The Buncefield oil storage depot, in Hemel Hempstead, Hertfordshire, UK, consists of three operating sites – all defined as ‘top-tier’ major hazard sites. These sites received hydrocarbon fuels from three pipelines, originating at three different oil refineries in the UK. Most of the stored fuels were transported from the depot by road tankers, although jet aviation fuel was delivered from the site by pipeline to Heathrow and Gatwick airports. Buncefield was the fifth largest fuel distribution site in the UK and distributed fuels to London and the south-east of England.
On 10 December 2005 operators at the Buncefield depot started to fill storage Tank 912 with petrol delivered by pipeline from Coryton Oil Refinery in Essex. As the filling progressed, a series of technical issues led to high-level alarms failing to alert control room operators and an automatic shutdown system failing to activate.
At 0537 on 11 December, Tank 912 was overfilled and a large quantity of petrol overflowed from vents in the tank roof. The vapour cloud that formed around Tank 912 spread to around 360 metres in diameter and was noticed by road tanker drivers and members of the public. At 0601, after approximately 250,000 litres of petrol had escaped, the pressing of a manual fire alarm button sounded site alarms and also started a firewater pump.
Ironically, the significant vapour cloud was most probably ignited by a spark caused by this firewater pump. The ‘vapour cloud explosion’ was massive and led to many fires across the depot. There were no fatalities, partly due to luck, helped by the fact that the explosion occurred early on a Sunday morning and the adjacent industrial area was relatively quiet. The environmental effects included fuel and firefighting chemicals flowing down drains and soakaways, some of which had not been previously identified by the site operators.
Following the explosion, a Major Incident Investigation Board published eight reports, before the final report in 2008. A further publication was issued by HSE at the conclusion of the criminal proceedings. There is simply a huge amount of official investigation material in the public domain. I can’t possibly summarise all of this material in a short review; however, I intend to outline the key human and organisational factors in this incident.
Key technical failures
The tank being filled with petrol had two forms of level control: a gauge that enabled the employees to monitor the filling operation; and an independent high-level switch to close down operations automatically if the tank was overfilled.
- The gauge stuck – as it had been known to have done intermittently since the tank was serviced in August 2005. Neither site management nor the contractors who maintained the systems responded effectively to its obvious unreliability.
- The independent high-level switch required a padlock to lock it into a working position. However, the switch supplier did not communicate the importance of this padlock to the installer, the maintenance contractor or the site operator. Because of this lack of understanding the padlock was not fitted; and so on 11 December 2005 the high-level switch was inoperable.
There was therefore no means to alert the control room staff that Tank 912 was filling to dangerous levels.
Once the primary containment (i.e. Tank 912) failed, the overflowing petrol should have been contained by the retaining wall around the tank (the bund = secondary containment) – however, this also failed. With fuel and firefighting liquids leaking from the bund, the system of drains and catchment areas (tertiary containment) failed to prevent liquids from flowing offsite and entering the groundwater.
Human factors issues
I have summarised key issues from the investigation reports, using the list of human factors topics as a structure. Note that in the company’s terminology, ‘supervisors’ were the people who supervised the flow of fuels in and out of the storage facility, and could thus be described as control room operators or panel operators. They were not necessarily supervisors of personnel.
The discussion of supervisor actions below should certainly not be seen as a criticism of individual behaviours – the supervisors had effectively been ‘set up to fail’ by the system design and organisational failings; and they were most likely doing their best in difficult circumstances.
Although Hertfordshire Oil Storage Ltd (HOSL) was the company responsible for the Safety Report (the ‘Operator’ for the purposes of the major hazard Regulations), this company had a Board of directors but no employees. HOSL was a joint venture between Total UK Ltd and Chevron Ltd, but under the day-to-day management of Total UK Ltd. The Board met twice a year, and were kept informed of health, safety and environmental issues by the Terminal Manager.
Board-level visibility and promotion of process safety leadership is considered by HSE to be key. More widely though, strong and positive process safety leadership is clearly at the core of any major hazard, high-hazard or safety-critical business. HSE concluded that the HOSL Board did not grasp its major hazard responsibilities and that:
“Such a hands-off approach was clearly insufficient oversight to achieve the stringent managerial framework required for the control of a major hazard site. As with Total, it resulted in an unjustified confidence in the safety and environmental performance of the site” (HSE, 2011).
