LPB 297 Online

Loss Prevention Bulletin
Improving process safety by sharing experience
Flixborough
Issue 297, June 2024
Keystone Pictures USA/ZUMAPRESS.com/Mary Evans

50 YEARS ON Flixborough – in the
words of the witnesses
Nylon Years –
an interview with
Ramin Abhari
Remembering ICI’s
response to the
disaster
Flixborough and
inherent safety
Building-in in-building
safety
The effect of control
room location on major
accident consequence
and likelihood
Recollections of
Flixborough
Safety leaders page
LPBcover297.indd 1 05/06/2024 15:39:19

DS34HAZARDS34HAZARDS34HAZA
IChe
m
DS34HAZARDS34HAZARDS34HAZA E
Safet
Hazards34
ISC
re
y
t
n
Ce
5–7 November 2024, Manchester, UK
Join the major hazards community at Hazards 34 to review good practice, current thinking, lessons learned
and emerging challenges in process safety and hazard management.
Hazards 34 is an industry-focused event ideal for anyone who is active in process safety and risk management
for chemical process facilities or other facilities dealing with hazardous materials. It is an exciting chance to
connect with fellow professionals, build networks and share insight and experiences in person.
Programme themes
Q Assurance
Competencies
Q
Q
Hazardous Area Classification
Human Factors
Q
Q
New Energies
Non-routine Operations
Q
Q Critical Task Analysis Q Hydrogen Hazards Q Safety Critical Task Analysis

Q Cross-sector Learning (Nuclear) Q Hydrogen Experimental Results Q Safety Culture
Q Cross-sector Learning (Water) Q Hydrogen Lessons Learned Q Safety Culture - Leadership
Q Digitalisation Q Hydrogen Risk Assessment Q Safety Culture - Operator’s
Learning from Incidents Experience
Q Engineering & Design Q
Q Environment & Climate Change Q Modelling & Simulation
Speakers
DS34HAZARDS34HAZARDS34HAZA Dr Marlene Kanga Fiona Macleod Andrew Curran
Rux Energy Independent Health & Safety Executive
Trevor Kletz Hazards Consultant New Technologies,
Lecture Bhopal, 40 Years On Developments and
The Challenges Energy Transition
Facing the Process
Industries
DS34HAZARDS34HAZARDS34HAZA Mike Nicholas

Environment Agency
Owen Quake
bp
Natech Events, the H2: the Risks and the
Risks to Process Opportunities
Safety and the
Environment
www.icheme.org/hazards34
Find out more and register:
Gold Sponsor Silver Sponsors
LPB 292
LPB297 Hazards34 IFC.indd 1 05/06/2024 12:26:19

Loss Prevention Bulletin 297 June 2024 | 1
Contents
2 Editorial 17 Building-in in-building
Loss Prevention Bulletin Fiona Macleod, Chair of the safety
Loss Prevention Bulletin Editorial Andrea Longley and Ken Patterson
Articles and case studies Board, introduces this special outline how the siting and design
from around the world issue commemorating the 50th of control rooms and other
anniversary of the Flixborough occupied buildings were factors in
Issue 297, June 2024 disaster. Flixborough and several later major
incidents, and how this led to the
Editor: Tracey Donaldson 3 Flixborough – in the development of the UK Chemical
Publications Director: words of the witnesses Industries Association’s Guidance
Claudia Flavell-While Rick Loudon, author of Flixborough on Occupied Buildings.
Subscriptions: Hannah Rourke – I was there, recounts the events
Designer: Alex Revell
of 01 June 1974 and its immediate 22 The effect of control room
aftermath, using the words of location, architectural
Copyright: The Institution of Chemical the emergency services and local
Engineers 2024. A Registered Charity in population who witnessed the
design, systems
England and Wales and a charity registered disaster. configuration and human
in Scotland (SCO39661) factors on major accident
ISSN 0260-9576/24
7 Nylon Years – consequence and
An interview with likelihood
The information included in lpb is given in
good faith but without any liability on the
Ramin Abhari Andy Brazier discusses the
part of IChemE Ramin Abhari talks about what importance of overall design of
inspired him to write his graphic the control room and associated
Photocopying novel, Nylon Years – and what systems highlighting that more
lpb and the individual articles are protected are the key lessons that he would focus is needed on supporting the
by copyright. Users are permitted to like readers to take away from the control room operator to perform
make single photocopies of single articles story. their critical role of keeping the
for personal use as allowed by national
plant safe and responding to
copyright laws. For all other photocopying
permission must be obtained and a fee 11 Flixborough — accidents.
paid. Permissions may be sought directly remembering ICI’s
from the Institution of Chemical Engineers,
response to the disaster 25 Recollections of
or users may clear permissions and make
Frank Crawley remembers, as Flixborough
payments through their local Reproduction
a young production manager Recollections from IChemE
Rights Organisation. In the UK apply
to the Copyright Licensing agency in 1974, how the Flixborough members of Flixborough and how
Rapid Clearance Service (CLARCS), 90 disaster caused ICI to undertake the disaster ultimately shaped the
Tottenham Court Road, London, W1P a review - led by Trevor Kletz - of progression of their careers.
0LP (Phone: 020 7631 5500). In the USA its own processes and implement
apply to the Copyright Clearance Center new process safety improvement 33 Safer leader page:
(CCC), 222 Rosewood Drive, Danvers, MA
01923 (Phone: (978) 7508400, Fax: (978)
strategies. An interview with
7504744). Ken Rivers
13 Flixborough and inherent Ken Rivers shares his perspective
Multiple copying of the contents of safety – inspired by on process safety and the
this publication without permission is
Trevor Kletz importance of good leadership,
always illegal.
Andy Brazier explains how the drawing on learnings from
Institution of Chemical Engineers concept of inherent safety – for Buncefield, Flixborough and other
Davis Building, Railway Terrace, example, what you don’t have, accidents.
Rugby, Warks, CV21 3HQ, UK
can’t leak – came to the forefront
Tel: +44 (0) 1788 578214 in process design considerations
Fax: +44 (0) 1788 560833 following the disaster.
Email: tdonaldson@icheme.org
or journals@icheme.org
www.icheme.org
© Institution of Chemical Engineers

0260-9576/24/$17.63 + 0.00
297contents.indd 2 05/06/2024 15:48:19

2 | Loss Prevention Bulletin 297 June 2024
Editorial
Flixborough – 50 years on
Fiona Macleod
The June 2024 edition of Loss Prevention Bulletin marks the and Ken Patterson and Andrea Longley draw attention to the
50th anniversary of the Flixborough accident. importance of building-in in-building safety. There is a delicate
On 01 June 1974, a huge cloud of cyclohexane exploded balance between having the right people in the right place to
above the Nypro factory, causing 28 deaths, multiple injuries prevent accidents, while minimising the occupancy in potential
and widespread damage. danger zones.
Rick Loudon, a member of the fire service, gives a unique IChemE members recount where they were on the afternoon
insight into the emergency response in his paper Flixborough of Saturday 01 June 1974, and how the accident changed their
- in the words of the witnesses. First responders were met professional lives. Finally, in our safer leader page, Ken Rivers
with scenes of utter devastation: villages destroyed, fallen shares his perspective on the importance of good leadership
high voltage cables arcing on the ground, a wall of flame in process safety, drawing on learnings from Buncefield,
and a growing risk of escalation -— the British Steel blast Flixborough and other accidents.
furnaces north of Scunthorpe were in danger of overheating The tragic accident at Flixborough catalysed the passing of
after a critical cooling water main was shattered by the Nypro the Health and Safety at Work Act and started the international
explosion. journey to the Safety Case approach to process safety in high
The court of inquiry found that the root cause of the hazard industries.
accident was an ill-judged modification to the cyclohexane There are no new accidents. Unless we make the effort to
plant, compromising the mechanical integrity and leading to a understand what happened
catastrophic loss of containment. and why, we are destined
Although crucially important in high hazard industries, to repeat them. The 28
the lessons from Flixborough shouldn’t be confined to people who died and
Management of Change. Ramin Abhari discusses the all those physically and
inspiration for his graphic novel Nylon Years which illustrates mentally injured, paid far
the influence of political, economic, techological and social too high a price for us to
change, highlights the importance of listening to the safety ignore the lessons from
concerns of workers, and reminds us of the importance of Flixborough.
inherent safety in design.
Frank Crawley remembers the ICI response to the accident Fiona Macleod
and Andy Brazier expands on Trevor Kletz’s approach to Chair, LPB
inherent safety. Andy also writes about control room design Editorial Panel

0260-9576/24/$17.63 + 0.00
297 editorial.indd 2 05/06/2024 15:49:31

Incident
Flixborough – in the words of the witnesses

Rick Loudon, UK
01 June 2024 marks the 50th anniversary of the disaster at
the Nypro Chemical Plant near Scunthorpe – now in North
Lincolnshire – but at the time was in Lincolnshire (Lindsey).
Worldwide it is known as ‘The Flixborough Disaster’ but
more locally to Scunthorpe and its surrounding villages it is
known as simply ‘NYPRO’.
By chance, the 50th anniversary this year also falls on a
Saturday, marking the same day in the week when 28 workers
lost their lives when a catastrophic explosion occurred at
16.53 hours causing destruction of the works and widespread
damage to the adjacent villages of Flixborough (900 metres
away), Amcotts (300 metres away on the river bank opposite
the plant) and Burton upon Stather (1.5km away).
In 1964 Nypro was formed jointly owned by Dutch State
Mines (DSM) and the National Coal Board (NCB) and in 1972 a
major £15m expansion was finished which brought the plant’s
capacity up to 70,000 tons of Caprolactum per year.
In the months leading up to 01 June 1974 a crack had been
discovered in ‘Reactor 5’ (one of six) and it was decided to
remove that reactor (from the official enquiry, ‘Nobody thought Figure 1: Storage tank at the point of the explosion
knowledge and
to check if the other five reactors had a similar fault’) and (© Andrew Henry)
competence
bypass it to keep production going. The following is taken from
the official enquiry and is not supposition: tonnes of Cyclohexane gas were released to the atmosphere,
very quickly finding a nearby ignition source and causing a
This bypass was constructed on site using material
Vapour Cloud Explosion (VCE) that at 17.05 registered at a
available, and connecting bellows for each end were
height of 200 miles and caused an RAF Canberra Jet flying at
engineering
and design
supplied from a specialist company. Whilst the fabricators
6000 feet to alter course.
who constructed the bypass did exactly as they were
The explosion caused widespread damage in the
instructed, the bypass was completely untested and failed
surrounding area and plate glass shop windows in Scunthorpe
to comply with the relevant British Standards at the time
five miles away were blown in causing widespread damage
and did not meet the bellows manufacturers specific
and injuries to shoppers from flying glass. In the village of
systems and
installation instructions.
procedures
Flixborough itself, out of 79 properties only seven did not
It should also be noted that the official enquiry into the incident suffer damage.
stated: Fire appliances were mobilised from all over the area with
the furthest away on the initial attendance that day coming
The key post of ‘Works Maintenance Engineer’ was vacant
from as far away as Hyde in Greater Manchester and Ossett
and had been since early 1974.
and Wakefield in West Yorkshire (bearing in mind there were
It also be noted that: ‘None of the engineers on the workforce no motorways in the area in 1974).
had an engineering background, all were chemical engineers The explosion had also destroyed a cooling main from the
and were incapable (through qualification) of recognising River Trent to British Steels Normanby Park Steelworks and the
what was, in essence ‘a simple engineering problem’ let alone blast furnaces needed thousands of gallons of water supplying
human factors
resolving it’. (Please be aware these statements were made to prevent an even bigger explosion occurring which would
by the team at the official enquiry into the incident nearly fifty have destroyed a good proportion of northern Scunthorpe!
years ago. They are not intended to be a criticism of current Ambulances and Police came from a wide area and London
practice, but cannot be altered from the official report of the Fire Brigade and London Ambulance Service offered assistance
time.) which was not ultimately needed.
Fortunately, as it was a weekend, many staff from the offices
A member of the workforce said:
etc. were at home and contractors working on the site had
finished work by 12 noon. ‘I saw the flames shooting about 250 feet in the air from
At 1653 hours the bypass failed and approximately 16 section 25A, then I heard a siren sounding, I put on my

0260-9576/24/$17.63 + 0.00
297 Loudon.indd 3 05/06/2024 15:54:44

Figure 2: General view from the banks of the River Trent some Figure 3: Fire-fighters at no.5 reactors (© Scunthorpe
distance away (© Andrew Henry) Telegraph)
safety helmet and went to the door but then there was slippers and with no crash helmet on as he’d rushed out of
another huge bang no more than 30 seconds after the first the house to find us and to see what had happened!’
bang. All I could see was a big sheet of yellow flame in the Another young girl was in her parents’ car coming home from
direction of section 25 and then I was thrown onto the floor holiday and recalled:
by the blast. I could hear burning and some other bangs
and I tried to crawl in the opposite direction. I was shouting ‘As we got nearer to the River Trent we suddenly saw
for help as I crawled and I finally came to a fence and could a huge blue flash shoot into the air to the north, in the
go no further. I was very tired and decided to lay where I vicinity of the Nypro works followed by a huge explosion.
was and go to sleep, then somebody came to me.’ We didn’t know what it was or if there was a danger of
toxic fumes. Dad told us to shut the car windows for the
Another employee who was working overtime that day said:
rest of our journey home!’
‘I was working overtime and as was normal practice, if we
worked the full shift we got paid for that shift; however, The first crews on the scene (four appliances and 12 firemen)
if we finished our job early, we had the choice of either were met with a scene of utter devastation and the first
staying for the remainder of the shift and getting paid or message back was:
‘knocking off early’ and claiming time in lieu. I needed to ‘Major Disaster, approximately 40 acres of a chemical
go into town, so I took the time in lieu option and left work works completely involved in fire, many casualties and an
around 16.10 hours and went home for a bath before unknown number of persons unaccounted for.’
heading into town. I’d just got in the bath when there was
an almighty bang! My first thought was Mum’s blown the
cooker up in the kitchen! I found mum outside talking to
a neighbour about what had happened (we lived on the
northern edge of Scunthorpe at the time and had a clear
view across the fields of what was occurring about 4 miles
away). Later it transpired that whilst mum hadn’t blown
the cooker up, our house and many others in the area had
suffered significant structural damage and we required a
new roof. So, my decision to claim a ‘lieu day’ as opposed
to cash that day was quite a significant moment in my life!’
A young girl who lived in the Flixborough village, and was 9

years old at the time said:
‘Every time we heard the sirens go at the plant, we’d jump
on our bikes and ride to the hill overlooking the works to
watch the fire engines arrive! As we turned the corner,
we saw it explode in front of our eyes, we were knocked
off our bikes and the sky went dark, when we opened our
eyes there was bits of debris falling from the sky around Figure 4: Tank farm on fire (Image taken from North
us. Then my dad arrived on his motorbike still wearing his Lincolnshire Libraries Collection)

0260-9576/24/$17.63 + 0.00
297 Loudon.indd 4 05/06/2024 15:54:48

‘anti looting patrols’ in the evacuated villages. One recalled:

‘Flixborough Village will always stay in my mind. It just
felt like the film set of an ‘apocalypse’. The whole village
had been evacuated, doors left open, windows smashed
and roofs blown off houses. Everybody had just left, and
personal documents were just scattered in the gardens of
the houses directly opposite the plant.’
The first two ambulancemen on the scene only had a simple

‘first aid box’ with them to tend to injured personnel. They
commented that ‘they didn’t see anybody on the site initially’.
As previously mentioned, the steelworks to the North of
Scunthorpe were deprived of vital cooling water for the blast
furnaces due to a main being shattered and it was essential
that a water supply was found to keep them cool until a repair
could be effected. This resulted in a further request for pumps
Figure 5: The reactors with the removed no5 reactor to the left from various sources plus Fire Service pumps (fire engines)
(Image taken from North Lincolnshire Libraries Collection) coming from as far away as Leeds and Hyde.
The steelwork’s blast furnace manager was at a friend’s
wedding some five miles away, and recalled:
The fire engines attending from Scunthorpe could not I had just sat down after proposing a toast to the bride
immediately access the site due to the intense radiated heat and groom when the explosion rocked the building. We
and fallen high voltage power cables ‘arcing on the ground’ had been experiencing some problems with one of the
in front of them. Fire engines that had come from villages two blast furnaces and I was concerned it may have been
and towns further afield and to the west gained access and one of those that had blown up. I made a quick phone call
‘set their pumps into’ the adjacent River Trent to commence a and the control room man said he wasn’t sure what had
water supply for firefighting (a standard fire engine carries 400 blown up but it wasn’t on the works. I made my excuses
gallons of ‘first aid water’ and has a 1000 gallon per minute and left for the steelworks driving as fast as I could. I could
pump). see the smoke and was aware it was Nypro. On arrival at
The officer in charge of the first fire engine later said: the works, I checked all was OK with the furnaces and
then got on a ‘works locomotive’ and went down there
‘When we got there, we were met with a wall of flame and (we had a wharf at Flixborough and the railway ran to the
after several attempts/detours we found our way onto wharf.) As we arrived the damage was incredible with
the site in the car park area. It was total devastation, with the whole plant in flames and the adjacent houses almost
wrecked cars and debris everywhere’. totally destroyed. I met up with one of our works service
engineers who had also gone to check if everything was
The officer in charge of the second fire engine said:
OK (despite his house in Burton upon Stather being badly
‘As we went through Flixborough village we could see damaged). We found the badly damaged pump house
the appalling damage to the houses and many distressed and tried restarting the pumps only to discover that they
people wandering around. When we got to the top of the tripped out again due to no water. I then had to find the
hill overlooking the Nypro plant we could not believe our senior fire officer on the scene and explain to him that if
eyes, there was approximately 40 acres of chemical plant we didn’t get water sorted soon, he would have an even
well alight!’ bigger explosion to deal with! He actually asked me to put
it in writing!
The officer in charge of the Fire Station in Scunthorpe some
five miles away remembered: The incident became major news and the last appliance on site
did not return to Scunthorpe fire station until 21 June 1974
‘I was getting ready to go home and was in my office nearly three weeks after the initial call.
when the initial call came into the fire station watchroom
by AFA (automatic fire alarm), then the whole building Some brief statistics on Flixborough
shook! I ‘booked mobile’ in my car and proceeded through
Scunthorpe town centre requesting more assistance as The incident at Flixborough required the attendance of 30 fire
I progressed and ambulances to attend the town centre engines and around ten specialist fire engines (hose layers,
due to numerous injuries from flying glass. Still two miles emergency tenders etc) on that first day. The situation at the
away I requested a further ten reinforcing appliances be steelworks required a further 17 pumps (fire engines). In total:
mobilised — and on arrival at the incident I requested ten • 19 miles of fire hose were used.
more!’
• 254 firemen were deployed to the Flixborough site.
Police officers attended to deal with traffic control, evacuation • 28 men lost their lives (all were on the works during the
of residents and overnight and the following days carried out initial explosion).

