education for chemical engineers 8 ( 2 0 1 3 ) e12–e30

Contents lists available at SciVerse ScienceDirect

Education for Chemical Engineers

journal homepage: www.elsevier.com/locate/ece

Safety education through case study presentations

David C. Shallcross ∗
Department of Chemical and Biomolecular Engineering, University of Melbourne, Melbourne, Victoria 3010, Australia

a b s t r a c t

Process safety was introduced into the curriculum of two second year undergraduate subjects in the chemical engi-
neering programs at the University of Melbourne in 2009. As part of the student learning, groups of three to four
students were each given a safety case study to investigate and report on to the rest of the class. The case studies
include well known process incidents including Bhopal, Buncefield, Longford, Flixborough and Piper Alpha. Also
included were incidents drawn from other industries still with valuable lessons to be learnt regarding procedure
and failure modes. Each student in the group was expected to talk for 4–5 min on an aspect of the safety incident
but within a seamless presentation that was well constructed. Each student was also assigned another student for
whose presentation they were to provide a written critique. Students presenting in the second week were required
to critique the presentation of a student presenting in the first week. Both the student’s presentation and the written
critique were marked by the lecturer-in-charge. Feedback from students was very positive to the use of presentations
to study safety case studies. This paper describes how the case studies have been successfully used in the class room
and presents information on 27 case studies.
© 2012 The Institution of Chemical Engineers. Published by Elsevier B.V. All rights reserved.

Keywords: Safety; Case studies; Education; Chemical engineering; Pedagogy

1. Introduction killed four people at the T2 Laboratories chemical manufac-

The teaching of process safety is critical to any undergraduate
chemical engineering program. Students need to understand
their responsibilities to themselves, their work colleagues and
the wider community. They need to be aware of safe prac-
tices and also the consequences that may arise when those
safe practices are not followed. The teaching of safety is also
an accreditation requirement specified by international bodies
such as the Institution of Chemical Engineers (2012) and the
International Engineering Alliance (2009) as well as national
accrediting bodies such as ABET (2011) in the US and Engineers
Australia (2008). More recently the European Federation of
Chemical Engineering Working Party on Education (EFCE-WPE)
released guidelines on chemical engineering curricula within
Europe which includes a significant safety element (Gillett,
2001; EFCE, 2010European Federation of Chemical Engineer-
ing, 2010). This supports the central contention of Hendershot
and Smades (2007) that “. . .the foundation of a great safety
culture in the process industries begins in the classroom. . .”.
The importance of teaching safety was confirmed following
the investigation into the explosion and subsequent fires that
turing facility in Florida in 2007 (USCSHIB, 2009aU.S. Chemical
Safety and Hazard Investigation Board, 2009a). An investiga-
tion by the U.S. Chemical Safety and Hazard Investigation
Board found that none of the operations staff involved at the
site, including the owner, a trained chemical engineer, had any
appreciation for the hazards associated with reactive chemi-
cal processes. In their recommendations in the incident report
they strongly recommended that reactive chemical process
awareness be incorporated into all undergraduate chemical
engineering programs in the US. Subsequently Willey et al.
(2011) developed an activity for use in an undergraduate reac-
tion engineering subject based around this very incident.
In reviewing the important safety topics that all engineer-
ing students should be aware of Bryan (1999) developed a
comprehensive list that included:
• where practicing engineers would be able to find informa-
tion on safety and health rules, regulations and standards;
• employer and employee rights and responsibilities under
the law where they are practicing;
• record keeping and reporting requirements;

∗
Tel.: +61 3 8344 6614; fax: +61 3 8344 4153.
E-mail address: dcshal@unimelb.edu.au
Received 15 September 2012; Accepted 23 October 2012
1749-7728/$ – see front matter © 2012 The Institution of Chemical Engineers. Published by Elsevier B.V. All rights reserved.
http://dx.doi.org/10.1016/j.ece.2012.10.002
 education for chemical engineers 8 ( 2 0 1 3 ) e12–e30
• fire prevention and protection;
• the hazards of dealing with chemicals, toxic material and
hazardous wastes;
• biomedical hazards;
• permit-to-work systems relating to procedures including
confined space entry;
• safety management systems;
• responding to site emergencies such as hazardous material
emergencies;
• environmental protection requirements.
To this list the author could have added
• human factors and safety;
• hazards associated with maintenance procedures and
recovering from process upsets;
• process control;
• hazard identification and strategies for minimization of
risk;
• the hazards associated with reactive systems; and
• inherently safe design.
As British philosopher and statesman Edmund Burke said
in the 18th century, “Those who do not learn from history are
destined to repeat it”. Many workers have suggested that the
use of case studies is an effective method to address some
aspects of chemical engineering safety education. Saleh and
Pendley (2012) propose an entire subject on chemical engineer-
ing safety that relies in part on the use of case studies. Cortés
et al. (2012) conducted a survey of Spanish safety engineering
professionals and concluded that the best way to teach safety
in an undergraduate engineering course is via a standalone
subject. None of the engineers surveyed however in that study
were chemical engineers. Ferjencik (2007) describe a subject
that has been successfully taught in the Czech Republic for
many years that covers safety using case studies.
An equally strong argument can be made for integrating
chemical engineering safety across the chemical engineering
curriculum. Rather than addressing safety in a single subject
which is usually taught in either of the last 2 years of an under-
graduate degree the safety topics can be covered in subjects
from the first to the final semester. While a core of safety
material can be taught in a single subject together with other
material relating to sustainability, ethics and other profes-
sional issues the use of carefully selected case studies allows
many of the topics to be addressed in other units.
Safety case studies that present students with the real sit-
uations that have occurred that have resulted in either death,
injury or at least property loss, are an excellent way to engage
students in learning. Case studies include well known inci-
dents that occurred in Bhopal, Flixborough, Longford, Piper
Alpha and Texas City.
One method of using case studies in student learning is
to present selected case studies in lectures taking time to
highlight key points and the chain of events that led to the
disasters. This paper describes an alternative approach in
which groups of students prepare presentations for delivery
to the class, each group looking at a different case study. This
approach not only allows students to learn more deeply about
one specific case study but it also helps to improve their com-
munication skills.
e13
2. Background
Safety case studies are included in the two second year
subjects taught in the undergraduate chemical engineering
programs at the University of Melbourne. These subjects,
Chemical Process Analysis 1 and 2, are taught in the first and
second semesters respectively of the second year of the Bach-
elor of Science (Chemical Systems) program. At Melbourne
chemical engineering is taught in a 3-year Bachelor of Science
degree which is followed by a second-cycle 2-year Master of
Engineering (Chemical) degree. Melbourne ceased intake into
its more traditional 4-year Bachelor of Engineering programs
in 2010.
The two subjects were taught for the first time in 2009. The
syllabus for Chemical Process Analysis 1 includes an introduc-
tion to process operations, compositions of mixtures, material
balances, real gas behaviour, humidity, process control and
process safety. Chemical Process Analysis 2 covers introduc-
tory thermodynamics, concepts of energy, enthalpy and heat
capacity, energy balances involving reacting and non-reacting
systems, manufacturing processes and process safety. Both
subjects have three lectures per week, a weekly 2-h workshop
class and two laboratory classes during the semester. Each
semester includes 12 teaching weeks.
Since 2009 the class size for both subjects has ranged
between 70 and 140 students averaging around 100. The safety
case study presentation activities were conducted during the
weekly 2-h workshops towards the end of each semester. The
class was divided into separate workshops each of between 32
and 38 students. Students within each workshop were then
further divided into groups of three or four. The groups were
not self-selected being assigned by the lecturer-in-charge.
In Semester 1 half the groups were randomly assigned to
present on either a safety case study selected from the list of
case studies in the next section of this paper, or on the man-
ufacturing process of common products such as shampoo,
transdermal patches or paints. In the next semester stu-
dents were assigned to different groups with half the groups
assigned to either further safety case studies or a manu-
facturing process for the production of chemicals such as
benzene, formaldehyde or acetone. The students were typi-
cally assigned their groups and topic in Weeks 7 or 8 of the
12-week semester with presentations occurring over a 2-week
period in during Weeks 10–12.
Each student in the group was expected to talk for 4–5 min
on an aspect of the safety incident within a seamless presen-
tation that was well constructed. The groups were asked to
answer three main questions:
1. “What happened? – Describe the nature of the accident
and the consequences in terms of fatalities, injuries and/or
property loss”,
2. “What was the cause of the accident? – Describe the failure
in either equipment, procedure or personnel that led to the
accident”, and
3. “What technical improvements are required to ensure that
a similar accident will not occur again?”
The students made their presentation to the entire work-
shop so that in any one 2-h session up to six groups could
present their work. Students were assessed individually on the
content of their presentations as well as on their presentation
skills.
e14 education for chemical engineers 8 ( 2 0 1 3 ) e12–e30
Students were also assigned a class mate for whom they
had to prepare a written critique of their presentation. The
critiques were to be 200–300 words. Students were given
guidelines as to what to include in their critiques. Students
presenting in the first week of presentations were required
to critique students presenting in the second week and vice
versa. While the critiques were not used to assess the stu-
dents for whom they were written, they formed part of the
assessment for the students who prepared them.
Every student received feedback from the lecturer-in-
charge via private e-mail and all presentations were recorded
on video, allowing students to later download a record of their
group’s presentation so that they might gain further feedback.
One of the teaching staff who was familiar with all the
case studies was always present when the presentations are
made by the student groups. Each group was given immedi-
ate feedback at the end of their presentation and any errors
of fact were corrected to avoid the spreading of misinforma-
tion. Occasionally students missed some of the key points
that should have been made out of the case studies and the
opportunity was taken by the teaching staff to ensure that the
key lessons that should be learnt from the case studies were
addressed. No attempt was made to assess student learning of
the presentations in other elements of the subject assessment
such as in the final end-of-semester exam.
The topic of safety is integrated throughout the chemical
engineering programs at Melbourne. This paper describes how
it is assessed at the second year of the first cycle program.
3. The case studies
A good case study is one which has sufficient detail readily
available to allow the students to understand the nature,
causes and consequences of the incident. Also, there should
be little uncertainty or debate around the circumstances of the
event. The case studies have been chosen so that students are
able to learn important lessons from the incident. The 27 case
studies are summarized in Table 1. As well as drawing exam-
ples from the process industries the list also includes case
studies from the construction, maritime and transportation
industries.
The class is directed to important sources on information
on process safety incidents. These sources include:
• “Lees’ Loss Prevention in the Process Industries”, 3rd edi-
tion published by Elsevier and available on-line through the
Knovel resource
• Health and Safety Executive of the United Kingdom, the
government agency that investigates industry mishaps –
www.hse.gov.uk
• U.S. Chemical Safety and Hazard Investigation Board, the
US federal government agency charged with investigating
industrial chemical accidents – www.csb.gov
The underlying causes of the incidents covered in the
selected case studies include:
• design not fit-for-purpose
• human factors
• lack of safety adequate training
• lack of safety culture
• lack of understanding of hazards
• lack of understanding of underlying process principles
• poor control room display
• poor maintenance procedures
• poor general procedures
• single point failure.
Six of the case studies relate to incidents that occurred
recovering from a process upset while eight occurred during
or immediately after maintenance procedures (Table 1).
Several of the later case studies suggest that lessons from
early incidents have not been learned or remembered. These
points can be made to the presenting students. As an example,
the control room at the Hypro plant in Flixborough was located
in the middle of the process area. The control room was not
designed to withstand blast pressures and was destroyed in
the explosion killing everyone inside. Over 30 years later engi-
neers at BP’s refinery at Texas City located the portable office
close to the process area. When an explosion occurred follow-
ing a leak for the raffinate splitter tower 15 people working in
the potable offices were killed. The offices should never have
been located so close to the process area, a lesson that should
have been learnt from the Flixborough lesson. By having the
student groups present these two case studies one after the
other, similarities between the two events can be drawn to
the class’ attention.
Included in the list of case studies are examples from
other industries. The collapse of the walkway in the Kansas
City Hyatt Regency resulted from an ill-considered change to
the confirmed construction plans. The capsize of the English
Channel Ferry, Herald of Free Enterprise, occurred because of
poor procedures and a lack of a safety culture within the ship’s
company. The crash of a passenger airliner in Canada in 1989
arose from allowing an aircraft to fly with one critical piece of
equipment inoperable. The design of the wheels on Germany’s
fast trains was not fit-for-purpose and led to the derailment at
Eschede in 1998. Finally, the loss of the Russian Navy subma-
rine Kursk occurred primarily because of the failure to carry
out the most basic of maintenance procedures on practice tor-
pedoes – torpedoes that had not been checked in the 10 years
since they were manufactured.
The case studies that follow are presented in chronological
order.
3.1. Feyzin LPG explosion (January 1966)
A massive leakage of liquefied petroleum gas occurred during
a non-routine operation to obtain a sample from a 1200 m3
pressurised propane sphere (Kletz, 1999). The sphere was
one of eight on the site in Feyzin, France used to store liq-
uefied flammable gas. Operators needed to obtain a liquid
sample from the storage tank as there was concern that the
ethane content of the hydrocarbon mixture was too high. The
sampling points provided on the tank were inoperable so an
unofficial but common practice was used in which the sam-
ples were collected through two drainage valves at the base of
the tank (Atheron and Gill, 2008a).
The liquid sample was to be drained from the base of the
sphere through two valves connected in series with the upper
valve connected to the sphere and the lower valve open to
the atmosphere. When the sampling operation was nearly
complete the upper valve was closed and then cracked open
again. When no flow emerged from the cracked valve, probably
because of a blockage caused by ice, the upper valve was fully
opened. The blockage immediately cleared and the propane
gushed out. The operator was unable to close either valve – the
 education for chemical engineers 8 ( 2 0 1 3 ) e12–e30 e15

Table 1 – Summary of safety case studies.

