get a waiver but then did not comply with the requirements of the waiver. They also violated the ASME standard by welding cracks in one of the vessels. With a waiver comes with the responsibility to comply with it. Incident Investigation. Recommendations are a gift. Understand their intent, take action, and verify that the hazard was addressed. NDK management did not implement the findings of an incident investigation, despite strong recommendations from an outside consultant and its insurer.

Chapter 4 Explosion Incidents

201

Figure 4.11-1. Ruptured vessel and damaged building at NDK (courtesy CSB). 4.11.2 Description Background. Nihon Dempa Kogyo (NDK) Co. was founded in Japan and produces synthetic crystal products. The Belvidere, Illinois, facility began operation in 2003. Process. NDK’s facility consisted of six large-pressure vessels. The process was operated in vessels with walls that were 20.5 cm (8.1 in.) thick. The top was 46.3 cm (18.25 in.) thick and the bottom 41.3 cm (16.25 in.) (Figure 4.11-2). The vessels had an MAWP of 2,068 bar (30,000 psi) and maximum operating temperature of 399°C (750°F). The six vessels were supposed to be constructed to meet the ASME Boiler and Pressure Vessel Code using SA-723 Grade 2 steel. However, the fabricator could not certify that the

202

More Incidents that Define Process Safety

first three vessels vessel were compliant with the ASME code for the type of steel used. They were able to certify the next three. NDK petitioned the Illinois Boiler and Pressure Vessel Safety Division for permission to use the three uncertified vessels because they were acceptable at the operating temperature of 371°C (700°F). After a review by an independent third party, the state approved the vessels. The vessel designer recommended that annual inspections be done after the approval was granted. NDK relied on a protective coating created by the formation of an acmite layer (sodium iron silicate) during the process to prevent SCC. The process itself was simple, akin to making dinner in a pressure cooker. Mined quartz crystals were inserted into the vessel, 3 m3 (800 gal) of 4% sodium hydroxide and a small amount of lithium nitrate was added, and then a rack of seed crystals was suspended at the top of the vessel. The vessel was sealed and heated to 371°C (700°F) with electric heaters. The mined crystals dissolved in the solution and pure quartz crystals formed on the seeds. A typical batch processed for 120–150 days, at which point the vessel was allowed to return to ambient temperature, the pure crystals were removed, and the caustic solution transferred to a holding tank. What Happened. The vessel in question, Vessel 2, was operating at 2,000 bar (29,000 psi) and 120 days into the 150-day cycle when it ruptured. The consequences are described in the Summary. Why it Happened. Examination of vessel fragments revealed cracks in the metal that were likely caused by SCC from exposure to caustic. Traces of impurities from the mined quartz (silicon, aluminum, titanium, sulfur and chloride) were found in the cracks. Impact tests showed the fragments had up to 50% lower strength than had been observed in the original tests. Investigators concluded, that the acmite coating did not provide adequate protection against SCC.

Chapter 4 Explosion Incidents

203

Figure 4.11-2. Cross section of crystallization vessel (not to scale) (courtesy CSB).

204

More Incidents that Define Process Safety

4.11.3 Management System Failures I. Commit to Process Safety 1. Process Safety Culture. The CSB report stated, “NDK’s approach to safety was informal, lacking formalized job training, standard operating procedures, and an incident and injury notification and investigation program.” (CSB 2013b). After a near-miss in 2007, in which hot caustic sprayed out of a pressure sensor connection of Vessel 6, the investigation found small cracks in the lid of the vessel, and a consultant hired by NDK concluded that the cracks were due to SCC. Both the consultant and NDK’s insurer agreed that the vessels should not be returned to service without thorough inspections. The insurer also stated that they reserved the right to deny claims for future damages. NDK continued operation without the recommended inspections. 2. Compliance with Standards. When NDK was given permission to use Vessels 1 – 3, it was with the condition that the vessels be inspected annually. There is no documentation to show NDK did this. When cracks were discovered in Vessel 6, NDK welded the cracks, despite the ASME code forbidding welding SA-723 forged steel. NDK either did not know, or failed to act on, this provision of the standard. IV. Learn from Experience 17. Incident Investigation. The incident investigation process described in a flowchart in RBPS (CCPS 2007) includes the step “Implement recommendations and ensure follow up”. As stated in the Process Safety Culture section, NDK did not do this after the 2007 near miss, despite strong warnings from both an outside consultant and their insurer.

Chapter 4 Explosion Incidents

205

4.12 SIMILAR INCIDENTS Several Explosions were described in 2008 book Incidents that Define Process Safety: Pemex LPG Terminal, Mexico City, Mexico, November 19, 1984. Texaco Oil Refinery Explosion and Fire, Milford Haven, UK, July 24, 1994. Total FCCU Explosion, La Mede, France, November 9, 1992. Elf Refinery BLEVE, Feyzin, France, January 4, 1996. Esso Longford Gas Plant Explosion, Australia, September 1998. BP Grangemouth Hydrocracker Explosion, UK, March 22, 1987. BP Isomerization Unit Explosion, Texas City, Texas, USA, March 23, 2005. Motiva Enterprises LLC, Delaware, USA, July 17, 2001. The Hexane storage tank explosion, Section 4.10, is almost identical in nature to the Motiva event. Phillips Pasadena, Texas, USA, October 23, 1989. Piper Alpha Platform, North Sea, UK, July 6, 1988.

4.13 ADDITIONAL RESOURCES The following resources are available for helping to understand and protect against explosion hazards. Understanding Explosions, Crowl. This CCPS concept book provides a practical understanding of explosion fundamentals, including the different types of explosions, the explosive and flammable behavior of materials, and the hazards related to fires and explosions. It also discusses practical methods to prevent and minimize the probability and consequence of an explosion during routine use of flammable, combustible and/or reactive materials. National Fire Protection Association (NFPA) codes. The NFPA is a trade association that generates many codes addressing fire and electrical hazards. Local authorities often adopt the NFPA

206

More Incidents that Define Process Safety

codes, thus making the code legally enforceable in that jurisdiction. These codes are a good source of knowledge addressing fire protection and suppression. Of note are: NFPA 30 Flammable and Combustible Liquids Code, NFPA 70 National Electrical Code, NFPA 56 Standard for Fire and Explosion Prevention During Cleaning and Purging of Flammable Gas Piping Systems, NFPA 61 Standard for the Prevention of Fires and Dust Explosions in Agricultural and Food Processing Facilities, NFPA 68 Standard on Explosion Protection by Deflagration Venting, and NFPA 654 Standard for the Prevention of Fire and Dust Explosions from the Manufacturing, Processing, and Handling of Combustible Particulate Solids. American Petroleum Institute (API) recommended practices. The API is an industry trade association. API committees have generated recommended practices that address many segments of the oil and natural gas industry. A number of these recommended practices address process safety and fire protection. Of note are: API RP 752 Management of Hazards Associated with Location of Process Plant Permanent Buildings, API RP 753 Management of Hazards Associated with Location of Process Plant Portable Buildings, API 520 Sizing, Selection, and Installation of PressureRelieving Devices, and API 521 Pressure-Relieving and Depressuring Systems. FM Global property loss prevention data sheets. FM Global is an insurance company that has used its loss experience to generate data sheets on several topics. These data sheets are intended to reduce the chance of property damage. Topics of interest include industrial boilers, gas turbines, and extinguishing systems. Guidelines for Evaluating Process Plant Buildings for External Explosions, Fires, and Toxic Releases, 2nd Edition (CCPS 2012a). Siting of permanent and temporary buildings in process areas

Chapter 4 Explosion Incidents

207

requires careful consideration of potential effects of explosions and fires arising from accidental release of flammable materials. This book, which updates the 1996 edition, provides a singlesource reference that explains the American Petroleum Institute (API) permanent (752) and temporary (753) building recommended practices and details how to implement them. New coverage on toxicity and updated standards are also highlighted. Practical and easy-to-use, this reliable guide is a must-have for implementing safe building practices. Guidelines for Vapor Cloud Explosion, Pressure Vessel Burst, BLEVE and Flash Fire Hazards, 2nd Edition (CCPS 2011). This guide provides an overview of methods for estimating the characteristics of VCEs, flash fires, and BLEVEs for practicing engineers. It has been updated to include advanced modeling technology, especially with respect to vapor cloud modeling and the use of computational fluid dynamics. The text also reviews past experimental and theoretical research and methods to estimate consequences. Heavily illustrated with photos, charts, tables, and diagrams, this manual is an essential tool for safety, insurance, regulatory, and engineering students and professionals. Guidelines for Combustible Dust Hazard Analysis (CCPS 2017). This book describes how to conduct a Combustible Dust Hazard Analysis (CDHA) for processes handling combustible solids. The book explains how to do a dust hazard analysis either by using a compliance-based approach (based on compliance with existing consensus standards) or by using a risk-based approach. Examples in the book help the user to understand how to do a combustible dust hazard analysis. Guidelines for Pressure Relief and Effluent Handling Systems, 2nd Edition (CCPS 2017a). Providing in-depth guidance on how to design and rate emergency pressure relief systems, Guidelines for Pressure Relief and Effluent Handling Systems incorporates the current best designs from the Design Institute for Emergency Relief Systems as well as American Petroleum Institute (API) standards. Presenting a methodology that helps properly size all the components in a pressure relief system, the book includes

208

More Incidents that Define Process Safety

software: the CCFlow suite of design tools and the new Superchems for DIERS Lite software, making this an essential resource for engineers designing chemical plants, refineries, and similar facilities.

Chapter 5 Environmental and Toxic Release Incidents

209

5 Environmental and Toxic Release Incidents 5.1 INTRODUCTION The CCPS definition of process safety includes fires, explosions, and toxic releases. However, far more attention is spent on understanding fire and explosion risks than on toxic risks. Ironically, toxic releases have led to some of the most harmful incidents. Toxic releases can travel great distances and linger for long periods of time, potentially impacting members of the public. The Seveso release (1976) harmed thousands of inhabitants and livestock. This incident prompted creation of the Seveso Directive legislation in Europe, which addresses major accident hazards. Another toxic release, the Bhopal incident, is widely recognized as the worst chemical industry incident in history, causing thousands of fatalities and injuring tens of thousands in the neighboring community. CCPS was created following the Bhopal incident. The Sandoz warehouse fire in Switzerland was fatal to wildlife and impacted community water supplies along the Rhine River, prompting changes in international law to protect such waterways. In addition to the human, wildlife, and waterways impact, toxic releases also garner significant media coverage and consequential negative corporate impact. The Deepwater Horizon accident in the Gulf of Mexico is the largest accidental oil spill on record. This incident spurred the reorganization of government agencies overseeing offshore safety as well as the creation of new regulations. As noteworthy as some of these incidents may be, some of the causal factors are quite mundane. Two of the incidents discussed in this chapter involved loading/unloading operations using hoses that were not replaced as planned. One incident involved the integrity of secondary containment. These facts highlight the importance of operating diligence, mechanical

210

More Incidents that Define Process Safety

integrity, layers of protection, and inherently safer design in the prevention of potentially significant environmental and toxic release incidents. One incident highlights the potential hazards of indoor releases. An additional concern in two of these incidents is that workers and emergency responders were affected because they were unaware of the hazards of the chemicals that were released. 5.2 BP MACONDO WELL/TRANSOCEAN DEEPWATER HORIZON FIRE, EXPLOSION, AND ENVIRONMENTAL RELEASE, GULF OF MEXICO, US, 2010 5.2.1 Summary Most of the information in this section was published in a report by the Bureau of Ocean Energy Management Regulation and Enforcement (BOEMRE 2011), the BP report (BP 2010), the CSB reports (CSB 2014a, b, c, and d), and the Transocean report (TO 2011). At approximately 9:50 p.m. on the evening of April 20, 2010, an undetected influx of hydrocarbons escalated to a blowout on the Deepwater Horizon rig at the Macondo Well. A cement barrier was set in the process of temporarily abandoning the well for future production. Tests of the cement barrier integrity were misinterpreted, and the cement barrier failed, allowing hydrocarbons to flow up the wellbore, through the riser and onto the rig, resulting in the blowout. Shortly after the blowout, hydrocarbons that had flowed onto the rig floor through a mudgas vent line ignited. Flowing hydrocarbons fueled a fire on the rig that continued to burn until the rig sank on April 22 (Figure 5.2-1). Eleven people died, and seventeen were seriously injured. Over the next 87 days, an estimated five million barrels of oil were discharged from the Macondo Well into the Gulf of Mexico (BOEMRE 2011). This was one of the worst environmental incidents in US history. The aftermath of the incident was devastating on the Gulf Coast region economy, and studies of the environmental impact continue to this day. BP, Transocean, and

Chapter 5 Environmental and Toxic Release Incidents

211

MOEX Offshore LLC (10% owner of the well) agreed to pay the following fines (DOJ, 2015): $5.5 billion as a Clean Water Act penalty, 80% of which goes to restoration efforts (BP) $8.1 billion for natural resource damages (BP) $600 million for other claims (BP) $4 billion in criminal fines (BP) $90 million for violations of the Clean Water Act (MOEX) $400 million as a Clean Water Act penalty (Transocean Deepwater Inc.) At the time, Mineral Management Service (MMS) managed both the revenue management and safety and environmental protection. The incident prompted a reorganization for offshore drilling regulations; the creation of the Office of Natural Resources Revenues (ONRR), responsible for the revenue function; the BOEMRE, responsible for resource planning and leasing; and the Bureau of Safety and Environmental Enforcement (BSEE), responsible for safety and environmental protection (CSB 2014).

Key Points Process Safety Culture – The way we do things around here. What is that ‘way’ and where is ‘here’? Understanding what the culture actually is ‘on the shop floor’ and if it is consistent across a company may identify opportunities for improvement. Asset Integrity and Reliability – Is that last line of defense truly a defense? The integrity of barriers that are critical to safety and safe shutdown should be assured through systematic analysis and maintenance. Contractor Management - Have a clear interface. Many workplaces involve multiple contractors and numerous interfaces. Is there complete clarity on who is handling what? Are communication paths defined and used so that all are informed?

212

More Incidents that Define Process Safety

Figure 5.2-1. Fire on Deepwater Horizon, source (courtesy CSB). 5.2.2 Description Background. The Macondo Well was owned by BP (leaseholder and operator). Transocean was the owner and operator of Deepwater Horizon, the drilling rig. Halliburton was responsible for the well monitoring and cementing operations. Cameron, contracted by Transocean, was responsible for providing testing and repairs for the blowout preventer (BOP), a key safety and environmental protection layer. There were other subcontractors involved as well, but those mentioned here were the main parties. Process. At the time of the incident, the well was being temporarily shut down, with the intention of being reopened for production at a later date, a process known as temporary abandonment. The production casing, a high-strength steel pipe set in a well to ensure well integrity and allow future production, was installed on April 18-19. The bottom of the well was in a laminated sand-shale zone, an area that has an increased likelihood of cement channeling, which can prevent a strong bond (BOEMRE 2011). What Happened. On April 19, cementing began. The purpose of the cement is to seal the well and prevent hydrocarbons from flowing

Chapter 5 Environmental and Toxic Release Incidents

213

out of the well. The cement operation was monitored by comparing the amount of material flowing into the well with what comes out. The crew believed they had seen a full return of everything that went in, indicating a successful cementing job. After the cementing was completed, a positive well integrity test was run to see if there was outflow from the well to its surroundings. This well passed the positive test. The positive well test cannot test if the cement is sealing the well at the very bottom. A negative pressure test can and was conducted. The test was repeated several times with negative results, but eventually the pressure stopped increasing. The final test, a cement bond log, was cancelled on the belief the cement barrier injection was successful. After determining that the cementing was successful, the crew began to complete the temporary abandonment procedures. During this time, the well was supposed to be monitored for abnormalities, specifically, a “kick” (an unwanted influx of hydrocarbon into the well). Kicks are detected by imbalances in the drilling mud inflow and outflow of the well. During this time, volume in some of the tanks and pits was increasing. Eventually, the blowout occurred. Gas alarms began sounding on the rig. The general alarm system was not activated automatically, so after the gas alarms went off, the control room had to manually sound the general alarm. Personnel were told to abandon the rig 12 minutes after the first gas alarm went off. The BOP, a large (17 m [57 ft] tall and 363 metric tons [400 tons]) apparatus at the ocean floor, is designed to seal a well in an emergency. The BOP had variable bore rams (VBR) designed to seal around the drill pipe and annulars designed to close around the drill pipe (Figure 5.2-3). The annulars and VBR were activated by the crew. It also had a blind shear ram (BSR), designed to cut the drill pipe and seal the well. The BSR was not activated by the crew. All of these failed to seal the well. Why it Happened. BP evaluated several options for plugging the well, however, no risk assessment was done for the chosen plan

214

More Incidents that Define Process Safety

(CSB 2014a, 26). During the drilling of the well, there had been significant losses of drilling mud into the formation. BP engineers and Halliburton studied how to do the cementing in a way that would minimize additional losses. To do this they used a different cement mixture than had been originally planned, a foamed cement slurry that is injected with nitrogen bubbles. An MOC review was not done on the change. After the blowout, investigations showed the cement mixture was not stable. The conclusion that the cement job was successful was based, in part, on the use of the displacement procedure. This procedure assumed a 96.1% volumetric efficiency for a pump stroke. Later analysis showed the actual efficiency was 89-91%. This difference resulted in less seawater being pumped than was thought which left space in and below the BOP. After the cementing was completed, a positive well integrity test was run to see if there was outflow from the well to its surroundings. This well passed the positive test. The positive well test cannot test if the cement is sealing the well at the very bottom. A negative pressure test was conducted, although it was not called for in the abandonment plans and was not required by regulations. The results of the negative pressure test showed that drill pipe pressure was increasing; this was an indication the cement barrier had failed, and material was flowing into it. The test was repeated several times and eventually, the pressure did stop increasing. Not believing the results, a member of the crew of the rig put forward a theory (which became known as the bladder effect) to explain the differences, and the well leaders accepted it. A final test, a cement bond log, was cancelled on the belief the cement barrier injection was successful. The BOEMRE investigation states that the “central cause of the blowout was failure of a cement barrier in the production casing string” (BOEMRE 2011). An extremely simplified explanation of this behavior is that, based on the original monitoring of material in and out, and the successful positive test, the crew believed the cement job was successful, and any evidence to the contrary was rationalized

Chapter 5 Environmental and Toxic Release Incidents

215

away. A more thorough description of this “confirmation bias” is given in CSB (2014c). During the temporary abandonment operations, when the well was supposed to be monitored for kicks, the crew began directing the mud to two pits instead of one, and from them to other pits and from the rig to another ship, reducing the ability to rapidly detect a kick. A mudlogger, an employee from a different contractor, was supposed to do this monitoring. He questioned directing the mud to two pits, but was told this was how it was done, and let the matter go at that. The result was that a kick was hard to detect, so when the kick did occur, it was not detected. This was a violation of the rig owner’s policies regarding well monitoring. During this time, the pit level rose by 15.8 m3 (4,190 gal) in 15 minutes. The crew’s response was to try to bleed off pressure by opening the well, an indication they still did not know that the well was actually flowing. The hydrocarbon flow in the well eventually pushed all the mud out of the well and flowed onto the rig. The blowout could have been sent to diverter lines that would have directed it off of the rig (Figure 5.2-2), which would have reduced the likelihood of ignition of the release and reduced the consequences if ignition did occur. However, procedures on when to use the diverter instead of the mud-gas separator were overly complicated (the normal procedure to switch to overboard flow took ten steps) (BOEMRE 2011, CSB 2014d). As the alarms were sounding, the engine room operators called for instructions but were never told to shut down the engines. The engines were later determined to be the likely ignition source. There were three ways to operate the BOP in an emergency mode. The explosions likely disabled the first method. Later investigation showed that the second method, which should have worked automatically without operator action, likely did not function due to critical control pods on the BOP that were faulty. One had a fault in the solenoid valve, and one had insufficient

216

More Incidents that Define Process Safety

Figure 5.2-2. Location of mud-gas separator and diverter lines (courtesy CSB). battery charge. Finally, a remote-operated vehicle was used to close the blind shear rams, but by this time (33 hours later), the drill pipe had buckled in the BOP and was forced outside of the zone of the blades of the BSR. (See the link for CSB website in the Links section for a video describing the BOP operation and why it failed.)

5.2.3 Management System Failures I. Commit to Process Safety 1. Process Safety Culture. The characteristics of a good process safety culture include maintaining a sense of vulnerability and establishing a learning/questioning environment (Baker Panel Safety Review Panel [Baker Panel], 2007). The Baker Panel report was the result

Chapter 5 Environmental and Toxic Release Incidents

217

of a survey of BP refineries after the 2005 explosion at the Texas City refinery. BP was in the process of implementing the recommendations of the Baker Panel. In 2008, BP overhauled its management system and developed a new system called the Operating Management System Framework (OMS), and by 2009, OMS was about 80% implemented. BP intended to have OMS applicable to drilling rigs. However, BP’s requirements were just being rolled out when the Macondo Well was drilled and were not applied to the Macondo Well. The confirmation bias, which prevented the crew from recognizing the failure of the negative pressure test as valid, is another symptom of a lack of a learning/questioning environment and a lack of a sense of vulnerability. Further illustrating this point was the BOEMRE report statement that “in the weeks leading up to the blowout on April 20, the BP Macondo team made a series of operational decisions that reduced costs and increased risk” and that the investigation team “found no evidence that the cost-cutting and time-saving decisions were subjected to the various formal risk assessment processes that BP had in place.” 2. Compliance with Standards. Both BP and Transocean did not adequately implement their own process safety management policies. Both had MOC guidelines that were not followed during the abandonment procedure. The CSB noted Transocean’s “minimal guidance and unclear expectations of the risk management tools its personnel should use”. The crew at Macondo Well did not apply the techniques identified as Transocean’s risk management tools: HAZID/HAZOP, Major Hazard Risk Assessment, Safety Case, and Operation Integrity Case. These tools were supposed to demonstrate the risk was As Low As Reasonably Practicable (ALARP), but Transocean did not provide guidance on what tools to use.

218

More Incidents that Define Process Safety

III. Manage Risk 8. Operating Procedures. The Deepwater Horizon crew was not supplied with a procedure for testing the cement barrier. The crew did not, therefore, have a criterion for deciding if the test was positive or negative, or actions to take following a negative test (CSB 2014a). The abandonment procedure was written 24 hours in advance, partly due to the fact that the nature of the strata at the bottom of the well could not be known until the well was drilled. No MOC or process hazard review was done for the procedure, with the exception of an occupational safety review. 10. Asset Integrity and Reliability. The BOP was not managed as safety critical equipment, though it was the only equipment on the rig designed to be able to stop a blowout. One of each pair of redundant solenoid systems was inoperable at the time of the blowout. The BOP was overdue for vendor-recommended preventive maintenance, and no effective testing or monitoring process was in place to confirm the availability of the redundant systems in the emergency automatic mode function (AMF)/deadman system if called upon to function (CSB 2014b). 11. Contractor Management. An offshore drilling rig employs many contractors, hence communications and management of the relationship between owner and the various contractors is very important. The CSB report (2014d, p. 168) states, referring to BP and Transocean, that “while both companies had more rigorous corporate policies for risk management, neither assumed effective responsibility for ensuring their implementation at Macondo.” One safeguard against a blowout was supposed to be the monitoring of well conditions by the mudlogger. The mudlogger was from a subcontractor. He was not included in the discussions that occurred during the well testing, so was unaware there had been issues with the negative pressure test, diminishing his

Chapter 5 Environmental and Toxic Release Incidents

219

reliability as a safeguard. When he raised concerns about the outflow being directed to multiple locations, they were dismissed or ignored. 13. Management of Change. The temporary abandonment procedure was changed several times, but no MOC review was done on any changes. Changes included using foamed cement (which is known to be less stable than non-foamed cement), and the cement leftover from a previous well. 15. Conduct of Operations. Hazardous processes should be designed with multiple safeguards. BOPs are designed with multiple rams that close in various ways and are intended to shut off the flow from the well. At the time of the incident, Transocean had BOPs with two BSRs on eleven out of fourteen of its rigs, and BP had two BSRs on all of the other rigs it was leasing. The Deepwater Horizon rig only had one BSR. One article (Barstow, et al. 2010) notes that the failure rate of BOPs is 45%. (That figure is based on a study by Det Norske Veritas; it was not noted if the failed BOPs in the study had one or two BSRs). Relying on such a vulnerable layer of protection as the final layer is an example of poor engineering design or perhaps management, depending on who approved the BOP design. One could argue that reliance on the BOP may have reduced the crew’s “sense of vulnerability” as they believed it was the ultimate layer of protection, when, in fact, it was a flawed safeguard. Transocean relied upon operator response to sound alarms rather than automated shutdowns for its most critical safeguards against catastrophic reservoir blowout and gas in the riser, yet when the blowout actually occurred, the operating staff hesitated to engage them. The delay in activating the general alarm and the failure to shut down the two operating diesel generators, which seem to be the likely ignition source, shows a failure of COO. In addition, the valves to divert flow from the inboard mud separators to the outboard emergency discharges were remotely

220

More Incidents that Define Process Safety

operated but required operator action. A robust design would have automated this. This is another example of inadequate engineering design. (The CSB’s conclusion was that Transocean was concerned about preventing environmental releases from inadvertent discharges of drilling mud to the ocean.) Finally, it seems unclear when and by whom the final safeguard, the BSR, was actuated, only that it failed to seal off the well pipe. Neither BP nor Transocean ensured there were sufficient, robust safeguards in place. IV. Learn from Experience 17. Incident Investigation. The Deepwater Horizon well blowout was an informative illustration of the need for learning from experience. The simplest example of not learning from experience concerns an earlier kick at the Macondo Well. The kick had occurred on March 8, 2010. It was not detected for thirty minutes. Detection and response to a kick is a key safety barrier in well operations. The failure to detect the kick of March 8 should have been investigated. This was required by BP’s internal requirements. The failure to do an investigation was cited as a contributing cause to the incident by the BOEMRE report A further example of not learning the lessons from similar incidents is the 2008 blowout which occurred on a BP rig in the Caspian Sea. It was reported to be due to a poor cement job. It resulted in 211 people being evacuated from the rig and the field being shut down for 4 months. In the risk matrix for the Macondo Well, an uncontrolled well incident was considered a medium risk event (cost of $ 1-3 million). A well kick and blowout were not considered as well control failure events. In December 2009, an event similar to the Deepwater Horizon’s occurred on an offshore rig operated by Transocean in the United Kingdom. The crew had finished displacing mud and conducted a pressure test. They stopped monitoring and were surprised when mud began flowing onto the rig. In this event, they

Chapter 5 Environmental and Toxic Release Incidents

221

were able to shut down the well. Transocean, the owner and operator of the drilling rig, prepared a presentation on this event and issued an operations advisory to its North Sea fleet. However, the lessons from these events were not learned by the crew and engineers running the Deepwater Horizon.

