The Flixborough disaster was an explosion at a chemical plant close to the village of Flixborough, North Lincolnshire, England, on Saturday, 1 June 1974. It killed 28 and seriously injured 36 of the 72 people on site at the time. The casualty figures could have been much higher if the explosion had occurred on a weekday, when the main office area would have been occupied. [1] [2] A contemporary campaigner on process safety wrote "the shock waves rattled the confidence of every chemical engineer in the country". [3] [A]
The disaster involved (and may well have been caused by) a hasty equipment modification. Although virtually all of the plant management personnel had chemical engineering qualifications, there was no on-site senior manager with mechanical engineering expertise. Mechanical engineering issues with the modification were overlooked by the managers who approved it, and the severity of potential consequences due to its failure were not taken into account.
Flixborough led to a widespread public outcry over process safety. Together with the passage of the UK Health and Safety at Work Act in the same year, it led to (and is often quoted in justification of) a more systematic approach to process safety in UK process industries. UK government regulation of plant processing or storing large inventories of hazardous materials is currently under the Control of Major Accident Hazards Regulations 1999 (COMAH). In Europe, the Flixborough disaster and the Seveso disaster in 1976 led to development of the Seveso Directive in 1982 (currently Directive 2012/18/EU issued in 2012).
The chemical works, owned by Nypro UK (a joint venture between Dutch State Mines (DSM) and the British National Coal Board (NCB)) had originally produced fertiliser from by-products of the coke ovens of a nearby steelworks. Since 1967, it had instead produced caprolactam, a chemical used in the manufacture of nylon 6. [a] The caprolactam was produced from cyclohexanone. This was originally produced by hydrogenation of phenol, but in 1972 additional capacity was added, built to a DSM design in which hot liquid cyclohexane was partially oxidised by compressed air. The plant was intended to produce 70,000 tons per annum (tpa) of caprolactam but was reaching a rate of only 47,000 tpa in early 1974. Government controls on the price of caprolactam put further financial pressure on the plant. [2]
It was a failure of the cyclohexane plant that led to the disaster. A major leak of liquid from the reactor circuit caused the rapid formation of a large cloud of flammable hydrocarbon. When this met an ignition source (probably a furnace at a nearby hydrogen production plant [B] ) there was a massive fuel-air explosion. The plant control room collapsed, killing all 18 occupants. Nine other site workers were killed, and a delivery driver died of a heart attack in his cab. Fires started on-site which were still burning ten days later. Around 1,000 buildings within a 1-mile (1.6 km) radius of the site (in Flixborough itself and in the neighbouring villages of Burton upon Stather and Amcotts) were damaged, as were nearly 800 in Scunthorpe 3 miles (4.8 km) away; the blast was heard over 35 miles (56 km) away in Grimsby, Hull and Saltfleet. Images of the disaster were soon shown on television, filmed by BBC and Yorkshire Television filmstock news crews who had been covering the Appleby-Frodingham Gala in Scunthorpe that afternoon.
The plant was re-built but cyclohexanone was now produced by hydrogenation of phenol (Nypro proposed to produce the hydrogen from LPG; [7] in the absence of timely advice from the Health and Safety Executive (HSE) planning permission for storage of 1,200 te LPG at Flixborough was initially granted subject to HSE approval, but HSE objected [8] ); as a result of a subsequent collapse in the price of nylon it closed down a few years later. The site was demolished in 1981, although the administration block still remains. The site today is home to the Flixborough Industrial Estate, occupied by various businesses and Glanford Power Station.
The foundations of properties severely damaged by the blast and subsequently demolished can be found on land between the estate and the village, on the route known as Stather Road. A memorial to those who died was erected in front of offices at the rebuilt site in 1977. Cast in bronze, it showed mallards alighting on water. When the plant was closed, the statue was moved to the pond at the parish church in Flixborough. During the early hours of New Year's Day 1984, the sculpture was stolen. It has never been recovered but the plinth it stood on, with a plaque listing all those who died that day, can still be found outside the church.
