stookeyfpe
Specifier/Regulator
The UK Health Safety Executive has released the 3rd report that documents the current findings of the Buncefield Terminal explosion and fire.
Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations TugboatEng on being selected by the Eng-Tips community for having the most helpful posts in the forums last week. Way to Go!
UK HSE Releases 3rd Report on Buncefield Terminal
- Thread starter stookeyfpe
- Start date
- Status
This is carefully written and very restrained report; it refrains from asking some important questions, though I have no doubt these questions will be asked and answered in subsequent reports, in the press and by politicians.
This is not an area of expertise for me but logic suggests some seemingly obvious questions.
For example, many of the investigations post-mortem would seem could reasonablly be expected to form part of the onsite routines, especially when preparing to receive fuels.
The estimation of filling time or end point based on flow rates and tank capacity is such a simple routine it could be automated in the control systems/
Question:
Is this calculation made manually by the operators and/or within the system? Is it also performed at the supply end of the pipeline relative to the amount to be delivered?
Question:
By how much did the planned 8300m3 delivery overshoot?
Are there any routines at the supply end that can be applied to prevent oversupply?
Could they not determine this because more than one site was being supplied?
Surely they would need access to flow instrumention to monitor what was being delivered and where?
This calculation is eminently feasible given that it has been done in the post mortem.
Question:
The investigators have been able to test many elements of the instrumentation. Are these tests that would be routinely performed in preparation for receiving fuels?
If not, are they routine at any time?
When they were last performed?
Question:
Is it routine to manually dip the tanks? if so when? In preparation for eceiving fuels? When doing a stock check as at midnight?
On the face of it there ought to have been a reasonable probability that three or four or more diferent mechanisms existed to detect when the tank should have been full both through the instrumentation, on site and off, and at the supply end, and through observation and calculation.
We have the ATG, an "ultimate" high level switch, tank dipping, remote monitoring, instrument systems tests, flow calculations that can be perfomed, manually, atomatically and some which can be performed at supply end of the pipeline.
The use of the temperature readings is another missed indication and it is not an obscure clue, operators should be familiar enough to recognise the importance of other instruments as diagnostics when checking the potential failure of a key instrument.
There is also CCTV footage but apparently no one was watching at the time i.e any time from 05:20 till 06:01.
Question:
Should there be level indicators in the bunds? are there gas detectors in the immediate vicinity of the tanks? would this be usual or not?
Question:
Would it not be normal for a periodic review of all site safety routines, for routine testing of the instrumentation, a review of the procedures and, perhaps most importantly, to test for compliance?
Question:
What is the probability that all systems failed at the same time?
Is it more likely that the different parts of the system failed at different times?
Is it possible that some failures were not found e.g. the "ultimate" high level switch was never found to have failed bacuse the ATG normally never let the level reach this switch; the first indication it has failed is when the ATG fails?
So, is there a log of instrument testing and any reported failures?
Obvioulsy these are questions in response to the little I know from the reports and the even less that I know about what should go on.
Am I unrealsitic? or is this hindsight?
JMW
This is not an area of expertise for me but logic suggests some seemingly obvious questions.
For example, many of the investigations post-mortem would seem could reasonablly be expected to form part of the onsite routines, especially when preparing to receive fuels.
The estimation of filling time or end point based on flow rates and tank capacity is such a simple routine it could be automated in the control systems/
Question:
Is this calculation made manually by the operators and/or within the system? Is it also performed at the supply end of the pipeline relative to the amount to be delivered?
Question:
By how much did the planned 8300m3 delivery overshoot?
Are there any routines at the supply end that can be applied to prevent oversupply?
Could they not determine this because more than one site was being supplied?
Surely they would need access to flow instrumention to monitor what was being delivered and where?
This calculation is eminently feasible given that it has been done in the post mortem.
Question:
The investigators have been able to test many elements of the instrumentation. Are these tests that would be routinely performed in preparation for receiving fuels?
If not, are they routine at any time?
When they were last performed?
Question:
Is it routine to manually dip the tanks? if so when? In preparation for eceiving fuels? When doing a stock check as at midnight?
On the face of it there ought to have been a reasonable probability that three or four or more diferent mechanisms existed to detect when the tank should have been full both through the instrumentation, on site and off, and at the supply end, and through observation and calculation.
We have the ATG, an "ultimate" high level switch, tank dipping, remote monitoring, instrument systems tests, flow calculations that can be perfomed, manually, atomatically and some which can be performed at supply end of the pipeline.
The use of the temperature readings is another missed indication and it is not an obscure clue, operators should be familiar enough to recognise the importance of other instruments as diagnostics when checking the potential failure of a key instrument.
There is also CCTV footage but apparently no one was watching at the time i.e any time from 05:20 till 06:01.
Question:
Should there be level indicators in the bunds? are there gas detectors in the immediate vicinity of the tanks? would this be usual or not?
Question:
Would it not be normal for a periodic review of all site safety routines, for routine testing of the instrumentation, a review of the procedures and, perhaps most importantly, to test for compliance?