Figure 5.2-3. Macondo Well blowout preventer, source (courtesy CSB).

222

More Incidents that Define Process Safety

5.3 FREEDOM INDUSTRIES, INC. CHEMICAL SPILL, WEST VIRGINIA, US 2014 5.3.1 Summary On January 9, 2014, Freedom Industries chemical storage and distribution facility in Charleston, West Virginia, an aboveground storage tank experienced a leak that flowed into the Elk River. Upon arrival at the site, West Virginia Department of Environmental Protection (WVDEP) inspectors discovered what was later identified as methylcyclohexanemethanol (crude MCHM) and polyglycol ethers (PPH, stripped) leaking from an aboveground storage tank. The chemicals flowed 2.4 km (1.5 mi) to the intake of the West Virginia American Water (WVAW) water treatment facility and contaminated the drinking water distribution system, prompting a do-not-use order across portions of nine counties. Refer to Figure 5.3-1. Over 350 emergency room visits were recorded in the first few days of the incident. The do-not-use order also resulted in closures of many businesses, schools, and public offices. This incident garnered national news coverage. CSB recommendations were made to the local water works company as well as the American Water Works Association. The tanks have been removed from the Freedom Industries site and only the office/warehouse, garage, and storage buildings remain. Freedom Industries entered into a Voluntary Remediation Program in late February 2015, and the land has since undergone extensive remediation. Freedom Industries executives and managers were convicted of criminal charges related to violating the Clean Water Act, negligently discharging refuse matter in violation of the Refuse Act and failing to have a pollution prevention plan. (CSB 2017) Two were sentenced to federal prison and the remaining four received three years of probation.

Chapter 5 Environmental and Toxic Release Incidents

223

Key Points Compliance with Standards – Learn from industry standards. They contain many hard-won learnings. Even if you are not ‘regulated’ to comply with a certain standard, it may still be a great resource. Asset Integrity and Reliability – Maintain equipment integrity. Equipment will start degrading the day it is installed. Inspection and maintenance of process and storage equipment (in this case, tanks) as well as layers of protection (in this case, dikes) are necessary to ensure the integrity of the system. Emergency Management – Plan for the unlikely event, be transparent about the possibilities, and involve the potential stakeholders. Emergency plans should include information on all chemicals involved, drills should include external emergency responders that may be involved, and drill experiences should be used to improve the emergency response plans.

5.3.2 Description Background. Freedom Industries provided specialty chemicals for the mining, steel, and cement industries. Freedom Industries had ownership of the facility for only nine days prior to the incident, having merged with the Etowah River Terminal, LLC (ERT). At the site in Charleston, Freedom Industries stored and sold ShurFlot 944, a mixture containing methylcychohexanemethanol (crude MCHM) and polyglycol ethers (PPH, stripped), in addition to calcium chloride and glycerin.

224

More Incidents that Define Process Safety

Figure 5.3-1 – Flow path from Freedom Industries to West Virginia American Water Kanawha Valley Treatment Plant (courtesy CSB).

Process. The incident involved three 175 m3 (46,200 gal) tanks (395, 396, and 397). Tank 396 held 88.5% crude MCHM, 7.3% PPH, stripped, and 4.2% water by weight on the day of the incident. Tank 397 was a blend tank that was used to mix crude MCHM and PPH, stripped to produce ShurFlot 944, the blend that leaked into the river. The ShurFlot 944 SDS stated that it is composed of a blend of alcohols, glycol ethers, and carboxylates and that it can cause skin, eye, and respiratory irritation and is harmful if swallowed. The SDS for crude MCHM stated that it contained a mixture of six different chemical compounds, including 4-MCHM and water. 4-MCHM (CH3C6H10CH2OH) is made up the highest percentage of the crude MCHM and was the main chemical that entered the drinking water supply. Crude MCHM is used in the froth flotation

Chapter 5 Environmental and Toxic Release Incidents

225

Figure 5.3-2 – Layout of Freedom Industries site (courtesy CSB). process to remove impurities from coal (such as shale and clay). It acts as a foaming agent to bind to organic matter. Twelve days following discovery of the leak, Freedom identified that PPH, stripped, was also present in tank 396 at the time of the leak. PPH, stripped, is a mixture of propylene glycol phenyl ether and di-propylene glycol phenyl ether. The Freedom Industries SDS for PPH stated that it causes skin and serious eye irritation, and handlers are instructed to avoid inhaling PPH, stripped vapors. It is also a combustible liquid. What Happened. Approximately 42 m3 (11,000 gal) of the mixture of crude MCHM and PPH, stripped, leaked from tank 396 through two small holes on the tank floor. The holes were caused by pitting corrosion that had degraded the thickness of the floor from the tank interior.

226

More Incidents that Define Process Safety

The chemicals then moved under the tank, through a failed dike, along a damaged underground culvert, and into the river. Refer to Figure 5.3-2. The WVAW water treatment process was not capable of fully treating and removing the chemicals, resulting in the contaminated drinking water. Since shutting down the water supply would have also meant a loss of firefighting water, WVAW issued a do-not-use order when chemical odors were detected in the treated water. Community officials initially had only the SDS information on which base risk estimates and communications. This resulted in neighboring residents being given changing and conflicting information, which increased public concern about the safety of the drinking water. Why it happened. Internal inspection of Tank 396 revealed two holes in the tank floor caused by pitting corrosion, as well as other pits and crevices. Pitting corrosion is confined to a point or small area that takes the form of cavities, and the rate of pitting corrosion may be many times greater than the rate of general corrosion. Because it is localized, pitting corrosion can only be reliably detected by periodic internal inspections. The CSB found evidence that the tank bottom had been replaced at some point, and experts estimated that the second floor was at least 25 years old but were unable to determine the exact age of the tank bottom or when pit initiation occurred. Extremely cold weather conditions in early January 2014 may have caused a frost-heaving effect in the ground surrounding the Freedom tanks. Frost heaving occurs when the freezing of watersaturated soil causes the deformation and upward thrust of the ground surface. This possibly led to the flexing or movement of the tank bottom in the vicinity of the holes. The movement could have provided enough bending on the bottom plates to possibly dislodged debris blocking flow through the bottom holes. Once the material became dislodged, the pressure from filled tank 396 may have enabled the sudden gushing flow of liquid from the tank bottom.

Chapter 5 Environmental and Toxic Release Incidents

227

5.3.3 Management System Failures I. Commit to Process Safety 2. Compliance with Standards. Freedom Industries is subject to the requirements of the West Virginia/National Pollutant Discharge Elimination System (NPDES) General Water Pollution Control Permit’s Stormwater Pollution Prevention Plan and the Groundwater Protection Rule. These require spill prevention and protection plans to reduce the potential for leaks from such tanks and secondary containment. There was no evidence that Freedom Industries or ERT implemented a Stormwater Pollution Prevention Plan or Groundwater Protection Plan. Freedom Industries believed they were not covered by the federal Spill Prevention, Control, and Countermeasure (SPCC) Rule, as this rule is only applicable to facilities that store oil. It was later discovered that Freedom Industries stored fatty acid on site, and thus the SPCC rule was applicable, and they should have had a SPCC plan. Finally, when the spill occurred, Freedom had no containment or leak mitigation supplies on hand beyond a single bag of absorbent, which was not adequate for a leak of this size. III. Manage Risk 10. Asset Integrity and Reliability. CSB found no documentation of prior maintenance or inspections by Freedom Industries or ERT that would have identified and addressed the internal corrosion in tank 396 since its installation in 1938. There was no inspection of the secondary containment system integrity, nor repair of the secondary containment wall, despite knowing the wall cracked, nor did the site have a leak prevention plan or leak detection system to notify employees of tank leaks. From a compliance perspective, the API standards are typically regulated for petroleum-based products only. However, from a learning point of view, these standards and others that

228

More Incidents that Define Process Safety

may not be “required” can be a very good source of information and best practice to inform additional areas. In this case, API 650, “Welded Tanks for Oil Storage” and 653, “Tank Inspection, Repair, Alteration, and Reconstruction”, may have guided the construction, maintenance, and inspection of these atmospheric storage tanks. Facilities storing chemicals should establish inspection programs, including the inspection and maintenance of tanks with an aim to prevent leaks. 16. Emergency Management. WVAW did not issue the do-not-use order because they believed their system could effectively treat the water, based on the misinformation it received about the quantity of crude MCHM released and its properties. Additionally, the SDS for crude MCHM contained little information on which to understand the risk to humans. Based on this information, WVAW believed their system could effectively treat the chemicals. Also, twelve days after the leak was discovered, Freedom Industries identified an additional chemical present in the leaked mixture. This delay and subsequent change in information communicated to the public created concern and distrust. Facilities handling chemicals with the potential for a leak into a waterway should liaise with local emergency responders to ensure that the chemical characteristics are understood and can be immediately communicated in case of an emergency.

5.4 MILLARD REFRIGERATED ANHYDROUS AMMONIA RELEASE, ALABAMA, US, 2010 5.4.1 Summary On August 23, 2010, at the Millard Refrigerated Services facility in Theodore, Alabama, hydraulic shock caused a roof-mounted 0.3 m (12 in.) suction pipe to catastrophically fail, leading to the release of more than 14,515 kg (32,000 lb) of anhydrous ammonia. The ammonia cloud traveled downwind, impacting crew on the ships docked at Millard and, across the river, impacting more than 800 contractors at a Deepwater Horizon oil

Chapter 5 Environmental and Toxic Release Incidents

229

spill cleanup site. One Millard employee sustained injuries after losing consciousness. Nine ship crew members and 143 off-site contractors downwind reported exposure. Of the exposed victims, thirty-two required hospitalization and four were placed in intensive care. The Department of Justice and the US Environmental Protection Agency (EPA) settled with Millard Refrigerated Services regarding alleged violations of the Clean Air Act, Emergency Planning and Community Right-to-Know Act, and Comprehensive Environmental Response, Compensation, and Liability Act violations. Millard is set to pay a $3 million penalty for the violations that exposed the contractors. (CSB 2015c) (DOJ 2015b)

Key Points Process Knowledge Management – Consider abnormal operations. Design and operation, including that of control systems, should include consideration of both normal and abnormal operations, such as utility failure or cycle interruption. Changes to that design should be managed and controlled. Hazard Identification and Risk Analysis – How big is the risk? The greater the volume in a single system, the greater the potential release. Although it may be easier to group process equipment or tankage under a single control system, if there is a failure, the release may include the volume of the entire system. This risk should be identified and analyzed. Emergency Management – Use emergency shutdown systems in emergencies! Manually operated emergency shutdown systems should be used immediately. If there is a desire to first verify the situation, then this time delay and its consequences should be analyzed and clearly communicated in procedures and training.

230

More Incidents that Define Process Safety

Figure 5.4-1 – Location of Millard Refrigerated on Theodore, Alabama Industrial Canal (courtesy CSB). 5.4.2 Description Background. Millard Refrigerated Services operated as a marine export facility that sent frozen meat abroad. The site is located on the Theodore Industrial Canal in Theodore, Alabama. Refer to Figure 5.4-1. Millard operated a 64,864 kg (143,000 lb) ammonia refrigeration system that supplied five product storage freezers and three blast freezers. Anhydrous ammonia (NH3) is a colorless gas at normal temperature and pressure, with a characteristic pungent odor. The American Industrial Hygiene Association (AIHA) Emergency Response Planning Guidelines Level 2 (ERPG) for ammonia is 150

Chapter 5 Environmental and Toxic Release Incidents

231

ppm. The ERPG is the maximum airborne concentration below which nearly all individuals can be exposed for up to 1 hour without experiencing or developing serious adverse health effects or adverse symptoms that could impair an individual’s ability to take protective action. Process. The refrigeration system at the Millard facility was a closed system designed to handle liquid ammonia between a minimum temperature of -40°C (-40°F) and a maximum temperature of 43°C (110°F). The normal design system operating pressure ranged between 223 mm (8.8 in.) of mercury (Hg) vacuum and 14.5 barg (210 psig). The refrigeration system cooled the freezers as the ammonia changed phase from a liquid to a vapor. The ammonia vapor was then condensed back into a liquid. During cooling, moisture from the air builds up on the external surface of the evaporator coil in the form of frost, which can reduce its heat transfer efficiency. A hot gas defrost cycle is a common technique used to periodically melt the accumulated frost from the evaporator coil surfaces by interrupting the normal cooling mode and circulating hot gaseous refrigerant from the compressor discharge through the coil to warm the evaporator surface. What Happened. On the afternoon before the incident, the refrigeration system experienced a loss of power for more than 7 hours. When starting up after the power outage, the operator manually cleared an alarm in the refrigeration system which interrupted an evaporator defrost that was in mid-cycle prior to the power outage. This caused the evaporator to switch directly from defrost mode into refrigeration mode without bleeding hot gas from the evaporator coil. The manual clearing of the alarm had caused a reset of the control system. Therefore, the control system did not bleed the high-pressure hot gas from the coil. Instead, it signaled the suction stop valve and liquid feed valves to simultaneously open in order to return the evaporator to cooling mode operation, allowing the low-temperature liquid and hot gas to mix in the

232

More Incidents that Define Process Safety

same pipe. The mixing caused the hot gas to rapidly condense to a liquid, creating hydraulic shocks that ruptured both the evaporator piping manifold and the low-temperature suction piping on the roof. Immediately upon discovering the release, two Millard employees went to the roof to manually close the isolation valves. They attempted to isolate the source of the leak, but all other equipment connected to the low-temperature suction header was still in operation. One Millard employee and more than 152 off-site workers, including nine crew members of a ship docked at the Millard facility, sustained injuries as a result of ammonia exposure. Of the 153 reported exposures from this incident, a total of thirty-two workers were admitted to the hospital, and four were placed in intensive care. Why it happened. The rapid opening of a valve between the highpressure and low-pressure areas caused shock to the ammonia system. The coil rapidly depressurized, causing refrigerant liquid and vapor to accelerate into the downstream suction piping. The gas quickly condensed to a liquid, leading to shock when voids of trapped gas built up pressure and then rapidly condensed, creating a vacuum. The creation of the vacuum reduces the volume, allowing fluid from other parts of the system to rush in at high velocity. Then, when this fluid hits a corner or end of a pipe, it stops suddenly, potentially damaging that piece of pipe. The Millard failure was likely caused by a combination of the condensation shock and the high velocity liquid impact. A contributing factor in this incident was the configuration of the blast freezer evaporators at the Millard facility. Specifically, multiple evaporator units were connected to a single control valve group. This allowed an excessively large volume of high-pressure gas to be introduced to the suction line during restart.

Chapter 5 Environmental and Toxic Release Incidents

233

5.4.3 Management System Failures II. Understand Hazards and Risk 6. Process Knowledge Management. The control system contained a software error that permitted the system to go to refrigeration mode without bleeding the high pressure from the coil or preventing the low-temperature suction valve from opening. In normal operation, this error went undetected. This error was enabled by a lack of restricted access for control system modifications. It was also noted that the pump-out time at the beginning of the defrost cycle was less than originally intended. This may have resulted in not fully clearing the residual liquid ammonia from the evaporator coil. Software logic should consider both normal and abnormal operations such as a power outage or cycle interruption. System modifications, including software logic changes or manual overrides, should be controlled, through the use of password protection. Changes in system operations, such as time for operational steps, should be subject to a MOC process. 7. Hazard Identification and Risk Analysis. Each evaporator coil at Millard had an aggregate capacity of 0.4 m3 (15 ft3) of liquid ammonia or gas with a total of 1.7 m3 (60 ft3) of ammonia for each blast freezer valve control bank. By grouping four large blast freezer evaporators together with one set of control valves, the opportunity for a large volume flow through the suction line enabled the failure. For the design of systems handling toxic materials, avoid grouping large portions of the process under a single control. While this may simplify operations, it increases the volume, and thus potential impact, of any toxic release.

234

More Incidents that Define Process Safety

III. Manage Risk 16. Emergency Management. The use of the emergency stop button located in the Millard control room would have shut down the compressors and pumps, stopped the ammonia circulation and decreased the volume released. However, the Millard emergency procedure instructed personnel to first find and isolate the leak, stating that the emergency stop button was for use in natural disasters and when deemed necessary by authorized personnel. Because the operator did not immediately activate the emergency stop button, the release quantity was greatly increased. In the event of a hazardous release, emergency shutdown systems should be activated immediately. Where procedures advise that the leak should first be located, the consequences of this potential time delay should be analyzed and included in risk analyses. 5.5 DUPONT METHYL MERCAPTAN RELEASE, TEXAS, US, 2014 5.5.1 Summary On November 15, 2014, a release of 10,886 kg (24,000 lb) of methyl mercaptan from the third floor of the building that housed DuPont’s LaPorte, TX, Lannate® process resulted in methyl mercaptan concentrations that were above the level considered “immediately dangerous to life and health” (IDLH) in the building. Area personnel activated the building evacuation alarm and requested rescue via the plant emergency communication system. The Site Emergency Response Team responded to the area for search and rescue. Site personnel placed calls to 911, and external agencies also responded to the site. The Site Emergency Response Team members stopped the release and isolated the process. The release resulted in four employee fatalities, three personnel injuries, and three other personnel chemical exposures. There were no off-site injuries or exposures. In 2016,

Chapter 5 Environmental and Toxic Release Incidents

235

DuPont announced that it will close the La Porte plant, which has been shut down since the gas leak (CSB 2015d).

Key Points Hazard Identification and Risk Analysis – Look beyond the P&ID. Are there surrounding features such as a building or a fence that could increase the risk or limit emergency response? Is the “vent to safe location” really safe–or is it in an area that operators may need to access? Operating Procedures – Use operational discipline when using operating procedures. Following procedures every time, such as walking the line, can help to avoid likely errors such as misalignment of valves. Emergency Response – Put human nature aside for a moment. It is human nature to respond to another person’s need for help. However, in a toxic release situation, it is imperative for the safety of the emergency responders, as well as that of the victim, that the responders first assess the situation and protect themselves. Otherwise, all may become victims.

5.5.2 Description Background. At the La Porte plant, DuPont made insecticides, herbicides, and other products. In the Lannate® unit, methyl mercaptan was reacted with other chemicals to create the insecticide Lannate®. Refer to Figure 5.5-1. Process. The process of making Lannate® is not the key process involved in this incident. Instead, it was the chemistry of slurries and hydrates are key. The reaction between methyl mercaptan and other chemicals can create a slurry. This slurry is typically cleared by flushing the lines with hot water. Hydrates are an icelike, solid substance that can be created when a hydrocarbon and water are mid below a certain temperature. Lines blocked with hydrates can be challenging to clear.

236

More Incidents that Define Process Safety

Figure 5.5-1 – DuPont building housing the Lannate® unit (courtesy CSB). What Happened. On November 10, 2014, the Lannate® unit was shut down due to a problem with the reactor. On November 12, attempts made to restart the unit were unsuccessful due to a slurry blockage in the line that had been cleared by flushing lines with hot water. During this clearing, a valve had inadvertently been left open to the methyl mercaptan feed line that connected to the methyl mercaptan storage tank. It is estimated that 907 kg (2,000 lb) of water flowed through this open valve, into the feed line, and into the tank. There were consistently cold ambient temperatures that week. The water mid with the methyl mercaptan, forming a hydrate that blocked the feedline. On November 14, the operators attempted to clear the hydrate by flowing hot water onto the blocked pipeline and

Chapter 5 Environmental and Toxic Release Incidents

237

heating it above 11°C (52 °F), the temperature at which the hydrate should revert to methyl mercaptan and water. The feed line was connected by valves to the vent header at three points along the line. With the Lannate® unit shutdown, a fourth valve located between the feed line and the reactor system had been closed in order to prevent methyl mercaptan from entering the reactors. In this configuration, there was no flow path for the methyl mercaptan except into the vent header. At the end of the day shift, the operators communicated the plan for clearing the hydrate to the night shift. As a result of troubleshooting and clearing activities, valves leading to the vent header from the methyl mercaptan feed line had been left open, creating an interconnection from the methyl mercaptan feed line to the vent header. The positions of the three valves were not communicated during the shift change. Refer to Figure 5.5-2. The night shift operators attempted to clear the remaining blockage and then attempted to start up the unit, which involved starting the methyl mercaptan pump and opening an additional valve from the feed line to the reactor system. The start-up attempt was not successful, as the blockage remained. They closed the additional valve to the reactor and then took a break in the control room. They left the hot water hoses and the methyl mercaptan pump on. Why it happened. The hydrate blockage cleared while the operators took a break, allowing the methyl mercaptan to flow into the feed line. It then took the path of least resistance and flowed into the vent header. The vent header connects with process equipment inside the Lannate® building. Operations personnel began to observe pressure increases in the process vessels connected to the vent header and did not realize the pressure was caused by methyl mercaptan because vent header pressure increases were typically associated with condensate collecting in the vent header. Instructions were to drain liquid from the vent system daily.

238

More Incidents that Define Process Safety

Figure 5.5-2 –Depiction Showing Location Where Drain Valves Were Opened. These drain valves released toxic methyl mercaptan into the manufacturing building. Methyl mercaptan detectors on the first and fourth floors detected high concentrations of methyl mercaptan shortly after the release began. This depiction is a simplified graphic of the manufacturing building and does not show the location of Operator 1 (courtesy CSB). Operators were sent to drain the vent system of liquid. They opened valves intending to release the condensate, but instead liquid methyl mercaptan was released into the building. It quickly vaporized and exposed the workers who had been attempting to drain the liquid from the vent system. These are classic errors during line-up and shift hand-over communications. According to an American Fuel & Petrochemical Manufacturers (AFPM) study, 30% of losses of primary containment (LOPCs) are due to line-up errors (AFPM, 2017).

Chapter 5 Environmental and Toxic Release Incidents

239

Given the challenge and time involved in clearing the hydrates, a number of valves had been operated over a number of shifts. There was no operational continuity in communicating the current operating state (line-up) of the plant. Good operating discipline would include operator shift hand-over notes and positive verification of the line-up before starting up. Other tools include bypass boards noting the location of open bleed valves and flags on open bleed valves.

5.5.3 Management System Failures II. Understand Hazards and Risk 6. Process Knowledge Management. The DuPont La Porte insecticide business unit also used methyl isocyanate (MIC). Following the Bhopal incident, DuPont made modifications to implement inherently safer design principles for MIC, including an open building structure with equipment to direct potential toxic leaks to an incinerator. However, DuPont did not apply these same principles to the methyl mercaptan equipment. The Lannate® process was located inside a building. Companies sometimes enclose toxic chemical manufacturing equipment inside a specially designed containment building, with the intention to contain any potential leaks in the building and route the toxic vapor to a destruction device such as an incinerator or scrubber. There was no documentation of the design intent of this building. DuPont stated that it was not a containment building. If toxic vapors were collected in the building, they would be discharged from the roof. However, the building’s ventilation system was ineffective. The building’s stairways had fire doors that were often propped open, and the building ventilation fans were not operational at the time of the incident. A previous audit of DuPont La Porte’s Process Safety Management system found that the ventilation system was not being tested as required,

240

More Incidents that Define Process Safety

despite the ventilation fans being classified as process safety critical. Engineering solutions to mitigate process safety risks through inherently safer design should have been developed to address both the process equipment and also the surrounding area that may be affected by a release of toxic chemicals. In this case, the structure housing the Lannate® process, the discharge location of the pressure relief system (or use of a destruction system), and the design of the air ventilation system should have been considered. 7. Hazard Identification and Risk Analysis. Performing process hazard reviews is fundamental to the identification and consideration of potential process safety risks. PHAs should be conducted on a routine basis and should include operators and others familiar with the unit’s potential hazards. PHAs should have identified the risk of operator exposure to methyl mercaptan when draining condensate from a manual drain valve in the vent header, a daily task, and either eliminated the need for draining condensate or provided a safe means to do so. Likewise, the abnormal operation of clearing a plug in the methyl mercaptan feed line should have triggered a procedural PHA with process-knowledgeable employees to identify potential hazards, raise safeguards, and ultimately to determine if the procedure could be performed safely. III. Manage Risk 8. Operating Procedures. The operators created a strategy to resolve the hydrate blockage. However, they did not consider the potential blockage of relief paths in this strategy. Operating procedures should include troubleshooting and other non-routine activities. The lead-up to this incident, like so many others, took place over a number of shifts. In this instance, the operators were not aware of the positions of all of the valves. This reinforces the importance of clear and complete shift turnover communications and also the

Chapter 5 Environmental and Toxic Release Incidents

241

importance of walking down the line to verify the state of the process. 13. Management of Change. DuPont had previously evaluated the potential off-site concentrations from a release of methyl mercaptan through the relief valves on the top of the methyl mercaptan storage tank due to a fire. These relief valves discharge to the atmosphere. The analysis found that the fireproofing could reduce the relief and avoid ERPG 3 concentrations off-site. However, at the time of the incident, the fireproofing insulation had been removed. No MOC was found for the removal of the fireproofing. Management of change reviews should be conducted on changes that may impact the function of the pressure relief system. In some cases, features like fireproofing insulation or provision of a separation distance may not be readily recognized as an important part of a pressure relief scenario. An MOC may help to make this clear. 16. Emergency Management. At the time of the incident, there were three methyl mercaptan detectors located in the building, but the only alarm was in the control room. The workers located outside of the control room had no way to know if a building gas detector was in alarm. Three of the four fatalities occurred after the initial release when workers entered the building without proper PPE to respond to the first victim’s call for help. The Emergency Response Team was not notified that the incident involved a toxic release, so they arrived on scene without proper equipment. This resulted in a 90minute delay in rescue personnel entering the building. They did bring five-minute escape masks, which are intended for a short escape to a safe location but not for emergency response operations during a release. Detection and alarm equipment should be provided to warn of the release of highly toxic materials. Emergency response procedures and training should make it clear to emergency responders that when highly toxic chemicals may be present, they should review the situation and protect themselves before they

242

More Incidents that Define Process Safety

respond, so as to avoid becoming victims themselves. This is similar to the emergency response in the Jaipur incident described in Chapter 4.

