Many educational and research organizations, including NASA, make use of pressure systems to further their work. However, there are serious risks associated with pressure systems when they are not adequately designed, reviewed or constructed. For example, in March 2016, the University of Hawaii (UH) experienced a catastrophic pressure vessel failure that severely injured a postdoctoral researcher. This case study’s purpose is to illustrate the importance of thorough hazard assessment and the expert advice of a center Pressure Systems Manager (PSM) to help researchers work safely in each NASA lab. The primary source material for this case study was the “Report to the University of Hawaii at Manoa on the Hydrogen/Oxygen Explosion of March 16, 2016,” which was prepared by the University of California (UC) Center for Laboratory Safety.
A pressure system is a structural system with an internal pressure that is different from the surrounding environment. Pressure systems encompass a wide variety of configurations and range in size from systems that would fit inside a desk drawer to those covering acres of land. Some involve large amounts of piping or tubing, while others consist largely of pressure or vacuum vessels and their means (compressors, pumps, etc.) of developing the desired pressure. Definitions vary among organizations as they attempt to describe those systems that pose the greatest perceived risk to people, assets and/or mission success.
NASA, universities and research institutes encourage innovative thinking as well as the development and testing of theories and ideas. This results in the purchase or construction of a wide variety of pressure systems products, sometimes with unique designs.
NASA Pressure Systems
At NASA, the wide range of pressure system applications includes analyzing laboratory samples, creating high-speed flows for wind tunnels, simulating rocket or jet engine operations, and attempting to mimic conditions on Venus. Thus, some systems involve large, heavy-walled, high-pressure storage vessels with extensive piping and control valves to provide, in some cases, carefully defined flow conditions or simply a practically inexhaustible supply of air. Other systems were designed and constructed to separate and chill liquid nitrogen, which can then be used to control the temperature in an icing wind tunnel, while others operate at high temperatures. There are also large numbers of small systems that have been built up in labs by researchers intent on studying a specific phenomenon of interest, whether abrasion of rocks on Venus, growth of bacteria or supercritical water oxidation reactions.
Each NASA center has a pressure systems safety organization, which may or may not be part of the center safety organization. The NASA pressure systems organizations typically include both NASA and contractor staff with years of experience in designing, reviewing and inspecting this type of equipment. Because they typically have fewer researchers and fewer systems, universities often have smaller safety organizations and less specialized staff. Often, responsibility for pressure systems safety falls under a broad environmental health and safety organization that may not include specialized pressure systems knowledge or experience.
Pressure Systems for Researching/Academia
Pressure systems in research applications are usually designed and constructed to accomplish a specific research purpose. Sometimes, these are built by researchers or technical staff, but there are also Commercial Off-the-Shelf systems available to address a wide range of applications.
Universities and research institutes often have pressure systems similar to many of the smaller NASA research systems. In a few cases, these pressure systems are comparable to NASA’s larger research systems. Many are akin to the lab systems constructed by NASA researchers in their labs, shops and offices with the goal of researching a particular reaction or operation. Some of these are carefully conceived and highly engineered, while others have been assembled with a clear intent but with less consideration of aspects such as piping or tubing supports, or what might happen in the case of the failure of a regulator or if a runaway reaction were to occur. A few have been constructed within government with little engineering or consideration of safety.
Common Problems with Pressure Systems
Regardless of whether the safety organization includes pressure systems specialists, the most hazardous system is often the one that has been assembled from readily available parts by a well-intentioned researcher who has not had a design review or a risk assessment performed. This sometimes can happen because of avoidance, a simple lack of awareness of the need or a lack of availability. It can happen at NASA as well as at universities and other organizations.
When a variety of parts are used without a proper design review (even in a simple system), the following are some of the system-level problems that may occur:
- Use of brittle materials (e.g., PVC and cast iron) in pressurized gas systems
- Use of components not rated for the operating pressures or temperatures
- Failure to consider low or high operating temperatures
- Inadequately secured components
- Misunderstanding of pressure relief requirements
- Inadequate relief system
- Inadequate weld and other quality control
- Failure to consider that low pressures operating over large areas can result in large forces
- Inadequate procedures to protect personnel and assets
UH Pressure System
At UH, the experiment was funded in hopes of the future development of a local biofuels and bioplastics industry with little or no environmental impact. It sought to optimize growth of the Cupriavidus necator bacteria, which can capture energy from a chemical reaction to fix carbon dioxide into cellular components in a process similar to photosynthesis in plants. This results in a polyester called PHA that can serve either as an energy store or a plastic. A pressure system was needed to supply an optimal mix of gases at a particular pressure for consumption by the bacteria. The pressure vessel (tank) and its associated components were used to provide a source for these gases.