Question:
What is the probability that all systems failed at the same time?
Is it more likely that the different parts of the system failed at different times?
Is it possible that some failures were not found e.g. the "ultimate" high level switch was never found to have failed bacuse the ATG normally never let the level reach this switch; the first indication it has failed is when the ATG fails?
So, is there a log of instrument testing and any reported failures?
Obvioulsy these are questions in response to the little I know from the reports and the even less that I know about what should go on.
Am I unrealsitic? or is this hindsight?
JMW
JMW.
Your questions are pertinent.
I don't agree with you in that the report is "constrained".
I think the three reports have come out in good time, and kept us abreast of the investigator's findings.
Investigations of other incidents have taken much longer.
I think the next report will address some of your questions.
I don't think there is anything to prohibit a complete and accurate understanding of the accident process - the personnel survived, the control room was undamaged, the remote location that dispatched the fuel was undamaged. Electronic records survived.
I think the next report will explain much.
J.
J.
Your questions are pertinent.
I don't agree with you in that the report is "constrained".
I think the three reports have come out in good time, and kept us abreast of the investigator's findings.
Investigations of other incidents have taken much longer.
I think the next report will address some of your questions.
I don't think there is anything to prohibit a complete and accurate understanding of the accident process - the personnel survived, the control room was undamaged, the remote location that dispatched the fuel was undamaged. Electronic records survived.
I think the next report will explain much.
J.
J.
- Thread starter
- #4
stookeyfpe
Specifier/Regulator
JMW:
I apologize if this appears to be a simple answer to a complex issue. However your posting reinforces some of the concerns I had. For example, the HSE was able to analyze the signal controls and data acquistion outputs. In this report they report the temperature increased because gasoline was flowing into the tank. HSE also stated that the terminal operators had accumulated a large amount of data using SCADA. Based on the amount of data amassed, it would seem reasonable to me that using the temperature data in conjunction with constant polling of the high-high alarm and ambient air temperature that the process controls should have stopped the transfer process.
I enjoyed a very detailed discussion on this incident with peer I highly respect yesterday. We both are wondering where are the operators?
One of the more interesting elements of this incident is that the NFPA 30 committee probably has never considered a vapor cloud explosion as part of the equation in the design of containment system or bunds if you live across the pond. The failure of the bunds does not suprise me given that a VCE occurred. However, this incident is going to introduce a whole new element in any new tank battery designs that I review.
This investigation is going to reveal a great number of lessons to be learned. I would like to believe that it will also enhance petroleum terminal safety, and I state this with the understanding that 99 percent of the terminal owners and operators are very responsible. But I all agree with JMW in that we need to let the HSE do its investigation. They have been extremely diligent in releasing information and I as a code official understand the why and how of writing conservative reports.
I apologize if this appears to be a simple answer to a complex issue. However your posting reinforces some of the concerns I had. For example, the HSE was able to analyze the signal controls and data acquistion outputs. In this report they report the temperature increased because gasoline was flowing into the tank. HSE also stated that the terminal operators had accumulated a large amount of data using SCADA. Based on the amount of data amassed, it would seem reasonable to me that using the temperature data in conjunction with constant polling of the high-high alarm and ambient air temperature that the process controls should have stopped the transfer process.
I enjoyed a very detailed discussion on this incident with peer I highly respect yesterday. We both are wondering where are the operators?
One of the more interesting elements of this incident is that the NFPA 30 committee probably has never considered a vapor cloud explosion as part of the equation in the design of containment system or bunds if you live across the pond. The failure of the bunds does not suprise me given that a VCE occurred. However, this incident is going to introduce a whole new element in any new tank battery designs that I review.
This investigation is going to reveal a great number of lessons to be learned. I would like to believe that it will also enhance petroleum terminal safety, and I state this with the understanding that 99 percent of the terminal owners and operators are very responsible. But I all agree with JMW in that we need to let the HSE do its investigation. They have been extremely diligent in releasing information and I as a code official understand the why and how of writing conservative reports.
I wonder if software failure had a role in this accident.
Does anyone know the "normal" process for dispatching a quantity of fuel from a remote location to the receiving tank by pipeline?
Would it be part of the process to ensure that the receiving tank has ample capacity? I sure hope it isn't the case that they pump until the high level is reached and then stop pumping.
I wrote a brief summary of the basics of the 3rd report, if people don't have time to read the full report:-
Here's a thought - the level recording on the DCS says the tank was 2/3 full even though they believe it was filled to capacity. Now, if one parameter from an electronic data base is wrong, should we mistrust all parameters? Computer based data looks so credible.
J.
Does anyone know the "normal" process for dispatching a quantity of fuel from a remote location to the receiving tank by pipeline?
Would it be part of the process to ensure that the receiving tank has ample capacity? I sure hope it isn't the case that they pump until the high level is reached and then stop pumping.