5.6 DUPONT PHOSGENE RELEASE, WEST VIRGINIA, US, 2010 5.6.1 Summary On January 22 and 23, 2010, three separate incidents at the DuPont plant in Belle, West Virginia triggered notification of outside emergency response agencies. One involved the release of methyl chloride, one the release of oleum, and one the release of phosgene. The incident involving the release of phosgene gas led to the fatal exposure of a worker performing routine duties in an area where phosgene cylinders were stored and used. The phosgene incident occurred when a hose used to transfer phosgene from a 0.9 metric ton (1 ton) cylinder to a process catastrophically failed and sprayed a worker in the face while he was checking the weight of the cylinder. Coworkers immediately responded to the worker’s call for help. Initially, the worker that had been sprayed with phosgene showed no symptoms of exposure. However, his condition deteriorated rapidly, and he died the next night. Delayed onset of symptoms is consistent with phosgene exposure. In 1988, DuPont conducted risk assessments of the Belle phosgene plant. Using internal company criteria, decisions were made, and no potentially inherently safer approaches were undertaken. The CSB investigation also examined concerns raised by emergency response organizations regarding the timeliness and quality of information provided to response personnel (CSB 2011d).

Chapter 5 Environmental and Toxic Release Incidents

243

Key Points Compliance with Standards – Listen to your colleagues. Company standards often codify the learnings of many of your colleagues over many years of operation. Follow their guidance. If the guidance seems to not make sense or to be out of date, then use a MOC or deviation process to ensure that all aspects of this guidance are recognized and analyzed before a change is made or the guidance is not used. Asset Integrity and Reliability – Take care of the systems that take care of you. Changes in a maintenance management system, whether computerized or manual, should be managed and potential unintended consequences should be considered. These systems should have sufficient redundancy to ensure tracking and timely scheduling of preventive maintenance for safety-critical equipment. Incident Investigation – Know when to escalate. Incident reporting and investigation procedures are typically clear on what and to whom information is to be communicated. It sometimes takes hours or days to go through the process. But occasionally the situation identified could have imminent consequences. The procedures also need to be clear about how and when to escalate the process to avoid potential imminent consequences.

5.6.2 Description Background. DuPont’s Crop Protection business area is responsible for the development, manufacture, and sale of fungicides, herbicides, insecticides, and seed treatments globally. The DuPont Belle plant is located in Belle, West Virginia, about 13 km (8 mi) east of Charleston, the state capital. The plant occupies about 293 hectares (723 acres) along the Kanawha River and sits in an industrial, commercial, and residential use area. Process. The process unit runs on a campaign basis and is divided into a “front end” and “back end.” The front-end process makes

244

More Incidents that Define Process Safety

five isocyanate intermediate products. Phosgene is fed from 0.9 metric ton (1 ton) cylinders to the front end of the process to produce five intermediate products. The phosgene cylinders are stored in a naturally ventilated, partially walled storage shed. Two cylinders are staged on weigh scales and each is connected to the process with (polytetrafluoroethylene) PTFE 304 stainless-steel overbraid hoses. One hose transfers liquid phosgene to a steam vaporizer, and one provides 4.8 barg (70 psig) nitrogen to the cylinder. The scales record the cylinder weight. An alarm notifies the board operator when the cylinder is empty, and the operator then instructs field operators to switch cylinders. This switch is completed by opening valves to the full cylinder and closing valves to the empty cylinder. Site operating procedures do not require enhanced PPE, such as a fullyencapsulated suit and breathing air, for this operation. Under normal operating conditions, the process consumes two to three cylinders of phosgene per day. The Standard Operating Procedures (SOPs) require operators to don a fully-encapsulated suit with supplied breathing air when they replace an empty cylinder with a full cylinder. Phosgene is colorless and highly toxic and has a characteristic odor of freshly cut hay or grass. It has a boiling point of 8°C (46° F), making it liquid in cold weather and, gas in warmer weather. At room temperature, phosgene is heavier than air. The U.S. OSHA 8-hour TWA PEL for phosgene is 0.1 ppm. Injury may occur before phosgene odor is detected. Liquid phosgene contact with skin can also cause severe chemical burns at higher doses. Inhaled phosgene slowly undergoes hydrolysis and forms HCl, which results in upper respiratory irritation and burning sensations, cough, and chest oppressions. Symptoms may not appear until several hours after exposure. Phosgene also reacts with proteins in the pulmonary bronchioles and alveoli, disrupting the blood-air barrier in the lungs and resulting in increased lung fluid. Pulmonary edema can be present in victims as long as 40 hours after exposure and may last days, depending on the concentration and duration of the exposure.

Chapter 5 Environmental and Toxic Release Incidents

245

What happened. On January 23, 2010, a stainless-steel braided transfer hose, connected to a partially filled but not in service 1ton phosgene cylinder, failed catastrophically. When the release occurred, an operator was in the phosgene shed inspecting the status of the phosgene cylinder. He was sprayed across the chest and face with liquid phosgene that remained in the hose from a previous transfer operation. DuPont estimates that about 0.9 kg (2 lb) of phosgene were released to the atmosphere when the hose failed. The sprayed operator immediately called for help using the public-address phone in the phosgene shed. His dosimeter badge was discolored, indicating an exposure. The exposed worker washed his face and hands while waiting in the medical center. He did not use a safety shower, nor was he decontaminated in any other method. He was given clean coveralls. One confirmed and one possible phosgene exposure occurred after the initial release as a coworker responded to the victim in the shed and drove him to the medical center. Possible sources of this exposure were either phosgene vapor in the atmosphere or contact with the victim’s clothing. Why it happened. Common practice was to use plastic ties or metal clamps to attach tags indicating their intended service to hoses. One manufacturer used plastic adhesive tape to secure this identification information to the hose. The corrosion on the two hoses was under the area where the adhesive tag had been secured. The hoses had a core constructed of permeable PTFE and a braided 304-stainless steel exterior. The tape over this hose design allowed stress corrosion cracking (SCC) to occur. Refer to Figure 5.6-1. The permeable PTFE inner core allowed the phosgene to diffuse, which was then trapped on the stainlesssteel braid by the adhesive tape. The phosgene gas converted to HCl which corroded the 304-stainless steel overbraid. At the time of the incident, the phosgene hose isolation valves were closed, trapping phosgene in the hose and pipe. The corrosion of the hose, the hose length of service, and the thermal

246

More Incidents that Define Process Safety

expansion of the trapped phosgene caused the hose failure that sprayed the worker who happened to be nearby. 5.6.3 Management System Failures I. Commit to Process Safety 2. Compliance with Standards. A DuPont standard delineating acceptable construction materials for flexible hoses in highly toxic material service had listed three hoses for use in phosgene service. However, the Belle facility did not use any of the specified hoses. The hose used was not suitable for phosgene service. DuPont engineers voiced concern regarding the materials of construction for phosgene hoses, but these concerns were overruled based on the planned frequent changeout of the hoses. Standards, whether industrial or company specific, should be followed. Deviations from and changes to the standards should be subject to MOC. 3. Process Safety Competency. The Belle facility made the decision to deviate from the DuPont standard recommended hose construction for phosgene handling. It is important for those making decisions regarding facility design, changes to equipment, operating procedures, engineering controls, construction materials, PPE, procedures, maintenance, emergency response, and release detection and alarms to clearly understand the potential chemical hazards so that they can take these hazards into account in their designs. In this instance, the hazards associated with thermal expansion of entrapped liquid in piping and equipment were not well understood. II. Understand Hazards and Risk 7. Hazard Identification and Risk Analysis. PHAs were conducted on the phosgene cylinder feed system and vaporizer four times between 1994 and 2009. The 2009 PHA team

Chapter 5 Environmental and Toxic Release Incidents

247

Figure 5.6-1 – Photo of hose used to transfer phosgene (courtesy CSB) reviewed changes since the 2004 PHA, previous phosgene release incidents, and recommended corrective actions. The team identified a potential phosgene release from the cylinder transfer hoses if the hoses were incorrectly connected or inadvertently disconnected while the cylinder feed valve remained open. Thermal expansion was not considered. Although the team did consider the phosgene and water causing corrosion to stainless steel in other parts of the plant, this was not considered on the hoses. There had been previous phosgene leaks through PTFE at the plant, but this was not considered when analyzing the hoses. PHAs should include consideration of all potential hazards on all of the equipment within the scope of the study. A rigorous approach should be taken to avoid overlooking small piping or hoses. In the 2004 PHA, the team identified scenarios that could result in plant-wide or off-site consequences and made a

248

More Incidents that Define Process Safety

recommendation to install a shed enclosure around the cylinders. The original recommendation due date of December 2005 was extended four times and had not been completed at the time of the incident. The U.S. OSHA PSM standard requires companies to establish systems that resolve PHA recommendations in a timely manner. III. Manage Risk 10. Asset Integrity and Reliability. The DuPont SOPs specified changing the phosgene hoses every thirty days. However, work orders showed that this was not occurring routinely. The hoses involved in the incident were in service for more than six months. An SAP system was used to support maintenance at the Belle facility. It issued the work orders to change out the phosgene hoses per the specified frequency. In 2006, SAP data associated with the phosgene hoses was changed and SAP stopped issuing the work orders. The plant personnel were not aware that SAP had stopped issuing the work orders. With SAP not issuing the work orders, maintenance notifications to change the hoses were not generated. Maintenance management systems, computerized or not, should have sufficient redundancy to ensure tracking and timely scheduling of preventive maintenance for safety-critical equipment. Changes in maintenance management systems that relate to safety-critical equipment should be subject to MOC. 16. Emergency Management. One, potentially two, workers were exposed to phosgene after the initial exposure. The site did not have alarms in the phosgene shed or a radio/telephone system dedicated to emergencies. This resulted in limited ability to give information to emergency responders in a timely manner. Facility emergency response protocols should require that a responsible and accountable employee always be available (all shifts, all days) to provide timely and accurate information to the emergency responders.

Chapter 5 Environmental and Toxic Release Incidents

249

IV. Learn from Experience 17. Incident Investigation. On the morning of the phosgene incident, maintenance personnel replaced a phosgene hose because of a suspected flow restriction. The phosgene hose was removed and decontaminated. The adhesive tag came off showing a damaged stainless-steel braid and collapsed PTFE liner. Operators planned to inform supervisors about the damaged hose on the following Monday. Incident and near miss reporting and investigation systems should be thorough enough to recognize those critical incidents that could potentially lead to a an imminent event or to the escalation of an event. This should include the requirement to notify appropriate levels of authority immediately, regardless of the day of the week or the time of the day. 19. Auditing. An additional opportunity to learn of this potential failure occurred during a DuPont audit, where it was found that the phosgene hoses were not of the types specified in the DuPont SOP.

5.7 DPC ENTERPRISES, L.P. CHLORINE RELEASE, MISSOURI, US, 2002 5.7.1 Summary On the morning of August 14, 2002, a chlorine transfer hose failed, releasing 21,772 kg (48,000 lb) of chlorine over a three-hour period during a railroad tank car unloading operation at DPC Enterprises, L.P., near Festus, Missouri. Refer to Figure 5.7-1. The facility repackages bulk dry liquid chlorine into 0.9 metric ton (1 ton) containers and 68 kg (150 lb) cylinders for commercial, industrial, and municipal use in the St. Louis metropolitan area.

250

More Incidents that Define Process Safety

Chlorine is a toxic chemical. Concentrations as low as ten parts per million are classified as “immediately dangerous to life or health.” The wind direction on the day of the release carried the majority of the chlorine plume away from neighboring residential areas; however, some areas were evacuated. Sixtythree people from the surrounding community sought medical evaluation at the local hospital for respiratory distress, and three were admitted for overnight observation. The release affected hundreds of other nearby residents and employees, and the community was advised to shelter-in-place for 4 hours. Traffic was halted on Interstate 55 for 1.5 hours. Three DPC workers received minor skin exposure to chlorine during cleanup activities (CSB 2003b).

Key Points Asset Integrity and Reliability – Did you get what you paid for? It is often difficult to simply visually determine if that pipe, hose, or valve is what you thought you were purchasing. Positive Material Identification (PMI) should be used to verify that materials are delivered as specified, especially where the use of an incorrect material may lead to failure. Emergency Management – We are in it together. Recognize and test the assets and limitations of the neighboring emergency response capabilities in your emergency response plans and drills. Asset Integrity and Reliability – Will your ESD system work in an emergency? ESD system design should consider the operating and environmental conditions, including that of upstream equipment that might impact the system. ESD system testing should verify that the entire system works, from a sensor or button to the closing of a valve.

Chapter 5 Environmental and Toxic Release Incidents

251

Figure 5.7-1 – Failed chlorine transfer hose and release (courtesy CSB).

5.7.2 Description Background. DPC Enterprises bought the Festus repackaging facility in 1998 and added chlorine detectors and an ESD system to the chlorine repackaging area. The facility is part of the DX Distribution Group network of eighteen repackaging and distribution companies. DPC Festus is located on an 8-acre site in the Plattin Creek Valley of Jefferson County, Missouri. The facility receives bulk dry liquid chlorine in 82 metric ton (90 ton) tank cars and repackages it into 68 kg (150 lb) cylinders and 0.9 metric ton (1 ton) containers. DPC Festus employs twelve full-time personnel, including four packaging operators (packagers), four truck drivers, two

252

More Incidents that Define Process Safety

administrative staff, a sales representative, and an operations manager. The chlorine repackaging process is a one-shift operation, typically running weekdays from 6:00 a.m. to 4:00 p.m. At the end of the day, all tank car valves are manually closed, chlorine in the piping system is directed to the bleach production process, a vacuum is pulled, and the ESD button is pressed to close all ESD valves. The chlorine transfer hoses remain connected to the tank car overnight. Process. Chlorine is a toxic chemical. Chlorine exposure occurs through inhalation or through skin or eye contact. When inhaled in high concentrations, chlorine gas causes suffocation, constriction of the chest, tightness in the throat, and edema of the lungs. At around 1,000 parts per million (ppm), it is likely to be fatal after a few deep breaths. According to the National Institute for Occupational Safety and Health, chlorine gas concentrations of 10 ppm are classified as "immediately dangerous to life or health" (IDLH). Depending on a number of factors—such as release volume, terrain, temperature, humidity, atmospheric stability, and wind direction and speed—a chlorine gas plume can travel several miles in a short time at concentrations well above IDLH. At room temperature, chlorine is a greenish-yellow gas. Its pungent and irritating bleach-like odor provides warning of high concentrations. Chlorine gas can be detected by smell at concentrations well below 1 ppm. The chlorine repackaging process operation involves the following: Connecting an 82-metric ton (180,000 lb) chlorine tank car to one of three unloading stations; Transferring liquid chlorine from the tank car through the process piping system to filling stations; Loading the filled 68 kg (150 lb) cylinders and 1-ton containers onto trucks for distribution; Cleaning and preparing empty cylinders and containers for reuse.

Chapter 5 Environmental and Toxic Release Incidents

253

In addition to repackaging chlorine, the Festus facility also runs a continuous bleach manufacturing process. A chlorine tank car has four manually operated, one-inch valves and a pressure relief device mounted within a protective dome on top of the tank. Two valves are used for liquid chlorine discharge, and two valves are connected to the vapor space; however, at DPC Festus, one of these valves supplied “pad air” to pressurize the tank car during chlorine unloading, and the other was not in use. An excess flow valve that closes when the rate of flow exceeds 6804 kg/hr (15,000 lb/hr), is located beneath each liquid valve. Liquid chlorine is withdrawn from inside the tank car through eduction pipes attached to the excess flow valves. The facility operated one of the three unloading stations at a time. DPC specifications call for each chlorine transfer hose assembly to be constructed of a PTFE (Teflon®) inner liner (plastic), a Hastelloy C-276 structural reinforcement braid layer (metal) for pressure containment, and a high-density polyethylene (HDPE) spiral guard for abrasion protection. The DPC Festus ESD system is designed to shut off accidental releases of chlorine from the repackaging system. The ESD system is activated either automatically or manually by several ESD buttons located throughout the facility. At detection of 5 ppm chlorine, the system alarms, with flashing lights and an audio alarm. At concentrations of 10 ppm, the ESD valves are automatically closed and a higher decibel audio alarm sounds. Each tank car station is equipped with five ESD valves with local indication of valve position. The ESD system is manually activated at the end of each day; however, the DPC standard operating procedures did not require verification that the ESD valves closed using the local indicators. What happened. On August 12, 2002, a tank car containing 81,647 kg (180,000 lb) of chlorine was connected to station #3, which served all chlorine filling operations until the time of the release on August 14. The facility repackaging production records indicate that the car contained 36287 kg (80,000 lb) of chlorine at the time

254

More Incidents that Define Process Safety

of the incident. It was later determined that 21,772 kg (48,000 lb) of chlorine had been released. The chlorine repackaging system is on standby during morning and afternoon breaks, lunch, and cylinder change-outs. In both standby and shutdown modes, the chlorine transfer hoses remain connected to the tank car. Early on August 14, four DPC packagers, a truck driver, and the operations manager started up the chlorine filling and container preparation operations for the day. Mid-morning, two of the packagers and the truck driver went to the designated smoking area outside the repackaging building; the others remained in the breakroom. Twenty minutes later, the three men outside heard a loud pop (rupture of the 2.5 cm (1 in) chlorine transfer hose) and observed a continuous release of chlorine at tank car station #3. They immediately evacuated the area. The leak activated an area chlorine detection monitor audio alarm. The employees in the breakroom tried to identify the leak source but found chlorine entering the repackaging building and evacuated the building. The operations manager pushed the ESD button as he exited in an attempt to manually shut off the chlorine release. However, the release continued for nearly 3 hours, until HAZMAT personnel closed the tank car valves. DPC had four self-contained breathing apparatus (SCBA) units. The packagers were trained on use of the SCBA and on how to respond to a chlorine release; however, the SCBAs were not maintained and arranged for easy access, so the packagers were not able to grab the SCBAs as they left the building. The nine DPC personnel working evacuated within ten minutes. Seven followed the emergency plans to the assembly point, two did not but were contacted on the radio. DPC Festus had no sirens or other community-wide alert systems to notify the estimated 1,500 people that live and work within a 1.6 km (1 mi) radius of the plant. A drive-through “bull horn” notification, followed by door-to-door evacuation, was conducted at a neighboring mobile home park and residential

Chapter 5 Environmental and Toxic Release Incidents

255

area. It took emergency response personnel over one hour to evacuate the areas. Sixty-three people from the surrounding community sought medical evaluation at the local hospital; three persons were admitted and released the following day. Three workers also received minor skin exposure to chlorine during cleanup activities after the release. Why it happened. Hastelloy C-276 and 316L stainless-steel structural braiding are identical in appearance. DPC relied on information from the supplier to verify that the chlorine transfer hose met required specifications; the lack of an internal Quality Assurance (QA) management system, including verification of braid material, allowed the incorrect hose to be installed and left in operation until it failed. Inspection of the ESD valves showed ferric chloride corrosion product on the valve balls that prevented the valves from closing properly. The valve balls were constructed of Monel, which is resistant to moisture-induced corrosion in chlorine service. The corrosion products came from upstream at the pad air supply and tank car assemblies, as well as from parts of the plant liquid and pad air carbon steel piping. The DPC personnel did not understand the causes and effects of moisture-induced corrosion in the chlorine repackaging system and so were not alerted to deteriorating equipment conditions. According to the Chlorine Institute, the excess flow valve is designed to close automatically against the flow of liquid chlorine if the valve is broken off in transit. It may close if a catastrophic leak involving a broken connection occurs, but it is not designed to act as an emergency shutoff device during transfer. The tank car excess flow valves were designed to close only if the flow rate exceeds their set point of 6804 kg/hr (15,000 lb/hr). These valves remained open during the release.

256

More Incidents that Define Process Safety

5.7.3 Management System Failures III. Manage Risk 10. Asset Integrity and Reliability. The DPC QA management system did not ensure that chlorine transfer hoses met required specifications prior to installation and use. Companies should develop and implement a quality assurance management system, such as PMI, to confirm that equipment is of the appropriate construction for its intended use. PMI is a chemical analysis that verifies the percentage of metals (e.g., iron, nickel) in various alloys, such as stainless steel and Hastelloy. A PMI program can be used to verify critical part components as a final check prior to shipping, receiving, and use. The DPC testing and inspection program did not include procedures to ensure that the process emergency shutdown (ESD) system would operate as designed. The ESD testing procedures did not require verification that the valves closed. The mechanical integrity (MI) program failed to detect corrosion in the chlorine transfer and pad air systems before it caused operational and safety problems. Companies should implement procedures and practices to ensure the emergency shutdown (ESD) system operates properly, including the verification that the ESD valves will close to shut down the flow. Companies should implement a mechanical integrity (MI) program that ensures critical process equipment and components are designed, fabricated, installed, inspected, tested, and maintained in a manner that preserves the originally intended integrity of the equipment. Furthermore, management should provide adequate oversight to ensure that only trained and qualified personnel carry out these activities. Preventive maintenance and inspection programs should consider the various operating conditions that may be seen over the life cycle of the equipment. These operating conditions may include changes in environmental conditions, chemical composition or, in this case, exposure to corrosion products that migrated from other parts of the system.

Chapter 5 Environmental and Toxic Release Incidents

257

16. Emergency Management. Lack of clear emergency response plans and supporting equipment resulted in additional exposure to neighboring residents and businesses. Companies should develop, communicate, test, and learn from the use of emergency response plans. The roles and responsibilities of emergency response personnel should be clearly described. These plans should include local emergency responders and should accurately reflect their capabilities and resources, including community notification systems. Drills should be coordinated to involve local emergency response authorities.

5.8 GEORGIA-PACIFIC HYDROGEN SULFIDE POISONING, ALABAMA, US, 2002 5.8.1 Summary On January 16, 2002, hydrogen sulfide (H2S) gas leaked from a sewer manway at the Georgia-Pacific Naheola Mill in Pennington, Alabama. Several people working near the manway were exposed to the gas. There were two contractor fatalities, and seven people were injured. Choctaw County paramedics who transported the victims to the hospitals also reported symptoms of H2S exposure. The CSB called on the Agency for Toxic Substances and Disease Registry, the Pulp and Paper associations, and the associated unions to consider and communicate the risks of hydrogen sulfide exposure (CSB 2003c). This incident prompted the CSB to release a Safety Bulletin that warns of the dangers of sodium hydrosulfide and to recommend safe practices to prevent accidents when handling the chemical. The CSB found forty-five accidents associated with sodium hydrosulfide that have caused thirty-two fatalities and 176 injuries since 1971.

258

More Incidents that Define Process Safety

Key Points Hazard Identification and Risk Analysis – Be careful with what you are mixing! The need to analyze chemical reactivity may be more obvious in the process unit. However, the potential for chemical reactions with potential hazardous results in utility systems such as in drains and vents should not be overlooked. Emergency Management – Right to know. Make sure all involved (designers, operators, emergency responders, etc.) know what materials are on site, where they are located, how to handle them, and emergency procedures in case of accidental release. Management of Change – Little things add up. Over the years, adding a little connection here or there may result in a significant change. Changes, big or small, should be analyzed so that hazards may be identified.

5.8.2 Description Background. The Georgia-Pacific Naheola Mill is located in Pennington, Alabama, approximately 201 km (125 mi) north of Mobile and 241 km (150 mi) southwest of Birmingham. The mill began operation in 1958, went through a series of mergers and acquisitions, and now operates as Fort James Operating Company, a fully owned subsidiary of Georgia-Pacific Corporation. The Naheola Mill produces over 589,670 metric tons (650,000 tons) of paper, paperboard, and pulp annually. Approximately 1,475 employees work at the mill. Process. The Naheola Mill uses the Kraft process to produce pulp. In this process, wood chips are treated with a liquor of sodium hydroxide and sodium sulfide that chemically breaks them down into pulp. The liquor is recycled, and fresh chemicals are added, including sodium hydrosulfide (NaSH). The pulp is sold as pulp and, after processing, as tissue, towels, and paperboard.

Chapter 5 Environmental and Toxic Release Incidents

259

The NaSH is delivered by tank truck and stored on site. The Naheola Mill may go several months without a delivery and then bring in several tank trucks in a short span of time to replenish the supply. NaSH is delivered to an unloading station located in a typically unoccupied area near the maintenance shops, between the chemical area and the wastewater treatment area. Fuel oil and caustic are unloaded in the same area. Refer to Figure 5.8-1.

