Flixborough disaster

The Flixborough disaster was an explosion at a chemical plant close to the village of Flixborough, North Lincolnshire, England on Saturday, 1 June 1974. It killed 28 people and seriously injured 36 out of a total of 72 people on site at the time. The casualty figures could have been much higher if the explosion had occurred on a weekday, when the main office area would have been occupied.[1][2] A contemporary campaigner on process safety wrote "the shock waves rattled the confidence of every chemical engineer in the country".[3][upper-alpha 1]

Memorial to those who died in the disaster

The disaster involved (and may well have been caused by) a hasty modification. There was no on-site senior manager with mechanical engineering expertise (virtually all the plant management had chemical engineering qualifications); mechanical engineering issues with the modification were overlooked by the managers who approved it, nor was the severity of the potential consequences of its failure appreciated.

Flixborough led to a widespread public outcry over process safety. Together with the passage of the UK Health and Safety at Work Act in the same year, it led to (and is often quoted in justification of) a more systematic approach to process safety in UK process industries. UK government regulation of plant processing or storing large inventories of hazardous materials is currently under the Control of Major Accident Hazards Regulations 1999 (COMAH). In Europe, the Flixborough disaster and the Seveso disaster in 1976 led to development of the Seveso Directive in 1982 (currently Directive 2012/18/EU issued in 2012).

Overview

Another view of the memorial

The chemical works, owned by Nypro UK (a joint venture between Dutch State Mines (DSM) and the British National Coal Board (NCB)) had originally produced fertiliser from by-products of the coke ovens of a nearby steelworks. Since 1967, it had instead produced caprolactam, a chemical used in the manufacture of nylon 6.[lower-alpha 1] The caprolactam was produced from cyclohexanone. This was originally produced by hydrogenation of phenol, but in 1972 additional capacity was added, built to a DSM design in which hot liquid cyclohexane was partially oxidised by compressed air. The plant was intended to produce 70,000 tpa (tons per annum) of caprolactam but was reaching a rate of only 47,000 tpa in early 1974. Government controls on the price of caprolactam put further financial pressure on the plant.[2]

It was a failure of the cyclohexane plant that led to the disaster. A major leak of liquid from the reactor circuit caused the rapid formation of a large cloud of flammable hydrocarbon. When this met an ignition source (probably a furnace at a nearby hydrogen production plant[upper-alpha 2]) there was a massive fuel-air explosion. The plant control room collapsed, killing all 18 occupants. Nine other site workers were killed, and a delivery driver died of a heart attack in his cab. Fires started on-site which were still burning ten days later. Around 1,000 buildings within a mile radius of the site (in Flixborough itself and in the neighbouring villages of Burton upon Stather and Amcotts) were damaged, as were nearly 800 in Scunthorpe (three miles away); the blast was heard over thirty miles away in Grimsby and Hull. Images of the disaster were soon shown on television, filmed by BBC and Yorkshire Television filmstock news crews who had been covering the Appleby-Frodingham Gala in Scunthorpe that afternoon.

The plant was re-built but cyclohexanone was now produced by hydrogenation of phenol (Nypro proposed to produce the hydrogen from LPG;[7] in the absence of timely advice from the Health and Safety Executive (HSE) planning permission for storage of 1200 te LPG at Flixborough was initially granted subject to HSE approval, but HSE objected[8]); as a result of a subsequent collapse in the price of nylon it closed down a few years later. The site was demolished in 1981, although the administration block still remains. The site today is home to the Flixborough Industrial Estate, occupied by various businesses and Glanford Power Station.

The foundations of properties severely damaged by the blast and subsequently demolished can be found on land between the estate and the village, on the route known as Stather Road. A memorial to those who died was erected in front of offices at the rebuilt site in 1977. Cast in bronze, it showed mallards alighting on water. When the plant was closed, the statue was moved to the pond at the parish church in Flixborough. During the early hours of New Year's Day 1984, the sculpture was stolen. It has never been recovered but the plinth it stood on, with a plaque listing all those who died that day, can still be found outside the church.

The cyclohexane oxidation process is still operated in much the same plant design in the Far East.[4]

The disaster

The plant

In the DSM process, cyclohexane was heated to about 155 °C (311 °F) before passing into a series of six reactors. The reactors were constructed from mild steel with a stainless steel lining; when operating they held in total about 145 tonnes of flammable liquid at a working pressure of 8.6 bar gauge (0.86 MPa gauge; 125 psig).[lower-alpha 2] In each of the reactors, compressed air was passed through the cyclohexane, causing a small percentage of the cyclohexane to oxidise and produce cyclohexanone, some cyclohexanol also being produced. Each reactor was slightly (approximately 14 inches, 350 mm) lower than the previous one, so that the reaction mixture flowed from one to the next by gravity through nominal 28-inch bore (700mm DN) stub pipes with inset bellows.[upper-alpha 3] The inlet to each reactor was baffled so that liquid entered the reactors at a low level; the exiting liquid flowed over a weir whose crest was somewhat higher than the top of the outlet pipe.[9] The mixture exiting reactor 6 was processed to remove reaction products, and the unreacted cyclohexane (only about 6% was reacted in each pass) then returned to the start of the reactor loop.