The cyclohexane oxidation process is still operated in much the same plant design in the Far East. [4]
In the DSM process, cyclohexane was heated to about 155 °C (311 °F) before passing into a series of six reactors. The reactors were constructed from mild steel with a stainless steel lining; when operating they held in total about 145 tonnes of flammable liquid at a working pressure of 8.6 bar gauge (0.86 MPa gauge; 125 psig). [b] In each of the reactors, compressed air was passed through the cyclohexane, causing a small percentage of the cyclohexane to oxidise and produce cyclohexanone, some cyclohexanol also being produced. Each reactor was slightly (approximately 14 inches, 350 mm) lower than the previous one, so that the reaction mixture flowed from one to the next by gravity through nominal 28-inch bore (700mm DN) stub pipes with inset bellows. [C] The inlet to each reactor was baffled so that liquid entered the reactors at a low level; the exiting liquid flowed over a weir whose crest was somewhat higher than the top of the outlet pipe. [9] The mixture exiting reactor 6 was processed to remove reaction products, and the unreacted cyclohexane (only about 6% was reacted in each pass) then returned to the start of the reactor loop.
Although the operating pressure was maintained by an automatically controlled bleed valve once the plant had reached steady state, the valve could not be used during start-up, when there was no air feed, the plant being pressurised with nitrogen. During start-up the bleed valve was normally isolated and there was no route for excess pressure to escape; pressure was kept within acceptable limits (slightly wider than those achieved under automatic control) by operator intervention (manual operation of vent valves). A pressure-relief valve acting at 11 kgf/cm2 (11 bar; 156 psi) gauge was also fitted.
Two months prior to the explosion, the number 5 reactor was discovered to be leaking. When lagging was stripped from it, a crack extending about 6 feet (1.8 m) was visible in the mild steel shell of the reactor. It was decided to install a temporary pipe to bypass the leaking reactor to allow continued operation of the plant while repairs were made. In the absence of 28-inch nominal bore pipe (700mm DN), 20-inch nominal bore pipe (500mm DN) was used to fabricate the bypass pipe for linking reactor 4 outlet to reactor 6 inlet. The new configuration was tested for leak-tightness at working pressure by pressurisation with nitrogen. For two months after fitting the bypass was operated continuously at temperature and pressure and gave no trouble. At the end of May (by which time the bypass had been lagged) the reactors had to be depressurised and allowed to cool in order to deal with leaks elsewhere. The leaks having been dealt with, early on 1 June attempts began to bring the plant back up to pressure and temperature.
At about 16:53 on 1 June 1974, there was a massive release of hot cyclohexane in the area of the missing reactor 5, followed shortly by ignition of the resulting huge cloud of flammable vapour [D] and a massive explosion [E] in the plant. The explosion virtually demolished the site. As it was a weekend there were relatively few people on site: of the 72 people on-site at the time, 28 were killed and 36 injured. Fires burned on-site for more than ten days. Off-site there were no fatalities, but 50 injuries were reported and about 2,000 properties damaged. [d]
The occupants of the works laboratory had seen the release and evacuated the building before the release ignited; most survived. None of the 18 occupants of the plant control room survived, nor did any records of plant readings. The explosion appeared to have been in the general area of the reactors and after the accident only two possible sites for leaks before the explosion were identified: "the 20 inch bypass assembly with the bellows at both ends torn asunder was found jack-knifed on the plinth beneath" and there was a 50-inch long split in nearby 8-inch nominal bore stainless steel pipework". [e]
Immediately after the accident, New Scientist commented presciently on the normal official response to such events, but hoped that the opportunity would be taken to introduce effective government regulation of hazardous process plants.
Disasters on the scale of last Saturday's tragic explosion ... at Flixborough tend to provoke a brief wave of statements that such things must never happen again. With the passage of time these sentiments are diluted into bland reports about human error and everything being well under control – as happened with the Summerland fire. In the Flixborough case, there is a real chance that the death toll could trigger meaningful changes in a neglected aspect of industrial safety. [13]
The Secretary of State for Employment set up a Court of Inquiry to establish the causes and circumstances of the disaster and identify any immediate lessons to be learned, and also an expert committee to identify major hazard sites and advise on appropriate measures of control for them. The inquiry, chaired by Roger Parker QC, sat for 70 days in the period September 1974 – February 1975, and took evidence from over 170 witnesses. [f] In parallel, an Advisory Committee on Major Hazards was set up to look at the longer-term issues associated with hazardous process plants.
