For those unfamiliar with this issue, Buncefield is the location of a storage facility owned by TOTAL UK Limited (60%) and Texaco (40%). News reports described the incident as the biggest of its kind in peacetime Europe.
When combined with the 5-day fire it started, this was Britain's costliest industrial incident, at $1.6 billion USD. Fortunately, there were no fatalities at all.
The report is as thorough as you would expect, and quickly gets around to blaming corporate complacency and failures in the process safety management systems that are in place. All valid and expected criticisms.
However, when reviewed with an eye to the principles of Reliability-centered Maintenance, we see the all too familiar signs of a lack of application of rigorous maintenance management processes:
- A gauge used to monitor the level within Tank 912 was stuck and not indicating accurately.
- This was not a one-off failure, but a known failure that had been occurring since intrusive maintenance in August of the same year (2005).
- The second, and last, layer of protection to prevent the spill was the Independent High Level Switch. This was inoperable. From what I have read so far, it was inoperable due to poor operational management, in that it was not padlocked into position as it should have been.
- Lastly, and very importantly, the bund surrounding the tank was not fit for purpose. In typical fashion the report points to the fact that it is under capacity and was not supported by corporate engineering.
For those familiar with RCM, these are all signs of a plant that has either no control, or has lost control, over its physical asset management programs.
The Gauge
The sticking was a chronic failure, and it should never have been allowed to persist on the monitoring gauge. The potential safety and environmental consequences alone should have seen to that.
The mismanagement of that failure is a classic example of Perin's (1992) unrocked boat principle.
This is a gradual erosion of safety management. Things are left in an unsafe condition, or unsafe practices are allowed to continue, until it reaches the point where something should go dramatically wrong - and doesn't (the unrocked boat). The resulting disaster, when it occurs, is often catastrophic.
The Switch
The plant should not have been operable while the Independent High Level Switch was in an inoperable state, and here it had been left that way rather than having failed.
However, there should have been a detective maintenance routine in place, designed to inspect it for failure at a frequency that supported a predetermined level of risk. This is sadly lacking in many refineries, with instrumentation "experts" often opting for costly and often uncompleted asset modifications as the first means of managing risk.
This is a dangerous practice, and one that so easily masquerades as a leading safety practice.
The Bund
This is another area where there is a distinct danger of companies lurching towards even more complex and unmanageable safety management instead of adopting good, sound physical asset management approaches.
The fundamental issue here was one of exceeding the inherent capacity of the bund. When production / flow through was increased, no doubt all manner of engineering calculations were done to make sure the installation could deal with it operationally.
However, in a rigorous RCM approach, all of the functions of the system would be reviewed when making changes to the design, or demand / operation, of any physical asset.
Recommendations... (The real danger)
The real danger here is that a series of unmanageable changes will be forced into the petroleum industry. We saw this in the wake of the BP refinery explosion in Houston, and we see it regularly in the wake of industrial incidents.
- Issues like probability of failure calculations that include evident as well as hidden failure modes, pushing companies to expensive redesign options.
- Lurching always to redesign instead of recognizing that effective and properly managed maintenance regimes can and do reduce risk exposure.
This forces the engineering departments into areas of operational concern instead of instituting standard RCM function-style comparisons between the user requirements and the inherent capacity of the assets.
All issues here are fundamental concepts of Reliability-centered Maintenance. All are concepts that every organization should have at their core, and all are concepts that are sadly misunderstood or not even known to the people who carry out these root cause analysis studies.