Incident Date Location Fatalities Following During/after
process maintenance
upset

LPG explosion 01/66 Feyzin, France 18

Hydrocarbon explosion 06/74 Flixborough, UK 28
Runaway reaction and gas release 07/76 Seveso, Italy 0
Road tanker crash and explosion 07/78 San Carlos de la Rapito, Spain 215
Radioactive gas release 03/79 Three Mile Island, US 0 X
Hyatt Regency walkway collapse 07/81 Kansas City, UK 114
Toxic gas release 12/84 Bhopal, India 4000+
Radioactive gas release 04/86 Chernobyl, Ukraine 31+ X
Ship capsize 03/87 Zeebrugge, Belgium 193
Refinery fire 03/87 Grangemouth, UK 2 X
Refinery explosion 03/87 Grangemouth, UK 1 X
Tank fire 03/87 Dalmeny, UK 1 X
Offshore platform fire and explosions 07/88 North Sea, UK 167 X
Jet airliner crash 03/89 Dryden, Canada 24
Refinery explosion 10/89 Pasadena, US 23 X
Runaway reaction and explosion 03/90 Stanslow, UK 1
Chemical store fire 07/92 Bradford, UK 0
Chemical storage tank fire 09/92 Castleford, UK 5 X
Refinery explosion and fire 07/94 Milford Haven, UK 0 X
Train derailment 06/98 Eschede, Germany 101
Gas plant explosion 09/98 Longford, Australia 2 X
Loss of nuclear submarine 04/00 Russia 118
Thermal decomposition 03/01 Augusta, US 3 X X
Refinery explosion 03/05 Texas City, US 15 X
Storage tank explosion 12/05 Buncefield, UK 0
Dust explosion 02/08 Port Wentworth, US 13
Heat exchanger rupture 06/08 Houston, US 1 X

