Recurring Causes of Recent Chemical Accidents
U.S. Environmental Protection Agency
Chemical Emergency Preparedness and Prevention Office
This paper was originally presented at an International conference and Workshop on Reliability and Risk Management organised by AIChE/CCPS in September 1998, San Antonio, Texas
The US Environmental Protection Agency (EPA) and the Occupational Safety and Health Administration (OSHA) have investigated recent accidents at petroleum refineries, chemical manufacturing facilities, tolling operations, chemical distributors, and other types of facilities. Recurring causes of these accidents include inadequate process hazards analysis, use of inappropriate or poorly-designed equipment, inadequate indications of process condition, and others. Of particular note, installation of emissions or pollution control equipment has preceded several significant accidents, highlighting the need for stronger systems for management of change. Other recent accidents have been preceded by a series of similar accidents, near-misses, or low-level failures, pointing to the need for more attention to lessons-learned implementation and more thorough company investigation of near-misses and low-level failures as means of avoiding major accidents.
This paper presents brief case studies of several recent chemical accidents investigated by EPA and OSHA, and illustrates common root causes and other recurring themes of those accidents. These accident investigations were conducted by the EPA/OSHA Joint Chemical Accident Investigation Team. The aim of this team is to identify the root, or underlying, causes of major chemical accidents and to develop recommendations to prevent future similar accidents.
This paper presents brief case histories of several recent chemical accidents investigated by EPA and OSHA and illustrates common causes and other recurring themes of those accidents. When the underlying causes of numerous accidents are brought to light and compared against one another, recurring causes are sometimes identified - patterns that might be overlooked if investigations stop at the tip of the iceberg, or if each accident is viewed in isolation. There is value in identifying recurring root causes. The value is in determining adverse trends, in discerning the vulnerabilities and unforeseen side-effects of new technology, in identifying the obsolescence of aging equipment and systems, and in assessing the shortfalls of safety management systems in general. However, generalizing about root causes can be taken too far. One common and useful method of determining root cause is to keep asking "why?". This method must be used with a good dose of engineering judgement. The idea is to ask "why?" enough times to get to the underlying systemic cause of the event, but not so many times that the cause becomes obscured in an overarching general concern which is too vague to address. This sort of over-analysis results in abstractions and doesn’t serve any useful purpose. It’s important to keep this in mind when determining root causes; the ‘common themes’ presented in this paper are intended to be specific enough that they can be useful.
It will be useful to define some terminology that is used in this paper. Root causes are the underlying prime reasons, such as failure of particular management systems, that allow faulty design, inadequate training, or deficiencies in maintenance to exist. These, in turn, lead to unsafe acts or conditions which can result in an accident. Contributing causes are factors that, by themselves, do not lead to the conditions that ultimately caused the event; however, these factors facilitate the occurrence of the event or increase its severity. Of course, people may debate about which factors are root causes, which are contributing causes, and which are neither, but in this day and age, major accidents generally involve more than one cause. Virtually none of the accidents that EPA and OSHA investigated involved only a single cause. More commonly, half a dozen root and contributing causes were identified.
The importance of using accident investigation to identify non-causal factors should also be noted. Non-causal factors are those systematic deficiencies that may be identified during the course of an accident investigation that aren’t directly related to the cause of the accident. A thorough accident investigation will usually uncover several plausible scenarios that might have led to the accident. In fact, only one of the scenarios actually transpired, but the others might have occurred, if circumstances had been different. Each of these scenarios may identify program deficiencies which need to be addressed. Accident investigations are a valuable tool for safety program evaluation, and all deficiencies identified in alternate scenarios should be addressed. Sometimes, it can’t be determined exactly which scenario occurred. However, whenever possible, it’s important to understand which critical factors ultimately led to the accident and which did not. The common causal factors or "themes" identified in this paper are all directly related to the accidents that occurred.
Brief Accident HistoriesEPA and OSHA have investigated numerous major chemical accidents over the last several years. Most of these accidents involved fatalities, and had some significant impact on people in nearby residential communities. All involved worker injuries and substantial on-site property damage. The following list includes some of the more notable among these. Some of these were joint EPA/OSHA investigations, while others were investigated by EPA alone (OSHA investigated all of these accidents for violation of occupational health and safety laws. However, OSHA did not participate with EPA in a more in-depth "root cause" investigation for some of the incidents.).
