Abstract

In 2005 an explosion rocked the BP Texas City refinery, killing 15 people and injuring 180. The company incurred direct and indirect financial losses on the order of billions of dollars for victims’ compensation as well as significant property damage and loss of production. The internal BP accident investigation and the Chemical Safety Board investigation identified a number of factors that contributed to the accident. In this work, we first examine the accident pathogens or lurking adverse conditions at the refinery prior to the accident. We then analyze the sequence of events that led to the explosion, and we highlight some of the provisions for the implementation of defense-in-depth and their failures. Next we identify a fundamental failure mechanism in this accident, namely the absence of observability or ability to diagnose hazardous states in the operation of the refinery, in particular within the raffinate splitter tower and the blowdown drum of the isomerization unit. We propose a general safety–diagnosability principle for supporting accident prevention, which requires that all safety-degrading events or states that defense-in-depth is meant to protect against be diagnosable, and that breaches of safety barriers be unambiguously monitored and reported. The safety–diagnosability principle supports the development of a “living” or online quantitative risk assessment, which in turn can help re-order risk priorities in real time based on emerging hazards, and re-allocate defensive resources. We argue that the safety–diagnosability principle is an essential ingredient for improving operators’ situation awareness. Violation of the safety–diagnosability principle translates into a shrinking of the time window available for operators to understand an unfolding hazardous situation and intervene to abate it. Compliance with this new safety principle provides one way to improve operators’ sensemaking and situation awareness and decrease the conditional probability that an accident will occur following an adverse initiating event. We suggest that defense-in-depth be augmented with this principle, without which it can degenerate into an ineffective defense-blind safety strategy.
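The safety–diagnosability principle can be checked mechanically on a plant model. The Python below is an added illustration, not code from the paper or from BP: it models a process unit as a small discrete-event system, builds the standard observer (the set of state estimates an operator can hold given only the reported events), and flags any estimate in which a hazardous state cannot be told apart from a safe one. The state names, events, and the two instrumentation configurations are hypothetical and constructed for the example; they are not taken from the accident record.

```python
from collections import deque

# Constructed example. A plant is a deterministic transition map
# {(state, event): next_state}. Events the control room can see (a transmitter
# reading, an alarm, a reported barrier breach) are "observable"; the rest are
# not. The observer below is the usual subset construction from discrete-event
# systems theory; the "ambiguous estimate" check encodes the requirement that
# hazardous states be diagnosable from what is actually reported.

def unobservable_reach(transitions, states, observable):
    """Close a set of states under all unobservable events."""
    reach = set(states)
    work = list(states)
    while work:
        s = work.pop()
        for (src, ev), dst in transitions.items():
            if src == s and ev not in observable and dst not in reach:
                reach.add(dst)
                work.append(dst)
    return frozenset(reach)

def build_observer(transitions, initial, observable):
    """Breadth-first construction of every state estimate reachable by observation."""
    start = unobservable_reach(transitions, {initial}, observable)
    seen = {start}
    queue = deque([start])
    while queue:
        est = queue.popleft()
        for ev in observable:
            nxt = {dst for (src, e), dst in transitions.items() if src in est and e == ev}
            if not nxt:
                continue
            nxt = unobservable_reach(transitions, nxt, observable)
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def ambiguous_estimates(transitions, initial, observable, hazardous):
    """Estimates mixing hazardous and safe states: the operator cannot diagnose which holds."""
    return [est for est in build_observer(transitions, initial, observable)
            if est & hazardous and est - hazardous]

def satisfies_safety_diagnosability(transitions, initial, observable, hazardous):
    """True when every reachable estimate is either entirely safe or entirely hazardous."""
    return not ambiguous_estimates(transitions, initial, observable, hazardous)

# Hypothetical model of a splitter tower that can overfill into a blowdown drum.
TRANSITIONS = {
    ("normal", "feed_on"): "high_level",
    ("high_level", "feed_off"): "normal",
    ("high_level", "level_above_range"): "overfilled",   # level leaves the transmitter's range
    ("overfilled", "overflow"): "drum_receiving",         # liquid reaches the blowdown drum
}
HAZARDOUS = frozenset({"overfilled", "drum_receiving"})

# Configuration A (hypothetical): only the feed valve position is reported. Nothing
# tells the operator the level has gone above range or that the drum is filling.
OBSERVABLE_A = frozenset({"feed_on", "feed_off"})
# Configuration B (hypothetical): an independent high-level alarm and a drum level
# indication report each barrier breach, as the principle requires.
OBSERVABLE_B = OBSERVABLE_A | {"level_above_range", "overflow"}

if __name__ == "__main__":
    for name, obs in (("A", OBSERVABLE_A), ("B", OBSERVABLE_B)):
        amb = ambiguous_estimates(TRANSITIONS, "normal", obs, HAZARDOUS)
        verdict = "satisfied" if not amb else "violated"
        print(f"configuration {name}: safety-diagnosability {verdict}")
        for est in amb:
            print("  ambiguous estimate:", sorted(est))
```

Under configuration A the only estimate the operator can reach after `feed_on` is {high_level, overfilled, drum_receiving}, so the hazardous states are indistinguishable from a routine high level and the principle is violated. Under configuration B every estimate is a single state, so each barrier breach is diagnosable the moment it is reported. Running the check against candidate instrumentation changes is one concrete way to feed a "living" risk assessment: an ambiguous estimate marks a hazard that the current sensors cannot surface in time.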
