10 May 2013
The Buncefield Incident

On a Saturday night early in December 2005 a person was filling their car tank with petrol. This was a scene that was happening in many service stations around the UK. You put the hose in the tank, start pumping, and wait for that little *click* which shuts off the pump and tells you that the tank is full.

Only this wasn’t a car petrol tank, this was Tank 912 at the Hertfordshire Oil Storage Limited part of Buncefield Depot. The little *click* was supposed to come from a device called the Independent High Level Switch. The word “independent” tells you that this was supposed to be a backup system. If you’re filling your car, you are the backup system. If the switch doesn’t work, you get petrol on your shoes, and you stop pumping. For Tank 912, there were two other systems to tell the operator how full the tank was. They’d stopped monitoring these systems, relying on the independent high level switch. To continue the analogy, this is as if you used duct tape to keep the petrol hose turned on, and then walked away, trusting that the pump would stop itself when the tank was full.

The Independent High Level Switch was produced by an organisation called TAV Engineering. They knew that this switch was being used in high risk environments, so they had a responsibility to consider hazards in designing the switch. It was a multi-purpose switch, which could be installed to trigger on either low levels or high levels. The position of a lever determined which mode the switch was in. A padlock was used to hold the lever in the correct position.

In safety language, we have a hazard for the tank, which is to overflow. We are supposed to have multiple protections against the hazard, but our operations have evolved so that we are relying on a single protection, the independent high level switch. This switch has a dangerous failure mode, which is to have the lever in the wrong position. The only protection we have against the failure mode is a padlock. This padlock does not actually exist.

Hertfordshire Oil Storage Limited hired Motherwell Control Systems to install the tank monitoring. Motherwell Control Systems bought the switch from TAV Engineering, but never realised the safety significance of the padlock. They thought it was an anti-tamper device, and didn’t bother to install it.

Early on Sunday morning Tank 912 overflowed, with 250,000 litres of fuel spilling into the area around the tank. A large vapour cloud formed, with a diameter of around 360 metres. Workers noticed the vapour cloud, and triggered the alarm and fire system. It’s a good thing they didn’t use the big red button on the tank filling console, because it wasn’t connected to anything. Actually, it’s not a great outcome anyway, because electrical sparks coming from the fire pumps starting up were probably the ignition source for the subsequent explosion.

Luckily, because it was in the early hours of Sunday morning when the explosion occurred, not many people were around. No one was killed, but 40 people were injured and 20 other fuel tanks caught fire. It was the largest peacetime fire ever seen in the UK. Tank farms contain earth or cement barriers called bunds which are used to hold any spilled liquids. At Buncefield some of these worked, but some leaked badly, allowing burning fuel, fire suppressant foam and contaminated water to drain into the ground for a considerable distance around the site.

The lessons from Buncefield aren’t new, but they are important. System safety requires operators such as Hertfordshire Oil Storage Limited to act as intelligent customers. Like many hazardous installation operators, they outsourced their safety analysis to a consultant, without retaining enough in-house capability to assess, interpret and use that analysis sensibly.

The equipment they were using included application safety requirements – things that the operator needed to do to keep the equipment safe, and monitor its effectiveness. As it happened, they were never given these requirements – that’s the fault of both the operator AND the people who sold them equipment.

It took more than the failed switch to cause the accident though. First, the other means of monitoring the tanks had to become ineffective. There was evidence that this equipment was not working as it should, but no one was systematically collecting the evidence, or acting on the knowledge. The operating procedures were not being followed, but again this was not being monitored or assessed for the safety implications. At a higher level of abstraction, no one had noticed that the defect recording system and the audit system were both defective.

Strangely enough, “no one told us we had a problem” isn’t a very good excuse coming from a board of directors. One of the prime responsibilities a director of a hazardous installation has is to ensure that there is a robust safety management system in place, so that they WILL KNOW if a problem exists. My personal view is that this requires someone at director level with safety management as their main responsibility.

The size of the explosion at Buncefield is given as one of the reasons why the containment was inadequate. All of the risk assessments assumed that a major spill and fire was the worst possible event on the site. At face value, this seems reasonable. The Kings Cross Underground fire illustrates that sometimes it takes a major accident to discover new and interesting ways for fire to behave. You could almost forgive the operators, consultants and regulators for their mistake, if it wasn’t for the BP Texas City disaster, 9 months before Buncefield, where an overfilled tank led to a massive vapour cloud explosion.

In the UK, oversight of hazardous installations is performed by a body called the Competent Authority, a joint effort by the Health and Safety Executive and the Environment Agency. The investigation board included members of the Competent Authority, but it was largely independent. The portion of the investigation covering the regulator, known as the “Policy and Procedures Report”, was not released until 2012, after the criminal proceedings arising from Buncefield had been settled. It is clear from this report and other documents that there has been internal soul searching and improvement of their own processes.

The main organisations involved in the Buncefield accident were required to provide the Competent Authority with a safety report, which includes reports of both predictive risk assessment and safety management systems. Buncefield made very clear that the mere existence of this report is not evidence of safety. Whilst the regulator checks the adequacy of the safety report, it is not the responsibility of the regulator to make sure the report is true and adequate. That responsibility lies with the owners and operators of installations, and it is not an obligation that can be outsourced.

The safety report in question had not been reviewed by the Competent Authority, more than two years after it had been provided. The facility operator hired a consultant to write a report, and then passed it on to the regulator, who did not complete their review. In fact, no one had fully reviewed the risk assessment.
