Lessons from Buncefield
20 Jan 2009
At 7.00pm on 10 Dec 2005, a 14-inch pipeline began pumping aviation fuel at a rate of 550 m3/hr into a massive oil storage tank at the Buncefield Oil Storage Terminal, starting a chain of events - including the overfilling of the tank when the level shut-off and monitoring systems failed - that, early the next morning, led to one of the biggest ever explosions in peacetime Europe.
The investigation team, led by the UK’s Major Incidents Investigation Board (MIIB), has since produced a series of heavyweight reports into issues such as safety management at storage sites for fuels and other hazardous substances, environmental impact and planning around industrial sites. There have also been recent prosecutions of five companies (see News p6) over the incident, with the court cases set to start this month.
For all the paperwork, though, the basic cause of the accident was a lack of appreciation of the risks associated with handling such huge quantities of fuel and over-reliance on dated equipment and systems for preventing tank overflows - including, reportedly, the misuse of a simple padlock on the level sensing system.
A common denominator here seems to be human error at various levels of the oil storage operation. The incident also suggests a lack of drive to invest in safety equipment and systems, or to fully embrace the philosophy and approaches to functional safety set out in the IEC 61508 and IEC 61511 standards.
A key lesson from Buncefield is that at site level process safety must be secured by automatic systems, without reliance on human intervention. Moreover, senior management should be responsible for delivering and maintaining site safety regimes, based on systems that minimise the impact of human error and make its occurrence less likely.
Indeed, the MIIB recommendations include a mandatory requirement that overfill must be prevented by independent and automatic means so that operators cannot rely on human intervention, for example in responding to an alarm and then taking executive action.
The MIIB also called for a move away from the use of simple high-level switches and towards more advanced ‘fail-safe’ sensors, especially those certified for use in SIL2/3 applications in accordance with BS EN 61511. Tank gauging systems often employ mechanical servo gauges to sense the liquid level, but these gauges can be vulnerable to a number of potential failure modes, the Buncefield investigators’ report noted.
“With the increased standards installed as recommended by the MIIB, the risks of another ‘Buncefield’ will undoubtedly be reduced, but are they reduced enough?” asks Dr Andrew Fowler, a principal consultant at HFL Risk Services Ltd, who spent 16 years at the HSE, where he chaired a working group on emergency arrangements post-Buncefield.
According to Fowler, while the MIIB is quite correct in focusing on the prevention of overfilling of tanks, all the improvements concerning the design and operation it has recommended rely on ensuring that there are a number of layers of protection.
“This is the ‘Swiss cheese’ approach - the more layers of holey Swiss cheese present between the cause and effect, the less chance there is of the holes lining up and allowing the event to occur. The trick, however, is deciding on how many layers of protection are necessary,” he said.
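As an added illustration of Fowler’s question about how many layers are needed (example code written for this article, not from the MIIB reports, HFL or Honeywell), the following Python runs the layers-of-protection arithmetic for a constructed overfill scenario: each independent layer’s probability of failure on demand multiplies down the initiating-event frequency, a layer fed by the same gauge as another earns no credit, and taking the operator out of the loop, as the MIIB recommends, shows what SIL the automatic trip must then reach. All frequencies and PFD values are assumptions; the SIL bands are the IEC 61508 low-demand ranges.

```python
"""Layers-of-protection arithmetic for a tank-overfill scenario (added example;
all frequencies and PFD values are constructed, not Buncefield figures)."""
from dataclasses import dataclass

# IEC 61508 low-demand bands: SIL -> [lower, upper) bound on average PFD.
SIL_BANDS = {1: (1e-2, 1e-1), 2: (1e-3, 1e-2), 3: (1e-4, 1e-3), 4: (1e-5, 1e-4)}

@dataclass(frozen=True)
class Layer:
    name: str
    pfd: float           # probability of failure on demand
    independent: bool    # shares no sensor, logic or person with another layer
    human: bool = False  # relies on an operator acting on an alarm

def residual_frequency(initiating_per_year, layers, credit_human=True):
    """Initiating-event frequency times the PFD of every creditable layer.
    A layer fed by the same gauge as another is not an extra slice of cheese
    (its holes line up with the first layer's), so it earns no credit. With
    credit_human=False the operator is removed from the safety loop."""
    f = initiating_per_year
    for layer in layers:
        if layer.independent and (credit_human or not layer.human):
            f *= layer.pfd
    return f

def required_rrf(initiating_per_year, tolerable_per_year, layers, credit_human=True):
    """Risk reduction factor still missing once the existing layers are credited."""
    residual = residual_frequency(initiating_per_year, layers, credit_human)
    return max(residual / tolerable_per_year, 1.0)

def sil_for_rrf(rrf):
    """SIL one extra safety function must reach to supply rrf. 0 means no
    SIL-rated function is needed (RRF below 10); None means even SIL4 is
    not enough and the design itself has to change."""
    pfd_needed = 1.0 / rrf
    if pfd_needed >= 0.1:
        return 0
    for sil, (lo, hi) in sorted(SIL_BANDS.items()):
        if lo <= pfd_needed < hi:
            return sil
    return None

# Constructed scenario: the transfer runs past the intended level 0.1 times a
# year and the site tolerates one overflow per million years.
INITIATING, TOLERABLE = 0.1, 1e-6
LAYERS = [
    Layer("operator responds to high-level alarm", 0.1, independent=True, human=True),
    Layer("auto shut-off driven by the same servo gauge", 0.01, independent=False),
    Layer("separate high-high switch trips the inlet valve", 0.005, independent=True),
]
```

With the operator credited the scenario still needs a risk reduction factor of 50 (a SIL1 extra layer); with the operator excluded the gap becomes 500 and the extra layer must be SIL2.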
For his part, Kees Kemps, director of sales at Honeywell Process Solutions (HPS), based in The Netherlands, believes: “Awareness of safety in the process industries overall is stepping up, but at a very slow pace. Incidents such as Buncefield increase awareness of safety up to the very top of a company, but then after a few days, weeks, months it comes back to normal again.
“Buncefield has created some turbulence in the users’ world, examining that kind of application, making sure that a culmination of two or three faults are covered.”
This has led to some significant improvement in risk analysis and risk (SIL) classification, though the HPS expert still sees a lack of clarity in the market when it comes to choosing solutions to the requirements identified by this risk assessment work.
Industry observers note different approaches to safety and its execution in continental Europe compared with the US and UK. In continental Europe you see qualitative safety: prove that the function is there and everything is working okay, and exclude people from the whole safety regime, in line with IEC 61508. In the Americas and UK, however, the approach is more flexible, with more emphasis on reliability data, as encompassed by IEC 61511.
Human intervention remains a difficult issue worldwide, noted the HPS executive. Some companies, he said, have a corporate safety strategy, philosophy or operational procedures where human interaction is still acceptable as part of the procedures, while other companies exclude this entirely.
“Any standard, norm or guideline has a certain freedom of interpretation,” added Kemps. “It is down to the individual person how he translates the rules into practical execution. Some play very strict and exclude human intervention, for others such intervention is fully included. Both are correct within the corporate philosophy and their interpretation of the safety bible.”
Global suppliers have to follow end-users’ interpretations of both the 61508 and 61511 standards, which are essentially guidelines that must be translated into operational procedures within each company.
Some companies adopt 61508 and 61511 and really tune all their safety procedures strictly to the standard, while others do it with more flexibility, according to Kemps. HPS, he said, supports all camps, while promoting qualitative measures as much as possible and excluding human intervention from the safety loop.
“More than 90% of issues are caused by human errors; if you can solve that, you have a good solution. The target should be to define what the safety function is within the automation system and delegate it to a safety manager system with programming that will do it 24/7, 365 days a year,” said the HPS expert.
Overall, though, risk management is the responsibility of the company’s board of directors, believes Kemps, who concluded: “In the safety world the key enabler is discipline. Ultimately you need to get your troops organised.”
Likewise, Fowler at HFL Risk Services concluded: “What’s required is not adherence to standards per se, but deep thinking about your particular installation. Companies need to demonstrate to themselves that they are doing enough and continually reviewing that this is the case. Only then can senior managers confidently know that the risks from their installations are assured and under control.”