RkkAnalysk, Vol. 13, No.

2, 1993

Learning from the Piper Alpha Accident: A Postmortem
Analysis of Technical and Organizational Factors

M. Elisabeth PatC-Cornell’

(Received September 18, 1992; revised October 22, 1992)

The accident that occurred on board the offshore platform Piper Alpha in July 1988 killed 167
people and cost billions of dollars in property damage. It was caused by a massive fire, which
was not the result of an unpredictable “act of God” but of an accumulation of errors and ques-
tionable decisions. Most of them were rooted in the organization, its structure, procedures, and
culture. This paper analyzes the accident scenario using the risk analysis framework, determines
which human decision and actions influenced the occurrence of the basic events, and then identifies
the organizational roots of these decisions and actions. These organizational factors are general-
izable to other industries and engineering systems. They include flaws in the design guidelines and
design practices (e.g., tight physical couplings or insufficient redundancies), misguided priorities
in the management of the tradeoff between productivity and safety, mistakes in the management
of the personnel on board, and errors of judgment in the process by which financial pressures are
applied on the production sector (i.e., the oil companies’ definition of profit centers) resulting in
deficiencies in inspection and maintenance operations. This analytical approach allows identifi-
cation of risk management measures that go beyond the purely technical (e.g., add redundancies
to a safety system) and also include improvements of management practices.

KEY WORDS: Piper Alpha accident; offshore platforms; human error; organizational errors; postmortem
analysis; probabilistic risk analysis.

1. LEARNING FROM THE PIPER ALPHA the probability that an extreme event (e.g., an extreme
ACCIDENT value of the wave load) exceeds the actual structural
capacity. It was shown previously that this “bad luck”
type of case constitutes only a small part of the overall
The offshore platform Piper Alpha, which was lo- risk of platform f a i l u r e ~ . ( ~The
, ~ ) Piper Alpha accident
cated in the British sector of the North Sea oil field and was one of the cases that can hardly be attributed to “an
operated by Occidental Petroleum, was engulfed in a act of God”: it was mostly self-inflicted. Although the
catastrophic fire on July 6 , 1988.“~~) Piper Alpha re- coincidence of the final events that triggered the catas-
ceived and sent to the shore the oil and gas production trophe was not in itself controllable, the failure resulted
of a group of platforms. The disaster caused the death essentially from an accumulation of management errors.
of 165 men (out of 226) on board the platform itself, For example, a piece of equipment (a critical pump with
and two men on board a rescue vessel. From this dis- one redundancy) had been turned off for repair and the
aster, much can be learned for future risk management, night crew that operated the platform had not been in-
on other offshore platforms as well as in other industrial formed of it. This problem, in turn, was mostly a failure
sectors. The lessons from Piper Alpha should allow a of the “permit-to-work system” that did not ensure proper
better assessment of the risks involved before other ac- communications. Things would have not taken cata-
cidents occur and should point to a variety of technical strophic proportions, however, if the deluge systems had
and organizational risk management measures. operated properly and/or if the platform had not been
Risk analyses for offshore structures often focus on “decapitated” at the onset of the accident both techni-
cally (the control room was located on top of the pro-
Department of Industrial Engineering and Engineering Management,
Stanford University, California 94305. duction module) and organizationally (the Offshore
0272433293/04004215$07.Mu10 1993 Socicty for Risk Analysis

on board could not be operated because the diesel pumps. and died during the accident. but waited for orders from OIM to fight the fire. in turn. public address. when production pressures increase are all problems tection of the structure against intense fires. The layout of izational roots of these “human errors” or questionable the topside allowed the fire to propagate quickly from actions are e x p l ~ r e d . Sev- fied based on the two major inquiries that followed the eral explosions followed and severed a petroleum line accident. safety. ( ~The * ~ )objective of this analysis production modules B and C to critical centers. insufficient redundancies in the safety systems. could not have such that it could not be (and it not being) ignored by been fully carried out given the location of the living the oil and gas industry worldwide. from another platform. and fire detection and protection systems also sure that the profit center structure of the corporation failed shortly after the first explosions. and even if it had been ordered. When the master of one of the vessels on-site decided to assume the role of on-scene-com- mander (OSC). were inacessible ties in managing the tradeoff between productivity and and seem to have been damaged from the beginning. was ineffective almost from the begin- The case of the Piper Alpha accident is particularly ning. Electric power genera- (e. his fire-fighting monitors did not func- META DECISIONS ORGANIZATIONALLEVEL tion properly.g..S. and component failures.(~. difficul. Evacuation was not interesting for several reasons. make down. ent of the platform (Offshore Installation Manager or tenance operations of the production sector). Q. Over and above the tragic loss of life. Hierarchy of root causes of system failures: management for a well-defined class of accidents. This paper addresses the first issue by using the risk analysis framework and its extensions to management factors in order to capture 2. 2). it is generalizable to many other in. and the ineffective- ber of measures are currently implemented based on this ness of the safety equipment. The superintend- does not provide direct incentives to cut comers in main. this study is the first decisions.(‘). quarters.(’) Second. Third. Furthermore. thus be the first step toward improving and updating risk From a risk assessment perspective. fol- accident sequence (noted Ei) are systematically identi. lowed by a flange leak that caused a vapor release. . common to many industrial facilities. culture sequence of structural failures. which had been put on manual mode. the organ. Many evacuation routes event.@) SPECIFIC The risk analysis model structure2 is the basic an- alytical tool to identify the “failure path” or accident EFFECTS on BASIC EVENTS sequence that occurred on Piper Alpha including: (1) component (component failures reliability and operator errors) There is no attempt here to assess after the fact the probability of Lapnne the Piper Alpha accident because. were blocked and the life boats. it is a moot point El barC eYem 01 IM Pper YpM X Z X M I S W B I I C B (the accident has already occurred). dustries and industrial processes: denial of the risk. tense fire under the deck of Piper Alpha. orgamnmnalI~YDRihaf fntllerred iha his accident could be made arbitrarily small by controlling the level of detail in which the accident is described. emergency shut- also include organizational improvements (e. at this stage. structure. OIM) panicked. For similar platforms and Fig. the layout of the topside. Fire boats were at hand. and to is not to identify the culprits but rather to point to risk destroy the control room and the radio room in the early reduction measures that go beyond the purely technical stages of the accident (Fig. human errors. First. the probability of such an A.First. That fire impinged on a gas riser human decisions and actions (noted Aij) that have influ. Piper Alpha was eventually lost in a Process. aewmn?i am mmm mi m~berwdiM pobablhyn went E. the elements of the The accident started with a process disturbance.). the causing a pool fire.. general alarm. which fueled an extremely in- enced their occurrences are described. nor redun.216 Pat&Cornell Installation Manager died in the accident). the financial damage was in excess of $3 DECISIONSIN DECISIONS AND billion (U.(’S2) Second. step toward an improved PRA. were mostly inaccessible. 1. add a redundancy to the fire protection system) to tion. Also.cs) Learning from dancies and appropriate “decoupling” of the safety Piper Alpha using a risk assessment model structure can systems. for each of these basic events. 1). learning from management models for similar platforms and other in- the Piper Alpha accident involves first understanding the dustrial plants. un. second. and a tendency to stretch maintenance operations the design of the facility did not include sufficient pro.g. Such models. allow assessment different factors that led to this tragedy and. however. all in the same location. The fire fighting equipment recognized (and unnecessary) couplings in the design. procedures.’~) actual failure mode that occurred.. where a certain num. of the cost-effectiveness of the different safety measures updating the probabilities of the different elements of the that can be envisioned based on this experien~e. its severity was ordered. THE ACCIDENT AND THE FAILURE PATH the deeper levels of causality that led to the basic events of the failure mode (Fig.

Piper Alpha Accident 217 The Piper Alpha platform: w a t elevation (simplified). the losses identification excludes secondary events that may have of the accident). (3) final influence diagram of Fig. The Pipa Alpha pldorm: CIR . (IimPliaed). 2.(') initiating events. 3. and the dependencies among them are presented in the rect consequences of these initiating events. and (4) consequences (i. (2) intermediate developments and di. Thispostfucto failure mode systems' states. Fig.. The layout of Piper Alpha. The basic events of the failure mode promoted the basic events but are not part of the failure .e.

