pages from lees loss prevention in the process industries

Appendix

18Offshore ProcessSafety

Contents

A18.1 North Sea Offshore RegulatoryAdministration 18/2A18.2 Gulf of Mexico Offshore RegulatoryAdministration 18/4A18.3 Offshore Process Safety Management 18/4A18.4 Offshore Safety Management 18/4A18.5 Inherently Safer Offshore Design 18/4A18.6 Offshore Emergency Planning 18/7A18.7 Offshore Event Data 18/8

Any account of loss prevention needs to include somemention of offshore oil and gas activities, even if this isnecessarily brief. There is a continuous interactionbetween developments onshore and offshore. The treat-ment given here is confined to an outline of offshore safetyactivities.

Offshore installations operate in a difficult and oftenhostile environment. The problems, not only of structuresbut also of processing, are challenging. The solution ofthese problems often involves technological innovation.The significance of this for safety and loss prevention isclear.

The report into the Piper Alpha disaster (Cullen, 1990),known as the Cullen Report, provides awealth of detail bothon the design and operation of an actual platform, albeitone of the older ones, in the North Sea and on the impact onit of a major accident event.

Accounts of offshore oil and gas are given in Offshore OilTechnology by Ranney (1979), Onshore Impacts of OffshoreOil by Cairns and Rogers (1981), Introduction to PetroleumDevelopment by Skinner (1982),Technological Guidelines forOffshore Oil and Gas Development by Gilbert (1983), GasProduction Operations by Begg (1984), Behaviour of Off-shore Structures by Battjes (1985) and Safety in the OffshorePetroleum Industry by Barrett, Howells and Hindley (1987)and by R.J.S. Harris (1978), Holmes and Mead (1978),Timar(1978), Shyvers (1981) andWaldie (1986).

The series of booklets by BP Petroleum Development Ltd(1990a�g) constitutes a useful starting point.

Much useful information is also given in OffshoreInstallations: Guidance on Design, Construction and Certi-fication by the HSE (1990b), also called the HSE OnshoreDesign Guide.

Selected references on offshore safety are given inTable A18.1.

A18.1 North Sea Offshore Regulatory Administration

An outline of the legislation governing oil and gas activ-ities in the UK sector of the North Sea has been given inLees Edition 3, Chapter 3, with a summary of the principallegislation given inTable A18.2.

Two principal elements of the administration are thesystems of internal control and of risk assessment. TheGuidelines for the Licencee’s Internal Control 1979 describein effect an SMS. The Regulations Related to the Licencee’sInternal Control 1985 make this a regulatory requirement.

With regardtoriskassessment, theRegulationsConcerningSafety Related to Production and Installation1976 contained arequirement that if the living quarters were to be located on aplatform where drilling, production or processing of petro-leumwastakingplace, a riskevaluationshouldbe carriedout.Atthisdate the evaluationwaslargelyqualitative.Themovetoa more quantitative approach came with the Guidelines forSafety Evaluation of Platform Conceptual Design 1981. Thesehad as a central feature, the provision of a sheltered area,required the conduct of aconcept safetyevaluation (CSE) andspecified numerical acceptance criteria.

The Guidelines defined a design accidental event as onethat does not violate any of the following three criteria:

� at least one escape way from central positions whichmaybe subjected to an accident, shall normally be intactfor at least an hour during a design accidental event;

Table A18.1 Selected references on offshoresafety issues

Offshore regulatory administrationBurgoyne (1980); Barrett, Howells and Hindley (1987);Lyons (1989); Cullen (1990); Higgs (1990); IP (1990 PUB 51,1992 PUB 64); Petrie (1990); Priddle (1990); Barrell (1992);J.W. Griffiths (1992); HSE (1992 OTI 588); H. Hughes(1992); Lees (1992); Leiser (1992); Bibbings (1992);Heiberg-Andersen (1990); Ognedal (1990, 1994);Tveit (1990)

Offshore hazardsLeblanc (1981); Anon. (1983p); CuUen (1990); Ognedal(1990).Wind and waves: DoEn (1977a, 1984); HSE (1990b)Earthquakes: Cornell and Vanmarcke (1975);Wiggins,Hasselman and Chrostowski (1976); M.W. Mitchell (1983)Vessel-platform collisions: Hathway and Rowe (1981);DoEn (1984);Technica Ltd (1985); HSE (1990b); Blowouts:Fischer (1982); Anon. (1983b); Dahl et al. (1983); Goinsand Sheffield (1983); Podio, Fosdick and Mills (1983);Milgram and Erb (1984); P.G. Mills (1984); Holand andRausand (1987); Ostebo et al. (1989)Flammable gas clouds: HSE (1992 OTI 591); Cleaver,Humphreys and Robinson (1994)Ignition sources (see alsoTable 16.23): Forsth (1981a,b,1983); Dahl et al. (1983); Sokolov (1989); J.G. Marshall(1989); Cullen (1990); Eckhoff and Thomassen (1994)Fires and explosions: Forsth (1981a,b, 1983); Solberg(1982a); Anon. (1983h,j,t); Dahl et al. (1983);Tompkins andRiffle (1983); Anon. (1985s,u); Brandie (1989b);Cullen (1990); Hjertager (1991a,b); HSE (1992 OTI 585, 586,592, 593, 595�599); Samuels (1992); Gardner et al. (1994);Wighus (1994); K. vanWingerden (1994)Missiles: R.A. Cox (1989); A.C. Palmer (1989); Cullen(1990); HSE (1992 OTI 603)Structural loading, response: DoEn (1984); HSE (1990b,1992 OTI 594, 601, 602, 608, 610); Haaverstad (1994)Escalation: D. Drysdale (1989); Cullen (1990); FourElements Ltd (1991); M. Morris, Miles and Cooper (1994)

Offshore safety managementBrading (1989); Denton (1989,1991); Ellice (1989); Fotlandand Funnemark (1989); Grogan (1989); Littlejohn (1989);Macallan (1989); McKee (1989); McReynolds (1989);G. Richards (1989); R.A. Sheppard (1989); API (1990 RP750); Cullen (1990); J. King (1992); McKeever andLawrenson (1992); S. Lewis and Donegani (1993); Jacobson(1994). Command and control: Baxendine (1989);Cullen (1990); Larken (1992)

Offshore emergency response, planningFischer (1982);Tompkins (1984); Baxendine (1989);Matheson (1989); Cullen (1990); Fitzgerald et al. (1990);R.Wilson (1992)

Offshore evacuation, escape and rescueBooth (1989); Clayson (1989); J.D. Evans (1989); Heiberg-Andersen (1989); Jefferey (1989); Keueher (1989);Lien (1989); McNeill (1989); de la Pena (1989); Perrott(1989); Petrie (1989); Rudd (1989); Side (1989); I.G.Wallace(1989,1992); Cullen (1990); Owen and Spouge (1991);Forland (1992); Forster andWong (1992)

Offshore safetyDoEn (1977, 1984); Burgoyne (1980); HSE (1980 HS(G) 12);Nat. Res. Coun., Cttee on Assessment of Safety of Outer

APPEND IX 18 / 2 OFFSHORE PROCESS SAFETY

� the shelter area shall be intact during a calculated acci-dental event until safe evacuation is possible;

� depending on the platform type, function and location,when exposed to the design accidental event, the mainsupport structure must maintain its load carryingcapacity for a specified time.

The categories of potential accident event to be evaluatedwere specified as

(1) blowouts,(2) fire,(3) explosion and similar incidents,(4) falling objects,(5) ship and helicopter collisions,(6) earthquakes,(7) other possible relevant types of accident,(8) extreme weather conditions and(9) relevant combinations of these accidents.

The Guidelines gave explicit numerical acceptability cri-teria. In practical terms, it may be considered necessary toexclude the most improbable accidental events from theanalysis. However, the total probability of occurrence ofeach type of excluded situation should not by best availableestimate exceed 1 CT4 per year for any of the main func-tions specified.This estimate is meant to indicate the orderof magnitude to aim for, as detailed calculations of prob-abilities in many cases will be impossible due to lack ofrelevant data.

Risk assessment is now the subject of the RegulationsRelating to the Implementation and Use of Risk Assessment inthe Petroleum Activities 1990. Ognedal emphasized that theNorwegian attitude is flexible in its approach to riskassessment and tries to avoid its degenerating into a ‘num-bers game’.

The Cullen Report recommended far-reaching changes inthe regulatory administration in the British sector of theNorth Sea. The recommendations flow from the evidencegiven on the Piper Alpha disaster and on the regulatory

Continental Shelf Activities (1981); Dick (1982);Petrie (1983); Kaarstad andWulff (1984); Barrett, Howellsand Hindley (1987); Cullen (1990); Knott (1990); Antomakisand Barnes (1991);W.S. Atkins (1991); Bill (1991); IMechE(1991/134, 1993/157);Venn (1991); Lees (1992); J. Morgan(1992); Renwick and Tolloczko (1992); Ronold (1992);Salter (1992); Eckhoff (1994); Lode (1994); Pappas (1994);Rushton et al. (1994).Safety system: Bodie (1989); Gordon (1989);McGeough (1989); Cullen (1990)Costs of safety: HSC (1992); Potter (1994)Injuries offshore:Wright (1986); Cullen (1990);H. Hughes (1992)

Formal safety assessmentFjeld, Andersen and Myklatun (1978); Borse (1979); Slater,Ramsay and Cox (1981); Pyman and Gjerstad (1983);Vinnem (1983); Deaves (1986); Schrader and Mowinckel(1986); Haugen and Vinnem (1987); R.A. Cox (1989d,1990, 1993); Ellis (1989); Ferrow (1989); Fleishman (1989);Gorse (1989); van der Graaf andVisser (1989); Hogh (1989);Pape (1989); Cullen (1990);Tveit (1990); Burns, Grant andFitzgerald (1991); Rock and Butcher (1991); Diaz Correa(1992); Pape (1992); S.J. Shaw (1992); Sherrard (1992);Potts (1993); S.J. Shaw and Kristofferson (1993); Gardneret al. (1994); K Miller (1994); Pitblado (1994); Ramsay et al.(1994);Trbojevic et al. (1994)

Offshore safety casesV.C. Marshall (1989); Sefton (1989); Cullen (1990);Mansfield (1992); Pape (1992);Wendes (1992); Barrell(1994); Bellamy (1994); Clegg (1994); Durnin (1994);H. Hughes (1994); Jacobson (1994); Salter (1994);Spence (1994); Spiller (1994); Hawker (1995); D. Scott(1995); D.J.Wilson (1995)

Offshore incidentsLe Blanc (1981);WOAD (1988); Due, McFarlane andCrowther (1994); H. Hughes (1994)Sea Gem: R.J. Adams (1967)Ekofisk Bravo: Gjerde (1977�78); Ognedal (1990)Alexander Kielland: Naesheim (1981); Ognedal (1990)Ocean Ranger: NTSB (1983 MAR-83 - 02); Hickman (1984)

Table A18.2 Selected legislation of offshore

A Acts

1934 Petroleum (Production) Act1962 Pipelines Act1964 Continental Shelf Act1971 MineralWorkings (Offshore

Installations) Act1971 Prevention of Oil Pollution Act1975 Petroleum and Submarine Pipe-lines Act1992 Offshore SafetyAct

Offshore Safety (Protection againstVictimization) Act

B Statutory Instruments

1972 SI 703 Offshore Installations (Managers)Regulations

1973 SI 1842 Offshore Installations (Inspectors andCasualties) Regulations

1974 SI 289 Offshore Installations (Construction andSurvey) Regulations

1976 SI 1019 Offshore Installations (OperationalSafety, Health andWelfare)Regulations

SI 1542 Offshore Installations (EmergencyProcedures) Regulations

SI 923 Submarine Pipe-lines (DivingOperations) Regulations

1977 SI 486 Offshore Installations (Life-savingAppliances) Regulations

1978 SI 611 Offshore Installations (Fire FightingEquipment) Regulations

SI 1759 Offshore Installations (Well Control)Regulations

1981 SI 399 Diving Operations atWork Regulations1989 SI 1029 Offshore Installations (Emergency Pipe-

lineValve) RegulationsSI 971 Offshore Installations (Safety

Representative and SafetyCommittees) Regulations

1992 SI 2885 Offshore Installations (Safety Case)Regulations

OFFSHORE PROCESS SAFETY APPEND IX 18 / 3

administration up to that date. The administrationenvisaged is one of goal-setting rather than prescriptiveregulations and of the use of QRA to demonstrate com-pliance. The report also recommended that an operatorshould submit a safety case and that this should be givenstructure by a requirement to demonstrate by QRA theintegrity of a temporary safe refuge (TSR). Another majorrecommendation is that the operator demonstrate, as partof the safety case, an appropriate Safety managementsystem (SMS). A further account of the report’s recom-mendations in relation to the evidence on the Piper Alphadisaster is given in Appendix 19.