Human Machine Interface (HMI)
This is one of the key findings of the investigation, and to understand its importance, it is also key to have an appreciation of the supervisor’s tasks.
The supervisors relied heavily on an Automatic Tank Gauging (ATG) system to control tank filling. Only one computer was provided, with no backup, to run the entire ATG system. As there was only one screen to display the ATG data for a number of storage tanks, the status of only one tank could be fully viewed at a time. Often, three or four ‘windows’ (displaying data for different storage tanks) would be stacked on the computer screen, one behind another, and supervisors had to flip between windows to view tank data. During the filling of Tank 912, its display window was stacked behind several other windows on the display, and so was not visible to the supervisors.
Supervisors developed their own systems to overcome the deficiencies in the control and oversight system. For example, they used a small alarm clock as a reminder that tanks were getting close to full capacity.
I mentioned earlier that the storage depot received fuels from three pipelines, fed by three UK refineries. The supervisors only controlled the receipt of fuel from the Finaline pipeline (fed from Lindsey Oil Refinery in Humberside). Receipt of incoming fuel ‘batches’ from the other two pipelines (from Stanlow and Coryton Oil Refineries) was controlled from elsewhere and the Buncefield supervisors did not have access to the same computerised data or control system that they used for the Finaline pipeline.
Supervisors might not be informed whether these two pipelines were feeding the storage depot, nor would they have an easy way to determine the flow rates from these two pipelines (especially as more than one tank could be filling at any one time, and the tanks could be simultaneously feeding the road tanker loading bays).
Changes in the flow rates in these two pipelines were made elsewhere and sometimes the Buncefield supervisors were not informed of these changes. Shortly before the explosion, the flow rate in one of these pipelines was increased from 550 m³/hr to 900 m³/hr without the knowledge of the supervisors. When we also understand that, in the event of the independent high-level switch failing, an emergency shutdown could only be achieved by a telephone call to another terminal or activation of a manual call point on an adjacent site, we can build a picture of a lack of control over these two pipelines feeding the storage tanks.
This lack of control contributed to pressure on the supervisors, which was exacerbated by an understanding among them that if these two pipelines (over which they had little control) were slowed or stopped the site operator would incur a financial penalty.
Clearly, the lack of information and control undermined the ability of supervisors to plan and control the management of fuel movements – surely a key activity for a large fuel storage facility.
“In summary, there was no tank filling system worth its name. Considering that this was the single most important process control system to prevent loss of containment of fuel, this was a serious management failure in the control of a major accident hazard” (HSE, 2011).
There were three ‘high level’ alarms on the storage tanks:
- the ‘user high’ could be set by the supervisor to a value they chose, to indicate that some intervention was required;
- the ‘high’ level was set at a level in the tank below its maximum working level; and
- the ‘high-high’ level, which was set below the level at which the independent high-level switch was intended to operate.
The supervisors used these alarm levels differently. If the depot was struggling for storage space, the supervisors might allow the level in a tank to rise to the ‘high-high’ alarm – or even allow the level to exceed the high-high level. The supervisors relied on the alarms to control the filling process, contrary to good practice in the industry.
Although it may not have been a factor in this incident, the Automatic Tank Gauging (ATG) system security setting had been set so that all supervisors and other control room staff could modify any parameter – including being able to change the alarm settings.
The written work procedures for the filling process lacked detail and gave no guidance as to how to choose the tanks to be filled. The procedures did not state whether it was appropriate to deliberately fill a tank above the ‘high’ or the ‘high-high’ level. There was no guidance as to when to inform management of these instances, so they could be reviewed. There was not a system in place that would ensure all supervisors were filling storage tanks in a consistent and safe manner.
Supervisors worked 12-hour shifts and were scheduled to work five shifts in a row. No fixed breaks were scheduled; they took a break when operating conditions allowed. Supervisors worked large amounts of overtime and resisted the employment of an additional supervisor as this would result in a significant loss of income. Overtime sometimes led to them working 84 hours in a seven-day period. Further details on the fatigue aspects of the HSE investigation can be found in the article by Wilkinson and Bell (2015).