0260-9576/24/$17.63 + 0.00
297 Loudon.indd 5 05/06/2024 15:54:49

The 28 who perished on 01 June 1974 are remembered below

and on the memorial at the church in Flixborough village.
John Barrett (43) Ian Kidner (37)

Wayne Bradshaw (19) Allan Lambert (25)
Terence Carter (36) Denis Lawrence (48)
Michael Clark (26) Thomas Leighton (40)
Kenneth Crawford (33) Geoffrey Marshall (20)
Roland Cribb (35) Albert Nutt (51)
Thomas Crookes (53) John Render (20)
James Doherty (46) Graham Richards (30)
Steven Drury (27) Richard Simpson (34)
Ronald Forster (23) Michael Skelton (27)
Anthony Freear (30) Harry Stark (44)
Stanley Grundy (48) Geoffrey Twidale (30)
Michael Hickson (26) Frederick Watkinson (35)
Edwin Holland (24) Keith Winter (24)
It is particularly poignant to reflect on the ages of those who

were lost — almost a half were aged only 30 or under.
The original memorial of Mallards in flight cast in bronze
and sited outside the rebuilt office block was relocated on the
plants closure to the parish church in Flixborough village, it
was later stolen and has never been recovered.
Figure 6: Granite memorial to the victims at Flixborough The new memorial in granite was commissioned some
Church (© Richard Loudon) years later.
• Two members of the workforce were rescued by fire

service. Editorial note
• 105 workers were injured. Rick Loudon is the author and
• 200 families were rendered homeless. publisher of FLIXBOROUGH
• Around 51,000 meals were provided to families, emergency ‘I Was There’ The Story of the
workers and other agencies between 01 June and 20 June 1974 Flixborough Disaster.
by the Salvation Army, WRVS and local school canteens. Rick has painstakingly
compiled personal accounts
The disaster shook the population of Great Britain and rattled and photographs to record the
the confidence of each and every chemical and refinery very human element of the
engineer in the UK. Flixborough disaster.
It demonstrated very clearly the necessity to ‘plan and Published Nov. 2023. ISBN:
prepare’ for a massive escape of gas from containers holding 9781399963671, Hardcover:
flammable liquids under pressure at temperatures above their 366 pages, Dimensions:
boiling point and the resulting formation of clouds of highly 210 x 297 mm, £25.00
flammable gas.

0260-9576/24/$17.63 + 0.00
297 Loudon.indd 6 05/06/2024 15:54:53

Interview
Nylon Years – An interview with

Ramin Abhari
LPB talks to Ramin Abhari, when the accident occurred. Since the plant ran for two months
Principal Process Engineer under normal operating conditions with the “bypass pipe” with no
at Chevron and Editorial reported issues, a case can be made that it was this “hot standby”
Panel member, about his condition — when an unagitated pool of water in R-4 was heating
passion for sharing process up — that initiated the hypothesised squirming motion of the
safety lessons through story bypass pipe/bellows assembly and subsequent failure/release.
telling and in particular his
depiction of the Flixborough disaster through his graphic novel What led you to dig deeper?
Nylon Years – see https://www.icheme.org/media/26138/ I think it’s natural to want to learn as much as one can about a topic
nylonyearslpbcompletenew.pdf before writing a story about it. It became clear early in researching
the events that this would be the story of a well-designed plant
What prompted you to create a ‘graphic becoming increasingly compromised by an unfortunate chain
dramatisation’ of the Flixborough disaster? of events. The tragedy is that was the result of well-intentioned
I learned about Flixborough when I read Ralph King’s book as a actions taken in response to external factors.
young chemical engineer. It was 1993 and I had just returned to my
employer’s home office after a 14-month assignment operating a What is known about the effect of the miners’
demonstration plant where “creative workarounds” were common. strike and oil crisis?
Reading King’s insightful account of the 1974 accident resonated
The coal miners’ union had demanded an inflation adjusted
with me and became a foundation for developing my process
pay increase in 1973. The government of Prime Minster Heath
safety competency. Years later in 2015, while working for another
knowledge and
refused, and the miners started a “no overtime strike.” When the
competence
company, the plant that our team built based on a new process we
Arab oil embargo took effect later that year, the Heath government
had developed experienced two fire incidents involving injuries.
instituted measures requiring the largest industrial energy users
That’s when I decided to write something about process safety.
to cut back their power consumption. This led to the decision by
Since I had read that stories and images are remembered longer,
Nypro to turn off the electric powered reactor agitators.
I chose to tell the story of a chemical plant disaster in the graphic
engineering
novel format. I chose Flixborough as the inspiration for the story.
and design
Can you explain what is meant by ‘The Water
What did you base your research on? Hypothesis’?
The Court of Inquiry report was my main source for the factual When two immiscible phases are heated in the same tank, each
events surrounding the accident. For technical information, I exerts its own vapour pressure. This phenomenon is encountered
when a hot hydrocarbon is transferred to a tank that contains
systems and
procedures
relied on King’s writings about heat up of the two-phase water-
cyclohexane system, but also on other Flixborough-inspired papers hydrocarbon with a pool of water at the bottom. When the settled
on nitrate stress corrosion cracking and the hydrodynamics of the water layer rapidly heats up as a result, a sudden eruption of the
“bypass pipe” failure. Other research included original patents liquid can result. To avoid this, the rule of thumb is to ensure the
filed by Stamicarbon/DSM on cyclohexane oxidation technology tank pressure is greater than the sum of the vapour pressures of
and chemical market reports about caprolactam and nylon-6 in the the hydrocarbon and water.
‘60s-70s. Since I was writing about 1970s northern England, I also During hot circulation in the Nypro CSTRs, the hot cyclohexane
researched the time, culture, and politics of that time and place. flowing over the water layer in R-4 would have heated up the latter
in a similar manner. According to King’s analysis, after the R-4
Did you agree with the findings of the (1975) cyclohexane reached 155⁰C, the water layer would have needed
Court of Inquiry on the root cause? to reach 145⁰C for the sum of the vapour pressures to exceed the
operating pressure of 7.8 bar. When that condition was met, a
The Court of Inquiry report is an extensive accident investigation
pressure spike with eruption of liquid could have exerted stress on
based on an exhaustive number of interviews and data collection.
the bypass pipe assembly, initiating the squirming of the pipe at
I don’t think anyone disagrees with the “bypass pipe” as being
the bellows and the rupture that followed.
the root cause. However, I agree with King that the failure of
the “bypass pipe” could have been initiated by the water pool
Do we know for sure that the concentration of
culture
in unagitated “R-4” reactor. The Court of Inquiry missed the

consequences of that additional deviation from the original process water in reactor 4 was the highest?
design, particularly during “hot standby” (with no air sparge) No, that is a conjecture supported by generalised chemical

0260-9576/24/$17.63 + 0.00
297 Abhari.indd 7 05/06/2024 15:56:09

Figure 1 – Chemistry of caprolactam production and use,

and the two feedstocks for the cyclohexanone intermediate
First Nypro Unit
(1968)
(cyclohexanol which is co-produced and used in a mixture with
cyclohexanone is not shown)
Phenol
Cyclohexanone Nylon-6
Caprolactam
New Nypro
Process Unit
(1974)
Cyclohexane
Figure 2. The cyclohexane oxidation process unit built at Flixborough
To Flare
Air
Nitrogen
(1)
(1)
(1) (1) (1)
R-1 R-2 R-3 R-4

Heater R-5
Reactor System (2) R-6
Scrubber/Absorber
Distillation Train
Cyclohexane Recycle
Water
Cyclohexanone to
Caprolactam Unit
Cyclohexane
Air
Nitrogen
Cyclohexane from heater Reactor effluent to water

separation and distillation
R-1 R-2
R-3
R-4
R-6
Figure 3 – The rector system at the time of the accident, showing how a pool of water
byproduct could form in unagitated R-4 reactor next to the “bypass pipe” assembly

0260-9576/24/$17.63 + 0.00
297 Abhari.indd 8 05/06/2024 15:56:12

reactor behaviour. Since cyclohexane oxidation forms water, its joint venture in England, they also built an identical caprolactam
concentration in the reactor system increases with conversion. plant in Augusta, Georgia (USA). In 2016, when the Augusta
For all first order or higher reactions, the conversion curve caprolactam plant was permanently shut down, I used Google
(conversion as a function of reactor number for CSTRs in series) Earth to zoom inside that plant. I could spot three cyclohexane
is expected to look something like what the operators have oxidation trains identical to what was in operation at Flixborough
sketched in the bottom panel of Page 20 of Nylon Years. That is, (same six CSTRs in series with each reactor at a higher elevation
the concentration of water would be lowest in R-1 and highest than the next). Clearly, the technology continued to be used for
in R-6. However, since most reaction happens in the first 4-5 caprolactam production and capacity expansion.
reactors, the increase from R-4 to R-6 would have been minor.
(That’s why when R-5 was pulled out, there was no significant What lessons would you like us to take away from
drop in conversion performance.) Furthermore, since the last your story?
reactors would have been the hottest (highest conversion of the
exothermic oxidation reaction without heat removal), a case can Lesson 1. Inherent safety in process design.
be made that some of the water may have been stripped with the
sparging air such that during normal steady-state operation, R-4 Due to low per-pass conversion, large volumes of cyclohexane
would have had the highest water content when the agitation was had to be circulated at elevated temperatures and pressure.
stopped.
Lesson 2. Weak signals and normalisation of
None of the shift team or control room records deviation
survived the accident — how much of the Although product quality and production rates were not
description of operator actions leading up to the impacted, running with none of the reactors stirred seems to have
explosion in Chapter 10 can you be sure of?
That part is complete dramatisation. There is no doubt that
the operators were immediately made aware of the loss of
containment as reactors rapidly depressurised. What they did in
the two minutes between that, and the vapour cloud explosion is
something we can only imagine. I read some firsthand account by
a technician working in the lab that he saw a haze (of cyclohexane
vapour) as he was evacuating the plant with his colleagues, before
he was knocked down by the vapour cloud explosion. I imagined
something similar with the process operators, except that in my
story they chose to mitigate the vapour release as they had done
with much smaller vapour releases in the past.
Did the Nypro plant ever restart after the

explosion? Using what process?
Yes, the plant was rebuilt and production restarted at Flixborough
in 1977 using the old phenol hydrogenation process. Due to
restrictions imposed by authorities and concerns voiced by the
community, the plant discontinued use of cyclohexane and other
flammable hydrocarbons. The plant shut down production a year
later. It was demolished in 1981.
Did this accident signal the end for the cheaper/

higher hazard cyclohexane process?
Trevor Kletz developed the foundation of what is known as
Inherent Process Safety after Flixborough. Due to low per-pass
conversion, Flixborough relied on circulation of a large inventory
of the volatile and flammable cyclohexane at elevated temperature
and pressure. Loss of containment anywhere in the reactor/
fractionation loop could have resulted in a fire/explosion. Instead
of relying on equipment/instrumentation to keep the “tiger in the
cage,” Kletz argued, why not see if we can adopt a less dangerous
pet in the form of other reactant or process condition? In many
respects, cyclohexane oxidation is a good example of what is
NOT an inherently safe process. The old phenol hydrogenation
was arguably an inherently safer process. Nevertheless, the
cyclohexane oxidation process continued to be used for
caprolactam production. At the same time DSM started the Nypro

0260-9576/24/$17.63 + 0.00
297 Abhari.indd 9 05/06/2024 15:56:13

introduced unexplained mechanical failures and normalised this

deviation such that continuing to run with one unstirred reactor
did not seem unusual anymore.
Lesson 3. Management of change

Following the failure of Reactor No. 5, a “bypass pipe” was
designed, fabricated, and installed in three days. According to
Trevor Kletz, the pipe was drawn on the shop floor. There were
no drawings issued for review by mechanical engineers for stress
calculations when assembled with bellows to the two connecting
reactors.
Lesson 4. Proper communication of safety concern

by workers
Transparency and open communication are key to a healthy safety
culture. In the story, Allan’s girlfriend encouraged him to voice
his concerns through proper channels and went as far as typing
a memo for him to send the plant manager. However, he did
not have a sense of psychological safety and decided not to go
through with it.
Lesson 5. Temporary fix becoming acceptable

(a form of “normalisation of deviation”)
Nypro operated for two months with the bypass pipe seeing no
issues, and this seems to have deprioritised implementing the
permanent fix. Workers got used to thinking of it as normal part of In case of running without mechanical agitation, the potential
the process even though it was a very weak mechanical protection for water byproduct settling in the tanks during hot standby (with
against the worst case loss-of-containment scenario. air supply off) flew under the radar as a latent hazard with “weak
signals”. The character of Allan in Nylon Years picked up on the
Lesson 6. Recognising that our metrics for weak signals but was not heard. When R-5 failed and the “bypass
monitoring change may be incomplete pipe” was being fabricated, he felt that he had connected the dots
and his girlfriend made him go to proper channels to bring this to
Our industrial facilities do not operate in a bubble. A chemical
plant is part of the broader society and at times may need to the attention of management. But due to his own personal and
respond (quickly) to political, economic, and technological professional frustrations, he did not. Therefore, another lesson is
changes around it. These responses may take the form of a that workers need to take responsibility if they see problems and
temporary operational change introduced with the best intentions. to communicate those through proper channels. Being concerned
Common examples are switching to a cheaper feedstock with an observed safety risk and staying silent is as good as not
or running the unit at different throughputs than designed. noticing it at all.
Sometimes the metrics we rely upon to assess the impact of
the change do not capture all the consequences. A key lesson What do you think we learned from Flixborough
therefore is knowing the limitations of our process monitoring and what lessons are we in danger of forgetting
tools/instrumentation in assessing what we believe are well 50 years on?
planned process modifications.
Not enough. Most writings/presentations about Flixborough are
in the context of Management of Change (with perhaps an image
of the “bypass pipe” between R-4 and R-6 as a reminder of what
was done wrong). The bigger story and lessons are rarely told.
Did you consult/have any feedback from any

witnesses, survivors or relatives of the deceased?
After Nylon Years was published, I connected with a former Nypro
operator (who was not in the plant during the accident) and the
son of one of the 28 workers who died. They both thanked me
for this dramatisation of the event, and showcasing aspects of
the accident they were not aware of. The son and the coworker
were glad to learn that the lessons of Flixborough have mostly
been embraced by our industry to build and operate safer
petrochemical plants today.