Although the operating pressure was maintained by an automatically controlled bleed valve once the plant had reached steady state, the valve could not be used during start-up, when there was no air feed, the plant being pressurised with nitrogen. During start-up the bleed valve was normally isolated and there was no route for excess pressure to escape; pressure was kept within acceptable limits (slightly wider than those achieved under automatic control) by operator intervention (manual operation of vent valves). A pressure-relief valve acting at 11 kg/cm2 (11 bar; 156 psi) gauge was also fitted.

Reactor 5 leaks and is bypassed

Two months prior to the explosion, the number 5 reactor was discovered to be leaking. When lagging was stripped from it, a crack extending about 6 feet (1.8 m) was visible in the mild steel shell of the reactor. It was decided to install a temporary pipe to bypass the leaking reactor to allow continued operation of the plant while repairs were made. In the absence of 28-inch nominal bore pipe (700mm DN), 20-inch nominal bore pipe (500mm DN) was used to fabricate the bypass pipe for linking reactor 4 outlet to reactor 6 inlet. The new configuration was tested for leak-tightness at working pressure by pressurisation with nitrogen. For two months after fitting the bypass was operated continuously at temperature and pressure and gave no trouble. At the end of May (by which time the bypass had been lagged) the reactors had to be depressurised and allowed to cool in order to deal with leaks elsewhere. The leaks having been dealt with, early on 1 June attempts began to bring the plant back up to pressure and temperature.

The explosion

At about 16:53 on Saturday 1 June 1974, there was a massive release of hot cyclohexane in the area of the missing reactor 5, followed shortly by ignition of the resulting cloud of flammable vapour[upper-alpha 4] and a massive explosion[upper-alpha 5] in the plant. It virtually demolished the site. Since the accident took place at a weekend there were relatively few people on site: of those on-site at the time, 28 were killed and 36 injured. Fires continued on-site for more than ten days. Off-site there were no fatalities, but 50 injuries were reported and about 2,000 properties damaged.[lower-alpha 4]

The occupants of the works laboratory had seen the release and evacuated the building before the release ignited; most survived. None of the 18 occupants of the plant control room survived, nor did any records of plant readings. The explosion appeared to have been in the general area of the reactors and after the accident only two possible sites for leaks before the explosion were identified: "the 20 inch bypass assembly with the bellows at both ends torn asunder was found jack-knifed on the plinth beneath" and there was a 50-inch long split in nearby 8-inch nominal bore stainless steel pipework".[lower-alpha 5]

Court of Inquiry

Immediately after the accident, New Scientist commented presciently on the normal official response to such events, but hoped that the opportunity would be taken to introduce effective government regulation of hazardous process plants.

Disasters on the scale of last Saturday's tragic explosion ... at Flixborough tend to provoke a brief wave of statements that such things must never happen again. With the passage of time these sentiments are diluted into bland reports about human error and everything being well under control – as happened with the Summerland fire. In the Flixborough case, there is a real chance that the death toll could trigger meaningful changes in a neglected aspect of industrial safety.[13]

The Secretary of State for Employment set up a Court of Inquiry to establish the causes and circumstances of the disaster and identify any immediate lessons to be learned, and also an expert committee to identify major hazard sites and advise on appropriate measures of control for them. The inquiry sat for 70 days in the period September 1974 – February 1975, and took evidence from over 170 witnesses.[lower-alpha 6] In parallel, an Advisory Committee on Major Hazards was set up to look at the longer-term issues associated with hazardous process plants.

Circumstances of the disaster

The report of the court of inquiry was critical of the installation of the bypass pipework on a number of counts: although plant and senior management were chartered engineers (mostly chemical engineers), the post of Works Engineer which had been occupied by a chartered mechanical engineer had been vacant since January 1974, and at the time of the accident there were no professionally qualified engineers in the works engineering department. Nypro had recognised this to be a weakness and identified a senior mechanical engineer in an NCB subsidiary as available to provide advice and support if requested.[lower-alpha 7] At a meeting of plant and engineering managers to discuss the failure of reactor 5, the external mechanical engineer was not present. The emphasis was upon prompt restart and – the inquiry felt – although this did not lead to the deliberate acceptance of hazards, it led to the adoption of a course of action whose hazards (and indeed engineering practicalities) were not adequately considered or understood. The major problem was thought to be getting reactor 5 moved out of the way. Only the plant engineer was concerned about restarting before the reason for the failure was understood, and the other reactors inspected.[lower-alpha 8][upper-alpha 6] The difference in elevation between reactor 4 outlet and reactor 6 inlet was not recognised at the meeting. At a working level the offset was accommodated by a dog-leg in the bypass assembly; a section sloping downwards inserted between (and joined with by mitre welds) two horizontal lengths of 20-inch pipe abutting the existing 28-inch stubs. This bypass was supported by scaffolding fitted with supports provided to prevent the bellows having to take the weight of the pipework between them, but with no provision against other loadings.[upper-alpha 7] The Inquiry noted on the design of the assembly:

No-one appreciated that the pressurised assembly would be subject to a turning moment imposing shear forces on the bellows for which they are not designed. Nor did anyone appreciate that the hydraulic thrust on the bellows (some 38 tonnes at working pressure) would tend to make the pipe buckle at the mitre joints. No calculations were done to ascertain whether the bellows or pipe would withstand these strains; no reference was made to the relevant British Standard, or any other accepted standard; no reference was made to the designer's guide issued by the manufacturers of the bellows; no drawing of the pipe was made, other than in chalk on the workshop floor; no pressure testing either of the pipe or the complete assembly was made before it was fitted.[lower-alpha 9]

