The offshore platform Piper Alpha, which was located in the British sector of the North Sea oil field and operated by Occidental Petroleum, was engulfed in a catastrophic fire on July 6, 1988.“~~) Piper Alpha received and sent to the shore the oil and gas production of a group of platforms. The disaster caused the death of 165 men (out of 226) on board the platform itself, and two men on board a rescue vessel. From this disaster, much can be learned for future risk management, on other offshore platforms as well as in other industrial sectors.
The lessons from Piper Alpha should allow a better assessment of the risks involved before other accidents occur and should point to a variety of technical and organizational risk management measures. Risk analyses for offshore structures often focus on the probability that an extreme event (e.g., an extreme value of the wave load) exceeds the actual structural capacity. It was shown previously that this “bad luck” type of case constitutes only a small part of the overall risk of platform failure~.(~,~)
ThePiper Alpha accident was one of the cases that can hardly be attributed to “an act of God”: it was mostly self-inflicted. Although the coincidence of the final events that triggered the catastrophe was not in itself controllable, the failure resulted essentially from an accumulation of management errors. For example, a piece of equipment (a critical pump with one redundancy) had been turned off for repair and the night crew that operated the platform had not been informed of it. This problem, in turn, was mostly a failure of the “permit-to-work system” that did not ensure proper communications. Things would have not taken catastrophic proportions, however, if the deluge systems had operated properly and/or if the platform had not been “decapitated” at the onset of the accident both technically (the control room was located on top of the production module) and organizationally (the Offshore Installation Manager died in the accident). Furthermore, the design of the facility did not include sufficient protection of the structure against intense fires, nor redundancies and appropriate “decoupling” of the safety systems. From a risk assessment perspective, learning from the Piper Alpha accident involves first understanding the different factors that led to this tragedy and, second, updating the probabilities of the different elements of the actual failure mode that occurred. This paper addresses the first issue by using the risk analysis framework and its extensions to management factors in order to capture the deeper levels of causality that led to the basic events of the failure mode (Fig. 1). First, the elements of the accident sequence (noted Ei) are systematically identified based on the two major inquiries that followed the accident.(’S2) Second, for each of these basic events, the human decisions and actions (noted Aij) that have influenced their occurrences are described. Third, the organizational roots of these “human errors” or questionable actions are expl~red.(~*~) The objective of this analysis is not to identify the culprits but rather to point to risk reduction measures that go beyond the purely technical (e.g., add a redundancy to the fire protection system) to also include organizational improvements (e.g., make sure that the profit center structure of the corporation does not provide direct incentives to cut comers in maintenance operations of the production sector). The case of the Piper Alpha accident is particularly interesting for several reasons. First, its severity was such that it could not be (and it not being) ignored by the oil and gas industry worldwide, where a certain number of measures are currently implemented based on this event.(’) Second, it is generalizable to many other industries and industrial processes: denial of the risk, unrecognized (and unnecessary) couplings in the design, insufficient redundancies in the safety systems, difficulties in managing the tradeoff between productivity and safety, and a tendency to stretch maintenance operations when production pressures increase are all problems common to many industrial facilities.cs) Learning from Piper Alpha using a risk assessment model structure can thus be the first step toward improving and updating risk management models for similar platforms and other industrial plants. Such models, in turn, allow assessment of the cost-effectiveness of the different safety measures that can be envisioned based on this experien.
fig.1. Hierarchy of root causes of system failures: management decisions, human errors, and component failures. |
THE ACCIDENT AND THE FAILURE PATH
The accident started with a process disturbance, followed by a flange leak that caused a vapor release. Several explosions followed and severed a petroleum line causing a pool fire. That fire impinged on a gas riser from another platform, which fueled an extremely intense fire under the deck of Piper Alpha. The layout of the topside allowed the fire to propagate quickly from production modules B and C to critical centers, and to destroy the control room and the radio room in the early stages of the accident (Fig. 2). Electric power generation, public address, general alarm, emergency shutdown, and fire detection and protection systems also failed shortly after the first explosions. The superintendent of the platform (Offshore Installation Manager or OIM) panicked, was ineffective almost from the beginning, and died during the accident. Evacuation was not ordered, and even if it had been ordered, could not have been fully carried out given the location of the living quarters, the layout of the topside, and the ineffectiveness of the safety equipment. Many evacuation routes were blocked and the life boats, all in the same location, were mostly inaccessible. The fire fighting equipment on board could not be operated because the diesel pumps, which had been put on manual mode, were inacessible and seem to have been damaged from the beginning. Fire boats were at hand, but waited for orders from OIM to fight the fire. When the master of one of the vessels on-site decided to assume the role of on-scene-commander (OSC), his fire-fighting monitors did not function properly. Piper Alpha was eventually lost in a sequence of structural failures. Over and above the tragic loss of life, the financial damage was in excess of $3 billion (U.S.).@) The risk analysis model structure2 is the basic analytical tool to identify the “failure path” or accident sequence that occurred on Piper Alpha including: initiating events, (2) intermediate developments and direct consequences of these initiating events, (3) final systems' states, and (4) consequences (i.e., the losses of the accident).
fig.2. The layout of Piper Alpha |
Source of Report: Department of Naval Architecture and Offshore Engineering of the University of California at Berkeley