Flixborough 50 Years On: Application of Inherent Safety Principles to Plant Design

Article by Steven Murphy and Graham Ackroyd

Steven Murphy and Graham Ackroyd look at how applying Trevor Kletz’s concept of inherent safety avoids rather than controls hazards

THERE is no doubt that the principal cause of the Flixborough disaster was the poor engineering of the bypass.1 However, as others have noted,2 if the inventory of flammables had been less, if the cyclohexane had not been above its atmospheric boiling point, or if the control room had been more distant from the plant, then the consequences of the release would have been much less severe. These are some of the principles of inherent safety.

Trevor Kletz spoke of an inherently safer approach to plant design as “the avoidance of hazards rather than their control by added-on protective equipment”.3 Avoidance of hazards is fundamentally what should be strived for in process safety. Often this is not possible, either for process reasons or simply for economic ones. To assist development and early-stage design teams in applying inherent safety, a number of hierarchies of inherent safety exist. One such hierarchy is defined by the Center for Chemical Process Safety (CCPS)4 and has four categories: substitute, minimise, moderate, and simplify.

North Lincolnshire Museum. Photo by TA Culpin
Fire still in progress at Nypro Chemical Works, soon after the explosion, Flixborough, on 6 June 1974

Substitute

Simply put, this is the use of inherently safer chemicals. It can take two forms: at the chemical development stage, by selecting a safer route to a target molecule; or by changing a hazardous material or operation for a more benign one, such as replacing a flammable solvent with a solvent that has a flash point higher than the process temperature.

For example, acid chloride formation with thionyl chloride from carboxylic acids traditionally used dimethylformamide (DMF) as catalyst. This reaction was found to produce carcinogenic dimethylcarbamoyl chloride from the reaction of DMF with the chlorinating agent. Substituting triethylamine for DMF avoided this potent carcinogen being produced in a side reaction, and so the process was safer for those who might sample or otherwise contact the acid chloride.5

It’s important to note that substitution would provide the most robust avoidance of hazard. However, to be effective, substitution options must be assessed at the development stage of a process, as later in a project lifecycle it is often difficult to change solvent, raw materials, or even heat transfer fluids.

Minimise

The amount of hazardous chemical or energy should be minimised. This principle should be applied to all hazardous operations, including transport and storage, reactions, distillation, utilities, and waste treatment.

Applying the “minimise” principle to Flixborough leads us to the large inventory of cyclohexane in the plant and the possibility of using smaller capacity reactors. In the fine chemical industry, there are examples where very hazardous chemicals such as phosgene are made in-situ for consumption on the plant rather than transported and stored in large quantities.

Moderate

This inherent safety principle is concerned with reducing the impact of hazards, and there are several potential strategies for achieving that. For example, a hazardous chemical can be moderated by dilution, refrigeration, or altering its physical properties.

An example of altering physical properties to make a material safer is lessening dust explosion risk by moving away from charging fine powder to charging prills or other such larger conglomerated forms. This would lessen the potential for dust accumulation. Moderating the process does not remove the hazard; rather, it provides a robust way to lessen the frequency with which it occurs, or its impact.

Simplify

This is about making the plant and process more user friendly and so safer. Designers and engineers should aim to make the plant and process less hazardous. Often simplification can make the process easier and avoid a hazard. For example, removing an isolation stage for a multi-stage synthesis avoids using storage and transferring the potentially hazardous intermediate. In other cases, simplification removes potential sources of hazard or error traps.

An example from semi-batch manufacturing is to design plants in a vertical fashion and use gravity for feeding vessels. This reduces the need for pumping, thus eliminating a leak source, the pump, and avoiding potential pressure in the process from blocked-in scenarios.

Other industrial examples

There have been other incidents besides Flixborough where inherent safety considerations could have either prevented or reduced the impact. The three presented here highlight some of the different factors which require consideration in process design.

