Rethinking Bhopal- A Process Saefty Analysis of the Union Carbide Bhopal Plant

Author of ‘Rethinking Bhopal’, Kenneth Bloch, is a process safety professional who has taken a very deep interest in the Bhopal Disaster story. Rethinking Bhopal is a meticulously researched account of history’s worst single-incident industrial disaster. It contextualises the process facts of the Bhopal plant, comparing them to accepted norms, and presents them in a relatively easily-digestible format. A major aim of Rethinking Bhopal is not just to produce a historical account of one terrible disaster but to engender better thinking and practice within industry professionals operating today.

Kenneth Bloch has now put together, for our benefit, a comprehensive examination of the important technical elements of the Bhopal Gas Tragedy:

“The Bhopal Gas Tragedy drove improvements that made industry safer. By protecting the lives of others, industry now honors those whose lives were suddenly changed on December 3, 1984 – some of whom may read this blog regularly. Among these are survivors who lost their health, family, or friends. Also included are workers and others who designed, operated, and maintained the equipment that became hostile. Like parents of a rebellious child that was raised and nurtured with love, care, and affection to be a productive member of society, their unjust sense of hindsight must be unbearable. My heart goes out to all of you.

“It is with deep respect for personal sacrifices involuntarily made to benefit industry that I offered my friends at the Bhopal Medical Appeal a 4-part “Technical Series” on the Bhopal Gas Tragedy. The topics speak to those with positions in industry today who might incorrectly think that the Bhopal Gas Tragedy does not apply to them. They introduce fundamental process control and safety concepts to those entering the industrial workforce today – many of whom amazingly have not heard about the incident previously! The series also explains to the curious how good things we control can become hostile under our watchful care.
“In many ways, the Bhopal Gas Tragedy affects us all even if we never see the inside of a factory. The series will help anyone determined to make a difference “rethink” their actions before going too far. I thank the Bhopal Medical Appeal for accepting my offer and I hope that readers will learn something valuable from each installment of the series.”

Click to view

Methyl Isocyanate (MIC) Rundown & Storage System

The series begins with a Process Flow Diagram (PFD) of the MIC Storage System that was involved in the Bhopal Gas Tragedy. The drawing is “As-Built,” which means that it shows the system as it appeared upon placing it in service. The PFD reveals how the process was both remarkably efficient and vulnerable.
When reviewing the PFD, pay close attention to (1) using carbon carbon steel for all equipment in MIC vapor service, (2) the need for a clear, open, unobstructed path between the E-210 MRS and the E-408 VGS atmospheric vent, and (3) nitrogen injection into the E-610, E-611, and E-619 tank head manifolds. An unbreakable dependency was formed between these three items, which made it impossible to change one without impacting the others. The dependency was rooted in deviating from a design standard that prohibited the use of carbon steel for equipment in MIC service.
Adherence to the design standard would have resulted in the use of stainless steel in MIC vapor service, where carbon steel was used. MIC polymerizes upon contacting rust; thus, a rust-resistant material such as stainless steel was needed to avoid incompatibility complications. Why was carbon steel, which would rust upon contact with air, used instead? To save money by reducing construction costs.
Saving money is something that most people can relate to. Most people must learn to survive on limited resources that prevent us from spending more money than we make. The same is true for any company that expects to stay in business. Companies that spend more money than they generate will eventually go out of business. Looking at the PFD, it becomes clear that the system was designed to operate under a continuous nitrogen purge starting at the storage tank heads and terminating upon its discharge through the VGS atmospheric vent. Stainless steel resists rust, but nitrogen in this case does the same thing by eliminating oxygen (air) that carbon steel needs to rust. The purpose for nitrogen was to eliminate air that could allow MIC in the storage tanks to ignite. It also served as a corrosion inhibitor for carbon steel equipment found in MIC vapor service by preventing air from migrating into the system through the atmospheric vent.
When I look at the drawing I see an efficient, compact, and reliable process design. On paper, everything works perfectly. But although perfection is the goal we all work toward, nothing could be further from our reach when operating a typical industrial process.

 

Remains of one of the MIC holding tanks at Union Carbide’s Bhopal plant

Major Safety Concerns Listed in September 11, 1984 Report

A different kind of “911” happened in 1984. September 11, 1984 was the date that Union Carbide management received the results of an “Operational Safety/Health Survey” completed at the Institute Methyl Isocyanate (MIC) Unit in West Virginia (now Bayer CropScience). Factory blueprints from that existing process were used to construct the pesticide factory where the Bhopal Gas Tragedy occurred.

More specifically, the report describes a scenario where cooling water leakage from the MRS Condenser could initiate a runaway reaction inside the MIC storage tanks. Less than three months after the audit report was submitted, a runaway reaction initiated by water leaking into an MIC storage tank did occur at the Bhopal factory. The report noted a history of cooling water contamination by this route in the past, with less severe consequences. The first part of this technical series shows how this could happen through the “MIC Rundown” line that connected the MRS Condenser to the MIC Storage Tanks, at the bottom left of the PFD.

Before proceeding, let’s all agree that hindsight is always 20/20. Trevor Kletz stated it best by referring to not knowing what you don’t know. With Trevor’s thought in mind, is it fair to criticize someone for not having the knowledge they needed to prevent an incident? Is there a difference when someone possesses the knowledge needed to prevent an incident, but fails to act upon it? Think about it.