The report of the court of inquiry was critical of the installation of the bypass pipework on a number of counts: although plant and senior management were chartered engineers (mostly chemical engineers), the post of Works Engineer which had been occupied by a chartered mechanical engineer had been vacant since January 1974, and at the time of the accident there were no professionally qualified engineers in the works engineering department. Nypro had recognised this to be a weakness and identified a senior mechanical engineer in an NCB subsidiary as available to provide advice and support if requested. [g] At a meeting of plant and engineering managers to discuss the failure of reactor 5, the external mechanical engineer was not present. The emphasis was upon prompt restart and – the inquiry felt – although this did not lead to the deliberate acceptance of hazards, it led to the adoption of a course of action whose hazards (and indeed engineering practicalities) were not adequately considered or understood. The major problem was thought to be getting reactor 5 moved out of the way. Only the plant engineer was concerned about restarting before the reason for the failure was understood, and the other reactors inspected. [h] [F] The difference in elevation between reactor 4 outlet and reactor 6 inlet was not recognised at the meeting. At a working level the offset was accommodated by a dog-leg in the bypass assembly; a section sloping downwards inserted between (and joined with by mitre welds) two horizontal lengths of 20-inch pipe abutting the existing 28-inch stubs. This bypass was supported by scaffolding fitted with supports provided to prevent the bellows having to take the weight of the pipework between them, but with no provision against other loadings. [G] The Inquiry noted on the design of the assembly:
No-one appreciated that the pressurised assembly would be subject to a turning moment imposing shear forces on the bellows for which they are not designed. Nor did anyone appreciate that the hydraulic thrust on the bellows (some 38 tonnes at working pressure) would tend to make the pipe buckle at the mitre joints. No calculations were done to ascertain whether the bellows or pipe would withstand these strains; no reference was made to the relevant British Standard, or any other accepted standard; no reference was made to the designer's guide issued by the manufacturers of the bellows; no drawing of the pipe was made, other than in chalk on the workshop floor; no pressure testing either of the pipe or the complete assembly was made before it was fitted. [i]
The Inquiry noted further that "there was no overall control or planning of the design, construction, testing or fitting of the assembly nor was any check made that the operations had been properly carried out". After the assembly was fitted, the plant was tested for leak-tightness by pressurising with nitrogen to 9 kg/cm2; i.e. roughly operating pressure, but below the pressure at which the system relief valve would lift and below the 30% above design pressure called for by the relevant British Standard. [j]
The claim argued by experts retained by Nypro and their insurers [3] was that the disaster's cause was that the 20-inch bypass was not what would have been produced or accepted by a more considered process. Controversy developed (and became acrimonious) as to whether its failure was the initiating fault in the disaster (the 20-inch hypothesis, argued by the plant designers (DSM) and the plant constructors; and favoured by the court's technical advisers [3] ), or had been triggered by an external explosion resulting from a previous failure of the 8-inch line. [3]
Tests on replica bypass assemblies showed that deformation of the bellows could occur at pressures below the safety valve setting, but that this deformation did not lead to a leak (either from damage to the bellows or from damage to the pipe at the mitre welds) until well above the safety valve setting. However theoretical modelling suggested that the expansion of the bellows as a result of this would lead to a significant amount of work being done on them by the reactor contents, and there would be considerable shock loading on the bellows when they reached the end of their travel. If the bellows were 'stiff' (resistant to deformation), the shock loading could cause the bellows to tear at pressures below the safety valve setting; it was not impossible that this could occur at pressures experienced during start-up, when pressure was less tightly controlled. (Plant pressures at the time of the accident were unknown since all relevant instruments and records had been destroyed, and all relevant operators killed). [k] The Inquiry concluded that this ("the 20-inch hypothesis")[ clarification needed ] was 'a probability' but one 'which would readily be displaced if some greater probability' could be found. [l]
Detailed analysis suggested that the 8-inch pipe had failed due to "creep cavitation"[ jargon ] at a high temperature while the pipe was under pressure. The metal of the pipe would have experienced hard-to-detect deformation, microscopic cracks, and structural weakness as a result, increasing the likelihood of failure. Failure had been accelerated by contact with molten zinc; there were indications that an elbow in the pipe had been at significantly higher temperature than the rest of the pipe. [m] The hot elbow led to a non-return valve held between two pipe flanges by twelve bolts. After the disaster, two of the twelve bolts were found to be loose; the inquiry concluded that they were probably loose before the disaster. Nypro argued that the bolts had been loose, there had consequently been a slow leak of process fluid onto lagging leading eventually to a lagging fire, which had worsened the leak to the point where a flame had played undetected upon the elbow, burnt away its lagging and exposed the line to molten zinc, the line then failing with a bulk release of process fluid which extinguished the original fire, but subsequently ignited giving a small explosion which had caused failure of the bypass, a second larger release and a larger explosion. Tests failed to produce a lagging fire with leaked process fluid at process temperatures; one advocate of the 8-inch hypothesis then argued instead that there had been a gasket failure giving a leak with sufficient velocity to induce static charges whose discharge had then ignited the leak. [H]
The 8-inch hypothesis was claimed to be supported by eyewitness accounts and by the apparently anomalous position of some debris post-disaster. The inquiry report took the view that explosions frequently throw debris in unexpected directions and eyewitnesses often have confused recollections. The inquiry identified difficulties at various stages of the accident development in the 8-inch hypothesis, their cumulative effect being considered to be such that the report concluded that overall the 20-inch hypothesis involving 'a single event of low probability' was more credible than the 8-inch hypothesis depending upon 'a succession of events, most of which are improbable'. [n]
The inquiry report identified 'lessons to be learned' which it presented under various headings; 'General observation' (relating to cultural issues underlying the disaster), 'specific lessons' (directly relevant to the disaster, but of general applicability) are reported below; there were also 'general' and 'miscellaneous lessons' of less relevance to the disaster. The report also commented on matters to be covered by the Advisory Committee on Major Hazards.
