Industrial Accidents 2.1 Accidents
2.4 The Importance of Accidents
2.4.6 Buncefield Disaster
The Buncefield disaster is one of the major incidents in the process industry. This paragraph has been written taking inspiration from [34, 46].
In 2005, the Buncefield oil storage depot experienced an unconfined vapor cloud explosion as never seen before, resulting in severe
economic losses and, fortunately, in no victims. The storage and transfer depot was a tank farm 40 km northwest of London. In
December 2005, three different operating sites were at the depot; all of them were “top tier” sites under the Control of Major Accident Hazards Regulations 1999 (COMAH). The fuel was transported using three different pipelines. Fuels were transported in batches and were separated into dedicated tanks according to their grades. Road tanks loaded the fuel to transport it from the depot to the final destination.
The storage depot also served the Heathrow and Gatwick airports.
Moreover, the depot was above a major aquifer, providing drinking water.
On Saturday, 10 December 2005, a batch of gasoline was transferred through the pipeline into Tank 912 (25 meters of diameter and 14.3 of straight side height), with a flow rate of 550 m3/h (at this rate, a car tank is emptied in 3 4 minutes). The tank was equipped with an Automatic Tank Gauging system (ATG) which measured the level in
the tank and displayed it on a screen in the control room. In the early hours of Sunday, 11 December 2005, at about 3.00 a.m., the display showed a constant value, that is to say it stopped registering the rising level, while the tank continued to fill. As a consequence, the three ATG alarms, set at different levels, could not operate.
However, the tank was also fitted with an Independent High Level Switch (IHLS) (Figure 2.42), which was intended to stop the filling process automatically when the level reached the high level, also producing a soundable alarm. But the IHLS failed and, starting from approx. 5.30 a.m., the tank overfilled and the fuel started to spill out of the vents in the tank roof.
Figure 2.42 The IHLS.
Source: [46]. Reproduced with permission.
Closed circuit TV shows that a white cloud suddenly formed, reaching a diameter of about 360 m. including a car park and Tank 12,
containing aviation kerosene. In 25 minutes, the cloud covered an area roughly 500 meters by 40 meters to a depth of 2–4 meters. The cloud was noticed by tanker drivers who alerted employees on site. The fire alarm button was pressed at 6.00 a.m., and the firewater pump was activated. Almost immediately, at 6.01 a.m., a vapor cloud explosion
occurred, probably ignited by a spark from the firewater pump
starting. The initial blast was recorded as 2.4 on the Richter scale. Two follow up explosions occurred next.
There were no victims, and more than 40 injured. The resulting fire engulfed 23 fuel tanks (some of which are shown in Figure 2.43) and burnt for almost five days, affecting an area of about 150.000 m2. The smoke cloud was visible in satellite photos. Moreover, fuel and
firefighting chemicals flowed from leaking bunds both on and off site, causing a significant environmental, social, and economic loss. Liquids also flowed down onto the M1 motorway, which was temporarily
closed. About 2000 people had been evacuated from their homes, and 180 firefighters were present, using 20 vehicles and 25 pumps. It took 32 hours to extinguish the main blaze. The quantifiable costs
approached US$1.6 million. The consequences on humans could be worst if the event would not have occurred on Sunday morning.
Figure 2.43 The site after the incident.
Source: © Chiltern Air Support. Taken from [46]. Reproduced with permission.
In order to investigate the vaporization phenomena and the resulting vapor cloud intensity, a full scale model (1:8) of the tank was
constructed. Tests confirmed the increased vaporization from splashing of the fuel on the wind girder, boosting the vapor cloud
formation.
The immediate causes of the incident are two:
The IHLS and the ATG system.
The IHLS was designed to be tested using a lever. There were three positions for the lever: the horizontal position was the normal
operating position, allowing the switch to work as intended. A padlock should be used to secure the lever in the horizontal position. To test the IHLS, the lever is raised to the upper position, activating the alarm circuit even if the floating lid is not high enough to activate it. Once the test is completed the lever would return to the horizontal position and secured with the padlock. However, the level switch can also be used to detect low levels of fuel in a tank; therefore, the check lever could be lowered too. Unfortunately, lowering the lever has no effect on the switch that is intended to operate in the high level mode. It is evident how the padlock played a critical role in safety issue concerning the IHLS. The IHLS fitted on Tank 912 was found with no padlock, leaving the lever free to fall in the lower position.
