Friday, March 04, 2011

Buncefield: Why did it happen?

Report published February 2011 and available at the HSE website.

Report subheading: "The underlying causes of the explosion and fire at the Buncefield oil storage depot, Hemel Hempstead, Hertfordshire on 11 December 2005"

On the night of Saturday 10 December 2005, Tank 912 at the Hertfordshire Oil Storage Limited (HOSL) part of the Buncefield oil storage depot was filling with petrol. The tank had two forms of level control: a gauge that enabled the employees to monitor the filling operation; and an independent high-level switch (IHLS) which was meant to close down operations automatically if the tank was overfilled. The first gauge stuck and the IHLS was inoperable – there was therefore no means to alert the control room staff that the tank was filling to dangerous levels. Eventually large quantities of petrol overflowed from the top of the tank. A vapour cloud formed which ignited causing a massive explosion and a fire that lasted five days.

The gauge had stuck intermittently after the tank had been serviced in August 2005. However, neither site management nor the contractors who maintained the systems responded effectively to its obvious unreliability. The IHLS needed a padlock to retain its check lever in a working position. However, the switch supplier did not communicate this critical point to the installer and maintenance contractor or the site operator. Because of this lack of understanding, the padlock was not fitted.

Having failed to contain the petrol, there was reliance on a bund retaining wall around the tank (secondary containment) and a system of drains and catchment areas (tertiary containment) to ensure that liquids could not be released to the environment. Both forms of containment failed. Pollutants from fuel and firefighting liquids leaked from the bund, flowed off site and entered the groundwater. These containment systems were inadequately designed and maintained.

Failures of design and maintenance in both overfill protection systems and liquid containment systems were the technical causes of the initial explosion and the seepage of pollutants to the environment in its aftermath. However, underlying these immediate failings lay root causes based in broader management failings:

Management systems in place at HOSL relating to tank filling were both deficient and not properly followed, despite the fact that the systems were independently audited.

Pressures on staff had been increasing before the incident. The site was fed by three pipelines, two of which control room staff had little control over in terms of flow rates and timing of receipt. This meant that staff did not have sufficient information easily available to them to manage precisely the storage of incoming fuel.

Throughput had increased at the site. This put more pressure on site management and staff and further degraded their ability to monitor the receipt and storage of fuel. The pressure on staff was made worse by a lack of engineering support from Head Office.

Cumulatively, these pressures created a culture where keeping the process operating was the primary focus and process safety did not get the attention, resources or priority that it required.

This report does not identify any new learning about major accident prevention. Rather it serves to reinforce some important process safety management principles that have been known for some time:

There should be a clear understanding of major accident risks and the safety critical equipment and systems designed to control them. This understanding should exist within organisations from the senior management down to the shop floor, and it needs to exist between all organisations involved in supplying, installing, maintaining and operating these controls.

There should be systems and a culture in place to detect signals of failure in safety critical equipment and to respond to them quickly and effectively. In this case, there were clear signs that the equipment was not fit for purpose but no one questioned why, or what should be done about it other than ensure a series of temporary fixes.

Time and resources for process safety should be made available. The pressures on staff and managers should be understood and managed so that they have the capacity to apply procedures and systems essential for safe operation.

Once all the above are in place: There should be effective auditing systems in place which test the quality of management systems and ensure that these systems are actually being used on the ground and are effective.

At the core of managing a major hazard business should be clear and positive process safety leadership with board-level involvement and competence to ensure that major hazard risks are being properly managed.