133). E. lEl (consequences of first explosion). B. E. i. Fig. and electric motors (Ref. 1988.: Rupture of a pipe in module B (projectile from B/C fire wall).: Failure of C/D fire wall. July 6.E1.e. : Rupture of B/C fire wall (single layer. E14: The fire spreads to 1200 barrels of fuel stored on the deck above modules B and C. Tertiary initiating event (ZE. but also the subsequent below the hoop stress induced by internal pres- ones which initiated further component failures. failure of C/D fire wall. Included in “initiating events” are not only the temperature reducing the pipe steel strength to actual initial explosion and fire. “high events. condensate pump “B” trips..: The fire spreads back into module C through a breach in B/C fire wall. shortly after 22:OO.) E . electrostatic sparks. E17: Intense impinging jet fire under the platform. 3.: Fireball and deflagration in module B. 1. the error made earlier in the fitting C. system. Ell: Large crude oil leak in module B. port(’) and the Petrie report(*)include the specific sections E16: Rupture of riser (Tartan to Piper Alpha) caused of these detailed documents. Possible ignition sources include hot surfaces. No blowout panel to contain explosion inside the module. panels). powered) pumps in module D are damaged by ences to the investigations described in the Cullen Re. (influence diagram representation). 4. . and E7) and failure of containment function (E. Initiating Events (IE): Major Eqlosions and Fire Loads Further Effects of Initiating Events and Final Subsystems ’ States A. Immediate loss of electric power. 2158.: First ignition and explosion. 1.: Two redundant pumps inoperative in module C: Failure of emergency lighting. Failures of the emergency shutdown and of the deluge system (E. Propagation of the fire to module B. sures” (Ref. broken light fit- ting. E l : Process disturbance (21:45 to 2150). diesel have been separated from their consequences. 60). fail- ure of gas detectors and emergency shutdown. filling -25% of the module volume).“) El. E7: Partial (almost total) failure of the emergency shutdown system. the redundant pump Failure of the control room (no lights on mimic “A” was shut down for maintenance. p. Secondary initiating event (ZE2): Second explosion. E. (Almost immedi- ately. E. p. Times are indicated for some by pool fire beneath it (E5.).: Failure of a blind flange assembly at the site of Failure of the public addresdgeneral alarm Pressure Safety Valve 504 in Module C.):Jet fire from broken of the blind flange. El. Refer. E4: Release of condensate vapors in module C (-45 Failure of the radio/telecommunication room. El. manual (manually started.218 Pat&Cornell kg. Event dependencies in the Piper Alpha accident scenario El. the E15:Failure of fire pumps: automatic pumps have iniating events and the major loads (fires and explosions) been turned off.: Almost total failure of gas detectors and fire detection/protection (deluge) systems.. Note that the labeling of the basic riser (22:20). events (Eis) has been chosen for analytical purposes and does not imply a chronolgical order. Primary initiating event (IEl): First explosion.. E.5 hr integrity wall). mode-for example.) led to further explosions. for example.

sitions on a temporary basis (OP). Tartan. sometimes under regulatory constraints billion (U.S. The mode . at the time of the accident. maintenance (OPM). These rescue workers). El: Process disturbance around 21:45 E31: Some people are engulfed in smoke and die in the quarters (22:33). E30: Some survivors jump into the sea from 68 ft and 20 ft levels.Piper Alpha Accident 219 Ez3: Loss of the OIM function. 4 : Missed signals (OP). shut down and isolated for routine maintenance (Ref. addition of the gas conservation module). in the system (650 psi instead of the normal 250 psi in E41: Slow collapse of the north end of the platform. production parameters.1. which triggered a sequence of compressor trips E3.g. tions with only remote control (at best).(. It occurred because. a number of decisions and actions. operation (OP). Claymore. 4. Alpha. (e. accomodations. Phase 1production mode was not common on Piper E3$ Collapse of western crane from turret (23:15). OPG workshop (additional casualties).1: Decision to produce in the Phase 1 (high-pres- sure level) mode (OP).: Partial failure of Tharos fire-fighting equip.2.2. others are judgments that may B. From ZE.).: Accomodation module overturned into the sea (Piper Alpha. have been acceptable at the time when they were made but proved catastrophic in conjunction with other events. Phase 2 (Ref. E2$ Fire from modules B and C spreads to various At least some of these conjunctions could have been containers (“lubricating oil drums. B.) according to the phase where they occurred: design (DES). Ez9: Fire from modules B and C causes rupture of construction (CONST). butane”).g. Phase 1 operations resulted in high pressures platform. 4 . There was cident) by on-site vessels. therefore a conjunction of a high level of physical cou- pling among the platforms and a low level of manage- ment/organizational coordination.. cifically. are labeled gas bottles: oxygen. and strain the equipment than the regular production mode. changes were jointly decided by corporate and local E45: Loss of the platform. From IE. Piper Alpha Accident Ez6: Casualties in A. the Gas Conservation Project). and MCP-01) com- (AAW north end of platform) (00:45). DECISIONS AND ACTIONS SPECIFIC TO as OSC of rescue operations. and regulatory E45:Human casualties: 167 (165 men on board. E. operators’ confusion that can be linked to: C. C modules.(’) The network had apparently grown in an unpreplanned manner as the sys- Losses tem was developed and constructed over time to accom- modate new needs. 2 requirements (e. Human Actions Linked to Basic Events of platform.2)) which was more likely to E42: Collapse of the pipe deck. module (22:50).. and more spe- pipes and tanks. damage in excess of $3 management. (consequences of the jet fire). E36: Some survivors jump from the helideck (175 4 . ft level).. A1. E.4.: Collapse of platform at 68 ft level below B nals (DES). A1. E4o: Major structural collapse in the center of the 4.: Rupture of the MCP-01 riser at Piper Alpha. and gas alarms is the result of a system overload and ment. 2. some jump into the sea. industrial anticipated. Distributed decision-makingwithin the platform network E4. E.3). both on board and 3. (consequences of second explosion). E2+ Escape of some people from 68 ft level to 20 Each of these basic events have been influenced by ft level. Some of these de- cisions are clear errors. rupture of the gas driers essential to Phase 2 operations had been Claymore gas riser. acetylene.. The decisions and actions A . White House.2: Physical and managerial interdependencies in E34: Most people remain and are trapped in living the platform network (DES. A1. 2.: Fire and smoke envelop the North side of the 3.1. E39: Fourth violent explosion (23: 18). PIPER ALPHA Ez4: The smoke prevents the Tharos helicopter from reaching the helideck. 5 : Lack of redundancies in the design of trip sig- E.3: Decision to promote personnel to critical po- E35: Third violent explosion (2252). pounded the problem of managing high-pressure opera- E44: Rescue of survivors at sea (throughout the ac. CONST).

