Report PDF - Vijay Ravisankar
advertisement
A REPORT ON HAZARD IDENTIFICATION, RISK ASSESSMENT AND ACCIDENT INVESTIGATION ANALYSIS BY R VIJAY 2010A1PS324H CHEMICAL ENGINEERING R SANKARA NARAYANAN 2010A1PS332H CHEMICAL ENGINEERING Prepared in partial fulfillment of the Practice School-I Course AT CENTRAL LEATHER RESEARCH INSTITUTE Adyar,chennai A PRACTICE SCHOOL –I STATION OF BIRLA INSTITUTE OF TECHNOLOGY AND SCIENCE, PILANI i BIRLA INSTITUTE OF TECHNOLOGY AND SCIENCE PILANI (RAJASTHAN) Practice School Division Station: CENTRAL LEATHER RESEARCH INSTITUTE (CLRI) Center: Chennai Duration: 50 DAYS Date of Start: 21st May, 2012 Date of Submission: 9th July, 2012 ID No./Name/Discipline of Students 2010A1PS324H/ R.VIJAY/ CHEMICAL ENGINEERING 2010A1PS332H/ R.SANKARA NARAYANAN/ CHEMICAL ENGINEERING Name and Designation of the expert: Mr. V.SREENIVAS , Scientist, CISRA Name of PS faculty: Dr. R.Srinivasan Project Areas: Industrial safety and Risk Analysis ABSTRACT This project deals with studying the essential guidelines to be followed by chemical process industries in the areas of hazard evaluation techniques and quantitative risk analysis. In addition, chemical accident investigation reports of the U.S. Chemical Safety Board (CSB) are studied, and reasons for the accidents to have occurred are analyzed. The project is divided into three sections: 1. Hazard evaluation techniques: various hazard analysis techniques are discussed. ii 2. Chemical Process Quantitative Risk Analysis (CPQRA): various accident models, incident frequency analysis and the concept of risk estimate are discussed. 3. Chemical accident investigations: sequence of events, findings and recommendations of the CSB are discussed. Signature of Students Date Signature of PS Faculty Date BIRLA INSTITUTE OF TECHONOLOGY AND SCIENCE PILANI (RAJASTHAN) PRACTICE SCHOOL DIVISION iii CENTRAL LEATHER RESEARCH INSTITUTE (Council of Scientific and Industrial Research ) Adyar , Chennai 600 020, India CERTIFICATE This is to certify that the project entitled ―Hazard Identification, Risk Assessment and Accident Investigation Analysis‖ is a bonafide work of R VIJAY (2010A1PS324H), B.E. (Hons.) Chemical Engineering and R SANKARA NARAYANAN (2010A1PS332H), B.E. (Hons.) Chemical Engineering, Birla Institute of Technology and Science – PILANI, Hyderabad Campus. The work embodied in this project has been done by the candidate under my guidance and supervision at CISRA, Central Leather Research Institute, Chennai from 21.05.2012 to 09.07.2012 iv ACKNOWLEDGEMENT Firstly, I would like to thank Prof. BrijendraNath Jain, Vice-Chancellor, BITS, Pilani for supporting Practice School. I would like to thank Prof. Niranjan Swain, Dean, Practice School, Dr. P.Srinivasan, Incharge, PS Planning and Development Cell and Dr. KVG Chandrasekhar of University, Industry Linkages division for their continuous support and guidance throughout the practice school program. I would like to thank Dr. R.Srinivasan, our PS instructor, Mr.Dinesh Chowdhary Dasari, our student co-ordinator and Mr. M. Vinodh Kumar, Scientist at CLRI for being with me throughout the PS program, guiding me and making the PS program more productive. I would like to thank my mentor, Mr. V. Sreenivas, Senior Scientist, Cell for Industrial Safety and Risk Analysis, CLRI for giving me such an interesting project and guiding me in the right direction. I would also like to thank Mr. K.C. Velappan, Senior Principal Scientist, Chemical Engineering Department, CLRI for permitting me to carry out the project at CISRA. v LIST OF ABBREVIATIONS CSB Chemical Safety Board OSHA Occupational Safety and Health Administration CCPS Center for Chemical Process Safety CPQRA Chemical Process Quantitative Risk Assessment HAZOP Hazard and Operability Studies PSM Process Safety Management BLEVE Boiling Liquid Vapour Explosion AIChE American Institute of Chemical Engineers vi Table of Contents Introduction ……………………………………………………………………………………….…1 1. Hazard Evaluation Techniques ……………………………………...…………………….…… 2 1.1Introduction ………………………………………………………………………………..… . 2 1.2 Scenario Based Hazard Evaluation Technique……..………………………………………….3 1.2.1What-if Analysis………………………………………………… …………………….…4 1.2.2 What-if/checklist Analysis………………………………………………...……… ….….5 1.2.3 Hazard and Operability Studies (HAZOP)…………………………..….………………..7 1.2.4 Failure Modes and Effects Analysis (FMEA)………….………………………………...8 1.2.5 Fault Tree Analysis (FTA) ………………………………….…………………………. 10 1.2.6 Event Tree Analysis (ETA) …………………………………………………………… 12 1.2.7 Cause Consequence Analysis (CCA) ………………………………………………….. 15 1.2.8 Bow Tie Analysis (BTA) ……………………………………………………… …....... 17 2. Chemical Process Quantitative Risk Analysis (CPQRA)………………..…………………….19 2.1Introduction …………………………………………………………………………………. .19 2.2 Source Models ……………………………………………………………………………......20 2.2.1 Discharge Rate Model ……………………………………………………………….. ...20 2.2.2 Flash and Evaporation………………………………………………………………….. 23 2.2.3 Dispersion Models .…………………………………………………………….……..... 25 2.3 Explosions and Fires………………………………………………………………………......26 2.3.1 Vapour Cloud Explosions (VCE) …………………………………………………...…. 26 2.3.2 Flash Fires ………….……….………………………………………………………...... 27 2.3.3 Physical Explosion …………………….………………………………………...……... 27 2.3.4 BLEVE and Fireball …….……..…………………………………………………...…... 29 2.3.5 Confined Explosions ……………………….………………………………………... ... 30 2.3.6 Pool Fires ……………………………………………………………………………….. 32 2.3.7 Jet Fires …………………………………………………………………………………. 33 vii 2.4 Effect Models ………………………………………………………………………………… 34 2.4.1 Toxic Gas Effects ……………………………………………………………….….........34 2.4.2 Thermal Effects ……………………………………………………………………........ 35 2.4.3 Explosion Effects ………………………………………………………………………. 36 2.5 Event Probability and Failure Frequency Analysis ……………………..………………….…37 2.5.1 Frequency Modelling Techniques ……………………………….………………………38 2.6 Measurement, Calculation and Presentation of Risk Estimates ……………….…………….. 41 2.6.1 Risk Measures ………………………………………………………………………….. 42 2.6.2 Risk Presentation ……………………………………….…………………...………….. 43 2.6.3 Selection of Risk Measures and Presentation Formats …..……………,…………..…… 46 3. Accident Investigation Studies ……………………………………..…………………...………. 47 3.1 BP Texas City Refinery Disaster …………………………………..………...……………..... 47 3.2 Accidents Related to Combustible Dust Explosion ………………………….………………..54 3.2.1 Dust Explosion at the Imperial Sugar Refinery ……………………..………………... ..55 3.2.2 Dust Explosion at West Pharmaceutical Services …………………………………… ...57 3.2.3 Dust Explosions at CTA Acoustics, Inc. …………………………..……………….... ...59 3.3 Accidents related to Reactive Hazards …………………………………...….…………….... .62 3.3.1 Runaway Chemical Reaction and VCE at Synthron, LLC …………..………………..... 62 3.3.2 BP Amoco Chemical Plant Disaster ……………………………………….…………… 64 3.3.3 MFG Chemical Toxic Chemical Vapour Cloud Release ……………...…..………....... .66 3.3.4 First Chemical Corporation …………………………………………..……………….... 67 3.3.5 Runaway reaction leading to Disaster at Bayer Corp. ………………………………..... 69 3.3.6 Runaway Chemical Reaction at T2 Lab ……………….…………………………......... 71 3.4 Accidents Related to Emergency Preparedness ….……………….……………………...….. 73 3.4.1 Fire at Xcel Power Plant ……………………………………………………………..... 73 3.4.2 Herrig Brothers propane tank explosion ……………………………………….……… 75 3.4.3 Vinyl Chloride explosion and fire: Formosa Plastics Corp. ………..………….…….….76 3.4.4 Emergency in Apex …………………………………………………………….……... .79 viii 3.5 Accidents Related to Hot work …………………………………….…………………….…… .. 81 3.5.1 Bethune Point Waste Water Plant Explosion ………….………………………………. 81 3.5.2 Death in Oil-Field Partridge Raleigh Incident ……………..………………………….. 82 3.5.3 Explosion at DuPont Manufacturing Plant, Buffalo ………..…………………….…..…84 3.6 Accidents Related to Dangers of Flammable Gas Accumulation ..………..………………… 86 3.7 Accidents Related to Vehicle Impact Hazards ………………………………………………. 88 3.8 Static Sparks at Barton Facility ……………………………………………………………… 90 3.9 Nitrogen Asphyxiation Hazard: Valero Refinery tragedy …………………………………… 92 3.10 Fire from Ice: Propane explosion at Valero Explosion ………………………………..…… 94 3.11 Ethylene Oxide Explosion at Sterigenics International …………………………………….. 96 3.12 Blast waves at Danvers Facility: Explosion at CAI Ink Facility ……………………..…….. 98 3.13 Propane Explosion at Little General ………………………………………………………. 100 3.14 Phosgene Release at DuPont ……………………………………………………………… 102 4. Overall Conclusion ……………………………………………………………………………. 104 5. Bibliography ……………………………………………………………………...……………. 105 ix INTRODUCTION A hazard is defined as a condition, event, or circumstance that could lead to or contribute to an unplanned or undesirable event. A hazard analysis is used as the first step in a process used to assess risk. The result of a hazard analysis is the identification of risks. Preliminary risk levels can be provided in the hazard analysis. The validation, more precise prediction and acceptance of risk is determined in the Risk assessment (analysis). The main goal of both hazard analysis and risk analysis is to provide the best selection of means of controlling or eliminating the risk. Chemical process quantitative risk analysis (CPQRA) is a methodology designed to provide management with a tool to help evaluate overall process safety in the chemical process industry. CPQRA provides a quantitative method to evaluate risk and to identify areas for cost-effective risk reduction. The terms ―chemical accident‖ or ―chemical incident‖ refer to an event resulting in the release of a substance or substances hazardous to human health and/or the environment in the short or long term. Such events include fires, explosions, and leakages of toxic or hazardous materials that can cause people illness, injury, disability or death. In 1990, the U.S. Chemical Safety and Hazard Investigation Board (CSB) was established to determine the root causes of chemical accidents and issue safety recommendations to prevent the chemical accidents from occurring again. The CSB also organizes workshops on a number of issues related to preparing for, preventing, and responding to chemical accidents. 1 CHAPTER 1 HAZARD EVALUATION TECHNIQUES A hazard is a physical or chemical condition that has the potential for causing harm to people, property, or the environment. A hazard evaluation is an organized effort to identify and analyze the significance of hazardous situations associated with a process or activity. Specifically, hazard evaluations are used to pinpoint weaknesses in the design and operation of facilities that could lead to hazardous material releases, fires, or explosions. These studies provide organizations with information to help them improve the safety and manage the risk of their operations. 1.1 INTRODUCTION Hazard evaluations usually focus on process safety issues, like the acute effects of unplanned chemical releases on plant personnel or the public. These studies complement more traditional industrial health and safety activities, such as protection against slips or falls, use of personal protective equipment, monitoring for employee exposure to industrial chemicals, and so forth. Although hazard evaluations typically analyze potential equipment failures and human errors that can lead to incidents, the studies can also highlight gaps in the management systems of an organization's process safety program. An important prerequisite for performing a hazard evaluation is the identification of process hazards, since hazards that are not identified cannot be further studied. High-quality hazard evaluations require the combined efforts of a multidisciplinary team. The hazard evaluation team uses the combined experience and judgment of its members along with available data to determine whether the identified problems are serious enough to warrant change. If so, they may recommend a particular solution or suggest that further studies be performed. Using hazard evaluation methods can help organizations better understand the risks associated with a process and how to reduce the frequency and severity of potential incidents. An incident is defined as an unplanned event or sequence of events that either resulted in or had the potential to result in adverse impacts. Thus, an incident sequence is a series of events that can transform the threat posed by a process hazard into an actual occurrence. 2 The loss event is the point of time in an incident sequence when an irreversible physical event occurs that has the potential for loss and harm impacts. Examples include opening of a non-reclosing emergency relief device such as a rupture disk, release of a hazardous material to the environment, ignition of flammable vapours or an ignitable dust cloud. Any device, system or action that would likely interrupt the chain of events following an initiating cause is known as a safeguard. A preventive safeguard intervenes after an initiating cause occurs and prevents the loss event from ensuing. A mitigative safeguard acts after the loss event has occurred and reduces the loss event impacts. Thus, preventive safeguards affect the likelihood of occurrence of the loss event, whereas mitigative safeguards lessen the severity of consequences of the loss event. The following are the limitations of hazard evaluation techniques: 1. Completeness: There can never be a guarantee that all incident situations, causes, and effects have been considered. 2. Reproducibility: Various aspects of hazard evaluations are sensitive to analyst assumptions. Different experts, using identical information, may generate different results when analyzing the same problem. 3. Inscrutability: The inherent nature of some hazard evaluation techniques makes the results difficult to understand and use. 4. Relevance of experience: A hazard evaluation team may not have an appropriate base of experience from which to assess the significance of potential incidents. 5. Subjectivity: Hazard analysts must use their judgment when extrapolating from their experience to determine whether a problem is important. 1.2 SCENARIO BASED HAZARD EVALUATION TECHNIQUE Hazard evaluation techniques are excellent choices for performing detailed analyses of a wide range of hazards during the design phase of a chemical process and during routine operation. Some of the common hazard evaluation techniques are: 1) What-If Analysis 2) What-If/Checklist Analysis 3) Hazard and Operability(HAZOP) Studies 4) Failure Modes and Effects Analysis(FMEA) 5) Fault Tree Analysis(FTA) 3 6) Event Tree Analysis(ETA) 7) Cause-Consequence Analysis(CCA) and Bow-Tie Analysis We shall examine each of these techniques in detail. 1.2.1 WHAT-IF ANALYSIS The What-If Analysis technique is a brainstorming approach in which a group of experienced people familiar with the subject process ask questions or voice concerns about possible undesired events. Purpose The purpose of a What-If Analysis is to identify hazards, hazardous situations, or specific event sequences that could produce undesirable consequences. An experienced group of people identifies possible abnormal situations, their consequences, and existing safeguards, then suggests alternatives for risk reduction where improvement opportunities are identified or where safeguards are judged to be inadequate. The method can involve examination of possible deviations from the design, construction or operating intent. It requires a basic understanding of the process intention, along with the ability to mentally combine possible deviations from the design intent that could result in an incident. Description The What-If Analysis concept encourages the hazard evaluation team to think of questions that begin with ―What-If.‖ However, any process safety concern can be voiced, even if it is not phrased as a question. For example: I am concerned about having the wrong material delivered, what if pump A stops running during start-up? , what if the operator opens valve B instead of A? Usually, the scribe records all of the questions on a chart pad, marking board, or computer. Then the questions may be divided into specific areas of investigation (usually related to consequences of concern), such as electrical safety, fire protection, or personnel safety. Each area is subsequently addressed by a team of knowledgeable people. The questions are formulated based on experience and applied to existing drawings and process descriptions. 4 Analysis Procedure After the scope of the study is defined, the What-If Analysis consists of the following steps: first, preparing for the review; second, performing the review; and third, documenting the results. Preparing for the review. The information required to perform a What-If Analysis consists of chemical data, process descriptions, drawings and operating procedure. It is important that all the information is up to date and available to the hazard evaluation team. Performing the review. The review meetings should begin with a basic explanation of the process, given by plant staff having overall plant and process knowledge plus expertise relevant to the team’s investigation area. The presentation should also describe the plant’s safety precautions, safety equipment, and health control procedures. The subject process is reviewed by members of the team who vocalize potential safety concerns. Documenting the results. Documentation is the key to transforming the team’s findings into measures for hazard elimination or reduction. Table given below is an example What-If Analysis worksheet. Such a table makes the documentation easier and more organized. 1.2.2 WHAT-IF/CHECKLIST ANALYSIS The What-If/Checklist Analysis technique combines the creative, brainstorming features of the What-If Analysis method with the systematic features of the Checklist Analysis method. A Checklist Analysis uses a written list of items or steps to verify the status of a system. Purpose The purpose of a What-If/Checklist Analysis is to identify hazards, consider the general types of incidents that can occur in a process or activity, evaluate in a qualitative fashion the effects of these incidents, and determine whether the safeguards against these potential incident situations appear adequate. 5 Description This hybrid method capitalizes on the strengths and compensates for the individual shortcomings of the separate approaches. For example, the Checklist Analysis method is an experience-based technique, and the quality of a hazard evaluation performed using this approach is highly dependent on the experience of the checklist’s authors. If the checklist is not complete, then the analysis may not effectively address a hazardous situation. The WhatIf Analysis portion of the technique encourages the hazard evaluation team to consider potential abnormal situations and consequences that are beyond the experience of the authors of a good checklist, and thus are not covered on the checklist. Conversely, the checklist portion of this technique lends a more systematic nature to the What-If Analysis. Like most other hazard evaluation techniques, the method works best when performed by a team experienced in the subject process. This technique is generally used to analyze the most common hazards that exist in a process. Analysis Procedure A What-If/Checklist Analysis consists of the following steps: (1) preparing for the review, (2) developing a list of What-If questions and issues, (3) using a checklist to cover any gaps, (4) evaluating each of the questions and issues, and (5) documenting the results. Preparing for the review. For a What-If/Checklist Analysis, the hazard evaluation team leader assembles a qualified team, determines the physical and analytical scope for the proposed study, and, if the process/activity is rather large, divides it into physical areas, or tasks to provide some order to the review of the process. Developing a list of What-If questions and issues. Hazard evaluation team meets to develop questions and issues involving potential incident situations. Using a checklist to cover any gaps. Once the team has identified all of the questions and issues it can in a particular area of the process or activity, the hazard evaluation team leader will use the checklist prepared. The team considers each checklist item to see whether any other potential incident situations or concerns arise. The issues are evaluated in the same way as the What-If questions. Evaluating each of the questions and issues. After developing questions and issues involving potential incident situations, the team considers each incident situation or safety concern and qualitatively determines the potential effects of the incident implied by the situation or concern; and lists existing safeguards to prevent, mitigate, or contain the effects 6 of the potential incident. The team then evaluates the significance of each situation and determines whether a particular safety improvement option should be recommended. Documenting the results. The results of a What-If/Checklist Analysis are documented in the same way as the results for a What-If Analysis. 1.2.3 HAZARD AND OPERABILITY (HAZOP) STUDIES The Hazard and Operability (HAZOP) Study or HAZOP Analysis technique was developed to identify and evaluate safety hazards in a process plant, and to identify operability problems which, although not hazardous, could affect the plant’s ability to achieve design productivity. Purpose The purpose of a HAZOP Study is to carefully review a process or operation in a systematic fashion to determine whether deviations from the design or operational intent can lead to undesirable consequences. This technique can be used for continuous or batch processes and can be adapted to evaluate written procedures. The HAZOP team lists potential causes and consequences of the deviation as well as existing safeguards protecting against the deviation. When the team determines that inadequate safeguards exist for a credible deviation, it usually recommends that action be taken to reduce the risk. Description Use of the HAZOP Study technique requires a detailed source of information concerning the design and operation of a process. Thus, it is most often used to analyze processes during or after the detailed design stage. In a HAZOP Study, an interdisciplinary team uses a creative, systematic approach to identify hazard and operability problems resulting from deviations from the process’s design intent that could lead to undesirable consequences. An experienced team leader systematically guides the team through the plant design using a fixed set of words (called ―guide words‖). These guide words are applied at specific points or ―study nodes‖ in the plant design and are combined with specific process parameters to identify potential deviations from the plant’s intended operation. For example, the guide word ―No‖ combined with the process parameter ―Flow‖ results in the deviation ―No Flow.‖ Analysis Procedure The analysis procedure consists of the following steps: (1) preparing for the review, (2) performing the review, and (3) documenting the results. 7 Preparing for the review. This step is of great importance to achieve success in the HAZOP study. The amount of preparation depends upon the size and complexity of the process being analyzed. Performing the review. The HAZOP Study technique requires that a process drawing or procedure be divided into study nodes, process sections, or operating steps and that the hazards of the process be addressed using the guide words. As the team applies all of the relevant guide words to each process section or step, they record either (1) the deviation with its causes, consequences, safeguards, and actions, or (2) the need for more complete information to evaluate the deviation. Documenting the results. Normally, the results of HAZOP meetings are recorded in a tabular format as shown below. 1.2.4 FAILURE MODES AND EFFECTS ANALYSIS A Failure Modes and Effects Analysis (FMEA) tabulate failure modes of equipment and their effects on a system or plant. Purpose The purpose of an FMEA is to identify single equipment and system failure modes and each failure mode’s potential effect(s) on the system or plant. This analysis typically generates recommendations for increasing equipment reliability, thus improving process safety. Description Failure Modes and Effects Analysis evaluates how equipment can fail and the effects these failures can have on a process. These failure descriptions provide analysts with a basis for determining where changes can be made to improve a system design. During a FMEA, hazard analysts describe potential consequences and relate them only to equipment failures; they rarely investigate damage or injury that could arise if the system operated successfully. 