A different kind of “911” happened in 1984. September 11, 1984 was the date that Union Carbide management received the results of an “Operational Safety/Health Survey” completed at the Institute Methyl Isocyanate (MIC) Unit in West Virginia (now Bayer CropScience). Factory blueprints from that existing process were used to construct the pesticide factory where the Bhopal Gas Tragedy occurred.
The first installment of this 4-part Bhopal Gas Tragedy Technical Series specially produced for The Bhopal Medical Appeal introduced a Process Flow Diagram (PFD) that shows the arrangement of equipment in the Bhopal chemical plant’s methyl isocyanate (MIC) rundown and storage system. This second installment closely examines one of two “major” concerns listed in the September 11, 1984 report, which communicated the potential for a runaway reaction in that system.
More specifically, the report describes a scenario where cooling water leakage from the MRS Condenser could initiate a runaway reaction inside the MIC storage tanks. Less than three months after the audit report was submitted, a runaway reaction initiated by water leaking into an MIC storage tank did occur at the Bhopal factory. The report noted a history of cooling water contamination by this route in the past, with less severe consequences. The first part of this technical series shows how this could happen through the “MIC Rundown” line that connected the MRS Condenser to the MIC Storage Tanks, at the bottom left of the PFD.
Before proceeding, let’s all agree that hindsight is always 20/20. Trevor Kletz stated it best by referring to not knowing what you don’t know. With Trevor’s thought in mind, is it fair to criticize someone for not having the knowledge they needed to prevent an incident? Is there a difference when someone possesses the knowledge needed to prevent an incident, but fails to act upon it? Think about it.
The Bhopal Gas Tragedy forced industry to implement practices to identify, evaluate, and address process hazards like the one described in the September 11, 1984 audit report. The analysis provided in Part 2 of this technical series did not exist before the Bhopal Gas Tragedy. Like buckling one’s seatbelt upon getting into an automobile, this safety practice is so routine now that we would never think about not doing it. Things were much different back in 1984 when the concepts demonstrated here were immature at best, and not uniformly practiced globally. But if this practice was mandatory prior to 1984, would it have prevented the Bhopal Gas Tragedy?
Answering that question requires that adequate safeguards exist to realistically prevent an MIC gas release if water was to contaminate MIC in a storage tank. Many of the safeguards used to prevent this kind of incident can be observed in the PFD provided in the first part of this series. They were described by Ron Van Mynen, Union Carbide’s Corporate Director of Health and Safety, in a press conference on March 20, 1985 as:
1. A 30-ton refrigeration system to keep the MIC at a low temperature (0 °C)
2. A temperature alarm activated by high temperature (11 °C)
3. Daily MIC storage tank sample testing by operators trained to implement process isolation procedure upon obtaining evidence of contamination
4. A versatile arrangement of pipes and valves to reprocess or destroy the contaminated material
5. An empty storage tank (E-619) to contain the contaminated material and provide additional vapor space and cooling if a runaway reaction was to occur
6. A Vent Gas Scrubber (VGS) to destroy MIC through contact with a circulating stream of caustic material (sodium hydroxide)
7. A flare tower to be used as a last resort by burning-off any material making it all the way past the VGS.
On the surface, there appear to be more than enough safeguards to prevent a toxic gas release resulting from a runaway reaction inside the storage tank. However, a much different conclusion is reached by using a method that was introduced in 2001 that assigns a credit (point) value to each of the safeguards. This “Layer of Protection Analysis” (LOPA) method operates on the basic premises that (1) no safeguard is 100% perfect, or always “available,” and (2) a safeguard must be independent (an Independent Protective Layer or IPL) for any additional credit to be taken. Unfortunately, the tight-coupling of dependencies mentioned in the first installment of this series defeats essentially all of the safeguards provided in the MIC Rundown and Storage system. The graphic shows how.
For example, we might accept 1/10 credit for the 30-ton refrigeration system under the assumption that well-maintained mechanical equipment can be expected to fail once every ten years. However, looking at the drawing we see that the refrigeration system operates on discharge from the MIC Circulation Pump. If this pump fails, then the refrigeration system becomes useless (a “Common Mode Failure”). The refrigeration system is therefore dependent on Circulation Pump reliability. To complicate matters further, the high temperature alarm is dependent on refrigeration system operation, which again is dependent on MIC Circulation Pump reliability. In other words, if the MIC Circulation Pump fails then not only is the refrigeration system lost, but also the ability to detect a high temperature condition created by a thermal runaway reaction because the alarm is already active and probably disabled or ignored until the pump is repaired. In this context, the high temperature alarm serves only as a nonspecific “common trouble” alarm that can be activated either by a mechanical or process failure. Finally, if the Circulation Pump fails then the drawing shows that access to the reject line is also lost. Under these circumstances, MIC storage tank contents cannot be directed into the VGS, the empty reject storage tank, the other uncontaminated tank, or the return line back to the MIC manufacturing unit for reprocessing. None of those safeguards exist.
Furthermore, “double jeopardy” does not apply in this situation because even though the logic operating here requires two independent failures (MRS Condenser leakage and a Circulation Pump failure), only one failure is detectable at a time. In this scenario either a Circulation Pump failure or contamination incident activates the high-temperature alarm and no other independent indicator is available for the other condition, such as a high-pressure alarm. A circulation pump failure would consume the only early indicator of a continuous contamination incident, meaning that a contamination incident could progress to a very late stage before an unexpected, undeniable system response would signal a problem. In the context of the Bhopal Gas Tragedy, these circumstances sound very familiar.
Part 3 of The Bhopal Gas Tragedy Technical Series will examine the consequences of MIC pump failures at the Bhopal plant, which in reality occurred multiple times per year. For that reason, the LOPA analysis accurately ends with no credit taken for the 1 in 1 year (1/1) actual probability of a Circulation Pump failure. Factoring actual Circulation Pump reliability into the analysis creates a highly-probable proposed scenario, with 1 predicted occurrence in the first 10 years of operation. Coincidentally, a similar incident happened five years into operation at the Bhopal factory.
Most companies that use the LOPA method require a frequency far less than 1/10 (one in ten years) for a toxic chemical release with potential widespread community impact – say 1/10,000,000 or a one in ten-million-year frequency. Anything higher would require a redesign for a system not yet constructed. For systems in service with a gulf so huge between actual and acceptable, an immediate shutdown would follow.
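The credit arithmetic described above can be worked through as an added example (not part of the original series): it compares the frequency obtained by counting all seven listed safeguards as independent layers with the frequency obtained once their shared reliance on the Circulation Pump is traced. The 1/10 initiating frequency for the condenser leak, the uniform 1/10 credit per safeguard, and the link from daily sampling to the reject line are assumptions chosen to match the article's figures.

```python
from math import prod

INITIATING_FREQ = 1 / 10      # MRS Condenser leak per year (assumed, generic 1/10 rate)
TARGET_FREQ = 1 / 10_000_000  # tolerable frequency quoted in the article
NOMINAL_PFD = 1 / 10          # article's example credit, applied to every safeguard (assumed)
SUPPORT_PFD = {"circulation_pump": 1.0}  # article: fails about 1/1 per year, no credit

# Safeguard -> what it directly relies on (another safeguard or a shared support).
DEPENDS_ON = {
    "refrigeration": ["circulation_pump"],
    "high_temp_alarm": ["refrigeration"],
    "daily_sampling": ["pipes_and_valves"],    # assumed: response uses the reject line
    "pipes_and_valves": ["circulation_pump"],  # reject line access needs the pump
    "empty_tank_E619": ["pipes_and_valves"],
    "vent_gas_scrubber": ["pipes_and_valves"],
    "flare_tower": ["vent_gas_scrubber"],      # only sees material that passed the VGS
}

def root_supports(name, seen=None):
    """Follow dependencies transitively down to the shared supports."""
    seen = set() if seen is None else seen
    roots = set()
    for dep in DEPENDS_ON.get(name, []):
        if dep in seen:
            continue
        seen.add(dep)
        roots |= {dep} if dep in SUPPORT_PFD else root_supports(dep, seen)
    return roots

def naive_frequency():
    """Treat every listed safeguard as an independent layer."""
    return INITIATING_FREQ * NOMINAL_PFD ** len(DEPENDS_ON)

def independent_layers():
    """Group safeguards that share a root support; each group is one layer."""
    layers = {}
    for safeguard in DEPENDS_ON:
        key = frozenset(root_supports(safeguard)) or frozenset({safeguard})
        layers.setdefault(key, []).append(safeguard)
    return layers

def dependency_aware_frequency():
    """One credit per layer, degraded by the availability of its supports."""
    pfds = []
    for key in independent_layers():
        available = prod(1 - SUPPORT_PFD.get(s, 0.0) for s in key)
        pfds.append(1 - available * (1 - NOMINAL_PFD))
    return INITIATING_FREQ * prod(pfds)

if __name__ == "__main__":
    print(f"naive: {naive_frequency():.0e}/yr, with dependencies: "
          f"{dependency_aware_frequency():.0e}/yr, target: {TARGET_FREQ:.0e}/yr")
```

Counted naively, the seven safeguards put the scenario below the tolerable frequency; once every safeguard is traced back to the one pump, they collapse into a single layer with no credit and the result is the 1-in-10-year figure the article reports.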
Points to Remember
Hindsight is 20/20 and things unseen are readily apparent after they occur. An analysis with the level of depth demonstrated on the MIC Rundown and Storage system is probably not possible without “hindsight bias.” But this is why we investigate an incident after it occurs – to replace the things we missed with things we learn. In doing so, may we continue to learn how to avoid incidents that we cannot afford to repeat, and continue to extract value from incidents with tragic consequences.