Case History: Explosions at a Refinery Due to Inadequate Process Safety Culture

A very large oil refinery experienced a series of explosions in March 2005, leading to 15 fatalities and 180 injuries. The dollar losses were also significant: $1.6 billion to compensate victims, a fine of $87 million from the U.S. Occupational Safety and Health Administration (OSHA), and a $50 million fine for violations of environmental regulations.

This incident was due to a major tower release of gasoline that resulted in a vapor cloud explosion.³ The discharge from a relief flowed to a disposal system with an atmospheric vent, expelling the material to the atmosphere. The U.S. Chemical Safety Board (CSB) found that the company’s inadequate process safety culture was the root cause of this incident, which resulted in many fatalities and large facility and environmental losses.⁴ See Section 1-3.

³“Texas City Refinery.” 2017. http://en.wikipedia.org/wiki/Texas_City_Refinery_(BP)#Legal_action.

⁴“BP Texas City Incident: Baker Review.” www.hse.gov.uk/leadership/bakerreport.pdf.

The CSB found that the company had (1) a work environment that encouraged operations personnel to deviate from established procedures, (2) a lack of emphasis on effective communication for shift changes and hazardous operations, (3) ineffective supervisory oversight and technical assistance during unit startup, (4) insufficient staffing, (5) inadequate operator training, and (6) a failure to establish safe operating limits.

Case History: Dust Explosions at a Pharmaceutical Plant Due to Inadequate Training on the Use of Standards

In January 2003, an explosion in a pharmaceutical plant killed 6 employees and injured 38, including 2 fire fighters who responded to the incident.⁵ Primary and secondary dust explosions ignited fires throughout the facility.

⁵“Dust Explosion at West Pharmaceutical Services.” 2017. www.csb.gov/assets/document/West_Digest.pdf.

The CSB investigation found that a major dust hazard had developed in the plant over a period of years.⁶ Combustible dust had accumulated on hidden surfaces above the production area, creating the fuel for the massive explosions and fires. Due to a poor design of the ventilation system, the dust was drawn above a false ceiling where the dust accumulated. The dust gradually accumulated to a thickness of about one-half inch on the ceiling tiles.

⁶Center for Chemical Process Safety. Introduction to Process Safety for Undergraduates and Engineers (New York, NY: American Institute of Chemical Engineers, 2016), p. 16.

The root cause of the incident was a lack of compliance with standards. The designers and operators were inadequately trained in compliance to standards. Several organizations provide readily available standards to identify and control hazards due to dusts.

Case History: An Explosion of a Blender Due to Inadequate Knowledge of Chemical Process Safety

In April 1995, a blender containing a mixture of reactive chemicals exploded at a specialty chemical plant in Lodi, New Jersey.⁷ Five employees were killed, and more were injured. Property damage was about $20 million. Three hundred residents of the neighboring community were evacuated, and other businesses in the area were destroyed. The cause of the incident was the inadvertent addition of water to a water-activated reactive chemical. The root cause was the lack of process safety competency since the operators were not aware of this hazard and did not have the correct information to handle it properly.

⁷“EPA/OSHA Joint Chemical Accident Investigation Report.” https://archive.epa.gov/emergencies/docs/chem/web/pdf/napp.pdf.

Case History: A Fatality in a Ribbon Blender Due to an Inadequate Lock-Out/Tag-Out Permit System

Two maintenance workers were replacing part of a ribbon in a large ribbon mixer.⁸ The main switch was left energized; the mixer was stopped with one of three start–stop buttons. As one mechanic was completing his work inside the mixer, another operator on an adjoining floor pushed, by mistake, one of the other start–stop buttons. The mixer started, killing the mechanic between the ribbon flight and the shell of the vessel.

⁸Case Histories of Accidents in the Chemical Industry, Vol. 2 (Washington, DC: Manufacturing Chemists’Association, January 1969), p. 225.