8 A FMEA is not as efficient as other methods such as HAZOP studies in identifying an exhaustive list of combinations of equipment failures that lead to incidents, as it examines all failure modes that result in safe outcomes as well as those that can lead to loss events. Analysis Procedure The FMEA procedure contains three steps: (1) defining the study problem, (2) performing the review, and (3) documenting the result. Defining the study problem. This step identifies the specific items to be included in the FMEA and the conditions under which they are analyzed. Defining the problem involves (1) establishing an appropriate level of resolution for the study and (2) defining the boundary conditions for the analysis. The level of resolution determines the extent of detail included in the FMEA. If a plantlevel hazard is being addressed, the FMEA should focus on the failure modes of individual systems and their subsequent effects. Defining the analysis boundary conditions includes identifying the plant and/or systems that are the subject of the analysis, collecting latest reference information, etc. Performing the review. The FMEA should be performed in a deliberate, systematic manner to reduce the possibility of omissions and to enhance the completeness of the FMEA. One way to help ensure a thorough and efficient review is to develop a consistent format for recording the FMEA results. Having a standard FMEA table format helps make the information contained in the FMEA tables consistent and helps maintain the defined level of resolution. Table below shows the format for a FMEA table. Documenting the results. The documentation of the FMEA review is a systematic and consistent tabulation of the effects of equipment failures within a process or system. 9 1.2.5 FAULT TREE ANALYSIS Fault Tree Analysis (FTA) is a deductive technique that focuses on one particular incident or main system failure, and provides a method for determining causes of that event. Purpose The purpose of an FTA is to identify combinations of equipment failures and human errors that can result in an incident. FTA is well suited for analyses of highly redundant systems. For systems particularly vulnerable to single failures that can lead to incidents, it is better to use a single-failure-oriented technique such as FMEA or HAZOP Study. FTA is often employed in situations where another hazard evaluation technique (e.g., HAZOP Study) has pinpointed an important incident of interest that requires more detailed analysis. Description The fault tree is a graphical model that displays the various combinations of equipment failures and human errors that can result in the main system failure of interest (called the Top event). The strength of FTA as a qualitative tool is its ability to identify the combinations of basic equipment failures and human errors that can lead to an incident. This allows the hazard analyst to focus preventive or mitigative measures on significant basic causes to reduce the likelihood of an incident. A fault tree is a graphical model that illustrates combinations of failures that will cause one specific failure of interest, called a Top Event Fault Tree Analysis is a deductive technique that uses Boolean logic symbols (i.e., AND gates, OR gates) to break down the causes of a Top event into basic equipment failures and human errors (called basic events). Analysis Procedure There are four steps an analyst must take to perform a Fault Tree Analysis: (1) defining the problem, (2) constructing the fault tree, (3)analyzing the fault tree model qualitatively, and (4) documenting the results. Defining the problem. To define the problem, both a Top event and boundary conditions for the analysis must be selected. These boundary conditions include: System physical bounds 10 Not allowed events Level of resolution Existing conditions Initial conditions Other assumptions Constructing the Fault Tree. Fault tree construction begins at the Top event and proceeds, level by level; until all fault events have been traced to their basic contributing causes (basic events). The analyst begins with the Top event and, for the next level, uses deductive cause and effect reasoning to determine the immediate, necessary, and sufficient causes that result in the Top event. Normally, these are not basic causes, but are intermediate faults that require additional development. If the analyst can immediately determine the basic causes of the Top event, the problem may be too simple for Fault Tree Analysis and could be evaluated by other methods (such as FMEA). Analyzing the Fault Tree model. The completed fault tree provides useful information by displaying how failures interact to result in an incident. However, even an experienced analyst cannot identify directly from the fault tree all of the combinations of failures that can lead to the incident of interest. The fault tree solution method has four steps: (1) uniquely identify all gates and basic events,(2) resolve all gates into sets of basic events, (3) remove duplicate events within sets, and (4) delete all supersets (sets that contain other sets). The result of the procedure is a list of minimal cut sets for the fault tree. Documenting the results. The final step in performing a Fault Tree Analysis is to document the results of the study. The hazard analyst should provide a description of the system analyzed a discussion of the problem definition, a list of assumptions, the fault tree model that were developed, lists of minimal cut sets, and an evaluation of the significance of the MCSs. In addition, any recommendations that arise from the FTA should be presented. 11 1.2.6 EVENT TREE ANALYSIS An event tree graphically shows all of the possible outcomes following the success or failure of protective systems, given the occurrence of a specific initiating cause (equipment failure or human error). Event trees are also used to study other events, such as starting at a loss event and evaluating mitigation systems. Purpose Event trees are used to identify the various incidents that can occur in a complex process. After these individual event sequences are identified, the specific combinations of failures that can lead to the incidents can then be determined using Fault Tree analysis. Description The results of the Event Tree Analysis are event sequences; that is, sets of failures or errors that lead to an incident. An Event Tree Analysis is well suited for analyzing complex 12 processes that have several layers of safety systems or emergency procedures in place to respond to specific initiating events. Analysis Procedure The general procedure for Event Tree Analysis contains six steps: (1) identifying the initiating causes or loss events of interest that can result in the type of incident or impact of concern, (2) identifying the safeguards designed to respond to the initiating cause or loss event, (3) constructing the event tree, (4) describing the resulting event sequence outcomes, (5) determining the event sequence minimal cut sets, and (6) documenting the results Identifying a starting event of interest. Initiating event is an important part of Event Tree Analysis. The event of interest, the initiating event if a traditional event tree will be referred to as the starting event. The starting event could also be an intermediate event, such as a process upset condition. If the starting event is an initiating cause, it should be a system or equipment failure or human error that could result in the effects of interest, depending on how well the system or operators respond to the event. Identifying the safeguards designed to respond to the starting event. The safeguards that respond to the initiating cause or loss event can be thought of as the plant’s defences against the potential consequences of the starting event. These safeguards may include, but are not limited to: Alarms that alert the operator when the initiating cause occurs Operator actions to be performed in response to alarms or as required by procedures Protective systems that automatically respond to the initiating cause Automatic isolation or other mitigation safeguards intended to limit loss event impacts In particular, these safeguards influence the ultimate effects of any incident resulting from the starting event. The analyst should identify, in the chronological order in which they are expected to respond, all safeguards that can protect against or mitigate the effect of the starting event. The descriptions of these safeguards should state their intended purpose. The successes and failures of the safeguards are accounted for in the event tree. Constructing the Event Tree. The event tree displays the development of event sequences, beginning with the starting event and proceeding to the control and safety system responses. The results are clearly defined incidents that can result from the initiating cause. An analyst tries to lay out actions of the safeguards chronologically, although many times the events may 13 occur almost simultaneously. The analyst should carefully factor in the normal process control response to upset conditions when evaluating the safety system response to upsets. The first step in constructing the event tree is to enter the starting event and safeguards that apply to the analysis. In particular, these safeguards influence the ultimate effects of any incident resulting from the starting event. The analyst should identify, in the chronological order in which they are expected to respond, all safeguards that can protect against or mitigate the effect of the starting event. The descriptions of these safeguards should state their intended purpose. The successes and failures of the safeguards are accounted for in the event tree. The next step is to evaluate the safeguard. Normally only two possibilities are considered: success or failure of the safeguard. The analyst should assume that the initiating cause has occurred, define the success/failure criteria for the safeguard, and decide whether the success or failure of the safeguard affects the course of the incident. If the incident is affected, the event tree divides into two paths to distinguish between the success and failure of the safeguard. Normally, success of the function is denoted by an upward path, and failure of the function, by a downward path. If the safeguard does not affect the course of the incident, the incident path proceeds, with no branch point, to the next safeguard. Letters (for example, A,B, C, or D) are used to indicate success of the safeguard, and ―bars‖ over the letters indicate failure of the function. Every branch point developed in the event tree creates additional incident paths that must be evaluated individually for each of the subsequent safety systems. When evaluating a safeguard on an incident path, the analyst must assume the previous successes and failures have occurred as dictated by the path. Describing the resulting incident sequence outcomes. The next step of the Event Tree Analysis procedure is to describe the various outcomes of the incident sequences. The sequences will represent the variety of outcomes that can follow the initiating cause. One or more of the sequences may represent a safe recovery and a return to normal operations, or an orderly shutdown. The sequences of importance, from a safety viewpoint, are those that result in consequences of concern. Determining incident sequence minimal cut sets. Incident sequences in an event tree can be analyzed in the same way that fault trees are analyzed to determine their minimal cut sets. Each incident sequence represents a logical ―ANDing‖ of the initiating cause and subsequent safety system failures. Thus, each sequence can be thought of as a separate fault tree with the incident sequence description as the Top event, followed by an AND gate containing the 14 initiating cause and all of the contributing safety system failures. The safety system failures and their associated logic models must assume that the defined successes of subsequent safeguards have occurred. Documenting the results. The final step in performing an Event Tree Analysis is to document the results of the study. The hazard analyst should provide a description of the system analyzed, a discussion of the problem definition, including the incident initiating causes analyzed, a list of assumptions, the event tree model(s) that were developed, lists of incident sequence minimal cut sets, a discussion of the consequences of the various incident sequences, and an evaluation of the significance of the incident sequence MCS. In addition, any recommendations that arise from the Event Tree Analysis should be presented. 1.2.7 CAUSE CONSEQUENCE ANALYSIS A Cause-Consequence Analysis (CCA) is a blend of the Fault Tree Analysis and Event Tree Analysis techniques. Purpose As the name suggests, the purpose of a Cause-Consequence Analysis is to identify the basic causes and consequences of potential incidents. Description Cause-Consequence Analysis (CCA) combines the inductive reasoning features of Event Tree Analysis with the deductive reasoning features of Fault Tree Analysis. A major strength of a Cause-Consequence Analysis is its use as a communication tool. The cause consequence diagram displays the relationships between the incident outcomes (consequences) and their basic causes. This technique is most commonly used when the failure logic of the analyzed incidents is rather simple, since the graphical form, which combines both fault trees and event trees on the same diagram, can become quite detailed. Analysis Procedure A general procedure for CCA contains six steps: (1) selecting an event or type of incident situation to be evaluated, (2) identifying the safeguards (systems, operator actions, etc.) that influence the course of the incident resulting from the event, (3) developing the event 15 sequence paths resulting from the event (Event Tree Analysis), (4) developing the combinations of intermediate events and safeguard failures to determine their basic causes (Fault Tree Analysis), (5) evaluating the event sequence minimal cut sets, and (6) documenting the result. Selecting an event to be evaluated. The events analyzed in Cause-Consequence Analysis can be defined in two ways: Top event (as in a Fault Tree analysis) Intermediate event (e.g., a deviation defined for HAZOP Studies). Identifying safeguards and developing event sequence paths. These steps are the same as those performed in Event Tree Analysis. The various event sequence paths are constructed based on the chronological successes and failures of the appropriate safeguards. The primary difference between Event Tree and Cause-Consequence Analysis is the symbols used in the diagram. No corresponding symbol is normally used in the event tree diagram. Developing the intermediate and safeguard failure events to determine basic causes. In this step, the analyst actually applies Fault Tree Analysis techniques to the starting event and safeguard failure events represented in the event tree portion of the cause-consequence diagram. Each fault description is treated as if it were a fault tree Top event or intermediate event. The analysts should describe the outcomes of each incident sequence in the Cause-Consequence model. Evaluating the incident sequence minimal cut sets. The incident sequence minimal cut sets are determined in a manner similar to fault tree minimal cut sets. The incident sequence is composed of a sequence of events, each of which is a Top event for a fault tree that is part of the cause-consequence diagram. For an incident sequence to occur, all of the events in the sequence must occur. An incident sequence fault tree is constructed by connecting all the safeguard failures to an AND logic gate, with the incident sequence occurrence as the new Top event. The standard fault tree solution technique can then be used to determine the incident sequence minimal cut sets. This process can be repeated for all incident sequences identified in the CCA. Evaluating the results of the CCA is a two-step process. First, the incident sequences are ranked based on their severity and importance to plant safety. Then, for each important incident sequence, the incident sequence minimal cut sets can be ranked to determine the most important basic causes. Documenting the results. The final step in performing a Cause-Consequence Analysis is to document the results of the study. The hazard analyst should provide a description of the system analyzed, a discussion of the problem definition including the incident initiating causes analyzed, a list of assumptions, the cause-consequence diagrams that were developed, 16 lists of incident sequence minimal cut sets, a discussion of the consequences of the various incident sequences, and an evaluation of the significance of the incident sequence MCS. In addition, any recommendations that arise from the CCA should be presented. 1.2.8 BOW TIE ANALYSIS A less formal variation of Cause-Consequence Analysis is the "Bow-Tie'' technique. It similarly combines two methodologies presented in earlier sections, Fault Tree Analysis and Event Tree Analysis, and uses the format of an incident investigation and root cause analysis technique known as Causal Factors Charting. The Bow-Tie analysis offers a cost-effective approach for a screening hazard evaluation of processes that are well understood. This approach is a qualitative hazard evaluation technique ideally suited for the initial analysis of an existing process, or application during the middle stages of a process design. The Bow-Tie technique in its visual form makes the analysis easy to understand, and can show what safeguards protect against particular initiating causes and loss event consequences. In the Bow-Tie method, the loss event is the equivalent of both (1) a Fault Tree Analysis Top event for deductively determining initiating causes and identifying preventive safeguards, and (2) an Event Tree Analysis starting point for studying loss event consequences and identifying mitigative safeguards. 17 18 CHAPTER 2 CHEMICAL PROCESS QUANTITATIVE RISK ANALYSIS (CPQRA) Chemical process quantitative risk analysis (CPQRA) is a methodology designed to provide management with a tool to help evaluate overall process safety in the chemical process industry. Management systems such as engineering codes, checklists and process safety management (PSM) provide layers of protection against accidents. However, the potential for serious incidents cannot be totally eliminated. CPQRA provides a quantitative method to evaluate risk and to identify areas for cost-effective risk reduction. 2.1 INTRODUCTION Many hazards may be identified and controlled or eliminated through use of qualitative hazard analysis. Qualitative studies typically identify potentially hazardous events and their causes. In some cases, where the risks are clearly excessive and the existing safeguards are inadequate, corrective actions can be adequately identified with qualitative methods. CPQRA is used to help evaluate potential risks when qualitative methods cannot provide adequate understanding of the risks and more information is needed for risk management. It can also be used to evaluate alternative risk reduction strategies. The basis of CPQRA is to identify incident scenarios and evaluate the risk by defining the probability of failure, the probability of various consequences and the potential impact of those consequences. The risk is defined in CPQRA as a function of probability or frequency and consequence of a particular accident scenario: Risk = F(s, c, f) s = hypothetical scenario c= estimated consequence(s) l = estimated frequency 19 All chemical processes have a risk potential. In order to manage risks effectively, they must be estimated. Since risk is a combination of frequency and consequence, source modelling is a necessary step in the risk management process. 2.2 SOURCE MODELS Source models are used to quantitatively define the release scenario by estimating discharge rates, total quantity released (or total release duration), extent of flash and evaporation from a liquid pool and aerosol formation. 2.2.1 DISCHARGE RATE MODEL BACKGROUND Purpose Most of the hazardous incidents occur from the release of flammable or toxic material from its normal containment. These may be from cracks to piping, open vents etc. The leak maybe that of a gas, liquid or a two phase gas-liquid release. The estimates from the discharge rate model are essential as inputs for the other models. Philosophy The main philosophy behind the discharge rate model is to select the minimal discharge rate and to maximize the relief area via selection of a minimal mass flux model. Applications Discharge rate models are the first stage in developing a majority of consequence estimates used by the CPQRA. The main application of interest involves two categories of process release: emergency engineered releases (e.g. relief vales), emergency unplanned releases (e.g. containment failures). DESCRIPTION Description of Technique The first step in the procedure is to determine an appropriate scenario. Several important issues must be considered at this point in the analysis. These include: release phase, thermodynamic path and endpoint, hole size, leak duration, and other issues. Release Phase: Discharge rate models require a careful consideration of the phase of the released material. The phase of the discharge depends on the release process and 20 can be determined by using thermodynamic diagrams or data, or a vapour-liquid equilibrium model, and the thermodynamic path during the release. Thermodynamic Path and Endpoint: The specification of the endpoint and the thermodynamic pathway used to reach the endpoint is important to the development of the source model. Hole Size: A primary input to any discharge calculation is the hole size. For releases through a relief system, the actual valve or pipe dimension can be used. For releases through holes, the hole size must be estimated. There are no official guidelines available for selection of hole size. Leak Duration: The Department of Transportation (1980) LNG Federal Safety Standards specified 10-min leak duration. Other analysts use a shorter duration. Actual release duration may depend on the detection and reaction time for automatic isolation devices and response time of the operators for manual isolation. The rate of valve closure in longer pipes can influence the response time. Other Issues: Other special issues to consider when analyzing discharges include the following: • Time dependence of transient releases • Reduction in flow • Inventory in the pipe or process between the leak and any isolation device. LIQUID DISCHARGE THROUGH A HOLE IN A TANK INPUT DATA REQUIRED: 1) Tank Pressure above liquid (barg) 2) Pressure outside hole (barg) 3) Liquid Density (kg/m3) 4) Liquid level above hole (m) 5) Hole Diameter (mm) OUTPUT DATA: 1) Exit Velocity (m/s) 2) Mass Flow rate (kg/s) LIQUID TRAJECTORY FROM A HOLE INPUT DATA REQUIRED: 1) Liquid velocity at the hole (m/s) 2) Height of hole above the ground (m) OUTPUT DATA: 1) Time taken to reach the ground (s) 21 2) Horizontal distance from hole (m) LIQUID DISCHARGE THROUGH A PIPING SYSETM INPUT DATA REQUIRED: 1) Fluid Density (kg/m3) 2) Fluid Viscosity (kg/m-s) 3) Diameter of pipe (m) 4) Roughness of pipe (mm) 5) Pressure at point 1 (Pa) 6) Pressure at point 2 (Pa) 7) Velocity at point 1(m/s) 8) Height of point 1 (m) 9) Height of point 2 (m) 10) Length of pipe (m) 11) Net pump energy (kW) OUTPUT DATA: 1) Calculated discharge velocity (m/s) 2) Calculated Discharge rate (kg/s) GAS DISCHARGE THORUGH A PIPING SYSTEM INPUT DATA REQUIRED: 1) Heat capacity ratio of gas 2) Hole size (mm) 3) Pressure upstream (bar abs) 4) Pressure downstream (bar abs) 5) Temperature (K) 6) Gas molecular weight OUTPUT DATA: 1) Mass flow rate (kg/s) GAS DISCHARGE THROUGH A PIPING SYSTEM INPUT DATA REQUIRED: 1) Heat capacity ratio of gas 