Safety in Design E-Book

Table of Contents

Cover

Preface

Acknowledgments

Chapter 1: Introduction

1.1 Introduction

1.2 Intrinsic Continuous Process Safeguarding

1.3 The Flixborough Accident in the United Kingdom in 1974

1.4 The Seveso Emission in Italy in 1976

1.5 The Bhopal Emission in India in 1984

1.6 Concluding Remarks

References

Chapter 2: Procedural, Active, and Passive Safety

2.1 Introduction

2.2 Definitions

2.3 Four Failures of Emergency Power Units

2.4 The Failure of the Blowout Preventer ( BOP ) at the Gulf Oil Explosion in 2010

2.5 The Safeguarding of Formula One Races

2.6 Dust Explosion Relief Venting

References

Chapter 3:

Safety Improvements over the Years

3.1 Introduction

3.2 Transport

3.3 Industry

3.4 Society

References

Chapter 4: Safety Aspects Need Attention

4.1 Introduction

4.2 Transport

4.3 Society

References

Chapter 5: Make Accidents and Incidents Virtually Impossible

5.1 Introduction

5.2 Transport

5.3 Society

References

Chapter 6: Design with Ample Margins

6.1 Introduction

6.2 Transport

6.3 Society

References

Chapter 7: The Risks of Enclosed Spaces

7.1 Introduction

7.2 Transport

7.3 Industry

7.4 Society

References

Chapter 8: Examples from the Chemical Industry

8.1 Introduction

8.2 Runaway Reaction at T2 Laboratories at Jacksonville, Florida in the United States in 2007

8.3 Reactions with Epoxides

8.4 Explosions at Shell Moerdijk at Moerdijk in The Netherlands in 2014

8.5 DSM Melamine Plant Explosion at Geleen in The Netherlands in 2003

8.6 Dryer Explosion in a Dow Plant at King's Lynn, Norfolk in the United Kingdom in 1976

References

Chapter 9: Gas Explosions

9.1 Introduction

9.2 Flashing Inflammable Liquids

9.3 Mexico City in 1984

9.4 Nijmegen in The Netherlands in 1978

9.5 Los Alfaques in Spain in 1978

9.6 Viareggio in Italy in 2009

9.7 A Narrow Escape at Tilburg in The Netherlands in 2015

9.8 Diemen in The Netherlands in 2014

References

Chapter 10: Nuclear Power Stations

10.1 Introduction

10.2 Pressurized Water Reactors (PWRs) and Boiling Water Reactors (BWRs)

10.3 Three Mile Island (TMI)

10.4 Fukushima Unit 1

10.5 High‐temperature Gas‐cooled Reactors (HTGRs)

10.6 Comparison Between Light Water Reactors (LWRs, i.e. PWRs and BWRs) and HTGRs

References

Index

End User License Agreement

List of Tables

Chapter 07

Table 7.1 Concentrations of oxygen, phosphine, and carbon monoxide in the Thermphos Furnace after the accident.

Table 7.2 Analytical data of air in dairy cattle livestock farms during mixing – averages of the highest values measured at the farms.

Chapter 09

Table 9.1 Cylindrical storage vessels of the Pemex LPG installation.

Chapter 10

Table 10.1 Timeline of the accident at Three Mile Island.

Table 10.2 Timeline of the events in Unit 1 of Fukushima Daiichi.

Table 10.3 Operational and technical data of AVR and THTR‐300.

Table 10.4 Operational and technical data of HTR‐10 and HTR‐PM

[27, 28]

.

Table 10.5 Operational and technical data of Peach Bottom Unit No. 1 and Fort St. Vrain.

List of Illustrations

Chapter 02

Figure 2.1 Deepwater Horizon BOP.

Figure 2.2 Explosion vent.

Figure 2.3 Dust explosion relief venting.

Figure 2.4 Dust explosion relief venting detail.

Chapter 03

Figure 3.1 A Comet 1 aircraft.

Figure 3.2 Cotton mill with water tower.

Figure 3.3 Clamp‐on ultrasonic flow meter.

Figure 3.4 Dutch sea barrier (Maeslantkering).

Chapter 04

Figure 4.1 Flashes from a burning bus on natural gas in The Netherlands.

Figure 4.2 A light truck with trailer were hit by a gust of wind in Germany.

Figure 4.3 A Dual Bloc wheel.

Figure 4.4 NTSB Materials Engineer Matt Fox examines the casing of the battery involved in the JAL Boeing 787 fire incident at Boston.

Figure 4.5 A hydrofoil.

Figure 4.6 Subsidence in cm expected in Groningen in 2070.

Figure 4.7 The fire started at the membrane pump.

Chapter 05

Figure 5.1 Train/truck and trailer collision – Event Number 1.

Figure 5.2 Train/truck and trailer collision – Event Number 2.

Figure 5.3 An inflatable castle.

Figure 5.4 Drain of a water basin.

