- Russian Dam Disaster: Assessing the Cost of Failed Safety Practices
- Analyzing the Human Element of the Russia Dam Disaster
- Turbine 2: How a Track Record of Uncertainty Led to Disaster
- Russian Dam Disaster: A Reckoning for Bypassed Safety
- When Running People Past Their Breaking Point Effects Safety: The Bayer Crop Science Incid…
White Paper Buncefield Incident
A Case Study for Layers of Protection: Buncefield Incident
At 6:50 pm on Saturday, December 10, 2005, Buncefield began receiving a load of unleaded gasoline via the south pipeline which was directed to tank 912, the middle tank in a cluster of three within a common bund on the western edge of the site.
Each tank in the group could handle 6 million liters. Tank 912 had typical process instrumentation, including two level sensing devices. For normal operation there was a continuous level sensor that sent its data to the control room so operators could watch the level change as the tank filled or emptied. The control system had three alarm levels: user level, high level and high-high level. Each was intended to alert operators when they had passed that point.
SIS also had an independent level switch, which was supposed to shut off supply to the tank and sound an alarm before it reached the tank vents. It did not depend on the control system to perform its safety critical function.
Pumping fuel into tank 912 continued all night, but the operators were unaware that the float on the level indicator in the tank had gotten stuck. The level being shown on the screen in the control room was not changing, nor did it cross any of the three alarm levels. The level continued to rise until it reached the independent level switch. That device also malfunctioned and did not cause the SIS to shut the inlet valves. By 5:37 am, the tank was full and gasoline started running out through the roof vents, running down the sides and into the space enclosed by the bund. However, the bund proved to be more porous than expected and fuel began to flow out the north end of the enclosure accumulating around the road. It also surrounded the fire suppression system pumping station next to the west lagoon.
People from the surrounding community and waiting truck drivers saw a vapor cloud forming near the road and called the control room. At 6:01 am, operators hit the fire alarm. By this time, 250,000 liters of gasoline had spilled out. Cold temperatures slowed evaporation, but winds were still so the cloud was not being carried away. Starting the fire pump likely ignited the vapor and there was a huge explosion. The fact that there were no fatalities can be attributed largely to the explosion happening early on a Sunday morning. Under other circumstances that probably would not have been the case. The fire burned for five days and destroyed most of the facility. Lost fuel mixed with water and chemicals used in the fire fighting effort caused an environmental mess and contaminated ground water.
Buncefield should serve as a warning against drifting into a false sense of security and neglecting any process safety protection layers. Unlike more obviously dangerous environments such as an offshore oil platform, the simplicity of the process and a quiet safety record probably caused people to take safety for granted. The fact that there was a multi-story office building barely 120 m from several 6 million liter fuel tanks says something about the perceived threat level.
Were holes in the bunds a problem? If there aren’t any spills, and did it matter? The bunds are there just to satisfy the regulators and insurance companies. The tanks are in good condition, nothing leaks and we can control our pumping processes. We have sophisticated safety management systems in place. Nothing is going to happen.