2) Gas molecular weight 3) Temperature (K) 4) Pressure at point 1 (Pa) 5) Pressure at point 2 (Pa) 6) Pipe diameter (m) 7) Pipe length (m) 8) Pipe roughness (mm) 22 OUTPUT DATA: 1) Mass flow rate (kg/s) TWO PHASE FLASHING FLOW THROUGH A PIPE INPUT DATA REQUIRED: 1) Ambient Temperature (K) 2) Saturation Pressure (bar gauge) 3) Storage Pressure (bar gauge) 4) Downstream Pressure (bar gauge) 5) Critical Pipe length (m) 6) Pipe length (m) 7) Discharge Co-efficient 8) Heat of vaporization (J/kg) 9) Volume change on vaporization (m3/kg) 10) Heat capacity (J/kg-K) 11) Liquid Density (kg/m3) OUTPUT DATA: 2.2.2 1) Combined mass flux (kg/m2s) FLASH AND EVAPORATION BACKGROUND Purpose The purpose of flash and evaporation models is to estimate the total vapour that forms a cloud, for use as input to dispersion models. Philosophy If the liquid released is superheated, then the amount of vapour and liquid produced during flashing can be calculated from thermodynamics assuming a suitable path. Applications Spilling of liquids is common during loss of containment incidents in the chemical process industries. Thus, flash and evaporation models are essential in CPQRA. DESCRIPTION Description of Technique Superheated liquid release estimation. The flash from a superheated liquid released to atmospheric pressure can be estimated in a number of ways. If the initial and final state of the 23 release is quiescent, then the initial and final enthalpies are the same. For pure materials, such as steam, thermodynamic data table can be used. Aerosol Estimation. A common practice for estimating aerosol formation is to assume that the aerosol fraction is equal to some multiple of the fraction flashed, typically 1 or 2. ISENTHALPIC FLASH FRACTION INPUT DATA REQUIRED: 1) Ambient Temperature (K) 2) Boiling point temp. At pressure (K) 3) Heat Capacity (kJ/kg-K) 4) Heat of vaporization (kJ/kg) OUTPUT DATA: 1) Flash Fraction BOILING POOL VAPORIZATION INPUT DATA REQUIRED: 1) Thermal diffusivity of soil (m2/s) 2) Thermal conductivity of soil (W/m-K) 3) Temperature of boiling pool (K) 4) Temperature of soil (K) 5) Heat of vaporization (J/kg) 6) Time (s) 7) Pool area (m2) OUTPUT DATA: 1) Heat flux from ground (J/m2 s) 2) Evaporative flux (kg/m2 s) 3) Total evaporation rate (kg/s) 24 2.2.3 DISPERSION MODELS BACKGROUND Purpose Neutral and positively buoyant plume or puff models are used to predict average concentration and time profiles of flammable or toxic materials downwind of a source. Philosophy Atmospheric diffusion is a random mixing process driven by turbulence in the atmosphere. The concentration at any point downwind of a source is well approximated by a concentration profile in both the horizontal and vertical dimensions. Applications It is used extensively in the prediction of atmospheric dispersion of pollutants. They are applicable in risk analyses for neutral and positively buoyant emissions as the models have been validated over a wide range of emission characteristics and downwind distances. DESCRIPTION Description of Technique Gaussian dispersion: The method applies only for neutrally buoyant clouds and provides an estimate of average downwind vapour concentrations. Since the concentrations predicted are time averages, it must be considered that local concentrations might be greater than this average; this result is important when estimating dispersion of highly toxic or flammable materials where local concentration fluctuations might have a significant impact on the consequences. Averaging time corrections can be applied. A complete development of the fundamental equations is presented elsewhere. Puff Model. The puff model describes near instantaneous releases of material. The solution depends on the total quantity of material released, the atmospheric conditions, the height of the release above ground, and the distance from the release. PUFF RELEASE INPUT DATA REQUIRED: 1) Total release (kg) 2) Molecular weight 25 3) Temperature (K) 4) Pressure (atm) 5) Release height (m) 6) Distance downwind (m) 7) Distance off wind (m) 8) Distance from ground (m) OUTPUT DATA: 1) Downwind concentration (kg/m3) 2.3 EXPLOSIONS AND FIRES 2.3.1 VAPOUR CLOUD EXPLOSIONS (VCE) BACKGROUND Purpose When a large amount of flammable vaporizing liquid or gas is rapidly released, a vapour cloud forms and disperses with the surrounding air. The release can occur from a storage tank, process, transport vessel, or pipeline. If this cloud is ignited before the cloud is diluted below its lower flammability limit (LFL), a VCE or flash fire will occur. Philosophy First, the release material must be flammable. Second, a cloud of sufficient size must form prior to ignition, with ignition delays of from 1 to 5 min considered the most probable for generating vapour cloud explosions. Third, a sufficient amount of the cloud must be within the flammable range. Fourth, sufficient confinement or turbulent mixing of a portion of the vapour cloud must be present. Application VCE models have been applied for incident analysis and in risk analysis predictions. DESCRIPTION Description of Technique 26 Important parameters in analyzing combustion incidents are the properties of the material: lower and upper flammable limits (LFL and UFL), flash point, auto ignition temperature, heat of combustion, molecular weight, and combustion stoichiometry. TNT EQUIVALENCY OF VAPOUR CLOUD INPUT DATA REQUIRED: 1) TNT Mass (kg) 2) Distance from blast (m) OUTPUT DATA: 1) Overpressure (kPa) 2) Impulse (Pa s) 2.3.2 FLASH FIRES A flash fire is the non-explosive combustion of a vapour cloud resulting from a release of flammable material into the open air. Experiments have shown that vapour clouds only explode in areas where intensely turbulent combustion develops and only if certain conditions are met. Major hazards from flash fires are from thermal radiation and direct flame contact. Flash fire models if based on flame radiation are subject to large error if radiation is estimated incorrectly. 2.3.3 PHYSICAL EXPLOSION BACKGROUND Purpose When a vessel containing a pressurized gas ruptures, the resulting stored energy is released. This energy can produce a shock wave and accelerate vessel fragments. If the contents are flammable it is possible that ignition of the released gas could result in additional consequence effects. Philosophy A physical explosion relates to the catastrophic rupture of a pressurized as filled vessel. The rupture could occur due to Failure of pressure regulating equipment, reduction in vessel thickness, reduction in vessel strength, internal runaway reaction. Applications 27 In general, these types of failures result in risk to in-plant personnel. However, vessel fragments can be accelerated to significant distances. This study is considered for projectile damage effects on other process vessels. DESCRIPTION Description of Technique Several methods relate directly to calculation of a TNT equivalent energy and use of shock wave correlations. There are various expressions that can be developed for calculating the energy released when a gas initially having a volume, V, expands in response to a decrease in pressure from a pressure, P1, to atmospheric pressure, P0. ENERGY EXPLOSION FOR A COMPRESSED GAS INPUT DATA REQUIRED: 1) Vessel Volume (m3) 2) Vessel Pressure (bar abs) 3) Final pressure of expanding gas (bar abs) 4) Ambient Pressure (bar abs) 5) Heat Capacity of expanding gas 6) Temperature of gas (K) OUTPUT DATA: 1) Moles of gas in vessel (gm-moles) 2) Energy of explosion (Joules) 3) TNT equivalent (kg TNT) VELOCITY OF FRAGMENTS FROM A VESSEL RUPTURE INPUT DATA REQUIRED: 1) Total mass of vessel (kg) 2) Total volume of vessel (m3) 3) Number of fragments 4) Mass fraction of the fragments 5) Pressure of gas within vessel (MPa) 6) Ambient Pressure (MPa) 7) Temperature of gas within vessel (K) 8) Heat capacity ratio of gas within vessel 9) Molecular weight of gas within vessel OUTPUT DATA: 1) Velocity of fragment (m/s) 28 2.3.4 BLEVE AND FIREBALL BACKGROUND Purpose A boiling liquid expanding vapour explosion (BLEVE) occurs when there is a sudden loss of containment of a pressure vessel containing a superheated liquid or liquefied gas. There are methods used to calculate the effects of the vessel rupture and the fireball that results if the released liquid is flammable and is ignited. Philosophy A BLEVE is a sudden release of a large mass of pressurized superheated liquid to the atmosphere. The primary cause is usually an external flame impinging on the shell of a vessel above the liquid level, weakening the container and leading to sudden shell rupture. A pressure relief valve does not protect against this mode of failure, since the shell failure is likely to occur at a pressure below the set pressure of the relief system. It should be noted, however, that a BLEVE can occur due to any mechanism that results in the sudden failure of containment, including impact by an object, corrosion, manufacturing defects, internal overheating, etc. The sudden containment failure allows the superheated liquid to flash, typically increasing its volume over 200 times. If the released liquid is flammable, a fireball may result. Applications BLEVE models are often required for risk analysis at chemical plants and for major accident investigation. DESCRIPTION Description of Technique The calculation of BLEVE incidents is a stepwise procedure. The first step should be pressure and fragment determination, as this applies to all BLEVE incidents (whether for flammable materials or not). For flammable materials the prediction of thermal intensity from fireballs should also be considered. This requires a determination of the fireball diameter and duration. BLEVE THERMAL FLUX 29 INPUT DATA REQUIRED: 1) Initial flammable mass (kg) 2) Water partial pressure in air (Pa) 3) Radiation Fraction, R 4) Distance from fireball center to ground (m) 5) Heat of combustion of fuel (kJ/kg) OUTPUT DATA: 1) Maximum fireball diameter (m) 2) Fireball combustion duration (s) 3) Center height of fireball (m) 4) Surface emitted flux (kW/m2) 5) Path length 6) Transmissivity BLAST FRAGMENTS FROM BLEVE INPUT DATA REQUIRED: 1) Diameter of sphere (m) 2) Vessel failure Pressure (kPa abs) 3) Vessel liquid fill fraction 4) Vessel wall thickness (cm) 5) Vessel wall density (kg/m3) 6) Temperature (K) 7) Ambient Pressure (kPa abs) 8) Drag coefficient of fragment OUTPUT DATA: 1) Energy of explosion (kg TNT) 2) Initial velocity of fragments (m/s) 3) Theoretical max range (m) 2.3.5 CONFINED EXPLOSIONS BACKGROUND Purpose Confined explosions refer to deflagrations or other sources of rapid chemical reaction which are constrained within vessels and buildings. Dust explosions, vapour explosions within low strength vessels and buildings, thermal decompositions, and runaway reactions within process vessels and equipment are the various categories of confined explosions. 30 Philosophy The design of process vessels subject to internal pressure, design of vessels to contain internal deflagrations and design of relief systems for both low strength enclosures and process vessels are the various issues to be dealt with due to the danger of confined explosions. Applications Most CPQRAs consider the risk implications of confined explosion effects. Few studies have also been done on the damage effects on process vessels due to confined explosions. DESCRIPTION Description of Technique The technique is based on the determination of the peak pressure. Where this is sufficient to cause vessel failure, the consequences can be determined. The explosion of a flammable mixture in a process vessel or pipework may be a deflagration or a detonation. Detonation is the more violent form of combustion. A deflagration is a less violent form of combustion but it has the potential to become a detonation. OVERPRESSURE FROM COMBUSTION IN A VESSEL INPUT DATA REQUIRED: 1) Volume of vessel (m3) 2) Temperature (K) 3) Shock wave overpressure (kPa) 4) Energy of combustion (kcal/g-mole) OUTPUT DATA: 1) Total mass of fuel (kg) 2) Total energy of combustion (kcal) 3) Distance from blast (m) 31 2.3.6 POOL FIRES BACKGROUND Purpose Pool fires tend to be localized in effect and are mainly of concern in establishing the potential for domino effects and employee safety zones, rather than for community risk. The primary effects of such fires are due to thermal radiation from the flame source. Issues of inter tank and interplant spacing, thermal insulation, fire wall specification, etc., can be addressed on the basis of specific consequence analyses for a range of possible pool fire scenarios. Philosophy A pool fire may result via a number of scenarios. It begins typically with the release of flammable material from process equipment. If the material is liquid, stored at a temperature below its normal boiling point, the liquid will collect in a pool. The geometry of the pool is dictated by the surroundings but an unconstrained pool in an open, flat area is possible. If the liquid is stored under pressure above its normal boiling point, then a fraction of the liquid will flash into vapour, with unflashed liquid remaining to form a pool in the vicinity of the release. Applications Pool fire models have been applied to a large variety of combustible and flammable materials. DESCRIPTION Description of Technique The pool fire models consist of different types of sub models which are used for calculation of various different parameters during a pool fire. Some of the models are burning rate, pool size, flame geometry including height tilt and drag, flame surface emitted power, geometric view factor with respect to receiving source, atmospheric transmissivity, and received thermal flux RADIATION FROM A BURNING POOL INPUT DATA REQUIRED: 1) Liquid Leakage Rate (m3/s) 2) Heat of combustion of liquid (kJ/kg) 3) Heat of vaporization of liquid (kJ/kg) 32 4) Boiling point of liquid (K) 5) Ambient Temperature (K) 6) Liquid Density (kg/m3) 7) Constant heat capacity of liquid (kJ/kg-K) 8) Dike Diameter (m) 9) Receptor distance from pool (m) 10) Relative humidity 11) Radiation efficiency OUTPUT DATA: 2.3.7 1) Thermal Flux at receptor (kW/m2) JET FIRES BACKGROUND Purpose Jet fires typically result from the combustion of a material as it is being released from a pressurized process unit. The main concern, similar to pool fires, is in local radiation effects. Applications The most common application of jet fire models is the specification of exclusion zones around flares. DESCRIPTION Description of Technique Jet fire modelling is not as well developed as for pool fires, but several reviews have been published. Jet fire modelling incorporates many mechanisms, similar to those considered for pool fires. RADIANT FLUX FROM A JET FIRE INPUT DATA REQUIRED: 1) Distance from flame (m) 2) Hole Diameter (mm) 3) Leak height above ground (m) 4) Gas pressure (bar gauge) 5) Ambient Temperature (K) 6) Relative Humidity 33 7) Heat capacity ratio for gas 8) Heat of combustion for gas (kJ/kg) 9) Molecular weight of gas 10) Flame temperature (K) 11) Discharge coefficient of hole 12) Ambient Pressure (Pa) 13) Fuel mole fraction at stoichiometric 14) Moles of reactant per mole of product 15) Molecular weight of air 16) Fraction of total energy converted OUTPUT DATA: 1) Flux at receptor location (kW/m2) 2.4 EFFECT MODELS 2.4.1 TOXIC GAS EFFECTS BACKGROUND Purpose Toxic effect models are employed to assess the consequences to human health as a result of exposure to a known concentration of toxic gas for a known period of time. Philosophy The object of the toxic effects model is to determine whether an adverse health outcome can be expected following a release and, if data permit, to estimate the extent of injury or fatalities that are likely to result. DESCRIPTION Description of Technique To determine the possible health consequences of a toxic release incident outcome, dispersion models are used to develop a contour map describing the concentration of gas as a function of time, location, and distance from the point of release. This is a reasonably simple process for a continuous release since the concentration is constant at a fixed point. FATALITIES DUE TO MOVING PUFF INPUT DATA REQUIRED: 1) Time 34 2) Wind Speed 3) Total Release 4) Step Increment 5) Release Height 6) No. of increments 7) Molecular Weights 8) Temperature OUTPUT DATA: 1) Probit 2)Percent Fatalities 2.4.2 THERMAL EFFECTS BACKGROUND Purpose To estimate the likely injury or damage to people and objects from thermal radiation due to incident outcomes. Philosophy Thermal effect modelling is more straightforward than toxic effect modelling. A substantial body of experimental data exists and forms the basis for effect estimation. Two approaches are used: Simple tabulations or charts based on experimental results Theoretical models based on the physiology of skin burn response Applications Thermal effect modelling is widely used in chemical plant design and CPQRA. DESCRIPTION Description of Technique The effect of thermal radiation on structures depends on whether they are combustible or not and the nature and duration of the exposure. Thus, wooden materials will fail due to combustion, whereas steel will fail due to thermal lowering of the yield stress. Many steel structures under normal load will fail rapidly when raised to a temperature of 500-60O0C, 35 whereas concrete will survive for much longer. Flame impingement on a structure is more severe than thermal radiation. 2.4.3 EXPLOSION EFFECTS BACKGROUND Purpose Explosion effect models predict the impact of blast overpressure and projectiles on people and objects. Philosophy Most effect models for explosions are based on either the blast overpressure alone, or a combination of blast overpressure, duration, and/or specific impulse. The blast overpressure, impulse and duration are determined using a variety of models, including TNT equivalency, multi-energy and Baker-Strehlow methods. Applications Virtually all CPQBJVs of systems containing large inventories of flammable or reactive materials will need to consider explosion effects. Some analyses may also need to consider condensed phase explosions or detonations of unstable materials. DESCRIPTION Description of Technique Explosion effects have been studied for many years, primarily with respect to the layout and siting of military munitions stockpiles. Explosion effects are classified according to effects on structures and people. RANGE FOR A TNT BLAST INPUT DATA REQUIRED: 1) Mass of TNT (kg) OUTPUT DATA: 1) Range of blast (m) 36 2.5 EVENT PROBABILITY AND FAILURE FREQUENCY ANALYSIS It describes techniques used to calculate incident frequencies and subsequent consequence probabilities. Incident Frequencies from the Historical Record BACKGROUND Purpose The number of recorded incidents can be divided by the exposure period (e.g., plant years, pipeline mile-years) to estimate a failure estimate of the frequency. This is a straightforward technique that provides directly the top event frequency. Technology A number of criteria have to be satisfied for the historical likelihood to be meaningful. These include sufficient and accurate records and applicability of the historical data to the particular process under review. If these criteria are met, which is often difficult, the frequency information is relatively straightforward to calculate. Applications The historical frequency technique is applicable for a number of important cases in CPQRA. It is often used early in the design stage, before details of plant systems and safeguards are defined. The technique is ideal where failure causes are very diverse and difficult to predict, such as with transportation incidents. DESCRIPTION The historical approach is summarized by a five-step methodology. 1. Define context: Provides a clear specification of the incidents for which frequency estimates are sought. 2. Review source data: Source data found in company records, government, or industry group statistics should be reviewed for completeness and independence. 3. Check data applicability: The historical record may include data over long periods of time (5 or more years). It is necessary to review incident descriptions and discard those failures not relevant to the plant and scenario under review. 37 4. Calculate incident frequency: When the data are confirmed as applicable and the incidents and exposure are consistent, the historical frequency can be obtained by dividing the number of incidents by the exposed population. 5. Validate frequency: It is often possible to compare the calculated incident frequency with a known population of plant or equipment not used for data generation. This is a useful check as it can highlight an obvious mistake or indicate that some special feature has not received adequate treatment. 2.5.1 FREQUENCY MODELLING TECHNIQUES The main techniques for modelling the likelihood of incidents and the probabilities of outcomes in CPQRA are: fault tree analysis (FTA), which is used to estimate incident frequencies (e.g., major leakage of a flammable material), and event tree analysis, which may be used to quantitatively estimate the distribution of incident outcomes (e.g., frequencies of explosions, pool fires, flash fires, safe dispersal). FAULT TREE ANALYSIS BACKGROUND An essential goal of a CPQRA is to establish the frequency of the identified hazardous incidents. The historical record provides the most straightforward technique for this purpose, subject to the conditions of applicability and adequacy of records and databases. Where the historical information cannot be used, a mechanistic model of plant component data and operator response can be employed. In CPQRAs the analyst normally calculates a number of different reliability characteristics. A few of these are expected number of failures per year, probability of failure on demand, and unreliability. Purpose Fault tree analysis permits the hazardous incident (top event) frequency to be estimated from a logic model of the failure mechanisms of a system. The model is based on the combinations of failures of more basic system components, safety systems, and human reliability. Technology The underlying technology is the use of a combination of relatively simple logic gates (usually AND and OR gates) to synthesize a failure model of the plant. A basic assumption in FTA is that all failures in a system are binary in nature. That is, a component or operator 38 either performs successfully or fails completely. In addition, the system is assumed to be capable of performing its task if all subcomponents are working. Applications It has found application in the chemical process industry, to address safety and reliability problems, during the past few decades. To date, the most common application in the process industry has been in the area of reliability, and the analysis of complex interlock or control systems. DESCRIPTION The usual objectives of applying FTA to a chemical process are one or more of the following: estimation of the frequency of occurrence of the incident determination of the combinations of equipment failures, operating conditions, environmental conditions, and human errors that contribute to the incident identification of remedial measures for the improvement of reliability or safety The procedure for undertaking FTA consists of several steps. 1. System description and choice of system boundary 2. Hazard identification and selection of the top event 3. Construction of the fault tree 4. Qualitative examination of structure 5. Quantitative evaluation of the fault tree EVENT TREE ANALYSIS BACKGROUND Purpose An event tree is a graphical logic model that identifies and quantifies possible outcomes following an initiating event. The event tree provides systematic coverage of the time sequence of event propagation. Technology Event tree structure is the same as that used in decision tree analysis. Each event following the initiating event is conditional on the occurrence of its precursor event. Outcomes of each precursor event are most often binary (SUCCESS or FAILURE, YES or NO), but can also include multiple outcomes(e.g., 100%, 20%, or 0% closure of a control valve). 