handle came off the upper valve and the lower valve became
frozen. A massive leak of LPG ensued with a vapour cloud 1 m
deep spreading over 150 m from the tank. The operators man-
aged to leave the immediate vicinity of the tanks and to stop
traffic on a nearby road however the gas ignited and the stor-
age sphere was engulfed in the fire that followed. The tank
was on flat ground so that any propane that leaked from the
tank and that was not consumed immediately collected under
the tank to burn later.
The fire fighters who arrived at the site were untrained
in dealing with LPG fires and they failed to cool the leaking
sphere, instead concentrating their efforts on cooling the other
seven sphere. The sphere was fitted with a full water deluge
system but it was capable of delivering only half the amount of
water that was actually required. Ten fire fighters were killed
in the fire that ensued when the first tank failed. As the inci-
dent ran its course four additional spheres failed and 18 people
were killed with 81 others injured (Mannan, 2005a; HSE, 2010a).
The accident occurred because an operator allowed the
two discharge valves to be open simultaneously. The conse-
quences of these actions were foreseeable.
Important lessons that may be learned from the Feyzin
disaster include:
• all procedures need to be carefully planned and the subject
of safety analyses;
• remotely controlled isolation valves need to be fitted to all
such storage tanks;
• provide an adequate water deluge system;
• the ground should slope away from storage tanks to prevent
the collection of spilled liquids under and around the tanks;
• insulate the tanks with some form of fire-resistant insula-
tion to help prevent tanks from heating rapidly in the event
of a nearby fire.
3.2. Flixborough explosion (June 1974)
The caprolactam plant located in Flixborough, England, used
a process of the partial oxidation of cyclohexane to produce
cyclohexanol and cyclohexanone as an intermediate product.
The cyclohexane was recirculated through six reactors linked
in series. The six reactors were arranged so that each succes-
sive reactor was at a lower height that the one before it. Thus
there was a considerable difference in height between the first
and last reactors. Two months before the explosion a vertical
crack was found in the fifth reactor.
The decision was taken to remove the reactor and to con-
nect a replacement bypass line between the fourth and sixth
reactors that spanned the gap between the missing reactor.
Because the inlet and outlet points of this bypass line were
at different heights the final bypass assembly contained two
90◦ bends in the pipe in close proximity to one another. The
bypass line also included two bellows sections. The bypass
pipe assembly was supported on temporary scaffolding. The
bypass line ruptured releasing cyclohexane which formed a
vapour cloud low to the ground. When the flammable mixture
encountered an ignition source a massive explosion followed
killing 28 workers and injuring 36. It has been suggested that
the leak may have been caused in some way by a fire on a
nearby pipe which had been burning for some time prior to
the explosion others (Mannan, 2005b; Khan and Abbasi, 1999;
Venart, 2007).
All 18 workers present within the control room at the
time of the explosion were killed when the room collapsed.
The control room had been located within the process area
of the plant and had not been designed to withstand the
overpressure which accompanied the explosion. The main
administration building was also destroyed but because the
incident occurred on a Saturday the building was empty.
e16 education for chemical engineers 8 ( 2 0 1 3 ) e12–e30
Indeed the loss of life could have been much higher if the
explosion had not have occurred during the weekend.
An inquiry held to investigate the incident found that insuf-
ficient design calculations had been performed for the bypass
line (Parker, 1975). The works engineer had left the company
earlier in the year before the bypass line had been installed
and there was no engineer left on site who had the neces-
sary mechanical engineering design skills to properly design
the bypass line. In the event the bypass line was designed by
chemical engineers working outside their area of competence.
The limited calculations that were made in designing the
bypass did not account for the stresses or bending moments
that would be present within the two 90◦ bends. The enquiry
also noted that after a crack had been found in the fifth reac-
tor no inspections were ever made on the other five reactors
to determine whether similar cracks existed in those reactors
(Parker, 1975).
Key lessons learned from the Flixborough disaster include:
• locating control rooms away from the process areas and
designing them to withstand explosion overpressures – this
also included the elimination of windows from control room
design;
• engineers should only work and sign off on design in their
area of competence.
3.3. Seveso gas release (July 1976)
A toxic gas release near the town of Seveso in Italy in 1976
precipitated a Europe-wide directive aimed at improving the
safety of sites holding large quantities of dangerous chemi-
cals. While no deaths could be directly and conclusively linked
to the release of the gas many suffered from ill-effects includ-
ing sever chloracne (Mannan, 2005c).
The production of 2,4,5-trichlorophenol (TCP) at the Icmesa
Chemical Company facility near Seveso was a two-stage
batch process. In the first stage 1,2,4,5-tetrachlorobenzene
was reacted with sodium hydroxide in the presence of eth-
ylene glycol at a temperature of between 170 and 180 ◦ C to
produce 2,4,5-sodium trichlorophenate. Approximately half
of the ethylene glycol was then drained off before the sec-
ond stage commenced in which the phenate was reacted with
hydrochloric acid to produce TCP.
At the time of the accident Italian law required that the
plant be closed over the weekends requiring all the processes
within the facility to be shutdown before Friday evening. On
Friday July 8, 1976 as the plant was being shutdown for the
weekend the first stage of batch process had just concluded.
The operators drained off some 15% of the ethylene glycol in
the reactor and then secured the process. This was counter to
the company guidelines which required at least 50% of the gly-
col solution to be drained off before the contents of the reactor
could be considered stable. Power to the reactor was switched
off and with the facility shutdown, the facility was left unat-
tended. Over the Friday night the temperature in the reactor
rose to around 300 ◦ C (Kletz, 2009). Just after noon on the Satur-
day bursting disk on the reactor failed releasing a cloud of toxic
gas containing dioxins into the environment. The response
of local authorities was slow and subject to much criticism
following the incident.
At the time the facility had been built the site was away
from populated areas but over time houses began to encroach
into the vicinity of the facility.
Several lessons can be learnt from the Seveso disaster
(Mannan, 2005c):
• accepted operating procedures should never be modified
without careful consideration of all the consequences;
• chemical reaction vessels should be designed to vent safely
to a flare rather than directly to the environment;
• companies and local governmental authorities should be
ready to respond to emergencies such as the accidental gas
leak as occurred at Seveso.
3.4. Road tanker explosion at San Carlos de la Rapita,
Spain (July 1978)
A road tanker was filled with a load of liquid propylene for the
journey from a refinery in Tarragona on the Spanish coast to
a customer in the centre of Spain. While travelling through
the coastal town of San Carlos de la Rapita between Valencia
and Barcelona the tanker ruptured beside a popular camp-
ing ground releasing the propylene into the atmosphere. The
hydrocarbon cloud ignited and the resulting explosion killed
215 people including the driver (Mannan, 2005d).
No facility was available at the refinery where the tanker
was filled to measure the actual tanker load. It was only once
the tanker had left the filling station that the load could actu-
ally be measured. On occasions when the tanker was overfilled
the excess could be burnt off. On the day of the accident the
road tanker was overfilled to 23½ tonnes even though it had a
maximum rated capacity of only 19 tonnes. Neither the driver
nor any of the refinery workers aware of this situation took
any action. The driver then departed on his trip.
The driver had been instructed to take a tolled dual car-
riageway which would keep the tanker away from more
populated areas and which was a relatively safer route to take.
However on his way to his destination the driver decided to
take a coastal road which wound through the middle of sev-
eral towns. As he had been given the money for the tolls this
allowed him to pocket the unspent toll charges.
While it remains unclear what the exact mechanism was
for the rupturing of the tank what is clear was that the tanker
was overloaded and unsafe. Key lessons that may be learnt
from this incident include (Mannan, 2005d):
• the importance of equipment, procedures and training to
prevent overfilling of tankers;
• the need for pressure relief systems on vehicles carrying
flammable materials;
• the importance of keeping tankers away from populated
areas;
• the importance of human factors in the operation of any
procedure.
3.5. Radioactive release at Three Mile Island (March
1979)
The Three Mile Island nuclear power plant consisted of two
pressurised water reactors. When a turbine tripped out, opera-
tors monitoring the system became confused by contradictory
information that was erroneously displayed in the control
room. In seeking to recover from the process upset they took
incorrect action which resulted in loss of water within the core.
This in turn caused a partial meltdown of core and a hydro-
gen explosion that released reactivity into the main building
(Mannan, 2005e).
 education for chemical engineers 8 ( 2 0 1 3 ) e12–e30
Some time before the actual incident, in an effort to clear
a blockage in a process air line operators connected up the
process air line to an instrument air line. Because the pres-
sure in the process air line was significantly higher than the
instrument air line, air with some condensed water entered
the instrument air line despite the presence of a non-return
valve on that line. Some hours later the water that had passed
into the instrument air line system caused isolation valves on
the condensate polishing system to close. Within seconds a
series of other equipment tripped until finally the main tur-
bine tripped out. The reactor began to shutdown however one
critical valve did not shut despite being sent the proper com-
mand to shut. Unfortunately, displayed to the operators was
not the actual state of the valve but instead the instruction
that had been sent to the valve. Thus, although the valve was
still wide open, the display in the control room indicated that
the valve was shut because this was the instruction that had
been sent to it. Another key parameter displayed on one of
the panels in the control room was the height of water within
the reactor cooling system. However it was the mass of water
present in the cooling system that was the critical parameter
to monitor, not the water level. Because the water contained
steam bubbles the fluid was less dense meaning that the liq-
uid level over-indicated the mass of liquid water available for
cooling.
As well as being misinformed about the state of two criti-
cal parameters at one point the operators had over 100 alarms
sounding on a system which did not prioritise the importance
of the many alarms. The operators on duty in the control
room were overwhelmed by the many alarms and were tricked
into incorrectly responding to the situation by the two incor-
rect pieces of information displayed in the control room. They
allowed the water levels within the reactor to fall to an unsafe
level, exposing part of the core. A steam-zirconium reaction
then occurred which generated hydrogen which later was
vented into the containment building. This hydrogen later
exploded within the building.
Some of the key lessons that may be learned from the Three
Mile Island incident include:
• the importance of showing in the control room the key
parameters that have been measured directed and which
are only inferred;
• the importance of displaying information in a logical and
clear manner which does not overwhelm the operators
particular in an emergency when multiple alarms may be
sounding;
• emergency training had centred around the failure of major
components of items of equipment rather than in consid-
ering how to respond to the more-likely failure of minor
equipment items;
• the need to learn from past mistakes which had not previ-
ously occurred at Three Mile Island;
• an appreciation that non-return valves are not designed to
be completely watertight but rather to stop the bulk flow of
liquid in the undesired direction;
• instrument air should never be interconnected with process
air (Mannan, 2005e).
3.6. Kansas City Hyatt Regency walkway collapse (July
1981)
A crowded elevated walkway spanning a hotel atrium in
Kansas City collapsed onto another lower walkway also
e17
crowded with people. Both walkways fell to the ground killing
114 and injuring more than 200 others. At the time of the
accident the hotel had only been open for a year (Petroski,
1992).
Plans called for the atrium at the new Kansas City Hyatt
Regency Hotel to be spanned by three walkways. Each walkway
was to be suspended from the ceiling by long bolts that would
take the weight of the walkway. Because two of the walkways
were to be located so that one would be directly above the
other the engineers decided to use the same very long bolts
to support both of the walkways. Each threaded bolt was to be
over 5 m in length. Nuts would be screwed onto the bolts and
then the walkways would essentially be supported by resting
on the nuts. Calculations showed that the correctly positioned
nuts would be more than able to support the weight of each
of the walkways.
Just before the walkways were to be installed the builder
approached the engineers with a request for the bolts to be
re-designed. Rather than use the series of long bolts they pro-
posed that two series of bolts be used. The higher of the two
walkways would be suspended from the ceiling using one set
of bolts while the lower walkway would be suspended from
the upper walkway above it using a second series of long bolts.
Again, nuts correctly positions on each series of bolts would
take the weight of the walkways.
The engineer-in-charge of the walkway approved this, what
appeared to be minor, amendment and construction started.
In giving his approval the engineer conducted no calculations
on the new design, assuming that the change was so minor
that the design had not changed in any significant manner.
What the engineer failed to appreciate was that the bolts
supporting the upper walkway from the upper series of bolts
suspended from the ceiling were also supporting the weight of
the lower walkway as well. These bolts and the walkway struc-
ture where they were attached were not designed to support
what was essentially a double load. Under the stress of two
fully loaded walkways the nuts failed causing the walkways
to collapse.
During construction of the walkways the labourers on the
site had noted excessive movement of these two walkways
compared to the properly installed single walkway but no one
thought to draw the movement to the attention of any of the
engineers. The engineer who signed off on the design change
without adequate checking of the new designs lost his licence
to practice as an engineer.
Lessons that may be learnt from this example from civil
engineering include:
• the importance of checking all design calculations when-
ever any design change is made, even if it appears to be
minor;
• the need to encourage all staff to report any incident or
occurrence that appears out of the ordinary.
3.7. Bhopal toxic gas release (December 1984)
In the early 1980s Union Carbide began producing pesticides
for the Indian market in a plant in Bhopal. Monomethylamine
was reacted with phosgene to produce methylisocyanate (MIC)
as an intermediate which was then in turn used to produce
the carbonate pesticides. Initially the MIC was imported from
the US so three 57 cubic metre tanks were used to store the
MIC until required. Later MIC was manufactured on the site
and the need for the tanks disappeared. They remained in
e18 education for chemical engineers 8 ( 2 0 1 3 ) e12–e30
service however. Since methylisocyanate is highly toxic the
plant included a vent gas scrubber and a flare so that in an
emergency the MIC would be safely destroyed (Mannan, 2005f).
Early is the morning on December 3, 1984 some 500–800 L
of water invaded one of the tanks storing the MIC. The water
reacted with the MIC exothermically to produce elevated tem-
peratures and increased pressures due to the production of
carbon dioxide. Chloroform that was also present attacked the
iron in the structure which in turn catalysed the trimerization
of the MIC leading to the further release of heat. The pres-
sure relief valve finally lifted venting the MIC from the tank.
The vent gas scrubber had been decommissioned sometime
before the incident and the flare stack was out of service due
to a maintenance issue. As a result the MIC, a toxic gas that
causes asphyxiation within the lungs, was released directly
into the atmosphere. For over 2 h the gas was vented and
drifted over the shanty town that had grown up around the
plant over the previous decade. Thousands died that morning
and many more died over the next decade.
The exact cause of the water entering the MIC tank has
never been established beyond doubt. Two theories have
emerged:
1) water that was being used to flush some of the process lines
leaked into the wrong area of the plant and then made its
way into the tank; or,
2) a disgruntled employee may have admitted some water
into the tank not fully realizing the consequences of their
actions.
The entire process for the production of the pesticides was
not inherently safe. Other processing routes were available