Figure 1: Mishap tank (Source: UC Center for Laboratory Safety report).
During operation of the pressure system, the highly reactive mix of pressurized gases contained in the tank ignited. This resulted in an extremely rapid pressure rise, far beyond the capacity of the pressure relief valve. As a result, the tank was blown to pieces, severely injuring the postdoc researcher who was operating the experiment. The explosion also caused significant damage to the laboratory and equipment where it was located.
The most probable immediate cause of the accident was traced to a static discharge that passed through the digital pressure gauge and ignited the hydrogen/oxygen gas mixture contained within a 13-gallon (50-liter) pressure tank. Extensive analytical testing of an identical gas tank/pressure gauge system did not reproduce a stray electrical current within the digital pressure gauge, suggesting that the initiation event was not produced by the digital pressure gauge itself, but rather was due to a static discharge from the tank or postdoc researcher. The explosive gas mixture was most likely ignited when the statically charged postdoc researcher touched the metal housing of the gauge and a charge transfer occurred, causing a corona or brush discharge within the gauge stem.
Figure 2: Oxygen, hydrogen and carbon dioxide mixture (Source: NASA Safety Center).
In the UH experiment, the C. necator bacteria were cultured to a high cell density inside a bioreactor, which contained a liquid nutrient solution. Normally, the gas mixture percolated through the culture medium and exited through an exhaust line.
Externally supplied oxygen (O2), hydrogen (H2) and carbon dioxide (CO2) to fuel the bacterial reaction were to be mixed together as a 70 percent H2, 20 percent O2, 10 percent CO2 mixture. The Principal Investigator (PI) sent the postdoc researcher a proposed bioreactor setup configuration with separate lines for O2 and H2/CO2 mixtures. At some point, the design was changed to use a single, large (13-gallon) pressurized storage tank that contained sufficient mixed gases for a three-day experiment. This design required a series of sequential manual operations for the charging of the three gases.
The new system design had the advantage of allowing a supply of a consistent gas mixture to the bioreactor throughout the experiment. However, disadvantages included the need to transport the tank to two locations for filling and the storage of a large volume of a pressurized, explosive gas mixture.
Gas pressure and flow rate into and out of the tank were displayed continuously on digital gauges. The tank that exploded on the day of the mishap was constructed of welded carbon steel and had an attached closure valve. It was certified in accordance with the American Society of Mechanical Engineers code for a Maximum Allowable Working Pressure of 168 pounds per square inch gauge. A 165 pounds per square inch gauge pressure relief valve had been installed by the manufacturer. The UC Center for Laboratory Safety report did not state the use pressure of the tank in this experiment. It does state that the UH maintenance shop tested the tank to 91.2 pounds per square inch gauge.
Teflon tape was installed at the pressure gauge and ball valve threads by the research team, who thought it acted as a metal lubricant to prevent leaks. Teflon tape is often effective in lubricating threads as well as in helping to make a seal. However, Teflon is flammable. While it did not play a role in this mishap, it is not safe for use in an enriched oxygen environment.
According to the UC Center for Laboratory Safety report, at some time after the postdoc researcher involved in the mishap started working in the UH lab, the pressure vessel used in the experiment, a battery-powered digital pressure gauge, a pressure relief valve and fittings were ordered for assembly into the experimental system. The assembly included a stainless steel ball valve plumbed with copper tubing to deliver the gas mixture to a gas mass flow controller. This valve was also used during the filling of the tank and for removing gas samples for analysis. While a handle opened and closed the valve, the assembly configuration did not allow sufficient room for the valve to be fully opened.
Selection of equipment differed from that identified (but not specified) in a 2013 research paper by the PI for the research project in that the pressure gauge was not “intrinsically safe” (nonsparking). There was no mention of a specification or statement of work that clearly defined requirements for the new system. In the previous assembly, a gas proportioner was used to premix the three gases en route to the bioreactor, while the system involved in the mishap required manual mixing.
