Lessons Learned from Recent Process Safety Incidents

These five incidents demonstrate how seemingly small mistakes or temporary lapses in judgment can result in disaster.

Failures of process safety management (PSM) systems are deadly and costly. Major accidents have emphasized the need for process safety within the chemical and petrochemical industries. For example, the founding of the Center for Chemical Process Safety (CCPS) was a response by industry to the methyl isocyanate release at Bhopal, India, in 1984 that killed over 2,000 people and injured tens of thousands. A fire and explosion at a PEMEX LPG terminal in Mexico City, also in 1984, killed more than 600 people and injured around 7,000.

Major environmental damage has also been caused by process safety incidents. The firefighting efforts during a fire in a Sandoz warehouse in Basel, Switzerland, in 1986 caused the release of many different chemicals, including pesticides, because responders failed to contain the water runoff. The release caused massive destruction to aquatic life in the Rhine River as far as 250 miles away; fishing was banned for six months. The environmental consequences of the Exxon Valdez spill in 1989 and the Deepwater Horizon incident in 2010 have been well-documented.

Engineers and students can obtain safety incident reports from several sources. One useful source is the U.S. Chemical Safety and Hazard Investigation Board (CSB). The CSB is a government agency charged with investigating chemical accidents at industrial facilities. The reports of their investigations are available for download from the CSB website (www.csb.gov). Additionally, the CSB has created a series of videos about many process safety incidents.

The CCPS book Incidents that Define Process Safety (1) discusses many more events. The book also describes events from industries other than chemicals and petrochemicals, demonstrating that many PSM concepts are universal in their relevance to safe operations.

This article describes five accidents that have occurred over the past 25 years that are less well-known than the Bhopal and Deepwater Horizon incidents. Major disasters - like the one that occurred in Bhopal - are sometimes referred to as black swans (2). These types of incidents have a low likelihood of occurring again in our lifetime.

Accidents such as those discussed in this article are more likely to occur. These incidents demonstrate that even small mistakes can have disastrous consequences. Therefore, it is imperative that engineers learn from previous incidents to reduce their likelihood of recurring.

Swiss cheese model

Accidents almost always have more than one cause. For many years, safety experts have used the Swiss cheese model (3) to help managers and workers in the process industries understand the events, failures, and decisions that can lead to a catastrophic incident or near miss. According to this model (Figure 1), each layer of protection is depicted as a slice of Swiss cheese, and the holes in the cheese represent potential failures in the protection layers, such as:

  • human errors
  • management decisions
  • single-point equipment failures or malfunctions
  • knowledge deficiencies
  • management system inadequacies, such as a failure to perform hazard analyses, failure to recognize and manage changes, or inadequate follow-up on previously experienced incident warning signs.

Incidents are typically the result of multiple failures to address hazards effectively - represented by the holes in successive slices aligning. A management system may include physical safety devices or planned activities that protect and guard against failure. An effective PSM system has the effect of reducing the number of holes and the sizes of the holes in each of the system's layers, thereby reducing the likelihood that they will align.

See the process safety training video Managing Human Error featuring Professor James Reason.

1. ARCO Channelview explosion: Use MOC for wastewater tank maintenance

A wastewater tank at the ARCO chemical plant in Channelview, TX, exploded during the restart of a compressor on July 5, 1990. The nitrogen purge had been significantly reduced during maintenance, and a temporary oxygen analyzer failed to detect the buildup of a flammable atmosphere in the tank. When the compressor was restarted, flammable vapors were sucked into the compressor and ignited. The flashback of the flame into the headspace of the tank caused an explosion that killed 17 people. Damages were estimated to be $100 million (4).

Event details. The 900,000-gal wastewater tank contained process wastewater from propylene oxide and styrene processes (Figure 2). There were thousands of feet of piping upstream of the tank where peroxides and caustic could mix. A nitrogen purge kept the vapor space inert, and an off-gas compressor drew the hydrocarbon vapors off before the waste was disposed of in a deep well.

The tank was taken out of service so the nitrogen blanket compressor could be repaired. During this time, the normal flow of nitrogen purge gas to the tank was reduced to a minimum. Workers installed a temporary oxygen analyzer between two roof beams in the tank, and they planned to add a nitrogen purge if a high oxygen level was detected.

Within the tank, decomposition of the peroxides generated dangerous levels of oxygen. However, the air in the headspace of the tank was stagnant and the analyzer did not detect the oxygen buildup because it was in a dead zone. Occasional nitrogen purging was inadequate to prevent the formation of a flammable atmosphere in the headspace and in the piping to the compressor.