The Inquiry noted further that "there was no overall control or planning of the design, construction, testing or fitting of the assembly nor was any check made that the operations had been properly carried out". After the assembly was fitted, the plant was tested for leak-tightness by pressurising with nitrogen to 9 kg/cm2; i.e. roughly operating pressure, but below the pressure at which the system relief valve would lift and below the 30% above design pressure called for by the relevant British Standard.[lower-alpha 10]

Cause of the disaster

The 20-inch bypass was therefore clearly not what would have been produced or accepted by a more considered process, but controversy developed (and became acrimonious) as to whether its failure was the initiating fault in the disaster (the 20-inch hypothesis, argued by the plant designers (DSM) and the plant constructors; and favoured by the court's technical advisers[3]), or had been triggered by an external explosion resulting from a previous failure of the 8-inch line (argued by experts retained by Nypro and their insurers[3]).

The 20-inch hypothesis

Tests on replica bypass assemblies showed that deformation of the bellows could occur at pressures below the safety valve setting, but that this deformation did not lead to a leak (either from damage to the bellows or from damage to the pipe at the mitre welds) until well above the safety valve setting. However theoretical modelling suggested that the expansion of the bellows as a result of this would lead to a significant amount of work being done on them by the reactor contents, and there would be considerable shock loading on the bellows when they reached the end of their travel. If the bellows were 'stiff' (resistant to deformation), the shock loading could cause the bellows to tear at pressures below the safety valve setting; it was not impossible that this could occur at pressures experienced during start-up, when pressure was less tightly controlled. (Plant pressures at the time of the accident were unknown since all relevant instruments and records had been destroyed, and all relevant operators killed).[lower-alpha 11] The Inquiry concluded that this ("the 20-inch hypothesis") was 'a probability' but one 'which would readily be displaced if some greater probability' could be found.[lower-alpha 12]

The 8-inch hypothesis

Detailed analysis suggested that the 8-inch pipe had failed due to "creep cavitation" at a high temperature while the pipe was under pressure. Failure had been accelerated by contact with molten zinc; there were indications that an elbow in the pipe had been at significantly higher temperature than the rest of the pipe.[lower-alpha 13] The hot elbow led to a non-return valve held between two pipe flanges by twelve bolts. After the disaster, two of the twelve bolts were found to be loose; the inquiry concluded that they were probably loose before the disaster. Nypro argued that the bolts had been loose, there had consequently been a slow leak of process fluid onto lagging leading eventually to a lagging fire, which had worsened the leak to the point where a flame had played undetected upon the elbow, burnt away its lagging and exposed the line to molten zinc, the line then failing with a bulk release of process fluid which extinguished the original fire, but subsequently ignited giving a small explosion which had caused failure of the bypass, a second larger release and a larger explosion. Tests failed to produce a lagging fire with leaked process fluid at process temperatures; one advocate of the 8-inch hypothesis then argued instead that there had been a gasket failure giving a leak with sufficient velocity to induce static charges whose discharge had then ignited the leak.[upper-alpha 8]

The inquiry conclusion

The 8-inch hypothesis was claimed to be supported by eyewitness accounts and by the apparently anomalous position of some debris post-disaster. The inquiry report took the view that explosions frequently throw debris in unexpected directions and eyewitnesses often have confused recollections. The inquiry identified difficulties at various stages of the accident development in the 8-inch hypothesis, their cumulative effect being considered to be such that the report concluded that overall the 20-inch hypothesis involving 'a single event of low probability' was more credible than the 8-inch hypothesis depending upon 'a succession of events, most of which are improbable'.[lower-alpha 14]

Lessons to be learned

The inquiry report identified 'lessons to be learned' which it presented under various headings; 'General observation' (relating to cultural issues underlying the disaster), 'specific lessons' (directly relevant to the disaster, but of general applicability) are reported below; there were also 'general' and 'miscellaneous lessons' of less relevance to the disaster. The report also commented on matters to be covered by the Advisory Committee on Major Hazards.

General observation

  • Plant – where possible – should be designed so that failure does not lead to disaster on a timescale too short to permit corrective action.
  • Plant should be designed and run to minimise the rate at which critical management decisions arise (particularly those in which production and safety conflict).
  • Feedback within the management structure should ensure that top management understand the responsibilities of individuals and can ensure that their workload, capacity and competence allow them to effectively deal with those responsibilities

Specific lessons

The disaster was caused by 'a well designed and constructed plant' undergoing a modification that destroyed its technical integrity.

  • Modifications should be designed, constructed, tested and maintained to the same standards as the original plant

When the bypass was installed, there was no works engineer in post and company senior personnel (all chemical engineers) were incapable of recognising the existence of a simple engineering problem, let alone solving it

  • When an important post is vacant, special care should be taken when decisions have to be taken which would normally be taken by or on the advice of the holder of the vacant post
  • All engineers should learn at least the elements of branches of engineering other than their own[upper-alpha 9]

Matters to be referred to the Advisory Committee

No one concerned in the design or construction of the plant envisaged the possibility of a major disaster happening instantaneously.[upper-alpha 10] It was now apparent that such a possibility exists where large amounts of potentially explosive material are processed or stored. It was 'of the greatest importance that plants at which there is a risk of instant as opposed to escalating disaster be identified. Once identified measures should be taken both to prevent such a disaster so far as is possible and to minimise its consequences should it occur despite all precautions.'[lower-alpha 15] There should be coordination between planning authorities and the Health and Safety Executive, so that planning authorities could be advised on safety issues before granting planning permission; similarly the emergency services should have information to draw up a disaster plan.

