Date: 1 June 1974
Location: Flixborough, United Kingdom
Similar: Buncefield fire, Seveso disaster, Bhopal disaster, Phillips disaster of 1989, Texas City Refinery explosion
Flixborough disaster 1974
The Flixborough disaster was an explosion at a chemical plant close to the village of Flixborough, North Lincolnshire, England, on Saturday, 1 June 1974. It killed 28 people and seriously injured 36 out of a total of only 72 people on site at the time. The casualty figures could have been much higher if the explosion had occurred on a weekday, when the main office area would have been occupied. A contemporary campaigner on process safety wrote "the shock waves rattled the confidence of every chemical engineer in the country".
The disaster involved (and may well have been caused by) a hasty modification. Mechanical engineering issues with the modification were overlooked by the managers (chemical engineers) who approved it, and the severity of the potential consequences of its failure was not appreciated.
Flixborough led to a widespread public outcry over process plant safety. Together with the passage of the Health and Safety at Work Act in the same year it led to (and is often quoted in justification of) a more systematic approach to process safety in UK process industries, and – in conjunction with the Seveso disaster and the consequent EU 'Seveso directives' – to explicit UK government regulation of plant processing or storing large inventories of hazardous materials, currently (2014) by the Control of Major Accident Hazards Regulations 1999 (COMAH).
The chemical works, owned by Nypro UK (a joint venture between Dutch State Mines (DSM) and the British National Coal Board (NCB)), had originally produced fertiliser from by-products of the coke ovens of a nearby steelworks. Since 1967, it had instead produced caprolactam, a chemical used in the manufacture of nylon 6. The caprolactam was produced from cyclohexanone. This was originally produced by hydrogenation of phenol, but in 1972 additional capacity was added, built to a DSM design in which hot liquid cyclohexane was partially oxidised by compressed air. The plant was intended to produce 70,000 tpa (tons per annum) of caprolactam but was reaching a rate of only 47,000 tpa in early 1974. Government controls on the price of caprolactam put further financial pressure on the plant.
It was a failure of this plant that led to the disaster. A major leak of liquid from the reactor circuit caused the rapid formation of a large cloud of flammable hydrocarbon. When this met an ignition source (probably a furnace at a nearby hydrogen production plant) there was a massive fuel-air explosion. The plant control room collapsed, killing all 18 occupants. Nine other site workers were killed, and a delivery driver died of a heart attack in his cab. Fires started on-site which were still burning ten days later. Around 1,000 buildings within a mile radius of the site (in Flixborough itself and in the neighbouring villages of Burton upon Stather and Amcotts) were damaged, as were nearly 800 in Scunthorpe (three miles away); the blast was heard over thirty miles away in Grimsby and Hull. Images of the disaster were soon shown on television thanks to BBC and Yorkshire Television filmstock news crews who had been covering the Appleby-Frodingham Gala in Scunthorpe that afternoon.
The plant was re-built but cyclohexanone was now produced by hydrogenation of phenol (Nypro proposed to produce the hydrogen from LPG; in the absence of timely advice from the Health and Safety Executive (HSE) planning permission for storage of 1200 te LPG at Flixborough was initially granted subject to HSE approval, but HSE objected); as a result of a subsequent collapse in the price of nylon it closed down a few years later. The site was demolished in 1981, although the administration block still remains. The site today is home to the Flixborough Industrial Estate, occupied by various businesses and Glanford Power Station.
The foundations of properties severely damaged by the blast and subsequently demolished can be found on land between the estate and the village, on the route known as Stather Road. A memorial to those who died was erected in front of offices at the rebuilt site in 1977. Cast in bronze, it showed mallards alighting on water. When the plant was closed, the statue was moved to the pond at the parish church in Flixborough. During the early hours of New Year's Day 1984 the sculpture was stolen. It has never been recovered but the plinth it stood on, with a plaque listing all those who died that day, can still be found outside the church.
The cyclohexane oxidation process is still operated in much the same plant design in the Far East.