After maintenance was completed, a failed attempt to restart the compressor drew flammable vapors into the suction line of the compressor. When the compressor was successfully restarted, the flammable vapors were ignited and flame flashed back to the tank, causing an explosion.

Causes. The wastewater tank was not considered part of the operating plant. Hence, the management and workers did not understand that a chemical reaction was taking place in the tank, generating oxygen. The lack of understanding enabled a series of poor decisions, such as discontinuing the nitrogen purge, poor design and location of the temporary oxygen probe, no management of change (MOC) review of these decisions, and no pre-startup safety review.

Key lessons. Keep in mind that the chemicals that enter any wastewater tank are still prone to reaction. Ensure that proper MOC procedures are followed before any maintenance work is performed. In this incident, the workers did not know that a chemical reaction that could produce an oxygen buildup was taking place in the tank. Therefore, they did not comprehend the importance of continuing an effective nitrogen purge.

2. Terra Industries ammonium nitrate explosion: Monitor equipment during shutdown

On Dec. 13, 1994, a massive explosion occurred in the ammonium nitrate (AN) portion of Terra Industries' fertilizer plant in Port Neal, IA (Figure 3). The explosion occurred after the process had been shut down and ammonium nitrate solution was left in several vessels. Multiple factors contributed to the explosion, including strongly acidic conditions in the neutralizer, application of 200-psig steam to the neutralizer vessel, and lack of monitoring of the plant when the process was shut down with materials in the process vessels. Four people were killed and 18 injured. Serious damage to other parts of the plant caused the release of nitric acid into the ground and anhydrous ammonia into the air (5).

Event details. The plant produced nitric acid, ammonia, ammonium nitrate, urea, and urea-ammonium nitrate. Ammonia from the urea plant off-gas or from ammonia storage tanks was added to the neutralizer through a sparger in the bottom of the vessel, and 55% nitric acid was added through a sparging ring in the middle of the vessel. The product, 83% AN, was sent to a rundown tank via an overflow line for transfer to storage. A pH probe located in the overflow line controlled the nitric acid flow to the neutralizer to maintain the pH at 5.5-6.5. The temperature in the neutralizer was maintained at about 267°F. Both the neutralizer and rundown tank were vented to a scrubber, where the vapors were absorbed by 55-65% nitric acid and makeup water to produce 50% ammonium nitrate. A stream of 50% AN was recycled back to the neutralizer.

About two weeks prior to the event, the pH probe in the overflow line was found to be defective, at which time the plant switched to manual pH sampling. Two days prior to the event, the pH was measured as 1.5 and was not brought into the acceptable range until about 1:00 am on Dec. 12.

The AN plant was shut down at about 3:00 pm on Dec. 12 because the nitric acid plant was out of service. At about 3:30 pm, operators purged the nitric acid feed line to the neutralizer with air. At about 7:00 pm, operators pumped the scrubber solution to the neutralizer. Then, 200-psig steam (which is around 387°F) was applied through the nitric acid feed line to the nitric acid sparger to prevent backflow of AN into the nitric acid line. The explosion occurred at about 6:00 am on Dec. 13.

AN is known to become more sensitive to decomposition, deflagration, and detonation at low pH levels, at high temperatures, in low-density areas (e.g., in areas containing gas bubbles), in confined spaces, and in the presence of contaminants, such as chlorides. Calculations showed that the nitric acid line clearing would have lowered the pH at the time of the shutdown to about 0.8. The steam sparge was left on for 9 hr, providing enough heat to raise the solution to its boiling point in about 2 hr. The air and steam sparge created gas bubbles in the solution. Chlorides, carried over from the nitric acid plant, were also present in the AN solution.

Causes. The U.S. Environmental Protection Agency (EPA) investigation concluded that the conditions that led to the explosion occurred due to the lack of safe operating procedures. There were no procedures for putting the vessels into a safe state at shutdown, or for monitoring the process vessels during shutdown. The EPA found that other producers either emptied the process vessels during a shutdown or maintained the pH above 6.0. Also, other producers either did not allow steam sparges or, if steam sparges were used, they were conducted under direct supervision of operators.

The EPA also noted that no hazard analysis had been done on the AN plant, and that personnel interviewed "indicated they were not aware of many of the hazards of ammonium nitrate" (5).

Key lessons. Operating procedures need to cover all phases of operation. In this event, the lack of procedures for shutdown and monitoring the equipment during shutdown led operators to perform actions that sensitized the AN solution and provided energy to initiate the decomposition reaction.