The recommendations of the Cullen Reportwere acceptedin toto by the government and the new administration withthe HSE as the regulatory body was put in place in 1991.Initial legislation under this administration includes theOffshore Safety Act 1992 and the Offshore Installations(Safety Case) Regulations 1992. Development of the newadministration has been described by Barrell (1992a,b).

A18.2 Gulf of Mexico Offshore RegulatoryAdministration

The offshore petroleum industry began in the US Gulf ofMexico in the 1950s. The Coast Guard was the originalregulatory agency, but the responsibility for offshoresafety was eventually transferred to the Minerals Man-agement Service (MMS). The safety regulations are foundin the UIS Code of Federal Regulations,Title 250.

MMS directly references many of the American Petro-leum standards and recommended practice documents.The API 14 series, contain standards for subsurface safetyvalves, platform safety systems, piping systems, electricalsystems, and fire safety systems. The API t series recom-mended practices for offshore staff training is also codifiedby the MMS.

API 14C, the recommended Practice for analysis,design and installation of basic surface safety systems onoffshore production platforms was originally promulgatedin 1972. API 14C embodies two very important processsafety concepts;

� Every identifiable failure mode shall require two func-tionally independent safeguards.

� Recommended safeguards for each type of offshore pro-cess unit (pressure vessel, pump, heater, etc) were devel-oped using a generic failure mode and effects analysis.

The documentation showing the results of a 14Capproach are presented in a SafetyAnalysis and FunctionalEvaluation diagram, known as a SAFE chart. The SAFEchart is a special type of cause and effect diagram.

A18.3 Offshore Process Safety Management

In the 1990s, MMS requested voluntary adherence to theAPI 75 and API 14G recommended practice documents,which present process safety concepts to the offshoreenvironment. These standards are very similar to theOSHA process safety management regulation, containingvirtually identical wording in many sections.

A18.4 Offshore Safety Management

An offshore platform has both marine and process char-acteristics. It shares with marine vessels the hazards of

severe weather and of collision and in extremis those ofescape to the sea. At the same time it contains high pressureplant processing oil and gas. The platform is also a self-contained community with its own power plant, accom-modation and other facilities. The senior manager on theplatform is required in large part to combine the skills of aship’s captain with those of a refinery manager and toexercise command and control in an emergency.

A18.5 Inherently Safer Offshore Design

The processing of hydrocarbons is the raison d’etre of anoffshore platform. This clearly sets certain limitations onthe practice of inherently safer design. Nevertheless, thisdesign principle is just as applicable offshore.

Three examples will suffice. One is reduction in the oilinventory in the production separators. The separatorsconstitute a major oil inventory on the platform and it wasthe separators that fed the oil pool fire on Piper Alpha.Separators are now in use which have much reducedinventories. It may be noted in passing that evidence on thehydrocarbon inventory on Piper Alpha was given to theInquiry by Clark (1989).

A second example is adoption of a layout that minimizesthe possibility of an oil pool forming near a gas riser.

A third example concerns the potential for a jet flamefrom a gas riser to impinge on the accommodation. Follow-ing PiperAlpha, Shell reviewed their platforms to establishwhether in each case this was a possibility (Chamberlain,1989). In those cases where it was, action was taken.

A18.5.1 Friendly plantClosely related is the design of plant that is friendly to theprocess operator. In oil and gas extraction there are strongpressures to maintain production. In these circumstances,it is highly desirable that there be fallback states of plantoperation to which the operator can resort, without facingthe all-or-nothing choice of continuing normal productionor effecting total shut-down.

A case in point is the confidence that the operator hasthat shutting down the gas plant will not lead to loss ofpower on the main generators. Evidence at the PiperAlphaInquiry appeared to indicate that in some systems fuelchangeover on the generators, from gas to diesel, could notbe fully relied on. If this situation exists, it puts a greaterpressure on the operator to keep going.

A18.5.2 Plant layoutOffshore production platforms carry large amounts ofequipment held in a small space. Space and weight are bothat a premium, since they are difficult and expensive toprovide. Spacing between equipment in a module has to beless generous than in onshore plants.Where a 15 m distanceis widely used in the latter, the distance offshore is oftenhalf that. It is also necessary to ensure that the layout issuch that the centre of gravity of the total mass of equip-ment is at the centre of the supporting structure. CADpackages for plant layout provide a powerful tool forachieving a layout that meets this requirement.

The decks of the platform are divided into modules. Themodules are separated by fire walls which inevitablyreduce the ventilation.

Layout design seeks to separate sources of hazard fromvulnerable targets.The application of this principle is seen


on many platforms by the separation of the accommodationfrom the wellhead.

A18.5.3 Platform systemsThere are a number of basic systems that are critical forsafe operation of the platform. The account given here ofthese systems is limited to a brief overview. It is convenientto cast it as a description of the systems on Piper Alpha.The Cullen Report gives a detailed description of thesesystems and of their behaviour on the night of the disaster.

Electrical power systemsThe first of the systems is the electrical power supply sys-tem. Basic power is supplied by a pair of main turbine-driven generators with dual fuel firing, gas being the normalfuel with diesel fuel as standby. As backup, there is anemergency generator, turbine-driven and diesel fuelled.Changeover of fuel on the main generator and start up ofthe emergency generator are automatic. Drilling is servedby a separate power supply from a diesel-driven generatorwith its own emergency generators.

The emergency generator for the main supply isdesigned to provide supply to critical services, whichinclude HVAC, instrumentation and valves, and emergencylighting. Further backup is provided by an uninterruptiblepower supply (UPS) drawn from batteries designed to pro-vide power during the momentary interruption while theemergency generator starts up and, if necessary, for aperiod in the event of total failure of the main supply.

Electrical systems for offshore production platforms arethe subject of API RP 14F: 1991.

Fire protection systemThe fire protection system comprises a number of com-plementary elements.These are

� hazardous area classification,� fire walls,� fire and gas detection system,� fire water deluge system,� fire pumps,� foam system,� Halon or clean agent systems and� fire fighting arrangements.

Fire prevention and control on offshore production plat-forms is covered in API RP 14G: 1986.

The first line of defense against fire is the use of hazardousarea classification to reduce the risk of ignition of any flam-mable leak that may occur.This was formerly covered byAPIRP 500B: 1973, specific to offshore, which is now replaced bythe general onshore and offshore code RP 500 : 1991.

The traditional form of active fire protection is the waterdeluge system. This is covered by the NFPA Fire codes,Construction and Use Regulations 1974 and the associatedguidance in the Offshore Design Guide.The plant is dividedinto reference areas with a specified quantity of water to bedelivered over each area. In order to limit the size of thereference areas use is made of firewalls.There are firewallsbetween the main production modules, namely the well-head, separation and gas compression modules. Theseprovide basic passive fire protection. They are not neces-sarily designed as blast walls.

There is an extensive fire and gas (F&G) detection sys-tem, with sensors in the main production modules and

elsewhere, utilizing both combustible gas detectors andfire detectors.

A fixed water deluge system with distribution through-out the main modules and at the risers furnishes a basiclevel of active fire protection.Water for the deluge system isdrawn from the sea by fire pumps operating off the mainpower supply but with diesel-driven pumps as standby.

At locations where an oil pool fire may occur, such as theproduction separators, foam injection is provided.

Certain closed volumes may be provided with a halontotal flooding system. Enclosures which may be protectedin this way include the centrifugal compressor enclosures,the generator area, the electrical switchgear room and thecontrol room.Where, as in the latter case, operators may bepresent, a non-toxic agent is used and there is prior alarm.These fixed systems are supplemented by the fire fightingteams.

As just indicated, the traditional means of fire protectionhas been passive protection by firewalls and active protec-tion by a uniform water deluge. Alternative approacheshave tended to be inhibited by the need to comply with thetwo separate sets of regulations covering fire, one requir-ing passive and the other active fire protection measures.

In addition to the trade-off between passive and activefire protection, there may also be a trade-off between ven-tilation and active fire protection. If a module is wellventilated, gas from a leak is less likely to accumulate in thefirst place.

A plea for greater flexibility was made to the PiperAlphaInquiry by Brandie (1989b), who advocated a scenario-based approach inwhich specific fire hazards are identifiedand water deluge arrangements directed more specificallyto these scenarios. The Cullen Report recommended thisapproach within the context of Safety Case.

There are a number of issues related to fire protection.One is the availability of standard fire tests for hydro-carbon, as opposed to building, fires, such tests being nee-ded for design of fire walls. Another is the use of passivefire protection on risers, which might involve a risk ofcorrosion beneath the lagging.

Another long-standing issue, which relates to active fireprotection, is the availability of the fire pumps.

There is generally a strong argument for the use of pas-sive fire protection in that once installed it appears lesssubject to human failings. The matter is not, however,straightforward. Thus, for example, in some applicationscorrosion may occur under fireproofing, which may bothpromote the corrosion and conceal it.

There is now considerable activity in the investigation offire events on platforms, covering oil pool fires and jetflames; impingement of flames on vulnerable targets suchas risers and passive protection of these targets. Furtherdetails are given in Section A18.7.

A18.5.4 Emergency shut-down systemTheplatformisprovidedwithanemergencyshut-down(ESD)system, the main functions of which are (1) to shut down theflow from the reservoir, (2) to shut off the flow through thepipelines entering and leaving the platform, (3) to shutdown the main items of equipment and (4) to initiate blow-down of the inventories to flare. There are various levels ofESD, some involving only individual items of equipmentand others a full platform ESD, or PESD. Physically, PESDmay be activated from the control room or from any ofa number of emergency pushbuttons around the platform.


As important as the hardware are the procedures thatgovern operation of the PESD system. It bears emphasisthat the protection apparently afforded can be negated ifthere are cultural, organizational or human factors whichinhibit initiation of the system in a real emergency.

