The Flixborough disaster was an explosion at a chemical plant close to the village of Flixborough, North Lincolnshire, England, on Saturday, 1 June 1974. It killed 28 and seriously injured 36 of the 72 people on site at the time. The casualty figures could have been much higher if the explosion had occurred on a weekday, when the main office area would have been occupied.[1] A contemporary campaigner on process safety wrote "the shock waves rattled the confidence of every chemical engineer in the country".
The disaster involved (and may well have been caused by) a hasty equipment modification. Although virtually all of the plant management personnel had chemical engineering qualifications, there was no on-site senior manager with mechanical engineering expertise. Mechanical engineering issues with the modification were overlooked by the managers who approved it, and the severity of potential consequences due to its failure were not taken into account.
Flixborough led to a widespread public outcry over process safety. Together with the passage of the UK Health and Safety at Work Act in the same year, it led to (and is often quoted in justification of) a more systematic approach to process safety in UK process industries. UK government regulation of plant processing or storing large inventories of hazardous materials is currently under the Control of Major Accident Hazards Regulations 1999 (COMAH). In Europe, the Flixborough disaster and the Seveso disaster in 1976 led to development of the Seveso Directive in 1982 (currently Directive 2012/18/EU issued in 2012).
The chemical works, owned by Nypro UK (a joint venture between Dutch State Mines (DSM) and the British National Coal Board (NCB)) had originally produced fertiliser from by-products of the coke ovens of a nearby steelworks. Since 1967, it had instead produced caprolactam, a chemical used in the manufacture of nylon 6. The caprolactam was produced from cyclohexanone. This was originally produced by hydrogenation of phenol, but in 1972 additional capacity was added, built to a DSM design in which hot liquid cyclohexane was partially oxidised by compressed air. The plant was intended to produce 70,000 tons per annum (tpa) of caprolactam but was reaching a rate of only 47,000 tpa in early 1974. Government controls on the price of caprolactam put further financial pressure on the plant.[1]
It was a failure of the cyclohexane plant that led to the disaster. A major leak of liquid from the reactor circuit caused the rapid formation of a large cloud of flammable hydrocarbon. When this met an ignition source (probably a furnace at a nearby hydrogen production plant) there was a massive fuel-air explosion. The plant control room collapsed, killing all 18 occupants. Nine other site workers were killed, and a delivery driver died of a heart attack in his cab. Fires started on-site which were still burning ten days later. Around 1,000 buildings within a 1mile radius of the site (in Flixborough itself and in the neighbouring villages of Burton upon Stather and Amcotts) were damaged, as were nearly 800 in Scunthorpe away; the blast was heard over away in Grimsby, Hull and Saltfleet. Images of the disaster were soon shown on television, filmed by BBC and Yorkshire Television filmstock news crews who had been covering the Appleby-Frodingham Gala in Scunthorpe that afternoon.
The plant was re-built but cyclohexanone was now produced by hydrogenation of phenol (Nypro proposed to produce the hydrogen from LPG;[2] in the absence of timely advice from the Health and Safety Executive (HSE) planning permission for storage of 1,200 te LPG at Flixborough was initially granted subject to HSE approval, but HSE objected[3]); as a result of a subsequent collapse in the price of nylon it closed down a few years later. The site was demolished in 1981, although the administration block still remains. The site today is home to the Flixborough Industrial Estate, occupied by various businesses and Glanford Power Station.
The foundations of properties severely damaged by the blast and subsequently demolished can be found on land between the estate and the village, on the route known as Stather Road. A memorial to those who died was erected in front of offices at the rebuilt site in 1977. Cast in bronze, it showed mallards alighting on water. When the plant was closed, the statue was moved to the pond at the parish church in Flixborough. During the early hours of New Year's Day 1984, the sculpture was stolen. It has never been recovered but the plinth it stood on, with a plaque listing all those who died that day, can still be found outside the church.
The cyclohexane oxidation process is still operated in much the same plant design in the Far East.