0260-9576/24/$17.63 + 0.00
297 Abhari.indd 10 05/06/2024 15:56:16

Incident
Flixborough — remembering ICI’s response to

the disaster
Frank Crawley, UK
Background straw. He said “I think that this was probably the cause of the
I joined ICI in 1963 as a trainee production manager on olefin incident”. He was right!
plants and by 1968/9 I was one of the commissioning and After a visit to Ardeer, by Trevor Kletz, I was asked to put
start-up managers on the largest olefin plant ever built. I made forward a “shopping list” of implements in process safety
the acquaintance of a certain Trevor Kletz. He spoke of new that I considered would likely be cost beneficial. This list was
and challenging ideas with which I wanted to be involved. purged by the Assistant Works Manger and was submitted.
I also met and got to know the ICI Division specialists in Trevor responded with “This is not the full list. I want the
“effects” — Dick Robertson (thermal radiation), Les Cude (gas whole list; I will worry about the costs!” It is not often that
dispersion) and Bill High (explosions). you go over the head of a senior member of staff such as an
I moved, inside the ICI Division, to a new Nylon Assistant Works Manager!
intermediates plant in Scotland (Ardeer, Stevenston) where I For the next two years I spent about 30% of my working
was a specialist engineer covering: time on the improvements which were exchanged and
discussed with the team from the Nylon Intermediates at
• safety studies (cyclohexane oxidation, as with any Wilton at a quarterly meeting somewhere near Carlisle.
oxidation process, resulted in a number of serious (ICI had a policy that a driver of a car should only travel 250
incidents worldwide) miles per day. Hence the “half way house”). Also, there was
• machine and process health monitoring using vibration a quarterly face-to-face discussion with Trevor to discuss
and other process techniques progress. Coincidently, it was during one of Trevor’s site
• problem solving (what is going wrong?) visits that there was a fire on the Ketone Alcohol Plant. An
• accident investigation (what went wrong?) emergency isolation on a pump, which had been fitted as
• efficiency monitoring/optimising. one of the safety improvements, closed on operation so
extinguishing the fire. This featured in one of the ICI Safety
Newsletters.
01 June 1974
engineering
and design
What was the outcome? A number of changes were
As it was a Saturday I was at home with my wife and young
required. Table 1 describes the changes, the reason and the
family when news of the Flixborough explosion hit the evening
actual requirements. This is a sample of the more significant
headlines. The footage of incident was initially unclear, but
changes.
the papers next morning were more informative and from
The first change was quite simple. The emergency
an ICI methodology, written by Bill High (which became part
systems and
procedures
procedures did not cater for an event of the size of
of the IChemE Monograph on explosions) and placing the
Flixborough.
epicentre on the Cyclohexane Oxidation Plant, it was possible
to assess a likely TNT equivalence from the damage profiles The second change was self-evident from the number
seen in the papers. It was quite unbelievable and at the best of joint leakages and the joint damage. It only required
estimate it appeared that the leak rate to cause that explosion specification of an acid resistant and solvent tolerant jointing
was the equivalent of a manhole cover being blown off. One material.
of the anomalies was the off-site damage to houses. This was The third change was installation of hydrocarbon gas
put down to a second explosion (and a new epicentre) in the detectors which were then coming onto the market and had
Caprolactam Plant been used successfully elsewhere in ICI.
As Monday 03 June was a bank holiday I decided not to go The fourth change was based on the observation that most
to the works as it would have inferred concerns. fire-water drainage systems were inadequate. Fire zones were
Things happened quickly. First came a request from Trevor defined and the probable fire-water loading was assessed for
Kletz to review the improvements that I felt were necessary each zone. Then water was pumped into each zone and “back
on the Cyclohexane Oxidation Plant (KA, ketone alcohol, at up” and segregation was assessed. The results were worse
Ardeer). This was already a part of my role. The second was than anticipated. Pinch points were treated by bunding and
a presentation by D Waters, the Fire Chief at ICI Wilton (who fire-water spread by grading. Fire water recovery required the
I knew well from my production “fire experiences”). He was construction of an earth settling area and strategically placed
seconded to organise the firefighting at Flixborough but he pump-out points.
produced a photo of a piece of piping, bent like a drinking Strangely there were two improvements which came from

0260-9576/24/$17.63 + 0.00
297 Crawley.indd 11 05/06/2024 15:57:36

Change Required Reason Final Result
Review all safety procedures and Most procedures were based on upsets A whole raft of new emergency procedures
upgrade in the light of Flixborough and not emergencies was drawn up
Change the piping jointing Cyclohexane dissolved the elastomer in Replace all joints with SEW loaded with
Compressed Asbestos Fibre joints which “graphite” joints. The joint comprised an
then leak inner and outer retaining ring filled with a
spiral of graphine and stainless steel sealed
to the rings.
Upgrade the Fire and Gas detection The installed system did not include gas A new gas detector system, strategically
system detectors which were just coming on the placed, was installed
market
From earlier observations it was clear A simulated full fire water load test was The concrete was regraded, mini buds were
that the fire-water drainage was not fit carried out to simulate a full fire. installed to limit fire spread on water and
for purpose in most chemical plants pump-out points identified with “settling
tank or bunded areas”
The process used a slurry of boric acid Installed secondary flexible pump seals CRANE (the pump seal manufacturer) were
which damaged pump seals between the flush point and the impellor consulted and were just bringing to the
market “tetra-lip seals These were installed
The installed Emergency Isolation The Oxidation process results in a strong New valves were purchased and installed
Valves were not reliable acidic environment but the seals must
also be acid resistant and tolerant of the
boric acid slurry
Table 1: Summary of Significant Changes
writing a specification for each case/item but not knowing if it convinced that they could supply and added an extra feature
knowledge and
competence
existed. – a scrapper ring to dislodge any slurry off the ball surface.
The fifth change was again the result of pump seal leakage. This was the first ever use of their valves in Europe but now
Seal flushes were not perfect as boric acid could still migrate to NELES supply nearly all sub-sea pipeline isolation valves in the
the seal face. A specification was written for a secondary seal, offshore O & G industry.
between the impellor and the main pump seal, using a flexible There were other minor changes and one failure.
engineering
and design
graphite loaded PTFE seal which was to be an annular fixture Emergency depressing could not be done properly as there
lubricated by the seal flush but roughly shaped as a comma was no flare stack on the plant. Dispersions calculations
in cross section such that it would give some sealing should showed that venting to atmosphere was viable (it would not
the main seal collapse. CRANE (the pump seal manufacturer) now be so due to the environmental considerations) but the
were consulted and given a specification of what we wanted. integrity could not be proven so it was abandoned.
CRANE were a little surprised as they were just about to bring
systems and
Did it make a difference? Yes. Operation was easier,
procedures
their new secondary seal to the market and showed us a emergency procedures were sharpened up, leak frequency
prototype of their TETRA-LIP SEAL at the meeting which was more than halved — in particular on pumps and pipe jointing,
exactly as we had specified!! emergency isolation was far more reliable and,possibly of
The final change was based on wish list for the “specification more importance, the operators felt more confident in the
of all that we wanted in a ball valve”. A valve purchaser took safety of the plant.
on the task and identified a Finnish company by the name History is such that about ten years later the Nylon business
NELES which could manufacture to that specification. was sold to Dupont and eventually the whole business was
After a trip to Finland in a very cold February I was discontinued ten years later.

0260-9576/24/$17.63 + 0.00
297 Crawley.indd 12 05/06/2024 15:57:37

Safety practice
Flixborough and inherent safety – inspired by

Trevor Kletz
Andy Brazier, UK
a gauge pressure of about 10 bar (150 psi), to a mixture of
Overview cyclohexanone and cyclohexanol, usually known as KA (ketone/
The official inquiry into the Flixborough disaster1 identified alcohol) mixture. It is a stage in the manufacture of nylon. The
shortcomings in integrity of plant, management of change inventory in the plant was large (200 to 500 tonnes has been
and plant management as specific learnings. Trevor Kletz, quoted) because the reaction was slow and the conversion low,
on the other hand, was prompted to consider why the the latter being about 6 percent per pass! Much of the inventory
plant had been so hazardous in the first place and whether was held in six large continuous reactors operated in series, and
a better chemical process design could have allowed a the rest was held in the equipment for recovering the product
smaller inventory, which would have been inherently safer. and recycling the unconverted raw material.”
A paper presented by N.A.R. Bell at a symposium three Based on this explanation, Kletz believed that a more efficient
years before the accident ultimately led him to develop reaction process would have significantly reduced the inventory
his ideas about inherent safety, leading to his first paper of hazardous material present on site. Even if a mechanical
on the subject being published in 1978. Of course, Kletz failure of plant had occurred the consequences would have
is not the only person to have thought about inherent been much less.
safety in the 50 years since Flixborough, but he was one
of the most prolific. In the Trevor Kletz Compendium2 we An alternative description of inherent safety
dedicated a full chapter (40 pages) to summarising the One of Kletz’s skills was his ability to reduce seemingly
historical and current views on the subject and its place complicated issues to the simple fundamentals. For inherent
knowledge and
competence
in the hierarchy of risk controls. This paper is a shortened safety he proposed the following very simple but effective
version. statements5:
Keywords: Inherent safety, Flixborough, Kletz • “what you don’t have, can’t leak”
• “people who are not there can’t be killed”
engineering
and design
What is inherent safety? • “the more complicated a system becomes, the more
It is probably fair to say that inherent safety is a concept rather opportunities there are for equipment failure and human
than a clearly defined method or approach. This may explain error”
why the development of a universally agreed definition has not The best way of preventing a leak of hazardous material is to
been straightforward. use so little that it does not matter if it all leaks out, or to use a
systems and
procedures
Whilst Kletz wrote a lot about the subject, he does not appear safer material instead. We cannot always find ways of doing this
to have used a specific definition. One of the closest attempts but once we start looking for them, we find a surprisingly large
appears in his autobiography3 where he says the main concept number.
is that “it is better to remove a hazard than to keep it under Whilst hazard elimination will always be the most effective
control.” measure, Kletz was very well aware that this was not always
Organisations including US Center for Chemical Process possible or desirable. With this in mind, keeping people away
Safety (CCPS), UK Health and Safety Executive (HSE) and the from hazardous areas can be very effective at reducing the
Energy Institute have actively explored the subject with the consequences of accidents that occur.
following common themes: There is a view that complication is inevitable today.
• risk reduction is an intrinsic part of the process and not an Sometimes it may be, but not always. There are many ways in
added layer; which plants have been made simpler, and thus cheaper and
safer. As with the reduction of stocks, the constraints are often
• it is permanent and inseparable from the process;
procedural rather than technical. We cannot simplify a design if
• it should be balanced with other decision-making criteria, we wait until it is far advanced; we have to consider alternatives
especially where there is significant cost or technical risk. in a structured and systematic way during the early stages of
design.
Relevance to Flixborough With regards to cost, Kletz was adamant that an inherently
Kletz wrote4 “Flixborough in 1974 occurred in a plant for safer plant is also cheaper to build, operate and maintain
the oxidation of cyclohexane with air, at about 150°C and because it can be smaller and use less protective equipment.

0260-9576/24/$17.63 + 0.00
297 Inherent.indd 13 05/06/2024 15:58:44

Intensification or minimisation
The aim here is to perform the same activity with smaller quantities of hazardous
material or performing an activity less often. This can be achieved by selecting
different equipment and processes that are more efficient or require smaller hazardous
inventories. Switching from batch to flow reactors can significantly reduce inventories.
Substitution
The aim here is to reduce the hazard severity by replacing a hazardous substance or
a processing route with a less hazardous alternative. Another option is to replace a
procedure with one that presents a lesser hazard. Using safer solvents or choosing
processes that require less hazardous conditions.
Attenuation or moderation
The aim here is to use a substance in a way that reduces its hazardous properties or to
use less severe processing conditions. Another way is to store or transport material in a
less hazardous form. It can be achieved by controlling operating temperature to below
where a runaway reaction can occur and storing materials in less hazardous forms (e.g.
paste instead of powder).
Simplification
The aim here is to reduce the likelihood of an accident through inherent features of the
design. This can involve designing processes, equipment and procedures to eliminate
opportunities for failure, including human error; also, designing equipment that cannot
be exposed to extreme process conditions by the worst-case processing conditions.
Table 1: A series of images Kletz presented to illustrate the principles of inherent safety6.
Principles of inherent safety these changes earlier is likely to be cheaper and cause fewer
knock-on issues.
In his workshop notes published by IChemE in 1978, Kletz
references Edward de Bono as saying simple pictures can be In the very early stages of a project decisions are made
very powerful at conveying ideas. Images do not have to be about what to make, by what route and where the facility
accurate or descriptive, but simple enough to lodge in the will be located. Adopting and mandating formal conceptual
memory. Above is a series of images Kletz presented to illustrate stage studies can ensure sensible discussions take place so
the principles of inherent safety6. that optimal decisions can be made. Researching all available
chemical processes, including low-inventory flow reactions and
Elimination may be considered the most fundamental
semi-batch methods, and conducting laboratory and pilot plant
principle of inherent safety but did not appear on Kletz’s list
experiments should be considered to ensure the safest chemical
because he generally saw it as a result of applying inherent
process is selected. Also, it sets the scene for the remainder of
safety rather than a principle in itself2.
the project.
During Front End Engineering Design (FEED) or Define
Applying inherent safety through design
phase, when a flowsheet that identifies the main sub-systems
The concept and principles of inherent safety can be applied has been developed, the following can be used as a prompt7:
at all stages of a system’s lifecycle. However, the greatest
opportunities for risk reduction are found at the earlier stages • materials — develop an inventory, identify their hazards and
of development because there are more options to eliminate or consider options to remove or reduce;
significantly reduce hazards by changing the chemical process, • reaction — size of reactors and opportunities to reduce;
fundamental engineering design or plant location. Also, making process conditions and opportunities to make less severe;

0260-9576/24/$17.63 + 0.00
297 Inherent.indd 14 05/06/2024 15:58:45

and any potential for runaway reaction;

MOST
• separation — inventory of material in separators and EFFECTIVE
opportunities to reduce; PHYSICALLY REMOVE
ELIMINATION THE HAZARD
• heat transfer — inventory of material in exchangers and
opportunities to reduce; use of less hazardous heat transfer SUBSTITUTION REPLACE THE HAZARD
medium; ensuring the most hazardous material is in the
safest part of the exchanger (e.g. in tubes not shell); ENGINEERING ISOLATE PEOPLE FROM
CONTROLS THE HAZARD
• storage — factors defining storage requirements and
ADMINISTRATIVE
options that would reduce these; storage process conditions CONTROLS CHANGE THE WAY PEOPLE WORK
and options to make less hazardous; PPE PROTECT WORKER WITH PERSONAL
• equipment types — options to use simpler alternatives; PROTECTIVE EQUIPMENT
• human error — options to reduce susceptibility that do not LEAST

EFFECTIVE
involve additional safety systems.
Although it may become more difficult, it is still important to Figure 1 - Hierarchy of Risk Controls
continue looking for options to increase inherent safety as the
detailed design is developed. Examples include eliminating maintenance carries its own risk and so a balanced approach has
or minimising the stored inventory of hazardous materials, to be taken.
substituting a more corrosion resistant material of construction Another decision to make when carrying out maintenance
for equipment, minimising potential hazardous impact by is the type of isolation to be used. The inherently safer option
locating access routes and roads away from potentially is to use positive isolation, with removal of spool pieces being
hazardous areas, locating emergency equipment such as the most robust option because the alternative methods (e.g.
fire water pumps and switch gear for emergency equipment spades, blind flanges) are easier to defeat. However, all forms of
away from the main plant which it is designed to protect, and positive isolation involve breaking joints and so introduce their
designing the equipment arrangement in well vented and own risks.
open process areas to prevent accumulation of hydrocarbon if Whilst hazard is present there is always some risk. But certain
released. operations such as plant start-up and shutdown are known to be
more hazardous. In these cases, the concept of “people who are
Applying inherent safety during operations and not there can’t be killed” can be applied by clearing sites during
maintenance the most hazardous operations, or at least limiting them to
essential personnel only. Other hazardous operations where this
Whilst inherent safety is a critical design issue there can be many applies include tanker deliveries of hazardous material, opening
opportunities to use the same principles during the operational pig receivers/launchers, sampling and any activity involving a
stage of a system. Whilst it should be a continual goal, there break of containment, such as filter changing.
will be specific times when it should be considered formally
including identifying actions following an incident investigation Hierarchy of risk controls
or when evaluating a plant or process change.
Although options to follow an inherently safer approach The goal of inherent safety is to avoid reliance on added
should always be considered, application to a system that has safety systems as it is recognised that these can never be fully
already been designed and built is not straight forward and can effective. The hierarchy of risk controls highlights that the
options available to control residual risks are not all equally
often lead to unintended consequences.
effective or reliable8.
Managing inventories is one option. Just because a tank or
It is possible to argue that inherent safety results in hazard
vessel can hold a quantity of material, it does not always need
avoidance and so it not technically a control. However,
to be filled to capacity. Reducing inventories to only what is
pragmatically it is clear that it is part of the overall management
needed will reduce the potential consequences of failure. On
of risks and excluding it in order to make clear-cut distinctions is
the other hand, reduced inventories will inevitably mean that
neither necessary nor helpful.
materials need to be handled more often (e.g. smaller deliveries
The concept of the hierarchy of risk control illustrates that the
carried out more often). The risk of additional handling needs
effectiveness of controls depends on their characteristics. As a
to be considered against the reduction of risk through reduced
general philosophy controls at the top of the hierarchy should
inventory.
always be considered first because they are most reliable. But
It is standard practice to isolate, drain, clean and purge
the overall solution is likely to involve controls at all levels of the
process equipment before maintenance. But decisions can be
hierarchy.
made about how much plant needs to be prepared in this way.
The inherently safer approach is to shut down and prepare the
whole facility because this will minimise the inventory of material
ALARP
present whilst the maintenance is being carried out and also The acronym ALARP is now widely used and stands for “As Low
reduces the potential consequence of maintenance errors (e.g. As Reasonably Practicable.” In a safety context it is used when
someone breaking the wrong pipework joint). However, it can discussing whether a risk is ALARP or further action is required
have significant impact on production. Also, preparing plant to reduce it.
and equipment for maintenance; and returning it to service after ALARP is generally applicable in ‘goal-setting’ regulatory

