754 PROCESS SAFETY AND PRESSURE-RELIEVING DEVICES

TABLE 9-48 Summary of Recent Major Industrial Accidents That Are Sourced to Process Safety Failure

Incident Causes HAZOP Identification of the Cause

Flixborough, UK (1974)
Cyclohexane vapor cloud
explosion
Bhopal, India (1984)
Release of poisonous MIC
gas (Methyl isocynate)
The cause was determined as the failure of a
bypass line connecting two reactors handling
high quantities of cyclohexane. The bypass
line was installed in a hurry without proper
engineering or safety review.
The multiple causes that led to this accident
included storage of a highly poisonous
chemical MIC in a facility that was shutdown
and idle, failure of the scrubbing and flare
system to absorb the toxic vapor, and lack
of knowledge on the nature of toxicity of the
chemical itself.
HAZOP would not have been able to predict the
actions of the plant staff.
A well-done HAZOP would have predicted the
hazards due to the non-operability of the relief
system. But it would not have predicted the
nature of the risk and catastrophe in case of
a loss of containment unless all details of the
chemical was known. (This raises a question
as to how much we know about the long-term
and short-term effects of chemicals).

Seveso, Italy (1976)
Release of poisonous gas
TCDD
Three Mile Island nuclear
plant (1979)
Equipment malfunction
and shutdown resulting
in partial meltdown of
reactor core
A runaway reaction caused the chemical TCDD
(2,3,7,8 tetrachlorodibenzo-paradioxin-one of
the most potent toxins known to man) to be
released through the relief system in a white
cloud over the town of Seveso. A heavy rain
washed the TCDD into the soil. Lack of
knowledge and poor communication with
public delayed response from authorities.
In the Three Mile island nuclear plant,
shutdown of main feed water pumps caused
chain shutdown of steam generators and the
reactor. Pressure build-up in the reactor
system occurred and the relief valve on
system opened to relieve the pressure,
but failed to seat back. Result was loss of
containment of coolant through the relief
valve. But somehow there was no direct way
the operators could know that the level of
coolant was dangerously low in the reactor
and that the reactor was overheating.
HAZOP would have predicted the consequences
of runaway reaction and release of the vapor. But
the lack of knowledge about the chemical itself
and its consequences would not have been
predictable by HAZOP.
In Three Mile Island, there were alarms in the
control room but the operator did not know that
the relief valve was stuck open and the coolant
level was getting low. Alarms in the control
room resulted in confused initial actions by the
operating staff that actually worsened the
situation. Though the reactor core suffered a
partial meltdown, worst case scenarios were
avoided. A HAZOP would have predicted lack of
critical alarms but would not have predicted the
actions by the operating staff. Reports indicate
that there were, in fact, too many alarms (nearly
100!) in the control room.

Piper Alpha Offshore
platform (1988)
Leaked condensate
caught fire resulting in
massive fire and
explosion and loss of the
platform
It is believed that the leak came from
pipe-work connected to a condensate pump.
A safety valve had been removed from the
pipe-work for overhaul and maintenance.
The pump itself was undergoing maintenance
work. When the pipe-work from which the
safety valve was removed was pressurized
at startup, it is believed that the leak occurred.
HAZOP would have predicted and corrected
a lot of items that were found lacking in
the platform during the subsequent inquiry
including unit spacing and locations, safety
provisions, etc., but would not have predicted
the causes of the incident and further the
reason for escalation of the incident to a
catastrophe.

(Source: G. Unni Krishnan [138], Reprinted with permission from Hydroc. Proc., By Gulf Publishing Company, copyrighted 2005;
All rights reserved.)

layout, or miss hazards due to leaks on lines that pass through
or close to a unit but carry material that is not used on that unit.
However, hazards should generally be avoided by changing the
design. Assessing hazard by HAZAN or any other technique should
always be the alternative choice.
A small team similar to that used in HAZOP carries out
HAZAN. The five steps in HAZAN are:
• Estimate how frequently the incident will occur.
• Estimate the consequences to employees, members of the public.
• Estimate the plant and profits.
• Compare the results of the first two steps with a target or
criterion.
• Decide whether it is necessary to act to reduce the incident’s
frequency or its severity.
9.145 FAULT TREE ANALYSIS
Fault tree analysis (FTA) is used to assess the frequency
of an incident. A fault tree is a diagram that shows how
primary causes produce events, which can contribute to a partic-
ular hazard. There are several pathways in which a single
primary cause can combine with other primary causes or
events. Therefore a single cause may be found in more than
one hazard, and may occur at different locations in the fault
tree.
The graphical structure of the fault tree enables the primary
causes, and secondary events are combined to produce the hazards.
We can compare the relative contributions of the different events
to the probability of the hazardous outcome by employing the
probability of occurrence of causes and events on the fault tree.