In the DSM process, cyclohexane was heated to about 155 °C (311 °F) before passing into a series of six reactors. The reactors were constructed from mild steel with a stainless steel lining; when operating they held in total about 145 tonnes of flammable liquid at a working pressure of 8.6 bar gauge (0.86 MPa gauge; 125 psig). In each of the reactors, compressed air was passed through the cyclohexane, causing a small percentage of the cyclohexane to oxidise and produce cyclohexanone, some cyclohexanol also being produced. Each reactor was slightly (approximately 14 inches, 350 mm) lower than the previous one, so that the reaction mixture flowed from one to the next by gravity through nominal 28-inch bore (700mm DN) stub pipes with inset bellows. The inlet to each reactor was baffled so that liquid entered the reactors at a low level; the exiting liquid flowed over a weir whose crest was somewhat higher than the top of the outlet pipe. The mixture exiting reactor 6 was processed to remove reaction products, and the unreacted cyclohexane (only about 6% was reacted in each pass) then returned to the start of the reactor loop.
Although the operating pressure was maintained by an automatically controlled bleed valve once the plant had reached steady state, the valve could not be used during start-up, when there was no air feed, the plant being pressurised with nitrogen. During start-up the bleed valve was normally isolated and there was no route for excess pressure to escape; pressure was kept within acceptable limits (slightly wider than those achieved under automatic control) by operator intervention (manual operation of vent valves). A pressure-relief valve acting at 11-0NaN-0 gauge was also fitted.
Two months prior to the explosion, the number 5 reactor was discovered to be leaking. When lagging was stripped from it, a crack extending about was visible in the mild steel shell of the reactor. It was decided to install a temporary pipe to bypass the leaking reactor to allow continued operation of the plant while repairs were made. In the absence of 28-inch nominal bore pipe (700mm DN), 20-inch nominal bore pipe (500mm DN) was used to fabricate the bypass pipe for linking reactor 4 outlet to reactor 6 inlet. The new configuration was tested for leak-tightness at working pressure by pressurisation with nitrogen. For two months after fitting the bypass was operated continuously at temperature and pressure and gave no trouble. At the end of May (by which time the bypass had been lagged) the reactors had to be depressurised and allowed to cool in order to deal with leaks elsewhere. The leaks having been dealt with, early on 1 June attempts began to bring the plant back up to pressure and temperature.
At about 16:53 on 1 June 1974, there was a massive release of hot cyclohexane in the area of the missing reactor 5, followed shortly by ignition of the resulting huge cloud of flammable vapour and a massive explosion in the plant. The explosion virtually demolished the site. As it was a weekend there were relatively few people on site: of the 72 people on-site at the time, 28 were killed and 36 injured. Fires burned on-site for more than ten days. Off-site there were no fatalities, but 50 injuries were reported and about 2,000 properties damaged.
The occupants of the works laboratory had seen the release and evacuated the building before the release ignited; most survived. None of the 18 occupants of the plant control room survived, nor did any records of plant readings. The explosion appeared to have been in the general area of the reactors and after the accident only two possible sites for leaks before the explosion were identified: "the 20 inch bypass assembly with the bellows at both ends torn asunder was found jack-knifed on the plinth beneath" and there was a 50-inch long split in nearby 8-inch nominal bore stainless steel pipework".
Immediately after the accident, New Scientist commented presciently on the normal official response to such events, but hoped that the opportunity would be taken to introduce effective government regulation of hazardous process plants.
The Secretary of State for Employment set up a Court of Inquiry to establish the causes and circumstances of the disaster and identify any immediate lessons to be learned, and also an expert committee to identify major hazard sites and advise on appropriate measures of control for them. The inquiry, chaired by Roger Parker QC, sat for 70 days in the period September 1974 – February 1975, and took evidence from over 170 witnesses. In parallel, an Advisory Committee on Major Hazards was set up to look at the longer-term issues associated with hazardous process plants.