roaring A3. the rest does not appear to have been thoroughly possible sources.: Failure of both condensate injection pumps in ing system for gas release: first. Furthermore. there were Az. 2. These changes have also involved. were due to the design of the panels. permit system (Ref. sibility. detection and diagnosis capabilities.2:Decision to remove PSV 504 in pump A and actions of the operator. The decision to remove a completely separate fuel lines from ignition sources. second. it issued false alerts that module C caused real ones to be ignored and.14. that only mini- mum work was performed.. 2.3. A3.*:No inspection of the assembly work (OPM). ignition source (OPM). The assembly ficient experience was probably not available.1: Error in fitting of the blind flange (OPM). pressure safety valve in pump A for maintenance is con. experienced operators (Ref 2. however.3. The blind flange was not leak tight. tude (Ref. E. spection of the work and an error in fitting. an operator &: Possible error of detection of potential error in trying to restart pump A) (OPM).1. ther. if it happened. PSV 504 verity with warning signals such as vibrations. small leaks. An effective. Second.1). CONST). there was insufficient redun. 5. 1. southwest flare was roaring and larger than normal) and &: Poor design of the monitoring panels in the “the control room operator did not check which heads control room (DES). before the accident.2).000 bar. First. one single trip signal) (Ref. and therefore. but there were two problems with the warn- E. been detected and fmed earlier. 2. About 45 kg of condensate were released in module C and should have been detected before an explosion could occur. the problem was compounded by tight” assembly could experience a leak of this magni- the temporary promotion of a certain number of em. &: Poor design of control mechanisms: spark Both pumps A and B had been maintained shortly arrestors and deluge system (DES). 1.8. 2. 102). tried to restart pump A (Ref. mediate attention. perhaps without sufficient checking that the system could safely accomodate the load increment. but it could also be sistent with the view that there was one redundancy (B) a broken light fitting or other anomalies that could have and that it was sufficient to continue operations. This failure can be traced back to the work levels of production.e.14).1: Faulty warning systems for gas release had less experience than the old-timers who managed (DES. 8.” or can be had not been much opportunity to learn about Phase 1 “flogged up.2: Failure to fix the warning system after it not given sufficient attention (e.12). Electrostatic sparks are a possibility. It seems.3. These symptoms require im. to replace it by a blind flange (OPM). spark Then. with a peak of about 320. On the night could not have been detected and fixed.5) and therefore A4. flares. of the accident. were detecting gas prior to the explosion” (Ref.l: Apparently improper maintenance of both read out problems in the control room (Ref. and perhaps to the A2. the fact that the issued false warnings (OPM). a serious failure of a communication oc.g. A4. Suf. curred between the day crew and the night shift. initial phase. operations in normal time. higher pressures and higher density of equip- ment on deck.4: Failure of the control room operator to read Furthermore. 2. there can be made “finger tight.3:Failure of the maintenance crew to inform E9* First ignition the night shift that pump A was out and that the PSV was missing (hence. and interpret the signals (OP). The members of the pro.: Failure of the blind flange assembly at the site of High pressures can cause problems of varying se. E.14) that pumps A and B (OPM).2. 8. 2. . there was no in- ployees to positions above their regular level of respon. if not impossible.. arrestors could have prevented ignition. For electric motors. 10. What was clearly broken was The first ignition may have been caused by several fixed. in Phase 1. A2. a regular practice on Piper Alpha.5. A sequence of signals were A4.1.220 PatbCornell of operation evolved in the first years toward higher 8. It is difficult. Chapter 11) and is discussed fur- rels per day in 1979.4). the production team consisted of five operators (which is the minimum number of persons who could operate the platform). etc. to checked (Ref. the explosion-resistant and properly maintained deluge sys- night crew who had not been informed that PSV 504 tem may have prevented the fire from spreading in its had been removed.” “hand tight.1. p. dancy in the signals of alarm (i. at times.: Undetected release of condensate vapors in duction management team had been promoted one level module C above their normal position (Ref.” Experts concluded that only a “finger operations.

pumps against fires and blasts. water inlet (there are apparently other ways to protect divers).: Poor design of the manual fire-fighting operation in Phase 1. The system was primarily designed system (DES): bad location.: Failure of gas detectors. mode and were damaged in the first explosion.1: Poor fire insulation (DES). The diesel-pow- In particular. Several factors contributed to the tragic loss of fire- E8. the deluge system started and one more source of hazard that was avoidable.15). no to operate safetly in Phase 2 at pressures of 250 psi and redundancy. 205).5:No automatic fire protection upon gas plings: tight space.. fire protection Elo. because the module was on fire. In some areas. in any case. 1.4. at the site of the riser from Tartan). fire walls with turned off to protect divers from being sucked into the little resistance to blast pressures (DES).. OP).z: Couplings due to poor protection against (DES).g. separation and cou- A6-7. rather. and blast walls may cause new problems by cre. attributed to the malfunction of the fire-fighting equip- High gas alarms were received shortly after. The diesel fire pumps were therefore on manual Fire walls and blast walls have different character. 1. deluge systems did not Storage of fuel above modules B and C introduced even exist. 2. Automatic pumps having been turned off.g. many areas of the platform. A6-7. El+* Fire ball in module B that spreads back into Phase 1 mode (DES. they could not have been reached ating projectiles if and when they finally break. and insufficient blast and fire detection in west half of module C (DES).1: Decision to store fuel above the production system could not function in places where it existed. Even if istics.4: Design of the gas detection system: couplings to the electric power system The propagation of the accident at this stage in- (DES). module C Prior to the initial explosion. equipment against blast projectiles A6-7. been determined earlier that the gas detection system was to a design problem that made each module vulnerable issuing false alerts (Ref. A1z-13. In module C. and poor protection of the some safety features (e. volves general problems of layout. E. Ref..2:Decision to turn off the automatic system to the pressures of Phase 1.. but it had ment (the succession of events was too fast) but. ceived in the main control room. nism) may not have been fully adapted to accomodate A1S. protect divers (OP). 9. The space problem may be unavoidable in A6-7.3:Design of the low-gas alarm system (DES). The automatic system had been No blast control panels. and blasts (and protected against them).2: Failure of operator to check origin of gas A. the blowout (side) panels were ineffective. In modules. E. important to reinforce the fire and blast protection to A6-7.6:Lack of redundancy in the fire pumps this part of the production system. ered fire pumps (and the fire protection system in gen- . However. fire propagation (DES). the automatic trip mecha. quickly failed (e..Piper Alpha Accident 221 E6.14).. the operator did not check where they came from.: Failure of the CID and BIC fire walls fighting capabilities. (DES). E15: Failure of diesel power fire pumps Primary automatic trip functions did not exist for AIS. and emergency shutdown systems Couplings in the design of the modules A6-7. They should have been fire and blast containment systems on board Piper Alpha located in places where they were less vulnerable to fires were generally insufficient (Ref. it is all the more (DES. A. but because of the display of the signals' origins in the detector module The spreading of the fire at this point cannot be rack. p. which. did not survive the first explosion for lack of electric power. protection.: Failue to upgrade some safety functions to EI2.: Insufficient protection of critical alarms from detector module rack (OP). CONST. OP). The gas detection to blasts in the adjacent ones. 66. 5. at the same time. caused the inoperability of the pumps and of the deluge El&* Fire spread to fuel storage system. 2.. (DES). gas alarms were re.. the fire deluge system had experienced repeated clogging and was inoperable (Ref. the A14. spatial couplings (OP).1: Design of the Main Control Room (insufficient space separation) (DES). system. they had been intact. (location of the detector module rack) Alo-ll. '46-7. and in particular in critical parts of the production modules.7: Deluge system of limited effectiveness attenuate coupling problems.EIl: Pipe rupture in module B and large oil leak (deluge)..

power system (OPM). no of a severe condition on Piper Alpha (and even to in..4: Underestimation of the fire severity (and the accident could have been minimized by controlling optimism) on other platforms (OP).1: Physical linkages in the Piper-Tartan. OP).Failure of the radioltelecom room Piper Alpha against all signals to the contrary led the OIM to the decision to continue production until an hour Bad location of the radio room (DES). .3: Lack of inspection and maintenance of emergency generators (DES).. 1. The location of the control room next to the pro- Tartan-Claymore network (OP). first from Tartan.3. Loss of electric power can be one of the most dev- A16-33-39. E33. Lack of redundancies in command and Claymore network (DES. to maintain production) may not have considerably wors- ened the situation given the pressures in the pipe line at The public address system was entirely dependent the onset of the accident. but on Clay..2: Distributed decision-making in the Piper. followed by a fourth violent explosion at 23:18 AZ2. 133). where A17.6). couplings among the backups of electric alized the severity of the situation on Piper Alpha and power supply caused a power failure. In this case. Later failures of risers the emergency generator did not start..1: No fireproofing of the riser connection (DES). The OIM on Tartan soon re. 4. then failed. failure of redundancies elsewhere. a high probability of destroying the control room.3: Poor communication among the platforms an accident initiator (fire or blast) in these modules had and with the vessel Tharos (DES. There was no appropriate fire-proofing to pro. the process. insistance on maintaining pipeline pressure and optimism about the capabilities of containing the fire on ET2. erator started. A. prevented this failure went out. more. the system was technically decapi- production on Tartan (communication tated. system (DES). E3p*Rupture of the risers..: Lack of redundancies in the communication with the rupture of the Claymore riser.* Jet fire under Piper Alpha A20.1: Bad location of the control room next to the production modules (DES). Lack of redundancies in the commands made it problems. the a heat load that the riser from Tartan failed under the cable routes were running through one of the most vul- platform.i: Design error: decision to run the cable route through module D (DES). redundancy for loss of electric power crease the pressure as it was beginning to drop in order (DES). later. and the deluge system that could have dancy (Ref. nerable of the production areas without adequate redun- tect the riser. After the main generator tripped. CONST). The decision to continue production on the other E2x: Failure of the public address system platforms even though there were clear and visible signs Design of public address system.. therefore. tems functioned for a while.222 PatbCornell eral) were thus poorly located and without sufficient Ex8. equipment. A few batter-activated sys- sive fire loads as the accident unfolded.2: Poor design of the deluge system astating accident initiators if there is not adequate re- (DES). E2*: Loss of the control room El.. The drilling gen- from MCP-01 and Claymore were also caused by mas. was no sound. on electricity. With loss of command and control and loss A. dundancy in the system since many emergency features require electricity (on offshore platforms as in nuclear The pool fire above modules B and C caused such power plants and many other systems). A 17. The emergency lighting ther explosions as production continued on these platforms. duction modules created failure dependencies such that Al.: Inadequate redundancies in the electric Ex6. 1. then from MCP-01 and Claymore A18-9. emergency lighting A18-19.. then failed.. A 16-33-39.: To some extent: the decision to continue of electrical power. functioned briefly.. control (technical decapitation) (DES). insufficient procedures and extremely difficult at that time to manually control the enforcement of existing procedures) (DES.. Exp*Immediate loss of electric power. and caused fur. OP). A17. there ordered production to stop (Ref.

