The Flixborough disaster was an explosion at a chemical plant close to the village of Flixborough, North Lincolnshire, England on Saturday, 1 June 1974. It killed 28 people and seriously injured 36 out of a total of 72 people on site at the time. The casualty figures could have been much higher, if the explosion had occurred on a weekday, when the main office area would have been occupied. A contemporary campaigner on process safety wrote "the shock waves rattled the confidence of every chemical engineer in the country".[A]
The disaster involved (and may well have been caused by) a hasty modification. There was no on-site senior manager with mechanical engineering expertise (virtually all the plant management had chemical engineering qualifications); mechanical engineering issues with the modification were overlooked by the managers who approved it, nor was the severity of the potential consequences of its failure appreciated.
Flixborough led to a widespread public outcry over process plant safety. Together with the passage of the Health and Safety at Work Act in the same year it led to (and is often quoted in justification of) a more systematic approach to process safety in UK process industries, and – in conjunction with the Seveso disaster and the consequent EU 'Seveso directives' – to explicit UK government regulation of plant processing or storing large inventories of hazardous materials, currently (2014) by the Control of Major Accident Hazards Regulations 1999 (COMAH).
The chemical works, owned by Nypro UK (a joint venture between Dutch State Mines (DSM) and the British National Coal Board (NCB)) had originally produced fertiliser from by-products of the coke ovens of a nearby steelworks. Since 1967, it had instead produced caprolactam, a chemical used in the manufacture of nylon 6.[a] The caprolactam was produced from cyclohexanone. This was originally produced by hydrogenation of phenol, but in 1972 additional capacity was added, built to a DSM design in which hot liquid cyclohexane was partially oxidised by compressed air. The plant was intended to produce 70,000 tpa (tons per annum) of caprolactam but was reaching a rate of only 47,000 tpa in early 1974. Government controls on the price of caprolactam put further financial pressure on the plant.
It was a failure of this plant that led to the disaster. A major leak of liquid from the reactor circuit caused the rapid formation of a large cloud of flammable hydrocarbon. When this met an ignition source (probably a furnace at a nearby hydrogen production plant[B]) there was a massive fuel-air explosion. The plant control room collapsed, killing all 18 occupants. Nine other site workers were killed, and a delivery driver died of a heart attack in his cab. Fires started on-site which were still burning ten days later. Around 1,000 buildings within a mile radius of the site (in Flixborough itself and in the neighbouring villages of Burton upon Stather and Amcotts) were damaged, as were nearly 800 in Scunthorpe (three miles away); the blast was heard over thirty miles away in Grimsby and Hull. Images of the disaster were soon shown on television, filmed by BBC and Yorkshire Televisionfilmstocknews crews who had been covering the Appleby-Frodingham Gala in Scunthorpe that afternoon.
The plant was re-built but cyclohexanone was now produced by hydrogenation of phenol (Nypro proposed to produce the hydrogen from LPG; in the absence of timely advice from the Health and Safety Executive (HSE) planning permission for storage of 1200 te LPG at Flixborough was initially granted subject to HSE approval, but HSE objected); as a result of a subsequent collapse in the price of nylon it closed down a few years later. The site was demolished in 1981, although the administration block still remains. The site today is home to the Flixborough Industrial Estate, occupied by various businesses and Glanford Power Station.
The foundations of properties severely damaged by the blast and subsequently demolished can be found on land between the estate and the village, on the route known as Stather Road. A memorial to those who died was erected in front of offices at the rebuilt site in 1977. Cast in bronze, it showed mallards alighting on water. When the plant was closed, the statue was moved to the pond at the parish church in Flixborough. During the early hours of New Year's Day 1984, the sculpture was stolen. It has never been recovered but the plinth it stood on, with a plaque listing all those who died that day, can still be found outside the church.
The cyclohexane oxidation process is still operated in much the same plant design in the Far East.
In the DSM process, cyclohexane was heated to about 155 °C (311 °F) before passing into a series of six reactors. The reactors were constructed from mild steel with a stainless steel lining; when operating they held in total about 145 tonnes of flammable liquid at a working pressure of 8.6 bar gauge (0.86 MPa gauge; 125 psig).[b] In each of the reactors, compressed air was passed through the cyclohexane, causing a small percentage of the cyclohexane to oxidise and produce cyclohexanone, some cyclohexanol also being produced. Each reactor was slightly (approximately 14 inches, 350 mm) lower than the previous one, so that the reaction mixture flowed from one to the next by gravity through nominal 28-inch bore (DN 700 mm) stub pipes with inset bellows.[C] The inlet to each reactor was baffled so that liquid entered the reactors at a low level; the exiting liquid flowed over a weir whose crest was somewhat higher than the top of the outlet pipe. The mixture exiting reactor 6 was processed to remove reaction products, and the unreacted cyclohexane (only about 6% was reacted in each pass) then returned to the start of the reactor loop.
Although the operating pressure was maintained by an automatically controlled bleed valve once the plant had reached steady state, the valve could not be used during start-up, when there was no air feed, the plant being pressurised with nitrogen. During start-up the bleed valve was normally isolated and there was no route for excess pressure to escape; pressure was kept within acceptable limits (slightly wider that those achieved under automatic control) by operator intervention (manual operation of vent valves). A pressure-relief valve acting at 11 kg/cm2 (156 psi) gauge was also fitted.
Reactor 5 leaks and is bypassed
Two months prior to the explosion, the number 5 reactor was discovered to be leaking. When lagging was stripped from it, a crack extending about 6 feet (1.8 m) was visible in the mild steel shell of the reactor. It was decided to install a temporary pipe to bypass the leaking reactor to allow continued operation of the plant while repairs were made. In the absence of 28-inch nominal bore pipe (DN 700 mm), 20-inch nominal bore pipe (DN 500 mm) was used to fabricate the bypass pipe for linking reactor 4 outlet to reactor 6 inlet. The new configuration was tested for leak-tightness at working pressure by pressurisation with nitrogen. For two months after fitting the bypass was operated continuously at temperature and pressure and gave no trouble. At the end of May (by which time the bypass had been lagged) the reactors had to be depressurised and allowed to cool in order to deal with leaks elsewhere. The leaks having been dealt with, early on 1 June attempts began to bring the plant back up to pressure and temperature.
