2.1 Introduction

How the safety in the chemical industry can be improved by the application of intrinsic continuous process safeguarding was discussed in Chapter 1. The concept was compared with extrinsic process safeguarding, which starts working upon a signal. It is, for other fields in society, useful to distinguish between procedural, active, and passive safety. Their definitions are given in Section 2.2. In Section 2.3, four examples of emergency power units that failed to come into action are dealt with. Three examples concern hospitals and one example a chemical plant. An emergency power unit is an active safety measure, as it starts working upon a signal. The failure of the blowout preventer (BOP) (an active safety measure) during the Gulf Oil accident in 2010 is discussed in Section 2.4. Section 2.5 deals with the safeguarding of Formula One races by means of mainly passive safety measures. Finally, Section 2.6 discusses explosion panels, also called bursting disks. These parts are designed to give in, if, due to a dust explosion, the subsequent pressure in a piece of equipment surpasses a predetermined value. Safeguarding by these components is continuously present.

2.2 Definitions

The definitions in this paragraph are borrowed from Kletz’ and Amyotte’s book [1]. A procedural safety method is a method activated by a human. The extinction of a fire by a fireman is an example. Of course, to avoid fires, preventive measures should be considered first. The use of materials that cannot take fire is an example. Complete cities burned down in the middle ages because the houses were made out of wood. Still, we cannot completely avoid the occurrence of fires, and to cope with the effects by means of a procedure is a possibility. However, the fire brigade may come in too late.

An active safety method is activated by a signal. For instance, in case of a fire, a water spray is turned on automatically by a smoke, flame, or heat detector. However, the equipment may fail or be turned off.

Both procedural safety methods and active safety methods can be compared to the concept of extrinsic process safeguarding used in the chemical industry as described in Chapter 1.

Finally, a passive safety method is immediately available. In case of a fire, fire‐proof insulation is continuously available and does not need activation by humans or equipment. Passive safety methods can be compared to intrinsic continuous process safeguarding as described in Chapter 1.

Generally speaking, passive safety measures are better than active safety measures because they do not need activation. Active safety measures are better than procedural safety measures because they are already present.

2.3 Four Failures of Emergency Power Units

2.4 The Failure of the Blowout Preventer ( BOP ) at the Gulf Oil Explosion in 2010

An accident occurred on the Mobile Offshore Drilling Unit Deepwater Horizon in the Gulf of Mexico on April 20, 2010 [6, 7]. Control of the well was lost on the evening of that day, allowing hydrocarbons to enter the drill pipe and reach the drilling unit, which resulted in explosions and subsequent fires. Eleven crew members died, and others were seriously injured. The fires engulfed and ultimately destroyed the rig, which sank after approximately 36 h. The first of more than four million barrels of oil began gushing uncontrolled into the Gulf of Mexico on April 20, 2010. The flow from the well was stopped using a technique called “top kill” on July 20, 2010. The well was effectively dead after a relief well was completed and cement was pumped into the well to seal it. This was declared to be the case on September 19, 2010.

Regarding the cause, the first two conclusions of the National Commission on the Deepwater Horizon Oil Spill and Offshore Drilling [6] are quoted:

• The explosive loss of the Macondo well could have been prevented.
• The immediate cause of the Macondo well blowout can be traced to a series of identifiable mistakes made by BP, Halliburton, and Transocean that reveal such systematic failures in risk management that they place in doubt the safety culture of the entire industry.

The oil and gas industry began to move offshore in approximately 1960. The industry first moved into shallow waters and, as from approximately 1980, into deepwater where vast new reserves of oil and gas have been opened up. The Deepwater Horizon drilled the Macondo well under 5000 ft (1524 m) of Gulf water and then over 13 000 ft (3962 m) under the seabed to the reservoir below. The pressure in the water at seabed level is approximately 2250 psi (153 bar), and intervention at the seabed level is only possible by means of remotely operated vehicles (ROVs). The reservoir pressure is also high. The reservoir temperatures are exceeding 200 °F (93.3 °C). It is clear that risks exist if a well gets out of control.

The engineering and design of the well started in 2009. On April 9, 2010, the well was drilled to its final depth of 18 360 ft (5596 m).

In the event of a loss of well control, various components of the BOP stack are functioned in an attempt to seal the well and contain the situation (see Figure 2.1). The lower section of the BOP attaches to the subsea wellhead. Prior to, during, and following the accident, numerous attempts were made to control the well by activating or functioning various components of the BOP. However, these attempts were unsuccessful. At the time of the accident, the drill pipe was present in the wellbore. The portion of the drill pipe between the shearing blades of the blind shear rams (BSRs) of the BOP was off center and held in this position by buckling forces. The BSRs are the only set of rams designed to cut drill pipe and seal the well in the event of a blowout. Because the trapped portion of the drill pipe was off center, the BSRs could not cut the drill pipe.

Forensic investigations by Det Norske Veritas proved that the BSRs of the BOP had been activated [7]. It is stated in their Executive Summary:

“Of the means available to close the BSRs, evidence indicates that the activation of the BSRs occurred when the hydraulic plunger to the Autoshear valve was successfully cut on the morning of April 22, 2010. However, on the evidence available, closing of the BSRs through activation of the AMF/Deadman circuits cannot be ruled out.”