that could have been used to produce the pesticides without
using MIC as an intermediate. Moreover, there was no need
to store as much MIC on the site as was present that early
morning in December, 1984.
Key lessons learned from Bhopal include (Mannan, 2005f):
• the need to consider the continued operation of a processing
facility which is surrounded by a shanty town with a popu-
lation of many thousands;
• the need to shutdown a process when key safety equipment
is taken off-line for maintenance;
• the importance of considering whether dangerous or toxic
chemicals may be substituted by less harmful substances
within a process;
• the need to keep inventories of dangerous chemicals as low
as possible.
3.8. Chernobyl explosion and radioactivity release
(April 1986)
One of the world’s worst nuclear disasters was not caused
by any mechanical or equipment failure but instead occurred
because the engineers on site deliberately disabled a series of
safety systems in order to conduct a safety experiment on one
of the operating reactors (Mannan, 2005g).
The Chernobyl power station comprised four water-cooled
but graphite-moderated reactors each of which powered two
turbines. A feature of this type of reactor is that they are very
unstable at low power outputs and they are required to be
always operated above 20% of rated output. The reactor system
was designed with a number of different safety systems in
place that would cause the reactor to shutdown immediately
should any one of a range of different conditions exist.
The power station control systems drew their power from
the external power grid. In the event of an outage back-up
diesel-powered generators were available as a back-up power
supply but at that time in the Soviet Union the only gen-
erators available would take at least a minute to start-up in
an emergency. The engineers of the power station therefore
decided to test whether the turbines that were spinning down
in response to an emergency shutdown might still provide suf-
ficient power to safely control the reactors and their associated
systems. The engineers and operators carefully prepared a test
that would simulate an emergency shutdown. As part of the
approved sequence of events that had been agreed by all par-
ticipants part of the reactor’s safety systems would be disabled
so that the reactor would not shutdown automatically.
While the test was planned for the middle of the day it
was delayed until after midnight so that the reactor could be
taken off-line during a period of low load. Most of the senior
engineers had gone home leaving the test to be conducted by
the most junior engineers. As the test progressed the engi-
neers found that they had to take action disabling more of the
reactor’s safety system than was included in the agreed test
procedure. This was done in order to ensure that the reactor
did not shutdown prematurely.
In the early morning of April 26, 1986 the engineers oper-
ating the reactor lost control of it. Power output dropped to as
low as 3% of rated output and then spiked at around 100 times
the rated output. Water in the reactor quickly flashed into
steam which caused the pressure tubes to fail catastrophically.
The exposed zirconium reacted with the steam to produce
hydrogen which accumulated within the containing building.
When the hydrogen exploded debris was injected into the air
as the containment building failed. In the aftermath at least
31 people died as a release of the radiation but many more
may have died.
Key lessons learned from the Chernobyl explosions and
fires include (Mannan, 2005g):
• the power station had a poor safety culture as evidenced by
the decision to run a dangerous test on an operating reactor;
• it should have been impossible for the engineers to disable
the reactor’s safety features both physically and psycholog-
ically;
• a procedure that had been agreed to by all the key
stakeholders was changed without proper thought to the
consequences;
• junior engineers should never be tasked to perform
potentially dangerous activities when more experienced
engineers are available.
3.9. Herald of Free Enterprise capsize (March 1987)
A set of poor regulations that was rarely enforced was the root
cause for the capsize of the passenger and vehicle ferry Her-
ald of Free Enterprise outside the Belgium port of Zeebrugge.
Before the advent of the rail link under the English Channel,
ferries such as the Herald of Free Enterprise and its two sister
ships operated across the waterway. The ferry carried cars,
trucks and walk-on passenger usually between Dover and
Calais with occasional runs between Dover and Zeebrugge.
The ship had eight main decks, two of which were the two
main vehicle decks with doors at either end of the ship. These
through decks, completely open and without bulkheads along
 education for chemical engineers 8 ( 2 0 1 3 ) e12–e30
their length, permitted cars and trucks to drive on and off
quickly. Ramps between the dock and the ship allowed vehicle
access to the ship.
On the night of March 6, 1987 the ship was loading vehicles
in the port of Zeebrugge for the crossing to Dover. Because of
the high spring tide the ship was riding higher relative to the
dock than normal and so the captain was forced to take on
ballast water so as to trim the ship forward, i.e., the ship was
in a bow down configuration.
At the conclusion of the loading process and immediately
prior to sailing it was the duty of the assistant bosun of the
ship to ensure that the watertight doors on the bow of the
ship were closed before the ship sailed. On this occasion the
bosun had fallen asleep in his quarters and was not on deck to
perform this and his other duties. No one noticed his absence.
The ship’s Standing Orders stated that at the time of sailing it
was the responsibility of each section manager to notify the
captain in the event of any matter which might delay sailing on
time. If the captain did not receive any reports then he was to
assume that the ship was ready to sail. With the bosun absent
from his post he was unable to report that the bow doors were
not closed. It was not part of the ship’s regular procedure to
confirm that the doors were closed. The Chief Officer was the
last to leave the main deck and left assuming the bosun would
shortly arrive to close the doors.
On the ship’s bridge the captain was under pressure from
the company to depart on time. As there were no indicators
on the ship’s bridge that the bow and stern doors were closed
and sealed, the captain assumed that with no reports to the
contrary, the ship was ready to sail. The ship cleared the dock
and then sailed across the shallow inner harbour. Once clear
of the breakwater the ship rapidly accelerated. As it did so the
bow wave swept into the open doors flooding the lower car
deck. The ship rolled to port and capsized less than a minute
later. The ship sank with the loss of 193 passengers and crew.
The incident and its causes were investigated by a British
enquiry in late-1987 (Marine Accident Investigation Board,
1987). The enquiry found that there was a lack of an adequate
safety culture throughout the company that owned and oper-
ated the ships. Requests for indicators that would display on
the bridge the condition of the doors (i.e., whether opened
or closed) were denied by the owners as being wholly un-
necessary. Other concerns including the frequent overloading
of the ships went unacknowledged by management.
On a ship such as the Herald of Free Enterprise, the Ship’s
Standing Orders, the set of procedures and divisions of respon-
sibilities for the operation of the ship when at sea or in port
made no mention of the requirement to close the bow and
stern doors prior to departure.
Key lessons that may be learned from the loss of the ship
include:
• the need for clear instructions for all procedures and a clear
understanding of the division of responsibilities;
• the need for a reporting process that does not assume that
if no report is received that everything is ready to proceed;
• management must take seriously all safety concerns raised
by staff and must respond appropriately;
• an appropriate safety culture must reach to all levels
throughout an organization including the company direc-
tors.
While the loss of the ship was precipitated by the autho-
rised absence of the assistant bosun it was the ship’s poor
e19
culture of safety and lack of appropriate and fit-for-purpose
procedures that allowed the Herald of Free Enterprise to cap-
size.
3.10. Fire at BP Grangemouth Refinery (March 1987)
Two separate accidents occurred at the BP Oil Refinery at
Grangemouth in Scotland in March 1987. The first of these
occurred on March 13 when a valve on a 760 mm diameter
flare line was being removed for servicing. The line was still
under pressure when the last bolts were removed allowing an
estimated 20,000 L of hydrocarbon liquid to escape. The liq-
uid vapourised and the hydrocarbon cloud was quickly ignited
by a nearby generator. Two contractors working on the valve
replacement job were killed while another two were seriously
injured (HSE, 1988).
The refinery had three separate flares that could be used
to safely flare gases from throughout the refinery. One of the
valves in the flare system was found to not be closing prop-
erly and it decided that it should be removed, serviced and
then refitted at the earliest opportunity. Action was taken to
isolate the pipework on either side of the valve to be serviced.
It was important that the valve was completely isolated as
the refinery was to continue to operate during the mainte-
nance procedure. Workers closing one of the isolation valves
believed that it was completely closed when they were unable
to turn the valve wheel any further even with the application
of valve wheel keys. The maintenance workers ignored the
fact that between 75 and 100 mm of valve spindle protruded
from the valve body, possibly indicating that the valve was
not completely closed. In fact, scale in the line had jammed
in the valve body preventing the valve gate from completely
closing. Consequently the flare line remained pressurised. The
supervisor checked the pressure gauge on a nearby knock-out
drum and took its low reading to indicate that the line was
unpressurised. He could have checked the pressure at a further
location but did not.
Because it was accepted that the line would contain some
residual hydrocarbon gas the maintenance workers remov-
ing the valve were required to wear breathing apparatus. It
was assumed however that the amount of residual hydrocar-
bon in the line would not be sufficient to pose a threat to the
workers.
As the valve was elevated a scaffolding platform was built
to allow the maintenance team to access the valve. Access to
the platform was via a single ladder and workers had to climb
around the valve to reach it from the far side of the platform.
As the bolts were removed work was stopped by the team
when gas and liquid began to escape from the gap between
the valve flanges. It was only resumed when the workers were
reassured that the amount of hydrocarbon that could escape
was trivial.
When the final bolt was removed liquid flooded out of the
open pipe generating a hazardous vapour cloud. Two contrac-
tors managed to escape down the ladder but the other two
were unable to reach the ladder. Their bodies were recovered
from the platform and the foot of the ladder (HSE, 1988).
Key lessons that may be learned from this maintenance-
related incident include:
• the need for a clear procedure for isolating the pipe sec-
tion and a series of tests that could and should have been
conducted to ensure that the line was free of hydrocarbons;
e20 education for chemical engineers 8 ( 2 0 1 3 ) e12–e30
• the need for some form of indication on valves to show
operators whether the valve is open or closed;
• the need for all workers to have unobstructed emergency
evacuation routes even from temporary structures such as
scaffolding platforms;
• all potential sources of ignition should be carefully consid-
ered and located appropriately when hydrocarbons might
be exposed to the atmosphere.
3.11. Hydrocracker explosion at BP Grangemouth
Refinery (March 1987)
This was the second of two fatal accidents that occurred at the
BP Oil (Grangemouth) refinery in the space of 10 days in March
1987. The hydrocracker unit had been shutdown for 8 days for
repair work. Only a few hours after it had been re-started the
unit tripped out, triggered by a reading of an excessively high
temperature in the unit. The operators quickly established
that the single temperature reading that shutdown the plant
was erroneous and that the plant had been operating nor-
mally. The hydrocracker unit re-start procedure required that
the operators wait for the arrival of the hydrocracker supervi-
sor before re-starting the unit. As it was very early on Sunday
morning the operators had to wait for several hours for the
supervisor to arrive (HSE, 1988).
Without warning at 7 am there was a violent explosion on
the site centred on a low pressure separator. The unit blew
apart with the fractures triggered by severe over-pressuring of
the unit. The force of the explosion threw a 3 tonnes fragment
of the separator a kilometre away. The explosion and following
fires left one contractor dead.
The separator became over-pressured when the liquid level
in the adjacent high pressure separator dropped to such a level
that the high pressure gases were able to leak to the low pres-
sure separator. Liquid low level alarms on the high pressure
separator had been disconnected some time before the inci-
dent and it is possible that the operators were unaware how
low the liquid level in the high pressure separator had fallen.
Some of the level indicators frequent gave wrong values and
so were not always trusted by the operators. On one of the
chart traces used to show the liquid level the trace had been
offset by 10%. This meant that the trace showed a value of
12% when the liquid level had actually fallen to just 2%. At
least one operator was unaware of this critical issue and so
completely misjudged the height of liquid within the separa-
tor.
The set points on the controllers used in the plant were
manipulated by turning thumbwheels. The controller used to
control the liquid level in the separator had a thumbwheel
that turned in the opposite direction to many of the other
controllers in the control room. Investigators considered that
an operator may inadvertently turned the thumbwheel in the
wrong direction causing a valve connecting the high pressure
separator to the low pressure separator to open inappropri-
ately. The sudden over-pressuring caused the low pressure
separator to fail catastrophically.
Important lessons that can be drawn from this incident
include (HSE, 1988):
• alarm system should never be disconnected without a full
and comprehensive review of the safety of potential conse-
quences;
• pressure relief systems able to deal with the maximum
anticipated gas flow rates should be installed on all pressure
vessels;
• data should be presented to control room staff in clear and
unambiguous ways;
• the operation of control units should be consistent within a
control room.
3.12. Storage tank fire at Dalmeny Oil Storage Terminal
(June 1987)
The Dalmeny Oil Storage Terminal in Scotland consisted of 10
large tanks, three for the storage of ballast water and seven
identically size, floating roof tanks used for the storage of
crude oil. The seven tanks were all 78 m in diameter, 18 m in
height with a capacity of 81,000 m3 . In early 1987 it was found
that the bottom of one of the tanks contained approximately
1000 tonnes of a thick sludge, unevenly distributed across the
base of the tank. The decision was made to take the tank off-
line and then to clean the sludge out. This would be done by
sending workers into the tank (HSE, 1988).
A contracting company with experience in cleaning sludge
from oil tanks was engaged. The tank was emptied of crude
oil and then the tank covers were opened allowing air to enter
the tank. The workers were provided with breathing apparatus
for use whenever they were in the tank. The face masks were
supplied with air via air lines from an air source outside the
tank. The workers used hand tools to push the sludge towards
the open end of a 100 mm diameter pipeline that carried the
sludge out of the tank. The contractors worked in teams of
four with three working inside the tank and one man standing
outside.
Just after noon on June 11, 1987 the man outside the tank
saw a pale blue flame surrounding the three workers inside
the tank and called for them to evacuate immediately. Two of
the workers escaped but one did not, possibly tripping on his
air hose. He died in the subsequent fire that engulfed the tank.
During the fire the tank did not fail and the conflagration was
safely contained.
After the fire one of the men who had been working inside
the tank admitted to having been smoking inside the tank
and to throwing his cigarette butt onto the floor of the tank.
He did not appreciate the seriousness of this action at the
time as he and others had previously been smoking within the
tank during the work. The workers also admitted to frequently
removing their breathing masks as they claimed to have got-
ten used to the smell within the tank and found it easier to see.
The workers made sure that they always wore their breathing
masks when entering and leaving the tanks so as not to get
into trouble for breaking safety rules. It was impossible for
anyone outside the tank to see any transgressions occurring
within the tank.
While it appears that the workers did not undertake for-
mal safety training on site they admitted to being well aware
of the rules relating to the banning of smoking, the banning
of carrying cigarettes, matches and lighters onto the site and
the wearing of safety masks at all times within the site. How-
ever within the contractor’s workers these rules were regularly
flouted.
Investigators concluded that there was a poor safety cul-
ture on the site at the time of the accident. The safety training
was not enforced and the workers were not fully informed of
the reasons for the safety rules being in place. Management
could also have reduced the risks of an incident by using a
 education for chemical engineers 8 ( 2 0 1 3 ) e12–e30 e21