The disaster was caused by 'a well designed and constructed plant' undergoing a modification that destroyed its mechanical integrity.
When the bypass was installed, there was no works engineer in post and company senior personnel (all chemical engineers) were incapable of recognising the existence of a simple engineering problem, let alone solving it
No one concerned in the design or construction of the plant envisaged the possibility of a major disaster happening instantaneously. [J] It was now apparent that such a possibility exists where large amounts of potentially explosive material are processed or stored. It was 'of the greatest importance that plants at which there is a risk of instant as opposed to escalating disaster be identified. Once identified measures should be taken both to prevent such a disaster so far as is possible and to minimise its consequences should it occur despite all precautions.' [o] There should be coordination between planning authorities and the Health and Safety Executive, so that planning authorities could be advised on safety issues before granting planning permission; similarly the emergency services should have information to draw up a disaster plan.
The inquiry summarised its findings as follows:
We believe, however, that if the steps we recommend are carried out, the risk of any similar disaster, already remote, will be lessened. We use the phrase "already remote" advisedly for we wish to make it plain that we found nothing to suggest that the plant as originally designed and constructed created any unacceptable risk. The disaster was caused wholly by the coincidence of a number of unlikely errors in the design and installation of a modification. Such a combination of errors is very unlikely ever to be repeated. Our recommendations should ensure that no similar combination occurs again and that even if it should do so, the errors would be detected before any serious consequences ensued. [p]
Nypro's advisers had put considerable effort into the 8-inch hypothesis, and the inquiry report put considerable effort into discounting it. The critique of the hypothesis spilled over into criticism of its advocates: 'the enthusiasm for the 8-inch hypothesis felt by its proponents has led them to overlook obvious defects which in other circumstances they would not have failed to realise'. [q] Of one proponent the report noted gratuitously that his examination by the court 'was directed to ensuring that we had correctly appreciated the main steps in the hypothesis some of which appeared to us in conflict with facts which were beyond dispute'. [r] The report thanked him for his work in assembling eyewitness evidence but said his use of it showed 'an approach to the evidence which is wholly unsound'. [s]
The proponent of the 8-inch gasket failure hypothesis responded by arguing that the 20-inch hypothesis had its share of defects which the inquiry report had chosen to overlook, that the 8-inch hypothesis had more in its favour than the report suggested, and that there were important lessons that the inquiry had failed to identify:
[T]he Court's commitment for the 20-inch hypothesis led them to present their conclusions in a way that does not help the reader to assess contrary evidence. The Court could still be right that a single unsatisfactory modification caused the disaster but this is no reason for complacency. There are many other lessons. It is to be hoped that the respect normally accorded to the findings of a Court of Inquiry will not inhibit chemical engineers in looking beyond the report in their endeavours to improve the already good safety record of the chemical industry. [6]
The HSE website as of 2014 said that "During the late afternoon on 1 June 1974 a 20 inch bypass system ruptured, which may have been caused by a fire on a nearby 8-inch pipe". [1] In the absence of a strong consensus for either hypothesis other possible immediate causes have been suggested. [K]
The enquiry noted the existence of a small tear in a bellows fragment, and therefore considered the possibility of a small leak from the bypass having led to an explosion bringing the bypass down. It noted this to be not inconsistent with eyewitness evidence, but ruled out the scenario because pressure tests showed the bellows did not develop tears until well above the safety valve pressure. [t] This hypothesis has however been revived, with the tears being caused by fatigue failure at the top of the reactor 4 outlet bellows because of flow-induced vibration of the unsupported bypass line. Finite element analysis has been carried out (and suitable eyewitness evidence adduced) to support this hypothesis. [9] [17]
The reactors were normally mechanically stirred but reactor 4 had operated without a working stirrer since November 1973; free phase water could have settled out in unstirred reactor 4 and the bottom of reactor 4 would reach operating temperature more slowly than the stirred reactors. It was postulated that there had been bulk water in reactor 4 and a disruptive boiling event had occurred when the interface between it and the reaction mixture reached operating temperature. Abnormal pressures and liquor displacement resulting from this (it was argued) could have triggered failure of the 20-inch bypass. [18] [L] [M]