A18.5.5 Evacuation, escape and rescue systemThe evacuation, escape and rescue (EER) system is builtaround the three main means of leaving the platform,which are (1) helicopter, (2) lifeboat and (3) liferaft. Theemergency procedure is for personnel to collect at desig-nated muster points. In the vast majority of cases evacua-tion is by helicopter, personnel being summoned to thehelideck from their muster points. There are a number ofreasons, however, why evacuation by helicopter may beimpractical. They include high winds and smoke from theplatform, which can prevent landing. Another is the timetaken to reach the platform. A helicopter already in or nearthe field may arrive relatively quickly but in many locationsit takes about an hour for a helicopter to travel from anonshore base.

If helicopter evacuation is not practical, the other mainmeans of getting off the platform is by lifeboat. The use oflifeboats is also subject to limitations. Lifeboats maysometimes be difficult to reach and have limitations in highseas. Even if the conditions do not actually prevent use,they may increase the risk of injuries.

If the lifeboats cannot be used, resort is to escape to thesea by launching liferafts and climbing down knottedropes.The use of knotted ropes requires a certain degree offitness and is not without risk. One area of development hasbeen improved lifeboat systems. Prominent among these isthe freefall lifeboat, which is launched with its complementstraight into the water, as opposed to being lowered fromdavits.These have been in use on Norwegian platforms andare the method used on the replacement for Piper Alpha,Piper Bravo.

A variety of devices have become available for escape,ranging from individual packages which can be hookedonto a guard rail to chutes and slides.

Another aspect is the integrity of the escape routes fromlocations where personnel are likely to be to the means ofescape. Escape routes need therefore to be designed againsta variety of scenarios. Of particular importance are theroutes to the lifeboats from the accommodation, where atany given time a large proportion of the personnel will be.One approach is to locate lifeboats in a protected area inte-gral with the accommodation.

The PiperAlpha Inquiry heard a considerable amount ofevidence on evacuation, escape and rescue. Contributorsincluded Petrie (1989) (life-saving appliances), Rudd(1989) and Heiberg-Andersen (1990) (evacuation), Ginn(1989) (evacuation by helicopter), Kelleher (1989) (life-boats), Side (1989) (evacuation and rescue), I.G. Wallace(1989) (evacuation and escape), Lien (1989) and Perrott(1989) (escape systems), Booth (1989) (escape routes) andJ.D. Evans (1989) and de la Pena (1989) (smoke hoods).Work in this area has been described by Bellamy andHarrison (1988), Forland (1992), Forster and Wong (1992)and I.G.Wallace (1992).

A18.5.6 Explosion protectionIn many earlier platform designs, there was little protectionagainst explosion over and above that against fire, namelypartition walls being designed as firewalls rather than as

blast walls. This situation no longer pertains and mucheffort is being devoted to explosion protection. CFD simu-lation is being used to study the overpressures generatedby explosions in modules, with particular reference to theenhancing effect of obstacles and to the mitigating effectsof venting and of water spray systems.

A large amount of work has been done on the develop-ment and venting of explosions in modules and otherobstructed spaces. Much of the work using CFD explosionsimulation codes has been directed to the offshore modulesituation. Representative work using such codes is that ofHjertager (1982a, 1986, 1991), Bakke et al. (1989), Catlin(1990) and Hjertager et al. (1994). Examples of work onmodule explosions includes that described by Solberg,Pappas and Skramstad (1980, 1981), A.J. Harrison and Eyre(1987b), Catlin (1991), Brenton, Thomas and Al-Hassan(1992), Samuels (1992, 1993), Catlin, Manos and Tite (1993)and Catlin et al. (1993). A fuller account is given in Chapter 17.

Blast wallsAn increasingly common method of explosion protection isthe use of blast walls. The design of a blast wall is partly amatter of formulating suitable accident scenarios and pre-dicting by simulation the resultant overpressure and partlyone of engineering the wall so that it fulfils its protectivefunction even if it deforms somewhat.

An account of the design of theblast walls on the Kittiwakeplatform was given to the Piper Alpha Inquiry by Doble(1989).The engineering of blast walls was described by vanBeek (1989).

Smoke minimization and protectionAnother area of work is the investigation of the hazardpresented by smoke, particularly that from an oil pool fire.Aspects of this are the generation and movement of smokeand the exclusion of smoke from the accommodation.

A18.5.7 Design basis accidentsThe design of plant to cope with accidental events requiresthat there be defined a set of design basis accidents.The concept is that the plant is then designed to with-stand the design basis accidents in each category but doesnot have to be designed for events more severe than this.The selection of the design basis accidents is thereforeclosely linked with the estimates for the frequency ofsuch events, so that overall risk in the design is an appro-priate one.

DrillingDrilling is a major activity on the platform that has nocounterpart onshore. One aspect of this activity is the ever-present hazard of a well blowout.

Another aspect that can impinge on the operation of theplatform as a whole is the need to avoid loss of power suchthat the drill becomes stuck.

DivingDiving is another activity specific to an offshore platform.For the most part it does not impinge to any major extent onother activities except in so far as precautions are neces-sary to ensure the safety of the divers. At the time of theexplosion on PiperAlpha the fire pumps had been turned tomanual start to prevent sudden start-up of the pumps withconsequent danger of a diver being drawn into the pump


water inlet. This was not the policy on the sister platformClaymore, run by the same operator and in the same field.

ContractorsThe proportion of contractors on a platform may well be ofthe order of 70% or more.Typically specialist teams such asdrillers and divers are contractors with one person from theoperating company as liaison. Some contractors mayremain on a platform for long periods, others come and go.The operating company attempts to ensure the quality ofcontractors admitted to the platform by means of a qualityassurance system. Personnel from the company visit thecontractor company onshore and make the usual qualityassurance audit.

It is the responsibility of a contractor to ensure that itspersonnel are properly trained in offshore emergency pro-cedures as well as in safe systems of work and PTW sys-tems. However, there may well be features of the systemsoperated on a platform that are particular to that platform.The operator needs, therefore, to ensure that contractorswithin its system are familiar with them.

A18.6 Offshore Emergency Planning

Offshore emergency planning has the same broad featuresas that for onshore. In principle, they include the detectionof the incident, the assessment of its nature and serious-ness and if necessary, the declaration of the emergency, theassumption of command and control, and the implementa-tion of the emergency plan.

However, the emergency may not present in this ideallystructured form. It may well take the form of an emergencyshut-down initiated automatically or by personnel in thecontrol room or at one of the shut-down buttons scatteredthroughout the platform.

A18.6.1 Emergency scenariosThe first step in emergency planning is the definition of theset of scenarios on which the plan is to be based. A widerange of scenarios need to be considered if the plan is to berobust. It is not uncommon for an incident to require theevacuation of the platform, but in the vast majority of casesthis will be by helicopter and management may well feel ithas not done aswell as it might if even one person is injured.

At the other extreme is the sort of situation that arose onPiper Alpha where there was no prospect of an evacuationby any of the conventional means and where escape to thesea was the only option. This implies that the person incommand explicitly instruct personnel to make their ownescape.

A18.6.2 Goal-setting regulationsThe basic framework operated in the new offshore safetyadministration is that of regulations which are goal-settingrather than prescriptive.

The first set of regulations of the new offshore adminis-tration are the Offshore Installations (Safety Case) Regula-tions 1992.

Before considering these, it is interesting to note thatthe first regulations issued, by the DoEn, in the wake ofthe Piper Alpha disaster were the Offshore Installations(Pipe-lineValve) Regulations 1989, which require the opera-tor to fit EIVs to the pipelines connected to the platformand are thus prescriptive. The Cullen Report explicitly

endorsed this, in effect considering that exceptionallythis case met the conditions for adopting a prescriptiveregulation.

A18.6.3 Safety caseThe Offshore Installations (Safety Case) Regulations 1992implement Recommendation 1 of the Cullen Report that theoperator should submit to the regulator a safety case.

For major hazard installations onshore a requirement fora safety case already existed under the CIMAH Regula-tions 1984. Evidence on the onshore safety case wasgiven to the Piper Alpha Inquiry by Sefton (1989) andV.C. Marshall (1989d).

The offshore safety case is largely modelled on theonshore case, but has three features not explicitly con-tained in the latter.

Safety management systemOne of these is the requirement on the operator to demon-strate that it has an SMS, which will assure the safety ofthe project through the design and operation. The SMS isthus part of the safety case rather than a free-standingrequirement.

Temporary safe refugeThe second distinguishing feature of the offshore safetycase is the requirement that the platform has a TSR, nor-mally the accommodation, which should provide protectionfor a defined period. Design of aTSR involves the definitionof the events against which it is to provide protection andspecification both of the endurance period and the condi-tions which constitute failure.

Quantitative risk assessmentThe third distinguishing feature of the offshore safety caseis the requirement to use QRA. Essentially the QRA is amatter for the operator. The Cullen Report does, however,propose that one aspect of it be specified by the regulator.

The Safety Case involves a demonstration that the fre-quency of events that threaten the endurance of theaccommodation, orTSR, will not exceed a certain value. Inorder to provide at least one fixed point in the administra-tion, both the minimum endurance and the frequency withwhich there is a failure of such endurance should be speci-fied by the regulatory body, at least in the first instance.

Accounts of offshore QRA include those of Pape (1992)(regulator), Sherrard (1992) (drillling units), R.F. Evans(1994) (model validation) and Gardner et al. (1994)(methodology).

A18.6.4 Costs of offshore safetyIn the wake of Piper Alpha the offshore industry hasincurred major expenditure to enhance safety. Much of thiswas incurred in response to the disaster itself and beforethe Cullen Report appeared.

The HSE itself has made a comparison of the quantifi-able costs and benefit of safety measures in the UK NorthSea expressed as Net Present Value over 15 years (HSC,1992). It attributes the bulk of both costs and benefits tothe Safety Case Regulations, the costs being estimatedat £1200�2500 million and the benefits at £2600�4600million. A commentary on these estimates is given byPotter (1994).


A18.7 Offshore Event Data

As for onshore installations, information on offshoreevents is of two main types: (1) incident data and (2) equip-ment failure data.TheWorld-wideOffshoreAccidentDatabank(WOAD,1988) enumerates the principal accidents involvingoffshore structures involved in oil and gas activities.There isalso a need, particularly in hazard assessment, for more

detailed information on events such a leaks, fires and explo-sions, dropped loads and so on.The HSE has created the HCRdatabase, as described byBruce (1994).

Equipment failure data collection is the subject of amajor co-operative exercise carried out under the aegis ofOREDA and initiated some years before Piper Alpha. Thisis described in Appendix 14.


Appendix

19Piper Alpha

Contents

A19.1 The Company, the Management and the Personnel A19/2A19.2 The Field and the Platform A19/3A19.3 The Process and the Plant A19/4A19.4 Events Prior to the Explosion A19/4A19.5 The Explosion, the Escalation and the Rescue A19/7A19.6 The Investigation A19/8A19.7 Some Lessons of Piper Alpha A19/11A19.8 Recommendations on the Offshore Safety Regime A19/14

At 10.00 p.m. on 6 July1988 an explosion occurred in the gascompression module of the Piper Alpha oil productionplatform in the North Sea. A large pool fire took hold in theadjacent oil separation module, and a massive plume ofblack smoke enveloped the platform at and above the pro-duction deck, including the accommodation. The pool fireextended to the deck below, where after 20 min it burnedthrough a gas riser from the pipeline connection betweenthe Piper and Tartan platforms. The gas from the riserburned as a huge jet flame. Most of those on board weretrapped in the accommodation. The lifeboats were inacces-sible due to the smoke. Some 62 men escaped, mainly byclimbing down knotted ropes or by jumping from a height,but 167 died, the majority in the quarters.