The Bhopal Gas Tragedy forced industry to implement practices to identify, evaluate, and address process hazards like the one described in the September 11, 1984 audit report. The analysis provided in Part 2 of this technical series did not exist before the Bhopal Gas Tragedy. Like buckling one’s seatbelt upon getting into an automobile, this safety practice is so routine now that we would never think about not doing it. Things were much different back in 1984 when the concepts demonstrated here were immature at best, and not uniformly practiced globally. But if this practice was mandatory prior to 1984, would it have prevented the Bhopal Gas Tragedy?

Answering that question requires that adequate safeguards exist to realistically prevent an MIC gas release if water was to contaminate MIC in a storage tank. Many of the safeguards used to prevent this kind of incident can be observed in the PFD provided in the first part of this series. They were described by Ron Van Mynen, Union Carbide’s Corporate Director of Health and Safety, in a press conference on March 20, 1985 as:
1. A 30-ton refrigeration system to keep the MIC at a low temperature (0 ⚬C)
2. A temperature alarm activated by high temperature (11 ⚬C)
3. Daily MIC storage tank sample testing by operators trained to implement process isolation procedure upon obtaining evidence of contamination
4. A versatile arrangement of pipes and valves to reprocess or destroy the contaminated material
5. An empty storage tank (E-619) to contain the contaminated material and provide additional vapor space and cooling if a runaway reaction was to occur
6. A Vent Gas Scrubber (VGS) to destroy MIC through contact with a circulating stream of caustic material (sodium hydroxide)
7. A flare tower to be used as a last resort by burning-off any material making it all the way past the VGS.

Click to view full size

On the surface, there appear to be more than enough safeguards to prevent a toxic gas release resulting from a runaway reaction inside the storage tank. However, a much different conclusion is reached by using a method that was introduced in 2001 that assigns a credit (point) value to each of the safeguards. This “Layer of Protection Analysis” (LOPA) method operates on the basic premises that (1) no safeguard is 100% perfect, or always “available,” and (2) a safeguard must be independent (an Independent Protective Layer or IPL) for any additional credit to be taken. Unfortunately, the tight-coupling of dependencies mentioned in the first installment of this series defeats essentially all of the safeguards provided in the MIC Rundown and Storage system. The graphic shows how.

For example, we might accept 1/10 credit for the 30-ton refrigeration system under the assumption that well-maintained mechanical equipment can be expected to fail once every ten years. However, looking at the drawing we see that the refrigeration system operates on discharge from the MIC Circulation Pump. If this pump fails, then the refrigeration system becomes useless (a “Common Mode Failure”). The refrigeration system is therefore dependent on Circulation

pump reliability. To complicate matters further, the high temperature alarm is dependent on refrigeration system operation, which again is dependent on MIC Circulation Pump reliability. In other words, if the MIC Circulation Pump fails then not only is the refrigeration system lost, but also the ability to detect a high temperature condition created by a thermal runaway reaction because the alarm is already active and probably disabled or ignored until the pump is repaired. In this context, the high temperature alarm serves only as a nonspecific “common trouble” alarm that can be activated either by a mechanical or process failure. Finally, if the Circulation Pump fails then the drawing shows that access to the reject line is also lost. Under these circumstances, MIC storage tank contents cannot be directed into the VGS, the empty reject storage tank, the other uncontaminated tank, or the return line back to the MIC manufacturing unit for reprocessing. None of those safeguards exist.

Furthermore, “double jeopardy” does not apply in this situation because even though the logic operating here requires two independent failures (MRS Condenser leakage and a Circulation Pump failure), only one failure is detectable at a time. In this scenario either a Circulation Pump failure or contamination incident activates the high-temperature alarm and no other independent indicator is available for the other condition, such as a high-pressure alarm. A circulation pump failure would consume the only early indicator of a continuous contamination incident, meaning that a contamination incident could progress to a very late stage before an unexpected, undeniable system response would signal a problem. In the context of the Bhopal Gas Tragedy, these circumstances sound very familiar.

Part 3 of The Bhopal Gas Tragedy Technical Series will examine the consequences of MIC pump failures at the Bhopal plant, which in reality occurred multiple times per year. For that reason, the LOPA analysis accurately ends with no credit taken for the 1 in 1 year (1/1) actual probability of a Circulation Pump failure. Factoring actual Circulation Pump reliability into the analysis creates a highly-probable proposed scenario, with 1 predicted occurrence in the first 10 years of operation. Coincidentally, a similar incident happened five years into operation at the Bhopal factory.

Most companies that use the LOPA method require a frequency far less than 1/10 (one in ten years) for a toxic chemical release with potential widespread community impact – say 1/10,000,000 or a one in ten-million-year frequency. Anything higher would require a redesign for a system not yet constructed. For systems in service with a gulf so huge between actual and acceptable, an immediate shutdown would follow.

Points to Remember
Hindsight is 20/20 and things unseen are readily apparent after they occur. An analysis with the level of depth demonstrated on the MIC Rundown and Storage system is probably not possible without “hindsight bias.” But this is why we investigate an incident after it occurs – to replace the things we missed with things we learn. In doing so, may we continue to learn how to avoid incidents that we cannot afford to repeat, and continue to extract value from incidents with tragic consequences.

 

 

We believe Dow must finally accept responsibility for Bhopal. Until then, The Bhopal Medical Appeal funds two award-winning clinics in the city. Both offer free, first-class care to victims of the gas disaster or the ongoing water contamination. The survivors have nowhere else left to turn – please help if you can.