Lock-out/tag-out (LOTO) procedures were developed to prevent incidents of this kind. A padlocked switch at the starter box disconnect, with the key in the mechanic’s pocket, can prevent this type of incident. After the switch gear lock-out, the mechanic should also verify the dead circuit by testing all switches. The root cause of this incident was a lack of workplace involvement, since other workers in adjacent areas were not aware of how their operations might affect other units.

Case History: Increased Consequences in an Adjacent Community Due to Inadequate Outreach

In December 2007, an explosion of a 2450-gallon chemical reactor killed 4 four employees and injured 32, including 4 employees and 28 members of the public who were working in adjacent companies. The explosion damaged buildings within one-quarter mile of the facility. It occurred during the production of the 175th batch of MCMT, a gasoline additive. The direct cause of this incident was a loss of sufficient cooling during the reaction process, which resulted in an uncontrolled runaway reaction leading to excessive temperatures and pressures.⁹ Adjacent companies were not aware of the hazards associated with this operation and did not have proper protection or emergency response.

⁹T2 Laboratories. “Runaway Reaction.” 2017. http://www.csb.gov/t2-laboratories-inc-reactive-chemicalexplosion/.

Case History: A Runaway Reaction and Explosion Due to Inadequate Process Knowledge Management

The previous case history on stakeholder outreach is also relevant to this element. The CSB found that the company’s management (including one chemist and one chemical engineer) did not understand the runaway reaction hazards associated with producing MCMT. The major technical deficiencies were the dependence on a single temperature controller and an undersized pressure relief. These professionals did not understand and appreciate the importance of redundant controls when controlling potential runaway reactions, nor did they have the necessary knowledge regarding properly sizing pressure relief for runaway reactions. Three of the engineers who designed this plant had MS degrees in chemical engineering, but no industrial experience or education on process hazards and their control. The CSB recommended that undergraduate programs in chemical engineering include hazard recognition as part of the curriculum.

Case History: A Chemical Release and Fire Due to Inadequate Identification of Brittle Metal Failure

In September 1998, a gas plant at Longford in Victoria, Australia, suffered a major fire.^10-12 Two men were killed and the state’s gas supply was interrupted for two weeks, causing chaos in the local industry and considerable hardship in homes that were dependent on the plant’s gas. A valve on a warm liquid (known as the “lean oil”) failed to close, allowing a metal heat exchanger to become very cold and therefore brittle. When operators reintroduced the warm lean oil, the cold metal fractured and released a large quantity of gas that found an ignition source. In 2004, the company was ordered to distribute $32.5 million to businesses that suffered property damage during this incident. The major reason for this incident was the lack of hazard identification and risk analysis. A risk study was planned for three years prior to this incident but not conducted.

¹⁰A. Hopkins. “Lessons from Esso’s Gas Plant Explosion at Longford.” 2017. http://www.futuremedia.com.au/docs/Lessons%20from%20Longford%20by%20Hopkins.PDF.

¹¹Center for Chemical Process Safety. Introduction to Process Safety for Undergraduates and Engineers (New York, NY: American Institute of Chemical Engineers, 2016), p. 22.

¹²Wikipedia. “Esso Longford gas explosion.” 2017. https://en.wikipedia.org/wiki/Esso_Longford_gas_explosion.

Case History: A Fatality from a Runaway Reaction Due to Inadequate Training on the Use of Procedures

In August 1997, a plant experienced a runaway reaction with a phenol–formaldehyde polymerization reactor.¹³ The result was one fatality and seven injuries, along with environmental damage. The runaway reaction was triggered when, contrary to standard operating procedures, all the raw materials and catalyst were charged to the reactor at once, resulting in all the charged material reacting almost instantaneously. The procedure correctly specified the use of a semi-batch reaction procedure in which the reactants are added slowly to the reactor, controlling the rate of heat release. The root cause of this incident was the lack of administrative controls to ensure that operators are trained to use standard operating procedures appropriately.

¹³Environmental Protection Agency. How to Prevent Runaway Reactions, Report 550-F99-004. August 1999. www.epa.gov.