The Piper Alpha explosion and fire was the worst accid-ent which has occurred on an offshore platform.

Following the disaster a Public Inquiry was set up underthe Public Inquiries Regulations � Offshore InstallationsRegulations 1974 presided over by Lord Cullen to establishthe circumstances of the disaster and its cause and to makerecommendations to avoid similar accidents in the future.The Inquiry’s reportThe Public Inquiry into the PiperAlphaDisaster (the PiperAlpha Report, or Cullen Report) (Cullen,1990) is the most comprehensive inquiry conducted in theUnited Kingdom into an offshore platform disaster, or indeedinto any process industry disaster, onshore or offshore.

The Piper Alpha Inquiry has been of crucial importancein the development of the offshore safety regime in the UKsector of the North Sea.Whereas Flixborough was followedfirst by a Court of Inquiry and then by the Advisory Com-mittee on Major Hazards, the Piper Alpha Inquiry not onlydischarged the function of an inquiry into the specific dis-aster, but made recommendations for fundamental changesto the offshore safety regime which were accepted by thegovernment.

The description of the Piper Alpha disaster given belowis necessarily a relatively brief one. Nevertheless, it is some-what fuller than that of the case histories in the otherappendices, for several reasons. It provides a good illus-tration of the work of an accident inquiry. It is replete withlessons on design and operation of hazardous installations.And it has had far-reaching consequences for the offshoresafety regime. A fuller account is given in the PiperAlphaReport. The daily transcripts, available in copyrightlibraries, also repay study. An account from the viewpointof one of the consultants to the Inquiry has been given bySylvester-Evans (1991).

Selected references on Piper Alpha are given inTable A19.1.

A19.1 The Company, the Management and thePersonnel

The Piper Alpha oil platform was owned by a consortiumconsisting of Occidental Petroleum (Caledonia) Ltd,TexacoBritain Ltd, International Thomson plc and Texas Petro-leum Ltd and was operated by Occidental.

The management concerned with the Piper platformincluded

Offshore Installation Manager Mr C.D. SeatonOffshore Superintendent MrT.J. ScanlonSenior Maintenance Superintendent Mr R.H. SeddonMaintenance Superintendent Mr K.D.White

MrA.C.B.Todd

Table A19.1 Selected references on Piper Alpha

Report of the Public InquiryCullen (1990)

Part 1 EvidenceF.H. Atkinson (1989) (Lloyds Register); Bakke (1989)(explosion simulation); Balfour (1989) (gas detectors);Bett (1989) (reciprocating compressors); Bodie (1989)(Offshore Safety Superintendent); Bollands (1989)(Control Room Operator); Brading (1989) (Chairman,Occidental Petroleum (Caledonia) Ltd); Burns (1989)(Shift Supervisor, MCP01); A.G. Clark (1989) (MaintenanceLead Hand); M.R. Clark (1989) (hydrocarbon inventory);Clayson (1989) (evacuation, escape and rescue); R.A. Cox(1989a) (damage to firewall, explosion simulation);R.A. Cox (1989b) (damage by projectiles); R.A. Cox (1989c)(damage to electrical systems, ESD, F&G, fire protectionsystems); R.A. Cox (1989d) (damage to risers); Cubbage(1989) (explosion effects analysis); J. Davidson (1989)(Operations Superintendent, Claymore); M.E. Davies(1989) (wind tunnel modelling of gas dispersion); D.D.Drysdale (1989) (escalation of fire); J. Drysdale (1989)(hydrates, methanol injection); Gordon (1989) (Manager,Loss Prevention Dept); P.M. Grant (1989) (contractors);Grieve (1989) (Process Operator); Grogan (1989)(Vice-President Engineering, Occidental); Guiomar (1989)(OIM, MCP01); Henderson (1989) (Lead Operator); Jefferey(1989) (liferafts); Jenkins (1989) (DoEn Inspector); Johnsen(1989) (hydrates, methanol injection); Leeming (1989)(OIM,Tartan); P. Lloyd (1989) (electrical systems);Lockwood (1989) (Lead Production Operator, permits-to-work); Macallan (1989) (Production and Pipeline Manager);A.G. McDonald (1989) (telecommunications); McGeough(1989) (safety training); McLaren (1989) (Lloyds Register,electrical); McNeill (1989) (rescue); McReynolds (1989)(Vice-President Operations, Occidental); J.G. Marshall(1989) (ignition sources); Moreton (1989) (ProductionSupervisor,Tartan); J. Murray (1989) (gas detectors); A.C.Palmer (1989) (damage by projectiles); Paterson (1989)(hydrates, methanol injection); Petrie (1989) (Director ofSafety, DoEn); Pillans (1989) (Lloyds Register, electrical);Rankin (1989) (supervisor, Score PSVcertification team);G. Richards (1989) (OIM (back-to-back)); S.M. Richardson(1989a) (hydrates, methanol injection); S.M. Richardson(1989b) (gas pipelines); S.M. Richardson (1989c)(autoignition); S.M. Richardson (1989d) (leaks);Ritchie (1989) (Managing Director, Score UK Ltd);K. Roberts (1989) (Facilities Engineer,Tartan); G.G.Robertson (1989) (Safety Supervisor); J.B. Russell (1989)(hydrates, methanol injection); Saborn (1989) (standbyvessel); Sandlin (1989) (OIM, Claymore); Saville (1989a)(condensate admission to PSV 504 system); Saville (1989b)(leaks); Saville (1989c) (hydrates, methanol injection);Saville (1989d) (pipe failure); Scanlon (1989)(Offshore Superintendent, maintenance); Scilly (1989)(explosion effects analysis); Scothern (1989) (gasdetectors); Seddon (1989) (Senior MaintenanceSuperintendent); Smyllie (1989) (flare);Tea (1989)(gas detectors);Thomson (1989) (Lloyds Register);Todd(1989) (Maintenance Superintendent);Tucker (1989)(accommodation); P.C.A.Watts (1989)(flare);Whalley (1989) (PSV recertification);W.P.Wood (1989) (DoTp surveys);Wottge (1989)(platform, facilities and systems)

APPEND IX 19 / 2 P IPER ALPHA

Other personnel on duty on the evening of July 6 andreferred to below include

Lead maintenance hand MrA.G. ClarkLead production operator Mr R.A.VernonPhase 1 operator Mr R.M. RichardPhase 2 operator Mr E.C. GrieveControl room operator Mr G. BollandsInstrument technician MrW.H.Young

A19.2 The Field and the Platform

The Piper Alpha platform was located in the Piper fieldsome 110miles north-east of Aberdeen.The platforms in thefield and the pipeline connections between them are shownin Figure A19.1.The Piper platform separated the fluidproduced by the wells into oil, gas and condensate. The oilwas pumped by pipeline to the Flotta oil terminal in theOrkneys, the condensate being injected back into the oil fortransport to shore. The gas was transmitted by pipeline tothe manifold compression platformMCP-01, where it joinedthe major gas pipeline from the Frigg Field to St Fergus.

There were two other platforms connected to PiperAlpha. Oil from the Claymore platform, also operated byOccidental, was piped to join the Piper oil line at the‘ClaymoreT’. Claymore was short of gas and was thereforeconnected to Piper Alpha by a gas pipeline so that it couldimport Piper gas. Oil from Tartan was piped to Claymoreand then to Flotta and gas fromTartan was piped to Piperand thence to MCP-01.

Elevationviews of the PiperAlpha platform, the layout ofthe production deck at the 84 ft level and the layout of thedeck below, the 68 ft level, are shown in Figures A19.2,A19.3 and A19.4 respectively. The production deck levelconsisted of four modules, Modules A�D. A Module was thewellhead, B Module the oil separation module, C Modulethe gas compression module and D Module the power gen-eration and utilities module.

A Module was about 150 ft long east to west, 50 ft widenorth to south and 24 ft high. The other modules were ofapproximately similar size. There were firewalls betweenA and B Modules, between B and C Modules and betweenC and D Modules (the A/B, B/C and C/D firewalls, respec-tively); these firewalls were not designed to resist blast.

The pig traps for the three gas risers fromTartan and toMCP-01 and Claymore were on the 68 ft level. Also on thislevel were the dive complex and the JT flash drum, the con-densate suction vessel and the condensate injection pumps.

There were four accommodation modules: the EastReplacement Quarters (ERQ), the main quarters module;the Additional Accommodation East (AAE); the LivingQuarters West (LQW) and the Additional AccommodationWest (AAW).

The control room was in a mezzanine level in the upperpart of D Module. It was located about one quarter of theway along the C/D firewall from the west face.

There were two flares on the south end of the platform,the east and west flares, and there was a heat shield aroundA Module to provide protection against the heat from theflares.

Platform systems included the electrical supply system,the fire and gas detection system, the fire water delugesystem, the emergency shut-down system, the commu-nications system and the evacuation and escape system.

Electrical power was supplied by two main generatorswhich normally ran off the gas supply but could be firedby diesel. There was a diesel-fired emergency generatorand also a drilling generator and an emergency drillinggenerator. In addition, there were uninterrupted powersupplies for emergency services.

The main production areas were equippedwith a fire andgas detection system. In C Module the gas detection systemwas divided into five zones: Cl and C2 in the west and easthalves of the module and C3, C4 and C5 at the three com-pressors, respectively.