Highly Reactive Media
As learned in the deadly fire on Apollo 1 (1968), pure oxygen, even at 15 pounds per square inch gauge (sea-level atmospheric pressure), is very reactive and requires special handling. In the UH experiment, though not pure oxygen, the partial pressure of the oxygen was much higher than 15 pounds per square inch gauge. Hydrogen also requires special safety considerations due to its extreme flammability, low ignition energy, wide flammability range and high reaction rate. Since the time of the Apollo 1 fire, NASA has developed a high level of expertise in the fields of oxygen and hydrogen safety.
Figure 3: Safety procedures and guidelines (Source: White Sands, ASTM International and ANSI/AIAA).
Figure 4: Image of damaged 13-gallon tank (Source: UC Center for Laboratory Safety report).
In particular, the White Sands Test Facility has conducted decades of research and testing, developing knowledge, procedures and techniques on how to operate systems with elevated oxygen content safely. White Sands personnel produced the “Guide for Oxygen Compatibility Assessments on Oxygen Components and Systems.” They have also been major contributors to “Safe Use of Oxygen and Oxygen Systems: Handbook for Design, Operation, and Maintenance” (ASTM International) and “Guide to Safety of Hydrogen and Hydrogen Systems” (American National Standards Institute (ANSI)/American Institute of Aeronautics and Astronautics (AIAA)). These are important references for researchers designing lab experiments involving explosive gases. White Sands personnel regularly perform oxygen compatibility assessments both for NASA and for outside organizations, and they train others to do so.
Hazardous Contents Not Considered
In order to fill the tank with the three different gases, it was moved from its experimental location to two different filling locations. Then, it was returned to its original location where the mishap ultimately occurred. To avoid potentially dangerous sparking, both the tank and the operator should have been grounded at each location, but they were not. The postdoc researcher involved in the mishap reported being sparked when touching the tank, and others working in the same area had noticed electrical discharges.
In order to sample the gas mixture in the tank, a thin, fluorinated ethylene propylene sampling bag was fitted over a plastic tube stub. The burst pressure of the bag could easily have been exceeded, releasing the flammable mixture into the room. While acceptable when used with nonreactive gases, these practices are insufficient to ensure safe operations when working with explosive gases.
The standard pressure relief system provided for use of the tank as an air receiver would clearly be inadequate in the event of a runaway reaction. (An air receiver tank has outlets based on pumping capacity of standard sized air compressors, not based on an internal explosion.)
During the explosion, the 13-gallon tank was violently ripped apart. The pressure relief valve was intended to release accidental overpressure as can occur in nonreactive gas handling but was never designed to relieve massive, instantaneous overpressure of a runaway explosive reaction.
Lack of Awareness of Applicable Regulations
The Occupational Safety and Health Administration (OSHA) regulations require a Chemical Hygiene Plan (CHP) for operations such as were being performed in this case. UH had a CHP, but according to the UC Center for Laboratory Safety report, “The UH CHP is largely comprised of a collection of compliance documents.” A companion document is the “UH Departmental Health and Safety Guide”.
The UC Center for Laboratory Safety investigators did not identify federal or state OSHA lab safety requirements in their report. States may levy additional local requirements, providing an equal or greater level of safety. In this case, Hawaii Administrative Rules (HAR) Title 12-60-2, Safety and Health Programs, section (a)(3) requires every employer to “eliminate existing or potential hazards by design, process substitution, or other methods that eliminate the need for further employee protection.” Where no other controls reduce risk of injury to acceptable levels, “Personal Protective Equipment [PPE] shall be provided and used.” Federal OSHA statutes did not go to this level of specificity, which, if followed, decreases the likelihood and severity of another such explosion. A seldom-appreciated but important part of an effective local safety program includes periodic checks for new or different safety regulations that apply and must be followed.
Lack of Awareness of Safety Risks
Reportedly, the PI and the postdoc researcher were both concerned with safety. However, without sufficient understanding of the risks, they were at a disadvantage. Consider the following evidence:
- The PI’s screening questionnaire asked about the duties and responsibilities related to the Environmental Health and Safety in the laboratories, even though the investigation found no such UH laboratory guidelines to question/assess safety. This was in spite of the fact that no evidence was found that the UH laboratory faculty or management required any proof of knowledge of hazards and controls for pressure systems or explosive gases. No evidence was found to support that personnel were required to conduct a risk assessment specific to a planned new system.
