October 2019

Special Focus: Plant Safety and Environment

Looking back at the Phillips 66 explosion in Pasadena, Texas: 30 years later

October 23, 2019 marks the 30-yr anniversary of a devastating fire and explosion that claimed the lives of 23 workers at a major chemical plant in Pasadena, Texas.

Bloch, K. P., Contributing Writer; Vaughen, B.K., AIChE

October 23, 2019 marks the 30-yr anniversary of a devastating fire and explosion that claimed the lives of 23 workers at a major chemical plant in Pasadena, Texas. That explosion, which occurred at the Phillips 66 Houston Chemical Complex (HCC) on the Houston Ship Channel, helped modernize process safety management (PSM) programs in the U.S. This significant incident removed any doubt that a catastrophic industrial process release could produce severe consequences in a geographic region with a mature regulatory framework.

Fig. 1. HDPE loop reactor flow diagram.
Fig. 1. HDPE loop reactor flow diagram.

Industry’s pursuit of safe process design and operation started long before the explosion on October 23, 1989. However, PSM 30 yr ago was much different from what it is today. For example, in 1989 there were no process safety engineers staffing roles in industrial divisions. Neither were any process safety coordinators directing site compliance activities according to PSM principles. In fact, OSHA’s PSM standard that revolutionized the uniform application of safe process design and operating practices in the U.S. was not published into the Code of Federal Regulations (29 CFR 1910.119) until almost 3 yr later. Significant progress resulting from these developments has certainly made industry safer. Through these advancements, countless catastrophic process releases have been prevented, and many lives saved.

Unfortunately, significant incidents resulting in fatalities, injuries, environmental damage and property loss have continued over the last 30 yr. The refinery fire and explosion in Texas City, Texas (2005); the offshore rig fire, explosion and oil spill in the Gulf of Mexico (2010); and the toxic chemical release in LaPorte, Texas (2014) are grim reminders that global PSM improvements have yet to achieve the goal of preventing or minimizing the consequences of catastrophic releases of toxic, reactive, flammable or explosive chemicals.

Fig. 2. Illustration of the valve and settling leg arrangement.
Fig. 2. Illustration of the valve and settling leg arrangement.

Sadly, information about the 1989 Pasadena explosion is rarely communicated in modern engineering courses. As a result, many employees entering the industrial workforce today are unaware of how behaviors cultivated in a production environment can inadvertently undermine the performance of PSM programs. Controlling such behaviors requires recognizing how and why incidents like the Pasadena HCC explosion occurred.

The following summary explains the circumstances that led to the 1989 Pasadena HCC explosion. This understanding makes it possible to recognize common themes between other high-consequence incidents—both before and after the Pasadena HCC explosion. Relating these themes to situations commonly encountered in modern industrial processes unlocks PSM’s ability to meet its ultimate goal.

Process description

The general layout of the system involved in the 1989 Pasadena HCC explosion is shown in Fig. 1. High-density polyethylene (HDPE) production occurred inside two process units at the local site (Plant 4 and Plant 5). The process circulated through an arrangement of 30-in.-diameter pipes mounted vertically in 150-ft-tall, continuous, ring-like structures called “loop” reactors. Six loop reactors were operating in Plant 5. The loop reactors contained a catalytic reaction that produced HDPE, starting with ethylene feed in an isobutane diluent.

Fig. 3. Illustration of flow (open valve) and no flow (closed valve)  for the 8-in. ball valve on the settling leg.
Fig. 3. Illustration of flow (open valve) and no flow (closed valve) for the 8-in. ball valve on the settling leg.

Hydrogen and hexene were also added to achieve targeted product quality specifications. Thus, the raw materials in the loop reactor were flammable and easily ignitable, especially at the reaction’s severe operating conditions: 600 psi (4,100 kPa) and 180°F–230°F (82°C–110°C). The catalyst accelerated the rate of ethylene monomer polymerization to facilitate its conversion into heavier HDPE molecules. As the reaction product gained mass in the loop reactor, it would eventually become heavy enough to drop out of the circulating reaction mixture.

Six settling legs were located at the bottom of each loop reactor (Fig. 2). Each settling leg consisted of a flanged, 8-in.-diameter pipe connected to an air-operated, tight-shutoff, 8-in. ball valve (Fig. 3). Beyond this ball valve was an 8-ft-length run of straight pipe where the reaction product, a polyethylene “fluff,” collected. The 8-in. ball valves remained open during production, thereby allowing the polyethylene fluff to enter the settling legs. Below the settling leg was a takeoff valve where the fluff would pass into a flash tank. The settling legs were the interface between the high-pressure (loop reactor) and low-pressure (flash tank) process sections. The intent of loop reactor operation was to successfully deliver polyethylene fluff into the flash tank, where it was removed and later processed into a final product to satisfy customer orders.