0260-9576/24/$17.63 + 0.00
297 Inherent.indd 15 05/06/2024 15:58:45

systems where it is the duty holder’s responsibility to for convenience rather than necessity (what you don’t have
demonstrate that they are managing their risks rather than can’t leak). At BP Texas City, most of the 15 people who died
prescriptive ‘rule-setting’ systems where the regulator has were in a temporary building that could have been located in
a greater role in saying how risks shall be managed. Other a far safer place on the site (people who are not there can’t be
countries including the US have avoided adoption of the ALARP killed). At Esso Longford the heat exchanger that failed had not
principle. One of the reasons is that it is difficult to define what is been designed to withstand the low temperatures possible under
considered as reasonably practicable for a given circumstance. abnormal or fault conditions (the more complicated a system
The UK’s HSE provides guidance on how to apply ALARP in becomes, the more opportunities there are for equipment failure
practice. Cost benefit analysis may be one approach but can and human error).
be complicated and relies on quantified data that may not be Controlling risk is not simple. Opportunities for reduction
readily available in any useful form2. should always be looked for, whilst being aware of unintended
Guidance for permissioning within the Control of Major consequences. Whilst it may be easier at the early stages of a
Accident Hazards (COMAH) regulations states that “ALARP design project, the principles of inherent safety can be applied at
demonstration for individual risks is essentially a simple concept any time. When contemplating a task everyone involved should
which can be satisfied by the operator answering the following be asking themselves whether all reasonably practicable steps
fundamental questions”9. have been taken to remove hazards, if people who do not need
to be present have been kept away and if arrangements are as
1. What more can I do to reduce the risks?
simple as they could be.
2. Why have I not done it?
An inherently safer solution may not actually create the lowest
Answers to the first question are qualitative in nature and overall risk. Applying the hierarchy of risk controls is not a case
involve looking systematically at the risks and drawing up, of selecting which control to apply but can provide a structured
in a proportionate way, a list of measures which could be way of evaluating the potential strengths and weaknesses of
implemented to reduce those risks. different options. Ultimately the aim is to achieve risks that are
The answer to the second question may be qualitative or ALARP, which requires you to continually consider what more
quantitative in nature depending on the predicted level of risk can be done to reduce risk and demonstrate that doing more is
prior to the implementation of those identified further measures. not beneficial.
The guidance states that if “it cannot be shown that the cost All this is taking place in a global context. We may feel that
of the measure is grossly disproportionate to the benefit to our responsibility is to the safety of our colleagues, neighbours
be gained, then the operator is duty bound to implement that and local environment; and that decisions we make that may
measure”9. However, there are often reasons to not implement affect risk in another part of the world are not our concern. But
additional measures that are not purely due to financial cost. morally we all have to be aware of how the decisions we make
Risk transferral is very often a factor where a measure to reduce affect others. The message for industry is that it should “export
one risk increases another. inherent safety not risk.”10
In some cases, ALARP can mean that an inherently safer
solution is not safer overall. For example, choosing to not References
make a product, to eliminate a hazard, may simply mean that
production is moved to another site, possibly in another country. 1. The Flixborough Disaster. Report of the Court of Inquiry.
The alternative may apply lower safety standards. Also, risks Department of Employment (1975)
of transport will have increased. In this case the issue may be 2. Brazier, A. Edwards, D. Macleod, F. Skinner, C. Vince, I.
moral rather than economic, and there may be an argument to Trevor Kletz Compendium. Elsevier (2021)
say that such global issues are not necessarily the responsibility 3. T. Kletz, By accident … a life preventing them in industry, PFV
of commercial organisations. However, with increased scrutiny Publications (2000).
from customers of the supply chains of their suppliers it is 4. T. Kletz, Plant Design for Safety - a user friendly approach,
possible that keeping production local may be the best solution Hemisphere Publishing Corporation (1991)
from all perspectives.
5. T. Kletz, Lessons from Disaster, Institute of Chemical
Engineers (2003).
Conclusion
6. T. Kletz, Cheaper, Safer Plants or Wealth and Safety at
There have been many publications since the Flixborough Work (Notes on Inherently Safety and Simpler Plants), The
disaster encouraging us to adopt inherent safety, with very Institution of Chemical Engineers (1984)
little (if any) dissent. Similarly, the hierarchy of risk controls is
7. T. Kletz, P. Amyotte, Process Plant, A Handbook for
well established and accepted. However, Safety Instrumented
Inherently Safer Design”, 2nd Edition, Taylor & Francis (2010).
Systems (SIS) have proliferated, which are clearly an add-
on safety device rather than an inherently safe solution. 8. A. Brazier, N. Wise. Making Sure Risks are ALARP. The
Instead of eliminating hazards they can be used to allow more Chemical Engineer (2021)
hazardous processes to take place, whilst also increasing overall 9. Health and Safety Executive HID CI5A. Guidance on ALARP
complexity. Decisions in COMAH. SPC/Permissioning/37. Version
There have been plenty of accidents since Flixborough 3, http://www.hse.gov.uk/foi/internalops/hid_circs/
that would have been avoided or far less serious if inherent permissioning/spc_perm_37/ (Accessed March 2024)
safety had been adopted more widely. At Bhopal the methyl 10. D. Edwards, Export inherent safety - not risk, Loss Prevention
isocyanate that leaked was only an intermediate that was stored Bulletin 240 (2014).

0260-9576/24/$17.63 + 0.00
297 Inherent.indd 16 05/06/2024 15:58:46

Safety practice
Building-in in-building safety

Dr Andrea Longley, Thermofisher Scientific, UK & Dr Ken Patterson, retired
Flixborough is probably the classic “what-if” major accident. killing people inside control rooms or other “occupied buildings”
When you read a report on any major accident you find quite (OBs) before guidance was finally produced. In 1989, at Pasadena
a few “what-if”s — points where, if someone had asked a few in Texas, USA another 30-tonne release of flammable material at
more questions, or if fragments of a vessel had shot off in a high temperature and pressure gave another major VCE, this time
slightly different direction, or – or – or, the outcome could have killing 23 people, including everyone in the control room which
been quite different – better or worse. Flixborough occurred at was in the middle of the plant2. Back in the UK on 21 September
16:50 on a Saturday1. There were relatively few people on site, 1992 a jet flame shot out of a vessel being cleaned at the Hickson
none of the office staff or senior managers, and only the required & Welch (H&W) site in Castleford, West Yorkshire3. In ~90
operational staff. The vapour cloud explosion (VCE) from a seconds the flame tore its way through a timber-framed, control
30-tonne release of boiling cyclohexane destroyed the site, killing room and plant office building and then struck the main site office
all 18 people in the control room building and ten production block smashing through the windows and igniting the interior. It
workers across the rest of the site. The laboratory and office was lunchtime so both buildings were lightly occupied but still five
blocks, which were standard brick and glass buildings like the people died sitting at their desks or moving around an office, in
control room, were almost flattened, though no-one was inside what felt like — and should have been — a safe area.
them. The disaster was terrible enough, killing 28 people. “What- Six weeks later at 05:20 on 9 November 1992 there was a
if” it had happened 24 hours earlier at ten to five on a weekday major vapour cloud explosion at Total’s La Mede refinery, 40km
when the buildings might well have had ~250 people in them? west of Marseilles4. It is believed that a 200mm diameter pipe in
The death toll could have been ten times worse. the gas recovery and desulphurisation unit of the refinery had
Flixborough seems to have started, though perhaps not with become corroded. It cracked, releasing some 12–15 tonnes of
the speed it deserved, a change in thinking about where and why flammable gas, mainly propane and butane. The gas cloud filled
non-process-centred people should be located on a chemical the congested area of the plant with a flammable mixture and
production site, or indeed on any site handling large amounts of within a few minutes it found an ignition source. The initial flash
potentially explosible material. Following the accident, CIA did fire transitioned to a deflagration and in at least two areas of
produce guidance on chemical plant control room location and congestion, further transitioned to a detonation. The control room
design, but other occupied buildings were not included. Change was totally destroyed killing three of the four occupants. Three
did not occur at breakneck speed and more accidents happened, further employees were killed working in and around the plant.
engineering
and design
Mary Evans / The National Archives, London. England.
assurance
Photograph showing the extent of building damage after the Flixborough explosion

0260-9576/24/$17.63 + 0.00
297 Patterson.indd 17 05/06/2024 16:00:56

edition left the sections on fire and explosions largely unchanged

(but corrected) and added a more thorough discussion on toxic
gas releases. The implementation of the advice in the second
edition was described in a paper7, written jointly by HSE, the CIA
and an operator.
Then in 2005, BP suffered a major accident when another
vapour cloud released from a fractionation unit exploded at the
company’s Texas City refinery in the USA8. The causes of and
effects of this explosion, which followed the release of 30 tonnes
of boiling hot hydrocarbon with subsequent ignition, have been
widely discussed elsewhere with video explanations of the events
from both BP and the CSB. The explosion killed 15 people, nearly
all in buildings, with none of them working on the plant which had
the release. Again, while the main focus of the investigations was
Photograph showing the destroyed timber-framed control rightly on the causes of the release and how it should have been
room at Hickson & Welch and beyond the main office block prevented, the location of the buildings and their behaviour in a
damaged after it was struck by the jet flame. The flame, which refinery explosion also received investigatory attention.
lasted for ~90 seconds, blew in the office block windows and Those killed were almost all contractors in portable timber-
set light to the interior of the building. (Photograph from the framed buildings (trailers in US parlance). These were buildings
HSE report.) which were very similar in construction to the plant control room
at H&W in which four of the workers died. At Texas City, those
CIA guidance on occupied buildings killed were in a meeting discussing a major maintenance project
on a nearby plant or were people simply working at their desks.
Eight of the eleven people who died in these last two accidents The meeting did not need to be held close to the plant which
died in buildings that offered little or no protection from a exploded but could have been in a safe location elsewhere. This
potentially foreseeable event. That did start a process of thinking accident again triggered a review of the existing guidance, both in
about how people without direct, hands-on involvement in the UK and the USA, where API re-wrote their guidance (API 752)
production could and should be protected. Following a discussion on occupied buildings9. The CIA decided to set up a new working
with/request from HSE, the UK Chemical Industries Association group to review the existing guidance and ensure it adequately
(CIA) convened a working group which wrote and, with regulator covered temporary buildings. This group included representatives
approval, published the first edition of Guidance on the location from BP and the downstream chemical industry, and met over
and design of occupied buildings on chemical manufacturing the period 2007-2009 leading to the publication of a third
sites in February 19985. The title became longer in subsequent edition of the CIA guidance in 2010. The 2010 guidance was a
editions but it is often known as The CIA occupied buildings complete revision and re-write of the 2004 second edition, which
guidance or CIA OBRA guidance for short (OBRA = Occupied re-presented the ideas and methods of the earlier editions. The
Buildings Risk Assessment). The first edition dealt mainly with changes in and thinking behind the third edition were described
protection of buildings against fires and explosions. The sections in a paper presented at Hazards in 201010. The 2010 guidance
dealing with the approach to be adopted where there could be a was reviewed and slightly revised, mainly to remove errors and
release of toxic material, especially toxic gases, were not so well ambiguities, to give the current fourth edition published in 20205.
developed. During the following 2-3 years a number of points This edition was accompanied by two information sheets: the first
needing clarification or correction were noted, together with a factsheet giving an outline of the Occupied Buildings guidance
requests for a section providing more comprehensive and easy and site operator’s duties, and a second which provides an
to use guidance on toxic gas refuges and alarm systems. This led overview of the methods set out in the guidance for carrying out
to a second edition being published in January 2004. The second an Occupied Buildings Risk Assessment6a, 6b.
The principles of safety for those in occupied

buildings
The CIA working group tasked with writing the third edition
set out to simplify, wherever possible, how companies should
approach the issue of safety for people in buildings on chemical
sites. The aim was to prioritise things which can be done
reasonably swiftly, to give the best increase in safety as quickly
as possible, only then moving onto more difficult issues.
This approach, built around the ideas of inherent safety, was
embedded and exemplified in the guidance during the production
of the current fourth edition. This edition clearly adopts the
principles of inherent safety and recommends a hierarchical
approach, reducing hazards and exposure to hazards before
Picture of destroyed portable buildings at Texas City. dealing with risk reduction for individual buildings. This inherent
BP video screen capture safety based step-wise approach is recommended throughout

0260-9576/24/$17.63 + 0.00
297 Patterson.indd 18 05/06/2024 16:00:58

process safety and ended elsewhere in safety practice, for As Is Reasonably Practicable” (SFAIRP) — the requirement in the
example in the UK COSHH regulations (dealing with workplace UK’s Health and Safety at Work Act.
chemical exposure). For occupied buildings these can be For those without direct operational roles working in a building
summarised as: Remove, Reduce, Relocate, Protect, and Assess. — which will include control room operators, maintenance staff,
The assessment should be started by obtaining a site layout plant-attached laboratory staff, some technical staff in plant
plan, at a reasonable scale, and marking — colouring in — all management and other supervisory roles, and others — the best
the buildings which have people working in them, together with solution is that the building should be outside the hazard range
the numbers of people in each building. Then the location of the of the potential accidents. This may be possible by relocation of
site’s significant hazards should be marked onto the plan — in a the task or operation to another building, still on-site but outside
different colour. This simple and quite quick process will give a the hazard ranges of the site’s significant hazards. It may also
rapid picture of both the site population and the buildings which be possible to reduce or relocate the source of the hazard, for
are near significant hazards. If a very rough sketch-estimation of example by reducing the on-plant inventory of a flammable or
the likely ranges of the significant hazards is added, the hazard- toxic gas by providing a piped supply from a relatively remote
population interactions will be visible. The hazard ranges will be storage. Any steps of this nature should, of course, be subject
refined and properly calculated as the OBRA process continues to a full management of change assessment to ensure that new
but this simple step will often show both the extent of the problem hazards are not introduced and that overall risks are indeed
and indicate the buildings at greatest risk. It may well suggest reduced. This assessment should take into account the need of
immediate improvements which can be made, and which locations some staff, who may not have direct operational roles, to be near
should be studied first. enough to the plant to ensure good communication and effective
The first task is to remove people from locations and buildings teamwork. It is important that they understand the way the plant
where they are exposed to the inevitable hazards on a chemical works and its actual condition, of both plant and staff. As is often
production site (or other site handling significant quantities of the case in process safety, different risks have to be balanced
hazardous materials). This can often be done relatively quickly and against each other to give the best overall result.
produces immediate gains: at H&W and Texas City a comparison
of who currently worked on the production site and whose work Risk based justification for staff in occupied
actually required proximity to production, showed that around buildings
20% of staff could be moved off site and do their work elsewhere
without any significant detriment. At Texas City this amounted The steps up to this point can be characterised as a hazard-based
to some hundreds of people. Once the types of job have been approach and the CIA guidance advocates that this approach
considered, a second task is asking if it is possible for the numbers should be used first. The aim of the hazard-based approach is to
of people close to plant to be reduced, perhaps by re-defining job identify as many personnel as possible who may be at risk from
roles. Again, overall aggregated human risk can be reduced by potential site incidents and act as quickly as possible to remove
ensuring that only those parts of a job which actually need to be them from locations where they are “in harm’s way”.
done on site are done there, with the other parts carried out in a However, after these steps have been taken, there will usually
safe location. be OBs within the hazard range of potential site incidents which
There will almost certainly still be a significant population are operationally required, and which will need to continue to be
on-site even when the first task is completed. The CIA guidance used. For the buildings in this category, it is necessary to protect
recommends that the next step should be hazard based: the occupants of each OB and assess the risks to ensure that the
considering where people are in relation to the site’s significant residual risk is acceptable — a risk-based approach. The first
hazards. At its simplest, especially for a site which has a Seveso/ of these steps, protect part 1, requires a consideration of all the
COMAH Safety Report, this can be done by firstly calculating hazards for which any building is within the hazard range, and
and then plotting the hazard range for each of site’s major then a demonstration that the building itself does not add to the
hazard events onto the site plan and then highlighting the site risks faced by the people inside it. As examples — is the building
buildings which have people working in them. Figures for the likely to be rapidly affected by a nearby fire and catch fire itself,
outer boundary of the hazard range for various events are given in increasing the risk to those inside? In a foreseeable explosion does
the CIA guidance — for example an overpressure of 30mbar for the building have glass or other materials which could fail and
explosions (pressures below 30mbar do not significantly damage produce dangerous missiles? Is the building’s structure likely to
buildings4); or the distance at which a flammable gas will have fail in such a way as to prevent escape? Are there suitable escape
been diluted to the lower flammable limit concentration. routes from the building to a place of safety? Buildings judged
It is worth noting at this point that those working in direct unsuitable by these tests will need to be either vacated or rapidly
operational roles in a plant are excluded from this part of the OB modified to make them suitable for continued use.
assessment. Indeed, in a site’s overall approach to hazard control, If this first group of tests are passed, the second requirement
the requirement to make the operations of the whole site as safe is to show that, taking into account its location and the identified
as practicable comes before the need for OBRA. If a site operates hazards, the building offers suitable protection to those working
safely and smoothly, everyone’s safety is improved wherever inside it: protect part 2. The assessment needs to take account
they are. The safety of the whole site population is covered by of the consequences to the building if each hazard is realised,
the requirement (on a major hazard site) to demonstrate that “all considering (again as examples) fire resistance, resilience of the
necessary measures” have been taken to avoid major accidents structure to any foreseeable explosion, and means of escape. In
and to ensure that the operational risks have been reduced to “As addition, the protection the building offers to its occupants in the
Low As Reasonably Practicable” (ALARP)11. On other sites this is event of a toxic gas release will need to be assessed, along with
covered by the requirement to operate with risks reduced “So Far any (all the) other identified hazards. These issues (and others) are

0260-9576/24/$17.63 + 0.00
297 Patterson.indd 19 05/06/2024 16:00:58

Pictures showing buildings rebuilt to withstand calculated maximum credible threats at the Hickson & Welch site. Left, the
rebuilt control room, resistant to a blast overpressure of 500mbar and providing protection in case of toxic gas release (there was
a 40 tonne chlorine storage ~100m away), and right, the site office block, resistant to fire and blast overpressure of 300mbar.
Photographs by Ken Patterson
extremely important in the case of control rooms which are almost which can be used for different hazards and the building design
always required to continue functioning in the event of an accident, techniques which will enable a building to mitigate the various
to enable the plant to be safely shut down. hazards, can be found in the CIA guidance. The use of the
However, the question, as always in process safety is “have CIA guidance and API recommended practice documents 752
we done enough?” The CIA guidance endorses the principle & 753 has been widely discussed in the literature and many
that those working inside an occupied building should not face consultancies offer specialist help in carrying out OBRAs and with
a higher risk than people off-site. The reasoning is clear: these the ALARP demonstration.
are jobs which could be done elsewhere, even though that might
add inconvenience and reduce plant contact. If they could be
done elsewhere, then the buildings being worked in should keep
the people inside as safe as they would be off-site. The HSE
publication Reducing Risks, Protecting People (R2P2)12 gives figure
of 1x10-4 for the risk of death per year as the maximum acceptable
risk level for people off-site and the guidance adopts this figure
for people working in occupied buildings. Of course, this is a
maximum tolerable risk, not a target: the target should be as low as
practicable, preferably 1x10-6 or better.
The description of how to carry out a full OBRA is outside the
scope of this article and is dealt with comprehensively in the CIA
guidance5, though the details will vary from site to site as the
hazards and local conditions very. In the UK an OBRA is expected
as part of a COMAH site’s safety report and forms a significant part
of the site’s ALARP demonstration. However, the CIA guidance
provides the flowchart opposite, which is also included in the one-
page summary5, 6b.
For the ALARP demonstration it is perhaps worth adding two
points:
1. Having calculated the risk level for each hazardous event at
the building boundary, we need to consider the degree of
protection the building provides to give the mitigated risk, that
is the risk the occupants inside the building face taking into
account the protection the building provides;
2. However, it is the sum of the mitigated risks from all the
hazards which needs to be compared to the company’s target
value, which should never be worse than a chance of death of
1x10-4. per annum, the public risk level given in R2P2.
More detailed guidance, particularly of the assessment methods