On 21 April 1995, an explosion and fire occurred at the Napp Technologies speciality chemical plant in Lodi, New Jersey.6 Five employees died, and most of the facility was destroyed. The incident arose from a simple toll blending operation, which should have taken less than an hour. The mixture was known to be unstable in contact with water. Despite this, water was used both for cooling and on the mechanical seal. Water had been detected in the blender on several occasions during startup, but operations continued, with nitrogen inerting being (erroneously) viewed as providing safety. On the day of the event, operators noticed the reaction producing heat and gas. They sought technical advice and after a delay there was a major deflagration leading to the loss of life. The incident featured a number of failures both in terms of risk assessment and operator training. The process would have been inherently safer by replacing the water on the seal with an inert oil. Furthermore, consideration could also have been given to an indirect cooling system.

On 19 December 2007, four people were killed and 13 others were hospitalised when an explosion occurred at T2 Laboratories in Florida, US during the production of a gasoline additive.7 In addition to flaws in the design and operation of the chemical process, the incident’s impact was increased by the choice of equipment. A lack of control of the desired reaction caused an undesired second exothermic reaction to occur which generated sufficient heat that it could not be contained. Subsequent testing showed the pressure and temperature rise during the second exothermic reaction were around 2,200 bar/min and 1,300°C/min. The normal operating pressure of the process was 50 psig (3.45 bar), but the vessel’s rupture disc set pressure was 400 psi. By the time the relief pressure was reached, there was no longer any chance of controlling the runaway reaction, and within seconds the vessel (rated to 600 psig) failed catastrophically with an estimated energy release of 1,400 lb of TNT. Given the lack of understanding of the thermal hazards, an incident was almost inevitable, but if the vessel had relieved (or even failed) at a lower pressure, then the energy release would have been minimised.

US CSB
A 2007 explosion at T2 Laboratories in Florida, US was caused by flaws in the design and operation of the chemical process, and the choice of equipment

Finally, an incident which could have been very much worse but for inherent safety considerations during the design. On 28 August 2008, a runaway reaction occurred inside a 17 m³ residue treatment pressure vessel on an insecticide manufacturing plant in West Virginia, US.8 The incident took place during the restart of the plant after a prolonged outage for engineering and process control system upgrades. The energy generated by the reaction caused the over-pressurisation and rupture of the vessel, followed by ignition of its flammable contents and a sustained fire. The incident caused two fatalities and eight injuries among workers and emergency services. However, the same plant also handled methyl isocyanate (MIC), which most readers will immediately recognise from the Bhopal disaster. This was stored in a tank near the vessel rupture, but the risk assessment for the MIC storage had identified a nearby explosion and fire as a risk. Therefore, the safety countermeasures put in place (a shield to protect the vessel from explosion debris and water cannons to avoid overheating of the vessel content in case of a nearby fire) provided some degree of moderation and prevented the accident from propagating and having even more catastrophic consequences.

US CSB
In 2008, two workers were fatally injured when a waste tank violently exploded in Institute, West Virginia

Conflicting priorities

When attempting to design an inherently safer process, one of the major issues is that there are many different aspects to process safety. While the primary focus is often on very visible consequences such as fires, explosions, and thermal runaways, other factors such as human and environmental toxicity, and increasingly, sustainability, also need to be factored into the overall risk profile of a process. Unfortunately, a choice which improves the safety in one area can often increase the risk in another. For example, using a lower-boiling solvent can provide a thermal barrier against runaway reaction hazards, but often at the price of increased flammability and/or vapour emissions due to the increased volatility. Similarly, novel green chemicals under development to improve the environmental profile of a process can introduce thermal stability or reactivity issues.

While some functions and specialist roles will be focused on addressing one specific hazard, the chemical engineer is often in a uniquely privileged position to have an overview of the entire picture. This inevitably presents a challenge in balancing the priorities of the different areas. In trying to find the optimum overall solution, it is likely that few (if any) of the specialists will get what they see as their perfect solution. In addition, the need to comply with legislation may inadvertently impose restrictions which do not allow all risks to be balanced equally.