Conclusion

The inquiry summarised its findings as follows:

We believe, however, that if the steps we recommend are carried out, the risk of any similar disaster, already remote, will be lessened. We use the phrase "already remote" advisedly for we wish to make it plain that we found nothing to suggest that the plant as originally designed and constructed created any unacceptable risk. The disaster was caused wholly by the coincidence of a number of unlikely errors in the design and installation of a modification. Such a combination of errors is very unlikely ever to be repeated. Our recommendations should ensure that no similar combination occurs again and that even if it should do so, the errors would be detected before any serious consequences ensued.[lower-alpha 16]

Response to Inquiry Report

Controversy as to immediate cause

Nypro's advisers had put considerable effort into the 8-inch hypothesis, and the inquiry report put considerable effort into discounting it. The critique of the hypothesis spilled over into criticism of its advocates: 'the enthusiasm for the 8-inch hypothesis felt by its proponents has led them to overlook obvious defects which in other circumstances they would not have failed to realise'.[lower-alpha 17] Of one proponent the report noted gratuitously that his examination by the court 'was directed to ensuring that we had correctly appreciated the main steps in the hypothesis some of which appeared to us in conflict with facts which were beyond dispute'.[lower-alpha 18] The report thanked him for his work in assembling eyewitness evidence but said his use of it showed 'an approach to the evidence which is wholly unsound'.[lower-alpha 19]

The proponent of the 8-inch gasket failure hypothesis responded by arguing that the 20-inch hypothesis had its share of defects which the inquiry report had chosen to overlook, that the 8-inch hypothesis had more in its favour than the report suggested, and that there were important lessons that the inquiry had failed to identify:

[T]he Court's commitment for the 20-inch hypothesis led them to present their conclusions in a way that does not help the reader to assess contrary evidence. The Court could still be right that a single unsatisfactory modification caused the disaster but this is no reason for complacency. There are many other lessons. It is to be hoped that the respect normally accorded to the findings of a Court of Inquiry will not inhibit chemical engineers in looking beyond the report in their endeavours to improve the already good safety record of the chemical industry.[6]

The HSE website currently (2014) says "During the late afternoon on 1 June 1974 a 20 inch bypass system ruptured, which may have been caused by a fire on a nearby 8-inch pipe".[1] In the absence of a strong consensus for either hypothesis other possible immediate causes have been suggested.[upper-alpha 11]

Post-enquiry forensic engineering – two-stage rupture of bypass

The enquiry noted the existence of a small tear in a bellows fragment, and therefore considered the possibility of a small leak from the bypass having led to an explosion bringing the bypass down. It noted this to be not inconsistent with eyewitness evidence, but ruled out the scenario because pressure tests showed the bellows did not develop tears until well above the safety valve pressure.[lower-alpha 20] This hypothesis has however been revived, with the tears being caused by fatigue failure at the top of the reactor 4 outlet bellows because of flow-induced vibration of the unsupported bypass line. Finite element analysis has been carried out (and suitable eyewitness evidence adduced) to support this hypothesis.[9][17]

Post-enquiry forensic engineering – the 'water hypothesis'

The reactors were normally mechanically stirred but reactor 4 had operated without a working stirrer since November 1973; free phase water could have settled out in unstirred reactor 4 and the bottom of reactor 4 would reach operating temperature more slowly than the stirred reactors. It was postulated that there had been bulk water in reactor 4 and a disruptive boiling event had occurred when the interface between it and the reaction mixture reached operating temperature. Abnormal pressures and liquor displacement resulting from this (it was argued) could have triggered failure of the 20-inch bypass.[18][upper-alpha 12][upper-alpha 13].

Dissatisfaction with other aspects of the Inquiry Report

The plant design had assumed that the worst consequence of a major leak would be a plant fire and to protect against this a fire detection system had been installed. Tests by the Fire Research Establishment had shown this to be less effective than intended.[6] Moreover, fire detection only worked if the leak ignited at the leak site; it gave no protection against a major leak with delayed ignition, and the disaster had shown this could lead to multiple worker fatalities. The plant as designed therefore could be destroyed by a single failure and had a much greater risk of killing workers than the designers had intended. Critics of the inquiry report therefore found it hard to accept its characterisation of the plant as 'well-designed'.[upper-alpha 14] The HSE (through the Department of Employment) had come up with a 'shopping list' of about 30 recommendations on plant design,[3] many of which had not been adopted (and a few explicitly rejected[lower-alpha 22]) by the Inquiry Report; the HSE inspector who acted as secretary to the inquiry spoke afterwards of making sure that the real lessons were acted upon.[6] More fundamentally, Trevor Kletz saw the plant as symptomatic of a general failure to consider safety early enough in process plant design, so that designs were inherently safe – instead processes and plant were selected on other grounds then safety systems bolted on to a design with avoidable hazards and unnecessarily high inventory. 'We keep a lion and build a strong cage to keep it in. But before we do so we should ask if a lamb might do.'[21]

