Buncefield Verdict...


Mother

Many questions unanswered, but basically 300 Tonnes of unleaded petrol
overflowed from a tank for 40 minutes.

Mechanical safeguards failed and human error was 'partly' to blame.

Report here:

http://news.bbc.co.uk/1/shared/bsp/hi/pdfs/09_05_06_buncefield_report.pdf

Whitewash and bull****.


--
"We have gone from a world of concentrated knowledge and wisdom to one
of distributed ignorance. And we know and understand less while being
increasingly capable." Prof. Peter Cochrane, formerly of BT Labs
In memory of Brian {Hamilton Kelly} who logged off 15th September 2005
 
On Tue, 09 May 2006 13:14:26 +0100, Mother <"@ {mother} @"@101fc.net>
scribbled the following nonsense:

>Many questions unanswered, but basically 300 Tonnes of unleaded petrol
>overflowed from a tank for 40 minutes.
>
>Mechanical safeguards failed and human error was 'partly' to blame.
>
>Report here:
>
>http://news.bbc.co.uk/1/shared/bsp/hi/pdfs/09_05_06_buncefield_report.pdf
>
>Whitewash and bull****.


interesting reading indeed.

I have worked SCADA systems as mentioned in the report before going
into teaching. They are useful monitors, but we regularly used to
have problems with them. We used a SCADA system to control soup
cooking, and at least once a month found that the system would fail to
close valves completely. This could lead to too much water entering
the soup, making it watery, allowing one flavour to mix with another
(although I quite liked the chicken and mushroom soup), or even allow
Clean In Place (CIP) chemicals to mix with product or divert straight
to drain, rather than recycle for treatment in our effluent plant. CIP
chemicals are highly caustic, but are used because they are good at
removing fats and oils......

SCADA is designed to run and monitor the system and switch things on
and off according to set parameters, and hence is only as good as the
programming.

We used to find our biggest problem was sensor failure, which would
let the system think it was doing one thing, when because of the
failure something else was happening. Our favourite was the water
feed pipe sensor saying the valve had closed, when it actually hadn't.
2 mins later, soup would flow over the top of the vessel. Check the
records and it showed the valve was shut.....

We ended up having a second SCADA terminal next to the Shift Manager PC,
which meant that I could keep an eye on things and notice if anything
was untoward. Needless to say it was useless, because if you see
everything as "normal", you take no action......

I would guess that the level sensor failed, which meant that the
system continued to think that the tank was not full, and so would not
shut the valve once the critical level was reached. With no data to
say that the level was high, fuel would continue to pump in,
overflow, explode and destroy a Vampire........ (no mention of it in the
report....)
--

Simon Isaacs

"Bad officials are elected by good citizens who do not vote"
George Jean Nathan (1882-1955)
 

"Mother" wrote ...
> Many questions unanswered, but basically 300 Tonnes of unleaded petrol
> overflowed from a tank for 40 minutes.
>
> Mechanical safeguards failed and human error was 'partly' to blame.
>
> Report here:
>
> http://news.bbc.co.uk/1/shared/bsp/hi/pdfs/09_05_06_buncefield_report.pdf
>
> Whitewash and bull****.
>


Having read this factual report on the cause of the disaster I don't
understand your last comments at all. ???
The blame game is yet to come.

--
Regards
Bob
"Never get so busy making a living
that you forget to make a life"



 
Simon Isaacs wrote:

> SCADA is designed to run and monitor the system and switch things on
> and off according to set parameters, and hence is only as good as the
> programming.


Not just that, but the SYSTEM design has to be failsafe and redundant. I
have seen too much control programming done by people with DP
backgrounds, who assume that everything will happen because they say it
will, and fail to check. Sounds like there was no redundancy.

Steve
 
On Tue, 9 May 2006 15:10:07 +0100, "Bob Hobden" <[email protected]>
wrote:

>Having read this factual report on the cause of the disaster I don't
>understand your last comments at all. ???


The utilisation of facts to mask the obvious.

>The blame game is yet to come.


That will not go into the _real_ reasons for the fire, which IMO will
all come down to profit, corner-cutting, and a basic disregard for the
safety of and responsibility toward the immediate community or
environment.


--
"We have gone from a world of concentrated knowledge and wisdom to one
of distributed ignorance. And we know and understand less while being
increasingly capable." Prof. Peter Cochrane, formerly of BT Labs
In memory of Brian {Hamilton Kelly} who logged off 15th September 2005
 

"Mother" <"@ {mother} @"@101fc.net> wrote in message
news:[email protected]...
> Many questions unanswered, but basically 300 Tonnes of unleaded petrol
> overflowed from a tank for 40 minutes.
>
> Mechanical safeguards failed and human error was 'partly' to blame.
>
> Report here:
>
> http://news.bbc.co.uk/1/shared/bsp/hi/pdfs/09_05_06_buncefield_report.pdf
>
> Whitewash and bull****.
>
>
> --
> "We have gone from a world of concentrated knowledge and wisdom to one
> of distributed ignorance. And we know and understand less while being
> increasingly capable." Prof. Peter Cochrane, formerly of BT Labs
> In memory of Brian {Hamilton Kelly} who logged off 15th September 2005


I would apply this to many situations floodplains, aircraft flight path
final approach, chemical and petrochemical plants etc what kind of moron
builds or allows houses to
be built in a situation where there is an obvious inherent danger ? ( see:
politicians)
when you know make the buggers live there.
Derek


 
On Tue, 09 May 2006 19:09:43 GMT, "Derek"
<[email protected]> scribbled the following nonsense:

>
>"Mother" <"@ {mother} @"@101fc.net> wrote in message
>news:[email protected]...
>> Many questions unanswered, but basically 300 Tonnes of unleaded petrol
>> overflowed from a tank for 40 minutes.
>>
>> Mechanical safeguards failed and human error was 'partly' to blame.
>>
>> Report here:
>>
>> http://news.bbc.co.uk/1/shared/bsp/hi/pdfs/09_05_06_buncefield_report.pdf
>>
>> Whitewash and bull****.
>>
>>
>> --
>> "We have gone from a world of concentrated knowledge and wisdom to one
>> of distributed ignorance. And we know and understand less while being
>> increasingly capable." Prof. Peter Cochrane, formerly of BT Labs
>> In memory of Brian {Hamilton Kelly} who logged off 15th September 2005

>
>I would apply this to many situations floodplains, aircraft flight path
>final approach, chemical and petrochemical plants etc what kind of moron
>builds or allows houses to
>be built in a situation where there is an obvious inherent danger ? ( see:
>politicians)
>when you know make the buggers live there.
>Derek
>


try getting house insurance for a house in the Fens. Last time we
flooded was 1947......... Many other places have flooded far more
frequently since then, but are not classed as "high risk of flood
areas"

I mean, I live on an island! Crowland has an ancient Abbey, and was
built on one of the high spots in the area, and used to be surrounded
by water.......
--

Simon Isaacs

"Bad officials are elected by good citizens who do not vote"
George Jean Nathan (1882-1955)

ROT13 me....
 
On Tue, 09 May 2006 19:39:15 +0100, Mother <"@ {mother} @"@101fc.net>
wrote:

>On Tue, 9 May 2006 15:10:07 +0100, "Bob Hobden" <[email protected]>
>wrote:
>
>>Having read this factual report on the cause of the disaster I don't
>>understand your last comments at all. ???

>
>The utilisation of facts to mask the obvious.


Having read it I have to say that it seems well-written and
well-researched. It establishes, as far as it can, the facts and
events leading to the explosions. As such it is required reading for
anyone involved in running a COMAH site.

>
>>The blame game is yet to come.

>
>That will not go into the _real_ reasons for the fire, which IMO will
>all come down to profit, corner-cutting, and a basic disregard for the
>safety of and responsibility toward the immediate community or
>environment.


Maybe. But the failure cannot simply be that of the operating
company. Such sites run under licences issued by the Environment
Agency and are regularly subject to HSE inspection etc. So don't run
away with the idea that Megacorp have simply chosen to install System
A because it's cheaper than System B. The specification will have
been subject to scrutiny by the licensing authority. In all
likelihood, based on experience, those people would have little real
idea what they were looking at.

Working day to day in COMAH and hazardous waste environments the
culture is generally one of safety-first. After all, the decision
makers are working every day right inside the time bomb. The bigger
the company, the more they have to lose in terms of operating profit,
share value and customer goodwill. I can say in all honesty that I
don't see any evidence of cost cutting where explosive hazards exist
in the companies I work for.

The acid test is whether other sites are reading these reports and
making urgent reviews of their procedures. The other question is
whether DEFRA are allowing rapid progress by supporting changes to
operating licences without bureaucratic delays.



--

Tim Hobbs

'58 Series 2 88" aka "Stig"
'03 Volvo V70
'06 Nissan Navara aka "The Truck"
 
> Simon Isaacs wrote:
>
>> SCADA is designed to run and monitor the system and switch things on
>> and off according to set parameters, and hence is only as good as the
>> programming.


SCADA's come a long way in a very short time. Now that several vendors are
selling 'safety PLCs' which are intended to allow the functional control of
machinery/plant as well as the safety monitoring to all be done by one PLC
unit (admittedly with multiple processors) there's been a lot of work put
into data transmission systems and programmable logic which will fail to a
safe state. Most vendors rely on supplying 'locked' software modules which
are known to work - which is fine for common applications like presses and
robots, but works less well for more bespoke applications. There's plenty of
talk in the industry about how to deal with this - the main solution proposed
by the vendors seems to be 'let us come and do it for you'.

>Steve Taylor wrote


> Not just that, but the SYSTEM design has to be failsafe and redundant. I
> have seen too much control programming done by people with DP
> backgrounds, who assume that everything will happen because they say it
> will, and fail to check. Sounds like there was no redundancy.
>


Well, there was some redundancy, because there was both a level switch and a
high level alarm, but you are right that for something as important as this,
there should have been full redundancy of the sensors and the control
actuators, with consideration given to the possibility of common mode
failure. Difficult to be specific without seeing the plant design, but wiring
the alarm so it turned off the pump which was filling the tank might have
been a start.

Modern standards for this sort of control application require both redundancy
and 'monitoring'. Monitoring is where the sensors and actuators are exercised
and checked regularly, either as part of the normal operation of the
equipment, or in a self test routine. The trick is not to look for a single
'safe' state, but to look for a change in state which can only be the result
of the sensor or actuator working properly (e.g. normally closed and normally
open contacts changing state within a specified time of one another). If the
system behavior becomes strange, then a shut down is initiated.

It works for the 'fly-by-wire' electronics in everything flying with an
Airbus badge on it, not to mention the newer Range Rovers and the production
line they are made on (how's that for bringing this back on topic!), so it's
not impossible to do.

Nick.
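
The monitoring idea in the post above (trust a verified change of state, not a static "safe" reading), sketched as an added example that is not from the thread or from any vendor's safety PLC. The function name, the sample format and the time limits are assumptions.

```python
# Added example; names, sample format and time limits are assumptions.
OK = "OK"
TRIP_DISCREPANCY = "TRIP: NC/NO contacts in same state too long"
TRIP_UNCOMMANDED = "TRIP: state changed without a command"
TRIP_NO_CHANGE = "TRIP: no verified change of state after command"


def evaluate(samples, commanded_at, deadline=2.0, max_skew=0.5):
    """Judge one commanded valve stroke from its position-switch pair.

    samples: time-ordered (t_seconds, nc_closed, no_closed) tuples.
    A healthy pair is always complementary except for a brief overlap
    (at most max_skew seconds) while the switch is travelling.
    """
    prev_state = None      # last valid complementary reading
    equal_since = None     # when the contacts started to agree
    changed_at = None      # first verified transition after the command
    for t, nc, no in samples:
        if nc == no:       # both open or both closed: only valid in transit
            if equal_since is None:
                equal_since = t
            if t - equal_since > max_skew:
                return TRIP_DISCREPANCY
            continue
        equal_since = None
        state = no         # NO closed (and NC open) means "actuated"
        if prev_state is not None and state != prev_state:
            if t < commanded_at:
                return TRIP_UNCOMMANDED
            if changed_at is None:
                changed_at = t
        prev_state = state
    if changed_at is None or changed_at - commanded_at > deadline:
        return TRIP_NO_CHANGE
    return OK


# Constructed feedback traces for a stroke commanded at t = 1.0 s.
HEALTHY = [(0.0, True, False), (1.0, True, False), (1.2, False, False),
           (1.4, False, True), (2.0, False, True)]
STUCK = [(0.0, True, False), (1.0, True, False), (2.0, True, False),
         (4.0, True, False)]           # plausible "safe" reading that never moves
WELDED = [(0.0, True, False), (1.0, True, False), (1.2, True, True),
          (1.5, True, True), (2.0, True, True)]  # one contact welded shut

if __name__ == "__main__":
    for name, trace in (("healthy", HEALTHY), ("stuck", STUCK), ("welded", WELDED)):
        print(name, "->", evaluate(trace, commanded_at=1.0))
```

The stuck trace is the case where the log shows the valve in its expected position throughout: every individual reading is valid, and only the missing transition gives the fault away.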

 
On or around Tue, 9 May 2006 22:39:52 +0100, Nick Williams
<[email protected]> enlightened us thusly:
>
>It works for the 'fly-by-wire' electronics in everything flying with an
>Airbus badge on it, not to mention the newer Range Rovers and the production
>line they are made on (how's that for bringing this back on topic!), so it's
>not impossible to do.


I suspect it will become apparent that the systems at Buncefield were either
out-of-date or had been piggybacked onto something older. The gist of
comments on the radio yesterday lunchtime was that where planning is
concerned, you'd not get permission to build it where it was, now. Doesn't
alter the fact that the houses etc. have no doubt all been built around it,
of course. People are remarkably short-sighted about where they'll build
houses... Airports, floodplains, beside a depot holding millions of gallons
of petrol...
--
Austin Shackles. www.ddol-las.net my opinions are just that
Too Busy: Your mind is like a motorway. Sometimes it can be jammed by
too much traffic. Avoid the jams by never using your mind on a
Bank Holiday weekend.
from the Little Book of Complete B***ocks by Alistair Beaton.
 
On Wednesday, in article
<[email protected]>
[email protected] "Austin Shackles" wrote:


> I suspect it will become apparent that the systems at Buncefield were either
> out-of-date or had been piggybacked onto something older. The gist of
> comments on the radio yesterday lunchtime was that where planning is
> concerned, you'd not get permission to build it where it was, now. Doesn't
> alter the fact that the houses etc. have no doubt all been built around it,
> of course. People are remarkably short-sighted about where they'll build
> houses... Airports, floodplains, beside a depot holding millions of gallons
> of petrol...


My experience is that Planning Authorities don't care about what's
already there. They don't even care about whether or not sewage can flow
uphill: that's the water authority's problem.



--
David G. Bell -- SF Fan, Filker, and Punslinger.

"I am Number Two," said Penfold. "You are Number Six."
 
In <[email protected]> Mother wrote:
> Many questions unanswered, but basically 300 Tonnes of unleaded petrol
> overflowed from a tank for 40 minutes.
>
> Mechanical safeguards failed and human error was 'partly' to blame.
>
> Report here:
>
> http://news.bbc.co.uk/1/shared/bsp/hi/pdfs/09_05_06_buncefield_report.pdf
>
> Whitewash and bull****.
>
>

I have just had a quick glance at the report and notice from the image
of the tanks they have manual access for dip checks. If the monitoring
system failed at the point of filling then the crew are not to blame.
But may have failed to post a fuel watcher on top. Most of my time while
working with fuels in the forces (aviation, diesel and petrol bulk
tanks) was monitoring. So depending on the weather: 1. dip checks 2.
calculations 3. manual monitoring. If the crew already knew of the
failure and nothing was done then management and company are to blame
under health and safety and gross environment failure. We had a similar
incident in the RAF. A lad was charged and sent down for overfilling a
fuel tanker for the station aircraft.
Badger might remember this as we were stationed there. As a result a
good amount went into the local bay. But this highlights the failure of not
doing manual monitoring.

regards an ex-refueller
 