In the DSM process, cyclohexane was heated to about 155 °C (311 °F) before passing into a series of six reactors. The reactors were constructed from mild steel with a stainless steel lining; when operating they held in total about 145 tonnes of flammable liquid at a working pressure of 8.8 kg/cm2 gauge (0.86 MPa gauge; 125 psig). In each of the reactors, compressed air was passed through the cyclohexane, causing a small percentage of the cyclohexane to oxidise and produce cyclohexanone, some cyclohexanol also being produced. Each reactor was slightly (approximately 14 inches, 350 mm) lower than the previous one, so that the reaction mixture flowed from one to the next by gravity through nominal 28-inch bore (DN 700 mm) stub pipes with inset bellows. The inlet to each reactor was baffled so that liquid entered the reactors at a low level; the exiting liquid flowed over a weir whose crest was somewhat higher than the top of the outlet pipe. The mixture exiting reactor 6 was processed to remove reaction products, and the unreacted cyclohexane (only about 6% was reacted in each pass) then returned to the start of the reactor loop.
Although the operating pressure was maintained by an automatically controlled bleed valve once the plant had reached steady state, the valve could not be used during start-up, when there was no air feed, the plant being pressurised with nitrogen. During start-up the bleed valve was normally isolated and there was no route for excess pressure to escape; pressure was kept within acceptable limits (slightly wider than those achieved under automatic control) by operator intervention (manual operation of vent valves). A pressure-relief valve acting at 11 kg/cm2 (156 psi) gauge was also fitted.
Reactor 5 leaks and is bypassed
Two months prior to the explosion, the number 5 reactor was discovered to be leaking. When lagging was stripped from it, a crack extending about 6 feet (1.8 m) was visible in the mild steel shell of the reactor. It was decided to install a temporary pipe to bypass the leaking reactor to allow continued operation of the plant while repairs were made. In the absence of 28-inch nominal bore pipe (DN 700 mm), 20-inch nominal bore pipe (DN 500 mm) was used to fabricate the bypass pipe for linking reactor 4 outlet to reactor 6 inlet. The new configuration was tested for leak-tightness at working pressure by pressurisation with nitrogen. For two months after fitting, the bypass was operated continuously at temperature and pressure and gave no trouble. At the end of May (by which time the bypass had been lagged) the reactors had to be depressurised and allowed to cool in order to deal with leaks elsewhere. The leaks having been dealt with, early on 1 June attempts began to bring the plant back up to pressure and temperature.
At about 16:53 on Saturday 1 June 1974, there was a massive release of hot cyclohexane in the area of the missing reactor 5, followed shortly by ignition of the resulting cloud of flammable vapour and a massive explosion in the plant. It virtually demolished the site. Since the accident took place at a weekend there were relatively few people on site: of those on-site at the time, 28 were killed and 36 injured. Fires continued on-site for more than ten days. Off-site there were no fatalities, but 50 injuries were reported and about 2,000 properties damaged.
The occupants of the works laboratory had seen the release and evacuated the building before the release ignited; most survived. None of the 18 occupants of the plant control room survived, nor did any records of plant readings. The explosion appeared to have been in the general area of the reactors and after the accident only two possible sites for leaks before the explosion were identified: "the 20 inch bypass assembly with the bellows at both ends torn asunder was found jack-knifed on the plinth beneath" and there was a 50-inch long split in nearby 8-inch nominal bore stainless steel pipework.
Court of Inquiry
Immediately after the accident, New Scientist commented presciently on the normal official response to such events, but hoped that the opportunity would be taken to introduce effective government regulation of hazardous process plants.
Disasters on the scale of last Saturday's tragic explosion ... at Flixborough tend to provoke a brief wave of statements that such things must never happen again. With the passage of time these sentiments are diluted into bland reports about human error and everything being well under control – as happened with the Summerland fire. In the Flixborough case, there is a real chance that the death toll could trigger meaningful changes in a neglected aspect of industrial safety.
The Secretary of State for Employment set up a Court of Inquiry to establish the causes and circumstances of the disaster and identify any immediate lessons to be learned, and also an expert committee to identify major hazard sites and advise on appropriate measures of control for them. The Inquiry sat for 70 days in the period September 1974 – February 1975, and took evidence from over 170 witnesses. In parallel, an Advisory Committee on Major Hazards was set up to look at the longer term issues associated with hazardous process plant.