Chapter 06

Figure 6.1 Coach accident in Sierre tunnel.

Figure 6.2 Concorde aircraft.

Figure 6.3 STS‐1 (Columbia) at liftoff.

Figure 6.4 Crashed Turkish Airlines Flight TK1951.

Figure 6.5 Terminal 2E at Roissy‐Charles de Gaulle Airport – Top view.

Figure 6.6 Terminal 2E at Roissy‐Charles de Gaulle Airport – Cross‐section.

Chapter 07

Figure 7.1 Ship Lady Irina.

Figure 7.2 Top view of the phosphorus furnace. Ovenuitgang, Furnace exit.

Figure 7.3 Cross section of the phosphorus furnace. Werkvloer, shop‐floor; Electrode‐opening, opening for electrode; vulpijp, filling pipe; Betondeksel, concrete lid; Chamollestenen, Chamolle stones; Steunring, support ring; Wandkoeling, wall cooling; Koolstofstenen, carbon stones; Stampmassa, pound mass; IJzersteenkoeling, cooling for iron stone; Ringgoot, annular drain; Bodemkoeling, bottom cooling.

Figure 7.4 Approximate reproduction of the situation during the accident at Makkinga in 2013. (1) Slurry silo; (2) container filled with water; (3) tractor and car with pump; (4) breathing air compressor; (5) tankcar for slurry transfer; (6) opened manhole in silo roof.

Chapter 08

Figure 8.1 Equation of the chemical reaction between epichlorohydrin and an N‐substituted aniline.

Figure 8.2 Continuous trickle‐bed Reactor No. 2 with gas/liquid separator.

Figure 8.3 The salt furnace of a melamine plant.

Figure 8.4 Double‐coned contact dryer.

Chapter 09

Figure 9.1 Tankfarm of the Pemex LPG installation.

Figure 9.2 The Pemex site after the explosion.

Figure 9.3 Location of the filling station at Nijmegen. A translation of the words in the figure follows: Text of the figure from top to bottom and from the left to the right: Weiland, pasture; Benzinestation, gas station; Verkeerslichten, traffic lights; Begroeing, overgrowth; Spoorlijn, railroad; Wijchen and Nijmegen are, respectively, a village and a town; Takenhofplein and Spijkerhofplein are street names.

Figure 9.4 A longitudinal crack.

Figure 9.5 Aerial view of the camping Los Alfaques.

Figure 9.6 The damaged LPG wagon at Viareggio. The photograph shows the hole and the pole.

Figure 9.7 Situation after the collision between the wagon and the passenger‐train.

Figure 9.8 The passenger‐train passed a stop sign and hit the freight‐train on Track 912 B. A translation of the words in the figure follows. Text of the left‐hand side of the figure from top to bottom: Station Tilburg Universiteit, railway station Tilburg University; Perron, platform; Richting west (naar Breda en Kijfhoek), direction west (to Breda and Kijfhoek); Emplacement Tilburg Goederen, railway yard Tilburg goods. Text of the right‐hand side of the figure from top to bottom: Richting oost (naar station Tilburg, Eindhoven en Chemelot), direction east (to railway station Tilburg, Eindhoven and Chemelot); Goederentrein vanaf Chemelot, freight‐train from Chemelot; Goederentrein vanaf Kijfhoek, freight‐train from Kijfhoek; Reizigerstrein, passenger‐train; Botsing, collision.

Figure 9.9 The crash absorbers of the wagon were hardly damaged.

Figure 9.10 This photograph shows damaged crash absorbers (the tubes) that have been damaged by a collision and have absorbed energy.

Figure 9.11 This photograph shows a provision to prevent a wagon or carriage to climb up against a crash absorber.

Figure 9.12 Schematic representation of a gas connection at apartment building De Beukenhorst. A translation of the words in the figure follows: Lift, elevator; Buitengevel flatgebouw, outer front apartment building; Stijgleiding, ascending line; Liftput, elevator pit; Entrée, entrance; Aansluitleiding, connecting line; Doorvoerbuis, guiding line; Fundering, foundation.

Figure 9.13 Timeline of the Diemen accident.

Chapter 10

Figure 10.1 The hydrogen atom.

Figure 10.2 A nuclear power station equipped with a BWR.

Figure 10.3 The nuclear power station TMI‐2 at Harrisburg in the United States.

Figure 10.4 Fukushima Unit 1 – a nuclear power station with a BWR.

Figure 10.5 Fukushima Unit 1 – Isolation Condenser A.

Figure 10.6 Prismatic block reactor at the left and pebble bed reactor at the right. Text of the figure from top to bottom: Brandstofballen, fuel spheres; diameter 60 mm, 60 mm diameter; Gecoate brandstofkern, coated fuel particle; Brandstof cilindertje lengte 38 mm, fuel compact 38 mm tall; Prismatisch blok lengte 580 mm, prismatic block 580 mm tall; Prismatische uitvoering, prismatic configuration; Pebble bed uitvoering, pebble‐bed configuration.