- After being hired, the postdoc researcher completed safety training for hazardous waste, laboratory safety and biosafety.
- Questions in the postdoc researcher’s notes reflect concerns related to combining explosive gases, explosive concentration limits, PPE, the existence of lab-standard operating procedures, risk assessments and clearance to start work. However, investigators found no answers to these questions.
Based on these facts, it appears that the PI and the postdoc researcher, while not unconcerned about safety, were either unaware of some of the safety risks or failed to recognize their magnitude.
Applying Lessons Learned to Current and Future NASA Missions
Safe System Alternatives
Safe operation of a system for the UH application might be achieved by use of a pressure vessel capable of withstanding the full pressure developed by the reaction, should it occur, or by isolation of the system from personnel (either by distance or by barriers) to ensure their safety. When considering other designs, various system safety principles are available, such as safety margin, defense-in-depth and fail-safe, among other options.
NASA Safety Program and Policies
Figure 6: NASA policies and standards (Source: NASA).
NASA has had its own experience with failed pressure systems. Examples of this occurred in the mid-1970s when three major systems at three centers suffered catastrophic failures. These failures were significantly more dramatic than the UH mishap, involving much larger systems and levels of stored energy. Fortunately, two of the cases involved only minor injuries, and the third had none. As a result, however, NASA embarked on the development of a pressure systems safety program that has been very successful in minimizing the number of pressure systems mishaps over the years.
NPD 8710.5, Policy for Pressure Vessels and Pressurized Systems, provides top-level policy to ensure the safety of pressure systems both on the ground and in space. NASA-STD-8719.17, NASA Requirements for Ground-Based Pressure Vessels and Pressurized Systems (PVS), provides direction on achieving the safe operation of pressure systems on the ground. In doing so, NASA-STD-8719.17 is the agency implementation document for compliance with the OSHA regulations in this area. In addition, nearly all NASA centers have local documents that are tailored to their individual needs and provide further detail on achieving the safe operation of pressure systems.
While responsibility for compliance with policy and regulations rests with the system owners and users, each NASA center has a PSM who is responsible for oversight with responsibilities as specified in NPD 8710.5. These include the following:
- The development and implementation of procedures for the safe and effective operation of ground-based PVS throughout their life cycles — from design through operation.
- The evaluation and certification of PVS in accordance with NASA-STD-8719.17 before operation. This responsibility includes the review of design and procurement specifications for compliance, specification and interpretation of applicable National Consensus Standards, ensuring that certifications, periodic inspections and recertifications are performed for all PVS and that PVS are documented.
While implementation details vary from center to center, NASA-STD-8719.17 requires that pressure systems undergo certification prior to use. This process is intended to ensure system integrity and safe operation. While rigor is needed to keep systems safe and reliable, the requirements are devised to minimize the burden on pressure system owners and users to the greatest extent possible. Pressure systems office personnel at NASA centers are specialists in their fields and are available to consult on safety-related requirements that might otherwise be a heavy burden for a researcher operating a small system and performing all the work alone.
The NASA certification/recertification process addresses the following:
Problems with Unauthorized Systems
Whether caused by a lack of an authorization/permitting system, ignorance or deliberate avoidance, an unauthorized PVS is likely to be missing one or more of the following:
- Hazard analysis, including addressing unique design and operational considerations made necessary by unique operating requirements or caused by unfamiliarity of a researcher with standard practice in the pressure systems field
- Design review, including material selection, component selection, wall thicknesses, adequacy of relief system, etc.
- Stress analysis
- Review for compliance with OSHA regulations and applicable voluntary consensus standards
- Review of implementation versus design
- Review of safe overall installation (e.g., need for fume hood, low-oxygen sensors or securing pressurized gas cylinders, etc.)
- Reinspection and component (relief device and pressure gauge) callback
It’s important to remember that ignorance of the issues doesn’t make them go away. One of the most important reasons to perform a risk assessment specific to an experiment is to formalize the actual likelihood and severity of potential undesired outcomes during the course of the activity. Without such an assessment, subjective judgment usually underestimates potential dangers that can lead to serious injury or illness.
Government Laboratory Research Survey
In a 2012 study called “Laboratory Safety Attitudes and Practices,” it was reported that slightly over half of surveyed government laboratory researchers stated that they used their organization’s approved forms for risk assessment. About one-third responded that they conducted informal risk assessments, and the rest responded that they conducted none at all. Further, less than one-fifth of researchers in academic labs assessed their risk using an approved form. Informal risk assessment was reported by over half of academic researchers, and the others did no assessment at all.
