Author of ‘Rethinking Bhopal’, Kenneth Bloch, is a process safety professional who has taken a very deep interest in the Bhopal Disaster story. Rethinking Bhopal is a meticulously researched account of history’s worst single-incident industrial disaster. It contextualises the process facts of the Bhopal plant, comparing them to accepted norms, and presents them in a relatively easily-digestible format. A major aim of Rethinking Bhopal is not just to produce a historical account of one terrible disaster but to engender better thinking and practice within industry professionals operating today.
Kenneth Bloch has now put together, for our benefit, a comprehensive examination of the important technical elements of the Bhopal Gas Tragedy:
“The Bhopal Gas Tragedy drove improvements that made industry safer. By protecting the lives of others, industry now honors those whose lives were suddenly changed on December 3, 1984 – some of whom may read this blog regularly. Among these are survivors who lost their health, family, or friends. Also included are workers and others who designed, operated, and maintained the equipment that became hostile. Like parents of a rebellious child that was raised and nurtured with love, care, and affection to be a productive member of society, their unjust sense of hindsight must be unbearable. My heart goes out to all of you.
Methyl Isocyanate (MIC) Rundown & Storage System
Major Safety Concerns Listed in September 11, 1984 Report
A different kind of “911” happened in 1984. September 11, 1984 was the date that Union Carbide management received the results of an “Operational Safety/Health Survey” completed at the Institute Methyl Isocyanate (MIC) Unit in West Virginia (now Bayer CropScience). Factory blueprints from that existing process were used to construct the pesticide factory where the Bhopal Gas Tragedy occurred.
More specifically, the report describes a scenario where cooling water leakage from the MRS Condenser could initiate a runaway reaction inside the MIC storage tanks. Less than three months after the audit report was submitted, a runaway reaction initiated by water leaking into an MIC storage tank did occur at the Bhopal factory. The report noted a history of cooling water contamination by this route in the past, with less severe consequences. The first part of this technical series shows how this could happen through the “MIC Rundown” line that connected the MRS Condenser to the MIC Storage Tanks, at the bottom left of the PFD.
Before proceeding, let’s all agree that hindsight is always 20/20. Trevor Kletz stated it best by referring to not knowing what you don’t know. With Trevor’s thought in mind, is it fair to criticize someone for not having the knowledge they needed to prevent an incident? Is there a difference when someone possesses the knowledge needed to prevent an incident, but fails to act upon it? Think about it.
The Bhopal Gas Tragedy forced industry to implement practices to identify, evaluate, and address process hazards like the one described in the September 11, 1984 audit report. The analysis provided in Part 2 of this technical series did not exist before the Bhopal Gas Tragedy. Like buckling one’s seatbelt upon getting into an automobile, this safety practice is so routine now that we would never think about not doing it. Things were much different back in 1984 when the concepts demonstrated here were immature at best, and not uniformly practiced globally. But if this practice was mandatory prior to 1984, would it have prevented the Bhopal Gas Tragedy?
Answering that question requires that adequate safeguards exist to realistically prevent an MIC gas release if water was to contaminate MIC in a storage tank. Many of the safeguards used to prevent this kind of incident can be observed in the PFD provided in the first part of this series. They were described by Ron Van Mynen, Union Carbide’s Corporate Director of Health and Safety, in a press conference on March 20, 1985 as:
1. A 30-ton refrigeration system to keep the MIC at a low temperature (0 ⚬C)
2. A temperature alarm activated by high temperature (11 ⚬C)
3. Daily MIC storage tank sample testing by operators trained to implement process isolation procedure upon obtaining evidence of contamination
4. A versatile arrangement of pipes and valves to reprocess or destroy the contaminated material
5. An empty storage tank (E-619) to contain the contaminated material and provide additional vapor space and cooling if a runaway reaction was to occur
6. A Vent Gas Scrubber (VGS) to destroy MIC through contact with a circulating stream of caustic material (sodium hydroxide)
7. A flare tower to be used as a last resort by burning-off any material making it all the way past the VGS.
On the surface, there appear to be more than enough safeguards to prevent a toxic gas release resulting from a runaway reaction inside the storage tank. However, a much different conclusion is reached by using a method that was introduced in 2001 that assigns a credit (point) value to each of the safeguards. This “Layer of Protection Analysis” (LOPA) method operates on the basic premises that (1) no safeguard is 100% perfect, or always “available,” and (2) a safeguard must be independent (an Independent Protective Layer or IPL) for any additional credit to be taken. Unfortunately, the tight-coupling of dependencies mentioned in the first installment of this series defeats essentially all of the safeguards provided in the MIC Rundown and Storage system. The graphic shows how.