The ATG had stuck before the incident, and it was not the first time: it occurred 14 times between 31 August and 11 December 2005. When it happened, supervisors solved the problem by “stowing”.
This incident also teaches about ergonomics: there was only one visual display screen for the ATG system on a number of tanks: this means that the operator could only monitor the status of one tank at a time.
Going deeper in the incident investigation, the underlying management failures concern:
The control of incoming fuel. Indeed, flow rate suddenly increased from 550 m3/h to 900 m3/h, without the knowledge of supervisors;
the increase in throughput, since the adjacent terminal closed in 2002 and its throughput was absorbed into the terminal that suffered the incident;
the tank filling procedures. As previously discussed, it was possible to see the status of only one tank at a time. Moreover, supervisors
often relied on alarms to control the filling process. Therefore,
“when situations arise requiring staff to work outside the normal operating envelope they should be recorded and reviewed by management”;
the pressure of work, since fuel deliveries were unpredictable. To overcome this, supervisors developed their own systems, like a small alarm clock into the control room to track the filling procedure and that tanks were getting close to their capacity.
Moreover, working patterns did not help: supervisors worked 12 hours shifts for a total of 84 hours of working in seven days.
“Management has a duty to monitor working pressures on staff and take actions to keep workloads to acceptable levels so far as reasonably practicable”;
the inadequate fault logging, being absent any system to monitor key safety parameters. “Management should have in place systems to monitor the reliability of safety critical equipment”; and
contractor control systems. “For high hazard risks duty holders should have formal arrangements that specify the roles of all parties involved to ensure so far as is reasonably practicable that the highest standards are provided for safety critical equipment”.
Regarding the loss of secondary containment (i.e. the bund surrounding a tank or a group of tanks), the main causes were:
Bund joints, that do not retain liquid if they do not contain waterstops (preformed strips of durable impermeable material embedded in the concrete during the construction, providing a liquid tight seal during a range of joint movements);
tie bar holes, introduced to hold in place the formwork used to cast the concrete. They are penetrating through the bund, plugged and grouted; and
pipe penetrating through walls could no longer retain liquids when, for instance, a catastrophic failure of the walls at pipe penetrations happens or for the loss of seal between pipes and walls (Figure 2.44).
Figure 2.44 Pipe penetrations for the loss of seal between pipes and walls.
Source: [46]. Reproduced with permission.
At Buncefield, the tertiary containment, i.e. the means by which liquids can be contained/controlled within the site boundary, was virtually not in place. Indeed, the containment outside the bunding was designed for rainwater, not for large scale releases.
In conclusion, the management systems were inadequate because:
Risk assessments did not consider the implications of more than one tank being on fire. They also failed considering that bunds do not fail structurally or their capacity is never exceeded;
changes during the design and construction of bunds were not reviewed;
bunds failures were not treated as “near misses”
there was no periodic review on the bunds' characteristics;
the safety critical parts list was not provided: it was an example of the poor focus on major hazard systems and plant; and
the SMS focused too closely on occupational safety and lacked any
depth about the control of major hazards, including the loss of primary containment.
The report in [46] reminds that “good process safety management does not happen by chance and requires constant active engagement.
Safety management systems […] should specifically focus on major hazard risks and ensure that appropriate process safety indicators are used and maintained”.
The HSE final report listed 25 recommendations for design and
operation of fuel storage sites (to increase the defence provided by the primary containment – i.e. the tank , and to improve secondary and tertiary containment too), 32 recommendations on emergency
preparedness, and 21 recommendations about land use planning and control of societal risk. The 25 recommendations for design and
operation include also some broader strategic objectives relating to sector leadership and safety culture.
In conclusion, the process safety controls on safety critical operations were not maintained to the highest standard, senior managers did not apply effective control, and effective auditing systems were not in place. Moreover, it clearly emerged that high standards expected of operators of safety critical equipment apply equally to all those involved in the supply of that equipment.
Figure 2.45 shows the diagram developed by company Governors BV (NL) for the analysis, through RCA, of the Buncefield explosion. In the presented RCA diagram, the immediate, underlying, and root causes of the incidental event are depicted.
Figure 2.45 RCA of the Bouncefield explosion developed by company Governors BV (NL).
Source: Adapted from [20]. Reproduced with permission.