39 Applications Event trees have found widespread applications in risk analyses for both the nuclear and chemical industries. Two distinct applications can be identified. The pre incident application examines the systems in place that would prevent incident-precursors from developing into incidents. The event tree analysis of such a system is often sufficient for the purposes of estimating the safety of the system. The post incident application is used to identify incident outcomes. Human reliability analysis uses event tree techniques. DESCRIPTION Pre incident event trees can be used to evaluate the effectiveness of a multi element protective system. A post incident event tree can be used to identify and evaluate quantitatively the various incident outcomes (e.g., flash fire).The sequence in which an event 40 tree analysis is conducted is shown below in the form of a logic diagram. 2.6 MEASUREMENT, CALCULATION AND PRESENTATION OF RISK ESTIMATES Risk estimate can be determined from the information and resources available and from the intended audience. In this section, we consider commonly used risk measures, formats used for presenting risk estimates, and guidelines for selection of the risk measure(s) and presentation format(s) to meet the objectives of a study. 41 2.6.1 RISK MEASURES Risk may be defined as a measure of economic loss, human injury or environmental damage in terms of both the likelihood and the magnitude of the loss, injury or damage. In CPQRA, a number of numerically different measures of risk can be derived from the same set of incident frequency and consequence data. These different risk measures characterize risk from different viewpoints, for example: • Risk to an individual vs. risk to a group • Risk to varying populations • Simple risk measures containing less information vs. complex measures containing a great deal of information about risk distribution. Three commonly used ways of combining incident frequency and consequence data to produce risk estimates are: 1. Risk indices 2. Individual risk measures 3. Societal risk measures Risk indices are single numbers or tabulations of numbers which are correlated to the magnitude of risk. Some risk indices are relative values with no specific units. Other risk indices are calculated from various individual or societal risk data sets. Risk indices are easy to explain and present, but contain less information than other, more complex measures. Individual risk measures can be single numbers or a set of risk estimates for various individuals or geographic locations. In general, they consider the risk to an individual who may be in the effect zone of an incident or set of incidents. The size of the incident, in terms of the number of people impacted by a single event, does not affect individual risk, Individual risk measures can be single numbers, tables of numbers, or various graphical summaries. Societal risk measures are single number measures, tabular sets of numbers, or graphical summaries which estimate risk to a group of people located in the effect zone of an incident or set of incidents. Some societal risk measures are designed to reflect the observation that people tend to be more concerned about the risk of large incidents than small incidents, and may place a greater weight on large incidents. 42 2.6.2 RISK PRESENTATION The large quantity of frequency and consequence information generated by a CPQRA must be integrated into a presentation that is relatively easy to understand and use. Different presentation methods are used to describe the different risk estimates. Risk indices Risk indices are single-number measurements and are thus, normally presented in tables like the one shown below. Individual risk Common forms of presentation of individual risk are risk contour plots and individual risk profiles, also known as risk transects. The risk contour plot shows individual risk estimates at specific points on a map. Risk contours ("isorisk" lines) connect points of equal risk around 43 the facility. Places of particular vulnerability (e.g., schools, hospitals, population concentrations) may be quickly identified. The individual risk profile (risk transect) is a plot of individual risk as a function of distance from the risk source. This plot is two-dimensional (risk vs distance)and is a simplification of the individual risk contour plot. Individual risk profiles (transects) can also be used to show risk in a particular direction of interest, for example in the direction of a control building. 44 Societal risk Societal risk addresses the number of people who might be affected by hazardous incidents. The presentation of societal risk was originally developed for the nuclear industry. A common form of societal risk is known as an F-N (frequency-number) curve. An F-N curve is a plot of cumulative frequency versus consequences (expressed as number of fatalities). A logarithmic plot is usually used because the frequency and number of fatalities range over several orders of magnitude. It is also common to show contributions of selected incidents to the total F-N curve as this is helpful for identification of major risk contributors. 45 2.6.3 SELECTION OF RISK MEASURES AND PRESENTATION FORMATS Factors to be considered in the risk measures to be presented include the following: 1. Study objectives. 2. Required depth of study 3. End uses 4. Population at risk Factors to be considered while deciding the presentation format are: 1. User requirements 2. User knowledge 3. Effectiveness of communicating results 4. Need for comparative presentations 46 CHAPTER 3 ACCIDENT INVESTIGATION STUDIES CHEMICAL SAFETY BOARD The U.S. Chemical Safety and Hazard Investigation Board, also known as the Chemical Safety Board or CSB, is an independent U.S. federal agency charged with investigating industrial chemical accidents. Headquartered in Washington, D.C., the agency's board members are appointed by the United States President and confirmed by the United States Senate. The principal role of the chemical safety board is to investigate accidents to determine the conditions and circumstances which led up to the event and to identify the cause(s) so that similar events might be prevented. Videos of these investigations are produced, in which the reasons for the disaster to have occurred are analyzed. Chemical disasters being mainly repetitive in nature can be understood better if actual reasons for a particular disaster to have occurred are found out. Detailed investigation reports are also published by CSB. 3.1 BP TEXAS CITY REFINERY DISASTER (15 killed, 180 injured) Incident Synopsis At about 1.20 pm on 23 May, 2005, several explosions and a fire occurred in the BP (British Petroleum) Refinery in Texas City, USA. Explosions and fires killed 15 people and injured another 180, and resulted in financial losses exceeding $1.5 billion. The incident occurred during the startup of an isomerisation (ISOM) unit when a raffinate splitter tower was overfilled; pressure relief devices opened, resulting in a flammable liquid geyser from a blowdown stack that was not equipped with a flare. The release of flammables led to an explosion and fire. All of the fatalities occurred in or near office trailers located close to the blowdown drum. A shelter-in-place order was issued that required 43,000 people to remain indoors. Houses were damaged as far away as three-quarters of a mile from the refinery. 47 Isomerization is a refining process that alters the fundamental arrangement of atoms in the molecule without adding or removing anything from the original material. At the BP Texas City refinery, the ISOM unit converted straight-chain normal pentane and hexane into higher octane branched-chain isopentane and isohexane for gasoline blending and chemical feedstocks. The ISOM unit boosts the octane rating of gasoline and consists of four sections: one of which is a raffinate splitter. The raffinate splitter section took raffinate, a non-aromatic, primarily straight-chain hydrocarbon mixture from the Aromatics Recovery Unit (ARU) and separated it into light and heavy components. About 40 percent of the raffinate feed was recovered as light raffinate (primarily pentane/hexane). The remaining raffinate feed was recovered as heavy raffinate, which was used as a chemicals feedstock, or blended into unleaded gasoline. The raffinate splitter section could process up to 45,000 barrels per day of raffinate feed. The incident occurred while the raffinate splitter section of the refinery’s ISOM unit was being restarted after a maintenance turnaround that lasted one month. During this startup, the 170 foot high tower was overfilled with liquid and highly flammable gasoline components were released from a raffinate splitter tower. Let us have a look at the sequence of events that led to this tragic accident. Sequence of Events 0200 hours on March 23, 2005 Gasoline components were sent to the raffinate splitter tower. Normal level of liquid gasoline in the tower was to be 6.5 feet. A level indicator would relay information regarding level of gasoline in the tower to the control room. This level indicator had a range from 0 to 10 feet. If the level of gasoline in the tower was above 10 feet, the level indicator would not be able to show this information. At 2 a.m., the first alarm was triggered when the level of gasoline in the tower reached 10 feet. 0330 hours The feed to the raffinate splitter tower was stopped but level indicator continued to show level of gasoline inside the tower to be 10 feet, when the actual level was close to 13 feet. 0950 hours The feed to the tower was resumed. The valve that controlled liquid outflow from the tower was left closed by operators in the control room. This occurred because of the conflicting instructions given to the operator. Thus, the level of gasoline was increasing steadily in the 48 raffinate splitter tower. Ten minutes later, burners in the furnace beneath the tower were switched on to heat up the feed. At this point the actual level was 138 feet whereas the level indicator showed that it was below 10 feet and falling. 1240 hours A high pressure alarm got activated and operators switched off two burners in the furnace to lower temperature and thereby reduce the pressure inside the tower. The valve to control pressure in the pipe was not functioning. The operator used manual chain valve to divert gases in the tower to a blowdown drum which would vent them to the atmosphere. 1300 hours Valve that controlled liquid outflow from the tower opened by operator in the control room. This was done to reduce temperature in the tower but it had the opposite effect. A temperature gradient was created between the bottom and top of the tower. The temperature of the feed was raised by about 150 degrees Celsius inside the tower. 1305 hours The feed liquid started boiling and expanded. The level of gasoline in the tower was now almost 170 feet. 1310 hours The liquid overflowed from the top of the tower through the pipe intended to transfer gases to the blowdown drum. 1314 hours A great pressure was exerted on the emergency valves in the pipe. Three of them open and liquid flowed out of them. Some of the liquid leaked to the process sewer after overflowing from the blowdown drum. The alarm to indicate overflow in the blowdown drum did not go off. Liquid erupted from the top of the blowdown drum. This eruption lasted for about 1 minute and the liquid forms a vapour cloud after striking the ground. This vapour cloud expanded over the facility. 49 1320 hours The vapour cloud exploded after being ignited by a ignition source, most likely the engine of a pickup truck located 25 feet from the blowdown drum. The first explosion triggered several other explosions throughout the facility. CSB Findings The CSB report dated 20th March 2007 contained the following findings. 1. BP’s budget reduction policy was a major factor. 2. Irregular top leadership changes at the facility hindered proper implementation of safety management systems. 3. BP’s faulty Process Safety Management (PSM) systems led to the disaster. 4. Location of trailers close to the ISOM unit led to the casualties. 5. Antiquated equipment design of blowdown drum contributed to the disaster. 6. Human factors like fatigue, absence of supervisor caused the disaster. We shall examine each of these factors in detail. 1. BP’s budget reduction policy After BP’s merger with Amoco in 1998, it acquired the Texas City refinery. The merger had serious financial implications for BP as it ordered a 25% reduction in fixed costs at all its’ refineries. In BP’s internal audits, the effect of the budget reduction was often highlighted. 1. In 2002, refinery manager of the Texas City facility pointed out that infrastructure at the facility was in a state of complete decline. No action was taken in response. 2. Several studies about the potential for major site incident at TCR (Texas City Refinery) were presented to the top brass of BP in London. No action was taken. 3. A 2002 report found that integrity and reliability issues at TCR were linked with reduction in maintenance spending. No corrective measures were taken. 4. A 2002 study found that condition of infrastructure and assets at TCR were Chequebook mentality was shown as reason for the reason. Chequebook refers to spending only money available at present instead of poor. mentality increasing allocation. 5. In March 2004, a BP audit found that 34 units of BP including TCR suffer from widespread tolerance of non compliance with basic health, safety and 50 budget environmental rules, poor implementation of PSM systems, lack of leadership, competence and understanding. 6. In 2004, following three major accidents at TCR, maintenance spending for 04 was increased. However this was done as a response to serious meet environment regulation and not for long overdue 2003- accidents and to preventive maintenance. 7. A BP survey conducted a few days prior to the accident found that the level of a possible catastrophe among TCR employees was exceptionally high. fear of The survey concluded that a major incident would occur if the pressure for production, time pressure and understaffing were not addressed. No action was taken following this survey. 2. Irregular top leadership changes From 1998 to 2005, there were about 7 top leadership changes at TCR. This meant that there was never enough time for any top level manager to implement PSM properly. The top level managers were interested only in budget systems compliance and not in process safety. 3. Faulty PSM systems at BP TCR 1. Process safety measures are estimated using two parameters: leading and lagging. Leading parameter predicts the likelihood of an accident before it occurs. For e example, the percentage of maintenance of machines that is overdue. Lagging parameter measures events that have already occurred. For example, fires, explosions that have occurred at the facility in the past. CSB investigation found that BP did not effectively use leading and lagging parameters. BP’s pay policy rewarded managers primarily on the basis of controlling costs. 2. Reporting and learning culture is another key component of PSM systems. It refers to the culture of reporting of incidents at facilities to top management and the ability of the company to learn from those incidents. The reporting and BP’s TCR facility was not effective because several for a possible catastrophe were ignored. BP’s own learning culture at warnings of the potential internal audits often highlighted the precarious nature of the safety systems at the TCR facility. 3. The organizational structure at BP was such that the process safety manager was at a very low level and did not have the authority or resources to take corrective measures to prevent possible incidents. 51 4. Bonus criteria at BP were related only to reducing costs and this often meant that proper safety guidelines were not followed. 5. BP dismantled Amoco’s superior centralized safety structure following the ` merger in 1998. 6. CSB found that there were as many as 19 instances of abnormal functioning of the ISOM unit from 1999 to 2004, but no corrective action was taken. 8 l leakagesof hazardous materials took place from 1999 to 2004 but only 3 of them ere investigated. 4. Location of trailers Maintenance activities were being conducted in other units when the disaster took place. Maintenance personnel were housed in several trailers located close to the ISOM unit. According to BP policy, occupants of trailers inside facility must be evacuated before startup of any process inside the facility. But at TCR, the occupants of the trailers were not even informed about the startup of the ISOM unit. The trailers were made of metal and wood and they caught fire easily during the accident. 13 trailers caught fire and 27 were damaged. Proximity to maintenance sites was the reason for trailers to be located close to the ISOM unit, not safety. The close proximity of the trailers to the ISOM unit led to the casualties. If proper industry guidelines for location of trailers were followed, the casualties could have been avoided. 5. Antiquated equipment design 1. The CSB found that the raffinate tower did not have modern design safeguards. Also, it was found that the level indicator of the raffinate tower malfunctioned because it was calibrated based on data published in 1975 for a different liquid in a different process. 2. Amoco safety guidelines stipulate that blowdown systems that discharge to the atmosphere should not be permitted. Instead, flares must be used. These guidelines were ignored after the merger with BP. 3. From 1998, several proposals were made to the top management to replace the blowdown drum, but all proposals were ignored. 6. Human factors 1. The CSB investigation found that the Control room operators were working 12 shifts for 29 days prior to the accident. The operators faced a cumulative more than 43 hours. Thus, fatigue was a major factor that led to hour sleep debt of the accident. 2. Control room operators deviated from written procedures. The operators felt that if the level of gasoline in the tower was less than prescribed limit, it would lead 52 to increased costs for the furnace. The operators were unaware of the dangers if the level was increased above the standard 6.5 feet. The outflow valve from the tower was kept in manual mode and not the prescribed automatic mode. 3. Poorly designed computer system meant that the operator was not able to find the exact level of gasoline inside the tower. The amount of flow of liquid in and out of tower was also not shown on the control panel. 4. Amoco ensured that there were 2 operators in the control room at all times. The budget reduction policy of BP reduced the number of operators to one. This increased the workload of operator in the control room. 5. Key instructions on sending feed into tower were given over phone and radio. These verbal instructions were often rushed and vague. This meant that the day shift operator did not have reliable information about the startup from the night shift operator. Logbook entries were vague and provided unreliable information. On the day of the accident, the logbook contained the following entry, ―Isom brought in some raff to unit, to pack raff with‖. This meant that communication problems cropped up regularly at the ISOM unit. 6. The day shift supervisor who had the proper training and was aware of the dangers of overfilling the tower arrived one hour late and left at 10.50 p.m. to to a family emergency. No supervisor was assigned to replace him. This was attend a violation of BP’s own policy which states that a supervisor must be present at the control room at all times. CSB Recommendations The CSB made the following recommendations to the BP Texas City Refinery: 1. Evaluate PSM systems using proper parameters. 2. Maintain an open and trusting safety culture. 3. Ensure that work trailers are located as per industry guidelines. 4. Ensure that equipment and procedures are made up to date. 5. Make changes in organizational structure and ensure that budget decisions do not compromise safety. 6. Correct causes of human error like fatigue, improper communication etc. Conclusion 53 The disaster at BP TCR occurred due to a combination of various factors, mainly improper functioning of equipment and improper location of work trailers. The disaster could have been prevented if BP had followed appropriate PSM systems. After the accident, BP followed the recommendations of the CSB and other independent audit agencies to make the TCR a safe place to work. 3.2 ACCIDENTS RELATED TO COMBUSTIBLE DUST EXPLOSIONS Fine dust particles from any solid materials (organic/metals/non-metals) will burn/explode if dispersed in sufficient concentrations. Polishing, grinding, transporting, and shaping many of these materials can produce very small particles, which can become airborne and settle on surfaces of various equipments which when disturbed can generate potentially explosive dust clouds. Even very small amounts of dust particles can be hazardous. The NFPA warns that more than 1/32 of an inch of dust over 5 percent of a room’s surface area presents a significant explosion hazard. 54 A dust explosion requires the following 5 elements for it to burn/explode. They are represented by the Dust Explosion Pentagon below 3.2.1 Dust Explosion at the Imperial Sugar Refinery (14 Killed, 36 Injured) Incident Synopsis On February 7, 2008, at around 7:15 p.m., a series of sugar dust explosions at the Imperial Sugar manufacturing facility in Port Wentworth, Georgia, resulted in 14 worker fatalities. 36 workers were treated for burns and injuries. The explosions and subsequent fires destroyed the sugar packing buildings, and silos, and severely damaged other equipments in the sugar refining process area. The explosions occurred due to the accumulations of sugar dust within an enclosed space which found an unknown ignition source and ignited. This caused a violent explosion causing more dust which had accumulated on other surfaces to disperse and ignite causing extensive property damage to the industry. 55 Sequence of Events The Imperial Sugar facility converts raw cane sugar into granulated sugar. A system of screw and belt conveyors, and bucket elevators transported granulated sugar from the refinery to 3 sugar storage silos. It was then transported through conveyors and bucket elevators to sugar processing areas and sugar packaging machines. Sugar products were packaged in 4 story packing buildings that surrounded the silos The CSB determined that the first dust explosion initiated in the enclosed belt conveyor below the sugar silos. The cover panels on the belt conveyor allowed explosive concentrations of sugar dust to accumulate inside the enclosure. An unknown source ignited the sugar dust, causing a violent explosion. The explosion lofted sugar dust that had accumulated on the floors and elevated horizontal surfaces, propagating more dust explosions through the buildings. Secondary dust explosions occurred throughout the packing buildings, parts of the refinery, and the bulk sugar loading buildings. The pressure waves from the explosions heaved thick concrete floors and collapsed brick walls, blocking stairwell and other exit routes. The resulting fires destroyed the packing buildings, silos and other buildings and equipments of the facility. CSB Findings 1. Sugar conveying equipment was not designed or maintained to minimize the release of sugar and sugar dust into the work area. 2. An overheated bearing in the steel belt conveyor most likely ignited a primary dust explosion. 3. Inadequate housekeeping practices resulted in significant accumulations of combustible granulated and powdered sugar and combustible sugar dust on the floors and elevated surfaces throughout the packing buildings. This dust added fuel to the primary explosion causing a secondary explosion which was believed to be main cause for the 14 fatalities. 4. Imperial Sugar emergency evacuation plans were inadequate. Emergency notifications inside the refinery and packaging buildings were announced only to personnel using 2-way radios and cell phones. Many workers had to rely on face-to-face verbal alerts in the event of an emergency. Also, the company did not conduct emergency evacuation drills. 