Chinedu Charles Isiadinso

April 23, 2015





On Wednesday, March 23 2005, numerous explosions, and a fire, occurred at BP Texas City
refinery, Texas, USA. The explosions and fire occurred during start-up of an isomerization unit
at the refinery. The disaster resulted in 15 fatalities, over 150 injuries, and financial losses
exceeding $1.5 billion (USD)[1].

Details of the Accident

BP had begun a lengthy maintenance project at their Texas City refinery, which required over
1000 contractors on site along with employees. A number of trailers had been set up, close to
the blow-down stack (see figure 1), to serve as offices and meeting rooms for the contractors.
In the early hours of Wednesday, March 23 2005, workers began the start-up process of an
isomerization unit by pumping highly flammable liquid into a raffinate splitter tower (see
figure 1), which would normally have ≈ 2m (6.5 ft) of liquid at its base. A liquid height sensor
and two alarm systems, for heights of 2m (6.5 ft) and 3m (10 ft), were installed to measure
and report the height of liquid in the tower to operators, and to raise alarms if the liquid
reached 2m and 3m respectively. However, the sensor was designed to measure heights only up to
3m, and thus there was no way to tell the amount of liquid in the tower beyond that point. As
workers pumped liquid into the splitter tower, the liquid reached, and exceeded, the 3m mark,
setting off the 2m alarm but not the 3m alarm. The level had exceeded 3m by the time the feed
was stopped; the height sensor reported 3m, while in actual fact the tower is believed to have
reached 4m (13 ft)[2].

Figure 1: Raffinate section of Isomerization unit[1]

Following a shift change, and very poor communication, operators recommenced the start-up
process, adding more liquid to the overfull splitter tower. While liquid was being pumped in,
no liquid was being pumped out, as the start-up procedure[5] specified it should be, because a
level control valve had been left closed. About 10 minutes later, as part of the normal process,
operators lit burners in the furnace to heat up the liquid being fed to the splitter tower. With
the level control valve still closed, the tower liquid level rose, and the height meter reported
a height of under 3m; however, calculations show that the liquid reached 42m[1].

At 1 pm, the level control valve was opened, following a high pressure alarm that caused a
manual relief valve to be opened; this stabilized the liquid level. However, liquid leaving the
tower was at a very high temperature, and on exiting the heat exchanger (which was not designed
to cool down very hot liquid), induced a temperature rise (over 150°[1]) in liquid being fed to
the tower. This caused liquid in the tower to boil and expand, causing the liquid level in the
tower to rise. Minutes later, the 52m (170 ft)[5], 586,100 l[7] capacity splitter tower was
completely full, and liquid flowed through an overhead pipe, down 45m (148 ft), and forced open
all 3 safety relief valves near the base of the tower; these valves redirected over 200,000 l of
flammable liquid to the blow-down drum of significantly lower capacity. Similar to the tower,
the blow-down drum was fitted with a liquid height sensor and an alarm, but when the drum
overfilled, the alarm failed to alert operators, who continued redirecting flow to the drum.
Minutes later, there was an eruption of very hot, highly flammable liquid from the top of the
blow-down stack[3], which fell to the ground, creating a highly flammable vapour cloud that
covered the entire refinery, especially the trailers housing the contractors. Ignition of the
cloud, by backfire from an idling diesel truck at about 1:20 pm, caused a number of explosions
and fires, and sent shock-waves for miles in all directions.

Figure 2: BP Texas City Refinery Layout[1]


Table 1: Kletz-Type prevention table

| Events | Immediate Steps | Avoiding Hazard | Management System |
|---|---|---|---|
| Explosions and fire | Truck driver should have turned engine off after eruption | | |
| Idling diesel truck backfires, ignites vapour cloud | Do not idle truck a few meters from hazardous equipment | Create dedicated parking space | Always know where vehicles on plot are |
| Vapour cloud forms and expands across refinery | Sound alarm | Install disaster alert system | Train staff for disasters; the CSB report[1] showed that staff were not properly trained for abnormal situations |

Table 2: Kletz-Type prevention table

| Events | Immediate Steps | Avoiding Hazard | Management System |
|---|---|---|---|
| Blow-down stack overfills and liquid erupts | Carry out disaster protocol | Install blow-down drum of equal capacity as tower. Install modern blow-down stack, to eliminate possibility of overflow | Train staff for disasters[9] |
| Liquid in blow-down drum reaches max. capacity; high level alarm does not sound | Tower is overfull, expect the drum alarm to sound, and act if there's no sound | Emergency purge system when drum overfills | Regular equipment inspection; due to cost cutting techniques, less money was available to inspect and repair faulty equipment[1] |
| High pressure liquid forces open all 3 safety relief valves; liquid is redirected to the blow-down drum | Turn off feed, and purge systems | Install another set of high pressure alarms for the overhead pipes | |
| Tower overfills; liquid flows through overhead pipe towards relief valves 45m below | | Install overflow detector to shut down process if tower overfills | |
| Liquid fed to tower causes boiling; liquid level rises to 43m, sensor shows decline | | Design location based temperature detector | Regular equipment inspection and repairs |
| Hot liquid, from tower base, heats up tower feed | | Design system to measure temperature of liquid in key areas (e.g. tower outlet) and alert operator of | |
| Operators worry about lack of outflow, level control valve is open | The process had been running for over 3 hours, check what happened to liquid | Design system to show valve status | A supervisor must always be present |
| Tower high pressure alarm sounds; operators open manual relief valve (automatic emergency valves failed) | Check information about flow into and out of tower and see if there are discrepancies | | Regular equipment inspection |
| Improperly calibrated level indicator shows liquid as 2.6m and falling; liquid is at 30m | | Show flow into and out of tower on same screen and work out in-tower volume based on these | Equipment inspection and repairs |

Table 3: Kletz-Type prevention table

| Events | Immediate Steps | Avoiding Hazard | Management System |
|---|---|---|---|
| Supervisor leaves due to family emergency, there is no replacement | Request replacement supervisor | | Enforce requirement of at least one technical staff at all times |
| Conflicting information about level control valve is received by operator, valve is left closed | Request clarification | Design system to show valve status | |
| Start-up recommences, more liquid is added to already overfull tower, liquid level increases | Carry out pre-startup procedure | Improve system to allow operators to see flows in and out of tower | Ensure pre-startup is completed and successful |
| Night shift operator leaves, day shift operator takes over; state of start-up process is badly communicated | Make better use of logbooks | | Enforce BP sign over protocol, especially during hazardous processes |
| Sensor reads 3m (actual height is 4m), feed is stopped | | Improve sensor design | |
| First tower high level alarm sounds, second | Stop after first alarm | | Regular equipment inspection |
| Operators ignore 2m recommended height and fill to 3m max. | Follow safety recommendation | | Enforce safety requirements |
| Contract workers in trailers are not informed about start-up process | Inform all personnel about hazardous processes | Ensure everyone is out of harm's way before starting hazardous processes | |
| Isomerization start-up begins, liquid is fed into splitter tower | Evacuate all non-essential staff | Ensure pre-startup is completed | Safety culture |
| Lengthy maintenance process; trailers are set up close to isomerization unit | Set up trailers at safe distance | Should have followed CSB trailer siting recommendations | |

The accident could be blamed on a wide range of failures, from mechanical to human to process;
however, the entire accident could be put down to human error, starting at the very beginning
with the location of the trailers. From figure 3, it can be seen that the trailers were set up
in, potentially, the most dangerous part of the site. Trailers were set up between the catalyst
warehouse and the isomerization unit (close to the blow-down drum and stack), separated from
the unit by a rack of pipes carrying highly flammable liquid. Not only was this siting warned
against by safety experts[1], but from figure 2, it can be seen that permanent office structures
were erected reasonably far away from hazardous material and equipment, at the other end of
the refinery; no deaths occurred at these permanent structures. A reasonable location for the
trailers would have been next to the control room in the blue section of figure 2.

Figure 3: Trailer area and adjacent Isomerization unit[1]

Second, employees and maintenance workers knew how hazardous the isomerization start-up
process was, but no one alerted the contractors (who were in the trailers) about the start-up;
as such, contractors were unaware of what was happening until the eruption and explosion.
Deaths could easily have been prevented if trailer staff had been informed, or better still,
removed from harm's way until the start-up process was complete; there was a safety meeting
that day, over 300 people (employees and contractors) were in attendance and nothing was said
about the startup about to begin[3].

While it would not have been possible for the night shift operator to have known immediately
that the second alarm had failed, a better logbook entry could have been left for the day shift
operator to work on. The logbook entry gave no indication of previous pumping level and alarm
sound; instead it read "ISOM brought in so raff to unit, to pack raff with"[1].

Operators usually neglected key safety requirements, like the pre-startup checks, which would
have confirmed the position of the level control valve, removed non-essential personnel from the
site, and potentially noticed, and dealt with, the idling truck. It could have also alerted staff
to the faulty alarms and indicator, as it required manual liquid level confirmation, via a sight
glass at the base of the tower; it is worth noting that the sight glass had not been cleaned for
longer than recommended, and as such dark liquid had covered the glass, making it unusable.

Poor communication saw the situation on the ground being badly transmitted from ground
operators to board staff, which led to one of the most obvious causes of the disaster: the level
valve was left closed for over 3 hours while liquid was fed. The valve was later opened, but staff
should have investigated the location of hours of pumped liquid; if there was no liquid outflow,
then there must have been a build up of liquid in the tower. This would have brought the faulty
indicator (which read 2.6m and falling instead of 30m) to their attention, and they could have
stopped the feed and drained the tower. Following the departure of the only technically trained
staff on site that day, due to a family emergency, and contrary to BP standard procedure,
there was no replacement supervisor assigned to oversee the startup process; this left one low
experience operator (not qualified to run an entire refinery without supervision) alone to manage
all 3 units at the refinery, including the isomerization unit.

On one end of Kletz’s spectrum, we have ways of preventing the hazard. In this case, the
hazard could have been prevented had the level indicator been designed to accommodate
the full 52m height of the tower. Looking at it from the point of view of what is necessary,
the level was never meant to exceed 3m; however, if operators did not stop the feed exactly
when the 3m alarm was heard, they would overshoot and not know by how much. The system
could have been fool-proofed by designing an automatic system that shut off liquid feed when
the level reached 3m instead of just an alarm. A similar system in the blow-down drum could
automatically open the sewer block valve (see figure 4) to drain the drum if it overfills; these
would help prevent any instances where there is human failure.

Figure 4: Blow-down drum and gooseneck[1]

A similar system was already operational in the emergency relief valve, which failed to open on
the operator’s command, but opened when pressure exceeded the maximum allowed, and this
prevented a different accident of a burst pipe.

In figure 3, cars can be seen parked around very dangerous equipment; there were more
suitable locations for a car park than between a catalyst warehouse and a rack of pipes.

Also, the CSB’s report noted poor operator display designs. The control unit did have displays
for the amount of liquid flowing into and out of the tower, but these were on different screens,
which meant that unless the operator suspected discrepancies in the flow, they would not check
to see if the numbers matched. A better design would have been to have both flows on the
same screen, but also to work out the difference and alert the operator, or trigger an automatic
protection system, if the difference exceeds an acceptable tolerance range.
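
The flow-balance check described above, together with the automatic feed shut-off suggested earlier, can be sketched as follows. This is an added illustration, not code from the CSB report or from BP; it assumes a tower of uniform cross-section, and the flow rates, tolerance and readings are constructed.

```python
from dataclasses import dataclass

TOWER_HEIGHT_M = 52.0         # tower height given in the text
TOWER_CAPACITY_L = 586_100.0  # tower capacity given in the text
SENSOR_SPAN_M = 3.0           # level sensor cannot report above this (text)
# Assumption: uniform cross-section, so litres per metre of level is constant.
LITRES_PER_M = TOWER_CAPACITY_L / TOWER_HEIGHT_M


@dataclass
class Sample:
    minutes: float       # length of the interval
    inflow_lpm: float    # feed into the tower, litres per minute
    outflow_lpm: float   # flow out of the tower, litres per minute
    indicated_m: float   # level shown by the sensor at the end of the interval


def check_balance(samples, start_level_m, tolerance_m=0.5):
    """Return (elapsed_min, estimated_m, indicated_m, action) for each sample."""
    volume_l = start_level_m * LITRES_PER_M
    elapsed = 0.0
    results = []
    for s in samples:
        # Inventory changes by net flow; clamp to the physical tower volume.
        volume_l += (s.inflow_lpm - s.outflow_lpm) * s.minutes
        volume_l = min(max(volume_l, 0.0), TOWER_CAPACITY_L)
        elapsed += s.minutes
        estimated_m = volume_l / LITRES_PER_M
        if estimated_m > SENSOR_SPAN_M:
            action = "TRIP_FEED"   # beyond sensor range: reading cannot be trusted
        elif abs(estimated_m - s.indicated_m) > tolerance_m:
            action = "ALERT"       # flows and level reading disagree
        else:
            action = "OK"
        results.append((elapsed, round(estimated_m, 2), s.indicated_m, action))
    return results


# Constructed readings (not plant data): outflow stops after the first interval.
CONSTRUCTED = [
    Sample(10, 500.0, 500.0, 2.0),
    Sample(10, 500.0, 0.0, 2.4),
    Sample(10, 500.0, 0.0, 2.3),
    Sample(60, 500.0, 0.0, 2.8),
]

if __name__ == "__main__":
    for row in check_balance(CONSTRUCTED, start_level_m=2.0):
        print(row)
```

In the last constructed interval the sensor still shows under 3m, yet the integrated flows put the level well above the sensor's range, so the feed is tripped without relying on the operator.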

On the other end of Kletz’s spectrum, failures of the management, such as lack of regular
equipment inspection and repairs, led to key safety devices and instruments (level indicators,
alarms and even the emergency pressure relief systems) failing to alert operators of danger; these
pieces of equipment were known by management to be faulty but nothing was done to repair or
replace them[3]. Staff were not adequately trained and protections were not put in place to
prevent catastrophic failures, the likes of which had been predicted as early as 1992[9]. There
were no real automatic systems that would act immediately in an emergency; all systems
required the intervention of an operator, and while BP required operators to work in pairs and
always have one person in the control room at all times, cases of desertion were very common;
on the day of the accident, an operator deserted his post hours before his replacement arrived.

Management had also consistently failed to address re-occurring unsafe practices, e.g. startup
without fully completed pre-startup checks, that had previously (on February 12, 1994) led
to a similar situation where the tower was overfilled. Also, reports show management failed
to invest in hazard prevention and safeguards. Furthermore, huge cost cutting tactics saw the
isomerization unit grossly understaffed during startup.

Management had a responsibility to ensure a safe working environment for everyone on site,
but years of limited funding and a growing unsafe culture saw mandated processes being
ignored, and near misses being left uninvestigated. The main cause of the disaster was a lack of
properly implemented pre-emptive measures, which would have completely prevented not only
this incident, but future ones as well.

Lessons Learned
The following lessons could be drawn and generalized from this disaster:

1. Follow recommended procedure: Operators should not deviate from their training, but also,
managers and supervisors should ensure protocol is strictly adhered to.

2. Alert people of potential danger: Contractors and uninvolved staff, e.g. the two in the
idling truck, were not aware of the hazardous process that was going on very close to
them. This could also be extended to members of the public; for example, a construction
site must tell not only its employees about dangers, but also passers-by that could be hurt.

3. Check design by Hazop: Safety equipment in the refinery was not designed to eliminate
hazard; rather, it was designed to alert of potentially dangerous situations, and thus
was highly susceptible to human error. Safety devices should be designed to make it
almost impossible to hurt yourself and others, e.g. automatic speed limiters on high speed
trains (Santiago de Compostela rail disaster)[11].

In conclusion, the disaster at Texas City was completely preventable. Key immediate steps by
operators on the day could have prevented the accident; however, the key cause of the disaster
was a continuous failure to learn from near misses, an absence of safety culture, and persistent
absence of hazard prevention by management staff, even after numerous near misses on
numerous machines. Also, misplaced priorities could be blamed for the disaster, as investments in
safety and hazard prevention were not made following BP’s acquisition of Amoco’s outdated
(even at the time of acquisition) refinery; instead job cuts and poor maintenance culture, which
saved BP hundreds of thousands of dollars, were the priority.