Part 2 EvidenceA.J. Adams (1989) (pipeline isolation, inc. subsea isolationvalves); C.S. Allen (1989) (PTWs); Ashworth(1989)(process control and ESD); Banks (1990) (maintenancesupervisors); Baxendine (1989) (emergency command);van Beek (1989) (blast walls); Booth (1989) (escape routes);Brandie (1989a) (safe havens); Brandie (1989b)(alternatives to standard fire water systems); Broadribb(1989) (subsea isolation valves); Chamberlain (1989)(mitigation of vapour cloud explosions); R.A. Cox (1989c)(QRA); Cunningham (safety representatives); Dalzell(1989) (smoke ingress into accommodation); Daniel (1989)(standby vessels); G.H. Davies (1989) (PTWs); Day (1989)(emergency power); Denton (1989) (quality managementsystems); Doble (1989) (explosion prevention andmitigation � Kittiwake); Drew (1989) (standby vessels);Ellice (1989) (training of OIMs); Ellis (1989) (HSE view ofQRA); J.D. Evans (1989) (smoke hoods); Ferrow (1989)(FSA); Fleishman (1989) (Gyda safety evaluation); Gilbert(1989) (subsea isolation valves); Ginn (1989) (evacuation byhelicopter); Gorse (1989) (FSA); Heiberg-Andersen (1990)(evacuation, Norwegian sector); Higgs (1990) (offshoresafety regime); Hodgkins (1989) (HSC � DoEn AgencyAgreement); Hogh (1989) (QRA); M.J. Jones (1990)(training); Keenan (1989) (standby vessels); Kelleher (1989)(lifeboats); Kinloch (1989a) (PTW); Kyle (1989) (PTWs);Lien (1989) (escape systems); Littlejohn (1990) (offshoresupervisors); Lyons (1989) (offshore safety regime);McIntosh (1989) (fire and explosion protection); McKee(1990) (safety management); Macey (1989) (standbyvessels); Matheson (1989) (offshore emergency medicalteam);V.C. Marshall (1989d) (safety cases); Middleton(1989) (standby vessels); Nordgard (1990) (accommodationin Norwegian sector); Ognedal (1990) (Norwegian offshoresafety regime); Pape (1989) (HSE view on QRA); de laPena (1990) (smoke hoods); Perrott (1989) (escape systems);Petrie (1989, 1990) (life-saving appliances, offshore safetyregime); Priddle (1990) (offshore safety regime);Rimington (1990) (onshore safety regime); Rudd (1989)(evacuation); Scanlon (1989) (PTWs); Sefton (1989)(CIMAH, safety cases); R.A. Sheppard (1989)(safety management); Side (1989) (rescue andevacuation); Spouge (1989) (options for accommodation);B.G.Taylor (1989) (offshore industry developments);Tveit (1990) (Norwegian offshore safety regime, QRA);Vasey (1989) (mitigation of module explosions);I.G.Wallace (1989) (evacuation and escape);Willatt (1989)(offshore pipeline connections)Further accountsAnon. (1988g); Johnsen (1989, 1990); Boniface (1990a,c�e);Redmond (1990, 1991 LPB 102); S.M. Richardson, Savilleand Griffiths (1990); Sylvester-Evans (1990a,b, 1991);Tombs (1990); Lees (1991,1992a, 1994b)

P IPER ALPHA APPEND IX 19 / 3

The fire water deluge system consisted of ring mainswhich delivered foam in A�C Modules and part of Dmodule and at theTartan andMCP-01 pig traps andwater atthe condensate injection pumps. The fire pumps were sup-plied from the main electrical supply but there were backupdiesel-driven pumps.

The hydrocarbon inventory in the pipelines wasapproximately as follows. The main oil line was 30 in. indiameter and 30 miles long and held some 70,000 te ofoil. The gas line from Tartan was 18 in. in diameter and11.5 miles long and held some 450 te; the gas line to MCP-01was 18 in. in diameter and 33.5 miles long and held 1280 te;the gas line to Claymore was 16 in. in diameter and 21.5 mileslong and held 260 te.

A19.3 The Process and the Plant

The fluid from the wellhead, containing oil, gas, con-densate and water, passed through the wellhead ‘Christmastrees’ to the two separators where the gas was separatedfrom the oil and water. The oil was then pumped into themain oil line. The gas was compressed first in three cen-trifugal compressors to 675 psia, with some gas beingtaken off at this point as fuel gas for the main generators,and then boosted in the first stage of two reciprocatingcompressors to 1465 psia. Condensate was removed and thegas was then further compressed in the second stage of thereciprocating compressors to 1735 psia. The gas then wentthree ways: to serve as lift gas at the wells, to MCP-01 asexport gas or to flare. The plant could be operated in twomodes, which affected the method of removing condensate.In the normal, or phase 2, mode, the gas passed from the

first stage of the reciprocating compressors to the GasConservation Module (GCM), where it was dried. The gaswas then cooled by reducing the pressure across a turbo-expander so that condensate was knocked out by theexpansion and returned to the outlet of the JT flash drum,which was also the inlet of the second stage of the recipro-cating compressors. Condensate from the GCM was passedto the JT flash drum. The process could also revert to theoriginal, or phase 1 mode, dating from a period before theGCM was installed to produce export quality gas, in whichthe GCM was isolated and gas from the first stage of thereciprocating compressors was let down in pressure acrossthe JTvalve into the JT flash drum so that condensate wasknocked out by the Joule�Thomson ( JT) effect and thenpassed as before into the second stage of the reciprocatingcompressors. Condensate from the JT flash drum passedfirst to two parallel centrifugal condensate booster pumpsand then to two reciprocating condensate injection pumpswhich pumped the condensate into the main oil line.There was normally one condensate injection pump lineoperating and one on standby.

Each condensate injection pump was protected fromoverpressure on the delivery side by a single pressure safetyvalve (PSV). The PSVwas on a separate relief line from thedelivery head of the pump rather than on the delivery lineitself.The valve on Apumpwas PSV 504 and that on B pumpPSV 505. These valves were located in C Module, the reliefline running up from the 68 ft level, where the pumps werelocated, to the PSVs in C Module and back down to the con-densate suctionvessel on the 68 ft level.

In accordance with standard practice, methanol wasinjected into the process at various points to preventformation of hydrates whichwould tend to cause blockages.

A19.4 Events Prior to the Explosion

On 6 July there was a major work programme on the plat-form. This included the installation of a new riser for theChanter field and work on a prover and metering loop.

The extra accommodation for the workforce was pro-vided on the Tharos, a large floating fire fighting vesselanchored near the platform. Also near the platform werethe standby vessel, the Silver Pit, a pipeline vessel, theLowland Cavalier, and Maersk anchor handling vessels fortheTharos.

The GCM was also out of service for changeout of themolecular sieve driers. In consequence, the plant operationhad reverted to the phase 1 mode so that the gas was rela-tively wet.

The resulting increased potential for hydrate formationwas recognized by management onshore. The increasedmethanol injection rates required were calculated andcommunicated to the platform together with suggestionsfor the configuration of the methanol pumps.The methanolinjection rates needed were some 12 times greater than fornormal phase 2 operation.

However, there was an interruption of the methanolsupply to the most critical point, at the JT valve, between4.00 and 8.00 p.m. that evening.

The operating condensate injection pump was B pump.The A pump was down for maintenance. There were threemaintenance jobs to be done on this pump: (1) a full24 month preventive maintenance (PM), (2) repair of thepump coupling and (3) recertification of PSV 504. In orderto carry out the 24 month PM, the pump had been isolated

Figure A19.1 Pipeline connections of the Piper field(Sylvester-Evans,1991)(Courtesy of the Institution ofChemical Engineers)


by closing the gas operated valves (GOVs) on the suctionand delivery lines but slip plates had not been inserted.Work on the coupling, which was suffering from avibrationproblem, would not involve breaking into the pump.

With the pump in this state, with the GOVs closed butwithout slip plate isolation, access was given to remove PSV504 for testing. It was taken off in the morning of July 6 by atwo-man team from the specialist contractor Score UK Ltd.They were not able to restore the PSV that evening. Thesupervisor in this team came back to the control room sometime before 6.00 p.m. to suspend the permit-to-work (PTW)

and the team then went off duty, intending to put the PSVback the next day.

At about 4.50 p.m. that day, just at shift changeover, themaintenance status of the pump underwent a change. Themaintenance superintendent decided that the 24 month PMwould not be carried out and that work on the pump shouldbe restricted to the repair of the pump coupling.

About 9.50 p.m. that evening B pump on the 68 ft leveltripped out. The lead production operator and the phase 1operator attempted to restart it but without success.The loss of this pump meant that with A pump also down

Figure A19.2 The Pipe Alpha platform: (a) east elevation and (b) west elevation (Sylvester-Evans,1991)(Courtesy of the Institution of Chemical Engineers)


Figure A19.3 The Piper Alpha platform: the production deck on the 84 ft level (Sylvester-Evans,1991)(Courtesy of the Institution of Chemical Engineers)

Figure A19.4 The Piper Alpha platform: the 68 ft level (Sylvester-Evans,1991) (Courtesy of the Institution ofChemical Engineers)


condensate would back up in the JT flash drum and withinsome 30 min would force a shut-down of the gas plant.There was a possibility that if the gas supply to the maingenerator was lost and if the changeover to the alternativediesel fuel failed, the wells also would have to be shut-down.It would then be necessary to undertake a ‘black start’.

The lead operator came up to the control room. He talkedon the telephone with the lead maintenance hand and it wasagreed to attempt to start A pump.The lead operator signedoff the permit for A pump so that it could be electricallydeisolated and restarted, and went back down to the pumps.The leadmaintenance hand came down to the control room toorganize the electricians to deisolate the pump. It is uncer-tain precisely what action the lead operator and the phase 1operator took. They were observed at the pumps by thephase 2 operator and an instrument fitter, but the evidence ofthese witnesses was inconclusive. However, there was nodoubt that the lead operator intended to start A pump.

About 9.55 p.m. the signals for the tripping of two of thecentrifugal compressors in C Module came up in the controlroom.This was followed by a low gas alarm in C3 zone on Ccentrifugal compressor. Then, the third centrifugal com-pressor tripped. Before the control room operator couldtake any action a further group of alarms came up: threelowgas alarms in zones C2, C4 and C5 and a high gas alarm.The operator had his hand out to cancel the alarms when hewas blown across the room by the explosion.

Just prior to the explosion personnel in workshops inD Module heard a loud screeching sound which lasted forabout 30 s.

A19.5 The Explosion, the Escalation and the Rescue

The initial explosion occurred at 10.00 p.m. It destroyedmost of the B/C and C/D firewalls and blew across the roomthe two occupants of the control room, the control roomoperator and the lead maintenance hand.

The emergency shut-down (ESD) system operated, clos-ing the emergency shut-off valve (ESV) on the main oil lineand starting blowdown of the gas inventories to flare. TheESVs on the gas pipelines were not designed to close onplatform ESD; this would impose an undesirable forcedshut-down on the other platforms connected to Piper.Instead there were three separate shut-down buttons forthese ESVs in the control room.

The explosion was followed almost immediately by alarge fireball which issued from the west side of B Moduleand a large oil pool fire at the west end of that module. Theexplosion and fire were witnessed by personnel on the ves-sels lying off the platform. It so happened that one witnesson the Tharos was standing with camera at the ready. Hetook a sequence of shots of the development of the fireball.

The large oil pool fire gave rise to a massive smoke plumewhich enveloped the platform from the production deck atthe 84 ft level up.

The offshore installation manager (OIM) made his wayto the radio room and had a Mayday signal sent.

The Tharos effectively took on the role of On-SceneCommander. The Coast Guard station and Occidentalheadquarters onshore were informed. Rescue helicoptersand a Nimrod aircraft for aerial on-scene command weredispatched. The flight time for the helicopters was aboutan hour.

Most of the personnel on the platform were in theaccommodation, the majority in the ERQ.Within the first

minute flames appeared on the north face of the modulealso and the module was enveloped in the smoke plumecoming from the south.The escape routes from the moduleto the lifeboats were impassable.

At the 68 ft level divers were working with one manunder water. They followed procedure, got the man upand briefly through the decompression chamber. Theywere unable to reach the lifeboats, which were inaccessibledue to the smoke. They therefore launched life raftsand climbed down by knotted rope to the lowest level, the20 ft level.

The drill crew also followed procedure and secured thewellhead.

The oil pool in B Module began to spill over onto the 68 ftlevel where a further fire took hold. There were drums ofrigwash stored on that level which may have fed the fire.

The fire water drench system did not operate. There wasonly a trickle of water from the sprinkler heads.

The explosion disabled the main communications sys-tem which was centred on Piper. The other platforms wereunable to communicate with Piper.They became aware thatthere was a fire on Piper, but did not appreciate its scale.They continued for some time in production and pumpingoil. This pumping would have caused some additional oilflow from the leak at Piper.