it was waiting for orders that never came from the OIM on Piper Alpha.4: Individual initiatives to escape and much time had been lost and the result was negligible. p.3: No organizational redundancy.) (DES. rescuing personnel on board (by providing an external escape route).: Fire and smoke spread spect individual protection equip- throughout the platform ment (smoke hoods. A26-30-34-36-44... 163). and the assumption that the OIM on Piper A32. A26-30-34-36-44. the loss of the radio room pre. (OP). Second. tions and coordinate fire fighting from the fire boats.Piper Alpha Accident 223 The location of the radio room on the east side of E3?. properly locate. Alpha was to assume the role of on-scene commander (OSC) for the rescue. escape Although the OIM was not killed at the onset of and rescue of survivors the accident. appeared to be in a state of shock.1: Desigdplanning of evacuation routes (lack of redundancies) (DES). A26-30-34-36-44. Third. First. compounded by an organizational decapitation as no one rafts.2: Failure of the Tharos fire-fighting equipment (DES. no redundancy (DES. cedures that could not apply and of ordering an improvised A26-30-34-36-44. install. the location of the control centers and utility &-zL2&29-31. and the vessels in the vicinity (decapitation It could have played a major role in fighting the fire and of all damage control operations). By the time the E. disruption of the chain of command (OP). E.2: Equipment design. First. and was incapable. in the vicinity of Piper Alpha at the time of the accident.5: Poor training for evacuation (OP). mediate death of a certain number of key operators and personnel. life jackets.: Failure to properly inspect and maintain inflatable rafts (OPM). appropriate orders. survivability suits.. of giving A26-30-34-36-44. insufficient fire modules close to the production modules caused the im- proofing and smoke filters (DES). Neither tion orders (OP).1: Layout decisions. Claymore. and in- EZ4. A24-25-28-29-31. modules and components caused the fire to spread to the poor planning of the exits (lack of separation. E25. E34. and boats. OIM is incapacitated (OP). but eventually made little difference for several reasons. blockage of the planned evacuation routes and the ina- . and evacuation. The semisubmersible vessel Tharos was by chance vented critical exchanges of information with Tartan. re- utility modules and escape routes. ble. 1. OP). The technical decapitation of the system was inspect emergency exit equipment. to the OIM position (OP).E29. and the smoke to fill dundancies.Ineffectiveness of the Tharos irt fighting the fire the platform (AAE)above the C module made it vul- nerable to production accidents.1: Decision to hire and promote the individual severe to be fought effectively from the outside. lack of physical separation (DES). E2*. Given the interdepen. leaders. A26-30-34-36-44. tional. in particular evacuation orders that A26-30-34-3&44. E. OPM).2: Failure of the OIM to give evacua- could have saved many lives (Ref. in the sea from more than 60 ft. could he assume the OSC function. Second.2: Poor training for this kind of emergency fire-fighting monitors were overloaded and nonfunc- (OP). he panicked. the equipment on the Tharos malfunctioned because the A23.8: provide. so that by the time A26-30-34-364. from the beginning.6: Failure to properly locate. emergency.1: Delay in the decision of the Tharos master dencies among the different platforms in case of to take charge as OSC in time (OP).(') A23.OPM). jump off against previous informa- The OIM probably knew that the evacuation passages tion about survivability of jumping were blocked and that regular evacuation was impossi. E44: Casualties on board. he was perhaps incapable of thinking behond pro.: Loss of the OIMfunction master of the Tharos decided to take charge as OSC. etc. Poor location of the took charge except the personalities that emerged as lifeboats. it was too late to come close to Piper and the fire was too E23. E36. the poor location of living accomo- dations too close to the production modules and equip- A combination of lack of fire-fighting capabilities ment allowed the smoke to fill the quarters and failed to and design decisions that allowed fire propagation across provide a safe temporary refuge for the personnel.3: No alternative official authority when the master of the Tharos decided to assume these func. Eza. and single-point passages) led to the early the living accomodations. A32.

2: Decision to ignore early warning of several components to the same event or load (com- that the platform could not mon causes of failure.g. An accumulation of questionable decisions. to the life raft could not be inflated (it may not have been technical and organization decapitation of Piper Alpha inspected and maintained properly).2). many more therefore be divided into four categories: (1) design de- would have died in the cold water. maintenance. quences. 163). and operations both tried. and bad judgments that have been and there were additional deaths by drowning that could identified above and contributed to the accident can have been avoided. These decisions and actions occurred in the ably shortened the time that the personnel would have three phases of the lifetime of the structure: design. according to personalities. 1. and (3) vulnerability A37-38+. It should be noted that some of these decisions (e. and errors of judgment of varying severity thus not take the initiative to escape perished. 158). design deci- that the platform could not survive prolonged exposure sions) were considered acceptable at the time and conformed to the to a high-intensity fire. 14 had died during escape. As in many emergency situations. EdOA3 Structural failures and collapse of decisions that caused couplings and dependencies of three the structure types: (1)direct linkage of component failures (i. in particular. There was chaos. Finally. Claymore. at the onset of the accident. no organized response. It is this accumulation some drillers knew about (Ref. Of the 135 bodies recovered. Of those who struction and development over time. they were not aware of the Piper Alpha and Occidental Petroleum. Some and the 175 ft level and took the risk of jumping from were strategic decisions common to the operations of such heights. contributed to the Piper Alpha accident and its conse- ability of smoke hoods in the living accomodation prob. 6. Classification of the Decisions and Actions ers emerged. The human errors.e. some critical features had simply been neglected more than 10 min. 1. a wrong assumption which may have contributed to his state of panic and his of independence in the successive failure event^. This bad judgment was based on an propelled survival crafts). 1988. 227). the 100-year wave). . redundancies and dispersion of sonnel management.1: No specific fire load provisions ability of fire propagation (e.2.224 PatbCornell cessibility of the TEMPSC’s (Totally enclosed. (2) production and expansion decisions. The slow collapse of the Occidental management had been warned by Elmslie Consultancy structure as the steel yielded under the prolonged and Services that a prolonged high-pressure gas fire would have grave intense fire load may not have significantly increased the consequences for the platform and its personnel (Ref. error of reasoning and. in winter time. was ig. (3) per- problem was the lack of. In some cases. from module B to module in design of structure (DES). con- had otherwise to make escape decisions.. 3. lead. pub- lic address linked to power generation). Oc. p.g. and luck. 228-229). 1. e. Tartan. The OIM probably knew this. Design Decisions rescue operations. At least one of questionable decisions that led. pp. in other sustain severe fire loads for cases. The overall design of the network of platforms (Piper ing to the wave loads that they may experience in their Alpha. existing codes and practices of the industry. Whereas jacket-type platforms are designed accord. and no responsibility or authority (Ref.. 2. of the event] was so low that is was considered that it would not cidental Petroleum management had been warned earlier happen” (Ref. blasts).. some found themselves trapped at the 68 ft level before and during the accident of July 6.. 1991).&4243.^ inability to function and give orders. and (4) inspection. and the and correction of detected problem^. p. gross The personnel who followed the procedures and did errors. 1.1.2. the lifeboats around the platform (Ref.. but human losses. however. a large number were directly influenced by design E3. (2) high prob- A37-38-40-4~-42-43. but the property damage was certainly it had been concluded at a subsequent meeting that “[the probability greater than if the structure could have been saved.^ lack of appropriate access routes (there was a single ac- cess point). apparently. few were fully equiped to survive in the water tionable decisions.g. E38. but without planning and training in crisis response.g. taken seriously. C. It is these codes and nored because the event was judged too unlikely to be common practices that are questioned below and need improvement. The unavail. knowledge of That Contributed to Piper Alpha Accident the premises. some were tac- possibility of some passages to the 20 ft level which tical decisions made on the spot. motor. ques- cued later.. in the design. the fire loads are not cally interdependent without providing sufficient man- explicitly accounted for in the design of the structure agement integration both for production decisions that itself (Gale and Bea. Of the survivors res. p. Among the basic events of the Piper Alpha failure mode. to control room and beyond).) A serious design cisions. MCP-01) made them physi- lifetime (e. The warning. all others had died on board and two in 3. (In fact.

