
MORE INCIDENTS THAT
DEFINE PROCESS SAFETY

CENTER FOR CHEMICAL PROCESS SAFETY
of the
AMERICAN INSTITUTE OF CHEMICAL ENGINEERS
New York, NY
This edition first published 2020
© 2020 the American Institute of Chemical Engineers
A Joint Publication of the American Institute of Chemical Engineers and John Wiley & Sons, Inc.
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or
transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or
otherwise, except as permitted by law. Advice on how to obtain permission to reuse material from
this title is available at http://www.wiley.com/go/permissions.
The rights of CCPS to be identified as the author of the editorial material in this work have been
asserted in accordance with law.
Registered Office
John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, USA
Editorial Office
111 River Street, Hoboken, NJ 07030, USA
For details of our global editorial offices, customer services, and more information about Wiley
products visit us at www.wiley.com.
Wiley also publishes its books in a variety of electronic formats and by print-on-demand. Some
content that appears in standard print versions of this book may not be available in other formats.
Limit of Liability/Disclaimer of Warranty
While the publisher and authors have used their best efforts in preparing this work, they make no
representations or warranties with respect to the accuracy or completeness of the contents of this
work and specifically disclaim all warranties, including without limitation any implied warranties
of merchantability or fitness for a particular purpose. No warranty may be created or extended by
sales representatives, written sales materials or promotional statements for this work. The fact that
an organization, website, or product is referred to in this work as a citation and/or potential source
of further information does not mean that the publisher and authors endorse the information or
services the organization, website, or product may provide or recommendations it may make. This
work is sold with the understanding that the publisher is not engaged in rendering professional
services. The advice and strategies contained herein may not be suitable for your situation. You
should consult with a specialist where appropriate. Further, readers should be aware that websites
listed in this work may have changed or disappeared between when this work was written and
when it is read. Neither the publisher nor authors shall be liable for any loss of profit or any other
commercial damages, including but not limited to special, incidental, consequential, or other
damages.

Library of Congress Cataloging-in-Publication Data is available.



ISBN: 9781119561347

Cover Design: Wiley

Printed in the United States of America

10 9 8 7 6 5 4 3 2 1
More Incidents that Define Process
Safety

It is our sincere intention that the information presented in this
document will lead to an even more impressive safety record for
the entire industry; however, neither the American Institute of
Chemical Engineers (AIChE), its consultants, CCPS Technical
Steering Committee and Subcommittee members, their
employers, their employers’ officers and directors, warrant or
represent, expressly or by implication, the correctness or
accuracy of the content of the information presented in this
document. As between (1) AIChE, its consultants, CCPS Technical
Steering Committee and Subcommittee members, their
employers, their employers’ officers and directors, and (2) the
user of this document, the user accepts any legal liability or
responsibility whatsoever for the consequence of its use or
misuse.

Table of Contents
1 Introduction
1.1 WHY A SECOND VOLUME?
1.2 CCPS RISK BASED PROCESS SAFETY ELEMENTS
1.3 HUMAN PERFORMANCE
1.4 ORGANIZATION OF THIS BOOK
1.5 Engineering Design
1.6 How To Use The Book
1.7 Final Note
2 Reactive Chemical Incidents
2.1 Introduction
2.2 T2 Laboratories Runaway Reaction and Explosion, Florida, US, 2007
2.3 HOECHST GRIESHEIM RUNAWAY REACTION, GERMANY, 1993
2.4 ARCO CHANNELVIEW EXPLOSION, TEXAS, US, 1990
2.5 AMMONIUM NITRATE INCIDENTS
2.6 WEST FERTILIZER COMPANY AN EXPLOSION, TEXAS, US, 2013
2.7 RUI HAI INTERNATIONAL LOGISTICS AN EXPLOSION, TIANJIN, CHINA, 2015
2.8 PORT NEAL AMMONIUM NITRATE EXPLOSION, IOWA, US, 1994
2.9 HICKSON & WELCH JET FLAME, UK, 1992
2.10 OTHER INCIDENTS
2.11 ADDITIONAL RESOURCES

3 Fire Incidents
3.1 INTRODUCTION
3.2 HOEGANAES METAL DUST FIRES, TENNESSEE, US, 2011
3.3 CHEVRON RICHMOND REFINERY FIRE, CALIFORNIA, US, 2012
3.4 VALERO-MCKEE LPG REFINERY FIRE, TEXAS, US, 2007
3.5 BLSR DEFLAGRATION AND FIRE, TEXAS, US, 2003
3.6 SIMILAR INCIDENTS
3.7 ADDITIONAL RESOURCES
4 Explosion Incidents
4.1 INTRODUCTION
4.2 BUNCEFIELD STORAGE TANK OVERFLOW AND EXPLOSION, UK, 2005
4.3 PETROLEUM OIL LUBRICANTS EXPLOSION, JAIPUR, INDIA 2009
4.4 CELANESE PAMPA EXPLOSION, TEXAS, US, 1987
4.5 WILLIAMS OLEFINS HEAT EXCHANGER RUPTURE, LOUISIANA, US, 2013
4.6 IMPERIAL SUGAR DUST EXPLOSION, GEORGIA, US, 2008
4.7 HAYES LEMMERZ DUST EXPLOSION, INDIANA, US, 2003
4.8 VARANUS ISLAND PIPELINE EXPLOSION, AUSTRALIA, 2008
4.9 NATURAL GAS PURGING EXPLOSIONS
4.10 OIL STORAGE TANK EXPLOSION, ITALY, 2006
4.11 NDK CRYSTAL VESSEL RUPTURE, ILLINOIS, 2009
4.12 SIMILAR INCIDENTS
4.13 ADDITIONAL RESOURCES


5 Environmental and Toxic Release Incidents
5.1 INTRODUCTION
5.2 BP MACONDO WELL/TRANSOCEAN DEEPWATER HORIZON FIRE, EXPLOSION, AND ENVIRONMENTAL RELEASE, GULF OF MEXICO, US, 2010
5.3 FREEDOM INDUSTRIES, INC. CHEMICAL SPILL, WEST VIRGINIA, US 2014
5.4 MILLARD REFRIGERATED ANHYDROUS AMMONIA RELEASE, ALABAMA, US, 2010
5.5 DUPONT METHYL MERCAPTAN RELEASE, TEXAS, US, 2014
5.6 DUPONT PHOSGENE RELEASE, WEST VIRGINIA, US, 2010
5.7 DPC ENTERPRISES, L.P. CHLORINE RELEASE, MISSOURI, US, 2002
5.8 GEORGIA-PACIFIC HYDROGEN SULFIDE POISONING, ALABAMA, US, 2002
5.9 CITGO HF RELEASE AND FIRE, TEXAS, US, 2009
5.10 HUBE GLOBAL HF RELEASE IN GUMI, SOUTH KOREA, 2012
5.11 OTHER INCIDENTS
5.12 ADDITIONAL RESOURCES
6 Transportation Incidents
6.1 INTRODUCTION
6.2 MONTREAL, MAINE & ATLANTIC RAILWAY DERAILMENT AND FIRE, QUEBEC, CANADA, 2013
6.3 NORFOLK SOUTHERN COLLISION AND HAZARDOUS MATERIALS RELEASE, SOUTH CAROLINA, US, 2005
6.4 GAYLORD CHEMICAL NITROGEN TETROXIDE RELEASE, LOUISIANA, US, 1995
6.5 PACIFIC GAS AND ELECTRIC COMPANY PIPELINE RUPTURE AND FIRE, CALIFORNIA, US, 2010
6.6 ADDITIONAL PIPELINE RELEASES
6.7 AIR FRANCE FLIGHT AF 447 RIO DE JANEIRO TO PARIS, 2009
6.8 OTHER INCIDENTS
6.9 ADDITIONAL RESOURCES
7 Non-Oil/Chemical Incidents
7.1 INTRODUCTION
7.2 FUKUSHIMA DAIICHI NUCLEAR POWER PLANT RELEASE, JAPAN, 2011
7.3 SEWOL FERRY SINKING, SOUTH KOREA, 2014
7.4 PIKE RIVER COAL MINE EXPLOSION, SOUTH ISLAND, NEW ZEALAND, 2010
7.5 BIG BRANCH MINE EXPLOSION, WEST VIRGINIA, US, 2010
7.6 UNIVERSITY LABORATORY INCIDENTS
7.7 MARS CLIMATE ORBITER MISHAP, 1999
7.8 OTHER INCIDENTS
7.9 ADDITIONAL RESOURCES
Appendix 1
References
Index

List of Figures

Figure 1.2-1. Risk Based Process Safety (RBPS) approach


Figure 2.2-1. A portion of the 3-inch thick reactor (courtesy CSB).
Figure 2.2-2. T2 Laboratories blast (courtesy CSB).
Figure 2.2-3. T2 Reactor.
Figure 2.3-1. Reaction Sequence for Hoechst Griesheim Runaway
Reaction. This reaction is exothermic, with a heat of reaction of
140 kJ/mole (132.7 BTU/mole) 2-chloronitrobenzene.
Figure 2.4-1. Process flow diagram of the wastewater tank
(courtesy CEP).
Figure 2.6-1. Fertilizer building overview (courtesy CSB).
Figure 2.6-2. Southwest view of Fertilizer Building (adapted from
CSB).
Figure 2.6-3. WFC and community growth (courtesy CSB).
Figure 2.6-4. Overview of damaged EFC (courtesy CSB).
Figure 2.6-5. Apartment complex damage (courtesy CSB video).
Figure 2.6-6. Soot accumulation on FGAN pile (courtesy CSB
video).
Figure 2.7-1. The crater from 2015 Tianjin explosion (courtesy
Shutterstock).
Figure 2.8-1. Neutralizer and rundown tank, source (courtesy
EPA).
Figure 2.8-2. AN plant area after the explosion (courtesy EPA).
Figure 2.9-1. Control room and office building after a jet flame
impact (courtesy HSE).
Figure 2.9-2. 360 base still (courtesy HSE).
Figure 2.9-3. Still base and control room (courtesy HSE).
Figure 3.2-1. Fine powdered metal collected from the Hoeganaes
plant (penny shown for scale) (courtesy CSB).
Figure 3.2-2. Computer graphic of maintenance workers
inspecting bucket elevator (courtesy CSB).
Figure 3.2-3. The scene of January 2011 incident (courtesy CSB).
Figure 3.2-4. Iron dust on rafters and overhead surfaces,
February 3, 2011 (courtesy CSB).
Figure 3.2-5. Hole in 4-inch piping after the May 27, 2011 incident
(courtesy CSB).
Figure 3.3-1. Vapor cloud and ignition seen from Marin County
(courtesy CSB).
Figure 3.3-2. Atmospheric separation process flow diagram
(courtesy OSHA).
Figure 3.3-3. Timeline (courtesy CSB).
Figure 3.3-4. Location of the leak (courtesy CSB).
Figure 3.3-5. Ruptured Crude Unit #4-sidecut pipe at Chevron
refinery (courtesy CSB).
Figure 3.3-6. Chevron’s new Leak Response Protocol (courtesy
CSB).
Figure 3.4-1. Process Flow Diagram of PDA unit (courtesy CSB).
Figure 3.4-2. Abandoned propane mix control station (courtesy
CSB).
Figure 3.4-3. Crack in the propane mix control station piping
(courtesy CSB).
Figure 3.4-4. Photograph of damaged PDA unit, showing the
location of butane sphere and chlorine cylinders (courtesy CSB).
Figure 3.5-1. Typical vacuum truck used to haul oilfield waste
liquids (courtesy CSB).
Figure 3.5-2. Disposal/washout pad, hydraulic pumps and
wooden stop beam (courtesy CSB).
Figure 3.5-3. Layout of disposal/washout pad, vacuum trucks,
and injuries (courtesy CSB).
Figure 3.5-4. Damaged trucks and disposal/washout pit area
(courtesy CSB).
Figure 4.1-1. Relationships between the different types of
explosions. It is possible for several to occur with any incident
(courtesy Crowl 2003).
Figure 4.2-1. Buncefield storage depot after the explosion and
fires (courtesy Buncefield).
Figure 4.2-2. Buncefield storage depot before the explosion
(courtesy Buncefield).
Figure 4.2-3. Buncefield site – the extent of vapor cloud (gray
line) (courtesy HSE).
Figure 4.2-4. Breakup of liquid into drops spilling from tank top
(adapted from HSE).
Figure 4.2-5. Fires at CAPECO site (courtesy CSB).
Figure 4.3-1. Jaipur site before explosion (courtesy HSE).
Figure 4.3-2. Jaipur site after explosion (courtesy HSE).
Figure 4.3-3. Burning storage tanks at Jaipur (courtesy SK Roy,
HSE for IOC).
Figure 4.3-4. Pipeline schematic (courtesy SK Roy, HSE for IOC).
Figure 4.3-5. Hamer blind valve after explosion (courtesy SK Roy,
HSE for IOC).
Figure 4.4-1. Oxidation reactor after the explosion (courtesy
Celanese).
Figure 4.4-2. One of several units impacted by explosion
(courtesy Celanese).
Figure 4.4-3. Schematic of oxidation reactor (courtesy Celanese).
Figure 4.4-4. Predicted flammable vapor cloud from reactor
explosion (courtesy Celanese).
Figure 4.5-1. Fireball in Williams Geismar plant (courtesy CSB).
Figure 4.5-2. Schematic of propylene fractionator (adapted from
CSB).
Figure 4.5-3. Reboiler B after the explosion (courtesy CSB).
Figure 4.5-4. Example of car seal on a valve handle
(www.totallockout.com/online-store/car-seals-2/ (accessed
November 19, 2015)) (courtesy CSB).
Figure 4.5-5. Ruptured heat exchanger at Goodyear Texas plant
(courtesy CSB).
Figure 4.6-1. Imperial Sugar refinery after the explosion
(courtesy CSB).
Figure 4.6-2. Imperial Sugar facility before the explosion.
Granulated sugar storage silos and packing buildings are circled.
Raw sugar warehouses in lower right (Chatham County, GA GIS
photo) (CSB 2009a)
Figure 4.6-3. Imperial Sugar Refinery after the explosion
(courtesy CSB).
Figure 4.6-4. Motor cooling fins and fan guard covered with
sugar dust; large piles of sugar cover the floor (courtesy CSB).
Figure 4.6-5. Secondary dust explosion (courtesy U.S. OSHA).
Figure 4.7-1. Reverberatory furnace at Hayes Lemmerz plant
(courtesy CSB).
Figure 4.7-2. Dust collection system at Hayes Lemmerz plant
(courtesy CSB).
Figure 4.7-3. Dust collector and drop box remains after the
explosion (courtesy CSB).
Figure 4.8-1. Pipeline fires at Varanus Island (courtesy Bills and
Agostini).
Figure 4.8-2. Ruptured 12” sales gas line (courtesy Bills and
Agostini).
Figure 4.9-1. Gas-fired water heater piping and likely release
points (courtesy CSB).

Figure 4.9-2. ConAgra Plant explosion aftermath (courtesy CSB).


Figure 4.9-3. Location of natural gas outlet (oval) at Kleen Energy
(courtesy CSB).
Figure 4.10-1 Outdoor storage tanks after explosions (courtesy
Marmo).
Figure 4.10-2 Indoor storage facility after explosions (courtesy
Marmo).
Figure 4.10-3. Schematic of tank farm (adapted from Marmo).
Figure 4.11-1. Ruptured vessel and damaged building at NDK
(courtesy CSB).
Figure 4.11-2. Cross section of crystallization vessel (not to scale)
(courtesy CSB).
Figure 5.2-1. Fire on Deepwater Horizon, source (courtesy CSB).
Figure 5.2-2. Location of mud-gas separator and diverter lines
(courtesy CSB).
Figure 5.2-3. Macondo Well blowout preventer, source (courtesy
CSB).
Figure 5.3-1 – Flow path from Freedom Industries to West
Virginia American Water Kanawha Valley Treatment Plant
(courtesy CSB).
Figure 5.3-2 – Layout of Freedom Industries site (courtesy CSB).
Figure 5.4-1 – Location of Millard Refrigerated on Theodore,
Alabama Industrial Canal (courtesy CSB).
Figure 5.5-1 – DuPont building housing the Lannate® unit
(courtesy CSB).
Figure 5.5-2 – Location where drain valves were opened.
Figure 5.6-1 – Photo of hose used to transfer phosgene (courtesy
CSB)
Figure 5.7-1 – Failed chlorine transfer hose and release (courtesy
CSB).
Figure 5.8-1 – Layout of tank truck unloading station (courtesy
CSB).
Figure 5.10-1 – Hube Global and surrounding area (courtesy
Korea Institute of Public Administration).
Figure 5.10-2 – Hube Global HF release (courtesy of Korea
Institute of Public Administration).
Figure 5.10-3 – Crop damage due to Hube Global HF release
(courtesy of Korea Institute of Public Administration). The sign in
this photograph reads "Hydrofluoric Acid release accident
disaster area. Absolutely no consumption or use. ~ Gumi City
Safety Counsel."
Figure 6.2-1. Lac-Megantic tank cars with breaches to their shells.
Figure 6.2-2. DOT-117 Train car (courtesy DOT).
Figure 6.3-1. Norfolk Southern Railway freight train derailment
site (courtesy NTSB).
Figure 6.5-1. PG&E pipeline rupture and fire in San Bruno
(courtesy NTSB).
Figure 6.5-2. Weld in failed PG&E pipeline (courtesy NTSB).
Figure 6.5-3. Properly made weld (courtesy NTSB).
Figure 6.6-1. Burned vegetation along the creek from Olympic
pipeline release and fire (courtesy NTSB).
Figure 7.2-1. Fukushima Daiichi nuclear reactor design (courtesy
IAEA).
Figure 7.2-2. Fukushima Daiichi incident progression (courtesy
IAEA).
Figure 7.2-3. Fukushima Daiichi nuclear power plant elevations
(courtesy Tokyo Electric Power Company) (OP: Sea level at
Onahama Port).
Figure 7.3-1. Sewol Ferry capsizing and sinking (courtesy South
Korea Coast Guard & South Korea Media, Straits Times graphic
adapted from AFP).
Figure 7.4-1. Pike River Mine (courtesy stuff.co.nz).
Figure 7.5-1. Shearer cutting coal (courtesy GIIP).
Figure 7.6-1. Flammability range of hydrogen, oxygen and
carbon dioxide as was handled in the University of Hawaii
incident (courtesy UC).
Figure 7.6-2. Swiss cheese model representing potential failures
in university chemical laboratory process safety management
(courtesy CSB).

ACRONYMS AND ABBREVIATIONS

ABET Accreditation Board for Engineering and Technology, Inc. (US)

AFPM American Fuel and Petrochemical Manufacturers

AIChE American Institute of Chemical Engineers

AIHA American Industrial Hygiene Association

ALARP As Low As Reasonably Practicable

AMF Automatic Mode Function

AN Ammonium Nitrate

API American Petroleum Institute

APTAC Automatic Pressure Tracking Adiabatic Calorimeter®

ARC Accelerating Rate Calorimeter™

ASME American Society of Mechanical Engineers

ATC Air Traffic Control

ATG Automatic Tank Gauging

BEA Bureau of Investigation and Analysis (France)

BLEVE Boiling Liquid Expanding Vapor Explosion

BOEMRE Bureau of Ocean Energy Management Regulation and Enforcement

BOP Blowout Preventer



BS&W Basic Sediment and Water

BSEE Bureau of Environmental Enforcement (US)

BSR Blind Shear Ram

CalEPA California Environmental Protection Agency

CCPS Center for Chemical Process Safety

CFR Code of Federal Registry (US)

COMAH Control of Major Accident Hazards (UK)

COO Conduct of Operations

CP Cathodic Protection

CRW Chemical Reactivity Worksheet

CSB Chemical Safety and Hazard Investigation Board (US)

DDT Deflagration to Detonation Transition

DDT Dichlorodiphenyltrichloroethane

DHS Department of Homeland Security (US)

DMP Department of Mines and Petroleum (Australia)

DNT Dinitrotoluene

DOCEP Department of Consumer and Employment Protection (Australia)

DOIR Department of Industry and Resources (Australia)

DOJ Department of Justice (US)

DOT Department of Transportation (US)

EIV Emergency Isolation Valve

EPCRA Emergency Planning and Community Right-to-Know Act (US)

EPA Environmental Protection Agency (US)

ERPG Emergency Response Planning Guideline (US)

ERS Emergency Relief System

ERT Etowah River Terminal, LLC

ESD Emergency Shutdown System

ETC Energy Technology Center Chevron

EU European Union

FGAN Fertilizer Grade Ammonium Nitrate

FMG FM Global

FRC Flame retardant clothing

GE General Electric Company

H2S Hydrogen Sulfide

HAZMAT Hazardous Materials

HAZOP Hazard and Operability Study

HCl Hydrogen Chloride



HDPE High-density polyethylene

HF Hydrofluoric Acid

HIRA Hazard Identification and Risk Analysis

HOV Hand Operated Valve

HSE Health & Safety Executive (UK)

IAEA International Atomic Energy Agency

ICC International Code Council

IDLH Immediately Dangerous to Life and Health

IDPS Incidents that Define Process Safety

IFC International Fire Code

IFGC International Fuel Gas Code

IHLS Independent High-Level Switch

LEL Lower Explosive Limit

LOPC Loss of Primary Containment

LPG Liquefied Petroleum Gas

LPO Liquid phase oxidation

LRP Leak Response Protocol (Chevron)

MAWP Maximum Allowable Working Pressure

MEC Minimum Explosion Concentration

MCHM Methylcyclohexanemethanol

MCMT Methylcyclopentadienyl manganese tricarbonyl

MCO Mars Climate Orbiter

MCPD methylcyclopentadiene

MI Mechanical Integrity

MIC Methyl isocyanate

MIIB Major Incident Investigation Board (UK)

MMA Montreal, Maine & Atlantic Railway

MMS Mineral Management Service (US)

MNT Mononitrotoluene

MOC Management of Change

MOM Ministry of Manpower (Singapore)

MoP&NG Ministry of Petroleum and Natural Gas (India)

MOV Motor Operated Valve

MSD Material Safety Data

MSHA Mining Health and Safety Administration (US)

NAIIC Nuclear Accident Independent Investigation Commission

NASA National Aeronautics and Space Administration

NaSH Sodium hydrosulfide

NDK Nihon Dempa Kogyo Company



NEC National Electrical Code

NEP National Emphasis Program (US)

NFPA National Fire Protection Association

NOPSA National Offshore Petroleum Safety Authority (Australia)

NPDES National Pollutant Discharge Elimination System (US)

NTSB National Transportation and Safety Board

OGJ Oil and Gas Journal

ONRR Office of Natural Resources Revenues

OMS Operating Management System (BP)

OSHA Occupational Safety and Health Administration (US)

P&ID Piping and Instrumentation Diagram

PA Public Address

PDA Propane Deasphalting

PFD Process Flow Diagram

PGERA Petroleum and Geothermal Energy Resources Act (Western Australia)

PG&E Pacific Gas and Electric Company

PHA Process Hazard Analysis



PHMSA Pipeline and Hazard Materials Safety Administration (US)

PMI Positive Material Identification

PPA Petroleum and Pipeline Act (Western Australia)

PPE Personal Protective Equipment

PRV Pressure Relief Valve

PSLA Petroleum Submerged Lands Act (Western Australia)

PSM Process Safety Management

PSSR Pre-Start-up Safety Review

PSV Pressure safety valve

PTFE Polytetrafluoroethylene

QA Quality Assurance

RBPS Risk Based Process Safety (CCPS)

RHIL Rui Hai International Logistics

RMP Risk Management Plan

RSOV Remote Shutoff Valves

SABIC Saudi Basic Industries Corporation

SADT Self-Accelerating Decomposition Temperature

SERC State Emergency Response Committee

SCADA Supervisory Control and Data Acquisition



SCBA Self-contained Breathing Apparatus

SCC Stress Corrosion Cracking

SDS Safety Data Sheet

SGL Sales gas pipeline

SOP Safe Operating Procedure

SWA Stop Work Authority

SWP Safe Work Practices

TEPCO Tokyo Electric Power Company

TGAN Technical Grade Ammonium Nitrate

TNT Trinitrotoluene

TWA PEL Time Weighted Average Permissible Exposure Limit

UEL Upper Explosive Limit

UK United Kingdom

US United States

VBR Variable Bore Rams

VCE Vapor Cloud Explosion

VSP Vent Sizing Package™

WFC West Fertilizer Company

WVAW West Virginia American Water



WVDEP West Virginia Department of Environmental Protection

GLOSSARY
Many of these terms and definitions are taken from the CCPS
Glossary, which is continually updated. Please check the glossary
at www.aiche.org/ccps/resources/glossary for the most current
definition.

Asset Integrity
The condition of an asset that is properly designed and installed in
accordance with specifications and remains fit for purpose.

Atmospheric Storage Tank
A storage tank designed to operate at any pressure between ambient
pressure and 0.5 psig (3.45 kPa gauge).

Boiling Liquid Expanding Vapor Explosion (BLEVE)
A type of rapid phase transition in which a liquid contained above its
atmospheric boiling point is rapidly depressurized, causing a nearly
instantaneous transition from liquid to vapor with a corresponding
energy release. A BLEVE of flammable material is often accompanied by a
large aerosol fireball, since an external fire impinging on the vapor
space of a pressure vessel is a common cause. However, it is not
necessary for the liquid to be flammable to have a BLEVE occur.

Combustible Dust
A finely divided combustible particulate solid that presents a
flash-fire hazard or explosion hazard when suspended in air or the
process specific oxidizing medium over a range of concentrations.

Combustible Liquid
A term used to classify certain liquids that will burn on the basis of
flash points. The National Fire Protection Association (NFPA) defines a
combustible liquid as any liquid that has a closed-cup flash point above
100°F (37.8°C) (NFPA 30). There are three subclasses, as follows; Class
II liquids have flash points at or above 100°F (37.8°C) but below 140°F
(60°C). Class III liquids are subdivided into two additional subclasses;
Class IIIA: Those having flash points at or above 140°F (60°C) but below
200°F (93.4°C), Class IIIB: Those having flash points at or above 200°F
(93.4°C). The Department of Transportation (DOT) defines combustible
liquids as those having flash points above 140°F (60.5°C) and below
200°F (93.4°C).

Conduct of Operations (COO)
The embodiment of an organization’s values and principles in management
systems that are developed, implemented, and maintained to (1) structure
operational tasks in a manner consistent with the organization's risk
tolerance, (2) ensure that every task is performed deliberately and
correctly, and (3) minimize variations in performance.

Confined Space
A confined space has limited or restricted means for entry or exit and
is not designed for continuous occupancy. Confined spaces include, but
are not limited to, tanks, vessels, silos, storage bins, hoppers,
vaults, pits, manholes, tunnels, equipment housings, ductwork,
pipelines, etc. (OSHA 2019)

Deflagration
Combustion that propagates by heat and mass transfer through the
unreacted medium at a velocity less than the speed of sound.

Detonation
A release of energy caused by the propagation of a chemical reaction in
which the reaction front advances into the unreacted substance at
greater than sonic velocity in the unreacted material.

Emergency Isolation Valve (EIV)
An EIV is a special category of valve that is dedicated to the purpose
of isolating large inventories of flammable or toxic material from
sources or equipment whose relative likelihood of significant leakage is
high. (AIChE.confex.com)

Emergency Planning and Community Right-to-Know Act (EPCRA)
The Emergency Planning and Community Right-to-Know Act (EPCRA) of 1986
was created to help communities plan for chemical emergencies. It also
requires industry to report on the storage, use and releases of
hazardous substances to federal, state, and local governments. EPCRA
requires state and local governments, and Indian tribes to use this
information to prepare their community from potential risks.

Explosion
The bursting or rupture of an enclosure or container due to the
development of internal pressure from a deflagration.

Flammable Liquids
Any liquid that has a closed-cup flash point below 100°F (37.8°C), as
determined by the test procedures described in NFPA 30 and a Reid vapor
pressure not exceeding 40 psia (2068.6 mm Hg) at 100°F (37.8°C), as
determined by ASTM D 323, Standard Method of Test for Vapor Pressure of
Petroleum Products (Reid Method). Class IA liquids shall include those
liquids that have flash points below 73°F (22.8°C) and boiling points
below 100°F (37.8°C). Class IB liquids shall include those liquids that
have flash points below 73°F (22.8°C) and boiling points at or above
100°F (37.8°C). Class IC liquids shall include those liquids that have
flash points at or above 73°F (22.8°C), but below 100°F (37.8°C).
(NFPA 30).

Hazard Analysis
The identification of undesired events that lead to the materialization
of a hazard, the analysis of the mechanisms by which these undesired
events could occur and usually the estimation of the consequences.

Hot Work
Any operation that uses flames or can produce sparks (e.g., welding).

Incident
An event, or series of events, resulting in one or more undesirable
consequences, such as harm to people, damage to the environment, or
asset/business losses. Such events include fires, explosions, releases
of toxic or otherwise harmful substances, and so forth.

Incident Investigation
A systematic approach for determining the causes of an incident and
developing recommendations that address the causes to help prevent or
mitigate future incidents. See also Root cause analysis and Apparent
cause analysis.

Interlock
A protective response which is initiated by an out-of-limit process
condition. An instrument which will not allow one part of a process to
function unless another part is functioning. A device such as a switch
that prevents a piece of equipment from operating when a hazard exists.
To join two parts together in such a way that they remain rigidly
attached to each other solely by physical interference. A device to
prove the physical state of a required condition and to furnish that
proof to the primary safety control circuit.

Lower Explosive Limit (LEL)
That concentration of a combustible material in air below which
ignition will not occur. It is often interchangeably called Lower
Flammability Limit (LFL) and, for dusts, the Minimum Explosible
Concentration (MEC).

Loss of Primary Containment (LOPC)
An unplanned or uncontrolled release of material from primary
containment, including non-toxic and nonflammable materials (e.g.,
steam, hot condensate, nitrogen, compressed CO2 or compressed air).

Management of Change (MOC)
A management system to identify, review, and approve all modifications
to equipment, procedures, raw materials, and processing conditions,
other than replacement in kind, prior to implementation to help ensure
that changes to processes are properly analyzed (for example, for
potential adverse impacts), documented, and communicated to employees
affected.

Management System
A formally established set of activities designed to produce specific
results in a consistent manner on a sustainable basis.

Maximum Allowable Working Pressure (MAWP)
The maximum gauge pressure permissible at the top of a completed vessel
in its normal operating position at the designated coincident
temperature specified for that pressure. The pressure is the least of
the values for the internal or external pressure as determined by the
vessel design rules for each element of the vessel using actual nominal
thickness, exclusive of additional metal thickness allowed for
corrosion and loading other than pressure. The MAWP is the basis for
the pressure setting of the pressure relief devices that protect the
vessel. The MAWP is normally greater than the design pressure but can
be equal to the design pressure when the design rules are used only to
calculate the minimum thickness for each element and calculations are
not made to determine the value of the MAWP. (API RP 520)

Mechanical Integrity
A management system focused on ensuring that equipment is designed,
installed, and maintained to perform the desired function.

Minimum Explosion Concentration (MEC)
The minimum explosible concentration is the lowest concentration of
dust or powder that will ignite on contact with an ignition source and
propagate a dust explosion. (www.bre.co.uk)

Near-Miss
An event in which an accident (that is, property damage, environmental
impact, or human loss) or an operational interruption could have
plausibly resulted if circumstances had been slightly different.

Operating Procedures
Written, step-by-step instructions and information necessary to operate
equipment, compiled in one document including operating instructions,
process descriptions, operating limits, chemical hazards, and safety
equipment requirements.

Operational Readiness
A PSM program element associated with efforts to ensure that a process
is ready for start-up/restart. This element applies to a variety of
restart situations, ranging from restart after a brief maintenance
outage to restart of a process that has been mothballed for several
years.

OSHA Process Safety Management (OSHA PSM)
A US regulatory standard that requires the use of a 14-element
management system to help prevent or mitigate the effects of
catastrophic releases of chemicals or energy from processes covered by
the regulations 49 CFR 1910.119.

Pressure Relief Valve (PRV)
A pressure relief device which is designed to reclose and prevent the
further flow of fluid after normal conditions have been restored.

Pre-Start-up Safety Review (PSSR)
A systematic and thorough check of a process prior to the introduction
of a highly hazardous chemical to a process. The PSSR must confirm the
following: construction and equipment are in accordance with design
specifications; safety, operating, maintenance, and emergency
procedures are in place and are adequate; a process hazard analysis has
been performed for new facilities and recommendations have been
resolved or implemented before start-up, and modified facilities meet
the management of change requirements; and training of each employee
involved in operating a process has been completed.

Process Knowledge Management
A Process Safety Management (PSM) program element that includes work
activities to gather, organize, maintain, and provide information to
other PSM program elements. Process safety knowledge primarily consists
of written documents such as hazard information, process technology
information, and equipment-specific information. Process safety
knowledge is the product of this PSM element.

Process Safety Culture
The common set of values, behaviors, and norms at all levels in a
facility or in the wider organization that affect process safety.

Process Safety Incident/Event
An event that is potentially catastrophic, i.e., an event involving the
release/loss of containment of hazardous materials that can result in
large-scale health and environmental consequences.

Process Safety Information (PSI)
Physical, chemical, and toxicological information related to the
chemicals, process, and equipment. It is used to document the
configuration of a process, its characteristics, its limitations, and
as data for process hazard analyses.

Process Safety Management (PSM)
A management system that is focused on prevention of, preparedness for,
mitigation of, response to, and restoration from catastrophic releases
of chemicals or energy from a process associated with a facility.

Process Safety Management Systems
Comprehensive sets of policies, procedures, and practices designed to
ensure that barriers to episodic incidents are in place, in use, and
effective.

Reactive Chemical
A substance that can pose a chemical reactivity hazard by readily
oxidizing in air without an ignition source (spontaneously combustible
or peroxide forming), initiating or promoting combustion in other
materials (oxidizer), reacting with water, or self-reacting
(polymerizing, decomposing or rearranging). Initiation of the reaction
can be spontaneous, by energy input such as thermal or mechanical
energy, or by catalytic action increasing the reaction rate.

Risk Management Program (RMP) Rule
EPA’s accidental release prevention rule, which requires covered
facilities to prepare, submit, and implement a risk management plan.

Risk Based Process Safety (RBPS)
The Center for Chemical Process Safety’s (CCPS) PSM system approach
that uses risk-based strategies and implementation tactics that are
commensurate with the risk-based need for process safety activities,
availability of resources, and existing process safety culture to
design, correct, and improve process safety management activities.

Safe Work Practices (SWP)
An integrated set of policies, procedures, permits, and other systems
that are designed to manage risks associated with non-routine
activities such as performing hot work, opening process vessels or
lines, or entering a confined space.

Supervisory Control and Data Acquisition (SCADA)
SCADA refers to industrial control systems used to control
infrastructure processes (water treatment, wastewater treatment, gas
pipelines, wind farms, etc.), facility-based processes (airports, space
stations, ships, etc.), or industrial processes (production,
manufacturing, refining, power generation, etc.).

Shelter-in-Place
A process for taking immediate shelter in a location readily accessible
to the affected individual by sealing a single area (an example being a
room) from outside contaminants and shutting off all HVAC systems.

Stop Work Authority (SWA)
All staff and contractors on a plant site have the Authority and
Obligation to stop work when an unsafe condition or act is observed
that could affect the safety of personnel and/or the environment.

Upper Explosive Limit (UEL)
The highest concentration of a vapor or gas (the highest percentage of
the substance in air) that will produce a flash of fire when an
ignition source (heat, arc, or flame) is present. See also Lower
Explosive Limit. At concentrations higher than the UEL, the mixture is
too rich to burn. Also known as the Upper Flammability Limit.

Vapor Cloud Explosion (VCE)
The explosion resulting from the ignition of a cloud of flammable
vapor, gas, or mist in which flame speeds accelerate to sufficiently
high velocities to produce significant overpressure.

ACKNOWLEDGMENTS

The American Institute of Chemical Engineers (AIChE) and the
Center for Chemical Process Safety (CCPS) express their
appreciation and gratitude to all members of the More Incidents
that Define Process Safety subcommittee and their CCPS member
companies for their generous support and technical contributions
in the preparation of this book.
Subcommittee Members:

Sean Dee Exponent

Tony Downes Honeywell

Rhian Drath Morgan BP

Rajender Dahiya AIG

Jerry Forest Celanese

Cheryl Grounds CCPS – Staff Consultant

Melissa Holliday Dow

Derek Miller Air Products

Albert Ness CCPS – Staff Consultant

David Prior Honeywell

Bhavesh Shukla Michelman

Karen Tancredi Chevron

Tracy Whipple BP

The collective industrial experience of the subcommittee
members makes this book especially valuable to all who strive to
learn from incidents, take action to prevent their recurrence and
improve process safety performance.
The book committee wishes to express their appreciation to
Albert Ness and Cheryl Grounds of CCPS for their contributions in
authoring this book.
Before publication, all CCPS books are subjected to a
thorough peer review process. CCPS gratefully acknowledges the
thoughtful comments and suggestions of the peer reviewers.
Their work enhanced the accuracy and clarity of these guidelines.

Peer Reviewers:

Dave Fargie BP

Jennifer Leas Michelman

Pete Lodal Eastman Chemical

Jack McCavit JL McCavit Consulting, LLC

Gene Meyer Kraton Corporation

Jordi Costa Sala Celanese

Lydia Wilkinson Celanese

Although the peer reviewers have provided many
constructive comments and suggestions, they were not asked to
endorse this book and were not shown the final manuscript
before its release.

PREFACE

The Center for Chemical Process Safety (CCPS) was created by the
AIChE in 1985 after the chemical disasters in Mexico City, Mexico,
and Bhopal, India. The CCPS is chartered to develop and
disseminate technical information for use in the prevention of
major chemical accidents. The Center is supported by more than
180 chemical process industry sponsors who provide the
necessary funding and professional guidance to its technical
committees. The major product of CCPS activities has been a
series of guidelines to assist those implementing various
elements of a process safety and risk management system. This
book is part of that series.
The AIChE has been closely involved with process safety and
loss control issues in the chemical and allied industries for more
than five decades. Through its strong ties with process designers,
constructors, operators, safety professionals, and members of
academia, AIChE has enhanced communications and fostered
continuous improvement of the industry’s high safety standards.
AIChE publications and symposia have become information
resources for those devoted to process safety and environmental
protection.
The integration of process safety into the engineering
curricula is an ongoing goal of the CCPS. To this end, CCPS created
the Safety and Chemical Engineering Education committee, which
develops training modules for process safety. One textbook
covering the technical aspects of process safety for students
already exists; however, there is no textbook covering the
concepts of process safety management and the need for process
safety for students. The CCPS Technical Steering Committee
initiated the creation of this book to assist colleges and
universities in meeting this challenge and to aid chemical
engineering programs in meeting recent accreditation
requirements for including process safety into the chemical
engineering curricula.

Foreword

Bhopal. BP Texas City. Piper Alpha. Longford. The Titanic.
Chernobyl. If you’ve spent any time in process safety, you no
doubt have at least a passing familiarity with these disasters. They
have been the subject of investigation reports, books, and even
movies. They capture the public imagination not only because the
human and environmental cost was so high, but also because we
learn in the retelling that each of these was preventable. We in the
process safety community study them so that we can direct our
efforts to preventing incidents of this magnitude in the future. We
aim to turn hindsight into foresight.

Risk-based process safety, regulations, guidance, codes, and
standards provide a framework for the safe operation of even the
highest hazard industries, yet incidents continue to occur. As a
Board Member and acting head of the U.S. Chemical Safety and
Hazard Investigation Board (CSB), I have borne witness to several
major process safety incidents during my tenure. Some of the
incidents in this book were still under investigation by the CSB
when I joined in 2015. In addition to overseeing our active
investigations, I have pored over past CSB reports hoping to gain
some insight into why, despite all the guidance, all the efforts of
groups like the Center for Chemical Process Safety, and all the case histories,
process safety incidents continue to occur. I wish I could say I have
an easy answer.

Instead, what I believe will continue to advance process safety
are a recommitment to its fundamental principles and a continual
effort to learn from past incidents. People who have worked in an
industry long enough may have their own personal experience
with a major process safety incident. Indeed, I know many
engineers who transitioned into process safety or incident
investigation after their facility experienced a major incident,
often involving a fatality or serious injuries. Safety, which had
been part of their training as engineers, became deeply personal
to them. But the younger generation will not have had these
experiences, nor should we expect them to have to go through a
tragic ordeal to put process safety principles at the forefront of
their thinking during every task on every day. That’s where case
studies come in.

Sharing lessons from major incidents allows us to discover the
gaps in our safety management systems so they can be closed to
prevent similar incidents in the future. This book makes a vital
contribution to this goal by presenting case studies from incidents
in multiple sectors—including oil and gas, chemical
manufacturing, transportation, mining, nuclear, even space
exploration—and from around the world. They can be broadly
characterized as technological incidents and, though they don’t all
involve process safety, we can apply lessons from PSM to each
one of them. It is essential when analyzing an incident to probe
deeper than an equipment malfunction or seemingly
questionable human decision to get at the underlying factors.
Each case in this volume describes the incident from both a
technical and human perspective, grounding the incident in the
fundamental principles of process safety. Taken together, the
cases reinforce the importance of process hazard analysis,
management of change, emergency planning and response, and
other elements of risk-based process safety.

Some of these cases demonstrate that, while compliance with
industry-specific standards and regulations is essential, it may be
insufficient to prevent an incident. Indeed, the CSB’s case history
includes incidents that involved substances or processes not
adequately addressed by existing regulations or standards.
Examples in this book include the West Fertilizer Company
explosion, the combustible dust explosions at Hoeganaes
Corporation and Imperial Sugar, and the Chevron
Richmond Refinery fire. Where we have identified these gaps,
we have issued formal recommendations to close them. In many
of these cases, faithful adherence to the elements of risk-based
process safety may have prevented the incident even in the
absence of a standard or regulation.

As a repository of information about past incidents, this book
can provide the foundation for a renewed commitment to process
safety among experienced professionals as well as illustrating its
importance to those entering the workforce. I encourage readers
of this book who intend to use it in an educational context to bring
these cases to life for the audience. Actively engage the learner in
the content so that it comes alive for them.

There are stories behind every one of these incidents. Stories of
loss, injury or death that don’t leap off the page when looking only
at the technical descriptions. But it is in the telling of a story that
people learn and remember these important lessons. It is in the
telling of a story that we turn hindsight into foresight.

Kristen M. Kulinowski, Ph.D.

Board Member and Interim Executive Authority

U.S. Chemical Safety and Hazard Investigation Board


Chapter 1 Introduction 41

Introduction

“Organizations have no memory – only people do.”


Trevor Kletz

1.1 WHY A SECOND VOLUME?


Incidents that Define Process Safety (IDPS) (CCPS 2008) is one of the
most popular books in the CCPS collection. Clearly, there is a
desire to learn from incidents in the process safety community.
So, what makes a second volume necessary?
First, the international growth of the chemical and
petrochemical industries, especially in Asia. Incidents from
around the world are included in both of these books. This second
volume includes incidents from China, India, Japan, United
Kingdom, and the United States.
Second, the passage of more than ten years has created a new
audience less versed in the historical record. If you go into a
chemical engineering classroom today and ask, “How many
people here have heard of Bhopal?” almost no one will raise their
hand. Yet Bhopal was the worst industrial accident in history.
Third, and most troubling, incidents keep happening. Some of
the same types of incidents are being repeated. It is hoped that
continuing to make people aware of these incidents and
creating an opportunity to learn from them will lead people to take
actions to prevent their recurrence.
At the time Incidents that Define Process Safety was being
written, CCPS was developing a new generation of process safety
management elements that were presented in the book
Guidelines for Risk Based Process Safety (RBPS) (CCPS 2007). The
incident descriptions in this book will identify management
system failures aligned with the RBPS elements.

1.2 CCPS RISK BASED PROCESS SAFETY ELEMENTS


Elements of process safety management (PSM) were encoded in
documents such as Guidelines for Implementing Process Safety
Management Systems (CCPS 1994) and in regulations including the
United States OSHA’s Process Safety Management of Highly
Hazardous Chemicals regulation (OSHA 1992). Both of these
documents are credited with improving process safety.
In the mid-2000s, CCPS developed and published Guidelines
for Risk Based Process Safety (RBPS) (CCPS 2007) to move to the
next generation of process safety management. RBPS recognizes
that not all hazards are equal and emphasizes that the resources
devoted to PSM should be appropriate to the hazards and risks of
a given operation, in addition to meeting regulations and codes.
RBPS also added several elements to the management of process
safety.
There are twenty elements of RBPS, divided into four “pillars”:
Pillar I. Commit to Process Safety
Pillar II. Understand Hazards and Risk
Pillar III. Manage Risk
Pillar IV. Learn from Experience.
The pillars and elements of the CCPS RBPS framework are shown
in Figure 1.2-1. These pillar and element numbers will be referred
to, as needed, during the incident discussions.

Figure 1.2-1 Risk Based Process Safety (RBPS) approach

1.2.1 Pillar I - Commit to Process Safety


This is the cornerstone of process safety excellence.
Organizations generally do not improve without strong
leadership and solid commitment. The entire organization must
make the same commitment. The five elements in this pillar are:
1. Process Safety Culture.
Process safety culture is a commonly held set of values, norms,
and beliefs. It can be stated as “How we do things around here,”
“What do we expect here,” and “How we behave when no one is
watching.”
2. Compliance with Standards.
Compliance with standards requires identifying, developing, and
implementing standards. Standards should be developed for
both new construction and existing equipment. These can be
internal and external standards, national and international codes
and standards, and local jurisdiction regulations and laws.
3. Process Safety Competency.
Process safety competency requires creating, developing, and
maintaining process safety knowledge; continuously improving
that knowledge and competency; ensuring that appropriate
process safety information is available to people who need it; and
consistently applying that knowledge.
4. Workforce Involvement.
Workforce involvement is active participation of company and
contractor workers in the design, development, implementation,
and continuous improvement of process safety in the workplace.
5. Stakeholder Outreach.
Stakeholder outreach strives to make relevant process safety
information available to a variety of organizations, including the
neighboring community, local emergency responders, and other
companies in the industry.

1.2.2 Pillar II - Understand Hazards and Risk


Organizations that understand their hazards and risks are better
able to allocate resources in the most effective manner to manage
those risks. The two elements in this pillar are:
6. Process Knowledge Management.
Process knowledge management involves activities associated
with compiling, cataloging, and making process safety
information (PSI) available. It also includes understanding the
information, not simply compiling data.
7. Hazard Identification and Risk Analysis (HIRA).
HIRA encompasses all activities involved in identifying hazards
and evaluating risks at facilities, throughout their life cycle, to
make certain that risks to employees, the public, and the
environment are managed within the organization’s risk
tolerance.

1.2.3 Pillar III - Manage Risk


The “Manage Risk” pillar focuses on three issues: safely operating
and maintaining processes that pose the risk, managing changes
to those processes to ensure that the risk remains tolerable, and
preparing for, responding to, and managing incidents that do
occur. The nine elements in this pillar are:
8. Operating Procedures.
Operating Procedures requires written instructions for all phases
of operation, including routine, non-routine, and emergency.
Good procedures also describe the process, hazards, tools,
protective equipment, and controls in sufficient detail so that
operators understand the hazards, can verify that controls are in
place, and can confirm that the process responds in an expected
manner.
9. Safe Work Practices (SWP).
SWP covers non-routine work and is often supplemented with
permits. These fill the gap between operating and maintenance
procedures and the hazards and risks specific to the work being
conducted at the time.
10. Asset Integrity and Reliability.
Asset integrity and reliability is the systematic implementation of
inspections, tests, and maintenance to ensure that equipment
and safety-critical devices will be functional for their intended
application throughout their life.
11. Contractor Management.
Contractor management is a system of controls to ensure that
contracted services support both safe facility operations and the
company’s process safety and personal safety performance goals.
This element includes the selection, acquisition, use, and
monitoring of such contracted services.
12. Training and Performance Assurance.
Training and performance assurance involves practical
instruction in job and task requirements and methods.
Performance assurance provides a means by which workers
demonstrate that they have understood the training and can
apply it in practical situations.
13. Management of Change (MOC).
MOC strives to ensure that changes to a process do not
inadvertently introduce new hazards or unknowingly increase
risks. This includes a review and authorization process for
identifying and evaluating proposed changes to facility design,
operations, organization, or activities prior to implementation;
ensuring that potentially affected personnel are notified of the
change; and that procedures, process safety knowledge, and
other key information are kept up to date.
14. Operational Readiness.
Operational readiness ensures that an operation is verified to be
in a safe condition and ready for restart, regardless of how long
the operation was shut down.
15. Conduct of Operations.
Conduct of operations is the execution of operational and
management tasks in a deliberate and structured manner.
Conduct of operations addresses management systems.
Operational discipline addresses the execution of the conduct of
operations. Operational discipline is the performance of all tasks
correctly every time. Workers at every level are expected to
perform their duties with alertness, due thought, full knowledge,
sound judgment, and a proper sense of pride and accountability.
Conduct of operations and operational discipline are closely tied
to an organization’s culture.
16. Emergency Management.
Emergency management includes planning for possible
emergencies; providing resources to execute the plan; practicing
and improving the plan; training or informing employees,
contractors, neighbors, and local authorities; and effectively
communicating with stakeholders in the event an incident does
occur.

1.2.4 Pillar IV - Learn from Experience


Learning from experience involves identifying learnings, sharing
them so that others may learn, and taking action. Learnings are
sought from internal and external sources of information. The last
four elements are in this pillar:
17. Incident Investigation.
Incident investigation includes investigating incidents, and the
trending of incident investigation data to identify recurring
incidents. This process also manages the documentation and
resolution of recommendations generated by the investigations.
18. Measurement and Metrics.
Measurement and metrics establishes performance and
efficiency indicators to monitor the effectiveness of the RBPS
management system and its constituent elements and work
activities. It addresses which leading and lagging indicators to
consider, how often to collect data, and what to do with the
information to help ensure responsive, effective RBPS
management system operation.
19. Auditing.
Audits are intended to verify that management systems are
implemented and performing effectively as intended, and to offer
findings and recommendations for weaknesses found.
20. Management Review and Continuous Improvement.
Management review and continuous improvement is the routine
evaluation of whether management systems are performing as
intended and producing the desired results as efficiently as
possible. It is an ongoing “due diligence” review by management
that fills the gap between day-to-day work activities and periodic
formal audits.

1.3 HUMAN PERFORMANCE


As Dr. Trevor Kletz, renowned safety advisor and high-risk
industry expert, stated, “For a long time, people were saying that
most accidents were due to human error, and this is true in a
sense, but it’s not very helpful. It’s a bit like saying that falls are
due to gravity.” Too often incident investigations conclude with
the finding of “human error.” A good investigation will continue
on from this point to ask why the human took that action. Was the
operator following a procedure that was incorrect? Was the
operator performing the work in the way he thought best because
he had never been trained on that task? Was it difficult to perform
that work because the design of the equipment did not provide
adequate access? Was the site short-staffed so he was too busy
to give the task the attention it warranted? Was the operator
pressured because leadership had stated targets based on
production and been silent on safety targets?
The reason why the human took that action often lies in the
management systems that define the company’s operations.
Human performance issues will likely be due to such RBPS
elements as Process Safety Culture, Workforce Involvement,
Training and Performance Assurance, Conduct of Operations, or
Operating Procedures.
As we strive to learn from incidents, our efforts should be
directed to keeping the human in mind as we design and manage
operations. This supports the human in operating successfully
and can potentially prevent an incident.
The CCPS book Human Factors Methods for Improving
Performance in the Process Industries provides information on
human factors as they apply to process safety. (CCPS 2007a)

1.4 ORGANIZATION OF THIS BOOK


The first volume in this series, Incidents that Define Process Safety,
was organized by major process element failures. In this second
volume, the incident descriptions recognize the management
system failures contributing to the incident. The book chapters
are organized by the incident type:
Chapter 2 – Reactive Chemical Incidents
Chapter 3 – Fire Incidents
Chapter 4 – Explosion Incidents
Chapter 5 – Toxic and Environmental Release Incidents
Chapter 6 – Transportation Incidents
Chapter 7 – Non-Oil/Chemical Incidents
Many incidents relate to more than one category. For
example, an uncontrolled chemical reaction can cause a toxic
release, fire, and/or explosion. An environmental release could
also cause a fire and explosion. Judgment was used in selecting
the single chapter in which an incident is described.
Management system failures are described for each incident
based on publicly available evidence, avoiding speculation. For
example, one could infer that process safety culture deficiencies
existed in most of the companies or facilities involved. However,
unless there is written evidence of this, process safety culture is
not listed.

1.5 ENGINEERING DESIGN


When working through the RBPS elements, it can be challenging
to identify where engineering design fits in. The CCPS Guidelines
on Engineering Design for Process Safety, 2nd edition (CCPS 2012)
includes reference to RBPS at the end of the Foundational
Concepts section (Chapter 2), specifically noting the importance
of process safety culture, compliance with standards, workforce
involvement, hazard identification and risk assessment,
management review, and continuous improvement. For example,
in Section 2.2 - T2 Laboratories Runaway Reaction and Explosion,
the batch reactor design was deficient in many respects
(inadequate pressure relief, insufficient safeguards against
cooling failure). The failed design was due to inadequate process
safety knowledge.

1.6 HOW TO USE THE BOOK


One approach for the use of this book is to simply read it to learn
about the incidents and how RBPS impacts an operation. A
second approach is to leverage these incident descriptions for use
in process safety presentations within your organization. Each
incident is preceded by a selection of “Key Points” highlighting the
RBPS elements involved in that incident. Presentations can be
organized around a particular RBPS element or by incident type.
A third approach is to look for incidents in a certain industry to
learn about what is most similar to your operations. It is also good
to recognize that lessons can be applied to many different
industries in different parts of the world. The matrix provided in
Appendix 1 shows the relationships between incidents in this
book, the RBPS elements, and the industries in which they
occurred.

1.7 FINAL NOTE

The majority of the incidents discussed in this book occurred in
the United States and were investigated/reported on by the US
Chemical Safety and Hazard Investigation Board (CSB). Incidents
from other countries are included but were more challenging to
describe because of a lack of public availability of factual
investigative information. Federal bodies in the US, UK, and many
EU countries are very good at investigating, reporting, and
disseminating information on major incidents; however, they are
limited in the number of incidents they can investigate. In
addition, the availability of investigation reports from the
companies that suffered the incidents is notably scarce, especially
in the US. It is a credit to those agencies and companies who do
share investigation data and a request to those who don’t
currently do so, as this information sharing assists with advancing
process safety for the whole world. We, the collaborative
industrial CCPS team working on this book, hope that other
companies and national agencies will begin sharing so that we all
may continue to learn.
Reactive Chemical Incidents

2.1 INTRODUCTION
“Safely conducting chemical reactions is a core competency of the
chemical industry” (CSB 2002) states the executive summary of a
US Chemical Safety Board (CSB) study of reactive chemical
incidents. Yet, reactive chemical incidents continue to occur. This
study reviewed 167 incidents in the US over a twenty-one-year
period. A few statistics:
• Forty-eight (29%) resulted in a total of 108 fatalities.
• 37% resulted in toxic gas emissions.
• 30% of the incidents affected the public.
• Over 50% involved chemicals not covered by U.S. OSHA or EPA regulations.
• 36% were due to chemical incompatibilities.
• 35% were due to runaway reactions.
• 10% were due to thermally sensitive or impact-sensitive materials.
• 70% occurred in the chemical industry, 30% occurred in other industries.
• More than 65% occurred in storage or other process equipment.
• 25% occurred in chemical reactors.
• More than 90% involved reactive hazards that were documented in publicly available literature.
This chapter describes four incidents involving reactors, two
involving bulk storage, and one in a wastewater tank. Resources
for managing chemical reactivity hazards are provided at the end
of the chapter.


2.2 T2 LABORATORIES RUNAWAY REACTION AND EXPLOSION, FLORIDA, US, 2007

2.2.1 Summary
A runaway reaction during the production of
methylcyclopentadienyl manganese tricarbonyl (MCMT) at T2
Laboratories, Inc. resulted in the rupture of the reactor on
December 19, 2007. The resulting explosion caused four T2
employee fatalities and injured thirty-two people: four T2
employees and twenty-eight people at nearby businesses. Pieces
of the reactor were found one mile away. Thirty-two structures
were damaged. Figure 2.2-1 shows a section of the reactor,
weighing approximately 907 kg (2,000 lb), that damaged a building
121 m (400 ft.) away from the reactor. The explosion was heard,
and the overpressure felt, 24 km (15 mi.) away in downtown
Jacksonville, Florida (see Figure 2.2-2).

Figure 2.2-1 A portion of the 3-inch thick reactor (courtesy CSB).


Figure 2.2-2 T2 Laboratories blast (courtesy CSB).

After the event, the CSB estimated the explosion was
equivalent to 635 kg (1,400 lb) of TNT (CSB 2009).
A key outcome of this event was a recommendation by the
Chemical Safety Board that the Accreditation Board for
Engineering and Technology, Inc. (ABET), include awareness of
chemical reactivity hazards in the chemical engineering
curriculum. The ABET now requires the chemical engineering
curriculum to include “control of chemical, physical, and/or
biological processes, including the hazards associated with these
processes.” (ABET 2015, p. 11).

Key Points
Process Safety Competency – Ensure someone on the job
understands process safety. We work with many intelligent
people, but that does not mean that they understand process
safety. Without someone on the site to ask the right questions,
process safety may be lacking.
Hazard Identification and Risk Analysis – What if? It’s a very
simple and powerful question. Use it to help identify potential
hazards, and once those hazards are identified, then put
protections in place.
Incident Investigation – If an operation yields an unexpected
result, ask why? By investigating and understanding why
deviations occur you may see the path leading to a potential
incident. More importantly, you will be equipped to take
appropriate actions to avoid those incidents.

2.2.2 Description
Background. T2 Laboratories Inc. opened in 1996 as a solvent-
blending business. It was founded by a chemical engineer and a
chemist. One of their products was a blend of purchased MCMT,
a gasoline additive. In 2004, T2 began producing MCMT, which
became their primary product by 2007.
Process. The runaway reaction occurred during the first step of the
MCMT process. This was a reaction between
methylcyclopentadiene (MCPD) dimer and sodium in diethylene
glycol dimethyl ether (diglyme).
MCPD and diglyme were charged to a 9.3 m³ (2,450 gal.)
reactor. Sodium metal was then added manually through a valve
at the top of the reactor (see Figure 2.2-3). Heat was applied
to the reactor using hot oil at 182°C (360°F) to melt the sodium
and initiate the reaction to make methylcyclopentene. Hydrogen
was a by-product, vented through a pressure control valve. At
99°C (210°F), the agitator was started (by this time the sodium
should have melted). At 149°C (300°F), the heat was turned off.
Since the reaction was known to be exothermic, cooling was
applied at 182°C (360°F).
What Happened. After eliminating other possible causes, the CSB
concluded that loss of cooling was the immediate cause of the
runaway reaction. The reactor was cooled by adding water to the
jacket and allowing it to boil off (see Figure 2.2-3).
Why it Happened. The cooling system, necessary to control the
exothermic reaction, could have been totally incapacitated or
severely impaired by a number of single failures: loss of water
from supply, a drain valve left open or partially open, failure of the
valve actuators, blockage in the supply line, temperature sensor
failure, or mineral buildup in the jacket (CSB 2009).

Figure 2.2-3 T2 Reactor (courtesy CSB).


Without cooling, the temperature would continue to rise.
Subsequent testing showed that a second exothermic reaction
occurred at 199°C (390°F). This reaction was more energetic than
the first—and desired—reaction. The owner/operators of T2
Laboratories did not know about this second reaction. This
reaction generated enough pressure, very rapidly, to burst the
reactor, rated for 41.4 bar (600 psig).

2.2.3 Management System Failures

I. Commit to Process Safety

1. Process Safety Culture.


In hindsight, it seems the owners of T2 did not understand
process safety or how to build a strong process safety culture.
2. Compliance with Standards.
T2 was not in compliance with the U.S. OSHA Hazard
Communication Standard. There is no written evidence that T2
had a confined space entry, lock-out/tag-out, personal protective
equipment program, or employee training program.
3. Process Safety Competency.
As stated earlier, T2 was started by a chemical engineer and a
chemist. Neither had experience designing and running
processes involving chemical reactions. The chemist tested the
chemistry in the lab and developed the process based on patent
literature provided by a company called Advanced Fuel
Development Technologies, who wanted T2 to manufacture
MCMT for them. This lack of experience showed itself in several
ways.
The chemist did the laboratory testing at a 1-liter scale and did
not observe extreme exothermic behavior. A fundamental
concept that needs to be understood when scaling up an
exothermic reaction is that the energy released increases with the
cube of the reactor diameter, while the heat transfer area
increases with the square of the diameter (without additional area
from internal coils). Therefore, the rate and amount of heat
generated increases faster than the ability to remove it. The need
for cooling was discovered during process upsets in the first few
batches (see Incident Investigation), not during the laboratory
tests.
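The scale-up argument above, worked through with the two sizes this section gives (a 1-liter laboratory test and the 9.3 m³ reactor). This is an added illustration, not a calculation from the CSB report; it assumes geometrically similar vessels, heat release proportional to liquid volume, jacket cooling only, and the full reactor volume, since the batch volume is not stated here.

\[
Q_{\text{gen}} \propto V \propto D^{3}, \qquad
Q_{\text{rem}} \propto A \propto D^{2}
\quad\Longrightarrow\quad
\frac{Q_{\text{rem}}}{Q_{\text{gen}}} \propto \frac{A}{V} \propto \frac{1}{D}
\]
\[
\frac{V_2}{V_1} = \frac{9300\ \text{L}}{1\ \text{L}} = 9300, \qquad
\frac{D_2}{D_1} = 9300^{1/3} \approx 21, \qquad
\frac{A_2}{A_1} = \left(\frac{D_2}{D_1}\right)^{2} \approx 440
\]
\[
\frac{(A/V)_2}{(A/V)_1} = \frac{D_1}{D_2} \approx \frac{1}{21}
\]

Under these assumptions the plant reactor has roughly 21 times less jacket area per unit of reacting volume than the 1-liter test, so an exotherm that is absorbed unnoticed in laboratory glassware can exceed the cooling capacity at plant scale.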
The owners did not do any reaction testing such as adiabatic
calorimetry (e.g., Accelerating Rate Calorimeter™ (ARC), Vent
Sizing Package™ (VSP), Phi-Tec, or Automatic Pressure Tracking
Adiabatic Calorimeter® (APTAC)), although this type of testing had
been good engineering practice for years.
(Note for reader: The CSB report includes discussions on the
fact that process safety was not part of the chemical engineering
curriculum in almost 90% of universities at the time of the
incident. In its report, the CSB recommended to the AIChE and the
Accreditation Board for Engineering and Technology, Inc. (ABET)
that awareness of reactive chemical hazards be part of the
baccalaureate program (CSB, 2009). This recommendation was
implemented by the ABET in 2014 after AIChE’s Safety and
Chemical Engineering Education (SAChE) Committee established
guidance for the ABET accreditation protocols. After ABET’s
implementation, the CSB noted that the action exceeded CSB
expectations.)

II. Understand Hazards and Risk

7. Hazard Identification and Risk Analysis.


Even though a design consultant recommended that T2 do a
Hazard and Operability (HAZOP) study on the process, T2
apparently did not do one. If the MCMT process had been
reviewed by a competent PHA team, questions such as, “what
happens if the temperature is too high?” or “what if the cooling
fails?” would have come up. These questions would lead to
recommendations such as: determine what the safe operating
temperature is; determine what happens if it is exceeded;
investigate how to make the cooling system more reliable; or
determine what other safeguards can be provided against high
temperature and pressure.
Determining the answers to these questions could also have
led to a better understanding of the emergency relief
requirements. The emergency relief system (ERS) was based on
the maximum rate of hydrogen generation in normal operation
(CSB 2009). The ERS was inadequate for the reaction that
occurred. After subsequent testing in a VSP, the CSB determined
that the second exothermic reaction was so fast that the reactor
could not have been successfully protected by a relief device. The
only way to protect the reactor from overpressuring was to vent
the reactor during the first reaction and allow the energy to be
removed by boiling off the diglyme solvent and MCPD.

III. Manage Risk

13. Management of Change (MOC).


After one year of production, the batch size was increased by one-
third, without a safety review. However, without the needed
competency to recognize reactive chemical hazards, an MOC would
not have helped.
16. Emergency Management.
T2 did not warn emergency responders of the presence of MCMT
on site. MCMT is toxic by inhalation and skin contact.

IV. Learn from Experience

17. Incident Investigation.


Prior to the explosion, there had been unexpected exotherms in
three of the first ten batches during the first reaction step, when
the process was scaled up to the main reactor. After the first
exotherm (in Batch 1), the response was to adjust the batch recipe
and to add cooling to the operating procedures. Uncontrolled
exotherms also occurred in Batches 5 and 10. Nevertheless, after
Batch 11, the process scale-up was considered successful. The
owners did not recognize that the previous exotherms were
actually near-misses which could have had more severe
consequences, and therefore failed to further investigate the
causes of these exotherms.
The CSB investigation report and a video showing the T2
Laboratories explosion can be found on the CSB website.

2.3 HOECHST GRIESHEIM RUNAWAY REACTION, GERMANY, 1993

2.3.1 Summary
On February 22, 1993, a runaway reaction occurred at the
Hoechst plant in Griesheim, Germany. The reactor’s pressure
safety valve (PSV) opened and about 9 metric tons (10 tons) of the
reaction mixture were released, covering 30 hectares (74 acres)
around the plant with a yellow deposit.
As a result of this incident, Germany’s Technical Committee
on Plant Safety was created to determine the minimum
knowledge required to run a chemical process. Their report,
Leitfaden Erkennen und Beherrschen exothermer chemischer
Reaktionen (“Guidelines recognizing and mastering exothermic
reactions”) (TAABMU 1994), influenced chemical industry
regulation in Germany (Gustin 2001). Media coverage of this event
may have been a factor in Hoechst’s withdrawal from chemical
manufacturing (Kepplinger and Hartung 1995).

Figure 2.3-1. Reaction Sequence for Hoechst Griesheim Runaway
Reaction. This reaction is exothermic, with a heat of reaction of
140 kJ/mole (132.7 BTU/mole) 2-chloronitrobenzene.

Key Points
Process Safety Competency – Consider what might go wrong
and design against it. If there is an important operational
sequence, design out the potential for inadvertent mis-
operation. If it is not possible to design it out, then design in
controls.
Conduct of Operations – COO is not just for operators, but also
applies to the work conducted by managers, engineers, and
other employees who design, implement, and oversee process
operations. Ensure all involved conduct their work diligently.
The design work could have easily included interlocks to
prevent the operating errors that occurred in this incident.

2.3.2 Description
Background. The chemical reaction involved was one between
1-chloro-2-nitrobenzene (also called 2-chloronitrobenzene) and
methanolic caustic soda to produce ortho nitroanisole (Figure 2.3-1).
Process. The process was conducted in a 36 m³ (9510 gal.) reactor
at 80°C (176°F) and 10 bar-a (145 psia). Methanol and
2-chloronitrobenzene were added to the reactor with the agitator
running. Following the chemical addition, the agitator was turned
off and the level in the reactor checked through an open manhole
cover. The cover was replaced, and the agitator was restarted. The
mixture was heated to 80°C (176°F), and nitrogen was applied to
raise the reactor pressure to 3 bar (43.5 psi). This reduced the
oxygen concentration in the headspace to 8 vol%; some oxygen
was required to prevent unwanted secondary reactions. The
methanol and the caustic solution were then added, and cooling
was applied manually as necessary to control the reactor
temperature at 80°C (176°F).
What Happened. During the batch in question, operators had to
apply heating to the reactor to maintain a temperature of 80°C
(176°F) instead of applying cooling, as was normal at this point in
the batch. When the methanol and caustic addition was complete,
the batch was sampled for conversion. At this time, operators
discovered that the agitator was turned off, so they proceeded to
start it. As soon as mixing was started, a runaway reaction
occurred, raising the temperature to about 160°C (320°F) and the
pressure to 16 barg (232 psig). The reactor had a PSV set at 16
barg (232 psig), which opened, leading to the release of the
reactor contents as described in the summary.
Why it Happened. The investigation found that the agitator was not
restarted after the level check. This led to a buildup of unmixed
and unreacted material in the reactor. A sample that had been
taken for conversion showed only 45% conversion of
2-chloronitrobenzene. Therefore, more than half of the charge was
available to react. When the agitator was restarted, the rapid
mixing caused the entire mixture to react immediately. This
exothermic reaction was further driven by the heat which had
previously been manually applied.
Compounding the problem, the high temperature triggered a
secondary decomposition reaction that had a heat of reaction of
390 kJ/mole (93 kcal/mole), further accelerating the exotherm and
buildup of pressure in the reactor.

2.3.3 Management System Failures

I. Commit to Process Safety

3. Process Safety Competency.


The immediate cause of this incident, restarting a stopped
agitator, has been the cause of incidents in other chemical
industries. For example, reviewing the literature about nitration
reactions, the failure mode of inadvertently starting an agitator in
the middle of a batch instead of the beginning of a batch was one
of several common causes of runaway nitration reactions.
Process designers recognized the potential of an agitator
failure to cause problems and provided an alarm for agitator
failure; however, it is believed that the alarm did not detect a
failure because the agitator had not been turned on.
However, the process designers failed to recognize some
other key safety features, or layers of protection, that would have
prevented this accident. First, they did not provide interlocks that
could have stopped the feeds to the reactor and prevented heat
from being applied in the event of no agitation.
Checking the level by opening the manway of a reactor
partially filled with a flammable material is an unsafe way to run
a reaction. Not only is the operator exposed to toxic vapors when
the manway is opened, but also, if the manway is not sealed
properly, flammable vapors could escape into the operating area
as the batch is heated up. Reactor level checks should have been
performed automatically.
The design of the PSV was not based on a runaway reaction
and thus did not consider a large release of potentially toxic
materials. As a result, the need for an effluent containment and
treatment system was not considered. By not recognizing the
potential for a toxic release scenario and planning for it, the
runaway reaction escalated into a release with significant
environmental consequences.

III. Manage Risk

12. Training and Performance Assurance.


The operators opening a partially filled reactor prompts the
question of what kind of training the operators received before
running the reaction. Did they know that the lack of heat being
released was a sign that the reaction had stalled? If they did know
the implications of the process information they were given, then
the decision to continue feeds goes back to a COO issue.
15. Conduct of Operations.
Continuing to add the 2-chloronitrobenzene with no sign of
reaction, and in fact, adding heat when cooling was usually
needed, is a sign of poor COO. Why did the operator forget to start
the agitator? We can only speculate as to why. It is possible the
operators were not properly trained or did not respond as they
were supposed to, or perhaps no process hazard identification
study had been performed. In an exothermic process, operators
should be trained to stop the process and seek expert support if
the process is not running normally.
Conduct of operations applies to everyone involved with
running chemical processes: managers, design engineers,
operators and technicians. The technical staff could have
designed safeguards for the process to prevent or at least detect
an error such as no agitation before starting feeds.
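
The missing interlock described under Process Safety Competency, and the safeguard against "no agitation before starting feeds" named in the paragraph above, can be sketched as a state-based permissive. This is an added example, not the plant's control logic: the step sequence is constructed from the process description in this section, all names are hypothetical, and the failure alarm is modeled on the assumption that it compares the agitator command with drive feedback.

```python
"""Agitator permissive for a semi-batch exothermic reaction (added example).

All names and the step sequence are constructed for illustration from the
process description in Section 2.3; they are not Hoechst's control logic.
"""
from dataclasses import dataclass
from typing import List, NamedTuple


@dataclass(frozen=True)
class Step:
    name: str
    agitator_commanded: bool  # operator has switched the agitator on
    agitator_running: bool    # feedback from the drive (assumed signal)
    feed_requested: bool      # demand on the methanol/caustic feed
    heat_requested: bool      # demand on jacket heating
    cooling_expected: bool    # phase in which cooling is normally needed


class Decision(NamedTuple):
    step: str
    failure_alarm: bool
    allow_feed: bool
    allow_heat: bool
    reasons: List[str]


def failure_alarm(step: Step) -> bool:
    """Assumed model of a failure alarm: commanded on, but not running."""
    return step.agitator_commanded and not step.agitator_running


def evaluate(step: Step) -> Decision:
    """State-based permissive: act on what the agitator is doing, not on
    whether it failed after being started."""
    allow_feed, allow_heat = step.feed_requested, step.heat_requested
    reasons: List[str] = []
    if not step.agitator_running:
        if step.feed_requested:
            allow_feed = False
            reasons.append("feed blocked: no agitation")
        if step.heat_requested:
            allow_heat = False
            reasons.append("heat blocked: no agitation")
    # Heating demanded where cooling is normal means the exotherm is absent,
    # so unreacted material may be accumulating: hold the feed.
    if step.cooling_expected and step.heat_requested and step.feed_requested:
        allow_feed = False
        reasons.append("feed held: heat demanded in a phase that needs cooling")
    return Decision(step.name, failure_alarm(step), allow_feed, allow_heat, reasons)


def replay(steps: List[Step]) -> List[Decision]:
    """Evaluate every step of a batch in order."""
    return [evaluate(s) for s in steps]


# Constructed sequence for the batch described above: the agitator is
# switched off for the level check and never switched back on.
INCIDENT_BATCH = [
    Step("initial charge", True, True, False, False, False),
    Step("level check", False, False, False, False, False),
    Step("heat to 80 C", False, False, False, True, False),
    Step("methanol/caustic feed", False, False, True, True, True),
]

# Same recipe with the agitator restarted after the level check.
NORMAL_BATCH = [
    Step("initial charge", True, True, False, False, False),
    Step("level check", False, False, False, False, False),
    Step("heat to 80 C", True, True, False, True, False),
    Step("methanol/caustic feed", True, True, True, False, True),
]

# Drive trips after being started: the case a failure alarm does cover.
TRIPPED = Step("methanol/caustic feed", True, False, True, False, True)

if __name__ == "__main__":
    for decision in replay(INCIDENT_BATCH):
        print(decision)
```

Replaying the constructed incident batch shows the command/feedback alarm staying silent at every step while the permissive refuses both heating and feed.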

2.4 ARCO CHANNELVIEW EXPLOSION, TEXAS, US, 1990

2.4.1 Summary
A wastewater tank containing process wastewater with
hydrocarbons and peroxides exploded during the restart of an
off-gas compressor. The normal nitrogen purge had been
reduced during the maintenance period, and a temporary oxygen
analyzer failed to detect excessive oxygen in the tank vapor space.
When the compressor was restarted, a flammable mixture of
hydrocarbons and oxygen was pulled in and ignited. The
flashback of the flame into the headspace of the tank ignited the
confined vapors and an explosion occurred. The explosion caused
seventeen fatalities. ARCO spent $20 million replacing the unit
and installing safety enhancements (ARCO 1991), and also paid
about $3.5 million in penalties (OGJ 1991).
This incident was one of those cited in the Background section
of the U.S. OSHA PSM rule as justification for the need for the PSM
rule (OSHA 1992).
Key Points
Process Safety Competency – What is safe? Conducting
operations safely depends on designing, documenting and
following the planned response when safe operating
parameters are exceeded. Ensure all involved are competent to
conduct their work with process safety in mind.
Asset Integrity and Reliability – Make sure equipment will work
when it is needed. Critical equipment must be designed, tested,
and maintained to ensure that it will function as intended to
prevent a process safety incident.

2.4.2 Description
Background. ARCO acquired the Channelview complex in 1980.
The plant produced propylene oxide, methyl tertiary butyl ether,
and styrene monomer.
Process. The 3,407 m³ (900,000 gal) wastewater tank contained
process wastewater from propylene oxide and styrene processes.
Peroxide and caustic byproducts from these processes traveled
through thousands of feet of piping to the tank where they mixed.
There was normally a layer of hydrocarbons on the surface of the
water. Also, oxygen was formed in the tank due to decomposition
of the hydrocarbon peroxides in the tank. A nitrogen purge was
used to keep the vapor space inert, and an off-gas compressor
drew the hydrocarbon vapors off before the waste layer was
disposed of in a deep well. Figure 2.4-1 shows the process
scheme.
What Happened. The tank was taken out of service to repair the
nitrogen blanket compressor. However, even though flow into the
tank had ceased, it had not been emptied and oxygen was still
forming due to the decomposition of peroxides in the tank. A
temporary oxygen analyzer was installed between two roof
beams and provisions were made to add a nitrogen purge if a high
oxygen level was detected. During this time, the oxygen analyzer
failed, giving incorrect low readings, and the normal flow of
nitrogen purge gas to the tank was reduced. About 34 hours
before the explosion, the nitrogen sweep stopped. Therefore, the
nitrogen purge was inadequate to prevent a flammable
atmosphere from being formed in the headspace and in piping to
the compressor. When the compressor was restarted, flammable
vapors were drawn in and ignited. Flames flashed back to the
tank, causing an explosion in the head space.
This incident illustrates that reactive chemical incidents can
occur at any point in a process. It is important to understand
and manage the risks of reactive chemistry in auxiliary operations,
such as this wastewater tank, with the same level of rigor as any
other intentional chemistry-related unit operation.
When the unit was rebuilt, the new wastewater tank was
pressurized and vent gas was sent to a flare, eliminating the need
for a compressor. Redundant oxygen analyzers were installed,
and a backup supply of nitrogen was provided. The preventive
maintenance program for oxygen analyzers and other safety-
critical equipment was improved. Critical process safety operating
parameters were identified for continuous monitoring.

Figure 2.4-1 Process flow diagram of the wastewater tank (courtesy CEP).

Why it Happened. Organic peroxides present a fire and explosion
hazard. The double oxygen bond (-C-O-O-C-) of the peroxy group
makes organic peroxides both useful and hazardous. The peroxy
group is chemically unstable, and can easily decompose, giving off
heat at a rate that increases as the temperature rises. Peroxides
can decompose very rapidly or explosively if they are exposed to
only slight heat, friction, mechanical shock, or contamination with
incompatible materials. Many organic peroxides give off
flammable vapors when they decompose. These vapors can easily
catch fire.
In the waste storage tank, the presence of organic peroxides
created a flammable atmosphere, which found an ignition source
at the compressor (a source of heat, and friction).
The design of the safety system was inadequate. There was
only one oxygen analyzer in the system, and it failed, reducing and
eventually stopping the nitrogen flow. The loss of nitrogen sweep
was not noticed.

2.4.3 Management System Failures

I. Commit to Process Safety

3. Process Safety Competency.


The use of one oxygen analyzer created a safety-critical system
with a single point of failure. When designing safety systems,
engineers should consider the level of reliability of safety-critical
systems and provide the necessary redundancy. Safe operating
parameters—in this case oxygen levels and nitrogen flow rates—
also need to be identified and monitored by operating personnel.

III. Manage Risk

10. Asset Integrity and Reliability.


Safety-critical equipment should be identified, and a preventive
maintenance program should be put in place to regularly test
such equipment to ensure it is functioning as intended.
2.5 AMMONIUM NITRATE INCIDENTS


Ammonium nitrate (AN) deserves a special mention in More
Incidents that Define Process Safety. Incidents involving the
manufacture and storage of AN continue to occur, even though
there is a long history of such incidents from which to learn. To
illustrate this, the CSB compiled a table of twenty-two events at
stationary facilities, dating back to 1916, in its report on the West
Fertilizer explosion, covered in Section 2.6 (CSB 2016).
Three incidents involving AN were described in Incidents that
Define Process Safety (CCPS 2008). One of those incidents, the
explosion of the SS Grandcamp in Texas City in 1947, was the
worst industrial accident in the history of the US. There were at
least 578 fatalities, and 178 were listed as missing. More AN
incidents have occurred since.
Three more incidents, two involving storage and handling and
one involving the manufacture of AN, are described in the
following sections. The manufacturing incident occurred in 1994;
however, the storage and handling incidents occurred after
publication of Incidents that Define Process Safety.
AN, which is an oxidizer, is typically available in two forms,
fertilizer grade (FGAN) and technical grade (TGAN). FGAN is sold
as a liquid or as high-density prills. TGAN consists of low-density
prills. AN handling and storage is covered by U.S. OSHA’s Blasting
and Explosive Agents standard (OSHA 1998) and by the Australian
Standard The storage and handling of oxidizing agents (Standards
Australia 1995).
AN will not burn; however, it melts at 170°C (337°F) and
rapidly decomposes. Above 260°C (500°F) AN becomes sensitive
to shock. Pure AN is stable and explodes only under certain
circumstances:
• When contaminated with low percentages (more than 0.2%) of combustible material (e.g. packing materials, seeds, oil);
• When contaminated with certain inorganics (e.g. chlorides, acids, caustic, some metals);
• When confined at high temperatures (e.g. in a fire);
• When heated to the decomposition temperature (AN melts and becomes more sensitive to shock).
AN prills absorb moisture, leading to caking, which creates a
form of self-confinement and compression. In a fire, AN releases
toxic gases such as nitric acid, ammonia, nitrogen oxides, and
nitrous oxide (EPA 2015, CSB 2016).

2.6 WEST FERTILIZER COMPANY AN EXPLOSION, TEXAS, US, 2013

2.6.1 Summary
On April 17, 2013, a fire occurred at the West Fertilizer Company
in West, Texas, which triggered an explosion of about 27 metric
tons (30 tons) FGAN at 7:51 p.m. The explosion registered as a 2.1
on the Richter scale. There were fifteen fatalities—twelve were
emergency responders; three were members of the public. One
of the public fatalities was in a nursing home (from a stress-
induced heart attack) and the other two were in an apartment
complex. The overpressure from the blast damaged 150 buildings
off-site, including four schools, a nursing home (later
demolished), an apartment complex, and 350 private residences
(142 beyond repair) (CSB 2016).
This was a significant incident in the US, due to the extensive
public impact, and the prevalence of FGAN storage and handling
facilities in the US. The CSB identified over 1,300 facilities handling
AN within close proximity to a community. The United States
president issued Executive Order EO-13650. This established a
working group consisting of the U.S. Department of Homeland
Security (DHS), the U.S. Environmental Protection Agency (EPA),
and the U.S. Departments of Labor (under which the U.S. OSHA is
located), Justice, Agriculture, and Transportation. The purpose of
the working group was to improve the identification and response
to the risks of chemical facilities (EO 2013).

Key Points
Process Safety Culture – Ensure all involved value process safety.
A poor safety culture will have consequences. It could be anything
from a loss of insurance coverage to a tremendous loss
of life, both of which occurred at West Fertilizer.
Stakeholder Involvement – Work together to prevent incidents.
It is important that local planners understand the hazards of
facilities and that enforcement agencies identify shortfalls in
neighboring compliance. Stakeholders communicating with
each other can create a mutual understanding on managing
risks.
Emergency Management – Ensure emergency responders
understand the hazards. Inform your local emergency
responders of the risks at your site so that when they respond
to help you, they are not put in harm’s way.

2.6.2 Description
Background. West Fertilizer Company (WFC) stored and handled
AN in a fertilizer building, along with several other fertilizers,
including diammonium phosphate, ammonium sulfate, and
potash. The fertilizer building was a wood-frame building. AN was
stored in two plywood bins. Figure 2.6-1 shows an overview of the
building layout, and Figure 2.6-2 provides an exterior view of the
building with the Primary AN bin superimposed on it.
In addition to receiving and storing the various fertilizers,
West Fertilizer also made fertilizer blends, delivered, and
sometimes applied the fertilizers. West Fertilizer also stored and
handled anhydrous ammonia in two pressurized storage tanks.
In 1962, when the facility was first built, it was surrounded by
open land. As the town grew over the years, WFC was surrounded
by residences and schools (Figure 2.6-3). This contributed to the
high impact of this incident.

Figure 2.6-1 Fertilizer building overview (courtesy CSB).

Figure 2.6-2 Southwest view of Fertilizer Building (adapted from CSB).

What Happened. In addition to the fifteen fatalities, more than 260
people were injured. Most of these people were within 457 to 610
m (1,500 to 2,000 ft.) of the explosion (CSB 2016). It is easy to
imagine many more casualties had the fire and explosion
occurred in the daytime, when the schools were occupied.

Figure 2.6-3 WFC and community growth (courtesy CSB).

Figure 2.6-4 Overview of damaged WFC (courtesy CSB).


WFC itself was destroyed (see Figure 2.6-4). An FGAN railcar
was overturned. Fortunately, the two anhydrous ammonia tanks
on site were not damaged.
There was a large amount of off-site property damage.
Severely damaged were:
An apartment complex, 122 m (450 ft.) from WFC (2
fatalities, completely destroyed, see Figure 2.6-5);
An intermediate school, 168 m (552 ft.) from WFC;
A nursing home, 183 m (600 ft.) from WFC (1 fatality, so
badly damaged it had to be demolished);
A high school, 385 m (1,263 ft.) from WFC.
Why it Happened. The cause of the fire itself remains unknown.
The ATF concluded that the cause was arson (Ellis 2016), although
CSB developed three theories as to why the AN exploded that did
not involve arson (CSB 2016).
The first scenario is that during the early part of the fire, soot
and other organics contaminated the FGAN and served to keep
heat in. This could have caused the formation of hot liquid FGAN
at the top of the pile (see Figure 2.6-6). The liquid layer could have
produced oxidizing gases, which would have created a cloud of
oxidizers; NO2, O2 and HNO3 are the decomposition products of
AN. This gas cloud may then have detonated.
The second scenario is that the detonation was caused by
heat from the exterior walls of the bin. Photos show that just prior
to the detonation, the exterior walls of the bin were penetrated,
which allowed more air in and caused the fire to become even
hotter. There could have been some melting of the FGAN along
the exterior wall.
The third scenario focuses on an elevator pit; a bucket
elevator was used to unload FGAN and other materials. There
could have been FGAN remnants in the pit. FGAN could have
spilled into the pit if the wall of the AN bin collapsed. The
remnants of FGAN could have been contaminated by burning
rubber, and the falling FGAN, plus the confinement by the concrete
elevator walls, might have caused the detonation. This is
considered the least likely scenario.

Figure 2.6-5 Apartment complex damage (courtesy CSB video).

Figure 2.6-6 Soot accumulation on FGAN pile (courtesy CSB video).

2.6.3 Management System Failures


The RBPS management systems are interlinked, and the West
Fertilizer explosion shows how important this linkage is.

I. Commit to Process Safety

1. Process Safety Culture.


Prior to 2009, WFC had insurance through Triangle Insurance
Company. In 2009 Triangle stopped insuring WFC because of
losses and a lack of compliance with Triangle’s recommendations
from their loss control surveys. Several of the recommendations
involved electrical problems, such as corroded wires and grounds.
In one of its evaluations, a Triangle consultant noted that WFC had
no safety program and “had no positive safety culture” (CSB 2016).
2. Compliance with Standards.
AN is covered by the U.S. OSHA’s Blasting and Explosive Agents
standard (OSHA 1998); however, this is not widely known
throughout the fertilizer industry. AN is also covered by NFPA 495,
Code for the Manufacture, Transportation, Storage, and Use of
Explosives and Blasting Agents (NFPA 1970) and NFPA 400,
Hazardous Material Code (NFPA 2016). Prior to 2002, AN was
covered by NFPA 490 Code for the Storage of Ammonium Nitrate
(NFPA 2002).
The CSB reported that the fertilizer industry itself
acknowledged that coverage of AN by the U.S. OSHA Explosives
standard was not well known within the industry (CSB 2016). The
U.S. OSHA did not have a history of citing fertilizer facilities under
the Blasting and Explosive Agents standard, contributing to this
lack of knowledge. This contributed to a lack of process safety
knowledge in the industry, which in turn contributed to
inadequate hazard identification and emergency response
planning.
A weakness in the U.S. OSHA standard is that it allows the use
of wood “protected against impregnation by ammonium nitrate”
for the walls of the bin (the floor must be non-combustible) [OSHA
1998 Section (i)(4)(ii)(b)]. The CSB notes other countries do not
permit this. In the Chemical Advisory issued after the incident
(EPA 2015), buildings constructed of non-combustible materials
are “strongly preferred.” CSB recommended that the U.S. OSHA
address this by making some changes in the standard, such as
a name change or defining the scope at the beginning of the
standard, and by starting a US National Emphasis Program (NEP) for
AN.
NFPA 400 was updated in 2016 and now requires that buildings be
of non-combustible construction and contain automatic
sprinklers and fire detection systems, the last two being
retroactive requirements.
AN is not covered by either the U.S. OSHA PSM or U.S. EPA
RMP regulations. This means that facilities handling AN are not
required by law to have a formal process safety management
program. The lack of a PSM program led to several safety
management gaps.
5. Stakeholder Outreach.
There was no information sharing between WFC, emergency
responders, and the community. The lack of process safety
knowledge on WFC’s part contributed to this. Without an
understanding of the potential hazards at the WFC facility, there
was no motivation to prevent the community from building up
near the facility. The U.S. EPA (2015a) issued some guidance about
the Emergency Planning and Community Right-to-Know Act
(EPCRA) that stemmed from EO-13650. This guidance reminded
State Emergency Response Committees (SERCs) that EPCRA
authorized them to designate additional facilities (beyond those
handling listed extremely hazardous substances) to be subject to
emergency planning notification.

II. Understand Hazards and Risk

6. Process Knowledge Management.


Since AN was not on the PSM or RMP highly hazardous chemicals
lists, and because the fertilizer industry was not familiar with the
U.S. OSHA Blasting and Explosive Agents standard, neither the
WFC management and employees nor the emergency
responders were familiar with AN hazards. There was no record
that WFC consulted the AN Safety Data Sheet during the incident.
The emergency responders did not know that AN could detonate.
Process safety knowledge includes collecting and
disseminating information and learnings from incidents with
similar technologies and chemicals from throughout the industry.
As noted in Section 2.5, there is a long history of AN-related
incidents that AN producers and handlers need to learn from. In
2009, a fire occurred at another facility in Texas that stored and
handled AN. The firefighters decided not to fight the fire and
instead evacuated the area. About 80,000 people were
evacuated. A review of that emergency response was conducted,
and an after-action report was issued that emphasized the need
for emergency responders to “reflect on protection, response,
and recovery activities” that occurred in the 2009 fire (CSB 2016).
This report was apparently not known to the West Fire
Department.
7. Hazard Identification and Risk Analysis.
The absence of AN from the PSM and RMP rules led to no PHA
being conducted on the AN handling and storage system. A
properly conducted PHA would have addressed consequences of
a fire and could have led to a better understanding of the hazards
of AN by WFC’s management and personnel.

III. Manage Risk

16. Emergency Management.


The absence of AN from the PSM and RMP rules led to no
emergency planning, which also would have been required by
these regulations. When responding, the fire department initially
tried to fight the fire, but only the fire engines' internal tanks could
be used until a hose could be connected to the hydrant 488 m
(1,600 ft.) away. They did not have enough hose to reach the fire.
The decision to evacuate was about to be made when the
explosion occurred. Development of an emergency response plan
may have helped reduce the consequences of the event: the plant
could have installed better storage conditions and fire protection,
the city could have added a fire hydrant nearer to the plant, or the
response could have been to evacuate the area and let the plant
burn, which would have saved lives.

2.7 RUI HAI INTERNATIONAL LOGISTICS AN EXPLOSION, TIANJIN, CHINA, 2015

2.7.1 Summary
An explosion occurred around 11:30 p.m. on August 12, 2015, at
the Rui Hai International Logistics (RHIL) storage facility in Tianjin,
China. The explosion registered as a 2.9 on the Richter scale. The
entire facility was destroyed. There were 170 fatalities (including 99
firefighters and 11 policemen), and about 800 people were
injured. The blast affected 17,000 households and 779 businesses
(Figure 2.7-1). The waterways and soil nearby were severely
polluted. An early estimate of losses was $1.5 billion (Huang &
Zhang 2015, Hernandez 2016). Following the investigation, 123
people were arrested. This was one of the worst industrial
incidents in China (Trembley 2016).

Key Points
Process Safety Culture – Apply process safety culture concepts
to all stakeholders. When an operating site has a poor safety
culture, and uses political influence to avoid regulatory
enforcement, there can be no confidence that the process is
safe.
Compliance with Standards – Follow the rules. Standards are
developed based on best practices and learnings. Deciding not
to comply with standards and regulations can be reckless. If
you think that a standard doesn’t work for your application,
then communicate with the standard’s authors to discuss the
situation.

2.7.2 Description
Background. RHIL was started by two men; one the son of a local
police chief and the other an executive at a chemical firm. Tianjin
was a rapidly growing area and the facility eventually grew to 4.5
hectares (11 acres) in size. The warehouses were known for
“shoddy construction” (Jacobs, Hernandez & Buckley 2015).
Process. The facility stored more than 40 hazardous chemicals
(Zeng 2015), including 800 tonnes (882 tons) of AN, 700 tonnes
(772 tons) of sodium cyanide, 200 tonnes (220 tons) of
nitrocellulose as well as various metal powders.
What Happened. A fire was observed in the facility at 10:50 p.m.
The first responders arrived by 11:06 p.m. and others arrived
about 10 minutes later. Investigation showed that the fire started
when nitrocellulose improperly stored near AN became too dry
and self-ignited. The first explosion occurred at 11:34 p.m.,
registering 2.3 on the Richter scale. The second explosion
occurred thirty seconds later and registered 2.9. Based on the size
of the crater, about 100 m (328 ft.) in diameter, approximately 726
metric tons (800 tons) of AN were involved.

Figure 2.7-1 The crater from 2015 Tianjin explosion (courtesy Shutterstock).

Why It Happened. The investigation found that the fire started in
dry nitrocellulose containers that became overheated.
Nitrocellulose, used as a propellant called “guncotton,” is a highly
flammable solid. Even used nitrocellulose containers are
considered hazardous. The safety data sheet (SDS) for
nitrocellulose states that containers should be tightly sealed and
kept in a well-ventilated area, separate from oxidizing materials
such as AN. A nitrocellulose brochure recommends using non-
sparking tools and states that nitrocellulose damped with water
or alcohol has a shelf life of two years, after which decomposition
and fire can occur. If the damping agent dries out, the
nitrocellulose is sensitive to impact and heat (DowWolff).

2.7.3 Management System Failures

I. Commit to Process Safety

1. Process Safety Culture.


In most incidents in this book, a poor process safety culture can
be attributed to ignorance, such as not understanding the
difference between process safety and occupational safety, a lack
of knowledge of process safety hazards, or, at worst, a lack of any
sense of vulnerability to potential hazards. In the case of the
Tianjin explosion, the lack of process safety culture was reflected
in the disregard of safety rules and good practices. In addition,
officials abused their power (Trembley 2016).
2. Compliance with Standards.
As mentioned earlier, 123 people were arrested as a result of this
incident. RHIL violated existing rules and permits and used
political influence to protect itself from close scrutiny. It ignored
good practices and regulations in the manner that it stored
chemicals. It stored more chemicals than allowed by its
permits. Its warehouses were known for shoddy construction
and outdated equipment (Jacobs, Hernandez & Buckley 2015).
A safety review that was required by authorities to obtain a
storage permit was done in a questionable manner, since it was
performed by a private contractor who was selected and paid for
by RHIL.

2.8 PORT NEAL AMMONIUM NITRATE EXPLOSION, IOWA, US, 1994

2.8.1 Summary
On December 13, 1994, an explosion occurred in the AN portion
of a fertilizer plant in a process vessel known as a neutralizer. The
explosion occurred while the AN process was shut down with AN
solution remaining in several vessels. Multiple factors contributed
to the explosion, including strongly acidic conditions in the
neutralizer, the application of 13.79 barg (200 psig) steam to the
vessel, and a lack of monitoring of the AN plant when the process
was shut down with materials left in the process vessels. The
explosion resulted in four fatalities and eighteen people injured.
Serious damage in other parts of the plant resulted in the release
of nitric acid to the ground and anhydrous ammonia into the air
(EPA 1996).

Key Points
Hazard Identification and Risk Analysis – Identify process
hazards so that you can manage them. Without first identifying
the hazards, the hazard management controls and systems will
not be implemented, and the risk will not be managed.
Operating Procedures – Make sure procedures cover all
aspects of the operation, including temporary shutdowns or
holds.

2.8.2 Description
Background. The Port Neal, Iowa, plant produced nitric acid,
ammonia, ammonium nitrate, urea, and urea-ammonium nitrate.
In the neutralizer, ammonia from the urea plant off-gas or from
ammonia storage tanks was added through a bottom sparger and
55% nitric acid was added through a sparge ring in the middle of
the vessel. The product, 83% AN, was sent to a rundown tank via
an overflow line for transfer to storage. See Figure 2.8-1 for a
process flow diagram of the neutralizer and rundown tank. A pH
probe in the overflow line to the rundown tank was used to
control the nitric acid flow to the neutralizer in order to maintain
the pH at 5.5 - 6.5. The temperature in the neutralizer was
maintained at about 131°C (267°F) by the evaporation of water
and ammonia. Both vessels were vented to a scrubber, where the
vapors were absorbed by 55–65% nitric acid and makeup water
to make 50% AN. A stream of 50% AN was sent back to the
neutralizer.
What Happened. About two weeks prior to the event, the pH probe
was found to be defective, and the plant was controlled by
manually taking samples for pH.
Two days prior to the event, the pH was determined to be -1.5
(sic) and was not brought into the acceptable range until about
1:00 a.m. on December 12. The AN plant was shut down at about
3:00 p.m. on the afternoon of December 12, because the nitric
acid plant was out of service. At about 3:30 p.m., operators
purged the nitric acid feed line to the neutralizer with air. At
about 7:00 p.m., operators pumped scrubber solution to the
neutralizer. At about 8:30 p.m., 13.8 bar (200 psig) steam, which
is about 197°C (387°F), was applied through the nitric acid feed
line to the nitric acid sparger to prevent backflow of AN into the
nitric acid line. The explosion in the neutralizer occurred at
about 6:00 a.m. on the morning of the 13th. Figure 2.8-2 shows
the aftermath of the explosion.

Figure 2.8-1 Neutralizer and rundown tank (courtesy EPA).

Figure 2.8-2 AN plant area after the explosion (courtesy EPA).

Why It Happened. Liquid AN is known to become more sensitive to
decomposition, deflagration, and detonation by:
Low pH levels,
High temperatures,
Low-density areas (e.g., caused by gas bubbles),
Physical confinement,
Contaminants such as chlorides and metals,
Confinement by means of a sufficient mass of AN by itself.
Calculations showed that the nitric acid line clearing would have
lowered the pH to about 0.8 at the time of the shutdown. The
steam sparge remained on for 9 hours. Calculations showed that
it provided enough heat to raise the solution to its boiling point
after two hours. The air and steam sparge created gas bubbles in
the solution. Chlorides, carried over from the nitric acid plant,
were also found to be present in the AN solution. These
circumstances provided the conditions necessary for
decomposition and detonation of the AN (EPA 1996).
The U.S. EPA investigation concluded the conditions that led
to the explosion occurred due to the lack of operating procedures.
There were no procedures on how to put the vessels in a safe
state during shutdown, or for monitoring the pH and temperature
in the process vessels during the shutdown. There were also no
procedures being used to monitor for the presence of chloride
salts and/or oil in the reaction mass that could further increase
the sensitivity of AN to dangerous decomposition conditions.
The U.S. EPA found that other AN producers either emptied
the process vessels during a shutdown or maintained the pH
above 6.0. Also, other producers either did not allow steam
sparges or, if steam sparges were done, they conducted them
under direct supervision to ensure that the duration of steam
sparging was kept to a minimum.
The U.S. EPA also noted that no hazard analysis had been
done on the AN plant, and that personnel interviewed “indicated
they were not aware of many of the hazards of ammonium
nitrate.”

2.8.3 Management System Failures

II. Understand Hazards and Risk

7. Hazard Identification and Risk Analysis.


No hazard assessment of the AN process had been done. The lack
of a hazard identification study led to personnel not
understanding the conditions that could lead to AN decomposition.
It also led to a lack of safeguards that would have prevented the
decomposition. An effective PHA of the shutdown step would
have revealed to the operating staff that the pH of the neutralizer
could not be measured at low neutralizer levels, and that the
temperature of the neutralizer could not be accurately known
without continuous circulation in the tank. A complete hazard
identification study would have covered backflow of AN into the
nitric acid line and better design solutions could have been
identified.

III. Manage Risk

8. Operating Procedures.
Operating procedures need to cover all phases of operation. This
event was directly tied to a lack of shutdown procedures and the
lack of equipment monitoring requirements during the
shutdown. Without this key information, operators performed
actions that first sensitized the AN solution to decomposition, and
then provided the energy needed to initiate the decomposition
reaction.

2.9 HICKSON & WELCH JET FLAME, UK, 1992

2.9.1 Summary
A fire occurred at the Hickson & Welch nitrotoluene plant in
Castleford, UK, in September 1992. When a vessel containing
residual dinitrotoluene (DNT) and nitrocresols from a batch still
was opened for cleaning, a jet flame was released that resulted in
five fatalities. The jet flame first destroyed a control room/office
building (Figure 2.9-1) and then impinged upon the main office
building in which there were sixty-three people. One of the five
fatalities was in this office building. H&W paid £500,000 ($638,203)
in fines and costs in 1993. This incident provides important
lessons on reactive chemical management, facility siting, the
potential effects of jet flames, and the hazards that can be posed
by abnormal operations.

Key Points
Operating Procedures – Ensure operating procedures address
all phases of an operation. There are hazards, sometimes
different ones, in various phases of start-up, operation,
shutdown, cleaning, catalyst change, and emergencies. In
documenting all phases, procedures can address the specific
hazards of each phase and how to control them.
Management of Change – Never assume that changes are
small or inconsequential. New or unusual operations always need
to undergo an MOC review.

2.9.2 Description
Background. Hickson & Welch was founded in 1931 and became
publicly held in 1951. In its history, it manufactured dyes,
dichlorodiphenyltrichloroethane (DDT), and timber preservatives.
Process. The Meissner plant made mononitrotoluene (MNT).
Isomers of MNT and the by-product dinitrotoluene (DNT) were
separated by a series of stripping steps. The final distillation left a
residue containing DNT and nitrocresols that were transferred to
a 45.5 m³ (12,021 gal) horizontal storage tank called the 60 still
base.
A final vacuum strip was done in the still base to recover the
last of the MNT. The 60 still base contained steam coils for
heating. The temperature was supposed to be controlled using
6.9 bar (100 psig) steam at 170°C (338°F). However, an existing
pressure regulator was not working properly, so the steam
pressure was being controlled manually. A relief valve in the
steam line was supposed to open at 6.9 bar (100 psig) but was
malfunctioning and actually opened at 9.3 bar (135 psig), so the
temperature was actually about 180°C (356°F). After the
distillation, the residue was cooled and transferred to a truck for
transport to an incinerator for disposal.

Figure 2.9-1 Control room and office building after a jet flame
impact (courtesy HSE).

What Happened. The still base was installed in 1961. A process
change made in 1988 apparently led to a buildup of residue in the
still, causing extended stripping times. By the day of the incident,
the residue depth was 34 cm (13 in). The vessel itself was 2.7 m
(8.8 ft.) in diameter.
A decision was made to clean out the residue through the
manway at the end of the still base (Figure 2.9-2). Steam was
applied to the sludge, with instructions to keep the temperature
below 90°C (194°F). The manway was opened, and a sample
taken for visual examination. Operators began raking out sludge
with an iron rake. After a little more than an hour, steam was shut
off, and an order was given to shut off the steam feed line to the
still. At this time, the temperature reading was 48°C (118°F). About
20 minutes later, the jet flame erupted from the manway. The
manway struck the control room, and the jet flame, which lasted
25 seconds, was about 4.7 m (15.4 ft.) in diameter as it hit the
control room wall, 13.4 m (44 ft.) from the manway (Figure 2.9-3).
The flame destroyed the scaffolding where people had
recently been standing to clean out the sludge and severely
damaged the nearby control room, causing two immediate
fatalities and two fatalities after hospitalization. Then the jet flame
impacted an office building (Figure 2.9-1), igniting fires in it. Most
people in the office building were able to escape, but one person
died from smoke inhalation. Two other employees were injured,
and nineteen firefighters also had to be admitted to the hospital.
Why it Happened. MNT, DNT, and the nitrocresols are toxic, and
decompose energetically when subjected to heat or contacted
with strong acids and bases. Hickson & Welch were aware of this
and developed thermal stability tests which they used to set a
maximum temperature for the sludge before cleanout. Studies by
the HSE support the theory that heat from the steam heaters
could have initiated self-heating of the residue, causing a thermal
runaway that could have reached temperatures of 500°C (932°F),
well above the auto-ignition temperatures of MNT isomers and
the decomposition products.
The temperature probe in the vessel was not in the sludge
itself but above it. Therefore, the temperature being recorded was
that of the vessel atmosphere, not the sludge.
Most of the casualties occurred in the control room, which
was located only 13.4 m (44 ft.) away from the still base and was
directly in the line of fire. One lesson that can be learned here is
the need to examine the location of control rooms and other
occupied buildings with respect to potential hazards.

Figure 2.9-2 360 base still (courtesy HSE).

Figure 2.9-3 Still base and control room (courtesy HSE).

2.9.3 Management System Failures


In this incident, the lack of Hazard Identification and Risk Analysis,
combined with a lack of operating procedures that addressed
non-routine tasks such as sludge cleanout, led to a very
hazardous situation.

I. Commit to Process Safety

2. Compliance with Standards.


Although not in effect at the time, locating a control room and
office so close to a process would not comply with modern facility
siting standards.

II. Understand Hazards and Risk

7. Hazard Identification and Risk Analysis.


Although Hickson & Welch understood the reactivity hazards of
nitrotoluenes and the residue, no hazard review was performed
on the still cleanout. Hazard reviews need to be conducted on all
phases of an operation. A hazard review would have enabled
them to develop a safe procedure. For example, they could have
recognized the need to have redundant temperature probes,
close the feed line to the vessel to prevent entry of flammable
vapors, stop steam flow into the heating bayonets, and find a
safer way to remove the residue than using an iron rake (which
could have potentially caused electrostatic sparks). They also
might have decided to analyze the residue for thermal stability
before removal to understand the degree of hazard involved.

III. Manage Risk

8. Operating Procedures.
Hickson and Welch had no written procedures for cleaning
vessels. Again, the lesson here is the need to have written
procedures for all phases of operation. Modern PSM programs
recognize this, but abnormal operations such as start-up,
shutdown, maintenance, and in this case, cleanout, warrant
emphasis because the risk during these modes can be much
higher than during normal operation. Applying PHA tools such as
a procedural HAZOP can uncover risks that may be overlooked in
a PHA done for normal operations and it can identify important
safeguards to safely manage these risks.
10. Asset Integrity and Reliability.
The steam regulator was known to be
malfunctioning but was not repaired. Instead, the plant relied on
operators to control steam pressure manually. The operators
relied on seeing steam start to emerge from a PSV set at 6.9 bar
(100 psi) as their guide; however, this PSV was malfunctioning. It
should be noted that PSVs are not intended to be normal control
devices. Because the steam regulator and the PSV were critical,
they should have been included in a routine maintenance plan to
check and replace (or service) them periodically to maintain
reliability.

13. Management of Change.


This was the first time the plant had performed this cleanout
operation. The procedure was conducted using safe work
permits, although they did not cover all aspects of the operation.
The people issuing the permits probably had no idea about the
potential reactive chemical hazards. An MOC review could have
identified the hazards and triggered a more formal hazard
assessment.

2.10 OTHER INCIDENTS


Seven reactive chemical incidents were described in Incidents that
Define Process Safety (CCPS 2008):
Rohm & Haas road tanker explosion, Teesside, UK,
January 3, 1976;
Bartlo Packaging Inc., pesticide explosion, West Helena,
Arkansas, May 8, 1997;
Napp Technologies Inc. explosion, Lodi, New Jersey, April
21, 1995;
Concept Sciences Inc. explosion, Allentown, Pennsylvania,
February 19, 1999;
Nissan Explosion, Japan, June 10, 2000;
Morton International, Inc., explosion, Paterson, New
Jersey, April 8, 1998;
Azote de France AN explosion, Toulouse, France,
September 21, 2001.
Below are two additional reactive chemical incidents
investigated by the CSB that have occurred since the publication
of Incidents that Define Process Safety.
1. Synthron LLC Chemical Explosion, Morganton, North
Carolina, US, January 31, 2006.
A runaway chemical reaction occurred, causing a vapor cloud
explosion and fires that killed one person and injured
fourteen others. The explosion destroyed the facility and
damaged structures in the nearby community. The company
increased the batch size of an acrylic monomer
polymerization by adding all the extra monomer to the batch
at once without determining the effect of the increased heat
load. The heat load doubled and overwhelmed the cooling
capacity of the reactor, resulting in a runaway reaction (CSB
2007).
2. Bayer CropScience Runaway Reaction and Pressure Vessel
Explosion, Institute, West Virginia, US, August 28, 2008.
During the restart of a methomyl unit, a runaway reaction
occurred in the residue treater, a 17 m³ (4,500 gal.) pressure
vessel, causing a vessel rupture that released about 8.3 m³
(2,200 gal.) of flammable solvents and toxic residues. Two
people died and eight were injured. Residue containing
solvent was added to the vessel before the clean solvent was
added, and then heated to the operating temperature. The
residue decomposed, causing the explosion. During the start-
up, safety-critical interlocks had been bypassed (CSB 2011).

2.11 ADDITIONAL RESOURCES


The following books and resources are available for helping to
understand reactive chemical hazards.
Chemical Reactivity Worksheet (CRW) 4.0. The CSB reactive
chemical investigation report found that 36% of reactive chemical
incidents involved chemical incompatibilities. The CRW includes a
reactivity prediction worksheet that you use to virtually "mix"
chemicals to simulate accidental chemical mixtures and learn
what dangers could arise from the accidental mixing. For
example, if the reaction is predicted to generate gases, the CRW
will list the potential gaseous products, along with literature
citations related to the prediction.
The CRW has two modules: one discusses known
incompatibilities between certain chemicals and common
absorbents which are used in the cleanup of small spills, and the
other contains information about known incompatibilities
between certain chemicals and materials that are used in the
construction of containers, pipes, and valving systems on
industrial chemical sites.
(www.aiche.org/ccps/resources/crw-overview)
Bretherick’s Handbook of Reactive Chemical Hazards, 7th Ed.
(Bretherick & Urban 2006). Bretherick’s is a 2-volume set of all
reported risks such as explosion, fire, toxic, or high-energy events
that result from chemical reactions gone astray, with extensive
referencing to the primary literature.
Essential Practices for Managing Chemical Reactivity Hazards
(CCPS 2003). This book provides technical guidance to help small
and large companies to identify, address, and manage chemical
reactivity hazards. The book includes a flowchart, developed for it,
that guides the user through an analysis of the potential
for chemical reactivity accidents. The article Screen Your Facilities
for Chemical Reactivity Hazards (Johnson and Lodal 2003)
summarizes the book and flowchart.
Guidelines for Safe Warehousing of Chemicals (CCPS 1998). This
book provides an understanding of the potential dangers
inherent in warehousing chemicals. It offers a performance-based
approach to hazards such as health effects, environmental
pollution, fire, and explosion. It presents practical means to
minimize the risk of these hazards to employees, the surrounding
population, the environment, property, and business operations.
These basic precepts can be used to evaluate the risks in initial or
existing designs for warehousing facilities on a manufacturing
site, for freestanding off-site buildings, and for strictly chemical or
mixed-use storage.
Guidelines for Chemical Reactivity Evaluation and Application to
Design (CCPS 1995). This book provides principles and strategies
for the evaluation of chemical reactions, and for using this
information in process design and management.
Designing and Operating Safe Chemical Reaction Processes
(Health and Safety Executive (HSE) 2009). This free document
is for those responsible for the development, design, and
operation of chemical plants and processes. It provides
information on the assessment of chemical reaction hazards for
batch and semi-batch processes, and for the design, operation,
and modification of chemical reaction processes.
Chemical Reaction Hazards: A Guide to Safety (Barton & Rogers
1997). This book describes how to assess reactive chemical
hazards before designing a plant. There are over 100 case studies.
A Checklist for Inherently Safer Chemical Reaction Process
Design and Operation (CCPS 2004). CCPS developed a reactive
chemicals checklist in 2004. The checklist guides the user
through the steps of reactive hazard identification and reactor
process design considerations.
The Risk Analysis Screening Tool (RAST) software and the
Chemical Hazard Engineering Fundamentals (CHEF)
documentation were developed through the collaborative efforts
of volunteers from member companies of the Center for Chemical
Process Safety (CCPS) and the European Process Safety Centre.
RAST is a screening tool intended to provide users with guidance
to assess and help prioritize their company-specific process safety
risks by:
Effectively performing a Hazards Identification and Risk
Assessment (HIRA)
Effectively developing incident scenarios based on specific
process hazards and operating conditions
Providing qualitative Process Hazards Analysis (PHA)
Teams with scenarios that can be used in a Hazards and
Operability Study (HAZOP), and
Filling the void between the qualitative PHA and a
Quantitative Risk Assessment with the capability to
perform a semi-quantitative Layer of Protection Analysis.

Fire Incidents
3.1 INTRODUCTION
Safe handling of flammable and combustible (ignitable) materials
is a core competency for the process industries and many others.
Flammable releases within congested areas, such as a refinery or
chemical complex, or in a building, can lead to explosions
(Chapter 4). This chapter will start with a description of a series of
metal dust fires at Hoeganaes Corporation because the lack of
understanding of combustible dust hazards is a
frequently recurring problem. The other case studies involve
incidents from the oil production and refining industry. This is not
surprising given that this industry handles large amounts of
flammable materials in complex production operations and the
consequences of fires can be very significant. CSB has produced
videos that describe the incidents at Hoeganaes, Chevron, and
Valero. The videos are excellent learning and safety meeting tools.
A few topics appear in multiple incidents in this chapter and
are worth highlighting.
Emergency Isolation Valves (EIV). In three incidents, the
Valero-McKee, Shell, and CITGO refinery fires, fires lasted
for days because of the lack of EIVs. When compared with
the cost of potential damage, EIVs have a high cost/benefit
ratio.
Compliance with Standards. Of the six incidents described,
lack of compliance with standards and regulations was a
factor in three: the Hoeganaes metal dust fires, the BLSR
Operating Ltd. deflagration, and the CITGO Refinery fire.
Auxiliary Operations. Two incidents, the BLSR deflagration
and the Shell Refinery fire, involved operations that are
not typical for a traditional chemical or petrochemical
plant. The Shell Refinery fire is an example of the need to
treat all operations with respect for process safety.


3.2 HOEGANAES METAL DUST FIRES, TENNESSEE, US, 2011

3.2.1 Summary
In 2011, Hoeganaes suffered a series of dust flash fires and a
hydrogen explosion that led to a secondary dust flash fire that
together caused five fatalities and injured three others (CSB
2011b). The Hoeganaes facility located near Nashville, Tennessee,
receives scrap metal and converts it into metal powders after
melting and adding various materials to it.

Key Points
Process Safety Competency – Understand how process safety
underpins all the other elements of process safety. Without
understanding what might go wrong, there is no driver to put in
place the barriers to prevent such an incident.
Compliance with Standards – Build on the experience of others.
Standards, regulations, codes, and other guidance documents
are created from both the good and bad experiences of others.
Incident Investigation – Don’t just investigate. Learn! The
purpose of an incident investigation is to learn what happened so
that it can be prevented in the future. Choosing not to investigate,
or investigating and choosing not to take action, is choosing to
risk having an unfortunate repeat.

3.2.2 Description
Background. Hoeganaes Corporation melts scrap steel to produce
atomized steel and iron powders. The Gallatin, Tennessee, facility
has increased their production more than six-fold since beginning
operations in the 1980s.
Process. Hoeganaes’s main product is a powder that is 99% iron.
The process involves melting the iron, then cooling and milling it
to make a coarse powder. They feed the powder through an
annealing furnace, called a “band furnace,” that consists of a 30
meter (100 ft.) long conveyor belt. The furnace has a hydrogen-
rich atmosphere that reduces oxides and prevents oxidation.
Hydrogen is supplied through pipes located in a trench in the
floor, which is covered by metal plates. Product from the furnace,
called a cake, is sent to a cake breaker and then crushed into a
powder with a particle size of 45–150 microns (Figure 3.2-1).

Figure 3.2-1. Fine powdered metal collected from the Hoeganaes
plant (penny shown for scale) (courtesy CSB).

Figure 3.2-2. Computer graphic of maintenance workers
inspecting bucket elevator (courtesy CSB).

What Happened.

First incident. On January 31, 2011, operators thought the belt on
a bucket elevator used to transfer the powder had become
misaligned, which can cause the motor to shut down due to the
increased torque. A maintenance mechanic and an electrician
came to inspect the equipment (Figure 3.2-2).
They did not believe the belt was off track and requested the
operator to restart the motor. When the motor started, the
vibrations dispersed powder that was on the equipment and floor
(Figure 3.2-3).
A flash fire occurred almost immediately, engulfing the two
workers. Both employees sustained severe burn injuries on a
large portion of their bodies and eventually died because of their
injuries.
Second incident. On March 29, 2011, a Hoeganaes engineer and a
contractor were replacing igniters on a band furnace. They had
difficulty reconnecting a gas line, and the engineer used a
hammer to force the connection. The hammering dispersed large
amounts of combustible dust on surrounding surfaces, which
ignited almost immediately. The engineer suffered first- and
second-degree burns, while the contractor was able to escape.
The engineer was wearing flame-resistant clothing (FRC), which
may have helped prevent a more serious injury. Figure 3.2-4 is a
photo taken at the Hoeganaes plant on February 3, 2011, about
two months before this incident, showing the dust that had
collected on the surrounding surfaces.
Third incident. On May 27, 2011, operators near a band furnace
identified a gas leak coming from a trench that contained
hydrogen, nitrogen, and cooling water runoff pipes, in addition
to a vent pipe for the furnaces. Mechanics were sent to find and
repair the leak. One area operator stood by as the mechanics
sought out the source of the leak. Although maintenance
personnel knew that hydrogen piping was in the same trench,
they presumed that the leak was nonflammable nitrogen because
of a recent leak in a nitrogen pipe elsewhere in the plant.
However, in this case, the source of the leak was a line containing
hydrogen.

Figure 3.2-3. The scene of January 2011 incident (courtesy CSB).

The trench covers were too difficult to lift without machinery.
A forklift was used to lift a cover near the leak. As the cover was
pulled up by the forklift, friction created sparks, and an explosion
occurred. The hydrogen explosion dispersed large quantities of
iron dust from rafters and other surfaces in the upper reaches of
the building (Figure 3.2-4). Portions of this dust ignited, creating
multiple dust flash fires in the area. Three employees died from
the burns they suffered in the fire. Later a large hole
(approximately 8 cm by 18 cm [3 in by 7 in]) in a corroded section
of hydrogen piping was found (Figure 3.2-5).
Why it Happened. Hoeganaes believed that the metal dust was a
weak explosion hazard and so put few mitigation systems in
place. Although there was an NFPA standard addressing
combustible metals, they did not use the guidance in this practice.

Figure 3.2-4. Iron dust on rafters and overhead surfaces,
February 3, 2011 (courtesy CSB).

Figure 3.2-5. Hole in 4-inch piping after the May 27, 2011
incident (courtesy CSB).

3.2.3 Management System Failures


The findings of the CSB report can be broken down into the
following process safety pillars and elements:

I. Commit to Process Safety

2. Compliance with Standards.


Codes covering Hoeganaes’s operations include (dates listed for
the codes are for the current editions):
NFPA 484, Standard for Combustible Metals (NFPA 2015);
NFPA 497, Recommended Practice for the Classification of
Flammable Liquids, Gases, or Vapors of Hazardous (Classified)
Locations for Electrical Installations in Chemical Process Areas
(NFPA 2017a);
NFPA 499, Classification of Combustible Dusts and of Hazardous
(Classified) Locations for Electrical Installation in Chemical
Process Areas (NFPA 2017b).
Hoeganaes did not follow many of the provisions of these
codes.
At the time of the incident, NFPA 484 described several
requirements for the Hoeganaes facility regarding building
construction, manufacturing and processing, storage,
housekeeping, electrical, and personal protective equipment.
These provisions are in place to help ensure the safe handling of
combustible metal dusts.
Poor housekeeping can contribute to hazards associated with
electrical installations. The National Electrical Code (NEC, NFPA 70)
includes special requirements for electrical installations in areas
where hazardous materials are present. Both flammable gases
(such as hydrogen) and combustible dusts are included in the
hazardous materials discussed within the NEC. Much of the
guidance and requirements in the NEC is based on recommended
practices for classification of hazards and hazardous locations
(NFPA 70, 497, and 499). Although not a direct cause of ignition in
these incidents, the accumulation of dust within the facility could
result in additional hazards related to the use of non-classified
electrical equipment in potentially hazardous locations. This
further demonstrates the lack of process safety knowledge on the
part of the organization.

II. Understanding Hazards and Risk

6. Process Knowledge Management.


The series of incidents at Hoeganaes underscores the importance
of understanding hazards and risk and managing the risk. A key
step in determining the appropriate hazard management
approach for a facility is to understand and document the
potential hazard that needs to be controlled. The hazards
associated with metal dusts were well documented in the
industry prior to the incidents at the facility; however, Hoeganaes
operated in a manner that indicated a lack of knowledge of good
dust handling practices.
According to the CSB report, a routine insurance audit of the
facility in late 2008 noted the need for improved housekeeping
due to the explosion hazard presented by powdered metal dusts.
The audit also recommended that if the metal dust was
determined to be explosible, an independent dust hazard analysis
and a study of suitable dust mitigation techniques be performed,
suggesting they had not already done so. In early 2009,
Hoeganaes had several samples of its metal dust tested for
explosibility. The results indicated that the dust was combustible,
but represented a weak explosion hazard, and was very difficult
to ignite (high ignition energy). While the dust testing results
triggered an operator training program on combustible dust
hazard recognition, additional hazard mitigation controls were
not evaluated or adopted. As a result, the combustible dust
hazards at the facility remained largely unmitigated.
After the incidents, the CSB had combustibility tests done on
the Hoeganaes dust. Tests done on the dusts indicate that the
iron dust was a weak explosion hazard and relatively hard to
ignite, confirming the results Hoeganaes obtained previously.
Combustible dusts are frequently assessed on their explosibility,
i.e., their rate of pressure rise and total overpressure generated.
A key lesson here is that even a weakly explosive and hard-to-
ignite dust is still combustible and therefore still hazardous due
to its flash-fire hazards, capable of causing fatalities when ignited.
In this case, even though Hoeganaes had the necessary
information, they did not fully understand the hazards and risks
of combustible dusts. Safe handling of combustible dusts requires
an understanding of the materials’ combustibility hazards and
appropriate safeguards to manage the associated risks.
The importance of housekeeping in a solids-handling facility
cannot be overstated. A saying among people familiar with
combustible dust hazards is that the three most important
precautions are housekeeping, housekeeping, and housekeeping.
The large quantities of combustible dust present in the facility,
shown in Figures 3.2-3 and 3.2-4, exacerbated all three incidents.
Baghouse filtration systems that were supposed to control dust
were frequently out of service. The CSB investigators observed
that the baghouses leaked when the bags were pulsed.
Improvement of housekeeping in several areas of the facility was
another recommendation made by the insurer in 2008.

IV. Learn from Experience

17. Incident Investigation.


Learning from experience is another pillar of the CCPS Risk Based
Process Safety management principles. The Hoeganaes plant had
an incident in 1992 that was very similar to the third incident in
2011. A hydrogen explosion in a furnace dispersed accumulated
dust and created a flash fire that severely burned an employee
(burns covered over 90% of his body, and he spent a year in a
burn unit). In 1996, a metal dust fire (ignited by a cutting
operation) occurred in a dust collector, resulting in employee
injury due to smoke inhalation. The CSB also noted that operators
and mechanics rarely reported flash fires or near-misses that
periodically occurred at the facility. Hoeganaes did not learn from
its own incidents and near-misses and did not encourage
employees to report near-misses. Such reporting could have
resulted in improvements in the facility’s hazard analysis and
mitigation that may have ultimately prevented or reduced the
consequences of future incidents.

3.3 CHEVRON RICHMOND REFINERY FIRE, CALIFORNIA, US, 2012

3.3.1 Summary
On August 6, 2012, a piping failure of a 20 cm (8 in.) line occurred
at the Chevron Richmond Refinery and subsequently ignited,
causing a large fire. The fire engulfed nineteen operators and
maintenance personnel, but fortunately all escaped.
The smoke plume was visible for miles (Figure 3.3-1). Chevron
initiated a Community Warning System Level 3 alert. At or around
the same time, a shelter-in-place warning for the cities of
Richmond, North Richmond, and San Pablo was issued. A number
of people sought treatment, with most cases involving minor
complaints of nose, throat, or eye irritation, or respiratory issues.
This incident led to a CSB recommendation that the American
Petroleum Institute (API) strengthen the language of API RP 939-C:
Guidelines for Avoiding Sulfidation (Sulfidic) Corrosion Failures in
Oil Refineries (API 2009). The state of California formed a working
group to study ways to improve oversight of refineries (CalEPA
2014). Along with many other recommendations, one outcome
was the establishment of an interagency task force to coordinate
activities of the many agencies that cover refineries. As a result,
California is implementing PSM regulations for refineries.

Key Points
Process Safety Culture – Embrace process safety culture from
the highest levels in the organization down, not from the
bottom up. Otherwise employees will not be sure if
management really believes process safety is important.
Asset Integrity and Reliability – Understand corrosion damage
mechanisms. Make sure that proper metallurgy and inspection
protocols are used to minimize the potential for corrosion.
Emergency Management – Stand clear! There have been
countless instances where people move in close to see the
situation, seemingly unaware of the hazards and risks. Crowd
control, and even positioning of responders, should be clearly
addressed in emergency response plans and drills.

3.3.2 Description
Background. Chevron is a large international company with their
headquarters in San Ramon, California. At the time, Chevron
operated seven refineries, five of which are in the United States.

Figure 3.3-1. Vapor cloud and ignition seen from Marin County
(courtesy CSB).

Process. The crude oil separation process is the start of the oil-
refining process. Crude oil is heated and separated into several
fractions by distillation (see Figure 3.3-2 for a generic PFD of the
crude oil separation process). At the Richmond refinery, the light
gas oil fraction from the Crude Unit, called the Crude Unit #4
sidecut, was drawn off the column through a 51-centimeter (20-
in.) line, which was then split into a 30-centimeter (12-in.) line and
a 20-centimeter (8-in.) line. The Crude Unit #4 sidecut conditions
were 338°C (640°F) and 3.8 barg (55 psig).
What Happened. Figure 3.3-3, a timeline for the incident, provides
a brief, illustrated summary of the events leading to the release
and fire. The leak was discovered in the Crude Unit #4 sidecut at
3:50 PM (see Figure 3.3-4). The operator who discovered the leak
then notified the head operator and a shift leader. Shortly
afterward, the plant fire department was called to provide
assistance. Approximately 15 minutes after the discovery of the
leak, the fire department took command of the incident and set
up a hot zone of 6 m by 6 m (20 ft. by 20 ft.) around the leak. At
around the same time, the board operator began reducing the
feed rate in the Crude Unit #4 sidecut, per the refinery’s normal
shutdown procedure.
Other refinery personnel, including managers, engineers, and
inspectors, came to the area to assist in determining how to
respond to the leak. The fire department performed gas testing
and determined the atmosphere around the leak was not
flammable.
Believing the leak to be minor in nature, operations and fire
department personnel decided to remove insulation from an area
of the pipe downstream of the leak to determine whether it could
be repaired while running. The fire department set up fire
monitors outside of the hot zone to cover the leak area as a
precaution.

Figure 3.3-2. Atmospheric separation process flow diagram
(courtesy OSHA).

Figure 3.3-3. Timeline (courtesy CSB).

Figure 3.3-4. Location of the leak (courtesy CSB).


When firefighters tried to remove the insulation near an
elbow downstream from the component that failed, a small flash
fire ignited. That fire was quickly extinguished. The fire
department next tried to remove the insulation, near the elbow
downstream of the component that failed, with a stream of water
from fire hoses. After shutting the water off to assess the
insulation removal, the firefighters observed that the volume of
the leaking material was increasing, and a decision was made to
initiate an emergency shutdown of the unit. Moments later, a
white cloud formed and enveloped the Crude Unit #4 and the
personnel in the vicinity and downwind processing plants. The
leak ignited approximately two minutes later.
Why it happened. The loss of containment was caused by
sulfidation corrosion, which causes the thinning of steel due to a
reaction between iron and sulfur. Sulfidation corrosion is due to
the reaction between sulfur compounds, especially H2S, and iron
at temperatures of 232–427°C (450–800°F). In pipes, this damage
mechanism causes gradual thinning of materials that over time
may result in the failure of piping.

Figure 3.3-5. Ruptured Crude Unit #4-sidecut pipe at Chevron
refinery (courtesy CSB).

Crude oil commonly contains sulfur compounds, such as
hydrogen sulfide (H2S), that can lead to sulfidation corrosion in
steel piping and components. Carbon steel, and other low-
chromium steels (i.e., < 0.1% chromium), have a lower degree of
resistance to sulfidation corrosion. For this reason, continual
monitoring and consideration of high-chromium-content steel
alloys are important aspects of sulfidation corrosion
management.
The American Petroleum Institute (API) publishes a
Recommended Practice (RP) on the subject: 939-C Guidelines for Avoiding
Sulfidation (Sulfidic) Corrosion Failures in Oil Refineries (API 2009).
API 939-C states that using higher alloy steel to protect against
sulfidation corrosion is preferable to relying on inspection, but, as
a recommended practice, 939-C does not require either
replacement of low-alloy steels or 100% inspection.
Standard inspection methodologies call for measurement of
pipe thickness at a certain number of permanent monitoring
locations. Prior to the fire, the Richmond refinery had increased
the number of condition monitoring locations (CMLs) on the
individual circuit to nineteen, within the Crude Unit #4 sidecut
that ultimately failed. However, there were no CMLs on the pipe
component that ultimately failed.
There are many factors that affect sulfidation corrosion. For
instance, lower silicon content can result in increased rates of
sulfidation corrosion in carbon steel piping. However, carbon
steel piping was not manufactured to meet a specified minimum
silicon content until the mid-1980s. As a result, piping installed
prior to that time may have varying silicon content.
Post-incident testing determined the Crude Unit #4 sidecut
component that failed contained lower silicon levels than other
sections of the Crude Unit #4 sidecut. Relying on the expanded
inspection data at the 19 CML locations, as well as non-CML
locations, did not reveal the extent of corrosion of the piping
component that failed. Figure 3.3-5 is a photo of the ruptured
pipeline.

3.3.3 Management System Failures

I. Commit to Process Safety

1. Process Safety Culture.


The CSB noted that the Chevron safety program used a “bottom-
up approach, relying on individual personal assertions and
initiatives to implement important new safety programs.” CSB
also stated, “The failure to prevent this incident is indicative of a
fragmented process safety management approach that placed
responsibility to implement key process safety recommendations
on lower-level employees without sufficient recommendation-
approval and funding authority” (CSB 2015).
2. Compliance with Standards.
Several American Petroleum Institute (API) recommended
practices cover sulfidation corrosion:
API RP 939-C: Guidelines for Avoiding Sulfidation (Sulfidic)
Corrosion Failures in Oil Refineries;
API RP 571: Damage Mechanisms Affecting Fixed Equipment in the
Refining Industry;
API 570: Piping Inspection Code: In-Service Inspection, Rating,
Repair, and Alteration of Piping Systems;
API RP 578: Material Verification Program for New and Existing
Alloy Piping Systems;
API RP 574: Inspection Practices for Piping System Components.
The CSB noted that these codes were not consistent in their
treatment of sulfidic corrosion. API 939-C does not specify the
need for 100% component inspection. CSB recommended 939-C
incorporate this, and that the other codes refer to it. One code
(API 570) states that sulfidation corrosion is a uniform
phenomenon and that 100% inspection is not necessary. As of the
writing of this book, the CSB recommendations to API have not
been implemented.

III. Manage Risk

10. Asset Integrity and Reliability.


Asset integrity helps ensure that equipment remains fit for use
until it is retired.
In 2009, Chevron updated inspection strategies for sulfidation
corrosion. This guidance went beyond the codes and standards in
existence at that time and recommended performing a one-time
100% component inspection on certain piping to look for
sulfidation corrosion. While the Richmond refinery began the
process of implementing the 2009 guidelines, the
recommendation to perform a one-time 100% component
inspection had not been built into the inspection plan for all of the
piping circuits potentially susceptible to sulfidation corrosion at
the time of the August 6, 2012, incident.
Rather than performing 100% component inspection, the
Richmond refinery’s reliability group instead recommended
replacement of three carbon steel circuits within the Crude Unit
#4 sidecut with higher alloy steel during the 2011 turnaround.
After conducting additional expanded inspections during the
2011 turnaround, two of the three circuits were replaced.
However, the turnaround team concluded the expanded
inspection data demonstrated that the third circuit that ultimately
failed had sufficient remaining life and therefore did not warrant
replacement. The inspector thereafter placed that circuit on an
increased inspection frequency. There was no recommendation
to perform 100% component inspection on the circuit that
remained in place, nor was there a process in place at the
Richmond refinery to assess whether and to what extent to turn
the ETC 100% component inspection guidance into a refinery
policy.
16. Emergency Management.
The Richmond refinery operator guidance on how to respond to
leaks was lengthy and potentially unclear prior to the August 2012
fire. Believing the leak was minor, refinery personnel continued to
evaluate the leak while remaining in its vicinity. As a result, the fire
truck deployed to the area, while outside the established hot
zone, was ultimately destroyed in the fire. Efforts to determine the
size of the leak, using a pike pole, and eventually blasting with fire
hoses, made the leak worse.
In response to these problems, the Richmond refinery
developed a new Leak Response Protocol (LRP), see Figure 3.3-6.
This new protocol is intended to be clearer, with fewer steps, in an
effort to make it easier to implement in response to a leak.

Figure 3.3-6. Chevron’s new Leak Response Protocol (courtesy
CSB).

3.4 VALERO-MCKEE LPG REFINERY FIRE, TEXAS, US, 2007

3.4.1 Summary
On February 16, 2007, an LPG release from cracked piping in the
propane deasphalting (PDA) unit of Valero’s McKee refinery
ignited. The resulting fire burned for about two days. There were
four serious injuries, the entire refinery had to be evacuated,
there was $50 million in property damage, and the refinery was
shut down for two months. This incident illustrates the concept of
“knock-on” effects, i.e., new incidents triggered by the initial
incident. This fire triggered two near-misses, whose
consequences could have been worse with slight changes in
conditions, such as wind direction. The heat from the fire
triggered a release of 1,134 kg (2,500 lb.) of chlorine from three
one-ton cylinders and blistered the paint on a nearby butane
storage sphere (CSB 2008a).

Key Points
Compliance with Standards – Use good practices to prevent
potential failures. When designing equipment to control a
hazard, consider the mechanism and likelihood that the
equipment could fail. If the consequences of failure are
significant, multiple or more robust controls could be warranted.
Hazard Identification and Risk Analysis – Do a good job on
hazard identification. Operator participation is essential, and
alternating revalidation with a complete redo is often a good
idea. If the team fails to consider topics such as facility siting and
dead legs, then those potential hazards will remain unidentified
and uncontrolled.
Management of Change – Understand how changes can impact
existing protection systems. Unmanaged change can introduce
new hazards and render existing protections ineffective. In this
case, an abandoned line from a piping modification was not
reviewed.

3.4.2 Description
Background. The Valero-McKee Refinery was originally built in
1933 and has been modified over the years. The refinery joined
Valero as part of the Ultramar Diamond Shamrock merger in
2001.
Process. The PDA unit removes paving-grade asphalt from heavy
bottoms from the oil fractionation unit. Liquid propane is the
extraction solvent. The unit operates at about 34.5 bar (500 psi).
The PFD in Figure 3.4-1 illustrates the steps in the process.
What Happened. On the morning of the incident, the temperature
dropped to -14°C (6°F), causing water in a dead-leg to freeze and
subsequently cracking the pipe (Figure 3.4-3). When the
temperature rose in the afternoon, the ice thawed, and the
release of propane vapor began. The estimated release rate was
2,041 kg (4,500 lb.) per hour.
The wind blew the propane vapor cloud toward a boiler, which
was the likely ignition source. The resulting jet fire impacted a
steel support column that had not been fireproofed, causing it to
collapse. This led to further piping failures and releases of
combustible petroleum products, which further fueled the fire.
High winds hindered emergency response efforts to fight the fire.
These factors led to the evacuation of the entire refinery 15
minutes after the fire started, which likely saved lives.
The fire heated three 907 kg (1 ton) chlorine cylinders, causing
the fusible plugs to melt and release about 2,268 kg (2.5 tons) of
chlorine. Chlorine was used as a biocide in cooling towers.
The paint on a nearby 1590 m3 (420,000 gal.) butane storage
sphere blistered due to fire. The heat prevented emergency
responders from accessing nearby fire monitors to protect the
sphere. Fortunately, the wind direction was away from the
sphere, keeping flames from affecting it even more. Figure 3.4-4
shows the location of the chlorine shed and butane storage tank with
respect to the PDA unit.
The main feeds and fuel gas supply to the refinery were shut
off. Eventually emergency response teams were able to enter the
area and shut off other fuel sources, although chlorine and
sulfuric acid leaks hampered this effort. The fire burned for two
days.

Figure 3.4-1. Process Flow Diagram of PDA unit (courtesy CSB).

Figure 3.4-2. Abandoned propane mix control station (courtesy CSB).

Why it Happened. About 15 years before the incident, a process
modification occurred, and the original control station was
abandoned in place (Figure 3.4-2). This created a dead-leg into
which water and propane could collect (the propane contained
small amounts of water). To compound the problem, a foreign
object had become lodged in the 25 cm (10 in.) gate valve,
preventing it from being fully closed.

Figure 3.4-3. Crack in the propane mix control station piping (courtesy CSB).

Figure 3.4-4. Photograph of damaged PDA unit, showing the location of butane sphere and chlorine cylinders (courtesy CSB).

3.4.3 Management System Failures

I. Commit to Process Safety

2. Compliance with Standards.


Relying on a single standard control valve to isolate a system is
not good practice. Many incidents have been caused by a leaking
valve. Good engineering practice, at a minimum, would have been
to install a blind in the system. An inherently safer practice would
have been to remove the abandoned pipe.
Indeed, one inherently safer design principle is simplification:
the design of facilities and processes to eliminate unnecessary
complexity and reduce the chance for errors (CCPS 2009). A
checklist of inherently safer technologies includes the alternative
“elimination of all unnecessary cross connections” (CCPS 2009).
Another inherently safer design strategy is substitution, i.e.,
substituting hazardous materials with less hazardous ones. The
Valero refinery used chlorine as a biocide for cooling towers,
which was released when the chlorine cylinders were exposed to
the heat from the fire. Biocides that are less hazardous than
chlorine could have been used, eliminating this hazard altogether.
This fire was a jet fire, i.e., one coming from a pressurized
source. Shutting off the fuel supply will stop a jet fire. The refinery
did not have sufficient Remote Shutoff Valves (RSOVs), which
impeded control of the fire, allowing it to burn for two days before
being extinguished. (The operators had to shut down the main
feeds and fuel gas supply.)
The Valero refinery had an Emergency Isolation Valve (EIV)
Standard. This called for emergency isolation valves on units
containing more than 4,536 kg (10,000 lb.) of a material like
propane. A PHA in 1996 recommended installing EIVs in the PDA
unit, but the action was not implemented (CSB 2008a).

II. Understand Hazards and Risk

7. Hazard Identification and Risk Analysis.


A PHA had been conducted on the process; however, the PHA was
inadequate. For example, the U.S. OSHA PSM standard, which
covers this process, requires that facility siting be addressed in
the PHA. However, the risks associated with the location of the
chlorine shed were not addressed. The hazards of the dead-leg
were also not recognized. Correct application of HAZOP
guidewords could have identified this hazard.
Interviews conducted during the investigation discovered that
operators were not effectively engaged in the 2006 PHA (CSB
2008a). Note that this PHA would have been a revalidation, as
there was one in 1996 and, presumably, one in 2001.
A properly conducted PHA revalidation would check if
recommendations from previous PHAs had been implemented.
Also, alternating revalidations with a complete redo of the PHA
is a good idea (Young and Oelner 2018). The 2006 PHA did not
apply the Valero EIV standard, nor did it confirm that previous PHA
recommendations had been implemented. Thus, the 1996 PHA
recommendations that EIVs be installed were not reviewed.

III. Manage Risk

13. Management of Change.


An MOC was not performed when the piping change was made.
A formal MOC review could have identified the potential hazards
of a dead-leg.

3.5 BLSR DEFLAGRATION AND FIRE, TEXAS, US, 2003

3.5.1 Summary
During unloading of a vacuum truck (Figure 3.5-1) into an open
pit, hydrocarbons in basic sediment and water from oil
exploration and production ignited. Two trucks were destroyed,
and the unloading area was seriously damaged. This event is
notable for two things. First, the flammability hazard of the
wastewater was not widely recognized in the recovery business.
This is also not always recognized in the chemical process
industry. Second, auxiliary operations, such as vacuum truck
loading and unloading, can create hazards that need to undergo
a risk analysis like any other potentially hazardous operation.

Figure 3.5-1. Typical vacuum truck used to haul oilfield waste liquids (courtesy CSB).

Key Points
Compliance with Standards – Don’t forget the basics. Some
standards are very basic, but that does not mean that they are
not important. Workers have a right to know what materials
they are handling. They should have access to SDS’s and
instruction on how to safely handle hazardous materials.
Operating Procedures – Procedures are not just about the
process. Operating procedures should address all aspects that
could present a hazard. Controlling ignition sources is a
fundamental aspect of safe operations. Vehicles are an ignition
source that must be controlled where flammable materials
may be present.

3.5.2 Description
Background. The BLSR facility has been in operation since the mid-1980s.
It is permitted by the Texas Railroad Commission to
operate waste injection wells.
Process. The gas stream from an exploration and production (E&P)
operation (Noble Energy in this case) contains solids, water, and
liquid hydrocarbons. This mixture goes through separators that
separate the water and hydrocarbons (as a condensate). The
condensate still contains water and is stored in tanks, where the
water is separated from the hydrocarbons, with the water being
the bottom layer, basic sediment and water (BS&W). The E&P
company sells the top layer to refineries. Two or three times a
week a vacuum truck operated by a waste hauler draws off the
BS&W layer for disposal at an approved site. The vacuum truck
operator conducts the entire operation: identifying the tank,
connecting the truck, drawing off the BS&W layer, and
disconnecting the truck. In this case, T&L Environmental Services
was the truck operator, and BLSR operated the disposal site.
At the BLSR facility, there were separate tanks for collecting
what was considered by the truck driver to be clean fresh water,
saltwater, and condensate. There was also an open
disposal/washout pad. BS&W was usually unloaded at the
disposal/washout pad. This pad (Figure 3.5-2) was a covered, 14.6
m by 19.8 m (48 ft. by 65 ft.) pit with pumps and equipment for
handling drilling mud and viscous materials from E&P and
pipeline operations (Figure 3.5-3). Drivers were supposed to
unload “dirty” water (containing solids such as drilling mud) at the
disposal and washout pad.
What Happened. On the afternoon of January 13, 2003, two
vacuum trucks collected BS&W from the tanks at Noble Energy.
The amount of BS&W was recorded by the operator at Noble
Energy as 7.3 m3 (46 barrels). The vacuum truck driver reported
that 7.9 m3 (50 barrels) were removed.
The drivers backed the trucks up to the disposal pit, informed the BLSR
operators that the trucks were ready for unloading, and went to a shed
for drivers, leaving the truck engines running. At the time, the
drilling mud in the pit was being diluted with water using the
hydraulic pumps to recirculate the pit contents. The valves on the
trucks were opened to drain the BS&W. After three to five
minutes, eyewitnesses said that one of the truck engines began
to violently race and that black smoke was blowing from the
exhaust. Backfiring was heard, prompting the truck drivers to
leave the shed and begin running toward the trucks. The second
truck engine also began to race. At that point, ignition occurred,
and there was a deflagration.
There were three fatalities resulting from burns from the
incident (two BLSR employees and a truck driver; one after
forty-six days). Three BLSR employees were also seriously burned.
Figure 3.5-4 shows the damaged trucks and disposal pit area.
Why it Happened. BS&W in the storage tanks always contains some
flammable hydrocarbons. The actual flashpoint of any given
truckload of BS&W depends on how much time the organic and
aqueous layers in the tank have to settle and separate, how
rapidly the tank is drained, and how the truck driver drains the
tank. Given the average hold times and the lack of set procedures,
the liquid in the trucks will likely always be flammable. Samples
taken by the CSB of BS&W from the Noble Energy site had a
flashpoint of -1°C (30°F). This flammable material was emptied
into an open pit in an area with no provisions for ignition control,
allowing the flammable vapor to freely disperse and find an
ignition source, in this case, the truck engines.

Figure 3.5-2. Disposal/washout pad, hydraulic pumps and wooden stop beam (courtesy CSB).

Figure 3.5-3. Layout of disposal/washout pad, vacuum trucks, and injuries (courtesy CSB).

Figure 3.5-4. Damaged trucks and disposal/washout pit area (courtesy CSB).

3.5.3 Management System Failures

I. Commit to Process Safety

2. Compliance with Standards.


Noble Energy and BLSR did not comply with the U.S. OSHA hazard
communication standard that requires an employer to
communicate with and train workers about the hazards of
handling flammable liquids. Noble Energy did not supply SDS’s for
the BS&W. BLSR did not comply with standards about electrical
equipment and control of ignition sources in an area handling
flammable liquids. The shipper did not comply with DOT shipping
regulations to properly identify the BS&W as a flammable liquid.

II. Understand Hazards and Risk

6. Process Knowledge Management.


None of the companies involved knew or understood that they
were handling a flammable material. The E&P owner/operator
(Noble Energy) should have known about the flammability
hazards and communicated this information to the field
operators. Because of this failure to recognize or communicate
the applicable hazards, both the waste transport company (T&L)
and the disposal company (BLSR) treated the waste liquid as
nonflammable.

III. Manage Risk

8. Operating Procedures.
Noble Energy did not have written procedures for loading waste
trucks. Consequently, trucks contained varying amounts of
flammable material, depending on how the waste tanks were
drained. BLSR did not have written procedures for determining
where a waste truck was unloaded, for truck unloading, or for
emergency response. As a result, not only was the truck unloaded
with the engine running but when the truck engine began to
overspeed (a sign that flammable vapors had entered the diesel
engine), employees ran toward the hazard rather than away from
it.
11. Contractor Management.
Noble Energy did not inform the waste hauler contractor of
hazards, nor did they provide them with hazard information in the
form of an SDS. Checking that contractors are qualified to do the
job is also a part of contractor management.

3.6 SIMILAR INCIDENTS

3.6.1 Shell Refinery Fire, Singapore, 2011


On September 28, 2011, a fire occurred at the Royal Dutch Shell
oil refinery on Pulau Bukom. The fire began near a system of
pipelines carrying various petroleum products. Reports stated the
fire occurred when naphtha oil from a pipeline was being drained
into an open plastic tray, allowing a flammable vapor cloud to
develop. The Singapore Ministry of Manpower (MOM) noted that
no gas monitors were used during the operation. They concluded
that a static spark likely ignited the naphtha vapor. The fire
covered a 176 m by 65 m (577 ft. by 213 ft.) area and lasted for
thirty-two hours before being extinguished. In this case, Shell did
not follow adequate Safe Work Permit procedures (MOM 2011,
MOM 2011b).

3.6.2 CITGO Refinery Fire, Texas, US, 2009


On July 19, 2009, a release of flammable hydrocarbons occurred
in a hydrogen fluoride (HF) alkylation unit at CITGO’s Corpus
Christi East Refinery. The hydrocarbon vapor cloud spread to an
adjacent unit and ignited. The fire led to the release of about
19,051 kg (42,000 lb.) of HF. An HF water mitigation system was
activated and captured most of the HF. CITGO reported that the
water (99.9% removal efficiency) did not capture 13.6 kg (30 lb.) of
HF. The CSB stated that using a 90% removal efficiency, which it
believes was a more reasonable factor, would have meant that
1,905 kg (4,200 lb.) would have been released. The fire
caused multiple injuries and lasted for several days.
The cause of the initial release was a control valve that failed
to close, leading to shaking of the process recycle piping at two
threaded connections (CSB 2009). The CSB noted that CITGO had
not performed regular safety audits of the HF alkylation unit as
recommended by API RP 751, Safe Operation of Hydrofluoric Acid
Alkylation Units.

3.7 ADDITIONAL RESOURCES


The following resources are available for helping to understand
and protect against fire hazards.
National Fire Protection Association (NFPA) codes. The NFPA
is a trade association that generates many codes addressing fire
and electrical hazards. The codes are often adopted by local
authorities, making the code legally enforceable in that
jurisdiction. These codes are a good source of fire protection and
suppression knowledge. Of note are:
NFPA 30 Flammable and Combustible Liquids Code, and
NFPA 70 National Electrical Code.
There are numerous other codes addressing water and foam
suppression sprinkler systems, storage systems, and fire pumps.
American Petroleum Institute (API) recommended practices.
The API is an industry trade association. API committees have
generated recommended practices that address many segments
of the oil and natural gas industry. A number of these
recommended practices address process safety and fire
protection. Of note are:
API RP 752 Management of Hazards Associated with Location
of Process Plant Permanent Buildings,
API RP 753 Management of Hazards Associated with Location
of Process Plant Portable Buildings, and
API RP 2001 Fire Protection in Refineries.
FM Global Property Loss Prevention Data Sheets. FM Global is
an insurance company that has used its loss experience to
generate data sheets on a number of topics. These data sheets
are intended to reduce the chance of property damage. Topics of
interest include industrial boilers, gas turbines, and extinguishing
systems.
Guidelines for Evaluating Process Plant Buildings for External
Explosions, Fires, and Toxic Releases, 2nd Edition (CCPS 2012a).
Siting of permanent and temporary buildings in process areas
requires careful consideration of potential effects of explosions
and fires arising from accidental release of flammable materials.
This book, updated from the 1996 edition, provides a
single-source reference that explains the American Petroleum Institute
(API) permanent (752) and temporary (753) building
recommended practices and details how to implement them.
New coverage on toxicity and updated standards are also
included.
Guidelines for Vapor Cloud Explosion, Pressure Vessel Burst,
BLEVE and Flash Fire Hazards, 2nd Edition (CCPS 2011). This guide
provides an overview of methods for estimating the
characteristics of VCEs, flash fires, and boiling liquid expanding
vapor explosions (BLEVEs) for practicing engineers. It has been
updated to include advanced modeling technology, especially
with respect to vapor cloud modeling and the use of
computational fluid dynamics. The text also reviews past
experimental and theoretical research and methods that may be
used to estimate consequences. This manual is heavily illustrated
with photos, charts, tables, and diagrams.
Chapter 4 Explosion Incidents 131

Explosion Incidents
4.1 INTRODUCTION
CCPS defines an explosion as “a release of energy that causes a
pressure discontinuity or blast wave.” NFPA defines it as “the
bursting or rupture of an enclosure or container due to the
development of internal pressure from a deflagration.” There are
two major kinds of explosions: physical and chemical (Figure
4.1-1).
Physical explosions are caused by the release of mechanical
energy. The term “physical explosion” includes vessel ruptures,
BLEVEs, and rapid phase transition. A vessel rupture occurs from
a material defect or from a pressurization that exceeds the
mechanical strength of the vessel. BLEVE is defined by CCPS as “a
type of rapid phase transition in which a liquid contained above
its atmospheric boiling point is rapidly depressurized, causing a
nearly instantaneous transition from liquid to vapor with a
corresponding energy release. A BLEVE of flammable material is
often accompanied by a large aerosol fireball, since an external
fire impinging on the vapor space of a pressure vessel is a
common cause. However, it is not necessary for the liquid to be
flammable in order to have a BLEVE occur”. A rapid phase
transition can occur when a material is exposed to a heat source.
This increases the material’s volume, which increases the
pressure in the container.
Chemical explosions are caused by chemical reactions and
can be uniform or propagating reactions. Uniform reactions occur
throughout the space of the reaction mass, such as a runaway
reaction in a reactor. A propagating reaction, e.g. combustion,
moves through the mass of the reactant, such as in a VCE. A
deflagration occurs when the speed of the reaction front is less
than the speed of sound. A detonation occurs when the speed of
the reaction front is equal to or greater than the speed of sound.


When the chemical reaction occurs in the solid or liquid phase, it
is called a “condensed phase explosion.”
The book Understanding Explosions (Crowl 2003) provides
information on explosions to those involved with the design,
operation, maintenance, and management of chemical
processes. Table 4.1 provides examples of the various types of
explosions and notes where they are described in this book.
Figure 4.1-1 summarizes the types of explosions and their causes.
This figure also illustrates that some incidents can involve
multiple types of explosion, for example, a vessel rupture
leading to a BLEVE.

Figure 4.1-1. Relationships between the different types of explosions. It is possible for several to occur with any incident (courtesy Crowl 2003).

| EXPLOSION TYPE | EXAMPLES |
|---|---|
| Rapid phase transition | Hot oil pumped into a vessel containing water (note: no incidents of this type included) |
| BLEVE | Vessel isolated from its pressure relief device: Section 4.5 – Williams Geismar Heat Exchanger Rupture/Explosion. Rupture of a flammable gas railcar exposed to fire (note: no incidents of this type included) |
| Vessel rupture | Mechanical failure of a vessel at high pressure: Section 4.11 – NDK Vessel Rupture. Failure of a relief device during overpressure: Section 4.5 – Williams Geismar Heat Exchanger Rupture/Explosion |
| Uniform reaction (aka condensed phase explosions) | Runaway reactions: Section 2.2 – T2 Labs Reaction/Explosion; Section 2.8 – Port Neal Ammonium Nitrate. Decomposition reactions: Section 2.6 – West Fertilizer; Section 2.7 – Tianjin Explosion |
| Propagating reactions | |
| Deflagrations (flame front advances at < speed of sound in the unburned cloud) | Combustion of flammable vapors or dust: Section 4.6 – Imperial Sugar Dust Explosion; Section 4.7 – Hayes Lemmerz Dust Explosion; Section 4.8 – Varanus Island Pipeline Rupture/Explosion; Section 4.9 – Multiple Natural Gas Explosions; Section 4.10 – Oil Storage Tank Explosion |
| Detonation (flame front advances at speed of sound in the unburned cloud) | Combustion of flammable vapors: Section 4.2 – Buncefield; Section 4.3 – Jaipur |

Table 4.1 Examples of various types of explosions (adapted from Crowl 2003).

Note to Readers: In the previous chapters, similar incidents were
listed as a separate section at the end of the chapter. In the case
of explosions, there are so many other examples that only a few
similar incidents were selected and were combined with the full
descriptions of the incident they were similar to.

4.2 BUNCEFIELD STORAGE TANK OVERFLOW AND EXPLOSION, UK, 2005

4.2.1 Summary
A delivery of gasoline (petrol) from a pipeline into a storage tank
in the Buncefield depot began on Sunday morning, December 11,
2005. The level control and shutoff systems in place failed to
operate. The tank overflowed, and gasoline cascaded down the
side of the tank. The Major Incident Investigation Board (MIIB)
reported that up to 272 metric tons (300 tons) of gasoline had
escaped from the tank (MIIB 2008a). About forty-five minutes
after the release started, a series of explosions took place. The
main explosion appears to have been centered on car parking lots
just west of the depot. This explosion was massive and generated
overpressures higher than would have been expected in a normal
VCE. Some have speculated it was a deflagration to detonation
transition (DDT) event.
Forty-three people were injured and about 2,000 were
evacuated from the area. If the incident had happened on a
weekday, it could have resulted in more injuries and even
fatalities. The explosions caused the largest fire in peacetime
Europe, engulfing more than twenty large storage tanks over a
large part of the Buncefield depot. The fire burned for five days,
destroying most of the depot (Figure 4.2-1). In addition to
destroying large parts of the depot, there was widespread
damage to surrounding property and disruption to local
communities. Houses close to the depot were destroyed, and
others suffered severe structural damage. Buildings as far as 8 km
(5 miles) from the depot suffered damage such as broken
windows and damaged walls and ceilings. The MIIB estimated the
cost of the incident was £1 billion (about $1.35 billion as of mid-2017).

Figure 4.2-1. Buncefield storage depot after the explosion and fires (courtesy Buncefield).

The occurrence of a detonation, which produces much higher
overpressures than a deflagration, was a surprise to experts who,
prior to the event, did not expect a gasoline tank farm VCE could
make the deflagration to detonation transition. The MIIB
recommended that research be done to understand why the DDT
occurred. The results of this research are documented in the
Buncefield Explosion Mechanism Phase 1 (Health and Safety
Executive (HSE) 2009a).

Key Points
Process Safety Culture – Do not “live with” frequent instrument
failures. A good process safety culture investigates to find out
what is causing the failures and addresses the problem. Thus,
the barrier against a process safety incident remains healthy.
Compliance with Standards – A process should be designed
with layers of protection sufficient for the magnitude of the risk.
Management of Change – A large change in throughput is a
change that should be managed. Changes should be evaluated
to understand implications on equipment, operations, and
provision of adequate staffing.

4.2.2 Description
Background. The Buncefield depot is a large tank farm near Hemel
Hempstead in Britain. The Buncefield depot was constructed in
1968. At the time of the incident, there were three sites at the
depot operated by Hertfordshire Oil Storage (a joint venture
between Total and Chevron), British Pipeline Agency (a joint
venture between Shell and BP), and BP.
Process. The Buncefield depot, or tank farm, was a large site that
stored gasoline, heating oil, and aviation fuel in over twenty-five
storage tanks (Figure 4.2-2). The fuels were received via two 0.25
m (10 in.) and one 0.36 m (14 in.) pipelines. Gasoline and heating
oil from the tanks were offloaded into trucks for delivery, and the
jet fuel was sent out by pipeline. The depot was about 4.8 km (3
mi) away from the center of the nearest town, Hemel Hempstead.
The storage tank involved was Tank 912. Tank 912 was a 6,000 m3
(1.6 million gal.) floating roof tank with an automatic tank gauging
(ATG) system that was monitored in the control room.
From the control room, operators could operate the
appropriate valves to shut off and/or divert flow from Tank 912 to
other tanks. The high and high-high level alarms could be
set/changed by the supervisors. Tank 912 also had an
independent high-level switch (IHLS) that would stop the incoming
flow at a high-high level by closing the inlet valves and provide an
audible and visual alarm in the control room.
What Happened. The tank started receiving gasoline containing
10% isobutene at a rate of about 550 m3/hr (145,294 gal/hr)
around 7:00 p.m. on Saturday evening. At 3:00 a.m. on Sunday,
the tank was about 2/3 full, but the level gauge stopped recording
any further increase in level despite filling continuing. The
independent high-level switch (IHLS) shutdown also failed to stop
flows to the tank. At about 5:20 a.m. the tank began to overflow
and flow into the tank continued, even increasing in rate to about
890 m3/hr (235,113 gal/hr).
As fuel continued to overflow from Tank 912, a vapor cloud up
to 2 m (6.6 ft.) tall, and covering an area of about 500 by 350 m
(1640 by 1148 ft.) formed, engulfing a large portion of the facility
(Figure 4.2-3) (HSE 2017). The first explosion occurred at 6:01 a.m.
Initially, the ignition source was hard to determine. Candidates
included a pump house, heaters in the emergency generator
building, and car engines (witnesses stated their cars began to run
erratically, i.e., surging due to drawing in fugitive gasoline vapors).
Subsequent analysis (see below) has settled on the pump house
as the initial site of ignition. Further explosions occurred,
eventually engulfing the entire facility in fire.
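
The gauge failure described above (the level reading stopped increasing while filling continued) is the condition a level/flow consistency alarm is meant to catch. The following Python code is an added example, not taken from the book or from the Buncefield operators' systems; it assumes an independent inlet flow meter and a gauge that reports volume, and all sample data in it is constructed.

```python
"""Level/flow consistency alarm for a tank being filled (added example).

Assumptions (not from the source): an independent inlet flow meter exists,
the gauge reports volume in m3, and the transfer data below is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Sample:
    t_hr: float                # hours since the transfer started
    gauge_m3: Optional[float]  # tank gauge reading; None means no reading
    flow_m3_hr: float          # independent inlet flow meter


def integrated_flow(samples: List[Sample], i0: int, i1: int) -> float:
    """Trapezoidal integral of inlet flow between two sample indices (m3)."""
    total = 0.0
    for a, b in zip(samples[i0:i1], samples[i0 + 1:i1 + 1]):
        total += 0.5 * (a.flow_m3_hr + b.flow_m3_hr) * (b.t_hr - a.t_hr)
    return total


def consistency_alarms(samples: List[Sample], window_hr: float = 0.5,
                       tolerance: float = 0.25,
                       min_expected_m3: float = 50.0) -> List[Tuple[float, str, int]]:
    """Compare gauge movement with metered inflow over a sliding window.

    Returns (time, reason, window_start_index) for each sample at which the
    gauge change differs from the metered volume by more than `tolerance`.
    """
    alarms = []
    start = 0
    for i, cur in enumerate(samples):
        # Move the window start to the latest sample at least window_hr old.
        while start + 1 < i and cur.t_hr - samples[start + 1].t_hr >= window_hr:
            start += 1
        if cur.t_hr - samples[start].t_hr < window_hr:
            continue  # not enough history yet
        expected = integrated_flow(samples, start, i)
        if expected < min_expected_m3:
            continue  # little or no filling, so a flat gauge is normal
        old = samples[start].gauge_m3
        if cur.gauge_m3 is None or old is None:
            alarms.append((cur.t_hr, "gauge reading missing during transfer", start))
            continue
        observed = cur.gauge_m3 - old
        if abs(observed - expected) > tolerance * expected:
            reason = (f"gauge moved {observed:.0f} m3 but flow meter "
                      f"delivered {expected:.0f} m3")
            alarms.append((cur.t_hr, reason, start))
    return alarms


def dead_reckoned_volume(samples: List[Sample],
                         alarms: List[Tuple[float, str, int]]) -> Optional[float]:
    """Estimate the present volume once the gauge can no longer be trusted.

    Uses the gauge value at the start of the first alarming window (the last
    reading that earlier checks found consistent) plus metered inflow since.
    """
    if not alarms:
        return None
    start = alarms[0][2]
    base = samples[start].gauge_m3
    if base is None:
        return None
    return base + integrated_flow(samples, start, len(samples) - 1)


def constructed_transfer(stuck_after_hr: float, end_hr: float = 8.0,
                         step_hr: float = 0.25, start_m3: float = 600.0,
                         flow_m3_hr: float = 550.0) -> List[Sample]:
    """Constructed data: steady filling, gauge freezes at stuck_after_hr."""
    stuck_value = start_m3 + flow_m3_hr * stuck_after_hr
    samples = []
    for k in range(int(end_hr / step_hr) + 1):
        t = k * step_hr
        true_volume = start_m3 + flow_m3_hr * t
        samples.append(Sample(t, min(true_volume, stuck_value), flow_m3_hr))
    return samples


if __name__ == "__main__":
    data = constructed_transfer(stuck_after_hr=6.0)
    found = consistency_alarms(data)
    print("first alarm at t = %.2f h: %s" % (found[0][0], found[0][1]))
    print("gauge shows %.0f m3, estimate is %.0f m3"
          % (data[-1].gauge_m3, dead_reckoned_volume(data, found)))
```

With 15-minute samples and a 30-minute window, the constructed stuck gauge is flagged one sample after it freezes, and the dead-reckoned estimate keeps tracking the volume the gauge no longer shows.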

Figure 4.2-2. Buncefield storage depot before the explosion (courtesy Buncefield).

Figure 4.2-3. Buncefield site – the extent of vapor cloud (gray line) (courtesy HSE).

Why it happened. The IHLS did not function because a test lever
for the switch had not been locked in the neutral position. The
lever enabled testing of the high-level and low-level function of
the IHLS. Failure to lock the lever in the middle position allowed it
to slip into the low-level test position, thereby disabling the high-
level function.
Experts were surprised by the severity of the damage
resulting from the explosion given the low level of congestion at
the site. The extent of the damage led experts to conclude that a
DDT occurred. This conclusion led to recommendations to
conduct further study of DDT mechanisms.

Figure 4.2-4. Breakup of liquid into drops spilling from tank top
(adapted from HSE).

The following factors contributed to the DDT:
Mist formation as the gasoline spilled over the top of the storage tank;
Low or no wind causing little dispersion and dilution of the flammable cloud;
Strong ignition source from the pump house;
Obstruction by hedgerows and trees, providing an elongated path for DDT.
Mist formation. Normally, a spill of a liquid from a storage tank
would be modeled as evaporation from the pool created by the
spill. As the gasoline spilled from the top of Tank 912, liquid
droplets formed, enabling transport of air into the vapor cloud
(Figure 4.2-4). (Mists can also increase the hazard of a flammable
release because they can ignite at temperatures below their
flashpoint, although that was not the case in this incident.)
Low or no wind speed. A lack of wind meant the cloud did not
disperse. When dispersion occurs, the concentration of vapor in
the cloud is reduced by entrainment of air. At Buncefield, the lack
of dispersion led to the formation of a large vapor cloud. Nearly
all of the vapor cloud was in the flammable range.

Strong ignition source. The pump house was located near Tank 912
and was completely engulfed by the vapor cloud. The ignition
source in the pump house led to an explosion inside the pump
house. This explosion created a strong ignition source that also
created turbulence around the pump house, leading to a strong
external explosion and the DDT.
Congestion due to vegetation. There were hedgerows near the
pump house that served as obstruction and congestion in the
vapor cloud. Also, there was a tree-lined street next to the facility
that caused further acceleration of the flame front and led to
detonation. It came as a surprise to investigators that vegetation
could do this, in effect acting similarly to a pipe rack.
Note on detonations. The report, Review of vapour cloud explosion
incidents (HSE, 2017), has challenged the conclusion that the
Buncefield explosion, and several others, was a detonation, based
on the nature of some of the physical damage at the explosion
sites. It hypothesizes that there can be a mechanism in between
a VCE and a detonation, and the HSE has called for further
investigation of this phenomenon. Interested readers can obtain
and read the HSE report. For brevity, this book will continue to
refer to the Buncefield and Jaipur explosions as detonations. The
important thing to remember is that with these types of events,
the potential damage may be much worse than the commonly
used consequence models might indicate.

4.2.3 Management System Failures

I. Commit to Process Safety

1. Process Safety Culture.


The ATG system had malfunctioned (not registering a level
change) fourteen times in the three months prior to December
11. Each time, it had been repaired by either the operators or the
maintenance crew. Sometimes, the failure was not even logged.
The willingness to continue to operate with such an unreliable
level control is indicative of a poor safety culture and is an
example of normalization of deviance.
2. Compliance with Standards.
The land use planning standards in the UK assumed that facility
operators were in compliance with appropriate requirements.
The MIIB recommended using a risk-based approach to land use
planning and requiring the operators to develop a risk
management plan.
The level control system was inadequate for the system.
There was only one computer to monitor the ATG system for all
of the tanks. And there was no backup system. In addition, there
was no alarm to indicate an inconsistency between the level in a
tank and the incoming flow. The site operators did not have
access to independent flow rate information. There was no flow
indication at all for two of the three incoming lines. In a well-
designed control system, the operators should have been able to
see that even though the level indication was not changing, flow
was still coming into the tank.
The MIIB recommended that automatic, high integrity
overflow prevention systems, independent of the tank level
system, be installed, in accordance with current best standards
(IEC 61511). The MIIB also recommended that the receiving site
have ultimate control of the storage site rather than the
transmitting site.
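
The missing cross-check described above (level indication flat while product is still flowing in) can be written as a simple consistency test between the gauge and an independent flow meter. This is an added example, not taken from the book or from the MIIB reports; the tank area, flow rate, thresholds and all sample data are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    t_min: float       # minutes since the transfer started
    level_m: float     # level reported by the tank gauge, metres
    inflow_m3h: float  # independently metered flow into the tank, m3/h


@dataclass(frozen=True)
class Alarm:
    t_min: float
    indicated_rise_m: float       # what the gauge says happened
    expected_rise_m: float        # what the flow meter says happened
    dead_reckoned_level_m: float  # window-start level plus metered inflow


def expected_rise_m(window, area_m2):
    """Level rise implied by the flow meter over `window` (trapezoidal rule)."""
    volume_m3 = 0.0
    for a, b in zip(window, window[1:]):
        hours = (b.t_min - a.t_min) / 60.0
        volume_m3 += 0.5 * (a.inflow_m3h + b.inflow_m3h) * hours
    return volume_m3 / area_m2


def find_inconsistencies(samples, area_m2, window_min=30.0,
                         min_fraction=0.5, min_rise_m=0.05):
    """Alarm when the gauge shows less than `min_fraction` of the rise that
    the metered inflow implies over the last `window_min` minutes."""
    alarms = []
    for i, now in enumerate(samples):
        # Latest sample that is at least window_min older than `now`.
        start = None
        for j in range(i, -1, -1):
            if samples[j].t_min <= now.t_min - window_min:
                start = j
                break
        if start is None:
            continue  # not enough history yet
        expected = expected_rise_m(samples[start:i + 1], area_m2)
        if expected < min_rise_m:
            continue  # no meaningful inflow, so a flat level is consistent
        indicated = now.level_m - samples[start].level_m
        if indicated < min_fraction * expected:
            alarms.append(Alarm(
                now.t_min,
                round(indicated, 3),
                round(expected, 3),
                round(samples[start].level_m + expected, 3),
            ))
    return alarms


def constructed_samples(stick_after_min=60, flow_m3h=550.0, area_m2=500.0):
    """Constructed data: the gauge tracks the fill, then freezes while the
    flow continues. Values are illustrative, not Buncefield measurements."""
    samples, level = [], 10.0
    for t in range(0, 121, 10):
        true_level = 10.0 + flow_m3h * (t / 60.0) / area_m2
        if t <= stick_after_min:
            level = round(true_level, 3)
        samples.append(Sample(float(t), level, flow_m3h))
    return samples


if __name__ == "__main__":
    for alarm in find_inconsistencies(constructed_samples(), area_m2=500.0):
        print(alarm)
```

The dead-reckoned level gives the operator an estimate to act on while the gauge is untrusted; it does not replace an independent high-level trip.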

II. Understand Hazards and Risk

7. Hazard Identification and Risk Analysis.


Prior to this incident, the scenario that occurred at Buncefield had
been considered not credible. Since land use planning in the UK
was based on the worst credible case, the scenario was not part
of the Land Use Planning process. Subsequently, guidance has
been updated with improved standards for gasoline storage
depots.

III. Manage Risk

8. Operating Procedures.
The operating procedures were inadequate. They were not
detailed enough (e.g., no safe operating limits were included), and
the supervisors on each shift used the available level alarms
differently.
10. Asset Integrity and Reliability.
The IHLS failed to close the inlet valve because the test lever was
not secured. It is imperative that safety-critical devices such as this
switch be tested on a regular basis and also that they be placed
back into service properly. The staff did not have procedures for
putting the switch back into operation.
This incident led the HSE to issue an alert on how to test the
switch. The MIIB recommended that these storage sites improve
their maintenance systems and conduct regular proof testing.
13. Management of Change.
In 2002 there was a large increase in throughput to the facility
when an adjacent facility was shut down. There was no MOC done
to check if the control systems and staffing levels were adequate
to handle the increased throughput. The IHLS was installed in
2004. Its design allowed the failure to occur. The failure mode
could have been eliminated if an MOC review had been
performed when the switch was installed.

4.2.4 Similar Incident


CAPECO Storage Tank Overflow and Explosion, Puerto Rico, 2009.
This incident is similar to the Buncefield event and to the Jaipur
Oil Terminal event, which is the next incident discussed in this
chapter. A storage tank was being filled, and the overfill protection
failed. An aerosol mist was created during the tank overflow. Dike
valves had been left open, allowing liquid gasoline to spread.
Twenty-six minutes after the overflow started, the vapor cloud
ignited, causing a large explosion that registered 2.9 on the
Richter scale. It was later determined that about 757 m³ (200,000
gal.) had been released. Seventeen of forty-eight tanks at the site
were damaged, and the fires burned for sixty hours (Figure 4.2-5).
About 300 homes and businesses up to 2 km (1.25 mi.) away were
damaged, and thousands of gallons of runoff (oil, suppression
foam) were released to the environment (CSB 2015b). The CSB
has a video describing this incident.

Key Points
Process Safety Culture – Make commercial plans with
operational safety in mind. The plant had a contractual
obligation to fill tanks according to a schedule determined by a
planning department. A good process safety culture ensures
that production needs do not compromise safety.
Asset Integrity and Reliability – Maintain the integrity of
equipment that serves in the prevention or mitigation of
process safety incidents. In this case, on-line monitoring was
unreliable because transmitters were frequently out of service.
Emergency Management – Plan and train with local emergency
responders. In this case, training of personnel to fight fires
involving multiple tanks was inadequate. Coordination with
local firefighters and emergency responders is essential to
ensure that both the plans and the execution of the plans are
sufficient for incidents.

Figure 4.2-5. Fires at CAPECO site (courtesy CSB).

4.3 PETROLEUM OIL LUBRICANTS EXPLOSION, JAIPUR, INDIA, 2009

4.3.1 Summary
On October 29, 2009, an explosion occurred at the Petroleum Oil
Lubricants Terminal at Sanganer in Jaipur, India. The explosion
was caused by an unabated release of mineral spirits (petrol) from
a valve which had continued for over an hour. There were eleven
fatalities, six on site and five off-site. The facility was destroyed as
the fire spread to every tank at the terminal. The fire burned for
eleven days because the decision was made to allow the fire to
burn itself out rather than to risk additional lives fighting it.
Damages were estimated at RS 280 crore ($44 million). Figures
4.3-1 and 4.3-2 show before and after pictures of the terminal,
and Figure 4.3-3 shows some of the burning storage tanks. There
is evidence (Johnson, 2012) that this explosion also transitioned
to a detonation, similar to the Buncefield explosion (Section 4.2).
The incident resulted in recommendations for legislation for land
use around hazardous installations and reviewing all major
accident hazard installations per the existing Manufacture, Storage
and Import of Hazardous Chemicals Rules 1989 (MoP&NG (Ministry
of Petroleum and Natural Gas) Committee 2010).

Key Points
Conduct of Operations – Equipment should be designed to
prevent loss of containment (LOC) or adequate layers of
protection should be installed to reduce the likelihood of LOC.
Tank levels are continually changing, thus there are many
opportunities for the level to be exceeded if there are not
sufficient layers of protection in place.

Emergency Management – An emergency management plan
should address challenges in addition to the original event. A
first priority should be the rescue of personnel and the
risks of entering an unsafe situation before evaluating the
consequences.

Figure 4.3-1. Jaipur site before explosion (courtesy HSE).


Figure 4.3-2. Jaipur site after explosion (courtesy HSE).

Figure 4.3-3. Burning storage tanks at Jaipur (courtesy SK Roy,
HSE for IOC).

4.3.2 Description
Background. The Indian Oil Company operated a large oil terminal
near Jaipur, India. The pipelines division was located in the
northwest corner of the site.
Process. The Indian Oil Corporation terminal received and
transferred petrochemicals. In this event, the intent was to
transfer gasoline from a storage tank in the terminal to another
facility.
What Happened. A pipeline from a gasoline storage tank was being
lined up for transfer to another site (Figure 4.3-4). The procedure
was to ensure the MOV and HOV were closed, reverse the position
of the Hamer blind valve, open the HOV, and open the MOV
gradually (to be sure there was no leakage from the Hamer blind
valve). It is believed the MOV was opened first, and then the
Hamer blind valve was opened. The leak began as soon as the
Hamer blind valve was opened.
The fumes from the leak overwhelmed the operator. A nearby
shift officer saw the incapacitated line operator and tried to help,
but he was also overcome by the fumes. A second operator came
over to help, and he was also overwhelmed by the fumes. Thus,
the leak was able to go on for about 75 minutes and released
about 1,000 metric tons (1102 tons)
before it found an ignition source, which could have been a
vehicle or from general purpose electrical equipment.

Figure 4.3-4. Pipeline schematic (courtesy SK Roy, HSE for IOC).

Why it Happened. The design of the Hamer blind valve allowed for
a large opening at the valve bonnet every time the valve’s position
was changed. The operating procedure was set up to prevent this
from happening by isolating the valve when the position was
changed. This design allowed one mistake to cause a release. The
lack of a remote emergency shutoff, and the inappropriate
response by other operators, allowed the leak to go on for over
an hour. With such a large vapor cloud, it is not possible to control
all ignition sources. One theory is that the transition to a
detonation occurred due to ignition of vapor inside a control
room that then initiated a detonation of the vapor cloud outside
of the control room. Another theory is that the explosion initiated
in a pump house (similar to Buncefield), thus triggering the
detonation of the vapor cloud outside the pump house.

4.3.3 Management System Failures

III. Manage Risk

15. Conduct of Operations.


Conduct of operations applies to all levels in the organization. For
design engineers, it means choosing equipment that is
appropriate for the operation and designing the system to
account for potential equipment failures. The Hamer blind valve
had a design weakness: when its position was reversed, there was
an opening in the top of the valve (Figure 4.3-5).
In essence, every time this valve was operated, a line break was
being performed. Normally, a safe work permit would be required
for such an operation. In this case, a review of the procedure
could have been done ahead of time to include precautions, such
as a respirator, for protection from vapors. If the designer
believed that this type of valve was needed, the system design
should have included safeguards against what should have been
a known hazard, i.e., a line being opened while not isolated from
the storage tank. Safeguards, such as a remote shutoff valve, an
interlock to prevent changing position unless the MOV and HOV
were closed, and LEL detectors, could be part of the design.

Figure 4.3-5. Hamer blind valve after explosion (courtesy SK Roy,
HSE for IOC).

The immediate cause of this incident was not following the
standard operating procedures. Although operating discipline is
important, alternative designs that eliminate the leak point would
be inherently safer. In the hierarchy of controls, eliminating the
hazard through inherently safer design is most effective,
engineering controls are next, and finally, administrative controls.

16. Emergency Management.


When someone sees a person on the ground or in distress,
human nature is to respond to the person in need. In a chemical
plant, however, this is NOT the correct thing to do. The sequence
of first responders becoming disabled or dying while responding
to an unconscious person has occurred in several documented
nitrogen exposure incidents (see CSB 2003 and 2013a). In
refineries, the presence of hydrogen sulfide (H2S), a poisonous,
odorless gas from leaks in many refinery unit operations, can
result in similar tragedies. In a chemical plant, employees need to
be trained on the proper emergency response techniques, which
may vary, depending on the nature of the hazards at the plant.

4.4 CELANESE PAMPA EXPLOSION, TEXAS, US, 1987

4.4.1 Summary
An explosion occurred in a reactor at the Celanese Pampa, Texas,
plant on November 14, 1987 that led to a release and vapor cloud
explosion. There were three fatalities and thirty-nine injuries.
Extensive property damage occurred in the immediate area, and
severe damage occurred throughout the plant. The firehouse that
contained the fire trucks was damaged so the trucks could not be
driven out. Fixed firefighting equipment was also damaged, making
it more difficult to control the fires. Figures 4.4-1 and 4.4-2 show
the extent of the damage caused by the explosions (J. Forest,
personal communication, July 2016).
As a result of the learnings from this incident, Celanese
implemented a comprehensive twenty-one-element process
safety program similar to the twenty elements of the CCPS RBPS
program.

Figure 4.4-1. Oxidation reactor after the explosion (courtesy
Celanese).

Figure 4.4-2. One of several units impacted by explosion
(courtesy Celanese).

Key Points
Process Safety Competency – Humans are an important part of
the system. Understand human factors. Designing operations
to help a human succeed can help to avoid process safety
incidents.
Hazard Identification and Risk Analysis – Hazard identification
methods should include human failures just as they do
equipment failures. When a single human action may cause
significant undesired consequences, there is a risk that
warrants management.

4.4.2 Description
Background. The Celanese plant was built in 1952 and produced
acetic acid.
Process. The unit involved was a liquid phase oxidation (LPO)
reactor in which butane was oxidized in the presence of air and a
catalyst to make acetic acid and byproducts. This was an
exothermic reaction. The reactor product was sent to several
downstream units in the Pampa plant to make products that
included acetic acid, acetic anhydride, and methyl ethyl ketone.
The reactor operated at a relatively high temperature and
pressure. Figure 4.4-3 is a schematic of the reactor.

Figure 4.4-3. Schematic of oxidation reactor (courtesy Celanese).

What Happened. On November 14th, 1987, the reactor was
prepared to start up following a shutdown the previous day due
to a problem in the steam system. Following the normal start-up
process, the operators began heating the reactor contents. As the
reactor approached start-up temperature, an explosion occurred
in the air sparger inside the reactor. The explosion ruptured the
20 cm (8 in.) diameter air piping at two places outside of the
reactor and at one place inside of the reactor. The reactor
contents rapidly vaporized into the atmosphere. About 25 to 30
seconds after the initial explosion, a VCE occurred. The ignition
source for the vapor cloud was thought to be the gas-fired boilers
located immediately across the road from the reactor.
Extensive property damage occurred in the immediate area
and severe damage occurred throughout the plant. Figure 4.4-4
shows the calculated extent of the flammable vapor cloud,
extending to the boiler area.
Why it Happened. On November 13th, a problem with the steam
system occurred in the Pampa plant that led to the decision to
shut down the reactor in question. The shutdown procedure was:
1) close the air supply to the reactor with double block valves, 2)
open a bleed valve to further prevent air entry, and 3) then purge
the reactor with inert gas. Shutting off the air and purging with
inert gas were essential to ensure the reactor atmosphere was
not flammable and to prevent backflow of the reaction mixture
into the air line. There were three ways to shut down the reactor:
• A shutdown system designed to automatically shut down
  if safe limits were exceeded;
• A manual button that activated the shutdown system;
• Three manual buttons: one button to activate the double
  block, another to activate the bleed, and a third to activate
  the purge.
On the day of the incident, the operator chose to shut down
the reactor using the three manual buttons on the control panel.
The activation of these three buttons was equivalent to the
activation of the manual shutdown button or the automatic
shutdown. The first step was to close the process air valves to the
reactor. The second step was to open the air bleed after the air to
the reactor was blocked in. The third step was to activate the
timed nitrogen purge.
The operator pushed the first two buttons but mistakenly did
not push the inert gas purge button. The standard operating
procedure for this critical step was not followed by the operator.
Failure to initiate the inert gas purge allowed the contents of the
reactors, including the catalyst, to enter the air sparger system.
Personnel did not realize that the chemicals were in the air
sparger pipe. Some of the reactor contents remained in the pipe
for about a day.
As the reactor was started up on November 14th and
approached start-up temperature, an explosion occurred in the
air sparger inside the reactor. Oxygen was available because the
reactor had not been purged, fuel was available from the reactor
contents, and the ignition source was probably the catalyst that
was plated on the inside of the air sparger.

4.4.3 Management System Failures

I. Commit to Process Safety

3. Process Safety Competency.


The shutdown system activated an indicator light when the
shutdown started, and another light when the shutdown and
purge were complete, when either the automatic system or the
one-button manual system was activated. However, when the
three-button manual shutdown was used, there was no
automatic status feedback. In order to detect the lack of inert gas
purge, the next shifts would have had to detect the absence of the
purge from the computer activity log printed in another room.
This incident is an example of a situation in which a single
human inaction led to a major incident. Failures such as this have
taught us that it is imperative to design process systems such that
a single human error cannot lead to potentially catastrophic
consequences. In addition, feedback systems are crucial for
critical actions.

II. Understand Hazards and Risk

7. Hazard Identification and Risk Analysis.


In a Process Safety Review conducted prior to the event, the
independent manual shutdown buttons were identified as a
potential source of human error. No changes were
recommended. The consequences of not purging the air sparger
were well understood, but the review team underestimated the
likelihood of the human error.
As a result of the Pampa incident, Celanese implemented a
detailed risk assessment and risk management methodology to
identify and mitigate risks, including the ones described at
Pampa. Another aspect of the process safety management
system includes rigorous controls around safety instrumented
systems designed to mitigate similar hazards.

III. Manage Risk

15. Conduct of Operations.


The initiating event was that the operator neglected to start the
inert gas purge cycle during shutdown. This was included in the
procedure to shut down the reactor, but this step was not
performed. There was no feedback system to alert the operator
of this error. This human omission of a single procedural step
resulted in a catastrophic incident. Humans do make mistakes.
Where the consequences of a single human error are
catastrophic, there should be multiple layers of protection put in
place to reduce the risk.
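
The feedback gap described in this section and under Process Safety Competency above (no status indication when the three separate buttons were used) can be closed by judging the shutdown on device feedback rather than on which button was pressed, and by making start-up conditional on that result. The following is an added example, not Celanese's system or code from the book; the event tags, log format and both logs are constructed assumptions.

```python
import re

# Hypothetical feedback tags (assumptions, not the plant's real tag names),
# in the order the shutdown procedure on this page requires them.
REQUIRED_STEPS = (
    "AIR_BLOCK_CLOSED",   # double block valves proven closed
    "AIR_BLEED_OPEN",     # bleed between the block valves proven open
    "N2_PURGE_STARTED",   # timed inert gas purge running
    "N2_PURGE_COMPLETE",  # purge timer expired
)
LINE_RE = re.compile(r"^(\d{2}):(\d{2}):(\d{2})\s+([A-Z0-9_]+)$")

# Constructed activity logs. BTN_* entries are operator commands and are
# deliberately ignored by the check; the other entries are device feedback.
THREE_BUTTON_LOG_PURGE_OMITTED = """
00:00:00 BTN_AIR_BLOCK
00:00:04 AIR_BLOCK_CLOSED
00:00:09 BTN_AIR_BLEED
00:00:11 AIR_BLEED_OPEN
"""
ONE_BUTTON_LOG = """
00:00:00 BTN_SHUTDOWN
00:00:04 AIR_BLOCK_CLOSED
00:00:06 AIR_BLEED_OPEN
00:00:07 N2_PURGE_STARTED
00:20:07 N2_PURGE_COMPLETE
"""


def parse_log(text):
    """Parse 'HH:MM:SS EVENT' lines into (seconds, event) tuples."""
    events = []
    for lineno, raw in enumerate(text.strip().splitlines(), 1):
        match = LINE_RE.match(raw.strip())
        if not match:
            raise ValueError(f"line {lineno}: unparseable entry {raw!r}")
        hours, minutes, seconds, event = match.groups()
        events.append((int(hours) * 3600 + int(minutes) * 60 + int(seconds), event))
    return events


def shutdown_status(events):
    """Report which required feedback steps are missing or out of sequence."""
    first_seen = {}
    for t, event in events:
        first_seen.setdefault(event, t)
    missing = [step for step in REQUIRED_STEPS if step not in first_seen]
    out_of_order, last_t = [], None
    for step in REQUIRED_STEPS:
        if step not in first_seen:
            continue
        if last_t is not None and first_seen[step] < last_t:
            out_of_order.append(step)
        else:
            last_t = first_seen[step]
    return {
        "complete": not missing and not out_of_order,
        "missing": missing,
        "out_of_order": out_of_order,
    }


def startup_permitted(events):
    """Start-up permissive: refuse unless the last shutdown was fully confirmed."""
    status = shutdown_status(events)
    if status["complete"]:
        return True, "shutdown and purge confirmed"
    problems = []
    if status["missing"]:
        problems.append("no feedback for " + ", ".join(status["missing"]))
    if status["out_of_order"]:
        problems.append("out of sequence: " + ", ".join(status["out_of_order"]))
    return False, "start-up blocked: " + "; ".join(problems)


if __name__ == "__main__":
    for name, log in (("three-button", THREE_BUTTON_LOG_PURGE_OMITTED),
                      ("one-button", ONE_BUTTON_LOG)):
        print(name, startup_permitted(parse_log(log)))
```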

Figure 4.4-4. Predicted flammable vapor cloud from reactor
explosion (courtesy Celanese).

4.5 WILLIAMS OLEFINS HEAT EXCHANGER RUPTURE, LOUISIANA, US, 2013

4.5.1 Summary
On June 13, 2013, a reboiler on a fractionation tower in the
Williams Geismar Olefins plant ruptured due to the expansion of
liquid propane in the heat exchanger, which had been isolated
from its pressure relief valve. The released propane ignited,
resulting in a large fireball (Figure 4.4-1). There were two fatalities,
and 167 people were injured. The plant was down for eighteen
months (CSB 2013). The business interruption and repair costs
were $343M (insured) plus $73M (uninsured) (ICIS 2013). Williams
paid $34 million as a result of lawsuits from the incident
(LexisNexis 2016).

Key Points
Management of Change – Conduct a safety review appropriate
to the hazards before a change is made.
Operating Procedures – Procedures need to be written for all
phases of an operation, including switching to a spare piece of
equipment.
Asset Integrity and Reliability – Fouling of reboilers is a
common occurrence. Establish a cleaning schedule for heat
exchangers so they can be cleaned at an appropriate time,
without disruption to the process.

4.5.2 Description
Background. The Williams Companies owns natural gas interests,
pipelines, and processing facilities in North America. The Geismar
Olefins plant was built in 1967. It was bought by Williams in 1999.
At the time of the incident, it was operated by Williams Olefins and
jointly owned by Williams Olefins and Saudi Basic Industries
Corporation (SABIC).

Figure 4.5-1. Fireball in Williams Geismar plant (courtesy CSB).

Process. The plant had a propylene fractionator tower designed to
separate propylene (overhead product) from propane (bottoms
product). The tower was driven by two external reboilers. Hot quench water
at 85°C (185°F) on the tube side of the heat exchanger vaporized
the propane mixture (95% propane, balance propylene, and C4s)
on the shell side. The original design intent was to operate with
both reboilers. In 2001, valves were installed to enable operation
with only one reboiler. The other reboiler was set up as a spare to
allow one reboiler to be cleaned without having to shut down the
unit (Figure 4.5-2).
What Happened. On the day of the incident, Reboiler A was in
operation and Reboiler B was the spare. Flow to Reboiler A
dropped, possibly due to fouling. Quench water was likely opened
to Reboiler B. Three minutes after the quench water was started
to Reboiler B, it exploded (Figure 4.5-3), ignited, and caused a
fireball.

Figure 4.5-2. Schematic of propylene fractionator (adapted from
CSB).

Why it Happened. When the system was modified in 2001 to run
with one reboiler, block valves were installed on each line
between the shell side of the reboilers and the column.
Installation of these block valves made it possible to isolate the
shell side of the reboilers from the PSV on the column. This was
indeed the case with the out-of-service reboiler.
During the sixteen months that Reboiler B was out of service,
propane likely leaked into the reboiler through the gate valve
between the bottom of the column and the reboiler, or the valve
may have been inadvertently opened. When the hot quench
water entered Reboiler B, the propane liquid expanded until the
internal pressure exceeded the heat exchanger's maximum
allowable working pressure (MAWP).

Figure 4.5-3. Reboiler B after the explosion (courtesy CSB).



4.5.3 Management System Failures

III. Manage Risk

8. Operating Procedures.
The plant did not have an operating procedure for putting the
reboiler into service, even though it would have been an expected
operation. Instead, the plant relied upon a generic SOP for
reboiler restart. A procedure specific to these reboilers could have
included a check on the position of the valves before restart and
the proper sequence to be followed in opening the process side
valves before introducing hot quench water. Note that the generic
reboiler procedure assumed the process to be on the tube side,
whereas these particular propylene reboilers had the process on
the shell side.
10. Asset Integrity and Reliability.
Fouling of the reboilers was a known issue, and it is a common
situation in industry that exchangers and reboilers require
maintenance at a higher frequency than the rest of the unit.
Where block valves are provided for safe isolation of equipment,
they should never isolate a pressure vessel from its pressure relief
device.
13. Management of Change.
The MOC review was done after the valves were installed. When
it was done, the hazard of isolating the reboilers from the PRV was
not identified, and a PHA of the change was not required.
15. Conduct of Operations.
There are several examples of poor conduct of operations.
Plant personnel used checklists to perform both the MOC
review and the pre-start-up safety review (PSSR). The checklists
contained questions about whether any valves needed to be car-
sealed open (Figure 4.5-4), if operating procedures needed to be
updated, or whether any operator training was needed. These
were answered “no”. There was a question that asked “PRVs lined
up and block valves car-sealed open? Pressure release systems in
place and operational and traced where appropriate?” (CSB 2013)
which was left unanswered. These misses, along with the fact that
the review was done after the changes were already in service,
are signs of people going through the motions of a paperwork
exercise without careful evaluation—poor conduct of operations.
A later PHA in 2006 identified the problem of the reboilers
being isolated from the PRV and recommended that process
valves be locked open on each reboiler. Only the valve on the in-
service reboiler was locked open. Even so, the recommendation
was marked as completed in 2010. A good practice is to have an
internal verification process to be sure the closure met the intent
of the recommendation.
In 2008, an engineering firm did a relief valve engineering
analysis of the plant and identified the need to seal open the block
valves for the reboilers. This recommendation was not addressed.
Action item management is an important aspect of Conduct of
Operations. Codes require a clear path, one that cannot be
isolated, between equipment that can be overpressured and its
relief device.
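
The relief-path requirement above can be audited mechanically from a line list: for each vessel, search for a route to a relief device and note whether every valve on that route is sealed open. This is an added example, not code from the book or the CSB; the equipment names, valve tags and valve states are a constructed model of the two-reboiler arrangement described in this section.

```python
from collections import deque
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Valve:
    tag: str
    is_open: bool
    sealed_open: bool = False  # car-sealed or locked in the open position


@dataclass(frozen=True)
class Line:
    a: str                        # equipment at one end
    b: str                        # equipment at the other end
    valve: Optional[Valve] = None  # None means no valve in the line


def _reachable(start, lines, usable):
    """Breadth-first search over the lines for which usable(line) is true."""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for line in lines:
            if not usable(line):
                continue
            if line.a == node:
                other = line.b
            elif line.b == node:
                other = line.a
            else:
                continue
            if other not in seen:
                seen.add(other)
                queue.append(other)
    return seen


def relief_status(vessel, lines, relief_devices):
    """PROTECTED: a path exists on which every valve is sealed open.
    ISOLABLE:  a path exists now, but an unsealed valve could close it.
    ISOLATED:  no open path to any relief device."""
    def secure(line):
        return line.valve is None or (line.valve.is_open and line.valve.sealed_open)

    def open_now(line):
        return line.valve is None or line.valve.is_open

    if _reachable(vessel, lines, secure) & relief_devices:
        return "PROTECTED"
    if _reachable(vessel, lines, open_now) & relief_devices:
        return "ISOLABLE"
    return "ISOLATED"


def audit(vessels, lines, relief_devices):
    return {v: relief_status(v, lines, relief_devices) for v in vessels}


VESSELS = ("COLUMN", "REBOILER-A", "REBOILER-B")
RELIEF = frozenset({"PSV-COLUMN"})


def constructed_lines(b_open=False, b_sealed=False):
    """Constructed model: the only relief device is on the column; each
    reboiler shell connects to the column through two block valves."""
    return [
        Line("COLUMN", "PSV-COLUMN"),
        Line("COLUMN", "REBOILER-A", Valve("BV-A-LIQUID", True, True)),
        Line("REBOILER-A", "COLUMN", Valve("BV-A-VAPOR", True, True)),
        Line("COLUMN", "REBOILER-B", Valve("BV-B-LIQUID", b_open, b_sealed)),
        Line("REBOILER-B", "COLUMN", Valve("BV-B-VAPOR", b_open, b_sealed)),
    ]


if __name__ == "__main__":
    print(audit(VESSELS, constructed_lines(), RELIEF))
```

Running the audit against the as-built valve states, not the drawing, is what catches a closure that was marked complete for only one of two vessels.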

Figure 4.5-4. Example of car seal on a valve handle
(www.totallockout.com/online-store/car-seals-2/ (accessed
November 19, 2015)) (courtesy CSB).

4.5.4 Similar Incident


Goodyear Heat Exchanger Rupture and Ammonia Release, Texas,
US, 2008. A heat exchanger rupture and ammonia release
occurred because the relief system was left isolated after
maintenance (Figure 4.5-5). There was one fatality; six people
were injured. Anhydrous ammonia was used for cooling on the
shell side of the exchanger. A block valve and rupture disk were
located under the shell side relief valve. Maintenance workers
closed the block valve to replace the rupture disk but forgot to
reopen it. Later, an operator closed another block valve to isolate
the exchanger in order to clean the tubes with steam. The steam
heated the ammonia and the heat exchanger, now without
pressure relief, burst (CSB 2011c).

Figure 4.5-5. Ruptured heat exchanger at Goodyear Texas plant
(courtesy CSB).

4.6 IMPERIAL SUGAR DUST EXPLOSION, GEORGIA, US, 2008

4.6.1 Summary
A large primary dust explosion, followed by a series of secondary
dust explosions, occurred at the Imperial Sugar refinery in Port
Wentworth, Georgia in February 2008. The consequences
included fourteen fatalities and thirty-six injuries. The explosions
destroyed the facility (Figure 4.6-1). Imperial Sugar settled with
OSHA on a $6 million fine. This incident provides important
lessons in understanding the hazards created when combustible
dust is released outside of the process equipment into a building
or structure.
The explosions at Imperial Sugar turned national attention to
the hazards of combustible dust in the chemical and agricultural
industries. It also triggered the U.S. OSHA National Emphasis
Program (NEP) for solids-handling facilities. A NEP is a program by
OSHA to protect workers in industries that have been determined
to present higher risks to people and the environment. In addition
to the combustible dust NEP, OSHA has NEPs on Process Safety
Management and Isocyanates.
A complete investigative report and a video describing the
event are available from the Chemical Safety Board (CSB 2009a).

Figure 4.6-1. Imperial Sugar refinery after the explosion
(courtesy CSB).

Figure 4.6-2. Imperial Sugar facility before the explosion.
Granulated sugar storage silos and packing buildings are
circled. Raw sugar warehouses in lower right (Chatham County,
GA GIS photo) (CSB 2009a)

Key Points
Process Safety Competency – Apply what you know. Knowledge
alone is not enough. You must apply what you know about safe
handling of material hazards.

Conduct of Operations – Clean up! According to the old saying:
“The three most important operations in a plant handling
combustible dusts are housekeeping, housekeeping, and
housekeeping.”
Incident Investigation – Pay attention to near-misses. Near-
misses are the voice of the process telling you “I’m broken, fix
me.”

4.6.2 Description
Background. Imperial Sugar Company purchased the Port
Wentworth facility in 1997. The facility refined raw sugar into
granulated sugar and sugar products.
Process. The sugar refinery was housed inside a four-story
building, with the silos extending from the ground to above the
top floor (Figure 4.6-2). In this process, raw cane sugar was
converted into granulated and powdered sugar. The refinery had
dozens of belt conveyors, screw conveyors, bucket elevators,
mills, as well as packaging equipment. Granulated sugar was
stored in three large 374 m³ (13,200 ft³) silos. From the silos,
granulated sugar was conveyed to the powdered sugar mills, to
packaging equipment, to specialty sugar production, or to the
bulk sugar building. At the powdered sugar process, belt
conveyors and bucket elevators conveyed the granulated sugar to
the powdered sugar mills. In 2007, steel panel enclosures were
installed on the horizontal belt conveyors to protect the sugar
from contamination.
What Happened. The first explosion likely occurred in a belt
conveyor located underneath the silos. The ignition source may
have been an overheated bearing or belt support. The belt
enclosure allowed the formation of dust clouds above the
Minimum Explosion Concentration (MEC) of the sugar dust in the
interior of the silo tunnel, providing fuel for the explosion.
The pressure wave from the initial explosion spread
throughout the building, dislodging sugar dust that had
accumulated in various parts of the building due to leaks from the
sugar processing equipment. The dislodged dust ignited and
created fireballs, resulting in several secondary explosions
throughout the building. These explosions were powerful enough
to buckle the concrete floors and create flying debris. The
explosions continued for fifteen minutes after the initial
explosion. The CSB report notes that secondary explosions
occurred on all four floors of the building (see Figures 4.6-1 and
4.6-3).

Why it Happened. When the conveyors were enclosed, fugitive dust
that had previously settled out and accumulated on the floor was
instead contained inside the enclosure. This allowed the
formation of flammable dust clouds which could be ignited
(overheated bearings and belt supports are a common source of
ignition in solids-handling equipment).
The CSB report stated that the sugar handling equipment was
not adequately sealed, resulting in large quantities of sugar being
spilled onto the floors or escaping into the rooms. An internal
inspection noted that “tons of spilled sugar had to be routinely
removed from the floors and returned to the refinery for
reprocessing”. This gives an idea of the amount of sugar dust
routinely spilled. See Figure 4.6-4 for an example of conditions
within the plant.
When dusts are handled, they can accumulate on surfaces in
a process rack or building, such as the floors, beams, and light
fixtures. Frequently the dust that leaks out from equipment is the
finest (smallest particle size) of the dust being released. With
combustible dusts, the explosion severity is usually inversely
proportional to the particle size, i.e., smaller particle size has
higher explosion severity. Also, dust with smaller particle size is
usually easier to ignite than the same quantity of dust with a
larger particle size. An initial event, such as an explosion in a piece
of equipment, creates both a fireball and a pressure wave that can
easily disperse and ignite these deposits. This creates a secondary
explosion or explosions (see Figure 4.6-5). These secondary
explosions can cause damage and injuries comparable to large
vapor cloud explosions. For facilities handling combustible dust, a
good housekeeping program is as important as, if not more
important than, a hot work permit program.

Figure 4.6-3. Imperial Sugar Refinery after the explosion
(courtesy CSB).

Figure 4.6-4. Motor cooling fins and fan guard covered with
sugar dust; large piles of sugar cover the floor (courtesy CSB).

Figure 4.6-5. Secondary dust explosion (courtesy U.S. OSHA).

4.6.3 Management System Failures

I. Commit to Process Safety

2. Compliance with Standards.


The Imperial Sugar facility did not fully comply with NFPA 499–
Recommended Practice for the Classification of Combustible Dusts
and of Hazardous (Classified) Locations for Electrical Installations in
Chemical Process Areas. Given the amount of dust that Imperial
Sugar allowed to accumulate on a regular basis, many parts of the
plant should have been classified Class II, Division 1. Imperial
Sugar did not classify hazardous areas. The CSB notes that
although there were some properly rated electrical devices in
hazardous areas, there were non-rated electrical devices in the
same area. Imperial Sugar did not comply with NFPA 499, 654 and
the NEC. They did not classify hazardous areas and they used non-
rated devices in what should have been classified areas.
3. Process Safety Competency.
Competency is closely linked to the RBPS element Process
Knowledge Management, but this incident illustrates the
difference between knowledge and competency.
There was evidence that employees had knowledge of the
hazards of combustible dust; QA and safety personnel were
aware of the U.S. OSHA’s National Emphasis Program on dusts.
An explosion in a dust collector ten days prior to this incident had
been safely vented. Also, fugitive dust collection systems were
utilized for collecting emissions.
Competency implies application of such knowledge. Neither
management nor employees of Imperial Sugar appear to have
fully appreciated the hazards of combustible dusts.
Housekeeping was inadequate. The housekeeping that was done
was frequently done improperly, e.g. using compressed air to
clean dust deposits (a hazardous practice in itself as it creates a
flammable dust cloud); and the fugitive dust collection equipment
was not properly maintained.

II. Understand Hazards and Risk

7. Hazard Identification and Risk Analysis.


Hazard reviews were conducted by Zurich Services (Imperial
Sugar’s insurance carrier), but they failed to identify the hazard of
dust accumulation.

III. Manage Risk

10. Asset Integrity and Reliability.


The fugitive dust collection system was inadequate and poorly
maintained. Dust accumulations throughout the building resulted
in the secondary explosions that destroyed the entire building
and led to the fatality.
12. Training and Performance Assurance.
Initial and annual safety training was done, but it seems to have
been focused on occupational safety. Safety training had not
covered the hazard of dust accumulations since 2005.
13. Management of Change.
The belt conveyor was enclosed without conducting a
management of change (MOC) review. The lack of hazard
awareness, ignoring of near-misses, and lack of an MOC review
led to the creation of an unprotected enclosure that contained
combustible dust clouds. An MOC review, performed by
competent people knowledgeable about dust explosion hazards,
would have evaluated the need for explosion protection such as
venting, suppression, or inerting, within such an enclosure.
15. Conduct of Operations.
Written housekeeping programs were not effectively
implemented. The cleaning process did not always include
elevated surfaces. Dust collection system design and lack of
maintenance may have contributed to the fugitive emissions, but
no action was taken to reduce leaks or repair the fugitive dust
collection system. Also, there had been many small fires in this
and other Imperial Sugar locations, which did not lead to larger
fires or explosions. These may have caused the staff to become
complacent regarding the hazards of combustible dust. This
phenomenon is known as “normalization of deviance.”

IV. Learn from Experience

17. Incident Investigation.


As previously mentioned, this facility and other Imperial Sugar
refineries had experienced many small fires and near-misses. For
example, operators in this facility had noted that buckets in the
bucket elevators sometimes broke loose and fell to the bottom of
the elevator. In one case, this initiated a fire. Ten days prior to this
incident, there had been an explosion in a dust collector. These
near-misses and the explosion were warning signs that were not
heeded.

4.7 HAYES LEMMERZ DUST EXPLOSION, INDIANA, US, 2003

4.7.1 Summary
On October 29, 2003, a dust explosion occurred in a dust
collection system at an aluminum wheel manufacturing plant in
Huntington, Indiana (CSB 2005). The explosion propagated into
other equipment and into the manufacturing building. One
person, who was engulfed in flames, died from burns, and a total
of six people were injured, two critically. This was one of three
explosions that occurred in 2003. The other two, an explosion at
West Pharmaceuticals in North Carolina and one at CTA Acoustics in
Kentucky, were described in Incidents that Define Process Safety
(CCPS 2008). These explosions led the CSB to conduct a study of
the phenomenon of dust explosions. The resulting report,
Combustible Dust Hazard Study (CSB 2006) included
recommendations for the NFPA to create a combustible dust
standard and for U.S. OSHA to conduct a National Emphasis
Program (NEP) on combustible dust hazards. These
recommendations were implemented. The NFPA standard is
NFPA 652–Standard on the Fundamentals of Combustible Dust
(NFPA 2016).

Key Points
Process Knowledge Management–Understand your process, its
hazards, and how to manage them. Regardless of whether you
built or designed it, you cannot ignore this responsibility.
Incident Investigation–Maintain a chronic sense of unease.
Normalization of deviance is very dangerous. When near-
misses become part of normal operations, you have a problem.
Find out why these near-misses are happening and take action
to prevent a bigger incident.

4.7.2 Description
Background. Hayes Lemmerz International owns a number of
companies, including Hayes Lemmerz International–Huntington,
that manufacture cast aluminum alloy wheels.
Process. The plant manufactures aluminum automotive wheels.
Scrap aluminum from the machining of the wheels creates
aluminum chips. These chips are recovered using a process
designed by Premelt Systems Inc., which has built more than fifty
such systems.

The scrap aluminum is coated with oil and water from the
machining process. It is collected and chopped into chips about
6.4 mm (0.25 in.) long. The chips are centrifuged, dried to remove
the oil and water, collected in a hopper, and further dried in a
rotary kiln. The chips have some small particles attached by the
oil and water. Drying in the kiln detaches these particles and
creates more by breaking down some of the chips. From this point
on the process stream contains some amount of combustible
dust.
The chips and dust are air conveyed through a 15.2 cm (6 in.)
duct to a cyclone, where the solids drop to a reverberatory
furnace. The air and fine dust stream go to a dust collection
system. Figure 4.7-1 shows the cyclone, furnace, and exhaust
stream. The aluminum chips are melted in the vortex box, where
a pump is used to create a vortex with the molten aluminum. This
provides better mixing of the chips into the molten aluminum. At
Hayes Lemmerz, this part of the system was located indoors.
The top outlet of the chip feed cyclone goes through a spark
box, then outside of the building into a drop box and a dust
collector (see Figure 4.7-2). Note the presence of a slide gate valve;
more will be said about that later. The spark box had a baffle plate
to remove large embers or heavy objects, the drop box provided
a place for heavy particles to drop out of the air stream, and the
dust collector trapped the fines. The dust collector had pleated
filter cartridges which were air-pulsed to dislodge accumulated
dust, and it was equipped with explosion vents. This system was
installed three years after the rest of the chip melt system. The
original design had the air stream discharged directly into the
building; however, dust accumulation from the chip cyclone
exhaust led the company to install the dust collection system. The
design and construction were handled by Premelt Systems Inc.
Other plants using the chip melt process apparently did not have
this problem (the CSB contacted one other plant that confirmed
this).
What Happened. On the day of the incident, operators noticed the
duct connecting the fume hood to the fume separator was
glowing red due to a fire inside it. They shut down the chip feed
system and allowed the fire to burn out; this was the usual
response to this event, which had happened before. After the fire
stopped, they cleaned the system, waited at least two hours, and
then restarted the feed system. About ten minutes later, an
employee noticed chips falling out of the spark box, indicating
that a crust had formed on the vortex and chips were overflowing
into the dust collection system duct. Immediately after this, a
fireball came out of the furnace, totally engulfing one employee.
As the fireball grew, a contractor on the building roof heard a
boom and was knocked down. As he fell, he witnessed the roof
panels being blown off. Another contractor, who had been
working inside a trailer near the drop box, was also knocked down
by the boom. When he looked out, he saw the dust collector was
on fire. He tried to exit the trailer by a rear door, but it was
blocked, so he exited out a side door. A plant alarm was sounded,
and the plant evacuated. The Huntington fire chief knew the plant
handled molten aluminum, and the responders thus used the
appropriate means, Class D fire extinguishers, to put out the fires.

Figure 4.7-1. Reverberatory furnace at Hayes Lemmerz plant
(courtesy CSB).

Figure 4.7-2. Dust collection system at Hayes Lemmerz plant
(courtesy CSB).

The employee engulfed by the fireball died from his burns a
day later. Another employee who had been near the furnace
suffered severe burns over half his body and was hospitalized for
weeks. A third employee suffered minor burns and returned to
work. Four other workers had minor injuries and were treated by
the emergency responders.
The dust collector was destroyed by the fire that engulfed it.
In addition to the explosion vents opening, maintenance panels
were also blown open, indicating the explosion vents were not
adequate for the explosion. The drop box was ruptured by the
explosion (see Figure 4.7-3). One section of it hit the trailer,
blocking the rear door, which is why the person trying to exit the
trailer could not open the rear door.

Figure 4.7-3. Dust collector and drop box remains after the
explosion (courtesy CSB).

Other combustibles in the building caught fire, causing
damage to much of the equipment in the building. As mentioned
earlier, roof panels were blown off the building; wall panels were
also blown off. The trailer also caught fire, causing some high-
pressure gas cylinders inside to rupture.
Fortunately, the local fire chief was familiar with the plant
because of previous visits. The fire was extinguished using the
proper type of extinguishers for a metal fire, Class D.
Based on eyewitness accounts and the nature of the damage,
the CSB concluded the following chain of events occurred:

1. Ignition occurred in the dust collector.
2. The dust collector ruptured due to the explosion and
became engulfed in fire.
3. The explosion propagated to the drop box and ruptured
it.
4. The explosion propagated through the duct to the
furnace.
5. A fireball emerged from the furnace.
6. Accumulated dust in the building was suspended and a
second explosion occurred.
7. The explosion continued to propagate into upstream
equipment (the dry chip hopper).

Why it Happened.

Initial explosion: Dust collectors are the source of many dust
explosions. FM Global statistics indicate that about 40% of their
recorded dust explosions originated in dust collectors (FMG
2013). Dust collectors usually contain the smallest dust particles
in the process, and hence those with the highest explosivity and
lowest minimum ignition energy (easiest to ignite). If the collector
is a pulsed collector, then a combustible dust atmosphere is
present much of the time. A metal dust sample taken from the
Hayes Lemmerz plant by the CSB had a Kst (explosivity) of 131
bar-m/sec. The CSB could not definitively identify the ignition
source. This is a frequent occurrence with dust explosions: the FM
Global data shows that in 21% of dust explosions, the ignition
source was unknown (FMG 2013). The CSB narrowed the suspect
list down to a thermite reaction between aluminum and iron
oxide, an impact spark from steel objects in the chip feed, or a
burning ember from the furnace.
Explosion propagation: Particulate solids-handling systems are
basically combinations of different types of equipment connected
by ductwork that transfer the particulate solids. When an
explosion occurs in one equipment item, the flame and pressure
wave will travel through the ducts to the other equipment items.
The flame provides a strong ignition source while the pressure
wave causes any settled solids to be suspended, creating
increased initial pressure for the subsequent explosion. The
higher initial pressure makes the subsequent explosion even
more powerful. This is known as pressure piling. To protect
equipment in such linked systems, some type of explosion
isolation equipment needs to be installed in the system. This can
be in the form of chemical barriers that suppress the explosion or
mechanical barriers that close when the explosion is detected. In
Figure 4.7-2, there is a slide gate valve in the duct between the
cyclone chip feed and the drop box. This was intended to be such
a valve, but the employees at Hayes Lemmerz did not know this.
Eventually, the valve actuator was disabled. With no other
explosion isolation in the system, the initial explosion propagated
through the entire upstream system. The flames and pressure
wave also entered the work area around the furnace.
Secondary explosions. Dust leaked from the chip melt system, and
the CSB investigators observed dust accumulations on horizontal
surfaces in the building, some up to several inches deep. The
phenomenon of secondary explosions was described in Section
4.6.2, the description of the Imperial Sugar explosion (see Figure
4.6-5). A lack of good housekeeping led to the building explosion.

4.7.3 Management System Failures
The management system failures for this incident are similar—
and in some aspects, almost identical—to those for the Imperial
Sugar explosion.

I. Commit to Process Safety

2. Compliance with Standards.


The facility did not fully comply with NFPA 651–Standard for
Machining and Finishing of Aluminum or with NFPA 484–Standard
for Combustible Metals. Given the amount of dust that was
allowed to accumulate on a regular basis, many parts of the plant
should have been classified Class II, Division 1.
3. Process Safety Competency.
The chip melt and dust collection systems were not the main part
of the business. The engineers at Hayes Lemmerz admitted they
did not have the knowledge to understand the chip melt and dust
collection systems. Neither management nor employees knew of
the hazards of accumulated dust; the housekeeping program was
not adequate for the situation; housekeeping was frequently
done improperly, e.g. using compressed air to clean dust deposits
(a hazardous practice that creates a flammable dust cloud); and
the fugitive dust collection equipment was not properly
maintained.

II. Understand Hazards and Risk

6. Process Knowledge Management.


Managers and employees at Hayes Lemmerz admitted they did
not understand the risk created by dust accumulations.
Documentation of the dust collector design was not kept by Hayes
Lemmerz. Hayes Lemmerz relied on the contractors, Premelt Inc.,
and an engineering firm to design the system and make sure it
corresponded to codes.
7. Hazard Identification and Risk Analysis.
No hazard identification/risk analysis was carried out when the
dust collection system was installed. This led to a system that was
essentially unprotected against the risk of dust explosions.

III. Manage Risk

8. Operating Procedures.
The procedures did not include proper response to upset or non-
routine situations. There were no written emergency procedures.
10. Asset Integrity and Reliability.
The dust collection system was inadequate and poorly
maintained. Dust accumulations resulted in the secondary
explosions that destroyed the entire building and led to the
fatality.
12. Training and Performance Assurance.


The employees received formal training for operating and
maintaining the chip melt and dust collection systems only when
the systems were installed. As personnel changed, they had no
training to identify when the system was not operating properly.
13. Management of Change.
The dust collection system was installed some years after the chip
melt system was installed. No MOC was done for either system
(see Hazard Identification and Risk Analysis).
15. Conduct of Operations.
Hayes Lemmerz relied on an engineering design firm to design
and install the system. They did not have a process to oversee the
design to ensure the dust collection system was designed with
adequate safety systems.

IV. Learn from Experience

17. Incident Investigation.


There were near-misses in the facility. Fires in the ducts were
common enough that employees had a “normal” response to
them (see What Happened). Bright flashes in the furnace sidewell
during start-up were common occurrences. Dust was released
from the system on a regular basis. In a properly run process,
these events should not happen on a routine basis. There was
also no system for reporting and investigating these events. They
were considered “normal.”

4.8 VARANUS ISLAND PIPELINE EXPLOSION, AUSTRALIA, 2008

4.8.1 Summary
On June 3, 2008, a 0.3 m (12 in.) natural gas line ruptured due to
external corrosion. The released material exploded and caused
another 0.3 m (12 in.) gas line that was about 0.3 m (1 ft) away
to rupture. About an hour later, a 41 cm (16 in.), a 15 cm (6 in.)
and two 10 cm (4 in.) gas lines ruptured (Figure 4.8-1). The result
was nearly A$60 million (about US$46 million) in plant damages.
Western Australia lost its gas supply for two months, causing an
A$3 billion (US$2.3 billion) loss to its economy. The plant took
more than one year to return to full production. The incident led
to the identification of weaknesses in the regulatory and
standards regimes.

Key Points
Process Safety Culture – The operating company believed this
event was unforeseeable. Just because it hasn’t happened in
your memory does not mean it is inconceivable.
Process Safety Competency – The operating company relied on
contractors to supplement staffing in safety technical positions.
All tasks and skills, especially those managing the facility risks,
must be addressed, whether through a company or contracted
staff.
Asset Integrity and Reliability – Keep it in the pipe. Use good
practices and diligently conduct pipeline inspections.

4.8.2 Description
Background. Varanus Island was operated by a subsidiary of
Apache Corporation. Apache was also the majority shareholder.
Process. Hydrocarbons were piped to the Varanus Island gas
production facility, run by Apache Energy, from offshore facilities.
After separation and purification, natural gas was piped to
Western Australia in 0.3 m (12 in.) and 0.4 m (16 in.) undersea
sales gas pipelines (SGL). Crude oil was shipped out by tankers. A
total of six pipelines came into and out of the production facility
at a beach on the north-northeast side of the island.
What Happened. The 0.3 m (12 in.) SGL ruptured at a section
between low and high tide on the beach. The cause of the rupture
was a failure of the corrosion protection that allowed external
corrosion to occur (Figure 4.8-2). There was no obvious ignition
source; it may have been from pieces of the pipeline hitting each
other or other objects. A 0.3 m (12 in.) incoming line was 22 cm (9
in.) away. It ruptured almost immediately due to mechanical and
thermal impact. A 0.4 m (16 in.) SGL and 0.15 m (6 in.) gas line
failed about an hour later due to the heat radiation and perhaps
impact from the explosion and fire. These pipelines failed on an
embankment closer to the plant. Three water monitors were
activated to protect the plant from the fires. At the time of the
event, the wind was blowing across the beach. These factors
helped protect the plant from further damage.
Why it Happened. The pipeline was in an area that was frequently
exposed to salt water and high ambient temperatures. It was
protected by a 0.45 cm (0.18 in.) asphalt enamel anti-corrosion
coating and a 0.25 cm (1 in.) concrete outer coating. There was
also a cathodic protection (CP) system in place. The outer coating
prevented visual inspection of both the anti-corrosion coating and
any external corrosion of the pipeline.

Figure 4.8-1. Pipeline fires at Varanus Island (courtesy Bills and
Agostini).

Figure 4.8-2. Ruptured 12” sales gas line (courtesy Bills and
Agostini).

Several contractors recommended using smart pigs to inspect
the line, but Apache never implemented these recommendations.
(Pigging is the practice of using devices called pigs to clean and
inspect pipelines. Smart pigs are equipped with sensors to detect
cracks, bad welds, and corrosion in a pipeline.) A corrosion expert
hired by the investigation commission identified four possible
corrosion scenarios for the anti-corrosion coating failure:
1. Lack of adhesion during application
2. Interference with other structures–direct current (i.e.,
current flowing between the nearby pipelines because
they have different potentials)
3. Interference with other structures–alternating current
(potentially due to loss of grounding)
4. Cathodic disbondment due to CP overprotection–use of
magnesium anodes results in high voltage potential, and
hydrogen evolution from the steel would have been
possible
4.8.3 Management System Failures

I. Commit to Process Safety

1. Process Safety Culture.


Apache argued that the incident was unforeseeable. The report
states, “Apache does not appear willing to examine organizational
or cathodic protection issues that may have contributed to the
explosion, with a view to minimizing the likelihood of the
occurrence of a similar event at Varanus Island or other similar
facilities.” (Bills and Agostini 2009, p. 16)
2. Compliance with Standards.
Several regulations and regulatory agencies covered the Varanus
production facility and pipelines:
The Varanus Island facilities were licensed by the Western
Australia Petroleum and Pipeline Act (PPA) and enforced
by the Department of Industry and Resources (DOIR);
The pipeline on the land was covered by Western Australia
Petroleum and Geothermal Energy Resources Act (PGERA)
and enforced by DOIR. DOIR received technical advice
from the Department of Consumer and Employment
Protection (DOCEP);
The pipelines from the Varanus Island low water mark to
the mainland low water mark were regulated by the
Western Australia Petroleum Submerged Lands Act (PSLA)
and enforced by the National Offshore Petroleum Safety
Authority (NOPSA). NOPSA also covered the offshore
production facilities connected to Varanus Island.
This made it difficult to determine which authority should
have been providing regulatory oversight for pipeline safety,
particularly at the point where it transitioned from the island to
the ocean. A recommendation of the investigation was that the
Department of Mines and Petroleum (DMP) “ensure there is
clarity in its regulations of safety across oil and gas and other high-
hazard industries…and there is an obligation upon operators to
apply the most appropriate standard to reduce risk to ALARP in
accordance with good industry practice.” (Bills and Agostini 2009)
3. Process Safety Competency.
The investigating team found that Apache had a minimum level of
staffing in safety technical positions. Apache relied on contractors
for this. This reliance led to “a degraded ability to recognize, follow
up, and respond adequately to specialist reports and risk
warnings.” (Bills and Agostini 2009)

III. Manage Risk

10. Asset Integrity and Reliability.


Apache received a great deal of input regarding inspection of the
pipeline:
In 1991 the original specifications for the 0.3 m (12 in.) SGL
recommended it be monitored with an “intelligent pig.”
In 1996 Apache’s own Statutory Inspection Manual called
for inspections at least once a year and stated that
inspections could include the use of an intelligent pig.
In 1997 a CP review by Westcor Energy, a contractor,
recommended a Direct Current Voltage Gradient survey
when a new pipeline was installed parallel to the 12-in.
SGL. It also stated that it was not possible to determine
the need for an intelligent pig inspection from the CP
survey results, but that they were mandatory on that type
of pipeline.
In 1998 a corrosion risk assessment was done by Stratex
Pty, a contractor, which noted the potential for external
corrosion at the shoreline and stated that intelligent
pigging of the line was needed due to that hazard.
In February 2000 Apache issued Production Facilities
Integrity Corrosion Management Strategy. This required
intelligent pigging when a new line was installed and
scheduling pigging to inspect the pipeline.
In April 2000 JP Kenny, a contractor, developed an
inspection strategy, stating that the 0.3 m (12 in.) SGL
should have an internal inspection every five years by
ultrasonic methods. Apache received a recommended
inspection program with these tests of the 0.3 m (12 in.)
SGL included.
In May 2000, the contractor QCL International audited
Apache’s asset integrity programs. Their report, with
respect to pipelines, stated “it was not possible to
ascertain the accuracy/quality of the data collected” and
that they “could not answer a lot of the questions related
to data gathering, and could not show evidence of
compliance with the procedure regarding frequency of
data gathering and accuracy of data.” (Bills and Agostini
2009, p. 27)
In 2002 and 2003, the contractor Auscor Pty did CP
protection surveys of the pipelines, but only covered the
pipeline on the mainland end.
In 2004 QCL did another review of the pipelines and
stated in its report that the shore zones of the pipelines
have not been included in the scope of inspections. Their
report stated “No inspection data was available for the
onshore section on Varanus Island or the shore zones at
Varanus Island and the mainland. This has resulted in
increased risk rankings in these sections.” (Bills and
Agostini 2009, p. 29)
In 2004, Netlink Inspection Services did a visual inspection
of the 0.3 m (12 in.) SGL and found that the outer coating
had a “minor crack” in it.
The explosion could have been avoided if Apache had paid
attention to these reports. However, Apache never inspected the line
using an intelligent pig and did not follow up on the problem
identified in 2004. This lack of follow-up is an indication of a poor
safety culture as well as inadequate asset integrity management.

4.9 NATURAL GAS PURGING EXPLOSIONS

4.9.1 Summary
Two natural gas explosions, at ConAgra Foods in North Carolina
and Kleen Energy in Connecticut, occurred within eight months of
each other, with ten fatalities and more than 100 injuries. One led
to the release of about 8,165 kg (18,000 lb) of ammonia to the
surrounding environment. Both caused extensive physical
damage to buildings. Both were caused when new gas lines
containing air used to pressure test the line were purged with
natural gas. The purge discharged into confined areas with no
monitoring, no control of ignition sources, and no access control
to minimize the number of people exposed to the hazard. During
their investigation of these incidents, the CSB found at least four
other similar incidents of this nature (CSB 2009c, CSB 2010).
Gas purging was a common practice in the industry. These
incidents led the International Code Council (ICC) and its
members to revise the International Fire Code (IFC) and the
International Fuel Gas Code (IFGC) to prohibit the practice of gas
purging and to comply with requirements of NFPA 56 – Standard
for Fire and Explosion Prevention During Cleaning and Purging of
Flammable Gas Piping Systems.

Key Points
Process Safety Competency – Do not accept a hazardous
practice as normal. A good understanding of process safety
would identify this hazard and seek safer alternatives.
Safe Work Practices – Give careful thought to potential hazards
when completing a work permit. Is the scale of the hazard
understood? Are the controls specified in the permit sufficient
to control the hazard? In this case, hot work permits were either
not used or inadequate for the scale of the predictable natural
gas release.
Incident Investigation – Investigate near-misses. Understand
the hazards. Implement controls to prevent the potential big
incident. Near-misses are an indication that you are on the path
to a more destructive incident.

4.9.2 Description

What Happened.

ConAgra Foods Explosion and Ammonia Release, North Carolina,
2009. A gas line to a new water heater in a utility room at the
ConAgra Foods plant was being purged with natural gas. The 7.6
cm (3 in.) line was routed for 36.5 m (120 ft) along the top of the
building from an existing 15.2 cm (6 in.) main into the building that
housed the water heater. Several openings located near the
heater allowed the natural gas to be vented directly into the utility
room during purging of the 7.6 cm (3 in.) line (Figure 4.9-1).
Although the room was equipped with an exhaust fan, no one had
analyzed the sufficiency of the existing exhaust equipment.
Several purging cycles were conducted because the
employees were having difficulty lighting the water heater. The
site relied on employees to smell the natural gas as its only means
of detection. Some employees did, some did not, but the natural
gas odor did not concern anyone, because this was considered a
normal activity. At about 11:25 a.m., the natural gas found an
ignition source. The resulting explosion caused three fatalities
inside the building and critically burned four others. Seventy-one
people were sent to the hospital, including three firefighters
exposed to ammonia released from the plant’s ammonia
refrigeration system as a result of the explosion (Figure 4.9-2).
Kleen Energy Systems Explosion, Connecticut, 2010. A natural
gas purge was being conducted at a power plant that was under
construction. The gas exited through a horizontal outlet that was
less than 6 m (20 ft) above the ground and was located between
two large structures. Although the company tried to control
ignition sources, their attempt was inadequate. Electrical power
was on, welding operations were ongoing, diesel heaters were
running, and the gas purging activity itself could have produced
static electricity or sparks caused by impacts from the gas
blowing. Eventually, the natural gas ignited, and the congestion
created by the buildings enabled the fire to become an explosion
(Figure 4.9-3).

Figure 4.9-1. Gas-fired water heater piping and likely release
points (courtesy CSB).

Figure 4.9-2. ConAgra Plant explosion aftermath (courtesy CSB).

Why it Happened. In both events, large volumes of natural gas
were deliberately released into areas that confined the release.
Efforts to control ignition sources were either inadequate or
nonexistent. No efforts were made to monitor the release to warn
if the natural gas levels were above the LFL. Efforts to limit the
number of people exposed to the hazard were ineffective.
4.9.3 Management System Failures

I. Commit to Process Safety

2. Compliance with Standards.


The standards at the time of the incident allowed cleaning with
natural gas. As noted in the summary, codes are being revised
due to knowledge gained from these types of incidents.
3. Process Safety Competency.
Purging of new gas lines with natural gas following an air pressure
test was an accepted practice despite the fact that it is dangerous
and has caused incidents. There are safer line-cleaning methods
available. The CSB identified five similar incidents that occurred
between 2001 and 2008:
• 2001. A natural gas blow at a power station in Lorain,
  Ohio, was vented through a three-foot stack, shooting
  flames 9–12 m (30–40 ft) in the air.
• 2003. An explosion and fire occurred at a natural gas power
  plant in Fairfield, California, after natural gas was vented
  within 3 m (10 ft) of a building.
• 2005. An explosion occurred at a school in Porterville,
  California, that injured two workers.
• 2007. An explosion occurred in Cheyenne, Wyoming, that
  injured two workers.
• 2008. An explosion at a hotel in San Diego, California,
  injured fourteen workers.
Safer methods, used by about half of the companies the CSB
surveyed, include pigging with air or nitrogen, air blows, nitrogen
blows, steam blows, water, and chemical cleaning.

Figure 4.9-3. Location of natural gas outlet (oval) at Kleen Energy
(courtesy CSB).

The workers conducting these operations were unaware that
they were creating an explosion hazard by releasing a flammable
vapor into a semi-enclosed or congested area. The hazard created
by a flammable release inside an enclosed space is easy to
recognize. However, not everyone realizes that a semi-enclosed,
congested area can be just as hazardous. A safety review by
experts, or release modeling, is called for in such circumstances.
Workers in this situation incorrectly thought that smell alone was
an adequate method for detecting the presence of gas. However,
odor sensitivity varies among people, and people can be
desensitized to odors. Moreover, reliance on a person’s sense of
smell requires that they be placed directly in the line of fire.

III. Manage Risk

9. Safe Work Practices.


The reports do not state whether any safe work permits were
issued for the operations. If they were, they did not include
requirements such as monitoring for the presence of flammable
materials, control of ignition sources, and limiting the presence of
unnecessary personnel.

IV. Learn from Experience

17. Incident Investigation.


The list of incidents in the Process Safety Culture section shows
that companies have not been effectively communicating the
results of incident investigations with others in the chemical
industry. Improvement in this area would facilitate learning from
the experience of other companies and ultimately reduce the
number of similar incidents.

4.10 OIL STORAGE TANK EXPLOSION, ITALY, 2006

4.10.1 Summary
An explosion occurred in a crude olive oil storage tank in Spoleto,
Italy, while workers were welding above the tank. Crude olive oil
contains up to 5% hexane from a solvent extraction process. The
explosion released the contents of the tank, which caught fire.
About an hour later, the fire caused explosions in two other crude
olive oil storage tanks. The resulting fire damaged the entire tank
farm (Figures 4.10-1 and 4.10-2) and the explosion propelled the
two tanks about 60–90 m (196–295 ft). There were four fatalities
(Marmo, et al. 2013).

Key Points
Process Safety Knowledge – Understand the hazards of the
materials you handle. They may not be as harmless as they
seem. The material involved (crude olive oil) in this case was not
considered to be flammable despite the presence of residual
hexane.
Hazard Identification and Risk Analysis – Identify hazards so
that you can then protect against them. Since the crude olive
oil material in this case was not considered flammable, there
was no HIRA conducted. This led to inadequate tank design,
inadequate SWP, and weak Emergency Management.

Figure 4.10-1. Outdoor storage tanks after explosions (courtesy
Marmo).

Figure 4.10-2. Indoor storage facility after explosions (courtesy
Marmo).

4.10.2 Description
Background. A number of oil refineries in this region of Italy
process olive oil.
Process. The refinery produced edible olive oil from crude pomace
olive oil. Pomace olive oil is obtained by extracting residual oil
from pressed olives using hexane (the oil obtained from the
pressing is virgin olive oil). The pomace olive oil was received from
multiple suppliers and contained varying amounts of hexane. At
the facility, hexane was removed by either chemical or physical
processes. Then it was deodorized by a low-pressure,
high-temperature stripping step. The facility also made soaps from
inedible oil.
Hexane is a flammable material with a flash point of -26°C
(-14.8°F). The flash point of mid isohexane isomers is -18°C (-0.4°F).
Crude olive oil can contain up to 5 wt.% hexane.
Various grades of olive oil were stored in atmospheric tanks
in a tank farm. Figure 4.10-3 is a schematic of the tank farm layout.
Tanks 93–107 were 645 m³ (170,390 gal) each and were located
outdoors. Tanks 77–88 were 365 m³ (96,423 gal) each and were
located indoors. The tanks contained various grades of olive oil:
• Tanks 86, 93, 94, 95 and 103 – pomace olive oil
• Tanks 87, 89, 96 and 100 – refined oil
• Tanks 81–85, and 87 – virgin oil
• Tanks 101, 102, and 104–107 – lampante oil (an inedible
  grade of oil)
What Happened. On the day of the incident, Tank 95 was less than
10% full, Tank 93 was about 25% full, and Tank 94 was about 50%
full. Four contractors were welding supports to the top of Tank 95
for a footbridge to cover tanks 93–96. Ignition occurred in Tank
95, lifting the tank about 10 m (33 ft) into the air and killing the
four contractors. The tank fell back near its original position and
its contents were released and caught fire. The fire engulfed tanks
93 and 94, and their contents ignited after about an hour. The
explosion lifted these two tanks off their pads, and they landed
60–80 m (197–262 ft) away. Tank 93 landed on the roof of the
finished product warehouse and tank 94 landed near the
byproducts warehouse.
Why it Happened. Samples from Tank 95 were available from the
plant’s lab and had been tested for hexane level and flashpoint.
The tank contained about 1.5 wt.% hexane and had a flashpoint
of 29°C (84°F). Two mechanisms were identified for the tank
headspace to accumulate sufficient hexane to ignite: During the
day, the tank’s surfaces were heated above 30°C (86 °F) by the sun.
In addition, the tanks were purged with air in order to mix
different batches of oil. This likely entrained hexane into the vapor
space. During the night, hexane vapors condensed on the internal
surfaces of the headspace. The hot tank skin temperature and
purging with air enabled the headspace of the tanks to become
enriched with hexane. With a flammable mixture in the
headspace, welding provided a strong ignition source in Tank 95,
and the resultant external fire around Tanks 93 and 94 generated
temperatures high enough to ignite their headspaces.

Figure 4.10-3. Schematic of tank farm (adapted from Marmo).

4.10.3 Management System Failures

II. Understand Hazards and Risk

6. Process Knowledge Management.


The crude olive oil was not considered flammable by the
Spoleto site, even though there was residual hexane and
companies doing the extraction were aware of the
flammability hazard of hexane. In this sense, the
incident was similar to the BLSR Deflagration and Fire –
Section 3.5.
7. Hazard Identification and Risk Analysis.
Since the crude pomace oil was not considered
flammable, no HIRA was done. This led to a process
design without adequate safeguards against flammability,
such as inerting the tanks. Also, the safe work permit for
the welding operations was either inadequate or missing
entirely; it would have been inadequate without the
knowledge of the flammability hazard. Finally, the lack of
hazard understanding resulted in a lack of firefighting
systems that could have contained the initial fire and
prevented other tanks from heating to the point of
explosion.

III. Manage Risk

10. Asset Integrity and Reliability.


Existing guidance for safe welding practices should have
been reviewed prior to welding on the tanks.
• NFPA 51B – Standard for Fire Prevention During Welding,
  Cutting and Other Hot Work
• ANSI Z49.1 – Safety in Welding, Cutting and Allied
  Processes
• AWS F4.1 – Recommended Safe Practices for the
  Preparation for Welding and Cutting of Containers and
  Piping

4.11 NDK CRYSTAL VESSEL RUPTURE, ILLINOIS, 2009

4.11.1 Summary
On December 7, 2009, a 2,068 bar (30,000 psi) pressure vessel
ruptured during a crystal growing process, likely due to a
combination of stress corrosion cracking (SCC) and temper
embrittlement. SCC is the formation of cracks through the
simultaneous action of applied stresses and a corrosive
environment (NACE 2010). Temper embrittlement can occur in
heat-treated steels. A 3,900 kg (8,600 lb) piece of the vessel landed
133 m (435 ft) away, damaging an office building and injuring one
person inside it. A steel beam from the facility fatally struck a truck
driver at a rest stop 198 m (650 ft) away. There was severe damage
(Figure 4.11-1) to the facility (CSB 2013b). The CSB produced a
video describing this incident.

Key Points
Process Safety Culture. Listen to the advice of others. Try to
understand their concerns. You might learn something and
prevent an incident. This company also chose to continue
operations after being warned by its insurer not to do so.
Compliance with Standards. Standards exist for a reason.
Comply with them. In this case, the original vessel did not
comply with the appropriate ASME standard. This company was
able to get a waiver but then did not comply with the
requirements of the waiver. They also violated the ASME
standard by welding cracks in one of the vessels. With a waiver
comes the responsibility to comply with it.
Incident Investigation. Recommendations are a gift.
Understand their intent, take action, and verify that the
hazard was addressed. NDK management did not implement
the findings of an incident investigation, despite strong
recommendations from an outside consultant and its insurer.

Figure 4.11-1. Ruptured vessel and damaged building at NDK
(courtesy CSB).

4.11.2 Description
Background. Nihon Dempa Kogyo (NDK) Co. was founded in Japan
and produces synthetic crystal products. The Belvidere, Illinois,
facility began operation in 2003.
Process. NDK’s facility consisted of six large pressure vessels. The
process was operated in vessels with walls that were 20.5 cm (8.1
in.) thick. The top was 46.3 cm (18.25 in.) thick and the bottom
41.3 cm (16.25 in.) (Figure 4.11-2). The vessels had an MAWP of
2,068 bar (30,000 psi) and maximum operating temperature of
399°C (750°F). The six vessels were supposed to be constructed to
meet the ASME Boiler and Pressure Vessel Code using SA-723
Grade 2 steel. However, the fabricator could not certify that the
first three vessels were compliant with the ASME code for
the type of steel used. They were able to certify the next three.
NDK petitioned the Illinois Boiler and Pressure Vessel Safety
Division for permission to use the three uncertified vessels
because they were acceptable at the operating temperature of
371°C (700°F). After a review by an independent third party, the
state approved the vessels. The vessel designer recommended
that annual inspections be done after the approval was granted.
NDK relied on a protective coating created by the formation of an
acmite layer (sodium iron silicate) during the process to prevent
SCC.
The process itself was simple, akin to making dinner in a
pressure cooker. Mined quartz crystals were inserted into the
vessel, 3 m³ (800 gal) of 4% sodium hydroxide and a small amount
of lithium nitrate were added, and then a rack of seed crystals was
suspended at the top of the vessel. The vessel was sealed and
heated to 371°C (700°F) with electric heaters. The mined crystals
dissolved in the solution and pure quartz crystals formed on the
seeds. A typical batch processed for 120–150 days, at which point
the vessel was allowed to return to ambient temperature, the
pure crystals were removed, and the caustic solution transferred
to a holding tank.
What Happened. The vessel in question, Vessel 2, was operating at
2,000 bar (29,000 psi) and 120 days into the 150-day cycle when it
ruptured. The consequences are described in the Summary.
Why it Happened. Examination of vessel fragments revealed cracks
in the metal that were likely caused by SCC from exposure to
caustic. Traces of impurities from the mined quartz (silicon,
aluminum, titanium, sulfur and chloride) were found in the cracks.
Impact tests showed the fragments had up to 50% lower strength
than had been observed in the original tests. Investigators
concluded that the acmite coating did not provide adequate
protection against SCC.

Figure 4.11-2. Cross section of crystallization vessel (not to scale)
(courtesy CSB).

4.11.3 Management System Failures

I. Commit to Process Safety

1. Process Safety Culture.


The CSB report stated, “NDK’s approach to safety was informal,
lacking formalized job training, standard operating procedures,
and an incident and injury notification and investigation
program.” (CSB 2013b). After a near-miss in 2007, in which hot
caustic sprayed out of a pressure sensor connection of Vessel 6,
the investigation found small cracks in the lid of the vessel, and a
consultant hired by NDK concluded that the cracks were due to
SCC. Both the consultant and NDK’s insurer agreed that the
vessels should not be returned to service without thorough
inspections. The insurer also stated that they reserved the right
to deny claims for future damages. NDK continued operation
without the recommended inspections.
2. Compliance with Standards.
When NDK was given permission to use Vessels 1–3, it was with
the condition that the vessels be inspected annually. There is no
documentation to show NDK did this. When cracks were
discovered in Vessel 6, NDK welded the cracks, despite the ASME
code forbidding welding SA-723 forged steel. NDK either did not
know, or failed to act on, this provision of the standard.

IV. Learn from Experience

17. Incident Investigation.


The incident investigation process described in a flowchart in
RBPS (CCPS 2007) includes the step “Implement
recommendations and ensure follow up”. As stated in the Process
Safety Culture section, NDK did not do this after the 2007
near-miss, despite strong warnings from both an outside consultant
and their insurer.

4.12 SIMILAR INCIDENTS


Several explosions were described in the 2008 book Incidents that
Define Process Safety:
• Pemex LPG Terminal, Mexico City, Mexico, November 19,
  1984.
• Texaco Oil Refinery Explosion and Fire, Milford Haven, UK,
  July 24, 1994.
• Total FCCU Explosion, La Mede, France, November 9,
  1992.
• Elf Refinery BLEVE, Feyzin, France, January 4, 1996.
• Esso Longford Gas Plant Explosion, Australia, September
  1998.
• BP Grangemouth Hydrocracker Explosion, UK, March 22,
  1987.
• BP Isomerization Unit Explosion, Texas City, Texas, USA,
  March 23, 2005.
• Motiva Enterprises LLC, Delaware, USA, July 17, 2001.
  The hexane storage tank explosion, Section 4.10, is
  almost identical in nature to the Motiva event.
• Phillips Pasadena, Texas, USA, October 23, 1989.
• Piper Alpha Platform, North Sea, UK, July 6, 1988.

4.13 ADDITIONAL RESOURCES


The following resources are available for helping to understand
and protect against explosion hazards.
Understanding Explosions, Crowl. This CCPS concept book
provides a practical understanding of explosion fundamentals,
including the different types of explosions, the explosive and
flammable behavior of materials, and the hazards related to fires
and explosions. It also discusses practical methods to prevent and
minimize the probability and consequence of an explosion during
routine use of flammable, combustible and/or reactive materials.
National Fire Protection Association (NFPA) codes. The NFPA
is a trade association that generates many codes addressing fire
and electrical hazards. Local authorities often adopt the NFPA
codes, thus making the code legally enforceable in that
jurisdiction. These codes are a good source of knowledge
addressing fire protection and suppression. Of note are:
• NFPA 30 Flammable and Combustible Liquids Code,
• NFPA 70 National Electrical Code,
• NFPA 56 Standard for Fire and Explosion Prevention During
  Cleaning and Purging of Flammable Gas Piping Systems,
• NFPA 61 Standard for the Prevention of Fires and Dust
  Explosions in Agricultural and Food Processing Facilities,
• NFPA 68 Standard on Explosion Protection by Deflagration
  Venting, and
• NFPA 654 Standard for the Prevention of Fire and Dust
  Explosions from the Manufacturing, Processing, and
  Handling of Combustible Particulate Solids.
American Petroleum Institute (API) recommended practices.
The API is an industry trade association. API committees have
generated recommended practices that address many segments
of the oil and natural gas industry. A number of these
recommended practices address process safety and fire
protection. Of note are:
• API RP 752 Management of Hazards Associated with Location
  of Process Plant Permanent Buildings,
• API RP 753 Management of Hazards Associated with Location
  of Process Plant Portable Buildings,
• API 520 Sizing, Selection, and Installation of
  Pressure-Relieving Devices, and
• API 521 Pressure-Relieving and Depressuring Systems.
FM Global property loss prevention data sheets. FM Global is
an insurance company that has used its loss experience to
generate data sheets on several topics. These data sheets are
intended to reduce the chance of property damage. Topics of
interest include industrial boilers, gas turbines, and extinguishing
systems.
Guidelines for Evaluating Process Plant Buildings for External
Explosions, Fires, and Toxic Releases, 2nd Edition (CCPS 2012a).
Siting of permanent and temporary buildings in process areas
requires careful consideration of potential effects of explosions
and fires arising from accidental release of flammable materials.
This book, which updates the 1996 edition, provides a
single-source reference that explains the American Petroleum Institute
(API) permanent (752) and temporary (753) building
recommended practices and details how to implement them.
New coverage on toxicity and updated standards are also
highlighted. Practical and easy-to-use, this reliable guide is a
must-have for implementing safe building practices.
Guidelines for Vapor Cloud Explosion, Pressure Vessel Burst,
BLEVE and Flash Fire Hazards, 2nd Edition (CCPS 2011). This guide
provides an overview of methods for estimating the
characteristics of VCEs, flash fires, and BLEVEs for practicing
engineers. It has been updated to include advanced modeling
technology, especially with respect to vapor cloud modeling and
the use of computational fluid dynamics. The text also reviews
past experimental and theoretical research and methods to
estimate consequences. Heavily illustrated with photos, charts,
tables, and diagrams, this manual is an essential tool for safety,
insurance, regulatory, and engineering students and
professionals.
Guidelines for Combustible Dust Hazard Analysis (CCPS 2017).
This book describes how to conduct a Combustible Dust Hazard
Analysis (CDHA) for processes handling combustible solids. The
book explains how to do a dust hazard analysis either by using a
compliance-based approach (based on compliance with existing
consensus standards) or by using a risk-based approach.
Examples in the book help the user to understand how to do a
combustible dust hazard analysis.
Guidelines for Pressure Relief and Effluent Handling Systems,
2nd Edition (CCPS 2017a). Providing in-depth guidance on how to
design and rate emergency pressure relief systems, Guidelines
for Pressure Relief and Effluent Handling Systems incorporates
the current best designs from the Design Institute for Emergency
Relief Systems as well as American Petroleum Institute (API)
standards. Presenting a methodology that helps properly size all
the components in a pressure relief system, the book includes
software: the CCFlow suite of design tools and the new
Superchems for DIERS Lite software, making this an essential
resource for engineers designing chemical plants, refineries, and
similar facilities.
Chapter 5 Environmental and Toxic Release Incidents

5.1 INTRODUCTION
The CCPS definition of process safety includes fires, explosions,
and toxic releases. However, far more attention is spent on
understanding fire and explosion risks than on toxic risks.
Ironically, toxic releases have led to some of the most harmful
incidents. Toxic releases can travel great distances and linger for
long periods of time, potentially impacting members of the public.
The Seveso release (1976) harmed thousands of inhabitants and
livestock. This incident prompted creation of the Seveso Directive
legislation in Europe, which addresses major accident hazards.
Another toxic release, the Bhopal incident, is widely recognized as
the worst chemical industry incident in history, causing thousands
of fatalities and injuring tens of thousands in the neighboring
community. CCPS was created following the Bhopal incident. The
Sandoz warehouse fire in Switzerland was fatal to wildlife and
impacted community water supplies along the Rhine River,
prompting changes in international law to protect such
waterways.
In addition to the human, wildlife, and waterways impact,
toxic releases also garner significant media coverage and
consequential negative corporate impact. The Deepwater Horizon
accident in the Gulf of Mexico is the largest accidental oil spill on
record. This incident spurred the reorganization of government
agencies overseeing offshore safety as well as the creation of new
regulations.
As noteworthy as some of these incidents may be, some of
the causal factors are quite mundane. Two of the incidents
discussed in this chapter involved loading/unloading operations
using hoses that were not replaced as planned. One incident
involved the integrity of secondary containment. These facts
highlight the importance of operating diligence, mechanical
integrity, layers of protection, and inherently safer design in the
prevention of potentially significant environmental and toxic
release incidents. One incident highlights the potential hazards of
indoor releases. An additional concern in two of these incidents is
that workers and emergency responders were affected because
they were unaware of the hazards of the chemicals that were
released.
5.2 BP MACONDO WELL/TRANSOCEAN DEEPWATER HORIZON
FIRE, EXPLOSION, AND ENVIRONMENTAL RELEASE, GULF OF
MEXICO, US, 2010

5.2.1 Summary
Most of the information in this section was published in a report
by the Bureau of Ocean Energy Management Regulation and
Enforcement (BOEMRE 2011), the BP report (BP 2010), the CSB
reports (CSB 2014a, b, c, and d), and the Transocean report (TO
2011).
At approximately 9:50 p.m. on the evening of April 20, 2010,
an undetected influx of hydrocarbons escalated to a blowout on
the Deepwater Horizon rig at the Macondo Well. A cement barrier
was set in the process of temporarily abandoning the well for
future production. Tests of the cement barrier integrity were
misinterpreted, and the cement barrier failed, allowing
hydrocarbons to flow up the wellbore, through the riser and onto
the rig, resulting in the blowout. Shortly after the blowout,
hydrocarbons that had flowed onto the rig floor through a mud-
gas vent line ignited. Flowing hydrocarbons fueled a fire on the rig
that continued to burn until the rig sank on April 22 (Figure 5.2-1).
Eleven people died, and seventeen were seriously injured.
Over the next 87 days, an estimated five million barrels of oil were
discharged from the Macondo Well into the Gulf of Mexico
(BOEMRE 2011). This was one of the worst environmental
incidents in US history. The aftermath of the incident was
devastating on the Gulf Coast region economy, and studies of the
environmental impact continue to this day. BP, Transocean, and
MOEX Offshore LLC (10% owner of the well) agreed to pay the
following fines (DOJ, 2015):
• $5.5 billion as a Clean Water Act penalty, 80% of which
  goes to restoration efforts (BP)
• $8.1 billion for natural resource damages (BP)
• $600 million for other claims (BP)
• $4 billion in criminal fines (BP)
• $90 million for violations of the Clean Water Act (MOEX)
• $400 million as a Clean Water Act penalty (Transocean
  Deepwater Inc.)
At the time, the Minerals Management Service (MMS) was
responsible for both revenue management and safety and
environmental protection. The incident prompted a reorganization
of offshore drilling regulation: the creation of the Office of Natural
Resources Revenue (ONRR), responsible for the revenue
function; the BOEMRE, responsible for resource planning and
leasing; and the Bureau of Safety and Environmental Enforcement
(BSEE), responsible for safety and environmental protection (CSB
2014).

Key Points
Process Safety Culture – The way we do things around here.
What is that ‘way’ and where is ‘here’? Understanding what the
culture actually is ‘on the shop floor’ and if it is consistent across
a company may identify opportunities for improvement.
Asset Integrity and Reliability – Is that last line of defense truly
a defense? The integrity of barriers that are critical to safety and
safe shutdown should be assured through systematic analysis
and maintenance.
Contractor Management – Have a clear interface. Many
workplaces involve multiple contractors and numerous
interfaces. Is there complete clarity on who is handling what?
Are communication paths defined and used so that all are
informed?

Figure 5.2-1. Fire on Deepwater Horizon (courtesy CSB).

5.2.2 Description
Background. The Macondo Well was owned by BP (leaseholder
and operator). Transocean was the owner and operator of
Deepwater Horizon, the drilling rig. Halliburton was responsible
for the well monitoring and cementing operations. Cameron,
contracted by Transocean, was responsible for providing testing
and repairs for the blowout preventer (BOP), a key safety and
environmental protection layer. There were other subcontractors
involved as well, but those mentioned here were the main parties.
Process. At the time of the incident, the well was being temporarily
shut down, with the intention of being reopened for production
at a later date, a process known as temporary abandonment. The
production casing, a high-strength steel pipe set in a well to
ensure well integrity and allow future production, was installed on
April 18-19. The bottom of the well was in a laminated sand-shale
zone, an area that has an increased likelihood of cement
channeling, which can prevent a strong bond (BOEMRE 2011).
What Happened. On April 19, cementing began. The purpose of the
cement is to seal the well and prevent hydrocarbons from flowing
out of the well. The cement operation was monitored by
comparing the amount of material flowing into the well with what
comes out. The crew believed they had seen a full return of
everything that went in, indicating a successful cementing job.
After the cementing was completed, a positive well integrity
test was run to see if there was outflow from the well to its
surroundings. This well passed the positive test. The positive well
test cannot test whether the cement is sealing the well at the very
bottom. A negative pressure test can, and one was conducted. The test
was repeated several times with negative results, but eventually
the pressure stopped increasing. The final test, a cement bond
log, was cancelled on the belief that the cement barrier injection was
successful.
After determining that the cementing was successful, the
crew began to complete the temporary abandonment
procedures. During this time, the well was supposed to be
monitored for abnormalities, specifically, a “kick” (an unwanted
influx of hydrocarbon into the well). Kicks are detected by
imbalances in the drilling mud inflow and outflow of the well.
During this time, volume in some of the tanks and pits was
increasing. Eventually, the blowout occurred.
Gas alarms began sounding on the rig. The general alarm
system was not activated automatically, so after the gas alarms
went off, the control room had to manually sound the general
alarm. Personnel were told to abandon the rig 12 minutes after
the first gas alarm went off.
The BOP, a large (17 m [57 ft] tall and 363 metric tons [400
tons]) apparatus at the ocean floor, is designed to seal a well in an
emergency. The BOP had variable bore rams (VBR) designed to
seal around the drill pipe and annulars designed to close around
the drill pipe (Figure 5.2-3). The annulars and VBR were activated
by the crew. It also had a blind shear ram (BSR), designed to cut
the drill pipe and seal the well. The BSR was not activated by the
crew. All of these failed to seal the well.
Why it Happened. BP evaluated several options for plugging the
well; however, no risk assessment was done for the chosen plan
(CSB 2014a, 26). During the drilling of the well, there had been
significant losses of drilling mud into the formation. BP engineers
and Halliburton studied how to do the cementing in a way that
would minimize additional losses. To do this they used a different
cement mixture than had been originally planned, a foamed
cement slurry that is injected with nitrogen bubbles. An MOC
review was not done on the change. After the blowout,
investigations showed the cement mixture was not stable. The
conclusion that the cement job was successful was based, in part,
on the use of the displacement procedure. This procedure
assumed a 96.1% volumetric efficiency for a pump stroke. Later
analysis showed the actual efficiency was 89-91%. This difference
resulted in less seawater being pumped than was thought, which
left space in and below the BOP.
After the cementing was completed, a positive well integrity
test was run to see if there was outflow from the well to its
surroundings. This well passed the positive test. The positive well
test cannot test if the cement is sealing the well at the very
bottom. A negative pressure test was conducted, although it was
not called for in the abandonment plans and was not required by
regulations. The results of the negative pressure test showed that
drill pipe pressure was increasing; this was an indication the
cement barrier had failed, and material was flowing into it. The
test was repeated several times and eventually, the pressure did
stop increasing. Not believing the results, a member of the crew
of the rig put forward a theory (which became known as the
bladder effect) to explain the differences, and the well leaders
accepted it. A final test, a cement bond log, was cancelled on the
belief the cement barrier injection was successful. The BOEMRE
investigation states that the “central cause of the blowout was
failure of a cement barrier in the production casing string”
(BOEMRE 2011).
An extremely simplified explanation of this behavior is that,
based on the original monitoring of material in and out, and the
successful positive test, the crew believed the cement job was
successful, and any evidence to the contrary was rationalized
away. A more thorough description of this “confirmation bias” is
given in CSB (2014c).
During the temporary abandonment operations, when the
well was supposed to be monitored for kicks, the crew began
directing the mud to two pits instead of one, and from them to
other pits and from the rig to another ship, reducing the ability to
rapidly detect a kick. A mudlogger, an employee from a different
contractor, was supposed to do this monitoring. He questioned
directing the mud to two pits, but was told this was how it was
done, and let the matter go at that. The result was that a kick was
hard to detect, so when the kick did occur, it was not detected.
This was a violation of the rig owner’s policies regarding well
monitoring.
During this time, the pit level rose by 15.8 m³ (4,190 gal) in 15
minutes. The crew’s response was to try to bleed off pressure by
opening the well, an indication they still did not know that the well
was actually flowing. The hydrocarbon flow in the well eventually
pushed all the mud out of the well and flowed onto the rig.
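
The monitoring problem described above, as an added example that is not from the book or the investigation reports: a Python volume balance showing why a kick is visible only when every destination of the returns is counted. The sample readings are constructed so that the total gain matches the 15.8 m³ in 15 minutes quoted above; the 5 m³ alarm limit, the pit names and the function names are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Sample:
    minute: int
    pumped_in_m3: float              # cumulative volume pumped into the well
    destinations_m3: Dict[str, float]  # volume held in each pit, or sent off the rig


def gain(start: Sample, now: Sample, visible: Optional[Set[str]] = None) -> float:
    """Returns seen at the visible destinations minus the volume pumped in.

    A positive value means more came out of the well than went in (a kick).
    visible=None means every destination is counted.
    """
    def surface(s: Sample) -> float:
        return sum(v for name, v in s.destinations_m3.items()
                   if visible is None or name in visible)

    returned = surface(now) - surface(start)
    pumped = now.pumped_in_m3 - start.pumped_in_m3
    return returned - pumped


def first_alarm(samples: List[Sample], window_min: int, limit_m3: float,
                visible: Optional[Set[str]] = None) -> Optional[int]:
    """Minute of the first sample whose gain over the trailing window exceeds the limit."""
    for i, now in enumerate(samples):
        # Oldest sample that still falls inside the trailing window.
        start = next(s for s in samples[: i + 1]
                     if s.minute >= now.minute - window_min)
        if gain(start, now, visible) > limit_m3:
            return now.minute
    return None


# Constructed readings: returns are split between two pits and a transfer
# off the rig while 4 m3 per minute is pumped in.
SAMPLES = [
    Sample(0,  0.0,  {"pit_A": 100.0, "pit_B": 50.0, "off_rig": 0.0}),
    Sample(5,  20.0, {"pit_A": 102.0, "pit_B": 56.0, "off_rig": 16.0}),
    Sample(10, 40.0, {"pit_A": 103.0, "pit_B": 62.5, "off_rig": 34.0}),
    Sample(15, 60.0, {"pit_A": 104.0, "pit_B": 69.8, "off_rig": 52.0}),
]

if __name__ == "__main__":
    print("full balance alarm at minute:", first_alarm(SAMPLES, 15, 5.0))
    print("pit_A only alarm at minute:", first_alarm(SAMPLES, 15, 5.0, {"pit_A"}))
    print("pits only alarm at minute:", first_alarm(SAMPLES, 15, 5.0, {"pit_A", "pit_B"}))
```

With part of the returns unmeasured, the partial balances read as a loss rather than a gain, so no limit on gain can trip.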
The blowout could have been sent to diverter lines that would
have directed it off of the rig (Figure 5.2-2), which would have
reduced the likelihood of ignition of the release and reduced the
consequences if ignition did occur. However, procedures on when
to use the diverter instead of the mud-gas separator were overly
complicated (the normal procedure to switch to overboard flow
took ten steps) (BOEMRE 2011, CSB 2014d).
As the alarms were sounding, the engine room operators
called for instructions but were never told to shut down the
engines. The engines were later determined to be the likely
ignition source.
There were three ways to operate the BOP in an emergency
mode. The explosions likely disabled the first method. Later
investigation showed that the second method, which should have
worked automatically without operator action, likely did not
function due to critical control pods on the BOP that were faulty.
One had a fault in the solenoid valve, and one had insufficient
battery charge. Finally, a remote-operated vehicle was used to
close the blind shear rams, but by this time (33 hours later), the
drill pipe had buckled in the BOP and was forced outside of the
zone of the blades of the BSR. (See the link for CSB website in the
Links section for a video describing the BOP operation and why it
failed.)

Figure 5.2-2. Location of mud-gas separator and diverter lines (courtesy CSB).

5.2.3 Management System Failures

I. Commit to Process Safety

1. Process Safety Culture.


The characteristics of a good process safety culture include
maintaining a sense of vulnerability and establishing a
learning/questioning environment (Baker Panel Safety Review
Panel [Baker Panel], 2007). The Baker Panel report was the result
of a survey of BP refineries after the 2005 explosion at the Texas
City refinery. BP was in the process of implementing the
recommendations of the Baker Panel. In 2008, BP overhauled its
management system and developed a new system called the
Operating Management System Framework (OMS), and by 2009,
OMS was about 80% implemented. BP intended to have OMS
applicable to drilling rigs. However, BP’s requirements were just
being rolled out when the Macondo Well was drilled and were not
applied to the Macondo Well.
The confirmation bias, which prevented the crew from
recognizing the failure of the negative pressure test as valid, is
another symptom of a lack of a learning/questioning environment
and a lack of a sense of vulnerability.
Further illustrating this point was the BOEMRE report
statement that “in the weeks leading up to the blowout on April
20, the BP Macondo team made a series of operational decisions
that reduced costs and increased risk” and that the investigation
team “found no evidence that the cost-cutting and time-saving
decisions were subjected to the various formal risk assessment
processes that BP had in place.”
2. Compliance with Standards.
Neither BP nor Transocean adequately implemented their own
process safety management policies. Both had MOC guidelines
that were not followed during the abandonment procedure.
The CSB noted Transocean’s “minimal guidance and unclear
expectations of the risk management tools its personnel should
use”. The crew at Macondo Well did not apply the techniques
identified as Transocean’s risk management tools: HAZID/HAZOP,
Major Hazard Risk Assessment, Safety Case, and Operation
Integrity Case. These tools were supposed to demonstrate the risk
was As Low As Reasonably Practicable (ALARP), but Transocean
did not provide guidance on what tools to use.

III. Manage Risk

8. Operating Procedures.
The Deepwater Horizon crew was not supplied with a procedure
for testing the cement barrier. The crew did not, therefore, have
a criterion for deciding if the test was positive or negative, or
actions to take following a negative test (CSB 2014a). The
abandonment procedure was written 24 hours in advance, partly
due to the fact that the nature of the strata at the bottom of the
well could not be known until the well was drilled. No MOC or
process hazard review was done for the procedure, with the
exception of an occupational safety review.
10. Asset Integrity and Reliability.
The BOP was not managed as safety critical equipment, though it
was the only equipment on the rig designed to be able to stop a
blowout. One of each pair of redundant solenoid systems was
inoperable at the time of the blowout. The BOP was overdue for
vendor-recommended preventive maintenance, and no effective
testing or monitoring process was in place to confirm the
availability of the redundant systems in the emergency automatic
mode function (AMF)/deadman system if called upon to function
(CSB 2014b).
11. Contractor Management.
An offshore drilling rig employs many contractors, hence
communications and management of the relationship between
owner and the various contractors are very important. The CSB
report (2014d, p. 168) states, referring to BP and Transocean, that
“while both companies had more rigorous corporate policies for
risk management, neither assumed effective responsibility for
ensuring their implementation at Macondo.”
One safeguard against a blowout was supposed to be the
monitoring of well conditions by the mudlogger. The mudlogger
was from a subcontractor. He was not included in the discussions
that occurred during the well testing, so was unaware there had
been issues with the negative pressure test, diminishing his
reliability as a safeguard. When he raised concerns about the
outflow being directed to multiple locations, they were dismissed
or ignored.
13. Management of Change.
The temporary abandonment procedure was changed several
times, but no MOC review was done on any changes. Changes
included using foamed cement (which is known to be less stable
than non-foamed cement), and the cement left over from a
previous well.
15. Conduct of Operations.
Hazardous processes should be designed with multiple
safeguards. BOPs are designed with multiple rams that close in
various ways and are intended to shut off the flow from the well.
At the time of the incident, Transocean had BOPs with two BSRs
on eleven out of fourteen of its rigs, and BP had two BSRs on all
of the other rigs it was leasing. The Deepwater Horizon rig only
had one BSR. One article (Barstow, et al. 2010) notes that the
failure rate of BOPs is 45%. (That figure is based on a study by Det
Norske Veritas; it was not noted if the failed BOPs in the study had
one or two BSRs). Relying on such a vulnerable layer of protection
as the final layer is an example of poor engineering design or
perhaps management, depending on who approved the BOP
design. One could argue that reliance on the BOP may have
reduced the crew’s “sense of vulnerability” as they believed it was
the ultimate layer of protection, when, in fact, it was a flawed
safeguard.
Transocean relied upon operator response to sound alarms
rather than automated shutdowns for its most critical safeguards
against catastrophic reservoir blowout and gas in the riser, yet
when the blowout actually occurred, the operating staff hesitated
to engage them. The delay in activating the general alarm and the
failure to shut down the two operating diesel generators, which
seem to be the likely ignition source, show a failure of COO.
In addition, the valves to divert flow from the inboard mud
separators to the outboard emergency discharges were remotely
operated but required operator action. A robust design would
have automated this. This is another example of inadequate
engineering design. (The CSB’s conclusion was that Transocean
was concerned about preventing environmental releases from
inadvertent discharges of drilling mud to the ocean.) Finally, it
seems unclear when and by whom the final safeguard, the BSR,
was actuated, only that it failed to seal off the well pipe.
Neither BP nor Transocean ensured there were sufficient,
robust safeguards in place.

IV. Learn from Experience

17. Incident Investigation.


The Deepwater Horizon well blowout was an informative
illustration of the need for learning from experience. The simplest
example of not learning from experience concerns an earlier kick
at the Macondo Well. The kick had occurred on March 8, 2010. It
was not detected for thirty minutes. Detection and response to a
kick is a key safety barrier in well operations. The failure to detect
the kick of March 8 should have been investigated. This was
required by BP’s internal requirements. The failure to do an
investigation was cited as a contributing cause to the incident by
the BOEMRE report.
A further example of not learning the lessons from similar
incidents is the 2008 blowout which occurred on a BP rig in the
Caspian Sea. It was reported to be due to a poor cement job. It
resulted in 211 people being evacuated from the rig and the field
being shut down for 4 months. In the risk matrix for the Macondo
Well, an uncontrolled well incident was considered a medium risk
event (cost of $1-3 million). A well kick and blowout were not
considered as well control failure events.
In December 2009, an event similar to the Deepwater
Horizon’s occurred on an offshore rig operated by Transocean in
the United Kingdom. The crew had finished displacing mud and
conducted a pressure test. They stopped monitoring and were
surprised when mud began flowing onto the rig. In this event, they
were able to shut down the well. Transocean, the owner and
operator of the drilling rig, prepared a presentation on this event
and issued an operations advisory to its North Sea fleet. However,
the lessons from these events were not learned by the crew and
engineers running the Deepwater Horizon.

Figure 5.2-3. Macondo Well blowout preventer, source (courtesy CSB).

5.3 FREEDOM INDUSTRIES, INC. CHEMICAL SPILL, WEST VIRGINIA, US 2014

5.3.1 Summary
On January 9, 2014, at the Freedom Industries chemical storage and
distribution facility in Charleston, West Virginia, an aboveground
storage tank experienced a leak that flowed into the Elk River.
Upon arrival at the site, West Virginia Department of
Environmental Protection (WVDEP) inspectors discovered what
was later identified as methylcyclohexanemethanol (crude
MCHM) and polyglycol ethers (PPH, stripped) leaking from an
aboveground storage tank.
The chemicals flowed 2.4 km (1.5 mi) to the intake of the West
Virginia American Water (WVAW) water treatment facility and
contaminated the drinking water distribution system, prompting
a do-not-use order across portions of nine counties. Refer to
Figure 5.3-1. Over 350 emergency room visits were recorded in
the first few days of the incident. The do-not-use order also
resulted in closures of many businesses, schools, and public
offices.
This incident garnered national news coverage. CSB
recommendations were made to the local water works company
as well as the American Water Works Association. The tanks have
been removed from the Freedom Industries site and only the
office/warehouse, garage, and storage buildings remain.
Freedom Industries entered into a Voluntary Remediation
Program in late February 2015, and the land has since undergone
extensive remediation. Freedom Industries executives and
managers were convicted of criminal charges related to violating
the Clean Water Act, negligently discharging refuse matter in
violation of the Refuse Act and failing to have a pollution
prevention plan (CSB 2017). Two were sentenced to federal prison
and the remaining four received three years of probation.

Key Points
Compliance with Standards – Learn from industry standards.
They contain many hard-won learnings. Even if you are not
‘regulated’ to comply with a certain standard, it may still be a
great resource.
Asset Integrity and Reliability – Maintain equipment integrity.
Equipment will start degrading the day it is installed. Inspection
and maintenance of process and storage equipment (in this
case, tanks) as well as layers of protection (in this case, dikes)
are necessary to ensure the integrity of the system.
Emergency Management – Plan for the unlikely event, be
transparent about the possibilities, and involve the potential
stakeholders. Emergency plans should include information on
all chemicals involved, drills should include external emergency
responders that may be involved, and drill experiences should
be used to improve the emergency response plans.

5.3.2 Description
Background. Freedom Industries provided specialty chemicals for
the mining, steel, and cement industries. Freedom Industries had
ownership of the facility for only nine days prior to the incident,
having merged with the Etowah River Terminal, LLC (ERT). At the
site in Charleston, Freedom Industries stored and sold ShurFlot
944, a mixture containing methylcyclohexanemethanol (crude
MCHM) and polyglycol ethers (PPH, stripped), in addition to
calcium chloride and glycerin.

Figure 5.3-1 – Flow path from Freedom Industries to West Virginia American Water Kanawha Valley Treatment Plant (courtesy CSB).

Process. The incident involved three 175 m³ (46,200 gal) tanks
(395, 396, and 397). Tank 396 held 88.5% crude MCHM, 7.3% PPH,
stripped, and 4.2% water by weight on the day of the incident.
Tank 397 was a blend tank that was used to mix crude MCHM and
PPH, stripped to produce ShurFlot 944, the blend that leaked into
the river. The ShurFlot 944 SDS stated that it is composed of a
blend of alcohols, glycol ethers, and carboxylates and that it can
cause skin, eye, and respiratory irritation and is harmful if
swallowed.
The SDS for crude MCHM stated that it contained a mixture of
six different chemical compounds, including 4-MCHM and water.
4-MCHM (CH₃C₆H₁₀CH₂OH) makes up the highest percentage
of the crude MCHM and was the main chemical that entered the
drinking water supply. Crude MCHM is used in the froth flotation
process to remove impurities from coal (such as shale and
clay). It acts as a foaming agent to bind to organic matter.

Figure 5.3-2 – Layout of Freedom Industries site (courtesy CSB).

Twelve days following discovery of the leak, Freedom
identified that PPH, stripped, was also present in tank 396 at the
time of the leak. PPH, stripped, is a mixture of propylene glycol
phenyl ether and di-propylene glycol phenyl ether. The Freedom
Industries SDS for PPH stated that it causes skin and serious eye
irritation, and handlers are instructed to avoid inhaling PPH,
stripped vapors. It is also a combustible liquid.
What Happened. Approximately 42 m³ (11,000 gal) of the mixture
of crude MCHM and PPH, stripped, leaked from tank 396 through
two small holes on the tank floor. The holes were caused by
pitting corrosion that had degraded the thickness of the floor
from the tank interior.
The chemicals then moved under the tank, through a failed
dike, along a damaged underground culvert, and into the river.
Refer to Figure 5.3-2. The WVAW water treatment process was not
capable of fully treating and removing the chemicals, resulting in
the contaminated drinking water. Since shutting down the water
supply would have also meant a loss of firefighting water, WVAW
issued a do-not-use order when chemical odors were detected in
the treated water.
Community officials initially had only the SDS information on
which to base risk estimates and communications. This resulted in
neighboring residents being given changing and conflicting
information, which increased public concern about the safety of
the drinking water.
Why it Happened. Internal inspection of Tank 396 revealed two
holes in the tank floor caused by pitting corrosion, as well as other
pits and crevices. Pitting corrosion is confined to a point or small
area that takes the form of cavities, and the rate of pitting
corrosion may be many times greater than the rate of general
corrosion. Because it is localized, pitting corrosion can only be
reliably detected by periodic internal inspections. The CSB found
evidence that the tank bottom had been replaced at some point,
and experts estimated that the second floor was at least 25 years
old but were unable to determine the exact age of the tank
bottom or when pit initiation occurred.
Extremely cold weather conditions in early January 2014 may
have caused a frost-heaving effect in the ground surrounding the
Freedom tanks. Frost heaving occurs when the freezing of water-
saturated soil causes the deformation and upward thrust of the
ground surface. This possibly led to the flexing or movement of
the tank bottom in the vicinity of the holes. The movement could
have provided enough bending on the bottom plates to possibly
dislodge debris blocking flow through the bottom holes. Once
the material became dislodged, the pressure from filled tank 396
may have enabled the sudden gushing flow of liquid from the tank
bottom.

5.3.3 Management System Failures

I. Commit to Process Safety

2. Compliance with Standards.


Freedom Industries is subject to the requirements of the West
Virginia/National Pollutant Discharge Elimination System (NPDES)
General Water Pollution Control Permit’s Stormwater Pollution
Prevention Plan and the Groundwater Protection Rule. These
require spill prevention and protection plans to reduce the
potential for leaks from such tanks and secondary containment.
There was no evidence that Freedom Industries or ERT
implemented a Stormwater Pollution Prevention Plan or
Groundwater Protection Plan. Freedom Industries believed they
were not covered by the federal Spill Prevention, Control, and
Countermeasure (SPCC) Rule, as this rule is only applicable to
facilities that store oil. It was later discovered that Freedom
Industries stored fatty acid on site, and thus the SPCC rule was
applicable, and they should have had an SPCC plan. Finally, when
the spill occurred, Freedom had no containment or leak
mitigation supplies on hand beyond a single bag of absorbent,
which was not adequate for a leak of this size.

III. Manage Risk

10. Asset Integrity and Reliability.


CSB found no documentation of prior maintenance or inspections
by Freedom Industries or ERT that would have identified and
addressed the internal corrosion in tank 396 since its installation
in 1938. There was no inspection of the secondary containment
system integrity, nor repair of the secondary containment wall,
despite knowing the wall was cracked, nor did the site have a leak
prevention plan or leak detection system to notify employees of
tank leaks.
From a compliance perspective, the API standards are
typically regulated for petroleum-based products only. However,
from a learning point of view, these standards and others that
may not be “required” can be a very good source of information
and best practice to inform additional areas. In this case, API 650,
“Welded Tanks for Oil Storage” and 653, “Tank Inspection, Repair,
Alteration, and Reconstruction”, may have guided the construction,
maintenance, and inspection of these atmospheric storage tanks.
Facilities storing chemicals should establish inspection programs,
including the inspection and maintenance of tanks with an aim to
prevent leaks.
16. Emergency Management.
WVAW did not issue the do-not-use order because they believed
their system could effectively treat the water, based on the
misinformation it received about the quantity of crude MCHM
released and its properties. Additionally, the SDS for crude MCHM
contained little information on which to understand the risk to
humans. Based on this information, WVAW believed their system
could effectively treat the chemicals. Also, twelve days after the
leak was discovered, Freedom Industries identified an additional
chemical present in the leaked mixture. This delay and
subsequent change in information communicated to the public
created concern and distrust. Facilities handling chemicals with
the potential for a leak into a waterway should liaise with local
emergency responders to ensure that the chemical
characteristics are understood and can be immediately
communicated in case of an emergency.

5.4 MILLARD REFRIGERATED ANHYDROUS AMMONIA RELEASE, ALABAMA, US, 2010

5.4.1 Summary
On August 23, 2010, at the Millard Refrigerated Services facility in
Theodore, Alabama, hydraulic shock caused a roof-mounted 0.3
m (12 in.) suction pipe to catastrophically fail, leading to the
release of more than 14,515 kg (32,000 lb) of anhydrous
ammonia. The ammonia cloud traveled downwind, impacting
crew on the ships docked at Millard and, across the river,
impacting more than 800 contractors at a Deepwater Horizon oil
spill cleanup site. One Millard employee sustained injuries after
losing consciousness. Nine ship crew members and 143 off-site
contractors downwind reported exposure. Of the exposed
victims, thirty-two required hospitalization and four were placed
in intensive care.
The Department of Justice and the US Environmental
Protection Agency (EPA) settled with Millard Refrigerated Services
regarding alleged violations of the Clean Air Act, Emergency
Planning and Community Right-to-Know Act, and Comprehensive
Environmental Response, Compensation, and Liability Act.
Millard is set to pay a $3 million penalty for the violations that
exposed the contractors. (CSB 2015c) (DOJ 2015b)

Key Points
Process Knowledge Management – Consider abnormal
operations. Design and operation, including that of control
systems, should include consideration of both normal and
abnormal operations, such as utility failure or cycle
interruption. Changes to that design should be managed and
controlled.
Hazard Identification and Risk Analysis – How big is the risk?
The greater the volume in a single system, the greater the
potential release. Although it may be easier to group process
equipment or tankage under a single control system, if there is
a failure, the release may include the volume of the entire
system. This risk should be identified and analyzed.
Emergency Management – Use emergency shutdown systems
in emergencies! Manually operated emergency shutdown
systems should be used immediately. If there is a desire to first
verify the situation, then this time delay and its consequences
should be analyzed and clearly communicated in procedures
and training.

Figure 5.4-1 – Location of Millard Refrigerated on Theodore, Alabama Industrial Canal (courtesy CSB).

5.4.2 Description
Background. Millard Refrigerated Services operated as a marine
export facility that sent frozen meat abroad. The site is located on
the Theodore Industrial Canal in Theodore, Alabama. Refer to
Figure 5.4-1. Millard operated a 64,864 kg (143,000 lb) ammonia
refrigeration system that supplied five product storage freezers
and three blast freezers.
Anhydrous ammonia (NH₃) is a colorless gas at normal
temperature and pressure, with a characteristic pungent odor.
The American Industrial Hygiene Association (AIHA) Emergency
Response Planning Guidelines Level 2 (ERPG) for ammonia is 150
ppm. The ERPG is the maximum airborne concentration below
which nearly all individuals can be exposed for up to 1 hour
without experiencing or developing serious adverse health effects
or adverse symptoms that could impair an individual’s ability to
take protective action.
Process. The refrigeration system at the Millard facility was a
closed system designed to handle liquid ammonia between a
minimum temperature of -40°C (-40°F) and a maximum
temperature of 43°C (110°F). The normal design system operating
pressure ranged between 223 mm (8.8 in.) of mercury (Hg)
vacuum and 14.5 barg (210 psig). The refrigeration system cooled
the freezers as the ammonia changed phase from a liquid to a
vapor. The ammonia vapor was then condensed back into a
liquid.
During cooling, moisture from the air builds up on the
external surface of the evaporator coil in the form of frost, which
can reduce its heat transfer efficiency. A hot gas defrost cycle is a
common technique used to periodically melt the accumulated
frost from the evaporator coil surfaces by interrupting the normal
cooling mode and circulating hot gaseous refrigerant from the
compressor discharge through the coil to warm the evaporator
surface.
What Happened. On the afternoon before the incident, the
refrigeration system experienced a loss of power for more than 7
hours. When starting up after the power outage, the operator
manually cleared an alarm in the refrigeration system which
interrupted an evaporator defrost that was in mid-cycle prior to
the power outage. This caused the evaporator to switch directly
from defrost mode into refrigeration mode without bleeding hot
gas from the evaporator coil.
The manual clearing of the alarm had caused a reset of the
control system. Therefore, the control system did not bleed the
high-pressure hot gas from the coil. Instead, it signaled the
suction stop valve and liquid feed valves to simultaneously open
in order to return the evaporator to cooling mode operation,
allowing the low-temperature liquid and hot gas to mix in the
same pipe. The mixing caused the hot gas to rapidly condense to
a liquid, creating hydraulic shocks that ruptured both the
evaporator piping manifold and the low-temperature suction
piping on the roof.
Immediately upon discovering the release, two Millard
employees went to the roof to manually close the isolation valves.
They attempted to isolate the source of the leak, but all other
equipment connected to the low-temperature suction header was
still in operation.
One Millard employee and more than 152 off-site workers,
including nine crew members of a ship docked at the Millard
facility, sustained injuries as a result of ammonia exposure. Of the
153 reported exposures from this incident, a total of thirty-two
workers were admitted to the hospital, and four were placed in
intensive care.
Why it Happened. The rapid opening of a valve between the high-
pressure and low-pressure areas caused shock to the ammonia
system. The coil rapidly depressurized, causing refrigerant liquid
and vapor to accelerate into the downstream suction piping. The
gas quickly condensed to a liquid, leading to shock when voids of
trapped gas built up pressure and then rapidly condensed,
creating a vacuum. The creation of the vacuum reduces the
volume, allowing fluid from other parts of the system to rush in at
high velocity. Then, when this fluid hits a corner or end of a pipe,
it stops suddenly, potentially damaging that piece of pipe. The
Millard failure was likely caused by a combination of the
condensation shock and the high velocity liquid impact.
A contributing factor in this incident was the configuration of
the blast freezer evaporators at the Millard facility. Specifically,
multiple evaporator units were connected to a single control valve
group. This allowed an excessively large volume of high-pressure
gas to be introduced to the suction line during restart.

5.4.3 Management System Failures

II. Understand Hazards and Risk

6. Process Knowledge Management.


The control system contained a software error that permitted the
system to go to refrigeration mode without bleeding the high
pressure from the coil or preventing the low-temperature suction
valve from opening. In normal operation, this error went
undetected. This error was enabled by a lack of restricted access
for control system modifications.
It was also noted that the pump-out time at the beginning of
the defrost cycle was less than originally intended. This may have
resulted in not fully clearing the residual liquid ammonia from the
evaporator coil.
Software logic should consider both normal and abnormal
operations such as a power outage or cycle interruption. System
modifications, including software logic changes or manual
overrides, should be controlled through the use of password
protection. Changes in system operations, such as time for
operational steps, should be subject to a MOC process.
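The restart behaviour described above can be written as a permissive in the sequence logic, shown here beside the reset that skips it. This Python example is added here and is not the Millard control program; the step names, the 1.0 barg permissive, the 900 s pump-out time, the 8.0 barg coil pressure, and the role and MOC strings are all assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum


class Step(Enum):
    REFRIGERATION = "refrigeration"
    PUMP_OUT = "pump_out"
    HOT_GAS = "hot_gas"
    BLEED = "bleed"


# Assumed figures for illustration; real limits come from the refrigeration design.
SUCTION_PERMISSIVE_BARG = 1.0   # coil must be bled below this before suction opens
DESIGN_PUMP_OUT_S = 900         # pump-out time the design intended


@dataclass
class Evaporator:
    step: Step = Step.REFRIGERATION      # retained memory: survives power loss and resets
    coil_pressure_barg: float = 0.5
    pump_out_s: int = DESIGN_PUMP_OUT_S
    open_valves: set = field(default_factory=set)
    audit: list = field(default_factory=list)


def hazardous(ev: Evaporator) -> bool:
    """True when the suction stop valve is open onto a coil still holding hot gas."""
    return ("suction_stop" in ev.open_valves
            and ev.coil_pressure_barg >= SUCTION_PERMISSIVE_BARG)


def _go_to_bleed(ev: Evaporator) -> None:
    ev.step = Step.BLEED
    ev.open_valves = {"bleed"}


def naive_reset(ev: Evaporator) -> None:
    """Fault described in the text: the reset forgets the cycle and goes straight to cooling."""
    ev.step = Step.REFRIGERATION
    ev.open_valves = {"liquid_feed", "suction_stop"}


def safe_reset(ev: Evaporator) -> None:
    """Abnormal-operation path: an interrupted defrost is always bled before cooling."""
    if ev.step is not Step.REFRIGERATION or ev.coil_pressure_barg >= SUCTION_PERMISSIVE_BARG:
        _go_to_bleed(ev)


def request_refrigeration(ev: Evaporator) -> bool:
    """Permissive checked on every move to cooling, whatever path led here."""
    if ev.coil_pressure_barg >= SUCTION_PERMISSIVE_BARG:
        _go_to_bleed(ev)
        return False
    ev.step = Step.REFRIGERATION
    ev.open_valves = {"liquid_feed", "suction_stop"}
    return True


def change_pump_out_time(ev: Evaporator, new_seconds: int, role: str, moc_ref: str) -> bool:
    """Setpoint edits need an authorised role and an MOC reference; every attempt is logged.

    The role string stands in for the control system's authenticated login (assumption).
    """
    allowed = role == "controls_engineer" and bool(moc_ref)
    ev.audit.append((role, "pump_out_s", ev.pump_out_s, new_seconds, moc_ref, allowed))
    if allowed:
        ev.pump_out_s = new_seconds
    return allowed


def interrupted_defrost() -> Evaporator:
    """Constructed scenario: the cycle is interrupted mid hot-gas step, coil at 8.0 barg."""
    return Evaporator(step=Step.HOT_GAS, coil_pressure_barg=8.0, open_valves={"hot_gas"})


if __name__ == "__main__":
    for reset in (naive_reset, safe_reset):
        ev = interrupted_defrost()
        reset(ev)
        print(reset.__name__, ev.step.value, sorted(ev.open_valves), "hazard:", hazardous(ev))
```

The same permissive belongs on every path into refrigeration mode, so that a reset, a manual override, or a shortened step time cannot bypass it.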
7. Hazard Identification and Risk Analysis.
Each evaporator coil at Millard had an aggregate capacity of 0.4
m³ (15 ft³) of liquid ammonia or gas with a total of 1.7 m³ (60 ft³)
of ammonia for each blast freezer valve control bank. By grouping
four large blast freezer evaporators together with one set of
control valves, the opportunity for a large volume flow through
the suction line enabled the failure. For the design of systems
handling toxic materials, avoid grouping large portions of the
process under a single control. While this may simplify operations,
it increases the volume, and thus potential impact, of any toxic
release.

III. Manage Risk

16. Emergency Management.


The use of the emergency stop button located in the Millard
control room would have shut down the compressors and pumps,
stopped the ammonia circulation and decreased the volume
released. However, the Millard emergency procedure instructed
personnel to first find and isolate the leak, stating that the
emergency stop button was for use in natural disasters and when
deemed necessary by authorized personnel. Because the
operator did not immediately activate the emergency stop button,
the release quantity was greatly increased. In the event of a
hazardous release, emergency shutdown systems should be
activated immediately. Where procedures advise that the leak
should first be located, the consequences of this potential time
delay should be analyzed and included in risk analyses.

5.5 DUPONT METHYL MERCAPTAN RELEASE, TEXAS, US, 2014

5.5.1 Summary
On November 15, 2014, a release of 10,886 kg (24,000 lb) of
methyl mercaptan from the third floor of the building that housed
DuPont’s La Porte, TX, Lannate® process resulted in methyl
mercaptan concentrations that were above the level considered
“immediately dangerous to life and health” (IDLH) in the building.
Area personnel activated the building evacuation alarm and
requested rescue via the plant emergency communication
system. The Site Emergency Response Team responded to the
area for search and rescue. Site personnel placed calls to 911, and
external agencies also responded to the site. The Site Emergency
Response Team members stopped the release and isolated the
process.
The release resulted in four employee fatalities, three
personnel injuries, and three other personnel chemical
exposures. There were no off-site injuries or exposures. In 2016,
DuPont announced that it will close the La Porte plant, which has
been shut down since the gas leak (CSB 2015d).

Key Points
Hazard Identification and Risk Analysis – Look beyond the
P&ID. Are there surrounding features such as a building or a
fence that could increase the risk or limit emergency response?
Is the “vent to safe location” really safe–or is it in an area that
operators may need to access?
Operating Procedures – Use operational discipline when using
operating procedures. Following procedures every time, such
as walking the line, can help to avoid likely errors such as
misalignment of valves.
Emergency Response – Put human nature aside for a moment.
It is human nature to respond to another person’s need for
help. However, in a toxic release situation, it is imperative for
the safety of the emergency responders, as well as that of the
victim, that the responders first assess the situation and
protect themselves. Otherwise, all may become victims.

5.5.2 Description
Background. At the La Porte plant, DuPont made insecticides,
herbicides, and other products. In the Lannate® unit, methyl
mercaptan was reacted with other chemicals to create the
insecticide Lannate®. Refer to Figure 5.5-1.
Process. The process of making Lannate® is not the key process
involved in this incident. Instead, the chemistry of slurries
and hydrates is key. The reaction between methyl mercaptan
and other chemicals can create a slurry. This slurry is typically
cleared by flushing the lines with hot water. Hydrates are an
ice-like, solid substance that can be created when a hydrocarbon and
water are mixed below a certain temperature. Lines blocked with
hydrates can be challenging to clear.

Figure 5.5-1 – DuPont building housing the Lannate® unit (courtesy CSB).

What Happened. On November 10, 2014, the Lannate® unit was
shut down due to a problem with the reactor. On November 12,
attempts made to restart the unit were unsuccessful due to a
slurry blockage in the line that had been cleared by flushing lines
with hot water. During this clearing, a valve had inadvertently
been left open to the methyl mercaptan feed line that connected
to the methyl mercaptan storage tank. It is estimated that 907 kg
(2,000 lb) of water flowed through this open valve, into the feed
line, and into the tank. There were consistently cold ambient
temperatures that week. The water mixed with the methyl
mercaptan, forming a hydrate that blocked the feed line.
On November 14, the operators attempted to clear the
hydrate by flowing hot water onto the blocked pipeline and
heating it above 11°C (52 °F), the temperature at which the
hydrate should revert to methyl mercaptan and water.
The feed line was connected by valves to the vent header at
three points along the line. With the Lannate® unit shut down, a
fourth valve located between the feed line and the reactor system
had been closed in order to prevent methyl mercaptan from
entering the reactors. In this configuration, there was no flow path
for the methyl mercaptan except into the vent header.
At the end of the day shift, the operators communicated the
plan for clearing the hydrate to the night shift. As a result of
troubleshooting and clearing activities, valves leading to the vent
header from the methyl mercaptan feed line had been left open,
creating an interconnection from the methyl mercaptan feed line
to the vent header. The positions of the three valves were not
communicated during the shift change. Refer to Figure 5.5-2. The
night shift operators attempted to clear the remaining blockage
and then attempted to start up the unit, which involved starting
the methyl mercaptan pump and opening an additional valve
from the feed line to the reactor system. The start-up attempt was
not successful, as the blockage remained. They closed the
additional valve to the reactor and then took a break in the control
room. They left the hot water hoses and the methyl mercaptan
pump on.
Why it happened. The hydrate blockage cleared while the
operators took a break, allowing the methyl mercaptan to flow
into the feed line. It then took the path of least resistance and
flowed into the vent header. The vent header connects with
process equipment inside the Lannate® building. Operations
personnel began to observe pressure increases in the process
vessels connected to the vent header and did not realize the
pressure was caused by methyl mercaptan because vent header
pressure increases were typically associated with condensate
collecting in the vent header. Instructions were to drain liquid
from the vent system daily.

Figure 5.5-2 – Depiction Showing Location Where Drain Valves
Were Opened. These drain valves released toxic methyl
mercaptan into the manufacturing building. Methyl mercaptan
detectors on the first and fourth floors detected high
concentrations of methyl mercaptan shortly after the release
began. This depiction is a simplified graphic of the
manufacturing building and does not show the location of
Operator 1 (courtesy CSB).

Operators were sent to drain the vent system of liquid. They
opened valves intending to release the condensate, but instead
liquid methyl mercaptan was released into the building. It quickly
vaporized and exposed the workers who had been attempting to
drain the liquid from the vent system.
These are classic errors during line-up and shift hand-over
communications. According to an American Fuel & Petrochemical
Manufacturers (AFPM) study, 30% of losses of primary
containment (LOPCs) are due to line-up errors (AFPM, 2017).
Given the challenge and time involved in clearing the hydrates, a
number of valves had been operated over a number of shifts.
There was no operational continuity in communicating the
current operating state (line-up) of the plant. Good operating
discipline would include operator shift hand-over notes and
positive verification of the line-up before starting up. Other tools
include bypass boards noting the location of open bleed valves
and flags on open bleed valves.

5.5.3 Management System Failures

II. Understand Hazards and Risk

6. Process Knowledge Management.


The DuPont La Porte insecticide business unit also used methyl
isocyanate (MIC). Following the Bhopal incident, DuPont made
modifications to implement inherently safer design principles for
MIC, including an open building structure with equipment to
direct potential toxic leaks to an incinerator. However, DuPont did
not apply these same principles to the methyl mercaptan
equipment.
The Lannate® process was located inside a building.
Companies sometimes enclose toxic chemical manufacturing
equipment inside a specially designed containment building, with
the intention to contain any potential leaks in the building and
route the toxic vapor to a destruction device such as an
incinerator or scrubber.
There was no documentation of the design intent of this
building. DuPont stated that it was not a containment building. If
toxic vapors were collected in the building, they would be
discharged from the roof. However, the building’s ventilation
system was ineffective. The building’s stairways had fire doors
that were often propped open, and the building ventilation fans
were not operational at the time of the incident. A previous audit
of DuPont La Porte’s Process Safety Management system found
that the ventilation system was not being tested as required,
despite the ventilation fans being classified as process safety
critical.
Engineering solutions to mitigate process safety risks through
inherently safer design should have been developed to address
both the process equipment and also the surrounding area that
may be affected by a release of toxic chemicals. In this case, the
structure housing the Lannate® process, the discharge location
of the pressure relief system (or use of a destruction system), and
the design of the air ventilation system should have been
considered.
7. Hazard Identification and Risk Analysis.
Performing process hazard reviews is fundamental to the
identification and consideration of potential process safety risks.
PHAs should be conducted on a routine basis and should include
operators and others familiar with the unit’s potential hazards.
PHAs should have identified the risk of operator exposure to
methyl mercaptan when draining condensate from a manual
drain valve in the vent header, a daily task, and either eliminated
the need for draining condensate or provided a safe means to do
so. Likewise, the abnormal operation of clearing a plug in the
methyl mercaptan feed line should have triggered a procedural
PHA with process-knowledgeable employees to identify potential
hazards, raise safeguards, and ultimately to determine if the
procedure could be performed safely.

III. Manage Risk

8. Operating Procedures.
The operators created a strategy to resolve the hydrate blockage.
However, they did not consider the potential blockage of relief
paths in this strategy. Operating procedures should include
troubleshooting and other non-routine activities. The lead-up to
this incident, like so many others, took place over a number of
shifts. In this instance, the operators were not aware of the
positions of all of the valves. This reinforces the importance of
clear and complete shift turnover communications and also the
importance of walking down the line to verify the state of the
process.
13. Management of Change.
DuPont had previously evaluated the potential off-site
concentrations from a release of methyl mercaptan through the
relief valves on the top of the methyl mercaptan storage tank due
to a fire. These relief valves discharge to the atmosphere. The
analysis found that the fireproofing could reduce the relief and
avoid ERPG 3 concentrations off-site. However, at the time of the
incident, the fireproofing insulation had been removed. No MOC
was found for the removal of the fireproofing. Management of
change reviews should be conducted on changes that may impact
the function of the pressure relief system. In some cases, features
like fireproofing insulation or provision of a separation distance
may not be readily recognized as an important part of a pressure
relief scenario. An MOC may help to make this clear.
16. Emergency Management.
At the time of the incident, there were three methyl mercaptan
detectors located in the building, but the only alarm was in the
control room. The workers located outside of the control room
had no way to know if a building gas detector was in alarm. Three
of the four fatalities occurred after the initial release when
workers entered the building without proper PPE to respond to
the first victim’s call for help. The Emergency Response Team was
not notified that the incident involved a toxic release, so they
arrived on scene without proper equipment. This resulted in a 90-
minute delay in rescue personnel entering the building. They did
bring five-minute escape masks, which are intended for a short
escape to a safe location but not for emergency response
operations during a release.
Detection and alarm equipment should be provided to warn
of the release of highly toxic materials. Emergency response
procedures and training should make it clear to emergency
responders that when highly toxic chemicals may be present, they
should review the situation and protect themselves before they
respond, so as to avoid becoming victims themselves. This is
similar to the emergency response in the Jaipur incident
described in Chapter 4.

5.6 DUPONT PHOSGENE RELEASE, WEST VIRGINIA, US, 2010

5.6.1 Summary
On January 22 and 23, 2010, three separate incidents at the
DuPont plant in Belle, West Virginia triggered notification of
outside emergency response agencies. One involved the release
of methyl chloride, one the release of oleum, and one the release
of phosgene. The incident involving the release of phosgene gas
led to the fatal exposure of a worker performing routine duties in
an area where phosgene cylinders were stored and used.
The phosgene incident occurred when a hose used to transfer
phosgene from a 0.9 metric ton (1 ton) cylinder to a process
catastrophically failed and sprayed a worker in the face while he
was checking the weight of the cylinder. Coworkers immediately
responded to the worker’s call for help. Initially, the worker that
had been sprayed with phosgene showed no symptoms of
exposure. However, his condition deteriorated rapidly, and he
died the next night. Delayed onset of symptoms is consistent with
phosgene exposure.
In 1988, DuPont conducted risk assessments of the Belle
phosgene plant. Using internal company criteria, decisions were
made, and no potentially inherently safer approaches were
undertaken.
The CSB investigation also examined concerns raised by
emergency response organizations regarding the timeliness and
quality of information provided to response personnel (CSB
2011d).

Key Points
Compliance with Standards – Listen to your colleagues.
Company standards often codify the learnings of many of your
colleagues over many years of operation. Follow their
guidance. If the guidance seems to not make sense or to be out
of date, then use a MOC or deviation process to ensure that all
aspects of this guidance are recognized and analyzed before a
change is made or the guidance is not used.
Asset Integrity and Reliability – Take care of the systems that
take care of you. Changes in a maintenance management
system, whether computerized or manual, should be managed
and potential unintended consequences should be considered.
These systems should have sufficient redundancy to ensure
tracking and timely scheduling of preventive maintenance for
safety-critical equipment.
Incident Investigation – Know when to escalate. Incident
reporting and investigation procedures are typically clear on
what and to whom information is to be communicated. It
sometimes takes hours or days to go through the process. But
occasionally the situation identified could have imminent
consequences. The procedures also need to be clear about how
and when to escalate the process to avoid potential imminent
consequences.

5.6.2 Description
Background. DuPont’s Crop Protection business area is
responsible for the development, manufacture, and sale of
fungicides, herbicides, insecticides, and seed treatments globally.
The DuPont Belle plant is located in Belle, West Virginia, about 13
km (8 mi) east of Charleston, the state capital. The plant occupies
about 293 hectares (723 acres) along the Kanawha River and sits
in an industrial, commercial, and residential use area.
Process. The process unit runs on a campaign basis and is divided
into a “front end” and “back end.” The front-end process makes
five isocyanate intermediate products. Phosgene is fed from 0.9
metric ton (1 ton) cylinders to the front end of the process to
produce five intermediate products. The phosgene cylinders are
stored in a naturally ventilated, partially walled storage shed.
Two cylinders are staged on weigh scales and each is
connected to the process with polytetrafluoroethylene (PTFE) 304
stainless-steel overbraid hoses. One hose transfers liquid
phosgene to a steam vaporizer, and one provides 4.8 barg (70
psig) nitrogen to the cylinder. The scales record the cylinder
weight. An alarm notifies the board operator when the cylinder is
empty, and the operator then instructs field operators to switch
cylinders. This switch is completed by opening valves to the full
cylinder and closing valves to the empty cylinder. Site operating
procedures do not require enhanced PPE, such as a fully-
encapsulated suit and breathing air, for this operation. Under
normal operating conditions, the process consumes two to three
cylinders of phosgene per day. The Standard Operating
Procedures (SOPs) require operators to don a fully-encapsulated
suit with supplied breathing air when they replace an empty
cylinder with a full cylinder.
Phosgene is colorless and highly toxic and has a characteristic
odor of freshly cut hay or grass. It has a boiling point of 8°C (46 °F),
making it liquid in cold weather and gas in warmer weather. At
room temperature, phosgene is heavier than air. The U.S. OSHA
8-hour TWA PEL for phosgene is 0.1 ppm. Injury may occur before
phosgene odor is detected. Liquid phosgene contact with skin can
also cause severe chemical burns at higher doses. Inhaled
phosgene slowly undergoes hydrolysis and forms HCl, which
results in upper respiratory irritation and burning sensations,
cough, and chest oppressions. Symptoms may not appear until
several hours after exposure. Phosgene also reacts with proteins
in the pulmonary bronchioles and alveoli, disrupting the blood-air
barrier in the lungs and resulting in increased lung fluid.
Pulmonary edema can be present in victims as long as 40 hours
after exposure and may last days, depending on the
concentration and duration of the exposure.
What happened. On January 23, 2010, a stainless-steel braided
transfer hose, connected to a partially filled but not in service
1-ton phosgene cylinder, failed catastrophically. When the release
occurred, an operator was in the phosgene shed inspecting the
status of the phosgene cylinder. He was sprayed across the chest
and face with liquid phosgene that remained in the hose from a
previous transfer operation.
DuPont estimates that about 0.9 kg (2 lb) of phosgene were
released to the atmosphere when the hose failed. The sprayed
operator immediately called for help using the public-address
phone in the phosgene shed. His dosimeter badge was
discolored, indicating an exposure.
The exposed worker washed his face and hands while waiting
in the medical center. He did not use a safety shower, nor was he
decontaminated by any other method. He was given clean
coveralls.
One confirmed and one possible phosgene exposure
occurred after the initial release as a coworker responded to the
victim in the shed and drove him to the medical center. Possible
sources of this exposure were either phosgene vapor in the
atmosphere or contact with the victim’s clothing.
Why it happened. Common practice was to use plastic ties or metal
clamps to attach tags indicating their intended service to hoses.
One manufacturer used plastic adhesive tape to secure this
identification information to the hose. The corrosion on the two
hoses was under the area where the adhesive tag had been
secured. The hoses had a core constructed of permeable PTFE
and a braided 304-stainless steel exterior. The tape over this hose
design allowed stress corrosion cracking (SCC) to occur. Refer to
Figure 5.6-1. The permeable PTFE inner core allowed the
phosgene to diffuse, which was then trapped on the stainless-
steel braid by the adhesive tape. The phosgene gas converted to
HCl which corroded the 304-stainless steel overbraid.
At the time of the incident, the phosgene hose isolation valves
were closed, trapping phosgene in the hose and pipe. The
corrosion of the hose, the hose length of service, and the thermal
expansion of the trapped phosgene caused the hose failure that
sprayed the worker who happened to be nearby.

5.6.3 Management System Failures

I. Commit to Process Safety

2. Compliance with Standards.


A DuPont standard delineating acceptable construction materials
for flexible hoses in highly toxic material service had listed three
hoses for use in phosgene service. However, the Belle facility did
not use any of the specified hoses. The hose used was not suitable
for phosgene service. DuPont engineers voiced concern regarding
the materials of construction for phosgene hoses, but these
concerns were overruled based on the planned frequent change-
out of the hoses. Standards, whether industrial or company
specific, should be followed. Deviations from and changes to the
standards should be subject to MOC.
3. Process Safety Competency.
The Belle facility made the decision to deviate from the DuPont
standard recommended hose construction for phosgene
handling. It is important for those making decisions regarding
facility design, changes to equipment, operating procedures,
engineering controls, construction materials, PPE, procedures,
maintenance, emergency response, and release detection and
alarms to clearly understand the potential chemical hazards so
that they can take these hazards into account in their designs. In
this instance, the hazards associated with thermal expansion of
entrapped liquid in piping and equipment were not well
understood.

II. Understand Hazards and Risk

7. Hazard Identification and Risk Analysis.


PHAs were conducted on the phosgene cylinder feed system and
vaporizer four times between 1994 and 2009. The 2009 PHA team
reviewed changes since the 2004 PHA, previous phosgene release
incidents, and recommended corrective actions.

Figure 5.6-1 – Photo of hose used to transfer phosgene (courtesy CSB)

The team identified a potential phosgene release from the
cylinder transfer hoses if the hoses were incorrectly connected or
inadvertently disconnected while the cylinder feed valve
remained open. Thermal expansion was not considered.
Although the team did consider the phosgene and water causing
corrosion to stainless steel in other parts of the plant, this was not
considered on the hoses. There had been previous phosgene
leaks through PTFE at the plant, but this was not considered when
analyzing the hoses.
PHAs should include consideration of all potential hazards on
all of the equipment within the scope of the study. A rigorous
approach should be taken to avoid overlooking small piping or
hoses.
In the 2004 PHA, the team identified scenarios that could
result in plant-wide or off-site consequences and made a
recommendation to install a shed enclosure around the cylinders.
The original recommendation due date of December 2005 was
extended four times and had not been completed at the time of
the incident. The U.S. OSHA PSM standard requires companies to
establish systems that resolve PHA recommendations in a timely
manner.

III. Manage Risk

10. Asset Integrity and Reliability.


The DuPont SOPs specified changing the phosgene hoses every
thirty days. However, work orders showed that this was not
occurring routinely. The hoses involved in the incident were in
service for more than six months.
An SAP system was used to support maintenance at the Belle
facility. It issued the work orders to change out the phosgene
hoses per the specified frequency. In 2006, SAP data associated
with the phosgene hoses was changed and SAP stopped issuing
the work orders. The plant personnel were not aware that SAP
had stopped issuing the work orders. With SAP not issuing the
work orders, maintenance notifications to change the hoses were
not generated. Maintenance management systems,
computerized or not, should have sufficient redundancy to
ensure tracking and timely scheduling of preventive maintenance
for safety-critical equipment. Changes in maintenance
management systems that relate to safety-critical equipment
should be subject to MOC.
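One form the redundancy described above can take is an independent check that does not rely on the maintenance system to report its own gaps. This Python example is added here and is not DuPont's or SAP's code; the equipment tags, dates, plan fields and grace period are constructed, and only the thirty-day hose interval comes from the text.

```python
from datetime import date, timedelta

# Independent register of safety-critical PM tasks and their intervals in days, kept
# outside the maintenance system. Tags are constructed; the 30-day hose interval is
# the one the SOPs described on this page specify.
REGISTER = {"HOSE-A": 30, "HOSE-B": 30, "GAS-DETECTOR-1": 90, "RELIEF-VALVE-1": 365}

# Constructed work-order export: (tag, date issued, date completed or None).
WORK_ORDERS = [
    ("HOSE-A", date(2023, 12, 16), date(2023, 12, 17)),
    ("HOSE-A", date(2024, 1, 15), date(2024, 1, 16)),   # last order the scheduler issued
    ("HOSE-B", date(2024, 6, 10), date(2024, 6, 11)),
    ("HOSE-B", date(2024, 7, 10), date(2024, 7, 11)),
    ("GAS-DETECTOR-1", date(2024, 3, 1), date(2024, 3, 1)),
    ("GAS-DETECTOR-1", date(2024, 6, 20), None),        # issued but never closed out
]

# Constructed scheduler plan exports: the approved baseline and today's state.
BASELINE_PLANS = {
    "HOSE-A": {"active": True, "interval_days": 30},
    "HOSE-B": {"active": True, "interval_days": 30},
}
CURRENT_PLANS = {
    "HOSE-A": {"active": False, "interval_days": 30},   # plan data changed, no review
    "HOSE-B": {"active": True, "interval_days": 30},
}


def audit_pm(register, work_orders, today, grace_days=7):
    """Return (tag, finding, days) for every task the maintenance system is not covering."""
    findings = []
    for tag, interval in sorted(register.items()):
        orders = [w for w in work_orders if w[0] == tag]
        if not orders:
            findings.append((tag, "NO_WORK_ORDERS", None))
            continue
        limit = timedelta(days=interval + grace_days)
        since_issue = today - max(issued for _, issued, _ in orders)
        completed = [done for _, _, done in orders if done is not None]
        since_done = today - max(completed) if completed else None
        if since_issue > limit:
            # The scheduler has gone quiet: nobody is even being asked to do the task.
            findings.append((tag, "SCHEDULER_SILENT", since_issue.days))
        elif since_done is None or since_done > limit:
            days = since_done.days if since_done is not None else None
            findings.append((tag, "OVERDUE", days))
    return findings


def unapproved_plan_changes(baseline, current, approved):
    """Diff the scheduler's plan export against the approved baseline.

    `approved` holds (tag, field) pairs already covered by a completed MOC review.
    """
    changes = []
    for tag, plan in sorted(baseline.items()):
        now = current.get(tag, {})
        for key, old in sorted(plan.items()):
            new = now.get(key)
            if new != old and (tag, key) not in approved:
                changes.append((tag, key, old, new))
    return changes


if __name__ == "__main__":
    for finding in audit_pm(REGISTER, WORK_ORDERS, today=date(2024, 8, 1)):
        print(finding)
    for change in unapproved_plan_changes(BASELINE_PLANS, CURRENT_PLANS, approved=set()):
        print(change)
```

Run on a schedule that is itself monitored, the first check catches the symptom (no work orders arriving) and the second catches the cause (plan data altered without review).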
16. Emergency Management.
One, potentially two, workers were exposed to phosgene after the
initial exposure. The site did not have alarms in the phosgene
shed or a radio/telephone system dedicated to emergencies. This
resulted in limited ability to give information to emergency
responders in a timely manner. Facility emergency response
protocols should require that a responsible and accountable
employee always be available (all shifts, all days) to provide timely
and accurate information to the emergency responders.

IV. Learn from Experience

17. Incident Investigation.


On the morning of the phosgene incident, maintenance
personnel replaced a phosgene hose because of a suspected flow
restriction. The phosgene hose was removed and
decontaminated. The adhesive tag came off showing a damaged
stainless-steel braid and collapsed PTFE liner. Operators planned
to inform supervisors about the damaged hose on the following
Monday.
Incident and near miss reporting and investigation systems
should be thorough enough to recognize those critical incidents
that could potentially lead to an imminent event or to the
escalation of an event. This should include the requirement to
notify appropriate levels of authority immediately, regardless of
the day of the week or the time of the day.
19. Auditing.
An additional opportunity to learn of this potential failure
occurred during a DuPont audit, where it was found that the
phosgene hoses were not of the types specified in the DuPont
SOP.

5.7 DPC ENTERPRISES, L.P. CHLORINE RELEASE, MISSOURI, US, 2002

5.7.1 Summary
On the morning of August 14, 2002, a chlorine transfer hose
failed, releasing 21,772 kg (48,000 lb) of chlorine over a three-hour
period during a railroad tank car unloading operation at DPC
Enterprises, L.P., near Festus, Missouri. Refer to Figure 5.7-1. The
facility repackages bulk dry liquid chlorine into 0.9 metric ton (1
ton) containers and 68 kg (150 lb) cylinders for commercial,
industrial, and municipal use in the St. Louis metropolitan area.
Chlorine is a toxic chemical. Concentrations as low as ten
parts per million are classified as “immediately dangerous to life
or health.” The wind direction on the day of the release carried
the majority of the chlorine plume away from neighboring
residential areas; however, some areas were evacuated. Sixty-
three people from the surrounding community sought medical
evaluation at the local hospital for respiratory distress, and three
were admitted for overnight observation. The release affected
hundreds of other nearby residents and employees, and the
community was advised to shelter-in-place for 4 hours. Traffic was
halted on Interstate 55 for 1.5 hours. Three DPC workers received
minor skin exposure to chlorine during cleanup activities (CSB
2003b).

Key Points
Asset Integrity and Reliability – Did you get what you paid for?
It is often difficult to simply visually determine if that pipe, hose,
or valve is what you thought you were purchasing. Positive
Material Identification (PMI) should be used to verify that
materials are delivered as specified, especially where the use of
an incorrect material may lead to failure.
Emergency Management – We are in it together. Recognize and
test the assets and limitations of the neighboring emergency
response capabilities in your emergency response plans and
drills.
Asset Integrity and Reliability – Will your ESD system work in
an emergency? ESD system design should consider the
operating and environmental conditions, including that of
upstream equipment that might impact the system. ESD
system testing should verify that the entire system works, from
a sensor or button to the closing of a valve.

Figure 5.7-1 – Failed chlorine transfer hose and release (courtesy CSB).

5.7.2 Description
Background. DPC Enterprises bought the Festus repackaging
facility in 1998 and added chlorine detectors and an ESD system
to the chlorine repackaging area. The facility is part of the DX
Distribution Group network of eighteen repackaging and
distribution companies.
DPC Festus is located on an 8-acre site in the Plattin Creek
Valley of Jefferson County, Missouri. The facility receives bulk dry
liquid chlorine in 82 metric ton (90 ton) tank cars and repackages
it into 68 kg (150 lb) cylinders and 0.9 metric ton (1 ton) containers.
DPC Festus employs twelve full-time personnel, including four
packaging operators (packagers), four truck drivers, two
administrative staff, a sales representative, and an operations
manager.
The chlorine repackaging process is a one-shift operation,
typically running weekdays from 6:00 a.m. to 4:00 p.m. At the end
of the day, all tank car valves are manually closed, chlorine in the
piping system is directed to the bleach production process, a
vacuum is pulled, and the ESD button is pressed to close all ESD
valves. The chlorine transfer hoses remain connected to the tank
car overnight.
Process. Chlorine is a toxic chemical. Chlorine exposure occurs
through inhalation or through skin or eye contact. When inhaled
in high concentrations, chlorine gas causes suffocation,
constriction of the chest, tightness in the throat, and edema of the
lungs. At around 1,000 parts per million (ppm), it is likely to be
fatal after a few deep breaths. According to the National Institute
for Occupational Safety and Health, chlorine gas concentrations
of 10 ppm are classified as "immediately dangerous to life or
health" (IDLH). Depending on a number of factors—such as
release volume, terrain, temperature, humidity, atmospheric
stability, and wind direction and speed—a chlorine gas plume can
travel several miles in a short time at concentrations well above
IDLH.
At room temperature, chlorine is a greenish-yellow gas. Its
pungent and irritating bleach-like odor provides warning of high
concentrations. Chlorine gas can be detected by smell at
concentrations well below 1 ppm.
The chlorine repackaging process operation involves the
following:
Connecting an 82-metric ton (180,000 lb) chlorine tank car
to one of three unloading stations;
Transferring liquid chlorine from the tank car through the
process piping system to filling stations;
Loading the filled 68 kg (150 lb) cylinders and 1-ton
containers onto trucks for distribution;
Cleaning and preparing empty cylinders and containers
for reuse.
In addition to repackaging chlorine, the Festus facility also
runs a continuous bleach manufacturing process.
A chlorine tank car has four manually operated, one-inch
valves and a pressure relief device mounted within a protective
dome on top of the tank. Two valves are used for liquid chlorine
discharge, and two valves are connected to the vapor space;
however, at DPC Festus, one of these valves supplied “pad air” to
pressurize the tank car during chlorine unloading, and the other
was not in use. An excess flow valve, which closes when the rate of
flow exceeds 6804 kg/hr (15,000 lb/hr), is located beneath each
liquid valve. Liquid chlorine is withdrawn from inside the tank car
through eduction pipes attached to the excess flow valves.
The facility operated one of the three unloading stations at a
time. DPC specifications call for each chlorine transfer hose
assembly to be constructed of a PTFE (Teflon®) inner liner
(plastic), a Hastelloy C-276 structural reinforcement braid layer
(metal) for pressure containment, and a high-density
polyethylene (HDPE) spiral guard for abrasion protection.
The DPC Festus ESD system is designed to shut off accidental
releases of chlorine from the repackaging system. The ESD system
is activated either automatically or manually by several ESD
buttons located throughout the facility. At detection of 5 ppm
chlorine, the system alarms, with flashing lights and an audio
alarm. At concentrations of 10 ppm, the ESD valves are
automatically closed and a higher decibel audio alarm sounds.
Each tank car station is equipped with five ESD valves with local
indication of valve position. The ESD system is manually activated
at the end of each day; however, the DPC standard operating
procedures did not require verification that the ESD valves closed
using the local indicators.
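The alarm and trip thresholds described above, together with the closure check that the procedures did not require, as an added Python sketch (not DPC's or CCPS's logic). The class and function names, the valve tags, the fouled-valve sample state, and the handling of an invalid detector reading are assumptions made for illustration.

```python
import math
from dataclasses import dataclass, field
from enum import Enum

ALARM_PPM = 5.0    # from the text: flashing lights and audio alarm
TRIP_PPM = 10.0    # from the text: ESD valves close automatically


class Action(Enum):
    NONE = "none"
    ALARM = "alarm"
    TRIP = "trip"


@dataclass
class EsdValve:
    tag: str
    fouled: bool = False            # constructed fault: deposits keep the ball off its seat
    commanded_closed: bool = False
    indicates_closed: bool = False  # what the local position indicator shows

    def command_close(self) -> None:
        self.commanded_closed = True
        if not self.fouled:         # a fouled valve takes the command but never seats
            self.indicates_closed = True


@dataclass
class Station:
    name: str
    valves: list = field(default_factory=list)


def classify(ppm, button=False):
    """Map a detector reading (ppm) or a pushed ESD button to the required action."""
    if button:
        return Action.TRIP
    if ppm is None or math.isnan(ppm) or ppm < 0:
        # Assumption (not from the text): an invalid reading is treated as a demand.
        return Action.TRIP
    if ppm >= TRIP_PPM:
        return Action.TRIP
    if ppm >= ALARM_PPM:
        return Action.ALARM
    return Action.NONE


def respond(station, ppm=0.0, button=False):
    """Run one ESD demand; return (action, tags of valves not proven closed)."""
    action = classify(ppm, button)
    if action is not Action.TRIP:
        return action, []
    for valve in station.valves:
        valve.command_close()
    unconfirmed = [v.tag for v in station.valves if not v.indicates_closed]
    return action, unconfirmed


def command_only_check(station):
    """Weak test: passes once every valve has been told to close."""
    return all(v.commanded_closed for v in station.valves)


def end_to_end_check(station):
    """Strong test: passes only if every position indicator shows closed."""
    return all(v.indicates_closed for v in station.valves)


def build_sample_station():
    """Constructed sample: five ESD valves at one station, two of them fouled."""
    tags = ["ESD-3A", "ESD-3B", "ESD-3C", "ESD-3D", "ESD-3E"]
    fouled = {"ESD-3B", "ESD-3D"}
    return Station("station #3", [EsdValve(t, fouled=t in fouled) for t in tags])


if __name__ == "__main__":
    station = build_sample_station()
    print(classify(6.0))                   # below the trip point: alarm only
    print(respond(station, button=True))   # manual trip, with unconfirmed valve tags
    print(command_only_check(station), end_to_end_check(station))
```

The two checks disagree on the sample station: every valve accepted the close command, but two never indicate closed, which is the condition a button-only daily activation cannot reveal.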
What happened. On August 12, 2002, a tank car containing 81,647
kg (180,000 lb) of chlorine was connected to station #3, which
served all chlorine filling operations until the time of the release
on August 14. The facility repackaging production records indicate
that the car contained 36287 kg (80,000 lb) of chlorine at the time
of the incident. It was later determined that 21,772 kg (48,000 lb)
of chlorine had been released.
The chlorine repackaging system is on standby during
morning and afternoon breaks, lunch, and cylinder change-outs.
In both standby and shutdown modes, the chlorine transfer hoses
remain connected to the tank car.
Early on August 14, four DPC packagers, a truck driver, and
the operations manager started up the chlorine filling and
container preparation operations for the day. Mid-morning, two
of the packagers and the truck driver went to the designated
smoking area outside the repackaging building; the others
remained in the breakroom. Twenty minutes later, the three men
outside heard a loud pop (rupture of the 2.5 cm (1 in) chlorine
transfer hose) and observed a continuous release of chlorine at
tank car station #3. They immediately evacuated the area.
The leak activated an area chlorine detection monitor audio
alarm. The employees in the breakroom tried to identify the leak
source but found chlorine entering the repackaging building and
evacuated the building. The operations manager pushed the ESD
button as he exited in an attempt to manually shut off the chlorine
release. However, the release continued for nearly 3 hours, until
HAZMAT personnel closed the tank car valves.
DPC had four self-contained breathing apparatus (SCBA)
units. The packagers were trained on use of the SCBA and on how
to respond to a chlorine release; however, the SCBAs were not
maintained and arranged for easy access, so the packagers were
not able to grab the SCBAs as they left the building.
The nine DPC personnel working evacuated within ten
minutes. Seven followed the emergency plans to the assembly
point; two did not but were contacted on the radio.
DPC Festus had no sirens or other community-wide alert
systems to notify the estimated 1,500 people that live and work
within a 1.6 km (1 mi) radius of the plant. A drive-through “bull
horn” notification, followed by door-to-door evacuation, was
conducted at a neighboring mobile home park and residential
area. It took emergency response personnel over one hour to
evacuate the areas. Sixty-three people from the surrounding
community sought medical evaluation at the local hospital; three
persons were admitted and released the following day. Three
workers also received minor skin exposure to chlorine during
cleanup activities after the release.
Why it happened. Hastelloy C-276 and 316L stainless-steel
structural braiding are identical in appearance. DPC relied on
information from the supplier to verify that the chlorine transfer
hose met required specifications; the lack of an internal Quality
Assurance (QA) management system, including verification of
braid material, allowed the incorrect hose to be installed and left
in operation until it failed.
Inspection of the ESD valves showed ferric chloride corrosion
product on the valve balls that prevented the valves from closing
properly. The valve balls were constructed of Monel, which is
resistant to moisture-induced corrosion in chlorine service. The
corrosion products came from upstream at the pad air supply and
tank car assemblies, as well as from parts of the plant liquid and
pad air carbon steel piping. The DPC personnel did not
understand the causes and effects of moisture-induced corrosion
in the chlorine repackaging system and so were not alerted to
deteriorating equipment conditions.
According to the Chlorine Institute, the excess flow valve is
designed to close automatically against the flow of liquid chlorine
if the valve is broken off in transit. It may close if a catastrophic
leak involving a broken connection occurs, but it is not designed
to act as an emergency shutoff device during transfer. The tank
car excess flow valves were designed to close only if the flow rate
exceeds their set point of 6804 kg/hr (15,000 lb/hr). These valves
remained open during the release.

5.7.3 Management System Failures

III. Manage Risk

10. Asset Integrity and Reliability.


The DPC QA management system did not ensure that chlorine
transfer hoses met required specifications prior to installation
and use. Companies should develop and implement a quality
assurance management system, such as PMI, to confirm that
equipment is of the appropriate construction for its intended use.
PMI is a chemical analysis that verifies the percentage of metals
(e.g., iron, nickel) in various alloys, such as stainless steel and
Hastelloy. A PMI program can be used to verify critical part
components as a final check prior to shipping, receiving, and use.
The DPC testing and inspection program did not include
procedures to ensure that the process emergency shutdown
(ESD) system would operate as designed. The ESD testing
procedures did not require verification that the valves closed. The
mechanical integrity (MI) program failed to detect corrosion in the
chlorine transfer and pad air systems before it caused operational
and safety problems. Companies should implement procedures
and practices to ensure the emergency shutdown (ESD) system
operates properly, including the verification that the ESD valves
will close to shut down the flow.
Companies should implement a mechanical integrity (MI)
program that ensures critical process equipment and
components are designed, fabricated, installed, inspected, tested,
and maintained in a manner that preserves the originally
intended integrity of the equipment. Furthermore, management
should provide adequate oversight to ensure that only trained
and qualified personnel carry out these activities. Preventive
maintenance and inspection programs should consider the
various operating conditions that may be seen over the life cycle
of the equipment. These operating conditions may include
changes in environmental conditions, chemical composition or, in
this case, exposure to corrosion products that migrated from
other parts of the system.

16. Emergency Management.


Lack of clear emergency response plans and supporting
equipment resulted in additional exposure to neighboring
residents and businesses. Companies should develop,
communicate, test, and learn from the use of emergency
response plans. The roles and responsibilities of emergency
response personnel should be clearly described. These plans
should include local emergency responders and should
accurately reflect their capabilities and resources, including
community notification systems. Drills should be coordinated to
involve local emergency response authorities.

5.8 GEORGIA-PACIFIC HYDROGEN SULFIDE POISONING, ALABAMA, US, 2002

5.8.1 Summary
On January 16, 2002, hydrogen sulfide (H2S) gas leaked from a
sewer manway at the Georgia-Pacific Naheola Mill in Pennington,
Alabama. Several people working near the manway were exposed
to the gas. There were two contractor fatalities, and seven people
were injured. Choctaw County paramedics who transported the
victims to the hospitals also reported symptoms of H2S exposure.
The CSB called on the Agency for Toxic Substances and
Disease Registry, the Pulp and Paper associations, and the
associated unions to consider and communicate the risks of
hydrogen sulfide exposure (CSB 2003c). This incident prompted
the CSB to release a Safety Bulletin that warns of the dangers of
sodium hydrosulfide and to recommend safe practices to prevent
accidents when handling the chemical. The CSB found forty-five
accidents associated with sodium hydrosulfide that have caused
thirty-two fatalities and 176 injuries since 1971.

Key Points
Hazard Identification and Risk Analysis – Be careful with what
you are mixing! The need to analyze chemical reactivity may be
more obvious in the process unit. However, the potential for
chemical reactions with potential hazardous results in utility
systems such as in drains and vents should not be overlooked.
Emergency Management – Right to know. Make sure all
involved (designers, operators, emergency responders, etc.)
know what materials are on site, where they are located, how
to handle them, and emergency procedures in case of
accidental release.
Management of Change – Little things add up. Over the years,
adding a little connection here or there may result in a
significant change. Changes, big or small, should be analyzed
so that hazards may be identified.

5.8.2 Description
Background. The Georgia-Pacific Naheola Mill is located in
Pennington, Alabama, approximately 201 km (125 mi) north of
Mobile and 241 km (150 mi) southwest of Birmingham. The mill
began operation in 1958, went through a series of mergers and
acquisitions, and now operates as Fort James Operating
Company, a fully owned subsidiary of Georgia-Pacific
Corporation. The Naheola Mill produces over 589,670 metric tons
(650,000 tons) of paper, paperboard, and pulp annually.
Approximately 1,475 employees work at the mill.
Process. The Naheola Mill uses the Kraft process to produce pulp.
In this process, wood chips are treated with a liquor of sodium
hydroxide and sodium sulfide that chemically breaks them down
into pulp. The liquor is recycled, and fresh chemicals are added,
including sodium hydrosulfide (NaSH). The pulp is sold as pulp
and, after processing, as tissue, towels, and paperboard.
The NaSH is delivered by tank truck and stored on site. The
Naheola Mill may go several months without a delivery and then
bring in several tank trucks in a short span of time to replenish
the supply. NaSH is delivered to an unloading station located in a
typically unoccupied area near the maintenance shops, between
the chemical area and the wastewater treatment area. Fuel oil
and caustic are unloaded in the same area. Refer to Figure 5.8-1.

Figure 5.8-1 – Layout of tank truck unloading station (courtesy CSB).

What happened. Sodium hydrosulfide was being unloaded on
January 15–16. Construction employees were working on a
project in the vicinity of the tank truck unloading station.
The unloading station consists of a large concrete pad sloped
to a collection drain. A shallow concrete oil pit containing
unloading pumps and associated process piping is located
directly next to the pad and collection drain. This pit collects
rainwater, condensate, and chemical spills from the unloading
station.
Fifteen tank trucks of NaSH had been unloaded in the 24
hours prior to the incident, resulting in some NaSH being in the
oil pit along with water. An operator drained some liquid from the
pit to avoid having the construction crew stand in the fluid-filled
pit.
On the day of the incident, more tank trucks arrived carrying
NaSH. During the unloading process, approximately 19 l (5 gal) of
NaSH were spilled from these three tanks to the collection drain.
At the same time, sulfuric acid was being added to the acid
sewer to control pH downstream in the effluent area. The NaSH
that had been spilled to the oil pit and the collection drain drained
to the sewer and reacted with the sulfuric acid to form H2S. The
cloud of H2S gas leaked through a gap in the seal of a manway
near the construction workers. The two fatalities were
contractors; seven other people were injured due to H2S
exposure. Six Choctaw County paramedics who transported the
victims also reported symptoms of H2S exposure.

5.8.3 Management System Failures

II. Understand Hazards and Risk

7. Hazard Identification and Risk Analysis.


There was no management of the chemicals in the oil pit: no
hazard review and no chemical reactivity control. During
the truck unloading process, several potential sources of NaSH
could leak and drain through the oil pit or collection drain to the
acid sewer. The NaSH safety data sheet states that its interaction
with acid will produce H2S. Companies should identify potential
chemical reactions. This analysis should include not only the main
process where the chemical is used, but also other systems where
chemicals may collect and interact, such as sewers and vent
systems. Safeguards should be put in place to decrease the
likelihood or consequences of such interactions.

III. Manage Risk

8. Operating Procedures.
Operating procedures for NaSH tank truck unloading and oil pit
operations did not warn of the hazard of mixing NaSH with acids
or the hazard of allowing NaSH to enter sewers. Companies
should ensure that operating procedures warn of the hazards of
the chemicals being handled, including the hazards of mixing
chemicals.
13. Management of Change.
Modifications to the acid sewer over a period of several years
included connections to the chlorine dioxide sewer, to the sewer
from the truck unloading area, and to the containment area
known as the oil pit. These changes were not managed with a
formal MOC process, and there was no hazard evaluation or
consideration of the potential chemical reactions. The potential
for H2S evolution was not identified; therefore, no detectors or
alarms were placed in the oil pit area. Companies should apply
good engineering and process safety principles to all areas
handling toxic materials, including process sewer systems. This
should include hazard reviews and management of change (MOC)
analyses.
16. Emergency Management.
Since H2S was not identified as a hazard, there were no detectors
or alarms in the area to warn of a release. Personnel had only
their sense of smell to indicate the possible presence of H2S;
however, smell is not a reliable indicator for H2S because the gas
causes olfactory fatigue. Companies should identify areas where
toxic materials could be present or generated and provide
safeguards (including detectors and alarms) to minimize
exposure. Personnel should be trained to recognize the presence
of toxic materials and the appropriate emergency response
practices for conducting a rescue operation.
The victims were not decontaminated at the scene, because
this was not required in the local procedures. Company
emergency response plans should include procedures for
decontaminating personnel when necessary for their own safety
and also for the safety of emergency responders.

5.9 CITGO HF RELEASE AND FIRE, TEXAS, US, 2009

5.9.1 Summary
A fire in the alkylation unit at CITGO's Corpus Christi refinery led
to a release of hydrofluoric acid (HF). One worker was critically
burned. One other employee was treated for possible HF
exposure during emergency response activities.
The CSB investigation raised questions regarding the
adequacy of the water mitigation system supply (CSB).

Key Points
Emergency Management – Plan for the worst. Emergency
response plans and equipment should consider the worst-case
events. When an incident could continue for many hours or
days, backup systems may be required. These backup systems
should be tested and maintained to ensure they will function
when called into service.
Auditing – Consider audits as a gift. Audits enable the
identification of potential problems before an incident occurs.
Audit protocols often include learnings from across a company
or industry. The gift of audit findings should be welcomed, even
sought.

5.9.2 Description
Background. CITGO’s refineries in Corpus Christi, Texas, and
Lemont, Illinois, include HF alkylation units. Processes using 454
kg (1,000 lb) or more of HF must comply with the US Occupational
Safety and Health Administration (U.S. OSHA) Process Safety
Management Standard for Highly Hazardous Chemicals (29 CFR
1910.119) and the US Environmental Protection Agency (EPA)
Chemical Accident Prevention Program (40 CFR 68). In addition,
HF is listed as an extremely hazardous substance for the purposes
of emergency planning under the U.S. EPA EPCRA.
Process. Alkylation units convert low-molecular-weight
hydrocarbons into higher octane hydrocarbons used in gasoline.
The catalyst used in alkylation units is either sulfuric or
hydrofluoric acid. HF is a corrosive, highly toxic chemical that can
severely burn skin, eyes, and other tissue.
CITGO installed an HF water mitigation system after a 1977
alkylation unit release and fire. The water mitigation system was
intended to wash the HF release out of the air to protect the
downwind community.
What Happened. On July 19, 2009, a control valve failed when an
internal plug unthreaded from the valve stem, closing the valve.
This sudden and nearly complete flow blockage caused violent
shaking of the process recycle piping, resulting in failure of two
threaded connections and a release of hydrocarbons. The
hydrocarbon cloud reached an adjacent unit and ignited. The
resulting fire caused multiple other failures and burned for
several days. Only one bypass valve was installed in the system. It
was a manually operated valve and was inaccessible following the
hydrocarbon release.
CITGO reported approximately 19 metric tons (21 tons) of the
released HF was captured by the HF water mitigation system and
14 kg (30 lb) were not captured. Studies have shown that these
water mitigation systems are 90 to 95% efficient or less. Using
these efficiencies, the release would have been about 1.8 metric
tons (2 tons).

5.9.3 Management System Failures

III. Manage Risk

16. Emergency Management.


The Alkylation Unit PHA assumed that the HF mitigation system
was available to minimize the consequences of an HF release.
During the incident, salt water from the Corpus Christi ship
channel was pumped into the CITGO fire water system to backfill
the fire water supply tank. Multiple failures occurred during the
salt water transfer, including multiple ruptures of the barge-to-
shore transfer hoses and two water pump engine failures.
Water supplies used for firefighting or toxic cloud mitigation
should be designed to provide adequate supplies for the duration
of a potential incident through storage capacity and/or a backup
system. The entire system, including any backup water supply
arrangements, should be periodically tested to ensure that it
functions to its design specifications.

IV. Learn from Experience

19. Auditing.
API RP 751, Safe Operation of Hydrofluoric Acid Alkylation Units,
recommends refineries audit the safety of HF alkylation
operations every three years. API 751 details elements to be
included as part of a comprehensive audit plan. CITGO had never
conducted an API RP 751 safety audit of HF alkylation operations.
Companies should benefit from the learnings provided in
industry guidance documents. HF alkylation unit operations
should be audited using API RP 751 by a lead auditor with an
extensive knowledge of HF hazards, HF alkylation units, and API
RP 751.

Figure 5.10-1 – Hube Global and surrounding area (courtesy
Korea Institute of Public Administration).

5.10 HUBE GLOBAL HF RELEASE IN GUMI, SOUTH KOREA, 2012

5.10.1 Summary
On September 27, 2012, eight metric tons (8.8 tons) of
hydrofluoric acid (HF) was released at the Hube Global plant in
Gumi, South Korea. The incident resulted in five fatalities,
eighteen injuries, three thousand residents seeking medical
treatment, 212 hectares (534 acres) of damaged crops, and more
than thirty-nine livestock being exposed and destroyed.
The incident prompted the Korean government to create a
“Comprehensive Plan for Chemical Safety” that introduced off-site
consequence analysis as well as other requirements. It also
prompted changes to promote cooperation between emergency
responders, including governmental agencies (Korea Institute of
Public Administration).

Key Points
Compliance with Standards – Having and using a safety
management system is fundamental. Regulatory entities and
companies both need to commit to process safety.
Emergency Management – Cooperate. Emergency response
often calls upon several different organizations that may not
work closely in their day-to-day work. Planning and conducting
drills will highlight areas where cooperation may be improved.

5.10.2 Description
Background. The Hube Global plant is located in Gumi, South
Korea, about 200 km (124 mi) from Seoul. The commercial area
was originally developed with the goal of attracting high-tech
firms but now includes other industries, primarily manufacturing.
Refer to Figure 5.10-1. In 2008, Hube Global, a South Korean-
Chinese joint venture headquartered in Seoul, opened the plant
to supply raw materials to the electronics, chemicals, cosmetics,
pharmaceuticals, and biotech sectors.
Process. Hydrofluoric acid is used to produce chemical precursors
for the pharmaceutical industry and also has other industrial
applications. HF is highly toxic, and exposure can be fatal or cause
serious damage to the skin, lungs, heart, bones, and nervous
system.
What Happened. Investigation reporting of this incident is limited.
The incident occurred during the unloading of an HF delivery
tanker when the delivering vessel was pressurized, pushing the
HF into the receiving vessel. A security video camera recorded two
workers on top of the receiving vessel. It appears that the
operator opened the valve before the connection was complete.
The HF release, which was estimated at eight tons, engulfed the
workers. The delivering vessel was reportedly not clearly marked,
leaving the emergency responders unaware of the toxic HF
contents, which resulted in further exposure to the responders
and broader community. Refer to Figure 5.10-2.

Figure 5.10-2 – Hube Global HF release (courtesy of Korea
Institute of Public Administration).

Figure 5.10-3 – Crop damage due to Hube Global HF release
(courtesy of Korea Institute of Public Administration). The sign in
this photograph reads "Hydrofluoric Acid release accident
disaster area. Absolutely no consumption or use. ~ Gumi City
Safety Counsel."

The initial government response to the accident and slow
evacuation of nearby residents were criticized by the Korean
media. On October 8, the South Korean government designated
the area around the plant as a “special disaster zone.” Refer to
Figure 5.10-3.

5.10.3 Management System Failures

I. Commit to Process Safety

2. Compliance with Standards.


There was a Process Safety Management (PSM) system in place to
prevent major industrial accidents such as chemical plant
explosion, fire, and leakage; however, Hube Global was originally
not covered by the regulation. They were covered as of 2009 but
did not submit the report to the Ministry of Employment and
Labor. The Ministry of Environment required that when dealing
with hazardous materials, such as hydrofluoric acid, the person in
charge needs to control the leak by using a counteragent; however,
Hube Global was not equipped with a counteragent. Companies
should comply with process safety regulations, including
reporting and emergency response requirements.
5. Stakeholder Outreach.
Under the Toxic Chemical Control Act, nearby residents should
have been informed of the Self-Prevention Plan in advance;
however, Hube Global was not subject to public disclosure and
thus the residents nearby were not aware that the Hube Global plant
handled hazardous materials. Companies should ensure that
neighbors who could potentially be impacted by fires, explosions,
or toxic releases are aware of the chemicals handled at the site,
their associated hazards, and appropriate emergency response
measures.

III. Manage Risk

16. Emergency Management.


Firefighters who initially responded to the Hube Global incident
may not have been aware of HF acid hazards or how to protect
against them. The first firefighters on the scene wore typical
firefighting bunker gear, which is not appropriate for HF
exposure. Facilities handling HF should ensure that workers and
emergency responders are provided with appropriate PPE so that
they can attempt to isolate the release and respond to the
emergency.
At the time of the accident, neither the Gumi city government
nor the Hube Global plant had supplies of slaked lime, an agent
used to neutralize the acid. Slaked lime was not deployed at the
accident scene until the day after the leak. Water mitigation
systems may be used to wash the HF cloud out of the air to
protect downwind employees and neighbors.
The emergency response involved government agencies (one
focusing on fires and explosions, and one with chemical accident
investigation equipment) and the Army, which had personnel and
equipment for neutralizing chemicals in terror attacks. The local
fire department requested support from the Army; however, the
Army rejected the request because the accident was not a terror
attack.
Following the accident, the National Institute of Chemical
Safety enhanced cooperation, including information sharing,
among government agencies concerned with chemical safety.
Emergency response plans should be drilled. These drills will
serve to highlight any areas for improved cooperation between
the responding agencies.

5.11 OTHER INCIDENTS


Five environmental and toxic release incidents were described in
the first edition of this book.
ICMESA chemical release, Seveso, Italy, July 10, 1976
(2,4,5-trichlorophenol, ethylene glycol, and chlorinated
phenols; 2,3,7,8-tetrachloro-dibenzo-para-dioxin (TCDD)).
Dioxin first came to widespread attention during the
Vietnam War when it was identified as a component of
Agent Orange.
Union Carbide methyl isocyanate release, Bhopal, India,
December 3, 1984
Marathon Oil Refinery HF release, Texas City, Texas,
October 30, 1987
Sinking of the “Erika”, Bay of Biscay, France, December 12,
1999
Motiva Enterprises LLC sulfuric acid tank failure, Delaware
City, Delaware, July 17, 2001

5.12 ADDITIONAL RESOURCES


The following books and resources are available to help
understand the prevention of environmental and toxic releases.
“Chemical Reactivity Resources” The chemical reactivity
resources listed in Chapter 2 may also be helpful in the avoidance
of reactions that can generate toxic releases.
Guidelines for Asset Integrity Management (CCPS 2016). This
book is an update and expansion of topics covered in Guidelines
for Mechanical Integrity Systems (2006). The new book is
consistent with the RBPS and Life Cycle approaches and includes
details on failure modes and mechanisms. Also, example testing
and inspection programs are included for various types of
equipment and systems. Guidance and examples are provided for
selecting and maintaining critical safety systems.
Guidelines for Engineering Design for Process Safety, 2nd Edition
(CCPS 2012). The book focuses on process safety issues in the
design of chemical, petrochemical, and hydrocarbon processing
facilities. It discusses how to select designs that can prevent or
mitigate the release of flammable or toxic materials, which could
lead to a fire, explosion, or environmental damage.
Guidelines for Chemical Transportation Safety, Security and Risk
Management (CCPS 2008a). This CCPS Guideline book outlines
current transportation risk analysis software programs and
demonstrates several available risk assessment programs for
land transport by rail, truck, and pipeline for consequences that
may affect the public or the environment. Topics include loading
and unloading and operating procedures to reduce human error.
Transportation Incidents
6.1 INTRODUCTION
Incidents that Define Process Safety (CCPS 2008) included a number
of transportation incidents in the marine and aviation sectors.
This chapter will focus primarily on train and pipeline incidents.
Unlike incidents that occur in a facility such as a refinery,
chemical plant, or offshore platform, transportation incidents
may occur anywhere along a vast pipeline route or transportation
corridor. These pass through open countryside, but also through
communities and densely populated cities where, if an incident
occurs, the consequences can be great.
The CCPS RBPS element of Stakeholder Outreach is very
important in transportation risk management. Many pipeline
incidents have occurred due to damage from mechanical digging
equipment, such as a backhoe, that was inflicted years before the
incident. Having open conversation and tools for people to
understand where pipelines are can greatly aid in preventing
accidental damage. Whether from damage or from aging,
understanding the integrity of a pipeline system that spans
thousands of miles is a challenge, especially since the original
construction data may no longer be available. Ensuring that
integrity management systems are robust and based on good
data has been the subject of regulation following incidents
described in this chapter.
Considering the expanse of pipeline networks, planning for
and managing an emergency can be daunting since a release can
occur anywhere along their route. This means that stakeholder
outreach and emergency response should work together to make
sure that the location of the incident can be pinpointed, that the
potentially impacted people can quickly be made aware of the
situation, and that plans are clear on how to verify the emergency
situation is rendered safe, and how to clean up the aftermath.
A few of the incidents highlight two important elements of the
conduct of operations: design expectations and what to do when
an operation doesn’t seem right. The key learning here is that if
there is an expectation for an operator to respond in a certain
way, then that information should be clearly stated, implemented
in design/training, and tested. Equally, if an operator is working
on a task and it just doesn’t seem right, then he should stop. Stop,
think, check it out, plan the appropriate next steps, and then
proceed.

6.2 MONTREAL, MAINE & ATLANTIC RAILWAY DERAILMENT AND FIRE, QUEBEC, CANADA, 2013

6.2.1 Summary
In the early hours of July 6, 2013, an unattended Montreal, Maine
& Atlantic (MMA) Railway train rolled from its overnight parking
location and proceeded over seven miles into the town of Lac-
Megantic, where it derailed. The train was carrying crude oil and
the resulting fires and explosions fatally injured forty-seven
people and destroyed forty buildings and fifty-three vehicles.
Refer to Figure 6.2-1. Forty-seven counts of criminal negligence
were filed against three MMA employees, and the company
declared bankruptcy as a result of this incident (TSB 2013).
This incident prompted discussions on the safe rail
transportation of crude oil and the DOT final rule in May 2015 to
strengthen safe rail transportation of large volumes of flammable
liquids (NCSL, 2015).
Key Points
Compliance with Standards – Comply with industry and
company standards. Standards include the experience, hard
learnings, and even expert calculations of many others. Take
their advice and follow the standards.
Management of Change – Beware of creeping change. When
small changes happen slowly over time, it is easy to overlook
them. Eventually the small changes add up to a big change that
has not been realized or had the risk managed.
Emergency Management – Is it really “all clear?” It’s human
nature to want an emergency to be over—to declare it under
control. However, when that emergency involves operating
equipment, an expert in the control of that equipment should
be consulted to verify that the equipment status is truly safe.

Figure 6.2-1. Lac-Megantic tank cars with breaches to their shells (adapted from TSB).

6.2.2 Description
Background. The MMA-002 train was traveling from Farnham,
Quebec, to Brownville Junction, Maine. The train was made up of
seventy-two cars carrying 7.7 million liters (2 million gal) of crude
oil (UN1267). Just before midnight on July 5, 2013, the train was
parked in Nantes.
Process. The 1,433 m (4,700 ft) long train contained seventy-two
tank cars loaded with crude oil from the Bakken fields in North
Dakota (NTSB 2015). The cars were of the DOT-111 design. With
fracked crude coming primarily from Texas and North Dakota, the US
was producing more crude oil than it had in thirty years.
Transportation of crude oil by rail had increased significantly to
move the crude to refineries for processing. Carloads carrying oil
in 2014 rose by more than 5,000% when compared with 2008
numbers (NCSL 2015).
The fracked crude oils from formations such as the Bakken
are of a lower density, flow freely at room temperature, and have
a higher proportion of light hydrocarbon fractions resulting in
higher API gravities (between 37° and 42°). A Sandia report stated
that “No single parameter defines the degree of flammability of a
fuel; rather, multiple parameters are relevant.” (Sandia 2015) The
attention following this incident is continuing to prompt
discussion on the safe transport of various classifications of crude
oils.
What Happened. The locomotive engineer stopped the train on a
downhill grade on the main track. He used the automatic brakes
and applied the brakes on the locomotive and the buffer car. He
then began to apply the hand brakes and shut down the trailing
locomotives. He tested the hand brake by releasing the
locomotive automatic brakes but did not release the locomotive
independent brakes.
He communicated with the rail traffic controller, noting
mechanical difficulties he had experienced, including excess
smoke and a loss of power in the lead engine. They decided to
address these issues in the morning. The locomotive engineer
went off-duty to stay in a Lac-Megantic hotel. The taxi driver noted
the smoke from the smokestack, along with oil droplets. The
locomotive engineer stated that he had informed the company of
the issue.
Just before midnight, a fire was reported on a train at Nantes.
A track foreman met with the fire department and was told that
the emergency fuel cut-off switch had been used to shut down the
lead locomotive. This stopped the fuel to the fire. The firefighters
also put the locomotive electrical breakers in the off position. The
track foreman and the fire department were in conversation with
the rail traffic controller. The locomotive engineer asked the rail
traffic controller if he needed to return to the train to start
another engine. He was told that the track manager had
dispatched a track foreman to the site. The train was left for the
night with no engines running.
Over the course of the next hour, air pressure bled from the
brake system, and the train began to roll downhill. It reached a
speed of over 105 kph (65 mph) and traveled the 11.6 km (7.2 mi)
to the town of Lac-Megantic, where sixty-three railcars derailed,
releasing approximately six million liters (1 million gal) of crude
oil. The spill flowed to the lake, ignited, and resulted in the forty-
seven fatalities.
Why It Happened. The MMA procedure for parking of unattended
trains required 9 hand brakes to be set for trains of this length
and additional hand brakes to be used if the train was parked on
a slope of the grade in Nantes. Canadian rail industry best practice
would have been to set 40% of the train hand brakes. Only seven
hand brakes were set on this train, and the engineer improperly
performed a brake test without releasing the locomotive’s air
brakes. When the firefighters responded to the train fire in
Nantes, they shut down the locomotive per the firefighting
procedure; however, they did not follow the procedure
addressing parking the train on the grade. Additionally, they did
not contact the locomotive engineer. With none of the other
locomotives running, the air in the brake system started to
deplete, and an hour later the train began to roll downhill. The
train reached 105 kph (65 mph). The track in the Lac-Megantic
switch area was rated for only 24 kph (15 mph).
At the time of the incident, the DOT-111 train car was the
standard car for flammable liquids. A number of changes
happened during the increased production of fracked crudes,
including the number of cars in a single train, the overall volume
of crude transported by train, and the properties of the fracked
crude itself. The DOT-111 car was not capable of withstanding the
impacts experienced in the Lac-Megantic derailment. A 2015 DOT
final rule addressed “high-hazard flammable trains” (HHFT) which
means “a continuous block of twenty or more tank cars loaded
with a flammable liquid or thirty-five or more tank cars loaded
with a flammable liquid dispersed through a train.” This rule
included provisions on enhanced braking, enhanced standards
for new and existing tank cars, reduced operating speeds, more
accurate classification of unrefined petroleum-based products,
and rail-routing risk assessment (DOT 2015). The DOT-117 is the
new generation of rail car now used for transportation of HHFTs.
It includes thicker gauge jackets, head shields, and tank ends and
improved valve designs. Refer to Figure 6.2-2.

Figure 6.2-2. DOT-117 Train car (courtesy DOT).
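
The HHFT definition quoted above has two independent triggers: a continuous block of twenty or more loaded flammable-liquid tank cars, or thirty-five or more dispersed through the train. The following is an added example, not part of the original text or of the DOT rule, that applies that definition to a train consist. The `Car` fields, the use of hazard class "3" to mark a flammable liquid, the reading that an empty or non-flammable car interrupts a block, and all sample consists are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, NamedTuple

# Thresholds taken from the HHFT definition quoted in the text.
HHFT_BLOCK_MIN = 20      # "continuous block of twenty or more tank cars"
HHFT_DISPERSED_MIN = 35  # "thirty-five or more ... dispersed through a train"


@dataclass(frozen=True)
class Car:
    """One vehicle in a consist. Field names and labels are assumptions."""
    kind: str                # e.g. "locomotive", "buffer", "box", "tank"
    loaded: bool = False
    hazard_class: str = ""   # "3" is used here to mark a flammable liquid


class HHFTResult(NamedTuple):
    is_hhft: bool
    longest_block: int   # longest run of loaded flammable-liquid tank cars
    total: int           # all loaded flammable-liquid tank cars in the train
    reason: str


def is_flammable_tank(car: Car) -> bool:
    # Only *loaded* tank cars count; the definition says "loaded with".
    return car.kind == "tank" and car.loaded and car.hazard_class == "3"


def classify(consist: List[Car]) -> HHFTResult:
    """Apply both triggers of the quoted definition to an ordered consist."""
    longest = run = total = 0
    for car in consist:
        if is_flammable_tank(car):
            run += 1
            total += 1
            longest = max(longest, run)
        else:
            run = 0  # assumption: any other car interrupts the block
    if longest >= HHFT_BLOCK_MIN:
        return HHFTResult(True, longest, total, "continuous block")
    if total >= HHFT_DISPERSED_MIN:
        return HHFTResult(True, longest, total, "dispersed")
    return HHFTResult(False, longest, total, "below thresholds")


CRUDE = Car("tank", loaded=True, hazard_class="3")
BOX = Car("box", loaded=True)

# Constructed consist resembling the train in the text: seventy-two loaded
# crude oil tank cars behind the locomotives and a buffer car. The number
# of locomotives is a constructed value.
MMA_LIKE = [Car("locomotive")] * 2 + [Car("buffer")] + [CRUDE] * 72

# Constructed: 35 crude cars in seven groups of five, split by box cars.
DISPERSED = ([CRUDE] * 5 + [BOX]) * 7

# Constructed: 19 + 15 crude cars split by one box car (34 total).
JUST_UNDER = [CRUDE] * 19 + [BOX] + [CRUDE] * 15

# Constructed: 25 empty tank cars do not count as "loaded".
EMPTIES = [Car("tank", loaded=False, hazard_class="3")] * 25

if __name__ == "__main__":
    for name, consist in [("MMA_LIKE", MMA_LIKE), ("DISPERSED", DISPERSED),
                          ("JUST_UNDER", JUST_UNDER), ("EMPTIES", EMPTIES)]:
        print(name, classify(consist))
```

The `JUST_UNDER` case shows how a single interposed car keeps a train with 34 loaded flammable-liquid tank cars outside both triggers under this reading.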


6.2.3 Management System Failures

I. Commit to Process Safety

2. Compliance with Standards.


The MMA SOP required a prescribed number of hand brakes to
be set, depending on the number of rail cars and the grade of the
parking location. The MMA-002 train was not in compliance with
this requirement. Additionally, the brake effectiveness check was
not performed correctly in that the check was conducted with the
air brakes set. Standards, whether regulatory or company, should
be followed. When standards are not followed and work is
completed based solely on one’s experience or judgment, then
the benefit of other people’s experiences, hard learnings, and
even expert calculations is a resource and opportunity wasted.

III. Manage Risk

10. Asset Integrity and Reliability.


The locomotive that failed had engine problems in October 2012,
and a repair was made. Two days before the Lac-Megantic
incident, the locomotive engineer reported problems with the
same engine surging. When the locomotive was parked at Nantes,
the smoke and oil spray were noticed by the taxi driver, but the
locomotive engineer and the rail traffic controller felt it could wait
until morning to be addressed. Nonetheless, this same engine
was the only one left running and was the sole source of air
pressure for the parked train. After the incident, tests showed that
the cam bearing had fractured when the mounting bolt was over-
tightened after the non-standard repair in October. Repairs
should be made following expert direction. “Making do” with
materials on hand and over-tightening bolts are frequently noted
in accident reports. Additionally, operational issues with
equipment that has been repaired should be reported and
investigated to ensure that it is fit for continued service.
13. Management of Change.


This incident is an example of creeping change in an industry over
a number of years. The industry was generally satisfied with the
performance of the DOT-111 cars. However, significant changes
were being made to the number of cars in a single train, the
volume of crude oil being transported, and the properties of the
crude oil. The impacts of these changes on the risk profile were not
effectively addressed until this incident prompted the industry to
do so. Likewise, the MMA railroad did not perform an adequate
risk assessment when they began transporting large trains of
flammables. In particular, MMA did not assess the risk of changing
to single person train operations or the risk of leaving trains
unattended on a grade. In addition to procedural changes, a
thorough risk assessment could have recommended several
engineered safeguards, including the use of engine auto-start on
low air pressure and a software upgrade that would automatically
apply full emergency braking upon reaching low air pressure,
before the air was completely exhausted.
16. Emergency Management.
The emergency response to the train on fire at Nantes was also
an opportunity to stop the incident before it progressed, but this
opportunity was missed since MMA management assigned a
person who had not been trained and qualified as a locomotive
engineer to assist the fire department. An emergency scene
should not be declared under control until personnel qualified to
make that determination are on scene and able to do so. For
example, with a house fire, the fire department may work in
conjunction with a utility company to determine whether the fire
is under control. With operating equipment, experts in the use
and control of that particular equipment should be consulted
before the scene is declared safe.
6.3 NORFOLK SOUTHERN COLLISION AND HAZARDOUS MATERIALS RELEASE, SOUTH CAROLINA, US, 2005

6.3.1 Summary
On January 6, 2005, a Norfolk Southern Railway freight train
collided with another parked Norfolk Southern train. The collision
derailed sixteen of the forty-two freight train cars. Among these
derailed cars were three tank cars containing chlorine, one of
which released chlorine gas. Nine people died from exposure to
the chlorine gas and 554 people sought treatment in hospitals.
Approximately 5,400 people near the derailment site were
evacuated for several days (NTSB, 2005).

Key Points
Stakeholder Outreach – Speak to your stakeholders. Plan
together. Talking among yourselves will likely not provide the
best understanding and response. Working together in
advance, understanding who all may be involved, and planning
together will help support an effective response.
Conduct of Operations – Whatever control you are using, make
sure it works. If it is an engineered system – maintain it. If it is a
procedure – follow it. And if there is a safeguard – make sure
there is time for you to identify the issue, time for you to
respond, and sufficient time for the device to function properly
to prevent an incident.
Emergency Management – Be specific in communications.
Identify the best means of communication before an incident
occurs. Interpret the safety data sheet and plan appropriately.
Depending on the potential hazards, emergency
communications may require advising people to shelter in
place or to seek higher ground.
6.3.2 Description
Background. Graniteville is a rural community located in a valley
with approximately 5,400 people living within 1.6 km (1 mi) of the
accident site. The Norfolk Southern track in the area is not
equipped with automatic signals indicating rail switch positions.
There are a number of sidings, short sections of track distinct
from the main line, servicing the local industries.
Process. The process is that of moving train cars on various
industry sidings using both the sidings and some sections of main
line.
What Happened. On the day before the accident, train cars were
moved around the various sidings during the day. Shift change
occurred in the evening. At 2:39 a.m., a train traveling at 77 kph
(48 mph) was unexpectedly diverted onto an industry siding and
into a parked train. Refer to Figure 6.3-1. Several railcars ruptured.
Approximately 54 metric tons (60 tons) of liquefied chlorine gas
was released and rapidly vaporized.
The conductor and engineer survived the impact. They exited
the train, moved about 91 m (300 ft), traveled a bit further, and
lay on the ground. They saw white or gray smoke and smelled
chemicals.
Winds were light that night, and the chlorine cloud settled in
the valley along the track. There were numerous 911 calls as
people smelled the gas. The local fire departments responded,
sensed the gas, and stood back from the scene. At 2:49 a.m., the
fire department asked that the reverse 911 emergency
notification system be activated, advising residents to shelter
indoors. At 2:57 a.m., the fire department asked that road traffic
for a one-mile radius around the site be blocked and reiterated
the reverse 911 request. From 3:05 a.m. to 3:40 a.m., the fire
department set up an incident command center, moved that
center further away, accessed information on the materials in the
breached tank cars, and set up a second decontamination center.
At 3:50 a.m., firefighters began rescuing people from adjacent
industrial sites.

Figure 6.3-1. Norfolk Southern Railway freight train derailment site (courtesy NTSB).

Meanwhile, the reverse-911 system worked, but
communication to the local residents was not entirely effective.
Some people were told to shelter in place, and some were told to
evacuate but were not given any guidance on how or in which
direction to go.
At 11:00 p.m. on the day of the incident, the emergency
responders used a polymer patch on one of the ruptured tank
cars. This was the start of the process of containing and then
unloading the contents from the damaged railcars. This process
was completed on January 18.
Why It Happened. The train diverted onto the industry spur
because the switch had not been moved to disconnect the spur
from the main line. The switches were manual, and there was no
mechanism to remind personnel of the switch position before
they left the site. Federal Railroad Administration data has shown
that a leading cause of train accidents is improperly lined switches
(NTSB 2005).
The NTSB concluded that there was not sufficient reaction
time for the train engineer to see the signal position banner, react,
and stop the train.

6.3.3 Management System Failures

I. Commit to Process Safety

5. Stakeholder Outreach.
Railroads, like other transportation corridors, often traverse
populated areas, and the people in those areas may be impacted
by an incident on the traffic corridor at any time of the day or
night. This understanding and the details of what types of
chemicals might be involved, as well as what the appropriate
responses might be, should be communicated and understood by
local authorities. This requires cooperation between all the
stakeholders involved: the company that owns/produces the
chemical, the company transporting the chemical, the local
emergency responders, and the neighboring residents.

III. Manage Risk

15. Conduct of Operations.


The many local sidings in this area were manually switched from
the main line. Although this is a railway incident, there are many
parallels to an operating process unit and the hierarchy of
controls. A better design would have been to automate the
switches or to implement an administrative control to keep track
of switch position. The switch position signal safeguard that was
in place should have been analyzed to ensure that the signal
could be detected and responded to, and that it was reliable
enough to function in sufficient time to prevent the incident.
16. Emergency Management.


While the reverse 911 system worked, it alone was not sufficient
to protect the exposed people. Effective communication and
cooperation between all stakeholders are required. Planning for
effective communication should include such factors as: how to
promptly identify materials involved, reviewing and
understanding SDS guidance on appropriate emergency
response procedures, providing clear and specific direction to
residents on how to respond (e.g., direction of travel), and
preparing communication channels for use in an emergency.

6.4 GAYLORD CHEMICAL NITROGEN TETROXIDE RELEASE, LOUISIANA, US, 1995

6.4.1 Summary
On October 23, 1995, a railroad tank car containing nitrogen
tetroxide and water began leaking at the Gaylord Chemical
Corporation plant in Bogalusa, Louisiana. Plant personnel and fire
responders used water to suppress the vapors. Approximately
3,000 people were evacuated. Of the 4,710 people that were
treated at local hospitals, eighty-one were admitted (NTSB 1998).

Key Points
Conduct of Operations – If it doesn’t seem right, stop and check!
When a measurement looks odd, or a gauge is at its maximum,
or a sample is not as expected–take this as a warning. Verify the
data before proceeding. In doing so, you may prevent an
accident before it happens.
Emergency Management – Make sure you clean up. This is
important to protect emergency responders, operators,
neighbors, and the environment. Many emergencies involve
the mishandling of materials that were involved in an incident
or that were generated in the emergency.
6.4.2 Description
Background. Vicksburg Chemical Company was the shipper of
nitrogen tetroxide to Gaylord Chemical Corporation in Bogalusa,
Louisiana.
Process. Nitrogen tetroxide is a liquefied poisonous gas and
oxidizer. When nitrogen tetroxide is mixed with water, it reacts to
form nitric acid.
What Happened. On September 14, nitrogen tetroxide vapors
leaking from the tank car were suppressed with water. The Union
Tank Car Company replaced four valves and noticed that one
valve stem showed significant wear. On September 26, the tank
car was loaded with nitrogen tetroxide at the Vicksburg Chemical
Company. The tare weight of the car was 4,309 kg (9,500 lb) over
the maximum weight noted on the car, but operators saw the new
valves and assumed that the car had been rebuilt and that the
maximum weight had been increased. They did not verify this
assumption. On October 12, the nitrogen tetroxide was
transferred into a storage tank at Gaylord. At the same time,
material from the storage tanks was being transferred to the
plant. Process sensors detected water contamination in the
nitrogen tetroxide and triggered interlocks to shut down the
chemical reactor. Because of the water contamination, it was
decided to switch the rail car unloading into stainless-steel cargo
tank trailers. On October 13, a meter used to measure the
transfer indicated that the full quantity had been transferred. No
other verification of the remaining quantity was made.
Vapors started leaking from another cargo tank containing
the same material. On October 17 and 20, a number of valves and
gaskets on the tank car were replaced because they were
determined to be inappropriate for the nitrogen tetroxide and
fuming nitric acid. On October 19, Gaylord employees began
transferring the remaining material into a cargo tank. The meter
indicated over 23 m³ (6,000 gal) had transferred; post-accident
calculations determined that actually only just over 3 m³ (800 gal)
had transferred. On October 23, a chemical analysis was done on the
contents of the tank car and, unexpectedly (since the Gaylord
personnel thought the tank car had been emptied of nitrogen
tetroxide and any residual diluted with water), the results showed
that the material was wet nitrogen tetroxide. The Gaylord
personnel assumed the sample was not representative. More
water was added to the tank car. The pressure rose to 6.9 bar (100
psig), the maximum calibrated pressure on the gauge. The water
was turned off, but the pressure was at its maximum and
appeared to be rising. The end of the tank car failed, releasing a
large reddish-brown vapor cloud, approximately two and a half
hours after the water was added that day.
Why It Happened. On October 13, when the tank car was thought
to be fully unloaded at Gaylord, water was added to dilute any
residual material. After the accident, it was determined that only
a small fraction had been offloaded. The carbon steel eduction
pipes had been corroded by the nitric acid. On October 19, after
the reactor shutdown and material sampling, meters were again
used as the only measurement to determine if full unloading had
occurred. Water was then added to clean what was thought to be
an unloaded tank car. After the accident, it was found that the
safety relief device had activated (set pressure at 26 bar (375 psig))
and bands of corrosion were found inside the tank.

6.4.3 Management System Failures

III. Manage Risk

8. Operating Procedures.
The NTSB indicated that the accident was caused by the lack of
adequate procedures on the parts of both the shipping and
receiving chemical companies (NTSB, 1998). The shortcomings in
these procedures enabled the contamination of the product and
the lack of detection of this contamination.
Operating procedures should address both normal and
abnormal situations. Providing clear direction on how to detect,
verify, and respond to an abnormal situation can help operators
recognize deviations and respond appropriately.
15. Conduct of Operations.
Measurements were taken using a single device and not verified.
Even after the reactor shutdown and the discovery that the
eduction tubes had corroded away, a single measuring device was
again used with no verification. Testing of the material in the tank
car showed that it was wet nitrogen tetroxide, but this was
dismissed as not representative. The pressure gauge, which was
at its maximum, did not trigger an appropriate response.
This is a classic example of a cognitive bias, where the
information that doesn’t support the presumed situation is
dismissed. Operator training should include an instruction to
question the situation before proceeding if things do not look
right. Assuming that a device is broken, or a sample is not
representative, and not verifying that to be true, is a warning
missed. Operators should feel empowered to stop the procedure,
question why, and proceed only when it has been determined
that it is safe to do so.
16. Emergency Management.
The NTSB also found that Gaylord Chemical’s emergency
response procedures were inadequate (NTSB, 1998). Gaylord’s
addition of water and failure to accurately measure the tank car
quantity contributed to the tank car rupture.
Emergency response procedures should address more than
just fighting the emergency. They should also address how to
safely handle and dispose of any hazardous materials that were
involved in or generated by the emergency.
6.5 PACIFIC GAS AND ELECTRIC COMPANY PIPELINE RUPTURE AND FIRE, CALIFORNIA, US, 2010

6.5.1 Summary
On September 9, 2010, a Pacific Gas and Electric (PG&E) Company
intrastate natural gas pipeline failed catastrophically in a
residential area of San Bruno, California. The release of an
estimated 1.3 million standard cubic meters (47.6 million
standard cubic feet) of gas resulted in a crater that was 22 m (72
ft) long and 8 m (26 ft) wide. A fire ensued, causing eight fatalities,
injuring many others, destroying thirty-eight homes, and
damaging seventy more. Refer to Figure 6.5-1.
The NTSB made recommendations to the US Secretary of
Transportation and multiple state agencies and industry
associations. The Pipeline Hazardous Materials SA issued an
Advisory Bulletin regarding the need to ensure the accuracy of
data supporting the maximum allowable operating pressure
calculations. Congress introduced several bills that strengthened
pipeline safety oversight (NTSB 2011).

Key Points
Process Knowledge Management – Make sure you have good
data. Garbage in, garbage out. It is imperative to have correct
data input to systems that control operations and
maintenance. Without correct data, poor decisions will result.
Asset Integrity and Reliability – Keep it in the pipe. Having a
good system to manage equipment inspection, testing, and
maintenance is required to maintain the integrity of the many
pieces of equipment.
Emergency Management – What’s happening? In an
emergency, operators may be swamped with many alarms,
work may be ongoing and other units may be impacted. Have
plans to promptly identify what the problem is, where it is
located, and how to isolate it to minimize the incident.
6.5.2 Description
Background. PG&E provides natural gas and electric service to
fifteen million people in northern and central California.
Process. The PG&E gas facilities include more than 67,592 km
(42,000 mi) of natural gas distribution pipelines and 10,300 km
(6,400 mi) of transmission pipelines. The pipeline involved in the
incident originates at the Milpitas Terminal and flows 74 km (46
mi) to the Martin Station. This PG&E system includes three
pipelines and six crossties that allow gas to flow between the
pipelines.
The supervisory control and data acquisition (SCADA) center
is located in PG&E’s San Francisco headquarters and manages the
operations of the system.
PG&E had experienced a 2008 explosion of a pipeline in
Rancho Cordova and a 1981 pipeline leak in San Francisco. The
NTSB noted similar factors between these incidents and the San
Bruno accident.
What Happened. About 3.5 hours before the rupture,
uninterruptible power supply work was initiated at the Milpitas
Terminal. The technician at the terminal was in contact with the
SCADA center. They confirmed that the valves on incoming lines
would close on loss of power, so they locked the valves open. As
the work progressed, the terminal technician and the SCADA
center were in contact at each step of the work. During the work,
a local control panel lost power. The workers began looking for an
alternate power source. Subsequent investigation showed that
erratic voltages from redundant power supplies during this work
caused erroneous pressure signals, prompting regulating valves
to open fully. Less than an hour before the incident, the SCADA
center displayed over sixty alarms in a few seconds. Through
troubleshooting, they realized that the SCADA center was not
receiving accurate data. They recognized that the entire system
was overpressured and began changing set points to lower the
pressure. High-high pressure alarms continued with pressures
above 27 bar (386 psig) until just after 6:11, when the rupture
occurred.

Figure 6.5-1. PG&E pipeline rupture and fire in San Bruno (courtesy NTSB).

The pipeline fractured at the weld joining two short pipe
segments. The gas ignited, and a large fire ensued. San Bruno
Police arrived in one minute and firefighters arrived in two
minutes. The emergency response involved 900 people.
Firefighting continued for two days after the gas flow was
stopped. PG&E took ninety-five minutes to stop the gas flow.
Why It Happened. The 1948 construction records for the pipeline
showed 209 radiographed welds, fifteen of which were rejected,
and a number of which were “borderline.” There were also notes
of construction damage and repairs. The pipeline was tested at
6.9 bar (100 psig) with a soap and water solution on the welds and
held at pressure for 48 hours.
In 1956, PG&E relocated 564 m (1,851 ft) of the line that had
been installed in 1948 to allow for the grading proposed for a new
residential housing development. There were no design,
construction, or testing records made available to the NTSB on
this relocation. In 1961, PG&E relocated 531 m (1,742 ft) of the line
relocated in 1956, including the portion that ruptured in this
incident.
This section of pipeline was noted in the PG&E graphical
information system (GIS) as being installed in 1956 (not 1948). It
was noted as a seamless steel pipe API 5L X42 with a wall
thickness of 1 cm (0.375 in.). The GIS information came from a
1977 pipeline survey that was based on accounting records, as
opposed to engineering records, and the material code was
incorrectly copied during the pipeline survey. The pipe was not
seamless. PG&E later stated that at the time this pipe was
purchased, all 30-inch pipe purchased would have had a
longitudinal seam.
The pipeline in the location of the rupture was created from
six short segments of pipe. Subsequent testing showed that some
of the segments did not meet the 1948 PG&E or industry material
specifications. There were multiple defects found in the welds
joining the segments.
In 2008, San Bruno had a contractor replace the existing 6-inch
vitrified clay sewer pipe with a 25 cm (10 in.) polyethylene pipe,
using pneumatic pipe bursting. This is a widely used method that
uses a bursting head to break and push out the existing pipe while
simultaneously pulling the new pipe into place. The required
notices were made prior to this work, and a PG&E mechanic
inspected the gas pipeline and was satisfied with the work. The
NTSB report reviewed studies on the safe distances for this type
of pipe bursting adjacent to utilities (NTSB, 2011). Calculations
indicated that the ground vibrations could have deformed the
segment where the rupture occurred.

Figure 6.5-2. Weld in failed PG&E pipeline (courtesy NTSB).

Figure 6.5-3. Properly made weld (courtesy NTSB).


6.5.3 Management System Failures

II. Understand Hazards and Risk

6. Process Knowledge Management.


The GIS data was based on accounting data which contained an
error. This led to a lack of understanding of the type of pipe, the
type of welds, and the pipe age.
Many of the subsequent recommendations and legislation
following the incident addressed the importance of verifying the
data upon which managing systems such as control systems and
maintenance systems are based.
7. Hazard Identification and Risk Analysis.
The NTSB report (NTSB, 2011) noted that PG&E had experienced
a number of leaks due to longitudinal weld defects since 1948.
The response to more recent incidents had not met the
expectations of the NTSB. PG&E had risk management practices
that considered the likelihood and consequences of failure. The
failure values were based on industry experience. These values
were optimistic compared with PG&E’s experience but were not
changed. This resulted in their integrity management program
underestimating threats due to external corrosion and design
and manufacturing defects.
Hazard identification techniques are often required by
regulation to include consideration of past incidents, both in the
company and in the broader industry.

III. Manage Risk

10. Asset Integrity and Reliability.


PG&E’s pipeline integrity management system was inadequate. It
was based on inaccurate information, failed to consider known
weld defects in risk assessment, and used inappropriate
inspection methods that could not detect weld defects.
Inadequate quality assurance in the 1956 project resulted in a
poorly welded pipe section being installed. An inadequate
pipeline integrity management program failed to detect the
defective weld. Refer to Figures 6.5-2 and 6.5-3.
Integrity management systems are critical. Ensuring that
accurate data is included in the system is imperative to support
sound risk analysis and decision-making regarding inspection and
maintenance.
16. Emergency Management.
PG&E lacked an adequate procedure for addressing large-scale
emergencies, including providing clarity on a single point of
command. The PG&E control systems caused delays in identifying
the pipeline break location. Also, the lack of automatic shutoff
valves or remote-control valves delayed isolation of the gas flow.
Emergency response procedures should address all
emergencies, small and large. In addition, contingency plans
should be put in place to address situations when information or
systems that are typically used in an emergency may be
offline or out of service.

6.6 ADDITIONAL PIPELINE RELEASES

6.6.1 Summary
There have been numerous pipeline releases, in addition to the
PG&E San Bruno release described above, that have resulted in
human harm, damage to the environment, and destruction of
property. While pipelines are frequently thought of as traversing
open countryside, they are also located in populated areas where
the consequence of incidents can be significant. The incidents
included below are representative, including toxic, flammable,
and explosive consequences.

Key Points
Stakeholder Outreach – “Know what’s below” (PHMSA, 2017).
You may own or operate a pipeline, but it likely runs under
areas where you have little control. Enabling stakeholders to
prevent damage can avoid a release.
Asset Integrity and Reliability – Is it still in good shape? There
are miles and miles of pipelines that are in service for many
years. Using a good integrity management system is imperative
to ensuring safe and reliable service.
Conduct of Operations – Where is it? Pipeline systems are vast.
Like all control systems, it is important to design the control
system to enable the operator to quickly understand and
respond.

6.6.2 Description
Three additional pipeline incidents are used to discuss the Key
Points in this Section.
Olympic Pipeline. On June 10, 1999, an Olympic Pipeline Company
pipeline ruptured and released 897 m3 (237,000 gal) of gasoline
into a creek in Bellingham, Washington. Over an hour later, the
gasoline ignited and burned 2.4 km (1.5 mi) along the creek,
causing three fatalities, injuring eight others, and damaging a
residence and the Bellingham water treatment plant. Refer to
Figure 6.6-1.
The pipeline was damaged during excavation works
associated with the 1994 water treatment plant modification. In-
line inspections indicated damage, but the pipeline was not
excavated for further inspection. The NTSB concluded that the
pipeline would have been able to withstand the internal pressure
at the time of the accident had it not been weakened by the
external damage.
Bayview Terminal was built and commissioned 6 months
before the accident. There were issues with the pressure relief
valves, resulting in operational issues that were reported but not
corrected. On the day of the incident, database development
work being performed on the SCADA system while it was online
caused it to fail, making it difficult to analyze the pipeline
operation (NTSB, 2002).
Enterprise Products. On October 27, 2004, a Magellan Midstream
Partners pipeline, operated by Enterprise Products, ruptured near
Kingman, Kansas. Approximately 772 m3 (4,858 bbl) of anhydrous
ammonia was released. No people were harmed, but more than
25,000 fish were killed. The investigation identified that the pipe
segment that ruptured had four external gouges. Cracks within
the gouges penetrated the pipe. It is unclear how the gouges were
made. The pipeline operator using the SCADA did not accurately
evaluate the data and promptly shut down the pipeline (NTSB,
2007).
Nigerian pipeline. On December 26, 2006, people were scooping
fuel from a pipeline that had been hot-tapped by thieves in the
Abule Egba area. The fuel ignited, causing hundreds of fatalities
and injuries. There have been seven similar pipeline accidents in
Nigeria from 1998 to 2006 that have caused thousands of
fatalities (BBC, 2006).
Background. There are nearly two million kilometers of petroleum
pipelines around the world. They supply petrochemicals to
refineries and chemical plants and deliver products to ships for
transport and to end users. In the United States, the Pipeline and
Hazardous Materials Safety Administration (PHMSA) of the
Department of Transportation has jurisdiction over pipelines,
issuing regulations addressing their construction, operation and
maintenance. Also, in the United States, the National
Transportation Safety Board (NTSB) has oversight of pipeline
accident investigations.
Process. Pipelines are typically operated using SCADA systems.
SCADA systems gather operating data, operate remote valves,
track the pipeline flow, and provide leak detection. It can be
challenging to verify pipeline integrity issues simply because
pipelines are buried, so conducting a visual inspection requires
excavation.

Figure 6.6-1. Burned vegetation along the creek from Olympic pipeline release and fire (courtesy NTSB).

What and Why It Happened. As can be seen in the pipeline incidents
described here, damage done to a pipeline during installation or
done by digging equipment in subsequent years is often a factor
years later in a pipeline failure. The pipeline company may not be
aware of the damage; hence, inspection is critical to ensure the
ongoing fitness for service of the pipeline.
SCADA systems are also cited in a number of these incidents,
with regard to both the reliability of the SCADA system and the
ability of the operator to interpret and respond to an emergency
situation.

6.6.3 Management System Failures

I. Commit to Process Safety

5. Stakeholder Outreach.
Pipelines, by their function, connect many stakeholders including
owners, operators, neighbors, regulators, and emergency
responders. Damage prevention systems such as the PHMSA 811
system— “Know what’s below. Call 811 before you dig.”—can help
reduce the likelihood of pipeline damage. As a PHMSA report
states, “Damage prevention is a shared responsibility.” (PHMSA,
2017) Sadly, as seen in the Nigerian incident, some damage is
intentional and then escalates to involve many other innocent
people.

III. Manage Risk

10. Asset Integrity and Reliability.


Pipelines operate virtually unseen for decades. Using a good
integrity management system is imperative for safe pipeline
operations. Not only identifying anomalies, but also investigating
them, can provide the data necessary to make good decisions
regarding continued safe operation.
15. Conduct of Operations.
Operating a pipeline is challenging, considering the vast territory
that a pipeline may cover. SCADA systems are intended to support
these operations. As in all types of control systems, it is important
to consider human factors in the design of the system. Can the
operator quickly and easily gather and interpret the information
to make the correct decision?

6.7 AIR FRANCE FLIGHT AF 447 RIO DE JANEIRO TO PARIS, 2009

6.7.1 Summary
Air France flight AF 447 was traveling from Rio de Janeiro to Paris
on 31 May 2009. Just over two hours into the flight, the plane
stalled and crashed into the Atlantic Ocean, resulting in 228
fatalities. The wreckage was found on April 2, 2011 at a depth of
3,900 m (2.4 mi), about 12 km (6.5 nm) from the aircraft’s last
transmitted position (BEA 2012).

Key Points
Hazard Identification and Risk Analysis – Is now the best time?
There are some jobs, or elements within a job, that may pose
more risk than normal. Ensure that the right people are on the
job and that their mind is on their work at the critical points of
the job.
Conduct of Operations – Have realistic expectations. If you are
expecting specific behaviors to certain operational situations,
then make sure that situation can be easily detected and that
employees are trained and practiced in that response.

6.7.2 Description
Background. The captain had 6,258 flying hours, including sixteen
rotations in the South American sector in the preceding two years.
There were two co-pilots on the flight. The meteorology over the
Atlantic Ocean was normal, although there were some storms in
the early hours of the flight path.
Process. The plane was an Airbus A 330-203, manufactured in April
2005 with GE engines. The air speed is deduced from
measurements from three pitot probes and six static pressure
sensors. The probes were equipped with drains and an electrical
heating system to prevent icing. The speed of the plane is
calculated based on data from these probes and sensors used in
the flight control systems and the ground proximity warning
system.
What Happened. At about two hours into the flight, the captain
left to take his in-flight rest despite the storms in the flight path.
He commented to the co-pilots that they could not yet climb out
of the cloud layer because the temperature was falling more
slowly than forecasted, and the log-on to the Dakar, Senegal, air
traffic control center had failed. At 2 hr 08 min, the heading was
changed slightly, speed reduced, and engine de-icing turned on.
At 2 hr 10 min 05 sec, the autopilot and the auto-thrust
disconnected. The stall warning came on twice. At 2 hr 10 min 16
sec, the voice recorder captured “we’ve lost the speeds.” In the
following seconds, a number of attempted corrective actions
were made, but the stall warning came on again. The captain re-
entered the cockpit at 2 hr 10 min 51 sec. Voice recordings
captured “I have no more displays.” The recordings stopped at 2
hr 14 min 28 sec.
Why It Happened. If there are excessive quantities of ice crystals at
altitudes above 9,144 m (30,000 ft), they can accumulate in the
pitot probe tube. As the de-icing struggles to address the quantity,
the instrument function is lost for 1 or 2 minutes. This was a
known failure in aviation, and it was expected that pilots would
identify it and take precautionary measures. During the AF 447
flight, the co-pilots did not correctly identify the problem due to
inaccurate data (due to the pitot probe plugging) and the plane’s
performance being inconsistent with their mental model of the
situation. The voice recordings noted a degradation of the normal
practice of clearly stating their actions, which made identification
of the problem more difficult. This resulted in taking actions that
prompted the stall.
AF 447 attempted to contact the Dakar Oceanic air traffic
control center (ATC), but these attempts failed due to an absence
of the flight plan in the Eurocat system. Eurocat was an air traffic
management system being used on an experimental basis at the
Dakar Oceanic ATC. The flight control centers noticed the lack of
a flight plan and created a virtual one. The various flight control
centers communicated with one another about where AF 447
should be based on the virtual flight path. At 5 hr 23 min, they
reported the disappearance of the flight.

6.7.3 Management System Failures

II. Understand Hazards and Risk

7. Hazard Identification and Risk Analysis.


The flight crew identified concerns regarding the storm, but the
captain appeared unresponsive to the concerns, as he had not
had difficulty with storms in this area on previous flights. He chose
this time to take his in-flight rest, despite the fact that this is when
the plane would be crossing the storm path.
Who is in charge should be taken into consideration when
planning to conduct a higher-risk task. An example of this is the
Exxon Valdez where the third mate was on the bridge when
leaving Prince William Sound. It should be a deliberate decision in
choosing the right person with the appropriate education,
experience and skill to conduct the more challenging operations.

III. Manage Risk

15. Conduct of Operations.


The possibility of the pitot probes plugging was known. It was
expected that the pilots would promptly identify the situation and
take corrective action. A discussion on human factors in the BEA
Final Report notes the following are required for a person to
successfully identify a problem (BEA 2012):
The signs of the problem are sufficiently salient to bring
the (operator) out of their preoccupations and priorities
in the (operation) in progress;
The signs are credible and relevant;
The available indications relating to the anomaly are very
swiftly identifiable so that the possible immediate actions
to perform from memory to stabilize the situation are
triggered, or that the identification of the applicable
procedure is done correctly;
The memory items are known and sufficiently rehearsed
to become automatic reflex associated only with
awareness of the anomaly, without the need to construct
a more developed understanding of the problem;
There are no signals or information available that suggest
different actions or that incite the crew to the prior
reconstruction of their understanding of the situation.

6.8 OTHER INCIDENTS
A number of transportation incidents were described in the first
volume of this book.
Marine
Exxon Valdez Oil Spill, Valdez, Alaska, July 10, 1976
Sinking of the Titanic, North Atlantic, April 15, 1912
Sinking of the Erika, Bay of Biscay, France, December 12,
1999
K-Boats – British Steam-Powered Submarines in WWI, UK,
1914 - 1918
Capsize of the Herald of Free Enterprise, Zeebrugge,
Belgium, March 6, 1987
Fire on Board HMS Glasgow, Newcastle-Upon-Tyne, UK,
September 23, 1976
Aviation
NASA Challenger, Florida, USA, January 28, 1986
Loss of Space Shuttle Columbia, Texas, USA, February 1,
2003
Loss of Boeing 747-131 TWA Flight 800, USA, July 17, 1996
Hindenburg Disaster, Lakehurst, NJ, USA, May 6, 1937
Flight TS 236 Loss of Fuel over the Atlantic, August 24,
2001
Air France Concorde Crash, Paris, France, July 25, 2000
Flash Airlines Boeing 737, Sharm El Sheikh, Egypt, January
3, 2004

6.9 ADDITIONAL RESOURCES


The following books and resources are available for helping to
understand the prevention of environmental and toxic releases.
Guidelines for Asset Integrity Management (CCPS 2016). This
book is consistent with RBPS and Life Cycle approaches and
includes details on failure modes and mechanisms. Also, example
testing and inspection programs are included for various types of
equipment and systems. Guidance and examples are provided for
selecting and maintaining critical safety systems.
Guidelines for Engineering Design for Process Safety, 2nd Edition
(CCPS 2012). The book focuses on process safety issues in the
design of chemical, petrochemical, and hydrocarbon processing
facilities. It discusses how to select designs that can prevent or
mitigate the release of flammable or toxic materials, which could
lead to a fire, explosion, or environmental damage.
Guidelines for Chemical Transportation Safety, Security and Risk
Management (CCPS 2008a). This CCPS Guideline book outlines
current transportation risk analysis software programs and
demonstrates several available risk assessment programs for
land transport by rail, truck, and pipeline for consequences that
may affect the public or the environment. Topics include loading
and unloading and operating procedures to reduce human error.
Guidelines for Mechanical Integrity Systems (CCPS 2006). In
recent years, process safety management system compliance
audits have revealed that organizations often have significant
opportunities for improving their MI programs. As part of the
Center for Chemical Process Safety's Guidelines series, Guidelines
for Mechanical Integrity Systems provides practitioners a basic
familiarity with MI concepts and best practices. The book
recommends efficient approaches for establishing a successful MI
program.

7
Non-Oil/Chemical Incidents
7.1 INTRODUCTION
Some people think that lessons are only learned from incidents in
industries that are the same as their own. This is a false and
limiting opinion. Lessons may be learned from industries,
locations, and cultures that are different from your own. In fact,
the differences may prompt deeper thinking in finding the root
cause that is common across the industries, and, by getting to that
root cause, potentially prevent a broader range of incidents in
your own situation.
It is interesting to note the impact of process safety culture in
the incidents in this chapter. These incidents occurred in
industries that were not familiar with process safety, but they did
have to manage hazards and risks. The culture to do this
effectively was lacking. In some cases, it was lacking in the
company, in the supporting companies, and in the regulator.
Without a strong culture to manage hazards and risks, the other
controls to support safe work start to degrade.
The other point that stands out in these incidents is that
emergency management is just as key as it is in the other
incidents described in this book. It is not just about having
emergency responders or knowing what number to call to get
them; it is about the planning. Identify the various emergency
scenarios, assess the resources required to handle the
emergency, and practice tabletop and field drills with in-house
and external emergency responders to verify the effectiveness of
the emergency plan.


7.2 FUKUSHIMA DAIICHI NUCLEAR POWER PLANT RELEASE, JAPAN, 2011

7.2.1 Summary
On March 11, 2011, one of the largest recorded earthquakes
occurred off the coast of Japan. This caused a tsunami that resulted
in more than 1,500 fatalities and more than 6,000 injuries, with many
more people missing. The tsunami waves flooded the Fukushima
Daiichi nuclear power plant, impacting all six units on site. In the
following days, the units overheated, and radioactive material was
released, exposing surrounding communities and the
environment (IAEA, 2015). People were evacuated within 20 km
(12.4 mi) of the site for years. No human fatalities were attributed
directly to the incident; however, since the accident, there has
been reporting of significant increases in thyroid cancer (NAIIC
2012).
The Fukushima Nuclear Accident Independent Investigation
Commission (NAIIC) called for reforms in both the electric power
industry and the related government and regulatory agencies.

Key Points
Stakeholder Outreach – Make sure companies and agencies
are working toward the same goal–safety. It is good to have a
positive working relationship with other stakeholders.
Remember, though, that just because someone says an action
is okay does not mean that it is safe.
Process Safety Competency – Make sure process safety
competency is strong as it underpins many elements in most
management systems. If process safety is strong, business
management will be also. If the understanding of process
safety is weak, then decisions over time will degrade overall risk
management.
Hazard Identification and Risk Analysis – How unlikely is it,
really? Potential emergency events can seem unrelated.
Analyze scenarios to consider whether one can be prompted
by another. If the consequence is very high, then the likelihood
should be very low for the risk to be tolerable. Simply deciding
an event is unlikely may result in design, procedures, and
emergency response falling short.

7.2.2 Description
Background. Following the oil crisis of the 1970s, Japan moved to
diversify its power sources. By 2010, nuclear power generation
provided 29% of the total power generation in Japan. There are
five nuclear power plants located on the northeastern coast of
Japan. Fukushima Daiichi is operated by Tokyo Electric Power
Company (TEPCO).
Process. The Fukushima Daiichi design used boiling water
reactors. The reactors are a closed loop system. Water boils in the
reactor, producing steam that drives turbines to generate electric
power. The steam is condensed using cold water from the ocean
and then fed back to the reactor again. Refer to Figure 7.2-1.

Figure 7.2-1. Fukushima Daiichi nuclear reactor design (courtesy IAEA).

What Happened. The Great East Japan Earthquake occurred at 4:46
p.m. It was a magnitude 9.0 and lasted more than two minutes,
causing damage to structures and power infrastructure. Units 1,
2, and 3 were running at the time and shut down automatically
due to the seismic motion. A tsunami was created by the
earthquake, with the waves arriving forty minutes after the
initial shock. A wave of 14 to 15 m (46 to 49 ft) overwhelmed the
Daiichi seawalls and flooded the site, causing significant damage,
loss of power, loss of control, and eventual loss of reactor
containment.
Following the earthquake, TEPCO set up an emergency
response center in Tokyo and an on-site emergency response
center at the Daiichi site to manage the response. Evacuation and
shelter-in-place orders were issued over the next three days.
Why It Happened. After inserting the control rods (rods composed
of chemical elements used to control the nuclear fission) to stop
the reaction, heat continued to be generated. Cooling systems are
run and controlled by electrical power. The earthquake had
damaged the off-site power supply, resulting in a total loss of
power supply to the plant. This loss of power isolated the units
from their turbines, resulting in increased temperature and
pressure in the reactors. The operators followed appropriate
procedures for the earthquake and loss of power in shutting
down, isolating, and activating cooling systems.
The tsunami flooded the reactors and turbines, resulting in
loss of seawater intake for all units which in turn resulted in a loss
of cooling. It also damaged the electrical equipment, including the
diesel generators, power distribution, and switchgear, which
resulted in the loss of the emergency diesel generators to provide
cooling for all but one of the six units. DC power was provided as
an additional emergency backup, but the batteries were flooded,
and this power supply was lost to most of the units. With the loss
of power, the ability to monitor reactor pressure, water level, and
other aspects of core cooling was lost for three of the units.
The operators struggled with the loss of power and were
taking various approaches to provide cooling water. With the loss
of the ability to monitor the process conditions, the worst-case
scenario of a core overheating was assumed, and an evacuation
and shelter-in-place order was issued at 9:23 p.m. on March 11.
At 11:00 p.m., radiation levels were detected outside the unit.
Over most of March 12, efforts were made to restore cooling
water and power to the units with no or limited success. At 3:30
p.m. on March 12, an explosion occurred in one unit that
damaged emergency water and power supplies and created an
abnormal rise in radiation levels. This prompted an extension of
the evacuation zone to 20 km (12 mi). On March 13, high radiation
levels were detected at a second unit. On March 14, another
explosion occurred, injuring workers and damaging equipment.
On March 15, explosions occurred in two additional units. The on-
site emergency response center ordered the evacuation of all
units. The highest radiation readings of the accident were
recorded. Residents between the 20 and 30 km (19 mi) radii were
ordered to shelter-in-place.
Refer to Figure 7.2-2 for an overview of the incident progression.

Figure 7.2-2. Fukushima Daiichi incident progression (courtesy IAEA).

7.2.3 Management System Failures

I. Commit to Process Safety

3. Process Safety Competency.


The Japanese Fukushima NAIIC concluded that knowledge,
training, inspection, and instruction were lacking (NAIIC, 2012).
This points to a lack of process safety competency to support
good practices in each of these areas. Without a deep
understanding of process safety, the decisions made and actions
taken in these areas increased the risk of such an incident.
Process safety competency underpins many elements in most
management systems. Without the mindset of being vulnerable
and considering each decision through a risk lens, the day-to-day
decisions over the years can add up to poor integrity
management, poor practices, and an inability to respond
effectively in an emergency.
5. Stakeholder Outreach.
The NAIIC also concluded that collusion between the government,
regulators, and TEPCO was at the root of the incident (NAIIC,
2012). The government agencies thought to be addressing public
safety were found to be promoting nuclear power at the expense
of safety. The events and structural damage could have been
foreseen. Structural improvements and improved emergency
plans were not demanded by the regulator, even though they
were aware of the shortfalls.

II. Understand Hazards and Risk

7. Hazard Identification and Risk Analysis.


The nuclear industry is recognized for its use of probabilistic risk
assessment. The Fukushima nuclear power plant was originally
designed to withstand a magnitude 8 earthquake. Although the
earthquake potential was recognized and addressed in design
and procedures, the fact that the design basis was less than the
magnitude 9 earthquakes that have occurred along the Pacific
“ring of fire” was not clearly addressed in the risk assessments.
Loss of externally supplied power was recognized and addressed
in design and procedures. The tsunami potential was recognized
but was also underestimated. However, the likelihood that these
events could happen simultaneously was not well addressed. The
relative elevation of critical systems with respect to sea level left
Fukushima Daiichi NPP vulnerable to larger tsunamis. Refer to
Figure 7.2-3. In hindsight, it is logical to see how one event can
cause the next and thus their simultaneous occurrence is
credible. Because the risk of a full loss of power was not
recognized, the operators were not provided with appropriate
procedures (loss of all power—main, diesel generator, and DC
backup).

Figure 7.2-3. Fukushima Daiichi nuclear power plant elevations (courtesy Tokyo Electric Power Company) (OP: Sea level at Onahama Port).

III. Manage Risk

16. Emergency Management.


The roles and responsibilities of the various regulators and
agencies involved in the emergency response were not clear. This
enabled the deterioration of the situation at the Fukushima
nuclear power plant. Emergency preparedness and crisis
management were lacking over the years, which resulted in
confusion and inefficient management of the situation during the
emergency.
An effective emergency response is dependent on the
identification of the potential emergency, planning for it, including
all those who may be impacted, and putting the systems in place
to manage the event if it occurs.

7.3 SEWOL FERRY SINKING, SOUTH KOREA, 2014

7.3.1 Summary
On April 16, 2014, the Sewol ferry capsized and sank in the waters
off South Korea. Only 172 of the 476 passengers were rescued.
The Korea Maritime Safety Tribunal investigated the incident.
Over 150 people were jailed, some for murder, and government
structures were reorganized as a result of this accident and the
emergency response (Kwon 2016).

Key Points
Process Safety Culture – Work to make sure all stakeholders
have a good process safety culture. Process safety culture,
good or bad, can exist in companies you do business with, in
the regulator, and in auditors. Where it is good, it can
encourage all involved to continuously improve. Where it is
bad, it can fail to identify problems and enable the
normalization of deviance.
Conduct of Operations – Know and respect the operating limits.
Operating limits are defined for a reason. Disregarding those
limits and operating outside of them is setting the scene for an
incident.
Emergency Management – Practice! Conducting emergency
response training and drills will help identify areas for
improvement so that the response, if needed, will be
successful.

7.3.2 Description
Background. The ferry was constructed in 1994 and operated for
18 years without incident. Chonghaejin Marine Company
purchased the ferry in 2012 and made extensive modifications,
adding cabins to the third, fourth, and fifth decks, increasing
weight by 239 metric tons (263 tons), decreasing cargo capacity by
half, and increasing the ballast water requirement by four times.
The Sewol traveled its 402 km (250 mi) journey in 13.5 hours three
times a week. It had made the journey 241 times before the
incident. The water temperature was approximately 15°C (59°F),
which can cause hypothermia in ninety minutes.
Process. The Sewol ferry was a car ferry or roll-on/roll-off (ro-ro)
ferry.
What Happened. On the day of the accident, the Sewol departed
over two hours late, carrying 476 passengers, 124 cars, 45 trucks,
and 1,157 metric tons (1,275 tons) of cargo. The third mate was
on the bridge. She had one year’s experience in steering ships and
had never steered the Sewol through the Maenggol Channel,
which is known for its strong underwater currents. The helmsman
had six months of experience on the ferry. Orders were given to
the helmsman to turn the ferry. He made a quick, sharp turn, and
the ferry lost balance, listing twenty degrees into the water. The
cargo containers fell to one side of the ferry. The ferry began
taking on water through the ro-ro doors at the bow and stern. The
Captain went to the bridge and ordered the engines be stopped.
A passenger made the first emergency call to shore. Coast
Guard patrol vessels and helicopters were dispatched. Repeated
announcements were made on the ferry’s public address (PA)
system for passengers to stay in their cabins. Announcements
then ceased, as the crew assumed the PA system had failed. A
number of emergency calls were made from various ship crew
members using the radio system. Two helmsmen attempted to
drop life rafts from the starboard side but were unable to reach
them due to the listing of 40 degrees.
The first patrol vessel arrived approximately forty minutes
after the first distress call and reported there were no passengers
on the decks or in the water. They rescued some of the crew. An
order was given from the coast guard to announce, “abandon the
ferry” and guide passengers to be evacuated. This order was not
followed.
The third and fourth decks were submerged and dark. A few
of the crew members began shouting to passengers to evacuate
and helping them from the submerging cabins. The Sewol sank in
two and a half hours. Approximately 150 passengers jumped into
the water in the final twenty minutes before the ferry capsized.
Refer to Figure 7.3-1.
Why It Happened. The 1,157 metric tons (1,275 tons) of cargo on
the transit was more than double the legal limit and was not
properly secured. A map was posted showing the loading and
securing of cars, trucks, and cargo containers. It was not used, and
practices were not verified. The requirements for ballast water
were not followed. The ferry crew did not receive safety training,
nor did they practice evacuation drills. Personal flotation devices
were stored in the cabins and not at the evacuation points. The
life rafts were deployed too late, and some failed on deployment.
Communications on the ferry, within the coast guard, and
between the ferry and the coast guard were incomplete and
ineffective.

Figure 7.3-1. Sewol Ferry capsizing and sinking (courtesy South
Korea Coast Guard & South Korea Media, Straits Times graphic
adapted from AFP).

7.3.3 Management System Failures

I. Commit to Process Safety

1. Process Safety Culture.
In this incident, the problems of a poor safety culture did not rest
with the operator alone. Chonghaejin Marine made extensive
modifications, but those modifications were certified by the
Korean Register of Shipping without reviewing the plan for
securing the additional vehicles. It was later found that 58 of 66
vehicles could not be properly secured. Four times the ballast
water was required; however, Chonghaejin Marine carried less
than half of the ballast water required. The Korean Shipping
Association approved the departure based on inaccurate
documents and checking only the load line (line on outside of
ferry indicating maximum loading) but not the cargo and ballast
requirements.

III. Manage Risk

12. Training and Performance Assurance.
Korean Maritime Law included an exemption that if the ship’s
crew had one year of experience, then safety training was not
required. This resulted in the crew of the Sewol being exempted
from safety training for 7 to 19 years. The coast guard
headquarters did not participate in search and rescue training.
Training personnel and assuring that they can perform tasks
as expected is important. This is easy to say, but also easy to
dismiss, as this would be lower on the hierarchy of controls than
eliminating the hazard or providing engineering controls.
However, emergency response is truly the last chance to mitigate
the risk, thus making sure plans, equipment, and people are
working as intended is imperative. Additionally, the human
response in the stress of an emergency may not be as good as
that during normal operations. Having training and experience to
rely on can improve the likelihood of a successful emergency
response.
15. Conduct of Operations.
The Sewol Ferry had an Operation Management Regulations
Document as required, but it did not include the topics of ballast
water or total load. Paperwork on the ferry loading was routinely
falsified, and the ferry was routinely overloaded. There were
posted requirements for the loading and securing of vehicles and
cargo, but these were ignored. In fact, it was not possible to secure
the vehicles as required, yet the ferry had been in operation for
years. This is a classic example of normalization of deviance.
Conduct of operations speaks to formalizing operations and
expecting that operations are conducted diligently. Operating
procedures describe what the operating limits are and how to
stay within them. When operators are not able to conduct
operations as expected and that situation is tolerated, the
message to the operators is that procedures and other direction
can be viewed as optional. Additionally, where operations are not
being conducted as expected, it is helpful to ask why. Perhaps it
is not the operator ignoring procedures; perhaps the design or
the procedure needs improvement.
16. Emergency Management.
The crew abandoned the ferry without assisting the passengers.
They were unclear on how to respond in the emergency, and
made individual decisions on where to stay, what advice to give
on the PA system, and what orders to heed. Some of the crew did
not know how to use the PA system to broadcast emergency
messages to the passengers, so when it didn’t work, they
assumed (incorrectly) that it had failed due to the flooding, and
no further PA direction was given. The person on watch at the
land-based station was not notified of the sharp turn for twenty
minutes. The fact that passengers were told to stay in their cabins
was not communicated to the coast guard patrol vessels and
helicopters, so they initially only rescued those people on the
decks. The coast guard headquarters gave orders that the local
coast guard district did not follow. The patrol vessels did not
communicate directly with the ferry. By rescuing some of the crew
first, including the captain, the only means to communicate (cell
phones and 2-way radios) with the crew who were helping
passengers was lost.
The topic of emergency response training is addressed above
in the comments on training and assurance. Beyond the training,
the conduct of emergency response drills is key in identifying
communications, equipment, and working relationships that may
not go as planned. By identifying these in a drill, emergency
response plans can be continuously improved.

7.4 PIKE RIVER COAL MINE EXPLOSION, SOUTH ISLAND, NEW ZEALAND, 2010

7.4.1 Summary
On November 19, 2010, there was an explosion in the Pike River
Coal Mine. There were twenty-nine fatalities. There were three
additional explosions in the next nine days before the mine was
sealed. A royal commission was established to investigate the
incident. This was the twelfth such commission investigating fatal
coal mine incidents. The mine now has a new owner.
Recommendations have been made for a new regulator with a
focus on health and safety, changes to existing regulations and
conduct of joint emergency response drills (NZ Royal Commission
2012).

Key Points
Contractor Management – Manage your contractors, or you
may end up managing an incident. Contractors are often able
to cause, prevent, or mitigate an incident. Make sure they are
provided with the training, tools, and supervision to do a safe
job.
Operational Readiness – Are you ready, or just anxious, to start
up? A start up can be pushed for by management, can be
exciting after months of work, and can be demanding for the
workers. Determine what is required for a safe start up and
verify those requirements are in place before the start up.
Management Review and Continuous Improvement – Is it really
that good? Management, like everyone, likes to hear good
news. But they should verify that they are getting accurate and
full data about operational safety and risk management so that
they can support improvements where needed.

7.4.2 Description
Background. The Pike River Coal Mine is in the Paparoa Range on
the West Coast of New Zealand’s South Island near Greymouth.
Pike River Coal Ltd. operated the mine, and it was their only mine.
The mine was opened in 2008 with the first sales in 2010. The
company had overestimated the production forecasts,
underestimated the challenge of the geological conditions, and
was borrowing money to support operations.
Process. Methane gas is naturally occurring in coal. Large volumes
can be generated by mining the coal. The LEL and UEL for
methane in air are 5% and 15%, respectively. The methane level
is controlled through ventilation and atmospheric monitoring.
The original mine plan included two fans on the mountain. This
was changed to relocate a fan underground.
Hydro mining was seen as a way to significantly increase
production. It is not a common technique and uses a water jet
following a specific cutting sequence to avoid undue release of
methane.
What Happened. The investigation concluded that a large volume
of methane accumulated, potentially from a roof collapse due to
hydro mining or from operations in another part of the mine that
had reported high methane readings. The ignition sources could
have been the electrical system, diesel engines, the main fan, or
contraband (cigarettes, watches, and cameras). These were
prohibited, and preventive actions had been taken by Pike, but
the practices continued.
A search and rescue effort was undertaken but was hampered
due to lack of planning. Damage to the fans meant that the mine
could not be re-ventilated quickly. The emergency response was
managed by the police in Wellington. Many decisions were made
in Wellington instead of at the mine where the rescue experts
were gathered. The response included the police, mining
specialists, mine rescue services, and emergency responders. The
inability to understand the atmospheric conditions in the mine
prevented rescue attempts. Refer to Figure 7.4-1.

Figure 7.4-1. Pike River Mine (courtesy stuff.co.nz).

Why It Happened. Pike River Coal Ltd. had not completed the
ventilation and drainage systems to support management of the
methane produced by using hydro mining. The New Zealand
Department of Labor did not have the resources or focus to make
sure that the mine was in compliance with regulations.
Normalization of deviance is evidenced by the twenty-one times
that levels of methane exceeded the LEL in the months preceding
the incident. The decision to move the non-explosion-protected
fan underground, into a mine with a potential for an explosive
methane atmosphere, was opposed by a ventilation consultant
and by some staff, but it was placed there anyway. This fan failed
in the explosion, and the backup fan in the ventilation shaft was
damaged.
In October, the width of the hydro mining cut was increased
by 50%. An expert consultant identified the risk of a roof collapse.
A major roof collapse did occur, and methane readings were high,
but an explosion did not occur. Work was continued without
assessment of the roof collapse.

7.4.3 Management System Failures

III. Manage Risk

11. Contractor Management.
The Pike workers included numerous long-term contractors and
it was recognized that the work induction and supervision of
these contractors were not effective. Also, the Pike River Coal
Mine employed a high percentage of inexperienced miners and
those unfamiliar with the local conditions. There were reports of
the workers bypassing safety devices in order to continue
operations in the presence of methane.
Contractor management can be a challenging topic because
there is a limit to how much the company granting the contract
can intervene in the contractor’s business. That said, the
contracted workers are often able to either cause, prevent, or
mitigate an incident. The contracted workers should clearly
understand the hazards and proper ways to manage the
operational risks.
14. Operational Readiness.
Focus on safety and health should start early in the design stages
and should be a requirement to obtain a permit. The Pike
management team was challenged with operational issues as
they worked to increase production and put their focus in these
areas. Meanwhile, the health and safety management plan was
still in draft, there was no ventilation engineer, the ventilation plan
was deficient, and the reported high methane levels were not well
investigated or analyzed. High methane levels were causing
constant tripping of machinery, which prompted the miners to
bypass the sensors. Gas detectors were placed in a few locations
throughout the mine: one was broken for months before the
incident, and the other could not read above 2.96% methane.
In this incident, the drive for increased production was
outpacing the safety readiness of the operation. It is important to
determine the requirements for a safe operation well before that
operation is started and to have a system to verify those
requirements have been met. Without a logical and resourced
plan, it may not be clear when everything is in place to support
safe operations.
16. Emergency Management.
Emergency planning was ineffective to the extent that rescue
operations could not be undertaken due to the inability to
understand and improve the atmospheric conditions in the mine.
Emergency planning should plan for the worst-case scenarios.
It should recognize that equipment is often damaged in the event.
If critical data is needed to support the emergency management,
then a means to gather this data should be addressed during
emergency planning. This could involve emergency response
equipment, or it could identify the need to protect operational
equipment against fire, explosion, flooding, or another
emergency condition.

IV. Learn from Experience

20. Management Review and Continuous Improvement.
The Pike board received a monthly report, including a section on
health and safety; however, it did not address hazards relevant to
a major event such as an explosion. An insurance risk survey had
identified concerns regarding the risks of hydro mining and the
potential for an explosion. The board did not see this report. They
had assumed that the Pike managers would inform them of any
major issues.

7.5 BIG BRANCH MINE EXPLOSION, WEST VIRGINIA, US, 2010

7.5.1 Summary
On April 5, 2010, an explosion occurred in the Big Branch Coal
Mine in southern West Virginia. There were twenty-nine fatalities
and two injuries. Multiple employees and an executive were
convicted as a result of the incident.

Key Points
Process Safety Culture – Do not normalize deviance. When
tolerating shortcomings becomes normal and workers no
longer see the point in speaking up about safety issues, the
progression toward an incident has likely started.
Safe Work Practices – Protect the key risk barriers. Making sure
that practices support the integrity of barriers and do not allow
people to work around them is key to managing risk.
Measurement and Metrics – Measure what is important to
manage. Metrics should reflect the health of those barriers that
have been put in place to manage risk. If metrics solely address
production, it is time to review the process safety culture.

7.5.2 Description
Background. The Big Branch Coal Mine was owned by Massey
Energy and operated by its subsidiary, Performance Coal
Company. Work was behind schedule and pressure to produce
was high. The miners felt that leaving the job was not an option
unless there was an emergency, so they tolerated poor conditions
to produce coal (GIIP, 2011).
Process. Methane is released in the process of coal mining. Coal
dust is generated from the mining, from conveyor belts that
transport the coal, and from some coal seams. An industry
practice is to apply rock dust over the coal dust to prevent coal
dust explosions. Refer to Figure 7.5-1.
What Happened. The initial explosion involved methane gas
released from the coal and ignited by the friction of the shearing
operation as it hit the surrounding rocks. The methane explosion
caused the coal dust to be dispersed in the air, which then
supported subsequent coal dust explosions. The coal dust
explosions traveled more than two miles around the various mine
tunnels. Reports said it sounded like thunder, went on for
minutes, and threw wood cribbing, signs, and other materials
around. It damaged the ventilation system and electrical system.
The workers died from blast injuries and from carbon monoxide
poisoning.
The miners attempted to put on their “rescuers”, a
self-contained, self-rescue breathing apparatus which provides less
than one hour of breathing air. One man stayed with his team for
forty-five minutes. He tried to call on the radio and use the
tracking device, but there was no response. Mine employees who
were in the on-site offices heard the sound of the ventilation fans
changing and sensed something was wrong. They entered the
mine.

Figure 7.5-1. Shearer cutting coal (courtesy GIIP).

Calls were made to Massey management and to the Mining
Health and Safety Administration (MSHA). MSHA officials set up a
command center at the site. The response events were not
adequately recorded. At times, it was not clear who was in charge
and who was in the mine. Some of the men rescuing others were
not trained mine rescuers and were in the mine for four hours
following the explosion. Rescuers exiting the mine were not
debriefed, which further added to the confusion.
Why it happened. The Upper Big Branch mine was a gassy mine
and had three previous methane-related events. Coal mine
explosions are prevented by minimizing methane accumulation
through venting, by controlling ignition sources, and by
minimizing coal dust accumulations to prevent a subsequent coal
dust explosion should the methane ignite. These were all
inadequate at the mine. The mining operations had been shut
down for Easter Sunday. The de-watering pumps had failed, and
water had accumulated in areas leading to the ventilation fans,
which resulted in the air flow being reduced, which allowed
methane to accumulate.

7.5.3 Management System Failures

I. Commit to Process Safety

1. Process Safety Culture.
The normalization of deviance is reviewed in the Governor’s
Independent Investigation Panel (GIIP, 2011). The ventilation
problems were chronic and had become a part of the normal
operation. There were continual water problems, with miners
sometimes working in chest-deep water. Miners were sent into
the mine without communication or gas detection equipment.
Methane readings were falsified. Workers who questioned safety
conditions or shut down operations were intimidated and
suspended from work. “It was acceptable at this mine to do
nothing because identifying unsafe conditions might have meant
dedicating man-hours to correcting the problems.” (GIIP, 2011)

III. Manage Risk

15. Conduct of Operations.
In the Big Branch mine, the ventilation system was inadequate,
the coal dust was not managed, and safety equipment was not
maintained (GIIP, 2011). The rock dusting equipment at the mine
was poorly maintained, and the rock dusting performance was
poorly managed and ineffective.
The mine was cited every month in 2009 for failure to provide
adequate ventilation. Performance Coal Company management
told a foreman to disregard a citation for faulty ventilation. MSHA
ventilation inspectors suspected the mine of manipulating the
ventilation system to pass tests. The ventilation problems from
the mine were so significant that they prompted a change in the
MSHA policy on issuing violations.
The West Virginia Office of Miners’ Health, Safety and Training
(WVOMHS&T) investigation identified that regulatory language for
coal mine ventilation is inadequate (WVOMHS&T). This illustrates
the question of whether compliance is sufficient. Whether in
mining or other industries, if the relevant regulations are
insufficient, then additional measures should be taken to manage
the risks. At the most simplistic level, it is the employer’s
responsibility to provide a safe workplace.
16. Emergency Management.
The emergency response was challenged by a lack of
understanding of who was in the mine at the time of the
explosion. The mine’s personnel tracking system was not working,
and the backup log system was not maintained. It took days to
understand who was in the mine and determine the number of
fatalities.
Tracking of personnel is fundamental to operations and
supports the development of rescue plans. Whether the system
is manual cards, tags, or electronically managed, a system should
be in place. Being able to define how many people are involved is
essential for emergency responders and also needed for
communications with families.

IV. Learn from Experience

18. Measurement and Metrics.
Management was able to quote the daily metrics used to measure
coal production. There was no measure relating to safety.
The adage is that you manage what you measure. There
should be measures reflecting the process risk management.
Measures addressing personal safety are not sufficient.

7.6 UNIVERSITY LABORATORY INCIDENTS

7.6.1 Summary
There have been a number of incidents in university laboratories
that resulted in severe injuries and fatalities. The laboratories
failed to manage process safety almost in its entirety. These
incidents have prompted changes in the way many university
laboratories address process safety. The CSB has created a video
entitled “Experimenting with Danger” that is aimed at highlighting
the hazards at university chemical labs (CSB, 2011e).

Key Points
Process Safety Culture – Make sure process safety is part of
your safety culture. Regardless of what culture you are in, if
there are process safety hazards, then process safety should be
a key part of your culture.
Hazard Identification and Risk Analysis – It all starts here.
Identify hazards. If you don’t identify the hazard and assess the
risk, then you will not be able to put barriers in place and
manage the risk.
Incident Investigation – If something unexpected happens,
question why. Investigate it. You might identify a hazard or a
broken barrier. Then document it and share your learning with
others.

7.6.2 Description

Three incidents are used to discuss the Key Points in this Chapter:
1. University of Hawaii. On March 16, 2016, a hydrogen/oxygen
explosion occurred at the Manoa campus, resulting in a
postdoctoral researcher losing her arm and suffering
additional severe injuries. The lab was using hydrogen,
oxygen, and carbon dioxide in the green production of
bioplastics and biofuels. This gas mixture has a very large
flammability range as seen in Figure 7.6-1. The gas mixture
was likely ignited by a static discharge involving the
researcher, the tank, and a gauge. The equipment was not
bonded and grounded, and the gauge was not intrinsically
safe (UC, 2016).
2. University of California at Los Angeles. In December 2008, a
staff research associate was fatally burned when the t-butyl
lithium she was working with caught fire. The plunger on the
syringe came loose and the pyrophoric compound spilled on
her clothing, igniting spontaneously. No flame-resistant lab
coats were used. No hazard assessment was performed and
hence no subsequent protective equipment was identified. There
was no written procedure on handling pyrophoric materials
(UCLA Newsroom, 2009).
3. Texas Tech. On January 7, 2010, a graduate student suffered
severe injuries when a nickel hydrazine perchlorate derivative
detonated. Texas Tech was working with Northeastern
University on explosive threats under a program funded by
the US Department of Homeland Security. The students
decided to scale up the experiment to make a batch large
enough to fully characterize the chemical. The change was not
managed. There were no procedures requiring the students
to consult with anyone. Clumps occurred in the chemical, and
the student used a mortar and pestle, with a bit of added
hexane, to break them up. It detonated (CSB, 2010b).

Figure 7.6-1. Flammability range of hydrogen, oxygen and
carbon dioxide as was handled in the University of Hawaii
incident (courtesy UC).

Background. University chemistry laboratories are often used by graduate
students conducting research. This brings together a challenging
combination. Research chemistry by definition may include
unknowns about the chemistry. Students may have limited
experience or be performing experiments that may not have been
previously researched. Also, the university setting is unlike a
refinery or chemical plant. They are not accustomed to
addressing process safety on a daily basis.
Process. The laboratory work typically involves small experiments
of bench-scale processes.
What and why it happened. Although the chemistry and incident
scenario are different in each of these incidents, there are many
similarities at the root cause level. Fundamentally, there was no
management of process safety, and thus, none of the protections
were in place.

7.6.3 Management System Failures

I. Commit to Process Safety

1. Process Safety Culture.
University laboratories have typically focused on occupational
safety and may be unaware of the importance and scope of
process safety. The U.S. OSHA regulates general chemical hazards
but not process safety in university laboratories. The
accountability for process safety in the university laboratories
may not be clear. Different laboratories may be managed by
different university departments, such that the safety
department, focused on personnel safety, provides the only
consistency. The research-granting agency does not typically
prescribe safety requirements.
Similar to industry, it is clear that process safety culture starts
at the top. When the leaders, whether of a refinery or a university,
put time and effort into managing process safety, so will their staff
and students. When they don’t, then the other drivers of
production—cost management or technical research
challenges—will become the daily focus and overshadow the
importance of process safety. In addition to high turnover of
students, universities often have high turnover of administrators
and a strong focus on safety may be lost in the turnover.

Figure 7.6-2. Swiss cheese model representing potential failures
in university chemical laboratory process safety management
(courtesy CSB).

Process safety is applicable to and important for university
laboratories. For example, some process safety topics might
include: process safety information (hazardous mixing grid, safe
operating limits, ventilation design); hazards analysis; operating
manuals; safe work practices (energy isolation); mechanical
integrity; and emergency planning. Refer to Figure 7.6-2.
Guidance on laboratory safety in secondary schools and academic
institutions is available from the American Chemical Society (ACS,
2018).

III. Manage Risk

7. Hazard Identification and Risk Analysis.
There were many similarities in the RBPS elements that were not
addressed in these incidents. At the root, though, is not
identifying the hazard or assessing the risk. Without this, there
were no specific protections in place. The hazards of changes,
such as scaling up the chemistry, were not managed. There were
no operating procedures in which to document potential hazards.
If you don’t identify the hazards and assess the risks, then you
will not have the information necessary to manage those hazards
and risks. HIRA is the start of understanding what the hazards are,
what barriers may be appropriate, what changes might be
ill-advised, and what precautions should be included in guidance.

IV. Learn from Experience

17. Incident Investigation.
In all three incidents, researchers could have learned from
previous university incidents. However, universities typically have
no system in place to adequately document previous lessons,
communicate them, or learn from incidents that occurred in
similar research or laboratories.
At University of Hawaii at Manoa, cracking noises had
been heard when turning the gauge on/off, and the
researcher had been shocked previously.
A hydrogen explosion in the Earth and Space Sciences
Building at Stony Brook University injured one graduate
student and one faculty on May 15, 2014.
On December 18, 2015, a hydrogen gas cylinder exploded
in a chemistry building at Tsinghua University in China,
causing the fatality of a postdoctoral researcher (UC
2016).

7.7 MARS CLIMATE ORBITER MISHAP, 1999

7.7.1 Summary
The Mars Climate Orbiter (MCO) was launched on December 11,
1998, and contact was lost on September 23, 1999, as it entered
into an orbit around Mars.

Key Points
Stakeholder Outreach – Are you speaking the same language?
In large projects and complex operations, it is important that
people have the same understanding of relevant terminology
and are using the same basis such that all the project/operation
parts work safely together.
Conduct of Operations – Trust. And verify. Conducting good
operations and projects requires managers to trust that the
competent people on the job will do a good job. They should
also understand that people make mistakes. Thus, they should
verify that the job, especially the safety aspects, was completed
as planned.

7.7.2 Description
Background. The Mars Surveyor '98 program included the Mars
Climate Orbiter and the Mars Polar Lander, which were launched
separately. The intent was to study the weather on Mars. The
MCO would also serve as a communication relay for the Mars
Polar Lander (NASA, 2018).
Process. The Mars Climate Orbiter includes propulsion and
equipment modules. The mass at launch is 629 kg (1,387 lb) which
includes 291 kg (642 lb) of propellant.
What Happened. The spacecraft reached Mars. It passed behind
Mars, and contact was not re-established. Some of the spacecraft
commands were sent in English units instead of being converted
to metric, and a navigation error resulted. Due to this error,
the MCO would have entered the Martian atmosphere at the
incorrect altitude and would have been destroyed on entry.
Why it happened. A simple unit conversion error is why it
happened. However, understanding why that unit conversion
error happened gets into the root causes. Contributing causes
listed in the NASA report are:
1. Undetected mismodeling of spacecraft velocity changes
2. Navigation Team unfamiliar with spacecraft
3. Trajectory correction maneuver number five not
performed
4. System engineering process did not adequately address
transition from development to operations
5. Inadequate communications between project elements
6. Inadequate operations Navigation Team staffing
7. Inadequate training
8. Verification and validation process did not adequately
address ground software (NASA, 1999)

7.7.3 Management System Failures

III. Manage Risk

11. Contractor Management.


NASA projects include a large array of contractors and
subcontractors. Keeping the communications flowing well and
the project hand-offs happening seamlessly is challenging. This is
the same challenge faced by the oil and gas industry when
implementing large projects that involve numerous engineering
and construction contractors and subcontractors working around
the globe to build a single installation. In both cases, keeping
everyone communicating and working together well is required
to deliver a successful project.

15. Conduct of Operations.


Building on the large number of contractors, the manner in which
projects are managed must be controlled to support those
communications and hand-offs. In this NASA case, there were
ineffective communications between project elements and
teams. The systems in place to verify that the project was
proceeding as planned did not address all areas.
Projects can take years and many people to design and
construct. Often, business pressures or simply the desire to see
the finished product push people to rush through verification
steps. It is important to perform a thorough hazard and risk
management assessment. Even topics such as consistent language
(units) are identified in verification processes.
In a small project, this could be realized as a PSSR. In a large
project, it could be seen as a detailed verification and certification
program that could take weeks to complete.
It is easy to understand the importance of focusing on
challenging problems. Human nature draws some people into
challenging work. But this does not mean that the simplest of
topics, such as unit conversion, can be disregarded.

7.8 OTHER INCIDENTS


A number of non-oil/chemical incidents were described in the first
edition of this book.
• Three Mile Island Nuclear Reactor Core Meltdown,
  Pennsylvania, USA, March 28, 1979
• NASA Challenger Disaster, Florida, USA, January 28, 1986
• Loss of Space Shuttle Columbia, Texas, USA, February 1,
  2003
• Massive Dust Explosion at Courrieres Mine, France, March
  10, 1906
• Chernobyl Nuclear Disaster, USSR, April 26, 1986

7.9 ADDITIONAL RESOURCES


The following books and resources are available for helping to
address the topics highlighted in the incidents contained in this
chapter.
Guidelines for Asset Integrity Management (CCPS 2016). This
book is consistent with RBPS and Life Cycle approaches and
includes details on failure modes and mechanisms. Also, an
example testing and inspection program is included for various
types of equipment and systems. Guidance and examples are
provided for selecting and maintaining critical safety systems.
Guidelines for Chemical Laboratory Safety, American Chemical
Society. These publications are intended to help educators at the
high school and college level. They are designed to develop
knowledge, increase awareness, establish strong foundations,
and nurture safety culture.

Appendix 1

Matrix relating incidents, industries, and RBPS elements


References
ABET 2015. “Criteria for accrediting engineering programs,”
Accreditation Board for Engineering and Technology,
Baltimore, MD.
ACS 2018. “Guidelines for Chemical Laboratory Safety,” viewed
July 30, 2018, www.acs.org/content/acs/en/chemical-
safety/guidelines-for-chemical-laboratory-safety.html,
American Chemical Society.
AFPM. “Safety Portal Event Sharing Database, American Fuel &
Petrochemical Manufacturers,” www.afpm.org/safetyportal
(accessed December 1, 2017), Login credentials required.
Arm-Tex. Viewed on March 12, 2019. www.arm-tex.com/hamer-
line-blind-valves.html
Arco 1991. “A Briefing on the ARCO Chemical Channelview plant
July 5, 1990 accident.” ARCO Chemical Company, January
1990.
API 2009. API RP 939-C: “Guidelines for Avoiding Sulfidation
(sulfidic) corrosion failures in oil refineries.” American
Petroleum Institute, Washington, D.C.
Barton, J. & Rogers, R. 1997. Chemical Reaction Hazards: A Guide to
Safety. Institute of Chemical Engineers, Elsevier, Amsterdam,
Netherlands.
BBC. “Lagos pipeline blast kills scores.” Viewed May 16, 2018.
http://news.bbc.co.uk/2/hi/africa/6209845.stm
BEA 2012. “Final Report on the accident on 1st June 2009 to the
Airbus A330-203 registered F-GZCP operated by Air France
flight AF 447 Rio de Janeiro – Paris.” Bureau d’Enquetes et
d’Analyses pour la securite de l’aviation civile, July 2012.
Bills, Kym and Agostini, David. 2009. “Varanus Island incident
investigation,” Government of Western Australia, June.
www.slp.wa.gov.au/salesinfo/varanusinquiry.pdf


BP 2010. “Deepwater Horizon Accident investigation report.”
British Petroleum, London, UK, September 8, 2010.
Bretherick, L. & Urben, P. 2006. Bretherick's handbook of reactive
chemical hazards (seventh edition), Elsevier Ltd., Oxford, UK.
Buncefield 2008. “The Buncefield incident, 11 December 2005: the
final report of the major incident investigation board,” UK
Health and Safety Executive.
(www.hse.gov.uk/comah/buncefield/miib-final-volume1.pdf)
CalEPA 2014. “Improving public and worker safety at oil refineries,
Report of the Interagency Working Group on Refinery Safety.”
Sacramento, CA, February.
CCPS 1995. “Guidelines for Chemical Reactivity Evaluation and
Application to Design.” Center for Chemical Process Safety of
the American Institute of Chemical Engineers, New York, NY.
CCPS 1998. “Guidelines for Safe Warehousing of Chemicals.”
Center for Chemical Process Safety of the American Institute
of Chemical Engineers, New York, NY.
CCPS 2003. Essential Practices for Managing Chemical Reactivity
Hazards. Center for Chemical Process Safety of the American
Institute of Chemical Engineers, New York, NY.
CCPS 2004. A Checklist for Inherently Safer Chemical Reaction
Process Design and Operation, Center for Chemical Process
Safety of the American Institute of Chemical Engineers, New
York, NY.
CCPS 2006. Guidelines for Mechanical Integrity Systems. Center for
Chemical Process Safety of the American Institute of Chemical
Engineers, New York, NY.
CCPS 2005. Building Process Safety Culture Toolkit,
www.aiche.org/ccps/topics/elements-process-
safety/commitment-process-safety/process-safety-
culture/building-safety-culture-tool-kit. Center for Chemical
Process Safety of the American Institute of Chemical
Engineers, New York, NY.

CCPS 2007. Guidelines for Risk Based Process Safety. Center for
Chemical Process Safety of the American Institute of Chemical
Engineers, New York, NY.
CCPS 2007a. Human Factors Methods for Improving Performance
in the Process Industries. Center for Chemical Process Safety
of the American Institute of Chemical Engineers, New York,
NY.
CCPS 2008. Incidents that Define Process Safety. Center for
Chemical Process Safety of the American Institute of Chemical
Engineers, New York, NY.
CCPS 2008a. Guidelines for Chemical Transportation Safety, Security
and Risk Management. Center for Chemical Process Safety of
the American Institute of Chemical Engineers, New York, NY.
CCPS 2009. Inherently safer chemical processes. Center for
Chemical Process Safety of the American Institute of Chemical
Engineers, New York, NY.
CCPS 2011. Guidelines for Vapor Cloud Explosion, Pressure Vessel
Burst, BLEVE and Flash Fire Hazards, 2nd Edition. Center for
Chemical Process Safety of the American Institute of Chemical
Engineers, New York, NY.
CCPS 2012. Guidelines for Engineering Design for Process Safety, 2nd
Edition. Center for Chemical Process Safety of the American
Institute of Chemical Engineers, New York, NY.
CCPS 2012a. Guidelines for Evaluation Process Plant Building for
External Explosions, Fires, and Toxic Releases, 2nd Edition. Center
for Chemical Process Safety of the American Institute of
Chemical Engineers, New York, NY.
CCPS 2016. Guidelines for Asset Integrity Management. Center for
Chemical Process Safety of the American Institute of Chemical
Engineers, New York, NY.
CCPS 2017. Guidelines for Pressure Relief and Effluent Handling
Systems, 2nd Edition (CCPS 2017). Center for Chemical Process
Safety of the American Institute of Chemical Engineers, New
York, NY.

CCPS 2017a. Guidelines for Combustible Dust Hazard Analysis (CCPS
2017). Center for Chemical Process Safety of the American
Institute of Chemical Engineers, New York, NY.
CCPS 2019. Risk Analysis Screening Tool (RAST) and Chemical Hazard
Engineering Fundamentals (CHEF). Center for Chemical Process
Safety of the American Institute of Chemical Engineers and
European Process Safety Center, New York, NY.
CEP 2015. “Lessons Learned from Recent Process Safety
Incidents.” Al Ness, Chemical Engineering Progress, March
2015. American Institute of Chemical Engineers, New York,
N.Y.
Chemistry World. “Questions remain after huge hydrofluoric acid
leak.” Viewed February 26, 2019.
www.chemistryworld.com/news/questions-remain-after-
huge-hydrofluoric-acid-leak/5611
Crowl, Daniel A. 2003. Understanding explosions. Center for
Chemical Process Safety of the American Institute of Chemical
Engineers, New York, NY.
CSB. “DuPont La Porte Facility Toxic Chemical Release Interim
Recommendations.” Chemical Safety Hazard and
Investigation Board. Viewed 19 February 2018.
www.csb.gov/dupont-laporte-facility-toxic-chemical-release-/
CSB. “CITGO HF Release and Fire in Corpus Christi, Texas Text of
Urgent Recommendations.” Chemical Safety Hazard and
Investigation Board. Viewed 26 February 2018,
www.csb.gov/citgo-refinery-hydrofluoric-acid-release-and-
fire/
CSB 2002. “Improving Reactive Hazard Management.” Chemical
Safety and Hazard Investigation Board, Investigation Report,
Report No. 2001-01-H, October. (www.csb.gov/investigations).
CSB 2003. “Safety Bulletin – Hazards of nitrogen asphyxiation.”
Chemical Safety and Hazard Investigation Board - Board
Safety Bulletin, 2003-10-B, June. www.csb.gov/assets/1/19/SB-
Nitrogen-6-11-03.pdf

CSB 2003b. “Investigation Report Chlorine Release” DPC
Enterprises, L.P. Chemical Safety Hazard and Investigation
Board, Report No. 2002-04-I-MO, May 2003.
CSB 2003c. “Investigation Report Hydrogen Sulfide Poisoning
Georgia-Pacific Naheola Mill.” Chemical Safety Hazard and
Investigation Board, Report No. 2002-01-I-AL, January 2003.
CSB 2004. “Sodium Hydrosulfide: Preventing Harm.” Chemical
Safety Hazard and Investigation Board, Safety Bulletin No.
2003-03-B, reprinted November 2004.
CSB 2007. “Runaway chemical reaction and vapor cloud
explosion.” Chemical Safety and Hazard Investigation Board,
Investigation Report, Report No. 2006-04-I-NC, July 31.
(www.csb.gov/investigations).
CSB 2008. “LPG fire at Valero – McKee Refinery.” Chemical Safety
and Hazard Investigation Board, Investigation Report, Report
No. 2007-05-I-TX, July. (www.csb.gov/investigations).
CSB 2009. “T2 Laboratories, Inc. runaway reaction.” Chemical
Safety and Hazard Investigation Board, Investigation Report,
Report No. 2008-3-I-FL, September.
(www.csb.gov/investigations).
CSB 2009a. “Sugar dust explosion and fire.” Chemical Safety and
Hazard Investigation Board, Investigation Report, Report No.
2008-3-I-FL, September. (www.csb.gov/investigations).
CSB 2009c. “Safety Bulletin: Dangers of Purging Gas Piping into
Buildings.” Chemical Safety and Hazard Investigation Board,
Investigation Report, Report No. 2009-12-NC, September.
CSB 2009c. “Urgent recommendations.” Chemical Safety and
Hazard Investigation Board, Investigation Report, December
9.
CSB 2010. “Urgent Recommendations.” Chemical Safety and
Hazard Investigation Board, June 28.

CSB 2010b. “Texas Tech University Laboratory Explosion.”
Chemical Safety Hazard and Investigation Board, Report No.
2010-05-I-TX, October 19, 2011.
CSB 2011. “West fertilizer company fire and explosion.” Chemical
Safety and Hazard Investigation Board, Investigation Report,
Report No. 2008-05-I-GA, September.
(www.csb.gov/investigations).
CSB 2011b. “Hoeganaes corporation metal dust fires and
hydrogen explosion.” Chemical Safety and Hazard
Investigation Board, Case Study, Report No. 2011-04-I-TN,
December. (www.csb.gov/investigations).
CSB 2011c. “Heat exchanger rupture and ammonia release in
Houston, Texas.” Chemical Safety and Hazard Investigation
Board, Case Study, Report No. 2008-06-I-TX, January.
(www.csb.gov/investigations).
CSB 2011d. “Investigation Report E.I. DuPont de Nemours & Co.,
Inc., Belle, West Virginia.” Chemical Safety Hazard and
Investigation Board, Report No. 2010-6-I-WV. September
2011.
CSB 2011e. “Experimenting with Danger.” Chemical Safety Hazard
and Investigation Board. Viewed June 11, 2018,
www.csb.gov/videoroom/detail.aspx?VID=61
CSB 2013. “Williams Geismar olefins plant: reboiler rupture and
fire.” Chemical Safety and Hazard Investigation Board, Case
Study, Report No. 2013-03-I-LA, June 5.
(www.csb.gov/investigations).
CSB 2013a. “Powerpoint presentation on hazards.” Chemical
Safety and Hazard Investigation Board,
www.csb.gov/assets/1/19/Nitrogen_Asphyxiation_Bulletin_Training_Presentation.pdf
CSB 2013b. “High-pressure vessel rupture.” Chemical Safety and
Hazard Investigation Board, Case Study, Report No. 2010-04-I-IL,
November. (www.csb.gov/investigations).

CSB 2014a. “Explosion and fire at the Macondo Well; Overview.”
Chemical Safety and Hazard Investigation Board, Case Study,
Report No. 2010-10-I-OS, June 5.
(www.csb.gov/investigations).
CSB 2014b. “Explosion and fire at the Macondo Well; Vol. 1,
Macondo-specific incident events.” Chemical Safety and
Hazard Investigation Board, Case Study, Report No. 2010-10-
I-OS, June 5. (www.csb.gov/investigations).
CSB 2014c. “Explosion and fire at the Macondo Well; Vol. 2,
Technical findings on the Deepwater Horizon blowout
preventer (BOP).” Chemical Safety and Hazard Investigation
Board, Case Study, Report No. 2010-10-I-OS, June 5.
(www.csb.gov/investigations).
CSB 2014d. “Explosion and fire at the Macondo Well; Vol 3,
Human, organizational and safety system factors of the
Macondo blowout.” Chemical Safety and Hazard Investigation
Board, Case Study, Report No. 2010-10-I-OS, June 5.
(www.csb.gov/investigations).
CSB 2015. “Chevron Richmond refinery pipe rupture and fire.”
Chemical Safety and Hazard Investigation Board, Case Study,
Report No. 2012-03-I-CA, January.
(www.csb.gov/investigations).
CSB 2015b. “Caribbean Petroleum tank terminal explosion and
multiple tank fires.” Chemical Safety and Hazard Investigation
Board, Case Study, Report No. 2010.01.I.PR, October.
(www.csb.gov/investigations).
CSB 2015c. “Key Lessons for Preventing Hydraulic Shock in
Industrial Refrigeration Systems Anhydrous Ammonia
Release at Millard Refrigerated Services, Inc.” Chemical Safety
Hazard and Investigation Board, Report No. 2010-13-A-AL,
January 2015.
CSB 2015d. “Transcript 30015_DuPont Public Meeting (9-30-
2015).” Chemical Safety Hazard and Investigation Board,
viewed 21 February 2018,
www.csb.gov/assets/1/19/Transcript9.pdf

CSB 2016. “Pesticide chemical runaway reaction: pressure vessel
explosion.” Chemical Safety and Hazard Investigation Board,
Investigation Report, Report No. 2013-02-I-TX, January.
(www.csb.gov/investigations).
CSB 2017. “Investigation Report. Chemical Spill Contaminates
Public Water Supply in Charleston, West Virginia.” Chemical
Safety Hazard and Investigation Board, Report No. 2014-01-I-
WV, May 2017.
DowWolff. “Nitrocellulose Storage and Handling.” DowWolff
Cellulosics,
(http://msdssearch.dow.com/PublishedLiteratureDOWCOM/
dh_08a6/0901b803808a67fc.pdf?filepath=/822-
00001.pdf&fromPage=GetDoc)
DOJ 2015. “U.S. and five Gulf States reach historic settlement with
BP to resolve civil lawsuit over Deepwater Horizon oil spill.”
Department of Justice, Office of Public Affairs, October 5.
(www.justice.gov/opa/pr/us-and-five-gulf-states-reach-historic-
settlement-bp-resolve-civil-lawsuit-over-deepwater)
DOJ 2015b. “Georgia-Based Millard Refrigerated Services to Pay
$3 Million Civil Penalty for Ammonia Release that Sickened
Workers Responding to Deepwater Horizon Oil Spill.”
Department of Justice Office of Public Affairs, viewed 7 March
2018, www.justice.gov/opa/pr/georgia-based-millard-
refrigerated-services-pay-3-million-civil-penalty-ammonia-
release
DuPont. “La Porte Investigation Report Investigation Summary.”
Viewed 19 February 2018,
www.laporteinvestigationreport.com/summary.html.
DOT 2015. “Rule Summary: Enhanced Tank Car Standards and
Operational Controls for High-Hazard Flammable Trains.”
Department of Transportation, viewed April 11, 2018,
www.transportation.gov/mission/safety/rail-rule-summary
Dunning, 2009. “Train Wreck and Chlorine Spill in Graniteville
South Carolina.” Transportation Research Record Journal of
the Transportation Research Board 2009, DOI: 10.3141/2009-17,
viewed April 11, 2019,
www.transportation.gov/sites/dot.dev/files/docs/DISASTER_RECOVERY_TrainWreckChlorineSpillGranitevilleSC.pdf
Ellis, Ralph. 2016. "Fire that led to Texas fertilizer blast set on
purpose, officials say." www.cnn.com. CNN. Retrieved May 11,
2016.
EO 2013. “Executive Order 13650 Improving Chemical Facility
Safety and Security.” White House, Washington D.C., August 1.
FMG 2013. “Prevention and mitigation of combustible dust
explosion and fire.” FM Global Data Sheet 7-76, Johnston, RI.
GIIP 2011. “Upper Big Branch The April 5, 2010, explosion: a failure
of basic coal mine safety practices.” Report to the Governor,
Governor’s Independent Investigation Panel, May 2011.
Gustin 2001. “How the study of accident case histories can
prevent runaway reaction accidents to occur again.” IChemE
Symposium series No. 148.
Hernandez, J.C. 2016. “Tianjin explosions were result of
mismanagement, China finds.” New York Times, Feb. 5.
HSE 1994. The Fire at Hickson & Welch ltd. UK Health and Safety
Executive, ISBN 071760702X, Sudbury, UK.
HSE 2009. Designing and operating safe chemical reaction processes.
UK Health and Safety Executive.
HSE 2009a. Buncefield Explosion Mechanism Phase 1, Vols. 1 and
2. UK Health and Safety Executive.
www.hse.gov.uk/research/rrpdf/rr718.pdf
HSE 2012. Flammable vapour cloud risks from tank overfilling
incidents. RR 937, UK Health and Safety Executive.
HSE 2017. Review of vapour cloud explosion incidents. UK Health
and Safety Executive.
Huang, P. & Zhang, J. 2015. “Facts related to August 12, 2015
explosion accident in Tianjin, China.” Process Safety Progress,
Vol. 34, No. 4, December.

HoustonPress. 2016. “DuPont Will Shutter La Porte Plant Where
Chemical Leak Killed 4 Workers.” Viewed 7 March 2018.
www.houstonpress.com/news/dupont-will-shutter-la-porte-
plant-where-chemical-leak-killed-4-workers-8291326
IAEA 2015. The Fukushima Daiichi Accident. Technical Volume 1/5
Description and Context of the Accident, ISBN 978–92–0–
107015–9 (set), International Atomic Energy Agency, August
2015.
IChemE 2016. “The Sandoz warehouse fire 30 years on.” Issue 251,
viewed March 21, 2018.
www.icheme.org/shop/lpb/2016/issue%20251/the%20sando
z%20warehouse%20fire%2030%20years%20on.aspx
ICIS 2013. “US Williams eyes $343 million claim from Geismar
business interruption loss.” ICIS, October 13.
www.icis.com/resources/news/2013/10/31/9721150/us-
williams-eyes-343m-claim-from-geismar-business-
interruption-loss/
Jacobs, A., Hernandez, J.C. & Buckley, C. 2015. “Behind deadly
Tianjin blast, shortcuts and lax rules.” New York Times, Aug.
30.
Johnson and Lodal. 2003. “Screen your facilities for chemical
reactivity hazards.” Chemical Engineering Progress, pp. 50-58,
August.
Johnson, D.M. 2012. “Vapor cloud explosion at the IOC terminal in
Jaipur.” IChemE Symposium Series No. 158. Hazards XXIII.
www.icheme.org/communities/special-interest-
groups/safety%20and%20loss%20prevention/resources/haz
ards%20archive/hazards%20xxiii.aspx
Kepplinger H.M., Hartung U. 1995. "Störfall – Fieber. Wie ein Unfall
zum Schlüsselereignis einer Unfallserie wird." Alber-Broschur-
Kommunikation. Verlag Karl Alber GmbH, Freiburg/München.
Korea Institute of Public Administration. “Case Study of
Collaborative Governance in Korea: National Institute of
Chemical Safety.” Viewed 26 February 2018.
http://oecdkorea.org/common/attachfile/attachfileDownload.do?attachNo=00002828
Kwon 2016. “System Theoretic Safety Analysis of the Sewol-Ho
Ferry Accident in South Korea.” Yisug Kwon, submitted to the
System Design and Management Program in Partial
Fulfillment of the Requirements for the Degree of Master of
Science in Engineering and Management at the
Massachusetts Institute of Technology, February 2016.
Lexis/Nexis. 2016. “Workers Injured In Chemical Plant Explosion
Obtain $30 Million Verdicts In Two Louisiana State Court Trials
Against Plant Owners/Operators.” LexisNexis December 8.
www.lexisnexis.com/jvsubmission/b/case_of_week/archive/2
016/12/08/workers-injured-in-chemical-plant-explosion-
obtain-30-million-verdicts-in-two-louisiana-state-court-trials-
against-plant-owners-operators.aspx?Redirected=true
Marmo, L., Piccinni, N., Russo, G., Russo, P., Munaro, L. Multiple
tank explosions in an edible oil refinery plant: A case study.
Chemical Engineering Technology, V. 36, No. 7, p.1131-1137.
MIIB 2008a. “The Buncefield incident, Vol. 1.” Major Incident
Investigation Board,
MIIB 2008b. “The Buncefield incident, Vol. 1.” Major Incident
Investigation Board,
MOM 2011. “Update on MOM’s investigation on fire at Pulau
Bukom.” Singapore Ministry of Manpower Press Release, 2-
October. www.mom.gov.sg/newsroom/press-
releases/2011/update-on-moms-investigation-on-fire-at-
pulau-bukom
MOM 2011b. “Shell fined $80,000 for 2011 Pulau Bukom refinery
fire.” Singapore Ministry of Manpower Press Release, 29-
October. www.mom.gov.sg/newsroom/press-
releases/2012/shell-fined-80000-for-2011-pulau-bukom-
refinery-fire
MoPNG Committee. 2010. Constituted by Govt. of India.
Independent Inquiry Committee, Report on Indian Oil
Terminal Fire at Jaipur on 29th October 2009; completed 29th
January 2010. Available from http://oisd.nic.in, accessed 19
August 2013.
NACE International. 2010. “Stress Corrosion Cracking, NACE
Resource Center.” Retrieved from:
http://events.nace.org/library/corrosion/Forms/scc.asp.
NAIIC 2012. “The official report of The Fukushima Nuclear
Accident Independent Investigation Commission.” The
National Diet of Japan, 2012.
NCSL 2015. “Transporting Crude Oil by Rail: State and Federal
Action.” National Conference of State Legislatures, October
30, 2015, viewed April 10, 2018,
www.ncsl.org/research/energy/transporting-crude-oil-by-rail-
state-and-federal-action.aspx
NFPA 2015. “NFPA 484 Standard for Combustible Metals.”
National Fire Protection Association, Quincy, MA.
NFPA 2017a. “NFPA 497 Recommended Practice for the
Classification of Flammable Liquids, Gases, or Vapors of
Hazardous (Classified) Locations for Electrical Installations in
Chemical Process Areas.” National Fire Protection Association,
Quincy, MA.
NASA 1999. “Mars Climate Orbiter Mishap Investigation Board
Phase I Report.” National Aeronautics and Space
Administration, November 10, 1999
NASA 2018. Mars Climate Orbiter. NASA Space Science Data
Coordinated Archive, viewed June 12, 2018,
nssdc.gsfc.nasa.gov/nmc/spacecraftDisplay.do?id=1998-073A
NTSB 1998. Hazardous Material Accident Brief. National
Transportation Safety Board, Accident No. DCA-96-MZ-001,
January 27, 1998.
NTSB 2002. Pipeline Rupture and Subsequent Fire in Bellingham,
Washington June 10 1999. Pipeline Accident Report NTSB/PAR-
01/02 PB2002-916502, October 8, 2002.

NTSB 2005. Collision of Norfolk Southern Freight Train 192 with
Standing Norfolk Southern Local Train P22 With Subsequent
Hazardous Materials Release at Graniteville, South Carolina.
National Transportation Safety Board, NTSB/RAR-05/04,
January 6, 2005.
NTSB 2007. Pipeline Accident Brief. National Transportation Safety
Board, Accident No. DCA05-MP001, June 14, 2007.
NTSB 2011. Pacific Gas and Electric Company Natural Gas
Transmission Pipeline Rupture and Fire, San Bruno, California,
September 9, 2010. National Transportation Safety Board,
Accident Report NTSB/PAR-11/01 PB2011-916501, August 20,
2011.
NTSB 2015. Improve Rail Tank Car Safety. National Transportation
Safety Board. Viewed April 11, 2018,
www.ntsb.gov/safety/mwl/Pages/mwl5_2015.aspx
NZ Royal Commission. 2012. Royal Commission on the Pike River
Coal Mine Tragedy Volume 1 + Overview, ISBN: 978-0-477-
10378-7, Wellington, New Zealand, October 2012.
NFPA 2017b. NFPA 499, Classification of Combustible Dusts and of
Hazardous (Classified) Locations for Electrical Installation in
Chemical Process Areas. National Fire Protection Association,
Quincy, MA.
OGJ 1991. “ARCO spells out cause of Channelview blast.” Oil and Gas
Journal, January 14.
OSHA 1992. Process Safety Management of Highly Hazardous
Chemicals; explosives and blasting agents. Federal Register
1992, Vol. 57, No. 36, February 24.
OSHA 1998. 29 CFR 1910.109, Blasting and Explosive Agents,
Federal Register 33450, June 18.
OSHA 1999. Technical Manual – Section IV: Chapter 2 – Petroleum
Refining Process,
www.osha.gov/dts/osta/otm/otm_iv/otm_iv_2.html

OSHA 2019. Confined Spaces, viewed April 23, 2019,
www.osha.gov/SLTC/confinedspaces/index.html.
PHMSA. Damage Prevention. Pipeline and Hazardous Materials
Safety Administration, viewed May 17, 2018,
primis.phmsa.dot.gov/comm/DamagePrevention.htm
PHMSA 2017. A Study on Improving Damage Prevention Technology.
US Department of Transportation, Pipeline and Hazardous
Materials Safety Administration, August 3, 2017.
Qureshi, Tamara. Fatal Toxic Chemical Release at DuPont, U.S.
Chemical Safety and Hazard Investigation Board, presented at
AIChE 15th.
Sandia 2015. Literature Survey of Crude Oil Properties Relevant to
Handling and Fire Safety in Transport. Sandia National
Laboratories, SAND2015-1823, March 2015.
Shutterstock 2015. www.shutterstock.com/editorial/image-
editorial/huge-explosion-rocks-chinese-port-city-of-tianjin-china-
15-aug-2015-10223415a
Standards Australia. 1995. Australian Standard The storage and
handling of oxidizing agents. Standards Australia, AS 4326-
1995, ISBN 0 7262 9909 X, 1 The Crescent, Homebush, NSW 2140,
September 1995.
Swiss Re Institute 2017. "Natural catastrophes and man-made
disasters in 2016: a year of widespread damages." 10-February.
http://media.swissre.com/documents/sigma2_2017_en.pdf.
Savannahnow 2018. Imperial Sugar tragedy: Repercussions continue
10 years later, Savannah Morning News, February 6, 2018,
viewed at www.savannahnow.com/news/2018-02-
06/imperial-sugar-tragedy-repercussions-continue-10-years-
later.
Sax 2012. Sax's dangerous properties of industrial materials, 12th
Edition. Richard Lewis, Wiley & Sons, New York, NY.
Stuff 2010. Pike River Disaster: Yellow ribbons of hope. Viewed June
8, 2018. http://static.stuff.co.nz/files/minegraphic.jpg.

TAABMU 1994. "Leitfaden Erkennen und Beherrschen exothermer
chemischer Reaktionen (Guidance recognizing and mastering
exothermic chemical reactions)." Technischer Ausschuss für
Anlagensicherheit (Technical Committee on Plant Safety).
TAA-GS-05, December 4.
TO 2011. Macondo Well incident. Transocean Investigation Report,
Vol. 1, June.
Tremblay, J. 2016. “Chinese investigators identify cause Of Tianjin
explosion.” Chemical and Engineering News, February 8.
TSB 2013. Transportation Safety Board of Canada Railway
Investigation Report R13D0054 Runaway and Main-Track
Derailment Montreal, Maine & Atlantic Railway Freight Train
MMA-002 Mile 0.23, Sherbrooke Subdivision, Lac-Megantic.
Transportation Safety Board of Canada, Quebec, 06 July 2013.
UC 2016. Report to the University of Hawaii at Manoa on the
Hydrogen/Oxygen Explosion of March 16, 2016. UC Center for
Laboratory Safety, June 29, 2016.
UCLA, 2009. Report to the Chancellor on UCLA Laboratory Safety.
University of California at Los Angeles, July 2009.
UCLA Newsroom, 2009. Campus receives finding in lab death,
recommits to safety. Office of Media Relations, May 4, 2009,
viewed June 11, 2018,
http://newsroom.ucla.edu/releases/campus-accepts-finding-
in-lab-90542
White, Ronald. 2015. “UPDATE: Freedom Industries Executives Plead
Guilty to...” Viewed 7 March 2018.
www.foreffectivegov.org/almost-heaven-west-virginia...
USEPA. 1996. Chemical Incident Investigation Report. Terra
Industries Inc., Nitrogen Fertilizer Facility, Port Neal, IA, EPA,
September.
USEPA. 2015. Chemical Advisory, safe storage and handling of solid
ammonium nitrate prills. EPA 550-F-15-001, June.

USEPA 2015a. How to better prepare your community for a chemical
emergency. EPA 550-F-15-002, June.
USEPA 2015b. "Climate Action Benefits: Inland Flooding." 22 June.
www.epa.gov/cira/climate-action-benefits-inland-flooding.
Vivienne Zeng. August 2015. "3,000 tonnes of dangerous chemicals
were stored at Tianjin explosion site, say police." Hong Kong Free
Press, August 18.
Wikipedia. “2014 Kaohsiung gas explosions.” Viewed May 16, 2018.
en.wikipedia.org/wiki/2014_Kaohsiung_gas_explosions
WVOMHS&T. Upper Big Branch Mine Disaster Investigative Report
Summary. West Virginia Office of Miners’ Health, Safety and
Training, Charleston, WV.
Young, G. and Oelner, J. 2017. “Don’t do this!” Chemical Engineering
Progress, p. 46-53, January.

INDEX

Air France
AF 447, 331
Concorde, 335
ARCO Channelview, 69, 71
Asset Integrity and Reliability, 46, 71, 74, 98, 116, 124, 157, 158,
174, 178, 188, 199, 201, 205, 218, 232, 240, 246, 250, 269, 274,
276, 277, 283, 308, 318, 324, 327, 330
Auditing, 49, 275, 290, 294
Azote de France, Toulouse, 100
Bartlo Packaging, Inc., 100
Bayer CropScience, 101
Bhopal, 37, 39, 42, 230, 264, 300
Big Branch Coal Mine, 357, 358, 359, 360
BLSR Operating Ltd., 105, 106, 134-140, 218
BP
Grangemouth, UK, 226
Texas City, TX, 226
Buncefield Depot, 147-159, 163
CAPECO Storage Tank, Puerto Rico, 157, 159
Celanese Pampa, 166, 168, 171
Challenger, FL, 334, 372
Chemical Safety and Hazard Investigation Board (CSB), 14, 39, 41,
53, 55, 57, 58, 62-64, 74, 75, 79, 82, 100, 101, 105, 112-116, 122,
138, 141, 158, 184, 185, 187, 190, 192, 196, 197, 207, 211, 219,
224, 231, 237, 239, 242, 245, 249, 250, 267, 284, 290, 362
Chernobyl, USSR, 39, 372
Chevron Richmond, 115, 117, 122, 124, 126
CITGO, Corpus Christi, 105, 106, 141, 290, 291, 293, 294, 378
Columbia, TX, 335, 372
Combustible dust, 41, 105, 108, 113, 114, 181, 182, 185, 188-191,
196, 228

Commit to Process Safety, 43, 44, 61, 67, 73, 81, 87, 97, 112, 122,
132, 139, 155, 171, 187, 197, 204, 210, 224, 238, 250, 272, 297,
308, 313, 330, 343, 349, 360, 366
Compliance with Standards, 44, 61, 81, 86, 87, 97, 105, 106, 112,
123, 127, 132, 135, 139, 150, 155, 187, 198, 204, 210, 219, 224,
238, 246, 250, 269, 272, 295, 297, 304, 308
ConAgra Foods, 207, 208
Concept Sciences, Inc., 100
Conduct of Operations, 14, 24, 48, 50, 66, 68, 160, 164, 173, 178,
179, 183, 189, 199, 241, 310, 313, 314, 317, 327, 330-333, 347,
350, 360, 369, 372
Contractor Management, 46, 140, 233, 240, 352, 355, 370
Courrieres Mine, France, 372
Deepwater Horizon, 230-233, 240-243, 252
DPC Enterprises, 276, 278-283
DuPont
    Belle Plant, 267, 269, 272, 274
    LaPorte Plant, 259
Elf Refinery, France, 226
Emergency isolation valves, 15, 25, 105, 133, 134
Emergency Management, 48, 63, 76, 84, 116, 124, 158, 160, 165,
214, 246, 251, 253, 259, 266, 275, 277, 284, 286, 289, 290, 293,
295, 299, 304, 309, 310, 313, 314, 317, 319, 325, 346, 347, 351,
356, 361
Engineering design, 51, 199, 241, 242
Erika, France, 300
Exxon Valdez, AK, 333, 334
Flash Airlines, Egypt, 335
Flight TS 236, Atlantic, 335
Freedom Industries, Inc., 244-246, 248, 249, 250, 251
Fukushima Daiichi Nuclear Plant, 338, 339, 343, 344, 346
Gaylord Chemical, 314-317
Georgia-Pacific, 284, 286
Goodyear, TX, 180
Hayes Lemmerz, 147, 191, 196, 197, 198, 199
Hazard Identification and Risk Analysis, 16, 45, 46, 58, 62, 84, 88,
92, 97, 103, 127, 133, 156, 168, 171, 188, 198, 199, 214, 218, 253,
257, 260, 265, 273, 286, 288, 324, 331, 333, 339, 343, 363, 368
Herald of Free Enterprise, 334
Hickson & Welch, 93-96, 98
Hindenburg, NJ, USA, 335
HMS Glasgow, UK, 334
Hoechst Griesheim, 64
Hoeganaes Corporation, 41, 105-115
Hube Global, South Korea, 294-299
Human Factors Methods for Improving Performance in the
Process Industries, 50
Imperial Sugar, 41, 147, 181, 184, 187-189, 197, 388
Incident Investigation, 17, 27, 49, 58, 61, 63, 106, 114, 148, 183,
189, 191, 200, 208, 212, 219, 224, 242, 269, 275, 363, 368
Jaipur Lub. Terminal, 147, 155, 157, 159, 162, 267
K-Boats, Submarines, 334
Kleen Energy Systems, 207, 209
Kletz, Trevor, 42, 50
Learn from Experience, 43, 49, 63, 114, 189, 199, 212, 224, 242,
275, 294, 357, 361, 368
Macondo Well, 231, 233, 238, 239, 240, 242, 244, 380, 388
Manage Risk, 43, 46, 63, 68, 73, 84, 93, 98, 124, 134, 140, 157, 164,
173, 178, 188, 199, 205, 212, 218, 240, 250, 259, 265, 274, 283,
289, 293, 299, 308, 313, 316, 324, 330, 333, 346, 350, 355, 360,
368, 370
Management of Change, 18, 28, 48, 63, 94, 100, 134, 157, 178,
189, 199, 235, 238, 240, 241, 257, 266, 269, 272, 275, 289
Management Review and Continuous Improvement, 49, 353, 357
Marathon Oil Refinery, TX, USA, 300
Mars Climate Orbiter, 17, 369, 370, 386
Measurement and Metrics, 49, 357, 361
Millard Refrigerated Service, 252, 254-257, 259, 381, 382
MMA Railroad, 309
MMA Railway, 17, 303, 305, 306, 308, 309, 389
Morton International, Inc., 100
Motiva International, Inc., 226, 300
Napp Technologies, Inc., 100
NDK Crystal, 18, 146, 219-222, 224, 225
Nissan, Japan, 100
Norfolk Southern Rail, 310-312, 386
Oil storage tank, Italy, 213
Operating Procedures, 29, 46, 50, 89, 93, 98, 135, 140, 157, 174,
178, 199, 240, 260, 265, 270, 289, 316
Operational Readiness, 29, 48, 352, 356
Pemex LPG Terminal, Mexico, 226
PG&E Pipeline, 19, 318-322, 324, 325
Phillips Pasadena, 226
Pike River Coal Mine, 352
Piper Alpha Platform, UK, 226
Port Neal, IA, 89, 146, 389
Process Knowledge Management, 30, 45, 83, 113, 140, 188, 190,
198, 217, 252, 257, 264, 318, 324
Process Safety Competency, 45, 57, 61, 66, 67, 71, 73, 106, 168,
171, 183, 187, 198, 200, 205, 208, 210, 272, 338, 343
Process Safety Culture, 31, 44, 50, 61, 76, 81, 85, 87, 116, 122, 149,
155, 158, 200, 204, 212, 219, 224, 232, 238, 346, 349, 357, 360,
363, 366, 376
Reactive chemical incidents, 55, 72, 100, 101
Risk Based Process Safety, 20, 32, 43, 44, 49, 50, 51, 53, 81, 166,
188, 224, 300, 335, 368, 373, 374
Rohm & Haas Road Tanker, 100
Safe Work Practices, 21, 32, 46, 214
Sandoz warehouse incident, 230
Seveso, Italy, 230, 300
Sewol Ferry, South Korea, 346, 347, 348, 350, 351
Shell Refinery, Singapore, 141
Stakeholder Outreach, 45, 83, 297, 302, 310, 313, 327, 330, 338,
343, 369
Synthron LLC, 100
T2 Laboratories, Inc., 52, 56, 58, 60, 64, 378
Texaco Oil Refinery, UK, 226
Three Mile Island, PA, 372
Tianjin, China, 85, 87
Titanic, North Atlantic, 39, 334
Total FCCU, France, 226
Training and Performance Assurance, 47, 50, 68, 189, 199, 350
TWA Flight 800, USA, 335
Understand Hazards and Risk, 43, 45, 62, 83, 92, 97, 133, 139, 156,
171, 188, 198, 217, 257, 264, 273, 288, 324, 333, 343
University laboratory incidents, 379
Valero-McKee, 105, 128
Varanus Island, Australia, 147, 201, 202, 204-206
West Fertilizer Company, TX, 41, 74, 75, 76, 77, 81, 146
Williams Olefins, 174
Workforce Involvement, 45, 50
