Posted By jom
In 2005 we saw the Texas City refinery explosion and the Buncefield fuel depot explosion. A bad year for process safety.

What an amazing contrast between the way each accident has been processed by authorities and discussed in professional arenas such as this forum.

Reporting and discussion of the TC accident was very fast and public, while with the B accident, it was along the line of "we musn't talk about it - there are legal processes afoot."

I like the American model. I think it produced useable learnings quicker.

John.

Posted By peter gotch
Hi Jom

....and there is quite a lot of commonality between the findings

Regards, Peter

Posted By Robert K Lewis
jom

One of the early action points released was on the checking and maintenance of level sensors and it seems apparent for me that the manufacturers guidance manual was being ignored and short cuts had been created when checking the action of the level sensors.

The material has however been spread across numerous documents as highlighted above and this has dissipated the effectiveness of the information and lost focus on the narrative of events. I think the last recommendations also have not brought together all the various lessons because of this "barrage" of documents.

Bob

Posted By jom
>Therefore, has it been suppressed,

I said "suppressed discussion". I didn't say there was suppression of the invetsigation reporting.

John.

Posted By peter gotch
Hi John

The problem is that the investigators are not confident as to the mechanism. From Consultative Document CD211.

Buncefield proved that a major release of unleaded petrol can result in a violent
explosion. Further scientific research is required to investigate this VCE
phenomenon - without it there will continue to be uncertainty about how VCEs might
occur and what effects they may have. However it would take a number of years to
do all the necessary work and clearly it would be imprudent to delay making changes
to HSE’s advice on LUP pending the outcome of the research.

P

Posted By jom
I was thinking about the steps behind the overflow, rather than the mechanism behind the explosion.

The high level shutdown mechanism that did not operate had to be the last defence against overflow.

Is it known if the control room survived the event?

John.

Posted By Ian Waldram
I think all the comments to date have missed some other factors in the reporting/ discussion of these events. BP openly published its own internal report long before the external authorities (CPSB and OSHA). It also commissioned and published an independent report into US refinery process safety management before the CPSB report was published (arguably they did this under pressure from the authorities, so it maybe wasn't just internal culture that influenced this). CPSB report wasn't published until 2 years after the event, and it was all in one document.

Another key difference was the ratio of on-site to off-site damage and disruption, with Buncefield being much higher (and of course still continuing). I suggest that also influenced reporting and discussion.

So I suggest it's not a simple UK vs US culture difference. In my general experience of this sector, EU-based organisations are usually more willing to publish as much as they feel able to compared to US-based, some of whom invoke legal privilege which then has the effect of limiting open reporting and discussion.

Also the Buncefield reports have been pretty speedy, as noted above, with the exception of anything relating to details of site management before and at the time of the release, which would of course be absolutely core to any prosecution, so cannot be publicised at this stage. Compare the depth of these reports with the OSHA fines on BP (and reasons for them - many were about violations of detailed prescribed paperwork requirements, almost none dealt with root causes in the way the BP, Baker Panel and CPSB reports all did).

Happy to hear other views about this, so please continue the debate!

Posted By jom
Ian,

The CSB and Baker report were both huge documents. That makes them hard to read and understand, don't you think? The Buncefield investigators have broken their reports down into specific, tight topics, directed at particular parties. That aspect of the Buncefield invetsigation is good.

I'm not pushing a US v UK argument here. I think we should examine the investigation reports into both these extraordinary events and see what worked well and what didn't. We don't have to be a passive audience. We can and should give feedback to investigators.

John.

Posted By Pete48
I wonder whether another significant difference between TC and Buncefield is that in the former it is clearly BP who managed the site. At Buncefield there were a number of operators involved. That must make it almost impossible to get to a situation where anyone other than the investigators would say very much at all in public, or am I beginning to get cynical in my old age?
And maybe it also holds the key to some of the primary causes??

Posted By jom
Does anyone know if the Buncefield investigation had coercive powers - i.e., the power to subpoena evidence and witnesses?

John.

Posted By Phillip
In my opinion there has been ample open discussion, papers & reports on Buncefield.

For me the main common factor between BP & TC is the failure of safety management systems more that the technical issues.

Why are major chemical hazardous sites allowed to operate without employing chemical engineers and process safety specialists. After all to run a pharmacy shop you need a qualified pharmacist.

Posted By jom
Phil,

"In my opinion there has been ample open discussion, papers & reports on Buncefield."

But what caused the overflow? Does anyone know?

John.

Posted By jom
Peter,

Correct me if I'm wrong, but I feel that not all detail has been disclosed (regarding how the tank came to be overfilled).

It has been disclosed that the high level switch was not functional. Perhaps the authorities thought that piece of info needed to get out to industry asap.

