On December 2-3, 1984, the world’s worst industrial disaster took place in Bhopal, India. The villagers were asleep as methyl isocyanate gas leaked from a nearby pesticide plant owned by Union Carbide India Ltd, killing at least 4,000 people, while causing significant morbidity and premature death for thousands more.

Even after nearly 35 years, the aftermath of the tragedy continues to haunt villagers in the area, physically and psychologically. Tze Lin Kok, Yeuan Jer Choong, Chee Kean Looi and Jing Han Siow, Universiti Teknologi Petronas, Malaysia, write about the learning outcomes from the disaster. 

Bhopal gas tragedy

On the evening of December 2, 1984, operators began routine maintenance activities in the factory owned by Union Carbide India Limited (UCIL).

Washing of pipes was performed to keep a filter system clean by flushing contaminants out with water (Reference 3 explains why). It will never be possible to know exactly how water reached a tank of a highly reactive pesticide intermediate(2), but the most widely accepted theory is as follows: one of the overflow devices downstream from the filter was blocked.

Water began to flow back into the vent system through a leaking isolation valve. Water could not have flowed so far if the safety procedure had been followed, whereby a slip blind is installed to achieve an impenetrable seal between the pipes.

Water travelled through hundreds of metres of pipes from the filter, eventually reaching storage tank E-610 containing 42 tonnes of methyl isocyanate (MIC)(1).

The pressure gauges connected to the tank were ignored as operators presumed the gauges to be faulty. Also, there was no reliable way of monitoring the tank temperature.

The pressure of the tank was supposed to be maintained at a certain level with inert gas to prevent backflow into the tank. However, there was an undetected leaky valve connecting the tank to the plant’s main pipe system. If gas could get out, then water could get in.

A chemical reaction between MIC and water began, and heat was generated. The reaction mixture inside the tank progressively warmed as conditions moved closer to a thermal runaway reaction.

The tank should have been kept cool with a refrigeration system, which had been switched off months earlier. Soon, the thermal runaway reaction took place.

Hot MIC vapour burst through the tank’s automatic pressure relief system and started to escape through the dysfunctional vent gas scrubber, which was meant to neutralise toxic gas exhaust from the plant.

When the operator finally noticed the actual condition inside the tank, it was already too late to stop the catastrophic loss of process containment. At this point, nothing could have been done to stop the release.

The deadly gas drifted downwind into surrounding communities, causing the death of thousands of residents of Bhopal, leading to what is known as the world’s worst industrial disaster, the Bhopal gas tragedy.

The sequence of events leading to the disaster is illustrated in Figure 1. It should be noted that if any of the safety measures (in green boxes) had been functioning properly, the incident could have been prevented.

Learning outcomes

Several lessons learned are presented. They can be applied to other industries to strengthen an organisation’s defence mechanism against failures.

Asset integrity and reliability

Equipment and instrumentation failures are summarised as follows(3, 4):

  • The refrigeration system was turned off;
  • Pressure gauge was thought to be faulty, hence its readings were ignored by the operators;
  • Tank temperature was not logged;
  • The MIC storage tank was not pressurised due to a leaky valve;
  • The tank’s high-temperature alarm was not functioning;
  • Vent gas scrubber (VGS) was under maintenance;
  • VGS could not handle the large influx of MIC even if it were in operation;
  • The evacuation tank E-619 was not empty;
  • Iron pipelines were allowed to corrode;
  • Water curtains, which were 10 metres high, were not tall enough to reach the stack of VGS, which was 30 metres high;
  • Flare tower was disconnected from the plant pipe system;
  • Many valves, vent lines and feed lines were in poor condition.

Mechanical integrity programmes ensure the design, installation and maintenance of equipment are fit for use from when they are fabricated to their retirement. It involves three approaches to properly address design, operational and technical deficiencies, which include:

  • Plan and implement preventive, predictive, proactive and corrective maintenance procedures to maintain equipment integrity;
  • Provide proper training to each worker in terms of process overview, hazards and maintenance procedures;
  • Inspect, test, correct and record any defects that are outside acceptable limits in a timely manner.

Inherently safer design (ISD)

The UCIL plant reacted methylamine with phosgene to produce MIC, which was then reacted with 1-naphthol to produce the fertiliser product carbaryl.

The process involves the formation of the intermediate compound, MIC, which is very hazardous. Inherent safety should have been applied in hazard management(5).

The inherent safety approach is a concept of avoiding hazards at source instead of controlling them. The four main approaches, with some example actions that could have been taken, are listed as follows:

1.) Minimise, or use small quantities of hazardous substances:

  • Reduce hazardous MIC intermediate inventory as it is not essential as a raw material nor as a product;
  • Keep incompatible materials apart and avoid water for washing or any other purposes.

2.) Substitute, or replace hazardous reactions with another of less hazard:

  • Use a safer route by reacting alphanaphthol and phosgene to produce chloroformate ester, followed by reaction with methylamine to yield carbaryl to avoid MIC formation, regardless of higher operating costs.

3.) Moderate, or reduce the strength of an effect:

  • Separate UCIL plant location from potentially impacted people, evacuation points and emergency response facilities;
  • Store MIC in several smaller tanks instead of two big concentrated ones.

4.) Simplify, or eliminate unnecessary complexity to reduce risk of human error:

  • Design equipment to totally contain MIC at ambient temperature or the maximum attainable process temperature.

If engineers adopt inherent safety in their plant designs, risk control would not be so dependent upon regulation, operator training, protective systems and so on.

Process Hazard Analysis (PHA)

Starting from the UCIL plant formulation stage itself, hazard assessment had not been highlighted by the company nor the local authority in evaluating the certainty of potential rare events in complex facilities.

At the corporate level, the major errors include not evaluating the feasibility and safety levels of a toxic facility close to a railway station and centre of population.

At the governmental and regulatory level, the errors include permitting the construction of the MIC plant amid the local community without assessing the potential hazards, or reviewing the risk as people started building houses close to the factory.

Thus, a rigorous process hazard analysis which identifies, evaluates and controls hazards involved in a process should be adopted to anticipate the catastrophic potential of a toxic facility and to make necessary prevention and mitigation strategies.

A comprehensive PHA must at least address process hazards, engineering and administrative controls, consequences of deviation and steps required to correct or avoid deviation.

Pre-Startup Safety Review (PSSR)

Pre-startup safety review (PSSR) is a way to identify, evaluate and control issues proactively before an activity is given the permission to proceed.

Had thorough checking and isolation of the MIC storage lines been enforced before washing, the accident could have been prevented. PSSR shall confirm that prior to the operation of critical activities, the criteria below are achieved:

  1. Equipment is in accordance with permissible design specifications.
  2. Adequate safety, operating, maintenance and emergency procedures are in place.
  3. Process hazard analysis has been resolved.
  4. Training of each employee involved in an operation has been completed. 

Employee participation

As a part of an economy drive, the period of safety training on site was reduced from six months to 15 days. Manpower in safety and maintenance was also cut down intensively to save costs.

This substandard system indirectly brought about the tragedy due to the operators’ poor perception of risk severity, neglecting specific instructions, giving orders without comprehending the nature of the task, failure to communicate and not taking efficient corrective measures(4).

The previous minor accidents were indicative of eroded operator performance beyond minimum compliance in a highly hazardous plant.

Hence, employee participation in decision making, resources of knowledge and planning and implementation of safety measures in a reasonable manner is of utmost importance.

An employee involvement programme may include regular training and performance assessment to ensure their competency level, developing and reviewing of operating and maintenance procedures and incident investigations.

Human error prediction and rectification

To address human errors caused by slips, lapses or mistakes, the possibility of failure affected by different error producing conditions (EPC) should be considered to varying degrees.

Through quantitative assessment of each factor that is potentially relevant to the situation, human error probability (HEP) can be estimated.

Before any operations, the human error assessment and reduction technique (HEART) should be employed to assess whether the calculated HEP is acceptable or not and if corrective actions are needed to reduce the likelihood of errors.

To formulate the most cost- and time-effective error reduction strategies, sensitivity analysis can be further used to pinpoint the factors that have the greatest effect on error probability.
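The HEART calculation and sensitivity ranking described above, as an added example that is not part of the original article: HEP is the nominal unreliability of the task multiplied, for each EPC, by ((maximum multiplier − 1) × assessed proportion of affect + 1). The nominal value, EPC multipliers, proportions and acceptance target are constructed sample values, not taken from the article or from any assessment of the Bhopal plant.

```python
from math import prod

def heart_hep(nominal, epcs):
    """HEART: nominal unreliability times, for each EPC,
    ((max multiplier - 1) * assessed proportion of affect + 1), capped at 1."""
    factor = prod((mult - 1.0) * apoa + 1.0 for mult, apoa in epcs.values())
    return min(1.0, nominal * factor)

def sensitivity(nominal, epcs):
    """Rank EPCs by the drop in HEP achieved if that condition were eliminated."""
    base = heart_hep(nominal, epcs)
    drops = []
    for name in epcs:
        remaining = {k: v for k, v in epcs.items() if k != name}
        drops.append((name, base - heart_hep(nominal, remaining)))
    return sorted(drops, key=lambda d: d[1], reverse=True)

def needs_corrective_action(hep, target):
    """True when the estimated HEP exceeds the acceptance target."""
    return hep > target

# Constructed sample assessment (all values are assumptions for illustration).
NOMINAL = 0.003          # assumed nominal unreliability for the task type
TARGET = 0.01            # assumed acceptance criterion for this task
EPCS = {                 # name: (maximum multiplier, assessed proportion 0..1)
    "operator inexperience": (3.0, 0.5),
    "poor instrument feedback": (4.0, 0.5),
    "shortage of time": (11.0, 0.2),
}

if __name__ == "__main__":
    hep = heart_hep(NOMINAL, EPCS)
    action = needs_corrective_action(hep, TARGET)
    print(f"HEP = {hep:.4f}, corrective action needed: {action}")
    for name, drop in sensitivity(NOMINAL, EPCS):
        print(f"  removing '{name}' lowers HEP by {drop:.4f}")
```

The ranking shows that the condition with the largest maximum multiplier is not automatically the only one worth addressing: the assessed proportion decides how much each condition actually contributes.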

Leading and lagging indicators

The next level of management errors in the accident consisted of system-related errors, which included:

  • Negligence on earlier minor MIC leakages or ‘near misses’ that caused burns and deaths;
  • Failure to improve after earlier inspection that reported concerns on leaks of phosgene, MIC and chloroform, ruptures in pipework and sealed joints, defective gauges and indicators and unsatisfactory instruction methods.

To evaluate how well a facility is functioning, leading and lagging indicators should be used to measure performance gaps between current and desired performance precisely.

A leading indicator such as a safety audit is proactive monitoring that examines the effectiveness of a facility through routine and systemic inspection and provides an early warning of potential incidents.

A lagging indicator, such as accident investigation, is results oriented. It keeps track of undesired events to measure compliance with safety rules.

Emergency response planning (ERP)

Corporate management has an undeniable responsibility in establishing proper emergency response procedures, which serve as the last layer of defence to reduce the consequences in cases of loss of control.

Some prerequisites for an effective ERP which UCIL failed to deliver before, during and after the incident include:

  • Before leakage – potential airborne hazards, toxicity of emissions and treatment methods in case of accident were not disseminated. There was no knockdown tank to direct discharged MIC to flare tower;
  • During leakage – ad hoc response by operators was prone to errors as severe stress hindered rational decision-making;
  • After leakage – delayed and less noisy warning alarm that could not be heard outside the factory, lack of evacuation routes and late information delivered to police officials and hospitals for treatment due to lack of detailed rehearsal of emergency with active involvement of all management levels.

The essence of ERP includes preparedness, response and recovery as a strategy to minimise injury, property and public damage and to provide immediate resumption of normal operations.

The three main components of ERP include:

  1. Prevention – identify credible scenarios and assess operating procedures and safety measures.
  2. Internal and external communication – share information with site emergency responders and neighbouring communities.
  3. Mitigation – internal emergency planning and co-operation with external services.

Safety as a prime concern

Analysis of the Bhopal accident indicates that all human-initiated catastrophes can be traced back to management failures. Yet these inadequacies are often poorly tackled as production or financial targets are always the major concern along with simultaneous loss and slipping of knowledge and expertise.

As it is hard to analyse the probabilities of undesirable events in a complex system accurately, the status of safety management and compliance to regulations at both corporate and governmental levels has to be high.

For this, a sense of preparedness and open-mindedness has to be stimulated and equipped to diminish the risks of occurrence of detrimental events.

Authors: Tze Lin Kok, Yeuan Jer Choong, Chee Kean Looi and Jing Han Siow, Universiti Teknologi Petronas, Malaysia.

References

1.) Anon, Bhopal – the company’s report. Loss Prevention Bulletin, 1985(63).

2.) Macleod, F, Impressions of Bhopal. Loss Prevention Bulletin, 2014(240): p. 3-9.

3.) Bloch, K and B Jung, Understanding the impact of unreliable machinery. Loss Prevention Bulletin, 2014(240): p. 13-16.

4.) Eckerman, I, The Bhopal saga: causes and consequences of the world’s largest industrial disaster. 2005: Universities press.

5.) Graeme, E, Are we doing enough to reduce hazards at source? Loss Prevention Bulletin, 2014(240).

(Main image: Stefan Krasowski, New York, NY, USA – Bhopal Sambhavna Trust 05, CC BY 2.0, https://commons.wikimedia.org/w/index.php?curid=57398061)

This article was reproduced with the kind permission of The Institution of Chemical Engineers (IChemE), which advances chemical engineering's contribution worldwide for the benefit of society. It supports the development of chemical engineering professionals and provides connections to a powerful network of about 35,000 members in 100 countries. More information: www.icheme.org