Leadership and management engagement in dealing with significant risks to people and the environment in the petrochemicals sector was still lacking, and major hazard industries had “not yet taken on board vital lessons in process safety leadership, health, safety and environmental management.”
Official Buncefield Report findings include these statements;
• Process safety controls on safety critical operations were not maintained to the highest standard. Senior managers did not apply effective control.
• Auditing systems were not effective, auditing and monitoring arrangements focused on whether a system was in place. Audits did not test systems quality or even effective use.
• Designers, manufacturers, installers and maintenance contractors did not have an adequate knowledge of the environment in which the equipment was used.
• Contractors were unable to make the right decisions about standards needed to apply to their work.
• Operators should not take work of contractors for granted. HOSL did not act as an ‘intelligent customer’ and could not be assured of the service they were obtaining from contractors. They did not provide the necessary expertise or adequate resources to achieve this.
• In preparing its safety report HOSL missed an ideal opportunity to look critically at its own systems and managerial arrangements intended to ‘prevent major accidents and limit their consequences to persons and the environment’ (COMAH Regulation 4).
Disaster lessons repeated
A gas explosion at Longford, Australia in 1998 identified similar factors as at Buncefield;
• Poor communication at shift handover.
• Lack of engineering expertise on site.
• Failure to implement management of change processes.
Similar findings were made on the explosion and fire at Texas City Refinery in USA in March 2005;
• Management had failed to address safety critical process controls.
• Process safety protection systems should not rely on operator response to alarms.
• Overfill protection should be independent of normal operational monitoring.
• Leadership and top level engagement in dealing with significant risks to people and the environment in this industrial sector was lacking.
• Major hazard industries had not yet taken on board vital lessons in process safety leadership, health, safety and environmental management, and control of major hazards.
Major incident summary
On the night of Saturday 10 December 2005, Tank 912 at Hertfordshire Oil Storage Limited (HOSL) of Buncefield oil storage depot was filling with petrol. The tank had two forms of level control: a gauge to monitor filling, and an independent high level switch (IHLS) to close operations when overfilled.
The first gauge stuck, and the IHLS was inoperable. Large quantities of petrol overflowed. A vapour cloud ignited and a fire lasted five days.
The gauge had stuck intermittently after the tank had been serviced in August 2005. The IHLS needed a padlock to retain its check lever in a working position, but the switch supplier did not communicate this to the installer, maintenance contractor, or operator, and the padlock was not fitted.
A bund retaining wall around the tank (secondary containment) and a system of drains and catchment areas (tertiary containment) failed. Fuel and firefighting liquids entered groundwater. Containment systems were inadequately designed and maintained.
Design, management failures
Failures of design and maintenance in overfill protection and containment were the technical causes of the initial explosion and seepage. Underlying these causes were broader management failings.
Management systems at HOSL relating to tank filling were deficient and not followed, despite independent audit.
Pressures on staff had been increasing before the incident. The site was fed by three pipelines, two of which control room staff had little control over in terms of flow rate and timing. Staff did not have sufficient information easily available to manage storage of incoming fuel.
Throughput had increased at the site. There was lack of engineering support from head office. The culture, ethic and value was keyed on keeping the process operating.
Process safety principles
The Buncefield report does not identify new learning about major accident prevention, but reinforces known process safety management principles;
• Understand major risks, and safety critical systems, at all levels and organisations involved in supplying, installing, maintaining and operating controls.
• Maintain systems and culture to detect signals of failure, and respond quickly.
• Allocate time and resources to process safety procedures.
• Audit risk management systems in practice.
• Maintain clear and positive process safety leadership, with board level involvement and competence, aimed at major hazards.
Incident investigation procedure
Following the explosion and fire at Buncefield, the UK Health and Safety Commission set up an independently chaired Major Incident Investigation Board (MIIB) that published nine reports by 2008. (visit www.buncefieldinvestigation.gov.uk)
Legal constraints prevented the Board from publishing certain information about the root causes during criminal proceedings, now publishable in 2010. A statutory investigation team, after four years, summarised conclusions in 2011.
Buncefield oil storage and transfer depot tank farm had three sites under Control of Major Accident Hazards Regulations, to store 194 000 tonnes of hydrocarbon fuels. Fuel was transported to these sites through three pipelines.