The plant design had assumed that the worst consequence of a major leak would be a plant fire and to protect against this a fire detection system had been installed. Tests by the Fire Research Establishment had shown this to be less effective than intended. [6] Moreover, fire detection only worked if the leak ignited at the leak site; it gave no protection against a major leak with delayed ignition, and the disaster had shown this could lead to multiple worker fatalities. The plant as designed therefore could be destroyed by a single failure and had a much greater risk of killing workers than the designers had intended. Critics of the inquiry report therefore found it hard to accept its characterisation of the plant as 'well-designed'. [N] The HSE (through the Department of Employment) had come up with a 'shopping list' of about 30 recommendations on plant design, [3] many of which had not been adopted (and a few explicitly rejected [v] ) by the Inquiry Report; the HSE inspector who acted as secretary to the inquiry spoke afterwards of making sure that the real lessons were acted upon. [6] More fundamentally, Trevor Kletz saw the plant as symptomatic of a general failure to consider safety early enough in process plant design, so that designs were inherently safe – instead processes and plant were selected on other grounds then safety systems bolted on to a design with avoidable hazards and unnecessarily high inventory. 'We keep a lion and build a strong cage to keep it in. But before we do so we should ask if a lamb might do.' [21]
If the UK public were largely reassured to be told the accident was a one-off and should never happen again, some UK process safety practitioners were less confident. Critics felt that the Flixborough explosion was not the result of multiple basic engineering design errors unlikely to coincide again; the errors were rather multiple instances of one underlying cause: a complete breakdown of plant safety procedures (exacerbated by a lack of relevant engineering expertise, but that lack was also a procedural shortcoming). [5]
The Petrochemicals Division of Imperial Chemical Industries (ICI) operated many plants with large inventories of flammable chemicals at its Wilton site (including one in which cyclohexane was oxidised to cyclohexanone and cyclohexanol). Historically good process safety performance at Wilton had been marred in the late 1960s by a spate of fatal fires caused by faulty isolations/handovers for maintenance work. [22] Their immediate cause was human error but ICI felt that saying that most accidents were caused by human error was no more useful than saying that most falls are caused by gravity. [4] ICI had not simply reminded operators to be more careful, but issued explicit instructions on the required quality of isolations, and the required quality of its documentation. [22] The more onerous requirements were justified as follows:
Why do we need the [ICI Heavy Organic Chemicals Division] [O] rules on the isolation and identification of equipment for maintenance? They were introduced about two years ago, but Billingham managed for 45 years without them. During those 45 years there were no doubt many occasions when fitters broke into equipment and found it had not been isolated, or broke into the wrong line because it had not been identified positively. But pipe-lines were mostly small, and the amount of flammable gas or liquid on the plant was not usually large. Now pipe-lines are much larger and the amount of gas or liquid that can leak out is much greater. Several serious incidents in the last three years have shown that we dare not risk breaking into lines that are not properly isolated. As plants have got larger we have moved ... into a new world where new methods are needed. [23] [P]
In accordance with this view, post-Flixborough (and without waiting for the Inquiry Report), ICI Petrochemicals instituted a review of how it controlled modifications. It found that major projects requiring financial sanction at a high level were generally well-controlled, but for more (financially) minor modifications there was less control and this had resulted in a past history of 'near-misses' and small-scale accidents, [26] few of which could be blamed on chemical engineers. [Q] To remedy this, not only were employees reminded of the principal points to consider when making a modification (both on the quality/compliance of the modification itself and on the effect of the modification on the rest of the plant), but new procedures and documentation were introduced to ensure adequate scrutiny. These requirements applied not only to changes to equipment, but also to process changes. All modifications were to be supported by a formal safety assessment. For major modifications this would include an 'operability study'; for minor modifications a checklist-based safety assessment was to be used, indicating what aspects would be affected, and for each aspect giving a statement of the expected effect. The modification and its supporting safety assessment then had to be approved in writing by the plant manager and engineer. Where instruments or electrical equipment were involved signatures would also be needed from the relative specialist (instrument manager or electrical engineer). A Pipework Code of Practice was introduced specifying standards of design construction and maintenance for pipework – all pipework over 3"nb (DN 75 mm) handling hazardous material would have to be designed by pipework specialists in the design office. [26] The approach was publicised outside ICI; while the Pipework Code of Practice on its own would have combatted the fault or faults that led to the Flixborough disaster, the adoption more generally of tighter controls on modifications (and the method by which this was done) were soon recognised to be prudent good practice. [R] In the United Kingdom, the ICI approach became a de facto standard for high-risk plant (partly because the new (1974) Health and Safety at Work Act went beyond specific requirements on employers to state general duties to keep risks to workers as low as reasonably practicable and to avoid risk to the public so far as reasonably practicable; under this new regime the presumption was that recognised good practice would inherently be 'reasonably practicable' and hence should be adopted, partly because key passages in reports of the Advisory Committee on Major Hazards were clearly supportive).