56 CSB Recommendations The CSB made certain recommendations to certain companies/organizations to prevent any kind of future accidents at this facility or anywhere else. The CSB recommended the following: 1. Recommended the Imperial sugar factory to apply certain standards to the procedure and design at the facility to increase its safety. 2. Recommended the AIB international to incorporate combustible dust hazard awareness into employee and member companies’ training programs, such as the Safety and Health Management Systems training course. 3. Recommended the American Bakers Association to actively promote improvements in combustible dust hazard awareness and control throughout the wholesale baking industry by publishing bulletins or safety guidance that address combustible dust issues. 4. Recommended the Risk Insurance Management Society, Inc to develop and implement combustible dust hazard awareness training for all facility audit personnel, and incorporate combustible dust hazard identification in the audit protocols. 5. Recommended the Zurich Services Corporation to ensure that all risk engineers are trained in the hazards of combustible dust, and that refresher training occurs at regular intervals. 6. Recommended the OSHA to create a comprehensive standard to reduce or eliminate hazards from fire and explosion from combustible powders and dust. 3.2.2 Dust Explosion at West Pharmaceutical Services (6 Killed, 38 Injured) Incident Synopsis On January 29, 2003, a powerful explosion and fire ripped through the West Pharmaceutical Services rubber-manufacturing plant in Kinston, North Carolina, taking the lives of six employees, and injuring 38 others including two fire fighters who responded to the accident. The blast occurred without warning at1:28 p.m. during a routine workday and could be heard 25 miles from the plant. Coated rubber strips which were the part of the manufacturing process were blown dry with fans making the Polyethylene dust become airborne in the process creating a serious hazardous situation. 57 Sequence of Events West Pharmaceutical is one of the world’s largest manufacturers of rubber components for drug vials and syringes, and the Kinston facility was a major employer in North Carolina’s Lenoir County. At the plant, batches of rubber were compounded in mixers, rolled into strips, and then either moulded or shipped off site. To reduce the stickiness of the rubber, the strips were conveyed through a tank containing very fine talc-like polyethylene powder mixed with water. The coated rubber strips were then blown dry with fans. Polyethylene dust became airborne in the process and settled on surfaces around the production area. The company provided supplies for medical use and therefore had cleanliness as a high priority and continuously cleaned dust from visible areas. However the dust travelled upward and settles in area above the ceiling above the production area. These dust particles would be visible only during maintenance was never noticed and gradually build to 1.25 to 1.5 inches on the ceiling tiles, ducts, beams and other surfaces in the vicinity. One of the several possible ignition sources caused the dust particles to catch fire and cause a huge explosion. Extensive damage was caused to the facility which made it impossible to determine the source of ignition. The CSB believed it could be an overheated batch of rubber, an electrical fault, hot lighting ballast, or a spark from an electric motor. The first explosion dispersed other dust accumulations into the air around the production area and ignited them, causing a devastating cascade of fires and explosions. CSB Findings 1. Rubber Process created hidden dangers like that of releasing dust into the surroundings 2. Combustible dust hazards were overlooked by the facility 3. Proper Fire Safety standards were not followed by the facility, the facility had electrical fixtures and wiring in the production area that were only for domestic use and not for use around combustible dust. CSB Recommendations The CSB made certain recommendations to certain companies/organizations to prevent any kind of future accidents at this facility or anywhere else. following: 58 The CSB recommended the 1. The CSB recommended that all West Pharmaceutical facilities handling combustible powders should revise its procedures for reviewing new materials to ensure that hazards are identified, controlled, and communicated to workers. 2. The CSB urged the North Carolina Department of Labor to identify manufacturing industries at risk for dust explosions and develop an educational outreach program on dust hazards. 3. The CSB urged the North Carolina Building Code Council require mandatory compliance with the national fire codes for combustible powders, and institute appropriate training program for state and local code officials 3.2.3 Dust Explosion at the CTA Acoustics, Inc. (7Killed, 37 Injured) Incident Synopsis On February 20, 2003, dust explosion at the CTA Acoustics, Inc. (CTA) facility in Corbin, Kentucky, killed seven and injured 37 workers. This incident caused extensive damage to the production area of the 302,000-square-foot plant. Nearby homes and an elementary school were evacuated, and a 12-mile section of Interstate 75 was closed. The largest CTA customer, Ford Motor Company, temporarily suspended operations at four automobile assembly plants because CTA had produced acoustic insulation products for those plants, as well as for other industrial and automotive clients. It was determined that combustible phenolic resin dust that had accumulated throughout the facility fuelled the explosion. Sequence of Events The 302,000-square-foot CTA facility is located just outside the Corbin city limits in Laurel County, Kentucky. The facility employed 561 full-time personnel at the time of the incident. Operations employees worked rotating 12-hour shifts, while the mechanical department and administrative support staff worked 5-day, 8-hour shifts. The production lines in facility used a process technology that used shoddy cotton and phenolic resin for the manufacture of acoustical and thermal insulation. In the 1990s, fiberglass began replacing the shoddy cotton in CTA insulation products, a changeover that was essentially complete by 2001. This process was carried out on different lines of the facility which were numbered from 401 to 405. It was likely that combustible phenolic resin fueled the fire and resin. Line 405 was operated with the oven doors open due to a malfunction of temperature control equipment. 59 Combustible material in the oven likely caught on fire, and the flames then ignited a combustible dust cloud outside the oven. Improper safety methods lead to the spreading of fire and causing more fire and explosion. CSB Findings 1. Combustible phenolic resin dust fuelled the fire and explosions. 2. Lack of effective firewalls and blast-resistant physical barriers allowed the fire and explosions to spread to nonproduction areas of the facility. 3. CTA management was aware of the explosive potential of combustible dust, but did not implement effective measures to prevent explosions or communicate the explosion hazard to the general work force. 4. Lack of housekeeping on elevated flat surfaces allowed combustible dust to build up to unsafe levels. 5. The Kentucky Office of Occupational Safety and Health conducted comprehensive inspections of the facility in previous years but did not issue citations regarding combustible dust hazards. CSB Recommendations The CSB made certain recommendations to certain companies/organizations to prevent any kind of future accidents at this facility or anywhere else. The CSB recommended the following: 1. Recommended the CTA Acoustics, Inc. to ensure phenolic resin-handling facilities are designed to prevent the spread of fires or explosions involving combustible dust. Options include measures such as the use of firewalls and blast-resistant construction 2. Recommended the Certain Teed Corporation to Ensure that company design standards—applicable to facilities that handle combustible dusts— incorporate good engineering practices to prevent dust explosions 3. Recommended the Borden Chemical, Inc. to communicate the findings and recommendations of this report to your customers that purchase phenolic resin. 4. Recommended the Kentucky Office of Occupational Safety and Health to enhance the training program for compliance officers regarding the recognition and prevention of combustible dust explosion hazards. 60 5. Recommended the FM Global to incorporate the findings and recommendations of this report in your training of employees who conduct inspections at facilities that may handle combustible dusts. 6. Recommended the Kentucky Office of Housing, Buildings, and Construction to identify sites that handle combustible dusts when facilities apply for new or modified construction permits, and use this information to help prioritize establishments that will be inspected by the fire marshal. Conclusion The main factor which caused this explosion was the accumulation of dust on the surfaces of various equipments which added fuel to the already burning fire causing a secondary explosion. This could have been prevented by following proper safety management techniques like housekeeping and other kinds of preventive measures for dust accumulation. Therefore it is up to the management to make sure that they have proper safety measures in place and any kind of small accidents are also taken care of and measures are taken to prevent the smallest of accidents. 61 3.3 ACCIDENTS RELATED TO REACTIVE HAZARDS: DANGERS OF UNCONTROLLED CHEMICAL REACTIONS 3.3.1 Runaway Chemical Reaction and Vapour Cloud Explosion at Synthron, LLC (1Killed, 14 Injured) Incident Synopsis A runaway chemical reaction and subsequent vapor cloud explosion and fires destroyed the Synthron, LLC facility in North Carolina and damaged structures in the nearby community on January 31, 2006. Synthron manufactured a variety of powder coating and paint additives by polymerizing acrylic monomers in a 1,500 gallon reactor. The company had received an order for slightly more of an additive than the normal size. Plant managers scaled up the reaction to produce the required larger amount of polymer, and added all of the additional monomer needed into the reactor altogether. This more than doubled the rate of energy release in the reactor, exceeded the cooling capacity of the reactor condenser and caused a runaway reaction, which formed a vapor cloud. This vapor cloud exploded and destroyed the facility and damaged other sites. The U.S. Chemical Safety Board (CSB) found that the reactor lacked basic safeguards to prevent, detect, and mitigate runaway reactions, and that essential safety management practices were not in place. Sequence of Events A two step process was followed at Synthron to produce paint additives. 1. Operators partially filled the reactor with acrylic monomer and solvent. The reactor would be left undisturbed for several hours for the chemical reaction to take place. 2. Operators would then fill the reactor with the remaining monomer and the product would be formed. 62 Both the steps mentioned above generated heat and an overhead heat exchanger kept the reaction under control. Synthron had received an order to make an additive Modarez MFP-BH with a 12% increase in size with normal additive. Instead of manufacturing the product by producing two smaller batches by the usual two step process, managers decided to manufacture the additive in one step itself to save time and effort. This meant that the monomer contents would be added entirely all at once. On the day of the accident, all of the monomer was added to the reactor in the first step itself. The temperature and pressure inside the reactor rose uncontrolled. The high pressure caused the gasket on the hatch of the reactor to fail releasing highly flammable gas into the facility. Workers heard a loud hissing sound and saw vapor spewing out from the reactor and rushed out of the building. One of the workers attempted to go back and turn on the emergency cooling system but it was too late and a massive explosion occurred. CSB Findings The CSB determined that the key factors leading to this incident included: 1. Ineffective control of product recipe changes. In planning the MFP-BH batch, Synthron managers made several changes that greatly increased the heat released by the reaction in the reactor and the potential for a runaway reaction to occur. These changes were to increase the total amount of monomer in the reactor by 45% and to increase the concentration of monomer by 27%. 2. A lack of hazard recognition. When performing reactive chemistry, companies should maintain a high degree of awareness of the hazards involved. Appropriate means for characterizing industrial chemical reactions include determining the heat generation rate as a function of temperature, and the potential for excessive monomer or initiator accumulation in the reactor. Failure to control these critical characteristics can lead to runaway reactions. 3. A lack of automatic safeguards to prevent or mitigate the effects of loss of control over the reaction. Safeguards that could have prevented or mitigated this incident, but were not installed at Synthron include high pressure alarms to notify operators of problems early in the reaction when action to control the reaction might still have been possible and automatic emergency cooling water flow to the reactor jacket. 4. Inadequate emergency plans drills. At the time of the accident, none of the production employees were evacuated to a safe location. Operating procedure did not specify employees’ 63 actions in the event of a chemical release or loss of reactor control. Employees were not trained on the Emergency Action Plan and evacuation drills were not conducted. CSB Recommendations This incident provides important lessons for manufacturers with operations involving reactive chemistry.CSB recommended that the manufacturers: 1. Identify and characterize reactive hazards to systematically evaluate what can go wrong, including loss of cooling, instrument malfunction, and other credible failure scenarios. 2. Implement, document, and maintain adequate safeguards against the identified failure scenarios. CSB also recommended to Protex International, the owners of the facility to: 1. Train its personnel on reactive hazards, safe operating limits, and the consequences of deviations. 2. Train personnel on emergency evacuation alarms and procedures, and conduct emergency drills. 3. Conduct periodic audits of program implementation to identify and address weaknesses. 3.3.2 BP Amoco Chemical Plant Disaster (3 Killed) Incident Synopsis On March 13, 2001 a vapour cloud explosion rocked the BP Amoco Chemical Plant, a plastics manufacturing unit in Georgia, USA killing 3 maintenance workers. The BP Amoco Chemical Plant manufactured high performance nylon. This accident teaches us that slow chemical reactions that do not produce much heat are dangerous. Sequence of Events Manufacturing high performance nylon involves heating raw material in reactor and using extruder to create solid pellets. During startup operation, unused plastic in the reactor is diverted away from the extruder to a 750 gallon waste tank. The contents of this waste tank are allowed to cool over a period of time and workers then open up the tank to remove this unused plastic. On the day of the accident, during the afternoon startup, a mechanical failure in the extruder meant that more than the usual amount of unused plastic was diverted to the waste tank. However, on the day of the accident this unusually large amount of waste plastic 64 was diverted for a very long period of time. Operators of the plant noticed this mechanical failure late and abandoned startup but by this time waste tank was overflowing with molten plastic. This molten plastic blocked emergency pressure relief lines. As a consequence of this block, it became impossible to determine whether the pressure inside the tank was high or not. Over time, the outside of the waste tank cooled down but inside a 3-5 inches thick hardened plastic layer was formed. The core of this mass of plastic was molten and here gas bubbles were formed due to decomposition reaction which were trapped inside the hardened plastic. This presence of molten liquid was unknown to the operators. Three maintenance workers opened the lid of the tank to clean it. They had removed about half of the screws bolted to the lid when the gas inside the plastic layer burst out creating a pool of molten plastic. The molten plastic severely burnt the three workers leading to their deaths. The explosion caused a leak in the oil piping which ignited 6 minutes later. CSB Findings 1. The CSB investigation determined that top management at BP Amoco was aware of the hazardous reaction chemistry of the polymer but did not pass on this information to plant operators. This lack of communication between the top brass and plant operators is a commonly cited cause of reactive incidents within the CSB data. 2. The BP Amoco incident involved an endothermic (or heat consuming) reaction rather than the more commonly recognized exothermic (or heat producing) runaway chemical reaction. The plant operators were unaware of the hazards of endothermic reactions. CSB Recommendations CSB recommended to BP Amoco Chemical Plant to: 1. Provide plant workers with adequate information about the hazards associated with the chemical processes. 2. Improve communication process between top management and plant operators. 65 3.3.3 MFG Chemical Toxic Chemical Vapour Cloud Release (154 Treated, 5 Hospitalized for Toxic Chemical exposure) Incident Synopsis On April 12, 2004 a runaway chemical reaction during the production of triallylcyanurate at MFG Chemical, Inc. in Dalton, Georgia released highly flammable and toxic allyl alcohol and toxic allyl chloride into the nearby community, forcing the evaluation of about 200 families. One worker received chemical burns and about 154 people, including 15 ambulance and police personnel required treatment for chemical exposure. Incorrect scale up of chemical reaction from to laboratory to production was one of the chief reasons for the release. Sequence of Events MFG Chemical manufactured about 35,000 pounds of plastic additive called trialocyanurate(TAC).In a 30 gallon test reactor, allyl alcohol and cyanuric chloride when required amount of fuel was added. A significant amount of heat was generated in this reaction which was controlled by a water cooling jacket. When MFG Chemical conducted this reaction in a 4000 gallon reactor for production purpose, the heat generated was too high for the cooling jacket to control. Pressure and temperature rose to dangerous levels when the reaction was carried out. A gasket of the reactor blew up releasing highly toxic allyl chloride and highly flammable and highly toxic allyl alcohol to the atmosphere. Ten seconds later, emergency pressure relief rupture disk burst open releasing more of these vapours. These toxic vapours spread into nearby residential neighbourhood leading to evacuation of around a half mile radius of the plant. CSB Findings 1. MFG Chemical did not understand or anticipate the reactive chemistry hazards associated with TAC. They did not conduct a comprehensive literature search of the reactive chemistry hazards involved in TAC production 2. MFG Chemical did not install high temperature or high pressure alarms to alert the operators. 3. MFG Chemical did not use toxic material containment devices, such as an emergency vent vapour collection to control a toxic release. 66 4. Dalton City Police Department procedures did not adequately describe how to protect emergency responders from toxic exposure. CSB Recommendations To MFG Chemical, Inc. the CSB recommended: 1. Develop written procedures that require a comprehensive hazard analysis of new processes, especially those involving reactive chemistry. 2. Provide EPA (U.S. Environment Protection Agency) Risk Management Evaluation and OSHA (Occupational Safety and Health Administration) Safety Management Program Training to personnel. To City Of Dalton the CSB recommended: 1. Establish, equip and train a hazardous materials response team. 2. Revise Fire and Police department procedures and training to clearly define facility and evacuation zone access control responsibilities when hazardous materials are involved in an emergency. 3.3.4 First Chemical Corporation Incident Synopsis Early in the morning of October 13, 2002, a 145-foot-tall chemical distillation tower exploded at the First Chemical Corporation plant in Pascagoula, Mississippi, injuring three workers and hurling large pieces of debris that damaged plant equipment and ignited fires. Sequence of Events Five weeks prior to the accident, the company temporarily shut down the MNT distillation process. During the shutdown, 1,200 gallons of MNT were left inside the tower, which continued to be heated by steam pipes. Later, operators closed the steam supply valves to the MNT tower and shut off the facility steam system. During the days leading up to the explosion, the hot MNT began to decompose, forming unstable chemicals. On October 12, a liquid-level alarm activated from high on the tower, but no action was taken. The following morning, the rumbling began. The tower was used to distil MNT, a material that is chemically related to TNT and it can become explosive when exposed to high temperatures. At about 5:00 a.m. on October 13, plant workers heard a loud rumbling noise and observed a smoky substance venting rapidly from the MNT distillation tower. The concerned workers 67 took shelter inside the control room, but the room was located just 50 feet from the base of the tower. A short time later the tower exploded violently. All three workers in the control room were knocked to the ground and showered with broken glass. The force of the explosion blew off the upper 35 feet of the tower and sent tons of debris flying up to a mile away. One piece of the tower punctured a storage tank approximately 500 feet away that contained more than 100,000 gallons of MNT, igniting a fire that burned for about three hours. Several fires broke out on the plant grounds and along a nearby highway as hot debris rained down. CSB Findings 1. The CSB found that the facility lacked an effective system for evaluating hazards and for sharing safety information between different facility operations 2. The company’s instructions to its employees did not provide effective guidance on how to shut off the steam supply to the MNT distillation tower. 3. The facility did not have adequate safety measures, sometimes referred to as layers of protection, to prevent a major explosion involving MNT. The tower lacked high temperature alarms and interlocks that could have warned operators and automatically shut down the heating source. CSB Recommendations The CSB made certain recommendations to certain companies/organizations to prevent any kind of future accidents at this facility or anywhere else. The CSB recommended the following: 1. The Board recommended that the First Chemical facility establish a program for analyzing the hazards of reactive chemical processes, install appropriate safety equipment and warning systems, revise operating procedures, and improve preventive maintenance programs. 2. The Board recommended that Jackson County officials update their community notification system to ensure that residents are immediately notified of serious accidents and are informed about how to respond. 