On January 25, 2005, an explosion occurred at the Acetylene Services Company (ASCO) facility in Perth Amboy, New Jersey, United States. ASCO generated and packaged acetylene for use in multiple industries. Three workers were killed in the explosion, and one other was injured. The explosion destroyed a storage shed at the facility, and windows were shattered in other buildings. The explosion also heavily damaged a building at a nearby manufacturing site.

Investigation

Building damage following an acetylene explosion at ASCO (Credits: US Chemical Safety and Hazard Investigation Board).

The United States Chemical Safety and Hazard Investigation Board (CSB) found that acetylene, a highly reactive and flammable gas, had inadvertently built up inside the storage shed near tanks used in the acetylene production process. Acetylene had flowed back past a check valve, through a recycled water line, and into the shed, where it accumulated, ignited, and exploded. The check valve did not prevent backflow as it should have, and according to the CSB the check valve design was susceptible to failure. The check valve was the only safeguard against backflow; no other barrier existed. The CSB stated that ASCO did perform a hazard analysis in 1996, but that analysis did not identify the hazards created by the location of the water line drain in the shed. The hazard analysis should have been updated in 2001, but ASCO failed to do so. As stated in the report, “In failing to update the [hazard analysis], a second opportunity to identify the conditions that led to the explosion was missed.” The report also noted that written operating procedures did not exist for many of the operating processes, including critical ones associated with this accident. For example, the report stated that operators did not use written procedures or checklists for startup of the acetylene generator.

Hazard Identification

This accident was caused in large part by a failure to identify what could go wrong, known as hazard identification. Hazard identification is arguably the most important part of the safety analysis effort. One could think of the hazard identification step as defining the problem to be solved. If one does not properly identify the problem then it becomes difficult to assess the risk or postulate solutions. Hazard identification takes persistence to characterize known hazards and creativity to identify the ways in which the system design or operation can lead to an accident. Hazard identification usually starts early in the development process, and then continues through development as new information becomes available on the system and its operation.

There are several approaches that can help visualize hazards. One approach is to use hazardous element checklists based on previous experience. Checklists are available from a number of sources, although safety practitioners should be aware that no checklist is ever complete. Another approach to identifying hazards is to use past experience to help drive the analysis. This approach works best when developing systems that are similar to those operated in the past. This approach can include review of previous hazard analyses, and can include operational experience and studies of mishaps and accidents.

Design practices, regulations, and standards can assist in the development of analyses. By understanding an accepted practice one can look for ways in which the new system can fail. These standards include safety criteria, such as the proper way to use relief valves. Regulations can be a good source of potential standards because many prescriptive rules, such as some Federal Aviation Administration regulations, came about as a result of an accident or incident.

Still another way to identify hazards is to consider individual failure states. Examples of failure states might include the following:

  • Failure to operate (including failure to start or stop operation)
  • Operates incorrectly or erroneously
  • Operates inadvertently
  • Operates at the wrong time
  • Receives or sends erroneous or conflicting data

The probable failure mode of the check valves used by ASCO; this failure was not reflected in the company’s hazard analysis (Credits: US Chemical Safety and Hazard Investigation Board).

Hazards should not just consider hardware failures. A hazard analysis should also consider software issues, unanticipated operation, environments, human error, design errors, and procedures. Hazard identification must consider all operating phases and states. The focus of most hazard analyses tends to be on hazards during operation, such as during launch of a space vehicle. However, there are hazards associated with transport of the equipment to the operational site, storage of components, maintenance actions, and so on. Not all hazards apply to all phases of operation. Hazards related to loading of cryogenic fuels in a space launch vehicle will not apply during equipment transport to the launch pad when the tanks are empty, for example. Hazard identification must also consider who or what is at risk. Some hazards may apply to maintenance personnel while others may affect the uninvolved public or hardware assets. For example, a propellant leak may lead to fire and explosion that can injure on-site workers and damage facilities.

As the development life cycle proceeds, new hazards are uncovered and some previously identified hazards may no longer be relevant. The life cycle includes not only the initial development but also the operation of the system. If the hazard analysis is not revisited and updated throughout the life cycle, resources may be expended on previously identified hazards that are no longer relevant. More importantly, new hazards may go unidentified as the design matures or as operators gain experience with the system.
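The failure-state checklist, the phase and at-risk considerations, and the life-cycle revalidation point above can be combined into a small structured hazard identification pass. The following is an added illustration, not code from the post or from the CSB; the system description is constructed from the ASCO narrative, and the five-year revalidation interval is inferred from the 1996 analysis and 2001 due date given in the text.

```python
from dataclasses import dataclass
from datetime import date

# Generic failure states, taken from the checklist in the text.
FAILURE_STATES = (
    "fails to operate",
    "operates incorrectly",
    "operates inadvertently",
    "operates at the wrong time",
    "erroneous or conflicting data",
)

@dataclass(frozen=True)
class Element:
    name: str
    phases: tuple          # operating phases in which the element is active
    safeguards: tuple      # independent barriers that stop a failure propagating
    at_risk: tuple         # who or what the failure can harm

@dataclass(frozen=True)
class Hazard:
    element: str
    failure_state: str
    phase: str
    safeguards: tuple
    at_risk: tuple

def identify_hazards(elements):
    """Cross every element with every failure state and every phase it is active in."""
    return [Hazard(e.name, fs, ph, e.safeguards, e.at_risk)
            for e in elements for fs in FAILURE_STATES for ph in e.phases]

def single_safeguard(hazards):
    """Hazards relying on at most one barrier (ASCO's backflow path had only the check valve)."""
    return [h for h in hazards if len(h.safeguards) <= 1]

def analysis_is_stale(last_updated, as_of, interval_years=5):
    """Interval is an assumption inferred from the page's 1996 analysis / 2001 due date."""
    return as_of >= last_updated.replace(year=last_updated.year + interval_years)

# Constructed system description modelled on the ASCO narrative (not CSB data).
ASCO_ELEMENTS = (
    Element("recycled water line drain into shed", ("generator operation", "generator startup"),
            ("check valve",), ("on-site workers", "storage shed", "neighbouring facility")),
    Element("acetylene generator startup", ("generator startup",), (), ("on-site workers",)),
)

def review(elements, last_updated, as_of):
    hazards = identify_hazards(elements)
    return {"hazards": len(hazards),
            "single_safeguard": sorted({h.element for h in single_safeguard(hazards)}),
            "analysis_stale": analysis_is_stale(last_updated, as_of)}
```

Running `review(ASCO_ELEMENTS, date(1996, 1, 1), date(2005, 1, 25))` flags both constructed elements as single-safeguard hazards and reports the analysis as stale on the day of the explosion.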

Summary

Hazard identification may be one of the most difficult tasks in the system safety process. But hazard identification is critical to the system safety effort, because one cannot analyze or reduce risks if those risks have not been identified. A number of methods exist for performing hazard identification, with the most common being checklists and hazard reports developed from similar systems. However, these approaches alone may still fail to capture hazards and hazard causes. Therefore, hazard identification requires tenacity in gathering information based on similar systems designed and operated in the past, and imagination to look for ways a new system can act in unexpected and potentially catastrophic ways.

Reference: U.S. Chemical Safety and Hazard Investigation Board, “Explosion at ASCO: Dangers of Flammable Gas Accumulation,” Safety Bulletin No. 2006-01-B, January 2006.

About the author

Terry Hardy

Terry Hardy founded and leads efforts in system safety, software safety, and emergency management at Great Circle Analytics. Mr. Hardy has over 30 years of engineering experience and has performed engineering, safety, emergency management, and risk management activities for a number of commercial and government organizations including NASA and the U.S. Federal Aviation Administration. Mr. Hardy has created a web site, www.systemsafetyskeptic.com, to provide lessons learned in system safety, and he is author of several books on system safety including "The System Safety Skeptic: Lessons Learned in Safety Management and Engineering" and "Software and System Safety: Accidents, Incidents, and Lessons Learned."