The terms of reference of the Court of Inquiry did not include any requirement to comment on the regulatory regime under which the plant had been built and operated, but it was clear that it was not satisfactory. Construction of the plant had required planning permission approval by the local council; while "an interdepartmental procedure enabled planning authorities to call upon the advice of Her Majesty's Factory Inspectorate when considering applications for new developments which might involve a major hazard" [27] (there was no requirement for them to do so), since the council had not recognised the hazardous nature of the plant [3] they had not called for advice. As the New Scientist commented within a week of the disaster:
There are now probably more than a dozen British petrochemical plants with a similar devastation-potential to the Nypro works at Flixborough. Neither when they were first built, nor now that they are in operation, has any local or government agency exercised effective control over their safety. To build a nuclear power plant, the electricity industry must provide a detailed safety evaluation to the Nuclear Inspectorate before it receives a licence. On the other hand, permission for highly hazardous process plants only involves satisfying a technically unqualified local planning committee, which lacks even the most rudimentary powers once the plant goes on stream. ... The Factory Inspectorate has standing only where it has promulgated specific regulations [13]
The ACMH's terms of reference were to identify types of (non-nuclear) installations posing a major hazard, and advise on appropriate controls on their establishment, siting, layout, design, operation, maintenance and development (including overall development in their vicinity). Unlike the Court of Inquiry, its personnel (and that of its associated working groups) had significant representation of safety professionals, drawn largely from the nuclear industry and ICI (or ex-ICI)
In its first report [28] (issued as a basis for consultation and comment in March 1976), the ACMH noted that hazard could not be quantified in the abstract, and that a precise definition of 'major hazard' was therefore impossible. Instead [w] installations with an inventory of flammable fluids above a certain threshold or of toxic materials above a certain 'chlorine equivalent' threshold should be ' notifiable installations '. A company operating a notifiable installation should be required to survey its hazard potential, and inform HSE of the hazards identified and the procedures and methods adopted (or to be adopted) to deal with them.
HSE could then choose to – in some cases (generally involving high risk or novel technology) – require [x] submission of a more elaborate assessment, covering (as appropriate) "design, manufacture, construction, commissioning, operation and maintenance, as well as subsequent modifications whether of the design or operational procedures or both". The company would have to show that "it possesses the appropriate management system, safety philosophy, and competent people, that it has effective methods of identifying and evaluating hazards, that it has designed and operates the installation in accordance with appropriate regulations, standards and codes of practice, that it has adequate procedures for dealing with emergencies, and that it makes use of independent checks where appropriate"
For most 'notifiable installations' no further explicit controls should be needed; HSE could advise and if need be enforce improvements under the general powers given it by the 1974 Health and Safety at Work Act (HASAWA), but for a very few sites explicit licensing by HSE might be appropriate; [y] responsibility for safety of the installation remaining however always and totally with the licensee.
HASAWA already required companies to have a safety policy, and a comprehensive plan to implement it. ACMH felt that for major hazard installations [z] the plan should be formal and include
Safety documents were needed both for design and operation. The management of major hazard installations must show that it possessed and used a selection of appropriate hazard recognition techniques, [S] had a proper system for audit of critical safety features, and used independent assessment where appropriate.
