Texas City Refinery Explosion

The BP Texas City refinery included an isomerization (ISOM) unit designed to increase gasoline octane ratings. The unit used a raffinate splitter tower to separate light and heavy hydrocarbons.

During startup operations, liquid was pumped into the splitter tower while bringing temperature and pressure to operating conditions. Level control during startup was critical to prevent overfilling.

On March 23, 2005, the unit was being restarted after a maintenance shutdown. The startup process required several hours and careful monitoring of tower levels.

The raffinate splitter tower must maintain proper liquid level during startup to prevent overfilling while heating the system to operating temperature. Level instrumentation must provide accurate readings and effective alarms to operators.

The tower was being filled during startup, with liquid level rising over several hours. Operators were managing multiple tasks during the complex startup sequence.

The level instrumentation included both a sight glass and electronic level indicators. However, the sight glass had a limited range that did not show dangerously high levels.

Unknown to operators, the tower level had exceeded the sight glass range. They believed the level was within normal startup parameters based on the visible indication.

High-level alarms existed but had been configured at levels that allowed significant overfilling before triggering. The alarm setpoints did not provide adequate warning time during rapid filling.

Multiple alarms were sounding in the control room due to various startup activities. The alarm system did not prioritize safety-critical alarms over routine operational notifications.

Operators had become desensitized to alarm floods during startups. The critical high-level alarm was not distinguished from the background noise of other alarms.

Liquid continued to be pumped into the tower at a rate faster than operators realized. The level exceeded the tower capacity and began entering the overhead piping system.

Pressure relief valves opened as designed, directing the overflow to a blowdown drum and stack. However, the volume of liquid far exceeded the system design basis.

Liquid filled the blowdown drum and overflowed out the atmospheric vent stack, creating a geyser of flammable hydrocarbons at ground level near occupied trailers.

The released hydrocarbons formed a vapor cloud at ground level. A nearby vehicle ignition source triggered explosion and fire.

Fifteen workers were killed, mostly in temporary trailers located too close to the process unit. Over 180 were injured.

The explosion was not a failure of pressure containment—the relief system worked as designed. The failure was in preventing the condition that required relief in the first place.

Level instrumentation had limited range that concealed the actual danger. Sight glass showed "full" while the tower was actually overfilling.

Alarm setpoints were inadequate for the startup scenario. High-level alarms did not trigger until overfilling was already occurring.

Alarm management was ineffective. Critical safety alarms were buried in routine startup alarms, making operator recognition nearly impossible.

Procedural controls did not adequately address the specific hazards of liquid overfill during startup operations.

Operators were following procedures but those procedures did not account for the instrumentation limitations or alarm configuration issues.

Workload during startup was high, with multiple systems requiring attention simultaneously. The cognitive demand made it difficult to detect subtle warnings of developing problems.

Previous startups had been completed without incident despite these same system deficiencies, reinforcing confidence in inadequate procedures.

Cost reduction pressures had led to deferred maintenance and reduced staffing. Experienced operators who understood system limitations had been replaced by less experienced personnel.

Process safety management systems existed on paper but were not effectively implemented in operational practice.

Temporary buildings were located too close to hazardous process units due to site space constraints, violating fundamental process safety principles.

Instrumentation must cover the full range of hazardous conditions, not just normal operating ranges. If a gauge cannot show a dangerous state, operators cannot respond to it.

Alarm systems must distinguish between information and action. Safety-critical alarms require different treatment than operational notifications.

Procedures for abnormal operations (startup, shutdown, emergency response) require the same rigor as normal operation procedures, and often need more detailed hazard analysis.

Multiple simultaneous demands on operator attention during complex evolutions require either procedural simplification or additional qualified oversight.

Site layout and personnel placement are engineering controls. Temporary structures near process hazards create permanent vulnerability.