
The Buncefield Incident

A Review and the Path Forward

©KENEXIS 2010
Presenter Introduction

• Peter Herena
• Senior Engineer, Kenexis Consulting
• 12 Years Petrochemical Industry Experience
  – 9 Years Control and Safety Systems
• BSChE, BSEnvE, Northwestern University
• PE, ISA‐84 SFS/SSS
Buncefield Background

• Major pipeline transfer crossroad
• 5th largest fuel storage depot in UK
• 40km north of London

Source: Buncefield Final Report
Buncefield Surroundings

• Maylands Industrial Estate
  – 630 businesses
  – 16,500 people
• Residential areas
• Town of Hemel Hempstead

Source: Buncefield Final Report
Map of Affected Area

Source: BBC
Local Incident Effects

• 43 injuries
• 2,000 evacuated
• Damage estimate: 1 billion

Source: Buncefield Final Report
Regional Effects

• Disruption to fuel supply
• Environmental damage
• Negligible DW contamination
• Possible MTBE/BTEX threat
Cost & Litigation

• Recent High Court ruling: Total liable for civil damages
• HOSL claims: 625 million
• Criminal investigation ongoing
Timeline: Initial Events

• Pipeline transfer to load Tank 912 at HOSL with petrol began night of Sat, 10 Dec ’05
• Tank level indication unchanged
• No operator intervention
• Ultimate high level sensor failed to function
Tank 912 Schematic

Source: Buncefield Final Report
Timeline: Tank Overflow

• Overflow from ~0520 onwards
• Pump rate increased at 0550

Source: Buncefield Final Report
Timeline: Tank Overflow

• Vapor cloud flowed from Bund A in all directions
• Between 0530 and 0600 observed by witnesses

Source: Buncefield Final Report
Timeline: Tank Overflow

• “White Mist” extended to far ends of some Maylands bldgs

Source: Buncefield Final Report
Timeline: Explosions

• Occurred at 0601
• A series of explosions that started massive fire
• Burned for 4 days

Source: HSE
Timeline Overview

• Initiating event:
  – Misoperation during loading
• Propagating events/conditions:
  – Poor administrative controls
  – Failure of primary level & alarm
  – Failure of operations to recognize
  – Failure of safety system to act
  – Poor maintenance practices
MIIB Board Recommendations

• Intended for “Buncefield‐type” sites
• 78 Recommendations in 5 key areas
  – Off‐site hazard mitigation
  – Emergency response preparedness
  – Land use planning
  – Regulation for inspection enforcement
  – Risk‐based application of prevention measures
Recommendation #3

• Application of high integrity automatic overfill prevention systems
• Physically and electrically separate and independent from tank gauging system
Recommendation #8

• Called for consideration of alternate sensors
  – Easier to test
  – More reliable
  – Better diagnostics
  – Do not require components internal to tank
Recommendation #11

• Consider employing measures to detect hazardous conditions upon loss of containment
  – Flammable gas detectors in bunds
  – Connect flammable gas detectors to overfill protection system
  – Apply CCTV equipment that can detect and respond to condition changes
ISA‐84 (IEC‐61511) Application

• Recommendations 1‐5 directly or indirectly reference ISA‐84 (IEC‐61511)
  – Select a SIL using its methodology
  – Verify OPS (new/existing) achieves SIL
  – Design OPS using its methodology
  – Proof test per its methodology
  – Procedures for maintenance and testing, keep test records
Challenges in Tank Measurement

• Density/Temperature fluctuations
• Corrosion
• Foreign material buildup
• Foaming
• Testing/Diagnostics
• COST
Tank Level Instrumentation

• Radar/Microwave
• Float/Servo Gauge
• RF Cap, Admit or Imp
• Conductivity
• Hydrostatic
• Ultrasonic
• Tuning Fork
ISA‐84 Standard Safety Lifecycle

• International Society of Automation (ISA)
• ISA‐84, “Safety Instrumented Systems for the Process Industry Sector”
• Provide a complete safety lifecycle to address all root causes of failure
  – Identification of systems
  – Design
  – Testing
  – Maintenance
  – Management of Change
What does ISA‐84 require?

• Performance based
• Defines a “safety lifecycle”
• Requires selection of performance target
• Requires confirmation of target achievement, quantitatively
Typical SIS Design Lifecycle

[Flowchart, read in order:]
• Conceptual Process Design
• Process Hazards Analysis
• SIF Definition
• SIL Selection
• Conceptual Design
• SIL Verification
• Design Specifications
• Procedure Development
• Construction, Installation, and Commissioning
• PSAT
• Operation, Maintenance and Testing
• Management of Change
Principles of Risk Management

• Definitions
• Layers of Protection Concepts
• Different philosophical approaches
• Risk Management Criteria
Safety Instrumented Function – Practical Definition

• Safety Instrumented Function (SIF) is
  – Specific actions to be taken under specific circumstances, which will automatically move the process from a potentially unsafe state to a safe state

[Diagram:] Sensors → Logic Solver → Final Elements
What is a Safety Integrity Level (SIL)?

A measure of the amount of risk reduction provided by a Safety Instrumented Function (SIF)

Safety Integrity Level   Safety Availability   Probability of Failure on Demand   Risk Reduction Factor
SIL 4                    > 99.99%              0.001% to 0.01%                    100,000 to 10,000
SIL 3                    99.9% to 99.99%       0.01% to 0.1%                      10,000 to 1,000
SIL 2                    99% to 99.9%          0.1% to 1%                         1,000 to 100
SIL 1                    90% to 99%            1% to 10%                          100 to 10
How do I assign SIL?

“What is the Safety Integrity Level for my Safety Function?” → Assign SIL that reduces risk to tolerable level

• Numerous techniques
  – Layer of Protection Analysis
  – Risk Graph
  – Quantitative
  – Others
• Be consistent!
What is risk?

Risk is a measure of the likelihood of occurrence of an unwanted event and the consequence of adverse effects;

How often can it happen, and what will be lost if it does?
Types of Risk

• Safety
  – Workers
  – Public
• Environment
• Property Damage
• Business Interruption
• Loss of Market Share
How ISA‐84 Relates to Concept of “Risk”

• Decisions about when to use an SIS and the SIL should be based on risk
• Does not prescribe how much risk to tolerate
• Most standards do not directly use risk; they have prescriptive requirements that provide an appropriate degree of safety
Tolerable Risk

High Risk
• Intolerable Region
  – boundary at 10^-3/yr (workers), 10^-4/yr (public)
• ALARP or Tolerable Region
  – TOLERABLE if risk reduction is impracticable or if its cost is grossly disproportionate to the improvements gained
  – boundary at 10^-5/yr (workers), 10^-6/yr (public)
• Broadly Acceptable Region
Negligible Risk
Layers of Protection

Outer layer to inner layer:
• Emergency Response
• Dikes, Blast Resistance (Physical Devices)
• Engineered Safeguards (e.g., Press. Relief): Relief Set Point
• Safety Instrumented System (SIS), Emergency Shut Down: Trip level alarm
• Operator Intervention, Regain Operational Control: Process alarm
• Basic Process Control System: Process Value Normal Range

[Chart: process value versus time, showing the value leaving its normal range and reaching the process alarm, then the trip level alarm, then the relief set point]
Reducing Risk

[Chart: Likelihood (vertical axis) versus Consequence (horizontal axis), risk increasing toward the upper right. The Inherent Risk of the Process sits in the Unacceptable Risk Region; the ALARP Risk Region and the Tolerable Risk Region lie below it.]
Non‐SIS Risk Reduction

[Chart: same Likelihood versus Consequence plot. Non‐SIS risk reduction (e.g., pressure relief valves) moves the Inherent Risk of the Process down the likelihood axis; consequence reduction (e.g., material reduction, containment dikes, physical protection) moves it left along the consequence axis, toward the ALARP and Tolerable Risk Regions.]
SIS Risk Reduction

[Chart: same plot, with SIS risk reduction applied after the non‐SIS and consequence reductions. Each step (SIL 1, SIL 2, SIL 3) moves the remaining risk further down the likelihood axis, out of the Unacceptable Risk Region and into the ALARP or Tolerable Risk Region.]
Requirements of a Layer of Protection

• Independent protection layers have the following characteristics
  – Specificity
  – Independence
  – Dependability
  – Auditability
Commonly used IPLs

• Operator Intervention
  – Annunciated alarm
  – Continuously manned location
  – Proper training for alarm response
  – Adequate response time
• Relief devices
• Check valves
• BPCS
Allocation of Risk

• After all protection layers are considered, the remaining risk that is in excess of what is tolerable is assigned to protection layers, usually as SIS
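The allocation described on this slide can be carried through as a layer-of-protection calculation: credit every independent non-SIS layer, compare what is left against the tolerable-risk criterion, and read the gap off the SIL table as a risk reduction factor. The Python below is an added illustration written for this page, not Kenexis code and not a calculation from the Buncefield report. The initiating-event frequency, the operator-response PFD and the 10^-5/yr target are constructed placeholders; the RRF bands are the ones in the SIL table earlier in the deck; and the `Layer`, `Scenario`, `sil_for_rrf`, `select_sil` and `overfill_scenario` names are the example's own. Only layers independent of the SIS are credited: an alarm that rides on the same tank gauging the SIS would use cannot also be counted as the SIS (compare Recommendation #3).

```python
"""Layer-of-protection style SIL selection for the "Allocation of Risk" slide.
Added illustration, not Kenexis code; every frequency and PFD below is a
constructed placeholder, not a figure from the Buncefield report."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Layer:
    """An independent protection layer credited in the scenario."""
    name: str
    pfd: float  # probability of failure on demand, 0 < pfd <= 1

    def __post_init__(self) -> None:
        if not 0.0 < self.pfd <= 1.0:
            raise ValueError(f"{self.name}: PFD must be in (0, 1], got {self.pfd}")


@dataclass
class Scenario:
    description: str
    initiating_frequency: float                # initiating events per year
    layers: List[Layer] = field(default_factory=list)
    tolerable_frequency: float = 1e-5          # per year (deck's lower ALARP bound, workers)

    def mitigated_frequency(self) -> float:
        """Frequency of the unwanted outcome after every credited non-SIS layer."""
        f = self.initiating_frequency
        for layer in self.layers:
            f *= layer.pfd
        return f

    def required_rrf(self) -> float:
        """Risk reduction the remaining gap must supply, usually by an SIS."""
        return self.mitigated_frequency() / self.tolerable_frequency


def sil_for_rrf(rrf: float) -> Optional[int]:
    """Map a required risk-reduction factor onto the SIL table's RRF bands.
    0 means no SIL-rated function is needed (RRF of 10 or less);
    None means the gap exceeds SIL 4, so the process design must change."""
    if rrf <= 10:
        return 0
    if rrf <= 100:
        return 1
    if rrf <= 1_000:
        return 2
    if rrf <= 10_000:
        return 3
    if rrf <= 100_000:
        return 4
    return None


def select_sil(scenario: Scenario) -> dict:
    """Return the mitigated frequency, the required RRF, the SIL and the
    maximum PFD the SIS may have to close the gap."""
    rrf = scenario.required_rrf()
    return {
        "mitigated_frequency_per_yr": scenario.mitigated_frequency(),
        "required_rrf": rrf,
        "sil": sil_for_rrf(rrf),
        "max_sis_pfd": 1.0 / rrf if rrf > 1 else 1.0,
    }


def overfill_scenario() -> Scenario:
    """Constructed tank-overfill scenario; all numbers are placeholders."""
    return Scenario(
        description="Overfill of a petrol tank during pipeline transfer",
        initiating_frequency=0.5,   # misoperations per year (constructed)
        layers=[
            # BPCS high-level alarm, continuously manned, trained response:
            # an IPL only if it is independent of the SIS (Recommendation #3)
            Layer("Operator response to high-level alarm", pfd=0.1),
        ],
        tolerable_frequency=1e-5,
    )


if __name__ == "__main__":
    for key, value in select_sil(overfill_scenario()).items():
        print(f"{key}: {value}")
```

Run it and the constructed scenario needs an RRF of 5,000, which the SIL table places in SIL 3. Change `tolerable_frequency` to the public bound of 10^-6/yr and the required RRF rises tenfold, which is the point of the “Be consistent!” bullet: the SIL you obtain is only as defensible as the criteria fixed beforehand.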
Principles of Risk Management Summary

• Necessary to adopt a “risk” approach to determine SIS design requirements
• Criteria for tolerable risk needs to be established
• Consistent methods for analyzing risk need to be established. No “standard” industry approach.
• Consider:
  ✓ Consequence
  ✓ Likelihood
  ✓ Layers of Protection
Typical SIL 1 Design

[Diagram: PT, UC, PLC, SV, IAS, FC; a single sensor, a single logic solver and a single final‐element set]

PFD(Sensors) + PFD(Logic Solver) + PFD(Final Elements) = 1% to 10%
Typical SIL 2 Design

[Diagram: two PTs voted 1oo2, UC, PLC, and two SV/IAS/FC final‐element sets]

PFD(Sensors) + PFD(Logic Solver) + PFD(Final Elements) = 0.1% to 1%
SIL Verification

• Purpose is to quantitatively verify selected equipment and testing meets requirements
• Uses reliability engineering calculations
Parameters impacting SIL

• Component Selection
• Diagnostic Coverage
• Fault Tolerance
• Common Cause Failures
• Functional Test Interval
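The reliability calculation that the SIL Verification slide refers to, for the two architectures on the SIL 1 and SIL 2 design slides, with the functional test interval and the common-cause parameters from the slide above as inputs, looks like the following. This Python is an added example written for this page, not Kenexis code: the failure rates, proof-test interval and beta factor are constructed placeholders; the 1oo1 and 1oo2 formulas are the usual simplified low-demand approximations (PFDavg = λ_DU·τ/2 for a single channel, (λ_DU·τ)²/3 plus a β·λ_DU·τ/2 common-cause term for 1oo2), valid only while λ_DU·τ is much less than 1; and the `Subsystem`, `sif_pfd`, `sil_from_pfd`, `sil1_design`, `sil2_design` and `verify` names are the example's own.

```python
"""PFDavg summation PFD(Sensors) + PFD(Logic Solver) + PFD(Final Elements)
for the SIL 1 (simplex) and SIL 2 (1oo2) design slides, mapped back onto the
SIL table's PFD bands. Added illustration, not Kenexis code; failure rates,
test interval and beta are constructed placeholders."""
from dataclasses import dataclass
from typing import List

HOURS_PER_YEAR = 8760.0


@dataclass
class Subsystem:
    name: str
    lambda_du: float        # dangerous undetected failures per hour (constructed)
    test_interval_h: float  # proof-test interval in hours
    voting: str = "1oo1"    # "1oo1" or "1oo2"
    beta: float = 0.0       # common-cause fraction shared by redundant channels

    def pfd_avg(self) -> float:
        x = self.lambda_du * self.test_interval_h  # expected DU failures per interval
        if self.voting == "1oo1":
            return x / 2.0
        if self.voting == "1oo2":
            # both channels fail independently, plus the common-cause share
            return (x ** 2) / 3.0 + self.beta * x / 2.0
        raise ValueError(f"unsupported voting: {self.voting}")


def sif_pfd(subsystems: List[Subsystem]) -> float:
    """PFD(Sensors) + PFD(Logic Solver) + PFD(Final Elements)."""
    return sum(s.pfd_avg() for s in subsystems)


def sil_from_pfd(pfd: float) -> int:
    """SIL achieved for an average PFD per the deck's SIL table (0 = below SIL 1)."""
    if pfd >= 0.1:
        return 0
    if pfd >= 0.01:
        return 1
    if pfd >= 0.001:
        return 2
    if pfd >= 0.0001:
        return 3
    return 4


def sil1_design(tau: float = HOURS_PER_YEAR) -> List[Subsystem]:
    """One PT, one PLC, one SV/IAS/FC valve set (SIL 1 design slide)."""
    return [
        Subsystem("PT", lambda_du=2e-6, test_interval_h=tau),
        Subsystem("PLC", lambda_du=1e-7, test_interval_h=tau),
        Subsystem("SV+FC valve", lambda_du=3e-6, test_interval_h=tau),
    ]


def sil2_design(tau: float = HOURS_PER_YEAR, beta: float = 0.1) -> List[Subsystem]:
    """Two PTs voted 1oo2, one PLC, two SV/IAS/FC sets voted 1oo2 (SIL 2 design slide)."""
    return [
        Subsystem("PT 1oo2", lambda_du=2e-6, test_interval_h=tau, voting="1oo2", beta=beta),
        Subsystem("PLC", lambda_du=1e-7, test_interval_h=tau),
        Subsystem("SV+FC valve 1oo2", lambda_du=3e-6, test_interval_h=tau, voting="1oo2", beta=beta),
    ]


def verify(subsystems: List[Subsystem]) -> dict:
    """Per-subsystem PFDs, the SIF total and the SIL that total achieves."""
    total = sif_pfd(subsystems)
    return {
        "per_subsystem": {s.name: s.pfd_avg() for s in subsystems},
        "pfd_total": total,
        "sil": sil_from_pfd(total),
    }


if __name__ == "__main__":
    for label, design in (("SIL 1 design", sil1_design()), ("SIL 2 design", sil2_design())):
        r = verify(design)
        print(f"{label}: PFD = {r['pfd_total']:.4%} -> SIL {r['sil']}")
    # Identical redundant sensors with a large common-cause fraction lose the
    # 1oo2 benefit (the Diversification slide's point); the SIL drops to 1.
    print(f"SIL 2 design, beta=0.5: SIL {verify(sil2_design(beta=0.5))['sil']}")
```

With the placeholder rates the simplex design totals about 2.2% (SIL 1) and the 1oo2 design about 0.30% (SIL 2). Two things the table alone does not show: the final elements dominate both totals, so that is where a shorter proof-test interval buys the most; and raising `beta` from 0.1 to 0.5 for identical sensors and valves pushes the “SIL 2” design back into SIL 1, which is the quantitative reason behind the sensor-diversification advice later in the deck.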
Component Selection

• Device suitable for application
• Device is suitable for safety
  – Proven in use
  – Mfg. in accordance w/ IEC 61508
• Technology of device appropriate
  – Safe Failure Fraction
  – Switches versus Transmitters
  – Relay vs. PLC vs. Safety PLC
Diversification – the Only Free Lunch?

• Sensor diversification should be strongly considered
• When multiple components are working to perform a safety function, common cause can disable similar components
Safety Requirements Specifications

• Purpose
  – Select equipment appropriate for SIL
  – Specify how the system operates
  – Basis for detailed design
  – Basis for Managing Change
• Result
  – Logic Solver Functional Specification (a.k.a. safety requirements specifications)
Test Plans

• One for each SIF
• Describes each step taken
• Matches PFD calculations
• Takes into account startup resources
  – Personnel
  – Equipment
  – Time
Recurring Nightmare

• Puerto Rico, 2009
• Two injuries
• Burned for 2 days
• Destroyed 20 tanks
Conclusions/Overview

• Challenge to meet new requirements
• Risk‐based approach allows concentration on biggest hazards
• Safety Lifecycle has mutually supporting components
• Selecting instrumentation requires balancing many factors
• Some tools can streamline process
Thank You for Attending!

Peter G. Herena
Kenexis Consulting Corporation
2929 Kenny Road, Suite 225
Columbus, OH, 43221
USA
(614) 451-7031
http://www.kenexis.com