Of course, personal risk perception, schedule and resources all influence whether formal tools will be used. In the survey, respondents generally thought their own risk in their labs was significantly lower than the risk level they assumed their organization had determined as acceptable. There is frequently a trade-off between efficiency and safety, but as has been seen in this case study, the laws of physics make no allowances for each individual’s personal risk perception.
Steps for Building a Safe Pressure System
Take the following steps to build a pressure system:
- Consult the experts: Seek out input from knowledgeable associates and the PSM (even as a laboratory manager or supervisor, or operator of the equipment). Active reinforcement of lab safety practices beyond required formal training can improve recognition and mitigation of hazards, such as noncompliant pressure systems. Those whose projects have experienced system failures can share lessons that can be leveraged in the design. The most skilled, experienced engineers and scientists understand that they’re probing uncertain terrain with experiments. Thus, they seek to identify those hazards they’ve yet to imagine, rather than expect success.
- Start early: Invite the PSM into the process early to gain the greatest benefit. Ultimately, it is faster and less expensive to design an experimental pressure system with compliance in mind up front than to stop an experiment, redesign, retrofit or replace components, and then start over. Costs and delays are kept to a minimum if the PSM is brought into the process early. The PSM is generally familiar with readily available components, standard system designs/configurations and applicable requirements. This helps ensure the development of an effective and compliant design from the beginning, thereby avoiding system redesign and the reworking, replacement or failure of inadequate components.
Anyone who encounters a pressure system that is not in the NASA PVS program should consult his or her center’s PSM. It is much better to bring a system into the program a little late than to risk a serious accident.
Questions for Discussion
- If your organization works with NASA-defined pressure systems, how does your PSM keep these systems safe and compliant with NASA policy?
- Does your organization have a process in place to ensure that your pressure systems are included in your center’s pressure systems program?
- When building a pressure system, how do you identify potential hazards during the design phase?
- If a potential safety issue is detected in an operational pressure system, what processes exist to make the system safe with respect to engineering and safety standards?
References
- Merlic, Craig; Ngai, Eugene; Schroeder, Imke; Smith, Kenneth: Report to the University of Hawaii at Manoa on the Hydrogen/Oxygen Explosion on March 16, 2016, Report 1: Technical Analysis of Accident, UC Center for Laboratory Safety, June 29, 2016.
- Wander, Steve: Fire in the Cockpit, NASA System Failure Case Studies, vol. 2, is. 2, February 2008.
- Rosales, Keisa; Shoffstall, Michael; Stoltzfus, Joel: Guide for Oxygen Compatibility Assessments on Oxygen Components and Systems, NASA/TM-2007-213740, March 2007.
- Beeson, Harold; Smith, Sarah; Stewart, Walter: Safe Use of Oxygen and Oxygen Systems: Handbook for Design, Operation, and Maintenance, Second Edition, ASTM International, MNL36—2nd, 2007.
- Guide to Safety of Hydrogen and Hydrogen Systems, American Institute of Aeronautics and Astronautics, ANSI/AIAA G-095A-2017.
- University of Hawai’i at Manoa Departmental Health and Safety Guide, Environmental Health and Safety Office, January 2003.
- Hawaii Administrative Rules, Title 12, Department of Labor and Industrial Relations, Subtitle 8, Hawaii Occupational Safety and Health Division, Part 2, General Industry Standards, Chapter 60, General Safety and Health Requirements, December 2012.
- Ellis, Olivia; Huang, Debbie Yan Qun; Gibson, James; Schroder, Imke; Wayne, Nancy: Laboratory safety attitudes and practices: A comparison of academic, government, and industry researchers, Journal of Chemical Health and Safety, vol. 23, is. 1, January/February 2016, pp. 12–23.
Visit nsc.nasa.gov/SFCS to read this and other case studies online or to subscribe to the Monthly Safety e-Message.
Responsible NASA Official: Steve Lilley
This is an internal NASA safety awareness training document based on information available in the public domain. The findings, proximate causes and contributing factors identified in this case study do not necessarily represent those of the Agency. Sections of this case study were derived from multiple sources listed under References. Any misrepresentation or improper use of source material is unintentional.