In a facility that generally runs with a high degree of stability, layers of protection that don’t get used can form holes, both figuratively and literally.
The Buncefield fire in 2005 could serve as a textbook example of layers of protection and the “Swiss Cheese Effect.” The illustration is this: if you take slices of Swiss cheese and lay them on top of each other, and there is a hole in the same position on every slice, then no matter how many you stack up, that hole will go all the way through.
Buncefield had traditional layers of protection as part of its safety management system:
• Basic process control system (BPCS)
• Alarms
• Safety instrumented system (SIS), and
• Physical containment.
Each of these was a single point of failure with no redundancy. Each failed in its own way with disastrous results, so let’s look at them one by one.
BPCS—The key to keeping the facility safe was having accurate measurements of the level in every tank. Provided that the tanks retained their structural integrity, the biggest fear was pumping too much fuel into a tank and causing it to overflow. Level sensors were supposed to tell operators, via the control system, how much fuel there was in each tank. Climbing to the top of a tank to check the level manually is dangerous, so the more that can be done automatically, the better. However, on tank 912, the sensor had a reputation for sticking and giving inaccurate readings.
Alarms—The alarm system depended on the level sensor from the BPCS. If that sensor didn’t work, neither did the alarms. The gasoline level in tank 912 moved past three points that should have alerted the control room, but with the level sensor inoperative, there was no warning. The fact that this level sensor had a history of malfunctioning without an identifiable cause should have provided sufficient incentive to replace it. Having a second sensor that used a different type of measuring technology could have also provided a redundant measurement to the BPCS.
SIS—There was a high-level sensor that functioned independently of the BPCS, but it failed due to complex operating instructions that were not clear to the operators. Individuals who were trying to verify the sensor’s operation likely rendered it inoperable because they were not trained adequately on the correct configuration procedure. There is some question whether the company that installed it understood it either. Following the incident, the sensor company changed the design and sent safety bulletins to its customers. Again, for an installation of this size, it would be simple to justify a redundant sensor of a different design as a backup.
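The common-cause dependency described for the BPCS, the alarms and the SIS can be shown in a small model. This is an added Python example, not code from the article or from any Buncefield investigation; the tank capacity, pump rate, setpoints and the stuck reading are constructed values chosen only to make the three outcomes visible.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed parameters for illustration: not Buncefield's real values.
CAPACITY = 1000.0          # tank capacity (arbitrary units)
ALARM_SETPOINT = 0.90      # control-room "high-high" alarm at 90% of capacity
SIS_SETPOINT = 0.95        # independent high-level switch at 95% of capacity


@dataclass
class Sensor:
    """A level transmitter feeding the BPCS. A stuck transmitter keeps
    reporting the same value no matter what the tank actually holds."""
    name: str
    stuck_reading: Optional[float] = None

    def read(self, true_level: float) -> float:
        return true_level if self.stuck_reading is None else self.stuck_reading


def pump_into_tank(sensors: List[Sensor], sis_configured: bool,
                   pump_rate: float, steps: int) -> Tuple[str, float]:
    """Pump fuel in until a protection layer trips or the tank overflows.
    Returns (layer_that_stopped_it, level_at_that_moment)."""
    level = 0.0
    for _ in range(steps):
        level += pump_rate
        # Layers 1 and 2: the BPCS display and the alarms both derive from
        # the same transmitter readings, so one stuck transmitter blinds
        # both of them at once (a common-cause failure).
        readings = [s.read(level) for s in sensors]
        if max(readings) >= ALARM_SETPOINT * CAPACITY:
            return "alarm", level
        # Layer 3: the SIS switch sees the true level, but only if it was
        # left in a working configuration after testing.
        if sis_configured and level >= SIS_SETPOINT * CAPACITY:
            return "sis", level
        # Layer 4 (the bund) is only reached once every other layer has failed.
        if level > CAPACITY:
            return "overflow", level
    return "pump_stopped", level


if __name__ == "__main__":
    stuck = Sensor("servo gauge", stuck_reading=300.0)
    # One stuck gauge and an inoperable SIS switch: every hole lines up.
    print(pump_into_tank([stuck], sis_configured=False, pump_rate=50.0, steps=40))
    # A second transmitter of a different technology breaks the common cause.
    print(pump_into_tank([stuck, Sensor("radar")], sis_configured=False, pump_rate=50.0, steps=40))
    # A correctly configured SIS catches the overfill regardless of the gauge.
    print(pump_into_tank([stuck], sis_configured=True, pump_rate=50.0, steps=40))
```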
Physical containment—Each group of tanks had a system of surrounding bunds to prevent fuel from spreading in the event of an overflow or tank rupture. However, these had been constructed with small leaks as a result of the concrete forms, and there were numerous pipe penetration points that were not sealed. Much of the 250,000 liters of gasoline that flowed out of the tank got through the bund, flowed into adjacent areas and rendered the fire-fighting system unusable. Had the bund been effective, it would have been much easier to fight the fire earlier.