Operating complexities

It is not uncommon for differences to exist between how a process is designed (expected) to work and how it actually works. In this respect, the HDPE manufacturing process in Pasadena was the same as any other system to be encountered in the manufacturing industry. According to design, polyethylene fluff was expected to move freely through the settling leg, from the loop reactor into the flash tank. In reality, the fluff tended to collect inside the settling legs. Accumulating fluff would develop into a large cylindrical “log” inside the settling leg. Eventually, the log would become large enough to interrupt product transfer between the loop reactor and flash tank.

Since production would cease if all six settling legs became plugged, routine, invasive maintenance was needed to remove the log plugging any of the settling legs. Settling leg maintenance was performed with the loop reactor at normal operating temperature and pressure. Thus, effective energy isolation and control was required before and during settling leg maintenance. Failure to effectively isolate the process could result in the catastrophic loss of flammable reactor contents. Under such circumstances, severe consequences (including multiple fatalities) were possible.

Settling leg maintenance

The local site was governed by a corporate policy for safe equipment isolation. The corporate policy required backup protection consisting of double-block valves to isolate the process effectively during maintenance. However, if a double-block valve arrangement was not provided by design, then a blind flange insert could be installed before performing the maintenance. In the U.S., this policy represented recognized and generally accepted good engineering practices.

Fig. 4. Illustration of a plugged settling leg prepped for maintenance.
Fig. 4. Illustration of a plugged settling leg prepped for maintenance.

Double-blocking the line for maintenance would have been preferred, since it was faster and less invasive than installing blinds to isolate the equipment. Although not possible by design in the case of the settling legs at the local site, settling leg maintenance took place without inserting a blind flange. Instead, the local site had implemented an alternative isolation procedure that met the intent of the corporate isolation policy. The local site’s alternative/substitute isolation procedure, which had been used successfully many times, involved three steps:

  1. The 8-in. ball valve was closed to isolate the plugged settling leg from the loop reactor.
  2. The 8-in. ball valve stem was physically locked in its closed position.
  3. The inlet and outlet air hoses actuating the 8-in. ball valve were disconnected from the remote valve switch control panel.

The 4-in.-diameter product takeoff valve had to be removed to extract a polyethylene log stuck in an 8-in.-diameter settling leg. With the flanged reducer removed, an embedded maintenance contractor would then reach into the settling leg bottom, grab the log and pull it out through the opening (Fig. 4). After confirming that the line was clear, the settling leg would be reassembled. Process isolation could then be reversed. Afterward, the settling leg was placed back in service.

The local site’s alternative settling leg isolation procedure specified that the 8-in. ball valve actuator air hoses should never be connected during maintenance. The purpose was to achieve an equivalent level of blinding protection while using the closed 8-in. ball valve as a substitute for a blind. With no way to accidentally open the valve during maintenance on a disassembled settling leg, a blind conceivably offered no additional protection over the closed, locked and disconnected tight-shutoff valve. From a process hazard analysis (PHA) perspective, a rapid loss of the reactor’s contents into the atmosphere would be expected if the single, 8-in. ball valve somehow opened when the settling leg was disassembled. This could surely result in a “consequence of interest.”

Incident summary

Three of the six settling legs on Reactor 6 in Plant 5 were plugged on October 22, 1989. Operations personnel isolated the settling legs according to the site’s alternative isolation procedure, which involved closing the 8-in. ball valves, locking them closed and disconnecting the actuator air hoses. Operations then contacted the maintenance contractor to remove the polyethylene logs from each of the plugged settling legs.

Fig. 5. Settling leg under maintenance with a log fragment beyond normal reach.
Fig. 5. Settling leg under maintenance with a log fragment beyond normal reach.

The first of the three plugged settling legs was disassembled and unplugged without difficulty on October 22, while the reactor continued operating at normal pressure and temperature. The next morning, the maintenance contractor started removing the log stuck in the second of the three plugged settling legs. During its extraction, the log separated, leaving a portion inside the settling leg beyond the maintenance contractor’s reach (Fig. 5).

