At a Seveso-classified plant producing substances used in medical imaging, a temperature control defect on a biconical dryer caused product decomposition during the drying cycle. The subsequent pressure surge led, around 10 pm, to the explosion of part of the glass piping (a pipe elbow connecting the dryer to its vacuum pump). At the time, the dryer was holding 1,800 kg of a mix containing ethanol and an product releasing iodine (I2), hydrochloric acid (HCl) and nitrogen oxides (NOx) when decomposing. I2 was discharged into the atmosphere via both a door left open and the building’s roof air extractors; 1 plant safety officer was slightly intoxicated by this release.
The external emergency plan was activated at 11 pm and a 500-m safety perimeter set up; the Classified Facilities Inspectorate, accompanied by the Deputy Prefect and the police, visited the site.
Notified by neighbours around 10:15 pm and expecting to battle a residential blaze, fire-fighters arrived at the scene without proper equipment for a chemical accident. When entering the buildings in diving suits, they reported the presence of a silvery liquid on the floor, while the 2nd-level alarm on their atmospheric detectors was tripped (HCl measured 2.45 ppm in the atmosphere). A pungent smell was perceptible as far as a cinema 1 km away. Fire-fighters’ atmospheric readings downwind of the site further east/south-east did not however reveal any danger. The emergency plan was lifted at 5:30 am, with dryer temperature steadying at 10°C, thereby guaranteeing inerting of all product remaining in the dryer (which amounted to 1/3 of the initial load). Damage was limited to the adjacent partition walls in the sector where the explosion occurred; no other dryer sustained damage. The operator proceeded by cleaning and decontaminating the premises. This accident had not been identified in the plant’s safety report and emergency plans as a high-risk scenario.
The internal emergency plan was not triggered due to a dysfunctional decision-making process unable to keep up with the fast pace of events. The automatic responses programmed into the internal emergency plan were thus implemented late and not necessarily in the right order: personnel evacuated prior to installation shutdown; alarm sirens ordering neighbours to remain indoors sounded 50 min after the explosion was heard (according to the press) over a several km radius; and the decision to place all dryers in a cooling position announced 2 hours after the explosion, with another hour required to fully execute the measure.
The next day, neighbours protesting in front of the plant were received by the Deputy Prefect; their complaints focused on the late warning given and lack of information on the part of both the plant and local authorities, resulting in some neighbours failing to comply with the confinement order.
A communication breakdown between a relay controlling the dryer’s process sensors and the programmable controller regulating temperature had kept the dryer in heating mode even though the maximum temperature had already been reached; the excess temperature initiated product decomposition. Since the dryer had not been equipped with a rupture disc, the ensuing pressure surge caused the most vulnerable part (glass) to burst. The safety device for high temperature detection did not operate due to a common failure mode (i.e.the safety mechanism was not independent of the faulty process operating system).
The plant operator introduced a cable thermal fluid temperature control on each dryer independent of the programmable controller and with heating shutoff upon high temperature detection, plus continuous monitoring to ensure an open communication line with the programmable controller on each input/output relay (with a safety override in the event of non-communication). He raised the rupture disc outlet installed on screw dryers by 3 m, so as to minimize ground effects in case of accident.
The operator also modified guidelines for monitoring drying functions, reassessed the independence of “backup safety systems” (i.e. mutual independence of barriers, relative to both the operating system and the actual accident scenario) and reworked the risk analysis performed as part of the 5-year safety report revision (to account for this accident and a previous one that took place in August 2010). As a final step, the operator updated the site’s internal emergency plan and established an emergency organization feedback loop.