If the UK public were largely reassured to be told the accident was a one-off and should never happen again, some UK process safety practitioners were less confident. Critics felt that the Flixborough explosion was not the result of multiple basic engineering design errors unlikely to coincide again; the errors were rather multiple instances of one underlying cause: a complete breakdown of plant safety procedures (exacerbated by a lack of relevant engineering expertise, but that lack was also a procedural shortcoming).[5]

ICI Petrochemicals response

The Petrochemicals Division of Imperial Chemical Industries (ICI) operated many plants with large inventories of flammable chemicals at its Wilton site (including one in which cyclohexane was oxidised to cyclohexanone and cyclohexanol). Historically good process safety performance at Wilton had been marred in the late 1960s by a spate of fatal fires caused by faulty isolations/handovers for maintenance work.[22] Their immediate cause was human error but ICI felt that saying that most accidents were caused by human error was no more useful than saying that most falls are caused by gravity.[4] ICI had not simply reminded operators to be more careful, but issued explicit instructions on the required quality of isolations, and the required quality of its documentation.[22] The more onerous requirements were justified as follows:

Why do we need the HOC[upper-alpha 15] rules on the isolation and identification of equipment for maintenance? They were introduced about 2 years ago, but Billingham managed for 45 years without them. During those 45 years there were no doubt many occasions when fitters broke into equipment and found it had not been isolated, or broke into the wrong line because it had not been identified positively. But pipe-lines were mostly small, and the amount of flammable gas or liquid on the plant was not usually large. Now pipe-lines are much larger and the amount of gas or liquid that can leak out is much greater. Several serious incidents in the last 3 years have shown that we dare not risk breaking into lines that are not properly isolated. As plants have got larger we have moved ... into a new world where new methods are needed.[23][upper-alpha 16]

In accordance with this view, post-Flixborough (and without waiting for the Inquiry Report), ICI Petrochemicals instituted a review of how it controlled modifications. It found that major projects requiring financial sanction at a high level were generally well-controlled, but for more (financially) minor modifications there was less control and this had resulted in a past history of 'near-misses' and small-scale accidents,[26] few of which could be blamed on chemical engineers.[upper-alpha 17] To remedy this, not only were employees reminded of the principal points to consider when making a modification (both on the quality/compliance of the modification itself and on the effect of the modification on the rest of the plant), but new procedures and documentation were introduced to ensure adequate scrutiny. These requirements applied not only to changes to equipment, but also to process changes. All modifications were to be supported by a formal safety assessment. For major modifications this would include an 'operability study'; for minor modifications a checklist-based safety assessment was to be used, indicating what aspects would be affected, and for each aspect giving a statement of the expected effect. The modification and its supporting safety assessment then had to be approved in writing by the plant manager and engineer. Where instruments or electrical equipment were involved signatures would also be needed from the relative specialist (instrument manager or electrical engineer). A Pipework Code of Practice was introduced specifying standards of design construction and maintenance for pipework – all pipework over 3"nb (DN 75 mm) handling hazardous material would have to be designed by pipework specialists in the design office.[26] The approach was publicised outside ICI; while the Pipework Code of Practice on its own would have combatted the fault or faults that led to the Flixborough disaster, the adoption more generally of tighter controls on modifications (and the method by which this was done) were soon recognised to be prudent good practice.[upper-alpha 18] In the United Kingdom, the ICI approach became a de facto standard for high-risk plant (partly because the new (1974) Health and Safety at Work Act went beyond specific requirements on employers to state general duties to keep risks to workers as low as reasonably practicable and to avoid risk to the public so far as reasonably practicable; under this new regime the presumption was that recognised good practice would inherently be 'reasonably practicable' and hence should be adopted, partly because key passages in reports of the Advisory Committee on Major Hazards were clearly supportive).

Advisory Committee on Major Hazards

Dissatisfaction with existing regulatory regime

The terms of reference of the Court of Inquiry did not include any requirement to comment on the regulatory regime under which the plant had been built and operated, but it was clear that it was not satisfactory. Construction of the plant had required planning permission approval by the local council; while "an interdepartmental procedure enabled planning authorities to call upon the advice of Her Majesty's Factory Inspectorate when considering applications for new developments which might involve a major hazard"[27] (there was no requirement for them to do so), since the council had not recognised the hazardous nature of the plant[3] they had not called for advice. As the New Scientist commented within a week of the disaster:

There are now probably more than a dozen British petrochemical plants with a similar devastation-potential to the Nypro works at Flixborough. Neither when they were first built, nor now that they are in operation, has any local or government agency exercised effective control over their safety. To build a nuclear power plant, the electricity industry must provide a detailed safety evaluation to the Nuclear Inspectorate before it receives a licence. On the other hand, permission for highly hazardous process plants only involves satisfying a technically unqualified local planning committee, which lacks even the most rudimentary powers once the plant goes on stream. ... The Factory Inspectorate has standing only where it has promulgated specific regulations[13]

Terms of Reference and personnel

The ACMH's terms of reference were to identify types of (non-nuclear) installations posing a major hazard, and advise on appropriate controls on their establishment, siting, layout, design, operation, maintenance and development (including overall development in their vicinity). Unlike the Court of Inquiry, its personnel (and that of its associated working groups) had significant representation of safety professionals, drawn largely from the nuclear industry and ICI (or ex-ICI)

Suggested regulatory framework

In its first report[28] (issued as a basis for consultation and comment in March 1976), the ACMH noted that hazard could not be quantified in the abstract, and that a precise definition of 'major hazard' was therefore impossible. Instead[lower-alpha 23] installations with an inventory of flammable fluids above a certain threshold or of toxic materials above a certain 'chlorine equivalent' threshold should be ' notifiable installations '. A company operating a notifiable installation should be required to survey its hazard potential, and inform HSE of the hazards identified and the procedures and methods adopted (or to be adopted) to deal with them.

