2/26/2019 The Next Bhopal Paul Gruhn, P.E., CFSE Global Functional Safety Consultant Abstract The precursors that led to the Bhopal disaster occur daily throughout industry today This presentation will summarize: • How we have historically looked at accidents • A portion of the Bhopal process design • Changes that were made contrary to specifications • Problems encountered • Numerous further design and operational changes • The events that led to the worst industrial disaster in history… it took five years • Similarities that are still occurring world‐wide • How we might better prevent future events 1
2/26/2019 Paul Gruhn, P.E., CFSE Global Functional Safety Consultant at aeSolutions Safety Systems Specialist for 30 years ISA Life Fellow, active volunteer since 1989 Co‐chair and 28 year member of ISA 84 (SIS) committee Developer & primary instructor for ISA’s courses on Safety Instrumented Systems (8.5 days of material) Co‐author of ISA book on SIS BSME, IIT, Chicago, IL 2019 ISA President Kenneth Bloch Process Safety Supervisor 30+ years experience in maintenance, process safety, technical and operational roles Author of “Rethinking Bhopal” Environmental Science degree from Lamar University, Beaumont, TX 2
2/26/2019 Much of this material comes from… Other great references: • Safeware ‐ System Safety and Computers, Nancy G. Leveson • What Went Wrong? Case Histories of Process Plant Disasters, Trevor A. Kletz • An Engineer's View Of Human Error, Trevor A. Kletz • Learning from Accidents, Trevor A. Kletz • Drift into failure, Sidney Dekker Introduction Dealing with chronic pump seal problems led to misguided process‐related shortcuts How could this have happened? • The plant was patterned after a successful US facility • However, changes were made that did not match the design intention or specifications • The pattern of manipulating a process to compensate for issues is not unusual “The road to hell is paved with good intentions” • “If the original designers…” • If a US operator were transplanted… 3
2/26/2019 Summary of the disaster (Dec 3 1984) 1. Plant undergoing maintenance 2. Worker connects water hose to flush lines and valves 3. Water leaks into MIC tank and a reaction begins 4. Temperature and pressure builds and a leak started 5. Workers detect and report the leak 6. Vapor recover system off and not designed for such a load 7. Piping to flare badly corroded Summary of the disaster 8. Material released above makeshift water curtain 9. 28 tons of toxic vapor were released which settled in the capital city 10. 3,800 dead, 200,000 injured, 2,000 animals died, environment severely impacted 11. Facility never reopened 12. US operations suspended 13. Parent company never recovered, and all divisions were eventually sold AIChE CCPS, being proactive, the Titanic… 4
2/26/2019 Looking for causes Often an image of corporate misconduct, greed, and/or irresponsible cost cutting • Responsible, proud people who believe in safety There is no such thing as a “precise cause” • Cultural causes are very similar, though Equipment reliability, process reliability, productivity, and process safety are linked • Asset reliability is a fundamental aspect of preventing industrial disasters • Much depends upon how small issues are managed (as repeat failures have led to accidents) • Repeat failures also lead to normalization of deviance (e.g., Texas City) It’s not so much what they did, but why It’s not so much “How can situations like this be prevented?” but rather “What makes the regrettable choices people make even possible?” 1. Why did the design not follow the US plant? 2. Why did a worker connect a water hose to flush out lines? 3. Why was material building up inside the piping in the first place? 5
2/26/2019 History and process summary The product to be made was a success Yet the process to make it was neither cooperative nor originally efficient MIC was an intermediate product MIC needed to be: 1. cooled, 2. covered with a nitrogen blanket, 3. process constructed with stainless steel US facility operated safely for over a decade and served as the template for Bhopal History and process summary Other safety layers • high temperature alarms, • diluting heat sink (if adequate cooling could not be restored), • reserve tanks (for additional cooling, reprocessing, or disposal), • pressure relief, • vent scrubber, • flare Unfortunately, there were dependencies between all these layers 6
2/26/2019 Facility layout (1979) Facility siting issue 7