The design philosophy of emergency. quent accidents is. oil and 20 MMcfd of gas per day. there were simple cases of the deck surface was fixed and the result of unpreplanned deficiencies in the design of emergency equipment which additions was an extremely packed space. Indeed. By 1988. ad- fire were inadequate. or equipment such as life rafts that are not additions apparently interfered with the proper function- used in normal time and could not be inflated when ing of safety features: external reinforcements on module needed.. but also. based on the assumption that they ditional safety precautions should have been taken at the were simply too unlikely to be worth worrying about time of the shift to Phase 1 production in order to ac- (Ref. sioned in 1980: “To conserve the gas produced at Piper. without sufficient redundancies in this central authorities.1. comodate the greater risks due to higher pressures.7).” The result fire conditions that developed during the accident. onset of the accident. Also troublesome. Many modifications ure dependencies and couplings made automatic shut. and (4) critical sys. clearly insufficient. (3) The design proposal which was presented to the the lifeboats. automatic response to gas alerts. Fifth. The general “[Occidental management] adopted a superficial attitude layout of Piper Alpha was questionable because of lack to the assessment of the risk of major hazard” (Ref.(”) The plat- duction modules as to be inoperative in crisis situations form was completed in 1976. government capability. diesel pumps. atures and direct heat loads for a long time. of redundancies. and clear criteria of a serious accident was unfolding on Piper Alpha. p. display. tion of about 320. (2) inappropriate planning of escape routes (insufficientredundancies). storage P. According to Lord Cullen. the severe fire loads. of fuel on the deck). prevention of small and fre. First.(’) Third. (Ref.Piper Alpha Accident 225 affected operations on other platforms and for coherent how safe is safe enough. the lack of redundancies in production 2. for example.6. prevented adequate functioning of the Finally.000 barrels tems for emergencies (control room. radio room. the living quarters generators. life rafts. Mutual proximity produced critical spatial couplings such as: (1) no spatial separation of production modules and other 3. although protection against both is major modifications to the Piper platform were under- difficult to achieve.2. 1. and and where at the time of the accident.”(”) Other modifications included the addition etc. pumps). 228). in the short run. more cost-effective. public address. and excessive compactness. C.) implied strong couplings among failures of emer. was based on a peak production rate of 250. the system was capable of situation on Piper Alpha was described by Bea(6)as “fif- responding to minor fire emergencies. Furthermore.. for example. not to the severe teen pounds of potatoes in a five-pound bag. facilities.3). the recordkeeping of these additions readouts in the control room that proved difficult in times was inadequate: it was not even clear what was on board of crisis because of poor choice of layout. equipment and safety equipment proved critical at the Although the structure itself was reinforced in 1979.@)Some of these color coding. and other means of escape were United Kingdom Department of Energy in March 1974 grouped at one end of the platform. In particular. 3. unnecessary complexities (e. 1. fatal fail. protection. and other critical systems the addition of equipment. Safety was with new couplings and higher risks of accident that may generally considered on a small scale but provisions for not have been realized (or sufficiently questioned) at the severe conditions such as a prolonged high-pressure gas time when the additions were made.g. the manual and the automatic living quarters. which was being flared in considerable amounts as oil selves coupled. On .) were so close to the pro. were designed to accomodate 135 persons.K. gency system. The was that safety features that may have been adequate in structure itself was not designed to sustain high temper. some of which included down. It reached a peak produc- when they were critically needed. on the other platforms when there were clear signals that benefit analysis under uncertainty. of a produced water facility in 1980.1.@) At the end of this growth process. had been made to the platform. in particular living quarters. 3.000 bpd. were the decisions to continue production rious events requires an in-depth risk analysis and cost. Production and Etpansion Decisions modules. installation of oil lift pumps.000 barrels per day in 1979. backing up judgments regarding rare and se. the design of fire protection taken to retrofit gas separation processing and export systems (deluge systems. Altogether. the beginning became insufficient for this new layout. without effect. of supplementary gency systems (e. alarm. and quick decisions in case of emergency. etc. 2. Not only ad- did not work when needed: a warning system for gas ditional components were stacked. electric of oil per day (Ref. although in the end probably However. the Piper Gas directly dependent on central electric power generation Conservation project required by the U. these backups were them. Annex B). Fourth. which was initiated in 1978 and commis- source and reliable alternative supply for each emer. etc.000 barrels of and safety systems was generally faulty. thus creating new leaks that produced too many false alarms and relied on couplings. the platform was simply not designed for blast relief.2. the production had declined to about 130. fire and blast protection was was being produced at rates in excess of 300. Second.g.

experience. structure in the number of casualties. However. Life rafts.2. represents an investment that assumes first that the them? What are they actually rewarded for?). Inspection and Maintenance Decisions systems. the conditions a serious fire. and bypassed procedures (Ref. pp. and (4) insufficient attention to some circumstances. crises are rarer. The inquiry con- interruption of production on the other platforms would cluded that for a gas leak of the magnitude observed to have made little or no difference since the gas was al. This tendency can be traced back to a clear definition of success as the ability to meet production and financial goals. charge of his own system. This training seems to have been inade. contract maintenance crews. Platform do not seem to have received proper attention. money. and re- organization recognizes the possibility of truly cata. attention. generated by an organi- bilities. of the permit-to-work system and the carelessness with duction process. appropriate levels of knowledge? Do they receive ap- foreseen situations are the result of appropriate screening propriate information to take action in different cases?). As a strophic situations and properly estimates their proba. fire pumps. procedures.3. and questionable time when high-level activity should have required spe. judgments that contributed to the Piper Alpha accident cial care. lowing: (1) questionable judgment in the management agement and a clear line of authority become more cru. All of these knowledge of the system (e. Screening.s Once again. human errors. and their rationale). what are the consequences for ever. in this of this situation and tried to restart this pump in which case. procedures denial. this mainte- nance failure was rooted in a history of short cuts. The choice of personality of the corporation. particularly in safety sidered and “negative excusers” reassigned(@. once the accident started on Piper Alpha. 193- Training. (3) problems of per- are insufficient because they may not be applicable in sonnel management. at first.(12)Simple instructions about emergency procedures losphy and the design guidelines. Key organizational factors that are at the root of the gency situations. Therefore. incentives and rewards (What are people actually told to quate in the case of Piper Alpha.” ready in the line under pressure. and training in crisis man. develop. 4). and a culture that encour- of prior information that indicated a very real danger of aged flirting with disaster. (2) flaws in the design phi- cial. There seems to have been a The most critical maintenance problem was the failure lack of central command and control of the normal pro. problems accumulated. layout and passages). do? If they don’t do it. The OIM on each platform was in the factors that weakened redundant pumps A and B.4. and Promotion 194). Temporary promotions allowed fulfillment of critical functions by 4. The night shift was not informed authority and communication failures. even the initial leak seems to have started. SPECIFIC TO PIPER ALPHA sonnel. ORGANIZATIONAL ROOTS OF DECISIONS available people.. oth- fit to be captain of a ship is traditionally the result of a ers in specific features of the British oil industry and its promotion process by which individuals are evaluated relations to the British government authorities.. ganizational factors. The assembly work was not inspected and.g. Altogether. safety. and pro- duction workers were allowed to run Piper Alpha at a The decisions. how. the temptation to shut down gas alarms and deluge 3. and to Inspection on Piper Alpha appears after the fact to the painful process of feedback by which goal reductions are con- have been lacking in many areas. Some of these factors are rooted in The loss of the OIM clearly led to a tragic increase the characteristics of the oil company (culture.226 PatbCornell platform Tartan. Minimal Claymore took more than 1 hr before responding and response to inspection findings was apparently one of stopping production. and training. involve questions of information (Do the personnel have ability to reason under pressure and to respond to un. source constraints (time. result. production was even increased equipment. thereby putting forms could not be activated because of loss of command pump A out of service. and attention). there is a general tendency toward zational structure that lacked redundancies. the assembly must have been only “finger tight. described here may not have existed in July 1988 in other For example. flange assembly without proper tagging. and the ability to recognize abnormal can be in turn related to a certain number of basic or- signs in order to diagnose and fix problems immediately.2. some less experienced per. Thorough understanding and maintenance and inspection (see Fig. There were not enough qualified and trained per- sonnel on board at the time of the accident. Emergency procedures by which the which the PSV 504 was removed and replaced by a blind Piper OIM could have communicatedwith the other plat. l. Management of Personnel: Hiring. therefore. or emergency lighting to maintain line pressure before shutting down. . Such training.@) on the effectiveness of their actions in normal and emer. In this respect. which for Piper Alpha occurred with the rejection that allowed cutting corners. As marine systems have become more decisions identified in the previous section are the fol- sophisticated. in- 3. operators. the defect was not detected. of productivity vs.