Figure 5.8-1 – Layout of tank truck unloading station (courtesy CSB). What happened. Sodium hydrosulfide was being unloaded on January 15–16. Construction employees were working on a project in the vicinity of the tank truck unloading station. The unloading station consists of a large concrete pad sloped to a collection drain. A shallow concrete oil pit containing unloading pumps and associated process piping is located directly next to the pad and collection drain. This pit collects rainwater, condensate, and chemical spills from the unloading station. Fifteen tank trucks of NaSH had been unloaded in the 24 hours prior to the incident, resulting in some NaSH being in the oil pit along with water. An operator drained some liquid from the

260

More Incidents that Define Process Safety

pit to avoid having the construction crew stand in the fluid-filled pit. On the day of the incident, more tank trucks arrived carrying NaSH. During the unloading process, approximately 19 l (5 gal) of NaSH were spilled from these three tanks to the collection drain. At the same time, sulfuric acid was being added to the acid sewer to control pH downstream in the effluent area. The NaSH that had been spilled to the oil pit and the collection drain drained to the sewer and reacted with the sulfuric acid to form H2S. The cloud of H2S gas leaked through a gap in the seal of a manway near the construction workers. The two fatalities were contractors; seven other people were injured due to H2S exposure. Six Choctaw County paramedics who transported the victims also reported symptoms of H2S exposure. 5.8.3 Management System Failures II. Understand Hazards and Risk 7. Hazard Identification and Risk Analysis. There was no management of the chemicals in the oil pit, including no hazard review nor chemical reactivity control. During the truck unloading process, several potential sources of NaSH could leak and drain through the oil pit or collection drain to the acid sewer. The NaSH safety data sheet states that its interaction with acid will produce H2S. Companies should identify potential chemical reactions. This analysis should include not only the main process where the chemical is used, but also other systems where chemicals may collect and interact, such as sewers and vent systems. Safeguards should be put in place to decrease the likelihood or consequences of such interactions.

Chapter 5 Environmental and Toxic Release Incidents

261

III. Manage Risk 8. Operating Procedures. Operating procedures for NaSH tank truck unloading and oil pit operations did not warn of the hazard of mixing NaSH with acids or the hazard of allowing NaSH to enter sewers. Companies should ensure that operating procedures warn of the hazards of the chemicals being handled, including the hazards of mixing chemicals. 13. Management of Change. Modifications to the acid sewer over a period of several years included connections to the chlorine dioxide sewer, to the sewer from the truck unloading area, and to the containment area known as the oil pit. These changes were not managed with a formal MOC process, and there was no hazard evaluation nor consideration of the potential chemical reactions. The potential for H2S evolution was not identified; therefore, no detectors or alarms were placed in the oil pit area. Companies should apply good engineering and process safety principles to all areas handling toxic materials, including process sewer systems. This should include hazard reviews and management of change (MOC) analyses. 16. Emergency Management. Since H2S was not identified as a hazard, there were no detectors or alarms in the area to warn of a release. Personnel had only their sense of smell to indicate the possible presence of H2S; however, smell is not a reliable indicator for H2S because the gas causes olfactory fatigue. Companies should identify areas where toxic materials could be present or generated and provide safeguards (including detectors and alarms) to minimize exposure. Personnel should be trained to recognize the presence of toxic materials and the appropriate emergency response practices for conducting a rescue operation. The victims were not decontaminated at the scene, because this was not required in the local procedures. Company

262

More Incidents that Define Process Safety

emergency response plans should include procedures for decontaminating personnel when necessary for their own safety and also for the safety of emergency responders. 5.9 CITGO HF RELEASE AND FIRE, TEXAS, US, 2009 5.9.1 SUMMARY A fire in the alkylation unit at CITGO's Corpus Christi refinery led to a release of hydrofluoric acid (HF). One worker was critically burned. One other employee was treated for possible HF exposure during emergency response activities. The CSB investigation raised questions regarding the adequacy of the water mitigation system supply (CSB).

Key Points Emergency Management – Plan for the worst. Emergency response plans and equipment should consider the worst-case events. When an incident could continue for many hours or days, backup systems may be required. These backup systems should be tested and maintained to ensure they will function when called into service. Auditing – Consider audits as a gift. Audits enable the identification of potential problems before an incident occurs. Audit protocols often include learnings from across a company or industry. The gift of audit findings should be welcomed, even sought. 5.9.2 DESCRIPTION Background. CITGO’s refineries in Corpus Christi, Texas, and Lemont, Illinois, include HF alkylation units. Processes using 454 kg (1,000 lb) or more of HF must comply with the US Occupational Safety and Health Administration (U.S. OSHA) Process Safety Management Standard for Highly Hazardous Chemicals (29 CFR 1910.119) and the US Environmental Protection Agency (EPA)

Chapter 5 Environmental and Toxic Release Incidents

263

Chemical Accident Prevention Program (40 CFR 68). In addition, HF is listed as an extremely hazardous substance for the purposes of emergency planning under the U.S. EPA EPCRA. Process. Alkylation units convert low-molecular-weight hydrocarbons into higher octane hydrocarbons used in gasoline. The catalyst used in alkylation units is either sulfuric or hydrofluoric acid. HF is a corrosive, highly toxic chemical that can severely burn skin, eyes, and other tissue. CITGO installed an HF water mitigation system after a 1977 alkylation unit release and fire. The water mitigation system was intended to wash the HF release out of the air to protect the downwind community. What Happened. On July 19, 2009, a control valve failed when an internal plug unthreaded from the valve stem, closing the valve. This sudden and nearly complete flow blockage caused violent shaking of the process recycle piping, resulting in failure of two threaded connections and a release of hydrocarbons. The hydrocarbon cloud reached an adjacent unit and ignited. The resulting fire caused multiple other failures and burned for several days. Only one bypass valve was installed in the system. It was a manually operated valve and was inaccessible following the hydrocarbon release. CITGO reported approximately 19 metric tons (21 tons) of the released HF was captured by the HF water mitigation system and 14 kg (30 lb) were not captured. Studies have shown that these water mitigation systems are 90 to 95% efficient or less. Using these efficiencies, the release would have been about 1.8 metric tons (2 tons).

264

More Incidents that Define Process Safety

5.9.3 Management System Failures III. Manage Risk 16. Emergency Management. The Alkylation Unit PHA assumed that the HF mitigation system was available to minimize the consequences of an HF release. During the incident, salt water from the Corpus Christi ship channel was pumped into the CITGO fire water system to backfill the fire water supply tank. Multiple failures occurred during the salt water transfer, including multiple ruptures of the barge-toshore transfer hoses and two water pump engine failures. Water supplies used for firefighting or toxic cloud mitigation should be designed to provide adequate supplies for the duration of a potential incident through storage capacity and/or a backup system. The entire system, including any backup water supply arrangements, should be periodically tested to ensure they function to their design specifications. IV. Learn from Experience 19. Auditing. API RP 751, Safe Operation of Hydrofluoric Acid Alkylation Units, recommends refineries audit the safety of HF alkylation operations every three years. API 751 details elements to be included as part of a comprehensive audit plan. CITGO had never conducted an API RP 751 safety audit of HF alkylation operations. Companies should take benefit from the learnings provided in industry guidance documents. HF alkylation unit operations should be audited using API RP 751 by a lead auditor with an extensive knowledge of HF hazards, HF alkylation units, and API RP 751.

Chapter 5 Environmental and Toxic Release Incidents

265

Figure 5.10-1 – Hube Global and surrounding area (courtesy Korea Institute of Public Administration).

5.10 HUBE GLOBAL HF RELEASE IN GUMI, SOUTH KOREA, 2012 5.10.1 Summary On September 27, 2012, eight metric tons (8.8 tons) of hydrofluoric acid (HF) was released at the Hube Global plant in Gumi, South Korea. The incident resulted in five fatalities, eighteen injuries, three thousand residents seeking medical treatment, 212 hectares (534 acres) of damaged crops, and more than thirty-nine livestock being exposed and destroyed. The incident prompted the Korean government to create a “Comprehensive Plan for Chemical Safety” that introduced off-site consequence analysis as well as other requirements. It also prompted changes to promote cooperation between emergency responders, including governmental agencies (Korea Institute of Public Administration).

266

More Incidents that Define Process Safety

Key Points Compliance with Standards – Having and using a safety management system is fundamental. Regulatory entities and companies both need to commit to process safety. Emergency Management – Cooperate. Emergency response often calls upon several different organizations that may not work closely in their day-to-day work. Planning and conducting drills will highlight areas where cooperation may be improved.

5.10.2 Description Background. The Hube Global plant is located in Gumi, South Korea, about 200 km (124 mi) from Seoul. The commercial area was originally developed with the goal of attracting high-tech firms but now includes other industries, primarily manufacturing. Refer to Figure 5.10-1. In 2008, Hube Global, a South KoreanChinese joint venture headquartered in Seoul, opened the plant to supply raw materials to the electronics, chemicals, cosmetics, pharmaceuticals, and biotech sectors. Process. Hydrofluoric acid is used to produce chemical precursors for the pharmaceutical industry and also has other industrial applications. HF is highly toxic, and exposure can be fatal or cause serious damage to the skin, lungs, heart, bones, and nervous system. What Happened. Investigation reporting of this incident is limited. The incident occurred during the unloading of an HF delivery tanker when the delivering vessel was pressurized, pushing the HF into the receiving vessel. A security video camera recorded two workers on top of the receiving vessel. It appears that the operator opened the valve before the connection was complete. The HF release, which was estimated at eight tons, engulfed the workers. The delivering vessel was reportedly not clearly marked, leaving the emergency responders unaware of the toxic HF contents, which resulted in further exposure to the responders and broader community. Refer to Figure 5.10-2.

Chapter 5 Environmental and Toxic Release Incidents

267

Figure 5.10-2 – Hube Global HF release (courtesy of Korea Institute of Public Administration).

Figure 5.10-3 – Crop damage due to Hube Global HF release (courtesy of Korea Institute of Public Administration). The sign in this photograph reads "Hydrofluoric Acid release accident disaster area. Absolutely no consumption or use. ~ Gumi City Safety Counsel."

268

More Incidents that Define Process Safety

The initial government response to the accident and slow evacuation of nearby residents was criticized by the Korean media. On October 8, the South Korean government designated the area around the plant as a “special disaster zone.” Refer to Figure 5.10-3.

5.10.3 Management System Failures I. Commit to Process Safety 2. Compliance with Standards. There was a Process Safety Management (PSM) system in place to prevent major industrial accidents such as chemical plant explosion, fire, and leakage; however, Hube Globe was originally not covered by the regulation. They were covered as of 2009 but did not submit the report to the Ministry of Employment and Labor. The Ministry of Environment required that when dealing with hazardous materials, such as hydrofluoric acid, the person in charge needs to control the leak by using counteragent; however, Hube Globe was not equipped with a counteragent. Companies should comply with process safety regulations, including reporting and emergency response requirements. 5. Stakeholder Outreach. Under the Toxic Chemical Control Act, nearby residents should have been informed of the Self-Prevention Plan in advance; however, Hube Globe was not subject to public disclosure and thus the residents nearby were not aware that Hube Globe plant handled hazardous materials. Companies should ensure that neighbors who could potentially be impacted by fires, explosions, or toxic releases are aware of the chemicals handled at the site, their associated hazards, and appropriate emergency response measures.

Chapter 5 Environmental and Toxic Release Incidents

269

III. Manage Risk 16. Emergency Management. Firefighters who initially responded to the Hube Global incident may not have been aware of HF acid hazards or how to protect against them. The first firefighters on the scene wore typical firefighting bunker gear, which is not appropriate for HF exposure. Facilities handling HF should ensure that workers and emergency responders are provided with appropriate PPE so that they can attempt to isolate the release and respond to the emergency. At the time of the accident, neither the Gumi city government nor the Hube Global plant had supplies of slaked lime, an agent used to neutralize the acid. Slaked lime was not deployed at the accident scene until the day after the leak. Water mitigation systems may be used to wash the HF cloud out of the air to protect downwind employees and neighbors. The emergency response involved government agencies (one focusing on fires and explosions, and one had chemical accident investigation equipment) and the Army who had personnel and equipment for neutralizing chemicals in terror attacks. The local fire department requested support from the Army; however, the Army rejected the request because the accident was not a terror attack. Following the accident, the National Institute of Chemical Safety enhanced cooperation among government agencies related with chemical safety including sharing information. Emergency response plans should be drilled. These drills will serve to highlight any areas for improved cooperation between the responding agencies.

270

More Incidents that Define Process Safety

5.11 OTHER INCIDENTS Five environmental and toxic release incidents were described in the first edition of this book. ICMESA chemical release, Seveso, Italy, July 10, 1976 (2,4,5-trichlorophenol, ethylene glycol, and chlorinated phenols. 2,3,7,8-tetrachloro-dibenzo-para-dioxin (TCDD). Dioxin first came to widespread attention during the Vietnam War when it was identified as a component of Agent Orange. Union Carbide methyl isocyanate release, Bhopal, India, December 3, 1984 Marathon Oil Refinery HF release, Texas City, Texas, October 30, 1987 Sinking of the “Erika”, Bay of Biscay, France, December 12, 1999 Motiva Enterprises LLC sulfuric acid tank failure, Delaware City, Delaware, July 17, 2001

5.12 ADDITIONAL RESOURCES The following books and resources are available to help understand the prevention of environmental and toxic releases. “Chemical Reactivity Resources” The chemical reactivity resources listed in Chapter 2 may also be helpful in the avoidance of reactions that can generate toxic releases. Guidelines for Asset Integrity Management (CCPS 2016). This book is an update and expansion of topics covered in Guidelines for Mechanical Integrity Systems (2006). The new book is consistent with the RBPS and Life Cycle approaches and includes details on failure modes and mechanisms. Also, example testing and inspection programs are included for various types of equipment and systems. Guidance and examples are provided for selecting and maintaining critical safety systems. Guidelines for Engineering Design for Process Safety, 2nd Edition (CCPS 2012). The book focuses on process safety issues in the

Chapter 5 Environmental and Toxic Release Incidents

271

design of chemical, petrochemical, and hydrocarbon processing facilities. It discusses how to select designs that can prevent or mitigate the release of flammable or toxic materials, which could lead to a fire, explosion, or environmental damage. Guidelines for Chemical Transportation Safety, Security and Risk Management (CCPS 2008a). This CCPS Guideline book outlines current transportation risk analysis software programs and demonstrates several available risk assessment programs for land transport by rail, truck, and pipeline for consequences that may affect the public or the environment. Topics include loading and unloading and operating procedures to reduce human error.

272

More Incidents that Define Process Safety

6 Transportation Incidents 6.1 INTRODUCTION Incidents that Define Process Safety (CCPS 2008) included a number of transportation incidents in the marine and aviation sectors. This chapter will focus primarily on train and pipeline incidents. Unlike incidents that occur in a facility such as a refinery, chemical plant, or offshore platform, transportation incidents may occur anywhere along a vast pipeline route or transportation corridor. These pass through open countryside, but also through communities and densely populated cities where, if an incident occurs, the consequences can be great. The CCPS RPBS element of Stakeholder Outreach is very important in transportation risk management. Many pipeline incidents have occurred due to damage from mechanical digging equipment, such as a backhoe, that was inflicted years before the incident. Having open conversation and tools for people to understand where pipelines are can greatly aid in preventing accidental damage. Whether from damage or from aging, understanding the integrity of a pipeline system that spans thousands of miles is a challenge, especially since the original construction data may no longer be available. Ensuring that integrity management systems are robust and based on good data has been the subject of regulation following incidents described in this chapter. Considering the expanse of pipeline networks, planning for and managing an emergency can be daunting since a release can occur anywhere along their route. This means that stakeholder outreach and emergency response should work together to make sure that the location of the incident can be pinpointed, that the potentially impacted people can quickly be made aware of the

Chapter 6 Transportation Incidents

273

situation, and that plans are clear on how to verify the emergency situation is rendered safe, and how to clean up the aftermath. A few of the incidents highlight two important elements of the conduct of operations: design expectations and what to do when an operation doesn’t seem right. The key learning here is that if there is an expectation for an operator to respond in a certain way, then that information should be clearly stated, implemented in design/training, and tested. Equally, if an operator is working on a task and it just doesn’t seem right, then he should stop. Stop, think, check it out, plan the appropriate next steps, and then proceed.

6.2 MONTREAL, MAINE & ATLANTIC RAILWAY DERAILMENT AND FIRE, QUEBEC, CANADA, 2013 6.2.1 Summary In the early hours of July 6, 2013, an unattended Montreal, Maine & Atlantic (MMA) Railway train rolled from its overnight parking location and proceeded over seven miles into the town of LacMegantic, where it derailed. The train was carrying crude oil and the resulting fires and explosions fatally injured forty-seven people and destroyed forty buildings and fifty-three vehicles. Refer to Figure 6.2-1. Forty-seven counts of criminal negligence were filed against three MMA employees, and the company declared bankruptcy as a result of this incident (TSB 2013). This incident prompted discussions on the safe rail transportation of crude oil and the DOT final rule in May 2015 to strengthen safe rail transportation of large volumes of flammable liquids (NCSL, 2015).

274

More Incidents that Define Process Safety

Key Points Compliance with Standards – Comply with industry and company standards. Standards include the experience, hard learnings, and even expert calculations of many others. Take their advice and follow the standards. Management of Change – Beware of creeping change. When small changes happen slowly over time, it is easy to overlook them. Eventually the small changes add up to a big change that has not been realized or had the risk managed. Emergency Management – Is it really “all clear?” It’s human nature to want an emergency to be over—to declare it under control. However, when that emergency involves operating equipment, an expert in the control of that equipment should be consulted to verify that the equipment status is truly safe.

Figure 6.2-1. Lac-Megantic tank cars with breaches to their shells (adapted from TSB).

Chapter 6 Transportation Incidents

275

6.2.2 Description Background. The MMA-002 train was traveling from Farnham, Quebec, to Brownville Junction, Maine. The train was made up of seventy-two cars carrying 7.7 million liters (2 million gal) of crude oil (UN1267). Just before midnight on July 5, 2013, the train was parked in Nantes. Process. The 1,433 m (4,700 ft) long train contained seventy-two tank cars loaded with crude oil from the Bakken fields in North Dakota (NTSB 2015). The cars were DOT-111 design. With the fracked crude from primarily Texas and North Dakota, the US was producing more crude oil than it had in thirty years. Transportation of crude oil by rail had increased significantly to move the crude to refineries for processing. Carloads carrying oil in 2014 rose by more than 5,000% when compared with 2008 numbers (NCSL 2015). The fracked crude oils from formations such as the Bakken are of a lower density, flow freely at room temperature, and have a higher proportion of light hydrocarbon fractions resulting in higher API gravities (between 37° and 42°). A Sandia report stated that “No single parameter defines the degree of flammability of a fuel; rather, multiple parameters are relevant.” (Sandia 2015) The attention following this incident is continuing to prompt discussion on the safe transport of various classifications of crude oils. What Happened. The locomotive engineer stopped the train on a downhill grade on the main track. He used the automatic brakes and applied the brakes on the locomotive and the buffer car. He then began to apply the hand brakes and shut down the trailing locomotives. He tested the hand brake by releasing the locomotive automatic brakes but did not release the locomotive independent brakes. He communicated with the rail traffic controller, noting mechanical difficulties he had experienced, including excess smoke and a loss of power in the lead engine. They decided to address these issues in the morning. The locomotive engineer went off-duty to stay in a Lac-Megantic hotel. The taxi driver noted

276

More Incidents that Define Process Safety

the smoke from the smokestack, along with oil droplets. The locomotive engineer stated that he had informed the company of the issue. Just before midnight, a fire was reported on a train at Nantes. A track foreman met with the fire department and was told that the emergency fuel cut-off switch had been used to shut down the lead locomotive. This stopped the fuel to the fire. The firefighters also put the locomotive electrical breakers in the off position. The track foreman and the fire department were in conversation with the rail traffic controller. The locomotive engineer asked the rail traffic controller if he needed to return to the train to start another engine. He was told that the track manager had dispatched a track foreman to the site. The train was left for the night with no engines running. Over the course of the next hour, air pressure bled from the brake system, and the train began to roll downhill. It reached a speed of over 105 kph (65 mph) and traveled the 11.6 km (7.2 mi) to the town of Lac-Megantic, where sixty-three railcars derailed, releasing approximately six million liters (1 million gal) of crude oil. The spill flowed to the lake, ignited, and resulted in the fortyseven fatalities. Why It Happened. The MMA procedure for parking of unattended trains required 9 hand brakes to be set for trains of this length and additional hand brakes to be used if the train was parked on a slope of the grade in Nantes. Canadian rail industry best practice would have been to set 40% of the train hand brakes. Only seven hand brakes were set on this train, and the engineer improperly performed a brake test without releasing the locomotive’s air brakes. When the firefighters responded to the train fire in Nantes, they shut down the locomotive per the firefighting procedure; however, they did not follow the procedure addressing parking the train on the grade. Additionally, they did not contact the locomotive engineer. With none of the other locomotives running, the air in the brake system started to deplete, and an hour later the train began to roll downhill. The train reached 105 kph (65 mph). The track in the Lac-Megantic switch area was rated for only 24 kph (15 mph).

Chapter 6 Transportation Incidents

277

At the time of the incident, the DOT-111 train car was the standard car for flammable liquids. A number of changes happened during the increased production of fracked crudes, including the number of cars in a single train, the overall volume of crude transported by train, and the properties of the fracked crude itself. The DOT-111 car was not capable of withstanding the impacts experienced in the Lac-Megantic derailment. A 2015 DOT final rule addressed “high-hazard flammable trains” (HHFT) which means “a continuous block of twenty or more tank cars loaded with a flammable liquid or thirty-five or more tank cars loaded with a flammable liquid dispersed through a train.” This rule included provisions on enhanced breaking, enhanced standards for new and existing tank cars, reduced operating speeds, more accurate classification of unrefined petroleum-based products, and rail-routing risk assessment (DOT 2015). The DOT-117 is the new generation of rail car now used for transportation of HHFTs. It includes thicker gauge jackets, head shields, and tank ends and improved valve designs. Refer to Figure 6.2-2.

Figure 6.2-2. DOT-117 Train car (courtesy DOT).

278

More Incidents that Define Process Safety

6.2.3 Management System Failures I. Commit to Process Safety 2. Compliance with Standards. The MMA SOP required a prescribed number of hand brakes to be set, depending on the number of rail cars and the grade of the parking location. The MMA-002 train was not in compliance with this requirement. Additionally, the brake effectiveness check was not performed correctly in that the check was conducted with the air brakes set. Standards, whether regulatory or company, should be followed. When standards are not followed and work is completed based solely on one’s experience or judgment, then the benefit of other person’s experiences, hard learnings, and even expert calculations are a resource and opportunity wasted. III. Manage Risk 10. Asset Integrity and Reliability. The locomotive that failed had engine problems in October 2012, and a repair was made. Two days before the Lac-Megantic incident, the locomotive engineer reported problems with the same engine surging. When the locomotive was parked at Nantes, the smoke and oil spray was noticed by the taxi driver, but the locomotive engineer and the rail traffic controller felt it could wait until morning to be addressed. Nonetheless, this same engine was the only one left running and was the sole source of air pressure for the parked train. After the incident, tests showed that the cam bearing had fractured when the mounting bolt was overtightened after the non-standard repair in October. Repairs should be made following expert direction. “Making do” with materials on hand and over-tightening bolts are frequently noted in accident reports. Additionally, operational issues with equipment that has been repaired should be reported and investigated to ensure that it is fit for continued service.

Chapter 6 Transportation Incidents

279

13. Management of Change. This incident is an example of creeping change in an industry over a number of years. The industry was generally satisfied with the performance of the DOT-111 cars. However, significant changes were being made to the number of cars in a single train, the volume of crude oil being transported, and the properties of the crude oil. The impact of these change on the risk profile were not effectively addressed until this incident prompted the industry to do so. Likewise, the MMA railroad did not perform an adequate risk assessment when they began transporting large trains of flammables. In particular, MMA did not assess the risk of changing to single person train operations or the risk of leaving trains unattended on a grade. In addition to procedural changes, a thorough risk assessment could have recommended several engineered safeguards, including the use of engine auto-start on low air pressure and a software upgrade that would automatically apply full emergency braking upon reaching low air pressure, before the air was completely exhausted. 16. Emergency Management. The emergency response to the train on fire at Nantes was also an opportunity to stop the incident before it progressed, but this opportunity was missed since MMA management assigned a person who had not been trained and qualified as a locomotive engineer to assist the fire department. An emergency scene should not be declared under control until personnel qualified to make that determination are on scene and able to do so. For example, with a house fire, the fire department may work in conjunction with a utility company to determine whether the fire is under control. With operating equipment, experts in the use and control of that particular equipment should be consulted before the scene is declared safe.

280

More Incidents that Define Process Safety

6.3 NORFOLK SOUTHERN COLLISION AND HAZARDOUS MATERIALS RELEASE, SOUTH CAROLINA, US, 2005 6.3.1 Summary On January 6, 2005, a Norfolk Southern Railway freight train collided with another parked Norfolk Southern train. The collision derailed sixteen of the forty-two freight train cars. Among these derailed cars were three tank cars containing chlorine, one of which released chlorine gas. Nine people died from exposure to the chlorine gas and 554 people sought treatment in hospitals. Approximately 5,400 people near the derailment site were evacuated for several days (NTSB,2005).

Key Points Stakeholder Outreach – Speak to your stakeholders. Plan together. Talking among yourselves will likely not provide the best understanding and response. Working together in advance, understanding who all may be involved, and planning together will help support an effective response. Conduct of Operations – Whatever control you are using, make sure it works. If it is an engineered system – maintain it. If it is a procedure – follow it. And if there is a safeguard – make sure there is time for you to identify the issue, time for you to respond, and sufficient time for the device to function properly to prevent an incident. Emergency Management – Be specific in communications. Identify the best means of communication before an incident occurs. Interpret the safety data sheet and plan appropriately. Depending on the potential hazards, emergency communications may require advising people to shelter in place or to seek higher ground.