mechanical extraction system to help ventilate the tank prior • the need for adequate safety management systems.
to the maintenance operation.
Key lessons that may be learned from this fire include: 3.14. Crash of Air Ontario Flight 1363 at Dryden
Airport (March 1989)
• the importance of safety training including drills in evacu-
ating from the tank in an emergency; On March 10, 1989 Air Ontario Flight 1363 failed to gain suf-
• the need to reinforce safety every day amongst the work- ficient height to clear a group of trees beyond the end of the
force; runway at Dryden Airport in Canada and crashed killing 24
of the 69 passengers and crew on board. The Fokker F-28
regional jet aircraft with two tail-mounted engines was piloted
3.13. Loss of Piper Alpha platform (July 1988)
by an experienced captain. The plane failed to gain height
because the wings were covered with snow which severally
Piper Alpha was an offshore oil platform in the North Sea off
disrupted the ability of wings to generate sufficient lift. The
the Scottish Coast. As well as producing oil and gas from its
pilot had decided to takeoff without de-icing the plane’s wings
own wells it served as a transfer station for at least two other
(Moshansky, 1992).
oil platforms further out to sea. On July 6, 1988 one of two
On the day of the accident the auxiliary power unit on
hydrocarbon condensate pumps, pump A, was taken out of
board the aircraft was inoperable. This unit provided com-
service for routine maintenance. Pump B was started to take
pressed air and electrical power to different systems on the
over the duty of pump A. As the maintenance work would take
aircraft while the aircraft was on the ground. The unit was also
several days the decision was taken to use the opportunity
needed to start the engines when other power was unavail-
to test and calibrate a pressure relief valve on the discharge
able at an airfield. The auxiliary power unit on this particular
side of the pump. The valve was removed from the pump and
unit had a recent history of operational problems which the
replaced with a blind flange that was not tightened down. At
maintenance department had tried to rectify during the rel-
the end of the shift the recertification task on the pressure
atively short periods between scheduled flights. The decision
relief valve was incomplete and the decision was taken to
was taken to defer the correction of the persistent problems
complete the task the next day. At shift change the fact that
with the unit until the aircraft reached the maintenance base
the task was incomplete and that the blind flange was not
at Toronto after it had completed several more flights.
properly secured was not communicated to the supervisors
The airline released the pilot to fly the aircraft from Thun-
(Atheron and Gill, 2008b; Paté-Cornell, 1993).
der Bay to Winnipeg via Dryden with the auxiliary power unit
At 9:50 pm pump B tripped out and could not be re-started.
inoperable on the condition that the pilot would not shutdown
The decision was then taken to put pump A back into service.
both engines at Dryden. Keeping one engine running while on
All that had been done towards the maintenance task was
the ground would allow the other engine to be re-started for
to electrically isolate the pump. The pump was re-connected
takeoff.
and started up. Operators were unaware due to a failure of the
On arrival at Dryden several passengers disembarked while
permit-to-work system that the pressure relief valve was not
other passengers joined the flight to Winnipeg. While on the
in place and that the blind flange was not properly secured.
ground the plane was re-fuelled with one engine kept run-
Immediately the pump was started condensate leaked from
ning at all times. The flight had arrived late into Dryden and
the loose flange and ignited. The room in which the pumps
there was pressure on the pilot to takeoff from Dryden as
were located was designed to be fire proof but not explosion
soon as practicable. At the time the plane landed at Dryden
proof. The resulting explosion generated shrapnel and severed
a light snow shower set in covering the runway and aircraft
oil lines resulting in further fires and explosions.
with snow.
The Tartan and Claymore platforms continued to send oil
It is well known that accumulated snow on the wings of
and gas to the platform after the explosions on board Piper
an aircraft can significantly adversely affect the ability of the
Alpha. They were unaware of any problems. Twenty minutes
wings to generate lift. The snow disrupts the flow of air over
after the first explosion the riser carrying natural gas from the
the wing. De-icing is a normal procedure at airports subject
Tartan platform failed resulting in a massive explosion. This
to snow. The snow and ice on the wings and fuselage may be
was followed later by the failure of a second riser giving rise
removed either by mechanical methods such as scraping or by
to the third massive explosion within 30 min.
the use of chemicals such as glycols which lower the freezing
The emergency fire water system failed. Staff on board the
point of water.
platform were directed to wait within the accommodation
The operating manual for the Fokker jet aircraft expressly
block for helicopter rescue however due to the fires, explo-
prohibited any de-icing of the aircraft while an engine was
sions and heavy black smoke it was impossible for helicopters
running. The pilot in command of the aircraft was therefore
to safely reach the platform. Sixty-two escaped from the plat-
faced with a dilemma – shutdown the running engine to allow
form but 167 died. By morning the entire platform was lost.
the plane to be de-iced but stranding the aircraft at the airport
While the root cause of the disaster was traced to a faulty
as the engines could not then be re-started for takeoff.
permit-to-work system further issues relating to safety train-
The pilot elected to takeoff without de-icing the aircraft. An
ing and safety management were identified by an enquiry
experienced pilot travelling on board the aircraft observed the
established after the event. The event is summarized by Cullen
amount of ice on the wing and made the judgment that the
(1990) and Mannan (2005h).
wings needed to be de-iced. When the pilot positioned the air-
Key lessons learned from the Pipe Alpha disaster include:
craft at the threshold of the runway for takeoff the passenger
pilot did not express his concern to anyone as he did not wish
• the importance of an adequate permit-to-work system that to interfere the command decisions of the pilot in command.
cross-references related tasks; The subsequent investigation established that there was
• the need for safety training of all staff including contractors; too much snow on the wings to allow the aircraft to gain
e22 education for chemical engineers 8 ( 2 0 1 3 ) e12–e30
altitude and that the pilot erred in not having the plane
de-iced. Neither the pilot nor co-pilot were able to participate
in the investigation as both had been killed in the crash.
Lessons that may be learned from this aircraft crash
include (Moshansky, 1992):
• never dispatch an aircraft with an inoperable auxiliary
power unit;
• the importance of training pilots (and operators) that safety
always comes first in any situation;
• the need for professional to speak up when they see a poten-
tial dangerous situation arise.
3.15. Explosion at Phillips 66 complex at Pasadena
(October 1989)
The Phillips 66 Company manufactured high-density
polyethylene in its Pasadena, Texas plant. In the plant
ethylene gas was dissolved in isobutane inside long tubular
reactors. Under elevated temperatures and pressures the eth-
ylene polymerized to produce polyethylene. Other chemicals
were added to the process to modify the exact composition
of the polymer to ensure that the final product had the
desired characteristics. The polyethylene was formed as
particles within the reactor, collecting in settling legs located
along the length of the pipe reactor. In normal operation the
polyethylene granules would be collected by closing a large
ball valve at the top of the settling leg where it joined the
reactor loop. Another valve at the base of the settling leg
would then be opened and the granules would be dumped for
collection. With the lower valve closed again the upper ball
valve would be opened and the settling leg would begin to
fill with particles. At no time should both the upper or lower
valves in a settling leg be open together as the contents of the
reactor under high temperature and pressure would vent to
the atmosphere (Bethea, 2003).
In October 1989 one the settling legs became blocked and
the granules would not dump to the collection point. Nor-
mal maintenance procedures for the plant were followed and
work started clearing the blocked settling leg while the tubu-
lar reactor continued to operate. Because there was no way on
the ball valve itself to identify whether the valve was open or
closed operators queried the control room staff who advised
them that the indicator showed the valve as closed. The air
lines controlling the valve were disconnected and work com-
menced to release the blocked settling leg through the open
lower valve. At some point the air lines were re-connected to
the control valve while the maintenance job continued. This
was clearly against company maintenance policy. However,
in re-connecting the air lines they were connected the wrong
way around so that the valve position indicator in the control
room showed that the valve was open when it was in real-
ity closed. At some point the upper control valve was opened
while the lower valve was still open and over 38½ tonnes
of ethylene, isobutene, hexane and hydrogen escaped to the
atmosphere. The released gas was ignited less than 2 min after
the leak started and the resulting explosion devastated the
area. Two further massive explosions occurred in the next
hour as nearby tanks and process units ruptured. The total
death toll was 23 with estimates of the number of injuries
ranging from 130 to 300 (Mannan, 2005i).
A simple design change in the connectors for the control
valve air lines could have made it impossible to inadvertently
cross-connect the air lines as happened. There were no
indicators on the air lines to signify which air line connected
to which connection port.
Key lessons learned from the Phillips 66 disaster include:
• valves should always have external indicators on them clear
show whether they are open or closed;
• valve connectors should be designed so that they cannot
be inadvertently mis-connected particularly where such an
error would result in a catastrophic situation;
• if a simple mistake can be made by any person in a process
then eventually that mistake will be made.
3.16. Shell Stanslow Refinery explosion (March 1990)
A chemical reactor at the Shell Stanlow fluoroaromatics
plant exploded in March 1990 just after it had been charged
(Mannan, 2005j). Operators in the control room watched as the
contents of the reactor were heated to 165 ◦ C as normal. How-
ever instead of stabilising the temperature continued to rise
beyond 170 ◦ C. The reaction vessel began to vent gas and the
operators began to cool the reactor in an effort to control the
situation. At the time they were unaware that the pressure had
reached in excess of 6 MPa compared to the normal operating
pressure of 500 kPa. The reaction vessel finally failed cata-
strophically generating a large fireball which in turn sparked
of other fired around the facility. One person was killed as a
result of the event with five others injured.
Investigators later determined that water had entered the
reactor earlier in the process initiating a series of reactions
that resulted in the generation of acetic acid. The acid reacted
vigorously with the initial contents of the reactor leading to
the runaway reaction.
At the time of the incident the operators were unaware of
the real extent of the problem. Their instrumentation only told
them that the reactor contents were above the desired tem-
perature. The data display units in the control room did not
display the reaction vessel pressure and so they were unaware
of the rapid over-pressuring of the vessel. They were only
alerted to the possibility of a runaway reaction when an oper-
ator outside the control room actually observed the venting
and entered the control room to advise the staff there of the
situation. The pressure that built up within the reaction vessel
significantly exceeded the pressure relief valve setting indicat-
ing that the relief system was overwhelmed by the amount of
gas generated within the reaction vessel.
Key lessons learned from this incident include (Mannan,
2005j):
• vital process information must always be available to oper-
ators;
• the pressure relief system should have been sized to cope
with such an emergency.
3.17. Allied Colloids fire (July 1992)
A fire broke out in a chemical store at the Allied Colloids chem-
ical plant just outside Bradford in the United Kingdom. Two
chemicals which should never have been stored together in
the same location came into contact with one another and
ignited causing a blaze that left several people affected from
inhaling the chemical plume (HSE, 1993a).
The Allied Colloids chemical plant outside Bradford pro-
duced a range of speciality chemicals including polymers and
stored a range of hazardous chemicals. Much of the feedstock
 education for chemical engineers 8 ( 2 0 1 3 ) e12–e30
for the plant was stored in the raw materials warehouse which
had been built in 1989. The warehouse included two fire-
resistant store rooms. Known as the oxystores these rooms
contained floor to ceiling shelving into which bags and kegs
of material could be stored.
The genesis of the situation occurred when several kegs
of azodiisobutyronitrile (AZDN) were stored on the top shelf
in one of the oxystores directly above sacks of sodium per-
chlorate. These two chemical should never have been stored
in the same location, and certainly not in a situation in which
the contents of one container might actually leak onto another
container.
In the morning of July 21, 1992 rain fell in the district and
forklift trucks operating on the site brought water onto the
floor of the raw materials warehouse, making the floor slip-
pery. A decision was taken to apply some heating to room to
evaporate the water from the floor. It is believed that one of
the workers may have accidently turned on the steam heating
system in to one of the oxystores. The steam heating system
had been originally installed in the store room when it was
intended for other chemicals to be stored in that room. The
heating system was not required and a request had been made
to have the system removed. Instead a worker simply turned
the control off rather than disconnecting the system. In any
case, on this day the steam was switched on. The condensate
return line passed just under the ceiling near to the kegs of
AZDN. Because AZDN is thermally unstable it is believed that
the kegs became overheated and ruptured spilling onto the
sodium perchlorate and then the floor below. The rupture of
the AZDN kegs was unobserved as the store room doors were
closed.
Several hours after heating of the store room commenced
smoke was seen to be coming from the air vents leading into
the store room. The alarm was sounded and the store room
door opened to allow the managers to assess the situation.
The chemicals then ignited and the fire then spread to the sec-
ond oxystore and then the entire warehouse. Although no one
was killed several people suffered from the inhalation of the
chemicals and the water used to fight the fires escaped to the
environment causing considerable damage to the waterways
downstream of the site.
Key lessons learned from this incident include (HSE, 1993a):
• chemicals should be stored properly and the different
classes of chemicals should be kept segregated;
• work orders, particularly those relating to safety issues,