0260-9576/24/$17.63 + 0.00
297 Patterson.indd 20 05/06/2024 16:01:00

Office and control room buildings damaged by an explosion and fire at the Bayernoil Refinery on 1 September 2018. Pictures from
Werkfeuerwehr Bayernoil13
Since Flixborough we have made great progress in page/1/sort/0.

understanding the consequences of major incidents and in how 6. Chemical Industries Association:
people can be protected by the buildings they work in, even if an a. Occupied Building Risk Assessment Factsheet 2020.
accident does occur. Nonetheless, as these pictures taken by the [Online] https://www.cia.org.uk/Portals/0/OBRA%20
fire brigade after a refinery explosion in Germany in 2018 show, factsheet.pdf?ver=2020-10-22-162144-567.
much remains to be done. b. Occupied Building Risk Assessment Guidance
Update and Method Overview 2020. [Online] https://
The authors www.cia.org.uk/Portals/0/OBRA%20Factsheet%202.
Dr Andrea Longley was the convenor for the CIA working group pdf?ver=2020-10-22-162236-203.
for the production of the current fourth (2020) edition of the CIA’s
7. Nick Berentzen, Ron De Cort and Ken Patterson: Occupied
Occupied Buildings Guidance. Dr Ken Patterson chaired the CIA
Buildings on Chemical Sites - Revised Chemical Industries
working group which wrote the previous third (2010) edition.
Association Guidance and Assessment Method. Hazards
Acknowledgements XVIII paper 45, [Online] IChemE, 2004. https://www.
icheme.org/media/9928/xviii-paper-45.pdf.
The authors would like to thank Dr Jackie Coates who was the
CIA convenor of the third edition working group, for her helpful 8. US Chemical Safety and Hazard Investigation Board: Final
comments in writing this article. Also, thanks to Mark Hailwood of Investigation Report - Refinery Explosion and Fire, BP, Texas
the Landesanstalt für Umwelt Baden-Württemberg, for drawing City, Texas 23rd March 2005 [Online] https://www.csb.
our attention to the Bayernoil fire and its consequences. gov/file.aspx?DocumentId=5596
9. The American Petroleum Institute (API). API Releases
References New Updates to Standards for Hazard Management in
1. Department of Employment (UK) The Flixborough Process Plant Structures (RP 752, 753 and 756). [Online]
Disaster - Report of the Court of Inquiry: IChemE Safety 2024. https://www.api.org/news-policy-and-issues/
& Loss Prevention SIG [Online] https://www.icheme.org/ news/2024/01/16/api-releases-new-updates-to-standards-
media/17752/the-flixborough-disaster-report-of-the-court- for-hazard-management-in-process-plant-structures.
of-inquiry.pdf 10. Dr Jackie Coates and Dr Ken Patterson: The revised third
2. John Bond, Loss Prevention Bulletin: Explosion at the edition of the CIA’s “Guidance for the location and design
Phillips’ Houston chemical complex, Pasadena, 23 October of occupied buildings on chemical manufacturing sites”,
1989, LPB 097 (1991) reprinted in LPB272 (2020) [Online] Hazards XXII paper 3, [Online] IChemE, 2010. https://
https://www.icheme.org/media/13605/lpb272_pg29.pdf www.icheme.org/media/9091/xxii-paper-03.pdf
3. HSE (The Health and Safety Executive, UK): The fire at 11. HSE (The Health and Safety Executive, UK): A guide to the
Hickson & Welch, 21st September 1992, Report of the Control of Major Accident Hazards Regulations (COMAH)
Investigation, (1994) [Online] https://www.icheme.org/ 2015 L111 Third edition,. [Online] https://www.hse.gov.
media/13704/the-fire-at-hickson-and-welch-ltd.pdf uk/pubns/books/l111.htm.
4. French Ministry of the Environment, ARIA Database: 12. HSE (The Health and Safety Executive, UK): Reducing risks,
Gas explosion in the cat cracking and gas plant units of a protecting people - R2P2. [Online] 2001. https://www.hse.
refinery, La Mède, France 9th November 1992 [Online] gov.uk/enforce/expert/r2p2.htm
https://www.aria.developpement-durable.gouv.fr/ 13. .Armin Kappen & Armin Wiesbeck, Werkfeurwehr
wp-content/files_mf/FD_3969_La_Mede_1992_ang.pdf Bayernoil: Presentation to the 17th Leaders Conference
5. Chemical Industries Association: Guidance for the of the State Fire Brigades Association, Bavaria
location and design of occupied buildings on chemical (Landesfeuerwehrverband Bayern) (2019) [Online] https://
manufacturing and similar major hazard sites. [Online] www.lfv-bayern.de/media/filer_public/5f/37/5f37d02f-
2020. https://www.cia.org.uk/Publications-Store#!curr/ 9b03-485e-a431-af53feb1f92c/03_kappen_
GBP/cat/49089d72-ad20-e911-80e3-0050568729dd/ bayernoil_01092018.pdf

0260-9576/24/$17.63 + 0.00
297 Patterson.indd 21 05/06/2024 16:01:01

Safety practice
The effect of control room location, architectural

design, systems configuration and human factors
on major accident consequence and likelihood
Andy Brazier, UK
Locating a control room away from the plant
Summary
At a subjective level, CROs may feel less connected to a plant
The Flixborough accident reminds us that wherever that is a long way away. It can lead to the formation of separate
major hazards are handled there is always the possibility teams that mean the CRO never visits the plant they control.
of an accident. Of the 28 people killed in the explosion, There is a view that “too much time spent operating from the
18 of those were in the control room at the time1. This control room may result in a loss of “feel” for plant operation”2.
highlights the importance of location and structural This can usually be overcome by rotating members of the
design of control rooms. However, moving a control operating team between control room and plant roles.
room away from the plant to reduce fire and explosion
The opportunities for face-to-face communication between
risks has other implications.
the CRO and field operators is likely to be reduced, with radios
The nature of process operations since 1974 has
and phones being relied on more. It is generally accepted2
changed, largely as the result of new technology. Whilst
that face-to-face communication is most reliable because “it is
learning from Flixborough may have been focussed on
easier to convey urgency and hence problems are identified
location, it is worth considering how the overall design
more quickly”, “things get done better” and “you are more
of the control room and associated systems contribute
likely to get the correct interpretation of the message”2.
to risks at sites handling major accident hazards in the
This applies to general communication throughout a shift,
2020s. This goes far beyond the colour of the walls, desk
but becomes a more significant issue for the most critical
height and type of chairs provided. The focus should
be on supporting the control room operator (CRO) to communication events (e.g. shift handover, team briefings)
perform their critical role of keeping the plant safe and if they are not conducted face-to-face. Accidents including
responding to accidents. Piper Alpha, BP Texas City and Buncefield occurred after shift
The aim of this paper is to summarise the areas where handovers where communication had been poor1. Although
control room design can influence the risks of major the main failure leading to Buncefield was related to alarms, if
accident hazards. Reference is made to an HSE Contract the operators knew the tank level was rising, they would have
Research report related to remote operation of process recognised the need to intervene before safe operating levels
plans2 and the latest edition of EEMUA Guidance 201 were exceeded.
related to control room design3. Communication with other groups may actually improve. If
the control room is closer to offices, it can mean that people
Keywords: Control room, human factors, outside of the operating team (e.g. engineers) are more able
Flixborough and inclined to visit and discuss issues with the CRO. However,
it may also mean they are less inclined to visit the plant
themselves, which creates its own issues.
Control room location The ability for the CRO to directly perceive plant conditions
The number of fatalities that occurred as a result of the (e.g. hear, smell, feel) is reduced by distance from the
explosion at Flixborough illustrates how important it is to plant. The effect this has is difficult to determine but may be
consider where people are working in relation to the hazard. “significantly underestimated, particularly for detecting fault
As Trevor Kletz4 highlighted in his concepts of inherent safety conditions”2. Of course, the field operators are still available
— “People who are not there can’t be killed.” to use their senses, but this has to be conveyed to the CRO,
Most control rooms are occupied 24 hours a day, seven which is not easy.
days a week. Moving them away from plant areas, outside of To support effective teamwork, it is normal to use the control
the hazardous area, means that people working in them are room as the main hub for all members of the operating team.
inherently safer if an accident does occur, but it has to be done As distances increase the field operators spend more time
in a way that does not increase the likelihood of an accident in travelling back and forth to plant. Although, this can have
the first place. This needs to be considered during design and benefits if they “take a more systematic approach and spend
when managing risks of an existing facility. more time on the plant with each visit”2.

0260-9576/24/$17.63 + 0.00
297 Brazier.indd 22 05/06/2024 16:05:47

Locating a control room near to the plant direct perception. Good system design can assist them to detect
and diagnose problems promptly, giving them the opportunity
The benefits and risks discussed above for remote control rooms to intervene to avoid escalation. These requirements may not be
can be reversed for control rooms close to the plant. However, fully consistent with the ‘normal’ demands for the CRO, which are
there are other issues to consider. more focussed on optimising the process to achieve production
Creating a control room that will protect its occupants from and quality goals, and so need to be carefully considered in the
accidental events can lead to a perception of ‘operating from system design.
a bunker.’ Although nearby, the reinforced structure of the Human Machine Interfaces (HMI) are used by the CRO (and
building may mean the ability to directly perceive the plant is others) to “develop, maintain and use accurate and up-to-date
lost. Providing windows to the outside world becomes more situational awareness of the current, recent past and likely future
complicated (and expensive) meaning they are often not provided state of the system”3. Whilst there can be a lot of discussion about
(or are blocked up as the result of an occupied buildings risk colour schemes, use of symbols and text font, it is the presentation
assessment). This leads to many complaints from CROs who feel of data that makes the greatest contribution. Well-designed
increasingly cut off from the outside world. graphical displays show plant data in ways that is consistent with
Proximity to the plant can encourage CROs to quickly ‘pop human capabilities. They should provide the data the CRO needs
out’ to look at something for themselves, instead of asking a field in a way that they can understand easily without overloading
operator to do it for them. This can lead to the control room being them3. Achieving this requires a thorough understanding of the
unoccupied, with the potential for the CRO to be incapacitated overall system objectives and functions, the tasks performed by
during their brief visit to plant. This is not an issue if an unoccupied the CRO and the information they need to do them. Unfortunately,
control room has been considered in design, but in many cases graphics are often designed simply to show data that is available,
the assumption is for a competent CRO to be present at all times. without a consideration of the CRO’s requirements. Better HMI
Access to fortified control rooms via heavy steel doors and design could have prevented several major accidents including
airlocks can be difficult. Power assistance can reduce the effort Texaco Milford Haven, Esso Longford and BP Texas City1.
required to open and close the doors, ensuring an effective airlock Visibility of data shown on screens and panels depends on
is maintained, but often works slowly. Delays may cause problems viewing distance and angle, size of object (text, symbol etc.), and
if operators need to attend to something urgently on the plant and the person’s eyesight3. Control room designers should have a
the hassle of using the doors may even discourage people with good understanding of how the CROs work when deciding how
legitimate reasons from visiting the control room during normal many screens are required, their size and locations.
situations. Alarms are part of the HMI and are specifically intended to
inform CROs of equipment malfunctions, process deviations
Accident prevention and abnormal conditions. Unfortunately, many systems distract
The CRO has a critical role in ensuring the safety of operations. the CRO with unnecessary and nuisance alarms during normal
They monitor for early signs of problems and intervene to prevent operations, and overload them when things start to go wrong.
escalation. To do this effectively they need to be alert and healthy, Poor alarm management has been identified as a contributory
and supported by well-designed systems. factor in several major accidents including Texaco Milford Haven,
Esso Longford, Cataño oil refinery fire (Puerto Rico) and the toxic
CRO alertness release at the La Porte site in Texas, USA1. Alarm rationalisation
should be an essential activity for any new control room project,
A CRO who is alert and healthy is more likely to detect and
and routinely repeated for operational facilities.
diagnose issues early, reducing the potential for escalation. Given
that many work twelve-hour shifts, including nights, this is not
trivial. The shift pattern and management of hours actually worked Accident response
is critical, but aspects of control room design can also have an It is usually someone in the operating team who will recognise that
effect. a hazardous situation has arisen requiring a prompt and effective
Working conditions in a control room including lighting, response. The situation is unlikely to be obvious at first and the
temperature, air quality and noise will all affect levels of fatigue resources available immediately will be limited5. It is noted that
and stress. Lighting can be very personal, so individuals working in over 50% of the accidents listed in the IChemE summary of major
a control room should have control over their own lighting levels. incidents1 included ‘emergency preparedness’ as a root cause.
Poor air conditioning can contribute to fatigue and other health
issues, and can lead to CROs propping open doors to get fresh air, Identifying a hazard has occurred
which can negate safety and security requirements. Protective system alarms (e.g. fire and gas detection) handled by
Access to welfare facilities including places to prepare and systems independent from the control system may be the first
human factors
consume meals, toilets and rest areas are important because indication that loss of containment has occurred. These do not
“Meal and rest breaks can have a significant effect on CRO tend to suffer with the same problems as control systems but the
performance”3. This assumes that organisational arrangements are way they are displayed to the CRO can have a big impact on how
in place to allow CROs to leave the control room to take breaks, they perceive a developing scenario. During normal operations
which far too often is not the case. single gas detectors may be activated due to faults, routine testing
or small leaks. Identifying a single activation on an alarm list is
Situational awareness quite straightforward. If a large leak ever occurs there will be
CROs achieve situational awareness of plant conditions from multiple detectors being activated and being able to interpret the
control and safety systems, communication with colleagues and pattern can allow the CRO to visualise the flow of the gas cloud

0260-9576/24/$17.63 + 0.00
297 Brazier.indd 23 05/06/2024 16:05:47

and help them to determine the source and predict the extent of to control room location and architectural design. Subsequent
the hazard. technological developments means that the focus should be on
Being able to see the scene directly can give a better supporting the control room operator (CRO) to perform their
understanding of the issue. CCTV can be very useful for CROs critical role of keeping the plant safe. All design is compromise
in an emergency, and the relatively low cost of systems means and there is no correct solution but there are resources that can
there is little justification for major hazard sites to not have it. help to identify the critical issues and develop optimum solutions.
Whilst a window from the control room is only ever going to This paper has tried to summarise the types of issues that should
provide limited visibility of a plant, the increasing concern of be considered. The following is a (non-exhaustive) list of factors
environmentally caused incidents means that being able to see to consider:
what is happening outside will help the CRO to understand the
impact of heavy rain, strong wind etc. • locate outside the hazardous zone or protect against the
hazard;
Mobilising the appropriate response • make sure the most critical communication is carried out face-
There are some actions that the CRO can take to mitigate an to-face (e.g. shift handover, control of work);
accident. An HMI that allows the CRO to interact with the system • make communication devices readily available and high
quickly and efficiently under all plant conditions can allow them to quality (radios, telephones);
take prompt action. Beyond this the CRO is likely to be directing • support good teamwork within each team with good links
other members of the operating team to take action, activating between teams;
evacuation alarms, mobilising support teams and calling the • allow and encourage legitimate visitors without causing
emergency services. There is a lot to remember and making sure distraction;
emergency response procedures are readily available and fit for
• windows with external views wherever possible;
purpose is critical.
As a scenario develops there may be requirements to formulate • working conditions that enhance alertness;
plans to isolate damaged sections of the plant and vent and/ • lighting that individuals can adjust to suit their personal
or drain process fluids to safe locations. Access to Piping and requirements;
Instrument Diagrams (P&ID), and being able to lay them out • welfare facilities easily accessible;
so that a small group of people can work together is important. • time and cover in each shift for the CRO to take quality breaks
Having a suitable table in the control room, with good lighting away from the control room;
above, should be considered in the control room design.
• HMI graphics designed to show critical information in ways
The control room is sometimes used as the Emergency Control
consistent with human capabilities;
Centre (ECC). It gives the emergency management team visibility
of plant data and allows good communications with the operating • number of ‘normal’ and large screens optimised to show plant
team. However, it is also very distracting for the CRO, who has a overviews and detailed displays;
critical role to play. An adjacent room with visibility into the control • good alarm management so that operators receive early
room may be considered a preferred option. indication that action is required without causing nuisance
and overload;
Allowing CROs to work safely in an emergency • protective systems that provide early warning of hazards;
Although most people on site will evacuate in an emergency, the • CCTV for CROs to visually assess what is going on;
CRO will normally be required to stay in the control room. Power • procedures and supporting information (e.g. P&ID) easily
loss to the site is one common occurrence. Whilst control and accessible with somewhere to lay them out;
safety systems, including associated HMI, are usually supplied
• ECC nearby but separate from the control room;
with Uninterruptible Power Supplies (UPS), control room lights are
not. Designers often consider lighting requirements for evacuating • backup power to all systems including enough lights to
a control room, which ultimately may be required. However, continue working safely in an emergency;
they fail to recognise that the CRO may be required to continue • ventilation systems that prevent ingress of hazardous
working for some time. “Where possible, full lighting should materials.
remain in the control room on power failure. If this is not possible,
the location of lighting units with power backup should take into References
account tasks to be performed during the scenario”3.
Another consideration is the Heating, Ventilation and Air 1. IChemE Safety and Loss Prevention Special Interest Group.
Conditioning (HVAC) system, which “should be capable of Learning lessons from major incidents. (2022)
being operated in recirculation mode if there is the possibility 2. HSE Contract Research Report 432/2002. Human factors
of an abnormal situation resulting in the presence of toxic gas in aspects of remote operation in process plant.
the external environment”3. This feature should be considered 3. EEMUA 201. Control Rooms: A guide to their specification,
as being safety critical and receive appropriate maintenance, design, commissioning, and operation 3rd Edition (2019).
inspection and testing. 4. Brazier, A. Edwards, D. Macleod, F. Skinner, C. Vince, I.
Trevor Kletz Compendium. Elsevier (2021)
Conclusion 5. Brazier, A. Emergency Procedures. Loss Prevention Bulletin
The Flixborough accident highlighted serious concerns related 254 (2017)