The report of the court of inquiry was critical of the installation of the bypass pipework on a number of counts: although plant and senior management were chartered engineers (mostly chemical engineers), the post of Works Engineer which had been occupied by a chartered mechanical engineer had been vacant since January 1974, and at the time of the accident there were no professionally qualified engineers in the works engineering department. Nypro had recognised this to be a weakness and identified a senior mechanical engineer in an NCB subsidiary as available to provide advice and support if requested. At a meeting of plant and engineering managers to discuss the failure of reactor 5, the external mechanical engineer was not present. The emphasis was upon prompt restart and – the inquiry felt – although this did not lead to the deliberate acceptance of hazards, it led to the adoption of a course of action whose hazards (and indeed engineering practicalities) were not adequately considered or understood. The major problem was thought to be getting reactor 5 moved out of the way. Only the plant engineer was concerned about restarting before the reason for the failure was understood, and the other reactors inspected. The difference in elevation between reactor 4 outlet and reactor 6 inlet was not recognised at the meeting. At a working level the offset was accommodated by a dog-leg in the bypass assembly; a section sloping downwards inserted between (and joined with by mitre welds) two horizontal lengths of 20-inch pipe abutting the existing 28-inch stubs. This bypass was supported by scaffolding fitted with supports provided to prevent the bellows having to take the weight of the pipework between them, but with no provision against other loadings. The Inquiry noted on the design of the assembly:
The Inquiry noted further that "there was no overall control or planning of the design, construction, testing or fitting of the assembly nor was any check made that the operations had been properly carried out". After the assembly was fitted, the plant was tested for leak-tightness by pressurising with nitrogen to 9 kg/cm2; i.e. roughly operating pressure, but below the pressure at which the system relief valve would lift and below the 30% above design pressure called for by the relevant British Standard.
The claim argued by experts retained by Nypro and their insurers was that the disaster's cause was that the 20-inch bypass was not what would have been produced or accepted by a more considered process. Controversy developed (and became acrimonious) as to whether its failure was the initiating fault in the disaster (the 20-inch hypothesis, argued by the plant designers (DSM) and the plant constructors; and favoured by the court's technical advisers), or had been triggered by an external explosion resulting from a previous failure of the 8-inch line.
Tests on replica bypass assemblies showed that deformation of the bellows could occur at pressures below the safety valve setting, but that this deformation did not lead to a leak (either from damage to the bellows or from damage to the pipe at the mitre welds) until well above the safety valve setting. However theoretical modelling suggested that the expansion of the bellows as a result of this would lead to a significant amount of work being done on them by the reactor contents, and there would be considerable shock loading on the bellows when they reached the end of their travel. If the bellows were 'stiff' (resistant to deformation), the shock loading could cause the bellows to tear at pressures below the safety valve setting; it was not impossible that this could occur at pressures experienced during start-up, when pressure was less tightly controlled. (Plant pressures at the time of the accident were unknown since all relevant instruments and records had been destroyed, and all relevant operators killed). The Inquiry concluded that this ("the 20-inch hypothesis") was 'a probability' but one 'which would readily be displaced if some greater probability' could be found.
Detailed analysis suggested that the 8-inch pipe had failed due to "creep cavitation" at a high temperature while the pipe was under pressure. The metal of the pipe would have experienced hard-to-detect deformation, microscopic cracks, and structural weakness as a result, increasing the likelihood of failure. Failure had been accelerated by contact with molten zinc; there were indications that an elbow in the pipe had been at significantly higher temperature than the rest of the pipe. The hot elbow led to a non-return valve held between two pipe flanges by twelve bolts. After the disaster, two of the twelve bolts were found to be loose; the inquiry concluded that they were probably loose before the disaster. Nypro argued that the bolts had been loose, there had consequently been a slow leak of process fluid onto lagging leading eventually to a lagging fire, which had worsened the leak to the point where a flame had played undetected upon the elbow, burnt away its lagging and exposed the line to molten zinc, the line then failing with a bulk release of process fluid which extinguished the original fire, but subsequently ignited giving a small explosion which had caused failure of the bypass, a second larger release and a larger explosion. Tests failed to produce a lagging fire with leaked process fluid at process temperatures; one advocate of the 8-inch hypothesis then argued instead that there had been a gasket failure giving a leak with sufficient velocity to induce static charges whose discharge had then ignited the leak.
