The Buncefield explosion at Hemel Hempstead, to the north of London, which occurred in December 2005, was caused by the overflow of 300 tons of petrol from a storage tank. A fuel-air vapour cloud formed and subsequently ignited in an explosion that was felt across a wide area of Southern England. It was equivalent to detonating 29.5 tons of TNT and was the largest peacetime explosion in Europe. From the initial report into the explosion it appears that the cause was the failure of a high-level switch, and that a test lever or plate fitted to the switch was critical to ensuring its continued effective operation. Because the switch had not operated properly, petrol poured over the side of Tank 912 in Bund A, creating a vapour cloud which exploded at 6:01 am on 11 December 2005. The failure of a standard switch was the trigger for an event which caused damage estimated at £1 billion ($1.6 billion).
Underlying this explosion was a systemic failure of multiple levels of protection, due to inappropriate procedures in testing and operation, failure to pass critical design knowledge down the supply chain of safety systems, lapses in maintenance and fault reporting, and poor interface design. In other words, the system was not fit for purpose. As the final official report said:
“There should be a clear understanding of major accident risks and the safety critical equipment and systems designed to control them.
There should be systems and a culture in place to detect signals of failure in safety critical equipment and to respond to them quickly and effectively.
Time and resources for process safety should be made available.
There should be effective auditing systems in place which test the quality of management systems and ensure that these systems are actually being used on the ground and are effective.
At the core of managing a major hazard business should be clear and positive process safety leadership with board-level involvement and competence to ensure that major hazard risks are being properly managed.”
I have focused on this event because it illustrates very clearly how a cascading series of failures can occur within a system, and how a small problem can rapidly get out of control, causing damage beyond the imagination of the engineers who designed the system.
 British Geological Survey, “Analysis of the Buncefield Oil Depot Explosion 11 December 2005” http://earthquakes.bgs.ac.uk/research/events/buncefield_explosion.html
 Initial Report to the Health and Safety Commission and the Environment Agency of the investigation into the explosions and fires at the Buncefield oil storage and transfer depot, Hemel Hempstead, on 11 December 2005, page 11, paragraph 23, Buncefield Major Incident Investigation Board, HMSO, London
 Buncefield: Why did it happen? The underlying causes of the explosion and fire at the Buncefield oil storage depot, Hemel Hempstead, Hertfordshire on 11 December 2005 – COMAH, HMSO, London, 2011