- Terra Industries, Inc. Port Neal, Iowa, December 13, 1994; explosion of an ammonium nitrate unit; four employees were killed, 18 were hospitalized. 5700 tons of anhydrous ammonia and 25,000 gallons of nitric acid were released. Residents were evacuated from the surrounding area, and ammonia plumes were detected several miles away.
- Powell Duffryn Terminals, Inc. (PDTI), Savannah, Georgia, April 10, 1995; crude sulfate turpentine fire and hydrogen sulfide release. The fire was probably ignited by a newly installed and improperly designed activated carbon vapor control unit. 2000 residents were evacuated for up to 30 days, an elementary school was temporarily closed, and nearby marsh water was contaminated.
- NAPP Technologies, Lodi, New Jersey, April 21, 1995; a blender containing a mixture of sodium hydrosulfite, aluminum powder, potassium carbonate and benzaldehyde exploded, triggering a major fire. Water-reactive chemicals in the blender underwent an exothermic reaction after water contaminated the blender. Four fatalities and numerous injuries resulted. A nearby river was contaminated by runoff of firefighting water.
- Pennzoil Product Company Refinery, Rouseville, PA, October 16, 1995; an explosion and fire erupted in storage tanks containing flammable hydrocarbons and wastewater. Hot work near the storage tanks probably ignited the explosion. Three employees were killed and three others were injured. Two later died as a result of their injuries. Employees at the plant and nearby offices, and residents from the town of Rouseville were evacuated.
- Tosco Company Refinery, Martinez, CA, January 21, 1997; a major fire started at a hydrocracker unit when a temperature excursion occurred, causing a piping elbow to fail catastrophically. One employee was killed and forty?four were injured. Nearby residents sheltered?in?place.
- Surpass Chemical Company, Albany, NY, April 8, 1997; a storage tank failed causing a large spill of hydrochloric acid (HCl). The tank was over pressurized during a filling operation. A hydrochloric acid cloud drifted offsite, and spilled liquid entered the city storm sewer. 43 persons, including employees, were treated at hospitals; of these, 4 were hospitalized. One square block around the facility was evacuated. Students and faculty at nearby elementary schools sheltered?in?place.
- Shell Chemical Company, Deer Park, TX, June 22, 1997; a large explosion and fire occurred in an olefins production unit. Shaft blow-out of a pneumatically-assisted check valve resulted in the release of large quantities of flammable hydrocarbon gas into a congested area. A vapor cloud explosion resulted, which was felt 10 miles away. Major plant damage occurred. One employee was hospitalized, and several others received minor injuries. Nearby residential areas suffered minor blast damage, and residents sheltered?in?place. Highways west and south of the plant were closed for three hours.
- A series of explosions and fires involving ethylene oxide (ETO) packaging or sterilization operations occurred between April and November 1997; Two of the incidents occurred after installation of catalytic oxidizers in ETO exhaust ventilation systems. As a result of an accident involving ETO at Accra Pac in Elkhart, Indiana, one employee was killed, 59 others were treated at a hospital, and 3 were hospitalized. Approximately 2,500 people were evacuated from a 1 mile radius around the Accra Pac plant.
- Georgia Pacific, Columbus, Ohio, September 10, 1997; an explosion occurred in the phenol/formaldehyde reaction kettle of a resin manufacturing process. Reactants were added to the kettle in the wrong sequence and at an excessive rate, resulting in an uncontrolled exothermic reaction. One employee was killed and 13 others were treated for injuries. Fifteen nearby homes were evacuated.
These accidents involved different events, varying circumstances, and a unique set of causes. However, when the incidents are compared to one another, some common themes can be discerned. These include the following:
1. Inadequate hazard review or process hazards analysis
In almost every accident EPA and OSHA have recently investigated, some aspect of hazard review or process hazards analysis (PHA) was found to be lacking. This can take a variety of forms. In some cases, the PHA did not address known equipment failure scenarios. For example, at Shell Chemical Company in Deer Park, the PHA did not consider the possibility of check valve shaft blow-out, even though the facility and other Shell facilities had experienced near-miss blow-outs in the past. In fact, the PHA at Shell Deer Park was actually suspended in order to conduct repairs following one such incident. At Georgia Pacific in Columbus, Ohio, the PHA did not consider the runaway batch reaction resulting from a "dump-in" scenario (i.e. failure to control the rate of chemical addition to an exothermic process), and emergency pressure relief systems were not capable of relieving the pressure rise associated with such an event. The only line of defense against the event was the operator, and this was not enough.