At about 16:53 on Saturday 1 June 1974, there was a massive release of hot cyclohexane in the area of the missing reactor 5, followed shortly by ignition of the resulting cloud of flammable vapour[D] and a massive explosion[E] in the plant. It virtually demolished the site. Since the accident took place at a weekend there were relatively few people on site: of those on-site at the time, 28 were killed and 36 injured. Fires continued on-site for more than ten days. Off-site there were no fatalities, but 50 injuries were reported and about 2,000 properties damaged.[d]
The occupants of the works laboratory had seen the release and evacuated the building before the release ignited; most survived. None of the 18 occupants of the plant control room survived, nor did any records of plant readings. The explosion appeared to have been in the general area of the reactors and after the accident only two possible sites for leaks before the explosion were identified: "the 20 inch bypass assembly with the bellows at both ends torn asunder was found jack-knifed on the plinth beneath" and there was a 50-inch long split in nearby 8-inch nominal bore stainless steel pipework".[e]
Court of Inquiry
Immediately after the accident, New Scientist commented presciently on the normal official response to such events, but hoped that the opportunity would be taken to introduce effective government regulation of hazardous process plants.
Disasters on the scale of last Saturday's tragic explosion ... at Flixborough tend to provoke a brief wave of statements that such things must never happen again. With the passage of time these sentiments are diluted into bland reports about human error and everything being well under control – as happened with the Summerland fire. In the Flixborough case, there is a real chance that the death toll could trigger meaningful changes in a neglected aspect of industrial safety.
The Secretary of State for Employment set up a Court of Inquiry to establish the causes and circumstances of the disaster and identify any immediate lessons to be learned, and also an expert committee to identify major hazard sites and advise on appropriate measures of control for them. The Inquiry sat for 70 days in the period September 1974 – February 1975, and took evidence from over 170 witnesses.[f] In parallel, an Advisory Committee on Major Hazards was set up to look at the longer term issues associated with hazardous process plant.
Circumstances of the disaster
The report of the court of inquiry was critical of the installation of the bypass pipework on a number of counts: although plant and senior management were chartered engineers (mostly chemical engineers) the post of Works Engineer which had been occupied by a chartered mechanical engineer had been vacant since January 1974 and at the time of the accident there were no professionally qualified engineers in the works engineering department. Nypro had recognised this to be a weakness and identified a senior mechanical engineer in an NCB subsidiary as available to provide advice and support if requested.[g] At a meeting of plant and engineering managers to discuss the failure of Reactor 5, the external mechanical engineer was not present. The emphasis was upon prompt restart and – the inquiry felt – although this did not lead to the deliberate acceptance of hazards, it led to the adoption of a course of action whose hazards (and indeed engineering practicalities) were not adequately considered or understood. The major problem was thought to be getting reactor 5 moved out of the way. Only the plant engineer was concerned about restarting before the reason for the failure was understood, and the other reactors inspected.[h][F] The difference in elevation between reactor 4 outlet and reactor 6 inlet was not recognised at the meeting. At a working level the offset was accommodated by a dog-leg in the bypass assembly; a section sloping downwards inserted between (and joined with by mitre welds) two horizontal lengths of 20-inch pipe abutting the existing 28-inch stubs. This bypass was supported by scaffolding fitted with supports provided to prevent the bellows having to take the weight of the pipework between them, but with no provision against other loadings.[G] The Inquiry noted on the "design" of the assembly:
No-one appreciated that the pressurised assembly would be subject to a turning moment imposing shear forces on the bellows for which they are not designed. Nor did anyone appreciate that the hydraulic thrust on the bellows (some 38 tonnes at working pressure) would tend to make the pipe buckle at the mitre joints. No calculations were done to ascertain whether the bellows or pipe would withstand these strains; no reference was made to the relevant British Standard, or any other accepted standard; no reference was made to the designer's guide issued by the manufacturers of the bellows; no drawing of the pipe was made, other than in chalk on the workshop floor; no pressure testing either of the pipe or the complete assembly was made before it was fitted.[i]
The Inquiry noted further that "there was no overall control or planning of the design, construction, testing or fitting of the assembly nor was any check made that the operations had been properly carried out". After the assembly was fitted, the plant was tested for leak-tightness by pressurising with nitrogen to 9 kg/cm2; i.e. roughly operating pressure, but below the pressure at which the system relief valve would lift and below the 30% above design pressure called for by the relevant British Standard.[j]
Cause of the disaster
The 20-inch bypass was therefore clearly not what would have been produced or accepted by a more considered process but controversy developed (and became acrimonious) as to whether its failure was the initiating fault in the disaster (the 20-inch hypothesis, argued by the plant designers (DSM) and the plant constructors; and favoured by the court's technical advisers), or had been triggered by an external explosion resulting from a previous failure of the 8-inch line (argued by experts retained by Nypro and their insurers).