For example, we might accept 1/10 credit for the 30-ton refrigeration system under the assumption that well-maintained mechanical equipment can be expected to fail once every ten years. However, looking at the drawing we see that the refrigeration system operates on discharge from the MIC Circulation Pump. If this pump fails, then the refrigeration system becomes useless (a “Common Mode Failure”). The refrigeration system is therefore dependent on Circulation
pump reliability. To complicate matters further, the high temperature alarm is dependent on refrigeration system operation, which again is dependent on MIC Circulation Pump reliability. In other words, if the MIC Circulation Pump fails then not only is the refrigeration system lost, but also the ability to detect a high temperature condition created by a thermal runaway reaction because the alarm is already active and probably disabled or ignored until the pump is repaired. In this context, the high temperature alarm serves only as a nonspecific “common trouble” alarm that can be activated either by a mechanical or process failure. Finally, if the Circulation Pump fails then the drawing shows that access to the reject line is also lost. Under these circumstances, MIC storage tank contents cannot be directed into the VGS, the empty reject storage tank, the other uncontaminated tank, or the return line back to the MIC manufacturing unit for reprocessing. None of those safeguards exist.
Furthermore, “double jeopardy” does not apply in this situation because even though the logic operating here requires two independent failures (MRS Condenser leakage and a Circulation Pump failure), only one failure is detectable at a time. In this scenario either a Circulation Pump failure or contamination incident activates the high-temperature alarm and no other independent indicator is available for the other condition, such as a high-pressure alarm. A circulation pump failure would consume the only early indicator of a continuous contamination incident, meaning that a contamination incident could progress to a very late stage before an unexpected, undeniable system response would signal a problem. In the context of the Bhopal Gas Tragedy, these circumstances sound very familiar.
Part 3 of The Bhopal Gas Tragedy Technical Series will examine the consequences of MIC pump failures at the Bhopal plant, which in reality occurred multiple times per year. For that reason, the LOPA analysis accurately ends with no credit taken for the 1 in 1 year (1/1) actual probability of a Circulation Pump failure. Factoring actual Circulation Pump reliability into the analysis creates a highly-probable proposed scenario, with 1 predicted occurrence in the first 10 years of operation. Coincidentally, a similar incident happened five years into operation at the Bhopal factory.
Most companies that use the LOPA method require a frequency far less than 1/10 (one in ten years) for a toxic chemical release with potential widespread community impact – say 1/10,000,000 or a one in ten-million-year frequency. Anything higher would require a redesign for a system not yet constructed. For systems in service with a gulf so huge between actual and acceptable, an immediate shutdown would follow.
Points to Remember
Hindsight is 20/20 and things unseen are readily apparent after they occur. An analysis with the level of depth demonstrated on the MIC Rundown and Storage system is probably not possible without “hindsight bias.” But this is why we investigate an incident after it occurs – to replace the things we missed with things we learn. In doing so, may we continue to learn how to avoid incidents that we cannot afford to repeat, and continue to extract value from incidents with tragic consequences.
Many significant incident investigations finish after determining what happened. However, knowing why the incident happened is infinitely more important. Unfortunately, this is where most incident investigation reports fail. They describe only what happened without explaining why it happened.
Simply knowing what happened makes it difficult to prevent future problems. In other words, adding value requires knowing why the incident happened. Only then can we picture how we might react to the same situation when things start brewing again. But determining why an incident happened usually requires looking deep beneath the surface of what happened. Sometimes it exposes something that changes our perception about what happened.