After some 20 min from the initial explosion the fire onthe 68 ft level led to the rupture of the Tartan riser on theside outboard of the ESV. This resulted in a massive jetflame which enveloped much of the platform.

The emergency procedure was for personnel to report totheir lifeboat, but in practice most evacuations would be byhelicopter and personnel would be directed from the life-boats to the dining area on the upper deck of the ERQ andthen to the helideck. Personnel in the ERQ found the escaperoutes to the lifeboats blocked and waited in the diningarea.The OIM told them that a Mayday signal had been sentand that he expected helicopters to be sent to effect theevacuation. In fact the helideck was already inaccessible tohelicopters.

Some 33 min into the incident the Tharos picked up thesignal ‘People majority in galley. Tharos come. Gangway.Hoses. Getting bad’.

No escape from the ERQ to the sea was organized by thesenior management. However, as the quarters began to fillwith smoke individuals filtered out by various routes andtried to make their escape.

Some men climbed down knotted ropes to the sea. Othersjumped from various levels, including the helideck at174 ft. One man who had arrived only that afternoon onhis first tour jumped from a high level. One standing onpipes protruding from the pipe deck was pushed off byanother behind him who could no longer stand the heat ofthe pipes.

The vessels around the platform launched their fast res-cue craft (FRCs). The first man rescued, by the FRC of theSilver Pit, was the oil laboratory chemist, who, on experi-encing the explosion, simply walked down to the 20 ftlevel and was picked up without getting his feet wet. Mostsurvivors, however, were rescued from the sea. Much ofthe rescue operation took place after the rupture of theTartan riser.

The FRC of another vessel, the Sandhaven, was des-troyed with only one survivor. The FRC of the Silver Pitmade repeated runs to the platform; eventually it wasblown out of the water, and began to sink, but returned


to the platform and then finally sank, its crew beingthemselves rescued by helicopter.

At about 10.50 p.m. the MCP-01 riser ruptured and about11.18 p.m. the Claymore riser ruptured. The pipe deckcollapsed and the ERQ tipped. By 12.15 a.m. on 7 July thenorth end of the platform had disappeared. By the morningonlyA Module, the wellhead, remained standing.

A19.6 The Investigation

An investigation of the disaster was immediately under-taken by the Department of Energy (DoEn) headed byMr Petrie. Two reports were issued, an interim report(the Petrie Interim Report, or simply, the Petrie Report) anda final report (the Petrie Final Report); the latter includedappendices on various technical studies commissioned.

The Petrie Report put forward two scenarios for thehydrocarbon leak which led to the explosion: a leak fromthe site of PSV 504 (Scenario A) and a leak due to ingestionof liquid into the reciprocating compressors (Scenario B).

The Inquiry was presided over by a Scottish judge, LordCullen, assisted by three technical assessors. There was alegal counsel to the Inquiry assisted by technical con-sultants to the Inquiry. Parties to the Inquiry includedOccidental, the DoEn, groups representing survivors andthe trade unions, the contractors, the specialist contractorScore, several equipment manufacturers and for the secondpart, the UKOil Operators Association (UKOOA). Part 1 ofthe Inquiry dealt with the disaster and its background,Part 2 with the future.The Inquiry heard some 280witnessesin 180 days of evidence and received some 840 productions,or documents.

It began by considering whether to advise that the debrisof the platform should be raised from the sea bed. It wasclear at an early stage that the size of leak sought was ofthe order of 10 mm2. The evidence was that the opera-tion presented a number of problems and hazards, wouldinvolve considerable delay and might well not provide muchuseful information. The Inquiry decided not to pursue thematter.

In seeking to find the cause of the leak, the Piper AlphaReport begins with the evidence on the explosion itself. Itconcludes that the explosionwas at 10.00 p.m., that it was inC Module and in the south-east quadrant of that module,that the fuel involved was condensate, that the leak gaverise to a gas cloud filling less than 25% of the module, thatthe mass of fuel within the flammable region was some30�80 kg, that the explosionwas a deflagration rather thana detonation, that the maximum peak overpressure was inthe range 0.2�0.4 bar and that the ignition source could notbe identified. Evidence for these findings included the gasalarms in C Module; the screeching noise heard just priorto the explosion; testimony of and photographs taken byobservers on the surrounding vessels of the fires just afterthe explosion; the effects of the explosion, including thedamage to the two firewalls in C Module; the effects of theexplosion on the control room and its occupants; the lack ofdamage to the heat shield on A Module and estimates ofoverpressure based on some of the explosion effects, suchas firewall damage and bodily translation of persons.

It was not initially clear how a gas cloud of sufficient sizecould develop without setting off certain gas alarms whichaccording to the evidence had not been triggered. In parti-cular there was a gas detector in the roof above the site ofPSV 504 or PSV 505 (the two valves were close together)

and another some 2�3 ft above floor level among the heatexchangers between the reciprocating and centrifugalcompressors; both these detectors were in C2 zone. How-ever, the first gas alarm was in C3 zone at C centrifugalcompressor. Accordingly, wind tunnel tests were commis-sioned from BMT Fluid Mechanics to explore the pattern ofgas alarms for different types of leak. Scenarios investi-gated included leaks of natural gas and of condensate, theone a buoyant and the other a heavy gas; leaks fromvariouspoints in the modules and leaks from various types ofsource, including a leaking flange and an open pipe. It wasconcluded by the investigator that of the scenarios studiedonly a leak from the site of PSV 504 or PSV 505 fitted thepattern of gas alarms and, further, that this leak was a two-stage leak, the first stage being small and the second rela-tively large. It would have been this second stage whichgave rise to the gas cloud sought.

The experimental run of main interest simulated a leakof 100 kg/min from PSV 504. Figure A19.5 shows thecontours of the lower flammability limit of the gas cloudformed after 30 s from such a leak. The cloud would notset off either of the gas detectors mentioned. Figure A19.6shows the mass of gas within the flammable limit as afunction of the leak flow rate after 30 s and at infinite time.These results were subject to a number of reservationsbut indicated that a gas cloud of sufficient size could beformed.

The next question considered was whether the explosionof such a gas cloud could cause the damage observed. It wasestimated that the B/C firewall would fail at an over-pressure of 0.1 bar and the C/D firewall at an overpressureof 0.12 bar.

Simulations of the explosion of flammable mixtures inthe module had been commissioned prior to the Inquiry atthe Christian Michelsen Institute (CMI) by the DoEn andother parties. The simulations were performed using theFLACS computer code. Following the wind tunnel work, theInquiry commissioned a single further run for a gas cloudin the south-east quadrant of C Module and containingsome 45 kg of propane within the flammable limit. Thesimulation was subject to a number of reservations butindicated that such an explosion could cause the firewalldamage observed.

The simulation also provided an explanation of a pointwhich had seemed puzzling. The two occupants of thecontrol room were thrown across it by the explosion andexperienced a rush of cold air, not hot gas. The simulationshowed that in the early stages of the explosion the controlroom wall would be subject to a positive overpressure andinrush of air, but that by the time the hot combustion pro-ducts approached the control room, the negative phase ofthe pressure pulse had set in, the velocity vectors hadreversed and the direction of air flow was out of the controlroom into C Module.

The two-stage nature of the leak also presented anotherpoint of difficulty. Isolation of Apumpwas by the closure ofthe GOVs on the suction and the delivery lines.The suctionGOVwas electrically isolated and it was uncertain whetherpower to it had been restored by the time of the initialexplosion. In any event restoration of the valve wouldinvolve reconnecting a pneumatic line to the valve, whichcould quickly be done by an operator. It was concluded thatthis connection was made and that probably the operatorgave it a tweak to make sure the valve movement wasrestored. This would have had the effect of admitting


condensate to the relief line to PSV 504, but not of filling itwith condensate liquid, thus giving rise to the early, smal-ler leak. Subsequent opening of the valve and filling of therelief line with condensate liquid could then have causedthe later, larger leak.

Evidence was also heard on tests on leaks from blindflanges. The flange at PSV 504 was a ring-type joint(RTJ) flange. Three methods of tightening up were investi-gated: flogging up with a flogging spanner and hammer;hand tightening with a combination spanner and fingertightening. The results showed that a flange in good con-dition which had been flogged up or hand tightened did notleak. Even deterioration of the flange would be unlikely togive the leak sought unless the deterioration was gross.However, a finger-tightened flange could give a leak whichwas directionally downwards and was of the flow ratesought.

The Inquiry concluded that the explosion had beencaused by ignition of a gas cloud containing some 45 kg ofhydrocarbon within the flammable range, arising from atwo-stage leak, in the first stage perhaps some 4 kg/minand in the second stage some 110 kg/min lasting some30 s, coming from an orifice of equivalent diameter some8 mm2.

There was no obvious explanation why the blind flangewas not leak-tight. Much evidence was led to the effect thatan experienced and competent fitter would not make upa blind flange which was not leak-tight.The Inquiry noted,however, that the decision not to proceed with the full24 month PM on A pump was taken just as shift handoverson the platform were starting so that some personnel mayhave been ignorant of this change in intent and that thelack of leak-tightness of the blind flange may have beenconnected with the status of A pump.

The lead production operator had clearly had the inten-tion to start A pump. It was difficult to explain this givenfact that its sole PSV was off. The Inquiry concluded thatthe lead operator was indeed ignorant of this, even though

Figure A19.5 The flammable gas cloud for a leak of100 kg/min in the BMT wind tunnel tests: LEL contoursat 30 s (Cullen, 1990)

Figure A19.6 Mass of fuel in the flammable range in the BMT wind tunnel tests: (a) variation with time(b) variation with leak rate (Cullen, 1990)


this meant a serious breakdown of communications aboutthe work. It implied that the fact that the PSV was off wasnot communicated in the handovers of the lead main-tenance hand, the phase 1 operator and the lead productionoperator and that the lead operator did not learn of itthrough the PTWsystem.

When he found that he was unable to put the PSV backthat evening, the Score supervisor came up to the controlroom to suspend the permit. He was on his first tour as asupervisor and had had no training in the operation of thePTWsystem in use on the platform.Whom he spoke to andwhat transactions took place were obscure. It was unclearhow he knew that the procedure in filling out the permit forsuspension was to write ‘SUSP’ in the gas test column.

In any event the Score supervisor did not make a finalinspection of the job site before going off work and evi-dently the lead production operator did not inspect the jobsite either, although in both cases good practice requiredthat this be done.

Further, the leak would not have occurred if there hadbeen a more positive isolation of the pump by means suchas the use of a slip plate.

The explanation just described is that adopted in thePiperAlpha Report but several other scenarios for the leakwere also explored. One group of scenarios was concernedwith explanations of the leak from the blind flange follow-ing admission of condensate into A pump other than lackof leak-tightness. They include the possibilities of auto-ignition, shock loading, low temperature brittle fracture,and overpressurization by methanol injection. All of thesewere quickly ruled out except auto-ignition by compressionof a flammable mixture formed in the relief line. The linehad been left open for an hour before the blind flange wasput back on. It was not possible to calculate whether auto-ignition would have occurred due to lack of data on auto-ignition properties of the multi-component mixture at thehigh pressures involved, some 300 bar. Moreover, companydocumentation on the rating of the pipework was incon-sistent so that it was uncertain whether the flange wasa 900 or 1500 lb one. The expert evidence was that ifauto-ignition had occurred and the lower rating applied,a leak was possible, although whether it would havehad the required characteristics was another matter. Anaccount of this work on auto-ignition has been given byS.M. Richardson, Saville and Griffiths (1990).