Safety systems failure
Safety management systems at the HOSL site were embedded in the safety report that is required to be produced for a top-tier COMAH site, but the document and the safety management systems did not reflect what actually went on.
A critical parts list was required for maintenance, and stated to have been critically reviewed in a risk assessment, but the list had no rationale. The safety report required a management of change exercise for replacing critical equipment, but no such procedure was considered when an IHLS on Tank 912 was replaced in 2004.
Loss of secondary and tertiary containment at HOSL and BPA can be traced back to failings in safety management systems. Bunding failures resulted from several root causes within the safety management system.
Bunds should be treated as safety critical equipment. They should be designed, built, operated, inspected and maintained to ensure that they remain fit for their containment purpose.
Management system deficiencies
Operators’ management systems were inadequate in several respects. Risk assessments did not consider implications of more than one tank being on fire.
They did not assess release of large volumes of fuel and firefighting water.
Risk assessments failed to consider that bunds may fail structurally due to fire, as well as their capacity being exceeded.
Systems for control of contractors, including those designing and constructing bunds, did not ensure bunding work was in accordance with good practice.
Management of change procedures were not adequately applied to bund projects. Changes during design and construction were not reviewed in terms of impact on the ability of the bund to retain liquids.
Bunds were not subject to adequate inspection and maintenance. No periodic review of the bunds’ characteristics compared to updated standards and guidance.
Bund failures were not treated as ‘near misses’ to trigger investigation. Collectively, these failings represent many missed opportunities for the operators to ensure better bunding.
Site management failure
Operations of HOSL site were undertaken and managed by Total employees. It was incumbent on Total management to provide day to day staff support, but the principal did not ensure receipt of support service like engineering expertise.
Operations Managers and Terminal Co-ordinators had too much work to do. The latter was given insufficient direction on how to prioritise and had insufficient expertise and resources to cope with the duties. He was given little help in implementing the safety management system.
A Loss Control Manual was handed down to the site by Watford Head Office, but not implemented. A list of safety critical parts was required, but the resulting list was inaccurate.
There was no adequate framework to set process safety indicators, such as measurement of a number of relatively simple indicators to detect problems.
The safety management system focused closely on personal safety and lacked depth about control of major hazards, particularly in relation to primary containment.
A safety report was prepared by a contractor, but never scrutinised by HOSL Board, which met only twice a year, and was informed of health, safety and environmental issues by a Terminal Manager. A hands-off approach was insufficient oversight to achieve stringent managerial framework required at a major hazard site.
The board had unjustified confidence in safety and environmental performance. There was a delay in employing a ninth supervisor, and failure to provide finance for tertiary bunding.
Aspects of the Terminal Manager’s report were ‘aspirational’, rather than a true reflection of conditions on site. The board of HOSL did not grasp its legal responsibilities, and aimed at financial management convenience.
Clear and positive process safety leadership is at the core of a major hazard business and is vital to ensure that risks are effectively managed. It requires board level involvement and competence. Board level visibility and promotion of process safety leadership is essential to set a positive safety culture throughout an organisation.
Outcome of criminal proceedings
Five companies were charged with offences arising out of the investigation of the Buncefield incident, several in terms of Major Hazard Regulations. Proceedings were completed at St Albans Crown Court on 16 July 2010.
Total UK Limited pleaded guilty to failing to ensure the safety of its employees so far as was reasonably practicable (fined £1 000 000), failing to ensure the safety of persons not in its employment so far as was reasonably practicable (fined £1 000 000), and causing pollution of controlled waters (fined £600 000).
Hertfordshire Oil Storage Limited was found guilty of failing to take all measures necessary to prevent major accidents and limit their consequences to persons and the environment; fined £1 000 000, and to causing pollution of controlled waters; fined £450 000.
British Pipeline Agency Limited pleaded guilty to failing to take all measures necessary to prevent major accidents and limit their consequences to persons and the environment, fined £150 000, and to causing pollution of water; fined £150 000.
Motherwell Control Systems 2003 Limited was found guilty of failing to ensure the safety of persons not in its employment so far as was reasonably practicable; fined £1000.
TAV Engineering Limited was found guilty of failing to ensure the safety of persons not in its employment so far as was reasonably practicable; fined £1000.
PHOTO; Buncefield containment systems were inadequately designed and maintained, including piping passing loosely through piping holes.