Root causes of the loss of containm

Root causes of the loss of containment

18 The immediate cause of this major incident was the failure of both the ATG
and the IHLS to operate as the fuel level in Tank 912 increased. This was a loss of
‘primary’ containment.
19 During and following the fire there were subsequent failures of ‘secondary’ and
‘tertiary’ containment. So what lay behind the immediate cause and subsequent
failures of containment? In other words, what in terms of the overall management
of operations at this high-hazard site led to these failures? What, in the processes
and systems, failed to deliver the necessary high level of control of site operations?
Understanding these root causes will allow those managing high-hazard industries
to learn from the experience of Buncefield.
The independent high-level switch
20 Tank 912 was fitted with a new independent high-level switch on 1 July 2004.
This had been designed, manufactured and supplied by TAV Engineering Ltd. TAV
had designed the switch so that some of its functionality could be routinely tested.
Unfortunately, the way the switch was designed, installed and maintained gave a
false sense of security. Because those who installed and operated the switch did not
fully understand the way it worked, or the crucial role played by a padlock, the switch
was left effectively inoperable after the test. (A fuller description is in Appendix 1.)
Designers of equipment for use in high-hazard operations should have
systems in place to ensure that the equipment is safe so far as is
reasonably practicable.
21 The design fault could have been eradicated at an early stage if the design
changes had been subjected to a rigorous review process. In any event, clear
guidance, including instructions about the safety criticality of the padlock, should
have been passed on to installers and users.
22 TAV was aware that its switches were used in high-hazard installations and
therefore were likely to be safety critical.
Designers and suppliers should have adequate knowledge of the
environments where their equipment will be used.
23 The impact of these defects in switch design, and the failure to inform users
and suppliers of the change in criticality of the padlock, could have been reduced
by those further down the supply chain. Motherwell Control Systems 2003 Ltd
ordered the IHLS from TAV but the ordering process by both parties fell short of
what would be expected for safety critical equipment intended for such a high-hazard
environment. The information TAV provided did not give sufficient clarity about the
key aspects of the IHLS design and use, and TAV should have enquired as to the
intended purpose of the switch and formed a view as to its suitability – in this case
for a high-level only application. Motherwell staff were highly experienced in this field
although the company itself had only recently come into existence as the result of
a management buy-out. However, their systems for checking and understanding
equipment again fell short of the mark.
Buncefield: Why did it happen? 13 of 36 pages



24 It appears that nobody within Motherwell knew the safety critical significance
of the padlock. The IHLS on Tank 912 was installed without the padlock because
it seems that Motherwell staff thought it was for security ‘anti-tamper’ purposes
only. After the periodic tests, the lever was left unsecured either in the inoperable
position or so that it could fall into that position. While they ought to have been able
to rely on TAV to tell them, Motherwell staff equally should have known better. The
elements of Motherwell’s failure were:
■ The process for ascertaining and then specifying the requirements of switches
they supplied and/or installed was not adequate.
■ They did not obtain the necessary data from the manufacturer and it follows that
they did not provide such data to their customers.
■ They did not understand the vulnerabilities of the switch or the function of the
padlock.
■ There was a reliance on TAV, which was not justified given the lack of information
provided and the critical role that Motherwell had in installing safety critical
equipment.
25 In addition to the failures of the manufacturers and installers of the IHLS, the
site operator did not exercise sufficient oversight of the ordering, installation and
testing procedure. While the switch was periodically tested, none of the staff at the
HOSL site was aware of the need for the padlock to be replaced so that the test
lever was held in the correct position. The site operator should have had greater
oversight of safety critical operations and equipment so that they understood fully
how it worked, particularly given the expertise available within large oil companies.
The automatic tank gauging system
26 Failure of the ATG system was the other immediate cause of the incident.
The servo-gauge had stuck (causing the level gauge to ‘flatline’) – and not for the
first time. In fact it had stuck 14 times between 31 August 2005, when the tank
was returned to service after maintenance, and 11 December 2005. Sometimes
supervisors rectified the symptoms of sticking by raising the gauge to its highest
position then letting it settle again, a practice known as ‘stowing’. On other
occasions Motherwell was called in to rectify the matter, although the definitive
cause of the sticking was never properly identified. Sometimes the sticking was
logged as a fault by supervisors and other times it was not.
27 The failure to have an effective fault logging process and the lack of a maintenance
regime that could reliably respond to those faults were two of the most important ‘root
cause’ managerial and organisational failures underlying the incident. Further, Motherwell
staff never saw that the unreliable gauge should be investigated. They did not analyse
why they had been called out so frequently nor questioned the reliability of the system.
Other shortcomings
28 The system also had other shortcomings that could fairly easily have been
remedied:
Monitoring screen
29 There was only one visual display screen for the data provided by the ATG
system on a number of tanks which meant that the status of only one tank could
be fully viewed at a time. On the night of the incident the display relating to
Tank 912 was at or near the back of a stack of four other tank display ‘windows’.
Only one computer was provided, with no back up, to run the entire ATG system.
The supervisors relied heavily on the ATG system to control tank filling so having no
back up for this critical control process was inadvisable.
Buncefield: Why did it happen? 14 of 36 pages
Redundant emergency shutdown
30 The tank mimics on the screen showed a red ‘stop’ emergency shutdown
button. Use of this was meant to close all tank side valves. Unbeknown to a
number of the supervisors this was not working and had never been fitted into
the system. Had it worked it may have provided a useful emergency procedure
although it may have taken several minutes for the valves to close. This issue
is indicative of poor management control where supervisors did not appreciate
the redundancy of the ‘stop’ button and Motherwell staff never tested it. This
meant that there was no proactive facility on the site to close down two (UKOP)
of the three incoming pipelines. The Finaline had an emergency shutdown button
accessible in the site control room.
System security
31 While there is no indication that it had any bearing on the incident, the security
arrangements on the ATG system were lacking. It had its own built-in security
system but this had been set so that all control room staff could modify any
parameter including being able to change the alarm settings.
Alarm function
32 Later versions of the ATG system had the ability to be set to alarm in the event
of inconsistencies between tank level measurements and filling data, which would
have provided a way of alerting control room staff to an ‘unexpected’ static reading.
Had such a modification been made then supervisors may have been made aware
of the sticking gauge before an overfill position was reached. A more stringent
monitoring scheme could have identified the shortcomings and allowed the site
operator to upgrade the ATG system