The ACMH also called for tight discipline in the operation of major hazard plants:
The rarity of major disasters tends to breed complacency and even a contempt for written instructions. We believe that rules relevant to safety must be everyday working rules and be seen as an essential part of day-to-day work practice. Rules, designed to protect those who drew them up if something goes wrong, are readily ignored in day-to-day work. Where management lays down safety rules, it must also ensure that they are carried out. We believe that to this end considerable formality is essential in relation to such matters as permits to work and clearance certificates to enter vessels or plant areas. In order to keep strong control in the plant, the level of authority for authorisations must be clearly defined. Similarly the level of authority for technical approval for any plant modification must also be clearly defined. To avoid the danger of systems and procedures being disregarded, there should be a requirement for a periodic form of audit of them. [aa]
The ACMH's second report (1979) rejected criticisms that since accidents causing multiple fatalities were associated with extensive and expensive plant damage the operators of major hazard sites had every incentive to avoid such accidents and so it was excessive to require major hazard sites to demonstrate their safety to a government body in such detail:
We would not contest that the best run companies achieve high standards of safety, but we believe this is because they have .... achieved what is perhaps best described as technical discipline in all that they do. We believe that the best practices must be followed by all companies and that we have reached a state of technological development where it is not sufficient in areas of high risk for employers merely to demonstrate to themselves that all is well. They should now be required to demonstrate to the community as a whole that their plants are properly designed, well constructed and safely operated. [11]
The approach advocated by the ACMH was largely followed in subsequent UK legislation and regulatory action, but following the release of chlordioxins by a runaway chemical reaction at Seveso in northern Italy in July 1976, 'major hazard plants' became an EU-wide issue and the UK approach became subsumed in EU-wide initiatives (the Seveso Directive in 1982, superseded by the Seveso II Directive in 1996). A third and final report was issued when the ACMH was disbanded in 1983.
Footage of the incident appeared in the film Days of Fury (1979), directed by Fred Warshofsky and hosted by Vincent Price. [29]
A nuclear meltdown is a severe nuclear reactor accident that results in core damage from overheating. The term nuclear meltdown is not officially defined by the International Atomic Energy Agency or by the United States Nuclear Regulatory Commission. It has been defined to mean the accidental melting of the core of a nuclear reactor, however, and is in common usage a reference to the core's either complete or partial collapse.
Cyclohexane is a cycloalkane with the molecular formula C6H12. Cyclohexane is non-polar. Cyclohexane is a colourless, flammable liquid with a distinctive detergent-like odor, reminiscent of cleaning products. Cyclohexane is mainly used for the industrial production of adipic acid and caprolactam, which are precursors to nylon.
Piper Alpha was an oil platform located in the North Sea about 120 miles (190 km) north-east of Aberdeen, Scotland. It was operated by Occidental Petroleum (Caledonia) Limited (OPCAL) and began production in December 1976, initially as an oil-only platform, but later converted to add gas production.
A relief valve or pressure relief valve (PRV) is a type of safety valve used to control or limit the pressure in a system; excessive pressure might otherwise build up and create a process upset, instrument or equipment failure, explosion, or fire.
Process Safety Managementof Highly Hazardous Chemicals is a regulation promulgated by the U.S. Occupational Safety and Health Administration (OSHA). It defines and regulates a process safety management (PSM) program for plants using, storing, manufacturing, handling or carrying out on-site movement of hazardous materials above defined amount thresholds. Companies affected by the regulation usually build a compliant process safety management system and integrate it in their safety management system. Non-U.S. companies frequently choose on a voluntary basis to use the OSHA scheme in their business.
Flixborough is a village and civil parish in North Lincolnshire, England. The population at the 2011 census was 1,664. It is near the River Trent, 3 miles (5 km) north-west from Scunthorpe. The village is noted for the 1974 Flixborough disaster.
The Thermal Oxide Reprocessing Plant, or THORP, is a nuclear fuel reprocessing plant at Sellafield in Cumbria, England. THORP is owned by the Nuclear Decommissioning Authority and operated by Sellafield Ltd, the site licensee.
A chemical accident is the unintentional release of one or more hazardous chemicals, which could harm human health and the environment. Such events include fires, explosions, and release of toxic materials that may cause people illness, injury, or disability. Chemical accidents can be caused for example by natural disasters, human error, or deliberate acts for personal gain. Chemical accidents are generally understood to be industrial-scale ones, often with important offsite consequences. Unintended exposure to chemicals that occur at smaller work sites, as well as in private premises during everyday activities are usually not referred to as chemical accidents.
A Piping and Instrumentation Diagram is a detailed diagram in the process industry which shows process equipment together with the instrumentation and control devices. It is also called as mechanical flow diagram (MFD).
The Texas City refinery explosion occurred on March 23, 2005, when a flammable hydrocarbon vapor cloud ignited and violently exploded at the isomerization process unit of the BP oil refinery in Texas City, Texas, killing 15 workers, injuring 180 others and severely damaging the refinery. All the fatalities were contractors working out of temporary buildings located close to the unit to support turnaround activities. Property loss was $200 million. When including settlements, costs of repairs, deferred production, and fines, the explosion is the world's costliest refinery accident.