68 3.3.5 Runaway Reaction Leading to Disaster at Bayer Corp. (2 Killed) Incident Synopsis On 28th August, 2008 at about 10.35 p.m. a massive explosion occurred at the Bayer Corp Science Plant in West Virginia, U.S.A. The explosion startled residents of the nearby neighbourhood and massive evacuations were conducted. Fires raged for over 4 hours and 2 workers were killed. Sequence of Events The Bayer facility in West Virginia manufactured agricultural pesticides and chemicals. The accident occurred in a facility where methomyl and larvin pesticides were produced. During the summer of 2008, the methomyl and larvin units were shut down for maintenance. A steel vessel called a residue treater was replaced during the maintenance. In this vessel, residual methomyl was decomposed at high temperature to produce a solvent which was later used as fuel. This process was a exothermic reaction releasing a large amount of heat. Thus, the conditions inside the reactor had to be controlled carefully to prevent a runaway reaction. Startup operations of the various units were commenced on 23rd August, 2008. Five days later, the residue treater was brought on line. As a safety procedure it had to be pre-filled with clean solvent for the first time to prevent dangerous build up of methomyl during startup. A safety interlock would prevent methomyl from going inside the residue treater if the temperature was too low. Contrary to safety procedure and with managers’ knowledge, operators bypassed the safety interlock password. They did this as they believed that the required temperature would not be reached inside the vessel. On the day of the accident, operators forgot to pre-fill vessel with clean solvent. Methomyl was then introduced into the vessel. As methomyl decomposed, more heat was produced than usual and this rise in temperature exponentially increased rate of decomposition reaction producing more heat in the process. Around 10 p.m. the temperature inside the residue treater had crossed the safety limit but this was not noticed by the operators who were dealing with startup of other units in the facility. By 10.25 p.m. a pressure alarm went off in the residue treater, but the operator mistakenly believed that pressure had increased due to block in the vent pipe, which was not the case. He radioed two outside operators to rectify the problem by setting cooling to full on the control panel located 69 near the vessel. By this time the runaway reaction could not be controlled and at 10.33 p.m., the residue treater exploded causing a massive fire. CSB Findings 1. On the day of the accident, problems with crystallizer had increased the concentration of methomyl leading to more heat generation. 2. Operator mistakenly believed that pressure increased due block in the vent pipe. This incident had occurred several times in the past but no preventive measures were taken. 3. Operators were not provided information about dangers that could arise if safety interlock was bypassed. 4. Bayer did not share information with emergency responders about nature of the blast. This meant that the residents had to be evacuated with a hazardous leakage being the reason. 5. Debris from the blast stuck a container containing MIC (methyl isocyanate), the deadly gas which killed thousands in Bhopal. But fortunately, the gas did not leak. CSB Recommendations The CSB made the following recommendations to Bayer: 1. Review PSM standards in all facilities. 2. Impart proper training to personnel. 3. Store MIC as per industry guidelines and take proper steps to prevent falling debris from damaging container with MIC. 4. Give out proper information about hazard to emergency responders. To the West Virginia Fire and Safety Department: 1. Conduct regular inspections of all facilities in its jurisdiction. 70 3.3.6 Runaway Chemical Reaction at T2 Lab (4 Killed, 32 Injured) Incident Synopsis On 19th December, 2007 a powerful explosion and fire occurred at the T2 Lab in Florida, U.S.A. The accident, which claimed the lives of four people and injured 32 others, was caused by a runaway chemical reaction. Extensive property damage of nearby community was also reported. Sequence of Events The T2 facility manufactured MCMT, a gasoline additive in a 2500 gallon reactor. An operator controlled the manufacturing process in the control room. Liquid chemicals and sodium metal were heated in the reactor and mixed with an agitator. This reaction produced hydrogen gas which was vented to the atmosphere. In normal conditions, when the temperature in the reactor reached 3000F, an operator in the control room would shut off the heating system. The temperature in the reactor would however rise due to the exothermic nature of the reaction. At 3600F, operators would periodically add water to cooling jackets. This water would boil and thus, heat would be removed from the reactor. On the day of the accident, a malfunction in the cooling system occurred. The temperature in the reactor could not be controlled and a runaway reaction occurred. This runaway reaction exponentially increased the temperature and pressure inside the reactor. This was noticed by the control room operator, who informed the owners of the facility. The two owners reached the site immediately. One owner went in search of a mechanic, while the other instructed all employees to stay clear of the reactor, due to the possibility of fire hazard. This owner then went proceeded to the control room. Meanwhile, pressure inside the reactor reached 400 lb/in2. This high pressure boosted the rupture disk and employees heard a sound like a jet engine. This was due to the release of high pressure gas from the reactor. A few seconds later, a massive explosion occurred which damaged buildings as far as 1500 m away. The debris of the reactor rocketed a mile away. The co- owner and operator in the control room died due to the blast. Two operators further away died due to debris falling on them. 71 CSB Findings 1. The CSB determined that incorrect scale up of reaction from laboratory level to production level was the primary reason for the accident. T2 developed the MCMT process using a 1 litre reactor and then scaled up the reactor volume to 2500 gallons. 2. After producing 41 batches of MCMT, T2 increased the batch size volume by 33%. This was done without conducting any laboratory tests. 3. Only simple cooling system like water from city sources was used. No backup cooling system was installed. CSB Recommendations The CSB made the following recommendations to T2 Lab: 1. Develop effective operating procedures and training programs for its employees. 2. Carefully manage any changes in existing processes. 3. Develop proper emergency preparedness techniques like conducting evacuation drills. To AIChE (American Institute of Chemical Engineers), the CSB recommended: 1. Introduce chapter on dangers of improper scale up of chemical reactions in its process safety curriculum. Conclusion The 6 disasters discussed above highlight the dangers of runaway chemical reactions. All the disasters could have been prevented if the personnel were provided proper training on the reactive hazards associated with the chemicals they were dealing with. Another key factor for the prevention of such accidents is the implementation of appropriate PSM systems. 72 3.4. ACCIDENTS RELATED TO EMERGENCY PREPAREDNESS 3.4.1. Fire at Xcel Power Plant (5 Killed, 3 Injured) Incident Synopsis On 2nd October, 2007 5 contract painters died after being trapped by a chemical fire inside Xcel hydroelectric plant in Colorado, U.S.A. The fire occurred due to the use of combustible coatings and solvents. Sequence of Events Xcel Energy’s hydroelectric plant was located in a remote mountainous town in Colorado. A 4000 feet tunnel called a penstock was used to carry water between upper and lower reservoirs in the plant. The penstock was slightly inclined at one end and very steep at the other end. At the lower or less inclined end, water flowed through large turbines to generate electricity. Over the years, the penstock’s inner lining had deteriorated. In 2007, Xcel contracted with RPI, an industrial painting company to recoat a large section near the lower reservoir. Work began in September 2007. The penstock was a difficult place to enter and exit. Before painting began, a door was cut into lower end. On the day of the accident, RPI workers brought 10 gallons of highly flammable methyl ethyl ketone (MEK), to be used as a solvent in the painting operation. The solvent was also used to clean equipment and hoses. After 1 p.m., 11 workers began coating a section of wall more than 1400 feet inside the penstock. To apply the new two part epoxy coating, workers used a specialized sprayer. The workers found that the epoxy was not adhering evenly on the wall of the penstock. One RPI foreman decided to clean and remove the sprayer from the penstock. The workers began cleaning all the equipment and hoses using MEK. Some workers noted strong odour of MEK. This was due to formation of a vapour cloud, which spread throughout the work area. At about 2 p.m., the vapour cloud ignited, most likely due by static electricity from one of the spraying machine hoppers. A flash fire ensued and it spread rapidly, open buckets of MEK placed nearby, acting as fuel. 5 workers were cut off from the exit due to the fire. The remaining workers on the other side ran to the exit to locate fire extinguishers and instructed control room to call emergency 73 responders. The trapped men fled deeper into the penstock to escape the smoke from the fire and called for help using their radios. Workers tried to fight the fire with fire extinguishers but were forced to turn back due to the thick smoke. At 2.11 p.m., local emergency personnel arrived at the site but they could do nothing as they were not trained to conduct a rescue operation in such a hazardous environment. The trapped workers fled even deeper into the tunnel, but were forced to halt when they reached the inclined section of the tunnel, which was too steep to climb. Responders tried to drive into the tunnel in an all terrain vehicle, but the thick smoke again blocked their way. At 3 p.m., emergency responders drove up to the upper reservoir and lowered air bottles and respirators, through a hatch. A specialized rescue team arrived at 3.40 p.m. and were followed by a specialized mine rescue unit half an hour later. The teams prepared for entry but it proved to be too late. The 5 workers had died due to smoke inhalation an hour earlier. CSB Findings The CSB investigation found that the accident highlighted three key safety issues: 1. Lack of regulatory limits to bring flammable material into permit required confined spaces. The CSB found that 53 serious accidents occurred from 1993 with 45 fatalities, due to flammable atmosphere, leading to fire accidents in permit required confined spaces. 2. Xcel’s flawed process of contractor selection. RPI did not have an acceptable safety record even by Xcel’s own standards. Initially, Xcel had selected another contractor, but did not give them the contract due to their higher cost demands. 3. Lack of emergency preparedness. The workers were able to respond 45 minutes after the accident. This time was sufficient enough for a rescue operation to be carried out, had a specialized rescue team were on site. CSB Recommendations To the Colorado State, the CSB recommended: 1. Develop a new fire fighter training certification program for confined space rescue. 2. Develop rules governing selection and disqualification of contractors based on their safety records. 74 3.4.2 Herrig Brothers Propane Tank Explosion Incident Synopsis On April 9, 1998, two volunteer firefighters were killed and seven other people were injured when a glazing 18,000 gallon propane tank exploded at the Herrig Brothers poultry farm in Albert City, Iowa. Sequence of Events The propane tank fire started after two teenagers driving an all-terrain vehicle (ATV) plowed into unprotected propane piping at the farm. This aboveground piping ran from the propane storage tank to vaporizers, which fuelled heaters located in barns and other farm structures. The 42 foot long, cigar-shaped storage tank contained propane liquid and vapour under pressure, and the tank was about half full at the time of the incident. The collision severed one pipe and damaged another, triggering a significant propane leak under the tank. About five minutes later, propane vapour began leaking from the damaged pipes ignited and burst into flames, engulfing the tank and beginning to heat the propane inside. The firefighters decided to let the tank fire burn itself out. Shortly after their arrival, firefighters approached the sides of the flaming tank and began spraying the surrounding buildings to prevent the spread of fire. Just seven minutes later, the burning propane tank ruptured completely, experiencing a Boiling Liquid Expanding Vapour Explosion or BLEVE. The propane tank was blown into at least 36 pieces, some of which flew 100 feet or more. Some of the shrapnel struck firefighters; other pieces smashed into buildings. CSB Findings 1. The CSB found the initial fire likely could have been avoided by protecting the above ground propane piping from a motor vehicle collision. 2. Flawed design of propane system. 3. The CSB determined that better training could have prevented the firefighter deaths and injuries. The firefighters were not prepared for the dangers of a BLEVE, where tank debris can fly in any direction, not just from the ends. CSB Recommendations The CSB made certain recommendations to certain companies/organizations to prevent any kind of future accidents at this facility or anywhere else. following: 75 The CSB recommended the 1. The board recommended the Iowa state fire marshal to ensure full implementation of the National Fire Protection Association’s standard on propane handling and storage. 2. The board recommended the Nation Propane Gas Association to revise its videos, manuals, and other training materials to provide appropriate instruction on responding to potential tank BLEVEs. 3. The board recommended the Herrig brothers farm to install fencing or barriers to protect above the ground propane pipes from vehicular damage. Conclusion The two accidents discussed above reiterate the importance of emergency responders being ready to respond to a disaster. In both the accidents, proper training should have been provided to the workers and emergency responders. The importance of workers being aware of the dangers of the chemicals they deal with is also highlighted. 3.4.3 Vinyl Chloride Explosion and Fire: Formosa Plastics Corp. (5 Killed, 3 Injured) Incident Synopsis On 23rd April, 2004 an explosion occurred and a fire broke out at the Formosa Plastics Corp. facility in Illinois, U.S.A. claiming the lives of 5 workers and severely injuring 3 others. Evacuation of about 150 of the nearby residents took place. This accident shows the importance of handling vinyl chloride safely. Sequence of Events The Formosa facility in Illinois manufactured PVC (Poly Vinyl Chloride), a plastic material used to make credit cards, pipes etc. PVC was manufactured in 24 large vessels cum reactors, arranged in groups of 4. In each vessel, thousands of pounds of highly flammable and toxic vinyl chloride was heated under high temperature and pressure to produce PVC. The vessels were housed in a building comprising of an upper level and a lower level. An operator controlled the process from a panel on upper level. When the process in a reactor was over, the product of the relevant reactor was transferred out. After this, an operator on the upper level would clean the reactor using a high pressure water blaster. The operator would then go to the lower level and open bottom valve and drain valve of the reactor. The water emptied into a drain from the drain valve. 76 On the day of the accident, an operator started cleaning reactor 306. When the cleaning process was completed, he went downstairs but instead of turning left to reach reactor 306, he turned right and began opening reactor 310’s valves. In reactor 310, process of producing PVC was going on. The drain valve opened but reactor bottom valve remained shut. This was due to an interlock which blocked air supply to an actuator. This interlock was designed was a safety measure to prevent accidental release of PVC when the reactor was under pressure. The operator decided to bypass the safety interlock as he believed that there was some problem in the bottom valve. He disconnected the existing air supply hose and connected one with continuous air supply, which was to be used only in the event of an emergency. Highly flammable and toxic vinyl chloride rushed onto the floor. This produced a low rumbling noise, like a jet engine. Workers smelt vinyl chloride gas and an alarm was triggered. The shift supervisor on the lower level rushed to the upper level as he believed he could stop the release. He told operators to open valves to open valves which would relieve the pressure. The supervisor and an operator tried to reach lower level through the stairs but thick vinyl chloride fumes blocked their way. The supervisor decided to use an exterior stairwell while the operator remained on the upper level. Just then, vinyl chloride ignited and exploded. The primary explosion triggered more explosions. Five operators died and 3 others, including the supervisor suffered serious injuries. CSB Findings The accident occurred because an operator opened the wrong valve. But, the CSB investigation revealed that human error was not the only cause, poor operating procedures and antiquated equipment design contributed equally to the accident. 1. Following standard plant design guidelines and standard safety procedures could have minimized the impact of human error. 2. Grouping reactors in similar groups of four increased chances of human error. 3. More safety locks and procedures could have prevented the operator from opening wrong valve. 4. Intercom/radio should have been used among the operators for communicating the status of the different reactor. 5. A 1992 hazard analysis of the plant pointed out that the interlock on the bottom reactor valve could be misused. Additional safeguards were recommended but never adopted. Another hazard analysis in 1999 also highlighted the danger if the bottom valve of a reactor in the process of producing PVC was opened, but it incorrectly 77 concluded that the safety interlock was sufficient to prevent such an event from occurring. 6. Employees lacked adequate training as they should have promptly left the building when the release took place, instead of trying to contain the release. CSB Recommendations The CSB made the following recommendations to Formosa Plastics Corp.: 1. Review design and operation of all PVC producing facilities. 2. Improve chemical process design to minimize consequences of human error. 3. Improve control of safety interlocks. 4. Improve emergency actions including prompt evacuation with periodic drills. Conclusions The accident at the Formosa facility was caused by a worker opening a wrong valve. It is easy to place the entire blame for the accident on human error. The effects of the accident however could have been mitigated by following proper plant design and conducting prompt evacuation. 78 3.4.4 Emergency in Apex: Fire at EQ Hazardous Waste Transport Facility (30 treated for respiratory disorder) Incident Synopsis On 5th October, 2006 a major fire broke out at the EQ (Environmental Quality Company) in Apex, North Carolina, U.S.A. Thousands of residents of the nearby community were evacuated due to thick haze formation. This accident highlights the dangers of improper storage of hazardous materials. Sequence of Events The EQ hazardous waste transport facility stored large quantities of hazardous waste for their treatment and subsequent disposal. Similar quantities of hazardous waste were packed in large containers and were stacked together in different bays. On the day of the accident, one bay stored returns from retail stores like paints, pesticides etc., another stored chemical oxidizers and the remaining bays stored flammable and corrosive chemicals and lab wastes. In the chemical oxidizer bay, a large box containing chemical oxygen generators was placed. The oxygen generators were removed from aircraft routine maintenance systems. Drums of solid chlorine based pool chemicals were stacked on top of the box, containing generators. On the night of the 5th of October, 2006, a resident who was driving by the facility called up emergency responders to report a haze and a strong chlorine smell. The Apex Fire Department sent in teams to investigate the cause. Inside the facility, a fire had started in the oxidizer bay and had spread with the chemical oxygen accelerating the blaze. The fire quickly spread to the other bays, igniting the flammable liquids. Massive fireballs rose several hundred feet into the air alarming the nearby residents. The plant manager was unable to provide information on the different chemicals stored in the facility. The Fire Department, lacking information on the chemicals released ordered a mass evacuation of the town. The Fire Department decided that the best course of action was to let the fire burn itself out. 79 CSB Findings The CSB investigation revealed that: 1. NFPA guidelines state that waste oxygen generators are to be safely discharged of their contents before being transported. This simple action was not followed and it could have reduced the effects of the disaster. 2. EQ had designed curbs to control spills in their storage facility. Firewalls were not installed in the facility. The firewalls could have prevented the fire from spreading to other bays, containing flammable liquids. 3. Only fire protection system in the facility was portable fire extinguishers, which were of no use if the facility was unmanned, as was the case when the accident occurred. 4. Presence of automatic fire detection and suppression systems, alarms etc. could have mitigated the consequences of the accident. 5. The plant manager was unable to provide information on the different chemicals stored in the facility. This was due to the lack of written documentation of the chemicals stored. This meant that emergency responders did not know how to respond to the effects of the accident. CSB Recommendations The CSB made the following recommendations to the NFPA: 1. Develop specific code for hazardous waste facilities for fire prevention, detection, control and suppression. 2. Develop regulation that makes it mandatory for hazardous waste facilities to provide nearby residents and emergency responders with written information on chemicals stored. Conclusions The accident at the EQ facility could have been prevented by installing firewalls to stop the fire from spreading. Presence of automatic fire detection and suppression could have mitigated the consequences of the accident. Lastly, this accident teaches us the importance of local residents being aware of the possible hazards associated with facilities operating in their area. 80 3.5 3.5.1 ACCIDENTS RELATED TO HOT WORK Bethune Point Waste Water Plant Explosion (2 Killed, 1 Seriously Injured) Incident Synopsis On 11th January, 2006 an explosion occurred and a fire broke out at the Bethune Point waste water treatment facility in Daytona Beach, Florida, U.S.A. Two workers were killed and a third seriously injured in the accident. The accident occurred due to the use of a cutting torch above a storage tank containing highly flammable methanol. Sequence of Events The Bethune Point waste water plant was operated by the City of Daytona Beach. The facility treated 13 million gallons of waste water daily. Methanol was used as an additive in this treatment. On the day of the accident, workers were attempting to remove a hurricane damaged steel roof, which covered two storage tanks, one empty and other containing 3000 gallon of methanol. Two workers were on a metal basket operated by a crane. The third worker was controlling the crane. Oxy-acetylene torch was used to cut the roof into small sections. Methanol vapour, which is invisible, vented through the tank into space above the tank. Due to the high temperature during the day, methanol inside tank was at high pressure and came out through a ruptured plastic pipe connected to top of tank and through two level valves located at the bottom of the tank. The vapour ignited due to the sparks from the torch. Flames from the fire burnt the crane operator who died. One of the workers in the metal basket died when he jumped off and the other managed to survive, but had serious burn injuries. An explosion occurred and a fire spread through the facility. CSB Findings 1. A device called flame arrester was present in the tank. This device was designed to prevent outside fire from igniting the methanol tank. The CSB found that the plates of the flame arrester, which were made of aluminium, were badly corroded by methanol. Thus, the flame arrester which could have mitigated the effects of the disaster was damaged. 