Chapter 6 Transportation Incidents

281

6.3.2 Description Background. Graniteville is a rural community located in a valley with approximately 5,400 people living within 1.6 km (1 mi) of the accident site. The Norfolk Southern track in the area is not equipped with automatic signals indicating rail switch positions. There are a number of sidings, short sections of track distinct from the main line, servicing the local industries. Process. The process is that of moving train cars on various industry sidings using both the sidings and some sections of main line. What Happened. On the day before the accident, train cars were moved around the various sidings during the day. Shift change occurred in the evening. At 2:39 a.m., a train traveling at 77 kph (48 mph) was unexpectedly diverted onto an industry siding and into a parked train. Refer to Figure 6.3-1. Several railcars ruptured. Approximately 54 metric tons (60 tons) of liquefied chlorine gas was released and rapidly vaporized. The conductor and engineer survived the impact. They exited the train, moved about 91 m (300 ft), traveled a bit further, and laid on the ground. They saw white or gray smoke and smelled chemicals. Winds were light that night, and the chlorine cloud settled in the valley along the track. There were numerous 911 calls as people smelled the gas. The local fire departments responded, sensed the gas, and stood back from the scene. At 2:49 a.m., the fire department asked that the reverse 911 emergency notification system be activated, advising residents to shelter indoors. At 2:57 a.m., the fire department asked that road traffic for a one-mile radius around the site be blocked and reiterated the reverse 911 request. From 3:05 a.m. to 3:40 a.m., the fire department set up an incident command center, moved that center further away, accessed information on the materials in the breached tank cars, and set up a second decontamination center. At 3:50 a.m., firefighters began rescuing people from adjacent industrial sites.

282

More Incidents that Define Process Safety

Figure 6.3-1. Norfolk Southern Railway freight train derailment site (courtesy NTSB). Meanwhile, the reverse-911 system worked, but communication to the local residents was not entirely effective. Some people were told to shelter in place, and some were told to evacuate but were not given any guidance on how or in which direction to go. At 11:00 p.m. on the day of the incident, the emergency responders used a polymer patch on one of the ruptured tank cars. This was the start of the process of containing and then unloading the contents from the damaged railcars. This process was completed on January 18. Why It Happened. The train diverted onto the industry spur because the switch had not been moved to disconnect the spur from the main line. The switches were manual, and there was no mechanism to remind personnel of the switch position before

Chapter 6 Transportation Incidents

283

they left the site. Federal Railroad Administration data has shown that a leading cause of train accidents is improperly lined switches (NTSB 2005). The NTSB concluded that there was not sufficient reaction time for the train engineer to see the signal position banner, react, and stop the train.

6.3.3 Management System Failures I. Commit to Process Safety 5. Stakeholder Outreach. Railroads, like other transportation corridors, often traverse populated areas, and the people in those areas may be impacted by an incident on the traffic corridor at any time of the day or night. This understanding and the details of what types of chemicals might be involved, as well as what the appropriate responses might be, should be communicated and understood by local authorities. This requires cooperation between all the stakeholders involved: the company that owns/produces the chemical, the company transporting the chemical, the local emergency responders, and the neighboring residents. III. Manage Risk 15. Conduct of Operations. The many local sidings in this area were manually switched from the main line. Although this is a railway incident, there are many parallels to an operating process unit and the hierarchy of controls. A better design would have been to automate the switches or to implement an administrative control to keep track of switch position. The switch position signal safeguard that was in place, should have been analyzed to ensure that the signal could be detected, responded to, and been reliable enough to function in sufficient time to prevent the incident.

284

More Incidents that Define Process Safety

16. Emergency Management. While the reverse 911 system worked, it alone was not sufficient to protect the exposed people. Effective communication and cooperation between all stakeholders are required. Planning for effective communication should include such factors as: how to promptly identify materials involved, reviewing and understanding SDS guidance on appropriate emergency response procedures, providing clear and specific direction to residents on how to respond (e.g., direction of travel), and preparing communication channels for use in an emergency.

6.4 GAYLORD CHEMICAL NITROGEN TETROXIDE RELEASE, LOUISIANA, US, 1995 6.4.1 Summary On October 23, 1995, a railroad tank car containing nitrogen tetroxide and water began leaking at the Gaylord Chemical Corporation plant in Bogalusa, Louisiana. Plant personnel and fire responders used water to suppress the vapors. Approximately 3,000 people were evacuated. Of the 4,710 people that were treated at local hospitals, eighty-one were admitted (NTSB 1998).

Key Points Conduct of Operations – If it doesn’t seem right, stop and check! When a measurement looks odd, or a gauge is at its maximum, or a sample is not as expected–take this as a warning. Verify the data before proceeding. In doing so, you may prevent an accident before it happens. Emergency Management – Make sure you clean up. This is important to protect emergency responders, operators, neighbors, and the environment. Many emergencies involve the mishandling of materials that were involved in an incident or that were generated in the emergency.

Chapter 6 Transportation Incidents

285

6.4.2 Description Background. Vicksburg Chemical Company was the shipper of nitrogen tetroxide to Gaylord Chemical Corporation in Bogalusa, Louisiana. Process. Nitrogen tetroxide is a liquefied poisonous gas and oxidizer. When nitrogen tetroxide is mid with water, it reacts to form nitric acid. What Happened. On September 14, nitrogen tetroxide vapors leaking from the tank car were suppressed with water. The Union Tank Car Company replaced four valves and noticed that one valve stem showed significant wear. On September 26, the tank car was loaded with nitrogen tetroxide at the Vicksburg Chemical Company. The tare weight of the car was 4,309 kg (9,500 lb) over the maximum weight noted on the car, but operators saw the new valves and assumed that the car had been rebuilt and that the maximum weight had been increased. They did not verify this assumption. On October 12, the nitrogen tetroxide was transferred into a storage tank at Gaylord. At the same time, material from the storage tanks was being transferred to the plant. Process sensors detected water contamination in the nitrogen tetroxide and triggered interlocks to shut down the chemical reactor. Because of the water contamination, it was decided to switch the rail car unloading into stainless-steel cargo tank trailers. On October 13, a meter used to measure the transfer indicated that the full quantity had been transferred. No other verification of the remaining quantity was made. Vapors started leaking from another cargo tank containing the same material. On October 17 and 20, a number of valves and gaskets on the tank car were replaced because they were determined to be inappropriate for the nitrogen tetroxide and fuming nitric acid. On October 19, Gaylord employees began transferring the remaining material into a cargo tank. The meter indicated over 23 m3 (6,000 gal) had transferred; post-accident calculations determined actually only over 3 m3 (800 gal) transferred. On October 23, a chemical analysis was done on the

286

More Incidents that Define Process Safety

contents of the tank car and, unexpectedly, (since the Gaylord personnel thought the tank car had been emptied of nitrogen tetroxide and any residual diluted with water) the results showed that the material was wet nitrogen tetroxide. The Gaylord personnel assumed the sample was not representative. More water was added to the tank car. The pressure rose to 6.9 bar (100 psig), the maximum calibrated pressure on the gauge. The water was turned off, but the pressure was at its maximum and appeared to be rising. The end of the tank car failed, releasing a large reddish-brown vapor cloud, approximately two and a half hours after the water was added that day. Why It Happened. On October 13, when the tank car was thought to be fully unloaded at Gaylord, water was added to dilute any residual material. After the accident, it was determined that only a small fraction had been offloaded. The carbon steel eduction pipes had been corroded by the nitric acid. On October 19, after the reactor shutdown and material sampling, meters were again used as the only measurement to determine if full unloading had occurred. Water was then added to clean what was thought to be an unloaded tank car. After the accident, it was found that the safety relief device had activated (set pressure at 26 bar (375 psig)) and bands of corrosion were found inside the tank.

6.4.3 Management System Failures III. Manage Risk 8. Operating Procedures. The NTSB indicated that the accident was caused by the lack of adequate procedures on the parts of both the shipping and receiving chemical companies (NTSB, 1998). The shortcomings in these procedures enabled the contamination of the product and the lack of detection of this contamination. Operating procedures should address both normal and abnormal situations. Providing clear direction on how to detect,

Chapter 6 Transportation Incidents

287

verify, and respond to an abnormal situation can help operators recognize deviations and respond appropriately. 15. Conduct of Operations. Measurements were taken using a single device and not verified. Even after the reactor shutdown and the discovery that the eduction tubes had corroded away, a single measuring device was again used with no verification. Testing of the material in the tank car showed that it was wet nitrogen tetroxide, but this was dismissed as not representative. The pressure gauge, which was at its maximum, did not trigger an appropriate response. This is a classic example of a cognitive bias, where the information that doesn’t support the presumed situation is dismissed. Operator training should include an instruction to question the situation before proceeding if things do not look right. Assuming that a device is broken, or a sample is not representative, and not verifying that to be true, is a warning missed. Operators should feel empowered to stop the procedure, question why, and proceed only when it has been determined that it is safe to do so. 16. Emergency Management. The NTSB also found that Gaylord Chemical’s emergency response procedures were inadequate (NTSB, 1998). Gaylord’s adding water and lack of accurately measuring the tank car quantity contributed to the tank car rupture. Emergency response procedures should address more than just fighting the emergency. They should also address how to safely handle and dispose of any hazardous materials that were involved in or generated by the emergency.

288

More Incidents that Define Process Safety

6.5 PACIFIC GAS AND ELECTRIC COMPANY PIPELINE RUPTURE AND FIRE, CALIFORNIA, US, 2010 6.5.1 Summary On September 9, 2010, a Pacific Gas and Electric (PG&E) Company intrastate natural gas pipeline failed catastrophically in a residential area of San Bruno, California. The release of an estimated 1.3 million standard cubic meters (47.6 million standard cubic feet) of gas resulted in a crater that was 22 m (72 ft) long and 8 m (26 ft) wide. A fire ensued, causing eight fatalities, injuring many others, destroying thirty-eight homes, and damaging seventy more. Refer to Figure 6.5-1. The NTSB made recommendations to the US Secretary of Transportation and multiple state agencies and industry associations. The Pipeline Hazardous Materials SA issued an Advisory Bulletin regarding the need to ensure the accuracy of data supporting the maximum allowable operating pressure calculations. Congress introduced several bills that strengthened pipeline safety oversight (NTSB 2011).

Key Points Process Knowledge Management – Make sure you have good data. Garbage in, garbage out. It is imperative to have correct data input to systems that control operations and maintenance. Without correct data, poor decisions will result. Asset Integrity and Reliability – Keep it in the pipe. Having a good system to manage equipment inspection, testing, and maintenance is required to maintain the integrity of the many pieces of equipment. Emergency Management – What’s happening? In an emergency, operators may be swamped with many alarms, work may be ongoing and other units may be impacted. Have plans to promptly identify what the problem is, where it is located, and how to isolate it to minimize the incident.

Chapter 6 Transportation Incidents

289

6.5.2 Description Background. PG&E provides natural gas and electric service to fifteen million people in northern and central California. Process. The PG&E gas facilities include more than 67,592 km (42,000 mi) of natural gas distribution pipelines and 10,300 km (6,400 mi) of transmission pipelines. The pipeline involved in the incident originates at the Milpitas Terminal and flows 74 km (46 mi) to the Martin Station. This PG&E system includes three pipelines and six crossties that allow gas to flow between the pipelines. The supervisory control and data acquisition (SCADA) center is located in PG&E’s San Francisco headquarters and manages the operations of the system. PG&E had experienced a 2008 explosion of a pipeline in Rancho Cordova and a 1981 pipeline leak in San Francisco. The NTSB noted similar factors between these incidents and the San Bruno accident. What Happened. About 3.5 hours before the rupture, uninterrupted power supply work was initiated at the Milpitas Terminal. The technician at the terminal was in contact with the (SCADA) center. They confirmed that the valves on incoming lines would close on loss of power, so they locked the valves open. As the work progressed, the terminal technician and the SCADA center were in contact at each step of the work. During the work, a local control panel lost power. The workers began looking for an alternate power source. Subsequent investigation showed that erratic voltages from redundant power supplies during this work caused erroneous pressure signals, prompting regulating valves to open fully. Less than an hour before the incident, the SCADA center displayed over sixty alarms in a few seconds. Through troubleshooting, they realized that the SCADA center was not receiving accurate data. They recognized that the entire system was overpressured and began changing set points to lower the pressure. High-high pressure alarms continued with pressures

290

More Incidents that Define Process Safety

above 27 bar (386 psig) until just after 6:11, when the rupture occurred.

Figure 6.5-1. PG&E pipeline rupture and fire in San Bruno (courtesy NTSB). The pipeline fractured at the weld joining two short pipe segments. The gas ignited, and a large fire ensued. San Bruno Police arrived in one minute and firefighters arrived in two minutes. The emergency response involved 900 people. Firefighting continued for two days after the gas flow was stopped. PG&E took ninety-five minutes to stop the gas flow. Why It Happened. The 1948 construction records for the pipeline showed 209 radiographed welds, fifteen of which were rejected, and a number of which were “borderline.” There were also notes of construction damage and repairs. The pipeline was tested at 6.9 bar (100 psig) with a soap and water solution on the welds and held at pressure for 48 hours. In 1956, PG&E relocated 564 m (1,851 ft) of the line that had been installed in 1948 to allow for the grading proposed for a new residential housing development. There were no design, construction, or testing records made available to the NTSB on this relocation. In 1961, PG&E relocated 531 m (1,742 ft) of the line

Chapter 6 Transportation Incidents

291

relocated in 1956, including the portion that ruptured in this incident. This section of pipeline was noted in the PG&E graphical information system (GIS) as being installed in 1956 (not 1948). It was noted as a seamless steel pipe API 5L X42 with a wall thickness of 1 cm (0.375 in.). The GIS information came from a 1977 pipeline survey that was based on accounting records, as opposed to engineering records, and the material code was incorrectly copied during the pipeline survey. The pipe was not seamless. PG&E later stated that at the time this pipe was purchased, all 30-inch pipe purchased would have had a longitudinal seam. The pipeline in the location of the rupture was created from six short segments of pipe. Subsequent testing showed that some of the segments did not meet the 1948 PG&E or industry material specifications. There were multiple defects found in the welds joining the segments. In 2008, San Bruno had a contractor replace the existing 6-inch vitrified clay sewer pipe with a 25 cm (10 in.) polyethylene pipe, using pneumatic pipe bursting. This is a widely used method that uses a bursting head to break and push out the existing pipe while simultaneously pulling the new pipe into place. The required notices were made prior to this work, and PG&E mechanic inspected the gas pipeline and was satisfied with the work. The NTSB report reviewed studies on the safe distances for this type of pipe bursting adjacent to utilities (NTSB, 2011). Calculations indicated that the ground vibrations could have deformed the segment where the rupture occurred.

292

More Incidents that Define Process Safety

Figure 6.5-2. Weld in failed PG&E pipeline (courtesy NTSB).

Figure 6.5-3. Properly made weld (courtesy NTSB).

Chapter 6 Transportation Incidents

293

6.5.3 Management System Failures Understand Hazards and Risk 6. Process Knowledge Management. The GIS data was based on accounting data which contained an error. This led to a lack of understanding of the type of pipe, the type of welds, and the pipe age. Many of the subsequent recommendations and legislation following the incident addressed the importance of verifying the data upon which managing systems such as control systems and maintenance systems are based. 7. Hazard Identification and Risk Analysis. The NTSB report (NTSB, 2011) noted that PG&E had experienced a number of leaks due to longitudinal weld defects since 1948. The response to more recent incidents had not met the expectations of the NTSB. PG&E had risk management practices that considered the likelihood and consequences of failure. The failure values were based on industry experience. These values were optimistic compared with PG&E’s experience but were not changed. This resulted in their integrity management program underestimating threats due to external corrosion and design and manufacturing defects. Hazard identification techniques are often required by regulation to include consideration of past incidents, both in the company and in the broader industry. III. Manage Risk 10. Asset Integrity and Reliability. PG&E’s pipeline integrity management system was inadequate. It was based on inaccurate information, failed to consider known weld defects in risk assessment, and used inappropriate inspection methods that could not detect weld defects. Inadequate quality assurance in the 1956 project resulted in a poorly welded pipe section being installed. An inadequate

294

More Incidents that Define Process Safety

pipeline integrity management program failed to detect the defective weld. Refer to Figures 6.5-2 and 6.5-3. Integrity management systems are critical. Ensuring that accurate data is included in the system is imperative to support sound risk analysis and decision-making regarding inspection and maintenance. 16. Emergency Management. PG&E lacked an adequate procedure for addressing large-scale emergencies, including providing clarity on a single point of command. The PG&E control systems caused delays in identifying the pipeline break location. Also, the lack of automatic shutoff valves or remote-control valves delayed isolation of the gas flow. Emergency response procedures should address all emergencies, small and large. In addition, contingency plans should be put in place to address situations when information or systems that are typically used in an emergency but may be offline or out of service.

6.6 ADDITIONAL PIPELINE RELEASES 6.6.1 Summary There have been numerous pipeline releases, in addition to the PG&E San Bruno release described above, that have resulted in human harm, damage to the environment, and destruction of property. While pipelines are frequently thought of traversing open countryside, they are also located in populated areas where the consequence of incidents can be significant. The incidents included below are representative, including toxic, flammable, and explosive consequences.

Chapter 6 Transportation Incidents

295

Key Points Stakeholder Outreach – “Know what’s below” (PHMSA, 2017). You may own or operate a pipeline, but it likely runs under areas where you have little control. Enabling stakeholders to prevent damage can avoid a release. Asset Integrity and Reliability – Is it still in good shape? There are miles and miles of pipelines that are in service for many years. Use a good integrity management system is imperative to ensuring safe and reliable service. Conduct of Operations – Where is it? Pipeline systems are vast. Like all control systems, it is important to design the control system to enable the operator to quickly understand and respond. 6.6.2 Description Three additional pipeline incidents are used to discuss the Key Points in this Section. Olympic Pipeline. On June 10, 1999, an Olympic Pipeline Company pipeline ruptured and released 897 m3 (237,000 gal) of gasoline into a creek in Bellingham, Washington. Over an hour later, the gasoline ignited and burned 2.4 km (1.5 mi) along the creek, causing three fatalities, injuring eight others, and damaging a residence and the Bellingham water treatment plant. Refer to Figure 6.6-1. The pipeline was damaged during excavation works associated with the 1994 water treatment plant modification. Inline inspections indicated damage, but the pipeline was not excavated for further inspection. The NTSB concluded that the pipeline would have been able to withstand the internal pressure at the time of the accident had it not been weakened by the external damage. Bayview Terminal was built and commissioned 6 months before the accident. There were issues with the pressure relief valves, resulting in operational issues that were reported but not

296

More Incidents that Define Process Safety

corrected. On the day of the incident, database development work being performed on the SCADA system while it was online caused it to fail, making it difficult to analyze the pipeline operation (NTSB, 2002). Enterprise Products. On October 27, 2004, Magellan Midstream Partners pipeline, operated by Enterprise Products, ruptured near Kingman, Kansas. Approximately 772 m3 (4,858 bbl) of anhydrous ammonia were released. No people were harmed, but more than 25,000 fish were killed. The investigation identified that the pipe segment that ruptured had four external gouges. Cracks within the gouges penetrated the pipe. It is unclear how the gouges were made. The pipeline operator using the SCADA did not accurately evaluate the data and promptly shutdown the pipeline (NTSB, 2007). Nigerian pipeline. On December 26, 2006, people were scooping fuel from a pipeline that had been hot-tapped by thieves in the Abule Egba area. The fuel ignited, causing hundreds of fatalities and injuries. There have been seven similar pipeline accidents in Nigeria from 1998 to 2006 that have caused thousands of fatalities (BBC, 2006). Background. There are nearly two million kilometers of petroleum pipelines around the world. They supply petrochemicals to refineries and chemical plants and deliver products to ships for transport and to end users. In the United States, the Pipeline and Hazardous Materials Safety Administration (PHMSA) of the Department of Transportation has jurisdiction over pipelines, issuing regulations addressing their construction, operation and maintenance. Also, in the United States, the National Transportation Safety Board (NTSB) has oversight of pipeline accident investigations. Process. Pipelines are typically operated using SCADA systems. SCADA systems gather operating data, operate remote valves, track the pipeline flow, and provide leak detection. It can be challenging to verify pipeline integrity issues simply because pipelines are buried, so conducting a visual inspection requires excavation.

Chapter 6 Transportation Incidents

297

Figure 6.6-1. Burned vegetation along the creek from Olympic pipeline release and fire (courtesy NTSB). What and Why It happened. As can be seen in the pipeline incidents described here, damage done to a pipeline during installation or done by digging equipment in subsequent years is often a factor years later in a pipeline failure. The pipeline company may not be aware of the damage; hence, inspection is critical to ensure the ongoing fitness for service of the pipeline. The SCADA systems are also cited in a number of these incidents as relates to the reliability of the SCADA system and the ability of the operator to interpret and respond to an emergency situation.

298

More Incidents that Define Process Safety

6.6.3 Management System Failures I. Commit to Process Safety 5. Stakeholder Outreach. Pipelines, by their function, connect many stakeholders including owners, operators, neighbors, regulators, and emergency responders. Damage prevention systems such as the PHMSA 811 system— “Know what’s below. Call 811 before you dig.”—can help reduce the likelihood of pipeline damage. As a PHMSA report states, “Damage prevention is a shared responsibility.” (PHMSA, 2017) Sadly, as seen in the Nigerian incident, some damage is intentional and then escalates to involve many other innocent people. III. Manage Risk 10. Asset Integrity and Reliability. Pipelines operate virtually unseen for decades. Using a good integrity management system is imperative for safe pipeline operations. Not only identifying anomalies, but also investigating them, can provide the data necessary to make good decisions regarding continued safe operation. 15. Conduct of Operations. Operating a pipeline is challenging, considering the vast territory that a pipeline may cover. SCADA systems are intended to support these operations. As in all types of control systems, it is important to consider human factors in the design of the system. Can the operator quickly and easily gather and interpret the information to make the correct decision?

Chapter 6 Transportation Incidents

299

6.7 AIR FRANCE FLIGHT AF 447 RIO DE JANEIRO TO PARIS, 2009 6.7.1 Summary Air France flight AF 447 was traveling from Rio de Janeiro to Paris on 31 May 2009. Just over two hours into the flight, the plane stalled and crashed into the Atlantic Ocean, resulting in 228 fatalities. The wreckage was found on April 2, 2011at a depth of 3,900 m (2.4 mi), about 12 km (6.5 nm) from the aircraft’s last transmitted position (BEA 2012).

Key Points Hazard Identification and Risk Analysis – Is now the best time? There are some jobs, or elements within a job, that may pose more risk than normal. Ensure that the right people are on the job and that their mind is on their work at the critical points of the job. Conduct of Operations – Have realistic expectations. If you are expecting specific behaviors to certain operational situations, then make sure that situation can be easily detected and that employees are trained and practiced in that response.

6.7.2 Description Background. The captain had 6,258 flying hours, including sixteen rotations in the South American sector in the preceding two years. There were two co-pilots on the flight. The meteorology over the Atlantic Ocean was normal, although there were some storms in the early hours of the flight path. Process. The plane was an Airbus A 330-203, manufactured in April 2005 with GE engines. The air speed is deduced from measurements from three pitot probes and six static pressure sensors. The probes were equipped with drains and an electrical heating system to prevent icing. The speed of the plane is calculated based on data from these probes and sensors used in

300

More Incidents that Define Process Safety

the flight control systems and the ground proximity warning system. What Happened. At about two hours into the flight, as the captain left to take his in-flight rest despite the storms in the flight path. He commented to the co-pilots that they could not yet climb out of the cloud layer because the temperature was falling more slowly than forecasted, and the log-on to the Dakar, Senegal, air traffic control center had failed. At 2 hr 08 min, the heading was changed slightly, speed reduced, and engine de-icing turned on. At 2 hr 10 min 05 sec, the autopilot and the auto-thrust disconnected. The stall warning came on twice. At 2 hr 10 min 16 sec, the voice recorder captured “we’ve lost the speeds.” In the following seconds, a number of attempted corrective actions were made, but the stall warning came on again. The captain reentered the cockpit at 2 hr 10 min 51 sec. Voice recordings captured “I have no more displays.” The recordings stopped at 2 hr 14 min 28 sec. Why It Happened. If there are excessive quantities of ice crystals at altitudes above 9,144 m (30,000 ft), they can accumulate in the pitot probe tube. As the de-icing struggles to address the quantity, the instrument function is lost for 1 or 2 minutes. This was a known failure in aviation, and it was expected that pilots would identify it and take precautionary measures. During the AF 447 flight, the co-pilots did not correctly identify the problem due to inaccurate data (due to the pitot probe plugging) and the plane’s performance being inconsistent with their mental model of the situation. The voice recordings noted a degradation of the normal practice of clearly stating their actions, which made identification of the problem more difficult. This resulted in taking actions that prompted the stall. AF 447 attempted to contact the Dakar Oceanic air traffic control center (ATC), but these attempts failed due to an absence of the flight plan in the Eurocat system. Eurocat was an air traffic management system being used on an experimental basis at the Dakar Oceanic ATC. The flight control centers noticed the lack of a flight plan and created a virtual one. The various flight control centers communicated with one another about where AF 447

Chapter 6 Transportation Incidents

301

should be based on the virtual flight path. At 5 hr 23 min, they reported the disappearance of the flight.

6.7.3 Management System Failures II. Understand Hazards and Risk 7. Hazard Identification and Risk Analysis. The flight crew identified concerns regarding the storm, but the captain appeared unresponsive to the concerns, as he had not had difficulty with storms in this area on previous flights. He chose this time to take his in-flight rest, despite the fact that this is when the plane would be crossing the storm path. Who is in charge should be taken into consideration when planning to conduct a higher-risk task. An example of this is the Exxon Valdez where the third mate was on the bridge when leaving Prince William Sound. It should be a deliberate decision in choosing the right person with the appropriate education, experience and skill to conduct the more challenging operations. III. Manage Risk 15. Conduct of Operations. The possibility of the pitot probes plugging was known. It was expected that the pilots would promptly identify the situation and take corrective action. A discussion on human factors in the BEA Final Report notes the following are required for a person to successfully identify a problem (BEA 2012): The signs of the problem are sufficiently salient to bring the (operator) out of their preoccupations and priorities in the (operation) in progress; The signs are credible and relevant; The available indications relating to the anomaly are very swiftly identifiable so that the possible immediate actions to perform from memory to stabilize the situation are

302

More Incidents that Define Process Safety triggered, or that the identification of the applicable procedure is done correctly; The memory items are known and sufficiently rehearsed to become automatic reflex associated only with awareness of the anomaly, without the need to construct a more developed understanding of the problem; There are no signals or information available that suggest different actions or that incite the crew to the prior reconstruction of their understanding of the situation.