should always been completed with the highest priority.
3.18. Hickson and Welch fire (September 1992)
On 21 July 1992 workers began cleaning out the sludge from
the base of a process unit. The process unit had never been
cleaned out in its more than 30 years of operation. Only a very
simple test was made to determine the nature of the sludge
and on the basis of this test it was assumed that the sludge
was thermally stable tar. In fact the sludge was not simple tar
but a mixture of accumulated sludge containing pockets of
flammable material (HSE, 1993b).
It was decided to apply some heat to the unit in order to
soften up the sludge which was thought to be tar. Instructions
were given not to exceed a temperature of 90 ◦ C during the
heating process. However because of poor placement of the
temperature sensor the sludge was actually heated to about
180 ◦ C.
e23
While the sludge was being raked out the sludge material
ignited and a jet flame almost 5 m in diameter erupted from
the end of the process unit and struck the plant control build-
ing as well as a larger office building standing behind it and
over 50 m away from the process unit. Five people were killed
and many others were affected by exposure to the chemicals
over the coming days. While the exact source of ignition was
never confirmed it appears the most likely explanation is that
the heating by the steam caused the thermally unstable sludge
residues to exothermically decompose. The heat generated
was sufficient to ignite the chemical mixture in the vessel.
The jury at the Coroner’s Court identified a list of factors
that contributed to the incident (HSE, 1993b):
• the decision to clean out a process unit for the first time
in 30 years in the absence of a proper understanding of the
contents of the sludge in the vessel;
• the decision to apply heat to the process unit;
• the inadequacy and inaccuracy of the temperature measur-
ing and recording system within the process unit;
• the use of a metal rake to clean out the sludge; and, the
decision to allow the vessel to be raked out while heat was
still be applied to the vessel.
Key lessons learned from this sudden fire include:
• the need to develop well thought out procedures for all tasks
including those that are only rarely undertaken;
• where any work is to be conducted in a confined space
which contains process material, then the nature of that
material must be fully understood and appropriate safety
precautions put in place;
• the design and locating of office and control buildings
around a process facility must be carefully assessed consid-
ering the possibilities of fires, explosions or toxic releases.
3.19. Fire and explosions at Texaco Refinery, Milford
Haven (July 1994)
Just before 9 am on a Sunday morning a fierce electrical storm
swept through the Pembroke region of south Wales. The storm
caused a number of plant upsets and disturbances at the Tex-
aco Refinery located near the town of Milford Haven. Operators
trying to restore the refinery to normal operation allowed a
vessel to overfill resulting in the failure of piping. This led to
the release of some 20 tonnes of hydrocarbons which formed a
vapour cloud that drifted with the wind. When the cloud found
a point of ignition the resulting explosion had the destructive
power equivalent to at least 4 tonnes of high explosives. No
one was killed in the explosion, primarily because it was a
Sunday morning when few staff were around the facility, and
because of the safe and sound construction used in the plant
buildings (HSE, 1995).
During an intense period of time following the electrical
storm the operators in the refinery were busy restoring the
operation of the plant. Once the level in the de-ethaniser was
restored to its correct setting, flow to the de-butaniser was
re-started. At this time the outlet valve on the de-butaniser
to the naphtha should have opened but did not. In the con-
trol room an incorrect signal from the valve indicated that it
had opened when in fact it remained closed. Because the way
the information was displayed on the computer screens in the
control room the operators were unable to identify from the
information available that the control valve was stuck closed.
e24 education for chemical engineers 8 ( 2 0 1 3 ) e12–e30
Reacting to indications that the de-butaniser was over-
pressured the operators opened another valve which allowed
the hydrocarbon to move out of the de-butaniser to the wet
gas compressor system. Eventually the mixture of liquid and
gas overwhelmed the knock-out drum system and liquid at too
high a flow rate entered the gas line to the flare. This line failed
releasing around 20 tonnes of hydrocarbon to the atmosphere.
The explosion followed shortly after, sparking fires throughout
the facility. The line that failed was found to be partly corroded
yet investigators concluded that it would have failed under the
fast flow of liquid whether it had been corroded or not.
During the almost 5 h between the electrical storm sweep-
ing across the refinery and the explosion the operators had
been acting to restore operation of the plant. In the control
room the alarm system kept sounding hundreds of alarms,
with at one stage operators being faced with a new alarm every
2–3 s. They were overwhelmed by the information that they
were receiving and found it difficult to distinguish between
the critical alarms and those that were merely advisory (HSE,
1995).
Key lessons learned from this refinery fire include:
• the need to provide operators with information that allows
them to make appropriate decisions;
• the need to permit operators to shutdown a plant when
they are overwhelmed with responding to alarms and non-
standard situations;
• the fact that with properly designed buildings personnel can
survive extreme explosions and fires.
3.20. Eschede Train Disaster (June 1998)
On June 3, 1998 a high speed German express train travel-
ling between Munich and Hamburg at over 200 km/h derailed
just before passing under a bridge. The fourth passenger car
crashed into the bridge causing the bridge to collapse onto the
following passenger cars. Over 100 people died and 88 people
were injured (Esslinger et al., 2004; Brumsen, 2011).
During the train trip passengers in the first passenger car
sitting above one of the wheel sets felt severe and unusual
vibrations. Moments later the steel tire around one of the
wheels peeled away from the wheel and punctured the floor
of the car. The passengers were rightly alarmed to witness
the steel tire spear through the floor and an armrest narrowly
missing two passengers sitting close by. Rather than pull the
emergency stop handle located in every passenger car, one of
the passengers went looking for the conductor to report the
incident. What no one realized was that the steel tire had not
only speared the floor upwards but was hanging down below
the car running just centimetres away from the one of the rails.
It took time to find the conductor and they did not want to stop
the train until they had assessed the damage. As the conduc-
tor entered the first passenger car the train passed over a set
of diverging points. The embedded steel tire hanging below
the passenger car hit the switch work causing the trailing car-
riages to skew off onto the parallel set of tracks. The passenger
cars then jack-knifed as the train passed under a road bridge
at the town of Eschede. The fourth passenger car hit one of the
bridge supports standing beside the track causing the bridge
to collapse onto the trailing passenger cars. The leading power
car separated from the trapped carriages and came to a safe
stop further down the track.
The cause of the separation of the steel tire from the wheel
lay in the design of the wheel. The train wheels on the high
speed trains were originally formed as monoblocs, cast as a
single piece of steel. However after several months of use the
wheels were seen to be wearing an unacceptably high rate.
Metal fatigue and uneven wear on the wheels caused the
wheels to go out of round which in turn caused vibrations.
The rail engineers decided to solve the wheel problem by
fitting a steel tire to the main section of the wheel. The steel
tire was separated from the main part of the wheel by using
a rubber ring. Steel tires had long been successfully used on
trams and streetcars throughout Germany. What the rail engi-
neers did not appreciate was that the trams and streetcars that
used wheel sets of an inner steel wheel with a steel tire usu-
ally travelled up to 60 km/h only over short distances. The high
speed trains were deigned to operate at speeds up to 250 km/h
for extended periods of several hours. The engineers decided
that there was no need to conduct any tests on the new two-
steel piece wheel sets at high speed.
In operation the rail engineers observed that the steel tires
were failing more often than they should have. Every time the
wheels turned they were subjects to repetitive dynamic forces
which had not been accounted for in the design modelling of
the steel sets. And the wheels turned up to 500,000 times a day.
The fatigue cracks that formed were on the inside of the tires
where they could not be observed. As the tires became thinner
due to the continuous wear the rate of crack growth increased.
The regular maintenance checks were unable to detect the
fatigue cracks. Staff on the train logged issues relating to noise
and vibrations from the wheel set containing the failed tire as
many as eight times in the 2 months immediately preceding
the failure however no action was taken. The engineers had
designed a wheel set that was not fit for purpose. They had not
adequately designed the wheels to meet the severe demands
placed on them by the continuous high speed operation of
the trains. They took technology that worked for one applica-
tion and assumed that it would work in a completely different
environment.
Key lessons learned from the this rail disaster include
(Esslinger et al., 2004):
• the design engineers assumed that technology that worked
successful in one application could be transplanted to a
more aggressive operating environment without the need
the proper design tests;
• the railway management responsible for maintenance of
the trains did not have in place an adequate testing regime
that should have identified the metal fatigue on the tires;
• the bridge support should not have been placed so close to
the running track.
3.21. Longford explosion (September 1998)
The Longford Gas Plant located near the Australian coast pro-
cesses the gas that comes ashore from the many offshore
platforms in Bass Strait. Following a process upset on February
25, 1998 a pump supplying warm lean oil to a heat exchanger
stopped operating (Kletz, 2003). The heat exchanger used the
warm lean oil flowing through the shell-side to heat rich
oil flowing on the tube-side. With the supply of lean oil to
the heat exchanger suddenly stopped the temperature of the
exchanger temperature rapidly fell to the temperature of the
cold rich oil, around −48 ◦ C. Operators noted that ice formed
on the outside of the exchanger but did not fully understand
its significance. When the lean oil pump re-started sometime
later the oil entered the exchanger at 230 ◦ C. The thermal
 education for chemical engineers 8 ( 2 0 1 3 ) e12–e30
shock caused by this sudden and very large change in tem-
perature induced a brittle fracture in the exchanger releasing
about 10 tonnes of hydrocarbon vapour. The vapour cloud that
formed drifted downwind and ignited when it encountered a
set of heaters 170 m away. The resulting explosion and subse-
quent fires killed two operators on the site and injured eight
others.
Some years before almost all the engineers on site had been
relocated to Melbourne, some 180 km away from the plant.
There was therefore little day-to-day face-to-face discussions
between the engineers and the site operators. Subsequent
investigations identified that the plant operators did not
understand the risks of brittle fracture nor of thermal damage.
It was suggested that operator training focussed on what the
operators needed to know to complete their jobs rather than
on giving them a deeper understanding of the process allow-
ing them to cope with unforeseen circumstances (Mannan,
2005k). Obviously the decision to re-start the lean oil pump
injecting hot oil into the freezing heat exchanger was incor-
rect, however the operator was unaware of the dangers of
thermal shock.
Key lessons learned from this disaster include:
• the need for train staff to understand more about the pro-
cess than just required to complete their tasks;
• the importance of regular face-to-face contact between
operators and engineers;
• the need to have engineers on site on a day-to-day basis.
3.22. Loss of nuclear submarine Kursk (August 2000)
The K-141 Kursk was a nuclear-powered missile submarine,
the most advanced submarine of its kind possessed by the
Russian Navy. In August 2000 it was participating in a series
of war games with other submarines and surface ships of the
Russian Navy. As part of the activities it was required to make
a stealthy approach on one of the surface ships before firing a
torpedo at the ship. The torpedo was a practice one in which
the explosive-filled war-shot had been replaced by a pod of
instruments and data loggers which would monitor and record
the progress of the torpedo towards the target. The torpedo
was designed to move through the water at the speed of a
regular torpedo but at a depth that would allow it to pass under
the keel of the target ship (Moore, 2004).
In 2000 the Russian submarine force used torpedos pro-
pelled by reacting hydrogen peroxide with kerosene. With a
length of around 11 m and a mass of approximately 5 tonnes
the reaction was powerful enough to propel the torpedos
through the water at 56 km/h over a distance of 80 km. The
exothermic reaction that occurred within the torpedo was par-
ticular violent and it was essential that the two reactants were
kept separated until needed.
As a practice torpedo was being loaded into the torpedo
tube the corroded tank containing one of the reactants failed
allowing the hydrogen peroxide to prematurely react with the
kerosene. The resulting detonation of the fuel, equivalent to
the energy released by 100 kg of TNT, caused the submerged
submarine to sink bow first. As the bow of the stricken
submarine hit the seabed at a depth of 115 m the live torpedos
filled with explosives in the forward torpedo room detonated
with such a force that the forward two-thirds of the boat
were destroyed. Several sailors survived for some days in the
stern sections of the boat but they died later when a flash fire
e25
consumed what little oxygen was left in the rear engineering
spaces.
The first explosion was caused by the two reactants com-
ing into contact with one another outside the combustion
chamber in an uncontrolled manner. This occurred because of
severe corrosion of one of the two fuel chambers. The practice
torpedo that was used that day had been manufactured in
1990, 10 years before it was prepared to be fired and in that
decade it had never been fired nor had any maintenance ever
been performed on it. It had just sat for 10 years in a warehouse
on the navy base. Other torpedos from the same manufactur-
ing batch were found to have suffered similar corrosion. If an
inspection had have been carried out before the torpedo was
loaded onto the submarine the corrosion would most likely
have been identified and the torpedo not used.
The key lesson learned from the loss of the Kursk is that
regular maintenance is vital for safe operation. An adequate
safety management system would have ensured that the tor-
pedos were subject to routine maintenance and would have
been inspected prior to the fuel being loaded into them.
3.23. Thermal decomposition incident at BP Amoco,
Augusta (March 2001)
Three workers were fatally injured when the cover they were
