A year since the conviction of five companies over the Buncefield explosion, the key lesson highlighted by the case is that all businesses should focus on the management of major risks by ensuring clarity of roles and responsibilities. Steven Brooker explains.
History, it would appear, doesn’t stop industry repeating mistakes – if the Buncefield case is anything to go by.
The incident was far from unique. Similar themes were identified in such incidents as the Flixborough chemical-plant explosion in 1974, the Longford gas blast in September 1998, and the Texas City refinery disaster in March 2005.
Poor shift-handover communications, lack of on-site engineering experience, ineffective defect-reporting procedures, and failure to implement management of change to safety-critical process controls were features in many of these incidents.
But, if the Buncefield incident is to teach us anything, it is that clarity, in relation to roles and responsibilities, is vital – not only in relation to regulatory compliance but also in the management of supply-chain risks.
The incident
The primary causes of the overfilling of the fuel storage tank at the Buncefield depot were a level gauge that kept sticking and a malfunctioning safety cut-off switch. However, the underlying causes were systemic – specifically: a safety management system that was not site-specific, and had reduced engineering involvement on site while focusing on individuals’ personal safety rather than major-accident hazard risks; a failure to manage those risks; and the supply-chain relationships for critical equipment.
During the early hours of 11 December 2005, two control-room supervisors were working alone at the Buncefield depot. A 6 million litre-capacity storage tank was being filled with unleaded petrol via a pipeline. The volume of fuel being delivered was larger than the available space in the tank, so, at some point, the flow would have to be diverted from one tank to another.
However, the gauge that monitored the tank level stuck. As a result, associated level alarms failed to warn the men to switch tanks, and filling continued unnoticed. An independent high-level switch, which should have shut down the pipeline, also failed to operate, and by 5.40am, petrol was pouring out of the tank’s roof vents. Some 180 tonnes of unleaded petrol spilled out, resulting in the formation of a huge flammable vapour cloud, which spread over the site, across a public road, and into a nearby car park. A spark, most probably from a pump house, ignited the cloud, and there followed a massive explosion and fire, which overwhelmed most of the site.
The incident had a significant impact on the local economy, with hundreds losing jobs and some businesses having to relocate permanently. The total cost of the incident is estimated in the region of £1bn.
In 2010, five companies were successfully prosecuted for health, safety and environmental failings, culminating in the handing down of fines and costs totalling £9.5m – which included the highest fine for a non-fatal incident and a record environmental fine.[1]
Roles and responsibilities – internal
The corporate history of the site and its development are complex and played a key role in the incident. A joint-venture company called Hertfordshire Oil Storage Limited was set up by two large oil companies to operate the site. However, the joint-venture company had no employees and was heavily reliant upon its majority shareholder to provide staff, safety management systems, resources, engineering support and technical expertise. Differing assumptions were made by the shareholders and the joint-venture company over which party was responsible for safety at the site.
In the aftermath of the disaster, one of the most surprising issues – given the site’s status as a top-tier site for the purposes of the Control of Major Accident Hazards Regulations (COMAH) – was the identity of the “operator”. Who was responsible under regulation 4 of COMAH to take all measures necessary to prevent major-accident hazards at the site and to limit their consequences to persons and the environment?
Given what was at stake – the strict nature of the obligations, the significant burden that they imposed, and the prospect of enforcement – one would have expected unambiguous roles and responsibilities. But this was not the case at the Buncefield site, and this lack of clarity dominated the legal proceedings that followed. In this case, who was in control of the operation of the establishment – the majority shareholder, or the joint-venture company? Following the incident the joint venture and its majority shareholder each pointed the finger of responsibility at the other.
In terms of who had day-to-day control at the site, the answer was relatively easy: the majority shareholder. But day-to-day control is not necessarily the answer to the issue of identity of the COMAH operator, given that this control could arise from delegation of various functions. There are many potential forms of control and there could be many competing candidates, each with some element of control of the site. These could also change over time.
At Buncefield, the majority shareholder had notified the regulator early on that it was the operator for the purposes of the Regulations. However, the overall picture was inconsistent and unclear. The joint-venture company was also described in the Safety Report and other documentation as the operator of the site. On the ground, dealings between senior staff on site and the regulator proceeded on the basis that the joint-venture company was the body dealing with COMAH issues and, when compliance steps were required, these were confirmed by and on behalf of the joint-venture firm.
From the point of view of the regulators, an element of certainty was a dominant concern, given the extensive requirements and obligations imposed by the Regulations.
In addressing this issue, the Court of Appeal set a two-fold test to determine operator identity: firstly, who identified itself to the Competent Authority as the “operator”; and, secondly, who was treated as the operator by the Competent Authority. The test is worthy of consideration, not only because it departs from the notion of control but also because it introduces the concept of a transaction of roles and responsibilities between the body on site and the regulator.