The Bhopal Gas Tragedy is a perfect example that supports this fact. Union Carbide’s website that covers the Bhopal Gas Tragedy provides access to an independent investigation report issued by Arthur D. Little (ADL). This report contains trustworthy information about the incident. Indeed, the ADL report offers a credible, scientific basis behind what happened. But does the report accurately reflect why the incident happened?
To answer that question, let’s consider how the completeness of a formal incident investigation report might be assessed. For one thing, one might expect the final investigation report to contain no technical inconsistencies. Disparities that are not thoroughly explained ultimately lead to conjecture and controversy. This could unfairly undermine the credibility of an otherwise good investigation report, and the investigation team’s effort behind it. Therefore, a final investigation report carefully documents how technical differences between one or more credible references were resolved. Never should a final investigation report fail to meet this basic expectation for acceptance, especially in cases involving severe consequences.
Specific information contained in the ADL report conflicts with a system diagram that was published in Union Carbide’s official internal investigation report. In this way the ADL report does not satisfy a basic requirement for an acceptable final investigation report. The conflicting references are both considered credible, since they originated from a common source (Union Carbide).
In the ADL report we read: “The MIC was transferred in one-ton batches to a charge pot in the SEVIN unit using nitrogen pressure. A nitrogen pressure of at least 14 PSIG in the MIC storage tank was necessary to move the material from the storage area to the SEVIN unit charge pot at a reasonable rate.”
This technical description contradicts information in the tank diagram that shows a “transfer pump” attached to the MIC storage tank. If a MIC transfer pump existed as indicated on the tank drawing, then there was no need to establish a minimum pressure of 14 PSIG inside the MIC storage tank as stated in the ADL report. The transfer pump would have delivered MIC into the pesticide production area (MIC Derivatives) without difficulty, regardless of the storage tank pressure.
Prematurely jumping to conclusions can hamper an otherwise good investigation. This inconsistency simply means that the documentation in the ADL report is incomplete. The significance of any disparity detected during an incident investigation is unknown until it has been completely examined. Closing the information gap requires poking beneath the surface of what happened. Digging deeper to reconcile the inconsistency may yield more insight into why the Bhopal Gas Tragedy happened.
The photograph appearing at the top of this article contains visible evidence that the MIC transfer pumps were installed during original factory construction. Notice the five small concrete pump pedestals at the bottom-right of the photo, in the space between the MIC and solvent storage tanks. At the time of the incident on December 3, 1984 these pumps were not being used.
This third installment of the Bhopal Gas Tragedy Technical Series (click on the graphic above to download the pdf file) covers the significance of this intentional change in operating methodology. The top line (boxes 1 through 3) simulates how the system was expected to perform under design conditions when the factory was commissioned with MIC transfer pumps. The MIC storage tank vent valves were always open, allowing nitrogen to continuously contact the iron components in MIC vapor service. This type of operation was simple, clean, and efficient. Pipes and valves in MIC vapor service remained free from rust and debris. There was no need to clean them routinely, in between major maintenance intervals. The decision to save money by constructing system components in MIC vapor service with iron instead of stainless steel was inconsequential. Pesticide production meeting quality specifications (less than 0.5% chloroform solvent) was possible whether the tank was being filled with MIC from the MIC Refining Still (MRS) or not.
Abandoning the transfer pumps required closing the MIC storage tank vent valves. Boxes 4 through 9 simulate how the system responded to this substitute operating procedure. Closing the vent valves isolated nitrogen from the pipes and valves in MIC vapor service, and allowed air containing oxygen to migrate into the VGS.
This action was needed to bypass the MIC transfer pumps; making it possible to send tank contents into MIC Derivatives using differential pressure as documented in the ADL report. However, oxygen now infiltrating the system contacted the iron pipes and valves in MIC vapor service. Replacing nitrogen with oxygen resulted in internal corrosion, which produced rust. This rust catalyzed MIC “trimer” formation on iron components when the vent valves were reopened during tank filling. Trimer deposits accumulated inside the PVH, which restricted vapor flow to the VGS while filling the MIC storage tanks. Backpressure on the MRS, caused by restricted vapor flow through the PVH, resulted in MRS flooding – meaning that the MRS tower started retaining more liquid.