Guide

Cover

Table of Contents

Begin Reading

Pages

C1

vi

xi

xii

xiii

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

88

89

90

91

92

93

94

95

96

97

98

99

100

101

102

103

104

105

106

109

110

111

112

113

114

115

116

117

118

119

120

108

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

173

203

204

205

E1

Safety in Design

Copyright

This edition first published 2018

© 2018 John Wiley & Sons Inc.

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, except as permitted by law. Advice on how to obtain permission to reuse material from this title is available at http://www.wiley.com/go/permissions.

The right of C.M. van 't Land to be identified as the author of this work has been asserted in accordance with law.

Registered Office

John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, USA

Editorial Office

111 River Street, Hoboken, NJ 07030, USA

For details of our global editorial offices, customer services, and more information about Wiley products visit us at www.wiley.com.

Wiley also publishes its books in a variety of electronic formats and by print-on-demand. Some content that appears in standard print versions of this book may not be available in other formats.

Limit of Liability/Disclaimer of Warranty

In view of ongoing research, equipment modifications, changes in governmental regulations, and the constant flow of information relating to the use of experimental reagents, equipment, and devices, the reader is urged to review and evaluate the information provided in the package insert or instructions for each chemical, piece of equipment, reagent, or device for, among other things, any changes in the instructions or indication of usage and for added warnings and precautions. While the publisher and authors have used their best efforts in preparing this work, they make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives, written sales materials or promotional statements for this work. The fact that an organization, website, or product is referred to in this work as a citation and/or potential source of further information does not mean that the publisher and authors endorse the information or services the organization, website, or product may provide or recommendations it may make. This work is sold with the understanding that the publisher is not engaged in rendering professional services. The advice and strategies contained herein may not be suitable for your situation. You should consult with a specialist where appropriate. Further, readers should be aware that websites listed in this work may have changed or disappeared between when this work was written and when it is read. Neither the publisher nor authors shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

Library of Congress Cataloging-in-Publication Data

Names: Land, C.M. van 't, 1937- author.

Title: Safety in design / C.M. van 't Land, Van 't Land Processing.

Description: First edition. | Hoboken, NJ : John Wiley & Sons, Inc., [2018] | Includes bibliographical references and index. | Description based on print version record and CIP data provided by publisher; resource not viewed.

Identifiers: LCCN 2018016234 (print) | LCCN 2018019826 (ebook) | ISBN 9781118745694 (Adobe PDF) | ISBN 9781118745588 (ePub) | ISBN 9781118745557 (hardcover)

Subjects: LCSH: Nuclear reactors-Safety measures. | Nuclear reactors-Design and construction. | Chemical engineering-Safety measures.

Classification: LCC TK9152 (ebook) | LCC TK9152 .L36 2018 (print) | DDC 621.48/35-dc23

LC record available at https://lccn.loc.gov/2018016234

Cover design by Wiley

Cover image: Courtesy of Connexxion Holding NV, Hilversum, The Netherlands

Preface

This book emanates from the production of organic peroxides. The Dutch multinational Akzo Nobel, for which I worked as a chemical engineer between 1968 and 2000, manufactures these compounds.

In 1969, a Dutch company named Noury & Van der Lande became part of Akzo Nobel. That company had discovered around 1920 that dibenzoyl peroxide, a solid particulate material, can remove the yellowish color of flour. The finding was patented worldwide, licenses were given, and the industrial production of dibenzoyl peroxide was started. The production of synthetic plastics has increased since the 1940s, resulting in the increasing importance of organic peroxides as initiators of the radical polymerization of vinyl monomers. Noury & Van der Lande also started the production of organic peroxides for this application.

The expression “peroxides” is short for “superoxides.” It indicates that the compound contains relatively much oxygen. All or part of this oxygen is “active oxygen”. The active oxygen causes the desired action at the application of the organic peroxides. For example, the bleaching of flour is caused by the liberation of “active oxygen,” oxidizing carotene to colorless compounds. A further example, at the manufacture of polymers, is the decomposition of organic peroxides at relatively low temperatures to form free radicals. The free radicals act as initiators for polymerization reactions.

Explosions and fires at the manufacture and the handling of these compounds have happened in the past. Peroxides are characterized by the presence of the peroxo group –O–O–. In organic peroxides, this group is bound to at least one carbon atom, or is bound to a carbon atom via a different atom. The presence of the peroxo group causes the thermal instability of organic peroxides. It also, in many instances, causes the sensitivity to impact, friction, and other chemicals. For example, dry dibenzoyl peroxide is very sensitive to impact, and serious accidents caused by this sensitivity have happened with this material in the past.

In retrospect, the most serious accidents within Noury & Van der Lande and Akzo Nobel occurred between 1935 and 1975. In this period, the production increased from tens to hundreds of metric tpa per product. The majority of serious accidents occurred during the reactions to produce organic peroxides.

