Process & Chemical
2005

Buncefield Oil Storage Explosion

Two nominally independent high-level protection systems failed during the same tank-filling operation, for the same underlying reason.

Initiating Event

In the early hours of December 11, 2005, Tank 912 at the Buncefield oil storage depot in Hemel Hempstead, north of London, was receiving unleaded gasoline from a pipeline. The tank capacity was approximately 1,600 cubic meters. The filling was a routine operation, monitored from the site control room.

Defense Design

The tank had two nominally independent high-level protection systems. The first was an automatic tank gauging system: an electronic servo level gauge whose reading and high-level alarms were displayed in the control room, where operators were expected to stop the inflow. The second was an independent high-level switch: a mechanical float switch that, on its own, was meant to trip the receipt automatically if the level passed the point the gauge should already have caught. Either one, working, would have stopped the flow before the tank overflowed.

First Failure

The electronic level gauge stuck. From around 03:00 it showed a static level while the tank kept filling, so the control-room display never reached a high-level alarm and the operators saw nothing abnormal. The gauge had stuck repeatedly in the preceding months, and the problem had been left unresolved.

Second Failure

The float switch did not trip. The switch had a test lever that had to be held in its operating position by a padlock; without the padlock the float could rise with the fuel while the switch itself stayed inactive. The switch had been installed without the padlock, and nobody on site understood that the padlock was a working part of the device rather than a security fitting. Routine checks did not exercise the switch in a way that would have shown it was inoperable.

Multiple Defenses, Simultaneous Loss

Both barriers were therefore already defeated before the overflow began. From about 05:20 gasoline escaped through the roof vents of the full tank, roughly 300 tonnes over about 40 minutes, cascading down the tank wall into the bund and spreading across the site.

The Explosion

The falling fuel formed a dense vapor cloud, within its flammable range, that spread across much of the depot and beyond its boundary. At 06:01 it ignited; the investigation identified the emergency generator house and a pump house as the most likely ignition sources. The explosion was far more violent than models for an unconfined vapor cloud predicted, with an energy release described as equivalent to about 15 tons of TNT.

Why It Happened

Both defenses failed because the site's management of its safety-critical equipment was inadequate: a gauge known to stick was left in service, the float switch was fitted without the part that made it work, and neither barrier was proof-tested in a way that would have revealed it was inoperable. These were not two unrelated hazards but one shared root cause in operational discipline that happened to disable both barriers.

Assumption Violation

The design assumed that if one protection system failed, the other would catch it. That assumption holds only if the two failures are independent. They were not: the same organization maintained, tested and misunderstood both devices.

Common Cause Failures

When multiple barriers can fail for the same reason (poor testing, a shared power supply, the same design defect, the same supplier instructions, the same maintenance team, the same misunderstanding of how the equipment works), they are no longer independent, and multiplying their individual failure probabilities overstates the protection they give.

Applying This

Ask: do your backup systems actually protect against common causes, or do they only look independent on paper? Could a single management failure, a single skill gap, or a single resource constraint disable all of them at once?

If a backup system had already failed, would you know before the moment you needed it? A barrier that is never exercised under realistic conditions can be dead for years without anyone noticing.
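To make the independence question concrete (both the Common Cause Failures section above and the questions in this one), the following added example models a set of protection barriers, finds the dependencies every barrier shares, compares the probability of failure on demand the design assumes under independence with a beta-factor estimate that accounts for common-cause failure, and lists barriers whose failure would currently be invisible. This is illustrative code written for this page, not from the Buncefield investigation or from any site's safety system; the barrier names, dependency labels, failure probabilities, test dates and the beta value are constructed assumptions.

```python
"""Audit protection barriers for shared dependencies and unverified state.

Added illustrative example; all barrier data below is constructed, and the
dependency labels, probabilities and dates are assumptions, not figures from
the Buncefield investigation.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from math import prod
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Barrier:
    name: str
    # Everything the barrier needs in order to work: power, a maintenance
    # programme, a test procedure, a component type, a team's understanding.
    depends_on: FrozenSet[str]
    # Probability of failure on demand (PFD) the barrier would have if it were
    # maintained and tested as designed.
    pfd: float
    # Last proof test under operating conditions; None means never tested so.
    last_proof_test: Optional[date]
    test_interval: timedelta


def shared_dependencies(barriers: List[Barrier]) -> List[str]:
    """Dependencies common to every barrier. A single failure of any one of
    them disables all layers at once, so the layers are not independent."""
    if not barriers:
        return []
    common = set(barriers[0].depends_on)
    for barrier in barriers[1:]:
        common &= barrier.depends_on
    return sorted(common)


def pfd_if_independent(barriers: List[Barrier]) -> float:
    """What the design assumed: the layers only ever fail together by chance,
    so the joint PFD is the product of the individual PFDs."""
    return prod(barrier.pfd for barrier in barriers)


def pfd_with_common_cause(pfd: float, beta: float, n: int = 2) -> float:
    """Beta-factor model for n identical layers (the form used in IEC 61508):
    a fraction beta of each layer's failures is a common cause that takes
    every layer down together; the remaining failures are independent."""
    return beta * pfd + ((1.0 - beta) * pfd) ** n


def unverified_barriers(barriers: List[Barrier], today: date) -> List[str]:
    """Barriers whose failure would currently be invisible: never proof-tested
    under operating conditions, or overdue for the next test."""
    return [
        barrier.name
        for barrier in barriers
        if barrier.last_proof_test is None
        or today - barrier.last_proof_test > barrier.test_interval
    ]


def audit(barriers: List[Barrier], today: date, beta: float) -> Dict[str, object]:
    """Answer the questions above for one set of barriers. The beta-factor
    estimate uses the first barrier's PFD for every layer (identical-layer
    approximation)."""
    assumed = pfd_if_independent(barriers)
    realistic = pfd_with_common_cause(barriers[0].pfd, beta, len(barriers))
    return {
        "shared_dependencies": shared_dependencies(barriers),
        "pfd_assumed_independent": assumed,
        "pfd_with_common_cause": realistic,
        "optimism_factor": realistic / assumed,
        "unverified": unverified_barriers(barriers, today),
    }


# Constructed data: two overfill barriers that share one maintenance programme
# and one proof-test procedure. Names, dates and figures are hypothetical.
TANK_OVERFILL_BARRIERS = [
    Barrier(
        name="level gauge high alarm",
        depends_on=frozenset({"site power", "tank-farm maintenance programme",
                              "annual proof-test procedure", "servo gauge"}),
        pfd=0.01,
        last_proof_test=None,
        test_interval=timedelta(days=365),
    ),
    Barrier(
        name="independent high-level float switch",
        depends_on=frozenset({"tank-farm maintenance programme",
                              "annual proof-test procedure", "float mechanism"}),
        pfd=0.01,
        last_proof_test=date(2004, 1, 15),
        test_interval=timedelta(days=365),
    ),
]
AUDIT_DATE = date(2005, 12, 11)   # the day of the incident, used as "today"
ASSUMED_BETA = 0.1                # 10% common-cause fraction, an assumption

if __name__ == "__main__":
    for key, value in audit(TANK_OVERFILL_BARRIERS, AUDIT_DATE, ASSUMED_BETA).items():
        print(f"{key}: {value}")
```

Run as-is, the audit reports the two dependencies both barriers share, a joint probability of failure on demand roughly eleven times worse than the independence assumption at the assumed beta, and both barriers as unverified. The beta value is the hard part in practice: it has to come from how alike the barriers really are (same team, same procedure, same supplier), not from a default.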

Events like this are rarely unique. Similar patterns appear across many industries and asset types.