Case History: Runaway Reaction and Explosion Due to Inadequate Procedures

A plant manufactured a dye by mixing and reacting two chemicals.¹⁴ On April 8, 1998, a runaway reaction caused an explosion and flash fires that injured nine workers. The resulting high temperature led to a secondary runaway decomposition reaction, causing the explosion. The runaway reaction was triggered by starting the reaction at a temperature higher than specified in the normal operating procedure. In scaling up the process from the laboratory phase to production scale, this company also changed the process from a semi-batch process to a batch process. Operating procedures were inadequate—that is, they did not cover the safety consequences of deviations from normal operating limits, such as runaway reactions, or specify steps to be taken to avoid or recover from such deviations.

¹⁴U.S. Chemical Safety Board. Chemical Manufacturing Incident, Report 1998-06-I-NY. www.chemsafety.gov/reports/2000/morton/index.htm.

Case History: An Explosion Due to a Missing Hot-Work-Permit System

On July 17, 2001, an explosion occurred at a plant in Delaware City, Delaware.^{15, 16} A crew was welding a grating on a catwalk in a sulfuric acid storage tank farm when a spark from the welding ignited flammable vapors in one of the adjacent storage tanks. A maintenance contractor was killed, and eight others were injured. The incident also resulted in significant damage to nearby aquatic life.

¹⁵“Motiva Enterprises Accident.” 2001. http://www.csb.gov/assets/1/19/Motiva_Final_Report.pdf.

¹⁶Center for Chemical Process Safety. Introduction to Process Safety for Undergraduates and Engineers (New York, NY: American Institute of Chemical Engineers, 2016), p. 26.

This incident was the result of inadequate safe work practices—in particular, no hot work permit to control ignition sources. Hazards in areas adjacent to the welding should have been identified, evaluated, and controlled prior to the start of the welding.

Case History: A Catastrophic Pipe Rupture Due to an Inadequate Asset Integrity Program

On August 6, 2012, a refinery in Richmond, California, experienced a catastrophic pipe rupture.¹⁷ The ruptured 8-inch pipe released flammable light gas oil, which then partially vaporized into a large vapor cloud. Two minutes following the release, an explosion occurred. Six employees suffered minor injuries during the incident and subsequent emergency response efforts. Approximately 15,000 people from the surrounding communities sought medical treatment at nearby medical facilities. The rupture was due to the failure of a short pipe section due to a corrosion mechanism known as sulfidation corrosion. The plant was aware of the hazard and did have an ultrasonic testing program to measure pipe wall thicknesses. However, the pipe that failed was a short length that was not tested.

¹⁷Chevron U.S.A. 2017. file:///C:/Users/Owner/Downloads/Chevron_Final_Investigation_Report_2015-01-28%20(1).pdf.

The main cause of this incident was the failure of the plant’s program for verifying asset integrity and reliability.

Case History: Fire and Fatalities in a Tunnel Due to Poor Management of Contractors

On October 2, 2007, five people were killed and three others injured when a chemical fire occurred 1000 feet underground in a tunnel. The fire started when industrial painting contractors were recoating a portion of an enclosed tunnel with a highly flammable epoxy coating product. The fire trapped five workers who were killed by smoke inhalation inside the tunnel. The CSB report¹⁸ stated that contractors did not receive comprehensive formal safety training—specifically, training on company policies and practices, site-specific instruction addressing confined space safety, and the handling of flammable liquids.

¹⁸U.S. Chemical Safety and Hazard Investigation Board. “Contractor Safety Digest.” 2018.

Case History: An LPG Leak and BLEVE Due to Inadequate Training

On January 4, 1966, operators were attempting to drain water out of the bottom of a liquid propane tank.^19,20 They partially opened two valves in series at the bottom of the tank. As a result of propane evaporation, the temperature was cold enough to freeze open both valves. The subsequent continuous release of liquified petroleum gas (LPG) caught fire and created conditions for a boiling liquid expanding vapor explosion (BLEVE), and a large explosion occurred. Eighteen people were killed and 81 were injured. The major cause of the incident was the lack of training and performance assurance: The operators were not trained to properly handle this situation.