The 20-inch hypothesis
Tests on replica bypass assemblies showed that bellows squirm could occur at pressures below the safety valve setting, but that squirm did not lead to a leak (either from damage to the bellows or from damage to the pipe at the mitre welds) until well above the safety valve setting. However theoretical modelling suggested that the expansion of the bellows as a result of squirm would lead to a significant amount of work being done on them by the reactor contents, and there would be considerable shock loading on the bellows when they reached the end of their travel. If the bellows were 'stiff' (resistant to squirm), the shock loading could cause the bellows to tear at pressures below the safety valve setting; it was not impossible that this could occur at pressures experienced during start-up, when pressure was less tightly controlled. (Plant pressures at the time of the accident were unknown since all relevant instruments and records had been destroyed, and all relevant operators killed).[k] The Inquiry concluded that this ("the 20-inch hypothesis") was 'a probability' but one 'which would readily be displaced if some greater probability' could be found.[l]
The 8-inch hypothesis
Detailed analysis suggested that the 8-inch pipe had failed due to creep cavitation at a high temperature while the pipe was under pressure. Failure had been accelerated by contact with molten zinc and there were indications that an elbow in the pipe had been at significantly higher temperature than the rest of the pipe.[m] The hot elbow led to a non-return valve held between two pipe flanges by twelve bolts. After the disaster, two of the twelve bolts were found to be loose; the inquiry concluded that they were probably loose before the disaster. Nypro argued that the bolts had been loose, there had consequently been a slow leak of process fluid onto lagging leading eventually to a lagging fire, which had worsened the leak to the point where a flame had played undetected upon the elbow, burnt away its lagging and exposed the line to molten zinc, the line then failing with a bulk release of process fluid which extinguished the original fire, but subsequently ignited giving a small explosion which had caused failure of the bypass, a second larger release and a larger explosion. Tests failed to produce a lagging fire with leaked process fluid at process temperatures; one advocate of the 8-inch hypothesis then argued instead that there had been a gasket failure giving a leak with sufficient velocity to induce static charges whose discharge had then ignited the leak.[H]
The inquiry conclusion
The 8-inch hypothesis was claimed to be supported by eyewitness accounts and by the apparently anomalous position of some debris post-disaster. The inquiry report took the view that explosions frequently throw debris in unexpected directions and eyewitnesses often have confused recollections. The inquiry identified difficulties at various stages of the accident development in the 8-inch hypothesis, their cumulative effect being considered to be such that the report concluded that overall the 20-inch hypothesis involving 'a single event of low probability' was more credible than the 8-inch hypothesis depending upon 'a succession of events, most of which are improbable'.[n]
Lessons to be learned
The inquiry report identified 'lessons to be learned' which it presented under various headings; 'General observation' (relating to cultural issues underlying the disaster), 'specific lessons' (directly relevant to the disaster, but of general applicability) are reported below; there were also 'general' and 'miscellaneous lessons' of less relevance to the disaster. The report also commented on matters to be covered by the Advisory Committee on Major Hazards.
- Plant – where possible – should be designed so that failure does not lead to disaster on a timescale too short to permit corrective action.
- Plant should be designed and run to minimise the rate at which critical management decisions arise (particularly those in which production and safety conflict).
- Feedback within the management structure should ensure that top management understand the responsibilities of individuals and can ensure that their workload, capacity and competence allow them to effectively deal with those responsibilities
The disaster was caused by 'a well designed and constructed plant' undergoing a modification that destroyed its technical integrity.
- Modifications should be designed, constructed, tested and maintained to the same standards as the original plant
When the bypass was installed, there was no works engineer in post and company senior personnel (all chemical engineers) were incapable of recognising the existence of a simple engineering problem, let alone solving it
- When an important post is vacant special care should be taken when decisions have to be taken which would normally be taken by or on the advice of the holder of the vacant post
- All engineers should learn at least the elements of other branches of engineering than their own[I]
Matters to be referred to the Advisory Committee
No one concerned in the design or construction of the plant envisaged the possibility of a major disaster happening instantaneously.[J] It was now apparent that such a possibility exists where large amounts of potentially explosive material are processed or stored. It was 'of the greatest importance that plants at which there is a risk of instant as opposed to escalating disaster be identified. Once identified measures should be taken both to prevent such a disaster so far as is possible and to minimise its consequences should it occur despite all precautions.'[o] There should be coordination between planning authorities and the Health and Safety Executive, so that planning authorities could be advised on safety issues before granting planning permission; similarly the emergency services should have information to draw up a disaster plan.
The inquiry summarised its findings as follows:
We believe, however, that if the steps we recommend are carried out, the risk of any similar disaster, already remote, will be lessened. We use the phrase "already remote" advisedly for we wish to make it plain that we found nothing to suggest that the plant as originally designed and constructed created any unacceptable risk. The disaster was caused wholly by the coincidence of a number of unlikely errors in the design and installation of a modification. Such a combination of errors is very unlikely ever to be repeated. Our recommendations should ensure that no similar combination occurs again and that even if it should do so, the errors would be detected before any serious consequences ensued.[p]
Response to Inquiry Report
Controversy as to immediate cause
Nypro's advisers had put considerable effort into the 8-inch hypothesis, and the inquiry report put considerable effort into discounting it. The critique of the hypothesis spilled over into criticism of its advocates: 'the enthusiasm for the 8-inch hypothesis felt by its proponents has led them to overlook obvious defects which in other circumstances they would not have failed to realise'.[q] Of one proponent the report noted gratuitously that his examination by the court 'was directed to ensuring that we had correctly appreciated the main steps in the hypothesis some of which appeared to us in conflict with facts which were beyond dispute'.[r] The report thanked him for his work in assembling eyewitness evidence but said his use of it showed 'an approach to the evidence which is wholly unsound'.[s]
The proponent of the 8-inch gasket failure hypothesis responded by arguing that the 20-inch hypothesis had its share of defects which the inquiry report had chosen to overlook, that the 8-inch hypothesis had more in its favour than the report suggested, and that there were important lessons that the inquiry had failed to identify:
[T]he Court's commitment for the 20-inch hypothesis led them to present their conclusions in a way that does not help the reader to assess contrary evidence. The Court could still be right that a single unsatisfactory modification caused the disaster but this is no reason for complacency. There are many other lessons. It is to be hoped that the respect normally accorded to the findings of a Court of Inquiry will not inhibit chemical engineers in looking beyond the report in their endeavours to improve the already good safety record of the chemical industry.
The Flixborough inquiry findings have not been accorded the normal respect; one critic of them was able to note after a flurry of articles on the 25th anniversary:
In view of the Court of Inquiry's qualified conclusion, the cause of the accident has been the subject of considerable controversy, especially as to the actual failure process (e.g., Ball, 1975, 1976; Butler, 1975; Cox, 1976; Gugan, 1976; King, 1977; Warner, 1975; Warner and Newland, 1975); the amount of cyclohexane released, and whether the unconfined vapor cloud formed in the release detonated (e.g., Gugan, 1978, 1980; Ale and Bruning, 1980a, b; Fu and Eyre, 1980; Phillips, 1981). The debate and argument continue to this day (e.g.,Gugan, 2000; Hoiset et al., 2000; King, 2000; Kletz, 2000; Swan, 2000).
