Introduction
Late in the evening of July 6, 1988, a series of explosions ripped through the Piper Alpha platform in the North Sea. Over the next few hours, engulfed in fire, most of the oil rig topside modules collapsed into the sea. A total of 167 men died and many more were injured and traumatised. The world’s biggest offshore oil disaster affected 10 per cent of UK oil production and led to financial losses of an estimated £2 billion (the equivalent of $5 billion today).
What went wrong on Piper Alpha? Why did it have such disastrous consequences? And what lessons can still be learned today?
Background
The Piper oil field lies about 120 miles (195km) northeast of Aberdeen in Scotland. Discovered in January 1973, it was one of the first deep water reservoirs to be exploited in the northern North Sea. Production of oil started in December 1976, less than four years after discovery, a record that has only rarely been beaten. Oil was exported through a sub-sea line, 128 miles (205km) long, to the purpose-built refinery on the island of Flotta in the Orkneys.
Piper Alpha proved spectacularly productive and when the operator, Occidental, sought permission to increase rates, permission was granted on condition that gas should also be exported instead of being flared.
A gas treatment plant was retrofitted and gas export started in December 1978. After removal of water and hydrogen sulphide in molecular sieves, gas was compressed and then cooled by expansion. The heavier fractions of gas condensed as a liquid (essentially propane) and the rest of the gas (mainly methane) continued to export. The condensate was collected in a large vessel connected to two parallel condensate pumps (duty and standby) and injected into the oil for export to Flotta.*
The accident
Figure 1: Locations of Piper Alpha, associated platforms and oil and gas terminals
At about 9.45pm on July 6, 1988, condensate pump B tripped. Shortly afterwards, gas alarms activated, the first-stage gas compressors tripped and the flare was observed to be much larger than usual. At about 10pm, an explosion ripped through Piper Alpha.
Witnesses heard a sustained high-pitched screeching noise followed by the flash and whoomph of an explosion.
The men in the control room were knocked off their feet and thrown to the floor. Most men were off duty in the accommodation block; they were lifted from chairs or thrown from their beds.
The initial explosion in Module C (gas compressor module) caused a condensate line teeing into the main oil line to rupture in Module B (oil separation module). Witnesses reported a second flash and bang as a huge fireball roared into the night sky.
Twenty minutes later, at about 10.20pm, a high-pressure gas line connected to the Tartan platform, operated by Texaco, ruptured releasing gas at an initial rate of about three tonnes per second.
Fifty minutes later, at about 10.50pm, a Total-operated gas line ruptured, releasing gas flowing through Piper Alpha from the Frigg field via MCP-01 to St Fergus. A fast rescue craft, launched from standby vessel Sandhaven, was destroyed by the explosion, killing two of the three-man crew and the six men they had just rescued from the sea.
Eighty minutes later, at about 11.20pm, the gas line to Claymore, another platform operated by Occidental, ruptured. By this time the structure of Piper Alpha was so badly weakened by the intense fires that the topsides started to collapse. The main accommodation module, a four-storey building in which at least 81 men were sheltering, slid into the sea. All those inside died.
By the early morning of July 7, 1988, three-quarters of the original topsides, together with significant sections of the jacket, had been destroyed and lay in a tangled mass on the sea bed 140 metres below.
The fires from the wells and the oil and gas lines (all of which ruptured, one by one) had produced flames with a height of about 200 metres and a peak rate of energy consumption of ~100 gigawatts, three times the rate of UK total energy consumption.
It took more than three weeks for the fires to be extinguished. The remains of Piper Alpha were toppled into the sea on March 28, 1989. Of the 226 people on board that night, only 61 survived. Of the deceased, 109 died from smoke inhalation, 13 by drowning, 11 of injuries including burns. In four cases, the cause of death could not be established, and 30 bodies were never recovered.
Investigation and analysis
One week after the disaster, Lord Cullen was appointed to hold a public inquiry into the accident. It sat for a total of 180 days. Lord Cullen’s report (Reference 1) was published on November 13, 1990. The inquiry heard evidence from a large number of witnesses, including most of the survivors, and from several experts.
It wasn’t easy to establish the cause of the disaster. Little physical evidence remained, and no senior member of Piper Alpha’s management team survived.
Many possible causes were advanced. Few could be conclusively discounted, but many were extremely improbable, requiring several successive unlikely events to have occurred — for which there was no evidence at all.