Circumstances of the disaster
The report of the court of inquiry was critical of the installation of the bypass pipework on a number of counts. Although plant and senior management were chartered engineers (mostly chemical engineers), the post of Works Engineer, which had been occupied by a chartered mechanical engineer, had been vacant since January 1974, and at the time of the accident there were no professionally qualified engineers in the works engineering department. Nypro had recognised this to be a weakness and identified a senior mechanical engineer in an NCB subsidiary as available to provide advice and support if requested. At a meeting of plant and engineering managers to discuss the failure of Reactor 5, the external mechanical engineer was not present. The emphasis was upon prompt restart and – the inquiry felt – although this did not lead to the deliberate acceptance of hazards, it led to the adoption of a course of action whose hazards (and indeed engineering practicalities) were not adequately considered or understood. The major problem was thought to be getting reactor 5 moved out of the way. Only the plant engineer was concerned about restarting before the reason for the failure was understood, and the other reactors inspected. The difference in elevation between reactor 4 outlet and reactor 6 inlet was not recognised at the meeting. At a working level the offset was accommodated by a dog-leg in the bypass assembly: a section sloping downwards inserted between (and joined by mitre welds to) two horizontal lengths of 20-inch pipe abutting the existing 28-inch stubs. This bypass was supported by scaffolding fitted with supports provided to prevent the bellows having to take the weight of the pipework between them, but with no provision against other loadings. The Inquiry noted on the "design" of the assembly:
No-one appreciated that the pressurised assembly would be subject to a turning moment imposing shear forces on the bellows for which they are not designed. Nor did anyone appreciate that the hydraulic thrust on the bellows (some 38 tonnes at working pressure) would tend to make the pipe buckle at the mitre joints. No calculations were done to ascertain whether the bellows or pipe would withstand these strains; no reference was made to the relevant British Standard, or any other accepted standard; no reference was made to the designer's guide issued by the manufacturers of the bellows; no drawing of the pipe was made, other than in chalk on the workshop floor; no pressure testing either of the pipe or the complete assembly was made before it was fitted.
The Inquiry noted further that "there was no overall control or planning of the design, construction, testing or fitting of the assembly nor was any check made that the operations had been properly carried out". After the assembly was fitted, the plant was tested for leak-tightness by pressurising with nitrogen to 9 kg/cm2; i.e. roughly operating pressure, but below the pressure at which the system relief valve would lift and below the 30% above design pressure called for by the relevant British Standard.
Cause of the disaster
The 20-inch bypass was therefore clearly not what would have been produced or accepted by a more considered process, but controversy developed (and became acrimonious) as to whether its failure was the initiating fault in the disaster (the 20-inch hypothesis, argued by the plant designers (DSM) and the plant constructors, and favoured by the court's technical advisers) or had been triggered by an external explosion resulting from a previous failure of the 8-inch line (the 8-inch hypothesis, argued by experts retained by Nypro and their insurers).
The 20-inch hypothesis
Tests on replica bypass assemblies showed that bellows squirm could occur at pressures below the safety valve setting, but that squirm did not lead to a leak (either from damage to the bellows or from damage to the pipe at the mitre welds) until well above the safety valve setting. However, theoretical modelling suggested that the expansion of the bellows as a result of squirm would lead to a significant amount of work being done on them by the reactor contents, and there would be considerable shock loading on the bellows when they reached the end of their travel. If the bellows were 'stiff' (resistant to squirm), the shock loading could cause the bellows to tear at pressures below the safety valve setting; it was not impossible that this could occur at pressures experienced during start-up, when pressure was less tightly controlled. (Plant pressures at the time of the accident were unknown since all relevant instruments and records had been destroyed, and all relevant operators killed.) The Inquiry concluded that this ("the 20-inch hypothesis") was 'a probability' but one 'which would readily be displaced if some greater probability' could be found.