Because there had been no hazard identification study, personnel did not know about the conditions that sensitize AN to decomposition. A hazard assessment of the shutdown step would have revealed that the pH of the neutralizer could not be measured if there was no solution flowing through the overflow line, and that the temperature of the neutralizer could not be accurately measured without any circulation in the tank. A complete hazard identification study would have covered backflow of ammonium nitrate into the nitric acid line, and better design solutions could have been identified.

3. Partridge-Raleigh oilfield explosion: Beware of hot work and flammable gases

On June 5, 2006, three contract workers were killed and a fourth worker was seriously injured in an explosion and fire at the Partridge-Raleigh oilfield in Mississippi. The contractors, who were employees of Stringer Oilfield Services, were tasked with installing a pipe between two oil production tanks (Figure 4). Welding sparks ignited flammable vapor that was escaping from an open-ended pipe near the welding activity (6).

Event details. Contract workers were connecting piping between two recently moved tanks (Tanks 3 and 4 in Figure 4). Several days earlier, crude oil residue was removed from Tank 4 and the tank was flushed with water. However, the contractors did not clean out or purge the crude oil residue from Tank 2 or Tank 3.

Before starting to weld, the welder checked for flammable vapors in Tank 4 by inserting a lit welding torch into it, an unsafe act known as flashing the tank. Then, as the CSB report (6) states, "The foreman climbed to the top of Tank 4. Two other maintenance workers climbed on top of Tank 3; they then laid a ladder on the tank roof, extending it across the 4-ft space between Tanks 3 and 4, and held the ladder steady for the welder. The welder attached his safety harness to the top of Tank 4 and positioned himself on the ladder (6)." Figure 5 illustrates the workers' locations.

Almost immediately after the welder started welding, flammable hydrocarbon vapor that was venting from the open-ended pipe attached to Tank 3 ignited. The fire flashed back into Tank 3, spread through the overflow connecting pipe from Tank 3 to Tank 2, and caused Tank 2 to explode. The lids of both tanks were blown off and the two maintenance workers and foreman were thrown off the tanks to the ground. The welder was thrown off the ladder, but his harness prevented him from falling to the ground.

Causes. The root cause of this incident was hot work being conducted in the presence of a flammable atmosphere without using any safe work permitting procedure. A gas detector should have been used to test for flammable vapor. The open pipe on Tank 3 was not capped or isolated. All of the tanks were interconnected, and some of the tanks still contained flammable residue and crude oil.

Key lessons. Safe work practices, such as hot work permits, are necessary to ensure a safe work environment when hazardous chemicals, in this case flammable vapors, are present. The contractor, Stringer's Oilfield Services, did not require the use of safe work procedures, specifically hot work permits in this case.

Contractors need to be managed in such a way as to ensure they know about and use safe work practices. The owner of the wells and tanks, Partridge-Raleigh, relied on contractors to do most of its well commissioning work, such as installing tanks, pumps, and piping - this is a common practice. Partridge-Raleigh did not, however, manage the contractors to make sure they used safe work practices.

Companies need to be aware of and follow best industry practices. Several National Fire Protection Association (NFPA) and American Petroleum Institute (API) guidelines cover this situation. If Partridge-Raleigh or Stringer's Oilfield Services had adopted any of these industry standards, this incident could have been prevented:

* NFPA 326, "Standard for the Safeguarding of Tanks and Containers for Entry, Cleaning, or Repair" (2005)

* NFPA 51B, "Standard for Fire Prevention During Welding, Cutting, and Other Hot Work" (2003)

* API Recommended Practice 2009, "Safe Welding, Cutting and Hot Work Practices in the Petroleum and Petrochemical Industries" (2002)

* API 74, "Recommended Practice for Occupational Safety for Onshore Oil and Gas Production Operations" (2001).

4. Formosa Plastics vinyl chloride release: Follow correct operating procedures and protocols

On April 23, 2004, an explosion and fire at the Formosa Plastics Corp. plant in Illiopolis, IL, killed five workers and seriously injured two others. The event destroyed most of the polyvinyl chloride (PVC) manufacturing facility and ignited PVC resins stored in an adjacent warehouse (7). Concerns about the ensuing smoke from the fire forced a two-day community evacuation.

Vinyl chloride monomer (VCM) - a highly flammable chemical and known carcinogen - is the primary raw material in the PVC manufacturing process. The Formosa Plastics facility used VCM to manufacture PVC resins. VCM served as the fuel for the initial explosion and fire.

Event details. The facility produced PVC by heating VCM, water, suspending agents, and reactor initiators under pressure in a batch reactor. There were 24 reactors in a building, and the reactors were put in groups of 4, with a control station for every two reactors (Figure 6). When a reaction was complete, the PVC solution was transferred through the bottom valve to a vessel for the next step in the process.

