Lessons Learned from Past Accidents




II.1 LESSONS LEARNED FROM PAST ACCIDENTS

Andrew G. Rushton

This section aims - in the form of a selection of "milestone" major industrial accidents - to restate some of the lessons that can be learned from past major industrial accidents, to emphasise that the opportunity to learn many of these lessons recurs and to link some of these lessons to the provisions of the 'Seveso II Directive' [1]. Some of the lessons that can be learned from four major industrial accidents (at Flixborough, Seveso, Bhopal, and on the Piper Alpha platform) are presented. Despite the variety of the accident locations, the intended activities and the immediate causes of the accidents, the strong overlap between the lessons that can be learned is clear. The ability to prevent major accidents relies not only on good technical abilities but also on the combination of several general principles. These include inherently safer design, defence in depth, safety management and planning for control and mitigation. These principles are applicable to all sectors of the process industry. Whilst, of course, there will continue to be new lessons to be learned, it can be expected that the next major industrial accident in Europe will present some of the same lessons that we have already had the opportunity to learn. The avoidance of major accidents requires the widespread application of the general lessons learned from past accidents, as well as the widespread communication of the more specific lessons applicable to particular activities. The 'Seveso Directive' aims to achieve both of these objectives. The relationships between some of the lessons that can be learned from past accidents and the provisions of the Directive are presented.

1. OBJECTIVE AND INTRODUCTION

A short reminder of the salient features of four major accidents will be presented, along with a selection of the lessons that can be learned. A detailed analysis of the accidents and a comprehensive account of the lessons that can be learned is not the objective here. References to more complete descriptions of the accidents are cited below. The "lessons learned" that are presented draw largely on the description of each incident given in reference [2]. The major accidents which will be considered are those which occurred at Flixborough [3], Seveso [4,5] and Bhopal [6-8] and on the Piper Alpha platform [9,10]. These four accidents have been highly influential in the formulation of public opinion and policy, in Europe and throughout the world. There is no intention to suggest that the lessons to be learned from other accidents are less significant, but these four are sufficient to the purpose of this discussion. It should also be emphasised that many lessons can be learned from accidents with few or no tragic consequences, but tragedy undoubtedly spurs the mobilisation of resources aimed at defining the lessons to be learned and creates a willingness to learn in the community.

There are substantial differences between the accident locations, the intended activities carried out on each site and the technicalities of the immediate causes of the accidents. Nevertheless, it will clearly be seen that there is significant overlap between the lessons that can be learned from each and all of these disasters. There are a number of principles which are generally applicable to the avoidance of major accidents and some of these are briefly outlined. Some of the lessons from the four disasters will be restated in summary and in relation to the provisions of the 'Seveso Directive'. As discussed in Section I.2 the aim of the Directive is to ensure the creation and maintenance of the essential components of major accident prevention throughout the process industries. This is to be achieved by identifying the sources of possible major accidents, by requiring a demonstration that the essential components are in place to prevent and to mitigate the consequences of major accidents and by establishing a database of lessons learned, from accidents and near misses, so that these are documented and disseminated.

2. FLIXBOROUGH

At Flixborough, North East England, on the 1st of June 1974, there was a massive explosion (Table II.1.1). A cloud containing an estimated 30 tonnes of fuel (mostly cyclohexane) which was mixed with the air above the Nypro chemical plant had been ignited.

Table II.1.1: Flixborough, the Disaster Profile
Date: 1st June 1974
Process: Liquid phase oxidation of hydrocarbon
Location: North East England
Event: Massive explosion
Fatalities: 28
Injuries: 36

The immediate and secondary effects of this explosion led to twenty eight deaths, many major injuries and the virtual demolition of the site. There were also many injuries and much structural damage (to dwellings and other property) off-site. The fires burned for ten days. Bodies were still being recovered from the debris after fourteen days. The fire-fighting was on the same scale as that of the largest wartime fires in London. The Flixborough plant (Figure II.1.1) included large liquid filled reactors in which cyclohexane was oxidised in the presence of a catalyst. The reaction was incomplete, so several reactors were used in series, each overflowing into the next (lower) reactor through a short connecting pipe. There was a large re-cycle stream by which outflow from the train of reactors eventually returned as inflow. This meant that a typical molecule passed through the reactor series more than once before conversion to the oxidation products. The amount of reacting material was much larger than would have been necessary in a more effective reaction system.

Figure II.1.1: The Flixborough Plant, a Simplified Diagram of the Cyclohexane Oxidation Section (Reprinted from R.J. Parker, The Flixborough Disaster, 1975, Crown copyright is reproduced with the permission of the Controller of Her Majesty's Stationery Office)

[Diagram not reproduced in this text.]

The reaction conditions were not extreme. The normal operating temperature was around 428 K and the normal operating pressure was less than 9 bar. However, the material was flammable and was being contained as a liquid above its normal boiling point. In these circumstances a leak can produce a large mass flowrate, because of the liquid outflow at the leak site, and generate a large flammable cloud, because of the spontaneous vaporisation of the leaked material at atmospheric pressure. There had been a problem with one of the reactors (a crack) and it had been decided to temporarily replace this reactor with a "by-pass" pipe, in the place of the removed, faulty reactor. The by-pass was quickly built and installed and the likely failure of this by-pass soon became the focus of the official inquiry into the accident (Figure II.1.2). The by-pass had been operated successfully for two months prior to the disaster.

Figure II.1.2: The Flixborough Reactor By-Pass (Reprinted from R.J. Parker, The Flixborough Disaster, 1975, Crown copyright is reproduced with the permission of the Controller of Her Majesty's Stationery Office)

[Diagram not reproduced in this text.]

To allow for thermal expansion, because the base of each reactor was fixed in place, the short inter-connecting pipes which joined the outlet nozzle of one reactor to the inlet nozzle of the next were fitted with a bellows. A bellows is simply a specialised section of pipe with a flexible corrugated wall that is able to accommodate changes in axial length. The normal inter-connections were horizontal (each pair of bellows-connected nozzles being lower than the one before), but the by-pass was constructed with a sloped middle section in order to bridge the vertical gap between the nozzles it was intended to connect. The unbalanced horizontal forces that result from such an arrangement led to stresses on the bellows and by-pass arrangement for which it was not designed. As summarised in Table II.1.2 there are three prominent theories of how the massive release was brought about:

Table II.1.2: Flixborough, the Critical Event and Theories
Critical event: Loss of containment of about 30 000 kg hydrocarbon
Theories: (1) Massive failure of bellows; (2) 200 mm pipe failure; (3) Water roll-over, see [18]

The first theory assumes the direct failure of the by-pass. This theory was accepted in the official report. A second theory concerned the possibility of a smaller leak, and subsequent fire, that led to the eventual failure of the by-pass. A third theory suggested that a cool water layer, in the base of the reactor upstream of the by-pass, had mixed into the hot reactor contents leading to a sudden pressure rise and failure of the by-pass. It is still uncertain how, at this detailed technical level, the critical event in the accident occurred. On the other hand, there were many more general lessons to be learned from the Flixborough disaster. This disaster shook the United Kingdom (UK) authorities into recognising the potential for on-site and off-site devastation from the process industries. A major inquiry ensued, but also the establishment of the UK Advisory Committee on Major Hazards whose remit was to look at the broader question of how major accident hazards could be and should be controlled throughout industry. The work of the inquiry and committee contributed to a number of legal measures in the UK and also to the first European Directive on major hazard control [11]. Some general lessons that can be learned from the Flixborough disaster are listed in Table II.1.3 and are then briefly discussed.

Table II.1.3: Flixborough, Some Lessons that Can Be Learned
Public control of major hazard installations
Siting of major hazard installations
Regulations for pressure vessels and systems
The management of major hazard installations
Control of plant and process modifications
Limitation of inventory
Limitation of exposure
Relative priority of safety and production
Use of standards and codes of practice
Benefits of more intense reactors
Change-of-use control of major hazard installations

The Need for Public Control of Major Hazard Installations

It was evident that chemical plants presenting major accident hazards needed to have some element of public control. The public authorities should at least be informed of the potential and have the opportunity to demand assurances that relevant precautions are in place.

The Need to Control the Siting of Major Hazard Installations

It was evident that the development of sites with the potential for major accidents should be controlled in relation to other neighbouring uses. Equally, the development of other activity in the vicinity of major accident hazards needs to be controlled.

Regulations for Pressure Vessels and Systems

Because of frequent accidents with steam and air pressure vessels in the early days of modern industry in the UK, there were regulations in place concerning these vessels. The Flixborough accident demonstrated the relevance of requiring good practice in relation to all pressure vessels and also the need to extend the regulations to other parts of pressurised systems.

The Management of Major Hazard Installations

The importance of having the necessary personnel, and the dangers of management practices becoming inappropriate to the nature of the activity being carried out, were highlighted. The managerial decisions that led to the operation of the plant in the conditions (both technical and administrative) in which it failed had contributed to the accident.

Control of Plant and Process Modifications

The plant had been modified by the introduction of the by-pass, and also the process had been altered in relation to the means of operation of the reactors (the process modifications are not described above). The plant (equipment) modification had clearly contributed to the disaster, but it was also recognised that a process modification could undermine the integrity of an otherwise well-designed plant.

Limitation of Inventory

The potential for an accident depends critically on how much of a hazardous substance is present (or can be generated). One characteristic of the Flixborough process was that large quantities of hazardous material were being stored and employed. Limiting, as a design objective, the quantities of materials in storage and in processes was recognised as desirable, in order to limit the potential consequences of an accident.

Limitation of Exposure

The disaster occurred on a Saturday. The office block on site was demolished by the explosion. Had the accident occurred during a normal working day, the fatalities from the accident could have been ten times greater. It was clear, with hindsight, that there was no need for these office personnel to be on the site. The more general principle is that the exposure of people to major accident hazards should be controlled.

Relative Priority of Safety and Production

The speed with which the by-pass was brought into use, when the causes of the problem in the original reactor had not been established, suggested that the relative priority of safety and production had become inappropriate. Some other features of the background to the accident reinforced this view. The need to create and to maintain a "culture" in which the priority of safety is clear, and also the difficulties of achieving this, were recognised.

Use of Standards and Codes of Practice

The inappropriate use of the bellows in the by-pass arrangement, the insufficient support provided for the by-pass (really only sufficient for its erection, not its use) and other features of the accident indicated that codes and standards had been breached.

Each of the lessons that can be learned from Flixborough is independently of value. Many (including all those above) do not rely on the detail of how the Flixborough disaster was precipitated and are therefore relevant to all major accident hazards. Additionally, all the theories of how the massive failure of the bellows could have occurred are instructive - even though they cannot all have been correct.

From the Flixborough disaster alone it can be concluded that there are general lessons that need to be applied to all hazardous industrial activities. The application of these lessons will reduce the frequency and consequences of major accidents. The lessons may be applied to activities which have little or nothing in common with the technical features of the Flixborough plant or process. There are also specific lessons which need to be documented and disseminated to improve particular aspects of industrial practice. These will be of less general applicability, but will help to reduce the frequency of critical events which contribute to the occurrence of major accidents.

3. SEVESO

Near Seveso, in Northern Italy, a "runaway" reaction occurred in a small pharmaceuticals plant (Table II.1.4).

Table II.1.4: Seveso, the Disaster Profile
Date: 9th July 1976
Process: Batch chemistry
Location: Northern Italy
Event: Toxic release
Fatalities: No direct human fatalities, a number of abortions
Other: 3000+ animal deaths, 500+ evacuations exceeding 6 months [19]

The reaction produced heat and the heat promoted the reaction, leading to increased pressure in the reactor. As can be seen from Figure II.1.3, a pressure relief device operated and the contents of the reactor were vented to atmosphere:

Figure II.1.3: The Seveso Plant, a simplified diagram of the reactor system (Reprinted with permission, from J. Sambeth, "What Really Happened at Seveso", Chemical Engineering, Vol 90 (10), 1983 [20])

[Diagram not reproduced in this text.]

Earlier that day, the intended process of the plant had been interrupted at the end of the working week. A batch of material, believed by those carrying out the operations to be stable, had been left inside the reactor, with the intention to resume the operations later. The reactor vented some hours after intentional operations at the plant had ceased. Subsequent consideration of the likely contents of the reactor at the time of venting suggested that, perhaps, two kilograms among the several tonnes in the reactor could have been converted to TCDD (2,3,7,8-tetra-chloro-dibenzo-para-dioxin). TCDD is one of a series of ultra-toxic materials, commonly called dioxins. This material (a solid at ambient conditions) was deposited on vegetation across a large area of land (Figure II.1.4).


In the aftermath of the accident it was clear that a disaster of potentially immense dimensions had been encountered in a totally unsatisfactory way. The toxicity to humans of TCDD is still largely unknown. The estimated toxicity, inferred from experimental results of animal exposure, suggested a probably lethal dose in the order of 10^-9 of body-weight. This equates to around 0.1 mg for a large adult. Thus, in principle, the quantity released at Seveso was sufficient to lead to massive fatalities. Of course, the scaling from animal studies is highly uncertain and the mechanisms necessary for fatal delivery of the toxin may not operate in a particular accident. Also, the number of people exposed in the affected area effectively limits the possible consequences. Nevertheless, the maloperation of a small pharmaceuticals plant had presented a threat of a scale which was not openly acknowledged in advance and against which the protections and planned responses were inappropriate. The primary theory of how the reactor came to be vented concerns an exothermic reaction that was unknown at the time (Table II.1.5).

Table II.1.5: Seveso, the Critical Event and Theory
Critical event: Loss of containment of a reaction mass including about 2 kg of tetrachloro-dibenzo-para-dioxin (TCDD)
Theory: Venting to atmosphere of a runaway reaction initiated by steam heating

The reaction would not have been observed in normal operation and the circumstances that allowed it to occur were brought about by the unusual suspension of operations in mid-process. It is believed that the reaction was initiated by steam in the heating coil around the reactor. This may have led to a local temperature in the reactor, probably near the liquid surface, which allowed the exothermic reaction to take hold and, eventually, spread throughout the reactor. The pressure relief device, intended to protect the reactor from other pressure sources, had the effect of delaying the release. This delay increased the temperature which was reached before venting, which would consequently promote the production of TCDD, and increased the energy with which venting occurred, which would consequently increase the area which became contaminated with TCDD. The obvious question, following Seveso, was "What other installations present hazards of this scale which are unacknowledged, inadequately protected against and for which no appropriate mitigatory plans exist?". Some lessons that can be learned from the Seveso disaster are listed in Table II.1.6:

Table II.1.6: Seveso, Some Lessons that Can Be Learned
Public control of major hazard installations
Siting of major hazard installations
Acquisition of companies operating hazardous processes
Hazard of ultra-toxic substances
Hazard of undetected exothermic reactions
Hazard of prolonged holding of reaction mass
Control and protection of chemical reactors
Inherently safer design of chemical processes
Planning for emergencies
Hazards from substances that can be formed during maloperation

A particular feature of this accident is that the material of most concern was normally present at the installation in trace quantities only. The need to consider hazards from materials that can be produced in foreseeable maloperation (as well as those normally stored or processed) was established. The effect of the Seveso disaster on the European Community echoed that of Flixborough in the UK. The realisation that industrial activities could present hazards on this scale, and the recognition of the poor level of prevention, preparedness and response that existed, led directly to Directive 82/501/EEC of the Council of the European Union, [11], which became widely known as the 'Seveso Directive'. Later the lessons learned from the accidents discussed here will be presented in relation to the new 'Seveso II Directive', 96/82/EC, [1].

4. BHOPAL

In Bhopal, India, a large quantity of highly toxic gas was released into the atmosphere above a pesticide plant (Table II.1.7).

Table II.1.7: Bhopal, the Disaster Profile
Date: 3rd December 1984
Process: Pesticide production
Location: India
Event: Toxic release
Fatalities: 1754 immediate, 2000+ delayed
Injuries: 20 000+ hospitalised, 50 000+ minor injuries

The toxic cloud swept across the highly populated area near the plant (Figure II.1.5) and very many people were soon overcome. The direct human consequences of this disaster were on a scale unprecedented in the chemical industry.

Figure II.1.5: Bhopal, Affected Area (Reprinted from the Journal of Hazardous Materials, Vol 17 No 1, M.P. Singh and S. Ghosh, "Bhopal Gas Tragedy: Model simulation of the dispersion scenario" 1987, with kind permission of Elsevier Science - NL, Sara Burgerhartstraat 25, 1055 KV Amsterdam, The Netherlands [21])

[Map not reproduced in this text.]

The most likely explanation of the initiation of the Bhopal disaster is the introduction of water to a methyl isocyanate (MIC) storage tank (Table II.1.8).

Table II.1.8: Bhopal, the Critical Event and Theories
Critical event: Loss of containment of 40 000 kg methyl iso-cyanate (MIC)
Theories: Pressure relief of storage tank after a water-initiated runaway reaction caused by sabotage? water washing? other?

One theory considered the possibility of water from a washing operation passing into the tank. There is a separate possibility that the water was introduced to the tank as an act of sabotage. The debate over how water may have entered the tank should not obscure the wider lessons that can be learned. At Bhopal, a number of protections and precautions that could have mitigated (if not prevented) the disaster were found to be inappropriate or disused at the time of need. For example, it had been intended that any flow from the storage vent could be directed to a "scrubber" for treatment or to a flare for incineration. Neither option was available at the time of the incident. The consequences were magnified because the actions needed in response to such an incident had not been planned in advance or practised. In the aftermath of Bhopal, it once again became clear that the detailed technical failures that triggered or contributed to the accident existed within a situation which, more generally, echoed the features of earlier accidents. The provision and maintenance of protection was inappropriate to the hazard. The consequences of the accident were magnified by the state of public policy, which had been developed without knowledge of the scale of the hazard, and by the lack of planning, which led to fatally inappropriate responses to the accident. For example, the growth in the local resident population could have been controlled if the scale of the potential hazard had been recognised. Perhaps more clearly than earlier accidents, the Bhopal disaster pointed to the benefits of inherently safer approaches to chemical production, [12]. At Bhopal the material released was a hazardous intermediate, the storage of which was convenient but not essential. Intermediates in a chemical process are typically more reactive than the associated raw materials and products. It is often this reactivity that makes the intermediate so useful in accomplishing the chemical changes. The corollary of this is that intermediates are often more hazardous, because flammability and (often) toxicity are manifestations of reactivity.

There were, at the time of Bhopal, other operators who had avoided the storage of MIC. Instead, within their facilities, there were small quantities of MIC in transit (by pipe) from a producing unit to a consuming unit. After the disaster, the practical and technical objections which had led to bulk storage of MIC, at Bhopal and elsewhere, were quickly revisited. Soon the storage of MIC around the world had been drastically reduced. The search for alternative routes to chemical production using less hazardous intermediates was promoted. Arguably, these reviews of storage policy and route selection should have been more widespread. The equivalence between a reported accident and one's own activity has to be very strong to elicit the appropriate response. The reduction of inventory of highly toxic materials other than MIC has been less pronounced. One objective of public policy should therefore be the formulation and dissemination of lessons learned from accidents in as generally applicable a form as possible. Some of the lessons that can be learned from the Bhopal disaster are listed in Table II.1.9:

Table II.1.9: Bhopal, Some Lessons that Can Be Learned
Public control of major hazard installations
Siting of major hazard installations
Hazard of highly toxic substances
Hazard of water in plants
Hazard of runaway reaction in storage
Maintenance of equipment and instrumentation
The management of major hazard installations
Control of plant and process modifications
Limitation of inventory
Limitation of exposure
Planning for emergencies
Information for authorities and public
Relative priority of safety and production
Change-of-use control of major hazard installations

Bhopal is a stark example of what will happen if we fail to learn the lessons that can be learned from past accidents, particularly if we fail to identify the hazard potential of industrial sites.

5. PIPER ALPHA

On the Piper Alpha platform, in the UK sector of the North Sea oil field, late on the 6th July 1988 a small quantity of readily vaporised liquid hydrocarbon was released and subsequently exploded (Table II.1.10). The immediate effects disabled communications and many of the automatic and other protective devices on board.

Table II.1.10: Piper Alpha, the Disaster Profile
Date: 6th July 1988
Process: Oil and gas production and separation
Location: North Sea (UK sector)
Event: Explosions, fires, fireballs
Fatalities: 167

The technical investigation, in trying to establish the triggering events, focused on the known status of equipment prior to the critical event, believed to be the release of "condensate" into the gas compression module, module C (Figure II.1.6).

Figure II.1.6: Piper Alpha Rig (Reproduced with permission from: R. Sylvester-Evans, "'Background' to the Piper Alpha Tragedy" in "Piper Alpha: Lessons for life-cycle safety management", IChemE Sympos. Series No 122, 1990)

[Diagram not reproduced in this text.]

Maintenance activities, earlier on the day of the disaster, had created a situation in which continued operation of the platform relied on the running of a single reciprocating pump - the condensate pump - for which there would normally be a "back-up". The normally used pump had been stopped, in preparation for routine maintenance, and its parallel pair (normally the "back-up" pump) was on duty. Reciprocating pumps commonly have an associated automatic pressure relief valve. The relief valve prevents over-pressure of the downstream pipework. This is achieved, typically, by passing liquid from the delivery side of the pump to an upstream vessel, in the event of high delivery pressure from the pump. The relief valve on the normally used pump had been removed for testing. Shortly before the explosion, the condensate pump on duty tripped (that is to say, it automatically stopped). The pattern of the alarms that occurred between the pump stopping and the explosion, together with eye witness accounts, were not decisive in establishing the means by which the release of fuel occurred. Several theories were developed (Table II.1.11).

Table II.1.11: Piper Alpha, the Critical Event and Theories
Critical event: Loss of containment of < 100 kg light hydrocarbons ("condensate")
Theories: Pump started without relief + flange leak at relief valve site or auto-ignition; Hydrate formation and blockage; Liquid at inlet to compressor

These technical theories, investigated as possible explanations for the critical event, included a flange leak at the site of one or other of the relief valves, auto-ignition in the pipework as a cause of subsequent condensate leakage, hydrate formation and blockage leading to condensate leakage and liquid entering a compressor intended for gas only. It is believed that an attempt was made to start the normally used pump, without its relief valve in place. A leak from the attachment flange of the missing relief valve, possibly aggravated by insufficient tightening of the temporary blank on the flange, was the theory in which the official inquiry placed most confidence. As before, the various technical theories all provide valuable information relevant to the prevention of future accidents. At the same time the wider lessons that can be learned from the disaster are independent of the details of how, technically, the critical event occurred.

Some of the lessons that can be learned from the Piper Alpha disaster are shown in Table II.1.12.

Table II.1.12: Piper Alpha, Some Lessons that Can Be Learned
Regulatory control of offshore installations
The management of major hazard installations
Fall-back states in plant operation
Permit-to-work systems
Isolation of plant for maintenance
Limitation of inventory
Limitation of exposure
Destruction of protective equipment by explosion
Emergency shutdown
Planning for emergencies
Opportunities for escape

The Piper Alpha disaster reflects the great difficulties that arise in offshore engineering. For example, three practices: the use of physical separation distances (as used onshore to help prevent "domino" effects), the provision of opportunities for escape and the provision of assistance during an incident, are all much more difficult to achieve offshore. The lessons that are more specifically concerned with offshore engineering problems are not considered further here. The need to resolve conflicting safety issues was highlighted. Two examples concern the fire-walls and the fire-fighting system. The fire-walls between the modules, intended to delay the spread of fire, in the event became destructive missiles. This magnified the damage of the initial explosion, destroyed much of the mitigatory equipment and severed fuel pipes, which contributed to the subsequent fires. A defence against fire thus became a contributory factor in the escalation of an explosion. The practice of disarming the automatic fire-fighting pumps during diving operations had developed. The hazard to divers, who could be trapped at the suction to the pumps in the event of false alarms, had been a factor in the development of this practice. The development of this practice shows both the need for a systematic approach to the management of different risks and, separately, the need for a deliberate balance to be achieved between the certainty of automatic defences operating when needed and the hazards associated with their spurious operation.

The immediate loss of communications following the initial explosion was critical. Piper Alpha was linked to other platforms in the oil field by oil and gas pipelines. From and through these pipelines, fuel flowed to Piper Alpha during the disaster (Figure II.1.7).

Figure II.1.7: Piper Alpha Field (Reproduced with permission from R. Sylvester-Evans, "'Background' to the Piper Alpha Tragedy", in "Piper Alpha: Lessons for life-cycle safety management", IChemE Symposium Series No 122, 1990)


Continued communications could have prompted actions on other platforms to limit the fuel entering Piper Alpha and could have allowed those aboard to re-appraise the situation. Many of those on board apparently acted on the assumption that evacuation by helicopter remained possible, whereas nearby observers could clearly see that such an evacuation was impossible. The disablement of the control and response systems, combined with the heat and black smoke from fires following the initial explosion, led to almost complete paralysis of organised action on board the platform. Many of those who survived did so because they acted outside the recommended procedures. The procedures were inappropriate to the scale of the incident.

On Piper Alpha there were "layers" of protection intended to prevent the occurrence of critical events and to limit their consequences, but these were stripped away in actions prior to the event or rendered inoperable by the immediate effects of the initial explosion. The need to ensure that the "layers" of protection are not vulnerable to the incidents against which they are intended to defend is clearly established. One contributor to the accident was a lack of confidence in the back-up electrical power systems. The perception that these systems would fail, coupled with the desire to avoid loss of power, may have promoted some of the actions that led to the disaster. The need to have fall-back states in which the operators have confidence was established. Another contributory factor was the vulnerability of some protections to the critical event. For example, there were four pipes intended to carry fire-fighting water when required. These four pipes were severed in the initial explosion. What could have been regarded as a substantial protection, in prospect, proved, in the event, to be useless. This illustrates the need for diversity in protective systems. Diversity, here, means the ability to achieve an objective by different means (by differences of principle, route, operation etc.). Diversity in protective functions renders the protection less vulnerable to defeat by a single event. (The severing of these pipes was not the only reason that the fire-fighting system was ineffective, but the other reasons are not discussed here.) Yet again the lessons to be learned echo those from the accidents discussed above. There were technical lessons, specific to the kinds of operation undertaken, but also general lessons that have much wider applicability. Many of these more general lessons are relevant to onshore activity, but were accentuated by the particularly difficult circumstances of offshore engineering.

6. ELEMENTS OF PREVENTION AND MITIGATION OF MAJOR ACCIDENTS

The ability to prevent major accidents relies not only on good technical abilities (which may be very specific to the activity) but also on the combination of several general principles. These are inherently safer design (including separation distances), defence in depth from critical incidents (by multiple layers of protection), good management and preparedness to respond to and to mitigate the consequences of incidents. The principles of inherent safety have been described in [12]. The essential idea is to reduce or eliminate the hazard presented by an activity. To the extent that an activity is inherently safe, we do not rely on mechanisms (physical or managerial) for protection. Achieving acceptable levels of safety by inherently safer design is most desirable because, generally, inherent safety cannot be compromised by the degeneration of management (of maintenance, operation, etc.). "Defence in depth" is used here to describe the design of an activity such that the occurrence of an incident requires the combination of a number of facts (usually failures or interventions). Elsewhere I have used the expression "layers of protection" to express a similar idea, but "layers of protection" could include response to the incident, whereas I use "defence in depth" in relation to measures that aim to prevent the critical event in an incident. Using the defence in depth approach, it is unlikely that single failures and interventions will lead directly to an incident. Provided that due attention is given to maintaining the defences, then an acceptable level of safety can usually be obtained. However, inherently safer approaches are to be preferred, as accident histories show that defences can fall into disrepair quickly and without provoking attention (see [13] for detailed discussion). If a plant is designed with defence in depth, then Figure II.1.8 shows how the dynamic balance between failure and repair of defences can lead to an incident (in response to a final disturbance).

Figure II.1.8: Defence in Depth. A schematic illustration of the dynamic balance between failure and repair of defences that can lead to an incident (in response to a final disturbance), developed from [13]

[Figure II.1.8: schematic plot of defence in depth against time, with the labels DISTURBANCE, P(HAZARD), FAILURE and REPAIR]

The success of the defence in depth approach relies, therefore, on the systems - usually management systems - which reveal and repair the defences. If these systems become relaxed then a combination of failures can lead to vulnerability, and a single final disturbance can then lead to an incident. The Flixborough report [3] called for more consideration of what it termed "second chance design", which is a form of defence in depth. Safety management has been a major topic of discussion in recent years [14]. The role of management is critical in accident prevention because, whatever defences may be in place at a facility, it is a managerial problem to accept a proposed design (with a mix of inherently safe and defence-in-depth features) and it is a managerial problem to commit the resources to the maintenance of the defences and to the planning for incident control and mitigation and their practice. In general it is a managerial responsibility to control decision-making. The range of decisions is very diverse, for example in relation to proposed changes in operation or in response to a change of plant condition. Underlying successful hazard control is an appreciation of human factors, that is to say how humans can reasonably be expected to participate in the activities at a hazardous facility. Many accident investigations show that human action (or lack of action) plays a crucial part in the evolution of many incidents, but it is generally necessary to create and to maintain systems which are tolerant to the way people can reasonably be expected to behave [15]. Analysis of past accidents shows that planning for incident control and mitigation can alter the scale of an accident enormously. Sadly this planning has been shown to be lacking in organisations whose other abilities have been highly regarded. There is, therefore, great emphasis in the 'Seveso II Directive' on the establishment, in advance, of suitable responses to major accidents. This is another area in which much development has occurred in recent years, and a review of practice in the European Union Member States has recently been conducted by the European Commission's Joint Research Centre [16]. These principles of inherent safety, defence in depth, safety management and planning for incident control and mitigation are applicable to all sectors of the process industry.
A key to reducing the frequency of major accidents is, therefore, to document the principles of inherent safety, defence in depth, safety management systems and planning for incident mitigation both in general, for application to all major accident hazards, and in detail, for consistent and appropriate application to specific major accident hazards. Most well-engineered systems have a number of "layers" of defence which should prevent major incidents. Well-managed facilities will have further "layers" of control and mitigation (including planning for and practising responses to incidents) which should prevent an incident becoming a disaster. Whilst we do continually learn new lessons from the acts that lead to a major incident or accident, most often we "re-learn" that major accidents follow the non-existence of, or a failure to maintain (in the broad sense), these layers of protection. Additionally we "re-learn" that the best protection lies in limiting the potential for harm by use of inherently safer alternatives. Codes and standards make a great contribution to accident prevention, but they are reactive to relatively high frequency events and lag behind experience. The dissemination of lessons learned from accidents is a necessary supplement to these codes and standards if the repetition of the circumstances that contribute to major accidents is to be avoided.
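The dynamic balance of Figure II.1.8 can be made concrete with a small model, added here as an illustration and not taken from the paper: each independent layer of defence fails silently at random and is restored only when the management system inspects it, so the probability that a final disturbance finds every layer failed grows as inspection is relaxed. The failure rates, inspection intervals and the daily time step are constructed assumptions for the illustration.

```python
"""Dynamic balance of failure and repair of defences, after Figure II.1.8.

Added example (not from the paper): each independent layer of defence fails
at random with rate lam (per year) and is restored only when the management
system inspects and repairs it, every T years.  Between inspections a failed
layer stays silently failed, so "defence in depth" is eroded without anyone
noticing.  A final disturbance becomes an incident only if it finds every
layer failed at once.  All rates and intervals below are constructed.
"""
import math
import random


def layer_unavailability(lam, T):
    """Time-averaged probability that a periodically inspected layer is in
    the failed state (the 'fractional dead time' of reliability engineering).
    Exact for exponential failures and instantaneous repair at inspection:
    1 - (1 - exp(-lam*T)) / (lam*T); for small lam*T this is about lam*T/2,
    so doubling the inspection interval roughly doubles the dead time."""
    if lam <= 0 or T <= 0:
        return 0.0
    x = lam * T
    return 1.0 - (1.0 - math.exp(-x)) / x


def incident_probability(layers):
    """P(incident | disturbance) for independent layers given as (lam, T)
    pairs: the disturbance must arrive while all layers are failed, so the
    unavailabilities multiply.  With no layers at all, every disturbance is
    an incident (probability 1)."""
    p = 1.0
    for lam, T in layers:
        p *= layer_unavailability(lam, T)
    return p


def simulate(layers, years, disturbance_rate, seed=1):
    """Day-by-day simulation of the figure's dynamic balance.  Returns
    (disturbances, incidents) over the run.  Repairs happen only at
    inspections, so a longer interval T is the 'relaxed' management
    system the text warns about."""
    rng = random.Random(seed)
    dt = 1.0 / 365.0
    periods = [max(1, round(T / dt)) for _, T in layers]
    failed = [False] * len(layers)
    disturbances = incidents = 0
    for step in range(int(years / dt)):
        for i, (lam, _) in enumerate(layers):
            if step % periods[i] == 0:
                failed[i] = False          # inspection finds and repairs it
            elif not failed[i] and rng.random() < lam * dt:
                failed[i] = True           # silent failure, nobody notices
        if rng.random() < disturbance_rate * dt:
            disturbances += 1
            if all(failed):                # every layer stripped away
                incidents += 1
    return disturbances, incidents


def compare_regimes(lam=0.1, n_layers=3, tight_T=1.0, relaxed_T=4.0):
    """Same three layers; only the inspection interval differs."""
    tight = [(lam, tight_T)] * n_layers
    relaxed = [(lam, relaxed_T)] * n_layers
    return {"tight": incident_probability(tight),
            "relaxed": incident_probability(relaxed)}


if __name__ == "__main__":
    res = compare_regimes()
    print("P(incident | disturbance), yearly inspection   :", f"{res['tight']:.2e}")
    print("P(incident | disturbance), 4-yearly inspection :", f"{res['relaxed']:.2e}")
    print("simulation, 200 years, 4-yearly inspection:",
          simulate([(0.1, 4.0)] * 3, 200, 12.0))
```

With three layers the analytic ratio between the relaxed and the tight regime is much larger than the four-fold change in inspection interval, because the dead times multiply.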

In many cases, major accidents have been preceded by near misses with almost identical characteristics. In some cases the near miss has been identical in all respects up to the critical event, and only good fortune has led to the lack of tragic consequences. The importance of near-miss reporting and the dissemination of information about near misses is clear.

7. THE EUROPEAN COUNCIL RESPONSE

The 'Seveso II Directive' is aimed at the control of major accident hazards involving dangerous substances. It is a direct attempt both to promote the learning of the general lessons from past accidents and to promote the capture and dissemination of the many other, more specific lessons that can be learned from past accidents and near misses (now and in the future). The first is chiefly to be achieved by the formal requirements of the Directive which, if complied with, will cover many of the general lessons; the second is to be achieved through the establishment of the Major Accident Reporting System (MARS). The operation of MARS, which is also a requirement of the Directive, is discussed in detail in Section IV.2. The Competent Authorities of the Member States are required to contribute accident data to MARS and, following the implementation of the new Directive, access to this data will be quite open. The relationship between some of the lessons that can be learned from the disasters discussed above and the provisions of the Directive is presented in Table II.1.13.


Table II.1.13: Selected Lessons, from the Disasters at Flixborough, Seveso and Bhopal and on the Piper Alpha Platform, and the Corresponding Provisions in the European Council Directive 96/82/EC ('Seveso II Directive')

"Lessons" from Past Accidents                                    Article(s) of the Directive
---------------------------------------------------------------  ---------------------------
Public control of major hazard installations                     All
Hazards from substances that can be formed during maloperation   2
Limitation of inventory*                                         2
Information for authorities and public                           7
The management of major hazard installations                     7
Control of plant and process modifications                       7
Planning for emergencies                                         7
Learning from accidents and near misses+                         7
Planning for emergencies                                         9
Siting of major hazard installations                             9
Limitation of exposure                                           9
Change-of-use control of major hazard installations              10
Information for authorities and public                           11
Planning for emergencies                                         11
Siting of major hazard installations                             12
Limitation of exposure                                           12
Information for authorities and public                           13
Planning for emergencies                                         13
Planning for emergencies                                         14
Learning from accidents and near misses                          15
Learning from accidents and near misses                          19

* The limitation of inventory is encouraged by the qualifying quantities set for each hazardous material (or class of material) and the increased duties that are incurred by having larger inventories. This is an indirect but significant pressure to discourage unnecessary (but perhaps convenient) inventories.
+ "Learning from accidents and near misses" was not listed specifically in the tables of lessons that can be learned from the individual disasters considered, but it is of course a prerequisite of learning any of the lessons and so is included in this table.

8. CONCLUSIONS

There are no risk free industries and there is no perfect system for major accident prevention. However, a study of past accidents shows that they generally result from (or are magnified by) the conjunction of a number of factors. Any one of these factors, had it been altered, could have resulted in a reduction or elimination of the accident consequences. A systematic and conscientious effort to examine and continuously to review these factors, to put in place and keep in place the elements of effective hazard control, is likely to be rewarding in reducing the frequency of major accidents and their consequences. The success of this activity is most likely where the basis of safety is inherently safer design of any or all parts of the process, since this is the approach which is least susceptible to deterioration of management and equipment. Some generally applicable lessons that can be learned from four major industrial accidents have been presented. These lessons can be summarised as the need for inherent safety, defence in depth, safety management and planning for mitigation. For each of the disasters described there is an overlap in the lessons that can be learned. It follows that in the past our ability or willingness to "learn" from accidents has been deficient. In addition there are myriad detailed lessons (both technical and managerial) that can be learned from the study of these and other disasters and near misses. It is reasonable to expect that the next major accident in Europe will reinforce some of the same lessons that we have already had the opportunity to learn, [17]. The widespread application of the general lessons learned from past accidents, as well as the widespread communication of the more specific lessons applicable to particular activities has great potential for the avoidance of major accidents. 
In this context, the European Commission's mandatory accident notification scheme, MARS, which also allows voluntary notification of near misses, should play a valuable role. Avoiding major accidents requires persistent effort. This effort must ensure the feedback of information to those responsible for operating major hazard sites and establish requirements to prevent the recurrence of situations in which accidents can occur. The new 'Seveso II Directive', on the control of major accident hazards involving dangerous substances, is a key step towards the achievement of this objective.

REFERENCES

1. Council Directive 96/82/EC of 9 December 1996 on the control of major-accident hazards involving dangerous substances, Official Journal of the European Communities, Luxembourg, 1997.
2. F.P. Lees, Loss Prevention in the Process Industries, 2nd Edn, Butterworth-Heinemann, Oxford, 1996.
3. R.J. Parker, The Flixborough Disaster, Report of the Court of Inquiry, HMSO, London, 1975.
4. B. Orsini, Parliamentary Commission of Inquiry on the Escape of Toxic Substances on 10 July 1976 at the ICMESA Establishment and the Consequent Potential Dangers to Health and the Environment due to Industrial Activity, Final Report, Rome, 1977. (Note that the following entry is a translation of this into English.)
5. B. Orsini, Seveso, HSE, London, 1980. (Note that this is a translation into English of Orsini 1977 above.)
6. Council of Scientific and Industrial Research, India, Report on Scientific Studies on the Release Factors related to Bhopal Toxic Gas Leakage, Government of India, 1985.
7. Union Carbide Corporation, Bhopal Methyl Isocyanate Incident, Investigation Team Report, UCC, Danbury, CT, 1985.
8. A.S. Kalelkar, Investigation of Large Magnitude Accidents - Bhopal as a Case Study, Preventing Major Chemical and Related Process Accidents, IChemE Symposium Series No 110, 1988.
9. The Honourable Lord Cullen, The Public Inquiry into the Piper Alpha Disaster, HMSO, London, 1990.
10. R. Sylvester-Evans, 'Background' to the Piper Alpha Tragedy, Piper Alpha: Lessons for life-cycle safety management, IChemE Symposium Series No 122, 1990.
11. Council Directive 82/501/EEC of 24 June 1982 on the Major Accident Hazards of certain industrial activities, Official Journal of the European Communities, Luxembourg, 1982. (Note that subsequent amendments were made which are not listed here, but can be found in the consolidated version of the Directive in Appendix V.2.)
12. T.A. Kletz, Plant design for safety, a user-friendly approach, Hemisphere, New York, 1990.
13. J. Rasmussen, Safety Control and Risk Management: topics for cross-disciplinary research and development, Preventing Major Chemical and Related Process Accidents, IChemE Symposium Series No 110, 1988.
14. European Process Safety Centre, Safety Management Systems, IChemE, Rugby, 1994.
15. T.A. Kletz, An engineer's view of human error, 2nd Edn, IChemE, Rugby, 1991.
16. B. De Marchi, Review of Chemical Emergencies Management in the EU Member States, European Commission, JRC, Ispra, 1996.
17. T.A. Kletz, Lessons from disaster, how organisations have no memory and accidents recur, IChemE, Rugby, 1993.
18. R. King, Flixborough - the role of water re-examined, Process Engineering, Sept., 1975.
19. B. De Marchi, S. Funtowicz and J. Ravetz, Seveso: A paradoxical classic disaster, in: The long road to recovery, ed. J.K. Mitchell, UNUP, 1996.
20. J. Sambeth, What Really Happened at Seveso, Chemical Engineering 90 (10), 1983.
21. M.P. Singh, S. Ghosh, Bhopal Gas Tragedy: Model simulation of the dispersion scenario, The Journal of Hazardous Materials 17 (1), 1987.


Risk Assessment & Management in the Context of the 'Seveso Directive', European Commission, JRC

Lessons Learned from Past Accidents
A.G. Rushton, Department of Chemical Engineering, Loughborough University, UK

Lessons Learned from Past Accidents
• A selection of "milestone" industrial accidents
  - Flixborough, UK
  - Seveso, Italy
  - Bhopal, India
  - Piper Alpha, North Sea

Flixborough
• Date: 1st June 1974
• Process: Liquid phase oxidation of hydrocarbon
• Location: North East England
• Event: Massive explosion
• Fatalities: 28, Injuries: 36

Flixborough
• Loss of containment of about 30 000 kg cyclohexane
• Theories:
  - Massive failure of bellows
  - 200 mm pipe failure
  - Water roll-over

Flixborough: Lessons learned
• Public control of major hazard installations
• Siting of major hazard installations
• Regulations for pressure vessels and systems
• The management of major hazard installations
• Control of plant and process modifications

Flixborough: Lessons learned
• Limitation of inventory
• Limitation of exposure
• Relative priority of safety and production
• Use of standards and codes of practice

Seveso
• Date: 9th July 1976
• Process: Batch chemistry
• Location: Northern Italy
• Event: Toxic release
• Fatalities: No direct human fatalities, a number of abortions

Seveso
• Loss of containment of a "brew" including about 2 kg of tetrachlorodibenzo-para-dioxin (TCDD)
• Theory: Pressure relief of a runaway reaction initiated by heating coils

Seveso: Lessons Learned
• Public control of major hazard installations
• Siting of major hazard installations
• Acquisition of companies operating hazardous processes
• Hazard of ultra-toxic substances
• Hazard of undetected exotherms

Seveso: Lessons Learned
• Hazard of prolonged holding of reaction mass
• Control and protection of chemical reactors
• Inherently safer design of chemical processes
• Planning for emergencies

Bhopal
• Date: 3rd December 1984
• Process: Pesticide production
• Location: India
• Event: Toxic release
• Fatalities: 1754 immediate, 2000+ delayed
• Injuries: +20 000 hospitalized, +50 000 minor injuries

Bhopal
• Loss of containment of 40 000 kg methyl isocyanate (MIC)
• Theories:
  - Pressure relief of storage tank after water initiated runaway reaction caused by sabotage / water washing / other

Bhopal: Lessons Learned
• Public control of major hazard installations
• Siting of major hazard installations
• Hazard of highly toxic substances
• Hazard of water in plants
• Hazard of runaway reaction in storage
• Maintenance of equipment and instrumentation

Bhopal: Lessons Learned
• Management of major hazard installations
• Control of plant and process modifications
• Limitation of inventory
• Limitation of exposure
• Planning for emergencies
• Information for authorities and public
• Relative priority of safety and production

Piper Alpha
• Date: 6th July 1988
• Process: Oil and gas production and separation
• Location: North Sea (UK sector)
• Event: Explosions, fires, fireballs
• Fatalities: 167

Piper Alpha
• Loss of containment of <100 kg light hydrocarbons ("condensate")
• Theories:
  - Pump started without relief
    - Flange leak at relief valve site
    - Auto-ignition
  - Hydrate formation and blockage
  - Liquid to compressor

Piper Alpha: Lessons Learned
• Regulatory control of offshore installations
• Management of major hazard installations
• Fall-back states in plant operation
• Permit-to-work systems
• Isolation of plant for maintenance

Piper Alpha: Lessons Learned
• Limitation of inventory
• Limitation of exposure
• Destruction of protective equipment by explosion
• Emergency shutdown
• Planning for emergencies

Lessons Learned: Concluding Remarks
• No risk-free activity
• Security of inherently safer design
• Codes and standards are reactive to high frequency events and lag behind experience
• The importance of the "human factor" in design and operation
• Safety management (of defence in depth)

Lessons Learned: Concluding Remarks
• Influence of circumstances on outcome - importance of "near-miss" reporting
• Should this talk be titled "Lessons NOT Learned from Past Accidents"?