The 8-inch hypothesis
Detailed analysis suggested that the 8-inch pipe had failed due to creep cavitation at a high temperature while the pipe was under pressure. Failure had been accelerated by contact with molten zinc and there were indications that an elbow in the pipe had been at significantly higher temperature than the rest of the pipe. The hot elbow led to a non-return valve held between two pipe flanges by twelve bolts. After the disaster, two of the twelve bolts were found to be loose; the inquiry concluded that they were probably loose before the disaster. Nypro argued that the bolts had been loose, there had consequently been a slow leak of process fluid onto lagging leading eventually to a lagging fire, which had worsened the leak to the point where a flame had played undetected upon the elbow, burnt away its lagging and exposed the line to molten zinc, the line then failing with a bulk release of process fluid which extinguished the original fire, but subsequently ignited giving a small explosion which had caused failure of the bypass, a second larger release and a larger explosion. Tests failed to produce a lagging fire with leaked process fluid at process temperatures; one advocate of the 8-inch hypothesis then argued instead that there had been a gasket failure giving a leak with sufficient velocity to induce static charges whose discharge had then ignited the leak.
The inquiry conclusion
The 8-inch hypothesis was claimed to be supported by eyewitness accounts and by the apparently anomalous position of some debris post-disaster. The inquiry report took the view that explosions frequently throw debris in unexpected directions and eyewitnesses often have confused recollections. The inquiry identified difficulties at various stages of the accident development in the 8-inch hypothesis, their cumulative effect being considered to be such that the report concluded that overall the 20-inch hypothesis involving 'a single event of low probability' was more credible than the 8-inch hypothesis depending upon 'a succession of events, most of which are improbable'.
Lessons to be learned
The inquiry report identified 'lessons to be learned' which it presented under various headings. The 'General observation' (relating to cultural issues underlying the disaster) and the 'specific lessons' (directly relevant to the disaster, but of general applicability) are reported below; there were also 'general' and 'miscellaneous lessons' of less relevance to the disaster. The report also commented on matters to be covered by the Advisory Committee on Major Hazards.
The disaster was caused by 'a well designed and constructed plant' undergoing a modification that destroyed its technical integrity.
When the bypass was installed, there was no works engineer in post and company senior personnel (all chemical engineers) were incapable of recognising the existence of a simple engineering problem, let alone solving it.
Matters to be referred to the Advisory Committee
No one concerned in the design or construction of the plant envisaged the possibility of a major disaster happening instantaneously. It was now apparent that such a possibility exists where large amounts of potentially explosive material are processed or stored. It was 'of the greatest importance that plants at which there is a risk of instant as opposed to escalating disaster be identified. Once identified measures should be taken both to prevent such a disaster so far as is possible and to minimise its consequences should it occur despite all precautions.' There should be coordination between planning authorities and the Health and Safety Executive, so that planning authorities could be advised on safety issues before granting planning permission; similarly the emergency services should have information to draw up a disaster plan.
The inquiry summarised its findings as follows:
We believe, however, that if the steps we recommend are carried out, the risk of any similar disaster, already remote, will be lessened. We use the phrase "already remote" advisedly for we wish to make it plain that we found nothing to suggest that the plant as originally designed and constructed created any unacceptable risk. The disaster was caused wholly by the coincidence of a number of unlikely errors in the design and installation of a modification. Such a combination of errors is very unlikely ever to be repeated. Our recommendations should ensure that no similar combination occurs again and that even if it should do so, the errors would be detected before any serious consequences ensued.
Controversy as to immediate cause
Nypro's advisers had put considerable effort into the 8-inch hypothesis, and the inquiry report put considerable effort into discounting it. The critique of the hypothesis spilled over into criticism of its advocates: 'the enthusiasm for the 8-inch hypothesis felt by its proponents has led them to overlook obvious defects which in other circumstances they would not have failed to realise'. Of one proponent the report noted gratuitously that his examination by the court 'was directed to ensuring that we had correctly appreciated the main steps in the hypothesis some of which appeared to us in conflict with facts which were beyond dispute'. The report thanked him for his work in assembling eyewitness evidence but said his use of it showed 'an approach to the evidence which is wholly unsound'.
The proponent of the 8-inch gasket failure hypothesis responded by arguing that the 20-inch hypothesis had its share of defects which the inquiry report had chosen to overlook, that the 8-inch hypothesis had more in its favour than the report suggested, and that there were important lessons that the inquiry had failed to identify:
[T]he Court's commitment for the 20-inch hypothesis led them to present their conclusions in a way that does not help the reader to assess contrary evidence. The Court could still be right that a single unsatisfactory modification caused the disaster but this is no reason for complacency. There are many other lessons. It is to be hoped that the respect normally accorded to the findings of a Court of Inquiry will not inhibit chemical engineers in looking beyond the report in their endeavours to improve the already good safety record of the chemical industry.