The HSE website currently (2014) says "During the late afternoon on 1 June 1974 a 20 inch bypass system ruptured, which may have been caused by a fire on a nearby 8-inch pipe". In the absence of a strong consensus for either hypothesis other possible immediate causes have been suggested.[K]
Post-enquiry forensic engineering – two-stage rupture of bypass
The enquiry noted the existence of a small tear in a bellows fragment, and therefore considered the possibility of a small leak from the bypass having led to an explosion bringing the bypass down. It noted this to be not inconsistent with eyewitness evidence, but ruled out the scenario because pressure tests showed the bellows did not develop tears until well above the safety valve pressure.[t] This hypothesis has however been revived, with the tears being caused by fatigue failure at the top of the reactor 4 outlet bellows because of flow-induced vibration of the unsupported bypass line. Finite element analysis has been carried out (and suitable eyewitness evidence adduced) to support this hypothesis.
Post-enquiry forensic engineering – the 'water hypothesis'
The reactors were normally mechanically stirred but reactor 4 had operated without a working stirrer since November 1973; free phase water could have settled out in unstirred reactor 4 and the bottom of reactor 4 would reach operating temperature more slowly than the stirred reactors. It was postulated that there had been bulk water in reactor 4 and a disruptive boiling event had occurred when the interface between it and the reaction mixture reached operating temperature. Abnormal pressures and liquor displacement resulting from this (it was argued) could have triggered failure of the 20-inch bypass.[L][M].
Dissatisfaction with other aspects of the Inquiry Report
The plant design had assumed that the worst consequence of a major leak would be a plant fire and to protect against this a fire detection system had been installed. Tests by the Fire Research Establishment had shown this to be less effective than intended. Moreover, fire detection only worked if the leak ignited at the leak site; it gave no protection against a major leak with delayed ignition, and the disaster had shown this could lead to multiple worker fatalities. The plant as designed therefore could be destroyed by a single failure and had a much greater risk of killing workers than the designers had intended. Critics of the inquiry report therefore found it hard to accept its characterisation of the plant as 'well-designed'.3 The HSE (through the Department of Employment) had come up with a 'shopping list' of about 30 recommendations on plant design, many of which had not been adopted (and a few explicitly rejected[v]) by the Inquiry Report; the HSE inspector who acted as secretary to the inquiry spoke afterwards of making sure that the real lessons were acted upon. More fundamentally, Trevor Kletz saw the plant as symptomatic of a general failure to consider safety early enough in process plant design, so that designs were inherently safe – instead processes and plant were selected on other grounds then safety systems bolted on to a design with avoidable hazards and unnecessarily high inventory. 'We keep a lion and build a strong cage to keep it in. But before we do so we should ask if a lamb might do.'
If the UK public were largely reassured to be told the accident was a one-off and should never happen again, some UK process safety practitioners were less sanguine. Critics felt that the Flixborough explosion was not the result of multiple basic engineering design errors unlikely to coincide again; the errors were rather multiple instances of one underlying cause: a complete breakdown of plant safety procedures (exacerbated by a lack of relevant engineering expertise, but that lack was also a procedural shortcoming).
ICI Petrochemicals: 'A new world where new methods are needed'
The Petrochemicals Division of Imperial Chemical Industries (ICI) operated many plants with large inventories of flammable chemicals at its Wilton site (including one in which cyclohexane was oxidised to cyclohexanone and cyclohexanol). Historically good process safety performance at Wilton had been marred in the late 1960s by a spate of fatal fires caused by faulty isolations/handovers for maintenance work. Their immediate cause was human error but ICI felt that saying that most accidents were caused by human error was no more useful than saying that most falls are caused by gravity. ICI had not simply reminded operators to be more careful, but issued explicit instructions on the required quality of isolations, and the required quality of its documentation. The more onerous requirements were justified as follows:
Why do we need the HOC[O] rules on the isolation and identification of equipment for maintenance? They were introduced about 2 years ago, but Billingham managed for 45 years without them. During those 45 years there were no doubt many occasions when fitters broke into equipment and found it had not been isolated, or broke into the wrong line because it had not been identified positively. But pipe-lines were mostly small, and the amount of flammable gas or liquid on the plant was not usually large. Now pipe-lines are much larger and the amount of gas or liquid that can leak out is much greater. Several serious incidents in the last 3 years have shown that we dare not risk breaking into lines that are not properly isolated. As plants have got larger we have moved ... into a new world where new methods are needed.[P]
In accordance with this view, post-Flixborough (and without waiting for the Inquiry Report), ICI Petrochemicals instituted a review of how it controlled modifications. It found that major projects requiring financial sanction at a high level were generally well-controlled, but for more (financially) minor modifications there was less control and this had resulted in a past history of 'near-misses' and small-scale accidents, few of which could be blamed on chemical engineers.[Q] To remedy this, not only were employees reminded of the principal points to consider when making a modification (both on the quality/compliance of the modification itself and on the effect of the modification on the rest of the plant), but new procedures and documentation were introduced to ensure adequate scrutiny. These requirements applied not only to changes to equipment, but also to process changes. All modifications were to be supported by a formal safety assessment. For major modifications this would include an 'operability study'; for minor modifications a checklist-based safety assessment was to be used, indicating what aspects would be affected, and for each aspect giving a statement of the expected effect. The modification and its supporting safety assessment then had to be approved in writing by the plant manager and engineer. Where instruments or electrical equipment were involved signatures would also be needed from the relative specialist (instrument manager or electrical engineer). A Pipework Code of Practice was introduced specifying standards of design construction and maintenance for pipework – all pipework over 3"nb (DN 75 mm) handling hazardous material would have to be designed by pipework specialists in the design office. The approach was publicised outside ICI; while the Pipework Code of Practice on its own would have combatted the specific fault(s) that led to the Flixborough disaster, the adoption more generally of tighter controls on modifications (and the method by which this was done) were soon recognised to be prudent good practice.[R] In the United Kingdom, the ICI approach became a de facto standard for high-risk plant (partly because the new (1974) Health and Safety at Work Act went beyond specific requirements on employers to state general duties to keep risks to workers as low as reasonably practicable and to avoid risk to the public so far as reasonably practicable; under this new regime the presumption was that recognised good practice would inherently be 'reasonably practicable' and hence should be adopted, partly because key passages in reports of the Advisory Committee on Major Hazards were clearly supportive).