1. the tendency is to consider it a “freak event” that was un- predictable and simply should not have happened. The desirability of a particular system that encourages safety in operation^. This result is often obtained by an accumulation of details in the story and by ignoring dependencies among events. punitive costs in order to make the costs of real disasters tors (influence diagram representation. itive attitude toward safety measures. For example. If and when a large accident occurs. This is not the case when: (1) operators.1. Yet. The use of decision duction increases sometimes occur with little under- analysis relies on an explicit risk attitude. oil companies and may or may not exist at this time in particular oil companies. Prob- abilities are sometimes used a posteriori to claim that the likelihood of the particular chain of events that led to a catastrophe was so small that the corporation was justified in ignoring its possibility. Dependencies among basic events of the accident scenarios. and attract the attention of the insurance companies. Decision analysis (e. however. Myopia in Risk Management and Emphasis on However. Safety A safety culture is generally defined by a clear un- derstanding of the system and its safety features. large sums of money. the lesson of the accident can be partially lost and the losses absorbed as “costs of doing business. create a visible record of incidents.2.1.” The Fig. public. the design guidelines for fire pro- tection are generally geared toward the control of minor incidents and are inadequate to protect the system from major events. and enormous environmental costs. safety trade-off. and (2) the risk attitude ing environment. Responses standing of how close one is or might be to the danger from the public and the legal system (either to hazardous zone. the philosophy seems to be system designers are not aware of all the dependencies “production first” and the time horizon seems limited of a naturally complex system. however. The Management of Production vs.(4) term perspective. and actions specific to Piper Alpha.Piper Alpha Accident 227 ORGAN12ATIONAL FACTORS to the short term. and faces a demanding world market. and/or In some oil companies. is given insuffi- cient attention because catastrophes are unlikely to occur on any particular watch. Ref. by “debottle- risk management problems include the following.1. Critical factors and potential is modified and the system expanded. (2) undertrained and un- . the high sustained pro- that the risk attitude of the corporation does not clash with duction levels are a source of pride. A “Reverse Safety Culture ’’ 4. as it will be discussed further. the lower part is a simplified unbearable enough to force the industy to adopt a longer- version of Fig. 4. large accidents may in- volve multiple casualties. of the corporation. 13) is the culture is marked by formal and informal rewards thus the tool best adapted to support such choices in a for pushing the system to the limit of its capacity. necking” and by adding components and links that allow still greater production levels. a pos- There is no golden rule for managing the produc.. The possibility of ‘Learnlng 01 proill raalalanu ragulalory rnechanlrrna centen to large l l r w overrlght severe (and rare) accidents. When this hap- pens. When a platform operates above the level of flow conditions or to an accident) are generally meant to ensure rates for which it was designed. 4. These myopic views and the rarity of large accidents tend to focus attention on avoiding small PRESSURES MAINTENANCE (and frequent) safety problems that may disrupt produc- Produetlon Productlon GUIDELINES PRACnCES Cultura veraua tion. The original design the values of society at large. and an incentive tivity vs. production engineers.('^) In an safety measure is the result of: (1)what the organization organization that rewards maximum production. 3). 4. the Piper Alpha accident was an eye opener that simply could not be ignored. and organizational fac. pushing the envelope without disaster re- Small Incidents quires understanding the consequences. oper- believes (and wants to know) about the effect of the ates most of the time in a rough and generally unforgiv- feature on the system’s safety.g. Because the costs proved so high. Pro- consistent and rational manner. is now pressing for higher and higher decisions.

Separation vs. approach to regulation. he contended. Integration of Safefy Functions benefit from North Sea petroleum.228 PatbCornell derexperienced people are allowed to run the operations. for example.(’) It was also argued that consoli- the time of the Piper Alpha accident. This. the safety division or office tions. because industries reward as long as they complied with government specifica. it was pointed out after the In such a cultural and economic environment. Chap. 1986). the responsibility for the re. the concept of government regulation of oil and bad news that increasing the production level is danger. of course.1. At than on the details. and that safety must be seriously considering the resulting risk. in turn.4. as well as outside a corporation when it is in opposition sulting degree of safety from the operating oil companies to its regulators. During the Cullen investigation of the Piper Alpha tors may not really want to know what could happen accident (Ref. 241). this laissez-faire situation when expanding and increasing the demand and they was compared to the much more stringent Norwegian may not want feedback from the people who have de. always keep up with developments and expansions in and (3) negative experiences and stories of near-misses the production area. the system was not dating the regulatory bodies would allow the oil com- working at its peak of production but at a high pressure panies to deal with one single authority in a more consistent level that required additional precautions. Many economic reasons. production function? The creation of a strong safety of- tween the British oil industry and several regulatory au. Therefore. they run counter to the general philosophy. Everything being permitted unless explic. 16). United Kingdom. power and effectiveness of the safety function.’ Yet. ing together for 2 years on revisions of OCS regulations. Carson(s)had al- ready pointed out that the British government. the emphasis was not on the actual level It seems. rewarding safety measures tion to the detail of more mundane issues. both in the United Kingdom retrofitting. further reduces the requirements. an integral part of the production process.3. but in order to allow uninterrupted favor a strong safety function that can impose its views production. in effect. gas production has not always been welcome by a large ous. between production and safety functions can exist inside dures.1. the government regula. itly forbidden. the approach of these government agencies ulation in other industries shows that the same opposition was to micromanage the specifics of design and proce. and others who tend to slow down production). Carson(s)writes of the situation in the British zone of the North Sea at the end of the seventies: “Indeed. the incentive system created safety problems because of its cursoriness and lack of atten. had adopted a hands- off attitude compared. regulation had to change emphasis in “them” (the safety inspectors. and the United States. fice has often been recommended to organizations facing thorities. These regula. (In the same tions were often incomplete because the regulator cannot way. Furthermore. Yet experience with reg- guidelines. for example. this process could even and incidents tend to be ignored and suppressed because stifle safety innovation itself. the manufacturing industry has dis- covered that inspection alone does not provide quality. the incentive to improve this aspect of offshore safety was not being ’According to the U. The opera.. this situation is evolving in the backed up. Coast Guard. Among other things. the Piper Alpha accident that the Norwegians had been more star is thus the one who shows unflinching optimism and effective in regulating offshore safety and that. . This policy simplified the task of the offshore can become a convenient position to pigeon hole the less operators who simply had to show that they satisfied the productive employees. removing. and a lot of the effort put into making the installation United States.6 Furthermore. in their the Challenger accident. For cultural reasons described signed the system because such inquiry may bring the above. mostly the production stars.S. the oil companies will face a wegian government where the tradition of regulation and problem of organizational structure: should the safety inspection was generally much stronger. 1. and effective manner. according to the safety manager but that quality must be the responsibility of everyone for one well-known oil company. that separating safety and pro- of safety achieved but on satisfying regulations without duction is not the best strategy. the inspectors’ approach actually in the production line. has to be adapted to this goal. on production (e. Presidential Commission Report on looked by inspection authorities. in the wins the battles of “us” (the production people) vs. its scope. important safety issues may have been over. The result was function be separated or should it be integrated into the a set of relatively loose and dispersed connections be. Before the Piper Alpha accident. implies that the companies themselves are willing to change their per- spective. This. eager to 4. therefore. and manage both safety and production func- 4. Advice in the literature vanes. to that of the Nor.) To that end. where industry and the Coast Guard have been work- “shipshape” appeared to be wasted” (p. and focus on the result (actual safety) rather tors. The Role of Government and Safety Regulations tions within more general regulatory requirements.g. The British government was very supportive critical safety problems.(15) such as NASA after the of the petroleum industry for a variety of political and Challenger accident. As a result. or that the system may have to be shut down for segment of the oil industry.