The 8-inch hypothesis was claimed to be supported by eyewitness accounts and by the apparently anomalous position of some debris post-disaster. The inquiry report took the view that explosions frequently throw debris in unexpected directions and eyewitnesses often have confused recollections. The inquiry identified difficulties at various stages of the accident development in the 8-inch hypothesis, their cumulative effect being considered to be such that the report concluded that overall the 20-inch hypothesis involving 'a single event of low probability' was more credible than the 8-inch hypothesis depending upon 'a succession of events, most of which are improbable'.
The inquiry report identified 'lessons to be learned' which it presented under various headings; 'General observation' (relating to cultural issues underlying the disaster), 'specific lessons' (directly relevant to the disaster, but of general applicability) are reported below; there were also 'general' and 'miscellaneous lessons' of less relevance to the disaster. The report also commented on matters to be covered by the Advisory Committee on Major Hazards.
The disaster was caused by 'a well designed and constructed plant' undergoing a modification that destroyed its mechanical integrity.
When the bypass was installed, there was no works engineer in post and company senior personnel (all chemical engineers) were incapable of recognising the existence of a simple engineering problem, let alone solving it
No one concerned in the design or construction of the plant envisaged the possibility of a major disaster happening instantaneously. It was now apparent that such a possibility exists where large amounts of potentially explosive material are processed or stored. It was 'of the greatest importance that plants at which there is a risk of instant as opposed to escalating disaster be identified. Once identified measures should be taken both to prevent such a disaster so far as is possible and to minimise its consequences should it occur despite all precautions.' There should be coordination between planning authorities and the Health and Safety Executive, so that planning authorities could be advised on safety issues before granting planning permission; similarly the emergency services should have information to draw up a disaster plan.
The inquiry summarised its findings as follows:
Nypro's advisers had put considerable effort into the 8-inch hypothesis, and the inquiry report put considerable effort into discounting it. The critique of the hypothesis spilled over into criticism of its advocates: 'the enthusiasm for the 8-inch hypothesis felt by its proponents has led them to overlook obvious defects which in other circumstances they would not have failed to realise'. Of one proponent the report noted gratuitously that his examination by the court 'was directed to ensuring that we had correctly appreciated the main steps in the hypothesis some of which appeared to us in conflict with facts which were beyond dispute'. The report thanked him for his work in assembling eyewitness evidence but said his use of it showed 'an approach to the evidence which is wholly unsound'.
The proponent of the 8-inch gasket failure hypothesis responded by arguing that the 20-inch hypothesis had its share of defects which the inquiry report had chosen to overlook, that the 8-inch hypothesis had more in its favour than the report suggested, and that there were important lessons that the inquiry had failed to identify:
The HSE website as of 2014 said that "During the late afternoon on 1 June 1974 a 20 inch bypass system ruptured, which may have been caused by a fire on a nearby 8-inch pipe".[4] In the absence of a strong consensus for either hypothesis other possible immediate causes have been suggested.