HSE could then choose to – in some cases (generally involving high risk or novel technology) – require[lower-alpha 24] submission of a more elaborate assessment, covering (as appropriate) "design, manufacture, construction, commissioning, operation and maintenance, as well as subsequent modifications whether of the design or operational procedures or both". The company would have to show that "it possesses the appropriate management system, safety philosophy, and competent people, that it has effective methods of identifying and evaluating hazards, that it has designed and operates the installation in accordance with appropriate regulations, standards and codes of practice, that it has adequate procedures for dealing with emergencies, and that it makes use of independent checks where appropriate"

For most 'notifiable installations' no further explicit controls should be needed; HSE could advise and if need be enforce improvements under the general powers given it by the 1974 Health and Safety at Work Act (HASAWA), but for a very few sites explicit licensing by HSE might be appropriate;[lower-alpha 25] responsibility for safety of the installation remaining however always and totally with the licensee.

Ensuring safety of 'major hazard' installations

HASAWA already required companies to have a safety policy, and a comprehensive plan to implement it. ACMH felt that for major hazard installations[lower-alpha 26] the plan should be formal and include

  • the regulation by company procedures of safety matters (such as: identification of hazards, control of maintenance (through clearance certificates, permits to work etc.), control of modifications which might affect plant integrity, emergency operating procedures, access control)
  • clear safety roles (for e.g. the design and development team, production management, safety officers)
  • training for safety, measures to foster awareness of safety, and feedback of information on safety matters

Safety documents were needed both for design and operation. The management of major hazard installations must show that it possessed and used a selection of appropriate hazard recognition techniques,[upper-alpha 19] had a proper system for audit of critical safety features, and used independent assessment where appropriate.

The ACMH also called for tight discipline in the operation of major hazard plants:

The rarity of major disasters tends to breed complacency and even a contempt for written instructions. We believe that rules relevant to safety must be everyday working rules and be seen as an essential part of day-to-day work practice. Rules, designed to protect those who drew them up if something goes wrong, are readily ignored in day-to-day work. Where management lays down safety rules, it must also ensure that they are carried out. We believe that to this end considerable formality is essential in relation to such matters as permits to work and clearance certificates to enter vessels or plant areas. In order to keep strong control in the plant, the level of authority for authorisations must be clearly defined. Similarly the level of authority for technical approval for any plant modification must also be clearly defined. To avoid the danger of systems and procedures being disregarded, there should be a requirement for a periodic form of audit of them.[lower-alpha 27]

The ACMH's second report (1979) rejected criticisms that since accidents causing multiple fatalities were associated with extensive and expensive plant damage the operators of major hazard sites had every incentive to avoid such accidents and so it was excessive to require major hazard sites to demonstrate their safety to a government body in such detail:

We would not contest that the best run companies achieve high standards of safety, but we believe this is because they have .... achieved what is perhaps best described as technical discipline in all that they do. We believe that the best practices must be followed by all companies and that we have reached a state of technological development where it is not sufficient in areas of high risk for employers merely to demonstrate to themselves that all is well. They should now be required to demonstrate to the community as a whole that their plants are properly designed, well constructed and safely operated.[11]

The approach advocated by the ACMH was largely followed in subsequent UK legislation and regulatory action, but following the release of chlordioxins by a runaway chemical reaction at Seveso in northern Italy in July 1976, 'major hazard plants' became an EU-wide issue and the UK approach became subsumed in EU-wide initiatives (the Seveso Directive in 1982, superseded by the Seveso II Directive in 1996). A third and final report was issued when the ACMH was disbanded in 1983.

Footage of the incident appeared in the film Days of Fury (1979), directed by Fred Warshofsky and hosted by Vincent Price.[29]

gollark: > smh accidentally created a welcoming environment for trans people I guess???Don't give yourself too much credit.
gollark: θ you, jabu.
gollark: Alternatively, orbital mind scanning lasers.
gollark: There are lots of correlated sets of beliefs because politics, so leveraging those might work.
gollark: Hmmm, yes, fair.