in maintained. if they become inac- cessible. Redundancies are particularly critical in the func- Making the production personnel responsible for tions of command and control whose loss (“decapita- safety requires that they receive appropriate resources. electrically unclassified) area.2. The first step is to the automatic shutdown. Finally.@) cumstances are not always obvious in times of normal The profits of the oil business vary with the world price operations. Lack of Redundancies. and margin of maneuver in production operations. because the linkages that may occur under severe cir- ters that separates production from refining operations. is of the central supply.Piper Alpha Accident 229 and punishing dangerous actions. Decapitation can occur both at the technical of petroleum. Therefore. as if they provided for each of the critical systems in case of failure were separate entities and independent businesses. tion”) may prevent the proper functioning of emergency time. and when the formal tuations.5. of the emergency shutdown. and the profits of production are directly and at the organizational level. on do not exist there. Even if the number of backups is are unclassified. of course. the requirements are much For example. areas including ig- less specific and a philosophy of minimum compliance nition sources other than electric (such as an open flame) can be disastrous. emergency (battery-activated) power sources must be This arbitrary definition of profit centers. Economic Constraints and Profit Centers the sea.2. areas where In organizations that cultivate the production-first. When the price of the barrel of oil decreases. fire-fighting.(16) In the United States. Flaws in Some of Guidelines for Topside Layout 4. the loss of electrical seek greater involvement. electrical equipment. areas that directly affect the safety of operations such as inspection. emergency and safety features. power generation must be methods isolate them to some extent from the world located in a “safe” (Le. because electric power is needed to activate most results and at the risk of a disaster. As it was mentioned earlier. and reliable alternative a function of the selling price and the volume of demand. but for to be present and there may be some ignition sources. Moreover. The system must be able linked to this external variable. maintenance. equipment and procedures. vapors are normally expected are classified as Division penny-pinching philosophy and the perception that se. to be vapor-tight or nonsparking. production operations have to adjust to these fluc. cumstances. once in- therefore at the fundamental root of some questionable stalled. 4. It takes special attention to Yet the production sector of many integrated oil com. and evacua- by constrast. even if they are seldom called upon. The rest is unclassi- tion going. Catastrophic Couplings. Flaws in the Design Philosophy The layout of the topside is generally guided by area-classificationconcepts whose goal is to separate the 4. backup require. fied: no vapors in ignitable concentrations are assumed ments are specific enough for topside operations. Refinery operations. may be no power to activate the safety features such as sibility for the safety of operations. sometimes at the expense of longer-term financial cables. and the gen- set reasonable production goals and objectives. when centers goals. where explosion-resistant equipment is required.2. where equipment is required satisfy regulations and are there mainly to keep produc. generation at the onset of a disaster implies that there duction personnel have to assume the primary respon. Areas vere accidents are too rare to be seriously planned for. and to eral alarm systems that are designed for these very cir- allow for contingencies. which does not mean that fire hazards specified.1..1. in the end. Governments (in the potential failures. 1. For instance. the safety gains will depend. decreasing its costs. the robustness of the equipment and the couplings among The objective of such guidelines is to prevent the . price of the raw materials and measures their results as electric cables must be protected. where vapors are present only under abnormal conditions the view is generally held that redundancies must simply are classified as Division 2. and personnel management. the public address. The costs of research and the costs Among the most critical subsystems are electric of nonimmediate safety measures are often the first to power production equipment and electric transmission be cut. there is no escape alternative but to jump into 4. head of the organization either is dead or has lost control the production sector tries to absorb these variations by of the situation. flammable vapors expected under normal production and Risk of Decapitation conditions from the sources of ignition-in particular. of command and control are out. if the backups of the United Kingdom as well as in the United States) may power supply are tightly coupled. anticipate and explicitly address decapitation problems panies is pressured by corporate structuring of profit cen. enjoy a greater stability because accounting tion operations. these backups must be regularly inspected and practices of cost reduction in the production sector. In order to meet these to function when parts of it are isolated.2. in the United States. lack of redundancies in the lifeboats (and their location) implies that. but the operators and the pro.

fire safety also involves fire training. and steel fire-proofing. existence of vapors and ignition sources. One of the to protect the system from minor incidents. and to avoid having to bring on board higher-rank- these functions had been planned for in the initial design ing individuals. Later Modifications and Unpreplanned Growth tion) and the uncertainties about the system’s capacity to sustain these loads. * Beyond design issues..e. the velocity and pressure of the flows. as a rule. unpierced bulkhead wall) but there are Structure no specific requirements against fires and blasts. for the same functions. and its As it was pointed out earlier. unpreplanned growth can bring porary promotion allowed Occidental-Aberdeen to fully with it. how these changes can affect the Temporary Promotions probabilities of external or internal accident initiators. inherent fire resistance). For the control room. plex than setting criteria for waves because the occur- and therefore piping erosion from sand and other particles. problems can oc. one generally tries to ings. by trying to prevent (as described above) the co- air. the com.. to increase multiple loads to which the structure may be subjected. water spray and deluge systems. or to correct funda. I . it was not inconsistent with these guide. Therefore. Too Few People in Time of High Activity. may be an abundance of statistics about platform fires or that the production capacity and the pressures after in the industry as a whole.2. there was generally no attempt to check by analytical reasoning. The increase lars where they can be most efficient for risk reduction. resistive coat- next to them (although. can prove fatal unless there is a clear understanding of and evacuation. The control room can be located anywhere. not directly accounted for in the design of the struc- tween). capacity by removing bottlenecks. separa. 4. is to be able to check the effects vivability (at least there was no such requirement when of successive modifications. Therefore. Fire protection thus relies on fire production modules. phase.3. proach that is taken for wave loads could be used to characterize the uncertainties about the future fire loads (as a function of the system design and mode of opera- 4. utilize available personnel to replace off-duty employ- plexities and weaknesses that would not have occured if ees. A decision analysis based on mar- Platform production systems generally evolve through ginal costs of increased safety and on the risk attitude the life of the platform.3. This tinkering with the system. the control “living document. to adjust the design parameters to provide thermal ro- pressor module can be placed next to (or even below) bustness (i. electrical classification determines the design criteria: physical separation and vapor-tight separations 4. Also. The actual criterion offen 4. and by providing lines to locate the control room above or even within the means of fire-fighting. The guide. nor to put the living accomodations pumps. benefits of developing a probabilistic risk analysis model lines do not require decoupling of production modules for each system at the design stage and of using it as a and other modules such as accomodations.2.” updated and modified as the system room. even in a process Fire risk is accounted for. in the design of the top- area. evolves and responds. may be more com- in the system. . modification are compatible with the design character- istics and maintenance schedule. factor. there is more uncertainty for a partic- cur when there is insufficient feedback to the original ular platform and more variability among platforms in designer to check that these modifications do not create the estimation of the future fire loads. Piper Alpha was constructed). All that is required in its design is to bring in fresh side. a whole new set of com. There is tion requires more space. on the other hand. such an analysis permits placing safety dol- mental flaws such as an undersized pump. however. Therefore. It is thus easy to see why under fire loads to which the structure might be subjected and guidelines that allow for such tight couplings. however. or the radio/telecom room that are critical to sur. on the one hand. and transients for the expanded system. even though there couplings and hazards that may not be directly visible. in production capacity often increases mechanical stress Setting fire criteria. loads. rences of fires is not a stable external environmental As in most engineering systems. securing. however. Problems of Personnel Management appears to be trial and error: does the system seem able to sustain an increase of load? In the past. The same ap- the living accomodations. ture(’’) in the way wave loads are considered.* Fire loads. Multiple modifications are often of the corporation can allow consistent treatment of the made to the original design-for example.3.230 PatbCornell start of a fire under normal conditions of operations and the system’s characteristics in its final state. This temporary promotion system. the system of tem- ability to respond. allows for imaginative innovations but. Insulation for fires and blasts is costly.4. and there is great congestion no attempt to assess the annual probabilities of different on a typical platform. before a real-life test. Lack of Specific Fire Criteria in Design of are required (i-e. are separate process and accomodations with utilities in-be.