Advisory Committee on Major Hazards
Dissatisfaction with existing regulatory regime
The terms of reference of the Court of Inquiry did not include any requirement to comment on the regulatory regime under which the plant had been built and operated, but it was clear that it was not satisfactory. Construction of the plant had required planning permission approval by the local council; while "an interdepartmental procedure enabled planning authorities to call upon the advice of Her Majesty's Factory Inspectorate when considering applications for new developments which might involve a major hazard" (there was no requirement for them to do so), since the council had not recognised the hazardous nature of the plant they had not called for advice. As the New Scientist commented within a week of the disaster:
There are now probably more than a dozen British petrochemical plants with a similar devastation-potential to the Nypro works at Flixborough. Neither when they were first built, nor now that they are in operation, has any local or government agency exercised effective control over their safety. To build a nuclear power plant, the electricity industry must provide a detailed safety evaluation to the Nuclear Inspectorate before it receives a licence. On the other hand, permission for highly hazardous process plants only involves satisfying a technically unqualified local planning committee, which lacks even the most rudimentary powers once the plant goes on stream. ... The Factory Inspectorate has standing only where it has promulgated specific regulations
Terms of Reference and personnel
The ACMH's terms of reference were to identify types of (non-nuclear) installations posing a major hazard, and advise on appropriate controls on their establishment, siting, layout, design, operation, maintenance and development (including overall development in their vicinity). Unlike the Court of Inquiry, its personnel (and that of its associated working groups) had significant representation of safety professionals, drawn largely from the nuclear industry and ICI (or ex-ICI)
Suggested regulatory framework
In its first report (issued as a basis for consultation and comment in March 1976), the ACMH noted that hazard could not be quantified in the abstract, and that a precise definition of 'major hazard' was therefore impossible. Instead[w] installations with an inventory of flammable fluids above a certain threshold or of toxic materials above a certain 'chlorine equivalent' threshold should be ' notifiable installations '. A company operating a notifiable installation should be required to survey its hazard potential, and inform HSE of the hazards identified and the procedures and methods adopted (or to be adopted) to deal with them.
HSE could then chose to – in some cases (generally involving high risk or novel technology) – require[x] submission of a more elaborate assessment, covering (as appropriate) "design, manufacture, construction, commissioning, operation and maintenance, as well as subsequent modifications whether of the design or operational procedures or both". The company would have to show that "it possesses the appropriate management system, safety philosophy, and competent people, that it has effective methods of identifying and evaluating hazards, that it has designed and operates the installation in accordance with appropriate regulations, standards and codes of practice, that it has adequate procedures for dealing with emergencies, and that it makes use of independent checks where appropriate"
For most 'notifiable installations' no further explicit controls should be needed; HSE could advise and if need be enforce improvements under the general powers given it by the 1974 Health and Safety at Work Act (HASAWA), but for a very few sites explicit licensing by HSE might be appropriate;[y] responsibility for safety of the installation remaining however always and totally with the licensee.
Ensuring safety of 'major hazard' installations
HASAWA already required companies to have a safety policy, and a comprehensive plan to implement it. ACMH felt that for major hazard installations[z] the plan should be formal and include
- the regulation by company procedures of safety matters (such as: identification of hazards, control of maintenance (through clearance certificates, permits to work etc.), control of modifications which might affect plant integrity, emergency operating procedures, access control)
- clear safety roles (for e.g. the design and development team, production management, safety officers)
- training for safety, measures to foster awareness of safety, and feedback of information on safety matters
Safety documents were needed both for design and operation. The management of major hazard installations must show that it possessed and used a selection of appropriate hazard recognition techniques,[S] had a proper system for audit of critical safety features, and used independent assessment where appropriate.
The ACMH also called for tight discipline in the operation of major hazard plants:
The rarity of major disasters tends to breed complacency and even a contempt for written instructions. We believe that rules relevant to safety must be everyday working rules and be seen as an essential part of day-to-day work practice. Rules, designed to protect those who drew them up if something goes wrong, are readily ignored in day-to-day work. Where management lays down safety rules, it must also ensure that they are carried out. We believe that to this end considerable formality is essential in relation to such matters as permits to work and clearance certificates to enter vessels or plant areas. In order to keep strong control in the plant, the level of authority for authorisations must be clearly defined. Similarly the level of authority for technical approval for any plant modification must also be clearly defined. To avoid the danger of systems and procedures being disregarded, there should be a requirement for a periodic form of audit of them.[aa]
The ACMH's second report (1979) rejected criticisms that since accidents causing multiple fatalities were associated with extensive and expensive plant damage the operators of major hazard sites had every incentive to avoid such accidents and so it was excessive to require major hazard sites to demonstrate their safety to a government body in such detail:
We would not contest that the best run companies achieve high standards of safety, but we believe this is because they have .... achieved what is perhaps best described as technical discipline in all that they do.
We believe that the best practices must be followed by all companies and that we have reached a state of technological development where it is not sufficient in areas of high risk for employers merely to demonstrate to themselves that all is well. They should now be required to demonstrate to the community as a whole that their plants are properly designed, well constructed and safely operated.