At the conclusion of the criminal proceedings, the jury applied the Court of Appeal two-step test and found that the joint-venture company had identified itself, and had been treated by the regulator, as the COMAH operator. The joint-venture company was consequently convicted of an offence under COMAH and fined.
Roles and responsibilities – external
Both the joint-venture board and its majority shareholder failed to consider adequately the safety of the site’s core activity – i.e. the safe receipt and filling of fuel storage tanks.
Given the structure of the joint venture and its shareholding, safety management systems had been adopted from the majority shareholder. However, these systems had not yet been fully implemented and were of a generic nature, focusing on personal safety instead of major accident hazards. This had the effect of limiting the involvement of off-site engineering expertise and increasing reliance on external contractors.
As a result, there was no accurate list of critical parts, which, in turn, affected the maintenance regime. There was also no framework to set process-safety indicators, and no functioning professional engineering oversight of the operations at Buncefield – a characteristic shared with the Texas City blast.
The Buncefield site was developed during the 1980s, when a new pipeline was added to the two existing ones bringing fuel on to the site. However, there were major differences between these pipelines.
With the newer pipeline, the site controllers had monitoring systems and full control of the flow-rate of the fuel channelled on to the site, enabling them to control the time of arrival of fuel batches while allocating them to separate tanks. However, as a result of historical changes, the site staff no longer had sufficient information about, or effective control over, the flow-rate through the two inherited pipelines. The flow of fuel through these pipelines could be stopped in an emergency by a telephone call off-site, but the flow-rate and the timing of receipt was outside the site’s control.
The issue this created can be illustrated by imagining a bucket being filled with a hosepipe – a simple task when there is one hosepipe and one bucket, and where the flow is steady and controlled via the tap. However, the situation at Buncefield can be described as three different hosepipes with several different buckets, where the flow speeds on two hoses varied and some of the taps were located elsewhere, under somebody else’s control. It was also necessary to switch between buckets without turning off the two original hosepipes.
Given the reactive nature of the filling arrangements in relation to two pipelines, it is not surprising that the control supervisors relied on two overspill prevention systems – relating to level measurement, and the independent high-level switch. In the absence of any procedures or monitoring, control-room supervisors developed their own working practice of relying on level alarms to prompt them to switch tanks. This reliance was misplaced, owing to the failure of those managing safety at the site and their contractors to appreciate the importance of the overfill prevention systems, despite a near-miss overfill in August 2003. As a result, the systems became seriously deficient and had been so for some time before the incident.
With the dominant health and safety influence off-site, responsibility for installation and maintenance of safety-critical process equipment was essentially delegated to contractors. However, there was a mismatch between the importance of these systems and the detail of the arrangements between the site and contractors. The relationship was limited to a conventional purchaser/supplier type arrangement, with insufficient clarity as to the systems on site and how they were being used, standards, competence, information sharing, responsibility for monitoring, and defect reporting.
By way of example, there was no robust defect-reporting system in place. This became critical in light of repeated gauge-sticking events in the weeks prior to the incident. The gauge system would occasionally fail to record changes in fuel levels, or alarm when fuel reached pre-determined levels. There was no separate self-diagnostic facility, or alarm to identify an anomaly between fuel levels and pipeline movements, and so, when the gauge system stuck, filling operations would often continue blind.
Frequently, staff would only discover that there had been a problem when conducting stock checks. When sticking events or anomalies in stock were discovered, they were not always recorded as defects by staff, especially when symptoms were temporarily resolved by an unofficial “work-around” reset. Any trend in defect occurrence would therefore have been inaccurate, even if such a system had been in place.
When problems could not be resolved easily by site staff, a call-out contractor was used, but the arrangements were such that the contractor’s only concern was to resolve the symptoms of the problems encountered rather than investigate any root-cause, or trend information for their customer. The Competent Authority’s investigation discovered that in the three months prior to the incident the level measurement system had failed on at least 14, possibly up to 19, separate occasions.
Design deficiencies
The last line of defence against overspill was the independent high-level switch (IHLS). In simple terms, this consisted of a switch, which, when triggered by rising fuel at the top of a tank, sounded an alarm and shut down the incoming pipeline.
Almost a year and a half before the incident, the IHLS on the tank involved in the incident was replaced. Prior to its replacement, the switch manufacturer had altered its design to enable its operation to be tested and to allow the same model of switch to be configured for different functions. However, this meant that, on the new model, the function of the padlock fitted to the switch became integral to the switch’s safe operation, having previously been required only for anti-tamper or security purposes.
The potential consequences of this change in function, although known to the manufacturer, were neither adequately communicated to installers of the switches nor clearly set out in operation and maintenance instructions. The result was that the significance of the padlock was misunderstood, and it became possible for the switch to be left in an inoperative state following routine testing if the padlock was not secured, or was removed. During the investigation, no padlock was found on the IHLS fitted to the tank that over-spilled.