The scenario was considered that condensate liquid hadbacked up in the JT flash drum and thence into the reci-procating compressors. There was evidence that on loss ofB pump steps had been taken to reduce the condensatemake by unloading and recycling these compressors. Thereport concludes that there had been insufficient time forbackup to occur before the initial explosion and that inaddition both the conditions around the compressors andthe expected action of protective instrumentation wereagainst this scenario.

A further scenario which emerged in the Inquiry wasthat the leak occurred from PSV 505 and that it was causedby hydrate blockage. The interruption to the methanolsupply to the JT valve lent credibility to this scenario.Experimental work commissioned showed that hydrateswould form under the conditions pertaining at the JTvalveduring the partial loss of methanol supply if the tempera-ture at the valve fell below a critical value; it had in factbeen below this temperature on 5 July.The expert evidencewas that hydrates could pass through to the condensate

injection pumps and cause blockage there some 2 h afterrestitution of the full methanol supply. There were severalversions of the scenario all leading to blockage of hydrate atPSV 505 and overrunning of the pump so that the deliverypressure rose to a value high enough to cause rupture of thevalve, which was the weakest point in the line. The reportdoes not rule out this scenario, but regards it as less likelythan the preferred one.

Finally, the consultants to the Inquiry reviewed a largenumber of other scenarios which were not purely theore-tical but had some link with the information available at thetime, which included a hazop study, past equipment fail-ures and process conditions that evening. None was foundconvincing by the Inquiry.

Turning to the escalation, the causes of the oil pool fireand the fireball which occurred in BModule within secondsof the explosion in C Module were unclear. The Inquiryheard evidence on the type, number, velocity and impacteffects of the projectiles which would have resulted fromthe destruction of the B/C firewall. The condensate injec-tion line ran from C Module through into B Module where itjoined the main oil line.The report concludes that probablythe fireball was caused by a missile rupturing this line nearthe main oil pumps at the west face of B Module.

Estimates of the size of the oil pool fire indicated that thesupply of oil to the fire probably exceeded the oil inventoryof the separators and that there was a leak of oil from themain oil line through the main oil line EVS which was notfully closed. This leak would be aggravated by continuedpumping of oil by the other platforms.

The fire water deluge system did not work. The initialexplosion knocked out the main power supplies. It may alsohave damaged the water pumps and the water mains. In anyevent it was the practice on Piper to put the pumps onmanual start when divers were in the water and thus inpossible danger of being sucked into the pump intakes andthey were on manual start that evening. The start controlswere at the pumps themselves. After the explosion occur-red an attempt was made to get through to the pumps tostart them by personnel wearing breathing apparatus, butto no avail. Further evidence was given of quite extensiveblockage caused by corrosion products in the fire waterdeluge system, which operated on sea water, a problemwhich had persisted for some years.

The initial explosion caused the operation of the plat-form ESD. This could have occurred through loss of themain power supply and/or rupture of a pneumatic ringmain. Also, although dazed by the explosion the controlroom operator pressed the platform ESD button. He didnot, however, press the buttons to close the ESVs on thethree gas pipelines. Evidently, these did close but theirclosure was due rather to the effects of the initial explosionon power supplies to the valves.

Following the initial explosion a period of extendedflaring occurred which greatly exceeded that to be expec-ted from the flaring of the gas inventory on the platform.The report accepted that the most probable explanationwas a failure of the Claymore ESV to close fully.

The main communications for the Piper field werecentred on Piper.The systemwas knocked out by the initialexplosion, so that the other platforms were unable to com-municate with Piper and had difficulty communicatingwith the shore.

The report details a number of management weaknesses.There were severe and numerous defects in the PTW

APPEND IX 19 / 1 0 P IPER ALPHA

system. For example, it violated more than half of the mainpoints in the code of practice on PTWs issued by the OilIndustry Advisory Committee (OIAC). The system wasoperated rather casually. The training of the specialistcontractors supervisor in the permit system operated onthe platform was found to be inadequate.

With regard to handovers, the company had been pro-secuted only a year before for a fatality and had pleadedguilty. The report takes the view that a failure in handoverprocedures was a factor in that accident.

A number of different types of audit were performed bythe company, by its partners, by loss prevention specialistsand so on. None of these had revealed the defects in thePTWwhich became apparent very quickly at the Inquiry.

The report is critical of the handling of the emergency bythe senior management on the platform and in particular ofthe failure to recognize that helicopter evacuation was notpossible and to take command of the situation and organizeescape from the ERQ.

The decision to keep the platform operating despite thelarge workload is another matter of which the report iscritical.

The report states that the company had no system toensure that all projects were subject to formal safetyassessment. Certain techniques such as hazopwere used onsome projects and quantitative estimates had been made insome studies, but the approach was unsystematic. Thereport takes the view that as a consequence the hazardspresented by the hydrocarbon inventory on the platformand particularly in the pipelines had not been system-atically addressed.

Part 2 of the Inquiry was concerned with the future off-shore safety regime. The context was not only the PiperAlpha disaster but also the changes taking place in theNorth Sea oil province. The exploitable oil and gas fieldswere becoming smaller and the technology to develop themwas becoming more varied.

The evidence in Part 1 revealed serious weaknesses inthe company management. It was an issue why the DoEnhad not discovered these weaknesses.The report is criticalof the relative lack of emphasis placed by the Department onthe assessment of management and management systems.

In contrast to the British onshore and Norwegian off-shore regimes, which had both moved increasingly towardsgoal-setting regulations, the British offshore regime reliedexcessively on prescriptive regulations, and associatedguidance.

The deficiencies of such a regime were illustrated in theregulations concerning fire protection, which had a num-ber of defects. Passive and active fire protection were cov-ered by two separate sets of regulations. The regulations,and associated guidance, for active fire protection led inpractice to systems based on delivery of a uniform quantityof water over large areas of a platform, deluge systemsprone to blockage and massive water pumps. Fire protec-tion was not integrated with explosion protection.

The report states that the approach taken by the DoEnto the control of the major hazards from hydrocarbons athigh pressure did not impress as an effective one. Further,the inspectorate had relatively little expertise in this area.

Following the Piper Alpha disaster the DoEn brought inregulations to require ESVs to be placed nearer to sea leveland for the valves to be of full ESV standard. The reportnotes that of the 400 risers covered by the regulations, some70 required modification in the latter respect.

The regime made little use of formal safety assessment(FSA). This was in contrast to the regulatory use of FSAonshore, and in particular the onshore safety case. TheDoEn had in fact explicitly rejected the concept of an off-shore safety case. This policy also contrasted with thesituation in the Norwegian sector, where a concept safetyevaluation (CSE) was required. Quantitative risk assess-ment is required in a CSE and is often necessary to fulfilthe requirements of a safety case.

Considerable evidence was heard on quantitative riskassessment (QRA). The burden of this evidence was thatQRA is in regular use in many companies as an aid todecision-making both for onshore and offshore installa-tions and that there was no serious impediment to this fromany problems of overall methodology, frequency estima-tion, consequence modelling or risk criteria.

In contrast to the HSE, the DoEn was not well equippedto operate a regime based on goal-setting regulations andFSA. It had no experts in FSA or fire protection.

A number of recommendations which would have metsome of the points on which the DoEn was criticized hadbeen made in the Burgoyne Report (Burgoyne, 1980), buthad not been implemented.

A19.7 Some Lessons of Piper Alpha

A19.7.1 Some lessonsLessons from the Piper Alpha disaster are considered inthis section with the exception of the recommendations ofthe report on the offshore safety regime which are con-sidered in Section A19.8. A list of some of the lessons isgiven in Table A19.2. Many apply particularly to offshoreinstallations, but others are of more general applicability.

Regulatory control of offshore installationsThe Piper Alpha disaster exposed weaknesses in the off-shore regulatory regime which have already been described.The lessons drawn are seen in the recommendations given inSection A19.8.

Quality of safety managementThe PiperAlpha Report is critical of the quality of manage-ment, and particularly safetymanagement, in the company.

It was not that the company did not put effort into safety.On the contrary, there were numerous meetings and muchtraining on safety. The problem was the quality of theseactivities.

Many managers had come up through the ranks and hadminimal qualifications.The culture tended to be somewhatin-grown and insufficiently self-critical.

These defects manifested themselves in various wayssuch as in the toleration of poor practices in plant isolationand operation of the PTWsystem; in the failure to appreci-ate the ineffectiveness of the audits done; in the failure toaddress the major hazard problem and to use FSA. Thereport comments:

Senior management were too easily satisfied that thePTWsystemwas being operated correctly, relying on theabsence of any feedbackof problems as indicating that allwaswell.They failed to provide the training necessary toensure that an effective PTW system was operated inpractice. In the face of a known problem with the delugesystem they did not personally become involved in prob-ing the extent of the problem and what should be done toresolve it as soon as possible.They adopted a superficial

P IPER ALPHA APPEND IX 19 / 1 1

response when issues of safety were raised by others, . . .They failed to ensure that emergency training was beingprovided as they intended. Platform personnel and man-agement were not prepared for amajor emergency as theyshould have been. (para 14.52)

A crucial weakness was failure to appreciate thatabsence of feedback to management about problems isalmost certainly an indicator not that there are no problemsbut that there are, and they could be serious. Of one OIM thereport states: ‘His approach seemed to be, in his ownwords,‘‘surely that is all you are concerned with about the permitsystem . . . If the system is working and no problems areidentified . . . then you should be reasonably happy withit, surely?’’ . . . He had been surprised by the number ofdeficiencies in the operation of the permit system whichhad been revealed in the Inquiry. He had checked this outand found it to be true.’ Of another manager it states that hesaid ‘he knew that the system was monitored on a dailybasis by safety personnel. By the lack of feedback he ‘‘knewthat things were going all right and there was no indicationthat we had any significant permit to work problems’’.’(para 14.26)

Safety management systemOnshore the quality of the management and the manage-ment system are of prime concern to the HSE in its inspec-tions in general and in the safety case in particular. Insubmitting a safety case a company will often give exten-sive documentation on its systems. Nevertheless, in theregulations the formal requirements on management arefairly minimal.

The Inquiry heard evidence in favour of the assurance ofsafety through the use of quality assurance to standards

such as BS 5750 and ISO 9000. It also heard evidence on theneed for better qualified management, including a pro-posed requirement for all OIMs to be graduates.

The concept of a safety management system goes partway towards these insofar as the system itself is based onprinciples similar to those of quality assurance and coversthe question of management quality.

Documentation of plantThe discrepancies in the documentation concerning therating of the flange on PSV 504 have already been men-tioned. The Inquiry in fact heard of a number of otherdefects in the documentation of the plant. Failure to main-tain correct records can have serious consequences.

Fallback states in plant operationThe loss of the working condensate pump on Piper createda situation where operating personnel were under somepressure to start the other pump and avoid a gas plant shut-down with its possible escalation to a total shut-down, lossof power and the need for a ‘black start’. In this case thepressure was created partly by the view which an indivi-dual took of the probability that the changeover of the maingenerators from gas to diesel would fail.This illustrates thedesirability of ensuring that plants have fallback statesshort of total shut-down. In this case the problemwas in thereliability of changeover, a type of problem which may liewith design or with maintenance.