My former colleague, the late Hans Gerritsen, proposed a method to improve the protection of the manufacture and handling of organic peroxides significantly. The method is called intrinsic continuous process safeguarding. The safeguarding is based on chemical and physical properties of reaction systems, and an activation of protection systems is not required. The method is also applicable to other chemical production systems. It is discussed in Chapter 1.

Hans Gerritsen also, at Deventer in The Netherlands in 1985, drew my attention to the fact that the methodology can be applied to all types of human activity, and that is what this book is about.

Acknowledgments

I am grateful to Jan de Groot, who read the manuscript and, in doing so, made useful suggestions. Jan is the retired Head of Akzo Nobel's Safety Laboratory.

I am also grateful to retired professor Ad Verkooijen, who read Chapter 10 titled “Nuclear Power Stations”. His comments enabled me to improve its contents.

Thanks are also due to many people providing information and figures. Their help was invaluable. Most people are open and supportive.

I am greatly indebted to my wife, Annechien, for her constant encouragement and patience.

1Introduction

1.1 Introduction

A concept developed for the chemical industry can also be applied to other fields. This concept is called intrinsic continuous process safeguarding and is discussed in Section 1.2. It is related to the concept of inherently safer design. How the application of the concepts of inherently safer design and intrinsic continuous process safeguarding could have prevented three serious accidents in the chemical industry or mitigated its effects is briefly indicated in Sections 1.3–1.5. Section 1.6 contains concluding remarks.

1.2 Intrinsic Continuous Process Safeguarding

The danger of explosions, evolution of toxic gases, etc., comes with the large‐scale manufacture of certain chemicals. The prevention or control of undesirable reactions in processes is discussed in a paper [1]. The aim of intrinsic continuous process safeguarding is to obtain stable reaction systems that, within very wide limits, are not endangered by human errors or equipment failures. The approach has shown its merits at the manufacture of organic peroxides. It is related to the concept of inherently safer design [2]. Intrinsic continuous process safeguarding is compared to extrinsic process safeguarding in the paper mentioned earlier [1]. The latter safeguarding starts working upon a signal. Extrinsic process safeguarding is appropriate only as complementary and secondary protection: As complementary safeguarding by providing protection in places through which entering the hazardous area is improbable and as secondary protection by drawing up a second line of defense behind the intrinsic protection line.

Several serious accidents occurred in plants of the chemical industry in the second half of the previous century. Explosions, fires, and the emission of toxic materials were experienced. Three of these accidents will be discussed shortly in the following paragraphs. Kletz formulated the concept of inherently safer design, which encompasses hazard elimination and hazard reduction, for the first time in 1978 [3]. It was concerned with the safeguarding of the manufacture of chemicals. Our paper [1] also concerned the safeguarding of the manufacture of chemicals. The principles of these two related approaches can be used to formulate a generally applicable design strategy for the chemical industry. It is briefly indicated how the concepts of inherently safer design and intrinsic continuous process safeguarding could have either prevented the accidents in the chemical industry, described in the following paragraphs, or could have mitigated its effects.

1.3 The Flixborough Accident in the United Kingdom in 1974

This accident occurred near a small village called Flixborough in a plant having a capacity of 70 000 tons of caprolactam per annum [4]. Caprolactam is an intermediate for the manufacture of Nylon 6 and Nylon 66. The village is in Lincolnshire and located south of Hull at England's east coast. The date of the accident is June 1, 1974. The accident comprised an explosion in the plant followed by fires. The name of the company involved was Nypro. It was jointly owned 55% by Dutch State Mines (DSM) and 45% by the National Coal Board (NCB) of England. Of those working on the site at the time, 28 were killed and 36 suffered injuries. Injuries and damages outside the works were widespread, but no one was killed. Fifty‐three people were recorded outside the works as casualties. The 24‐ha plant was almost completely destroyed. Outside the works, property damage extended over a wide area. The Report of the Court of Inquiry [4] states that the cause of the disaster was the ignition and rapid acceleration of deflagration, possibly to the point of detonation, of a massive vapor cloud formed by the escape of cyclohexane from the air oxidation plant under at least a pressure of 8.8 kg cm−2 and at a temperature of 155 °C. In this plant, cyclohexane was, by means of a continuous process, converted into a mixture of cyclohexanol and cyclohexanone. Cyclohexanone was the intermediate product of the air oxidation plant. The Court estimates that the explosion was of the equivalent force to that of some 15–45 tons TNT. The cyclohexane oxidation plant contained six continuously stirred tank reactors in series. Prior to the accident, a reactor had to be removed for repair and the gap was bridged by a temporary 20‐in. pipe, connected by a bellows at each end and inadequately supported on temporary scaffolding. The pipe collapsed. The escaping cyclohexane was a flashing liquid. At atmospheric pressure, its boiling point is 80.8 °C. Approximately one‐quarter of the escaping cyclohexane, having a temperature of 155 °C, evaporated on escaping. The remaining three quarters thereby cooled down to, in principle, the boiling point at atmospheric pressure, that is, 80.8 °C. Much of the remaining liquid formed a spray. The large cloud formed made the explosion possible. The source of the ignition was probably a hot surface in the hydrogen plant of the caprolactam plant.

