- Russian Dam Disaster: Assessing the Cost of Failed Safety Practices
- Analyzing the Human Element of the Russia Dam Disaster
- Turbine 2: How a Track Record of Uncertainty Led to Disaster
- Russian Dam Disaster: A Reckoning for Bypassed Safety
- When Running People Past Their Breaking Point Effects Safety: The Bayer Crop Science Incid…
How Many Units Can Operators Monitor on One Screen?: Buncefield Incident
Operators didn’t see the tank overfilling. Part of the problem was mechanical, but part was inattention. How much can we expect from individual operators?
The Buncefield fuel depot fire was somewhat akin to leaving the tub filling in the upstairs bathroom, going somewhere else in the house and forgetting the water is running. On one hand, it’s easy to write the incident off as a mechanical instrumentation failure. Who would have expected two level sensors to fail at the same time? On the other hand, why didn’t one of the operators look at the control room screen and realize, “Haven’t we been pumping gasoline into Tank 912 for several hours now? How come the level isn’t going up? That can’t be right.”
Let’s consider both hands in the question. Was it a mechanical failure within the process control system? Yes, but it should not have been a surprise. Investigations after the incident reported that the automatic tank gauging system had failed regularly. The level sensor had been serviced during a maintenance outage less than four months earlier, and there had been 14 incidents reported of the device sticking since then. Operators had taken to trying to free the mechanism by hand, but nobody ever figured out what the root problem was. Motherwell Control Systems, the company responsible for the process control system design and maintenance, had not been able to fix it.
That being the case, let’s consider the other alternative and ask the obvious question, why didn’t the operators pay closer attention to that tank for the simple reason that they knew it had a faulty level sensor? Part of the answer relates to the control room and the way that Motherwell Control Systems put it together. The facility had to be monitored on one HMI screen, so operators could only watch one tank at a time. Post-incident investigations reported that operators were trying to keep an eye on five tanks during that shift, so they would have to scroll through them one at a time.
One very peculiar aspect of the incident sheds light on the overall safety management mindset. Investigations following the fire revealed that there was an emergency shutdown function that operators could activate through the control system, however it didn’t actually work and nobody realized it. There was a red stop button on the HMI that the operators could click that was supposed to shut off the incoming pipelines, but it didn’t do anything. Motherwell had never tested the function. This fact didn’t figure into the incident directly, but it gives an interesting insight into the way the plant was designed and operated.
It is not farfetched to suggest that the operators might have thought that they had a fail-safe device in the form of the independent high-level sensor. This is purely speculation, but it is not difficult to imagine that the operators found it easier to depend on the safety system as an automatic shutoff. They didn’t have to pay attention, because even if the main sensor did stick, the SIS would stop the filling and they could switch over to the next tank without incident. Closing a valve to stop the pipeline feed for a few minutes for tank changeover was probably no big deal.
The independent high-level sensor failure is also an interesting aspect of the discussion and speaks to safety training. Operators at the site did not fully understand how it operated, and how it could fail if a padlock was not installed correctly. (The device had a dual purpose in that it could function as either a high-level or low-level switch but only one at a time. It also had a handle that could allow a technician to trip the device from outside the tank for testing purposes. The padlock secured the device in one mode or another, and without it, it could slip into the low-level mode rendering it inoperative for this application.) Motherwell had selected that device but had not trained the operators adequately on how to test it. Given the apparent dependence on the functioning of this system to compensate for other elements that didn’t work, this could arguably be considered the ultimate cause of the incident.