2/26/2019 Design change Vent header piping, valves, and vent gas scrubber made of iron • Such an exception could be justified with the nitrogen blanket • Might even be considered today (Value Eng.) “Can be managed” can lead to compromised thinking and normalization of deviance • When you finally appreciate what you’ve lost… When suggesting changes, state not only the what , but they why Note: Not the piping at Bhopal • Excluding the why can lead to confusion behind the recommendation, especially when the original designers are no longer around MIC tank, pumps, vent and nitrogen lines 8
2/26/2019 Pump problems from the start Pump seals lasting 45 months would be ‘average’ Seals at Bhopal only lasted 24 days Considering the number of pumps, there were repairs about every 5 days Specific details of the failure mechanism are not in the public record • Repeat failure are urgent warning signs • Simply diagnosing ‘vibration’ is not helpful (ex.) • Misdiagnosed vibration problems have led to many repeat failures in industry (Ken’s book has examples) • Not diagnosing chronic reliability problems will lead to loss of control of a process Normalization of deviance Detecting leaks was audio/visual/olfactory Workers found they could respond to leaks without serious problems Chest and eye irritation became normal for those living near the plant No immediate solution could be found Repairs became routine, but the financial impact was very penalizing Pump problems led to secondary issues… 9
2/26/2019 Secondary issues Pump failures cause irregular instrument readings (temperature) • The meaningless information became normal • High temperature alarm in the control room disabled Repeat failures and exposure became normal • Yet a false sense of security Leaks are a sign of a problem worth analyzing • All failures deserve to be addressed Acceptance of such problems is normalization of deviance • Bad things are usually the result Task force (1981) Operating at 1/3 of capacity not sustainable Task force created with members from the parent company and the subsidiary Nitrogen could also be used to move MIC (rather than use transfer pumps) • From 2 to 25 psig • Pressure information now useless Yet the circulation pumps still failed Other problems soon surfaced as a result of the changes 10
2/26/2019 More improvisations Using Nitrogen to pressurize the tank interrupted its flow to the vent header lines and the vent gas scrubber Use of iron piping and valves led to • Rust, which led to • Trimer formation, which led to • Choking of pipes and • Failure (leakage) of valves Dealing with trimer now became the priority Flushing the lines with water was the answer • Yet this led to further problems Further corrosion and repairs Process not designed for invasive maintenance • Attaching water hoses to pressure gauge taps Yet water increased the corrosion of iron pipes • Deep corrosion pits formed Leaks not tolerable and required repair • Replacing corroded sections of the pipes Note: These are not pipes at Bhopal! Water now a more likely source of MIC contamination 11
2/26/2019 Safety vs. maintainability + Inherently Safer Design ‐ Slip Blind Spacer Weld Flange Flange Joint Joint Joint with Spacer ‐ Maintainable + A fatality (Dec 1981) Repairs often required the use of blinds One worker sprayed when unbolting a flange He inhaled vapors while at the safety shower Workers felt the problem was an unforgiving, maintenance intensive process Supervisors disagreed Worker’s union insisted upon design modifications, yet supervisors refused The divide between the workers and supervisors grows 12
2/26/2019 25 workers injured (Jan 1982) One pump seal replaced with a different material (ceramic, not metallic) • Corporate did not authorize the change The seal failed catastrophically after 2 days Workers were not wearing breathing masks Supervisors considered the change sabotage 3 rd party investigation triggered Seal failure cannot be tolerated, so… Circulation pumps shut off • Pressurize the tank, rather than cool it • Such a practice is still supported in industry The divide widens Supervisors would not agree to changes • Neither side communicating or negotiating well Workers acted independently to protect themselves (e.g., use of blinds avoided) Workers took their complaints to the public • Publicity campaign with pamphlets • Public demonstrations at the factory gate Note: These are not Bhopal workers! • The public showed little interest • Supervisors terminated certain individuals • Workers came back for employment with their morale broken 13
Recommend
More recommend