Before 1972, cyclohexanone was produced at Flixborough via the liquid‐phase hydrogenation of phenol. The latter process is a safer process than the air oxidation process. The reason is that it proceeds at temperatures below the atmospheric boiling point of the reaction liquids. Specifically, the boiling points at atmospheric pressure of phenol, cyclohexanol, and cyclohexanone are, respectively, 181.75, 161.1, and 156.5 °C. From a safety point of view, the oxidation process introduced a new dimension. Large quantities of cyclohexane had to be circulated through the reactors under a working pressure of 8.8 kg cm−2 and at a temperature of 155 °C. Any escape from the plant was therefore potentially dangerous. As stated above, the temporary 20‐in. pipe in the oxidation plant was inadequately supported. However, a similar error in a liquid‐phase phenol hydrogenation plant would not have had comparable consequences.

1.4 The Seveso Emission in Italy in 1976

This accident occurred near a small village called Meda near Seveso, a town of about 17 000 inhabitants some 15 miles from Milan in Italy [5]. The accident happened on July 10, 1976. It comprised the emission of a white cloud drifting from the works from which materials settled out downwind. Among the substances deposited was a very small amount of 2,3,7,8‐tetrachlorodibenzo‐p‐dioxin (TCCD), which is also known as dioxin, although there are more dioxins. This specific dioxin is one of the most toxic substances known. The process that gave rise to the accident was the production of 2,4,5‐trichlorophenol (TCP) in a batch reactor. TCP is used for herbicides and antiseptics. The name of the company involved was ICMESA. It used a process developed by Givaudan, which was itself owned by Hoffmann La Roche. These last two companies are Swiss companies, whereas the former one is Italian.

People fell ill and animals died in the contaminated area over the days following July 7, 1976. People were evacuated from the area affected. There were no deaths of humans directly attributable to TCCD.

The reactor from which the emission took place was a 13 875‐l vessel equipped with a stirrer and with a steam jacket supplied with steam at 12 bara. The boiling point of water at 12 bara is 188 °C.

The reactions to produce TCP had been started at 16.00 h on July 9, 1976. This date was a Friday. At 05.00 h on July 10, 1976, the batch was interrupted. The background was the closure of the plant for the weekend. At that point in time, the first chemical reaction had been completed. A distillation step followed the first chemical reaction; it comprised the removal of part of ethylene glycol (a solvent) from the reactor. The latter step had been started but had not been completed. The heat required for this distillation was supplied via a jacket. Steam entering the jacket came from a turbine. Because of the approaching weekend, the steam turbine was on reduced load and, although the steam pressure was 8 bara, its temperature had risen to about 300 °C. The interruption of the batch comprised the stopping of the heating and the stirring. At 05.00 h on July 10, 1976, the batch temperature was 158 °C. The upper section of the reactor wall, not wetted by the reactor contents, had, at that time, a temperature higher than 158 °C. The latter temperature was caused by the relatively high steam temperature. Based on this fact, Theofanous [6] proposed a sequence for the reaction runaway. The residual heat in the upper reactor section raised the temperature of the top layer of the liquid to 200–220 °C by radiation, a temperature high enough to initiate a runaway reaction leading to decomposition. Such a hot spot could develop because the stirring had been stopped. At 12.37 h on July 10, 1976, the bursting disk on the reactor ruptured and the emission took place.

The high temperature of the heating medium is, safetywise, an aspect. Noticeable decomposition reactions of the reaction mixture concerned already start at 185 °C. Limiting the temperature of the heating medium to, e.g. 165 °C, would have been appropriate. As to the manufacturing of TCP, it would have been better to bring the batch to completion. However, with a reduced heating medium temperature, the process would probably not have been endangered by human error.

1.5 The Bhopal Emission in India in 1984

This accident occurred at Bhopal in India in a plant manufacturing carbamate pesticides [7, 8]. It is by far the worst accident that has ever occurred in the chemical industry. Bhopal is located in Central India in the state of Madhya Pradesh. At the time of the emission, the town had 800 000 inhabitants. The plant was located at the outskirts of Bhopal. The date of the accident is December 3, 1984. The name of the company concerned was Union Carbide India Ltd (UCIL). The emission comprised the release of gaseous methyl isocyanate (MIC) through a nonfunctioning vent gas scrubber having a height of 30 m onto housing adjoining the site. The chemical is extremely toxic. MIC was an intermediate at the manufacture of Sevin, an insecticide. MIC could escape because it became inadvertently or deliberately contaminated with water in a storage tank. An exothermic reaction between MIC and water occurred. The reaction heat caused the evaporation of the compound. An aspect is that MIC's boiling point at atmospheric pressure is 38 °C. The rising pressure in the storage tank caused a relief valve to open. The inadvertent contamination with water due to a flushing (washing) operation is generally considered more probable than the deliberate contamination.