Figure 2: PFD Condensate pumps and safety relief valves
The inquiry concluded that the most likely cause of the first explosion was the release of as little as 30kg of condensate (mainly propane) over 30 seconds through an unsecured blind flange in Module C where a pressure safety relief valve had been removed as part of maintenance on the standby condensate pump.
Findings
On the evening of July 6, 1988, condensate pump A was isolated for maintenance on its motor drive coupling. Pump A's pressure relief valve had also been removed for maintenance under a separate permit and a blind flange almost certainly fitted in its place. The flange was not, however, leak-tested or pressure-tested. When Pump B tripped at about 9.45pm, the operators tried unsuccessfully to restart it.
The operators would have been aware that Pump A was out of commission for maintenance – but as maintenance had not yet started and the problem with Pump A was not especially serious, it would not have been unreasonable to consider restarting it.
Because of the way in which work permits were organised on Piper Alpha, the operators would not have known that the pressure relief valve for Pump A was missing. It is believed that the operators took steps to reinstate Pump A and condensate leaked from the blind flange which had been installed in place of the pressure relief valve, but not fully tightened up.
The escaping condensate ignited. The first explosion was quickly followed by an oil pipe rupture and fire. The sequential failure of the gas lines then caused a rapid escalation of the disaster.
Lessons learned
Many lessons can be drawn from the tragic events on Piper Alpha; this paper focuses on seven key areas:
1.) Management of change (design issues);
2.) Personal safety over process safety (fire water pumps on manual start to protect divers);
3.) Permit to work and isolation for maintenance (pump restarted before maintenance complete);
4.) Handover (inadequate transfer of information between crews, shifts and disciplines);
5.) Interconnection (no rig is an island…);
6.) Emergency response – evacuation;
7.) Safety culture (complacency — everything’s fine).
Management of change (design issues)
Piper Alpha was designed to produce and export oil. The requirement to export gas — with the associated separation of condensate — was an afterthought and involved extensive modification. The retrofitting went on in several phases, starting with separation of condensate and ending with production of export-quality gas.
The new facilities were located beside the control room, under the electrical power, radio room and accommodation modules, so that when disaster struck, it did so with disastrous effect on the rest of Piper Alpha.
Figure 3: Location of topside modules. The ‘spark’ shows the site of the missing PSV-504, which probably led to the initial leak
The control room was badly damaged in the first explosions (the control room operator survived and gave valuable evidence to the public inquiry on the sequence of alarms preceding those first explosions). The radio room was rendered useless; communications were lost almost at once.
In many retrofitting projects, non-ideal design solutions are required. However, in the case of Piper Alpha, the worst-case scenario on which the process safety design rested (fire) was not revisited effectively when the platform was modified to treat gas with an additional risk of explosion.
Personal safety over process safety
Despite the extensive fixed fire protection system on Piper Alpha, not a single drop of water was applied from Piper Alpha itself to any of the fires. Water alone would not have put the oil fires out (and with gas fires one should not even attempt to do so) but it might have cooled the structure and pipelines and have prevented — or at least significantly delayed — the gas line rupture which was the major escalating factor in the Piper Alpha disaster. After the rupture of the first gas line, Piper Alpha was doomed.
So why didn’t the fire protection system activate as intended?
For many years, the practice on Piper Alpha was to switch the fire pumps from automatic to manual when divers were in the sea. As diving was such a regular part of normal operation, in practice the pumps remained on manual most of the time.
It is much easier to imagine the horror of a close colleague being sucked into a pipe (as had happened a few years earlier although the diver survived) and prioritise it over the danger of leaving 226 men unprotected in the highly unlikely event of fire.
The assessment of risk was skewed. The suction pipes under Piper Alpha were protected with grilles to prevent divers from being sucked in, although anyone within five metres of an inlet could be drawn towards it when the fire pumps started, with the risk of serious injury. On other rigs this was managed by close communication with divers and a temporary override used only when the divers were working within a short distance of the inlets, a relatively rare occurrence.
When fire broke out on Piper Alpha, the only way to activate the fire-fighting system was to start the pumps locally. Despite valiant attempts, dense smoke and fire prevented anyone from reaching them.**
Permit to work and isolation for maintenance
The night shift operators were aware that condensate injection Pump A was out of commission for maintenance and also that maintenance had not yet started: the maintenance and associated work permits had been suspended overnight.
The suspended work permits were not displayed in the control room but in the safety office. It appears that the operators were not aware of another suspended permit. The pressure relief valve for Pump A had also been removed. Even if operators had gone to the safety office to check, permits in the safety office were filed by trade and not by location.