The enquiry noted the existence of a small tear in a bellows fragment, and therefore considered the possibility of a small leak from the bypass having led to an explosion bringing the bypass down. It noted this to be not inconsistent with eyewitness evidence, but ruled out the scenario because pressure tests showed the bellows did not develop tears until well above the safety valve pressure. This hypothesis has however been revived, with the tears being caused by fatigue failure at the top of the reactor 4 outlet bellows because of flow-induced vibration of the unsupported bypass line. Finite element analysis has been carried out (and suitable eyewitness evidence adduced) to support this hypothesis.[5] [6]
The reactors were normally mechanically stirred but reactor 4 had operated without a working stirrer since November 1973; free phase water could have settled out in unstirred reactor 4 and the bottom of reactor 4 would reach operating temperature more slowly than the stirred reactors. It was postulated that there had been bulk water in reactor 4 and a disruptive boiling event had occurred when the interface between it and the reaction mixture reached operating temperature. Abnormal pressures and liquor displacement resulting from this (it was argued) could have triggered failure of the 20-inch bypass.[7]
The plant design had assumed that the worst consequence of a major leak would be a plant fire and to protect against this a fire detection system had been installed. Tests by the Fire Research Establishment had shown this to be less effective than intended. Moreover, fire detection only worked if the leak ignited at the leak site; it gave no protection against a major leak with delayed ignition, and the disaster had shown this could lead to multiple worker fatalities. The plant as designed therefore could be destroyed by a single failure and had a much greater risk of killing workers than the designers had intended. Critics of the inquiry report therefore found it hard to accept its characterisation of the plant as 'well-designed'. The HSE (through the Department of Employment) had come up with a 'shopping list' of about 30 recommendations on plant design, many of which had not been adopted (and a few explicitly rejected) by the Inquiry Report; the HSE inspector who acted as secretary to the inquiry spoke afterwards of making sure that the real lessons were acted upon. More fundamentally, Trevor Kletz saw the plant as symptomatic of a general failure to consider safety early enough in process plant design, so that designs were inherently safe – instead processes and plant were selected on other grounds then safety systems bolted on to a design with avoidable hazards and unnecessarily high inventory. 'We keep a lion and build a strong cage to keep it in. But before we do so we should ask if a lamb might do.'[8]
If the UK public were largely reassured to be told the accident was a one-off and should never happen again, some UK process safety practitioners were less confident. Critics felt that the Flixborough explosion was not the result of multiple basic engineering design errors unlikely to coincide again; the errors were rather multiple instances of one underlying cause: a complete breakdown of plant safety procedures (exacerbated by a lack of relevant engineering expertise, but that lack was also a procedural shortcoming).[9]
The Petrochemicals Division of Imperial Chemical Industries (ICI) operated many plants with large inventories of flammable chemicals at its Wilton site (including one in which cyclohexane was oxidised to cyclohexanone and cyclohexanol). Historically good process safety performance at Wilton had been marred in the late 1960s by a spate of fatal fires caused by faulty isolations/handovers for maintenance work. Their immediate cause was human error but ICI felt that saying that most accidents were caused by human error was no more useful than saying that most falls are caused by gravity. ICI had not simply reminded operators to be more careful, but issued explicit instructions on the required quality of isolations, and the required quality of its documentation.[10] The more onerous requirements were justified as follows:
In accordance with this view, post-Flixborough (and without waiting for the Inquiry Report), ICI Petrochemicals instituted a review of how it controlled modifications. It found that major projects requiring financial sanction at a high level were generally well-controlled, but for more (financially) minor modifications there was less control and this had resulted in a past history of 'near-misses' and small-scale accidents,[11] few of which could be blamed on chemical engineers. To remedy this, not only were employees reminded of the principal points to consider when making a modification (both on the quality/compliance of the modification itself and on the effect of the modification on the rest of the plant), but new procedures and documentation were introduced to ensure adequate scrutiny. These requirements applied not only to changes to equipment, but also to process changes. All modifications were to be supported by a formal safety assessment. For major modifications this would include an 'operability study'; for minor modifications a checklist-based safety assessment was to be used, indicating what aspects would be affected, and for each aspect giving a statement of the expected effect. The modification and its supporting safety assessment then had to be approved in writing by the plant manager and engineer. Where instruments or electrical equipment were involved signatures would also be needed from the relative specialist (instrument manager or electrical engineer). A Pipework Code of Practice was introduced specifying standards of design construction and maintenance for pipework – all pipework over 3"nb (DN 75 mm) handling hazardous material would have to be designed by pipework specialists in the design office.[11] The approach was publicised outside ICI; while the Pipework Code of Practice on its own would have combatted the fault or faults that led to the Flixborough disaster, the adoption more generally of tighter controls on modifications (and the method by which this was done) were soon recognised to be prudent good practice. In the United Kingdom, the ICI approach became a de facto standard for high-risk plant (partly because the new (1974) Health and Safety at Work Act went beyond specific requirements on employers to state general duties to keep risks to workers as low as reasonably practicable and to avoid risk to the public so far as reasonably practicable; under this new regime the presumption was that recognised good practice would inherently be 'reasonably practicable' and hence should be adopted, partly because key passages in reports of the Advisory Committee on Major Hazards were clearly supportive).