Tools to aid inherent safety assessment

Since Kletz first documented the concept of inherent safety in 1978,9 many teams and companies have developed tools to assess the inherent safety of chemical processes. Several papers and books have surveyed the tools available to assess a process for inherent safety (Gupta & Edwards,10 Khan, Sadiq & Amyotte,11 and the CCPS4). These papers reference original work and provide a full explanation of the tools. Many of these references list tools to compare process variants in terms of their inherent safety. Examples are the Dow Chemical Exposure Index, Dow Fire & Explosion Index, INSET Toolkit, Inherent Safety Index (IS), and Mond Index.

There are an increasing number of regulations seeking to ensure chemical processes avoid unnecessary hazards and strive for processes that are inherently safe. The UK COMAH regulations and associated guidance say: “Conceptual Design: At this stage, the fundamental level of inherent safety and operability of an installation is established. The processes and organization established for this task are therefore critical. It is particularly important that the true full life costs and associated safety risks of options are considered, as CAPEX-only costing can mitigate against some basic inherently safer design objectives.”12

Several states in the US have promoted inherent safety reviews, including the Inherently Safer Systems Analysis (ISSA) required by the Contra Costa County (California)13 Industrial Safety Ordinance. More recently, similar requirements have been proposed at US federal level in the pending EPA Risk Management Plan (RMP) revisions.14

Conclusion

The Flixborough disaster served as a stark reminder of the importance of embracing inherent safety principles from the outset of process design. While numerous failures contributed to the catastrophic event, the fundamental lesson is that proactively incorporating inherent safety principles could have mitigated or prevented the devastating impact.

As we move forward, the increasing number of regulations mandating safer technology assessments and hierarchical control justifications underscores the urgency for chemical engineers to prioritise inherent safety evaluations in the early stages of project development. By thoroughly assessing and documenting inherent safety principles during the initial phases, we can effectively avoid hazards altogether, rather than relying on identifying bolt-on safety measures later in the design phase.

Consequently, chemical engineers must assess and document the inherent safety principles early in the development stage of projects to ensure the hazards are avoided rather than controlled by added-on protective equipment. Fortunately, a wealth of tools and processes exist to facilitate this. It is our professional duty as chemical engineers to learn from past incidents, such as Flixborough, and design inherently safer processes that not only enhance safety but also improve operational efficiency. By proactively incorporating inherent safety principles, we can create a more robust and sustainable future for our industry.

References

1. Health and Safety Executive, The Flixborough Disaster: Report of the Court of Inquiry, HMSO, ISBN 0113610750, 1975
2. D Crowl, J Louvar, 2011. Chemical Process Safety: Fundamentals with Applications. 3rd Edition
3. Kletz and Amyotte, Process Plants: A Handbook for Inherently Safer Design, 2nd Edition (2010)
4. Center for Chemical Process Safety, Guidelines for Inherently Safer Chemical Processes: A Life Cycle Approach, 3rd Edition
5. D Levin, Organic Process Research & Development 1997
6. https://bit.ly/4bUeWbB
7. https://bit.ly/4cbTz5x
8. https://bit.ly/3z3wdk1
9. Trevor Kletz (1978). What You Don’t Have, Can’t Leak. Chemistry and Industry, pp 287–292
10. Gupta and Edwards, Process Safety and Environmental Protection, vol. 80, pp 115–125 (May 2002)
11. https://doi.org/10.1002/prs.680220203
12. UK Health and Safety Executive, SPC/Enforcement/179
13. Contra Costa County, CA; Division 450-8.016(i), Stationary Source Safety Requirements
14. Executive Order 13650 Actions to Improve Chemical Safety and Security – a Shared Commitment


The views expressed in this article are solely those of the authors and do not necessarily reflect the views of their employer or other associated parties.

Article By

Steven Murphy

Head of process safety at Syngenta


Graham Ackroyd

Process hazards group leader, Syngenta