The approach advocated by the ACMH was largely followed in subsequent UK legislation and regulatory action, but following the release of chlordioxins by a runaway chemical reaction at Seveso in northern Italy in July 1976, 'major hazard plants' became an EU-wide issue and the UK approach became subsumed in EU-wide initiatives (the Seveso Directive in 1982, superseded by the Seveso II Directive in 1996). A third and final report was issued when the ACMH was disbanded in 1983.
- ^Various authors have compared it with the Tay Bridge disaster in one aspect or other
- ^the conclusion of the official Inquiry, but this has been queried, given the pattern of deposition of soot from the explosion
- ^i.e. the fatal modification did not introduce the bellows (a point not always appreciated by popular retellings)
- ^or of that part of it within flammability limits Visualisations of the output of CFD modelling of the release showing the upper and lower flammable limit envelopes can be found in for both the inquiry's favoured failure scenario and Venart's
- ^As of 2014 a TNT equivalence of 15 or 16 t with no error band seems to be a standard value on popularising websites but estimation of TNT equivalence is inherently inexact. The explosion was estimated to be equivalent to 15–45 t TNT at the Inquiry.[c] 16±2 t at 45 m above ground level was the best-fit estimate of – the gist of their paper is given in the 2nd Report of the Advisory Committee on Major Hazards. TNT equivalence is now thought less useful than more modern approaches to characterisation of vapour cloud explosions and there are no directly comparable estimates of TNT equivalence for the Buncefield event. However, gives a graphical presentation of the raw data (overpressure inferred from damage vs distance from explosion source) for Flixborough (Fig 3.1.2) (in which the data is bounded by TNT equivalent curves for 11.2 t and 60t) and for the Buncefield fire (Fig 3.4.1). For any given distance where the comparison can be made, Flixborough gives a higher estimated over-pressure than Buncefield, and (other things being equal – overpressure estimation techniques might have changed so much in 30 years that the comparison is meaningless) is therefore presumably to be judged the larger explosion.
- ^A leak had developed on the air feed to the reactor, and a water spray had been put on it as a prudent precaution against hot cyclohexane reaching the leak site. The water spray had been nitrate dosed and after the crack was discovered DSM advised that nitrates were known to promote stress corrosion cracking of mild steel. There had been no similar air leaks (and consequently no similar water sprays) on the other reactors.
- ^and the pipework lifted about 6 mm at plant operating temperature because of thermal expansion of the reactors
- ^All gasket materials in the area had been destroyed by the fire, so there was no direct evidence for or against a preceding gasket fault; the plant was known to have suffered leaks elsewhere because the wrong type of gasket had been fitted.
- ^More a long-term solution than an immediate lesson, but a long-held belief of the inquiry's vice-chairman Joseph Pope
- ^ICI Petrochemicals Safety Newsletter 60 (January 1974) summarised a published 1973 conference paper as follows: Unconfined vapour cloud explosions had been experienced since the 1930s; by the early 1970s there had been about 100 known incidents, with about 5 more every year. Significant overpressures could be developed where the release was large, and ignition delayed: at Pernis in 1968 pipebridges had been blown down
- ^Press reporting of both has included the suggestion that the new hypothesis clears the dead operators of the slur of having caused the accident; in fact none of the competing theories makes that claim – unless it is felt that the inquiry report's explicit refusal to blame 'pilot error' by the dead is really an implicit invitation to others to do so
- ^Although this is not commented upon in the reference, the basic physics would suggest that interfacial boiling could be triggered not only by increasing temperature with pressure steady but also by -with temperature steady – reducing pressure e.g. by manual venting
- ^Experimental work carried out for HSE in 2000 confirmed that the vapour pressure of cyclohexane at 155oC is well below plant operating pressure; likewise that of water, but the vapour pressure of immiscible liquids is nearly additive and at operating temperature the sum of vapour pressures would exceed operating pressure – the work was not on a large enough scale to resolve whether disruptive boiling by this mechanism would have created forces large enough to fail the bypass
- ^In addition, King takes the crack on reactor 5 to indicate mechanical design problems: he notes that post-inquiry work on behalf of HSE showed that nitrate stress corrosion cracking only occurs in mild steel in areas subject to abnormal stress; the failure of reactor 5 therefore required not only the presence of nitrate in the cooling water, but some inadequacy in the reactor design leading to high local stress. (The crack skirted a 28" branch,[u] and King is reported elsewhere to have claimed an HSE source had told him that the reactors had been designed against a 9 t thrust upon these branches, not the 38t thrust the inquiry noted the bypass 'design' to have ignored)
- ^(ICI) Heavy Organic Chemicals (Division); the predecessor of ICI Petrochemicals Division
- ^The change in scale was real and much larger than anything experienced since (in 1956 a typical ethylene plant might have a capacity of 30, 000 tpa; in 1974 ICI and BP planned an ethylene plant with a capacity of 500, 000 tpa; as of 2014 an 830,000 tpa unit is still one of the largest in Europe) but it subsequently transpired that Billingham had had similar rules, but they had fallen into disuse
- ^e.g. for one pipe work mod "the plant engineer had not considered it necessary to consult the piping experts, as the pipe was straight, without any bends... As at Flixborough there was a failure to recognise the circumstances in which expert advice should have been sought" – the problem being spotted pre-use by the traditional informal safeguard of a senior engineer walking the plant to have a look at what his subordinates were doing
- ^but not necessarily best practice: some adopters of the approach have felt -or been made to feel- a danger of a group mindset where no off-plant personnel are involved (and the safety culture is not that of ICI) and therefore added a requirement for approval by a responsible person off-plant to ensure that the interests of production are not allowed to override those of safety
- ^this from para 61, where the examples given included 'operability studies'
Report of Court of Inquiry
- ^p 2
- ^p 3
- ^para 89 pp 13–14
- ^para 1 p 1
- ^p 14
- ^Appendix III p 50
- ^p 4
- ^paras 54–59 pp7–8
- ^p 9
- ^p 10 BS 3351
- ^Appendix II pp 46–49
- ^p 32
- ^para 219 p36
- ^para 226, pp 37–38
- ^para 172 p 29
- ^para 141 p 21
- ^para 113 p17
- ^Plate 7
- ^para 203 p 33
- ^para 29
- ^para 31
- ^para 35
- ^paras 58-9
- ^para 63
- ^ ab"Flixborough (Nypro UK) Explosion 1st June 1974: Accident Summary". Health and Safety Executive. Retrieved 25 June 2014.