The Flixborough inquiry findings have not been accorded the normal respect; one critic of them was able to note after a flurry of articles on the 25th anniversary:
In view of the Court of Inquiry's qualified conclusion, the cause of the accident has been the subject of considerable controversy, especially as to the actual failure process (e.g., Ball, 1975, 1976; Butler, 1975; Cox, 1976; Gugan, 1976; King, 1977; Warner, 1975; Warner and Newland, 1975); the amount of cyclohexane released, and whether the unconfined vapor cloud formed in the release detonated (e.g., Gugan, 1978, 1980; Ale and Bruning, 1980a, b; Fu and Eyre, 1980; Phillips, 1981). The debate and argument continue to this day (e.g., Gugan, 2000; Hoiset et al., 2000; King, 2000; Kletz, 2000; Swan, 2000).
The HSE website currently (2014) says "During the late afternoon on 1 June 1974 a 20 inch bypass system ruptured, which may have been caused by a fire on a nearby 8-inch pipe". In the absence of a strong consensus for either hypothesis other possible immediate causes have been suggested.
Post-enquiry forensic engineering – two-stage rupture of bypass
The enquiry noted the existence of a small tear in a bellows fragment, and therefore considered the possibility of a small leak from the bypass having led to an explosion bringing the bypass down. It noted this to be not inconsistent with eyewitness evidence, but ruled out the scenario because pressure tests showed the bellows did not develop tears until well above the safety valve pressure. The theory has however been revived, with the tears being caused by fatigue failure at the top of the reactor 4 outlet bellows because of flow-induced vibration of the unsupported bypass line. Finite element analysis has been carried out (and suitable eyewitness evidence adduced) to support this theory.
Post-enquiry forensic engineering – the 'water hypothesis'
The reactors were normally mechanically stirred but reactor 4 had operated without a working stirrer since November 1973; free phase water could have settled out in unstirred reactor 4, and the bottom of reactor 4 would reach operating temperature more slowly than the stirred reactors. It was postulated that there had been bulk water in reactor 4 and a disruptive boiling event had occurred when the interface between it and the reaction mixture reached operating temperature. Abnormal pressures and liquor displacement resulting from this (it was argued) could have triggered failure of the 20-inch bypass.
Dissatisfaction with other aspects of the Inquiry Report
The plant design had assumed that the worst consequence of a major leak would be a plant fire and to protect against this a fire detection system had been installed. Tests by the Fire Research Establishment had shown this to be less effective than intended. Moreover, fire detection only worked if the leak ignited at the leak site; it gave no protection against a major leak with delayed ignition, and the disaster had shown this could lead to multiple worker fatalities. The plant as designed therefore could be destroyed by a single failure and had a much greater risk of killing workers than the designers had intended. Critics of the inquiry report therefore found it hard to accept its characterisation of the plant as 'well-designed'. The HSE (through the Department of Employment) had come up with a 'shopping list' of about 30 recommendations on plant design, many of which had not been adopted (and a few explicitly rejected) by the Inquiry Report; the HSE inspector who acted as secretary to the inquiry spoke afterwards of making sure that the real lessons were acted upon. More fundamentally, Trevor Kletz saw the plant as symptomatic of a general failure to consider safety early enough in process plant design, so that designs were inherently safe – instead, processes and plant were selected on other grounds, and safety systems were then bolted on to a design with avoidable hazards and unnecessarily high inventory. 'We keep a lion and build a strong cage to keep it in. But before we do so we should ask if a lamb might do.'
If the UK public were largely reassured to be told the accident was a one-off and should never happen again, some UK process safety practitioners were less sanguine. Critics felt that the Flixborough explosion was not the result of multiple basic engineering design errors unlikely to coincide again; the errors were rather multiple instances of one underlying cause: a complete breakdown of plant safety procedures (exacerbated by a lack of relevant engineering expertise, but that lack was also a procedural shortcoming).