The installer of the IHLS failed to investigate, or interrogate the manufacturer on the significance of the design change in the product to ensure it understood how the switch functioned before fitting it. Implementation of the site’s change management procedure had been restricted to items of capital expenditure and, as the switch fell under operational expenditure, no assessment was made of the new model, despite it being different in appearance and featuring a new checking mechanism. The site continued to use its old testing procedures for the new model of switch, despite obvious incompatibility.
How to be an “intelligent client”
The Buncefield incident is a suitable opportunity for those across a variety of industries to analyse what went wrong and to see where lessons can be learnt.
Successful management of major risks can be achieved by considering the effect of corporate structures and the focus of safety management systems. Those deciding on the structure of corporate arrangements should consider its effect on safety and management of critical risks – particularly given increasing use of joint-venture vehicles and multi-site operations. This should include staff employment issues and clarity of roles and responsibilities between the joint venture and shareholders – what agreements have been reached as to responsibility for managing risks and ensuring safety, and do these match what actually happens on the ground?
Regular reviews need to be built in to cater for developments at site level. Safety systems implemented at arm’s length should not be generic but rather focus on major risks and site-specific issues. Resourcing and the provision of technical expertise should also be considered to determine whether the safety systems are effective at arm’s length.
Supply chains and management of contractors also need careful consideration where these coincide with business-critical risks. Each link in that supply chain – the designer/manufacturers, contractors who install and maintain, and the staff who use the equipment – should have detailed knowledge of the arrangements and working practices on site. The aim should be for each link in the chain to apply appropriate standards and to have mutual understanding of the expectations made of them in relation to their role and responsibilities.
Their understanding should be fuelled by information sharing and take into account management-of-change issues. For the sake of clarity, these arrangements should be fully encapsulated within formal written agreements between the parties, and effectively communicated to all elements involved in the chain. In order to be an “intelligent client”, the end-user at site level has a critical role in monitoring these arrangements to ensure that they manage risk effectively.
While this article does not seek to set out, in full, the various guidance, or recommendations made after Buncefield, it does seek to reinforce that the underlying systemic causes of the incident are not industry-specific. Focusing on management of major risks by ensuring clarity of roles and responsibilities should be the goal of all businesses regardless of their activities.
Reference
1 www.shponline.co.uk/news-content/full/-5-3m-fine-for-buncefield-devastation-
Steven Brooker is a senior associate at Bond Pearce LLP.
Continuing professional development is the process by which OSH practitioners maintain, develop and improve their skills and knowledge. IOSH CPD is very flexible in its approach to the ways in which CPD can be accrued, and one way is by reflecting on what you have learnt from the information you receive in your professional magazine. By answering the questions below, practitioners can award themselves credits. One, two or three credits can be awarded, depending on what has been learnt – exactly how many you award yourself is up to you, once you have reflected and taken part in the quiz.
There are ten questions in all, and the answers can be found at the end of the online version of this article at www.shponline.co.uk/features-content/full/cpd-article-precision-parts
To learn more about CPD and the IOSH approach, visit www.iosh.co.uk/membership/about_membership/about_cpd.aspx
QUESTIONS
1 What were the primary causes of the incident at Buncefield:*
a Operator error
b A malfunctioning safety cut-off switch
c Incorrect fuel input into the system
d A level gauge that kept sticking
2 One of the causes of the situation that led to the Buncefield explosion was:
a Ineffective defect-reporting procedures
b Not following procedures
c Lack of staff
d Staff were smoking on the site
3 The total cost of the incident was:
a £1 million
b £5 million
c £1 billion
d £10 billion
4 The independent high-level switch was:*
a Recently fitted
b Replaced 18 months before the incident
c Faulty
d Of a different design to its predecessor
5 Successful management of major risks can be achieved by:
a Having in-depth documented procedures
b Considering the effects that corporate structures may have on safety management
c All partners on multisite operations having their own methods
d Assuming the other partner is responsible
6 The explosion was a result of the formation of:
a A flammable cloud meeting a spark
b A pool of petroleum with a lighted match
c A build-up of excess waste in a corner of the site that ignited
d A badly-maintained vehicle entering the site and emitting sparks
7 How many companies were fined as a result of the explosion:
a Two
b Seven
c Five
d One
8 Who was in day-to-day control of the site:
a The majority shareholder
b The joint-venture company
c The Government
d The Local Authority
9 The COMAH Regulations stand for:
a the Control of Major Accident Hazard Regulations
b the Control of Multiple Accountable Hazard Regulations
c the Chemical and Mixing Hazard Regulations
d the Chemical Operations Major Hazard Regulations
10 The staff should have had sufficient information about controlling the hazards by:*
a Using monitoring systems
b Controlling the flow rate of the fuel
c Controlling the time that the fuel was received
d Relying on their own working practices involving alarms
* Hint: There could be more than one correct answer to this question
ANSWERS:
1. B & D
2. A
3. C
4. B & D
5. B
6. A
7. C
8. A
9. A
10. A, B & C