In some accidents, a PHA was performed but it did not identify all process hazards. For example, at Napp Technologies in Lodi, New Jersey, Material Safety Data Sheets (MSDSs) were relied upon as the primary source of hazard information for gold precipitating agent, a water reactive chemical. However, while MSDSs usually provide substantial information on chemical hazards, they often provide very little information on process hazards. The MSDSs did not reveal accident history, identify or account for potential sources of water, or address the proper technology and design of equipment necessary to safely blend water reactive substances. Even for situations not involving complex chemical processing operations, MSDSs are not always sufficient to identify all reactivity, thermal stability, or explosive hazards.
In other accidents, no hazard review or PHA was performed on the process involved in the accident. This was the case at Terra Industries in Port Neal, Iowa, at PDTI in Savannah, Georgia, and at Pennzoil in Rouseville, Pennsylvania. If hazards are never reviewed or analyzed, then avoiding accidents is more a matter of luck than design.
2. Installation of pollution control equipmentSeveral of the accidents described above occurred following the installation of devices to eliminate or reduce vapor emissions. This is a reflection of inadequate hazards analysis and inadequate management of change procedures. These incidents are discussed separately, instead of being included in the general discussion above, because of the frequency of their occurrence. Each case involved a process change made with good intentions (i.e. protecting the environment), but the full implications to personnel safety were not considered.
- Prior to the accident at PDTI, the company installed an activated carbon vapor control system. The system was designed to prevent crude sulfate turpentine (CST) vapor from escaping into the environment as a result of volumetric expansion due to increasing ambient temperatures or during tank filling. PDTI installed this system in response to repeated complaints from neighboring residents of a strong odor arising from the facility. However, the company had not designed the system to prevent outside air from entering the activated carbon bed (a known cause of fires in these systems) and failed to install flame arrestors
in the vapor control system, which allowed a fire to spread from the activated carbon unit to the CST storage tanks.
- In two of the accidents involving ethylene oxide explosions, catalytic oxidation units had recently been installed to oxidize toxic emissions from ETO sterilization chambers. However, the companies did not adequately consider the hazards of confining flammable vapors in vent collection systems. Trevor Kletz has stated "The ignition of a few tens of kilograms of flammable gas inside a building can destroy it. If the gas is release out-of-doors several tonnes. are needed to destroy a building." (Kletz, 1993). The catalytic oxidizer provided an ignition source for the confined flammable vapors.
- At Surpass, the company had recently installed a scrubber at the end of the vent pipe connected to a large hydrochloric acid storage tank. The purpose of the scrubber was to neutralize acid vapor emissions from the storage tank. However, the scrubber also caused back pressure to build up in the tank when it was being filled, and the tank ruptured.
New equipment, even when well-designed, can create additional hazards if it is not properly integrated into existing systems. These accidents highlight the need for rigorous implementation of management of change procedures so that all hazards of new equipment are analyzed and accounted for.
3. Use of inappropriate or poorly designed equipmentIn several accidents, equipment used for a task was inappropriate or not in accordance with current standards:
- At Napp Technologies, the blender used to mix chemicals was not designed to mix water reactive chemicals, because water seals were used in the blender, and any seal leakage could lead to a runaway reaction. The investigation revealed that water probably did get in the blender and cause a runaway exothermic reaction.
- At Shell Chemical Company, a check valve used to control process gas flow was not properly designed for heavy-duty hydrocarbon gas service. The design of the valve and the service it was used for placed extremely high stresses on a relatively thin drive shaft dowel pin. The pin fractured and the drive shaft was expelled from the valve, resulting in a large flammable gas leak and vapor cloud explosion.
- At Pennzoil, the storage tanks involved in the fire did not have frangible roofs, which are standard for flammable liquid storage. When vapors in the storage tank ignited, the tank failed at the bottom, releasing the entire contents of the tank.