After the transfer, the reactor was purged of hazardous gases and cleaned by power washing through an open manway. The wash water was emptied to a drain through the reactor's bottom valve and a drain valve. All of these steps were done manually.

On the day of the incident, the reaction and the power washing had been completed in reactor D306 and the operator went downstairs to drain the reactor. It is believed that, at the bottom of the stairway, he turned in the wrong direction, toward an identical set of four reactors that were in the reaction phase of the process (Figure 7). By mistake, the operator likely attempted to empty reactor D310 by opening the bottom and drain valves. The bottom valve, however, was interlocked to remain closed when the reactor pressure was above 10 psi. Because this tank was currently processing a batch of PVC at high pressure, the valve did not open.

In case of an emergency (such as reactor overpressure), operators could follow an emergency transfer procedure that required them to open the bottom valve and the transfer valve to connect the reactor to an empty reactor. However, during an emergency transfer, the reactor pressure is greater than 10 psi, and the safety interlock would prevent the opening of the bottom valve. Therefore, the company added a manual interlock bypass so that operators could open the valve and reduce reactor pressure in an emergency. The bypass incorporated quick-connect fittings on air hoses so that operators could disconnect the valve actuator from its controller and open the valve by connecting an emergency air hose directly to the actuator.

It is likely that the operator thought he was at the correct reactor (D306) and that its bottom valve was not functioning. When the bottom valve did not open, he switched to the backup air supply and overrode the interlock. He did not contact the upstairs reactor operator or shift foreman to check the status of the reactor before doing this.

Once the bottom valve was opened, VCM poured out of the reactor and the building rapidly filled with liquid and vapor. A deluge system in the building activated and a shift supervisor came to the area to investigate. The VCM detectors in the building were reading above their maximum measurable levels. The shift foreman and reactor operators took measures to slow the release, rather than evacuate. The VCM vapors found an ignition source and several explosions occurred. The ensuing fire spread to the PVC warehouse and burned for hours, sending a plume of acrid smoke into a nearby community.

Causes. The operator overrode an interlock, which led to a release of hot, pressurized VCM. Formosa Plastics did not have comprehensive written standards, such as requiring shift supervisor approval, for managing interlocks on the vessels. Employees were unprepared for a major accident at the facility.

Several factors made this incident more likely to occur:

  • The reactor groupings had similar layouts (Figure 7).
  • The operators on the lower levels were not given radios, which would have made communication with the reactor control operators on the upper level easier. (Similar Formosa plants had radios or an intercom system.)
  • Formosa eliminated an operator group leader position and gave its responsibilities to the shift supervisors, who were not always as available as the group leaders used to be.

Key lessons. Operators and engineers must follow operating procedures and protocols intelligently, and, when the process moves outside the operating envelope, stop work, get experienced advice as needed, and shut down as appropriate. The Formosa operator should have obtained supervisory approval to override the interlock.

Furthermore, in this event, the operators had to cope with an error-prone design - the reactor layout made it easier for a mix-up to occur. An emergency transfer procedure required bypassing the bottom valve interlock, so an easy means was provided to do this. Engineers who design and run plants should try to provide engineering controls and monitor shift notes and logs for instances of interlock bypassing. In this case, a reactor status indication on the operating floor could have been provided, and more rigorous enforcement of operating procedures and interlock management implemented.

Operators were not given tools (radios for communication between floors) to make it easier for them to follow their procedures. It is management's responsibility to provide the tools and controls necessary for operators to do their jobs safely.

When Formosa Plastics took over the plant, it made staffing changes, such as reductions in staff and changes in responsibilities. It did not conduct a formal management of organizational change review to analyze the impact of these changes.

This explosion also illustrates the importance of emergency response planning. When the VCM release occurred, gas detectors in the building and a deluge system were activated. Operators responded by trying to mitigate the release. The proper response to these activations would have been to evacuate.

5. Hoeganaes combustible dust flash fires: Make housekeeping a priority

In 2011, a series of iron dust flash fires and a hydrogen explosion occurred at the Hoeganaes facility located in Gallatin, TN. The plant specialized in melting and converting scrap metal to various metal powders. These three incidents killed a total of five people and injured three others.

The Hoeganaes facility's main product is a powder that is 99% iron. The process involves melting the iron, then cooling and milling it into a coarse powder. The powder is sent through an annealing furnace on a 100-ft-long conveyor belt. The furnace has a hydrogen atmosphere to reduce oxides and prevent oxidation. Hydrogen is supplied through pipes located in a trench in the floor, which is covered by metal plates. The product from the furnace, called a cake, is sent to a cake breaker and then crushed into a powder with a particle size of 45-150 μm.

