Process safety


Authors: Anne Disabato [2014], Tim Hanrahan [2014], Brian Merkle [2014], Spencer Saldana [2015] and Evan Rosati [2016]

Stewards: David Chen, Jian Gong, and Fengqi You

Date Presented: January 19, 2014

The safe design and operation of facilities is of paramount importance to every company that is involved in the manufacture of fuels, chemicals, and pharmaceuticals. Process safety focuses on the prevention of dangerous situations, such as fires, explosions, and the release of chemicals.

The American Institute of Chemical Engineers emphasizes a culture of process safety through four pillars (American Institute of Chemical Engineers, 2015):

1. Commitment to Process Safety: a workforce that is actively involved and an organization that fully supports process safety as a core value will tend to do the right things in the right way at the right time – even when no one else is looking

2. Understanding Hazard and Risk: the foundation of a risk-based approach which will allow an organization to use this information to allocate limited resources in the most effective manner

3. Manage Risk: the ongoing execution of risk based process safety tasks. Risk management can help a company to better deal with the resultant risks and sustain long-term accident free and profitable operations

4. Learn from Experience: Metrics provide direct feedback on the workings of RBPS systems, and leading indicators provide early warning of ineffective process safety performance. Organizations must use their own mistakes and those of others as motivation for action and view them as opportunities for improvement.

For the prevention and management of specific safety hazards, such as fires, explosions, or the release of toxic chemicals, please see Process Hazards.

Layers of Plant Safety

Safety and loss prevention can be expressed as "layers" of plant safety in terms of design and implementation.[1] Each higher layer is activated only if a lower layer fails, giving a system with successive levels of protection that help prevent a catastrophe. The diagram shows the importance of safety in process design: if a process is designed to be inherently safe, the additional safety "controls" matter less and the plant is safer overall. The goal is not to reach the top of the triangle but to stay as close to the bottom as possible. This shows the importance both of inherently safe design and of safety legislation and regulations, which provide guidelines for safety and health concerns. Regulations give engineers a baseline to work from when designing a chemical plant. They have brought safety to the forefront of design, the stage at which engineers have the maximum degree of freedom for implementation, so that safety is no longer an afterthought or strictly a controls issue. Plants can be designed to be safe without extensive reliance on later adaptation, safety controls, or emergency response. Although the upper layers can never be eliminated, designing a process smartly and safely reduces the consequences of "walking up" the process safety triangle.

Layers of Plant Safety Triangle Diagram (increasing plant safety mechanisms)

Safety Legislation

International Regulations

International regulations can be considered best-practice standards that governments adopt through treaties and United Nations resolutions. Most international regulatory bodies can only register complaints about violations; they cannot impose sanctions or fines on infringing parties.

International Labour Organization (ILO)

When the League of Nations was dissolved in 1946, the ILO (founded in 1919) became the first specialized agency of the United Nations in December of that year. [2] The ILO develops labor standards for workers in all industries. Its unique tripartite structure gives an equal voice to workers, employers and governments, so that the views of the social partners are closely reflected in labour standards and in shaping policies and programs. [3] The ILO has established International Labour Standards on Occupational Safety and Health, comprising more than 40 standards specifically dealing with occupational health and safety.[4] The important conventions are listed below:

Occupational Safety and Health Convention, 1981 and Protocol of 2002

  1. The convention provides for the adoption of a national occupational safety and health policy by each ratifying state. It covers actions taken by governments, and within enterprises operating under those governments, to promote the improvement of occupational safety and health and thereby of working conditions.
  2. The additional Protocol of 2002 calls for the establishment and periodic review of procedures for recording and notifying occupational accidents, along with publication of the related accident statistics. This Protocol is similar to the Emergency Planning and Community Right-To-Know Act in the United States (see below).

Occupational Health Services Convention, 1985

  1. Establishment of enterprise-level occupational health services which are entrusted with preventative functions and which are responsible for advising the employer, the workers, and their representatives in the organization on maintaining a safe and healthy work environment.

Promotional Framework for Occupational Safety and Health Convention, 2006

  1. Aims to promote a preventative safety and health culture and to progressively achieve a safe and healthy working environment for all.
  2. Requires ratifying states to develop, in consultation with the most representative organizations of employers and workers, including workers' unions, a national policy, a national system, and a national program on occupational health and safety.
  3. These should be developed in accordance with the Occupational Health Services Convention, 1985, and take into account other ILO standards.
  4. National systems shall provide the infrastructure for implementing national policy and programs, such as domestic laws, regulations, authority bodies, and compliance mechanisms.

Chemicals Convention, 1990

  1. Provides for the adoption and implementation of a coherent policy on the safety in the use of chemicals at work, including production, handling, storage, and transport.
  2. Also includes best practices for the disposal and treatment of waste chemicals and the release of chemicals resulting from work activities, maintenance, and cleaning of equipment.
  3. In addition, it allocates specific responsibilities to suppliers and exporting states.
  4. Chemicals shall be evaluated to determine their level of hazards and employers shall make these hazards known to their employees.

International Organization for Standardization (ISO)

The ISO is an international standards body covering topics such as quality management, environmental management, social responsibility, and risk management. ISO standards are adopted worldwide by organizations and governments as accepted and recognized standards for production. Many of the practices are self-regulating, as customers often demand certain standards from the companies they purchase from.[5] The ISO is developing its own occupational health and safety framework, shown below.

ISO 45001 Occupational Health and Safety Management Systems[6]

  1. Designed to help organizations reduce the burden of occupational injuries and diseases by providing a framework to improve employee safety, reduce workplace risks, and create better, safer working conditions.
  2. Currently under development by a committee of occupational health and safety experts who will follow the management systems approach of ISO 14001 and ISO 9001.
  3. Will incorporate other international standards such as the ILO's Occupational Health and Safety Guidelines.
  4. At the time of writing, publication was expected in October 2016.

US Safety Regulations

Over time, chemical industry regulations have been developed to ensure that the best safety practices are followed to protect the health of both people and the environment. The development of most regulations is based on the idea that organizations have both a legal and a moral obligation to safeguard the health and welfare of their employees and the public.[1] The extent of legislation varies across regions of the globe. In the United States, chemical accidents have led to the creation of regulatory boards and safety-oriented societies, such as the Center for Chemical Process Safety (CCPS) of the American Institute of Chemical Engineers, to aid in the development and implementation of plant safety. [7] In the US, the major federal laws relating to chemical plant safety and their regulations are as follows:

The Occupational Safety and Health Act, 1970

The OSH Act is administered by the Occupational Safety and Health Administration (OSHA) (see below). The Act covers all employers and their employees in the United States, with coverage provided either directly by the federal Occupational Safety and Health Administration or by an OSHA-approved state job safety and health plan.[8] The main provisions of the Act are listed below.

  1. Employers must provide a place of employment free from toxic chemicals, excessive noise, mechanical dangers, or unsanitary conditions.
  2. This involves the implementation of engineering controls to limit exposure to hazards and toxic substances and implementing administrative controls.
  3. For employees, employers must provide personal protective equipment (PPE) and training, including communications of known hazards.
  4. The Occupational Safety and Health Administration (OSHA) was established to promote best practices, inspect facilities for hazard analysis, set standards, and enforce the law.
  5. The National Institute of Occupational Safety and Health (NIOSH) was established to be an independent research institute (now under the Centers for Disease Control).
  6. The Act also encourages states to develop and operate their own job safety and health programs with OSHA as a monitoring agency for these "state plans," which operate under the authority of state law. The standards developed by state plans need to be at least as effective as the federal regulations.[9]
  7. Federal OSHA standards fall into four categories: General Industry, Construction, Maritime (including marine terminals and longshoring), and Agriculture.

The Toxic Substances Control Act (TSCA), 1976

The main provisions of the TSCA give the EPA regulatory power over chemicals, specifically those of the chemical industry, excluding foods, drugs, cosmetics, and pesticides. [10]

  1. The Environmental Protection Agency (EPA) is required to regulate 75,000 chemical substances used in industry.
  2. The EPA has jurisdiction over the safety of the sale or development of new chemicals in the United States, including the requirement for pre-manufacture notification for new chemical substances before manufacture.
  3. The TSCA also addresses the production, importation, use, and disposal of specific chemicals including polychlorinated biphenyls (PCBs), asbestos, radon, and lead-based paint.[11]
  4. Everyone has the right and obligation to report information about any health or environmental effects caused by a chemical. This is especially important for organizations as they are required to report information to the EPA if a chemical substance is found to have substantial risk of injury to health or the environment.

Frank R. Lautenberg Chemical Safety for the 21st Century Act, 2016

This Act, introduced in Congress in 2015 and signed into law in June 2016, revises the Toxic Substances Control Act and attempts to eliminate some of the flaws associated with the TSCA.

  1. One of the biggest flaws in the TSCA was that a new chemical could be used without first demonstrating its safety: chemicals were treated as safe until proven unsafe.[12]
  2. The new Act requires safety testing before a chemical is put into use.
  3. It gives the EPA more clearly defined power over the regulation of chemical substances, and a Sustainable Chemistry Program is to be established. This brings the TSCA into the modern era of the chemical industry.[13]

The Emergency Planning and Community Right-to-Know Act (EPCRA), 1986[14]

The Act was passed by Congress in response to concerns regarding the environmental and safety hazards posed by the storage and handling of toxic chemicals. This legislation was developed as a result of the 1984 chemical disaster in Bhopal, India.[15]

  1. All facilities manufacturing, processing, or storing hazardous chemicals must make plans for major incidents if they were to occur and the plans must be made public so that local communities can be properly informed.
  2. All facilities must also provide Material Safety Data Sheets (MSDSs) to state and local officials as well as local fire departments.
  3. Local governments should help prepare emergency plans and review the plans annually.
  4. State governments are required to oversee and coordinate local planning efforts.
  5. Emergency Notification: Facilities must immediately report accidental releases of chemicals and "hazardous substances" in quantities greater than Reportable Quantities (RQs) defined under the Comprehensive Environmental Response, Compensation, and Liability Act to state and local officials with this information then being available to the public.
  6. Annually, facilities must complete and submit a toxic chemical release inventory form.

Clean Air Act Amendments of 1990

This Amendment to the original Clean Air Act of 1970 was designed to curb three major threats to the nation's environment and health of citizens: acid rain, urban air pollution, and toxic air emissions.[16]

  1. Established the U.S. Chemical Safety and Hazard Investigation Board, an independent federal agency with the goal of ensuring worker and public safety through the prevention or minimization of the effects of chemical accidents. [17]
  2. Attempt to determine the roots and contributing causes of accidents and then provide briefs on the accidents.
  3. Led to the development of cap and trade systems for air pollutants.
  4. Gave the government significantly more power to control air emissions and administer emissions permits.

Additional Legislative Information

For more details on environmental legislation pertaining to release of materials to the environment or the regulations of the loss of containment, see Environmental concerns.

In addition to the above federal regulations, various states and other municipalities have enacted their own legislation regulating chemical plants. These include more specific safety items, such as local fire codes, or stricter versions of aspects of the federal regulations. [1]

Any process design or plant design must always meet the requirements of local and federal mandates and regulations. Without doing so, the wellbeing of plant employees and even the public can be placed into serious jeopardy.

Safety Organizations and Terminology

The Occupational Safety and Health Administration (OSHA) is a federal agency that focuses on the enforcement of safety and health legislation.


The Environmental Protection Agency (EPA) is a U.S. agency whose purpose is the protection of the health of both humans and the environment through the writing and enforcement of regulatory laws.


The Department of Transportation (DOT) oversees federal highway, air, and maritime transportation, and can be involved in the safe transport of chemicals.


The Department of Energy (DOE) is a governmental department tasked with the advancement of energy technology in the United States.



Health, Safety, and Environmental - This term refers to all health, safety, and environmental concerns that arise at each stage of the design process. Companies are required to analyze each part of the process from an HS&E perspective to create a safe and healthy work environment.


Material Safety Data Sheet - Every chemical has an MSDS, which contains the information needed for safe handling and for dealing with spills or other accidents involving the substance. Relevant information includes how to identify the substance, hazard information, and how to handle spills, fires, and exposure, among other things.


Failure Mode and Effects Analysis - FMEA is an early stage approach to identifying critical technical risks using a semi-quantitative procedure. The analysis encompasses safety, environmental, and operational feasibility. When performing FMEA, engineers look to see places in a potential design that could fail, and then quantify how likely that failure is, how severe the results would be, and then offer potential solutions to minimize the risk. A step-by-step guide to performing FMEA is shown below (Northwestern University, 2014):

  1. Brainstorm for failure modes
  2. For each FM, rate severity of impact (SEV, 1 - 10).
  3. For each FM, brainstorm for possible causes (there may be multiple).
  4. For each cause, rate likelihood of occurring (OCC, 1 - 10).
  5. Rate the probability that the systems currently in place will detect and prevent the problem before it has an impact (DET, 10 - 1). Do not assume that something that will be added to the design later will take care of the problem.
  6. Overall Risk Priority Number RPN = SEV x OCC x DET. Most practitioners use the 1, 4, 7, 10 scale below to increase granularity. Note that the DET scale is inverse to SEV and OCC: a high DET means the current controls are unlikely to catch the failure.


Figure 1: Suggested scale to be used for quantifying risk and detection of failures in FMEA. Taken from ChE 351 Slides.

The sum of all information collected is implemented into a spreadsheet like the one shown below:


Figure 2: Example spreadsheet used to organize FMEA data.
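The FMEA procedure above, carried through in code as an added example (this is not code from the original page or from ChE 351). It applies the 1, 4, 7, 10 scale to SEV, OCC and DET, computes RPN = SEV x OCC x DET per cause, rejects off-scale ratings, and ranks the worksheet rows highest-risk first. The failure modes, causes and ratings are constructed for illustration only.

```python
"""Worked FMEA risk-priority ranking (added example, not from the page).
The worksheet below is constructed; the ratings are illustrative."""
from dataclasses import dataclass

# Step 6 of the page's procedure: the coarser 1,4,7,10 scale.
ALLOWED = {1, 4, 7, 10}


@dataclass(frozen=True)
class Cause:
    description: str
    occ: int   # likelihood the cause occurs: 1 = remote, 10 = near certain
    det: int   # 10 = current controls will NOT detect it, 1 = reliably detected


@dataclass(frozen=True)
class FailureMode:
    name: str
    sev: int   # severity of the effect: 1 = negligible, 10 = catastrophic
    causes: tuple


def rpn(sev, occ, det):
    """Risk Priority Number = SEV x OCC x DET.

    Each rating must be on the 1,4,7,10 scale; anything else is a
    worksheet entry error and is rejected rather than silently scored."""
    for rating in (sev, occ, det):
        if rating not in ALLOWED:
            raise ValueError(f"rating {rating} is not on the 1,4,7,10 scale")
    return sev * occ * det


def rank(failure_modes):
    """Return (failure mode, cause, RPN) rows, highest risk first.

    Ranking is per cause, not per failure mode, because each cause has
    its own occurrence and detection rating (steps 3 to 5 on the page)."""
    rows = [(fm.name, c.description, rpn(fm.sev, c.occ, c.det))
            for fm in failure_modes for c in fm.causes]
    return sorted(rows, key=lambda row: row[2], reverse=True)


def above_threshold(failure_modes, threshold=100):
    """Rows whose RPN meets the action threshold (threshold is an assumption)."""
    return [row for row in rank(failure_modes) if row[2] >= threshold]


# Constructed sample worksheet for a pressurised toxic-intermediate storage
# tank. DET is rated against controls that exist NOW, per step 5: a
# scrubber that is planned but not installed does not lower DET.
SAMPLE = (
    FailureMode("Water ingress into storage tank", sev=10, causes=(
        Cause("Backflow during line flushing, no check valve", occ=4, det=7),
        Cause("Leaking cooling coil", occ=1, det=10),
    )),
    FailureMode("Relief vapour reaches atmosphere", sev=10, causes=(
        Cause("Scrubber taken offline for maintenance", occ=4, det=4),
    )),
    FailureMode("Level transmitter reads low", sev=4, causes=(
        Cause("Impulse line plugged", occ=7, det=4),
    )),
)

if __name__ == "__main__":
    for mode, cause, score in rank(SAMPLE):
        print(f"{score:4d}  {mode}: {cause}")
```

The ordering shows why the page insists on rating detection against current controls: the low-probability cooling-coil leak (OCC 1) still scores 100 because nothing in place would detect it, which is the kind of row a severity-only review would drop.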


Hazard and Operability Study - For more information regarding HAZOP, please refer to Process Hazards.


Safety Integrity Levels - The SIL is the relative level of risk reduction provided by a safety function, or a target level of risk reduction to be specified. A SIL is determined from a number of qualitative factors such as the development process and safety life-cycle management. Several methods are used, such as risk matrices, risk graphs, and layer of protection analysis (LOPA). Three levels of safety integrity are assigned depending on the "availability" of the safety instrumented system (SIS), as shown below (Towler et al., 2012):


Figure 3: Table of safety integrity levels based on availability of system. Taken from (Towler et al., 2012).

A redundant system is one in which instrumentation is duplicated; a higher level of redundancy in the trip system gives a higher SIL. The required SIL should be determined during the process hazard analysis and depends on the risk of operator exposure and injury.

1 Instrument

  • if it signals, plant goes down
  • Probability of incident = probability of instrument failure
  • Probability of spurious trip = false positive rate of one instrument

2 Instruments

  • 1 out of 2 voting (1oo2): if either instrument signals, the plant goes down
    • Probability of a missed incident reduced by duplication (both must fail)
    • Probability of a spurious trip roughly doubled
  • 2oo2 voting: both instruments must signal for the plant to go down
    • Probability of a missed incident worse than with a single instrument (roughly twice the likelihood that the trip is unavailable)
    • Probability of a spurious trip reduced (both must signal falsely)

3 Instruments

  • 2oo3 voting
    • Best overall trade-off between reducing incident rate and spurious trip rate
    • One malfunctioning instrument does not cause trip or prevent detection of real incident
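The trade-off described in the three voting schemes above, made quantitative as an added example (not code from the original page or from Towler et al.). It assumes n independent, identical instruments, each with probability p of failing to respond to a real demand (a dangerous failure) and probability q of signalling a trip when nothing is wrong; both are illustrative assumptions, as are the p = 0.01 and q = 0.02 used in the comparison. With those, a koon scheme misses an incident when at least n-k+1 instruments have failed dangerous, and trips spuriously when at least k signal falsely, so both are binomial tails.

```python
"""Missed-incident and spurious-trip probabilities for koon voting
(added example, not from the page). Assumes independent, identical
instruments; p and q below are illustrative."""
from math import comb


def at_least_k_of_n(k, n, prob):
    """Binomial tail: probability that at least k of n independent
    instruments are in a state each reaches with probability prob."""
    return sum(comb(n, i) * prob ** i * (1 - prob) ** (n - i)
               for i in range(k, n + 1))


def missed_incident(k, n, p):
    """A real demand is missed when fewer than k instruments can signal,
    i.e. when at least n-k+1 of them have failed dangerous."""
    return at_least_k_of_n(n - k + 1, n, p)


def spurious_trip(k, n, q):
    """A false trip occurs when at least k instruments signal spuriously."""
    return at_least_k_of_n(k, n, q)


SCHEMES = {"1oo1": (1, 1), "1oo2": (1, 2), "2oo2": (2, 2), "2oo3": (2, 3)}


def compare(p=0.01, q=0.02):
    """Return {scheme: (P(missed incident), P(spurious trip))}.

    p = per-demand probability an instrument fails to respond (assumed);
    q = probability an instrument signals with no real demand (assumed)."""
    return {name: (missed_incident(k, n, p), spurious_trip(k, n, q))
            for name, (k, n) in SCHEMES.items()}


def best_balanced(p=0.01, q=0.02):
    """Scheme that minimises the worse of the two probabilities; with the
    assumed p and q this reproduces the page's claim that 2oo3 is the best
    overall trade-off."""
    results = compare(p, q)
    return min(results, key=lambda name: max(results[name]))


if __name__ == "__main__":
    for name, (miss, trip) in compare().items():
        print(f"{name}: P(missed incident)={miss:.2e}  P(spurious trip)={trip:.2e}")
    print("best balanced:", best_balanced())
```

With the assumed values, 1oo2 cuts the missed-incident probability from 1e-2 to 1e-4 but nearly doubles spurious trips; 2oo2 does the reverse; 2oo3 keeps both small, which is the point the page makes in words. The independence assumption is the weak spot in practice: a common-cause failure (shared impulse line, shared power supply, same miscalibration) defeats all three schemes equally and is why LOPA and SIL assessments add a common-cause factor on top of these numbers.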

Safe Design

Inherently Safe Design

Inherently safe design of a particular process can be achieved by adhering to the following six strategies (Turton et al., 2003):

1. Substitution: Avoid using or producing hazardous materials on the plant site. If the hazardous material is an intermediate product, for example, alternate chemical reaction pathways might be used. In other words, the most inherently safe strategy is to avoid the use of hazardous materials.

2. Intensification: Attempt to use less of the hazardous materials. In terms of a hazardous intermediate, the two processes could be more closely coupled, reducing or eliminating the amount of intermediate produced. The inventories of hazardous feeds or products can be reduced by enhanced scheduling techniques such as just-in-time (JIT) manufacturing.

3. Attenuation: Reducing, or attenuating, the hazards of materials can often be effected by lowering the temperature or adding stabilizing additives. By using materials under less hazardous conditions, the potential consequences of a leak are reduced.

4. Containment: If the hazardous materials cannot be eliminated, they at least should be stored in vessels with mechanical integrity beyond any reasonably expected temperature or pressure excursion. This is an old but effective strategy to avoid leaks. However, it is not as inherently safe as substitution, intensification, or attenuation.

5. Control: If a leak of hazardous material does occur, there should be safety systems that reduce its effects. For example, chemical facilities often have emergency isolation of the site from the normal storm sewers, and large tanks for flammable liquids are surrounded by dikes that prevent any leaks from spreading to other areas of the plant. Scrubbing systems and relief systems in general are in this category. They are essential because they allow controlled, safe release of hazardous materials rather than an uncontrolled release from a vessel rupture.

6. Survival: If leaks of hazardous materials do occur and they are not contained or controlled, the personnel (and the equipment) must be protected. This lowest level of the hierarchy includes fire fighting, gas masks, and so on. Although essential to the total safety of the plant, the greater the reliance on survival of leaks rather than elimination of leaks, the less inherently safe the facility.

Safety Legislation and Process Design

Inherent Process Plant Safety

Through the enactment of safety regulation shown above, process design has inherently become safer. These regulations have made safety the first and foremost important concern when designing a new chemical plant. In general, the safety of a process relies on multiple layers of protection, but the first and most important layer of protection has become the process design feature. Greater tolerances are built into the designing of processes to more effectively prevent catastrophic failures or chemical leakage. The best approach to prevent accidents is to add process design features, involving chemistry and physics, to prevent hazardous situations.

Examples of Inherently Safe Process Design[18]
  1. Vapor Release: Vapor released from spills can be minimized by designing dikes so that flammable and toxic materials will not accumulate around leaking tanks. This also prevents potential flammable materials from building up and causing an explosion.
  2. Containment Building: Design can be important for the containment of toxic spills. With the addition of automatic or remote controls, personnel can leave the area if a spill or breach occurs, while the area can be continuously monitored.
  3. Solvent Substitution (Safety through Substitution): Substituting safer, less hazardous materials into the design, for example designing the process to use less toxic or less flammable solvents. Examples are water-based paints and adhesives, and aqueous or dry flowable formulations for agricultural chemicals, as opposed to more volatile solvents that release VOCs.
  4. Design for Lower Temperature and Pressure (Safety through Moderation): Use a hazardous material under less hazardous conditions, such as lower pressure and temperature. This lowers the scale of the catastrophe if downstream safety systems do fail.

Control Systems Safety

Legislation has also added further layers of controls. For example, environmental process controls have been added to prevent releases to nearby air and water systems, which would endanger surrounding ecosystems and human populations.

Assessing Preliminary Design

While pilot plants are necessary for designing effective plant equipment, the scale-up to an industrial chemical plant carries its own dangers. Scaling up without accurate literature and experimental data can be very dangerous.

In every step of process design, the Health, Safety, and Environmental (HS&E) analysis must be carried out with the available technical information (Biegler et al., 1997).



Figure 4: General steps in the design process and analysis to be carried out at each stage. Taken from (Biegler et al., 1997).

Economic Cost of Safety

The cost of safety installations and fire protection systems ranges from 0.5 to 1.6% of the fixed-capital investment of a plant, but expenditures are often much higher than this, and they are difficult to estimate for a given plant.

In addition, designers also examine the economic impact of safety and maintenance issues. For instance, they may determine that the plant reactor configuration can be improved, and with improved operator training facilities, it can run with improved safety. These hidden costs must be considered when determining the economic feasibility of operation (Biegler et al., 1997).

Benefits of Inherent Safety Over Conventional Safety

The outdated method of implementing safety into process design came very late in the design process: the physical equipment or the process itself was changed very little, and conventional safety methods consisted of adding controls. Inherent process safety is instead developed very early in the design process and can lead to very significant cost savings overall. The comparison is made with two ratios of safety cost to loss cost, the Conventional Safety Cost Index (CSCI) and the Inherent Safety Cost Index (ISCI):

\text{CSCI} = \frac{C_{\text{conventional safety}}}{C_{\text{loss}}}, \qquad \text{ISCI} = \frac{C_{\text{inherent safety}}}{C_{\text{loss}}}

The safety costs are easy to determine, as they are any additive change to a standard design. The difficulty lies in calculating the cost of losses, which must be the sum of losses of assets, production, environmental cleanup, and potential human health losses. A diagram of the methods for calculating the cost of losses is shown below:[19]

Methods for Calculating Process Loss Costs (Cost in Process Failures)

Other Process Safety Considerations

The safety and well-being of the consumers using the eventual product should be considered in process safety. The risks involved in using a product should be clearly communicated to the consumer by industrial leaders.

Human Error is another safety risk that is difficult to quantify. The intervention of well-trained operators is a vital layer in process safety (Peters et al., 2003).

Case Study: Production of Ultrapure Hydrogen

A hydrogen production plant with a box steam reformer

To walk through the process safety considerations in designing a chemical plant, the relatively simple example of high-purity hydrogen generation is examined. First, various technologies are researched to determine the options that best meet the economic, physical, environmental, and safety constraints of the project. For this project, steam reforming, autothermal reforming, and partial oxidation were investigated. Technologies that lack widespread implementation carry inherent safety risks, as they have higher uncertainties in reliability, feasibility, and cost. Autothermal reforming requires oxygen and is not a commercially popular method. Partial oxidation requires no catalyst but needs high process temperatures and is complex to implement. After each process was analyzed and scored in a decision matrix, steam reforming was chosen as the base process technology. It was selected because it is a safe, well-known, low-emission, traditional process in use all over the world for the production of hydrogen. Steam reforming produces minimal waste compared to the alternative processes and is capable of producing the necessary 100 MMscfd of 99.999% hydrogen gas. It is important to remember that both local and global environmental emissions can harm the general public, so they should be treated as safety concerns in the same way as worker hazards. Next, various reactor types, catalysts, and separation methods were evaluated for the chosen base process. In all, seven processing stages were assessed: the initial heating of the feed, the steam reforming reactor, the high- and low-temperature water-gas shift reactors, the amine plant, the methanation reactor, the gas compression and cooling train, and the pressure swing adsorption unit.

Although worker safety is always the first priority in a plant, there are inherent risks associated with high-temperature and high-pressure processes. Close attention was paid to making the preliminary plant design as inherently safe as possible. Preliminary FMEA and HAZOP analyses were conducted to identify the highest-priority risks. Hazards were mitigated by substituting less hazardous materials where possible, storing only the necessary hazardous materials on site, lowering temperatures where possible, adding controls against catastrophic failure, maximizing plant automation where economically feasible, and requiring worker personal protective equipment. Finally, the FMEA and HAZOP analyses were repeated. These steps were iterated until a sufficient reduction in risk had been achieved.

Case Study: Bhopal Disaster

The dispersal of the deadly cloud of gas from the Union Carbide plant in the Indian city of Bhopal

On December 3, 1984, at the Union Carbide India Limited pesticide plant in Bhopal, India, water entered a storage vessel containing over 80,000 lbs. of methyl isocyanate (MIC), a chemical intermediate in the pesticide synthesis process. The resulting reaction caused a rapid increase in temperature accompanied by boiling, which drove toxic MIC vapors out of the tank. In addition, the MIC-water reaction produced methylamine and carbon dioxide gases, among other toxic products, which also contributed to the pressure increase (Union Carbide Corporation, 1967). These vapors passed into a scrubber and flare system that were not working at the time because of inadequate maintenance and safety practices. As a result, approximately 25 tons of MIC vapor were released, killing over 3,800 people immediately and injuring roughly 20,000 in the surrounding area.

As a result of the incident, Union Carbide was forced to pay $470 million, as well as fund a hospital in Bhopal that was used specifically to treat victims of the disaster. Cleanup of the plant site and other legal action are still being determined to this day. Bhopal sparked a worldwide discussion on chemical process safety, and caused Congress to create the U.S. Chemical Safety Board (CSB). The CSB has since cited the following reasons as causes for the disaster:

  • No process hazard analysis
  • Poorly maintained equipment and safety system
  • Lack of emergency response planning
  • Inadequate training for operators

The CSB has pushed chemical safety reform since its inception, urging the chemical industry to produce inherently safer designs, use better-quality equipment, and develop more thorough risk management plans. A major criticism of the Bhopal process was its lack of inherently safe design. Because MIC was an intermediate, there was no reason to keep large quantities in storage; a modern design would consume the intermediate as it is made (Eckerman et al., 2005).

Although chemical process safety has come a long way since 1984, the chemical industry still battles problems similar to Bhopal to this day. In 2008, a disaster similar to Bhopal could have occurred at a plant originally designed by Union Carbide in Institute, West Virginia, after a runaway reaction caused a pressure buildup in a waste treatment vessel. The vessel exploded, killing two plant workers. Fortunately, the explosion missed a large MIC storage vessel, which could have been struck by shrapnel and released tons of MIC (Blanc et al., 2009). In 2013, an ammonium nitrate explosion killed 15 and seriously injured 200 in West, Texas, in a blast radius similar to the one experienced in Bhopal (U.S. Chemical Safety Board, 2014).

Case Study: Deepwater Horizon Explosion and Oil Spill

The burning Deepwater Horizon rig after the explosions; the blowout preventer failed to seal the well

On April 20, 2010, on the Deepwater Horizon offshore drilling rig at the Macondo Prospect in the Gulf of Mexico, a series of explosions killed 11 workers and seriously injured 17. The rig burned for about 36 hours before sinking. Because the well could not be sealed, nearly 5 million barrels of oil flowed into the Gulf over the following 87 days, making the incident the largest offshore oil spill in U.S. history. Flow was finally stopped by a capping stack fitted to the wellhead 5,000 feet below the surface; a "static kill," the injection of heavy mud and cement from above, and a relief well then permanently sealed the well in September 2010.

The key safety failure identified by the CSB was the failure of the blowout preventer (BOP), a stack of large valves on the seafloor that is meant to seal the wellbore, including the annular space between the drill pipe and the casing, if formation fluids flow into the well. It is electrically and hydraulically controlled from the rig and connected to it by a large-diameter pipe called a riser. The stack contains annular preventers and pipe rams, which close around the drill pipe to seal the annulus, and a blind shear ram, which is designed to cut through the pipe and seal the well completely.

On the night of the incident, a "kick" occurred: hydrocarbons from the formation entered the wellbore and began rising toward the rig. Under normal conditions the hydrostatic pressure of the drilling mud column is the primary barrier against kicks, but by this point much of the mud had been displaced by lighter seawater in preparation for temporarily abandoning the well. When the kick was detected the crew closed an upper annular preventer, which failed to seal, and then a pipe ram, which did. However, once the ram sealed, the pressure below the seal rose far above the pressure above it, and the resulting load on the drill pipe placed it in "effective compression," buckling it and pushing it off center inside the BOP. Meanwhile the gas had already reached the rig, found an ignition source, and triggered the explosions. The explosions severed the electrical, hydraulic, and communication lines to the BOP, which should have triggered the final failsafe, the Automatic Mode Function (AMF), also called the deadman: two redundant control pods, yellow and blue, each carrying 9 volt and 27 volt battery banks that power the solenoid valves needed to fire the blind shear ram. The CSB found that the blue pod's 27 volt battery was depleted, so it could not fire, and that a solenoid valve in the yellow pod was miswired; it concluded the blind shear ram most likely closed anyway. Because the pipe was off center, the ram could not cut it cleanly and only partially sealed the well. The flow was temporarily contained by a cap, and relief wells were eventually used to seal the well months later (U.S. Chemical Safety Board, 2014).

Carol Browner, head of the White House Office of Energy and Climate Change Policy, called the Deepwater Horizon spill the "worst environmental disaster the US has faced" (BBC News, 2010). Over 8,000 species were estimated to have been affected, through the toxicity of the released petroleum, oxygen depletion, and the large quantities of Corexit, a dispersant that is itself toxic to marine life and was applied at the seabed wellhead on an unprecedented and untested scale (Biello, 2010; Butler, 2011; Froomkin, 2010).

BP, Transocean, and Halliburton were the major parties implicated. Investigations found that essential safety documentation, including risk management and emergency procedure information, was missing. The most serious accusations were aimed at BP, which the Department of Justice charged with recklessness and gross negligence (CNN Money, 2012). In January 2013, Transocean agreed to pay $1.4 billion in criminal and civil penalties for Clean Water Act violations (Department of Justice Office of Public Affairs, 2013). BP pleaded guilty to criminal charges in November 2012 and agreed to $4.5 billion in fines and penalties; its civil liability, settled in 2015, ultimately came to roughly $20 billion.

Case Study: Texas City Refinery Explosion

Emergency response workers fight secondary fires caused by the isomerization unit explosion at the Texas City refinery

On March 23, 2005, at the BP refinery in Texas City, Texas, a hydrocarbon vapor cloud ignited, killing 15 workers and injuring about 180 others. Over the course of an 11-hour period, a combination of instrument failures, mismanagement, and worker fatigue led to the buildup and release of extremely hot, flammable liquid and vapor. The process unit involved was an isomerization (ISOM) unit; wooden trailers housing contractors servicing the adjacent Ultracracker unit had been placed next to it.

In the early morning of March 23, operators began startup by pumping raffinate (a liquid hydrocarbon stream) into the raffinate splitter tower, which separates light and heavy gasoline components. A level transmitter and two high-level alarms monitored the liquid level in the bottom of the tower. The transmitter's range spanned only about 9 feet of liquid, and the written procedure called for a level of about 6.5 feet. Operators, however, routinely filled the tower above the transmitter's range to avoid level fluctuations that could starve the downstream furnace of feed and damage it. The first high-level alarm sounded as the level rose, but the second, redundant alarm higher up the tower failed to activate. Feed was stopped with the level at roughly 13 feet, beyond what the instrument could read, so operators had no way of knowing the actual height. The night lead operator relayed the startup status to another operator and left an hour before his shift ended. The day board operator arrived at 6 am for his thirtieth consecutive 12-hour shift, and the only written handover in the logbook read, "Isom* Brought in some raff to unit, to pack raff with." The day supervisor arrived about an hour late and so missed the handover from the night shift. Feed was restarted and circulation established, adding more liquid to the tower, and conflicting instructions left the level control valve on the tower bottoms closed for several hours, so no liquid left the tower. The furnace was then lit to begin heating, and the supervisor left to attend a family medical emergency.

By noon the actual liquid level had reached about 98 feet, while the level transmitter, calibrated for a denser fluid than the hot raffinate now in the tower, read 8.4 feet. At 12:41 pm a high-pressure alarm prompted operators to open a chain-operated vent valve, sending vapor to an outdated blowdown drum that vented directly to the atmosphere, and to cut the furnace firing to reduce pressure. Concerned about the high level and lack of product flow, operators then opened the bottoms level control valve to send liquid to storage. The hot bottoms product passed through a heat exchanger that preheated the incoming feed, so the liquid in the tower heated further, expanded, and boiled over into the overhead vapor line, placing extreme pressure on the relief system. At 1:14 pm the three relief valves opened, discharging liquid to the blowdown drum, which filled and overflowed into the unit's process sewer, setting off alarms there, while the drum's own high-level alarm failed to activate. Flammable liquid and vapor erupted from the top of the blowdown drum's stack, formed a large vapor cloud, and found an ignition source, most likely an idling pickup truck nearby. The blast set fires throughout the unit; all 15 of those killed were in or around the wooden trailers adjacent to it (U.S. Chemical Safety Board, 2008).

Investigations cited multiple failures to act on earlier safety recommendations at the Texas City refinery. Among them, the blowdown drum was to have been replaced with a flare that would burn off hydrocarbons rather than venting them, but budget cuts at BP kept it in service. The training and treatment of workers were also called into question, as fatigue, poor shift communication, and inadequate written procedures contributed to the disaster, as did siting occupied trailers next to a hazardous unit. Decisions such as routinely running an unsafe liquid level to protect the furnace reflected a culture in which cost and production took priority over process safety. OSHA fined BP a then-record $21 million in 2005, and in 2009 proposed a further $87 million for failing to correct hazards identified after the explosion (New York Times, 2010; U.S. Chemical Safety Board, 2008).


Direct Citation References

  1. G.P. Towler, R. Sinnott. Chemical Engineering Design: Principles, Practice and Economics of Plant and Process Design. Elsevier, 2012.
  2. ISO Photo Gallery. Accessed February 13, 2016.
  3. ISO. "How the ISO Works." Accessed February 13, 2016.
  4. ILO. "International Labour Standards on Occupational Safety and Health." Accessed February 13, 2016.
  5. ISO. Home Page. Accessed February 13, 2016.
  6. ISO 45001. "Occupational health and safety." Accessed February 13, 2016.
  7. Seider WD, Seader JD, Lewin DR, Seider WD. Product and Process Design Principles: Synthesis, Analysis, and Evaluation. New York: Wiley; 2004.
  8. United States Department of Labor. "Safety and Health Standards: Occupational Safety and Health."
  9. United States Department of Labor. "Safety and Health Standards: Occupational Safety and Health."
  10. Environmental Protection Agency. "Summary of the Toxic Substances Control Act." Accessed February 13, 2016.
  11. Environmental Protection Agency. "Summary of the Toxic Substances Control Act." Accessed February 13, 2016.
  12. Sheppard, Kate. "Senators Introduce Bill to Overhaul U.S. Chemical Industry." Accessed February 13, 2016.
  13. S.697 - 114th Congress (2015-2016): Frank R. Lautenberg Chemical Safety for the 21st Century Act. Accessed January 27, 2016.
  14. US Government Printing Office. Emergency Planning and Community Right to Know. Accessed February 13, 2016.
  15. What is EPCRA? EPA. Published November 10, 2015. Accessed January 27, 2016.
  16. Environmental Protection Agency. "1990 Clean Air Act Amendment Summary." Accessed February 13, 2016.
  17. Seider WD, Seader JD, Lewin DR, Seider WD. Product and Process Design Principles: Synthesis, Analysis, and Evaluation. New York: Wiley; 2004.
  18. Crowl, Daniel A., and Joseph F. Louvar. Chemical Process Safety: Fundamentals with Applications. ISBN 9780132440554.
  19. Khan, F.I., and P.R. Amyotte. "I2SI: A comprehensive quantitative tool for inherent safety and cost evaluation." Journal of Loss Prevention in the Process Industries. Elsevier.

Additional References

  1. American Institute of Chemical Engineers.
  2. Biello, David (9 June 2010). "The BP Spill's Growing Toll On the Sea Life of the Gulf". Yale Environment 360. Yale School of Forestry & Environmental Studies. Retrieved 2010-06-14.
  3. Blanc, P. Bhopal, 1984 – West Virginia near-miss, 2008. Psychology Today, December 2009.
  4. Butler, J. Steven (3 March 2011). "BP Macondo Well Incident. U.S. Gulf of Mexico. Pollution Containment and Remediation Efforts" (PDF). Lillehammer Energy Claims Conference. BDO Consulting. Retrieved 17 February 2013.
  5. “DOJ accuses BP of ‘gross negligence’ in Gulf oil spill” CNN Money, September 2012.
  6. Eckerman, I. The Bhopal Saga: Causes and Consequences of the World’s Largest Industrial Disaster. Universities Press Private Limited, 2005.
  7. Froomkin, Dan (29 July 2010). "Scientists Find Evidence That Oil And Dispersant Mix Is Making Its Way Into The Foodchain". Huffington Post.
  8. "Gulf of Mexico oil leak 'worst US environment disaster'". BBC News. 30 May 2010.
  9. Investigation Report: BP Refinery Explosion and Fire, U.S. Chemical Safety Board, 2008.
  10. Lyall, Sarah. "In BP’s Record, a History of Boldness and Costly Blunders." New York Times, July 13, 2010.
  11. L.T. Biegler, I.E. Grossmann, A.W. Westerberg. Systematic Methods of Chemical Process Design. Prentice-Hall: Upper Saddle River, 1997.
  12. M.S. Peters, K.D. Timmerhaus. Plant Design and Economics for Chemical Engineers, 5th Ed. McGraw-Hill: New York, 2003.
  13. Northwestern University. Chemical Engineering 351 Lecture Slides.
  14. Reflections on Bhopal After Thirty Years Video, U.S.Chemical Safety Board, December 2014.
  15. R.T. Turton, R.C. Bailie, W.B. Whiting, J.A. Shaeiwitz. Analysis, Synthesis, and Design of Chemical Processes. Prentice Hall: Upper Saddle River, 2003.
  16. Union Carbide Corporation "Methyl Isocyanate" Product Information Publication, F-41443, November 1967.
  17. USCSB Deepwater Horizon Video, U.S.Chemical Safety Board, June 2014.
  18. "Transocean Agrees to Plead Guilty to Environmental Crime and Enter Civil Settlement to Resolve U.S. Clean Water Act Penalty Claims from Deepwater Horizon Incident". Department of Justice Office of Public Affairs. January 3, 2013.