6.8 OTHER INCIDENTS A number of transportation incidents were described in the first volume of this book. Marine Exxon Valdez Oil Spill, Valdez, Alaska, July 10, 1976 Sinking of the Titanic, North Atlantic, April 15, 1912 Sinking of the Erika, Bay of Biscay, France, December 12, 1999 K-Boats – British Steam-Powered Submarines in WWI, UK, 1914 - 1918 Capsize of the Herald of Free Enterprise, Zeebrugge, Belgium, March 6, 1987 Fire on Board HMS Glasgow, Newcastle-Upon-Tyne, UK, September 23, 1976 Aviation NASA Challenger, Florida, USA, January 28, 1986 Loss of Space Shuttle Columbia, Texas, USA, February 1, 2003 Loss of Boeing 747-131 TWA Flight 800, USA, July 17, 1996 Hindenburg Disaster, Lakehurst, NJ, USA, May 6, 1937 Flight TS 236 Loss of Fuel over the Atlantic, August 24, 2001 Air France Concorde Crash, Paris, France, July 25, 2000 Flash Airlines Boeing 737, Sharm El Sheikh, Egypt, January 3, 2004

Chapter 6 Transportation Incidents

303

6.9 ADDITIONAL RESOURCES The following books and resources are available for helping to understand the prevention of environmental and toxic releases. Guidelines for Asset Integrity Management (CCPS 2016). This book is consistent with RBPS and Life Cycle approaches and includes details on failure modes and mechanisms. Also, example testing and inspection program is included for various types of equipment and systems. Guidance and examples are provided for selecting and maintaining critical safety systems. Guidelines for Engineering Design for Process Safety, 2nd Edition (CCPS 2012). The book focuses on process safety issues in the design of chemical, petrochemical, and hydrocarbon processing facilities. It discusses how to select designs that can prevent or mitigate the release of flammable or toxic materials, which could lead to a fire, explosion, or environmental damage. Guidelines for Chemical Transportation Safety, Security and Risk Management (CCPS 2008a). This CCPS Guideline book outlines current transportation risk analysis software programs and demonstrates several available risk assessment programs for land transport by rail, truck, and pipeline for consequences that may affect the public or the environment. Topics include loading and unloading and operating procedures to reduce human error. Guidelines for Mechanical Integrity Systems (CCPS 2006). In recent years, process safety management system compliance audits have revealed that organizations often have significant opportunities for improving their MI programs. As part of the Center for Chemical Process Safety's Guidelines series, Guidelines for Mechanical Integrity Systems provides practitioners a basic familiarity of MI concepts and best practices. The book recommends efficient approaches for establishing a successful MI program.

304

More Incidents that Define Process Safety

7 Non-Oil/Chemical Incidents 7.1 INTRODUCTION Some people think that lessons are only learned from incidents in industries that are the same as their own. This is a false and limiting opinion. Lessons may be learned from industries, locations, and cultures that are different from your own. In fact, the differences may prompt deeper thinking in finding the root cause that is common across the industries, and, by getting to that root cause, potentially prevent a broader range of incidents in your own situation. It is interesting to note the impact of process safety culture in the incidents in this chapter. These incidents occurred in industries that were not familiar with process safety, but they did have to manage hazards and risks. The culture to do this effectively was lacking. In some cases, it was lacking in the company, in the supporting companies, and in the regulator. Without a strong culture to manage hazards and risks, the other controls to support safe work start to degrade. The other point that stands out in these incidents is that emergency management is just as key as it is in the other incidents described in this book. It is not just about having emergency responders or knowing what number to call to get them; it is about the planning. Identify the various emergency scenarios, assess the resources required to handle the emergency, and practice tabletop and field drills with in-house and external emergency responders to verify the effectiveness of the emergency plan.

Chapter 7 Non-Oil/Chemical Incidents

305

7.2 FUKUSHIMA DAIICHI NUCLEAR POWER PLANT RELEASE, JAPAN, 2011 7.2.1 Summary On March 11, 2011, one of the largest recorded earthquakes occurred off the coast of Japan. This caused a tsunami that caused more than 1,500 fatalities, injured more than 6,000, and many more were missing. The tsunami waves flooded the Fukushima Daiichi nuclear power plant, impacting all six units on site. In the following days, the units overheated, and radioactive material was released, exposing surrounding communities and the environment (IAEA, 2015). People were evacuated within 20 km (12.4 mi) of the site for years. No human fatalities were attributed directly to the incident; however, since the accident, there has been reporting of significant increases in thyroid cancer (NAIIC 2012). The Fukushima Nuclear Accident Independent Investigation Commission (NAIIC) called for reforms in both the electric power industry and the related government and regulatory agencies.

Key Points Stakeholder Outreach – Make sure companies and agencies are working toward the same goal–safety. It is good to have a positive working relationship with other stakeholders. Remember, though, that just because someone says an action is okay does not mean that it is safe. Process Safety Competency – Make sure process safety competency is strong as it underpins many elements in most management systems. If process safety is strong, business management will be also. If the understanding of process safety is weak, then decisions over time will degrade overall risk management.

306

More Incidents that Define Process Safety

Hazard Identification and Risk Analysis – How unlikely is it, really? Potential emergency events can seem unrelated. Analyze scenarios to consider whether one can be prompted by another. If the consequence is very high, then the likelihood should be very low for the risk to be tolerable. Simply deciding an event is unlikely may result in design, procedures, and emergency response falling short.

7.2.2 Description Background. Following the oil crisis of the 1970s, Japan moved to diversify its power sources. By 2010, nuclear power generation provided 29% of the total power generation in Japan. There are five nuclear power plants located on the northeastern coast of Japan. Fukushima Daiichi is operated by Tokyo Electric Power Company (TEPCO). Process. The Fukushima Daiichi design used boiling water reactors. The reactors are a closed loop system. Water boils in the reactor, producing steam that drives turbines to generate electric

Figure 7.2-1. Fukushima Daiichi nuclear reactor design (courtesy IAEA).

Chapter 7 Non-Oil/Chemical Incidents

307

power. The steam is condensed using cold water from the ocean and then fed back to the reactor again. Refer to Figure 7.2-1. What Happened. The Great East Japan Earthquake occurred at 4:46 p.m. It was a magnitude 9.0 and lasted more than two minutes, causing damage to structures and power infrastructure. Units 1, 2, and 3 were running at the time and shut down automatically due to the seismic motion. A tsunami was created by the earthquake, with the waves arriving forty 40 minutes after the initial shock. A wave of 14 to 15 m (46 to 49 ft) overwhelmed the Daiichi seawalls and flooded the site, causing significant damage, loss of power, loss of control, and eventual loss of reactor containment. Following the earthquake, TEPCO set up an emergency response center in Tokyo and an on-site emergency response center at the Daiichi site to manage the response. Evacuation and shelter-in-place orders were issued over the next three days. Why It Happened. After inserting the control rods (rods composed of chemical elements used to control the nuclear fission) to stop the reaction, heat continued to be generated. Cooling systems are run and controlled by electrical power. The earthquake had damaged the off-site power supply, resulting in a total loss of power supply to the plant. This loss of power isolated the units from their turbines, resulting in increased temperature and pressure in the reactors. The operators followed appropriate procedures for the earthquake and loss of power in shutting down, isolating, and activating cooling systems. The tsunami flooded the reactors and turbines, resulting in loss of seawater intake for all units which in turn resulted in a loss of cooling. It also damaged the electrical equipment, including the diesel generators, power distribution, and switchgear, which resulted in the loss of the emergency diesel generators to provide cooling for all but one of the six units. DC power was provided as an additional emergency backup, but the batteries were flooded, and this power supply was lost to most of the units. With the loss of power, the ability to monitor reactor pressure, water level, and other aspects of core cooling was lost for three of the units.

308

More Incidents that Define Process Safety

The operators struggled with the loss of power and were taking various approaches to provide cooling water. With the loss of the ability to monitor the process conditions, the worst-case scenario of a core overheating was assumed, and an evacuation and shelter-in-place order was issued at 9:23 p.m. on March 11. At 11:00 p.m., radiation levels were detected outside the unit. Over most of March 12, efforts were made to restore cooling water and power to the units with no or limited success. At 3:30 p.m. on March 12, an explosion occurred in one unit that damaged emergency water and power supplies and created an abnormal rise in radiation levels. This prompted an extension of the evacuation zone to 20 km (12 mi). On March 13, high radiation levels were detected at a second unit. On March 14, another explosion occurred, injuring workers and damaging equipment. On March 15, explosions occurred in two additional units. The onsite emergency response center ordered the evacuation of all units. The highest radiation readings of the accident were recorded. Residents between the 20 and 30 km (19 mi) radii were ordered to shelter-in-place. Refer to Figure 7.2-2 for an overview of the incident progression.

Chapter 7 Non-Oil/Chemical Incidents

309

Figure 7.2-2. Fukushima Daiichi incident progression (courtesy IAEA).

310

More Incidents that Define Process Safety

7.2.3 Management System Failures I. Commit to Process Safety 3. Process Safety Competency. The Japanese Fukushima NAIIC concluded that knowledge, training, inspection, and instruction were lacking (NAIIC, 2012). This points to a lack of process safety competency to support good practices in each of these areas. Without a deep understanding of process safety, the decisions made, and actions taken in these areas increased the risk of such an incident. Process safety competency underpins many elements in most management systems. Without the mindset of being vulnerable and considering each decision through a risk lens, the day-to-day decisions over the years can add up to poor integrity management, poor practices, and an inability to respond effectively in an emergency. 5. Stakeholder Outreach. The NAIIC also concluded that collusion between the government, regulators, and TEPCO was at the root of the incident (NAIIC, 2012). The government agencies thought to be addressing public safety were found to be promoting nuclear power at the expense of safety. The events and structural damage could have been foreseen. Structural improvements and improved emergency plans were not demanded by the regulator, even though they were aware of the shortfalls. II. Understand Hazards and Risk 7. Hazard Identification and Risk Analysis. The nuclear industry is recognized for its use of probabilistic risk assessment. The Fukushima nuclear power plant was originally designed to withstand a magnitude 8 earthquake. Although the earthquake potential was recognized and addressed in design and procedures, the fact that the design basis was less than the magnitude 9 earthquakes that have occurred along the Pacific

Chapter 7 Non-Oil/Chemical Incidents

311

Figure 7.2-3. Fukushima Daiichi nuclear power plant elevations (courtesy Tokyo Electric Power Company) (OP: Sea level at Onahama Port).

“ring of fire” was not clearly addressed in the risk assessments. Loss of externally supplied power was recognized and addressed in design and procedures. The tsunami potential was recognized but was also underestimated. However, the likelihood that these events could happen simultaneously was not well addressed. The relative elevation of critical systems with respect to sea level left Fukushima Daiichi NPP vulnerable to larger tsunamis. Refer to Figure 7.2-3. In hindsight, it is logical to see how one event can cause the next and thus their simultaneous occurrence is credible. Because the risk of a full loss of power was not recognized, the operators were not provided with appropriate procedures (loss of all power—main, diesel generator, and DC backup).

312

More Incidents that Define Process Safety

III. Manage Risk 16. Emergency Management. The roles and responsibilities of the various regulators and agencies involved in the emergency response were not clear. This enabled the deterioration of the situation at the Fukushima nuclear power plant. Emergency preparedness and crisis management was lacking over the years, which resulted in confusion and inefficient management of the situation during the emergency. An effective emergency response is dependent on the identification of the potential emergency, planning for it, including all those who may be impacted, and putting the systems in place to manage the event if it occurs.

7.3 SEWOL FERRY SINKING, SOUTH KOREA, 2014 7.3.1 Summary On April 16, 2014, the Sewol ferry capsized and sank in the waters off South Korea. Only 172 of the 476 passengers were rescued. The Korea Maritime Safety Tribunal investigated the incident. Over 150 people were jailed, some for murder, and government structures were reorganized as a result of this accident and the emergency response (Kwon 2016).

Key Points Process Safety Culture – Work to make sure all stakeholders have a good process safety culture. Process safety culture, good or bad, can exist in companies you do business with, in the regulator, and in auditors. Where it is good, it can encourage all involved to continuously improve. Where it is bad, it can fail to identify problems and enable the normalization of deviance.

Chapter 7 Non-Oil/Chemical Incidents

313

Conduct of Operations – Know and respect the operating limits. Operating limits are defined for a reason. Disregarding those limits and operating outside of them is setting the scene for an incident. Emergency Management – Practice! Conducting emergency response training and drills will help identify areas for improvement so that the response, if needed, will be successful.

7.3.2 Description Background. The ferry was constructed in 1994 and operated for 18 years without incident. Chonghaejin Marine Company purchased the ferry in 2012 and made extensive modifications, adding cabins to the third, fourth, and fifth decks, increasing weight by 239 metric tons (263 tons), decreasing cargo capacity by half, and increasing the ballast water requirement by four times. The Sewol traveled its 402 km (250 mi) journey in 13.5 hours three times a week. It had made the journey 241 times before the incident. The water temperature was approximately 15°C (59°F), which can cause hypothermia in ninety minutes. Process. The Sewol ferry was a car ferry or roll-on/roll-off (ro-ro) ferry. What Happened. On the day of the accident, the Sewol departed over two hours late, carrying 476 passengers, 124 cars, 45 trucks, and 1,157 metric tons (1,275 tons) of cargo. The third mate was on the bridge. She had one year’s experience in steering ships and had never steered the Sewol through the Maenggol Channel, which is known for its strong underwater currents. The helmsman had six months of experience on the ferry. Orders were given to the helmsman to turn the ferry. He made a quick, sharp turn, and the ferry lost balance, listing twenty degrees into the water. The cargo containers fell to one side of the ferry. The ferry began taking on water through the ro-ro doors at the bow and stern. The Captain went to the bridge and ordered the engines be stopped.

314

More Incidents that Define Process Safety

A passenger made the first emergency call to shore. Coast Guard patrol vessels and helicopters were dispatched. Repeated announcements were made on the ferry’s public address (PA) system for passengers to stay in their cabins. Announcements then ceased, as the crew assumed the PA system had failed. A number of emergency calls were made from various ship crew members using the radio system. Two helmsmen attempted to drop life rafts from the starboard side but were unable to reach them due to the listing of 40 degrees. The first patrol vessel arrived approximately forty minutes after the first distress call and reported there were no passengers on the decks or in the water. They rescued some of the crew. An order was given from the coast guard to announce, “abandon the ferry” and guide passengers to be evacuated. This order was not followed. The third and fourth decks were submerged and dark. A few of the crew members began shouting to passengers to evacuate and helping them from the submerging cabins. The Sewol sank in two and a half hours. Approximately 150 passengers jumped into the water in the final twenty minutes before the ferry capsized. Refer to Figure 7.3-1. Why It Happened. The 1,157 metric tons (1275 tons) of cargo on the transit was more than double the legal limit and was not properly secured. A map was posted showing the loading and securing of cars, trucks, and cargo containers. It was not used, and practices were not verified. The requirements for ballast water were not followed. The ferry crew did not receive safety training, nor did they practice evacuation drills. Personal flotation devices were stored in the cabins and not at the evacuation points. The life rafts were deployed too late, and some failed on deployment. Communications on the ferry, within the coast guard, and between the ferry and the coast guard were incomplete and ineffective.

Chapter 7 Non-Oil/Chemical Incidents

315

Figure 7.3-1. Sewol Ferry capsizing and sinking (courtesy South Korea Coast Guard & South Korea Media, Straits Times graphic adapted from AFP).

7.3.3 Management System Failures I. Commit to Process Safety 1. Process Safety Culture. In this incident, the problems of a poor safety culture did not rest with the operator alone. Chonghaejin Marine made extensive modifications, but those modifications were certified by the Korean Register of Shipping without reviewing the plan for securing the additional vehicles. It was later found that 58 of 66

316

More Incidents that Define Process Safety

vehicles could not be properly secured. Four times the ballast water was required, however, Chonghaejin Marine carried less than half of the ballast water required. The Korean Shipping Association approved the departure based on inaccurate documents and checking only the load line (line on outside of ferry indicating maximum loading) but not the cargo and ballast requirements. III. Manage Risk 12. Training and Performance Assurance. Korean Maritime Law included an exemption that if the ship’s crew had one year of experience, then safety training was not required. This resulted in the crew of the Sewol being exempted from safety training for 7 to 19 years. The coast guard headquarters did not participate in search and rescue training. Training personnel and assuring that they can perform tasks as expected is important. This is easy to say, but also easy to dismiss, as this would be lower on the hierarchy of controls than eliminating the hazard or providing engineering controls. However, emergency response is truly the last chance to mitigate the risk, thus making sure plans, equipment, and people are working as intended is imperative. Additionally, the human response in the stress of an emergency may not be as good as that during normal operations. Having training and experience to rely on can improve the likelihood of a successful emergency response. 15. Conduct of Operations. The Sewol Ferry had an Operation Management Regulations Document as required, but it did not include the topics of ballast water or total load. Paperwork on the ferry loading was routinely falsified, and the ferry was routinely overloaded. There were posted requirements for the loading and securing of vehicles and cargo, but this was ignored. In fact, it was not possible to secure the vehicles as required, yet the ferry had been in operation for years. This is a classic example of normalization of deviance.

Chapter 7 Non-Oil/Chemical Incidents

317

Conduct of operations speaks to formalizing operations and expecting that operations are conducted diligently. Operating procedures describe what the operating limits are and how to stay within them. When operators are not able to conduct operations as expected and that situation is tolerated, the message to the operators is that procedures and other direction can be viewed as optional. Additionally, where operations are not being conducted as expected, it is helpful to ask why. Perhaps it is not the operator ignoring procedures; perhaps the design or the procedure needs improvement. 16. Emergency Management. The crew abandoned the ferry without assisting the passengers. They were unclear on how to respond in the emergency, and made individual decisions on where to stay, what advice to give on the PA system, and what orders to heed. Some of the crew did not know how to use the PA system to broadcast emergency messages to the passengers, so when it didn’t work, they assumed (incorrectly) that it had failed due to the flooding, and no further PA direction was given. The person on watch at the land-based station was not notified of the sharp turn for twenty minutes. The fact that passengers were told to stay in their cabins was not communicated to the coast guard patrol vessels and helicopters, so they initially only rescued those people on the decks. The coast guard headquarters gave orders that the local coast guard district did not follow. The patrol vessels did not communicate directly with the ferry. By rescuing some of the crew first, including the captain, the only means to communicate (cell phones and 2-way radios) with the crew who were helping passengers was lost. The topic of emergency response training is addressed above in the comments on training and assurance. Beyond the training, the conduct of emergency response drills is key in identifying communications, equipment, and working relationships that may not go as planned. By identifying these in a drill, emergency response plans can be continuously improved.

318

More Incidents that Define Process Safety

7.4 PIKE RIVER COAL MINE EXPLOSION, SOUTH ISLAND, NEW ZEALAND, 2010 7.4.1 Summary On November 19, 2010, there was an explosion in the Pike River Coal Mine. There were twenty-nine fatalities. There were three additional explosions in the next nine days before the mine was sealed. A royal commission was established to investigate the incident. This was the twelfth such commission investigating fatal coal mine incidents. The mine now has a new owner. Recommendations have been made for a new regulator with a focus on health and safety, changes to existing regulations and conduct of joint emergency response drills (NZ Royal Commission 2012).

Key Points Contractor Management – Manage your contractors, or you may end up managing an incident. Contractors are often able to cause, prevent, or mitigate an incident. Make sure they are provided with the training, tools, and supervision to do a safe job. Operational Readiness – Are you ready, or just anxious, to start up? A start up can be pushed for by management, can be exciting after months of work, and can be demanding for the workers. Determine what is required for a safe start up and to verify those requirements are in place before the start up. Management Review and Continuous Improvement – Is it really that good? Management, like everyone, likes to hear good news. But they should verify that they are getting accurate and full data about operational safety and risk management so that they can support improvements where needed.

Chapter 7 Non-Oil/Chemical Incidents

319

7.4.2 Description Background. The Pike River Coal Mine is in the Paparoa Range on the West Coast of New Zealand’s South Island near Greymouth. Pike River Coal Ltd. operated the mine, and it was their only mine. The mine was opened in 2008 with the first sales in 2010. The company had overestimated the production forecasts, underestimated the challenge of the geological conditions, and was borrowing money to support operations. Process. Methane gas is naturally occurring in coal. Large volumes can be generated by mining the coal. The LEL and UEL for methane in air are 5% and 15%, respectively. The methane level is controlled through ventilation and atmospheric monitoring. The original mine plan included two fans on the mountain. This was changed to relocate a fan underground. Hydro mining was seen as a way to significantly increase production. It is not a common technique and uses a water jet following a specific cutting sequence to avoid undue release of methane. What Happened. The investigation concluded that a large volume of methane accumulated, potentially from a roof collapse due to hydro mining or from operations in another part of the mine that had reported high methane readings. The ignition sources could have been the electrical system, diesel engines, the main fan, or contraband (cigarettes, watches, and cameras). These were prohibited, and preventive actions had been taken by Pike, but the practices continued. A search and rescue effort was undertaken but was hampered due to lack of planning. Damage to the fans meant that the mine could not be re-ventilated quickly. The emergency response was managed by the police in Wellington. Many decisions were made in Wellington instead of at the mine where the rescue experts were gathered. The response included the police, mining specialists, mine rescue services, and emergency responders. The inability to understand the atmospheric conditions in the mine prevented rescue attempts. Refer to Figure 7.4-1.

320

More Incidents that Define Process Safety

Figure 7.4-1. Pike River Mine (courtesy stuff.co.nz). Why It Happened. Pike River Coal Ltd. had not completed the ventilation and drainage systems to support management of the methane produced by using hydro mining. The New Zealand Department of Labor did not have the resources or focus to make sure that the mine was in compliance with regulations. Normalization of deviance is evidenced by the twenty-one times that levels of methane exceeded the LEL in the months preceding the incident. The decision to move the non-explosion-protected fan underground, into a mine with a potential for an explosive methane atmosphere, was opposed by a ventilation consultant and by some staff, but it was placed there anyway. This fan failed

Chapter 7 Non-Oil/Chemical Incidents

321

in the explosion, and the backup fan in the ventilation shaft was damaged. In October, the width of the hydro mining cut was increased by 50%. An expert consultant identified the risk of a roof collapse. A major roof collapse did occur, and methane readings were high, but an explosion did not occur. Work was continued without assessment of the roof collapse.

7.4.3 Management System Failures III. Manage Risk 11. Contractor Management. The Pike workers included numerous long-term contractors and it was recognized that the work induction and supervision of these contractors were not effective. Also, the Pike River Coal Mine employed a high percentage of inexperienced miners and those unfamiliar with the local conditions. There were reports of the workers bypassing safety devices in order to continue operations in the presence of methane. Contractor management can be a challenging topic because there is a limit to how much the company granting the contract can intervene in the contractor’s business. That said, the contracted workers are often able to either cause, prevent, or mitigate an incident. The contracted workers should clearly understand the hazards and proper ways to manage the operational risks. 14. Operational Readiness. Focus on safety and health should start early in the design stages and should be a requirement to obtain a permit. The Pike management team was challenged with operational issues as they worked to increase production and put their focus in these areas. Meanwhile, the health and safety management plan was still in draft, there was no ventilation engineer, the ventilation plan was deficient, and the reported high methane levels were not well

322

More Incidents that Define Process Safety

investigated nor analyzed. High methane levels were causing constant tripping of machinery, which prompted the miners to bypass the sensors. Gas detectors were placed in a few locations throughout the mine: one was broken for months before the incident, and the other could not read above 2.96% methane. In this incident, the drive for increased production was outpacing the safety readiness of the operation. It is important to determine the requirements for a safe operation well before that operation is started and to have a system to verify those requirements have been met. Without a logical and resourced plan, it may not be clear when everything is in place to support safe operations. 16. Emergency Management. Emergency planning was ineffective to the extent that rescue operations could not be undertaken due to the inability to understand and improve the atmospheric conditions in the mine. Emergency planning should plan for the worst-case scenarios. It should recognize that equipment is often damaged in the event. If critical data is needed to support the emergency management, then a means to gather this data should be addressed during emergency planning. This could involve emergency response equipment, or it could identify the need to protect operational equipment against fire, explosion, flooding, or another emergency condition. IV. Learn from Experience 20. Management Review and Continuous Improvement. The Pike board received a monthly report, including a section on health and safety; however, it did not address hazards relevant to a major event such as an explosion. An insurance risk survey had identified concerns regarding the risks of hydro mining and the potential for an explosion. The board did not see this report. They had assumed that the Pike managers would inform them of any major issues.

Chapter 7 Non-Oil/Chemical Incidents

323

7.5 BIG BRANCH MINE EXPLOSION, WEST VIRGINIA, US, 2010 7.5.1 Summary On April 5, 2010, an explosion occurred in the Big Branch Coal Mine in southern West Virginia. There were twenty-nine fatalities and two injuries. Multiple employees and an executive were convicted as a result of the incident.