unbolting from a process unit blew off the vessel releasing
hot molten plastic. The incident occurred at the BP Amoco
Polymers plant in Augusta, Georgia where a nylon thermoplas-
tic polymer was manufactured (USCSHIB, 2002U.S. Chemical
Safety and Hazard Investigation Board, 2002).
The manufacture of the thermoplastic polymer occurred in
a number of stages. The raw materials were first fed to a pres-
surised and heated reaction vessel in which the prepolymer
was formed. A high pressure pump then sent the prepoly-
mer to a tubular reactor before passing the material on to the
extruder and finally the pelletizer. During start-up and shut-
down the effluent from the tubular reactor was sent to the
polymer catch tank, a 2.8 cubic meter horizontal cylindrical
vessel.
On March 10, 2001 the entire unit was shutdown for main-
tenance on the extruder. The next day the polymer catch tank
was opened and thoroughly cleaned of waste material. The
unit was then sealed ready for the unit to be started up the next
day. The normal start-up procedure called for the extruder to
be test run ahead of the system being charged with material.
Unaccountably this task was not done and the unit was started
up with the raw materials flowing into the reactors. Following
normal procedures the effluent from the reactors was diverted
to the polymer catch tank for the first 50 min of operation.
When the operators attempted to start the extruder the screws
would not turn. After almost 20 min the operators abandoned
the attempt to start the extruder and decided to shutdown the
entire process. During this period the effluent from the tubular
reactors continued to fill the catch tank. As the reactors were
being flushed with solvent as part of the shutdown procedure
the catch tank continued to collect the effluent which was a
hot, partially polymerized material. Finally the catch tank was
closed off and no additional material entered the tank.
Over its years of operation the polymer catch tank had
never been filled to such an extent. The polymer near the
outside of the tank solidified into a hard crust. Solid polymer
also solidified around the drainage points and at the pressure
tapping. The hot polymer within the centre of the tank
began to thermally decompose generating gases. These gases
e26 education for chemical engineers 8 ( 2 0 1 3 ) e12–e30
pressurised the closed off tank. Because the pressure port and
drainage points were blocked by solid polymers there was no
way for the operators to know that the tank was at an elevated
pressure. Three workers were sent to open the polymer catch
tank to clean it and remove the accumulated material. As
normal they began unbolting the flat end plate that was held
in place by 44 bolts. When 22 had been removed the plate
blew off venting the hot molten plastic over the three workers
who died from their injuries. The force of the release of the
polymer severed an oil line that led to an explosion and fire.
Key lessons that can be learned from this incident include
(USCSHIB, 2002U.S. Chemical Safety and Hazard Investigation
Board, 2002):
• the need for a more rigorous assessment of the hazards and
risks associated with filling the tank to near capacity with
molten plastic;
• the need for pressure sensors appropriate for the type of
material stored in the tank;
• the importance of learning from past experiences when
the pressure tapping and pressure relief device had become
blocked with plastic;
• the operators were unaware that the polymer could thermal
decompose within the tank leading to overpressurization;
• operators had no direct measure of the level of the polymer
in the polymer catch tank.
3.24. Texas City BP refinery explosion (March 2005)
In 2005 the Texas City refinery of BP was the third largest oil
refinery operating in the US. After maintenance had been per-
formed on one of the units the raffinate splitter tower was
re-started. As part of the start-up procedure flammable liquid
hydrocarbons were pumped into the base of the tower. Due
to an operator error an outlet valve was not opened and the
tower began to fill with the hydrocarbon. The tower level indi-
cator malfunctioned and indicated that the liquid level in the
tower was actually decreasing when in fact it was overfilling.
The high level alarm did not function. The operators who were
fatigued from repeated long shifts did not realize the true sit-
uation in the tower (USCSHIB, 2007U.S. Chemical Safety and
Hazard Investigation Board, 2007).
The liquid overflowed the top of the tower and ran down
an overhead pipe to pressure relief valves located near the
ground 45 m below. These valves open discharging the liquid
to a blowdown drum. The liquid under pressure then vented
out the top of a stack connected to the drum forming a geyser.
The liquid droplets vapourised as their rained back down to
the ground, forming a dense vapour cloud. The flammable
cloud found an ignition source and detonated devastating the
unit. All the 15 people killed were working in temporary office
accommodation which had been located just 37 m away from
the blowdown drum.
While the direct cause of the incident was the failure
to open a valve and the subsequent failure of the instru-
mentation to correctly indicate that the raffinate tower was
overfilling the deaths were a direct result of the temporary
office accommodation being located too close to an operating
process facility. The offices were not associated with the oper-
ation of the unit and there was no need to locate them where
they did. The U.S. Chemical Safety and Hazard Investigation
Board found that cost-cutting and a failure to invest impaired
the safety management at Texas City. Managers relied on low
personal injury rates as a safety measure rather than the
underlying safety culture on the site. Training staff numbers
had been reduced significantly in the years leading up to the
incident and the company had not responded sufficiently to
safety concerns raised in the past.
Key lessons learned from this disaster include:
• the need for appropriately trained staff;
• the need for an appropriate staff management system that
does not permit staff to become tired working on 12-h long
shifts for weeks at a time;
• staff should not be accommodated on site or near operating
facilities unless there is a real need for them to do so, and
any staff accommodation must be built to an appropriate
standard and should not be simple trailer accommodation;
• and appropriate safety culture must be in place.
3.25. Buncefield explosion and fire (December 2005)
The Buncefield oil storage and transfer facility is located to the
north of London. Refined stocks such as petrol and aviation
jet fuel are pumped remotely into the facility from refiner-
ies across England and out to sites across south-east England
including Heathrow and Gatwick airports. On the morning of
December 11, 2006 the liquid level indicator on one of the
large tanks failed while it was receiving unleaded petrol from
a remote site. Even though the petrol was being pumped in
at a rate of 550 m3 /h into Tank 912 from 3:00 am onwards the
liquid level indicator did not show a change in the height of
liquid in the tank. Just over 2 h later the tank was completely
full and flow should have stopped automatically. It did not
and unleaded petrol began to cascade down the outside of the
tank.
Operators at the pumping station seeing that the tank was
apparently not yet full increased the flow rate of the petrol
flowing into the tank to 890 m3 /h. The operators did not stop
to consider that they had been pumping petrol into a tank for
several hours but the height as displayed had not increased.
At 5:46 am nearby security cameras showed a 2 m thick vapour
cloud on the ground and spreading out in all directions from
the storage facility. At 6:01 am the cloud detonated, ignited
by a source in a car park. The resulting explosion did a huge
amount of damage but because it was early on a Saturday
morning no one was injured.
The incident occurred because a single piece of equipment
failed (the level indicator) and because there were no other
checks in place to safeguard against this. Operator response to
what appeared to be a tank that was not filling quickly enough
was to increase the flow rate of petrol to the tank rather than
understanding why the tank was apparently slow to fill.
Key lessons to be learnt from the Buncefield incident:
• the importance of having a system that can withstand the
inevitable failure of a single piece of equipment;
• the need for appropriately trained staff.
The BMIIB (2008)Buncefield Major Incident Investigation
Board (2008) published their final reports in 2008.
3.26. Imperial Sugar refinery explosion in Port
Wentworth, Georgia (February 2008)
A series of sugar dust explosions at the Imperial Sugar refinery
in Port Wentworth, Georgia, US, killed 13 people and injured
another 36. The company received raw sugar and refined it into
 education for chemical engineers 8 ( 2 0 1 3 ) e12–e30
granulated sugar which was then either shipped as a product
or further processed on site to a range of other sugar-based
products. The refined sugar was stored in three silos, each 12 m
in diameter and 32 m in height. The sugar was moved around
the site and between the silos on conveyor belts, screw convey-
ors and by buckets. Beneath the three silos two belt conveyors
ran in a tunnel 40 m long, 2.3 m high and 3.7 m wide. The
refined, granulated sugar formed fine dust particles within the
process and these dust particles accumulated over the many
years of operation (USCSHIB, 2009bU.S. Chemical Safety and
Hazard Investigation Board, 2009b).
A 0.8 m wide steel conveyor belt in the tunnel transported
sugar from two of the silos into an elevator system that
conveyed the sugar to the packaging area. Concerned the con-
taminants might fall onto the refined sugar on its way for
packaging the engineers decided to fully enclose the conveyor
belt and its assembly. By enclosing the conveyor belt the engi-
neers prevented the fine sugar dust from dispersing into a
wider volume of air. Investigators later concluded that the con-
centration of sugar dust in the enclosed conveyor belt system
belt up to such a level that it exceeded the minimum explosible
concentration.
While the exact ignition source was never identified but
may have been an overheated roller bearing on the conveyor,
what is known is that a large dust explosion occurred within
the enclosed conveyor belt system in the evening of February
7, 2008. The explosion triggered a series of secondary explo-
sions that rippled through the facility devastating the entire
facility. It is surmised that each successive explosion dislodged
accumulated dust into the air which then ignited.
The investigators found that the conveying equipment
used on site was neither designed or maintained to mini-
mize the production of sugar dust. They found that inadequate
housekeeping activities resulted in sugar dust accumulating
throughout the facility to unacceptably high levels. Further
they found that the recently installed enclosure around the
conveyor belt increased the likelihood of a dust explosion by
allowing the concentration of dust particles to exceed the min-
imum explosible concentration (USCSHIB, 2009bU.S. Chemical
Safety and Hazard Investigation Board, 2009b).
Key lessons learned from the sugar refinery explosions
include:
• the enclosure as designed and installed was not fit for pur-
pose;
• the need for appropriate levels of housekeep to ensure that
dust did not accumulate within the process;
• the need for adequate evacuation plans and the practice of
those plans.
3.27. Goodyear heat exchanger rupture (June 2008)
Goodyear used pressurised anhydrous ammonia as a cooling
fluid in a shell and tube heat exchanger at their synthetic
rubber plant in Houston, Texas. The process chemicals to be
cooled were pumped through the tubes inside the exchanger
while the ammonia was circulated shell-side. On June 10, 2008
operators closed an isolation valve on the shell-side so that
they could replace a burst rupture disk. Closing the isolation
valve also closed off a pressure relief valve that was located
there to prevent pressure build up of the ammonia on the
shell-side. At the conclusion of the rupture disk replacement,
the isolation valve was not re-opened. The next day another
operator closed a block valve on the ammonia shell-side loop
e27
isolating the pressure control valve from the heat exchanger.
The operator was aware that the shell-side was full of pres-
surised ammonia but was unaware that the isolation valve
remained closed form the operations from the day before. The
operator assumed that any over-pressuring that might occur
would be able to vent through the valve to the pressure relief
valve (USCSHIB, 2011U.S. Chemical Safety and Hazard Investi-
gation Board, 2011).
The operator connected a steam line to the tube-side of
the exchanger in order to clean the exchanger. The steam
quickly heated up the ammonia, and with the shell-side effec-
tively isolated the pressure began to build up as the liquid
ammonia began to evaporate. Less than an hour later the
heat exchanger shell violently ruptured spraying the area with
metal shrapnel and releasing dangerous levels of ammonia to
the atmosphere. Five nearby workers were exposed to the gas
and had to be treated.
Later that morning the plant management declared the
incident over and work began to clean up the area. It was at
this point that the body of a company employee was discov-
ered amongst the debris. She had been felled by the flying
shrapnel and died on the scene. Since she was a member
of the plant’s emergency response team no one considered
her absence during the incident unusual. The company’s sys-
tem of accounting for staff had failed as no one identified
that the employee was missing after the incident. Indeed
several people who had the responsibility for accounting
for staff were unaware that this was their role in an emer-
gency. Although internal company safety policies required
that plant-wide emergency drills be conducted at least once
every three months, no such drill had been conducted in the
facility for the 4 years prior to the incident.
Key lessons learned from this incident at Goodyear include
(USCSHIB, 2011U.S. Chemical Safety and Hazard Investigation
Board, 2011):
• maintenance procedures were not followed;
• the operator did not visually check that the isolation valve
to the pressure relief valve was open before steaming the
tubes of the exchanger;
• the head count was not correctly performed and a missing
worker was not identified as being missing;
• established safety drills were not held in the facility on a
regular basis so that the workers and management were not
properly prepared to adequately respond to the incident.
4. Student feedback
Three months after completing the oral presentations stu-
dents were asked for their feedback on the effectiveness of
the oral presentations as a vehicle for instruction on pro-
cess safety. Participation in the survey was voluntary and the
responses were anonymous. Using a paper-based survey form
students were asked to state the extent to which they agreed
or disagreed with a series of statements. On a 5-point Likert
scale in which 1 is assigned to the response “Strongly disagree”
and 5 is assigned to “Strongly agree”, the responses and the
average scores for the students for the questions are presented
in Table 2.
Of the students surveyed 92% either agreed or strongly
agreed with the statement that chemical engineers need com-
munication skills of a high standard. A similar percentage also
agreed that the oral presentations helped them develop their
 e28
Table 2 – Summary of survey responses. Students asked to indicate the extent to which they either agreed or disagreed with eight statements using a 5-point Likert scale.
Statement Number of Strongly Disagree (2) Neither agree Agree (4) Strongly Average % Agree % Disagree
respondents disagree (1) nor disagree (3) agree (5) score