The terms of reference of the Court of Inquiry did not include any requirement to comment on the regulatory regime under which the plant had been built and operated, but it was clear that it was not satisfactory. Construction of the plant had required planning permission approval by the local council; while "an interdepartmental procedure enabled planning authorities to call upon the advice of Her Majesty's Factory Inspectorate when considering applications for new developments which might involve a major hazard"[12] (there was no requirement for them to do so), since the council had not recognised the hazardous nature of the plant they had not called for advice. As the New Scientist commented within a week of the disaster:
The ACMH's terms of reference were to identify types of (non-nuclear) installations posing a major hazard, and advise on appropriate controls on their establishment, siting, layout, design, operation, maintenance and development (including overall development in their vicinity). Unlike the Court of Inquiry, its personnel (and that of its associated working groups) had significant representation of safety professionals, drawn largely from the nuclear industry and ICI (or ex-ICI)
In its first report[13] (issued as a basis for consultation and comment in March 1976), the ACMH noted that hazard could not be quantified in the abstract, and that a precise definition of 'major hazard' was therefore impossible. Instead installations with an inventory of flammable fluids above a certain threshold or of toxic materials above a certain 'chlorine equivalent' threshold should be ' notifiable installations '. A company operating a notifiable installation should be required to survey its hazard potential, and inform HSE of the hazards identified and the procedures and methods adopted (or to be adopted) to deal with them.
HSE could then choose to – in some cases (generally involving high risk or novel technology) – require submission of a more elaborate assessment, covering (as appropriate) "design, manufacture, construction, commissioning, operation and maintenance, as well as subsequent modifications whether of the design or operational procedures or both". The company would have to show that "it possesses the appropriate management system, safety philosophy, and competent people, that it has effective methods of identifying and evaluating hazards, that it has designed and operates the installation in accordance with appropriate regulations, standards and codes of practice, that it has adequate procedures for dealing with emergencies, and that it makes use of independent checks where appropriate"
For most 'notifiable installations' no further explicit controls should be needed; HSE could advise and if need be enforce improvements under the general powers given it by the 1974 Health and Safety at Work Act (HASAWA), but for a very few sites explicit licensing by HSE might be appropriate; responsibility for safety of the installation remaining however always and totally with the licensee.
HASAWA already required companies to have a safety policy, and a comprehensive plan to implement it. ACMH felt that for major hazard installations the plan should be formal and include
Safety documents were needed both for design and operation. The management of major hazard installations must show that it possessed and used a selection of appropriate hazard recognition techniques, had a proper system for audit of critical safety features, and used independent assessment where appropriate.
The ACMH also called for tight discipline in the operation of major hazard plants:
The ACMH's second report (1979) rejected criticisms that since accidents causing multiple fatalities were associated with extensive and expensive plant damage the operators of major hazard sites had every incentive to avoid such accidents and so it was excessive to require major hazard sites to demonstrate their safety to a government body in such detail:
The approach advocated by the ACMH was largely followed in subsequent UK legislation and regulatory action, but following the release of chlordioxins by a runaway chemical reaction at Seveso in northern Italy in July 1976, 'major hazard plants' became an EU-wide issue and the UK approach became subsumed in EU-wide initiatives (the Seveso Directive in 1982, superseded by the Seveso II Directive in 1996). A third and final report was issued when the ACMH was disbanded in 1983.
Footage of the incident appeared in the film Days of Fury (1979), directed by Fred Warshofsky and hosted by Vincent Price.[14]