The pressure relief valves for the condensate injection pumps were located one floor above the pumps. Although it is almost always best practice for a pressure relief valve to be sited as close as possible to the unit that it is protecting, condensate on the downstream side had to be able to drain to an appropriate vessel, so the valve was placed about eight metres above (and 15 metres away from) the pump.
Figure 4: Horizontal diagram with control room, radio room and gas compression module
In order to reinstate condensate injection Pump A, two separate actions would have been required: reinstate electrical power and open the gas-operated suction and discharge valves. By reconnecting the air supplies to the valves, they could then be opened using toggle buttons on a local control panel by Pump A. There was no locking of isolation valves, spading or double-block-and-bleed in order to prevent repressurisation of a system isolated for maintenance.
The permit to work system on Piper Alpha relied heavily on informal communication.
The Cullen inquiry asked four questions of the permit to work system:
1.) Was the procedure adequate?
2.) Was the procedure complied with?
3.) Was there adequate training?
4.) Was the procedure monitored?
The answer to all four questions was no.
Handover
On Piper Alpha, communications between departments, between shifts, and between crews were personal, informal and tailored to the job. While bespoke communications can have some benefits, minimum standards were not set or met.
Incoming crews were supposed to be given safety induction training by the safety department. There was a huge gap between what the safety department intended to convey, and what they actually conveyed. Communication is a two-way thing. According to witnesses, if the newcomer had worked offshore before, then training was brief to the point of non-existent. The safety induction consisted of being handed a booklet and told to read it. Much of the information was out of date or inapplicable to Piper Alpha.
Operators kept a log but often failed to record maintenance activities. Shift handover was a busy time. The Occidental procedure required maintenance and operations to meet, inspect the work site and sign off permits together. However, the operators were busy with their own handovers at the same time, and the practice developed where maintenance would sign off the permit and leave it in the control room or safety office. At shift changeover, lead production operators would not review or discuss suspended permits.
Interconnections
Communications between Piper Alpha, Claymore, Tartan and MCP-01 were lost from the first explosions. This delayed shutdown on the other platforms, particularly on Claymore and Tartan.
Could more rapid shutdown at the other platforms, and in particular blowdown or depressurisation of the inter-platform gas lines, have averted disaster? Almost certainly not. Claymore, Tartan or MCP-01 could not be depressurised quickly enough. Too little gas could have been flared at the other platforms in the time available to make any real difference.
However, shutting the inter-platform oil lines would probably have made a difference. The oil from Tartan to Claymore joined oil from Piper Alpha at a Y junction before flowing onwards to Flotta. Oil continued to be produced and exported into the line to Flotta for about an hour after the first explosion on Piper Alpha. The emergency shutdown valve on the Piper Alpha oil export line appears to have failed to close tightly, allowing the oil from Tartan and Claymore to take the easier reverse route onto Piper Alpha. Shutdown of oil production only started on Tartan at about 10.40pm and on Claymore at about 11pm.
Oil exported from Tartan and Claymore flowed out of the ruptured oil line on Piper Alpha, flooded the floor and overflowed to the floor beneath, starting a large pool fire which impinged directly on the gas import and export lines, leading to their rupture – and hence to the inevitable escalation of events on Piper Alpha.
Emergency response — evacuation
One of the most shocking aspects of the Piper Alpha tragedy was the inability to evacuate the personnel on board. It was assumed that, whatever happened, evacuation would be (at least substantially) by helicopter. This assumption, so easy to criticise with hindsight, was based on several premises, the most important being that no event on Piper Alpha would render the helideck inoperative almost immediately and that sufficient helicopters would be available to evacuate everyone on board.
However, within about a minute of the first explosion, the helideck became enveloped in black smoke (presumably from oil fires) and helicopters could not land on it.
The multi-function support vessel Tharos was close to Piper Alpha throughout the disaster. Although not intended primarily as a fire-fighting vessel, Tharos had significant fire-fighting capabilities. The lack of communication from Piper Alpha led to a delay in deployment, then the demand for electrical power was so great that Tharos suffered an almost complete power failure, from which it took several minutes to recover. There was a subsequent delay, because so many monitors were opened that the water pressure fell to a level below that at which the discharge valve on the fire pump could be opened. The safety systems on Tharos, good as they were, had never been tested in such extreme conditions before. When it came to it, the systems failed that test.