0260-9576/24/$17.63 + 0.00
297 Brazier.indd 24 05/06/2024 16:05:47

Flixborough anniversary
Recollections of Flixborough
A selection from IChemE members
The TV lounge at the University Halls of residence
was full early on Saturday evening, 1st June 1974. As the
closing music of Doctor Who started to play a few people
In 1974 I was a sandwich student in my 3rd year at stood up to leave and prepare for the Saturday night dance
Loughborough University in Chemical Engineering. The course at the University Union. But as the BBC news started to roll
required us to spend a year in industry and I went to Gulf Oil Refining and scenes of a major explosion at Flixborough (a place
Limited in Milford Haven. I remember vividly seeing the accident no one had heard of) were shown, movement towards the
being reported on the news and wondered what caused such a tragic exit stopped and people stared in silence at the screen. (I
disaster. The reporting included visiting the local community – some of also heard about Piper Alpha from the TV in a university
the public had to board up shattered windows and cover their roofs. common room during a “teaching the teachers” course at
The control room staff lost their lives and the plant was virtually Exeter University). Flixborough was keenly discussed by
flattened by the blast. In the ensuing months there was an the chemical engineering students in the following weeks
investigation and I followed this through my colleagues and in the and was in our minds during the following final year of our
press. The findings from the investigation shaped the industry in course. Fifty years ago attitudes were very different, safety
many ways such as better more robust (blast resistant) control room was not a significant issue in the final year design project
designs, better plant layouts, introduction of Management of Change and the requirement for Personnel Protective Equipment
procedures, better control of modifications, and safety in general. (PPE) was limited. Investigations into the devastation at
This was a milestone in history much like Piper Alpha, Pasadena and Flixborough were still continuing when I graduated. After
so on. I have worked in the insurance industry as a risk consultant for starting work, the importance of safety soon became
35 years and we still refer to this as an example of ‘what can happen’ if apparent. Initially in the form of safe methods of work in an
control of work is not managed properly. Industry has benefited from a operational environment and then by the use of rudimentary
learning curve on many occasions – however, we should never rely on risk assessment techniques in a design environment. I
such accidents to make changes to our working methods. have used the basic, and later enhanced tools, of both
Robert Canaway occupational and process safety ever since. For most of that
time, I have conducted insurance risk assessments for a
variety of enthusiastic or disinterested clients. I often have a
sense of déjà vu as issues I identified early in my career are
still common today. Knowledge fades with time and is lost as
one generation gives way to the next. Like rust, it will corrode
if not constantly checked and reinforced.
Doug Scott
I hadn’t realised it was coming up to 50 years — there might not be that

many around now who remember the incident! I was a Bradford University
student doing my third industrial period (four-year sandwich course) working
at Laporte, Stallingborough at the time. I was 23 then. We heard a bang, but
it was nowhere near, we thought. It was only later that news filtered in of the
explosion and I saw the devastation on the news. A while later I bumped into
a friend in the year above who had graduated before me and had worked at
Flixborough (he could only be a year or so older than me), it was his first job
after graduating. He said he was lucky to survive — his part of the plant was
mainly intact. The sad part was how the weeks after the explosion had really
gotten to him. As his part of the plant was mainly intact, he had to attend every
working day, seeing the damage and reliving the incident over again each
time. He could only stand it for a couple of months and had to resign and find
work elsewhere. It was sad seeing him — a spark had gone out in him. There
must have been many like him. I have not seen him since that day. Hopefully
he has put it behind him, but I still think back to it even now.
Jim Park

0260-9576/24/$17.63 + 0.00
297flixboroughrecollections.indd 25 05/06/2024 16:07:15

I started my career in 1968 at the ICI Nylon plant in Ardeer,

Ayrshire, Scotland and provided technical support to their cyclohexane
oxidation process which was similar to the Flixborough unit. While we didn’t
immediately know what had happened, all the safety systems / interlocks were
validated and tested as an initial precaution.
Years later in Canada I met a water treatment consultant who was driving
towards the Flixborough plant when it exploded. There was nothing he could do
to help. He turned around and drove away. What if he had been closer to, or in
the plant? Then in the 1980s in Saudi Arabia I met someone in operations who
was supposed to work in Flixborough that night, but he called in sick. He lost
both friends and colleagues and had harrowing stories from the victims’ families
who were dealing with their loss. This was an event that steered my career path
into process safety, of actively challenging Murphy’s Law (If an accident can
happen, it will). There are no new accidents. The causes are basically the same.
Only the consequences differ due to a moment in time or space. Is it only when
someone says ‘enough’ that we change a process, or a protocol, or a procedure
to prevent an accident? We’re human, we make mistakes, so let’s find out how
we were set up for failure to prevent or mitigate those mistakes.
Lessons from accidents are already paid for and so are free if you
take the time to look for them.
And some memories stay with you.
Andy Hart
I was a student studying Applied Chemistry with
Biochemistry at Huddersfield in 1974. I was in the midst of
preparing for my exams in June when this incident occurred. As
In 1974 I was a young instrument technician working news filtered through, we were all in a state of shock. The news
offshore in the North Sea. At the time I was involved in the didn’t filter through fast as it does nowadays, so the information
commissioning of the Brent Bravo for Shell. Not a lot to say about was very scanty and most of it was hearsay. The true extent and
that as there were no live fluids coming aboard at the time. I had the severity of the explosion were not realised until much later as
a few ‘hairy’ chopper trips as a lot of the helicopters had come the events unfolded over time. It gradually became apparent that
straight from Vietnam.... and they were pretty scarred…. the incident was primarily attributed to a design and engineering
I was offshore on the platform at the time of the explosion, and oversight causing a 20” conduit bypass pipe to rupture
we got the news and the newspapers. Some of the guys said that catastrophically. This pipe was installed between two cyclohexane
they knew people who had worked there ….. We all felt sad at the vessels to make up for the absence of one vessel taken out for
loss of life. Our situation didn’t change too much but I did focus repair in a series of six large vessels.
on ensuring that fire & gas detection systems on the platform I wasn’t working in the chemical industry at the time but
were commissioned properly. Flixborough was the talk of the town even when I joined the HSE
I was always interested in process safety, being an instrument in 1991. The Piper Alpha explosion of 1988 was also very much
technician originally, then later as a Chartered Control Engineer talked about and this also became part of the training I received
I was very involved in fire & gas and associated Emergency then. Along with many others, these incidents have had a
Shutdown Systems. To me process safety was the next step in profound impact on me in many ways, including the way industrial
my professional career. It has not been an easy journey — there safety practices and regulations were shaped, adopted, managed,
are a lot of ‘deaf and blind’ people out there involved in major and regulated. These practices helped forge improvements in
hazard industries. One serious disappointment to me is the process safety management to prevent similar incidents from
inability of corporate managers to realise that they should avoid happening in the future. As HSE’s specialist inspector, within its
locating manned control rooms in the middle of major hazard Hazardous Installation Directorate, I understood how crucially
plants. They’re still doing it, especially where I am in Australia. vital it was to ensure safety in all facets of industry was seriously
It’s not uncommon to see manned Portacabins in the middle of addressed, whether it be chemical, nuclear, or offshore. In my
high pressure gas plants here …. for convenience. This to me is view, for us to be effective and safety conscious, safety has to be
the one thing we have NOT taken from the Flixborough incident. engrained deeply into our culture through excellent training and
We now have fiber optic comms and DCS control systems which technical support. Recognition of hazards and the extent of harm
allow us to operate plants from long distances away if we so wish they may cause to people and society at large has to be thoroughly
– Flixborough did not have such equipment available at the time. understood and risk assessed. As Trevor Kletz stated, ‘If you think
Corporate companies should make sure that their managers are safety is expensive try an accident’.
trained in process safety. Sadly, I have met very few who have a Iqbal Essa
clue about process safety or what an event like Flixborough
would do to their company.
John Boyd

0260-9576/24/$17.63 + 0.00

I was working in the UK at the time, transitioning to the design office, after ten years in operations at three different sites where I
initially worked as a process operator to becoming a commissioning supervisor on a three-year major oil refinery project.
If I hadn’t seen it all, I thought I had seen most of it – that is the aspect which had the biggest effect on me.
I frankly can’t remember when I heard of the accident, but if I had to guess, my reaction to Flixborough at the time would be more like ‘there
but for the Grace of God’. On reflection, had we, as a society become inured to multiple fatality accidents in heavy industry, mining and air
travel? Remember the Aberfan disaster eight years before and a number of mining multi fatalities and airline crashes. Sure, we moved on
after these by papering over the cracks. But were we doing enough to apply lessons more widely? Almost certainly not.
What did make a massive impact was the enactment of the Health and Safety at Work Act two months after Flixborough. This had been
kicking around in parliament since the 1972 Robens Report, getting nowhere fast during the Conservative Heath government. Did
Flixborough result in HASAWA? Not in itself, but many see it as a catalyst for gaining Royal Assent for the Act two months later when the
Labour/Liberal coalition under Harold Wilson was in power, and I certainly wouldn’t disagree with that. The really important point is that
HASAWA started us on the road to COMAH Safety Cases and that is what really changed things not only in the UK, but within Europe and
other jurisdictions that followed the UK approach to safety. This meant focusing minds by having to demonstrate your safety case to the
regulator and public, and the UK led the way on this. Should we not be celebrating that?
So, did Flixborough change my attitude to safety? Not Flixborough in isolation, but four years later with my operations and design
experience and with some project management under my belt, I was working my first process safety related job, which over the next thirty
years led me all over the world, gaining experience of other cultures, spreading the word, conducting hazard studies,
risk assessments, audits and investigations, and passing on lessons through teaching and coaching. I enjoyed it all, it wasn’t just
a job, for me it was a vocation — the job I was always meant to do.
Undoubtedly one of the major issues coming out of Flixborough was management of change, and this is an area I worked on for almost
all of my subsequent professional career, and thoroughly enjoyed the challenges. Flixborough provides a useful case study, but there are
many others, some more complex and insidious in nature. One of the major areas I was involved in was the development and application
of multi-stage, multi-discipline Project Safety Reviews, later Project HSE Reviews, which are an independent assurance process that all HSE
issues are being properly addressed and closed out by project management. If they didn’t play ball it escalated upstairs, and I’ve got some
interesting stories about that. This programme was eventually linked to the release of capital expenditure at the various stages of a project,
gaining far wider acceptance and adding true value. I led many such reviews and later as a site HSE Manager at two major, and different
sites where major projects were being carried out at those sites and had to respond accordingly.
John Atherton
After a first-class honours and PhD in chemical engineering in 1973 at

Birmingham University I was steadily pursuing my research career with Unilever
Research at their corporate centre in Port Sunlight. Slowly I began to realise
that I wanted to do more. Then Flixborough happened. A devastating event.
It changed my life goals completely. I realised I needed to make a practical
difference to stop such events in the future, rather than pursuing
long term research activities.
In those days, safety and loss prevention was still an emerging concept, usually
qualitative rather than quantitative. I took a gamble and joined FM Global as
a Field Engineer. FM Global is the world’s largest industrial and commercial
mutual insurer but with a unique business model. Clients actively invest in
physical improvements to mitigate or eliminate hazards of any kind, such as
fire, explosion, natural disasters etc. Working in the field brought me up close
and personal with how to help/convince clients to identify risk, evaluate and
mitigate —in other words pure risk management. Then being a mutual, the
clients who are also the owners benefit from safer factories
and stable, long-term insurance.
We believed, what has happened, can happen again unless efforts are applied
to reduce risk through structured evaluation. Back then aspects such as fire
protection, supply chain, resilience, industrial risk management and mitigation
were emerging from the classic Heath & Safety umbrella.
In the late70s/early80s, the Safety and Loss Prevention Subject Group under
the oversight of leaders such as Hancock, Lihou and Kletz gave this very
important topic the attention it deserved.
I pursued my career for 40 years within this arena with increasing management
and commercial underwriting responsibilities. And finally for the last 15 years or
so before retirement, setting up the emerging business within Asia and sharing
the concepts and practice worldwide.
Dennis Bessant

0260-9576/24/$17.63 + 0.00

I was a student in June 1974, just finishing my first year of a PhD at Leeds University. My work included testing concrete samples
for their alumina content, as poorly protected concrete beams made with a high alumina cement had shown a tendency to fail suddenly
and catastrophically, though the failures were fortunately without fatal consequences (in the UK). There is a big read-across to the current
RAAC concrete beam problem! But that meant I already had some awareness of how things could go wrong due
to systemic failures and lack of foresight.
Then on 1st June Flixborough happened and 28 people died in an explosion that destroyed a chemical plant. It was headline news in every
newspaper, on radio and on every TV channel — all three of them! Jackie, my girlfriend (and now Dr Jackie Coates, my wife) was also a
chemist and about to start her PhD at Leeds; her parents lived in North Lincolnshire and she had a motorbike. Her parents’ house was just
4km from the centre of the Flixborough plant and they felt the explosion. Their house was not harmed, though people in the same street
had roofs and conservatories damaged. I visited her at home early that June and she drove us both round the perimeter of the destroyed —
and still gently steaming — Flixborough site. I had visited a chemical plant before, it had seemed vibrant and immensely strong; here was a
site laid waste and its buildings flattened in a moment. For us it was a stark introduction to the potential dangers of
the chemical industry that we would both join in the next 2-3 years.
When I started work in 1976, at a chemical plant in West Yorkshire, the Safety Officer (Gerry Owen) had recently been re-designated Safety
Manager and his department strengthened. I still remember Gerry with great affection and admiration. He was an early advocate of the
then newly founded Loss Prevention Bulletin and I found myself added to the bottom of the circulation list as the magazine
(or possibly illicit photocopies) did the rounds of all the site’s technical and production staff.
Gerry did not have an easy task: from the top of the site distillation columns you could see five working pits and accidents were an accepted
fact of life in the mining industry. That attitude spilled over into our site and many accidents were greeted with a shrug and a claim, via the
Union, for compensation — compensation claimed quite rightly (of course) but it made attitudes harder to shift. Gerry and the production
& engineering management had learned from Flixborough about the dangers of uncontrolled and un-assessed plant modifications and
there was absolute adherence to the newly revised and strengthened “Works Standing Instruction 16b” (known as WSI 16b, or even just “a
16b”), which controlled changes to the physical plant hardware. I was a chemist and I discovered after a while that process
changes were not so well controlled — and neither were changes to the fairly rudimentary control systems on site.
Gerry discovered that I was a physical rather than an organic chemist and that my skill was not in tweaking the last 2% yield out of a reaction
but in understanding the thermochemistry and hazards of our processes. I was given the job of characterising raw materials, products and
processes handled, produced or performed on site, and the company gave me the time and an equipment budget to get on with the work. I
was soon exploding dusts and trying to understand the then fairly new science of plant-scale reaction chemistry – learning from
Gordon Ireland at Ciba-Geigy, Richard Rogers at ICI and Phil Nolan at London South Bank Polytechnic.
I was also given the job of helping to investigate reactions which had not behaved as expected on the plant — accidents and incidents. The
work meant trying to carry out reactions in thermos flasks rather than normal chemist’s glassware and often working outside, sometimes
behind a blast wall, as I allowed (or persuaded) reactions to runaway. Running reactions at a distance, especially if they were intended to
runaway, gave me an interest in both remote sensing of the conditions in the vessel, and in controlling the material flows. I found myself
building systems to remotely control additions, stop and start agitation, and monitor temperature, pressure and other physical parameters
– all from my trusty BBC micro-computer. It was all quite a lot of fun but it also gave me at least some understanding of control systems,
program writing, data acquisition and management, and process characterisation and safety — all of which were of
great importance to me in the rest of my career.
After I’d done ten years in industry, Jackie spotted an advert seeking people join HSE to work on chemical safety and persuaded me
to apply. I must have learned something, as HSE gave me a job as a specialist inspector in process aafety. And then, six years later, the
company I had worked for had a major accident, doing something they had not done before and had not properly assessed. A year after
that I found myself being asked to go back and help the company improve. Despite enjoying HSE enormously the opportunity to work with
my former colleagues was too good to resist and I went back, to spend another 23 years in industry as a safety professional. There were lots
of challenges, not least rapidly adding WSI 16c (for chemical changes) and WSI 16d
(control system changes) to our Management of Change procedures.
It’s probably fair to say I was affected quite a lot by Flixborough and over time it certainly effected big changes in the way industry viewed
process safety. Seeing at first hand what getting it wrong looked like gave me a personal incentive to get it right — or as right as I could
make it. And it affected both of us on that motorbike — Jackie became the Safety Manager for her company and later was the Health,
Safety and Environment Manager for the UK Chemical Industries Association. Together we played a significant role in writing the third
edition of the CIA’s Occupied Buildings Guidance, a publication which was directly driven by the destruction of control rooms,
laboratories and offices at Flixborough. The history of our working lives, in some ways, reflect the changes that Flixborough wrought on the
chemical and process industries — over time changes that have made it considerably better. We both had a working
lifetime of learning from and applying the lessons of the Flixborough tragedy, doing just what Loss Prevention Bulletin
seeks to do in each issue — read on, learn and apply!
Ken Patterson