The maintenance contractor then contacted an operator. Together, they returned to the opened settling leg. A short time later, a catastrophic process release occurred. Almost instantaneously, the reactor lost its entire contents of more than 85,000 lb of the highly flammable process materials. Within the next 2 min, the flammable vapor cloud ignited and exploded shortly after 1:00 PM on October 23 with a force equivalent to 2.4 tons of TNT, registering as a 3.5-magnitude earthquake on the Richter scale.1 Multiple explosions occurred after the initial explosion, preventing the responders from safely entering the areas with fires to search for potential survivors.2

The ensuing fire was brought under control about 6 hr later, but it continued burning fugitive process material throughout the night.2 The incident resulted in 23 fatalities and more than 314 injuries (185 Phillips 66 employees and 129 contract personnel). Additionally, property damage in the range of $750 MM (which translates to $1.52 B in today’s economy3) occurred, and production was stopped for several months. The explosion scattered debris within a 6-mi radius from the blast location.

Investigation findings

On April 26, 1990, the U.S. Department of Labor’s Occupational Safety and Health Administration (OSHA) submitted an investigation report to the U.S. president. The investigation concluded that the fire and explosion was caused by the release of flammable process gases that contacted an ignition source.1

Unfortunately, OSHA was unable to derive the specific sequence of events leading up to the release of flammable process gases. This is understandable, since no one in direct control of the equipment involved in the release survived the explosion. However, the investigation report does indicate that the local site’s alternative practice for isolating the system for maintenance was inadequate to prevent someone from inadvertently or deliberately opening the 8-in. ball valve during the maintenance procedure.1

Implying that the 8-in. ball valve might have been opened “deliberately” stirs curiosity comparable to that experienced in response to Union Carbide’s claim of “sabotage” involved in the Bhopal Gas tragedy 5 yr earlier.4 With respect to the Bhopal Gas tragedy, modern references add the context needed to understand why the system was operated in certain ways. This transparency makes it possible to exclude sabotage as a probable cause.5 Similarly, personnel familiar with loop reactor operations have explained why someone might intentionally remove isolation from the 8-in. ball valve while the settling leg was still disassembled for maintenance.

Workaround procedure

Polyethylene log removal is an example where control of the 8-in. ball valve might be temporarily returned to an operator during settling leg maintenance. This practice could be used to remove debris stuck beyond the contractor’s reach, which made it impossible to pull a log out through the bottom of the settling leg. Using process pressure, the log could be pushed out through the bottom of the settling leg by momentarily opening the 8-in. ball valve (Fig. 6). On the morning of the incident, permission to conduct this workaround procedure was requested and denied twice before the release.

Fig. 6. Settling leg condition after incident, as documented in the investigation report.
Fig. 6. Settling leg condition after incident, as documented in the investigation report.

This explanation corresponds with the information contained in the Department of Labor’s report, which documents that:

  1. The 8-in. ball valve was found open.
  2. The manual lock was removed from the valve stem.
  3. The 8-in. ball valve actuator air hoses were found reconnected; they were not disconnected as required by the local site’s alternative maintenance procedure.

The report notes that the maintenance contractor engaged an operator’s support several minutes before the release. In most industrial facilities governed by OSHA regulations, process isolation and removal belong to the operators. Contractors are prohibited from operating the process in any form, which includes opening and closing process valves. Collectively, the conditions described in the report would be expected if the 8-in. ball valve had failed open while using process pressure to flush out the line.

Additionally, the report indicates that the 8-in. ball valve air actuator hoses were found reconnected in reverse (the inlet air supply connected to the actuator air outlet and vice versa). Post-incident experiments performed on the actuator air hose connection showed that this incorrect actuator hose configuration would open the 8-in. ball valve with the actuator switch showing the valve to be closed (i.e., the safe state for performing the maintenance). To the naked eye, the operator would expect the process to remain isolated under these circumstances. Therefore, human error was involved regardless if isolation was removed from the 8-in. ball valve purposefully or not. The report confirms that the 8-in. ball valve did, in fact, fail open due to human error, which involved reconnecting the actuator air hoses in reverse.

Show respect for standards, policies and administrative controls. In the context of human error, it is acknowledged that the local site was expected to comply with the corporate policy for isolating settling legs in 1989. The corporate policy specifically required backup protection in the form of double-block valves or inserting a blind prior to performing invasive maintenance.6 The local site had developed and implemented an alternative isolation procedure contrary to the corporate standard.

The alternative isolation procedure would not have prevented the 8-in. ball valve from accidentally opening upon reconnecting the actuator air hoses in reverse. Likewise, the corporate isolation policy would not have prevented this type of a valve malfunction. However, the process release would not have occurred if the corporate policy had been applied. The secondary block valve would have remained closed (assuming independent operation of the actuator switches) or process containment would have persisted behind the blind. In either case, the release hazard would have been effectively mitigated by preventing process from escaping in the event of a valve malfunction.