- At Georgia Pacific, the pressure relief system was incapable of relieving the two-phase flow resulting from a runaway batch reaction. The resulting pressure transient caused a vessel explosion, killing one worker.
Many other causal factors contributed to each of these accidents, but use of inappropriate or poorly designed equipment clearly stands out as a primary cause in these and other recent accidents.
4. Inadequate indications of process conditionIn several accidents, process instrumentation did not provide operators with indications needed to clearly identify unsafe process conditions:
- At Terra Industries, a probe used to monitor pH in an ammonium nitrate unit neutralization tank was out of commission for two weeks prior to the accident, but operations continued. Operators were unable to determine when unsafe acidic conditions developed in the tank, contributing to the accident.
- At the Tosco refinery in Martinez, California, control room indications of hydrocracker temperature were unreliable, and operators were forced to obtain temperature readings from a distant field instrument panel. This prevented operators from taking timely action to mitigate a dangerous temperature excursion. A pipe rupture occurred, killing one worker (ironically, the same worker who was monitoring the field temperature reading).
- At Shell, control room operators did not have instrumentation to provide indications of a major hydrocarbon leak, and therefore took no mitigating actions for four minutes after the leak started. Earlier action might have avoided or reduced the severity of the ensuing explosion.
- At Surpass Chemical Company, there was no instrument installed to indicate pressure in an HCL storage tank that was being filled using air pressure as the pumping force. Pressure increased above the tank’s pressure limit and the tank failed catastrophically.
- In two accidents at ethylene oxide sterilization facilities, no instrument to indicate ethylene oxide concentration in the sterilization chamber was installed, and operators were not able to determine if ETO concentration was greater than the lower explosive limit prior to initiating catalytic oxidation, resulting in explosions in each case.
Each of these accidents occurred or was made more severe because the instrumentation necessary to safely control the process was not available. Operators were essentially forced to "fly blind".
5. Warnings went unheeded
History shows repeatedly that major disasters are often preceded by a series of smaller accidents, near-misses, or accident precursors. This was true in some of the most notorious accidents in recent decades. In the Challenger space-shuttle accident, engineers at NASA and its contractor, Morton Thiokol, were well aware of previous malfunctions in solid rocket booster O-ring joints, and that 4 of 21 previous shuttle launches had experienced booster O-ring leakage. Engineers even met with launch managers on the morning of the accident to consider the safety implications of the O-ring problem. It was known that low ambient temperatures exacerbated the problem, and the day of the accident was the coldest launch day yet. In spite of knowledge of past problems and the explicit warnings from engineers, project managers decided to proceed with the launch over engineering objections. At Bhopal, India, smaller accidents had occurred at the plant prior to the disastrous methyl isocyanate (MIC) release in 1984, and small MIC leaks had been noted on numerous previous occasions highlighting the need for automatic MIC leak detection. In fact, workers stated that experiencing eye irritation (a symptom associated with low levels of airborne MIC) was not an unusual phenomenon, but these warnings went unheeded.
The same type of warnings existed in several of the recent accidents investigated by EPA and OSHA. Prior to the accident at Georgia Pacific, the facility had recently experienced a near miss involving similar circumstances to those resulting in the later accident. An operator added chemicals to a batch resin process at too high a rate. Other alert operators noted the procedural deviation, and were able to prevent an accident. The company investigated the incident and disciplined the first operator. No other actions were taken. In the case of Shell, the company had experienced mechanical integrity problems involving the same type of check valve on at least four earlier occasions at Deer Park and other Shell plants. One of these events involved a serious flammable gas leak at a facility in Saudi Arabia. Fortunately, the gas never ignited. The plant which experienced the earlier incident conducted an investigation, but the recommendations which might have prevented the later accident at Deer Park were never implemented there. At Tosco, operators had experienced hydrocracker temperature excursions on several previous occasions, but were able to bring process temperatures back into normal operating ranges without shutting down the unit (the standard procedure) or suffering adverse consequences. Other process upsets had been investigated, but lessons learned were generally not incorporated into operating practice.