2. The corroded condition of the flame arrester could have been discovered and replaced if regular inspections were carried out. The CSB found that the City of Daytona Beach was 81 not aware of the need to inspect the flame arrester and had not inspected it for the past 13 years, when it was installed. 3. Piping used was made of PVC, a plastic material which ruptured when pressure inside tank became high. If the pipes were made of steel, the accident could have been avoided. 4. Workers who were removing the steel roof had been trained for only about one hour in the past two years and were unaware of doing hot work near flammable methanol tank. Hot work refers to conducting operations like welding, cutting near flammable materials. The sparks produced during welding, cutting can act as ignition source. CSB Recommendations The CSB made the following recommendations to various agencies: 1. Florida State: Enact legislation to ensure workplace health and safety programs are conducted for public sector employees in the state. 2. City of Daytona Beach: Train and educate workers about hazards related to hot work and conduct regular inspections of its facilities. 3. NFPA (National Fire Protection Agency) and OSHA (Occupational Safety and Health Administration): Restrict use of plastic in piping systems for flammable liquids. 3.5.2 Death in the Oil-Field Partridge Raleigh Incident Incident Synopsis On June 5th,2006 at around 8:30 am , an explosion took place at the Partridge-Raleigh oilfield in Raleigh, Mississippi. This happened when the Stringer’s Oilfield services contract workers were installing a pipe from two production tanks to the third. Welding Sparks ignited a flammable vapours escaping from an open ended pipe about four feet from the contract workers welding activity. The explosion killed 3 workers and seriously injured a fourth one. 82 Sequence of Events On the day of the incident, the welder inserted a lit oxy-acetylene welding torch into the hatch and then into the open nozzle on the opposite side of tank 4 to verify that all flammable vapour was removed from the tank before welding began. The welder was not aware that this act, called ―flashing‖ the tank, was an unsafe practice. Next, one of the workers climbed to the top of tank 4. Two other maintenance workers, climbed on top of tank 3; they then laid a ladder on the tank roof, extending it across the 4 foot space between tank 3 and 4, and held the ladder steady for the welder. The welder attached his safety harness to the top of tank 4 and positioned himself on the ladder. Almost immediately after the welder started welding, flammable hydrocarbon vapour venting from the open-ended pipe that was attached to tank 3 ignited. The fire, which immediately flashed back into tank 3, spread through the overflow connecting pipe from tank 3 to tank 2, causing tank 2 to explode. The lids of both tanks were blown off. The three workers standing atop the tanks were thrown by the force of the explosion and fell to the ground. The welder was also thrown off the ladder, but he was wearing a safety harness that prevented him from falling to the ground. CSB Findings 1. Stringer’s did not require the use of safe hot work procedures such as those found in API 2009, in preparing and conducting the welding operation on the day of the incident. 2. Stringer’s workers did not isolate tanks 2 and 3, which contained flammable vapor, prior to beginning the welding operation. 3. The contractor crew did not use safe work procedures for working on elevated surfaces such as the tanks. CSB Recommendations 83 The CSB made certain recommendations to certain companies/organizations to prevent any kind of future accidents at this facility or anywhere else. The CSB recommended the following: 1. The CSB recommended the Stringer’s Oil Field Services, Inc. to develop and implement written procedures to ensure safe work practices during hot work, tank cleaning, and work allocations. 2. The CSB recommended the Partridge-Raleigh, LLC to establish written health and safety performance standards and performance metrics 3. The CSB recommended the Mississippi State Oil & Gas Board to establish a program to identify and refer to the federal Occupational Safety and Health Administration (OSHA) potentially unsafe health and safety conditions observed during board field inspections of well sites and drilling operations. Conclusions Unsafe work practices used by the contractors in charge of welding were the major reasons behind this accident. The failure of the Partridge-Raleigh to give information to the workers about the presence of flammable materials within one the tanks was also a reason for this accident to occur. 3.5.3 Explosion at DuPont Manufacturing Plant, Buffalo (1 Killed, 1 Injured) Incident Synopsis On 9th November, 2010 a power explosion shook the Dupont Chemical manufacturing plant in Buffalo, U.S.A. A contract worker was performing welding operation on a tank, which unknown to him contained flammable gas. The worker was killed and a foreman was burnt due to the explosion. Sequence of Events The Dupont facility manufactured a polymer called Tedlar, which was used in solar panels. Tedlar is produced when flammable vinyl fluoride gas is converted into slurry of Polyvinyl Fluoride (PVF) in water. The slurry is passed through two separators. Compressors recycled unreacted vinyl fluoride gas. A flash tank released residual vinyl fluoride gas into the atmosphere. The slurry is transferred to one of three insulated holding tanks, usually tank 3. Tanks 1 and 2 were reserved for slurry overflow. Tank 1 normally remained empty. 84 On 22nd October, 2010 the Tedlar manufacturing unit underwent shutdown. Asbestos insulation for tanks 1 and 2 were to be removed. Contactors were engaged to repair the supports. The insulation for tank 2 was replaced during the shutdown. For tank 1, however, delay in sourcing parts meant that its insulation could be replaced when plant operations resumed. On 7th November, 2010 operators locked all 5 valves leading to and fro tank 1 in closed position to stop potential slurry flow. The agitator motor was also locked out. But, the flow of flammable vinyl fluoride gas was not stopped. The operators incorrectly believed that the gas could not reach the slurry tanks in any way. The CSB found that agitator controls for tank 1 was heavily corroded and as a result, vinyl fluoride gas remained in the tank. Thus, flammable vinyl fluoride gas was able to travel from tanks 2 and 3 into tank 1. On the day of the accident, maintenance personnel tested the atmosphere above tanks 1 and 2. No flammable gas was detected and hotwork was scheduled to begin. Around 9 a.m., two workers began hotwork on tank 1. The welder connected his safety harness to tank agitator support and was on top of the lid of tank1. The foreman was supervising the operation and was standing near the lid of tank 1. At 11 a.m., the welder was repairing corroded portions of agitator pipe beams directly above the flammable gas. A hole around the agitator shaft could have provided pathway for ignition. Sparks from the welding provided ignition and a massive explosion occurred. The lid of the tank blew off, killing the welder. CSB Findings 1. Dupont operators should have checked for flammable vapour inside tank 1. Had they done so, they would have discovered dangerous levels of flammable gas and the accident could have been avoided. 2. A 2009 Dupont process hazard analysis wrongly concluded that vinyl fluoride gas could never reach the slurry tanks in dangerous quantities. 3. Prior to the accident, Dupont had installed a liquid trap, which was a device designed to prevent flow of gas from flash tank. However, the CSB investigation revealed that a hole in the liquid trap acted as an additional pathway for the vinyl fluoride gas to flow into the tanks. 4. No formal management of change reviews were conducted as similar accidents had occurred at the facility due to hotwork in the last decade. 85 5. Malfunction in compressor increased concentration of vinyl fluoride in slurry, thereby increasing extent of explosion. CSB Recommendations The CSB made the following recommendations to Dupont: 1. Conduct atmospheric monitoring tests inside tanks before and during hotwork. 2. Require all process piping including venting on tanks to be positively isolated before conducting any hotwork. 3. Use non spark creating process wherever possible. 4. Provide proper training to its employees. 3.6 ACCIDENT RELATED TO DANGERS OF FLAMMABLE GAS ACCUMULATION: Explosion at Asco Plant (3 Killed, 1 injured) Incident Synopsis On 25th January, 2005 an explosion took place in the ASCO (Acetylene Services Company) in New Jersey, U.S.A. Three workers were killed and a fourth was injured. The explosion occurred due to acetylene gas accumulation. Sequence of Events The ASCO plant produced acetylene from the reaction of calcium carbide with water in a reactor called acetylene generator. Water was fed to the reactor from city sources or recycled water. Water pressure in the piping was normally sufficient to prevent acetylene from flowing backwards. A device called check valve ensured that backflow of acetylene did not occur. In normal operation, water flowed from the check valve to the acetylene generator. A plug in the check valve was designed to block flow of acetylene gas if backflow occurred. Recycled water was stored in several large outdoor tanks connected by wooden panels, thereby forming a shed. A drain valve on the recycled water line drained into the ground inside the shed. On the night of 24th January, 2005, the drain valve was left open to prevent the water line from freezing due to the low temperatures in the region. The next day, city water was used 86 initially as reactor feed. Operators then closed this valve and opened the recycled water valve but for some strange reason did not switch on the recycled water supply. During this time, backflow of acetylene gas occurred. The check valve did not function properly and backflow occurred. Acetylene gas then flowed through the check valve, into the recycled water line and came out through the drain valve into the wooden shed. A propane space heater was located inside the wooden shed. The hot surface of the heater acted as the ignition source when the concentration of the gas increased inside the shed. A massive explosion resulted which flattened the water tanks and created a blast wave. Three workers who were shovelling snow near the shed died and a fourth worker was injured due to the blast wave. CSB Findings 1. The CSB determined that the check valve did not function properly because its design was faulty and the plug designed to stop backflow was misaligned. This allowed acetylene gas to flow back into the recycled water line. 2. The CSB investigation revealed that the ASCO facility did not follow written procedures. If operators were provided with checklists, they would not have forgotten to switch on the recycled water supply. 3. The acetylene gas in the accident vented out into the wooden shed which had potential ignition source. OSHA guidelines state that vessels and pipes with acetylene should be vented only to safe locations. CSB Recommendations The CSB made the following recommendations to ASCO and other acetylene manufacturing companies: 1. Ensure that the latest safety procedures are followed. 2. Select appropriate check valve and conduct periodic inspections of the check valve. 3. Implement effective PSM programs i.e. provide operators with checklists. Conclusions The explosion at the ASCO plant could have been prevented by following standard safety procedures. The accident would not have occurred, had proper PSM programs been implemented. The importance of conducting periodic inspections of equipment used is also highlighted. 87 3.7 ACCIDENT RELATED TO VEHICLE IMPACT HAZARDS: Fire and Explosion at Formosa Plastics Corp. (2 injured) Incident Synopsis On 6th October, 2005 an occurred at the Formosa Plastics facility at Point Comfort, Texas, U.S.A. causing a fire to break out which triggered explosions across the plant. The accident was caused when a vehicle struck a valve containing liquid propylene. This seemingly harmless error destroyed the facility and burnt two workers. Sequence of Events The Formosa’s Point Comfort facility was the company’s largest facility and manufactured plastic products. The accident took place in a unit called ―Olefins-2‖, which used furnaces to convert natural gases like naphtha into liquids like propylene and ethylene. This unit contained thousands of pipes and stored several flammable liquids and gases in vessels. On the day of the accident, a forklift was towing a trailer containing air cylinders, which were to be used in plant maintenance. The driver of the vehicle reversed the forklift and the trailer into an opening supporting a pipe rack. When the vehicle was being reversed, the right front corner of the trailer struck a valve protruding from a strainer with piping system, containing highly flammable liquid propylene. The valve was torn off from the strainer and propylene began rushing out forming a large pool of liquid. A vapour cloud was also formed, which spread over a large section of the plant. An operator heard the release, took stock of the situation and informed the control room. Operators in the control room began shutting down other operations. They vented flammable gas from pipes and equipment into a flare system where they could be safely burnt. Workers tried to shut down a manual valve to prevent more propylene from escaping but were unable to do so due to the thick vapour cloud. The vapour cloud ignited a few moments later and a massive vapour was produced which spread across the facility rapidly. The fire destroyed one side of a structure which contained pipes taking flammable gases to the flare. If the flammable gases had reached the flare, the effects of the disaster could have been reduced. About 7 million gallons of water were used by the fire department to control the fire. CSB Findings 88 1. Formosa did not have any plans in place to respond to accidental release of hazardous chemicals. The CSB observed that had automatic isolation valves been installed at strategic locations, the effects of the disaster could have been mitigated. 2. The facility did not a plan to protect vulnerable equipment from damage by vehicle impact. Concrete posts should have been installed to protect protruding pipes and valves. 3. Some steel beams at the facility were fireproofed and they survived the fire. The pipes were not fireproofed and they were destroyed in the fire. 4. Workers at the facility were not provided with any kind of protective clothing. If protective clothing was used by the workers, human casualties would not have occurred. CSB Recommendations The CSB made the following recommendations to Formosa Plastics Corp.: 1. Revise policies and procedures for analyzing hazards. Hazard analyses must consider: 1. Vehicle impact damage. 2. Fireproofing of pipes. 3. Mechanisms to control hazardous material releases. 2. Ensure that workers wear flame resistant clothing in units that are at risk from flash fires. To CCPS (Centre for Chemical Process Safety), the CSB recommended: 1. Strengthen hazard evaluation guidelines to include vehicle impact hazards and isolation of equipment during emergencies. Conclusions The accident at the Formosa plant was caused by a relatively harmless incident, a vehicle striking a valve. The consequences however were severe. This accident teaches a key lesson to the chemical process industry on the importance of including vehicle impact hazards in their hazard analyses, a component which is often overlooked. This accident also strengthens the case for the installation of mechanisms to control releases of hazardous chemicals. 89 3.8 STATIC SPARKS AT BARTON FACILITY Incident Synopsis On July 17, 2007, at about 9 a.m., a fire and series of explosions occurred at the Barton Solvents Wichita facility in Valley center, Kansas distribution facility. Eleven residents and one firefighter received medical treatment. The incident happened due to the accumulation of static sparks which ignited the flammable solvents. The Barton facility was a wholesale distributer of industrial chemical and solvents. The facility consisted of large number of tanks in which large quantities of flammable liquid was stored. Sequence of Events On the day of the accident, a static spark ignited inside the tank containing flammable liquid during the transfer of flammable solvent from a lorry to the tank. The initial fire started in the packaging area while a 300-gallon portable steel tank was being filled with ethyl acetate, a flammable solvent. An operator placed the fill nozzle in the fill opening on top of the tank and suspended a steel weight on the nozzle to keep it in place. After opening the valve to begin the filling process. As the tank was filling, the operator heard a ―popping‖ sound and turned to see the tank engulfed in flames and the fill nozzle laying on the floor discharging ethyl acetate. The fire spread rapidly to the wood-framed warehouse, igniting a large volume of flammable and combustible liquids. A large plume of smoke and rocketing barrels and debris triggered an evacuation of the businesses surrounding the facility. CSB Findings 1. The tank contained an ignitable vapour-air mixture in its head space 2. Stop-start filling, air in the transfer piping, and sediment and water caused a rapid static charge accumulation inside the VM&P naphtha tank. 3. The tank had a liquid level gauging system float with a loose linkage that likely separated and created a spark during filling. 4. The MSDS for the VM&P naphtha involved in this incident did not adequately communicate the explosive hazard. 90 CSB Recommendations The CSB made certain recommendations to certain companies/organizations to prevent any kind of future accidents at this facility or anywhere else. The CSB recommended the following: 1. Recommended OSHA to evaluate flammable liquids to determine their potential to accumulate static electricity and form ignitable vapour-air mixtures within the storage tanks. 2. Recommended ANSI to provide conductivity testing data for materials that are static accumulators and that may from ignitable vapour-air mixtures within the storage tank. 3. Recommended the Barton facility to use anti-static or purging agents to prevent the storage on static electricity within the tank and also make sure that the grounding is done properly. CSB also recommended the facility to reduce the pumping flow rate because it decreases the potential for a static ignition. Conclusions The causes due to this explosion were mainly due to lack of proper safety methods to prevent the accumulation of static charge within the storage tank allowing an ignition to take place. Lack of anti static agents or other methods to prevent the accumulation and also the use of a risky metal piece as the level detector were all causes for this explosion. Also the position of one tank very close to another caused a cascading kind of effect, spreading fire to all the tanks and causing a large number of explosions. The company didn’t have enough safety practices in place to prevent such an accident. 91 3.9 NITROGEN ASPHYXIATION HAZARDS: VALERO REFINERY TRAGEDY (2 Killed) Incident Synopsis On 5th November, 2005 two workers died at the Valero refinery, Delaware, U.S.A. This accident highlights the hazards associated with nitrogen asphyxiation. Sequence of Events The Valero refinery at Delaware processes 180,000 barrels of crude oil daily. Nitrogen is used to remove flammable oxygen from pipes and other equipment. At the time of the accident, the facility’s reactor R1 was shut down for maintenance. A large pipe elbow was removed creating an opening surrounded by large steel bolts on a platform in the reactor. The opening was covered with plywood. Nitrogen flowed into the reactor and exited through the opening. On 5th November, 2005 maintenance workers had arrived to reinstall the pipe elbow. Two workers removed plywood from the opening and cleaned the edge around the opening. They noticed that a roll of duct pipe was lying inside the reactor, at a depth of around 5 feet. The installation of the pipe elbow had to be suspended till the tape was removed, as Valero’s cleanliness policy had to be observed. The process of removing the roll of duct tape from the reactor entailed presence of special crew and other formalities. This process would take several hours and the two workers decided to remove the tape themselves. One worker tried to hook the roll with a long, flexible wire but was unsuccessful. He then sat on a ledge in the opening to remove the tape. The CSB came up with two scenarios that describe what happened next. In scenario 1, the worker intentionally lowered himself into the reactor to remove the tape and then lost consciousness due to oxygen deprivation. In scenario 2, the worker fell into the reactor accidently while attempting to remove the tape, and then lost consciousness due to oxygen deprivation. A foreman and the other worker try to help the collapsed worker. The foreman lowered a ladder into the reactor and went inside the reactor. He also lost consciousness due to lack of oxygen and collapsed. Company emergency responders arrive at the scene and see the two workers lie motionless inside the reactor. A hand held meter is thrust into the reactor. It showed oxygen content to be less than 1%, an extremely low concentration. Wearing supplied air breathing equipment, one responder entered the reactor and using a rescue hoist, the two workers are 92 removed from the reactor. The time elapsed between collapse of first worker and rescue of the workers was 10 minutes. Attempts to revive the men were unsuccessful. CSB Findings 1. The CSB conducted tests which revealed that a person needs at least 19% oxygen concentration in air to breathe without discomfort. The natural atmosphere contains 21% oxygen concentration. The atmosphere inside the reactor had oxygen concentration less than 1%, a drastic reduction from the required concentration. In the absence of oxygen, blood lacking required amount of oxygen goes to the brain, which affects ones’ judgement and co-ordination. This condition is called oxygen deprivation. 2. The CSB investigation revealed that industry safety guidelines, Valero safety procedures and OSHA standards do not adequately warn of the hazards associated with oxygen deprivation. 3. The opening had a warning sign which read, ―Confined Space. Do not enter without permit.‖ However there was no warning given to the workers about the presence of nitrogen, which being an odourless and colourless gas could not be recognized by the workers. 4. Lack of proper training as the second worker went into the reactor to save his colleague but fell victim himself. Standard confined space entry procedures were not followed by the second worker. CSB Recommendations The CSB recommended that: 1. For work to be done around confined areas, proper training and awareness of the dangers of oxygen deprivation should be given to the workers. 2. CSB recommends the following information to be given to the workers: 1. Nitrogen inhalation rapidly overcomes victim. 2. Any worker attempting rescue must strictly follow standard confined space entry procedures to avoid further loss of life. 3. Use warning signs and barricades around confined spaces which give adequate information about oxygen deprivation. 93 Conclusions The Valero refinery disaster highlights the importance of workers being aware of the potential hazards of working in confined spaces. The dangers of nitrogen asphyxiation are reiterated. Lastly, this accident is an important lesson to chemical process industry on following standard emergency rescue procedures. 3.10 FIRE FROM ICE: PROPANE EXPLOSION AT VALERO REFINERY Incident Synopsis On Feb 15th, 2007, a fire broke out at the propane deasphalting unit at the Valero Refinery, Texas. 