See also

Notes

  1. Various authors[4][5] have compared it with the Tay Bridge disaster in one aspect or other
  2. the conclusion of the official Inquiry, but this has been queried, given the pattern of deposition of soot from the explosion[6]
  3. i.e. the fatal modification did not introduce the bellows (a point not always appreciated by popular retellings)
  4. or of that part of it within flammability limits. Visualisations of CFD modelling of the release showing the upper and lower flammable limit envelopes can be found in[9] for both the inquiry's favoured failure scenario and Venart's
  5. The explosion was estimated to be equivalent to 15–45 t TNT at the Inquiry.[lower-alpha 3] 16±2 t at 45 m above ground level was the best-fit estimate of[10] – the gist of their paper is given in the 2nd Report of the Advisory Committee on Major Hazards.[11] TNT equivalence is now thought less useful than more modern approaches to characterisation of vapour cloud explosions and there are no directly comparable estimates of TNT equivalence for the Buncefield event. However,[12] gives a graphical presentation of the raw data (overpressure inferred from damage vs distance from explosion source) for Flixborough (Fig 3.1.2) (in which the data is bounded by TNT equivalent curves for 11.2 t and 60t) and for the Buncefield fire (Fig 3.4.1). Flixborough gives a higher estimated over-pressure than Buncefield.
  6. A leak had developed on the air feed to the reactor, and a water spray had been put on it as a prudent precaution against hot cyclohexane reaching the leak site. The water spray had been nitrate dosed and after the crack was discovered DSM advised that nitrates were known to promote stress corrosion cracking of mild steel. There had been no similar air leaks (and consequently no similar water sprays) on the other reactors.
  7. and the pipework lifted about 6 mm at plant operating temperature because of thermal expansion of the reactors
  8. All gasket materials in the area had been destroyed by the fire, so there was no direct evidence for or against a preceding gasket fault; the plant was known to have suffered leaks elsewhere because the wrong type of gasket had been fitted.[3]
  9. More a long-term solution than an immediate lesson, but a long-held belief of the inquiry's vice-chairman Joseph Pope[14]
  10. ICI Petrochemicals Safety Newsletter 60 (January 1974)[15] summarised a published 1973 conference paper[16] as follows: Unconfined vapour cloud explosions had been experienced since the 1930s; by the early 1970s there had been about 100 known incidents, with about 5 more every year. Significant overpressures could be developed where the release was large, and ignition delayed: at Pernis in 1968 pipebridges had been blown down
  11. Press reporting of both has included the suggestion that the new hypothesis clears the dead operators of the slur of having caused the accident; in fact none of the competing theories makes that claim – unless it is felt that the inquiry report's explicit refusal to blame 'pilot error' by the dead is really an implicit invitation to others to do so
  12. Although this is not commented upon in the reference, the basic physics would suggest that interfacial boiling could be triggered not only by increasing temperature with pressure steady but also by -with temperature steady – reducing pressure e.g. by manual venting
  13. Experimental work carried out for HSE in 2000 confirmed that the vapour pressure of cyclohexane at 155oC is well below plant operating pressure; likewise that of water, but the vapour pressure of immiscible liquids is nearly additive and at operating temperature the sum of vapour pressures would exceed operating pressure – the work was not on a large enough scale to resolve whether disruptive boiling by this mechanism would have created forces large enough to fail the bypass[19]
  14. In addition, King[18] takes the crack on reactor 5 to indicate mechanical design problems: he notes that post-inquiry work on behalf of HSE showed that nitrate stress corrosion cracking only occurs in mild steel in areas subject to abnormal stress; the failure of reactor 5 therefore required not only the presence of nitrate in the cooling water, but some inadequacy in the reactor design leading to high local stress. (The crack skirted a 28" branch,[lower-alpha 21] and King is reported elsewhere[20] to have claimed an HSE source had told him that the reactors had been designed against a 9 t thrust upon these branches, not the 38t thrust the inquiry noted the bypass 'design' to have ignored)
  15. (ICI) Heavy Organic Chemicals (Division); the predecessor of ICI Petrochemicals Division
  16. The change in scale was real and much larger than anything experienced since (in 1956 a typical ethylene plant might have a capacity of 30, 000 tpa; in 1974 ICI and BP planned an ethylene plant with a capacity of 500, 000 tpa;[13] as of 2014 an 830,000 tpa unit is still one of the largest in Europe[24]) but it subsequently transpired that Billingham had had similar rules, but they had fallen into disuse[25]
  17. e.g. for one pipe work mod "the plant engineer had not considered it necessary to consult the piping experts, as the pipe was straight, without any bends... As at Flixborough there was a failure to recognise the circumstances in which expert advice should have been sought" – the problem being spotted pre-use by the traditional informal safeguard of a senior engineer walking the plant to have a look at what his subordinates were doing[26]
  18. but not necessarily best practice: some adopters of the approach have felt -or been made to feel- a danger of a group mindset where no off-plant personnel are involved (and the safety culture is not that of ICI) and therefore added a requirement for approval by a responsible person off-plant to ensure that the interests of production are not allowed to override those of safety
  19. this from para 61, where the examples given included 'operability studies'

References

Report of Court of Inquiry

  1. p 2
  2. p 3
  3. para 89 pp 13–14
  4. para 1 p 1
  5. p 14
  6. Appendix III p 50
  7. p 4
  8. paras 54–59 pp7–8
  9. p 9
  10. p 10 BS 3351
  11. pp18-19
  12. p18
  13. Appendix II pp 46–49
  14. p 32
  15. para 219 p36
  16. para 226, pp 37–38
  17. para 172 p 29
  18. para 141 p 21
  19. para 113 p17
  20. p15
  21. Plate 7
  22. para 203 p 33
  23. para 29
  24. para 31
  25. para 35
  26. paras 58-9
  27. para 63