This discussion illustrates the underlying universal principle that regulatory and corporate policies cannot be expected to prevent human error. Regardless of the system involved, human error will always be a possible source of system malfunction. However, it is reasonable to expect that standards, policies and administrative controls will help prevent or minimize the consequences of catastrophic releases of toxic, reactive, flammable or explosive chemicals. For standards, policies or administrative controls to offer any protection, they must be applied. Failure to apply them will offer little to no protection, as was the case involving the 1989 Pasadena explosion and many other highly consequential industrial incidents in recent times. Operational discipline from everyone in the company must be sustained in all aspects of a PSM program every day.

Lessons learned

The 1989 Pasadena explosion provides several insights, as explained in the following sections.

Adherence to safe work practices. Often-perceived “inconvenient” adherence to safe work practices (SWPs) may create the incentive to pursue an alternative method that might appear to offer an easier way to achieve an equivalent level of protection. The danger occurs when the alternative work process, previously allowed by exception only, becomes common and then routine, to the point of transforming into normal day-to-day operations and maintenance. This is known collectively as a “normalization of the deviance”—an issue that has resulted in many significant incidents, such as the NASA Challenger explosion (which occurred 3 yr before the 1989 Pasadena explosion),7 and the Bhopal disaster in 1984 (5 yr before the 1989 Pasadena explosion).5

The lesson learned here is to recognize that process design, operating procedures and maintenance procedures are linked to an overall process safety and risk management program. When a system does not meet its design intent, an alternative operating method should not be sought to cope with the issue. Instead, the problem should be investigated, with the goal of addressing the root of the issue to achieve acceptable performance.8 If a design issue is present, then the design should be addressed. If an operation issue is found, then the operation should be examined. If a maintenance procedure is at fault, then the maintenance should be reevaluated. Alternative work practices that deviate from approved local or corporate policies should never be standardized.

Compliance with standards and regulations. Standards and regulations have been created and implemented for the benefit of workers. They exist to protect workers from what they do not know and cannot afford to learn through experience. Many standards and regulations originate from previous incidents that involved the catastrophic release of a hazardous substance or energy.

Governments often respond reactively, especially to events that make the news. Progressive companies have moved from reacting to incidents to proactively identifying potential issues and addressing them before an incident occurs. Since each facility has its own special issues, it is essential that everyone at the facility understands why compliance is needed. As was demonstrated by the Phillips 66 HCC explosion, failure to comply with corporate requirements can directly impact health and the environment.

The temptation to modify corporate standards with a substitute practice that meets the intent of the prescribed approach should be resisted. If circumstances at a facility prevent corporate standards from being fully implemented, there is an option. The more difficult choice is to change the corporate policy, but this approach may be required if compliance with a corporate policy is impossible and must, therefore, be managed by exception. On the other hand, the facility should invest in projects to close the conformance gap and achieve the minimum specifications dictated in corporate standards.

For the record, a facility can authorize temporary exceptions to policies that have been thoroughly reviewed to implement short-term, interim measures while the long-term solution is in progress. These exceptions must be documented and approved and include a mitigation plan to address potential hazards while the site works to achieve full conformance with corporate standards.

Removing or disabling safeguards. Many incidents happen when the available safeguards, whether engineering or administrative (or both), fail or are deliberately bypassed or removed.10 In some cases, engineering safeguards may be temporarily disabled to perform a specific job task and allow operations to take direct control over the process that is undergoing the work. Most facilities have a management system for safely removing safeguards on a temporary and “approved-by-exception-only” basis. The basic principle behind temporary safeguard removal is to retain adequate energy control so that any possibility for exposure is properly mitigated.

It is important never to be misled into thinking that removing safeguards—especially on a live process—for anything other than maintenance or testing of the safeguard itself is acceptable. The safeguards are in place for a very good reason, as is documented through a layer of protection analysis (LOPA), which has defined independent protective layers (IPLs) and the safety implications for their intentional removal or unexpected failure.11 Never should the temporary removal of established safeguards be considered “normal.”

Operating and maintenance discipline. It is well established that everyone in an organization must have the operational discipline to “carry out each task the right way, each time” when sustaining an effective process safety program. “Everyone” includes all personnel, whether they be engineers, technicians, operators, mechanics, electricians, supervisors or managers. It also includes workers in purchasing, warehousing and shipping.

