Buncefield Verdict...

Many questions unanswered, but basically 300 Tonnes of unleaded petrol overflowed from a tank for 40 minutes.

Mechanical safeguards failed and human error was 'partly' to blame.

Report here:

Whitewash and bullshit.

Reply to
Mother

On Tue, 09 May 2006 13:14:26 +0100, Mother scribbled the following nonsense:

interesting reading indeed.

I have worked with SCADA systems as mentioned in the report before going into teaching. They are useful monitors, but we regularly used to have problems with them. We used a SCADA system to control soup cooking, and at least once a month found that the system would fail to close valves completely. This could lead to too much water entering the soup, making it watery, allowing one flavour to mix with another (although I quite liked the chicken and mushroom soup), or even allow Clean In Place (CIP) chemicals to mix with product or divert straight to drain, rather than recycle for treatment in our effluent plant. CIP chemicals are highly caustic, but are used because they are good at removing fats and oils...

SCADA is designed to run and monitor the system and switch things on and off according to set parameters, and hence is only as good as the programming.

We used to find our biggest problem was sensor failure, which would let the system think it was doing one thing, when because of the failure something else was happening. Our favourite was the water feed pipe sensor saying the valve had closed, when it actually hadn't.

2 mins later, soup would flow over the top of the vessel. Check the records and it showed the valve was shut.....

We ended up having a second SCADA terminal next to the Shift Manager PC, which meant that I could keep an eye on things and notice if anything was untoward. Needless to say it was useless, because if you see everything as "normal", you take no action...

I would guess that the level sensor failed, which meant that the system continued to think that the tank was not full, and so would not shut the valve once the critical level was reached. With no data to say that the level was high, fuel would continue to pump in, overflow, explode and destroy a Vampire... (no mention of it in the report...)

Reply to
Simon Isaacs

Having read this factual report on the cause of the disaster I don't understand your last comments at all. ??? The blame game is yet to come.

Reply to
Bob Hobden

Not just that, but the SYSTEM design has to be failsafe and redundant. I have seen too much control programming done by people with DP backgrounds, who assume that everything will happen because they say it will, and fail to check. Sounds like there was no redundancy.

Steve

Reply to
Steve Taylor

The utilisation of facts to mask the obvious.

That will not go into the _real_ reasons for the fire, which IMO will all come down to profit, corner-cutting, and a basic disregard for the safety of and responsibility toward the immediate community or environment.

Reply to
Mother

I would apply this to many situations: floodplains, aircraft flight path final approach, chemical and petrochemical plants etc. What kind of moron builds or allows houses to be built in a situation where there is an obvious inherent danger? (see: politicians) When you know, make the buggers live there. Derek

Reply to
Derek

On Tue, 09 May 2006 19:09:43 GMT, "Derek" scribbled the following nonsense:

try getting house insurance for a house in the Fens. Last time we flooded was 1947... Many other places have flooded far more frequently since then, but are not classed as "high risk of flood areas".

I mean, I live on an island! Crowland has an ancient Abbey, and was built on one of the high spots in the area, and used to be surrounded by water.......

Reply to
Simon Isaacs

Having read it I have to say that it seems well-written and well-researched. It establishes, as far as it can, the facts and events leading to the explosions. As such it is required reading for anyone involved in running a COMAH site.

Maybe. But the failure cannot simply be that of the operating company. Such sites run under licences issued by the Environment Agency and are regularly subject to HSE inspection etc. So don't run away with the idea that Megacorp have simply chosen to install System A because it's cheaper than System B. The specification will have been subject to scrutiny by the licensing authority. In all likelihood, based on experience, those people would have little real idea what they were looking at.

Working day to day in COMAH and hazardous waste environments the culture is generally one of safety-first. After all, the decision makers are working every day right inside the time bomb. The bigger the company, the more they have to lose in terms of operating profit, share value and customer goodwill. I can say in all honesty that I don't see any evidence of cost cutting where explosive hazards exist in the companies I work for.

The acid test is whether other sites are reading these reports and making urgent reviews of their procedures. The other question is whether DEFRA are allowing rapid progress by supporting changes to operating licences without bureaucratic delays.

Reply to
Tim Hobbs

SCADA has come a long way in a very short time. Now that several vendors are selling 'safety PLCs' which are intended to allow the functional control of machinery/plant as well as the safety monitoring to all be done by one PLC unit (admittedly with multiple processors) there's been a lot of work put into data transmission systems and programmable logic which will fail to a safe state. Most vendors rely on supplying 'locked' software modules which are known to work - which is fine for common applications like presses and robots, but works less well for more bespoke applications. There's plenty of talk in the industry about how to deal with this - the main solution proposed by the vendors seems to be 'let us come and do it for you'.

Well, there was some redundancy, because there was both a level switch and a high level alarm, but you are right that for something as important as this, there should have been full redundancy of the sensors and the control actuators, with consideration given to the possibility of common mode failure. Difficult to be specific without seeing the plant design, but wiring the alarm so it turned off the pump which was filling the tank might have been a start.

Modern standards for this sort of control application require both redundancy and 'monitoring'. Monitoring is where the sensors and actuators are exercised and checked regularly, either as part of the normal operation of the equipment, or in a self test routine. The trick is not to look for a single 'safe' state, but to look for a change in state which can only be the result of the sensor or actuator working properly (e.g. normally closed and normally open contacts changing state within a specified time of one another). If the system behavior becomes strange, then a shut down is initiated.

It works for the 'fly-by-wire' electronics in everything flying with an Airbus badge on it, not to mention the newer Range Rovers and the production line they are made on (how's that for bringing this back on topic!), so it's not impossible to do.

Nick.

Reply to
Nick Williams
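The 'monitoring' idea in Nick's post, as an added example that is not part of the original thread and has nothing to do with the actual Buncefield report: a model of a high-level switch with complementary normally-closed and normally-open contacts feeding a fill-pump interlock. The 0.5 s skew limit and the sampled readings are constructed for illustration.

```python
from dataclasses import dataclass

SKEW_LIMIT = 0.5  # seconds; assumed figure, not from the report


@dataclass(frozen=True)
class Sample:
    t: float   # seconds since start of fill
    nc: bool   # True = normally-closed contact is closed (level below switch)
    no: bool   # True = normally-open contact is closed (level at switch)


def check_contacts(samples, skew_limit=SKEW_LIMIT):
    """Classify a run of readings as 'normal', 'high' or 'trip'.

    A healthy switch keeps NC and NO complementary. When the level is
    reached both must change within skew_limit of each other; a longer
    disagreement can only mean a stuck or broken contact, so the run is
    tripped rather than trusted."""
    disagree_since = None
    for s in samples:
        if s.nc != s.no:                 # contacts agree with each other
            disagree_since = None
            if s.no:                     # both say: level at switch
                return "high", f"high level confirmed at t={s.t}"
            continue
        if disagree_since is None:       # first mismatched reading
            disagree_since = s.t
        elif s.t - disagree_since > skew_limit:
            return "trip", f"contacts disagree since t={disagree_since}"
    return "normal", "no high-level indication"


def pump_command(state):
    """Fill pump runs only while the switch is healthy and below high level;
    a trip is treated exactly like a high-level alarm (pump off)."""
    return "run" if state == "normal" else "stop"


def exercised_ok(samples):
    """Proof test: during a deliberate exercise of the switch both contacts
    must be seen to change at least once. This catches the switch that
    never reports 'full', which the discrepancy check above cannot see."""
    return len({s.nc for s in samples}) == 2 and len({s.no for s in samples}) == 2


# Constructed readings, sampled every 0.25 s.
HEALTHY = [Sample(0.0, True, False), Sample(0.25, True, False),
           Sample(0.5, False, False), Sample(0.75, False, True)]
STUCK_NC = [Sample(0.0, True, False), Sample(0.25, True, True),
            Sample(0.5, True, True), Sample(0.75, True, True),
            Sample(1.0, True, True)]
NEVER_TRIPS = [Sample(t / 4, True, False) for t in range(8)]
```

NEVER_TRIPS is the stuck-at-'not full' case Simon describes: the contacts never disagree, so only the exercise routine (exercised_ok) exposes it.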

On or around Tue, 9 May 2006 22:39:52 +0100, Nick Williams enlightened us thusly:

I suspect it will become apparent that the systems at Buncefield were either out-of-date or had been piggybacked onto something older. The gist of comments on the radio yesterday lunchtime was that where planning is concerned, you'd not get permission to build it where it was, now. Doesn't alter the fact that the houses etc. have no doubt all been built around it, of course. People are remarkably short-sighted about where they'll build houses... Airports, floodplains, beside a depot holding millions of gallons of petrol...

Reply to
Austin Shackles

My experience is that Planning Authorities don't care about what's already there. They don't even care about whether or not sewage can flow uphill: that's the water authority's problem.

Reply to
David G. Bell

I have just had a quick glance at the report and notice from the image of the tanks they have manual access for dip checks. If the monitoring system failed at the point of filling then the crew are not to blame. But they may have failed to post a fuel watcher on top. Most of my time while working with fuels in the forces (aviation, diesel and petrol bulk tanks) was monitoring. So depending on the weather: 1. dip checks 2. calculations 3. manual monitoring. If the crew already knew of the failure and nothing was done then management and company are to blame under health and safety and gross environmental failure. We had a similar incident in the RAF. A lad was charged and sent down for overfilling a fuel tanker for the station aircraft. Badger might remember this as we were stationed there. As a result a good amount went into the local bay. But this highlights a failure to do manual monitoring.

regards an ex-refueller

Reply to
john oakes

MotorsForum website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.