The number of people killed is officially 3787 [8] but is in actual fact much higher. Many more were wounded.

For the purpose of our present discussion, it is relevant to remark that a hazard and operability study of the plant might have revealed ways in which MIC could be contaminated by water. It would then be possible to prevent water to come into contact with MIC. Further main points are that a Sevin process route exists at which MIC is not obtained as an intermediate, that the intermediate storage was rather large, that several plant systems were not in working order, that the plant was not maintained properly, and that housing was too close to the plant.

1.6 Concluding Remarks

Intrinsic continuous process safeguarding is a safeguarding originating from the core of the process and is consequently directly and completely based on the reaction system and the reaction conditions; the safeguarding is based on chemical and physical properties [1].

Over time, people have invented and developed intrinsically protected approaches in many types of human activities. Two examples of such approaches will be discussed briefly. The first example concerns collecting mushrooms. The Amanita phalloides (a very toxic mushroom) may be mistaken for the champignon mushroom (edible). The color of both mushrooms tends toward white. An intrinsically protected, or, in other words, an inherently safer way of collecting mushrooms is to collect chanterelles, edible yellow mushrooms. The false chanterelles exist; however, they are edible, just not tasty. The Jack O’Lantern mushroom also appears similar to the chanterelle. The latter poisonous mushroom is usually found in woodland in North America. Although not lethal, consuming the Jack O’Lantern mushroom leads to strong complaints. Still, the collection of chanterelles is safer than the collection of champignon mushrooms.

The second example is given by Mannan [3]. A double‐track railroad, with a dedicated track for each direction of travel, is inherently safer than a single track for both directions of travel.

References

[1] Gerritsen, H.G. and van ’t Land, C.M. (1985). Intrinsic continuous process safeguarding.

Industrial & Engineering Chemistry Process Design and Development

24: 893–896.

[2] Mannan, S. (2005).

Lees' Loss Prevention in the Process Industries: Hazards Identification, Assessment, and Control

, 32/1–32/24. Amsterdam, Boston: Elsevier Butterworth‐Heinemann.

[3] Mannan, S. (2005).

Lees' Loss Prevention in the Process Industries: Hazards Identification, Assessment, and Control

, 32/2–32/3. Amsterdam, Boston: Elsevier Butterworth‐Heinemann.

[4] Court of Inquiry (1975).

The Flixborough Disaster

. London: Her Majesty's Stationary Office.

[5] Mannan, S. (2005).

Lees' Loss Prevention in the Process Industries: Hazards Identification, Assessment, and Control

, Appendix 3/1–3/13. Amsterdam, Boston: Elsevier Butterworth‐Heinemann.

[6] Theofanous, T.G. (1983). The physicochemical origins of the Seveso accident – I.

Chemical Engineering Science

38: 1615–1629.

[7] Mannan, S. (2005).

Lees' Loss Prevention in the Process Industries: Hazards Identification, Assessment, and Control

,

Appendix 5/1–5/11. Amsterdam, Boston: Elsevier Butterworth‐Heinemann.

[8] Pietersen, C.M. (2009).

After 25 Years: The Two Largest Industrial Disasters Concerning Dangerous Substances, LPG Disaster Mexico‐City and Bhopal Tragedy

, 63–91. Nieuwerkerk aan den IJssel, The Netherlands: Gelling Publishing (in Dutch).

2Procedural, Active, and Passive Safety

2.1 Introduction

How the safety in the chemical industry can be improved by the application of intrinsic continuous process safeguarding was discussed in Chapter 1. The concept was compared with extrinsic process safeguarding, which starts working upon a signal. It is, for other fields in society, useful to distinguish between procedural, active, and passive safety. Their definitions are given in Section 2.2. In Section 2.3, four examples of emergency power units that failed to come into action are dealt with. Three examples concern hospitals and one example a chemical plant. An emergency power unit is an active safety measure, as it starts working upon a signal. The failure of the blowout preventer (BOP) (an active safety measure) during the Gulf Oil accident in 2010 is discussed in Section 2.4. Section 2.5 deals with the safeguarding of Formula One races by means of mainly passive safety measures. Finally, Section 2.6 discusses explosion panels, also called bursting disks. These parts are designed to give in, if, due to a dust explosion, the subsequent pressure in a piece of equipment surpasses a predetermined value. Safeguarding by these components is continuously present.