I wrote a brief summary of the basics of the 3rd report, if people don't have time to read the full report:-
Here's a thought - the level recording on the DCS says the tank was 2/3 full even though they believe it was filled to capacity. Now, if one parameter from an electronic data base is wrong, should we mistrust all parameters? Computer based data looks so credible.
J.
Jom,
Perhaps I really meant "restrained" i.e. clear, factual and with no emotive words, and no element of pre-judgment.
As you point out, they have ample instrumentation data to evaluate, so this is perhaps an easier task at this stage than some other disaster evaluations.
"Where are the operators?" is a good question. It may be that we didn't get to this part in the reporting phase and perhaps because it makes sense to get all the hard evidence in and evaluated before moving on to the operators. That is going to make some interesting reading, but it is probably innappropriate to speculate just yet.
Your last point in your last post was something I wondered about.
The more automation we have and the more safety that is built into such systems, the less it seems operators trust themselves.
If they do have a concern they often seem to make the wrong choices.
At Chernobyl the safe approach would be to assume the instrument is right and here, if the operators were aware of the problem with the level gauge, to assume the instrument was wrong and act accordingly.
One would hope that various mechanisms would exist within the HSE procedures to continuously evaluate "what if?" scenarios so that operators can react in such situations in a planned manner. This shouldn't be a "surprise" requiring agonising thought.
In this case, shut down manually and investigate. Given the time scale here, they could even have had time to investigate before shutting down... how long would it take someone to get out to tank 912 and manually dip it?
The part of the investigation I would hope to see is a review of the site procedures, operator training and skills as a pre-amble to what the operators did and did not do.
JMW
Perhaps I really meant "restrained" i.e. clear, factual and with no emotive words, and no element of pre-judgment.
As you point out, they have ample instrumentation data to evaluate, so this is perhaps an easier task at this stage than some other disaster evaluations.
"Where are the operators?" is a good question. It may be that we didn't get to this part in the reporting phase and perhaps because it makes sense to get all the hard evidence in and evaluated before moving on to the operators. That is going to make some interesting reading, but it is probably innappropriate to speculate just yet.
Your last point in your last post was something I wondered about.
The more automation we have and the more safety that is built into such systems, the less it seems operators trust themselves.
If they do have a concern they often seem to make the wrong choices.
At Chernobyl the safe approach would be to assume the instrument is right and here, if the operators were aware of the problem with the level gauge, to assume the instrument was wrong and act accordingly.
One would hope that various mechanisms would exist within the HSE procedures to continuously evaluate "what if?" scenarios so that operators can react in such situations in a planned manner. This shouldn't be a "surprise" requiring agonising thought.
In this case, shut down manually and investigate. Given the time scale here, they could even have had time to investigate before shutting down... how long would it take someone to get out to tank 912 and manually dip it?
The part of the investigation I would hope to see is a review of the site procedures, operator training and skills as a pre-amble to what the operators did and did not do.
JMW
JMW,
Yeah, I now understand what you mean by "constrained".
What's striking about Buncefield and Texas City is the simplicity of the accident processes. It would be some kind of comfort if they were the result of some complicated or exotic causes. But, they're really dumb events.
Buncefield being a COMAH site is surely an embarrassment.
It's often said that chemical process accidents are always repeats of prior accidents. I wonder if that thinking could mislead us. I wonder if a new "family" of accident type could be emerging. Tell me if you think this is nutty thinking.
We have increasing automation and decision making by computer, accompanied by reduced staffing levels. Are we constructing a new production environment that will deliver us a new class of accident?
Does increased automation remove the potential of human error at the process operator level, only to pass the responsibility to programmers?
J.
Yeah, I now understand what you mean by "constrained".
What's striking about Buncefield and Texas City is the simplicity of the accident processes. It would be some kind of comfort if they were the result of some complicated or exotic causes. But, they're really dumb events.
Buncefield being a COMAH site is surely an embarrassment.
It's often said that chemical process accidents are always repeats of prior accidents. I wonder if that thinking could mislead us. I wonder if a new "family" of accident type could be emerging. Tell me if you think this is nutty thinking.
We have increasing automation and decision making by computer, accompanied by reduced staffing levels. Are we constructing a new production environment that will deliver us a new class of accident?
Does increased automation remove the potential of human error at the process operator level, only to pass the responsibility to programmers?
J.
Or do the operators stop thinking for themselves?
Reduced manning: this was a late night/early morning event... some quetsions about the alertness of the operators to be asked anyway.
JMW
Reduced manning: this was a late night/early morning event... some quetsions about the alertness of the operators to be asked anyway.
JMW
I wonder how the responsibilty is spread for ensuring a tank is not overfilled by a remote pumping station.
Assuming different companies operate the pump station and the recieving facility, would both companies have an obligation to ensure no overfill?
I wonder what the sales contract says about this.
Should be interesting to see how the insurers fight it out.
J.
Assuming different companies operate the pump station and the recieving facility, would both companies have an obligation to ensure no overfill?
I wonder what the sales contract says about this.
Should be interesting to see how the insurers fight it out.
J.
- Status
Similar threads
- Locked
- Question
- Locked
- Question