It has also been disclosed that the level indication to the panel operator was static, when in fact the tank was overflowing. Has anything being disclosed explaining that?

There are lots of other questions left hanging. In particular, it will be important to know if control software was implicated.

John.

Posted By Mike Charleston
John

Speaking as a CEng as well as CMIOSH, the link between two failures of level control has been explained to my satisfaction.

Normal level control in the tank consisted of high and low level switches to shut off or open the incoming flow. In case of system failure, a separate ultimate high level switch was available to shut off supply if necessary. That was the system which had operated satisfactorily for years.

The incident occurred as a result of an earlier failure of the ultimate high level switch, which could have happened at any time since the previous functional test (perhaps weeks before - I am not aware of the duration). Once that had failed, level control was completely dependent on a single line of defence - the routine high/low level control system.

The rest, as they say, is history - the second, routine control system failed and there was nothing further installed on the tank that could detect an overfilling incident.

As a hidden failure, ultimate level switches are not always recognised as high priorities for inspection - and are often not tested enough because their chosen frequency of test bears no relation to the desirable level of confidence that it will work when needed.

However frequently a hidden failure is inspected for correct operation, it could fail immediately afterwards, or at any time up to the next inspection. Thats a basic tenet of a logical methodology for assessing such conditions, known as Reliability Centred Maintenance.

In this particular case, I don't know enough to comment on the site's maintenance schedule or their actual performance at the time - I merely reflect what is established wisdom. Hidden failures require close and frequent inspection if their level of reliability must be high (that's why dual and triple safety devices are often specified these days, to reduce the chances of multiple failure to tolerable levels).

In case you haven't guessed, the RCM technique is a particular speciality of mine when I am not acting as a Safety Adviser - contact me direct if you want to know more.

Mike

Posted By jom
Phillip,

"Perhaps the report to date can only publicly state what has happened. The why and who to blame (and sue) left to the courts"

It seems that this is the case. Legal processes are inhibiting full disclosure of the causal factors.

With Texas City, full disclosure of causal factors was rapid, coming first from the company itself, and then from the CSB.

That didn't seem to impede the process of massive penalty from the regulator and civil litigation by victims.

Will all causal factors behind the Buncefield overfill be publicly disclosed one day in the future? Perhaps they won't.

John.

Posted By Robert K Lewis
Philip

Flixboro was being run by purely chemical and process engineers at the time of the disaster!!

Mike

You are indeed correct but we should also bear in mind the maintenance reminder sent out by the HSE regarding the level trip alarms/switches. Apparently the test levers were not padlocked back into place in accordance with manufacturers recommendations. This seems to indicate both a potential design weakness and a loss of information by the system leading to a fail to danger situation.

Bob

Posted By Pete48
Guys, I think John(JOM) has a point that we do not yet have any information on the other contributing factors to the overspill. Whilst I accept the comments about RCM and how it fits into the overall safety profile: the tank level alarms are not the only part of a safe operating system for a long distance transfer operation via a multi-product pipeline.
I could speculate as to the what and where but do not feel it would add anything to the debate at this stage. We have to wait for the official conclusions; if only because we have even less information than I suspect the investaigation team have.

Posted By Pete48
Mike, I do have experience in this specific area and that is why, like John, I am still waiting for some more answers from the investigation team.

Your comments about RCM are both valid and relevant to the later stages of why the overspill eventually happened. Your comments remind us of the fallibility of things mech and elec; and the problems associated with the testing of such safety critical devices. We end up relying upon predictive data.
But we also have to look at the overall design of a safe operating system in which this single component is used. And that involves a whole load else of controlling elements including that fallible machine, the human being.

The key question that I have yet to see answered to my satisfaction is- just how did the fuel terminal get to such a super-critical situation (in operational terms)before the failure of the emergency level alarm occurred and the tank continued to be filled for some time until it overflowed.

I can only speculate that the investigation is covering ground that needs careful technical attention in very difficult circumstances, perhaps with little or no primary data available, and where immense pressures, (social, political and legal) will clearly exist.
Not a task I would accept easily. They deserve our patience; I am sure they are publishing critical information as soon as it is available.

Posted By jom
Does anyone have knowledge of how the 8,000 m3 cargo of petrol would be switched from the first receival tank to another, once the first tank was full?

I mean in terms of procedures and computer control.

Does anyone have knowledge of how this is typically done?

John.

Posted By jom
Thankyou Jay,

I understand what you say. What I don't understand is the plan for the cargo of 8000 m3 of petrol to be delivered to a tank that cannot contain that amount.

There must have been a plan.

The investigators must know the detail of that plan.

Nothing has been released to the public.

John.