ICI Petrochemicals: 'A new world where new methods are needed'
The Petrochemicals Division of Imperial Chemical Industries (ICI) operated many plants with large inventories of flammable chemicals at its Wilton site (including one in which cyclohexane was oxidised to cyclohexanone and cyclohexanol). Historically good process safety performance at Wilton had been marred in the late 1960s by a spate of fatal fires caused by faulty isolations/handovers for maintenance work. Their immediate cause was human error but ICI felt that saying that most accidents were caused by human error was no more useful than saying that most falls are caused by gravity. ICI had not simply reminded operators to be more careful, but issued explicit instructions on the required quality of isolations, and the required quality of its documentation. The more onerous requirements were justified as follows:
Why do we need the HOC rules on the isolation and identification of equipment for maintenance? They were introduced about 2 years ago, but Billingham managed for 45 years without them. During those 45 years there were no doubt many occasions when fitters broke into equipment and found it had not been isolated, or broke into the wrong line because it had not been identified positively. But pipe-lines were mostly small, and the amount of flammable gas or liquid on the plant was not usually large. Now pipe-lines are much larger and the amount of gas or liquid that can leak out is much greater. Several serious incidents in the last 3 years have shown that we dare not risk breaking into lines that are not properly isolated. As plants have got larger we have moved ... into a new world where new methods are needed.
In accordance with this view, post-Flixborough (and without waiting for the Inquiry Report), ICI Petrochemicals instituted a review of how it controlled modifications. It found that major projects requiring financial sanction at a high level were generally well-controlled, but for more (financially) minor modifications there was less control and this had resulted in a past history of 'near-misses' and small-scale accidents, few of which could be blamed on chemical engineers. To remedy this, not only were employees reminded of the principal points to consider when making a modification (both on the quality/compliance of the modification itself and on the effect of the modification on the rest of the plant), but new procedures and documentation were introduced to ensure adequate scrutiny. These requirements applied not only to changes to equipment, but also to process changes. All modifications were to be supported by a formal safety assessment. For major modifications this would include an 'operability study'; for minor modifications a checklist-based safety assessment was to be used, indicating what aspects would be affected, and for each aspect giving a statement of the expected effect. The modification and its supporting safety assessment then had to be approved in writing by the plant manager and engineer. Where instruments or electrical equipment were involved, signatures would also be needed from the relevant specialist (instrument manager or electrical engineer). A Pipework Code of Practice was introduced specifying standards of design, construction and maintenance for pipework – all pipework over 3" nb (DN 75 mm) handling hazardous material would have to be designed by pipework specialists in the design office.
The approach was publicised outside ICI; while the Pipework Code of Practice on its own would have combatted the specific fault(s) that led to the Flixborough disaster, the adoption more generally of tighter controls on modifications (and the method by which this was done) were soon recognised to be prudent good practice. In the United Kingdom, the ICI approach became a de facto standard for high-risk plant (partly because the new (1974) Health and Safety at Work Act went beyond specific requirements on employers to state general duties to keep risks to workers as low as reasonably practicable and to avoid risk to the public so far as reasonably practicable; under this new regime the presumption was that recognised good practice would inherently be 'reasonably practicable' and hence should be adopted, partly because key passages in reports of the Advisory Committee on Major Hazards were clearly supportive).
Dissatisfaction with existing regulatory regime
The terms of reference of the Court of Inquiry did not include any requirement to comment on the regulatory regime under which the plant had been built and operated, but it was clear that it was not satisfactory. Construction of the plant had required planning permission approval by the local council; while "an interdepartmental procedure enabled planning authorities to call upon the advice of Her Majesty's Factory Inspectorate when considering applications for new developments which might involve a major hazard" (there was no requirement for them to do so), since the council had not recognised the hazardous nature of the plant they had not called for advice. As the New Scientist commented within a week of the disaster:
There are now probably more than a dozen British petrochemical plants with a similar devastation-potential to the Nypro works at Flixborough. Neither when they were first built, nor now that they are in operation, has any local or government agency exercised effective control over their safety. To build a nuclear power plant, the electricity industry must provide a detailed safety evaluation to the Nuclear Inspectorate before it receives a licence. On the other hand, permission for highly hazardous process plants only involves satisfying a technically unqualified local planning committee, which lacks even the most rudimentary powers once the plant goes on stream. ... The Factory Inspectorate has standing only where it has promulgated specific regulations
Terms of Reference and personnel
The ACMH's terms of reference were to identify types of (non-nuclear) installations posing a major hazard, and advise on appropriate controls on their establishment, siting, layout, design, operation, maintenance and development (including overall development in their vicinity). Unlike the Court of Inquiry, its personnel (and that of its associated working groups) had significant representation of safety professionals, drawn largely from the nuclear industry and ICI (or ex-ICI).