2.2 Definitions

The definitions in this paragraph are borrowed from Kletz’ and Amyotte’s book [1]. A procedural safety method is a method activated by a human. The extinction of a fire by a fireman is an example. Of course, to avoid fires, preventive measures should be considered first. The use of materials that cannot take fire is an example. Complete cities burned down in the middle ages because the houses were made out of wood. Still, we cannot completely avoid the occurrence of fires, and to cope with the effects by means of a procedure is a possibility. However, the fire brigade may come in too late.

An active safety method is activated by a signal. For instance, in case of a fire, a water spray is turned on automatically by a smoke, flame, or heat detector. However, the equipment may fail or be turned off.

Both procedural safety methods and active safety methods can be compared to the concept of extrinsic process safeguarding used in the chemical industry as described in Chapter 1.

Finally, a passive safety method is immediately available. In case of a fire, fire‐proof insulation is continuously available and does not need activation by humans or equipment. Passive safety methods can be compared to intrinsic continuous process safeguarding as described in Chapter 1.

Generally speaking, passive safety measures are better than active safety measures because they do not need activation. Active safety measures are better than procedural safety measures because they are already present.

2.3 Four Failures of Emergency Power Units

2.3.1 Introduction

Four failures of emergency power units are discussed in Section 2.3. Emergency power units provide active safety as they start working upon a signal. The safeguarding or protection is not continuously present, and an activation is required. The four different failures of emergency power units to come into action have four different causes. The failure of active safety is in hospitals mostly followed up by procedural safety.

2.3.2 Twenteborg Hospital at Almelo in The Netherlands in 2002

On July 30, 2002, the Twenteborg hospital at Almelo in The Netherlands was struck by lightning [2, 3]. The external electric power supply was interrupted. In such a case, the emergency electric power supply should start automatically. Thus, this provision is an active safety measure. However, the diesel engines of the generators of the emergency power supply did not start because lightning had also damaged the circuitry of the emergency power supply. It took half an hour to repair the external electric power supply. Essential equipment was connected manually to a local accumulator in this period.

2.3.3 Westfries Gasthuis (Hospital) at Hoorn in The Netherlands in 2003

The external electric power supply of the Westfries Gasthuis (hospital) at Hoorn in The Netherlands was interrupted at 22.30 h on November 24, 2003 [4]. The emergency electric power supply should take over automatically in such a case. Similar to the previous case, this provision is an active safety measure. However, because of a faulty relay, the generators of the emergency electric power supply did not start. At 23.00 h, the fire brigade had installed emergency power supply generators for critical departments of the hospital. These departments were, e.g. intensive care, cardiology, and incubators. In the meantime, hospital personnel had taken care of the breathing upon of patients manually (procedural safety). Childbirths and operations did not take place at the time of the interruption of the external electric power supply. The external electric power supply had been fully restored at 03.30 h on November 25, 2003.

A notable aspect is that the emergency electric power supply did not work in spite of the fact that it had been successfully tested in October 2003.

2.3.4 ZGT Hengelo Hospital at Hengelo (O) in The Netherlands in 2011

The electric power supply to the ZGT Hengelo hospital at Hengelo (O) in The Netherlands was interrupted at 08.05 h on May 8, 2011 [5]. The cause was short‐circuiting within the equipment controlling the power supply to the hospital. There was no interruption of the external power supply. The circuitry of the emergency power supply could not detect the interruption of the electric power supply to the hospital and hence did not activate the emergency electric power supply. The electric power supply to the hospital was restored provisionally by the supplier of the external electric power supply shortly past 09.00 h on May 8, 2011. Six patients were breathed upon in Intensive Care at the time of the power interruption. Partly by means of local accumulators and partly manually, the breathing upon of these patients could be continued. Two patients were transferred to a different hospital because they needed kidney dialysis. The supplier of the equipment controlling the power supply to the hospital repaired the short‐circuiting in that piece of equipment in the course of May 8, 2011. The electric circuits were not modified.

2.3.5 Chemical Plant

A power failure occurred in a chemical plant. The activation of the emergency power unit was required to complete certain activities. However, the emergency power unit did not start up. On checking the situation, it appeared that the unit could not be activated as it had been switched off. A message had been attached to the diesel motor reading: “temporarily closed down.” That measure had not been checked with the production staff.

2.3.6 Additional Remarks

In the first case, the Twenteborg hospital at Almelo in The Netherlands, the sequence of events was started by lightning. The immediate cause of the disturbance at the Westfries Gasthuis at Hoorn in The Netherlands was the interruption of the external electric power supply. Furthermore, the problems at ZGT at Hengelo (O) in The Netherlands started with a short‐circuiting within hospital equipment. Finally, the emergency power unit in the chemical plant could not come into action due to a mistake. Thus, we see four different immediate causes of the problems.