Other references

  1. "Flixborough (Nypro UK) Explosion 1st June 1974: Accident Summary". Health and Safety Executive. Retrieved 25 June 2014.
  2. "Catastrophic explosion of a cyclohexane cloud June 1, 1974 Flixborough United Kingdom" (PDF). French Ministry of the Environment – DPPR / SEI / BARPI.
  3. Kinnersley, Patrick (27 February 1975). "What really happened at Flixborough?". New Scientist. 65 (938): 520–522. ISSN 0262-4079. Retrieved 7 July 2014.
  4. Kletz, Trevor A. (2001). Learning from Accidents, 3rd edition. Oxford U.K.: Gulf Professional. pp. 103–9. ISBN 978-0-7506-4883-7.
  5. Booth, Richard (1979). "Safety: too important a matter to be left to the engineers? Inaugural lecture given on 22 February 1979" (PDF). Retrieved 27 June 2014. (minor updating when posted on web in 2013)
  6. Cox, J I (May 1976). "Flixborough – Some Additional Lessons". The Chemical Engineer (309): 353–8. Retrieved 26 June 2014. (updated version of original article)
  7. "FLIXBOROUGH CHEMICAL PLANT (REBUILDING)". Hansard HC Deb. 959 cc179-90. 27 November 1978. Retrieved 10 July 2014.
  8. "LIQUEFIED GAS STORAGE (CANVEY ISLAND)". Hansard HC Deb. 965 cc417-30. 27 March 1979. Retrieved 10 July 2014.
  9. Venart, J E S. "Flixborough The Disaster and Its Aftermath" (PDF). Retrieved 25 June 2014.
  10. Sudee, C; Samuels, D E; O'Brien, T P (1976–77). "The characteristics of the explosion of cyclohexane at the Nypro (UK) Flixborough plant on 1st June 1974". Journal of Occupational Accidents: 203–235.
  11. Health & Safety Commission (1979). Advisory Committee on Major Hazards: Second Report. London: HMSO. ISBN 0-11-883299-9. Retrieved 7 July 2014.
  12. Bauwens, C Regis; Dorofeev, Sergey B. "Effects of the Primary Explosion Site (PES) and Bulk Cloud in VCE Prediction: A Comparison with Historical Accident" (PDF). Unpublished: presented at American Institute of Chemical Engineers 2013 Spring Meeting 9th Global Congress on Process Safety San Antonio, Texas 28 April – 1 May 2013. Retrieved 26 June 2014.
  13. Tinker, Jon (6 June 1974). "Comment: Flixborough and the Future". New Scientist. 62 (901): 590. Retrieved 8 July 2014.
  14. "Sir Joseph Pope, Engineering Pioneer". University of Nottingham.
  15. "60/6 Explosion of Clouds of Gas or Vapour in the Open Air". ICI Petrochemicals Division Safety Newsletter (60). January 1974. Retrieved 27 June 2014.
  16. Strehlow, R A (1973). "Unconfined vapour cloud explosions – an overview". Symposium (International) on Combustion. 14 (14): 1189–1200. doi:10.1016/S0082-0784(73)80107-9.
  17. Venart, J E S (2007). "Flixborough: A final footnote". Journal of Loss Prevention in the Process Industries. 20 (4): 621–643. doi:10.1016/j.jlp.2007.05.009.
  18. King, Ralph (15 January 2000). "Flixborough 25 years on". Process Engineering.
  19. Snee, T J (2001). "Interaction Between Water and Hot Cyclohexane in Closed Vessels". Process Safety and Environmental Protection. 79 (2): 81–88. doi:10.1205/09575820151095166.
  20. Mannan, Sam, ed. (2005). Lees' Loss Prevention in the Process Industry (3rd edition). Oxford: Butterworth-Heinemann. pp. 2/1–2/17 (Appendix 2: Flixborough). ISBN 9780750675550.
  21. Kletz, Trevor (April 1975). "Supplement to Safety Newsletter 75". Imperial Chemical Industries Limited Petrochemicals Division Safety Newsletter (75). Retrieved 27 June 2014. – the same thought but with the lower-risk animal a cat had appeared immediately post-Flixborough in Safety Newsletter No 67 (July 1974)
  22. Kletz, T., (2000) By Accident – a life preventing them in industry PVF Publications ISBN 0-9538440-0-5
  23. "14/8 Why Do We Need New Rules For Preparing For Maintenance". ICI Petrochemicals Division Safety Newsletter. 14. November 1969. Retrieved 10 July 2014.
  24. "Your guide to the Fife Ethylene Plant" (PDF). Esso UK Limited. Retrieved 8 July 2014.
  25. Kletz, Trevor. "15/7 COMMENTS FROM READERS". ICI Petrochemicals Division Safety Newsletter (15). Retrieved 10 July 2014.
  26. Kletz, Trevor (January 1976). "Must Plant Modifications Lead to Accidents?". Imperial Chemical Industries Limited Petrochemicals Division Safety Newsletter (83). Retrieved 1 July 2014.– reprinted, with slight modifications in Chemical Engineering Progress, Vol 2, No 11, November 1976, p. 48
  27. HC Deb 03 June 1974 vol 874 cc 867-77. "Flixborough (Explosion)". Hansard. Retrieved 8 July 2014.
  28. Health & Safety Commission (1976). Advisory Committee on Major Hazards FIRST REPORT (PDF). London: HMSO. ISBN 0-11-880884-2. Retrieved 9 July 2014.
  29. "Watch Days of Fury (1979) on the Internet Archive".

Further reading

  • Lees' Loss Prevention in the Process Industries: Hazard Identification, Assessment and Control (3rd Edition) ed Sam Mannan, Butterworth-Heinemann, 2004 ISBN 0750675551, 9780750675550

This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.