Suggested regulatory framework
In its first report (issued as a basis for consultation and comment in March 1976), the ACMH noted that hazard could not be quantified in the abstract, and that a precise definition of 'major hazard' was therefore impossible. Instead installations with an inventory of flammable fluids above a certain threshold or of toxic materials above a certain 'chlorine equivalent' threshold should be 'notifiable installations'. A company operating a notifiable installation should be required to survey its hazard potential, and inform HSE of the hazards identified and the procedures and methods adopted (or to be adopted) to deal with them.
HSE could then choose to – in some cases (generally involving high risk or novel technology) – require submission of a more elaborate assessment, covering (as appropriate) "design, manufacture, construction, commissioning, operation and maintenance, as well as subsequent modifications whether of the design or operational procedures or both". The company would have to show that "it possesses the appropriate management system, safety philosophy, and competent people, that it has effective methods of identifying and evaluating hazards, that it has designed and operates the installation in accordance with appropriate regulations, standards and codes of practice, that it has adequate procedures for dealing with emergencies, and that it makes use of independent checks where appropriate".
For most 'notifiable installations' no further explicit controls should be needed; HSE could advise and if need be enforce improvements under the general powers given it by the 1974 Health and Safety at Work Act (HASAWA), but for a very few sites explicit licensing by HSE might be appropriate; responsibility for safety of the installation remaining however always and totally with the licensee.
Ensuring safety of 'major hazard' installations
HASAWA already required companies to have a safety policy, and a comprehensive plan to implement it. ACMH felt that for major hazard installations the plan should be formal and include
Safety documents were needed both for design and operation. The management of major hazard installations must show that it possessed and used a selection of appropriate hazard recognition techniques, had a proper system for audit of critical safety features, and used independent assessment where appropriate.
The ACMH also called for tight discipline in the operation of major hazard plants:
The rarity of major disasters tends to breed complacency and even a contempt for written instructions. We believe that rules relevant to safety must be everyday working rules and be seen as an essential part of day-to-day work practice. Rules, designed to protect those who drew them up if something goes wrong, are readily ignored in day-to-day work. Where management lays down safety rules, it must also ensure that they are carried out. We believe that to this end considerable formality is essential in relation to such matters as permits to work and clearance certificates to enter vessels or plant areas. In order to keep strong control in the plant, the level of authority for authorisations must be clearly defined. Similarly the level of authority for technical approval for any plant modification must also be clearly defined. To avoid the danger of systems and procedures being disregarded, there should be a requirement for a periodic form of audit of them.
The ACMH's second report (1979) rejected criticisms that since accidents causing multiple fatalities were associated with extensive and expensive plant damage the operators of major hazard sites had every incentive to avoid such accidents and so it was excessive to require major hazard sites to demonstrate their safety to a government body in such detail:
We would not contest that the best run companies achieve high standards of safety, but we believe this is because they have .... achieved what is perhaps best described as technical discipline in all that they do.
We believe that the best practices must be followed by all companies and that we have reached a state of technological development where it is not sufficient in areas of high risk for employers merely to demonstrate to themselves that all is well. They should now be required to demonstrate to the community as a whole that their plants are properly designed, well constructed and safely operated.
The approach advocated by the ACMH was largely followed in subsequent UK legislation and regulatory action, but following the release of chlordioxins by a runaway chemical reaction at Seveso in northern Italy in July 1976, 'major hazard plants' became an EU-wide issue and the UK approach became subsumed in EU-wide initiatives (the Seveso Directive in 1982, superseded by the Seveso II Directive in 1996). A third and final report was issued when the ACMH was disbanded in 1983.