¹⁹Center for Chemical Process Safety. Introduction to Process Safety for Undergraduates and Engineers (New York, NY: American Institute of Chemical Engineers, 2016), p. 32.

²⁰“Fire and Explosion of LPG Tanks at Feysin, France.” 2017. http://www.sozogaku.com/fkd/en/hfen/HC1300001.pdf.

Case History: An Explosion Due to Missing Management of Change Procedure

An incident occurred in Flixborough, England, on June 1, 1974.²¹ The Flixborough plant produced caprolactam, a basic raw material for the production of nylon. The process in which the incident occurred consisted of six reactors in series. In these reactors, cyclohexane was oxidized to cyclohexanone and then to cyclohexanol using injected air in the presence of a catalyst. Prior to this incident, it was discovered that the fifth reactor needed to be removed due to a crack in the vessel wall. It was decided to continue operating by connecting reactor 4 directly to reactor 6 in the series. The connection was made temporarily with readily available 20-inch pipe stock and with flexible bellows sections at both ends.

²¹“Flixborough Explosion 1st June 1974.” http://www.hse.gov.uk/comah/sragtech/caseflixboroug74.htm.

This temporary piping also had an inadequate support that allowed flexing as a result of internal fluctuating reactor pressures. After a short period, the bypass connection failed. An estimated 30 tons of cyclohexane volatilized and formed a large vapor cloud; this cloud was then ignited by an unknown source. The resulting explosions leveled the entire plant. Twenty-eight people died, and 36 others were injured. The major cause of this incident was the lack of using a management of change (MOC) safety procedure. The design for the temporary pipe section was drawn on the floor of the machine shop without further review.

Case History: A Fatality in a Ribbon Blender Due to an Inadequate Pre-Startup Safety Review

This case history is the same as that in Section 14-4 for workplace involvement. In this case history, a ribbon blender was being repaired by a maintenance worker inside the unit. The blender was activated by another operator on another floor. This case highlights additional requirements before startups to ensure that the system is safe prior to startup.

Oftentimes inadequacies in two or more RBPS elements are needed to initiate incidents. In the ribbon blender incident, the fatality could have been prevented with the adequate practices of any one of the following three RBPS elements: safe work practices (use the LOTO practice to prevent startup problems), workplace involvement (include workers in reviews and decisions to emphasize practices to protect their safety), and operational readiness (walk the line to identify pre-startup problems before initiating startup).

Case History: Explosions in a Refinery Due to Inadequate Conduct of Operations

On January 21, 1997, an explosion and fire occurred at the hydrocracker unit of a refinery in Martinez, California, resulting in one death, 46 worker injuries, and precautionary sheltering-in-place for the surrounding community.^22,23 The incident involved the release and autoignition of a mixture of flammable hydrocarbons and hydrogen that were under high temperature and pressure. An overheated pipe ruptured.

²²“EPA Report: Tosca Avon Refinery in Martinez, California.” November 1998.

²³Center for Chemical Process Safety. Introduction to Process Safety for Undergraduates and Engineers (New York, NY: American Institute of Chemical Engineers, 2016), p. 37.

Prior to the incident, a temperature excursion occurred, but readings were ignored because temperature readings were historically unreliable. Radio communications from the field were ignored because they were routinely inaudible. The operators continued to run the plant, even when the process information was unreliable.

Case History: A Toxic Release Due to Inadequate Conduct of Operations

On December 3, 1984, a pesticide plant in Bhopal, India, released an estimated 40 metric tons of methyl isocyanate (MIC) into the atmosphere.^{24, 25} An estimated 3000 local community residents died, and more than 10,000 were injured.

²⁴ Wikipedia. “Bhopal disaster.” https://en.wikipedia.org/wiki/Bhopal_disaster.