Fig. 7. Operating in the safe operating space helps prevent incidents.9
Fig. 7. Operating in the safe operating space helps prevent incidents.9

Operational discipline is one of the three essential foundations for a successful process safety and risk management program, relying on and influencing the other two foundations: Safety leadership and culture, and process safety systems.12 Inherent in the process safety system for managing operations and maintenance are the company’s safe work practices.13,14 Industrial experiences by the authors, and as noted in the findings reported in many incident investigations, have proven that weaknesses in operational discipline at any point in the equipment’s lifecycle can adversely affect the safe operating zone of a facility.

Every process safety-related decision will directly or indirectly affect another part of a process safety program. Although it is not feasible to be an expert in each system that could be impacted, everyone must have a general understanding of how these systems interact so that everyone can safely execute their tasks every day. Simply stated, communication is needed between everyone to collaborate on a safe, collective path forward.

Living in the safe operating zone

A safe operating zone is created by simply operating a process every day within the equipment’s safe design limits, using standard operating procedures and maintaining equipment within the guidelines established in an inspection, testing, and preventive maintenance (ITPM) program.13,14 The risk of losing containment is increased when operating outside the safe zone (Fig. 7). In an unknown operating zone, the consequences of an incident are multiplied.

A “sense of vulnerability” is needed during day-to-day activities. Ultimately, one’s willingness to perform work according to prescribed safe practices will protect him or her from learning things at a cost that cannot be recovered. Operating in a safe operating zone maintains process stability; more importantly, it saves lives. Hazards and their risks should not be feared, but rather observed and safely managed. HP

Acknowledgments

The authors sincerely appreciate the guidance of the many process safety and reliability professionals who have helped develop these concepts over the past 30 yr. Their contributions continue to refine and improve our ability to mitigate industrial safety risks—personnel, process, environmental and business. In particular, special appreciation is extended to Dr. Stewart Behie for his critical review of drafts of this article. As process safety continues to advance globally, case studies like this one protect us and others from unintended harm. The health and safety of people, communities and the environment depend on our collective efforts.

Literature cited

  1. U.S. Department of Labor, “Phillips 66 company chemical complex explosion and fire,” U.S. Department of Labor, OSHA, Washington, DC, 1990.
  2. White, D., “Wrong Pasadena,” Industrial Fire World, Vol. 24, No. 5, 2009.
  3. The 100 Largest Losses in the Hydrocarbon Industry, 1978–2017, “Large property damage losses in the hydrocarbon industry,” 25th Ed., Marsh & McLennan Companies, London, UK, 2018.
  4. Browning, J. B., “Union Carbide: Disaster at Bhopal,” Crisis Response: Inside Stories on Managing Under Siege, Visible Ink Press, Detroit, Michigan, 1993.
  5. Bloch, K., Rethinking Bhopal: A Definitive Guide to Inventing, Preventing and Learning from Industrial Disasters, Elsevier, Amsterdam, the Netherlands, 2016.
  6. Bethea, R. M., “Explosion and fire at the Phillips company Houston chemical complex, Pasadena, TX,” Louisiana State Minerals Processing Research Insititute (MPRI), Baton Rouge, Louisiana, 1997.
  7. CCPS, Recognizing and Responding to Normalization of Deviance, John Wiley & Sons, Hoboken, New Jersey, 2018.
  8. CCPS, Guidelines for Investigating Process Safety Incidents, 3rd Ed., John Wiley & Sons, Hoboken, New Jersey, 2019.
  9. CCPS, “Process safety metrics: Guide for selecting leading and lagging indicators,” Center for Chemical Process Safety, AIChE, New York, New York, 2019.
  10. Vaughen, B. K. and K. Bloch, “Use the bow tie diagram to help reduce process safety risks,” Chemical Engineering Progress, Vol. 112, No. 12, 2016.
  11. CCPS, Layer of Protection Analysis (LOPA): Simplified Risk Assessment, John Wiley & Sons, Hoboken, New Jersey, 2001.
  12. Vaughen, B. K., J. A. Klein and J. W. Champion, “Our process safety journey continues: Operational discipline today,” Process Safety Progress, Vol. 37, No. 4, 2018.
  13. Klein, J. A. and B. K. Vaughen, Process Safety: Key Concepts and Practical Approaches, CRC Press, Boca Raton, Florida, 2017.
  14. CCPS, Guidelines for Risk Based Process Safety (RBPS), John Wiley & Sons, New York, New York, 2007

The Authors

Related Articles

From the Archive

Comments

Comments

{{ error }}
{{ comment.comment.Name }} • {{ comment.timeAgo }}
{{ comment.comment.Text }}