0260-9576/24/$17.63 + 0.00

For me, 1974 came with chartered status four years out from
university. I must try to write this without the benefit of the glorious
hindsight we now have. I had the best start working for ICI Billingham in a great
team studying cyclohexane oxidation (yes, the very same) to cyclohexanone
and cyclohexanol (KA), intermediates in the production of nylon. ICI had two
KA Plants, a smaller one at Billingham which used an ICI process and a larger
one at Wilton which was an SDC (Scientific Design Company) plant which I
understand to be like the one at Flixborough. At the time of Flixborough I had
been transferred to be the sole Chemical Engineer on a similar team studying
the oxidation of paraxylene (also capable of a big bang) to terephthalic acid – a
polyester intermediate. During this period, I was seconded to Davies works
Wilton to help with a plant start-up and while there the news of Flixborough
came through. As was our custom in those days our lunch breaks were spent
with a run followed by a nutritious pie and a pint. This group of smart, ambitious
young process engineers pondered as information emerged and we wondered
why the bang was so big and what could be done to minimise the chance of
what appeared to us at the time to be a one in a million occurrence. Trevor Kletz
was Petrochemicals Safety Advisor at the time and was making noises. So, we
all benefited from his HAZOP training and attendance at many workshops.
I later hosted Trevor for a short time during a trip to New Zealand. And thus
began a lifelong relationship with process safety, a word that did not exist at the
time, and carried on and developed through my years in plant management,
engineering management and eventually process safety consultancy. Over time
I have clarified my views on the role of HAZOP, coming to the realisation that
when designing, engineers are focused on making a process work, not fail. It
is the latter mindset which is required by the team when conducting a HAZOP
study and the leader must ensure it is maintained. The company I started, Safety
Solutions Ltd now run by my son, also a Chemical Engineer and Fellow of the
Institution is now expanding beyond New Zealand and promoting all aspects
of process safety. If you will excuse an awful pun. Flixborough was the spark
that started it all and I will never forget the closing comment from the BBC
documentary on Flixborough. “Just one slip and the abyss”.
Colin Feltoe
I was a second year engineering student at the time of the incident and do not recall hearing about it then.
However, when I started work in Santos Australia, references to the Flixborough incident and learnings from the incident
had made it to many safety related and other courses. Subsequently as I progressed in Santos and took charge of process
safety, Flixborough always got a mention whenever and wherever Management of Change (MOC) was discussed. A
second major learning from Flixborough, as I recall, related to impact of unconfined vapour cloud explosions (VCE) on
occupied buildings. This second aspect in my view did not get the attention it deserved. When I say attention I mean
developing management systems as well as technical standards on the topic. In my work and also in my interactions with
ISC and CCPS, we tried to revisit learnings from major incidents including Flixborough and fill gaps if or when found. My
take on where we stood, and may be still stand, regarding the two major learnings from Flixborough are as follows:
• MOC: While MOC processes are quite well established in most major organisations, what is not often clear
is what “what qualifies as change” and “who is responsible for recognising change” and whether or not well
equipped to call a “change” when it happens. The point I am trying to make is that once a change is recognised
, due processes get initiated to respond to it, but it is the very recognition of “change” that is challenging and
industries must continue to develop this recognition aspect on a continuing basis.
• VCE: Unconfined VCE modelling is quite advanced and does get called upon more often than not for new
projects and developments. Existing facilities however may not draw the same attention. Secondly technical
standards for temporary buildings were not developed enough to address capability of withstanding a VCE
overpressure, at the time of my leaving the industry six years ago. I am not sure if much has changed. And
although a priority of temporary buildings, the consequence analysis is equally important for permanent
buildings that may not have undergone a review for overpressures resulting from VCE.
I have focussed on what I took away from the incident and how it shaped me as well
as what I think might still be out there requiring more attention.
Shekharipuram Sreedhar

0260-9576/24/$17.63 + 0.00

At the time of the Flixborough incident, I was working at the

BP Kent Refinery on the Isle of Grain as an assistant shift supervisor.
The incident captured everyone’s attention in the refinery with
thoughts about whether a catastrophic incident could occur on one of
our process units. Inevitably there was a greater focus on the safety
culture within the refinery for a year or more. After a period of process
In June 1974 I was nearing the end of my second
development work in Epsom, Antwerp refinery and Sunbury, I returned
year in Chemical Engineering at Imperial College and busy
to the Kent Refinery responsible for operations of three catalytic
revising for my end of year exams. I remember hearing very
reformers, two hydrofiners, an isopentane fractionator, and several
early on that an explosion had happened on a Saturday
small process units. Low and behold, I found myself implementing a
afternoon and that, despite how bad things clearly were, it
modification procedure (we didn’t call it Management of Change in
would have been much worse if it happened on a weekday
those days), but at least the refinery had learnt from the Flixborough
when more people were onsite. I also recall that one of
incident. Later in 1992, after various assignments running other Kent
the guys on my course, in my year, his father was a senior
Refinery process units (catalytic cracker, two alkylation plants and
manager at the site. We really felt for him.
sulphur recovery, etc.), London Head Office, Sullom Voe Oil Terminal,
As a result, we all paid a lot more attention to the safety
and Safety Engineering for the North Sea platforms, I was transferred
lectures we had in the final year at University. I joined industry
to the North Slope, Alaska oilfields because US OSHA was introducing
just over a year later and it was very clear that the impact
the Process Safety Management (PSM) regulation many years after
of Flixbrough had been profound across the whole of the
Europe implemented the Seveso Directive. Imagine my surprise when
industry. Proper management of change was front and centre
I discovered that the North Slope oilfields did not have any procedures
of everyone’s minds and was here to stay.
for process changes and modifications 18 years after Flixborough! One
Flixborough was a seminal moment and one that I have of my first tasks was to write a Management of Change procedure for
referred to many times in the talks I’ve given on process the oilfields (Prudhoe Bay and Endicott Island) and train everyone,
safety. Events like Flixborough really do leave an indelible while also working on compliance with 13 other PSM regulations.
impression — I realised that day that in my chosen profession Alaska OSHA even referred other Alaskan companies to me for
when things go wrong the consequences can be catastrophic. advice and guidance on implementing Management of Change and
Doing whatever we can as chemical engineers to address other PSM elements. After three years’ hard work, Prudhoe Bay was
process safety became a personal mission for me. awarded Voluntary Protection Program (VPP) status by OSHA that
Dame Judith Hackitt recognises and partners with businesses and worksites that show
excellence in process safety, occupational safety and health. I also
received a small plaque from Alaska OSHA.
Mike Broadribb
I was a 13-year-old teenager with no idea that my working life would be spent
as a chemical engineer in the process industries, but I still have vivid memories
of the Flixborough disaster and the lessons from it have been with me ever
since. I remember hearing about the accident very soon after it happened; the
football results on the TV were interrupted to announce the tragedy and I recall
seeing the first aerial footage of the scale of the explosion, however, growing
up on Tyneside, I had no idea where Flixborough was.
I subsequently went to Leeds University to study Chemical Engineering in

1979 and I’m pretty sure that neither Flixborough, nor process safety, was
ever mentioned throughout my three years there, so my first real exposure to
process safety came when I joined ICI in 1988, just three months before the
Piper Alpha disaster. Having had no exposure to process safety considerations
in my first two jobs in the chemical industry, the response to Piper Alpha in ICI
was immense; it really brought serious attention to process safety, and of course
Flixborough was another key event in the history of the subject, and has always
been the key incident in relation to the development of change management
processes. Although Flixborough was my first exposure to process safety at the
age of 13; ICI subsequently raised my awareness of the subject enormously and
I eventually moved into process safety management roles and spent my whole
career after 1993 in process safety. Early in my days at ICI, a colleague who was
leaving the company gave me his framed picture of the Flixborough aftermath
— it stayed on my office wall for the best part of 30 years.
Phillip Eames

0260-9576/24/$17.63 + 0.00

In 1974 I was a PhD student in Chemical Engineering at Sydney University. I

recall hearing about the accident and all of us in the department recognising
how terrible it was. Professor Prince invited Trevor Kletz to come to our
department around 1977-78, and he provided a HAZOP / HAZAN training
course that I attended. Trevor explained the accident in detail and how it was
caused and how the damage from the Vapour Cloud Explosion exceeded what
everyone expected at the time. It sparked an interest in process safety that
eventually became my career speciality. I became a lecturer in the department
and we invited David Slater to come on a three month secondment to the
Warren Centre at Sydney University to show how process safety might be
better managed. Flixborough became a driver for process safety growth in
Australia and for regulatory requirements in NSW in particular, starting with
safety separation requirements for LPG refueling stations in urban areas
(growing as a fuel for taxi fleets) based on possible accidents rather than
separations protecting that tank from external activities, then the common
approach in Australian and international standards. I started my process safety
career initially working with Sir Frederick Warner and David Train in Cremer
and Warner and later in Technica when I moved to London. Attitudes were
different then. I recall one senior design engineer saying that computers would
never have an important role in designing process plants. In contrast, Technica
was spearheading consequence modeling as having a role in facility layout.
Those calculation tools, starting with WHAZAN developed for the World Bank
eventually became the SAFETI risk calculation tool developed over several years
for Ben Ale in the Netherlands and later as a standalone consequence tool called
PHAST. Key people driving the approach in Technica included
David Slater and Tony Cox. SAFETI was adopted as a required risk calculation
approach in the Netherlands and later adopted by many companies for their
own risk calculation assessments. So, computers did eventually
become a standard approach in process facility design!
Robin Pitblado
I recollect the news of the incident as it happened on my birthday, 1st June 1974. I was sitting for my A Level
exams after completing a one year crushed course for A Levels. This is because the pre-university education that I had
in Bangladesh was not up to A Level standard. Although it was horrific, the news of the accident did not make as big an
impact as I think it should have done. This is probably because the chemical industry (and industry in general) was used
to having frequent accidents at that time. Later that year, in the autumn, I started a chemical engineering degree course
at Imperial College. During my study at Imperial, the significance of Flixborough was brought to me very extensively in
safety lectures by Dr. Napier. If I remember correctly, Dr. Napier was in the Flixborough investigation team. I graduated in
1977 and joined the Humber Refinery of Conoco Ltd. (now Phillips 66). The refinery is in North Lincolnshire (then South
Humberside) and is only about 30 miles from Flixborough. It would be appropriate to say that process safety, as we know
it now, was not there. The refinery was proud of its safety record but safety was measured in terms of personal injuries as
it was throughout the industry. Process safety was part of engineering judgement as evaluated by experienced engineers
and operators. Elements of process safety e.g. HAZOP was introduced in the 1980s. CIMAH regulations required the
refinery to produce safety reports justifying our safe operations. This was, of course, intensified by COMAH regulations
(as an aftermath of Seveso and Bhopal incidents).
After doing various assignments in technical services, operations and projects, I was definitely attracted to process safety.
It was almost a natural progression and it became clear to me that experienced chemical engineers like myself must
become guardians of process safety and question everything to maintain plant integrity. This personal mission became
more enhanced after our gas plant explosion in 2001. The Nypro Flixborough plant was rebuilt and I had an opportunity
to visit the plant on an IChemE organised plant tour. It was a model plant with every structure fireproofed and automatic
water sprinklers everywhere. Unfortunately, the plant was not profitable and was closed down.
S. Mohammad Ali

0260-9576/24/$17.63 + 0.00

On 01 June 1974 I had just completed my final year

exams in Chemical Engineering at Swansea with Professor Jack
Richardson. I then joined Cremer & Warner (C&W) Consulting
Engineers as a junior engineer in mid-July. On the day
I joined C&W, Sir Frederick Warner, my mentor, stated
that he had just been made Technical Advisor to the
Flixborough Court of Inquiry which was to be chaired by
Roger Parker, Q.C. I was to look after the files and to assist
in the investigation along with the excellent C&W team
and industry discipline experts. What a privilege!
What an opportunity!
I was on the Flixborough Nypro site for some four months,
preparing documents for the Inquiry and investigating
issues as requested by the Inquiry.
This work included assisting with testing activities to
simulate the failure of the bellows and the 20-inch
dog-legged pipe assembly.
Toward the end of the Inquiry, I was involved in examining
the alternative technical theories being advanced by
various parties to the Inquiry and gave factual evidence
at the Inquiry regarding their likelihood based on the
photographs and dismantling of the Process Section
25a where the release of cyclohexane occurred. Also,
I assisted in preparing the drawings for the final Inquiry
Report. Overall, it was a golden opportunity for me, but of
course it arose from very tragic circumstances.
The lessons from the Flixborough disaster are legion.
The management systems were found to be deficient, for
example, regarding a lack of qualified and experienced
people, poor definition of responsibilities, poor coverage
of absence and stressed decision-making. Important
technical issues were identified such as the need to
control modifications, reduce hazardous inventories,
ensure there is communication of a clear design intent
from designers to operators. The investigations provided
a greater understanding of failure mechanisms such as
nitrate stress corrosion cracking and zinc embrittlement of
stainless steel. There was great focus on the issue of the
source release, together with vapour dispersion and the
consequences of vapour cloud explosion and major fires,
which then required a major rethink about the location and
design of control room, offices and critical safety systems.
In fact, the investigation into the disaster provided an
insight and paved the way for almost
every aspect of safety engineering and major
accident hazard assessment.
This experience shaped my whole attitude to process safety
and for the past 50 years I have investigated and continue to
investigate incidents and major losses in the UK and abroad either Pictured, from top: Dismantling the west side
for the Crown, Government or companies/duty holders and of Section 25A; Dismantling the south end of
acting as an expert witness. Section 25A; Dismantling the south east corner
of Section 25A with Section 7 behind.
Rod Sylvester-Evans All photos courtesy of RSE photos

0260-9576/24/$17.63 + 0.00

Safety leader
An interview with Ken Rivers

ideas were battered backwards and forwards across the net
For this special to try to “win the point”. Buncefield put an end to that.
anniversary issue of The whole credibility of the industry and the regulatory
LPB, we talk to former regime was under fire. We were all in the same boat, all our
IChemE President reputations were on the line and the usual tennis match was
2018-19, Ken Rivers, to not going to give us the answer.
gain his perspective on
Something different needed to happen and it did. And it
process safety and the
changed the entire game. It was triggered by how leaders
importance of good
behaved.
leadership.
I am proud of the way the leaders at the time stood up
Ken has significant
to the challenge. Industry and regulator all shared the view
experience of working
that a Buncefield incident must never happen again. We
with government and
recognised that by pooling our knowledge, experience and
regulators in the oil
insights that we could deliver better, more effective, more
and chemical sectors,
efficient and more timely solutions. And that whilst we might
including holding the
not know what had gone wrong at Buncefield (and there was
post of CEO of the listed company Refining NZ and senior
a commission working on that), we did know what had to go
positions within Shell.
right and so we together could move quickly into action and
Ken has skills and experience relevant to organisations
deliver prompt and meaningful change.
operating in regulated environments where safety is
critical. Until recently, he was chair of the COMAH We formulated a new mindset of “aligned but not joined”
Strategic Forum and successfully chaired this tripartite which recognised that regulator and regulated shared a
group for the last eight years since inception. common goal of preventing major incidents and that it was
knowledge and
through open, frank discussion and pooling our different
competence
Ken is a member of the Industry Safety Steering Group
monitoring industry’s progress in implementing the perspectives that we could best achieve that goal. It led
Building Regulation and Fire Safety review post-Grenfell. to industry becoming more self-disciplined and holding
He also chaired the industry/regulator task force in the ourselves more to account and it led to a more mature and
wake of the Buncefield Terminal explosion. Ken has a track collaborative relationship with the regulator. It led to leaders
record of managing change and business turnarounds across organisations stepping up and holding themselves to
engineering
and design
based on developing a clear strategic direction and account. When industry works together, when regulators
building organisational capability. work together and then when industry and regulators work
together then transformational change can happen. And that
is magic!
At what stage in your career journey did the The success of the Buncefield Standard Task Group in
systems and
procedures
importance of leadership in process safety working together to identify, develop and deliver real change
was subsequently continued and built on by the Process
become clear to you?
Safety Leadership Group. The incidents at Buncefield —
The moment I think the absolute and truly critical importance and also at Texas City — highlighted and re-emphasised
of leadership for me was triggered by Buncefield. I saw the the critical importance of leadership in preventing major
profound impact that leadership can have not only in how we incidents. The PSSG went on to define what good leadership
manage major hazards within an organisation but also across in managing major hazards looks like. That work on
a nation. leadership had a resounding impact on the UK process
Buncefield was a shock to the industry, it was a shock to the industries and is now embedded in the regulatory framework.
regulator and most importantly a shock to the public. See Principles of Process Safety Leadership: http://www.p-
A Major Incident Investigation Board was set up to s-f2.org.uk/wp-content/uploads/PSLG-Principles-1.pdf
identify what went wrong, but it took time as much of the I think the leadership which drove the Buncefield Task
evidence had been destroyed. In the meantime, pressure was Force went beyond the technical and operational and facility
mounting on all parties to do something. changes that were implemented (real and important as they
The crisis around Buncefield changed the nature of the were). It demonstrated a new level of maturity in our ways
interaction between regulators and the regulated in the UK. of working and it paved the way for the working together on
Up until then, developments progressed like a game of tennis leadership. Better outcomes in turn build trust and credibility
with one party proposing change which would be rebuffed between regulators and regulated, and created a virtuous
with counter proposals from the other side. Solutions and spiral, which manifests itself today in the COMAH Strategic

