On the 15th anniversary of the Buncefield Oil Storage Depot Explosion, we reflect on the second of three key questions raised by the Health and Safety Executive at the time of the criminal prosecution.
Do you know what systems you use to prevent and mitigate a major accident?
At approximately 6am on Sunday 11th December 2005, a large explosion occurred at Buncefield Oil Storage Depot in Hemel Hempstead, Hertfordshire. The fire engulfed the fuel tanks and burned for several days – it was the largest fire seen in peacetime in the UK.
At Buncefield many systems were in place to prevent and mitigate against a major accident. An automatic tank gauging (ATG) system connected to three level alarms was fitted on the tank that overfilled. An independent high-level switch (IHLS), set at a higher level than the ATG alarms, was also fitted on the tank. This was intended to automatically shut down the filling process, as well as sounding an audible alarm, if the petrol reached the undesired high level. Both systems failed.
The storage tanks were also bunded, and should have been capable of containing the oil, water and firefighting foam during a prolonged fire.
This situation raises a key question for facility operators – are there enough independent preventative systems in place so if one fails, there is another barrier?
All three operating sites at Buncefield were upper-tier COMAH sites. Like all upper-tier COMAH sites, the Buncefield operators had to prepare a safety report that methodically considers their major accident risks, controls and mitigation measures.
The safety report should demonstrate that ‘all measures necessary’ have been taken to prevent major accidents and limit their consequences to people and the environment in order to satisfy COMAH regulation 4.
Despite all the systems in place, the Buncefield disaster still occurred and it raises key questions for discussion amongst facility operators:
- Will the preventative and mitigative systems in place prevent a hazard being realised or mitigate its consequences?
- What methods / tools are used to determine necessary preventative and mitigative systems?
- How has their effectiveness been assessed / determined?
- Have safety critical systems been identified?
- Are there enough preventative and mitigative protection systems?
- How has the adequacy of preventative and mitigative protection systems been assessed?
- How are preventative and mitigative barriers managed?
While barriers should be in place to prevent the incident or reduce its consequences, management systems should also be in place to ensure that all barriers are working.
Management systems in place for HOSL , one of the site operators at Buncefield, relating to tank filling were both deficient and not properly followed despite the systems being independently audited.
The site was fed by three pipelines, two of which staff had little control over in terms of flow rates and timing of receipt. This meant that they did not have sufficient information easily available to them to manage the storage of incoming fuel precisely.
Facility operators should consider the following:
- What are your safety management systems?
- Are you satisfied that your management systems are adequate?
- Do you have suitable in-house expertise present to implement these systems?
- Are there enough resources to effectively implement these systems?
- Are the onsite practices scrutinised compared to the written systems?
- Are management of change (MOC) procedures in place?
- How is it ensured these are adequately applied?
- What are your systems for controlling contractors?
For more advice and support about process safety and risk management click here
- Buncefield: Why did it happen? The underlying causes of the explosion and fire at the Buncefield oil storage depot, Hemel Hempstead, Hertfordshire on 11 December 2005”, Competent Authority (CA) URL: https://www.hse.gov.uk/comah/buncefield/buncefield-report.pdf
A study on the effect of trees on gas explosions, Kees van Wingerden