No lifeboats or inflatable life rafts were launched successfully from Piper Alpha. All those who survived did so by making their way to the sea by whatever means they could. This included climbing down knotted ropes and jumping, from as high as the helideck, more than 50 metres above sea level.
Safety culture
There were many warnings that all was not well with safety management systems on Piper Alpha long before the accident.
Less than a year earlier, on September 7, 1987, a contract rigger was killed in an accident on Piper Alpha. The accident highlighted the inadequacies of both the permit to work and the shift handover procedures. A golden opportunity to put these right was missed.
When the disaster occurred, offshore safety was governed through the use of prescriptive regulations. Such regulations have their uses, provided all eventualities have been considered. But a regulations-bound system falls down because practices not covered by regulations are simply not addressed. People become complacent when they are encouraged to think that safety can be ensured by rules enforced by inspectors: it is impossible to cover all eventualities in a set of general rules.
The Cullen inquiry recognised that:
• The primary responsibility for safety lies with those who create the risks and those who work with them, in other words with the management and operators of an installation;
• Safety management systems should be developed by the management and operators of the installation themselves, in order that they identify with the system and make it work;
• Critical safety procedures must be checked to see how they work in practice: auditing must include what is actually done and not just what is meant to be done or said to be done.
Conclusions
After any accident, there is a very human need to find out exactly what went wrong, to attribute clear causes for any accident, to implement specific recommendations to fix them and move on. It could be argued it was a good thing that the Cullen Inquiry left open the exact cause of the disaster. Those with excellent permit to work systems might have felt complacent and failed to learn the many other lessons that Cullen gives in his truly outstanding report.
The subset of lessons described here illustrates the widespread system failures that led to the Piper Alpha tragedy. It is clear that there were serious design flaws, but even perfectly engineered ‘hardware’ can always be operated incorrectly. While technical measures are essential for safety, they are in no sense sufficient. Safety also requires an appropriate management structure – and that structure must be maintained throughout the whole life of a project from design, through change to decommissioning.
What next?
Switch off the computer. Get up from your desk. Go for a walk and talk to some people, face to face. Ask yourself and your teams the following questions:
1.) What changes have been made to the operation of my facility since it was built? How are those changes managed? Who has the technical knowledge to ensure changes don’t compromise the fundamental process safety design?
2.) Who is authorised to override automatic safety systems? How many overrides are in place today? Why are they overridden? Is it necessary? What process ensures that the problem that caused them to be overridden is fixed and they are reinstated or upgraded?
3.) When did I last carry out a permit to work audit to see how the system actually works in practice? On a live maintenance job that spans several shifts? Or where several multidisciplinary permits are live on a single system? How many live permits can I find today?
4.) When did I last audit a critical procedure on night shift? Tonight might be a good time to start.
5.) How is my facility connected to other facilities, what could go wrong at the interface?
6.) When did I last test each part of my emergency response in practice?
Don’t be alarmed by what you find. But do something about it.
References
1. Cullen, W.D.: The Public Inquiry into the Piper Alpha Disaster, HMSO, London, 1990.
Notes
* Note that there were two modes of operation. Phase 1 mode where excess gas was flared and Phase 2 mode where gas was exported. Piper was operating in Phase 2 mode until three days before the disaster, when the molecular sieves were taken out of service for routine maintenance. The gas and condensate treatment facilities were then reconfigured so that Piper could operate in Phase 1 mode. Condensate was still removed from the gas and injected into the oil export line but gas in excess of that required for fuelling the turbo-generators and the gas lift system on Piper was flared.
** It is not known whether the initial explosion on Piper ruptured the fire water ring main or damaged the control system for the fire pumps. It is likely that electrical power was knocked out, but there was a diesel back-up. It is not known how effective the deluge would have been had it deployed as the nozzles often blocked with scale and the fire-water pipework on Piper Alpha was undergoing phased replacement.
(This article was originally published in the 'Loss Prevention Bulletin: Piper Alpha Disaster – 30th Anniversary'. Please see 'Loss Prevention Bulletin': www.icheme.org/lpb)
Authors: Professor Stephen Richardson CBE is emeritus professor of chemical engineering at Imperial College, London, where he taught for 30 years and carried out process safety research (mainly high pressure hydrocarbon systems) while serving as an expert witness on the Piper Alpha and Ocean Odyssey Inquiries. Fiona Macleod is managing director of Billions Europe Ltd, a part of the Lomon Billions Group and the volunteer chair of the Loss Prevention Bulletin Editorial Panel.