
Process safety in refining: keeping bow-ties alive on legacy assets

Norrsent Editor · 5 min read

The threat

An atmospheric distillation unit built in 1978 still processes 120,000 barrels a day at a coastal refinery in northwest Europe. The column, reboiler, and overhead system have been through three turnarounds, two control system migrations, and one partial refit. The original P&IDs exist as scanned PDFs. The current relief valve setpoints live in a different system. Operator training references a third.

Buncefield in 2005 was an overfilled gasoline storage tank: the level gauge stuck and the independent high-level switch failed to operate. Texas City in 2005 was an overfilled raffinate splitter column during startup, with liquid hydrocarbon vented to atmosphere from a blowdown drum. Texas City killed 15 people; Buncefield injured more than 40, and the two incidents together cost billions. Both were on legacy units where the gap between design intent and operating reality had widened past the point where anyone could see it whole.

Bow-tie analysis suits refining because the failure modes are well understood. Overpressure in a distillation column. Loss of level control in a separator. An ignition source near a hydrocarbon vapour release. The method works when the diagram reflects what is actually installed, maintained, and relied upon. It fails when the diagram becomes a compliance artefact that no one updates.

Risks it creates for the enterprise

A vapour cloud explosion on a refinery site kills operators, damages adjacent units, and stops production for months. Seveso III requires upper-tier establishments to demonstrate that major accident hazards are identified and controlled. A bow-tie that lists a pressure relief valve decommissioned in 2019 or an interlock bypassed during the last turnaround is evidence of a failed safety management system.

The financial consequence is immediate. A three-month outage on a 120,000 bpd unit is roughly $130 million in lost margin at $12 per barrel (120,000 bpd × 90 days × $12). Seveso III sets no fine levels itself; it requires member states to impose penalties that are effective, proportionate and dissuasive, which in Germany means administrative fines under the BImSchG and the Störfall-Verordnung, with criminal proceedings on top where people are killed. Reputational damage extends to the parent company's licence to operate across the portfolio.

The regulatory consequence is slower but deeper. The Health and Safety Executive in the UK and equivalent national authorities in DACH conduct on-site inspections where they walk the plant with the bow-tie in hand. If the diagram shows a high-integrity pressure protection system that was downgraded to a basic process control system alarm five years ago, the inspection report will say the operator does not know its own barriers. That finding travels.

Likelihood-reducing controls

The preventive side of the bow-tie for an atmospheric distillation unit starts with high-integrity protective instrumentation. A safety instrumented function rated SIL 2 under IEC 61511 (the process-sector application of IEC 61508) trips the feed pump and opens the depressuring path before column pressure reaches the relief valve set point, so the relief valve is the second line rather than the first. That function must be proof-tested on schedule (typically every 24 months) with test records that close the loop back to the bow-tie, because the SIL it achieves depends on the test interval actually realised in service, not the one written on the diagram.

Mechanical integrity inspection cadence matters more than the inspection itself. A thickness survey on the column shell every four years will detect corrosion before it becomes a leak path. The survey schedule, the acceptable thickness limits, and the escalation procedure when a reading falls below tolerance are all controls. If the bow-tie lists "four-year UT survey" but the last survey ran six years ago, the barrier does not exist.

Operator competency is a control when it is specific. "Trained operators" is not a barrier. "Operators qualified on high-pressure column startup procedure Rev 4, revalidated every 18 months, with simulator time on overpressure scenarios" is a barrier. The difference is whether you can audit it.

Management of change closes the loop. A modification to add a sidestream draw changes the hydraulic profile of the column. That changes the relief load case. If the relief valve was sized for the original configuration, it may no longer be adequate. The bow-tie must be updated at the same time as the P&ID, or the diagram becomes historical fiction.
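The check below is an added example for this article, not part of the original text and not Norrsent's tooling. It reads a barrier register and performs the audit an inspector does with the bow-tie in hand: is the evidence for each barrier (proof test, UT survey, operator requalification) within the interval the diagram claims, does the referenced asset still exist, and for the safety instrumented function, what SIL does it actually achieve at the proof-test interval realised in service rather than the one on paper? The PFD equations are the simplified IEC 61508-6 forms for 1oo1 and 1oo2 architectures (repair time and detected failures ignored). The barrier tags, dates and the dangerous undetected failure rate of 8e-7 per hour are constructed for illustration and are not taken from any real unit.

```python
"""Liveness check for a bow-tie barrier register; all data is constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

HOURS_PER_YEAR = 8760.0
AS_OF = date(2026, 4, 1)  # audit date for the constructed register below


def pfd_avg(lambda_du: float, test_interval_h: float,
            arch: str = "1oo1", beta: float = 0.1) -> float:
    """Average probability of failure on demand, IEC 61508-6 simplified form
    (repair time and detected failures ignored).

    lambda_du: dangerous undetected failure rate per hour, per channel.
    beta: common-cause factor, used only for the redundant 1oo2 case.
    """
    x = lambda_du * test_interval_h
    if arch == "1oo1":
        return x / 2.0
    if arch == "1oo2":
        return x ** 2 / 3.0 + beta * x / 2.0
    raise ValueError(f"unsupported architecture {arch!r}")


def sil_band(pfd: float) -> int:
    """Low-demand SIL band per IEC 61508-1; 0 means below SIL 1 (values
    under the SIL 4 floor of 1e-5 are still reported as 4)."""
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd < upper:
            return sil
    return 0


def months_between(start: date, end: date) -> int:
    """Whole months elapsed from start to end."""
    months = (end.year - start.year) * 12 + (end.month - start.month)
    if end.day < start.day:
        months -= 1
    return months


@dataclass
class Barrier:
    barrier_id: str
    description: str
    interval_months: int                # interval the bow-tie claims
    last_evidence: Optional[date]       # last test / survey / requalification
    decommissioned: bool = False
    sil_claimed: Optional[int] = None   # SIS barriers only
    lambda_du: Optional[float] = None   # per hour, per channel
    arch: str = "1oo1"


def assess(b: Barrier, as_of: date) -> dict:
    """Status and findings for one barrier on the audit date."""
    findings = []
    if b.decommissioned:
        findings.append("asset decommissioned but still drawn on the bow-tie")
    if b.last_evidence is None:
        elapsed = None
        findings.append("no test or survey record on file")
    else:
        elapsed = months_between(b.last_evidence, as_of)
        if elapsed > b.interval_months:
            findings.append(f"evidence {elapsed} months old against a "
                            f"{b.interval_months}-month interval")
    sil_achieved = None
    if b.sil_claimed is not None and b.lambda_du is not None:
        # The interval that counts is the one realised in service: an overdue
        # proof test means the SIS has been running on the longer interval
        # regardless of what the diagram says.
        realised = b.interval_months if elapsed is None else max(b.interval_months, elapsed)
        pfd = pfd_avg(b.lambda_du, realised / 12.0 * HOURS_PER_YEAR, b.arch)
        sil_achieved = sil_band(pfd)
        if sil_achieved < b.sil_claimed:
            findings.append(f"SIL {b.sil_claimed} claimed, SIL {sil_achieved} achieved "
                            f"at a realised {realised}-month interval (PFDavg {pfd:.1e})")
    return {"id": b.barrier_id, "status": "live" if not findings else "dead",
            "sil_achieved": sil_achieved, "findings": findings}


def assess_register(register, as_of: date = AS_OF) -> dict:
    return {b.barrier_id: assess(b, as_of) for b in register}


# Constructed register for a hypothetical 1970s atmospheric distillation unit.
REGISTER = [
    Barrier("PSV-201", "column overhead relief valve", 60, date(2018, 5, 14),
            decommissioned=True),
    Barrier("UT-COL-01", "column shell UT thickness survey", 48, date(2020, 3, 2)),
    Barrier("SIS-PZ-101", "column high-pressure trip", 24, date(2021, 10, 1),
            sil_claimed=2, lambda_du=8e-7),
    Barrier("OPS-SU-R4", "operators qualified on startup procedure Rev 4", 18,
            date(2025, 6, 1)),
]

if __name__ == "__main__":
    for r in assess_register(REGISTER).values():
        print(r["id"], r["status"], *r["findings"], sep=" | ")
```

Run stand-alone it prints one line per barrier. The SIS case is the one to note: proof-tested every 24 months the loop meets SIL 2 with margin, but 54 months after its last test it has been running at SIL 1, and a 1oo2 redundant arrangement at the same four-year gap would still hold SIL 2, which is the redundancy argument for loops that can only be tested at turnaround. The decommissioned relief valve and the six-year-old UT survey fail for the reasons the text gives: the diagram shows a barrier that no longer exists, or one whose evidence has lapsed.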

Impact-reducing mitigations

The consequence side assumes the event has started. An emergency shutdown system that isolates the unit and depressures to flare within 90 seconds limits the inventory available to burn. The system must be testable under load. Most refineries test it during turnaround when the unit is already down. That introduces a four-year gap between tests. Some operators have moved to partial testing (isolating one section at a time while the unit runs) but that requires design margin most 1970s units do not have.

Blast-resistant buildings for control rooms and occupied structures reduce fatality risk when the vapour cloud does ignite. The buildings must be sited outside the expected overpressure zone for the largest credible release. That calculation depends on the inventory in the column, the release rate, the time to isolation, and the wind speed. If any of those assumptions change, the safe distance changes.

Mutual aid agreements with neighbouring sites and the local fire brigade provide foam, water, and personnel beyond what the refinery holds on site. The agreements must be exercised. A desktop drill every two years is not sufficient. A live deployment with foam application on a simulated pool fire shows whether the equipment works and whether the responders know the site layout.

Post-event investigation procedure is a mitigation because it determines whether the next incident will be smaller. A root cause analysis that stops at "operator error" or "equipment failure" does not update the bow-tie. An analysis that identifies the latent condition (the management of change process that did not trigger a relief valve review, the inspection schedule that was deferred twice) feeds back into the likelihood controls.

The atmospheric distillation unit will run another decade. The bow-tie must run with it, updated every time a barrier changes, tested every time a test is possible, and audited by someone who knows the difference between a diagram and a defence.