Permit-to-work systemsThe defects in the PTW system have already been descri-bed. These defects led directly to a situation where con-densate was admitted to a pump from which the PSV hadbeen removed and hence to the disaster. The Piper AlphaReport devotes considerable attention to the need for aneffective system.

Isolation of plant for maintenanceThe Piper Alpha Report states that the disaster would nothave occurred if A pump had been positively isolated sothat condensate could not be admitted. Positive isolation isnot achieved by shutting avalve but requires means such asinsertion of a slip plate or removal of a pipe section.

Training of contractors’ personnelThe proportion of contractors’ personnel on an offshoreinstallation can be as high as 70%. The offshore scenetherefore exemplifies in extreme form a problem whichapplies to onshore plants also. This is the need to traincontractors’ personnel in the company’s operating andemergency systems and procedures. Failure to train a con-tractor’s supervisor in the operation of the PTWsystem onPiper meant that he was unfamiliar with a feature of thesystem which turned out to be a critical one.

Disabling of protective equipment by explosion itselfThe initial explosion on Piper disabled large parts of theprotective systems, including power supplies and firewater supplies. It illustrates the importance of taking thisfactor into account in design and in FSA.

Offshore installations: control of pressure systems forhydrocarbons at high pressureAn offshore production platform contains a large amount ofplant containing hydrocarbons at high pressure. The feed

Table A19.2 Some lessons of Piper Alpha

Regulatory control of offshore installationsQuality of safety managementSafety management systemDocumentation of plantFallback states in plant operationPermit-to-work systemsIsolation of plant for maintenanceTraining of contractors personnelDisabling of protective equipment by explosion itselfOffshore installations: control of pressure systems for

hydrocarbons at high pressureOffshore installations: limitation of inventory on

installation and in its pipelinesOffshore installations: emergency shut-down systemOffshore installations: fire and explosion protectionOffshore installations: temporary safe refugeOffshore installations: limitation of exposure of

personnelOffshore installations: formal safety assessmentOffshore installations: safety caseOffshore installations: use of wind tunnel tests and

explosion simulations in designThe explosion and fire phenomena

Explosions in semi-confined modulesPool firesJet flames

Publication of reports of accident investigations


to this plant is from the wells, which can sometimes behavein an unpredictable way. The pipelines connected to theplatform contain large quantities of hydrocarbon, the highpressure gas pipelines constituting a particularly serioushazard.

There needs therefore to be a comprehensive system forthe control of the total pressure system, covering design,fabrication, installation, operation, inspection, main-tenance and modification and including control of suchfeatures as materials of construction, lifting of loads and soon and personnel need to be trained in the purposes andoperation of system.

Offshore installations: limitation of inventory oninstallation and in its pipelinesThe scale of the Piper disaster was due primarily to thelarge inventory of the three high pressure gas pipelinesconnected to the platform. The Inquiry heard evidence onthe practicalities of reducing the number of gas pipelinesconnected to a platform. There are many technical pro-blems involved, but the point has been made that suchreduction should be a design objective.

The main inventory of hydrocarbons in process on a plat-form is in the separators. The massive oil pool fire on Piperwas fed from the separators. The PiperAlpha Report recom-mends that methods of dumping this inventory be explored.

Evidence was also heard that in some cases the maininventory of hydrocarbons on a platform might be thediesel fuel.

The alternative method of preventing the hydrocarboninventory from feeding a fire is emergency isolation, whichis considered next.

Offshore installations: emergency shut-down systemThe ESD system on Piper operated, shut-down ESVs andblew the gas inventory on the platform down to flare.

Nevertheless, the accident drew attention to a number ofproblems in effecting isolation, some specific to offshoreplatforms and some more generally applicable.

The Tartan riser ruptured on the outboard side of theESV so that closure of this valve was of no avail. It is clearthat an ESV needs to be located as close to the sea level aspractical in order to minimize this risk.

It is possible to go one step further and install a subseaisolation valve, but this is for consideration on a case-by-case basis.

Both types of isolation valve received considerableattention in the Inquiry. However, neither will be effectiveunless it achieves tight shut-off.The evidence that the mainoil line and the Claymore gas line ESVs did not shut-offtightly emphasizes the importance of this feature.

Moreover, in order to be effective the ESD system has tobe activated.The fact that on Piper closure of the three gasline ESVs was not part of the platform ESD but had to beeffected for each line separately by manual pushbutton,that these buttons were not pushed and that closure onlyoccurred due to loss of power shows that this problem alsois not a trivial one.

Offshore installations: fire and explosion protectionAn offshore installation is not in general able to call onoutside assistance comparable with that available from thefire brigade to an onshore plant. It must be self-reliant.

This implies that both protection against, and mitigationof, fire and explosion on the one hand and fire fighting on

the other are of particular importance and that both thehazard assessment and the design and operation of theplant must be of high quality.

Offshore installations: temporary safe refugeIt is clear from the Piper disaster that there needs tobe a temporary safe refuge (TSR) where personnel canshelter in an emergency and where the emergency can becontrolled and evacuation organized.

This TSR will normally be the accommodation. In mostcases it will be on the production platform itself, but it maybe on a separate accommodation platform.

The protection of the TSR from ingress of smoke andfumes from outside and from generation of fumes by firesplaying on the outside needs careful attention. Measuresrequire to be taken to prevent smoke ingress through doorsand through the ventilation system.

Offshore installations: limitation of exposure of personnelThe concept of aTSR is a particular application of the moregeneral principle of limitation of exposure of personnel.The Inquiry also heard evidence of the application of theprinciple to other aspects such as the location of workshops.

Offshore installations: formal safety assessmentThe evidence showed that many companies which operateinstallations onshore and offshore have formal systems forsafety assessment and practise FSA routinely, that FSAhas considerable benefits in the design and operation ofplant and that it provides a suitable basis for dialoguebetween the company and the regulatory body.

Offshore installations: safety caseA safety case is a particular form of FSA. The evidenceindicated that a safety case is as applicable offshore asonshore and that it is a suitable means for the company todemonstrate to the regulatory body that it has identifiedthe major hazards of its installation and has them undercontrol.

Offshore installations: use of wind tunnel tests andexplosion simulations in designWind tunnel tests and explosion simulations were used inthe Inquiry to investigate the cause of the explosion, butevidence was also heard of their value in platform design.

Wind tunnels may be used to assess the effectiveness ofventilation and of the gas detection system in a module, thewind conditions at the helideck and the movement of smokefrom oil pool fires. Explosion simulations may be used toinvestigate the effect of different module layouts on explosionoverpressures and to assess the effectiveness of blast walls.

The explosion and fire phenomenaThe Piper disaster drew attention to several importantaspects of explosion and fire on offshore installations.These include explosions in semi-confined modules, oilpool fires and jet flames.

Explosions in semi-confined andcongestedmodules are ahazard which assumes particular significance offshore.Although major progress has been made in the last decadein simulating such explosions and developing designmethods, this remains an areawhere furtherwork is needed.

Oil pool fires onshore are relatively well understood, butthis does not apply to the behaviour of such a pool fire onan offshore platform. Aspects of some importance are

P IPER ALPHA APPEND IX 19 / 1 3

design to prevent accumulation of an oil pool in the firstplace and the massive smoke plume from such a fire.

Jet flames, including jet flames from risers, are particu-larly important for offshore platforms. In this case there areavailable a number of models developed for flares andflames on onshore plant, including pipelines, which can beapplied offshore.

Evidence given indicated that in considering the hazardof a jet flame from a riser, the worst case was not necessa-rily a full bore rupture but a partial rupture, since the latteris sustained for a longer period.

Publication of reports in accident investigationThe Inquiry heard that the company had a policy ofseverely restricting circulation of accident investigationreports.

Likewise, the DoEn did not make public reports on majoroffshore accidents. This contrasts markedly with the HSEpolicy of issuing reports on major accidents, many of whichare referred to in this book.

A19.7.2 An accident modelThe following outline of a model of the accident highlightsthe role played by some of the features just mentioned:

Deficencies in

Initial event:gas explosion

Operational control

Escalation 1:explosion damage

Hazard identification,assessment and management

Explosion mitigationEscalation 2:

oil pool fireHazard identification,

assessment and managementFire mitigation and fire fightingInter-platform emergency

planningEscalation 3:

riser ruptureHazard identification,

assessment and managementFire protection of risers

Escalation 4:accommodationfailure

Hazard identification,assessment and management

TSR fire and smoke protectionEmergency command

and control

A19.8 Recommendations on the OffshoreSafety Regime

The Piper Alpha Report makes recommendations forfundamental changes in the offshore safety regime.

The basis of the recommendations is that the responsi-bility for safety should lie with the operator of the installa-tion and that nothing in the regime should detract from this.

The offshore regime envisaged in the recommendations isone inwhich the emphasis is on the operator demonstratingto the regulatory authority the safe design and operation ofits installation rather than demonstrating mere compliancewith regulations. In this regime the preferred form of reg-ulations is goal-setting rather than prescriptive.

The recommendations envisage that FSA will play amajor role. It may be used to demonstrate compliance with agoal-setting regulation or with the general requirements ofthe HSWA.

A central feature of the regime proposed is the safetycase for the installation.This safety case is broadly similarto that required for onshore installations but there are someimportant differences. In the offshore safety case it isrequired that the operator should demonstrate that theinstallation has a TSR in which the personnel on theinstallation may shelter while the emergency is broughtunder control and evacuation organized.

Further, it is recommended that this demonstrationshould be by QRA. This means that there must be criteriawhich define the failure of the TSR and criteria for itsendurance time and its failure frequency. The criteriamay then be met by reducing the frequency of accidentalevents, by increasing the durability of theTSR or by somecombination of these.

The recommendation on the safety case includes arequirement that the operator should demonstrate that ithas a safety management system (SMS) to ensure the safedesign and operation of the installation. This SMS shoulddraw on quality assurance principles similar to those of BS5750 and ISO 9000.The elements of the SMS should includethose listed in Table A19.3. They include managementpersonnel standards.

Various measures related to hardware were urged at theInquiry. These included the provision of separate accom-modation platforms, the installation of subsea isolationvalves and blast walls, the use of freefall lifeboats andpurpose-built standby vessels. The report takes the view,however, that in accordance with its basic philosophy suchmatters should be dealt with as part of the demonstration ofsafe design and operation.

The report considers that the then current regulatorybody, the DoEn, is unsuitable as the body to be chargedwith implementing the new regime and recommends thetransfer of responsibility for offshore safety to the HSE.

These recommendations were accepted immediately bythe government and the new regime under the HSE beganin April 1991.

Table A19.3 Some elements of the safetymanagement system

Organizational structureManagement personnel standardsTraining, for operations and emergenciesSafety assessmentDesign proceduresProcedures, for operations, maintenance, modifications

and emergenciesManagement of safety by contractors in respect

of their workInvolvement of the workforce (operator’s and contractors’)

in safetyAccident and incident reporting, investigation

and follow-upMonitoring and auditing of the operation of the systemSystematic re-appraisal of the system in the light of

experience of the operator and industry


pages from lees loss prevention in the process industries

Documents