3 suffered serious burns, 11 suffered minor injuries. Rapidly moving fire caused the swift evacuation of the entire refinery. The fire caused extensive equipment damage and losses exceeded 50 million dollars. Sequence of Events The propane deasphalting unit used high pressure liquid propane to separate asphalt and gas oil from a petroleum mixture known as pitch. Propane flowed via a vertical pipe and into an extraction tower. Propane also flowed through a second control station and then went to the same extraction tower. In 1990, the second process was stopped using several valves. One of the valves that were used to close the second process was stuck with a metal piece therefore not closing fully allowing some propane to pass through, some water had collected above the propane, the water being heavier than propane went through propane and got stored in the pipe. On Feb 15th temp reached 6 degrees, and the pipe containing the water froze a started forming cracks. After sometime the same day, when the tem rose to some higher temperature, the frozen water at that temp gave way and then high pressure propane gas which was used started flowing out of the cracks. The initial flow rate of propane was estimated to be 4500 pounds/min, and started forming a vapour cloud, and wind pushed the vapour cloud to more distance, this got ignited after some distance and moved its way back to the same tower, this fire then spread to a second jet of fire in the tower , the tower collapsed after sometime due to the intense heat . CSB Findings 94 1. Dead leg must have been removed when it was no longer required or the pipe elbow should have been closed properly using a blind, a metal plate inserted into the pipe flange. 2. Freeze protection could have prevented water filled elbow from fracturing during cold weather. 3. One tone Cl2 containers used to kill bacteria were located only a 100ft from the POA unit. The fire led to the Cl2 gas being released and could have harmed personnel if they were not evacuated immediately 4. Spherical tanks containing LPG were located close to unit. If wind direction had changed, one of the tanks could have failed releasing 151,000 gallons of LPG. CSB Recommendations The CSB made certain recommendations to certain companies/organizations to prevent any kind of future accidents at this facility or anywhere else. The CSB recommended the following: 1. The CSB recommended the API to Develop a new standard procedure for refinery freeze protection which must include setting up a written freeze protection program and a periodic inspection of dead legs and infrequently used equipments. Use remotely operated shutoff valves to prevent jet fires Use more extensive fire proofing of structure and support steel near refinery process units Revise guidelines for LPG facility to ensure deluge systems can be activated during emergency 2. The CSB recommended the Valero Energy Corporation to replace Cl2 with safer biocides for cooling water. Conclusions The release of propane into the atmosphere was more due to the lack of safety management by the company, removal of dead leg when not in use could have prevented this kind of accident which caused large amounts of damage to the facility. Lack of proper emergency methods also led to the spreading of fire to various other parts of the facility. 95 3.11 ETHYLENE OXIDE EXPLOSION AT STERIGENICS INTERNATIONAL (4 Injured) Incident Synopsis On 19th August, 2004 a massive explosion occurred at the Sterigenics International facility in Ontario, California, U.S.A. Four workers were injured and extensive damage to the plant resulted. The accident was caused when ethylene oxide, a highly toxic and flammable gas was ignited. Sequence of Events The Sterigenics facility sterilised medical materials like syringes. The medical materials were loaded into 8 sterilisation chambers, which were controlled by operators in a control room. The chamber door was closed and ethylene oxide gas was passed. The gas penetrated into the materials over a period of few hours. After the sterilisation process, the ethylene oxide gas was removed in two steps. In the first step, half the gas was moved to a scrubber which removed the gas by adding some chemicals. The second step, called gas washing involved removing the remaining ethylene oxide gas. In this step, air and nitrogen were introduced into the chamber, where they mixed with ethylene oxide gas. This mixture was then sent to the scrubber. This process was repeated till the amount of ethylene oxide inside was below explosive levels. A trace amount of ethylene oxide remains in the chamber. This amount of ethylene oxide though small was toxic and was removed by ventilating the chamber. The front door of the chamber was raised by a few inches. This operation led to opening of vent in the rear of the chamber. Air was drawn through the chamber to another pollution control device, a catalytic oxidiser. Here, it was heated as it passed over open flames to remove all traces of ethylene oxide gas. On the day of the accident, operators in the control room were alerted to a problem regarding the amount of ethylene oxide injected into chamber no.7. Operators stopped the sterilisation process and begin steps to remove the gas. Operators then, removed the materials from the chamber. Maintenance personnel were called in, but no problems were found. A test cycle was run by injecting 120 lb of ethylene oxide in the empty chamber. Technicians asked supervisor’s permission to bypass gas washing step to save time. Permission was granted based on the incorrect belief that gas washing step was unnecessary 96 as ethylene oxide gas was not absorbed by the materials and would be removed by the scrubber entirely. The supervisor provided the technicians with a special password to bypass gas washing step. However, the CSB determined that at this time about 60 lb of ethylene oxide gas remained in the chamber. When the chamber door was raised, ventilation procedures were initiated. A large amount of ethylene oxide gas was ignited by the flames from the catalytic oxidiser, causing a powerful explosion. CSB Findings 1. The CSB found that a gas monitoring system was not installed inside the chamber. This could have given information about the correct concentration of ethylene oxide gas in the chamber, thereby preventing the accident. 2. Maintenance technicians were last trained about the need for gas washes in 1997. The maintenance supervisor was hired after 1997 and was thus, unaware of the dangers of skipping this step. 3. All injuries occurred due to the glass shattering in the control room. 4. Sterigenics did not thoroughly evaluate oxidiser explosion hazard. CSB Recommendations The CSB made the following recommendations to Sterigenics International: 1. Additional safeguards like gas monitoring systems, alarms to be installed. 2. Improve employee training and hazard analysis programs. Conclusion The accident at Sterigenics International was caused primarily due to lack of training to the workers on the dangers of ethylene oxide. The accident highlights the importance of following standard procedures in chemical process industries. 97 3.12 BLAST WAVE AT DANVERS: EXPLOSION AT CAI INK FACILITY (10 Injured) Incident Synopsis At 2.46 a.m., on 22nd November 2006, a massive explosion occurred at the CAI manufacturing facility in Massachusetts, U.S.A. Local newspapers described the accident as a miracle as no fatalities occurred. Several buildings in the neighbouring locality were damaged beyond repair. The cause for the accident was the accidental release of ink solvents at the facility. Sequence of Events The CAI facility manufactured ink and paint products. Significant quantities of flammable liquids, nitrocellulose resins etc. were stored in the facility. The CAI produced chemical base for inks in large unsealed tanks, adding dry materials to solvents that was mixed by large agitator blades and heated with steam. To prevent accumulation of dangerous flammable vapour, the production area was ventilated with fresh air, which entered from a ceiling duct and flowed out through four exhaust fans. At night, these exhaust fans were switched off to reduce heat and in response to complaints of noise from the residents of nearby locality. At 1 p.m., on 21st November, 2006 CAI employees began mixing 2000 gallons of ink base in tank no.3. At 3 p.m, the production supervisor opened steam valve and intended to return to close it when temperature inside tank was between 900-1200 F. He then left to help load and unload raw material. At 5 p.m., the temperature of tank was 900F. The production supervisor believed he turned off steam valve and left around 5.30 p.m. At 6 p.m., the last remaining worker turned off fresh air supply and the exhaust fans. The CSB investigation determined that most likely, the production supervisor forgot to turn off the steam valve. In the now empty building, temperature inside the tank continued to rise as about 10,000 lb of liquid was heated and mixed for the next 8 hours and 45 minutes. The prolonged heating caused the highly flammable mixture of propyl alcohol and heptane vapours to be released from the unsealed tank. Heating fans which were switched on, helped disperse the vapour and it remained concentrated inside the building. At 2.46 a.m., the vapour reached an ignition source, possibly an automatic heater switch and exploded. The explosion created a blast wave that spread throughout the neighbourhood. Residents woke up to find shattered glass and damaged ceilings in their homes. 98 CSB Findings 1. The CSB investigation revealed that lack of alarms or other automation systems magnified the human error. 2. The switching off of the exhaust fans ensured the concentration of flammable vapour inside the building. If continuous ventilation was present, the effects of the disaster could have been mitigated. 3. OSHA regulations state that companies storing flammable materials must conduct regular hazard analyses of their facilities. The CSB investigation found that this was not the case at CAI. CSB Recommendations The CSB made the following recommendations to CAI: 1. Conduct regular inspections of its facilities. Last inspection of the facility carried out in 2002, focussed on fire suppression system and did not point out code violations with regard to flammable material storage and handling. 2. Use automatic temperature controls to prevent overheating of tanks. To the NFPA and ICC (International Code Council), the CSB recommended: 1. Prohibit heating of flammable liquids in indoor tanks that are unsealed and do not vent to the outside. Conclusions The explosion at CAI ink facility was caused by a combination of various factors: human error, violation of OSHA regulations and concentration of the flammable gas inside the building. The accident could have been prevented by using automatic alarms and conducting regular inspections. 99 3.13 PROPANE EXPLOSION AT LITTLE GENERAL (4 Killed, 6 Injured) Incident Synopsis On January 30, 2007, a propane explosion at the Little General Store in Ghent, West Virginia, killed two emergency responders and two propane service technicians, and injured six others. The explosion levelled the store, destroyed a responding ambulance, and damaged other nearby vehicles. Sequence of Events On January 30, 2007, a junior propane service technician employed by Appalachian Heating was preparing to transfer liquid propane from an existing tank, owned by Ferrell gas, to a newly installed replacement tank. The existing tank was installed in 1994 directly next to the store’s exterior back wall in violation of West Virginia and U.S. Occupational Safety and Health Administration regulations. When the technician removed a plug from the existing tank’s liquid withdrawal valve, liquid propane unexpectedly released. For guidance, he called his supervisor, a lead technician, who was offsite delivering propane. During this time propane continued releasing, forming a vapour cloud behind the store. The tank’s placement next to the exterior wall and beneath the open roof overhang provided a direct path for the propane to enter the store. About 15 minutes after the release began, the junior technician called 911. A captain from the Ghent Volunteer Fire Department subsequently arrived and ordered the business to close. Little General employees closed the store but remained inside. Additional emergency responders and the lead technician also arrived at the scene. Minutes after the emergency responders and lead technician arrived, the propane inside the building ignited. The resulting explosion killed the propane service technicians and two emergency responders who were near the tank. CSB Findings 1. The propane service technicians, emergency responders, and store employees did not evacuate the area as recommended by nationally accepted guidance for propane emergencies. 2. A defect in the existing tank’s liquid withdrawal valve caused it to malfunction and remain in an open Position 3. The placement of the 500-gallon propane tank against the building’s exterior back wall provided releasing propane a direct path into the store’s interior. 100 4. The junior propane service technician who was servicing the tank on the day of the incident had no formal training and did not recognize the defect in the withdrawal valve. He was also working unsupervised, even though he had been on the job for only one and a half months. 5. Propane safety and emergency training is voluntary for fire department personnel in West Virginia. None of the responders from the Ghent Volunteer Fire Department had specific propane emergency training. CSB Recommendations The CSB made certain recommendations to certain companies/organizations to prevent any kind of future accidents at this facility or anywhere else. The CSB recommended the following: 1. The CSB recommended the Governor and Legislature of the State of West Virginia Require training and qualification of individuals who operate bulk propane plants, dispense and deliver propane, install and service propane systems, and install propane appliances. 2. The CSB recommended the West Virginia Fire Commission Revise the Fire Commission rules and codes to require annual hazardous materials response refresher training for all firefighters in West Virginia. 3. The CSB recommended the National Propane Gas Association to submit a request to the United States Occupational Safety and Health Administration for a letter of interpretation to determine if the Certified Employee Training Program curriculum meets the training requirements 4. The CSB recommended the Association of Public-Safety Communications Officials to develop a guide card for propane emergencies to assist 911 operators in the collection of pertinent information on propane emergencies 5. The CSB recommended the West Virginia Office of Emergency Medical Services Revise the Office of Emergency Medical Services rules and codes to require annual hazardous materials response refresher training for all emergency medical personnel in West Virginia. Conclusion Not following the proper practices coupled with the lack of training of personnel by the propane service company was the primary reason behind this accident. Lack of training of the fire service personnel in case of propane gas emergency cases also cost precious time which eventually led to the death of 4 people. The absence of quick evacuation of the area was also a major factor which led to casualties after the explosion took place. 101 3.14 PHOSGENE RELEASE AT E.I. DUPONT DE NEMOURS & CO., INC. BELLE, WEST VIRGINIA (1 Confirmed exposure, 1 possible exposure) Incident Synopsis On 23rd January, 2010 a phosgene release occurred when a hose used to transfer phosgene from a 1-ton cylinder to a process catastrophically failed and sprayed a worker in the face while he was checking the weight of the cylinder. The employee, who was alone when exposed, was assisted by co-workers who immediately responded to his call for help Initial assessments by the plant’s occupational health nurse indicated that the worker showed no symptoms of exposure prior to transport to the hospital for observation and treatment. A delayed onset of symptoms, consistent with information in phosgene exposure literature, occurred after he arrived at the hospital. His condition deteriorated over the next day and he died from his exposure the next night. Sequence of Events The incident occurred on January 23, 2010, between 1:45 and 2:00 p.m. A stainless steel braided transfer hose connected to a partially filled, but not in service 1-ton phosgene cylinder failed catastrophically in the SLM unit phosgene shed. This incident occurred in the phosgene shed. When the release occurred, an operator was in the phosgene shed inspecting the status of the phosgene cylinder as he anticipated that the active cylinder was nearly empty and would need to be switched. He was sprayed across the chest and face with liquid phosgene remaining in the riverside hose from a previous transfer operation. The worker was immediately given medical assistance and admitted to the hospital but died 4 hours later due to the lethal dose of phosgene that he received. CSB Findings 1. An out-of-service phosgene transfer hose failed, exposing a worker to a lethal dose of phosgene. 2. DuPont did not follow its own standards for the change-out of phosgene transfer hoses. 3. A similar hose failure almost occurred a few hours before the exposure of the worker; however, this near-miss did not prompt an investigation when operators observed the near failure of the hose on the morning of the fatal release. 102 4. Emergency responders did not receive timely and detailed information on how to adequately prepare to respond to the incident. 5. No audible or visual phosgene alarm indication in or around the phosgene shed. CSB Recommendations The CSB made certain recommendations to certain companies/organizations to prevent any kind of future accidents at this facility or anywhere else. The CSB recommended the following: 1. The CSB recommended the Occupational Safety and Health Administration (OSHA) to take sustained measures to minimize the exposure of hazards to workers handling highly toxic gases from cylinders and associated regulators, gages, hoses, and appliances. 2. The CSB recommended the DuPont Belle Plant to Revise the facility emergency response protocol to require that a responsible and accountable DuPont employee always be available (all shifts, all days) to provide timely and accurate information to the Kanawha County Emergency Ambulance Authority (KCEAA) 3. The CSB recommended the American Chemistry Council Phosgene Panel to Revise the Phosgene Safe Practice Guidelines Manual to • Advise against the use of hoses for phosgene transfers that are constructed of permeable cores and materials subject to chlorides corrosion. • Include guidance for the immediate reporting and prompt investigation of all potential (near-miss) phosgene releases. 4. The CSB recommended the Compressed Gas Association, Inc. to Revise, Safe Handling of Compressed Gases in Containers, to include specific requirements for storing and handling highly toxic compressed gas, including enclosure ventilation and alarm requirements Conclusion The phosgene release was one which could have been easily avoided if the company had taken precautions and safety measures when there was a similar phosgene leak a few hours before the one that killed a person. The leak could have been prevented had the company accepted one of the suggestions made during an audit about the material of the hose being used in the transfer of phosgene and made the necessary changes to the same. 4. OVERALL CONCLUSION 103 The majority of the accidents that happened had the same basic reasons due to which the accidents took place. Poor housekeeping methods by the company led to major disasters in many companies. Giving priority to production and profit over importance of chemical process safety by the top level management of the company was common in most of the companies. Improper training methods or lack of training were also reasons for some of the accidents which happened due to simple reasons and could have been avoided. Bypassing of standardized procedures or not following the standard instructions for a particular process led to these incidents which caused huge human as well as property damage. Lack of immediate rescue personnel and also lack of training of the rescue personnel about different possible accidents led to major damage in some industries which could have been minimized had the rescue personnel been trained about different possible incidents that could occur. All of these accidents could have been prevented or atleast the damage could have been minimized if the company had followed some of the standard procedures or rules established by some organizations incharge of putting forward standard rules and regulations. The damage could have been minimized if the companies had given more preference to chemical process safety than just production or profit. 104 5. BIBLIOGRAPHY 1. CSB official website: www.csb.gov 2. Wikipedia: www.wikipedia.org 3. Guidelines for Hazard Evaluation Procedures (3rd Edition), published by Centre for Chemical Process Safety (CCPS) 4. Guidelines for Chemical Process Quantitative Risk Analysis (2nd Edition), published by Centre for Chemical Process Safety (CCPS) 5. U.S. Chemical Safety Board investigation report: Refinery Explosion and Fire at BP Texas, submitted on March 2007 6. U.S. Chemical Safety Board investigation report: Sugar Dust Explosion and Fire at Imperial Sugar Company Georgia, submitted on September 2009 7. U.S. Chemical Safety Board investigation report: Dust Explosion at West Pharmaceutical Services, submitted on September 2004 8. U.S. Chemical Safety Board investigation report: Combustible Dust Fire and Explosions at CTA Acoustics, Inc. at Kentucky, submitted on February 2005 9. U.S. Chemical Safety Board case study: Runaway Chemical Reaction and Vapour Cloud Explosion at Synthron, LLC North Carolina, published on July 31, 2007 10. U.S. Chemical Safety Board investigation report: Thermal Decomposition Incident at BP Amoco Polymers, Inc. Georgia, submitted on June 2002 11. U.S. Chemical Safety Board investigation report: Toxic Chemical Vapour Cloud Release at MFG, Chemical Inc. Georgia, submitted on April 2006 12. U.S. Chemical Safety Board investigation report: Explosion and Fire at First Chemical Corporation, Mississippi, submitted on October 2003 13. U.S. Chemical Safety Board safety video: Bayer Corp disaster 14. U.S. Chemical Safety Board investigation report: T2 Laboratories, Inc. Runaway Reaction at T2 Laboratories Inc. , submitted on September 2009 15. U.S. Chemical Safety Board safety video: Xcel Power Plant disaster 16. U.S. Chemical Safety Board investigation report: Propane Tank Explosion at Herrig Brothers facility, Iowa that occurred on 9th April 1998 17. U.S. Chemical Safety Board investigation report: Methanol Tank Explosion and Fire at Bethune Point Wastewater treatment plant, Florida submitted on March 2007 18. U.S. Chemical Safety Board safety bulletin: Explosion at ASCO facility, published on January 2006 19. U.S. Chemical Safety Board case study: Fire at Formosa Plastics Corporation Texas, published on June 2006 20. U.S. Chemical Safety Board investigation report: Vinyl Chloride Monomer Explosion at Formosa Plastics Corp. Illinois, submitted on March 2007 21. U.S. Chemical Safety Board case study: Fire and Community Evacuation at EQ facility, North Carolina, published on 16th April 2008 22. U.S. Chemical Safety Board case study: Static Spark Ignites Flammable Liquid during Portable Tank Filling Operation at Barton Solvents Iowa, published on September 2008 105 23. U.S. Chemical Safety Board case study: Confined Space Entry - Worker and Wouldbe Rescuer Asphyxiated at Valero refinery Delaware, published on 2nd November 2006 24. U.S. Chemical Safety Board safety video: Fire from Ice 25. U.S. Chemical Safety Board investigation report: Sterigenics California, submitted on March 2006 26. U.S. Chemical Safety Board investigation report: Confined Vapour Cloud Explosion at CAI Inc. Massachusetts, submitted on May 2008 27. U.S. Chemical Safety Board investigation report: Little General Store- Propane Explosion at West Virginia, submitted on September 2008 28. U.S. Chemical Safety Board investigation report: Phosgene Release at E.I. DuPont facility at West Virginia, submitted on September 2011 106