²⁵Center for Chemical Process Safety. Introduction to Process Safety for Undergraduates and Engineers (New York, NY: American Institute of Chemical Engineers, 2016), p. 110.

The Bhopal incident was caused by water entering a MIC storage tank. This influx led to an exothermic reaction between the MIC and water, heating the contents, causing the pressure to increase, and releasing the MIC vapor.

Significant maintenance deficiencies contributed to this release: (1) a failed pressure and temperature alarm on the storage tank could have initiated corrective actions; (2) a refrigeration system that was not in operation on the storage tank could have prevented or mitigated the accumulated heat and the magnitude of the release; (3) a relief vent scrubber was not operating and could have absorbed the MIC; (4) an existing flare that would have burned the exiting MIC was not operating; and (5) a water curtain at the exit of the flare was not designed correctly to absorb the gas from the flare. These were all conduct of operations issues.

Case History: An Ammonium Nitrate Explosion Due to Inadequate Emergency Management

On April 16, 1947, a large explosion occurred in a cargo ship containing 1400 tons of ammonium nitrate.^{26, 27} A fire occurred, possibly caused by a cigarette, and the fire was not properly extinguished. The resulting explosion killed 581 people, including all but one member of the Texas City fire department. The root cause of the incident was attributed to a grossly deficient emergency management plan. The fire fighters were not aware of the hazards of ammonium nitrate and were not trained to properly handle the situation.

²⁶“Texas City Disaster.” https://en.wikipedia.org/wiki/Texas_City_disaster.

²⁷Center for Chemical Process Safety. Introduction to Process Safety for Undergraduates and Engineers (New York, NY: American Institute of Chemical Engineers, 2016), p. 38.

Case History: An Explosion in a Pesticide Plant Due to Inadequate Emergency Management

On August 28, 2008, a large explosion occurred that killed 2 people and injured 8; 40,000 area residents were requested to shelter-in-place following the event.^{28, 29} A root cause was poor emergency management due to poor communications between the plant, responders, and community leaders. During the incident, the company refused to share critical safety information with the surrounding community. The CSB investigation found that operators were poorly trained, startup procedures were inadequate, and operators, with management approval, bypassed a critical control loop that resulted in a violent runaway reaction.

²⁸“Animation of Bayer Crop Science Pesticide Waste Tank Explosion” [Video]. https://www.csb.gov/videos/.

²⁹“CSB Issues Report on 2008 Bayer Crop Science Explosion: Finds Multiple Deficiencies Led to RunawayChemical Reaction; Recommends State Create Chemical Plant Oversight Regulation.” https://www.csb.gov/csbissues-report-on-2008-bayer-cropscience-explosion-finds-multiple-deficiencies-led-to-runaway-chemical-reactionrecommends-state-create-chemical-plant-oversight-regulation/.

Case History: Space Shuttle Fatalities Caused by Inadequate Incident Investigations

On January 16, 2003, a space shuttle had an in-flight failure that resulted in the deaths of the seven-member crew.³⁰ The root cause of this incident was the failure to adequately investigate abnormal results in previous space shuttle flights.

³⁰“Columbia Accident Investigation Board Report.” http://s3.amazonaws.com/akamai.netstorage/anon.nasa-global/CAIB/CAIB_lowres_full.pdf.

Case History: Explosions in a Sugar Refinery Due to Inadequate Incident Investigations

On February 7, 2008, huge explosions and fires occurred at a sugar refinery, causing 14 deaths and injuring 38 workers.^{31, 32} The company had not taken effective actions over many years to control dust explosion hazards—even as smaller fires and explosions continued to occur in its plants. The company clearly had an inadequate incident investigation process that should have identified and eliminated the causes of these previous incidents, including managed follow-up actions to ensure recommendations were completed. Correcting the causes of the previous incidents would have prevented this incident.