AMF stands for automatic mode function. The Autoshear valve was cut by an ROV on the morning of April 22, 2012. If closing of the BSRs occurred through activation of the AMF/Deadman circuits, such closing would have occurred earlier than April 22, 2010, e.g. on April 20, 2010. Whether on April 20, 2010 or on April 22, 2010, activation of the BSRs did, as already stated, not lead to the sealing of the well.

The BSRs in the BOP of the Deepwater Horizon were an active safety measure. The safety measure did not function.

The BOP is a last line of defense against the loss of well control.

2.5 The Safeguarding of Formula One Races

The Brazilian Formula One driver Ayrton Senna died in a crash at Imola in Italy on May 1, 1994. Since that accident one further life was lost at Formula One races. A serious accident occurred at Suzaka in Japan on October 5, 2014. The French Formula One driver Jules Bianchi was heavily injured at this accident and died on July 17, 2015. Still, the situation improved considerably if one compares the number of accidents and incidents in the period 1994–2014 to that in the period 1974–1994.

First, passive safety measures for the driver will be mentioned. Possibly, the most important measure in this category is the head restraint Head And Neck Support (HANS) device. It had been realized that a number of fatalities were due to the unrestrained head leading to excessive loads to the neck and base of the skull at frontal impacts. The inventor is Ron Hubbard. HANS was introduced in 2002. From 2003, it became mandatory in Formula One races. HANS became mandatory in other branches of motor sport as well.

The incorporation of a strong cockpit designed to stay intact in the event of an accident is a further passive protection measure. The introduction of fuel tanks made of strong fibers also belongs to this category.

In the mid‐1970s, FIA (Fédération Internationale de l’Automobile) introduced standards for clothing and helmets. Over the years, these standards have become increasingly strict. Suits, shoes, gloves, helmets, seats, and other accessories are now made from a fire‐resistant material.

Furthermore, there is a five‐point harness securing a driver to his seat. A quick‐release mechanism enables a driver to get out of the car in an emergency.

Passive safety measures for the layout of the racing tracks are discussed briefly. FIA saw to the elimination of all dangerous locations. Wide strips adjacent to the racing track, gravel pits, speed‐limiting chicanery, concrete walls, and adequate distances between the cars and the spectators made the Formula One races safer.

The automatic interruption of the fuel supply to the motor when an accident occurs is an active safety measure. There are further active protection measures.

Procedural measures have also been taken. Race control is informed by marshals, and the course of the race is checked on monitors by race control. The safety car has been introduced. The safety car slows down the race in the event of a crash or other incidents. The medical car is used to rush doctors and rescue personnel to a driver who is injured during a race.

2.6 Dust Explosion Relief Venting

The principle of dust explosion relief venting is that, at a predetermined pressure, an aperture opens to vent the explosion products safely from, e.g. a dust filter (see Figure 2.2). It is a passive safety measure. For a short period after the vent opens, the pressure may continue to rise, so sufficient area should be provided to ensure that the pressure peak does not damage the vessel. This method can be used only if the emission of material is allowable and a safe discharge area for the products can be found.

A design based on the invention of the Davy safety lamp in 1815 for use in coal mines is an interesting development. The lamp in use before 1815 had a wick and an oil vessel originally burning a heavy vegetable oil. Davy discovered that a flame enclosed inside a copper mesh of a certain fineness cannot ignite methane, the main component of flammable gases in mines. The minimum explosible concentration of methane in air is between 4% and 5% by volume. The screen cools the passing gases and thereby acts as a flame arrestor. The type of dust explosion relief vent based on the idea to cool emitted gases is marketed by several suppliers. It encompasses a discharge into a device having a cylindrical wall consisting of several layers of metal gauze that, in case of a dust explosion, cool emitted gases and retain solid particles. Be it that a larger vent size is necessary because the gauze reduces the opening. Thus, discharge into a plant building is possible (see Figures 2.3 and 2.4).

References

1. [1] Kletz, T.A. and Amyotte, P.R. (2010). Process Plants – A Handbook for Inherently Safer Design, 6, 187–189. Boca Raton: CRC Press.
2. [2] De Twentsche Courant Tubantia, Enschede, The Netherlands, August 1, 2002, p. 10 (in Dutch).
3. [3] De Twentsche Courant Tubantia, Enschede, The Netherlands, August 7, 2002, p. 7 (in Dutch).
4. [4] NRC Handelsblad, Rotterdam, The Netherlands, November 25, 2003, p. 3 (in Dutch).
5. [5] De Twentsche Courant Tubantia, Enschede, The Netherlands, May 10, 2011, pp. 6, 7 (in Dutch).
6. [6] National Commission to the President on the Deepwater Horizon Oil Spill and Offshore Drilling (2011). Deep Water – The Gulf Oil Disaster and the Future of Offshore Drilling, vi–xii, 21–53. Washington: The Superintendent of Documents, U.S. Government Printing Office.
7. [7] Det Norske Veritas (2011). Forensic Examination of Deepwater Horizon Blowout Preventer, Final Report, vol. I, 1–17, 34, 35, 169, 174. Dublin, OH: Det Norske Veritas.