- ^ ab"Catastrophic explosion of a cyclohexane cloud June 1, 1974 Flixborough United Kingdom"(PDF). French Ministry of the Environment – DPPR / SEI / BARPI.
- ^ abcdefKinnersley, Patrick (27 February 1975). "What really happened at Flixborough?". New Scientist. 65 (938): 520–522. ISSN 0262-4079. Retrieved 7 July 2014.
- ^ abcKletz, Trevor A. (2001). Learning from Accidents, 3rd edition. Oxford U.K.: Gulf Professional. pp. 103–9. ISBN 978-0-7506-4883-7.
- ^ abBooth, Richard (1979). "Safety: too important a matter to be left to the engineers? Inaugural lecture given on 22 February 1979"(PDF). Retrieved 27 June 2014. (minor updating when posted on web in 2013)
- ^ abcdCox, J I (May 1976). "Flixborough – Some Additional Lessons". The Chemical Engineer (309): 353–8. Retrieved 26 June 2014. (updated version of original article)
- ^"FLIXBOROUGH CHEMICAL PLANT (REBUILDING)". Hansard HC Deb. 959 cc179-90. 27 November 1978. Retrieved 10 July 2014.
- ^"LIQUEFIED GAS STORAGE (CANVEY ISLAND)". Hansard HC Deb. 965 cc417-30. 27 March 1979. Retrieved 10 July 2014.
- ^ abcdVenart, J E S. "Flixborough The Disaster and Its Aftermath"(PDF). Retrieved 25 June 2014.
- ^Sudee, C; Samuels, D E; O'Brien, T P (1976–77). "The characteristics of the explosion of cyclohexane at the Nypro (UK) Flixborough plant on 1st June 1974". Journal of Occupational Accidents: 203–235.
- ^ abHealth & Safety Commission (1979). Advisory Committee on Major Hazards: Second Report. London: HMSO. ISBN 0 11 883299 9. Retrieved 7 July 2014.
- ^Bauwens, C Regis; Dorofeev, Sergey B. "Effects of the Primary Explosion Site (PES) and Bulk Cloud in VCE Prediction: A Comparison with Historical Accident"(PDF)
Industrial accidents are severe mishaps that result in injuries to people and damage to property or the environment. For example, an explosion or fire at a pyrotechnics manufacturing facility is an industrial accident, as is the accidental release of toxic chemicals to the environment when a storage tank fails. Types of industrial accidents vary from one place to the next, but most are a result of unsafe conditions and unsafe acts.
This article lists notable industrial disasters, which are disasters caused by industrial companies, either by accident, negligence or incompetence. They are a form of industrial accident where great damage, injury or loss of life are caused.
Other disasters can also be considered industrial disasters, if their causes are rooted in the products or processes of industry. For example, the Great Chicago Fire of 1871 was made more severe due to the heavy concentration of lumber industry facilities, wood houses, and fuel and other chemicals in a small area. The Convention on the Trans boundary Effects of Industrial Accidents is designed to protect people and the environment from industrial accidents.The Convention aims to prevent accidents from occurring, to reduce their frequency and severity,and to mitigate their effects. The Convention addresses primarily industrial accidents in one country that affect the population or the environment of another country. The Convention was drafted following the Seveso disaster and Sandoz disaster.
Energy industry accidents;
- October 1957: The Windscale fire, the worst nuclear accident in Great Britain's history, released substantial amounts of radioactive contamination into the surrounding area at Windscale, Cumberland (now Sellafield, Cumbria).
- May 1962: The Centralia, Pennsylvania coal mine fire began, forcing the gradual evacuation of the Centralia borough. The fire continues to burn in the abandoned borough.
- March 1967: The Torrey Canyon supertanker was shipwrecked off the west coast of Cornwall, England, causing an environmental disaster. This was the first major oil spill at sea.
- August, 1975: The Banqiao Dam failed in the Henan Province of China due to extraordinarily heavy rains and poor construction quality of the dam, which was built during the Great Leap Forward. The flood immediately killed over 100,000 people, and another 150,000 died of subsequent epidemic diseases and famine, bringing the total death toll to around 250,000 and making it the worst technical disaster ever.
- March 16, 1978: The Amoco Cadiz, a VLCC owned by the company Amoco (now merged with BP) sank near the northwest coast of France, resulting in the spilling of 68,684,000 US gallons of crude oil (1,635,000 barrels). This is the largest oil spill from an oil tanker in history.
- March 28, 1979: Three Mile Island accident. Partial nuclear meltdown. Mechanical failures in the non-nuclear secondary system, followed by a stuck-open pilot-operated relief valve in the primary system, allowed large amounts of reactor coolant to escape. Plant operators initially failed to recognize the loss of coolant, resulting in a partial meltdown. The reactor was brought under control but not before up to 481 PBq (13 million curies) of radioactive gases were released into the atmosphere.
- June 3, 1979: Ixtoc I oil spill. The Ixtoc I exploratory oil well suffered a blowout resulting in the third-largest oil spill and the second-largest accidental spill in history.
- November 20, 1980: A Texaco oil rig drilled into a salt mine transforming Lake Peigneur, a freshwater lake before the accident, into a saltwater lake.
- February 15, 1982: Newfoundland, Canada. The mobile offshore oil rig Ocean Ranger was struck by a rogue wave off the coast of Newfoundland, Canada and sank with the loss of all 84 crew.
- July 23, 1984: Romeoville, Illinois, Union Oil refinery explosion killed 19 people.
- November 19, 1984: San Juanico Disaster. An explosion at a liquid petroleum gas tank farm killed hundreds and injured thousands in San Juanico, Mexico.