Key Points Process Safety Culture – Do not normalize deviance. When tolerating shortcomings becomes normal and workers no longer see the point in speaking up about safety issues, the progression toward an incident has likely started. Safe Work Practices – Protect the key risk barriers. Making sure that practices support the integrity of barriers and do not allow people to work-around them, are key to managing risk. Measurement and Metrics – Measure what is important to manage. Metrics should reflect the health of those barriers that have been put in place to manage risk. If metrics solely address production, it is time to review the process safety culture. 7.5.2 Description Background. The Big Branch Coal Mine was owned by Massey Energy and operated by its subsidiary, Performance Coal Company. Work was behind schedule and pressure to produce was high. The miners felt that leaving the job was not an option unless there was an emergency, so they tolerated poor conditions to produce coal (GIIP, 2011). Process. Methane is released in the process of coal mining. Coal dust is generated from the mining, from conveyor belts that transport the coal, and from some coal seams. An industry

324

More Incidents that Define Process Safety

practice is to apply rock dust over the coal dust to prevent coal dust explosions. Refer to Figure 7.5-1. What Happened. The initial explosion involved methane gas released from the coal and ignited by the friction of the shearing operation as it hit the surrounding rocks. The methane explosion caused the coal dust to be dispersed in the air, which then supported subsequent coal dust explosions. The coal dust explosions traveled more than two miles around the various mine tunnels. Reports said it sounded like thunder, went on for minutes, and threw wood cribbing, signs, and other materials around. It damaged the ventilation system and electrical system. The workers died from blast injuries and from carbon monoxide poisoning. The miners attempted to put on their “rescuers”, a selfcontained, self-rescue breathing apparatus which provides less than one hour breathing air. One man stayed with his team for forty-five minutes. He tried to call on the radio and use the tracking device, but there was no response. Mine employees who were in the on-site offices heard the sound of the ventilation fans

Figure 7.5-1. Shearer cutting coal (courtesy GIIP).

Chapter 7 Non-Oil/Chemical Incidents

325

changing and sensed something was wrong. They entered the mine. Calls were made to Massey management and to the Mining Health and Safety Administration (MSHA). MSHA officials set up a command center at the site. The response events were not adequately recorded. At times, it was not clear who was in charge and who was in the mine. Some of the men rescuing others were not trained mine rescuers and were in the mine for four hours following the explosion. Rescuers exiting the mine were not debriefed, which further added to the confusion. Why it happened. The Upper Big Branch mine was a gassy mine and had three previous methane-related events. Coal mine explosions are prevented by minimizing methane accumulation through venting, by controlling ignition sources, and by minimizing coal dust accumulations to prevent a subsequent coal dust explosion should the methane ignite. These were all inadequate at the mine. The mining operations had been shut down for Easter Sunday. The de-watering pumps had failed, and water had accumulated in areas leading to the ventilation fans, which resulted in the air flow being reduced, which allowed methane to accumulate. 7.5.3 Management System Failures I. Commit to Process Safety 1. Process Safety Culture. The normalization of deviance is reviewed in the Governor’s Independent Investigation Panel (GIIP, 2011). The ventilation problems were chronic and had become a part of the normal operation. There were continual water problems, with miners sometimes working in chest-deep water. Miners were sent into the mine without communication or gas detection equipment. Methane readings were falsified. Workers who questioned safety conditions or shutdown operations were intimidated and suspended from work. “It was acceptable at this mine to do

326

More Incidents that Define Process Safety

nothing because identifying unsafe conditions might have meant dedicating man-hours to correcting the problems.” (GIIP, 2011) III. Manage Risk 15. Conduct of Operations. In the Big Branch mine, the ventilation system was inadequate, the coal dust was not managed, and safety equipment was not maintained (GIIP, 2011). The rock dusting equipment at the mine was poorly maintained, and the rock dusting performance was poorly managed and ineffective. The mine was cited every month in 2009 for failure to provide adequate ventilation. Performance Coal Company management told a foreman to disregard a citation for faulty ventilation. MSHA ventilation inspectors suspected the mine of manipulating the ventilation system to pass tests. The ventilation problems from the mine were so significant that it prompted a change in the MSHA policy on issuing violations. The West Virginia Office of Miners’ Health, Safety and Training (WVOMHS&T) investigation identified that regulatory language for coal mine ventilation is inadequate (WVOMHS&T). This illustrates the question of whether compliance is sufficient. Whether in mining or other industries, if the relevant regulations are insufficient, then additional measures should be taken to manage the risks. At the most simplistic level, it is the employer’s responsibility to provide a safe workplace. 16. Emergency Management. The emergency response was challenged by a lack of understanding of who was in the mine at the time of the explosion. The mine’s personnel tracking system was not working, and the backup log system was not maintained. It took days to understand who was in the mine and determine the number of fatalities. Tracking of personnel is fundamental to operations and supports the development of rescue plans. Whether the system

Chapter 7 Non-Oil/Chemical Incidents

327

is manual cards, tags, or electronically managed, a system should be in place. Being able to define how many people are involved is essential for emergency responders and also needed for communications with families. IV. Learn from Experience 18. Measurement and Metrics. Management was able to quote the daily metrics used to measure coal production. There was no measure relating to safety. The adage is that you manage what you measure. There should be measures reflecting the process risk management. Measures addressing personal safety are not sufficient.

7.6 UNIVERSITY LABORATORY INCIDENTS 7.6.1 Summary There have been a number of incidents in university laboratories that resulted in severe injuries and fatalities. The laboratories failed to manage process safety almost in its entirety. These incidents have prompted changes in the way many university laboratories address process safety. The CSB has created a video entitled “Experimenting with Danger” that is aimed at highlighting the hazards at university chemical labs (CSB, 2011e).

328

More Incidents that Define Process Safety

Key Points Process Safety Culture – Make sure process safety is part of your safety culture. Regardless of what culture you are in, if there are process safety hazards, then process safety should be a key part of your culture. Hazard Identification and Risk Analysis – It all starts here. Identify hazards. If you don’t identify the hazard and assess the risk, then you will not be able to put barriers in place and manage the risk. Incident Investigation – If something unexpected happens, question why. Investigate it. You might identify a hazard or a broken barrier. Then document it and share your learning with others. 7.6.2 Description Three incidents are used to discuss the Key Points in this Chapter 1. University of Hawaii. On March 16, 2016, a hydrogen/oxygen explosion occurred at the Manoa campus, resulting in a postdoctoral researcher losing her arm and suffering additional severe injuries. The lab was using hydrogen, oxygen, and carbon dioxide in the green production of bioplastics and biofuels. This gas mixture has a very large flammability range as seen in Figure 7.6-1. The gas mixture was likely ignited by a static discharge involving the researcher, the tank, and a gauge. The equipment was not bonded and grounded, and the gauge was not intrinsically safe (UC, 2016). 2. University of California at Los Angeles. In December 2008, a staff research associate was fatally burned when the t-butyl lithium she was working with caught fire. The plunger on the syringe came loose and the pyrophoric compound spilled on her clothing, igniting spontaneously. No flame-resistant lab coats were used. No hazard assessment was performed and

Chapter 7 Non-Oil/Chemical Incidents

329

hence no subsequent protective equipment identified. There was no written procedure on handling pyrophoric materials (UCLA Newsroom, 2009). 3. Texas Tech. On January 7, 2010, a graduate student suffered severe injuries when nickel hydrazine perchlorate derivative detonated. Texas Tech was working with Northeastern University on explosive threats under a program funded by the US Department of Homeland Security. The students decided to scale up the experiment to make a batch large enough to fully characterize the chemical. The change was not managed. There were no procedures requiring the students to consult with anyone. Clumps occurred in the chemical, and the student used a mortar and pestle, with a bit of added hexane, to break them up. It detonated (CSB, 2010b).

330

More Incidents that Define Process Safety

Figure 7.6-1. Flammability range of hydrogen, oxygen and carbon dioxide as was handled in the University of Hawaii incident (courtesy UC). Background. University chemistry are often used by graduate students conducting research. This brings together a challenging combination. Research chemistry by definition may include unknowns about the chemistry. Students may have limited experience or be performing experiments that may not have been

Chapter 7 Non-Oil/Chemical Incidents

331

previously researched. Also, the university setting is unlike a refinery or chemical plant. They are not accustomed to addressing process safety on a daily basis. Process. The laboratory work typically involves small experiments of bench-scale processes. What and why it happened. Although the chemistry and incident scenario are different in each of these incidents, there are many similarities at the root cause level. Fundamentally, there was no management of process safety, and thus, none of the protections in place.

7.6.3 Management System Failures I. Commit to Process Safety 1. Process Safety Culture. University laboratories have typically focused on occupational safety and may be unaware of the importance and scope of process safety. The U.S. OSHA regulates general chemical hazards but not process safety in university laboratories. The accountability for process safety in the university laboratories may not be clear. Different laboratories may be managed by different university departments, such that the safety department, focused on personnel safety, provides the only consistency. The research-granting agency does not typically prescribe safety requirements. Similar to industry, it is clear that process safety culture starts at the top. When the leaders, whether of a refinery or a university, put time and effort into managing process safety, so will their staff and students. When they don’t, then the other drivers of production—cost management or technical research challenges—will become the daily focus and overshadow the importance of process safety. In addition to high turnover of students, universities often have high turnover of administrators and a strong focus on safety may be lost in the turnover.

332

More Incidents that Define Process Safety

Figure 7.6-2. Swiss cheese model representing potential failures in university chemical laboratory process safety management (courtesy CSB). Process safety is applicable to and important for university laboratories. For example, some process safety topics might include: process safety information (hazardous mixing grid, safe operating limits, ventilation design); hazards analysis; operating manuals; safe work practices (energy isolation); mechanical integrity; and emergency planning. Refer to Figure 7.6-2. Guidance on laboratory safety in secondary schools and academic institutions is available from the American Chemical Society (ACS, 2018).

Chapter 7 Non-Oil/Chemical Incidents

333

III. Manage Risk 7. Hazard Identification and Risk Analysis. There were many similarities in the RBPS elements that were not addressed in these incidents. At the root, though, is not identifying the hazard or assessing the risk. Without this, there were no specific protections in place. The hazards of changes, such as scaling up the chemistry, were not managed. There were no operating procedures in which to document potential hazards. If you don’t identify the hazards and assess the risks, then you will not have the information necessary to manage those hazards and risks. HIRA is the start of understanding what the hazards are, what barriers may be appropriate, what changes might be in illadvised, and what precautions should be included in guidance. IV. Learn from Experience 17. Incident Investigation. In all three incidents, researchers could have learned from previous university incidents. However, universities typically have no system in place to adequately document previous lessons, communicate them, or learn from incidents that occurred in similar research or laboratories. At University of Hawaii at Manoa, cracking noises had been heard when turning the gauge on/off, and the researcher had been shocked previously. A hydrogen explosion in the Earth and Space Sciences Building at Stony Brook University injured one graduate student and one faculty on May 15, 2014. On December 18, 2015, a hydrogen gas cylinder exploded in a chemistry building at Tsinghua University in China, causing the fatality of a postdoctoral researcher (UC 2016).

334

More Incidents that Define Process Safety

7.7 MARS CLIMATE ORBITER MISHAP, 1999 7.7.1 Summary The Mars Climate Orbiter (MCO) was launched on December 11, 1998, and contact was lost on September 23, 1999, as it entered into an orbit around Mars.

Key Points Stakeholder Outreach – Are you speaking the same language? In large projects and complex operations, it is important that people have the same understanding of relevant terminology and are using the same basis such that all the project/operation parts work safely together. Conduct of Operations – Trust. And verify. Conducting good operations and projects requires managers to trust that the competent people on the job will do a good job. They should also understand that people make mistakes. Thus, they should verify that the job, especially the safety aspects, was completed as planned.

7.7.2 Description Background. The Mars Surveyor '98 program included the Mars Climate Orbiter and the Mars Polar Lander, which were launched separately. The intent was to study the weather on Mars. The MCO would also serve as a communication relay for the Mars Polar Lander (NASA, 2018). Process. The Mars Climate Orbiter includes propulsion and equipment modules. The mass at launch is 629 kg (1,387 lb) which includes 291 kg (642 lb) of propellant. What Happened. The spacecraft reached Mars. It passed behind Mars, and contact was not re-established. Some of the spacecraft commands were in English units instead of being converted to

Chapter 7 Non-Oil/Chemical Incidents

335

metric. A navigation error resulted from some spacecraft commands being sent in English units instead of being converted to metric. Due to this error, the MCO would have entered the Martian atmosphere at the incorrect altitude and would have been destroyed on entry. Why it happened. A simple unit conversion error is why it happened. However, understanding why that unit conversion error happened gets into the root causes. Contributing causes listed in the NASA report are: 1. Undetected mismodeling of spacecraft velocity changes 2. Navigation Team unfamiliar with spacecraft 3. Trajectory correction maneuver number five not performed 4. System engineering process did not adequately address transition from development to operations 5. Inadequate communications between project elements 6. Inadequate operations Navigation Team staffing 7. Inadequate training 8. Verification and validation process did not adequately address ground software (NASA, 1999) 7.7.3 Management System Failures III. Manage Risk 11. Contractor Management. NASA projects include a large array of contractors and subcontractors. Keeping the communications flowing well and the project hand-offs happening seamlessly is challenging. This is the same challenge faced by the oil and gas industry when implementing large projects that involve numerous engineering and construction contractors and subcontractors working around the globe to build a single installation. In both cases, keeping everyone communicating and working together well is required to deliver a successful project.

336

More Incidents that Define Process Safety

15. Conduct of Operations. Building on the large number of contractors, the manner in which projects are managed must be controlled to support those communications and hand-offs. In this NASA case, there were ineffective communications between project elements and teams. The systems in place to verify that the project was proceeding as planned did not address all areas. Projects can take years and many people to design and construct. Often, there are business pressures or simply the desire to see the finished product that pushes people to rush through verification steps. It is important to perform a thorough hazard and risk management assessment. Even topics such as consistent language (units) are identified in verification processes. In a small project, this could be realized as a PSSR. In a large project, it could be seen as a detailed verification and certification program that could take weeks to complete. It is easy to understand the importance of focusing on challenging problems. Human nature draws some people into challenging work. But this does not mean that the simplest of topics, such as unit conversion, can be disregarded.

7.8 OTHER INCIDENTS A number of non-oil/chemical incidents were described in the first edition of this book. Three Mile Island Nuclear Reactor Core Meltdown, Pennsylvania, USA, March 28, 1979 NASA Challenger Disaster, Florida, USA, January 28, 1986 Loss of Space Shuttle Columbia, Texas, USA, February 1, 2003 Massive Dust Explosion at Courrieres Mine, France, March 10, 1906 Chernobyl Nuclear Disaster, USSR, April 26, 1986

Chapter 7 Non-Oil/Chemical Incidents

337

7.9 ADDITIONAL RESOURCES The following books and resources are available for helping to address the topics highlighted in the incidents contained in this chapter. Guidelines for Asset Integrity Management (CCPS 2016). This book is consistent with RBPS and Life Cycle approaches and includes details on failure modes and mechanisms. Also, an example testing and inspection program is included for various types of equipment and systems. Guidance and examples are provided for selecting and maintaining critical safety systems. Guidelines for Chemical Laboratory Safety, American Chemical Society. These publications are intended to help educators at the high school and college level. They are designed to develop knowledge, increase awareness, establish strong foundations, and nurture safety culture.

338

More Incidents that Define Process Safety

Appendix 1 Matrix relating incidents, industries, and RBPS elements

Appendix 1

339

340

More Incidents that Define Process Safety

Appendix 1

341

342

More Incidents that Define Process Safety

References ABET 2015. “Criteria for accrediting engineering programs,” Accreditation Board for Engineering and Technology, Baltimore, MD. ACS 2018. “Guidelines for Chemical Laboratory Safety,” viewed July 30, 2018, www.acs.org/content/acs/en/chemicalsafety/guidelines-for-chemical-laboratory-safety.html, American Chemical Society. AFPM. “Safety Portal Event Sharing Database, American Fuel & Petrochemical Manufacturers,” www.afpm.org/safetyportal (accessed December 1, 2017), Login credentials required. Arm-Tex. Viewed on March 12, 2019. www.arm-tex.com/hamerline-blind-valves.html Arco 1991. “A Briefing on the ARCO Chemical Channelview plant July 5, 1990 accident.” ARCO Chemical Company, January 1990. API 2009, API RP 939-C: “Guidelines for Avoiding Sulfidation (sulfidic) corrosion failures in oil refineries, American Petroleum Institute, Washington, D.C. Barton, J. & Rogers, R. 1997. Chemical Reaction Hazards: A Guide to Safety. Institute of Chemical Engineers, Elsevier, Amsterdam, Netherlands. BBC. “Lagos pipeline blast kills scores.” Viewed May 16, 2018. http://news.bbc.co.uk/2/hi/africa/6209845.stm BEA 2012. “Final Report on the accident on 1st June 2009 to the Airbus A330-203 registered F-GZCP operated by Air France flight AF 447 Rio de Janeiro – Paris.” Bureau d’Enquetes et d’Analyses pour la securite de l’aviation civile, July 2012. Bills, Kym and Agostini, David. 2009. “Varanus Island incident investigation,” Government of Western Australia, June. www.slp.wa.gov.au/salesinfo/varanusinquiry.pdf

References

343

BP 2010. “Deepwater Horizon Accident investigation report.” British Petroleum, London, UK, September 8, 2010. Bretherick, L. & Urben, P. 2006. Bretherick's handbook of reactive chemical hazards (seventh edition), Elsevier Ltd., Oxford, UK. Buncefield 2008. “The Buncefield incident, 11 December 2005: the final report of the major incident investigation board,” UK Health and Safety Executive. (www.hse.gov.uk/comah/buncefield/miib-final-volume1.pdf) CalEPA 2014, “Improving public and worker safety at oil refineries, Report of the Interagency Working Group on Refinery Safety.” Sacramento, CA., February. CCPS 1995. “Guidelines for Chemical Reactivity Evaluation and Application to Design.” Center for Chemical Process Safety of the American Institute of Chemical Engineers, New York, NY. CCPS 1998. “Guidelines for Safe Warehousing of Chemicals.” Center for Chemical Process Safety of the American Institute of Chemical Engineers, New York, NY. CCPS 2003. Essential Practices for Managing Chemical Reactivity Hazards. Center for Chemical Process Safety of the American Institute of Chemical Engineers, New York, NY. CCPS 2004. A Checklist for Inherently Safer Chemical Reaction Process Design and Operation, Center for Chemical Process Safety of the American Institute of Chemical Engineers, New York, NY. CCPS 2006. Guidelines for Mechanical Integrity Systems. Center for Chemical Process Safety of the American Institute of Chemical Engineers, New York, NY. CCPS 2005. Building Process Safety Culture Toolkit, www.aiche.org/ccps/topics/elements-processsafety/commitment-process-safety/process-safetyculture/building-safety-culture-tool-kit. Center for Chemical Process Safety of the American Institute of Chemical Engineers, New York, NY.

344

More Incidents that Define Process Safety

CCPS 2007. Guidelines for Risk Based Process Safety. Center for Chemical Process Safety of the American Institute of Chemical Engineers, New York, NY. CCPS 2007a. Human Factors Methods for Improving Performance in the Process Industries. Center for Chemical Process Safety of the American Institute of Chemical Engineers, New York, NY. CCPS 2008. Incidents that Define Process Safety. Center for Chemical Process Safety of the American Institute of Chemical Engineers, New York, NY. CCPS 2008a. Guidelines for Chemical Transportation Safety, Security and Risk Management. Center for Chemical Process Safety of the American Institute of Chemical Engineers, New York, NY. CCPS 2009. Inherently safer chemical processes. Center for Chemical Process Safety of the American Institute of Chemical Engineers, New York, NY. CCPS 2011. Guidelines for Vapor Cloud Explosion, Pressure Vessel Burst, BLEVE and Flash Fire Hazards, 2nd Edition. Center for Chemical Process Safety of the American Institute of Chemical Engineers, New York, NY. CCPS 2012. Guidelines for Engineering Design for Process Safety, 2nd Edition. Center for Chemical Process Safety of the American Institute of Chemical Engineers, New York, NY. CCPS 2012a. Guidelines for Evaluation Process Plant Building for External Explosions, Fires, and Toxic Releases, 2nd Edition. Center for Chemical Process Safety of the American Institute of Chemical Engineers, New York, NY. CCPS 2016. Guidelines for Asset Integrity Management. Center for Chemical Process Safety of the American Institute of Chemical Engineers, New York, NY. CCPS 2017. Guidelines for Pressure Relief and Effluent Handling Systems, 2nd Edition (CCPS 2017). Center for Chemical Process Safety of the American Institute of Chemical Engineers, New York, NY.

References

345

CCPS 2017a. Guidelines for Combustible Dust Hazard Analysis (CCPS 2017). Center for Chemical Process Safety of the American Institute of Chemical Engineers, New York, NY. CCPS 2019. Risk Analysis Screening Tool (RAST) and Chemical Hazard Engineering Fundamentals (CHEF). Center for Chemical Process Safety of the American Institute of Chemical Engineers and European Process Safety Center, New York, NY. CEP 2015. “Lessons Learned from Recent Process Safety Incidents.” Al Ness, Chemical Engineering Progress, March 2015. American Institute of Chemical Engineers, New York, N.Y. Chemistry World. “Questions remain after huge hydrofluoric acid leak.” Viewed February 26, 2019. www.chemistryworld.com/news/questions-remain-afterhuge-hydrofluoric-acid-leak/5611 Crowl, Daniel A. 2003. Understanding explosions. Center for Chemical Process Safety of the American Institute of Chemical Engineers, New York, NY. CSB. “DuPont La Porte Facility Toxic Chemical Release Interim Recommendations.” Chemical Safety Hazard and Investigation Board. Viewed 19 February 2018. www.csb.gov/dupont-laporte-facility-toxic-chemical-release-/ CSB. “CITGO HF Release and Fire in Corpus Christi, Texas Text of Urgent Recommendations.” Chemical Safety Hazard and Investigation Board. Viewed 26 February 2018, www.csb.gov/citgo-refinery-hydrofluoric-acid-release-andfire/ CSB 2002. “Improving Reactive Hazard Management.” Chemical Safety and Hazard Investigation Board, Investigation Report, Report No. 2001-01-H, October. (www.csb.gov/investigations). CSB 2003. “Safety Bulletin – Hazards of nitrogen asphyxiation.” Chemical Safety and Hazard Investigation Board - Board Safety Bulletin, 2003-10-B, June. www.csb.gov/assets/1/19/SBNitrogen-6-11-03.pdf

346

More Incidents that Define Process Safety

CSB 2003b. “Investigation Report Chlorine Release” DPC Enterprises, L.P. Chemical Safety Hazard and Investigation Board, Report No. 2002-04-I-MO, May 2003. CSB 2003c. “Investigation Report Hydrogen Sulfide Poisoning Georgia-Pacific Naheola Mill.” Chemical Safety Hazard and Investigation Board, Report No. 2002-01-I-AL, January 2003. CSB 2004. “Sodium Hydrosulfide: Preventing Harm.” Chemical Safety Hazard and Investigation Board, Safety Bulletin No. 2003-03-B, reprinted November 2004. CSB 2007. “Runaway chemical reaction and vapor cloud explosion.” Chemical Safety and Hazard Investigation Board, Investigation Report, Report No. 2006-04-I-NC, July 31. (www.csb.gov/investigations). CSB 2008. “LPG fire at Valero – McKee Refinery, Chemical Safety and Hazard Investigation” Board, Investigation Report, Report No. 2007-05-I-TX, July. (www.csb.gov/investigations). CSB 2009. “T2 Laboratories, Inc. runaway reaction, Chemical Safety and Hazard Investigation” Board, Investigation Report, Report No. 2008-3-I-FL, September. (www.csb.gov/investigations). CSB 2009a. “Sugar dust explosion and fire, Chemical Safety and Hazard Investigation” Board, Investigation Report, Report No. 2008-3-I-FL, September. (www.csb.gov/investigations). CSB 2009c. “Safety Bulletin: Dangers of Purging Gas Piping into Buildings.” Chemical Safety and Hazard Investigation Board, Investigation Report, Report No. 2009-12-NC, September. CSB 2009c. “Urgent recommendations.” Chemical Safety and Hazard Investigation Board, Investigation Report, December 9. CSB 2010. “Urgent Recommendations.” Chemical Safety and Hazard Investigation Board, June 28.

References

347

CSB 2010b. “Texas Tech University Laboratory Explosion.” Chemical Safety Hazard and Investigation Board, Report No. 2010-05-I-TX, October 19, 2011. CSB 2011. “West fertilizer company fire and explosion.” Chemical Safety and Hazard Investigation Board, Investigation Report, Report No. 2008-05-I-GA, September. (www.csb.gov/investigations). CSB 2011b. “Hoeganaes corporation metal dust fires and hydrogen explosion.” Chemical Safety and Hazard Investigation Board, Case Study, Report No. 2011-04-I-TN, December. (www.csb.gov/investigations). CSB 2011c., “Heat exchanger rupture and ammonia release in Houston, Texas.” Chemical Safety and Hazard Investigation Board, Case Study, Report No. 2008-06-I-TX, January. (www.csb.gov/investigations). CSB 2011d. “Investigation Report E.I. DuPont de Nemours & Co., Inc., Belle, West Virginia.” Chemical Safety Hazard and Investigation Board, Report No. 2010-6-I-WV. September 2011. CSB, 2011e. “Experimenting with Danger, Chemical Safety Hazard and Investigation Board.” Viewed June 11, 2018, www.csb.gov/videoroom/detail.aspx?VID=61 CSB 2013. “Williams Geisner olefins plant: reboiler rupture and fire.” Chemical Safety and Hazard Investigation Board, Case Study, Report No. 2013-03-I-LA, June 5. (www.csb.gov/investigations). CSB 2013a. “Powerpoint presentation on hazards.” Chemical Safety and Hazard Investigation Board, www.csb.gov/assets/1/19/Nitrogen_Asphyxiation_Bulletin_Tr aining_Presentation.pdf CSB 2103b. “High-pressure vessel rupture.” Chemical Safety and Hazard Investigation Board, Case Study, Report No. 2010-04I-IL, November. (www.csb.gov/investigations).