2.4 The Failure of the Blowout Preventer ( BOP ) at the Gulf Oil Explosion in 2010

An accident occurred on the Mobile Offshore Drilling Unit Deepwater Horizon in the Gulf of Mexico on April 20, 2010 [6, 7]. Control of the well was lost on the evening of that day, allowing hydrocarbons to enter the drill pipe and reach the drilling unit, which resulted in explosions and subsequent fires. Eleven crew members died, and others were seriously injured. The fires engulfed and ultimately destroyed the rig, which sank after approximately 36 h. The first of more than four million barrels of oil began gushing uncontrolled into the Gulf of Mexico on April 20, 2010. The flow from the well was stopped using a technique called “top kill” on July 20, 2010. The well was effectively dead after a relief well was completed and cement was pumped into the well to seal it. This was declared to be the case on September 19, 2010.

Regarding the cause, the first two conclusions of the National Commission on the Deepwater Horizon Oil Spill and Offshore Drilling [6] are quoted:

The explosive loss of the Macondo well could have been prevented.

The immediate cause of the Macondo well blowout can be traced to a series of identifiable mistakes made by BP, Halliburton, and Transocean that reveal such systematic failures in risk management that they place in doubt the safety culture of the entire industry.

The oil and gas industry began to move offshore in approximately 1960. The industry first moved into shallow waters and, as from approximately 1980, into deepwater where vast new reserves of oil and gas have been opened up. The Deepwater Horizon drilled the Macondo well under 5000 ft (1524 m) of Gulf water and then over 13 000 ft (3962 m) under the seabed to the reservoir below. The pressure in the water at seabed level is approximately 2250 psi (153 bar), and intervention at the seabed level is only possible by means of remotely operated vehicles (ROVs). The reservoir pressure is also high. The reservoir temperatures are exceeding 200 °F (93.3 °C). It is clear that risks exist if a well gets out of control.

The engineering and design of the well started in 2009. On April 9, 2010, the well was drilled to its final depth of 18 360 ft (5596 m).

In the event of a loss of well control, various components of the BOP stack are functioned in an attempt to seal the well and contain the situation (see Figure 2.1). The lower section of the BOP attaches to the subsea wellhead. Prior to, during, and following the accident, numerous attempts were made to control the well by activating or functioning various components of the BOP. However, these attempts were unsuccessful. At the time of the accident, the drill pipe was present in the wellbore. The portion of the drill pipe between the shearing blades of the blind shear rams (BSRs) of the BOP was off center and held in this position by buckling forces. The BSRs are the only set of rams designed to cut drill pipe and seal the well in the event of a blowout. Because the trapped portion of the drill pipe was off center, the BSRs could not cut the drill pipe.

Figure 2.1 Deepwater Horizon BOP.

Source: Courtesy of Bureau of Safety and Environmental Enforcement, Washington D.C., U.S.A.

Forensic investigations by Det Norske Veritas proved that the BSRs of the BOP had been activated [7]. It is stated in their Executive Summary:

“Of the means available to close the BSRs, evidence indicates that the activation of the BSRs occurred when the hydraulic plunger to the Autoshear valve was successfully cut on the morning of April 22, 2010. However, on the evidence available, closing of the BSRs through activation of the AMF/Deadman circuits cannot be ruled out.”

AMF stands for automatic mode function. The Autoshear valve was cut by an ROV on the morning of April 22, 2012. If closing of the BSRs occurred through activation of the AMF/Deadman circuits, such closing would have occurred earlier than April 22, 2010, e.g. on April 20, 2010. Whether on April 20, 2010 or on April 22, 2010, activation of the BSRs did, as already stated, not lead to the sealing of the well.

The BSRs in the BOP of the Deepwater Horizon were an active safety measure. The safety measure did not function.

The BOP is a last line of defense against the loss of well control.

2.5 The Safeguarding of Formula One Races

The Brazilian Formula One driver Ayrton Senna died in a crash at Imola in Italy on May 1, 1994. Since that accident one further life was lost at Formula One races. A serious accident occurred at Suzaka in Japan on October 5, 2014. The French Formula One driver Jules Bianchi was heavily injured at this accident and died on July 17, 2015. Still, the situation improved considerably if one compares the number of accidents and incidents in the period 1994–2014 to that in the period 1974–1994.

First, passive safety measures for the driver will be mentioned. Possibly, the most important measure in this category is the head restraint Head And Neck Support (HANS) device. It had been realized that a number of fatalities were due to the unrestrained head leading to excessive loads to the neck and base of the skull at frontal impacts. The inventor is Ron Hubbard. HANS was introduced in 2002. From 2003, it became mandatory in Formula One races. HANS became mandatory in other branches of motor sport as well.

The incorporation of a strong cockpit designed to stay intact in the event of an accident is a further passive protection measure. The introduction of fuel tanks made of strong fibers also belongs to this category.

In the mid‐1970s, FIA (Fédération Internationale de l’Automobile) introduced standards for clothing and helmets. Over the years, these standards have become increasingly strict. Suits, shoes, gloves, helmets, seats, and other accessories are now made from a fire‐resistant material.