education for chemical engineers 8 ( 2 0 1 3 ) e12–e30

Chemical engineers need communication 38 0 0 3 17 18 4.4 92.1 0.0
skills of a high standard
The oral presentations helped me develop 37 0 2 1 25 9 4.1 91.9 5.4
my presentation skills
The oral presentations were an effective 38 0 3 6 24 5 3.8 76.3 7.9
way to learn about my particular topic
The oral presentations were an effective 38 0 5 7 22 4 3.7 68.4 13.2
way to learn about a range of safety
case studies
I found that preparing the critique for 37 1 3 11 16 6 3.6 59.5 10.8
another student helped me to think
about what is important in improving
my own presentations
My team should have been allowed to 38 1 7 16 6 8 3.3 36.8 21.1
choose its own topic from a list of topics
I recommend that the next time the 38 2 2 10 16 8 3.7 63.2 10.5
subject is taught that the presentations
are again recorded for later review by
the students
I recommend that the next time the 38 0 0 3 14 21 4.5 92.1 0.0
subject is taught all students receive
written feedback from the
lecturer-in-charge
 education for chemical engineers 8 ( 2 0 1 3 ) e12–e30
presentation skills. Over three-quarters of the class agreed
that the oral presentations were an effective way for them to
learn about the particular topic for which they had to present
on. The majority of students also agreed that the oral pre-
sentations whether they were a presenter or a member of the
audience were an effective way to learn about a range of safety
case studies.
The requirement for each student to prepare a written cri-
tique for a class mate’s presentation was set with the intention
that not only would each student receive detailed written feed-
back from a class mate but that the preparation of the critique
would allow them to reflect on their own performance. In
response to a yes/no question, “Was the written critique that
you received from your class mate helpful?” over 90% of the
cohort responded positively. However only 59.5% of the class
either agreed or strongly agreed with the statement that “I
found that preparing the critique for another student helped
me to think about what is important in improving my own
presentations.” This suggests that while the activity was pos-
itively viewed by the students as worthwhile the students
might have benefited from more preparation in self-reflection.
The cohort was generally ambivalent about being able to
choose their own topics with a small margin favouring that
outcome.
The students strongly agreed with the proposition that
the next class completing the subject should receive written
feedback from the lecturer-in-charge. While they did view the
critique written by their class mates favourably they appeared
to have greater confidence in the teaching staff to provide
useful feedback.
The students found the video recording of their presen-
tations less useful, with just over a quarter of the class
downloading their presentations from the subject web site.
Comments from the class suggest that the main reason for
this was the relatively large size of the video file being a bar-
rier to downloading. In future the video files will be saved in
a format with a significantly smaller file size. Of those that
did download the video recordings of their presentations 80%
found reviewing their presentations very helpful.
5. Concluding remarks
The 27 case studies presented have been successfully used
in the an undergraduate chemical engineering subject to not
only introduce students to the importance of safety, but also
to develop their presentation and general communication
skills. The activity described has also been designed to try to
develop the students’ willingness and ability to reflect on their
performance. The survey conducted with a random group
of students who participated in the activity 3 months later
showed that they responded very well to the activity and found
it a useful learning experience on a number of levels.
References
ABET, 2011. Criteria for accreditation engineering programs.
ABET, Engineering Accreditation Commission, Baltimore.
http://www.abet.org/uploadedFiles/Accreditation/
Accreditation Process/Accreditation Documents/Current/
eac-criteria-2012-2013.pdf (accessed 25 August, 2012).
Atheron, J., Gill, F., 2008a. Incidents That Define Process Safety.
Center for Chemical Process Safety/AIChE, New York,
pp.125–127.
e29
Atheron, J., Gill, F., 2008b. Incidents That Define Process Safety.
Center for Chemical Process Safety/AIChE, New York, pp.
277–281.
Bethea, R.M., 2003. Explosion and fire at the Phillips Company
Houston Chemical Complex, Pasadena, TX. In: Proc. SACHE
Faculty Workshop on Designing for Safe and Reliable Process
Operations, Baton Rouge, USA, September 2003.
Brumsen, M., 2011. Case description: the ICE train accident near
Eschede. Euro. Bus. Ethics Cases Context 28, 157–168.
Bryan, L.A., 1999. Educating engineers on safety. J. Manage. Eng.
15, 30–33.
Buncefield Major Incident Investigation Board, 2008. Buncefield
Investigation.
http://www.buncefieldinvestigation.gov.uk/index.htm
(accessed 25 August, 2012).
Cortés, J.M., Pellicer, E., Catalá, J., 2012. Integration of
occupational risk prevention courses in engineering degrees:
Delphi study. J. Prof. Issues Engin. Educ. Prac. 138, 31–36.
Cullen, W.D., 1990. The Public Inquiry into the Piper Alpha
Disaster. HM Stationery Office, London.
Engineers Australia, 2008. G02 Accreditation Guidelines.
Engineers Australia Accreditation Board. http://www.
engineersaustralia.org.au/sites/default/files/shado/Education/
Program%20Accreditation/AMS%20Professional%20Engineer/
G02%20Accreditation%20Criteria%20Guidelines.pdf (accessed
25 August, 2012).
Esslinger, V., Kieselbach, R., Koller, R., Weisse, B., 2004. The
railway accident of Eschede–technical background. Eng.
Failure Anal. 11, 515–535.
European Federation of Chemical Engineering, 2010. EFCE
Bologna Recommendations – EFCE recommendations for
chemical engineering education in a Bologna three cycle
degree system, EFCE. http://www.efce.org/
Bologna Recommendation.html (accessed 25 August, 2012).
Ferjencik, M., 2007. Best starting point to comprehensive process
safety education. Process Saf. Prog. 26, 195–202.
Gillett, J.E., 2001. Chemical engineering education in the next
century. Chem. Eng. Technol. 24, 561–570.
Hendershot, D.C., Smades, W., 2007. Safety culture begins in the
classroom. Process Saf. Prog. 26, 83–84.
HSE, 1988. The Fires and Explosion at BP Oil (Grangemouth)
Refinery Ltd. HSE Books, London.
HSE, 1993. The Fire at Allied Colloids Limited: A Report of HSE’s
Investigation Into the Fire at Allied Colloids Ltd., Low Moor,
Bradford on 21 July 1992. HSE Books, London.
HSE, 1993. The Fire at Hickson & Welch Ltd: A Report of the
Investigation by the Health and Safety Executive into the Fatal
Fire at Hickson & Welch Ltd, Castleford on 21 September 1992.
HSE Books, London.
HSE, 1995. The Explosion and Fires at the Texaco Refinery, Milford
Haven, 24 July 1994. HSE Books, London.
HSE, 2010. Refinery Fire at Feyzin, 4th January 1966.
http://www.hse.gov.uk/comah/sragtech/casefeyzin66.htm
(accessed 25 August, 2012).
Institution of Chemical Engineers, 2012. Accreditation of
chemical engineering degrees: a guide for university
departments and assessors, IChemE, Rugby. http://www.
icheme.org/membership/∼/media/Documents/icheme/
Membership/Accreditation/accreditationguide0212.pdf
(accessed 25 August, 2012).
International Engineering Alliance, 2009. Graduate attributes and
professional competencies, IEA.
http://www.washingtonaccord.org/IEA-Grad-Attr-Prof-
Competencies-v2.pdf (accessed 25 August, 2012).
Khan, F.I., Abbasi, S.A., 1999. Major accidents in process
industries and an analysis of causes and consequences. J.
Loss Prev. Process Ind. 12, 361–378.
Kletz, T., 1999. What Went Wrong? Case Histories of Process Plant
Disasters, 4th ed. Gulf Professional Publishing, Burlington.
Kletz, T., 2003. Still Going Wrong. Elsevier, London.
Kletz, T., 2009. What Went Wrong? Case Histories of Process Plant
Disasters and How They Could Have Been Avoided, 5th ed.
Elsevier, London, pp. 345–346.
e30 education for chemical engineers 8 ( 2 0 1 3 ) e12–e30
Marine Accident Investigation Board, 1987. Herald of Free
Enterprise report. http://www.maib.gov.uk/
publications/investigation reports/herald of free enterprise/
herald of free enterprise report.cfm (accessed 25 August,
2012).
Mannan, S., 2005a. A38 Feyzin, France, 1966. In: Lees’ Loss
Prevention in the Process Industries, third ed. Elsevier,
London, p. A1/33.
Mannan, S., 2005b. Flixborough. In: Lees’ Loss Prevention in the
Process Industries, third ed. Elsevier, pp. A2/1–A2/18.
Mannan, S., 2005c. Seveso. In: Lees’ Loss Prevention in the
Process Industries, third ed. Elsevier, pp. A5/1–A5/13.
Mannan, S., 2005d. San Carlos de la Rapita. In: Lees’ Loss
Prevention in the Process Industries, third ed. Elsevier, pp.
A16/1–A16/4.
Mannan, S., 2005e. Three Mile Island. In: Lees’ Loss Prevention in
the Process Industries, third ed. Elsevier, pp. A21/1–A21/13.
Mannan, S., 2005f. Bhopal. In: Lees’ Loss Prevention in the
Process Industries, third ed. Elsevier, pp. A5/1–A5/11.
Mannan, S., 2005g. Chernobyl. In: Lees’ Loss Prevention in the
Process Industries, third ed. Elsevier, pp. A22/1–A22/10.
Mannan, S., 2005h. Piper Alpha. In: Lees’ Loss Prevention in the
Process Industries, third ed. Elsevier, pp. A19/1–A19/14.
Mannan, S., 2005i. Pasadena. In: Lees’ Loss Prevention in the
Process Industries, third ed. Elsevier, pp: A6/1–A6/5.
Mannan, S., 2005j. A131 Stanlow, Cheshire, 1990. In: Lees’ Loss
Prevention in the Process Industries, third ed. Elsevier,
London, p. A1/62.
Mannan, S., 2005k. Longford. In: Lees’ Loss Prevention in the
Process Industries, third ed. Elsevier, London, pp. A1/66–A1/67.
Moore, R., 2004. A Time to Die: the Untold Story of the Kursk
Tragedy. Three River Press.
Moshansky, V.P., 1992. Commission of inquiry into the Air Ontario
crash at Dryden. Ontario Final Report. Government of Canada,
Ottawa.
Parker, R.J., 1975. Flixborough disaster: Report of the Court of
Inquiry. UK Department of Employment. HMSO, London.
Paté-Cornell, M.E., 1993. Learning for the Pipe Alpha accident a
postmortem analysis of technical and organizational factors.
Risk Anal. 13, 215–235.
Petroski, H., 1992. To Engineer is Human: The Role of Failure is
Structural Design. Vintage.
Saleh, J.H., Pendley, C.C., 2012. From learning from accidents to
teaching about accident causation and prevention:
multidisciplinary education and safety literacy for all
engineering students. Reliab. Eng. Syst. Saf. 99, 105–113.
U.S. Chemical Safety and Hazard Investigation Board, 2002.
Investigation Report Thermal Decomposition Incident. U.S.
Chemical Safety Board Report No. 2001-03-1-GA.
U.S. Chemical Safety and Hazard Investigation Board, 2007.
Investigation Report Refinery Explosion and Fire BP. U.S.
Chemical Safety Board Report No. 2005-04-1-TX.
U.S. Chemical Safety and Hazard Investigation Board, 2009.
Investigation Report T2 Laboratories Inc Runaway Reaction.
U.S. Chemical Safety Board Report No. 2008-3-1-FL.
U.S. Chemical Safety and Hazard Investigation Board, 2009.
Investigation Report Sugar Dust Explosion and Fire Imperial
Sugar Company. U.S. Chemical Safety Board Report No.
2008-05-1-GA.
U.S. Chemical Safety and Hazard Investigation Board, 2011. Case
study – heat exchanger rupture and ammonia release in
Houston, Texas. U.S. Chemical Safety Board Report No.
2008-064-1-TX.
Venart, J.E.S., 2007. Flixborough: a final footnote. J. Loss Prev.
Process Ind. 20, 621–643.
Willey, R.J., Fogler, H.S., Cutlip, M.B., 2011. The investigation of
process safety into a chemical reaction engineering course:
kinetic modelling of the T2 incident. Process Saf. Prog. 30,
39–44.