The culture of any industry that discourages internal disclosure and communication of bad news leads to ig- noring small incidents and near-misses as long as they 4. of one affected the others. p. the number of people who ingly what equipment had been isolated for maintenance were operating the system in Phase 1was the minimum purposes” (Ref. pointed out earlier.~ of communications in the permit-to-work system and an In addition. when the system must fore. 192-193). The permit-to-work system. mum response to this minimum inspection. there seemed their practical applications. and that in the event of his death or inca. even when an accident does occur. procedures are too complicated for the workers who per- form the job and that they consider it necessary to take shortcuts to alleviate the load. permit.4. Also. spective. In such an environ. train- level of the OIM as well as in the supervision of the ing. .2. There. The enforcement of safety regulations 4. Defects were ings to other OIMs. Carson(5)discusses 13 cases of serious safety violations of the North 4. It may be that the formal costs are implemented. for whatever reason. could be performed on a single permit. 5. a night-shift lead production operator would not pecially in the case of a catastrophic fire. and verification. Again. Minimum Response to Inspections. The communication problem to operate quickly under emergency conditions. As priate measures to avoid its recurrence are not necessar. had government authorities of the United Kingdom as well failed before. Consequently. appro. pp. the problem is recognized.2. In this per- In fact. clearly (or to be willing to communicate) dependencies tions. be shut down for maintenance and cleaning. the objective is to seem to be considered. for example. because production and maintenance crews. when as corporate personnel were generally minimal or inef- a worker was killed in an accident in the A module (Ref. 196). p. Its deficiencies 251). the custom seems to have been mini- error in the shift handovers. 11). Furthermore. even in quires that the OIM be in a relatively safe location most the written procedure. and how maintenance As with many other organizational issues. generally because of insuf- to be inadequate redundancy in human functions. the 4. In spite of memos and warn.4. At the time of know which permits had been suspended and accord- the Piper Alpha accident. the safety inspections performed by ily taken. Failure to Learn procedures should be streamlined and simplified so as to remove the source of the problem. at the ficient resources (including personnel and time). did not guarantee that appropriate experience may not be in the formal procedures themselves but in was available when needed. attempt to find out if the same defects existed elsewhere. Safety do not result in full-scale accidents.3. and an alternative chain of command is set up upon” (Ref. others are in. just enough to keep producing and to set records constitute a black mark for the personnel involved. 1. safety issues are seldom part of the picture. choose to attend to the most pressing problems. that occurred on Piper Alpha seemed to be a general ticular. If that is the case. Features as Extra Baggage ment. the Cullen report (Ref. es. p. The accident was the result of a breakdown way in order to permit uninterrupted produ~tion. the fact that a severe accident did not occur seems to be sufficient proof that the system works and that “an inch is as good as a mile. discipline. developed a distinctively low-profile approach The permit-to-work system is described in detail in to the application of legal sanctions against offenders” (Ref. there is no mention of “tagging of the time. 1. and locking off of isolation valves which have been closed pacitation. when overburdened by several func. 197). these prob. or opened as part of making equipment safe to work formed. small. Deficiencies of the Permit-to-Work System has thus far been dominated by an administrative structure which. of duration between turnarounds.” The possibility that several If and when the primary concern is to maintain the minor problems could occur at the same time does not flow and to reduce short-term costs. multiple jobs Avoiding the risk of organizational decapitation re. In par. operators. In many who performed the work did not seem to understand cases. in particular on Piper Alpha in 1987. a platform network has to be able to operate one: “unless he was involved himself in suspending a safely in situations of distributed decision-making. the people required and appears to have been insufficient. the culture did not discourage shortcuts. For example.1. and couplings among components. 1. The question simply does not lems are rooted in the way strategies to cut production seem to have been addressed. fective because inspectors sometimes looked the other 1. the lesson was not learned on Piper corrected where they were found but there was often no Alpha itself. Chap.4. isolated do minimum maintenance that would interrupt produc- incidents are seldom discussed openly since they would tion. Insufficient Attention to Maintenance and Sea oil industry that reached the British court system and concludes: Inspection “Suffice it to say here that the evidence on prosecution once again supports the view that tolerance of violation has been institutionalized at a comparatively high level.Piper Alpha Accident 231 however. the same problems are likely to recur elsewhere.

Measures that are then taken to 9. Decision Analysis (Addison-Wesley. but mostly one of priorities and incentives. 1 and 2 (Report to Parliament by the Secretary of Many of the events that led to the Piper Alpha ac. “Structural Design for Fires on Off- maintenance error that eventually led to the initial leak shore Platforms” (presentation to the NAOE Industrial Liaison Program Conference. California). “Management Errors and tion situation that was inappropriate for the personnel’s System Reliability: A Probabilistic Approach and Application to Offshore Platforms. 10. Patt-Cornell and R.” Science 1210- and to other industries as well. J. State for Energy by Command of Her Majesty. For a long time. Project Pro- file. Weick. 267-279 (1984).” California Management Review (Winter 1987). New Brunswick. E. At the heart of the prob. some of which are London England. E. HOE- Because they must attend to immediate problems. cident prevention. B. 1968). “Social Structure. features and procedures on board the platforms. was the result of inexperience. The OtherPrice ofBritain3 Oil: Safety and Con- made without sufficient feedback and understanding of trol in the North Sea (Rutgers Universtiy Press. England.” Risk Analysis 5. and the Estimation of Risk. government regulations have been fought 12. November 1990). Personnal communications (1991). 1217 (1990). R.’’ and “Piper Gas Conservation. G. . they are the most likely to be ne. The Hon. M. Heimer. 1-17 (1990). E. Petrie. Gale. “Organizational Aspects of Engineering Sys- tem Reliability: The Case of Offshore Platforms.232 PatbCornell much less to seek to correct them. 1990).491-519 (1988). Ganick. PatC-Cornell. lem was a philosophy of production first and a produc. Vols. Bechtel Corporation. 13. izations. Carson.” Organization Science 1. ing. 1-18 (1992). Bea A1~ha. W. Berkeley. the lack 14. overworked operators. Piper Alpha” (Proceedings of the February 1991 Conference. M. Gale. Patt-Cornell “A Post-mortem Analysis of the Piper Alpha Accident: Technical and Organizational Factors” (Report no. 2. Petroleum Eng’lneering Division. and deficient learning mechanisms. facilities and less experienced. Lord Cullen. K. 1991). G. H. W. 18.” Risk Analysis 4. at least prior to the loss of Piper erations of Marine Systems.” Annual Review of Sociology 14. “Piper Production Platform. Patt-Cornell. “Some Characteristics of High Reliability Organ- by the oil industry (fearing interference and loss of con. Engineering of the University of California at Berkeley. Berkeley. poor maintenance pro. 1984). G. J. Psychology. itself under pressures. 6. San Francisco. New York. September 1992). their effects on the safety of operations. the structure.” Risk Analysis 12. University of California. Altogether. these 92-2. oil production contributed to the neglect of the safety 16. University of California. C. The 17. Personnal communications (1991). “Fire Risks in Oil Refineries: Economic save money in the short term have led to understaffed Analysis of Camera Monitoring. This problem was in ACKNOWLEDGMENTS part a problem of communication.Department of Naval Architecture and Offshore Engineer- operators are often unable to focus specifically on ac. it is the production part of the corporation that often finds London. At the time of the Piper Alpha accident. the interests of the British government in an accelerated 15. common to large segments of the oil and gas industIy 3. Corporation. K. 1988). M. R. E. 8. The Institute of Marine Engineers. which does not seem to have been at 11. H. 1982). R. Bea. method of assessment of the internal financial results of 7. “Organizational Culture as a Source of High Re- of coordination of dispersed regulatory authorities and liability. and the port” (Department of Energy. personnel are reduced to a minimum. abilistic Risk Assessments.” headed by Robert G. Bea and W. C. Because of the New Jersey. Roberts. “Recent Case Studies and Advancements in Prob- cedures. REFERENCES 5. inspection and This study was funded as part of a Joint Industry maintenance of safety features seem to have been low Project entitled “Management of Human Error in Op- on the priority list.c~) If these features seem like extra baggage even of the Department of Naval Architecture and Offshore at the design stage. M. G.277-288 (1984). E. Bea. CONCLUSIONS 1. procedures of Occidental Petroleum. Successive additions to the system had been 5. Project Profile” (Bechtel the forefront of the corporation’s concerns in any case. glected when resources are scarce. “Offshore Operations Post the different segments of some integrated oil companies. E. Normal Accidents (Basic Books. “Piper Alpha Technical Investigation lnterim Re- cident were rooted in the culture. 4. experience. E. The Public Inquiery into the Piper Alpha Disaster. Perrow. Raiffa. and everyone’s attention is focused on maintaining (or increasing) production. trol).