³¹“Imperial Sugar Company Dust Explosion and Fire.” https://www.csb.gov/imperial-sugar-companydust-explosion-and-fire/.

³²“CSB Report: Sugar Dust Explosion and Fire.” https://www.csb.gov/assets/1/20/imperial_sugar_report_final_updated.pdf?13902.

The facility management was aware of sugar dust explosion hazards, the importance of properly designed dust-handling equipment and good housekeeping practices to minimize dust accumulation. However, management did not take appropriate actions to minimize and control sugar dust hazards. A root cause of this incident was the failure to adequately investigate incidents and eliminate abnormal results that had caused previous incidents.

Case History: Flight Failure of Mars Orbiter Due to Inadequate Analysis of Flight Path Deviations

On September 23, 1999, the Mars Climate Orbiter was lost during its attempt to enter into orbit around Mars.³³ During the nine-month flight, the flight path had to be adjusted ten times. The navigation team recognized that the results of the maneuvers were not mathematically accurate; that is, actual results were not as predicted. After the incident they discovered that one of the maneuvering calculations was done using the wrong units—specifically, English units versus SI units. The incident could have been prevented if the team had evaluated the reasons for the abnormal deviations during the flight. The purpose of the measurement and metrics element is to identify process problems while operating a plant and adjust performance to prevent incidents. This deficiency was the major cause of the Mars Climate Orbiter incident.

³³“Mars Mishap Investigation Board Report.” http://sunnyday.mit.edu/accidents/MCO_report.pdf.

Case History: Explosions in an Oil Refinery Due to Inadequate Focus on Process Safety Metrics

On March 23, 2005, an incident occurred during the startup of a refinery’s octane-boosting isomerization unit.^{34, 35} Explosions and fires killed 15 people and injured another 180, alarmed the community, and resulted in financial losses exceeding $1.5 billion. A tower was overfilled and a pressure relief device opened, resulting in a flammable liquid geyser from a stack that was not equipped with a flare. The release of flammables led to an explosion and fire. All of the fatalities occurred in or near office trailers located close to the stack.

The company had responded to previous incidents with a variety of metrics aimed at improving safety. However, the focus of these initiatives was on improving procedural compliance and reducing occupational injury rates, while catastrophic safety risks remained unaddressed. Unsafe and antiquated equipment designs were left in place, and unacceptable deficiencies in preventive maintenance were tolerated. The company’s focus was on slips, trips, and falls, rather than management systems, equipment design, and preventive maintenance programs to prevent the risk of major process accidents.

³⁴“CSB Investigation of BP Texas City Refinery Disaster Continues as Organizational Issues Are Probed.”

https://www.csb.gov/csb-investigation-of-bp-texas-city-refinery-disaster-continues-as-organizational-issues-areprobed/.

³⁵“BP Refinery Explosion and Fire.” file:///C:/Users/Owner/Downloads/CSBFinalReportBP%20(1).pdf.

Case History: Explosion in a Gas Plant Due to an Inadequate Audit of Asset Integrity and Reliability

This is the same case history used in Section 14-7 on hazard identification and risk assessment. Following the Longford explosion, the Australian Royal Commission criticized the company’s management system and its auditing process.³⁶ Although the company completed an audit of its management system one year before the incident, the audit failed to uncover the fact that the critical hazard identification procedure (HAZOP) had not been carried out. The audit also failed to identify the problems that caused this explosion.

³⁶A. Hopkins. “Lessons Learned from the Longford Explosion.” http://www.futuremedia.com.au/docs/Lessons%20from%20Longford%20by%20Hopkins.PDF.

Case History: An Explosion Due to the Failure of Many RBPS Elements

The incident presented in Section 14-9 on operating procedures had failures in other RBPS elements, including management of change, asset integrity and reliability, and operating procedures.^{37, 38}

³⁷Chemical Safety Board Investigations. http://www.csb.gov/investigations/completed-investigations/?Type=2.

³⁸Chemical Safety Board Video Room. http://www.csb.gov/videos/.