It is not unusual in the oil, gas and chemical industries for staff to favour certain working patterns for financial gain, despite these working arrangements often being unsuitable from a fatigue perspective. Some of my most difficult interventions as an HSE Specialist Inspector involved giving advice on shift patterns where I knew that the staff would be financially worse off as a result, especially when they had become accustomed to high levels of overtime and the associated salary.
Between the 1960s and the date of the incident, there had been a four-fold increase in throughput of fuel at the Buncefield depot, largely because closure of the adjacent Shell terminal in 2002 led to its throughput being absorbed into the HOSL terminal. The increase in fuel movements led to an inevitable increase in the number of road tanker loading operations.
The result of these changes was considerable pressure on the storage space available at the terminal. This in turn meant that when fuel was delivered by pipeline, ‘batches’ of fuel were diverted between several tanks to prevent overfilling. As fuel was simultaneously transferred into road tankers at the loading bays, storage space for incoming fuel became available. This increase in fuel movement clearly affected the workload of supervisors.
The pressure on storage capacity due to an increased throughput of fuel at the terminal, combined with an inability to predict incoming fuel deliveries (and rates of delivery) from two of the three pipelines, increased the workload of the supervisors.
Note that the supervisors had other duties besides the constant monitoring of the filling and emptying of tanks. They were not the only personnel feeling under pressure – the Operations Manager offered his resignation shortly before the incident because of the pressurised environment.
“All this added up to a system that put supervisors under considerable pressure” (HSE, 2011).
The overlap for supervisors between shifts was short, which reduced the time in which the outgoing shift could hand over key information to their incoming colleagues. Supervisors were not paid for this time. The handover documentation captured information for the Finaline only and did not robustly contain information on the other two pipelines (over which the supervisors had little control). The documentation that they used for this purpose only captured information at the end of the shift rather than recording events as they happened during the shift.
The HSE investigation found that on the night of the incident, large batches of unleaded fuel were being received from two different pipelines, and the supervisors were likely confused as to which pipeline was filling which tank. This confusion arose because of deficiencies in the shift handover procedures and the overlapping windows on the ATG system described above.
As with other incidents described on this website, we can see here how several human factors issues are at play. It’s easy to understand how the supervisors could be confused when they lacked control over fuel movements, had inadequate procedures, were likely suffering from fatigue, were under increased workload and relied upon unsuitable display screens for key data. These Performance Influencing Factors were starting to come together to influence their actions and decisions.
An electronic defect log had been created, but was not used consistently. For example, the sticking of the ATG gauge on Tank 912 was not recorded and the Operations Manager was unaware of the frequency of failure (14 times during the three months before the incident).
“Staff on site were unaware of the extent of the unreliability of safety critical equipment, and there was no system in place for senior management to monitor key safety parameters” (HSE, 2011).
As is the case with many other major hazard organisations, auditing and monitoring arrangements did not test the quality of the systems or whether they were being used in practice, or were even effective. Audits simply focused on whether a system was in place.
For example, the systems within the Loss Control Manual had not been fully implemented. A more thorough scrutiny of actual working practices would have uncovered this discrepancy. The HSE investigation suggests that the Buncefield incident may well have not occurred had the systems in this manual been implemented.
The investigation determined that Hertfordshire Oil Storage Ltd (HOSL) did not act as an ‘intelligent customer’ and did not assure the service that they were obtaining from their contractors. They did not provide the necessary expertise or adequate resources to achieve this, and should not have taken the work of their contractors for granted.
The Safety Report and ‘safety’
As we have seen in other incidents (for example, the Nimrod case study), what is described in the safety report or safety case isn’t necessarily what actually happens in practice. Some aspects of the Buncefield Safety Report are described by HSE as ‘aspirational’ rather than a true reflection of site conditions.
The HSE concluded that:
“However, what was set out in the document (the safety report) and the safety management systems did not reflect what actually went on at the site” (HSE, 2011).
A safety report is not simply a document to be produced to satisfy the regulator. It is an opportunity to look critically at your assessments, systems and management arrangements. Will they prevent major accidents? Will they limit the consequences to people and the environment should an incident occur?
Inadequacies in the management arrangements for tank bunds in particular created missed opportunities that could have reduced the impact of the event. For example, bunds (which are designed to contain spillage of hazardous liquids) were not routinely inspected or maintained and bund failures were not treated as near misses.