In the chemical and process industries, a process has inherent safety if it has a low level of danger even if things go wrong. Inherent safety contrasts with other processes where a high degree of hazard is controlled by protective systems. As perfect safety cannot be achieved, common practice is to talk about inherently safer design. “An inherently safer design is one that avoids hazards instead of controlling them, particularly by reducing the amount of hazardous material and the number of hazardous operations in the plant.”
The 2001 Humber Refinery explosion was a major incident at the then Conoco-owned Humber Refinery at South Killingholme in North Lincolnshire, England. A large explosion occurred on the Saturate Gas Plant area of the site on Easter Monday, 16 April 2001 at approximately 2:20 p.m. There were no fatalities, but two people were injured.
Process safety is an interdisciplinary engineering domain focusing on the study, prevention, and management of large-scale fires, explosions and chemical accidents in process plants or other facilities dealing with hazardous materials, such as refineries and oil and gas production installations. Thus, process safety is generally concerned with the prevention of, control of, mitigation of and recovery from unintentional hazardous materials releases that can have a serious effect to people, plant and/or the environment.
Francis Pearson Lees, usually known as Frank Lees, was a chemical engineer and a professor at Loughborough University who is noted for his contribution to the field of industrial safety.
The San Juanico disaster involved a series of fires and explosions at a liquefied petroleum gas (LPG) tank farm in the settlement of San Juan Ixhuatepec, a municipality of Tlalnepantla de Baz, State of Mexico, Mexico, on 19 November 1984. The facility and the settlement, part of Greater Mexico City, were devastated, with 500–600 victims killed, and 5000–7000 suffering severe burns. It is one of the deadliest industrial disasters in world history, and the deadliest industrial accident involving fires and/or explosions from hazardous materials in a process or storage plant since the Oppau explosion in 1921.
Hydrogen safety covers the safe production, handling and use of hydrogen, particularly hydrogen gas fuel and liquid hydrogen. Hydrogen possesses the NFPA 704's highest rating of four on the flammability scale because it is flammable when mixed even in small amounts with ordinary air. Ignition can occur at a volumetric ratio of hydrogen to air as low as 4% due to the oxygen in the air and the simplicity and chemical properties of the reaction. However, hydrogen has no rating for innate hazard for reactivity or toxicity. The storage and use of hydrogen poses unique challenges due to its ease of leaking as a gaseous fuel, low-energy ignition, wide range of combustible fuel-air mixtures, buoyancy, and its ability to embrittle metals that must be accounted for to ensure safe operation.
Boiling water reactor safety systems are nuclear safety systems constructed within boiling water reactors in order to prevent or mitigate environmental and health hazards in the event of accident or natural disaster.
The Deepwater Horizon investigation included several investigations and commissions, among others reports by National Incident Commander Thad Allen, United States Coast Guard, National Commission on the BP Deepwater Horizon Oil Spill and Offshore Drilling, Bureau of Ocean Energy Management, Regulation and Enforcement, National Academy of Engineering, National Research Council, Government Accountability Office, National Oil Spill Commission, and Chemical Safety and Hazard Investigation Board.
The Fukushima Daiichi reactor, was 1 out of 4 reactors seriously affected during the Fukushima Daiichi nuclear disaster on 11 March 2011. Overall, the plant had 6 separate boiling water reactors originally designed by General Electric (GE), and maintained by the Tokyo Electric Power Company (TEPCO). In the aftermath, Unit 3 experienced hydrogen gas explosions and suffered a partial meltdown, along with the other two reactors in operation at the time the tsunami struck. Reactor 4 had been de-fueled while 5 and 6 were in cold shutdown for planned maintenance.
The Williams Olefins Plant explosion occurred on June 13, 2013 at a petrochemical plant located in Geismar, an unincorporated and largely industrial area 20 miles (32 km) southeast of Baton Rouge, Louisiana. Two workers were killed and 114 injured. The U.S. Occupational Safety and Health Administration (OSHA) and the U.S. Chemical Safety and Hazard Investigation Board (CSB) launched investigations to determine how and why the heat exchanger failed. The Chemical Safety Board concluded that a standby heat exchanger had filled with hydrocarbon. This heat exchanger was isolated from its pressure relief; shortly after the heat exchanger was heated with hot water, the hydrocarbon flashed to vapor, ruptured the heat exchanger, and exploded.
{{cite web}}
: CS1 maint: numeric names: authors list (link)