In response to MRS tower flooding, the temperature inside the MRS was raised to increase evaporation and send more liquid out of the tower. Unfortunately, this elevated the chloroform solvent level in the distilled MIC rundown stream. Eventually, the chloroform content inside the MIC storage tank exceeded the 0.5% maximum quality limit. Contaminated MIC exceeding the chloroform limit would then have to be reprocessed, recovered, or destroyed at great expense. Lost production due to business interruption during this period made it difficult for the factory to compete with other suppliers that were able to remain online.
Installing a flex-hose jumper to connect the trimer-choked PVH to the corroded, but clean, Relief Valve Vent Header (RVVH) offered an immediate, albeit short-term, solution. This action temporarily restored the production of MIC that met the purity limit but transferred the trimer accumulation problem into the RVVH. When both vent headers were choked with trimer, making it impossible to produce MIC meeting quality specifications, the system was shut down for cleaning.
Acceptable system performance was temporarily restored by flushing trimer from the lines with water. Since the system was not equipped by design for this type of alternative maintenance procedure, improvisation was necessary. Water hoses were attached by replacing threaded pressure gauges with adapters at various locations along the vent header system. Water was then introduced to the system to flush the vent header lines; clearing them of trimer deposits restricting vapor traffic. When the iron components in MIC vapor service were clean, the system was put back into service and the cycle repeated as trimer continued to build-up on corroded internal iron surfaces.
The Big Picture
The information yielded by examining the inconsistency preserved in the ADL report is extraordinarily significant. This insight exposes how the choices we make prior to constructing an industrial process can end-up being counterproductive, depending on how a system changes during its life cycle. This specific example explains why water, a known MIC contaminant capable of causing an adverse and dangerous reaction, was routinely injected into MIC process piping. We have learned that this was not the design intent for the original system. In fact, trimer fouling in MIC vapor service that necessitated the routine invasive use of water would have been nonexistent if the system had been in conformance with the stainless steel design standard. Likewise, routine water flushing would not have been necessary if the MIC transfer pumps had not been bypassed.
This analysis in no way invalidates the ADL report’s determination about what happened. It does, however, provide the missing information needed to understand why the incident happened. Over three decades of employment in the manufacturing industry has given me the opportunity to investigate hundreds of industrial incidents; some of which were highly consequential. As others with similar experience know, there is no “honor among thieves” between operators, workers, or Union Brothers. If someone mischievously compromises the process to deliberately cause a system malfunction, their coworkers will find out who did it and immediately rat them out. The insight gained by reconciling the unaddressed inconsistency in the ADL report provides something I can relate to. It gives me something to recognize that I am constantly exposed to when working in a manufacturing environment. It also aligns more closely with the input of eyewitnesses who were inside the factory when the incident occurred.
If all of this unnecessary work, complexity, and risk could have been avoided by simply using the transfer pumps according to the original system design, why were the MIC transfer pumps abandoned? Reliable sources cited in Rethinking Bhopal (ISBN 978012803778) indicate the MIC transfer pumps were not reliable. In fact, the MIC pump seals leaked at an average rate of about once every 24 days per pump. MIC is a highly-toxic substance that could not be safely released into the atmosphere. MIC pump seal failures created an exposure hazard. Additionally, damaged transfer pumps were removed from service for repair. Recurring pump maintenance was costly and resulted in loss of commodity market share. An alternative, more reliable MIC transfer method offered a solution even though it added considerable complexity, effort, cost, and risk.
Some readers may reject this explanation on the basis that an MIC circulation pump also existed. The MIC storage tank drawing shows that the circulation pump processed tank contents through a refrigeration unit. The circulation pump suction and discharge lines originated and terminated at the same places as the transfer pump. The pump pedestal photo at the beginning of this article suggests that these pumps were identical. Therefore, if the transfer pumps suffered from poor reliability, then similar problems would likely have impacted the circulation pumps also. Under these circumstances it would have been difficult to keep the refrigeration system operating, and there is no evidence to support this conclusion . . .
. . . or is there?
Note to Self
Telling what happened involves explaining why it happened.