First incident. On Jan. 31, 2011, operators thought that a bucket elevator used to transfer the powder was off track (i.e., the belt had become misaligned, which can cause the motor to overheat due to the increased torque). After shutting down the motor, a maintenance mechanic and an electrician inspected the equipment. They did not believe the belt was off track and requested the operator to restart the motor. When the motor started, the vibrations dispersed powder that was on the equipment and floor (Figure 8). A flash fire occurred almost immediately and engulfed the two workers, killing both.

Second incident. On March 29, 2011, a Hoeganaes engineer and a contractor were replacing igniters on an annealing furnace. They had difficulty reconnecting a gas line, and the engineer used a hammer to force the connection. Large amounts of dust on surrounding surfaces were dispersed by the hammering and ignited almost immediately. The engineer suffered first- and second-degree burns, while the contractor was able to escape. The engineer was wearing flame-resistant clothing (FRC), which may have helped prevent more serious burns. Figure 9 is a photo taken at the Hoeganaes plant on Feb. 3, 2011, about two months before this incident (8). This photo shows how much dust had piled up on the plant's surfaces.

Third incident. On May 27, 2011, operators near an annealing furnace identified a gas leak coming from a trench that contained hydrogen, nitrogen, and cooling water runoff pipes, in addition to a vent pipe for the furnaces. Mechanics were dispatched to find and repair the leak. One area operator stood by as the mechanics searched for the source of the leak. Although maintenance personnel knew that hydrogen piping was in the same trench, they presumed that the leak was nonflammable nitrogen because of a recent leak in a nitrogen pipe elsewhere in the plant. However, in this case the source of the leak was a line containing hydrogen.

The trench covers were too difficult to lift without machinery, so a forklift was used to lift a cover near the leak. As the cover was pulled up by the forklift, friction created sparks and an explosion ensued. The hydrogen explosion dispersed large quantities of iron dust from rafters and other surfaces in the upper reaches of the building (Figure 9). Portions of this dust ignited, creating multiple dust flash fires in the area. Three employees died from the burns they suffered in the fire.

Key lessons. Understanding hazards and risks is one of the pillars of risk-based PSM (9). After the incidents, combustibility tests indicated that the iron dust was a weak explosion hazard and relatively hard to ignite. These findings were similar to results Hoeganaes obtained after an insurance audit in 2008. A lesson here is that even a weakly explosive and hard-to-ignite dust is still combustible, and therefore, still hazardous and capable of causing fatalities when ignited. In this case, even though the company had the necessary information, personnel did not fully understand the hazards and risks of combustible dusts.

Learning from experience is another pillar of risk-based PSM (9). The plant experienced an incident in 1992 that was very similar to the third incident in 2011. A hydrogen explosion in a furnace dispersed accumulated dust and created a flash fire that severely burned an employee (burns covered more than 90% of his body, and he spent a year in a burn unit). Hoeganaes did not learn from its own incident.

The importance of housekeeping in a facility that handles solids cannot be overstated. All three of these incidents were exacerbated by the large quantities of combustible dust present (Figures 8 and 9). Poor housekeeping has been involved in most, if not all, high-consequence dust explosions (10). At the Hoeganaes plant, control of dust emissions and housekeeping were ineffective. Baghouse filtration systems that were installed to control dust were frequently out of service, and the CSB investigators observed that the baghouses leaked when the bags were pulsed. The 2008 insurance audit also noted that housekeeping needed to be improved in several areas. The ineffective dust control and housekeeping enabled dust layers with more than enough dust to fuel the flash fires to accumulate. These deficiencies were contributing factors to all three incidents.

Closing thoughts

These five lesser-known incidents demonstrate the importance of good PSM. Many engineers have learned these lessons the hard way, but their mistakes can help you to avoid similar situations in the future. Trevor Kletz, a world-renowned expert in process safety, is often quoted as saying, "Organizations don't have memory - only people do" (11). By providing these examples, this article is helping you to collect and recall the necessary memories to prevent future accidents.

Most processes are designed with more than one layer of protection. However, no protection or safeguard is 100% perfect, and, like slices of Swiss cheese, there are holes in every layer. Incidents occur when multiple failures - or holes - line up. The goal of PSM is to make the holes as small and as few as possible.

As many of these incidents show, technical competence is not enough to prevent an accident - management systems and company culture also play a key role in process safety.

This article is based on "Chapter 3: The Need for Process Safety," of the Student Handbook for Process Safety, a Center for Chemical Process Safety (CCPS) book due to be published later in 2015. For more information on these and many more process safety incidents, please see that book.
