Piper Alpha: Failure of Process Safety Management on Every Level

During the platform fire in 1988, virtually nothing went right, which allows us to draw lessons from a long list of events leading to the hazard.

In the aftermath of the huge fire on the Piper Alpha platform, July 6, 1988, it was clear that the fire started and escalated very quickly into a full-blown disaster due to a huge list of individual failures at every level of the process safety management systems. In many respects, virtually nothing in the safety process worked as it should have, and the result was 165 fatalities out of the 226 men on the platform, plus two more men on a rescue vessel. Property damage ultimately totaled several billion dollars.

Part of the problem of trying to examine this event is its complexity. The specific series of events that turned a process safety incident into a disaster began with a decision to change the mode of production on the platform. A mix of maintenance issues caused management to shift to an alternate mode that was rarely used and which put a higher level of stress (650 psi operating pressures rather than 250 psi normally used) on the platform’s equipment. Operators were also inexperienced with this production method. While this was the straw that broke the camel’s back, many other safety risk elements were punching holes in the layers of protection in place and waiting to help escalate the problem. The most basic process safety management concepts did not exist on the platform. The platform was poorly designed from a safety management standpoint. The match probably could have been struck in many places and times with similar results.

Consider what happened after the first explosion:

  • Loss of electric power was almost immediate, and along with it public address, general alarms, emergency lighting, emergency shutdown capability, and fire protection systems.
  • The offshore installation manager panicked and did not order evacuation soon enough, although evacuation paths were already largely blocked due to the layout of the living quarters and the lifeboats were inaccessible.
  • The layout of the platform combined with inadequate blast panels and firewalls allowed the fire to escalate rapidly. The second explosion occurred within about two minutes of the first.

Reviewing a detailed sequence of events (well worth doing) provides insight into the process safety indicators. Many factors combined to create multiple holes through every layer of protection creating a process safety incident:

  • Management driving production beyond safe levels
  • Operators insufficiently trained
  • Lack of experienced supervisors on the platform
  • Poor maintenance practices
  • Little use of redundancy for critical systems
  • Loss of power caused safety systems to shut down
  • Critical systems not physically protected
  • Inaccessibility of safety and escape equipment for personnel, and
  • Dangerous materials located near crew quarters.

This is the beginning of the list and in subsequent posts we will examine some of the human factors and maintenance issues in greater detail. For now, let’s look at some of the organizational elements.

The decision to change the platform to the alternate production method (Phase 1 rather than the normal Phase 2) with its higher pressures was one of expedience. Gas driers that were normally used were shut down for maintenance, and this shift allowed the platform to continue producing. The platforms in the group (Piper Alpha, Tartan, Claymore and MCP-01) were interconnected physically but management was not necessarily well coordinated.

Increasing the operating pressure by 250+ percent undoubtedly caused noticeable changes on the platform, particularly one with some of the maintenance issues cited on Piper Alpha. Small leaks increased, piping would probably vibrate and rattle, and there was apparently a report that at least one of the flares was roaring and was much larger. Nonetheless, whether anyone on the platform had sufficient experience to realize the implications was not clear. The evidence suggests there wasn’t. It is also unclear exactly which gas detectors were operating, if any, and reporting gas emissions.

Ultimately a process disturbance caused one of the two condensate pumps to trip (the other was shut down for maintenance), which caused a leak at the point where a safety valve had been removed and a blind flange put in its place but not fully tightened. The leaking condensate vapors filled that portion of the platform and eventually ignited. Within minutes, fires from new sources were beginning to engulf the platform causing all manner of safety systems to fail. Once it started, each new development brought in a fresh fuel source and nothing could be done.

From an operational standpoint, we could ask if the manager that called for the platform to shift to higher-pressure operation was aware of the maintenance condition of the equipment. Did any safety management questions enter his thinking?  The point that only one condensate pump was operating indicated there was no redundancy for that critical piece of equipment. Should that have changed the operating directive? Should the local operators and supervisors have made that point? Would it have mattered?