- April 26, 1986: Chernobyl disaster. At the Chernobyl nuclear power plant in Prypiat, Ukraine a test on reactor number four went out of control, resulting in a nuclear meltdown. The ensuing steam explosion and fire killed up to 50 people with estimates that there may be between 4,000 and several hundred thousand additional cancer deaths over time. Fallout could be detected as far away as Canada. The Chernobyl Exclusion Zone, covering portions of Belarus and Ukraine surrounding Prypiat, remains contaminated and mostly uninhabited. Prypiat itself was totally evacuated and remains as a ghost town.
- May 5, 1988: Norco, Louisiana, Shell Oil refinery explosion. Hydrocarbon gas escaped from a corroded pipe in a catalytic cracker and was ignited. Louisiana state police evacuated 2,800 residents from nearby neighborhoods. Seven workers were killed and 42 injured. The total cost arising from the Norco blast is estimated at US$706 million.
- July 6, 1988: Piper Alpha disaster. An explosion and resulting fire on a North Sea oil production platform killed 167 men. The total insured loss was about US$3.4 billion. To date it is rated as the world's worst offshore oil disaster in terms both of lives lost and impact to industry.
- March 24, 1989: Exxon Valdez oil spill. The Exxon Valdez, an oil tanker bound for Long Beach, California, hit Prince William Sound's Bligh Reef, dumping an estimated minimum 10.8 million US gallons (40.9 million litres, or 250,000 barrels) of crude oil into the sea. It is considered to be one of the most devastating human-caused environmental disasters ever to occur. 100,000 to as many as 250,000 seabirds died, as well as at least 2,800 sea otters, approximately 12 river otters, 300 harbor seals, 247 bald eagles, and 22 orcas, and billions of salmon and herring eggs were destroyed.Overall reductions in population have been seen in various ocean animals, including stunted growth in pink salmon populations.Sea otters and ducks also showed higher death rates in following years, partially because they ingested prey from contaminated soil and also from ingestion of oil residues on their hair/feathers due to grooming.The effects of the spill continue to be felt 20 years later.
- March 23, 2005: Texas City Refinery explosion. An explosion occurred at a BP refinery in Texas City, Texas. It is the third largest refinery in the United States and one of the largest in the world, processing 433,000 barrels of crude oil per day and accounting for three percent of that nation's gasoline supply. Over 100 were injured, and 15 were confirmed dead, including employees of Jacobs, Fluor and BP. BP has since accepted that its employees contributed to the accident. Several level indicators failed, leading to overfilling of a knockout drum, and light hydrocarbons concentrated at ground level throughout the area. A nearby running diesel truck set off the explosion.
- December 11, 2005: Hertfordshire Oil Storage Terminal fire. A series of explosions at the Buncefield oil storage depot, described as the largest peacetime explosion in Europe, devastated the terminal and many surrounding properties. There were no fatalities. Total damages have been forecast as £750 million.
- August 17, 2009: Sayano–Shushenskaya power station accident. Seventy-five people were killed at a hydroelectric power station when a turbine failed. The failed turbine had been vibrating for a considerable time. Emergency doors to stop the incoming water took a long time to close, while a self-closing lock would have stopped the water in minutes.
- February 7, 2010: 2010 Connecticut power plant explosion. A large explosion occurred at a Kleen Energy Systems 620-megawatt, Siemens combined cycle gas- and oil- fired power plant in Middletown, Connecticut, United States. Preliminary reports attributed the cause of the explosion to a test of the plant's energy systems.The plant was still under construction and scheduled to start supplying energy in June 2010. The number of injuries was eventually established to be 27. Five people died in the explosion.
- April 20, 2010: Deepwater Horizon oil spill in the Gulf of Mexico. Eleven oil platform workers died in an explosion and fire that resulted in a massive oil spill in the Gulf of Mexico, considered the largest offshore spill in US history.
- March 2011: Fukushima I nuclear accidents in Japan. Regarded as the largest nuclear disaster since the Chernobyl disaster, there were no direct deaths but a few of the plant's workers were severely injured or killed by the disaster conditions resulting from the earthquake.
- October 29, 2012: Hurricane Sandy caused a ConEdison power plant to explode, causing a blackout in most of midtown Manhattan. The blue light emitted from the arc made places as far as Brooklyn glow. No person was killed or injured.
- July 6, 2013: Lac-Mégantic, Quebec Canada. Lac-Mégantic derailment. Forty-seven people were killed when there was a derailment of an oil shipment train. The oil shipment caught fire and exploded, destroying more than thirty buildings. It was the fourth-deadliest rail accident in Canadian history.
Defense industry accidents:
- December 6, 1917: Halifax, Canada. The Halifax explosion. A ship loaded with about 9000 tons of high explosives destined for France caught fire as a result of a collision in Halifax harbour, and exploded. The explosion killed about 2000 and injured about 9000.
- October 4, 1918: T. A. Gillespie Company Shell Loading Plant explosion. An ammunition plant in Sayreville, New Jersey exploded, killing approximately 100 people, destroying 300 buildings and causing $18 million in damages.
- March 1, 1924: 1924 Nixon Nitration Works disaster. A plant for processing ammonium nitrate in Edison, New Jersey exploded, killing 24 people, injuring 100 and destroying several buildings.
- July 17, 1944: Port Chicago Disaster. A munitions explosion that killed 320 people occurred at the Port Chicago Naval Magazine in Port Chicago, California.
- August 9, 1965: Little Rock AFB in Searcy, Arkansas. 53 contract workers were killed during a fire at a Titan missile silo. The cause of the fire was determined to be a welding rod damaging a hydraulic hose allowing hydraulic vapors to leak and spread throughout the silo, which were then ignited by an open flame.
- April 10, 1988: Ojhri Camp. A military storage center in Rawalpindi, Pakistan exploded, killing more than 1,300 people.
- July 11, 2011: Evangelos Florakis Naval Base explosion, Cyprus. The disaster occurred when 98 containers of gunpowder exploded; 13 people were killed, among them the captain of the base, three commanders, twin brothers who were serving there as marines, and six firefighters, 62 people injured and knocked out the island's power station for days.