The investigation concluded, like many other investigations before, that the company and its systems focused on personal safety, rather than the control of major hazards (often known as ‘process safety’). For an example of a similar conclusion, see the Grangemouth incident, where the investigation concluded that control of major accident hazards requires a specific focus on process safety management over and above conventional safety management. HSE states in the final Buncefield report (2011) that good process safety management does not happen by chance.
The investigation summary in the HSE post-prosecution report concluded that management failings – including increased throughput, a lack of control over incoming flow rates and timing of deliveries and inadequate management systems for tank filling – were the root causes behind the immediate technical failures:
“Cumulatively, these pressures created a culture where keeping the process operating was the primary focus and process safety did not get the attention, resources or priority that it required” (HSE, 2011).
Will we ever learn these lessons?
The organisational and management failings identified in the Buncefield investigation provide lessons for all high-hazard industries, certainly not just operators of fuel storage facilities. However, several high-profile incidents came before the Buncefield explosion and key lessons were not learnt from these (such as BP Texas City and Esso Longford, where similar findings were reported).
If we step back from the technical failures, there are learnings for other types of oil and gas facilities; but also for complex systems such as healthcare and aviation. Each industry has had its own ‘Buncefield’, and yet organisations are generally weak at learning lessons from other industries.
Hopefully, by bringing similar human and organisational lessons from several industries together, humanfactors101.com provides a stimulus for improvements in human and organisational factors across all industries where the consequences of adverse events can be catastrophic.
Five companies were charged with offences arising out of the investigation and proceedings were completed on 16 July 2010.
- Total UK Limited pleaded guilty to three charges and were fined a total of £2.6 million;
- Hertfordshire Oil Storage Limited (HOSL) was found guilty of one charge and pleaded guilty to another, and was fined a total of £1,450,000;
- British Pipeline Agency Limited pleaded guilty to two charges and was fined £300,000;
- Motherwell Control Systems 2003 Limited was found guilty on one charge and fined £1000;
- TAV Engineering Limited was found guilty on one charge and fined £1000.
The Court also ordered costs against the defendants totalling just over £4 million.
The Buncefield Incident 11 December 2005 – Volume 1: The final report of the Major Incident Investigation Board, HSE Books (2008), ISBN 978 0 7176 6270 8. This is the ninth and final report of the Buncefield Major Incident Investigation Board. It is made to the Boards of the Health and Safety Executive and the Environment Agency that together form the joint Competent Authority responsible for regulating the Buncefield site. It explains the significance of the Buncefield Depot and describes briefly how the explosions and fires happened and the damage they caused. It also summarises all the Board’s recommendations to regulators, industry and government.
The Buncefield Incident 11 December 2005 – Volume 2: The final report of the Major Incident Investigation Board, HSE Books (2008), ISBN 978 0 7176 6318 7. This second volume of the final report contains the Board’s previous eight reports in a single publication for the public record and for future reference: three progress reports; an Initial Report; a report into the explosion mechanism; and reports giving recommendations on design and operation of fuel storage sites, emergency preparedness for, response to and recovery from incidents, and land use planning and the control of societal risk around major hazard sites.
Buncefield – Why did it happen? The underlying causes of the explosion and fire at the Buncefield oil storage depot, Hemel Hempstead, Hertfordshire on 11 December 2005, published by the Competent Authority (2011). At the time of the publication of the investigation Final Report, it was not possible to disclose all the information about the underlying causation upon which many of its recommendations were based, as criminal legal proceedings were still in progress. At the conclusion of these proceedings, this information was published so that everyone in major hazard industries – not just those involved in fuel storage – can learn from this incident, understand what went wrong, and take away lessons that are relevant to them.
The contribution of fatigue and shift-work to the Buncefield explosion, John Wilkinson and Julie Bell, Loss Prevention Bulletin 243 (2015). This article presents more detail of the fatigue and shift-work aspects of the HSE’s investigation into Buncefield; to which the two authors contributed greatly. As well as presenting the specifics of their investigation into the Buncefield incident, this article will be extremely useful to anyone wanting to understand how to address fatigue issues in any investigation. The analysis considers the shift schedule as planned (and as worked), overtime, shift start times, shift duration, consecutive shifts, breaks, cumulative fatigue and workload. It concludes that:
“Fatigue and shift-work issues were identified as important contributory causes in the build-up to Buncefield and, in a general sense, on the night too”.