After bhopal: six principles of inherently safer design

Author Richard White Published 30 November 2009

At midnight on 3 December 1984, a leak at the Union Carbide pesticide plant in the Indian city of Bhopal exposed more than 500,000 people to poisonous gases including methyl isocynate (MIC). The leak formed into a 40-tonne MIC vapour cloud, which hung over the plant and surrounding shanty towns in Bhopal. At least 3000 people died within 72 hours of the leak, and up to 25,000 people have died of gas-related diseases since.

More than 25 years after the gas leak, 390 tonnes of toxic chemicals abandoned at the Union Carbide plant continue to pollute the ground water around Bhopal Madhya Pradesh, and the incident remains the subject of much controversy. Civil and criminal cases fly through Manhattan and Bhopal courts against Union Carbide (now owned by Dow Chemical Company); an arrest warrant is currently pending against Warren Anderson, CEO of Union Carbide at the time of the disaster.

There are many web sites dealing with the Bhopal disaster, and it is a good case study to observe. www.bhopal.com, managed by Dow Chemical Company, acknowledges that Union Carbide (the owner/operator of the Bhopal site in 1984) merged with a subsidiary of The Dow Chemical Company and became a wholly-owned subsidiary of the company. The message further states that Dow purchased all of the shares of Union Carbide stock but that Union Carbide continues to exist as a separate legal entity with its own assets and liabilities. Stockholders are not responsible for the liabilities, if any, of the companies in which they have invested.

Following the merger there have been questions about Dow Chemical's position on the Bhopal disaster—most notably a plea that Dow Chemical assume responsibility for the disaster. You should visit www.bhopal.com for more information.

It has been suggested that the accident had it roots in the way the plant was designed and the subsequent use of secondary prevention of hazards. In this case, the plant was designed and built before protective measures were put in place to deal with potential hazards. The problem with secondary prevention is that it only tackles the probability of events occurring. This means that the hazardous condition is still present—albeit monitored and (hopefully) controlled. But remember that risk is the product of the consequence and the probability of an event. If either consequence or probability is reduced, then the risk is reduced.

An alternative approach, known as Inherently Safer Design, targets the event itself by changing the chemicals or the processes used in the plant. This earlier identification of hazards enables them to be avoided or minimised by making the design of the plant safer and less reliant on control measures. In the Bhopal example, an inherently safer plant would have stored a much smaller quantity of MIC (which was an intermediate in the process). In a further improvement, it would have been possible to react the raw materials in a different order, thus avoiding the production of MIC altogether.

Six general principles may be followed when looking to have inherently safer design:

• Elimination—if you can avoid the hazard in the first place, you don’t have to deal with it
• Intensification—where a hazard cannot be avoided, minimise the level of hazard present (e.g. use less of a hazardous material, where possible)
• Attentuation—modify process conditions so they are less extreme, or use the hazardous material in a less hazardous form
• Substitution—use a safer process operation or safer material
• Limitation—where an incident might occur, minimise its effects
• Simplification—reduce the opportunities for errors or malfunctions to occur.

This approach is in some ways similar to what is known as the hierarchical approach to waste management (eliminate, reduce, recycle, treat, dispose of wastes in that order).

While Inherently Safer Design may be readily applied to chemical plants, there is no reason why the generic approach could not be applied to other areas of engineering. Indeed, it could be an essential part of any risk engineering strategy and so may be used to minimise the impacts of hazards. This is good for the community, workers and companies. Management in particular should be able to see the advantages of avoiding incidents as significant as the Bhopal accident.

References
Edwards, D and Gupta, J (2003) Losing Control: Why Plants Fail, The Chemical Engineer, Issue 744, June, 2003, p 39–40.