348

More Incidents that Define Process Safety

CSB 2014a. “Explosion and fire at the Macondo Well; Overview.” Chemical Safety and Hazard Investigation Board, Case Study, Report No. 2010-10-I-OS, June 5. (www.csb.gov/investigations). CSB 2014b. “Explosion and fire at the Macondo Well; Vol. 1, Macondo-specific incident events.” Chemical Safety and Hazard Investigation Board, Case Study, Report No. 2010-10I-OS, June 5. (www.csb.gov/investigations). CSB 2014c. “Explosion and fire at the Macondo Well; Vol. 2, Technical findings on the Deepwater Horizon blowout preventer (BOP).” Chemical Safety and Hazard Investigation Board, Case Study, Report No. 2010-10-I-OS, June 5. (www.csb.gov/investigations). CSB 2014d. “Explosion and fire at the Macondo Well; Vol 3, Human, organizational and safety system factors of the Macondo blowout.” Chemical Safety and Hazard Investigation Board, Case Study, Report No. 2010-10-I-OS, June 5. (www.csb.gov/investigations). CSB 2015. “Chevron Richmond refinery pipe rupture and fire.” Chemical Safety and Hazard Investigation Board, Case Study, Report No. 2012-03-I-CA, January. (www.csb.gov/investigations). CSB 2015b. “Caribbean Petroleum tank terminal explosion and multiple tank fires.” Chemical Safety and Hazard Investigation Board, Case Study, Report No. 2010.01.I.PR, October. (www.csb.gov/investigations). CSB 2015c. “Key Lessons for Preventing Hydraulic Shock in Industrial Refrigeration Systems Anhydrous Ammonia Release at Millard Refrigerated Services, Inc.” Chemical Safety Hazard and Investigation Board, Report No. 2010-13-A-AL, January 2015. CSB 2015d. “Transcript 30015_DuPont Public Meeting (9-302015).” Chemical Safety Hazard and Investigation Board, viewed 21 February 2018, www.csb.gov/assets/1/19/Transcript9.pdf

References

349

CSB 2016. “Pesticide chemical runaway reaction: pressure vessel explosion.” Chemical Safety and Hazard Investigation Board, Investigation Report, Report No. 2013-02-I-TX, January. (www.csb.gov/investigations). CSB 2017. “Investigation Report. Chemical Spill Contaminates Public Water Supply in Charleston, West Virginia.” Chemical Safety Hazard and Investigation Board, Report No. 2014-01-IWV, May 2017. DowWolff. “Nitrocellulose Storage and Handling.” DowWolff Cellulosics, (http://msdssearch.dow.com/PublishedLiteratureDOWCOM/ dh_08a6/0901b803808a67fc.pdf?filepath=/82200001.pdf&fromPage=GetDoc) DOJ 2015. “U.S. and five Gulf States reach historic settlement with BP to resolve civil lawsuit over Deepwater Horizon oil spill.” Department of Justice, Office of Public Affairs, October 5. (www.justice.gov/opa/pr/us-and-five-gulf-states-reach-historicsettlement-bp-resolve-civil-lawsuit-over-deepwater) DOJ 2015b. “Georgia-Based Millard Refrigerated Services to Pay $3 Million Civil Penalty for Ammonia Release that Sickened Workers Responding to Deepwater Horizon Oil Spill.” Department of Justice Office of Public Affairs, viewed 7 March 2018, www.justice.gov/opa/pr/georgia-based-millardrefrigerated-services-pay-3-million-civil-penalty-ammoniarelease DuPont. “La Porte Investigation Report Investigation Summary.” Viewed 19 February 2018, www.laporteinvestigationreport.com/summary.html. DOT 2015. “Rule Summary: Enhanced Tank Car Standards and Operational Controls for High-Hazard Flammable Trains.” Department of Transportation, viewed April 11, 2018, www.transportation.gov/mission/safety/rail-rule-summary Dunning, 2009. “Train Wreck and Chlorine Spill in Graniteville South Carolina.” Transportation Research Record Journal of

350

More Incidents that Define Process Safety the Transportation Research Board 2009, DOI: 10.3141/200917, viewed April 11, 2019, www.transportation.gov/sites/dot.dev/files/docs/DISASTER_R ECOVERY_TrainWreckChlorineSpillGranitevilleSC.pdf

Ellis, Ralph. 2016. "Fire that led to Texas fertilizer blast set on purpose, officials say." www.cnn.com. CNN. Retrieved May 11, 2016. EO 2013. “Executive Order 13650 Improving Chemical Facility Safety and Security.” White House, Washington D.C., August 1. FMG 2013. “Prevention and mitigation of combustible dust explosion and fire.” FM Global Data Sheet 7-76, Johnston, RI. GIIP 2011. “Upper Big Branch The April 5, 2010, explosion: a failure of basic coal mine safety practices.” Report to the Governor, Governor’s Independent Investigation Panel, May 2011. Gustin 2001. “How the study of accident case histories can prevent runaway reaction accidents to occur again.” IChemE Symposium series No. 148. Hernandez, J.C. 2016. “Tianjin explosions were result of mismanagement, China finds.” New Yok Times, Feb. 5. HSE 1994. The Fire at Hickson & Welch ltd. UK Health and Safety Executive, ISBN 071760702X, Sudbury, UK. HSE 2009. Designing and operating safe chemical reaction processes. UK Health and Safety Executive. HSE 2009a. Buncefield Explosion Mechanism Phase 1, Vols. 1 and 2. UK Health and Safety Executive. www.hse.gov.uk/research/rrpdf/rr718.pdf HSE 2012. Flammable vapour cloud risks from tank overfilling incidents. RR 937, UK Health and Safety Executive. HSE 2017. Review of vapour cloud explosion incidents. UK Health and Safety Executive. Huang, P. and & Zhang, J. 2015. “Facts related to August 12, 2015 explosion accident in Tianjin, China.” Process Safety Progress, Vol.34, No.4, December.

References

351

HoustonPress. 2016. “DuPont Will Shutter La Porte Plant Where Chemical Leak Killed 4 Workers.” Viewed 7 March 2018. www.houstonpress.com/news/dupont-will-shutter-la-porteplant-where-chemical-leak-killed-4-workers-8291326 IAEA 2015. The Fukushima Daiichi Accident. Technical Volume 1/5 Description and Context of the Accident, ISBN 978–92–0– 107015–9 (set), International Atomic Energy Agency, August 2015. IChemE 2016. “The Sandoz warehouse fire 30 years on.” Issue 251, viewed March 21, 2018. www.icheme.org/shop/lpb/2016/issue%20251/the%20sando z%20warehouse%20fire%2030%20years%20on.aspx ICIS 2013. “US Williams eyes $343 million claim from Geismar business interruption loss.” ICIS, October 13. www.icis.com/resources/news/2013/10/31/9721150/uswilliams-eyes-343m-claim-from-geismar-businessinterruption-loss/ Jacobs, A., Hernandez, J.C. & Buckley, C. 2015. “Behind deadly Tianjin blast, shortcuts and lax rules.” New York Times, Aug. 30. Johnson and Lodal. 2003. “Screen your facilities for chemical reactivity hazards.” Chemical Engineering Progress, pp. 50-58, August. Johnson, D.M. 2012. “Vapor cloud explosion at the IOC terminal in Jaipur.” IChemE Symposium Series No. 158. Hazards XXIII. www.icheme.org/communities/special-interestgroups/safety%20and%20loss%20prevention/resources/haz ards%20archive/hazards%20xxiii.aspx Kepplinger H.M., Hartung U. 1995. "Störfall – Fieber. Wie ein Unfall zum Schlüsselereignis einer Unfallserie wird." Alber-BroschurKommunikation. Verlag Karl Alber GmbH, Freiburg/München. Korea Institute of Public Administration. “Case Study of Collaborative Governance in Korea: National Institute of Chemical Safety.” Viewed 26 February 2018.

352

More Incidents that Define Process Safety http://oecdkorea.org/common/attachfile/attachfileDownload .do?attachNo=00002828

Kwon 2016. “System Theoretic Safety Analysis of the Sewol-Ho Ferry Accident in South Korea. Yisug Kwon”, Submitted to the System Design and Management Program in Partial Fulfillment of the Requirements for the Degree of Master of Science in Engineering and Management at the Massachusetts Institute of Technology, February 2016. Lexis/Nexis. 2016. “Workers Injured In Chemical Plant Explosion Obtain $30 Million Verdicts In Two Louisiana State Court Trials Against Plant Owners/Operators.” LexisNexis December 8. www.lexisnexis.com/jvsubmission/b/case_of_week/archive/2 016/12/08/workers-injured-in-chemical-plant-explosionobtain-30-million-verdicts-in-two-louisiana-state-court-trialsagainst-plant-owners-operators.aspx?Redirected=true Marmo, L., Piccinni, N., Russo, G., Russo, P., Munaro, L. Multiple tank explosions in an edible oil refinery plant: A case study. Chemical Engineering Technology, V. 36, No. 7, p.1131-1137. MIIB 2008a. “The Buncefield incident, Vol. 1.” Major Incident Investigation Board, MIIB 2008b. “The Buncefield incident, Vol. 1.” Major Incident Investigation Board, MOM 2011. “Update on MOM’s investigation on fire at Pulau Bokum.” Singapore Ministry of Manpower Press Release, 2October. www.mom.gov.sg/newsroom/pressreleases/2011/update-on-moms-investigation-on-fire-atpulau-bukom MOM 2011b. “Shell fined $80,000 for 2011 Pulau Bokum refinery fire.” Singapore Ministry of Manpower Press Release, 29October. www.mom.gov.sg/newsroom/pressreleases/2012/shell-fined-80000-for-2011-pulau-bukomrefinery-fire MoPNG Committee. 2010. Constituted by Govt. of India. Independent Inquiry Committee, Report on Indian Oil

References

353

Terminal Fire at Jaipur on 29th October 2009; completed 29th January 2010. Available from http://oisd.nic.in, accessed 19 August 2013. NACE International. 2010. “Stress Corrosion Cracking, NACE Resource Center.” Retrieved from: http://events.nace.org/library/corrosion/Forms/scc.asp. NAIIC 2012. “The official report of The Fukushima Nuclear Accident Independent Investigation Commission.” The National Diet of Japan, 2012. NCSL 2015. “Transporting Crude Oil by Rail: State and Federal Action.” National Conference of State Legislatures, October 30, 2015, viewed April 10, 2018, www.ncsl.org/research/energy/transporting-crude-oil-by-railstate-and-federal-action.aspx NFPA 2015. “NFPA 484 Standard for Combustible Metals.” National Fire Protection Association, Quincy, MA. NFPA 2017a. “NFPA 497 Recommended Practice for the Classification of Flammable Liquids, Gases, or Vapors of Hazardous (Classified) Locations for Electrical Installations in Chemical Process Areas.” National Fire Protection Association, Quincy, MA. NASA 1999. “Mars Climate Orbiter Mishap Investigation Board Phase I Report.” National Aeronautics and Space Administration, November 10, 1999 NASA 2018. Mars Climate Orbiter. NASA Space Science Data Coordinated Archive, viewed June 12, 2018, nssdc.gsfc.nasa.gov/nmc/spacecraftDisplay.do?id=1998-073A NTSB 1998. Hazardous Material Accident Brief. National Transportation Safety Board, Accident No. DCA-96-MZ-001, January 27, 1998. NTSB 2002. Pipeline Rupture and Subsequent Fire in Bellingham, Washington June 10 1999. Pipeline Accident Report NTSB/PAR01/02 PB2002-916502, October 8, 2002.

354

More Incidents that Define Process Safety

NTSB 2005. Collision of Norfolk Southern Freight Train 192 with Standing Norfolk Southern Local Train P22 With Subsequent Hazardous Materials Release at Graniteville, South Carolina. National Transportation Safety Board, NTSB/RAR-05/04, January 6, 2005. NTSB 2007. Pipeline Accident Brief. National Transportation Safety Board, Accident No. DCA05-MP001, June 14, 2007. NTSB 2011. Pacific Gas and Electric Company Natural Gas Transmission Pipeline Rupture and Fire, San Bruno, California, September 9, 2010. National Transportation Safety Board, Accident Report NTSB/PAR-11/01 PB2011-916501, August 20, 2011. NTSB 2015. Improve Rail Tank Car Safety. National Transportation Safety Board. Viewed April 11, 2018, www.ntsb.gov/safety/mwl/Pages/mwl5_2015.aspx NZ Royal Commission. 2012. Royal Commission on the Pike River Coal Mine Tragedy Volume 1 + Overview, ISBN: 978-0-47710378-7, Wellington, New Zealand, October 2012. NFPA 2017b. NFPA 499, Classification of Combustible Dusts and of Hazardous (Classified) Locations for Electrical Installation in Chemical Process Areas. National Fire Protection Association, Quincy, MA. OGJ 1991. “ARCO spells out cause of Channelview blast.” Oil and Gas Journal, January 14. OSHA 1992. Process Safety Management of Highly Hazardous Chemicals; explosives and blasting agents. Federal Register 1992, Vol. 57, No. 36, February 24. OSHA 1998. 29 CFR 1910.109, Blasting and Explosive Agents, Federal Register 33450, June 18. OSHA 1999. Technical Manual – Section IV: Chapter 2 – Petroleum Refining Process, www.osha.gov/dts/osta/otm/otm_iv/otm_iv_2.html

References OSHA 2019. Confined Spaces, viewed April 23, www.osha.gov/SLTC/confinedspaces/index.html.

355 2019,

PHMSA. Damage Prevention. Pipeline and Hazardous Materials Safety Administration, viewed May 17, 2018, primis.phmsa.dot.gov/comm/DamagePrevention.htm PHMSA 2017. A Study on Improving Damage Prevention Technology. US Department of Transportation, Pipeline and Hazardous Materials Safety Administration, August 3, 2017. Qureshi, Tamara. Fatal Toxic Chemical Release at DuPont, U.S. Chemical Safety and Hazard Investigation Board, presented at AIChE 15th. Sandia 2015. Literature Survey of Crude Oil Properties Relevant to Handling and Fire Safety in Transport. Sandia National Laboratories, SAND2015-1823, March 2015. Shutterstock 2015. www.shutterstock.com/editorial/imageeditorial/huge-explosion-rocks-chinese-port-city-of-tianjin-china15-aug-2015-10223415a Standards Australia. 1995. Australian Standard The storage and handling of oxidizing agents. Standards Australia, AS 43261995, ISBN 0 7262 9909 X, 1 The Cresent, Hoebush, NSW 2140, September 1995. Swiss Re Institute 2017. "Natural catastrophes and man-made disasters in 2016: a year of widespread damages." 10-February. http://media.swissre.com/documents/sigma2_2017_en.pdf. Savannahnow 2018. Imperial Sugar tragedy: Repercussions continue 10 years later, Savannah Morning News, February 6, 2018, viewed at www.savannahnow.com/news/2018-0206/imperial-sugar-tragedy-repercussions-continue-10-yearslater. Sax 2012. Sax's dangerous properties of industrial materials, 12th Edition. Richard Lewis, Wiley & Sons, New York, NY. Stuff 2010. Pike River Disaster: Yellow ribbons of hope. Viewed June 8, 2018. http://static.stuff.co.nz/files/minegraphic.jpg.

356

More Incidents that Define Process Safety

TAABMU 1994. "Leitfaden Erkennen und Beherrschen exothermer chemischer Reaktionen (Guidance recognizing and mastering exothermic chemical reactions)." Technischer Ausschuss für Anlagensicherheit (Technical Committee on Plant Safety). TAA-GS-05, December 4. TO 2011. Macondo Well incident. Transocean Investigation Report, Vol. 1, June. Tremblay, J. 2016. “Chinese investigators identify cause Of Tianjin explosion.” Chemical and Engineering News, February 8. TSB 2013. Transportation Safety Board of Canada Railway Investigation Report R13D0054 Runaway and Main-Track Derailment Montreal, Maine & Atlantic Railway Freight Train MMA-002 Mile 0.23, Sherbrooke Subdivision, Lac-Megantic. Transportation Safety Board of Canada, Quebec, 06 July 2013. UC 2016. Report to the University of Hawaii at Manoa on the Hydrogen/Oxygen Explosion of March 16, 2016. UC Center for Laboratory Safety, June 29, 2016. UCLA, 2009. Report to the Chancellor on UCLA Laboratory Safety. University of California at Los Angeles, July 2009. UCLA Newsroom, 2009. Campus receives finding in lab death, recommits to safety. Office of Media Relations, May 4, 2009, viewed June 11, 2018, http://newsroom.ucla.edu/releases/campus-accepts-findingin-lab-90542 White, Ronald. 2015.“UPDATE: Freedom Industries Executives Plead Guilty to...” Viewed 7 March 2018. www.foreffectivegov.org/almost-heaven-west-virginia... USEPA. 1996. Chemical Incident Investigation Report. Terra Industries Inc., Nitrogen Fertilizer Facility, Port Neal, IA, EPA, September. USEPA. 2015. Chemical Advisory, safe storage and handling of solid ammonium nitrate prills. EPA 550-F-15-001, June.

References

357

USEPA 2015a. How to better prepare your community for a chemical emergency. EPA 550-F-15-002, June. USEPA2015b. "Climate Action Benefits: Inland Flooding." 22 June. www.epa.gov/cira/climate-action-benefits-inland-flooding. Vivienne Zeng. August 2015. "3,000 tonnes of dangerous chemicals were stored at Tianjin explosion site, say police." Hong Kong Free Press, August 18. Wikipedia. “2014 Kaohsiung gas explosions.” Viewed May 16, 2018. en.wikipedia.org/wiki/2014_Kaohsiung_gas_explosions WVOMHS&T. Upper Big Branch Mine Disaster Investigative Report Summary. West Virginia Office of Miners’ Health, Safety and Training, Charleston, VW. Young, G. and Oelner, J. 2017. “Don’t do this!” Chemical Engineering Progress, p. 46-53, January.

358

More Incidents that Define Process Safety

INDEX

Air France AF 447, 331 Concorde, 335 ARCO Channelview, 69, 71 Asset Integrity and Reliability, 46, 71, 74, 98, 116, 124, 157, 158, 174, 178, 188, 199, 201, 205, 218, 232, 240, 246, 250, 269, 274, 276, 277, 283, 308, 318, 324, 327, 330 Auditing, 49, 275, 290, 294 Azote de France, Toulouse, 100 Bartlo Packaging, Inc., 100 Bayer CropScience, 101 Bhopal, 37, 39, 42, 230, 264, 300 Big Branch Coal Mine, 357, 358, 359, 360 BLSR Operating Ltd., 105, 106, 134-140, 218 BP Grangemouth, UK, 226 Texas City, TX, 226 Buncefield Depot, 147-159, 163 CAPECO Storage Tank, Puerto Rico, 157, 159 Celanese Pampa, 166, 168, 171 Challenger, FL, 334, 372 Chemical Safety and Hazard Investigation Board (CSB), 14, 39, 41, 53, 55, 57, 58, 62-64, 74, 75, 79, 82, 100, 101, 105, 112-116, 122, 138, 141, 158, 184, 185, 187, 190, 192, 196, 197, 207, 211, 219, 224, 231, 237, 239, 242, 245, 249, 250, 267, 284, 290, 362 Chernobyl, USSR, 39, 372 Chevron Richmond, 115, 117, 122, 124, 126 CITGO, Corpus Christi, 105, 106, 141, 290, 291, 293, 294, 378 Columbia, TX, 335, 372 Combustible dust, 41, 105, 108, 113, 114, 181, 182, 185, 188-191, 196, 228

Index

359

Commit to Process Safety, 43, 44, 61, 67, 73, 81, 87, 97, 112, 122, 132, 139, 155, 171, 187, 197, 204, 210, 224, 238, 250, 272, 297, 308, 313, 330, 343, 349, 360, 366 Compliance with Standards, 44, 61, 81, 86, 87, 97, 105, 106, 112, 123, 127, 132, 135, 139, 150, 155, 187, 198, 204, 210, 219, 224, 238, 246, 250, 269, 272, 295, 297, 304, 308 ConAgra Foods, 207, 208 Concept Sciences, Inc., 100 Conduct of Operations, 14, 24, 48, 50, 66, 68, 160, 164, 173, 178, 179, 183, 189, 199, 241, 310, 313, 314, 317, 327, 330-333, 347, 350, 360, 369, 372 Contractor Management, 46, 140, 233, 240, 352, 355, 370 Courrieres Mine, France, 372 Deepwater Horizon, 230-233, 240-243, 252 DPC Enterprises, 276, 278-283 DuPont Belle Plant, 267, 269, 272, 274 LaPorte Plant, 259 Elf Refinery, France, 226 Emergency isolation valves, 15, 25, 105, 133, 134 Emergency Management, 48, 63, 76, 84, 116, 124, 158, 160, 165, 214, 246, 251, 253, 259, 266, 275, 277, 284, 286, 289, 290, 293, 295, 299, 304, 309, 310, 313, 314, 317, 319, 325, 346, 347, 351, 356, 361 Engineering design, 51, 199, 241, 242 Erika, France, 300 Exxon Valdez, AK, 333, 334 Flash Airlines, Egypt, 335 Flight TS 236, Atlantic, 335 Freedom Industries, Inc., 244-246, 248, 249, 250, 251 Fukushima Daiichi Nuclear Plant, 338, 339, 343, 344, 346 Gaylord Chemical, 314-317 Georgia-Pacific, 284, 286 Goodyear, TX, 180 Hayes Lemmerz, 147, 191, 196, 197, 198, 199 Hazard Identification and Risk Analysis, 16, 45, 46, 58, 62, 84, 88, 92, 97, 103, 127, 133, 156, 168, 171, 188, 198, 199, 214, 218, 253, 257, 260, 265, 273, 286, 288, 324, 331, 333, 339, 343, 363, 368

360

More Incidents that Define Process Safety

Herald of Free Enterprise, 334 Hickson & Welch, 93-96, 98 Hindenburg, NJ, USA, 335 HMS Glasgow, UK, 334 Hoechst Griesheim, 64 Hoeganaes Corporation, 41, 105-115 Hube Global, South Korea, 294-299 Human Factors Methods for Improving Performance in the Process Industries, 50 Imperial Sugar, 41, 147, 181, 184, 187-189, 197, 388 Incident Investigation, 17, 27, 49, 58, 61, 63, 106, 114, 148, 183, 189, 191, 200, 208, 212, 219, 224, 242, 269, 275, 363, 368 Jaipur Lub. Terminal, 147, 155, 157, 159, 162, 267 K-Boats, Submarines, 334 Kleen Energy Systems, 207, 209 Kletz, Trevor, 42, 50 Learn from Experience, 43, 49, 63, 114, 189, 199, 212, 224, 242, 275, 294, 357, 361, 368 Macondo Well, 231, 233, 238, 239, 240, 242, 244, 380, 388 Manage Risk, 43, 46, 63, 68, 73, 84, 93, 98, 124, 134, 140, 157, 164, 173, 178, 188, 199, 205, 212, 218, 240, 250, 259, 265, 274, 283, 289, 293, 299, 308, 313, 316, 324, 330, 333, 346, 350, 355, 360, 368, 370 Management of Change, 18, 28, 48, 63, 94, 100, 134, 157, 178, 189, 199, 235, 238, 240, 241, 257, 266, 269, 272, 275, 289 Management Review and Continuous Improvement, 49, 353, 357 Marathon Oil Refinery, TX, USA, 300 Mars Climate Orbiter, 17, 369, 370, 386 Measurement and Metrics, 49, 357, 361 Millard Refrigerated Service, 252, 254-257, 259, 381, 382 MMA Railroad, 309 MMA Railway, 17, 303, 305, 306, 308, 309, 389 Morton International, Inc., 100 Motiva International, Inc., 226, 300 Napp Technologies, Inc., 100 NDK Crystal, 18, 146, 219-222, 224, 225 Nissan, Japan, 100 Norfolk Southern Rail, 310-312, 386

Index

361

Oil storage tank, Italy, 213 Operating Procedures, 29, 46, 50, 89, 93, 98, 135, 140, 157, 174, 178, 199, 240, 260, 265, 270, 289, 316 Operational Readiness, 29, 48, 352, 356 Pemex LPG Terminal, Mexico, 226 PG&E Pipeline, 19, 318-322, 324, 325 Phillips Pasadena, 226 Pike River Coal Mine, 352 Piper Alpha Platform, UK, 226 Port Neal, IA, 89, 146, 389 Process Knowledge Management, 30, 45, 83, 113, 140, 188, 190, 198, 217, 252, 257, 264, 318, 324 Process Safety Competency, 45, 57, 61, 66, 67, 71, 73, 106, 168, 171, 183, 187, 198, 200, 205, 208, 210, 272, 338, 343 Process Safety Culture, 31, 44, 50, 61, 76, 81, 85, 87, 116, 122, 149, 155, 158, 200, 204, 212, 219, 224, 232, 238, 346, 349, 357, 360, 363, 366, 376 Reactive chemical incidents, 55, 72, 100, 101 Risk Based Process Safety, 20, 32, 43, 44, 49, 50, 51, 53, 81, 166, 188, 224, 300, 335, 368, 373, 374 Rohm & Haas Road Tanker, 100 Safe Work Practices, 21, 32, 46, 214 Sandoz warehouse incident, 230 Seveso, Italy, 230, 300 Sewol Ferry, South Korea, 346, 347, 348, 350, 351 Shell Refinery, Singapore, 141 Stakeholder Outreach, 45, 83, 297, 302, 310, 313, 327, 330, 338, 343, 369 Synthron LLC, 100 T2 Laboratories, Inc., 52, 56, 58, 60, 64, 378 Texaco Oil Refinery, UK, 226 Three Mile Island, PA, 372 Tianjin, China, 85, 87 Titanic, North Atlantic, 39, 334 Total FCCU, France, 226 Training and Performance Assurance, 47, 50, 68, 189, 199, 350 TWA Flight 800, USA, 335

362

More Incidents that Define Process Safety

Understand Hazards and Risk, 43, 45, 62, 83, 92, 97, 133, 139, 156, 171, 188, 198, 217, 257, 264, 273, 288, 324, 333, 343 University laboratory incidents, 379 Valero-McKee, 105, 128 Varanus Island, Australia, 147, 201, 202, 204-206 West Fertilizer Company, TX, 41, 74, 75, 76, 77, 81, 146 Williams Olefins, 174 Workforce Involvement, 45, 50

WILEY END USER LICENSE AGREEMENT Go to www.wiley.com/go/eula to access Wiley’s ebook EULA.