The raffinate splitter tower had no functioning level sensors—overflow was the hazardous result.
On March 23, 2005, the raffinate splitter process was being restarted after a turndown. The unit had been shut down February 21 so that the tower could be drained, purged, and steam cleaned to remove residues. Apparently nothing had been done to check level sensors installed in the tower, and a sight glass mounted at the bottom that had been too dirty to use for some years was untouched. Operators preparing for the restart had reported that a pressure vent valve on the reflux drum could not be operated from the control room, but this was not fixed either. According to BP procedures, that single valve malfunction alone should have prevented restarting the unit until it could be resolved.
Established safety management procedures also called for a thorough pre-startup safety review (PSSR), but this was skipped along with other requirements for appropriate staffing during the restart. A PSSR would have checked and verified all safety instrumentation and other related equipment, but that would have most certainly delayed getting the unit running again. The process was set into motion without the sign-offs normally required. Basic process safety and environmental protection procedures were ignored.
In daily operation, the raffinate splitter tower would have between 7 and 9 feet of liquid with reflux raining down from the trays above. Operators on the night shift began to fill the tower to a normal depth, although the level indicator was not functioning properly. The night lead operator stopped filling the tower when the DCS indicated the level was 8.95 feet (99%), although it was actually 13.3 feet. The inexperienced day shift operator started the process and began pumping in feedstock, although there was no indication that anything was going downstream. By 11:50 am, the level in the tower had reached 98 feet, but the DCS still said 8.4 feet (88%). In less than an hour, it was up to 140 feet, and at 1:14 pm it began to flow out of the overhead piping to the blowdown drum. At 1:20 pm, liquid was released out of the stack, formed a vapor cloud, ignited, and exploded.
There were four level sensors that were inoperative during this incident, which represented all the level sensors in the immediate system. Since the tower was a distillation column, it was not intended to be filled like a storage tank. The maximum level under normal operation was less than 10 feet. The basic process control level sensor was sending a reading to the DCS, but it ended up giving a terribly inaccurate reading. The normal way to perform a check on this sensor was the sight glass, but for years, it had been too dirty to use. The high-level alarm sensor was worn out and the mechanism locked up so that it could not respond.
There was no other level sensor on the tower. Even if they had all been functioning normally, once liquid got above the high-level alarm sensor, the operator had no way to determine if the depth was 12, 50, or 150 feet.
The fourth level sensor that failed was on the blowdown drum. It had a damaged float and could not warn that the drum was going to overflow. This would not have prevented the incident, but it could have at least sounded an alarm to get people to evacuate the area.
Allowing the condition of the equipment to deteriorate to the point where none of the level sensors were functional combined with the decision to restart the unit without adequate safety checks suggest an environment where production concerns were placed ahead of safety.