Causes That Didn’t Make the List
If understanding recurring causal factors and root causes is important in learning about accident patterns, it’s perhaps nearly as important to recognize what root causes have not "made the list". These include training and operator error. For example, in the Shell Deer Park accident investigation, EPA and OSHA identified a total of 7 root and contributing causes and 13 recommendations. None of them explicitly addressed training or operator error. This may seem surprising, since these are often considered "the usual suspects" in accident investigations. However, while operator performance clearly plays a crucial role in safe plant operation, it is only one aspect of a proper safety management system. For most major chemical accidents, EPA and OSHA believe that it is rarely the action or inaction of a single operator that is the sole or even primary cause of an accident. The Safety Precedence Sequence illustrates that numerous barriers must fail before operator action can cause an accident:Safety Precedence Sequence:
- Design for Minimum Hazard
- Install Safety Devices
- Use Safety Warnings
- Control with Procedures / Administrative Controls
- Personnel Action by Training, Awareness, Knowledge
- Accepted Risk
Note that personnel action is almost on the bottom of the list. In keeping with this philosophy, during root cause accident investigations EPA and OSHA normally focus attention on the actions of operators as they reflect the performance of the organization and its management systems. Viewed from this perspective, operator errors, excluding willful negligence or malfeasance, are often symptoms and not really root causes. If an incident investigation program frequently assigns operator error and inadequate training as root causes, or if the recommendations frequently include disciplining operators or conducting more training, this may be a sign that the program isn’t identifying or addressing the true root causes. Likewise, if a safety management system relies on properly trained operators to take correct action as the only line of defense against a major disaster, then a facility that employs such a system is asking for trouble in the long run, because humans make mistakes.
From the perspective of the individual facility manager, catastrophic events are so rare that they may appear to be essentially impossible, and the circumstances and causes of an accident at a distant facility in a different industry sector may seem irrelevant. However, from our nationwide perspective at EPA and OSHA, while chemical accidents are not routine, they are a monthly or even weekly occurrence, and there is much to learn from the story behind each accident. Catastrophic chemical accidents still occur too often. Furthermore, when we look beyond the obvious to the underlying systemic causes of an accident, we see that the same root and contributing causes keep popping up again and again. This indicates that government and industry together are not doing a good enough job at sharing accident information and implementing lessons learned.
The views expressed in this document are the opinions of the author and may not represent official agency positions.
Kharbanda, O.P. and Stallworthy, E.A. Safety in the Chemical Industry: Lessons from Major Disasters. G.P. Publishing, Inc. Columbia, Md, 1988
Engineers, Center for Chemical Process Safety, Guidelines for Investigating Chemical Process Incidents. American Institute of Chemical Engineers, New York, 1992
Conger, D. and Elsea, K. Root Cause/Incident Investigation Workshop, Course Notes. Conger & Elsea, Inc. Woodstock, GA, 1997.
Kletz, T.A. The Unforeseen Side-Effects of Improving the Environment. Process Safety Progress, Volume 12, No. 3, June 1993.
Rogers, William P. Armstrong, Neil A. Acheson, David C. Covert, Eugene E. Feynman, Richard P. Hotz, Robert B. Kutyna, Donald J. Ride, Sally K. Rummel, Robert W. Sutter, Joseph F. Walker, Jr. Arthur B.C. Wheelon, Albert D. Yeager, Charles, Keel, Alton G. Report of the Presidential Commission on the Space Shuttle Challenger Accident. National Aeronautics and Space Administration, Washington, DC, 1986
U.S. Environmental Protection Agency, EPA Chemical Accident Investigation Report: Pennzoil Product Company Refinery Rouseville, Pennsylvania. March 1998
U.S. Environmental Protection Agency, EPA Chemical Accident Investigation Report: Powell Duffryn Terminals, Inc. Savannah, Georgia. May 1998
U.S. Environmental Protection Agency and United States Occupational Safety and Health Administration, EPA/OSHA Joint Chemical Accident Investigation Report: Napp Technologies, Inc. Lodi, New Jersey. October 1997
U.S. Environmental Protection Agency and United States Occupational Safety and Health Administration, EPA/OSHA Joint Chemical Accident Investigation Report: Shell Chemical Company, Deer Park, Texas. June, 1998
U.S. Environmental Protection Agency and United States Occupational Safety and Health Administration, EPA/OSHA Joint Chemical Accident Investigation Report: Surpass Chemical Company, Albany, NY. January 1998 draft