0260-9576/24/$17.63 + 0.00
297 Rivers.indd 33 05/06/2024 15:44:09

Forum, which was set up to bring the Competent Authorities on a journey that has helped me grow those leadership skills
and the “chemical sector” together to discuss and resolve and I am still learning today.
matters of strategic importance in the management of major My leadership journey started with trying to understand
hazards. what a leader really is. There are thousands of books written
As I said back in 2007 ….. about thermodynamics and they all say the same/similar
things. There are probably even more books written about
“How industry responds to incidents such as Buncefield,
leadership and they all seem to say something different.
and how the regulators respond on behalf of the public is a
measure of our society. A decisive and dynamic response So what do I mean by being a leader and how is that
with all parties co-operating is the product of a democratic different from being a manager? Managers are great at moving
and advanced society...” from A to B, but it is leaders that define what B is and it is that
vision in how it is created, defined, shared and owned that can
And the work of leaders in making that happen is pivotal. transform organisations.
For me it was always about what I called “visible leadership”,
Was there a key event or person that had a about creating a compelling vision, then going on to build
big impact on shaping your interest in process a guiding coalition to drive that change. To excite, energise
safety. What happened and what did you and empower people and provide the support and resources
they need……..and then to step back and let them deliver, but
learn? always being available to help, support and encourage.
The key event was Flixborough, and the key person was Trevor It was always coupled with high and well understood
Kletz. standards in which to instil the belief and confidence that we
Flixborough occurred in 1974 while I was at university can do better and be different, to recognise that you get the
and the following year I started my career with Shell at performance you demand and to hold especially yourself and
their refinery in Essex. After a year working in crude oil then others accountable.
distillation, I joined the Major Projects group which had I always remember a story told by a colleague of mine. He
a big focus on managing major hazards as a result of had just become site manager of a major chemical complex
Flixborough. I remember being busy with reviewing the for the first time. There was an incident which released a large
management of change, but also becoming one of the first cloud of flammable gas that flowed past their administration
technologists to be sent off to learn from ICI about HAZOPs centre full of people. Fortunately, the gas cloud dissipated,
etc. and put that into practice. and no one was injured. His first reaction was “how could they
What a life changing experience that was! To meet Trevor have done this? how could they have let this happen?” He was
Kletz and his team and be exposed to the eye-watering cross and angry. The following morning when he woke up,
array of potentialities for disaster and to then grasp how he realised how wrong he was. The question he should have
that potential chaos could be converted into an orderly and asked himself first was “how could I have done this? how could
structured management of the risks. To understand how I have let this happen?”
chronic unease did not have to be disabling but motivating. As a leader, the organisation looks to you. Your responses
And of course, to grasp the idea of inherent safety — “What or lack of response send powerful signals which shape their
you don’t have, can’t leak”. behaviour and attitudes, influence decisions and priorities. I
I guess the biggest lesson though was about personal always look to myself first and what it is that I did (or didn’t do)
conduct. About not asking for permission, but just doing that contributed to any incident or shortcoming. That has led
what was right. As a result, during my career, I have had to to a fundamentally different approach and outlook in managing
ask for lots of forgiveness after the event, but I have never major hazards and which has helped me on my leadership
regretted choosing that path. journey.
Trevor was a true pathfinder and has inspired me and I guess the final comment though is about changing the
generations of other chemical engineers to grasp the nature of conversations.
difficult challenges of addressing those major accident I believe that more diverse inputs leads to better
hazards that can kill, maim, or wound people, do untold conversations which lead to better analysis and better
damage to the environment, generate huge economic cost conclusions, better decisions and ultimately better outcomes.
and disruption, and destroy communities and businesses. And that requires you to be open to listening, hearing and
He shone a light on how those events can be mapped, understanding others’ views especially if they are different
mitigated, and managed, and those lessons and insight to yours. And if you show that you are interested in others’
are now being grasped beyond the process industries, for views and you respect them then a rich cascade of new and
example in the building sector post-Grenfell. fresh inputs can emerge that helps address those difficult and
sometimes intractable process safety questions.
How do you, as a leader, ensure that People make the difference and creating an environment in
your commitment to process safety is which they can deliver their best is essential.
communicated, embraced and correctly
applied by your teams? As a leader, how do you evaluate and
Firstly I think you have to be yourself and demonstrate your
balance risk?
personal commitment to managing major hazards. I have been There are three questions that are always top of mind. Do we

0260-9576/24/$17.63 + 0.00
297 Rivers.indd 34 05/06/2024 15:44:09

Visible Leadership
• create the compelling vision
• build the guiding colation
• excite, energise and empower
• support, resource, stand back and encourage
High and Well Understood Standards

• Instill the belief & confidence that we
can do better and different
• you get the performance you demand
• hold yourself and others accountable
Changing the nature of conversations and thinking

• changes the nature of the analysis and the quality
of the decisions
• can deliver transformational change
People are the difference

• focus on building capability & gardening talent
• performance anchored in values
• ‘first’ team now and the future A Leadership Journey
understand the risks we are managing? Do we know how to also to look at the learnings from other incidents that might be
manage and mitigate those risks? And have we reduced them occurring in your sector and asking whether the lessons apply
to as low as reasonably practicable (and can we demonstrate to you. And ultimately, what did the Grenfell fire or the Boeing
that)? 737 Max crashes mean for your business.
There are processes, tools and techniques that help us, but Underpinning all this is a culture of “chronic unease’ that
central is an open and transparent discussion in which issues goes beyond compliance and that questions what more can
are shared and in which we respond strongly to weak signals. and should be done.
It requires a culture in which the raising of problems, concerns And those questions apply to both the management
and uncertainties are welcomed. of specific risks but also the steps in the improvement
And rather than looking at specific risk, I would look at how engine which underpin the culture in the organisation. The
we establish within an organisation that right culture in which journey from “unconscious incompetence” to “conscious
this occurs. This starts with the journey that an organisation incompetence” relates to a dependent culture where external
goes on starting with “unconsciously incompetence” in regulatory standards often dominate and where you feel you
which the sky is blue, grass is green, and everything appears are doing it because you have to. The next step in becoming
OK — and then we have an incident and we realise that we “consciously competent” is driven by an understanding
are “unconsciously incompetent”. Hopefully, we realise this
before an incident occurs by taking measurements, trending
those measurements and benchmarking the results to see Improvement Engine
whether we have a performance problem.
Having realised we are “consciously incompetent’, we then
UNCONSCIOUS
go on to implement the systems, processes and procedures COMPETENCE
that if followed will lead us to become demonstrably CONSCIOUS CULTURE
COMPETENCE
Audit, Learning from others
“consciously competent” and have passed our “driving test”! Values, Behaviours
We then move on to embed that into our behaviour and SYSTEMS

Processes,
values until we become “unconsciously competent” and Procedures, CONSCIOUS
managing risks well is simply becomes part of how we do our Systems INCOMPETENCE
business. UNCONSCIOUS MEASURE
INCOMPETENCE Incidents,
Unfortunately, “unconscious incompetence” can look very Measurement,
Comparisons
similar to “unconscious competence”. The key performance
indicators can be “green”, the auditing of the processes / Alert to incidents and sharing & learning from them
systems can be “green” and yet there can be inherent
weaknesses that may not have been picked up. What is then ‘Chronic unease’ – a mindset shift
required is an external perspective and assessment — and

0260-9576/24/$17.63 + 0.00
297 Rivers.indd 35 05/06/2024 15:44:15

enough. And a big part of the addressing that challenge is

The Cultural Journey how we reach out to those who are not currently engaged or
committed. We often — and without realising it — primarily
Natural instincts
Where are you? talk to those already interested and want to know more. But
some don’t see a problem; others see it as somebody else’s
Supervision
problem; and others are simply waiting to be told what to do
Injury rates
Self (by the authorities).
Team The CSF response has been to prioritise “leadership” and
“outreach” with action plans to address these imperatives in
Dependant Independent Interdependent
a number of ways. For specific organisations, the challenge is
to understand the good practices that are available, which are
I do it because... I have to! It makes sense It makes sense
for me for us
relevant and to ensure they have been implemented.
The most important of these good practices and one
So what???? Consequences $$$$$ The right thing which applies to all organisations involved in major hazards
is leadership. See Leadership for the major hazard industries:
https://www.hse.gov.uk/pubns/indg277.pdf
of the benefits that the systems /procedures deliver and
creates an independent culture where you are doing these What key piece of process safety advice would
things because you know they add value. The last step to you give to give a new engineer?
“unconscious competence” often drives an interdependent
culture where if suppliers and customers get engaged then all I would remind them of Dame Judith Hackitt’s words that
parties benefit. there are:
“No new accidents, just different people making the same
What are the main obstacles to maintaining or mistakes because of a failure to recognise the relevance
improving process safety in your organisation to them of other people’s experiences and therefore not
and what are you doing to address them? learning.”
I recently stepped down as Chair of the COMAH Strategic and so, keep your mind open and learn from others. Look for
Forum (CSF) which brought industry and regulators together good practices and question when they are not being applied.
to identify and address matters of strategic importance in the And you will make a real difference.
management of major hazards in the UK.
Our vision included creating a thriving safe and sustainable
sector with a regulatory regime that supports business growth, Process Safety definition
high standards and strong compliance.
The Centre for Chemical Process Safety (CCPS) defines
The question then was “what is the most important thing we
process safety as ‘a disciplined framework for managing
need to do to achieve this vision?” You may find the answer
the integrity of hazardous operating systems and
surprising — it was to turn “good practice” into “common
processes by applying good design principles engineering
practice”. So, this is not about creating new tools and
and operating practices. It deals with the prevention and
processes, but rather making sure that the existing armoury of
control of incidents that have the potential to release
good practice is known, available and used across industry.
hazardous materials or energy. Such incidents can cause
Most — if not all — of the major incidents have causes that
toxic effects, fire or explosion and could ultimately result
we have seen in earlier incidents and for which remedies and
in serious injuries, property damage, lost production and
cures have been identified. The problem is we do not apply
environmental impact.’
this learning comprehensively, consistently and continually

0260-9576/24/$17.63 + 0.00
297 Rivers.indd 36 05/06/2024 15:44:15

Information for authors and readers
Loss Prevention Bulletin 2024 Subscription rates
Panel members Complete online collection
Helping us to help others
Mr Ramin Abhari £592 + VAT
Chevron Renewable Energy Group, US • The Loss Prevention Bulletin (LPB)
aims to improve safety through Print and complete online collection
Dr Andy Brazier the sharing of information. In this £662 + VAT (UK)
AB Risk Ltd, UK respect, it shares many of the Print and complete online collection
Mr Roger Casey same objectives as the Responsible £687 + VAT (ROW)
Roger Casey & Associates, Ireland Care programme particularly in its
The complete collection online provides
openness to communication on
Dr Tom Craig access to over 40 years of articles, back
safety issues
Consultant, UK to 1975. Multi-user site licences are also
• To achieve our aims, we rely on available. For further details,
Dr Bruno Fabiano contributions providing details of
University of Genoa, Italy contact sales@icheme.org
safety incidents. This information
Mr Geoff Gill can be published without naming an Coming up in future issues
Consultant, UK affiliated author, and details of the
plant and location can be anonymised
of lpb
Dr Zsuzsanna Gyenes
Global Industrial Safety Solutions Ltd., if wished, since we believe it is We are especially interested in
Hungary important that lessons can be learned publishing case studies of incidents
and shared without embarrassment related to:
Mr Mark Hailwood or recrimination.
LUBW, Germany • Organisation structure &
• Articles published in LPB are process safety
Dr Andrea Longley essentially practical relating to all
ThermoFisher Scientific, UK • Emergency planning & response
aspects of safety and loss
prevention. We particularly • Ageing plant
Ms Fiona Macleod
Consultant, UK encourage case studies that • Lessons from other industries
describe incidents and the lessons • Management of Change
Mr Robert Magraw that can be drawn from them.
BakerRisk, UK • Hazardous waste
• Articles are usually up to 2500
Dr Ken Patterson • Hidden hazards
words in length. However we are
Consultant, UK also interested in accepting accident • Transfer of hazardous materials
Dr Christina Phang reports to be written up into articles • Electrostatic hazards
GRIP Global, Malaysia by members of the Editorial Panel. • Energy
Drawing and photographs are
Mr John Riddick, welcome. Drawings should be clear, If you can help on these or any other
Caldbeck Process Safety Inc., Canada
but are usually re-drawn before topic, or you would like to discuss your
Mr Doug Scott printing. Any material provided can ideas further, please contact the editor
Charles Taylor Adjusting, UK be returned if requested. Tracey Donaldson on the number above.
Dr Hans Schwarz For further information, see
ProsafeX, Germany https://www.icheme.org/
knowledge/loss-prevention-bulletin/
Mr Sam Summerfield submit-material/
Consultant, UK
• Correspondence on issues raised
Ms Zoha Tariq by LPB articles is particularly
Tecnologías Marte, UK welcome, and should be addressed
Dr Ivan Vince to the editor at:
ASK Consultants, UK Loss Prevention Bulletin
Institution of Chemical Engineers
165 - 189 Railway Terrace
Rugby, Warwickshire
CV21 3HQ, UK
Tel: +44 (0)1788 578214
Fax: +44 (0)1788 560833
Email: tdonaldson@icheme.org

0260-9576/24/$17.63 + 0.00
297 infopagev2.indd 37 05/06/2024 15:41:28

TRAINING
LIVE ONLINE ON-DEMAND FACE-TO-FACE IN-COMPANY
Develop your process safety skills

IChemE provides a wide range of process safety training courses to help you identify, assess and
manage process risk effectively at your organisation. From hydrogen safety to HAZOP, we've got
it covered.
Hazard identification and risk analysis

■ Bowtie Analysis and Barrier-Based Risk Management
■ Consequence Modelling Techniques
■ Delta HAZOP
■ Hazard Identification Techniques
■ HAZOP Leadership and Management
■ HAZOP Study for Team Leaders and Team Members
■ Layer of Protection Analysis (LOPA)
■ Process Risk Assessment
■ Quantified Risk Analysis
■ Safety Instrumented Functions (SIFs)
Process safety management

■ Fundamentals of Process Safety
■ Process Safety Leadership and Culture
Understanding hazards
■ Advanced Process Safety Considerations for
Hydrogen Projects
■ Pressure Systems
■ What Engineers Need to Know About
Hydrogen Safety
Human factors
■ Human Factors in the Chemical and Process Industries
IN-COMPANY
All our courses can be delivered in-company,

LPB297
on-site or online.
www.icheme.org/process-safety-training
LPB 295 Courses FP AD.indd 1 01/02/2024 12:36:35

LPB 297 Online

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

LPB 297 Online

Uploaded by

Copyright:

Available Formats

Loss Prevention Bulletin

Improving process safety by sharing experience

Keystone Pictures USA/ZUMAPRESS.com/Mary Evans

LPBcover297.indd 1 05/06/2024 15:39:19

Q Critical Task Analysis Q Hydrogen Hazards Q Safety Critical Task Analysis

Q Environment & Climate Change Q Modelling & Simulation

DS34HAZARDS34HAZARDS34HAZA Mike Nicholas

LPB297 Hazards34 IFC.indd 1 05/06/2024 12:26:19

© Institution of Chemical Engineers

297contents.indd 2 05/06/2024 15:48:19

© Institution of Chemical Engineers

297 editorial.indd 2 05/06/2024 15:49:31

Flixborough – in the words of the witnesses

© Institution of Chemical Engineers

297 Loudon.indd 3 05/06/2024 15:54:44

A young girl who lived in the Flixborough village, and was 9

© Institution of Chemical Engineers

297 Loudon.indd 4 05/06/2024 15:54:48

‘anti looting patrols’ in the evacuated villages. One recalled:

The first two ambulancemen on the scene only had a simple

© Institution of Chemical Engineers

297 Loudon.indd 5 05/06/2024 15:54:49

The 28 who perished on 01 June 1974 are remembered below

John Barrett (43) Ian Kidner (37)

It is particularly poignant to reflect on the ages of those who

• Two members of the workforce were rescued by fire

© Institution of Chemical Engineers

297 Loudon.indd 6 05/06/2024 15:54:53

Nylon Years – An interview with

in unagitated “R-4” reactor. The Court of Inquiry missed the

© Institution of Chemical Engineers

297 Abhari.indd 7 05/06/2024 15:56:09

Figure 1 – Chemistry of caprolactam production and use,

Figure 2. The cyclohexane oxidation process unit built at Flixborough

R-1 R-2 R-3 R-4

Cyclohexane from heater Reactor effluent to water

© Institution of Chemical Engineers

297 Abhari.indd 8 05/06/2024 15:56:12

Did the Nypro plant ever restart after the

Did this accident signal the end for the cheaper/

© Institution of Chemical Engineers

297 Abhari.indd 9 05/06/2024 15:56:13

introduced unexplained mechanical failures and normalised this

Lesson 3. Management of change

Lesson 4. Proper communication of safety concern

Lesson 5. Temporary fix becoming acceptable

Did you consult/have any feedback from any

© Institution of Chemical Engineers

297 Abhari.indd 10 05/06/2024 15:56:16

Flixborough — remembering ICI’s response to

© Institution of Chemical Engineers

297 Crawley.indd 11 05/06/2024 15:57:36

Change Required Reason Final Result

Table 1: Summary of Significant Changes

© Institution of Chemical Engineers

297 Crawley.indd 12 05/06/2024 15:57:37

Flixborough and inherent safety – inspired by

© Institution of Chemical Engineers

297 Inherent.indd 13 05/06/2024 15:58:44

© Institution of Chemical Engineers

297 Inherent.indd 14 05/06/2024 15:58:45

and any potential for runaway reaction;

• human error — options to reduce susceptibility that do not LEAST