Risk Analysis and Risk Management for Offshore Platforms: Lessons From the Piper Alpha Accident

M. E. Pate-Cornell
Professor, Department of Industrial Engineering and Engineering Management, Stanford University, CA 94305

A probabilistic risk analysis (PRA) framework is used to identify the accident sequence of the 1988 Piper Alpha accident. This framework is extended to include the human decisions and actions that have influenced the occurrences of these basic events, and their organizational roots. The results of this preliminary analysis allow identification of a wide spectrum of possible risk reduction measures, ranging from classical technical solutions such as addition of redundancies, to organizational improvements such as a change in the maintenance procedures. An explicit PRA model is then developed to assess the benefits of some of these safety measures based, first, on the original contribution to the overall risk of the failure modes that these measures are designed to avert, and second, on the degree to which they can reduce the probabilities of these failure modes. PRA can then be used as a management tool, allowing optimization of risk management strategies based both on the qualitative information about causalities provided by the accident, and on the quantitative information about failure probabilities updated in the light of new events. It is shown how PRA can be used to assess, for example, the cost-effectiveness of safety measures designed to decrease the probability of severe fire damage on-board platforms similar to Piper Alpha.

1 Learning From Piper Alpha

1.1 Objectives and Tools. The platform Piper Alpha (Figs. 1 and 2) was destroyed in July 1988 in a catastrophic fire that started with a leak at the site of a blind flange assembly[1] which caused a succession of fires and explosions on the deck. An intense jet fire from a broken riser under the platform eventually caused the failure of the structure under an intense, prolonged heat load, and the death of 167 men. Two in-depth enquiries followed (Petrie, 1989; Lord Cullen, 1990) and a series of studies were undertaken to derive the lessons from this disaster (e.g., The Institute of Marine Engineers, 1991). Obviously, one of the objectives of the official investigations is to determine the legal implications of the accident. Another one, perhaps more important, is to understand what happened so as to prevent its replication[2]. What complicates a postmortem analysis is that the blame can be allocated in different ways according to the perspective of the investigator. The causes of the Piper Alpha disaster can be seen as a set of technical failures (due, for example, to lack of redundancies in critical systems), or as an operator error during maintenance operations (i.e., a failure to tag the space of a safety valve replaced by a blind flange during maintenance operations) or as a fundamental design error (e.g., a layout that did not properly separate production modules from living quarters and command and control functions).

[1] A blind flange (or line blank) is a pressure-retaining steel plate bolted in place between the flanges of two pipe sections or at the end of a pipe flange, whose function is to block the flow in the pipe (API, 1985).

[2] There are probably other platforms in operation that are experiencing problems similar to those that led to the Piper Alpha accident, but have survived so far. The factors identified here should be an indicator of "accidents waiting to happen." There is no attempt in this paper to determine with what prior probability such an accident might happen because such an assessment relies on detailed information about particular platforms. The probabilistic model presented further allows computation of risk reduction benefits for specified safety measures and for a given platform.

Contributed by the OMAE Division for publication in the JOURNAL OF OFFSHORE MECHANICS AND ARCTIC ENGINEERING. Manuscript received by the OMAE Division, October 11, 1992; revised manuscript received January 22, 1993. Technical Editor: S. K. Chakrabarti.

Fig. 1 The platform Piper Alpha (Petrie, 1988) [figure; the only legible label is "module support frame"]

Journal of Offshore Mechanics and Arctic Engineering, AUGUST 1993, Vol. 115 / 179. Copyright © 1993 by ASME

Fig. 2 Location of modules (east elevation) (Petrie, 1988)

It can also be argued that the accident was caused by management and by the failure of a corporate decision process that had expanded the platform's systems beyond what the original design could safely accommodate in a preplanned manner. In effect, the organizations that influenced operations on Piper Alpha included, not only Occidental Petroleum that operated it, but also the oil industry at large, and the U.K. government authorities, which, at that time, had often adopted a hands-off attitude for economic and political reasons (Carson, 1982). Some of the basic management issues include production pressures (rooted in the corporate definition of financial constraints), deficiencies in personnel management, inappropriate inspection and maintenance procedures, flaws in the design guidelines, and numerous modifications of the platforms network without sufficient feedback to the original design to understand their effects on the safety of the whole system. All of these factors, organizational and technical, contributed to the accident, with a hierarchy of causalities among them. As with many disasters, what ended up in a sequence of technical failures and human errors started mostly as a management problem (Perrow, 1984).

There are, therefore, at least two ways to seek improvements given the lessons of Piper Alpha: to implement mostly technical remedies (e.g., better fire walls), and/or to promote better management practices (e.g., improvement of maintenance operations, or reduction of the production level in specified situations following certain alert signals). Such measures can either be adopted voluntarily by the industry or imposed by regulatory authorities. Obviously, in a comprehensive approach, both engineering and managerial improvements must be considered. Both types of measures, however, are costly in the short term. Engineering modifications often call for redundancies and decouplings that require additional equipment and/or space. Organizational modifications generally increase safety at the cost of an occasional reduction of the platform production level.

Learning from the Piper Alpha accident thus requires understanding: 1) the effects of technical and organizational deficiencies on the occurrence of the chain of events in the accident of July 6, 1988, 2) the dependencies among technical and organizational failures, and 3) the costs and the benefits of risk reduction measures. The Piper Alpha Technical Investigation Report (Petrie, 1988) and the Public Enquiry into the Piper Alpha Disaster (Cullen, 1990) are important sources of factual information. They set the background of the accident, establish the sequences of relevant events, and make recommendations for the future. There is little attempt in either study, however, to structure systematically the causal links among events, decisions, and organizational factors that eventually led to the disaster, or to assess their relative contributions to the occurrence and the consequences of the accident. Some of these management issues, however, have been addressed by Carson, a specialist of criminology, in a study of oil and gas production operations in the British sector of the North Sea (Carson, 1982). Written before the Piper Alpha accident, this book describes the political, economic, and regulatory climate in which the petroleum companies operated at the time in that region of the world, and its effects on safety.

The study presented here (Pate-Cornell, 1992) is based on these documents and other sources of information (including Bea, 1991; and Gale, 1991). The objectives of this paper are: 1) to provide a framework to capture relations of causality between the different elements (technical, managerial, and organizational) of the Piper Alpha accident, and 2) to derive and evaluate a set of risk management recommendations. The goal is to organize a "defense-in-depth" against platform accidents, to set priorities among safety measures and to optimize the use of risk management resources.

In the first part, an extended risk analysis model structure is used to identify the failure mode corresponding to the Piper Alpha accident (including event dependencies), the decisions and actions that led to these events, and the organizational factors that promoted these decisions and actions. This analysis points to a set of possible risk reduction measures (both technical and organizational) of which a few are identified here. In the second part, a quantified PRA model is developed. The objective is to obtain coarse estimates of the overall safety benefits of these measures as a function of their reduction of
the probability of the basic events of the different failure modes. A general risk analysis model (extended to link basic events to organizational factors) is presented here to that effect, and a more specific formulation is developed for a simplified system of emergency water pumps. No numerical computation is carried out at this stage.

1.2 Risk Management Strategies and Defense-in-Depth. The goal is to learn from the Piper Alpha accident and to identify the most cost-effective remedial measures. This perspective permits avoiding the classic debate: "it was mostly a technical failure (just add redundancies and everything will be fine);" "it was an operator error (those are unpredictable: to err is human; so it is not our fault)," "it was, in fact, a management failure (don't blame us; it is their fault)." It is often all three: most accident sequences do involve some technical failures (here, of a blind flange in module C) that were promoted or directly caused by some human decision or error (here, the failure of a maintenance crew member to tell the night shift operators that a pressure relief valve had been removed from a condensate injection pump). But one reason why the fire turned into a catastrophe is that flaws in the design guidelines allowed it to spread unchecked to critical facilities and to block the evacuation routes. These human errors are often (but not always) promoted or directly caused by management, its priorities and its philosophy of design and operation (Pate-Cornell, 1990). For example, in the U.S., requirements for backups are quite specific for production equipment (API-RP23), much less specific for safety equipment, and nonexistent for the composition of the crew[3]. There is, therefore, considerable latitude in the choice of the number and qualification of the personnel on board. As it is shown further, different aspects of the management structure, procedures, and culture at all stages of the platform life (design, construction, and operation) influenced the probability of the events that occurred during the Piper Alpha accident.

[3] In the U.S., a recent report of the National Academy of Sciences recommends to the Mineral Management Services to issue guidelines regarding personnel as well as equipment.

It has been shown elsewhere that more than 90 percent of the failure probability of jacket-type offshore platforms involves at least some human errors or questionable judgments that are grounded in organizational factors and result in technical deficiencies (Pate-Cornell and Bea, 1989). Risk management can thus be viewed as the design of a comprehensive strategy combining technical and managerial elements, for example, inspection and maintenance procedures adapted to the failure probabilities of the different components and their criticality to the overall system safety (Pate-Cornell et al., 1987).

A key concept, used for instance in the nuclear power industry, is that of "defense-in-depth" that ensures several layers of protection against the dangers of an accident initiator. For fires on platforms, defense-in-depth against fires would involve: 1) reducing the probability that flammable material meet an ignition source; 2) providing well-maintained emergency equipment and safety features to detect and extinguish the fire automatically at an early stage; 3) providing fire walls, insulation of dangerous equipment (e.g., risers) and physical separations to prevent the fire from spreading; 4) emergency procedures, personnel training, and accessible, redundant evacuation routes; and 5) reinforcement of the structure itself against heavy, sustained fire loads. The study of an accident allows improvement of the current risk management practices for existing platforms to the extent that it reveals the possibility of scenarios that had been overlooked, and also, because it permits updating the probabilities of the events that occurred (or did not) during the accident. This updating of the risk estimates allows the decision maker to choose the most cost-effective alternatives among risk reduction measures.

1.3 The Fallacy of Probabilities After the Fact. After a catastrophe, there is often a debate about the prior probability of the accident: on one hand, there are often some who claim that it was "an accident waiting to happen" (i.e., it had a very high prior probability), that warning signals were ignored, and that clearly unsafe practices were tolerated and even encouraged; on the other hand, others are often quick to point out that the conjunction that led to the accident was very unlikely and that it was rational to tolerate the risk given the state of knowledge at the time. Those characterize the tragedy as "a freak event" or an unpredictable, unavoidable "human error."

The task of assessing a posteriori the probability of an accident that has already happened is generally a futile exercise, except, perhaps, in the rare instances where the accident is the direct result of a specific event (or a clear chain of simple events) for which there is strong statistical evidence to support a probability of occurrence. For instance, when a flood with a known return period occurs, one can claim that it was (and remains) an event of probability X. For most accident sequences, however, the probability a posteriori can be made arbitrarily small depending on the level of detail that one adopts in the description of the accident. In other terms, the probability of the accident computed after the fact is determined by the way the accident is described. For example, if one specifies precisely the element that failed, the specified amount of gas released, the exact ignition source, etc., the identified conjunction of events can be attributed an extremely low probability, which can even be made lower if one specifies further details (time of the day, weather conditions, etc.), and as many factors as one may choose.

What matters, for risk management purposes, is the class of relevant events that may lead to a particular type of accident, not the details of the scenarios. The choice of the relevant class of events is to some extent arbitrary (and part of the art of risk assessment), but determines the value of the information provided by the analysis. In the case of Piper Alpha, as it is described in the forthcoming, the critical classes of events are: a release of flammable material in module C; ignition; a sequence of explosions and fires leading to rupture of a riser and bringing fuel at full capacity from an adjacent platform; an intense fire under the platform that could not be controlled; and the death, mostly by smoke inhalation, of a large number of people in the quarters who did not receive evacuation orders.

1.4 System Complexities and Failure Dependencies. Complexity and couplings have sometimes been presented as the major source of failure risk in technical systems (Perrow, 1984). Piper Alpha presents examples of both. On offshore platforms, both are unavoidable to some degree: the level of decoupling that can be achieved after careful design still depends on the resources that one is willing to invest to increase the size of the topside.

A simpler system is generally preferable for management reasons: design errors are easier to detect, management and maintenance are simpler and less expensive, and in an emergency, diagnosis and response are quicker and easier than in a complex one. Complexity per se, however, does not automatically reduce system safety. Risk depends on the system's configuration. Adding one element in series to an existing system (e.g., one more ignition source) generally increases its failure probability because the failure of this element is one more event that leads to system failure, unless the presence of this element decreases considerably the failure probability of the other components. Adding an element in parallel (e.g., a redundancy in the power supply), however, generally increases
both complexity and safety. The actual increase of safety depends on the level of dependency ("coupling," correlation) between the failures of the redundant elements: if they are highly positively correlated, the gain of redundancy is lower than if they are independent. It is thus advantageous to try to "decouple" to the greatest extent possible the potential failures of parallel subsystems, in particular when they are subjected to common causes of failure such as explosions or fires. Therefore, in general, even when there is a coupling between the parallel elements, the addition of redundancies brings some additional safety[4]. In the final analysis, the optimum level of complexity for maximum safety is the result of a trade-off between the number of redundancies, the level of coupling of these redundancies under common loads and external events, the space occupied by additional components, and the benefits to these additional elements. New communication links and computers, for instance, generally bring complexities and occupy scarce space for the benefit of the information that they provide. Only a global analysis provides an estimate of the balance.

[4] This is not true, however, when the additional redundant element creates the danger of an additional common cause of failure. This was the case, for example, of the auxiliary power units of the space shuttle: the addition of a third redundant element on the one hand decreased the probability of unavailability of the system, but, on the other hand, increased the probability of hydrazine release that constituted a common cause of failure of other subsystems. The net result of a third redundancy was a decrease of the system's safety (Garrick, 1988).

The problem, in fact, is often compactness (and disorder) as much as complexity: a compact and disorganized system is difficult to access, to monitor, to maintain, and the proximity of components packed in a tight space increases coupling. Technical couplings (or a high degree of dependency among component failures) do increase failure probabilities and are unavoidable when a large number of components have to be packed into a small area. The art of design for safety within space constraints is to try to avoid:

• Failure dependencies among redundant elements, either because the failure of one is the direct cause of failure of another, or because the same common cause of failure (e.g., an explosion) is likely to destroy both. For example, one generally tries to physically separate the hydraulic lines of an airplane, to disperse safety equipment, and to provide separate emergency power sources for redundant safety systems.
• Propagation of the effects of an external or internal event among adjacent elements in series (e.g., fire propagation, or domino effect in an earthquake).
• Component failures that can cause a release of chemical, energy, or other external or internal load increasing the probability of failure of other components.
• Location in the same space of fuel and possible sources of ignition (e.g., electrical equipment), especially when external correlations are possible (the same event can cause simultaneous failure of the fuel container and of the electrical equipment).

Organizational couplings are as much a threat to system safety as technical couplings. High dependencies in inspection and maintenance operations of two redundant elements (e.g., by the same individual repeating the same mistake) increase the likelihood that the same signals of deterioration are missed or that the same shortcuts are taken. More generally, the philosophy of the organization, its attitude towards safety, and the incentives that it provides for the management of the trade-off between production and safety constitute a strong source of dependencies among failures of different systems and are perhaps the most important source of couplings. In the case of Piper Alpha, the platform experienced a double decapitation when, at the onset of the accident, it lost both its control room and the OIM function. The former was caused by technical couplings; the control room was located in the vicinity of the production modules. The latter was caused by couplings and lack of backups in the structure of the on-board organization; many safety decisions depended directly on the OIM, and there was no immediate alternative authority to order the evacuation and to coordinate fire-fighting operations[5].

[5] A tightly coupled organization, however, can also be a source of reliability to the extent that someone is clearly in charge, that there is a common purpose, and that supervision and feedback are available when needed (Roberts, 1990).

Fig. 3 Hierarchy of root causes of system failures: management decisions, human errors, and component failures (Pate-Cornell, 1992). E_i: basic events of the Piper Alpha accident sequence; A_ij: decisions and actions that influenced the probability of event E_i; O_k: organizational factors that influenced the A_ij's. [Figure: three levels, top to bottom: organizational level (meta decisions: process, procedures, structure, culture); decisions and actions level (decisions in specific cases); basic events (component failures and operator errors), linked through effects on component reliability.]

2 Part 1: The Risk Analysis Framework for Postmortem Analysis

2.1 A Three-Step, Bottom-Up Approach to Technical and Organizational Factors. A postmortem analysis is not a quantitative risk analysis because there is no uncertainty about the outcome; in this case, the platform was lost in a fire[6]. The risk analysis model structure, however, is useful to analyze causalities in the accident scenario. In addition, to capture management effects, this framework is extended to include some organizational factors, addressing sequentially the following questions:

1 What are the technical and human elements (basic events) of the main accident sequence, including: initiating event(s), component failures, operator errors, the final states of the system's components[7], and the consequences of the accident? This scenario can be identified as one of the failure modes in a general risk analysis model.

2 For each of the primary elements of this accident sequence, what are the decisions that have been made and the actions that have been taken (prior to the accident in the different phases of design, construction, and operation of the platform, or during the accident itself) that influenced the probabilities of the basic events and the severity of their consequences?

3 For each of these decisions and actions, what are the organizational factors that have contributed to their occurrences and their consequences?

[6] There may be uncertainty, however, about the exact sequence of events that led to the accident. In this case, Bayesian technique can be used to assess the relative probabilities of the different possible scenarios, i.e., their probabilities conditional on the outcome.

[7] The "final" state of a subsystem refers here to the state of this subsystem at the end of its useful life (i.e., functional or not) that determined the loss, rather than its chronologically final state at the bottom of the sea.

A description of this hierarchy of accident contributors is presented in Fig. 3. In further sections and in Fig. 3, the notations are the following:

Basic Events: The basic events of the Piper Alpha accident have been labeled E_i, from i = 1 ("process disturbance") to i = 46 ("loss of the platform").
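The series/parallel and coupling arguments of Section 1.4, and the redundancy trade-off of footnote 4, worked through numerically as an added Python example (not code from the paper, which carries out no numerical computation at this stage). It assumes two constructed toy models, a correlation rho between the failure indicators of two redundant elements and a common-cause event whose probability grows with every redundant element installed; the values p = 0.1 and 0.02 per element are constructed, not figures from the paper.

```python
"""Toy reliability arithmetic for the coupling argument of Section 1.4.

Constructed example (not from Pate-Cornell, 1993). Assumed models:
- every component fails with the same marginal probability p;
- coupling between two redundant elements is a Pearson correlation rho
  between their Bernoulli failure indicators;
- alternatively, each installed redundant element adds a fixed amount to
  the probability of a common-cause event that defeats all of them
  (a beta-factor-style stand-in for the hydrazine hazard of footnote 4).
"""


def series_failure(ps):
    """Series chain of independent elements: the system fails if any one
    of them fails. Adding an element can only raise this value."""
    surviving = 1.0
    for p in ps:
        if not 0.0 <= p <= 1.0:
            raise ValueError("probabilities must lie in [0, 1]")
        surviving *= 1.0 - p
    return 1.0 - surviving


def correlated_pair_joint(p, rho):
    """Joint distribution of two failure indicators (X, Y), each
    Bernoulli(p), with correlation rho in [0, 1].

    Returns {(x, y): probability}. rho = 0 gives independence,
    rho = 1 makes the two elements fail or survive together."""
    if not 0.0 <= rho <= 1.0:
        raise ValueError("rho must lie in [0, 1]")
    both = p * p + rho * p * (1.0 - p)
    one = p * (1.0 - p) * (1.0 - rho)
    neither = (1.0 - p) ** 2 + rho * p * (1.0 - p)
    return {(1, 1): both, (1, 0): one, (0, 1): one, (0, 0): neither}


def parallel_pair_failure(p, rho):
    """1-out-of-2 redundancy fails only when both elements fail."""
    return correlated_pair_joint(p, rho)[(1, 1)]


def redundancy_gain(p, rho):
    """Factor by which the second element lowers the failure probability
    relative to a single element. Shrinks from 1/p (independent) to 1
    (perfectly coupled: the redundancy buys nothing)."""
    return p / parallel_pair_failure(p, rho)


def parallel_with_common_cause(p, n, cc_per_element):
    """n-fold redundancy where every installed element raises the
    probability of a common-cause event (fails all n) by cc_per_element.
    The independent-failure term p**n shrinks with n, the common-cause
    term grows with n: this is the trade-off described in footnote 4."""
    if n < 1:
        raise ValueError("need at least one element")
    q = min(1.0, n * cc_per_element)
    return q + (1.0 - q) * p ** n


def optimum_redundancy(p, cc_per_element, n_max=6):
    """Number of parallel elements (1..n_max) that minimises the
    subsystem failure probability under the common-cause model."""
    return min(range(1, n_max + 1),
               key=lambda n: parallel_with_common_cause(p, n, cc_per_element))


if __name__ == "__main__":
    p = 0.1  # constructed marginal failure probability of one element
    print("series, 2 then 3 elements:",
          series_failure([p, p]), series_failure([p, p, p]))
    for rho in (0.0, 0.5, 1.0):
        print(f"parallel pair, rho={rho}: P(fail)={parallel_pair_failure(p, rho):.4f}"
              f"  gain x{redundancy_gain(p, rho):.1f}")
    cc = 0.02  # constructed common-cause increment per installed element
    for n in range(1, 5):
        print(f"{n} redundant element(s) with common cause:",
              f"{parallel_with_common_cause(p, n, cc):.5f}")
    print("optimum number of elements:", optimum_redundancy(p, cc))
```

With these constructed values the second redundant element lowers the failure probability (0.118 to 0.0496) while a third raises it again (0.0609), the space-shuttle pattern of footnote 4.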
Decisions and Actions: For each basic event E_i, a set of decisions and actions have been identified and labelled A_ij (e.g., for E_1, process disturbance, from j = 1: "decision to produce in Phase 1," to j = 5: "design of the trip signals"). Each decision and action is related to the phase of the platform life when it occurred (DES: design, CON: construction, OP: operation, and specifically, OPM: maintenance during operation).

Organizational and Managerial Factors: Decisions and actions in each phase are then linked to different organization and managerial factors (O_k). The sets {E_i} and {A_ij}, therefore, provide a systematic tree (or matrix) structure for linking events, failures, errors, and decisions. After grouping the A_ij's by platform life phase, the set of organizational factors {O_k} provide the next level of linkage between failures and management.

This method, therefore, relies on a "bottom-up" approach, starting from specific, technical failures, to capture the corresponding decisions and management factors. It is the reverse of the top-down approach often used in the study of organizations, starting from organizational features (structure and procedures) to assess their impact on performance.

The use of the results for risk management decisions then involves:

(a) identification of possible risk reduction measures that decrease the probabilities of the basic failures and events, either directly, or because they influence the decisions and actions that can cause these basic failures;
(b) estimation of the costs and the benefits of these measures, which may require either a partial risk analysis for measures that affect a limited number of specific scenarios, or a complete risk analysis for those that reduce the probabilities of events common to several failure modes.

2.2 The Accident Sequence. The elements of the accident sequence, starting from a process disturbance (event E_1) and ending with the loss of the platform (E_46), are described extensively elsewhere (Pate-Cornell, 1992). They are listed in Appendix A. Figure 4 is an influence diagram representation of the causalities among these basic events.

Fig. 4 The Piper Alpha accident scenario influence diagram representation showing event dependencies

The initiating events included an initial explosion that could not be controlled by the existing blast walls, caused a fire, which in turn produced a second explosion following which the fire spread across the top side and the production modules. The most intense heat load came from the jet fire that occurred under the platform following the failure of the riser from platform Tartan.

The fire spread fast and could not be controlled because of a sequence of failures of the emergency and control systems. The platform suffered almost from the beginning from a double decapitation, technical with the loss of the control room located right above the production modules, and organizational with the loss of the OIM. The OIM panicked, did not give evacuation orders, and was killed in the living quarters. The power supply was lost from the beginning, causing failures of critical functions such as radio communications and the public address system. The fire pumps and the deluge systems failed as well; the main water inlet had been shut off to protect divers. No evacuation orders were issued. The living quarters were engulfed in smoke and fire. Those who escaped did so often by jumping in the sea, some from the 20-ft and 68-ft levels, others from the helideck. In many cases, the lifeboats could not be accessed. The fire-fighting operations that could have been carried out by the vessels that were in the vicinity failed, mainly for lack of coordination and leadership. Most of the survivors were rescued at sea. The fire finally engulfed the platform, which had not been designed to sustain heavy fire loads and finally collapsed. The losses reached 167 deaths and billions of dollars in financial losses[8].

[8] These direct losses include the loss of the platform itself and the loss of oil and gas production. Indirect costs, including other factors such as environmental damage and deterioration of public image, are relevant to a loss estimation. Both are more difficult to quantify than the direct costs.

2.3 Decisions and Actions That Influenced the Accident. Most of these basic events were caused or influenced by human decisions and actions that proved to be either gross errors or errors of judgment. They have been systematically identified in the original study (Pate-Cornell, 1992) and are listed here in Appendix B. These errors can be classified into four categories: design and expansion problems, production decisions in the platform network, personnel problems and crisis management, and errors in inspection and maintenance operations. Figure 5 represents the different levels of causality among the factors of the accident: at the bottom, a simplified version of the accident scenario and its basic events, at the next level above the decisions and actions that caused or influenced them, and at the top level, the basic organizational factors that in turn influenced the occurrence of these human errors[9].

[9] Note that even though the identification of relevant management factors was done using a bottom-up approach, the graphic representation of dependencies in Fig. 5 is done "top-down" to facilitate reading.

A large number of elements of the accident scenario resulted from design decisions that caused dangerous couplings and dependencies, including direct linkage of failures (e.g., power supply and public address system), high probability of fire propagation (e.g., from module B to module C to the control room), and vulnerability of several components to a common cause of failure (e.g., the same blast). The problem was compounded by lack of backups in many of the critical safety
ORGANIZATIONAL FACTORS removed and replaced by a blind flange assembly without
proper tagging, thereby putting a pump out of service. The
PERSONNEL ECONOMIC FLAWS IN INSPECTION & permit-to-work system failed; communications did not occur
ISSUES: PRESSURES DESIGN MAINTENANCE between the maintenance crews and the night operators who
* Production * Production GUIDELINES PRACTICES
Culture versus 'bad layout rules 'permit to were unaware of the unavailability of the pump and tried to
4
Mnsuff icient safety *poor safety syst work sytem restart it. In addition, the enquiry concluded that for a leak
experience *Def i n i t i o n 'no structural 'inadequate
*l_earning of profit resistance regulatory
of that magnitude to develop, the assembly had not been suf-
mechanisms centers to large fires oversight ficiently tightened; there was no inspection to check the quality
of the work. Finally, the inspection and maintenance of the
\ / V- \
i^—^t
*^~
_ safety equipment seems to have been seriously defective.
'S—f ^ «;-
DECISIONS AND ACTIONS SPECIFIC TO PIPER ALPHA

'& 2.4 Organizational Roots of the Accident. Risk Manage-
ment Measures. These decisions and actions, in turn, were
influenced by fundamental organizational factors. These fac-
tors and the corresponding dependencies are represented at the
upper level of Fig. 5. They can be divided into four categories:
1) economic pressures that can result in questionable prac-
tices in production and safety management; 2) personnel is-
sues related in part to these economic pressures, a production
culture, and deficiencies in the learning mechanisms; 3) flaws
in the design guidelines and the design philosophy; and
4) inspection and maintenance problems including a deficient
"permit-to-work" system. In the U.K., at the time, these main-
tenance problems may have resulted, in part, from inadequate
regulatory oversight. These management factors involve fun-
damental organizational problems of information (do the per-
sonnel have appropriate level of knowledge and access to
relevant information?), incentives and rewards (what are peo-
ple actually rewarded for, and how can the incentive system
accommodate long-term safety effects?), and resource con-
straints (e.g., what are reasonable time pressures, how much
should be allocated to the inspection and maintenance of safety
Fig. 5 Organizational roots of the Piper Alpha accident scenario (in- features?).
fluence diagram representation; the lower part is a simplified version of Most of these factors are actually rooted in financial con-
Fig. 4)
straints from the corporation, with emphasis on the short term.
features such as the power supply. In general, the deck was Many decisions were made on board under pressures to pro-
packed with equipment and there was insufficient protection duce at the maximum level, to reduce design and construction
of the living quarters and inappropriate evacuation routes and costs (hence a minimum deck surface) and to reduce production
means of escape. costs (often by cutting corners in inspection and maintenance
The compactness and lack of separation that caused a rapid operations). These economic constraints are unavoidable. Yet,
fire spread were due in large part to the way the system had the trade-offs between immediate production levels and long-
grown over time to accommodate higher levels of production term probability (and costs) of a disaster seldom seem properly
than originally planned for, components that had been added examined: the tendency is to focus on the immediate possibility
and equipment that had been brought on board, some of which of frequent incidents and to dismiss or ignore the risks of
has been simply stacked on the deck. Not only was the final catastrophe.
layout quite different from the original one, but the successive There is no golden rule for the management of the trade-
additions had been made without sufficient checking that they off between safety and production. What is clear is that a
did not interfere with safety features. For example, external culture that rewards exclusively production encourages a my-
additions to module C prevented adequate functioning of the opic approach to safety: avoid small visible problems that
blast relief (Bea, 1991). may disrupt production and dismiss the possibility of large
The management of the personnel had also been deficient; rare accidents that are unlikely on anyone's watch. The risk
there were not enough qualified and experienced people on management literature tends to recommend the creation of an
board at the time of the accident and temporary promotions independent safety function, for example, to NASA, following
had allowed fulfilment of critical functions by available per- the Challenger accident (Presidential Commission, 1986). In
sonnel. Less experienced operators, maintenence crews, and the U.K., at the time of the accident, a large part of the safety
production workers were allowed to run the platform in Phase responsibility was in the hands of a dispersed set of government
1 of operations, therefore at a high level of activity that should regulators; but the British government was eager to accelerate
have required special care and attention. The loss of the OIM the production of oil in the North Sea, and the safety of
also illustrates the lack of training in crisis management. Simple operations may not have been at the forefront of their con-
instructions about emergency procedures are insufficient be- cerns. Therefore, important safety issues were overlooked by
cause they may not apply. Leadership in case of crisis requires regulatory authorities (Carson, 1992). Counting on external
appropriate protection of the people in charge, particular types control and government regulators to discover problems and
of personalities, and an in-depth knowledge of the system that monitor their solutions encourages an "us" against "them"
did not appear to be available on Piper Alpha at the time of mentality. A similar tension may actually exist inside the cor-
the accident. poration, when relying on internal control for risk management
encourages a game of "beating the safety office." Powerful
Inspection and maintenance decisions and operations also safety divisions may be effective provided that they are given
proved seriously flawed. A pressure safety valve (PSV)10 was teeth and that they do not become a convenient place to pi-
A pressure safety valve (or pop valve) is an automatic spring-loaded, pressure
geonhole the less productive. In reality, it seems that integrating
relieving valve actuated by static pressure under the seat (Evans, 1974). safety and production functions and making operators knowl-

184 / Vol. 115, AUGUST 1993 Transactions of the ASME


Downloaded From: https://offshoremechanics.asmedigitalcollection.asme.org on 06/28/2019 Terms of Use: http://www.asme.org/about-asme/terms-of-use
edgeable and responsible is a better approach in the long run. thus critical. Unfortunately, there again, economic pressures
This strategy assumes that the internal incentive system is not in general, periodic financial restrictions of the production
solely based on short-term production figures, but also rewards sector, and procedures such as the permit-to-work system have
long-term safety measures and punishes dangerous actions. It proved detrimental to system safety. The permit-to-work sys-
also assumes that the production goals are set at a reasonable tem, investigated extensively in the Cullen report, did not en-
level and can accommodate contingencies. sure communications, nor did there seem to be any concern
The incentive system of the oil companies often relies on about the dependencies created by the simultaneous shut-off
the performance of "profit centers" defined somewhat arbi- of redundant equipment. In the U.K. sector of the North Sea,
trarily by the corporation that assesses, by internal pricing, deficiencies in maintenance could be attributed in part to in-
the performance of each unit. Problems arise in the oil industry adequate regulatory oversight. Elsewhere, they may simply be
when production and refinery have been structured into sep- the results of a myopic approach to financial performance.
arate profit centers, leaving the production sector squeezed by
fluctuations of the price of crude oil on the world market.
Reducing the production costs is then the only way to maintain
profit margins. This is often achieved by decreasing inspection 3 Part 2: Assessing the Benefits of Risk Reduction
and maintenance costs, for example, by delaying repairs of Measures
the systems that are not essential to immediate production. For most of the basic events of the Piper Alpha accident
This problem of organizational structure has apparently been sequence, there are possible technical improvements; for ex-
recognized and addressed by some of the major US oil com- ample, "add a redundancy," or "reinforce the component
panies, but remains a key issue elsewhere. against blasts and fires." In the same way, for many of the
Economic pressures in turn have a direct effect on corporate decisions and actions associated with these basic events, there
culture and personnel management, turnover, experience, and are procedures that may decrease the probabilities of errors
on the process of learning from past mistakes and incidents. by forbidding certain practices (such as turning off emergency
The priority given to short-term production has often created, systems), or by rewarding workers for discovering and fixing
within the oil industry, a "reverse safety culture" marked by problems. Often, but not always, the costs are those of reducing
formal and informal rewards for pushing industrial systems or interrupting production. Finally, for many of the organi-
to the limits of their capacities without sufficient precautions, zational features described in the foregoing, there are modi-
such as checking that additional equipment and incremental fications that may improve individual decisions and reduce the
debottlenecking do not stress existing equipment beyond their risks of failures and accidents, for example, a change in the
actual capacities, do not create dangerous couplings, and do internal accounting system, or the systematic use of a risk
not interfere with existing safety features. This requires a thor- analysis model to record all changes and to check their effects
ough understanding of the system, its complexities, and in- on the overall safety of the platform.
terdependencies based on experience, which is lacking when Many of these possible improvements can be derived directly
undertrained people are allowed to run a platform, for ex- from the description of the problem as presented in the previous
ample, because the more experienced are on leave or have been sections and have been listed in the Cullen report (Cullen,
fired in times of budget restrictions. In addition, the corpo- 1990). The Conference on Offshore Operations Post Piper
ration fails to learn when stories of near misses and minor Alpha (The Institute of Marine Engineers, 1991) presented a
incidents are suppressed because they run counter to the culture number of technical improvements including new materials for
and a corporate image of success. Again, the fundamental fire and blast protection (Hu), safer accommodation including
problem is one of incentives, formal or informal, and of the a temporary safe refuge (Godfrey), and better fire detection
culture that they promote. devices (Watkins). They also proposed organizational im-
Some of the flaws of the design philosophy can also be linked provements such as better regulation (Daneuberg and Schnei-
to economic pressures that encourage development beyond der) and corporate management (Dawson). Using the decision
what had been planned initially, and often on a minimal deck analysis framework and a coarse estimate of the benefits of
surface. Others are related to a culture of denial of serious each alternative, one can set priorities among these measures
risks, and failure to think through the possible consequences and design an economically optimal safety strategy. Most of
of incidents and the dependencies that may exist. Redundancies these modifications affect several components or phases of
are particularly critical in functions of command and control, operations; therefore, they may influence the probabilities of
especially in the power supply and in fire protection equipment. several failure modes. System analysis and risk analysis in-
Yet, safety equipment often seems to be considered as extra volving fault trees, event trees, and stochastic processes (e.g.,
baggage that gets in the way of higher production rates and Besse et al.; Fitzgerald and Grant, The Institute of Marine
consumes precious maintenance resources. Engineers, 1991) can help capture these dependencies. The risk
Proper design of redundancies and elimination of couplings analysis model, however, must be extended if one wants to
often require a formal risk analysis to examine explicitly the include 1) decisions and actions, and 2) organizational fea-
trade-offs between costs and increase of safety. The design tures in the assessment of the benefits of improving risk man-
guidelines for the deck layout are based on concepts of "area- agement.
classification" whose goal is to separate the flammable vapors
expected under normal operating conditions from ignition 3.1 The Extended Risk Analysis Model. Computation of
sources, and in particular electric equipment. The objective of the benefits of various risk reduction measures requires a global
these guidelines is to prevent fire ignition. They do not require, risk analysis model, i.e., a model linking initiating events to
however, the separation of production modules and other units a probability distribution for the losses per time unit. The
such as the living accommodation and the control room (which benefits are then calculated as the differences of the proba-
can be located anywhere, even in the process area). Further- bilities of accident scenarios (and/or by the differences of the
more, there are no specific fire criteria (similar to wave load expected values of the annual losses) with and without the
criteria) in the design of the structure, and therefore no "de- proposed measures.
fense in-depth" against sustained heat loads. Fire protection The probabilities of decisions and actions can be modified
then relies exclusively on quick response, appropriate training, either directly, for example, by forbidding certain practices,
and proper functioning of emergency systems that may not be or indirectly by modification of the organization, for instance,
available if they have been turned off or are left out of service. by changing the incentive system. In turn, these measures affect
In such an environment, inspection and maintenance are the occurrences of the failure modes. Assessment of their ben-

Journal
Downloaded From: of Offshore Mechanics and Arctic on
https://offshoremechanics.asmedigitalcollection.asme.org Engineering AUGUST 1993,
06/28/2019 Terms of Use: http://www.asme.org/about-asme/terms-of-use Vol. 115/185
efits requires conditioning the basic probabilities of the risk cessive vibrations decreases the probability of pipe rupture
analysis model on these decisions and actions, and if appli- (and, therefore, of the initiating event: leak followed by fire
cable, conditioning these decisions and actions on relevant and explosions). A decision to improve maintenance operations
characteristics of the organization. may decrease both the probability of an initial fire and the
Let {in,- J be the set of possible initiating events of accident probability that it propagates once it starts. A decision to have
sequences (e.g., fires, blasts, wave loads, earthquakes, boat on board six experienced operators instead of five relatively
collisions); (fist,,,) the set of possible final states (characterized inexperienced ones increases the probability that an initiating
for instance by a Boolean vector such as [0, 1, 1, 0, 0 incident is quickly discovered and fixed, therefore, for in-
1] indicating whether the different components are functioning stance, decreases the probability of propagation to other mod-
or have failed); and (loss*) a partition of the set of possible ules if a fire occurs, and may decrease the probability of severe
loss levels. The probability distribution p(losst) for all k thus human losses even if several modules are destroyed.
represents a discretization of the distribution of the annual Finally, for many of the organizational features described
losses. If the initiating events are described by their annual in the foregoing, one can consider a certain number of mod-
probabilities of occurrence p(in,), the risk analysis model that ifications that reduce the risk of failures and accidents by
characterizes the annual losses can be written reducing the probability of dangerous decisions and actions,
and consequently, the probability of the basic events of the
/?(loss*) = 2 2 ^ i n ' ) x/?(fist»<'in') xp(loss* I fist,,,) failure modes. These benefits sometimes occur at the cost of
/ m
reducing or interrupting production. For instance, increased
for all k (1) inspection and maintenance, decreased pressure in the system
The probabilities p(fist„, I in,) (final states conditional on in- (therefore, reduction of the rate at which sand and other par-
itiating events) are the results of event tree and fault tree anal- ticles erode the pipes), all imply a lower production level in
yses that indicate which components can be affected by the the short term. The effects of these organizational modifica-
considered initiating event and its further developments, and tions can be measured in the foregoing model by their mod-
which failure mode (or accident sequence) can occur. The ification of the probabilities of the decisions and actions that
probability p(loss<. I fist,,,) is the result of the consequence model lead to the basic events of one or more failure modes. Many
linking the human and economic losses to the final state of of these possible improvements can be derived directly from
the system. The losses are generally represented by a vector of the description of the problems that led to the Piper Alpha
two elements (casualties and property damage). accident and have been listed in the Cullen reprot (Cullen,
To include in this model the effect of relevant decisions and 1990). Most of these modifications affect several components
actions {A,,} requires conditioning the probabilities of Eq. (1) or phases of operations; therefore, they may influence the
to the elements of the set [A„] (Note that the A„'s can affect probability of several failure modes. A complete system anal-
separately all the elements of the previous equation.) The A„'s ysis (possibly at a high level of aggregation) may be needed to
are structured so that they constitute an exhaustive, mutually capture these dependencies.
exclusive set of classes of decisions or actions that affect the
platform in the different phases of its lifetime. Each A„ is 3.2 Reduction of the Risk of Loss of Life in Fires on Board
described by a vector whose elements represent the outcomes Platforms. To illustrate the foregoing general model, con-
of these classes of decisions or actions. Equation (1) can thus sider the problem of assessing the benefits of reducing the risk
be written of losses in fires on board a platform by improving the system
of emergency water pumps. For the initiating event in,- =
p(\ossk) = 2 2 2 P(A»> x/>(in,-U„) "fire," further specifications are needed: 1) where it started
/ m n (location noted loc/), and 2) at what level of initial severity
xp(fist,„ I in,-, A„) x ^ o s s * I fistm, A„) (2) (noted sevy). The analysis is then done in several steps:
Finally, the effects of different organizational factors {Oh} (a) Logical analysis of the functions involved and fault tree
on the risk are assessed by computing their effects on the analysis.
probability of decisions and actions which, in turn, affect the (b) Probabilistic analysis of the different failure modes for
probability of the possible accident sequences. The CVs thus the top event: "failure of emergency pump."
affect the elements of Eq. (1) only to the extent that they affect (c) Computation of the probability of fire start and prop-
the probabilities of the corresponding ^4,,'s. The probabilities agation to the location of the pumps and their accesses, using
of the different loss levels given a state Oh of the organization a Markov model. (The final system's state is described by the
are thus vectors fist,,,. The probabilities computed here are that of the
fist,„'s, in which the element corresponding to the emergency
p(loss*lO A )=2] 2 YiPiAnlO^xpiinilA,,) fire pumps indicates that they do not function.)
i m n
(d) Assessment of the benefits (risk reduction) of several
xp(fist„, I in,-, A„) xp(lossk I fist,,,, A„) (3) types of measures (e.g., addition of a second manual redun-
The results of technical improvements (insulation, decou- dancy, or improvement of the protection of the pumps against
plings, redundancies, etc.) are measured directly in Eq. (1) by the effects of fires and blasts) by computing the contribution
their effects on the probabilities of initiating events (e.g., the of the pumps to the overall level of losses to fires.
corresponding decrease of the probability of fire), on the prob- 3.2.1 Event Tree and Fault Tree Analysis. The annual
abilities of the final system states (e.g., the decrease in the probability of the level of losses k is obtained by summing the
probability of fire propagation among components), and on joint probability of losses k, fire (initial location and severity),
the loss function (e.g., an increase in the probability of success and final system states
of evacuation operations). The overall effect is a reduction of
the annual probability of different levels of losses, and there- />(loss*) = 2 2 ^ ff(fire) xp(loc/lfire) Xp(sev/Ifire, loc/)
fore, of the expected value of the annual losses. m I j "EC 5*"
The results of organizational improvements (e.g., incentives fire initial state
for safety) are measured in Eq. (3) by their effects on the
probabilities of different actions and decision outcomes, and xp(fistm/fire, loc/, sevy) xp(loss*I fistj
consequently, on the overall loss levels. For example, a decision
to decrease temporarily the production level because of ex- fire propagation final losses

186/Vol. 115, AUGUST 1993


Downloaded From: https://offshoremechanics.asmedigitalcollection.asme.org Transactions
on 06/28/2019 Terms of Use: http://www.asme.org/about-asme/terms-of-use of the ASME
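As an added illustration of Eqs. (1)-(3) (not code from the paper), the following Python computes p(loss_k | O_h) and the expected annual loss for a small constructed model: two action classes A_n (deferred versus thorough maintenance), two organizational states O_h that shift p(A_n | O_h), two initiating events in_i, two final states fist_m and two loss levels loss_k. Every probability and loss value is illustrative, and the consequence model p(loss_k | fist_m) is taken independent of A_n.

```python
"""Extended risk model of Eqs. (1)-(3) on a constructed table (added
example; all probabilities and loss values are illustrative)."""
import copy

MODEL = {
    # p(A_n | O_h): how the incentive system shifts maintenance practice
    "p_action_given_org": {
        "production_only": {"deferred": 0.8, "thorough": 0.2},
        "safety_rewarded": {"deferred": 0.2, "thorough": 0.8},
    },
    # p(in_i | A_n): annual probability of each initiating event
    "p_init_given_action": {
        "deferred": {"fire": 0.10, "blast": 0.02},
        "thorough": {"fire": 0.04, "blast": 0.01},
    },
    # p(fist_m | in_i, A_n): final system state after the event
    "p_fist_given_init_action": {
        ("fire", "deferred"): {"contained": 0.5, "propagated": 0.5},
        ("fire", "thorough"): {"contained": 0.7, "propagated": 0.3},
        ("blast", "deferred"): {"contained": 0.3, "propagated": 0.7},
        ("blast", "thorough"): {"contained": 0.5, "propagated": 0.5},
    },
    # p(loss_k | fist_m): consequence model, here independent of A_n
    "p_loss_given_fist": {
        "contained": {"minor": 0.95, "major": 0.05},
        "propagated": {"minor": 0.50, "major": 0.50},
    },
    # constructed monetary value of each loss level ($M)
    "loss_value": {"minor": 5.0, "major": 500.0},
}


def p_loss_given_action(model, action):
    """Inner sums of Eq. (2) for one action class A_n: p(loss_k | A_n),
    summed over initiating events i and final states m."""
    out = {k: 0.0 for k in model["loss_value"]}
    for event, p_in in model["p_init_given_action"][action].items():
        for state, p_fist in model["p_fist_given_init_action"][(event, action)].items():
            for level, p_loss in model["p_loss_given_fist"][state].items():
                out[level] += p_in * p_fist * p_loss
    return out


def p_loss_given_org(model, org):
    """Eq. (3): p(loss_k | O_h) = sum_n p(A_n | O_h) x p(loss_k | A_n)."""
    out = {k: 0.0 for k in model["loss_value"]}
    for action, p_a in model["p_action_given_org"][org].items():
        for level, p in p_loss_given_action(model, action).items():
            out[level] += p_a * p
    return out


def expected_annual_loss(model, org):
    """Expected value of the annual losses under organizational state O_h."""
    return sum(p * model["loss_value"][k] for k, p in p_loss_given_org(model, org).items())


def organizational_benefit(model, org_before, org_after):
    """Benefit of an organizational measure (Section 3.1): the difference
    of expected annual losses between the two organizational states."""
    return expected_annual_loss(model, org_before) - expected_annual_loss(model, org_after)


def with_fire_protection(model, factor):
    """A technical measure, measured directly in Eq. (1)/(2): better fire
    protection scales p(propagated | fire, A_n) by `factor` for every action
    class; the freed probability mass goes to the contained state."""
    new = copy.deepcopy(model)
    for (event, action), states in new["p_fist_given_init_action"].items():
        if event == "fire":
            states["propagated"] *= factor
            states["contained"] = 1.0 - states["propagated"]
    return new


if __name__ == "__main__":
    for org in ("production_only", "safety_rewarded"):
        print(org, p_loss_given_org(MODEL, org), f"E[loss] = {expected_annual_loss(MODEL, org):.3f}")
    print("organizational benefit:",
          round(organizational_benefit(MODEL, "production_only", "safety_rewarded"), 3))
    print("with fire protection (factor 0.5), production_only:",
          round(expected_annual_loss(with_fire_protection(MODEL, 0.5), "production_only"), 3))
```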
[Fig. 6 Functional diagram for the emergency water pumps: water feed (W); electric power source (E), electric cables (C) and automatic electric pump (EP); access to the manual pump (A), operator (O) and manual pump (MP).]

[Fig. 7 Fault tree for the top event "the water pumps do not function".]

[Fig. 8 Markov diagram and transition among states for the subsystem: access to water pump(s) (A) and electric cables (C) feeding the electric pump(s). Location l, severity j refer to the characteristics of the initial fire and of fire propagation; C_r, A_r represent the state of the access (A) and the cables (C); index 0: intact; index 1: minor fire damage, but still functioning; index 2: damaged by fire, failure state. Columns: states 1 to 4; states 5 and 6; states 7, 8, 9; states 10, 11, 12 (state 12: failure mode C × A).]

The vectors fist_m represent the possible final system states and the loss of the pumps may be one element of each fist_m. Therefore, a key element of the probability p(fist_m | fire, loc_l, sev_j) is the probability of failure of the fire pumps. It can be analyzed by classical PRA techniques (Henley and Kumamoto, 1981) starting with the simplified functional diagram shown in Fig. 6. The function "water feed" is needed for both manual and automatic functions. The automatic pump requires electric power (i.e., that the power supply and electric cables are both functioning) and that the electric pump itself functions. The manual pump requires that an operator is available, that the access has not been blocked, and that the pump itself functions. (To simplify the diagram, it is assumed here that the subsystem "manual pump" includes its own emergency electric supply.)

The fault tree corresponding to the top event T = "the water pumps do not function" is represented in Fig. 7. Each component's state is represented by a Boolean variable X (all values of X are defined in Fig. 6; for example, C: state of the electric cables). X is equal to 1 if the corresponding element does not function, 0 otherwise. The Boolean polynomial corresponding to this fault tree is

$$ T = W + (E + C + EP) \times (A + O + MP) \tag{5} $$

Expansion of this polynomial yields the ten failure modes of the pumps

$$ T = W + E \times A + C \times A + EP \times A + E \times O + C \times O + EP \times O + E \times MP + C \times MP + EP \times MP \tag{6} $$

The probability of failure of the pumping function is, thus

$$ \begin{aligned} p(T) = {} & p(W) + p(E) \times p(A \mid E) + p(C) \times p(A \mid C) + p(EP) \times p(A \mid EP) \\ & + p(E) \times p(O \mid E) + p(C) \times p(O \mid C) + p(EP) \times p(O \mid EP) \\ & + p(E) \times p(MP \mid E) + p(C) \times p(MP \mid C) + p(EP) \times p(MP \mid EP) \\ & - \sum p(\text{two failure modes at a time}) + \sum p(\text{three failure modes}) \ldots \text{etc.} \end{aligned} \tag{7} $$

Given the strong dependencies introduced by the possibility of accident initiators such as fires, the probabilities that two or more failure modes occur at the same time can be high. Therefore, in Eq. (7), these terms must be explicitly computed. An example of two failure modes at a time is the conjunction E × O × EP × A (failures of the electric power source, of the operator, of the automatic electric pump, and of the access to the manual pump).

Fire is one of the "common causes of failure" that can affect the probability of all ten failure modes. The probability of losing the fire-pumping function in a fire (event F) depends on the location l of the start of the fire and on the severity j of the initial fire. If one restricts the top event T to the loss of emergency pumping in a fire, Eq. (7) becomes

$$ p(T) = p(F) \times p(T \mid F) = p(F) \times \sum_l \sum_j \Big[ p(W \mid F, \mathrm{loc}_l, \mathrm{sev}_j) + p(E \mid F, \mathrm{loc}_l, \mathrm{sev}_j) \times p(A \mid F, E, \mathrm{loc}_l, \mathrm{sev}_j) + \cdots \Big] \tag{8} $$

in which all the terms of Eq. (7) are conditioned on the occurrence of a fire, its location, and its initial severity.

3.2.2 Markov Analysis of Fire Development. Fault tree (and to some extent, event tree) analyses are static tools. They do not allow computation of the evolution over time of a phenomenon such as system deterioration or fire propagation. To do so requires a stochastic process analysis, the results of which yield the probabilities of the different states after t time units. Consider, for example, one particular failure mode of T: C × A, i.e., "Access routes are blocked by the fire" (therefore, there can be no manual pump activation), and "Electric cables are destroyed by the fire" (therefore, the electric pump does not work). Assume that the cables and the access routes are located in close proximity. Assume also, for simplicity of illustration, that the fire can start only in one particular location (Module 1), and in one of two levels of intensity (low intensity: severity 1; high intensity: severity 2). Finally, assume that the fire has to reach location 2 (Module 2, close to the emergency pumps) and the higher level of intensity (severity 2) to break through a fire wall before it can propagate to Module 3 where the emergency pumps are located¹¹. The probabilities of the different states of the subsystem Cables and Access after t time units can be computed using the Markov chain of Fig. 8.

¹¹ Such a model can become extremely large. The difficulty is in choosing a manageable model structure and an appropriate classification of ignition sources, physical components, and fire severity levels.
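The fault tree of Eqs. (5)-(8), as an added Python example rather than the paper's own computation: it expands the Boolean polynomial into the ten failure modes, compares the leading terms of Eq. (7) with the exact p(T) under independent failures, and applies Eq. (8) for a fire. Component names follow Fig. 6; all failure probabilities and the two fire scenarios are constructed, and the scenarios are weighted by p(loc_l | F) p(sev_j | F, loc_l) as in Eq. (4).

```python
"""Fault tree for T = "the water pumps do not function", Eqs. (5)-(8).
Added example; component names follow Fig. 6, probabilities are constructed."""
from itertools import combinations, product

COMPONENTS = ["W", "E", "C", "EP", "A", "O", "MP"]


def top_event(failed):
    """Eq. (5): T = W + (E + C + EP) x (A + O + MP), '+' = OR, 'x' = AND.
    `failed` is the set of components whose Boolean variable X equals 1."""
    automatic_lost = bool({"E", "C", "EP"} & failed)
    manual_lost = bool({"A", "O", "MP"} & failed)
    return "W" in failed or (automatic_lost and manual_lost)


def failure_modes():
    """Expand the polynomial by brute force: every set of failed components
    that alone makes T true, keeping only the minimal ones. The result is
    the ten failure modes (minimal cut sets) of Eq. (6)."""
    cuts = [frozenset(c) for r in range(1, len(COMPONENTS) + 1)
            for c in combinations(COMPONENTS, r) if top_event(set(c))]
    minimal = [c for c in cuts if not any(o < c for o in cuts)]
    return sorted(minimal, key=lambda c: (len(c), sorted(c)))


def p_top_exact(p):
    """Exact p(T): enumerate all 2^7 component states, assuming the
    components fail independently with probabilities p[name]."""
    total = 0.0
    for bits in product((0, 1), repeat=len(COMPONENTS)):
        failed = {c for c, b in zip(COMPONENTS, bits) if b}
        if top_event(failed):
            prob = 1.0
            for c, b in zip(COMPONENTS, bits):
                prob *= p[c] if b else 1.0 - p[c]
            total += prob
    return total


def p_top_closed_form(p):
    """Independent-failure cross-check: T occurs iff W fails, or both the
    automatic branch and the manual branch fail."""
    auto = 1.0 - (1 - p["E"]) * (1 - p["C"]) * (1 - p["EP"])
    manual = 1.0 - (1 - p["A"]) * (1 - p["O"]) * (1 - p["MP"])
    return p["W"] + (1.0 - p["W"]) * auto * manual


def p_top_first_order(p):
    """Leading terms of Eq. (7): the sum over the ten failure modes, without
    the corrections for two or more failure modes occurring together."""
    total = 0.0
    for cut in failure_modes():
        prob = 1.0
        for c in cut:
            prob *= p[c]
        total += prob
    return total


def p_top_in_fire(p_fire, scenarios):
    """Eq. (8): p(T) = p(F) x p(T | F). Each (loc_l, sev_j) scenario carries
    its own conditional component probabilities and is weighted by
    p(loc_l | F) p(sev_j | F, loc_l), the scenario weights of Eq. (4)."""
    p_t_given_f = sum(w * p_top_exact(probs) for w, probs in scenarios.values())
    return p_fire * p_t_given_f


# Constructed per-demand failure probabilities with no fire.
P_NORMAL = {"W": 0.01, "E": 0.02, "C": 0.01, "EP": 0.03, "A": 0.01, "O": 0.05, "MP": 0.04}
# Constructed conditional probabilities in a fire near the pumps: the fire is
# a common cause that raises E, C, A and O at the same time.
P_FIRE_MILD = {"W": 0.02, "E": 0.08, "C": 0.10, "EP": 0.05, "A": 0.15, "O": 0.10, "MP": 0.05}
P_FIRE_SEVERE = {"W": 0.05, "E": 0.30, "C": 0.40, "EP": 0.10, "A": 0.50, "O": 0.30, "MP": 0.05}
# (loc_l, sev_j) -> (p(loc_l | F) p(sev_j | F, loc_l), conditional probabilities)
SCENARIOS = {("Module 2", "sev 1"): (0.6, P_FIRE_MILD),
             ("Module 2", "sev 2"): (0.4, P_FIRE_SEVERE)}

if __name__ == "__main__":
    print("failure modes:", ", ".join(" x ".join(sorted(c)) for c in failure_modes()))
    for label, p in (("no fire", P_NORMAL), ("severe fire", P_FIRE_SEVERE)):
        print(f"{label}: first-order {p_top_first_order(p):.4f}, exact {p_top_exact(p):.4f}")
    print(f"p(T) restricted to fires, p(F) = 0.10/yr: {p_top_in_fire(0.10, SCENARIOS):.5f}")
```

In the severe-fire scenario the first-order sum (0.73) far exceeds the exact value (0.444), which is the paper's point that the multi-failure-mode terms of Eq. (7) cannot be dropped once a common cause is present.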
In Fig. 8, C represents the state of the electric cables (C0: no damage; C1: minor damage by fire, but still functioning; C2: failure due to fire) and A represents the state of the access to the manual pump (i.e., the space that must be crossed to reach the pump from other locations). In the same way: A0 means that the fire has not reached the access, A1 that the pump can still be reached but that fire and smoke are beginning to invade the space, and A2 that the pumps are inaccessible. The initial states of the cables and the access to the pumps while they are still undamaged but as the fire starts and propagates (C0-A0) have been grouped for clarity in Fig. 8. The final state C2-A2 represents the failure mode C × A of the water pumps.

This Markov chain has 12 states numbered from 1 to 12 by column in Fig. 8 (state 1: C0-A0, location 1, severity 1; …; state 5: C0-A1; …; state 7: C1-A0; …; state 12: C2-A2). It is assumed here that the fire always grows and damages the two components C and A continuously (i.e., without jumps in severity levels). Human intervention is not modeled here explicitly; see Paté-Cornell (1984) for an example of several growth rates corresponding to different phases of fire-fighting. The probabilities of transition among states depend on fire-fighting activities and on the availability of water (i.e., whether or not the other failure modes of the emergency pumps have occurred before C × A). Once the fire has reached Module 3 (states 5 to 12), the severity of the fire is represented only indirectly by its effects on the cables and the access to the pump. The initial vector P(0) represents the probabilities of the initial severity levels given that a fire starts in Module 1

$$ P(0) = [P_1(0), P_2(0), 0, \ldots, 0] \tag{9} $$

Let Π be the transition matrix corresponding to this system; π_ij is the probability of transition from state i to state j per time unit (e.g., 1 min). The probability that the system is in each of the 12 states after t time units is given by the vector P(t), which is the product of the initial vector P(0) and the transition matrix to the power t (Hillier and Lieberman, 1967)

$$ P(t) = P(0) \times \Pi^{t} \tag{10} $$

The probability that the failure mode C2-A2 has occurred before t or at time t is the twelfth element of this vector P(t), noted P_12(t). One can then obtain the probability distribution (and the mean) of the time to failure of the water pumps through this particular failure mode. Similar models can be developed for the other failure modes involving fire propagation. It is clear from the logical analysis alone that the electric cables should not run along the access to the manual pumps. The probabilistic analysis yields the probability that this particular coupling causes a catastrophic fire.

3.2.3 Benefits of Safety Measures. This analysis (and similar ones for the other nine failure modes, and possibly for some conjunctions of failure modes) permits the assessment of the benefits of a certain number of measures aimed at reducing the probability that the fire pumps are unavailable

Operations: Change in the policy allowing less experienced personnel to operate the platform. The effect is to decrease the probability that a fire starts, the probability that the fire, given that it starts, reaches Module 2 and Module 3 (where the emergency pumps are located), and the probability that no operator is available in the case where the automatic pumps do not function. In the model presented in the foregoing for the failure mode C × A, these are the probability of fire p(F), the conditional probability P_2(0) that the fire starts at a high intensity level, and the probabilities π_ij which characterize transition to higher damage or fire intensity states.

Operations: Improvement of the maintenance procedures (more thorough or more frequent) that decrease the probability of leaks in pumps and valves. The effect is to decrease the probability of fire p(F), and the probability that the fire starts at a high level of intensity P_2(0).

An overall evaluation of the benefits of measures aimed at decreasing the probability of losing water pumps in a fire must thus be done in the following way:

1 Assessment of the contribution of fires and blasts to the overall probability of platform failure.
2 Contribution of the failure of emergency pumps to the probability of losing the platform given that a fire starts.
3 Contribution of each of the failure modes to the probability of failure of the emergency pump system.
4 Computation of the reduction of the probabilities of these failure modes as a function of the reduction of specific initial or transition probabilities such as those already identified.

Several types of improvements such as layout modifications, fire protection, and other measures aimed at decoupling the different parts of the system have multiple benefits because they reduce the probabilities of several failure modes. Improvements of the inspection and maintenance procedures allow adapting interventions to the loads and deterioration rate of each component. The choice of maintenance on schedule or on demand can be supported by a decision analysis (Paté-Cornell et al., 1987).

4 Conclusion

Prevention of the recurrence of accidents similar to the fire that occurred on Piper Alpha in 1988 requires both technical and organizational improvements of the conditions that existed on this platform at that time. In general, the burden of safety must be placed squarely on the oil companies. First, they must recognize that the probability of truly catastrophic accidents is far from remote. Second, they must devise comprehensive risk management strategies instead of providing minimal responses to regulatory requirements and/or equating risk management with insurance programs. Such a strategy includes a
in a fire. Examples of such measures include: commitment to promote a safety culture, to alleviate produc-
tion pressures under hazardous circumstances, and to provide
Design: Isolation of the fire pumps (better layout or rein- consistent incentives for the prevention of accidents, in the
forced fire protection of the pump areas). The effect is to immediate as well as more distant future.
decrease the probability of transition between initial states CO- The process of platform growth must be strictly controlled.
AO and any of the other states. Expansion should not take place unless provisions have been
Design: Decoupling, given a fire, of the access to the manual made for it in the design phase so that added systems do not
pumps and the electric cables. The effect is to decrease the interfere with the safety of operations. The design guidelines
corresponding probabilities of transition between Q — Ay- and must also include severe accident criteria for fire protection
C,- + ,-A/ + i (e.g., CO-AO to Cl-Al). of the structure itself and a better configuration of the pipeline
Operations: Procedures forbidding closing the water inlet risers and of the safety valves which have to be both accessible
(protection of the divers through other means). The effect is and protected (Adams, 1991). The deck layout must provide
to decrease the probability of failure mode W.
12
Operations: Human redundancy in the operation of the man- Occidental management had been warned by Elmslie Consultancy Services
ual pumps (several individuals can access and operate the that a prolonged high-pressure gas fire would have grave consequences for the
platform and its personnel (Cullen, 1990, p. 227); but it had been concluded at
pumps). The effect is to decrease the probability of failure a subsequent meeting that "[the probability of the event] was so low that it was
modes E x O , E P x O , and C x O which involve an operator. considered that it would not happen" (Cullen, 1990, p. 228).

adequate separation or insulation of the different modules, and whenever feasible, the living quarters should be located on a separate accommodation platform. In the production phase, risk reduction requires improvement of inspection and maintenance operations, including the work-permit system, of the personnel safety and evacuation procedures, and better coordination and communication among platforms in a network.

Probabilistic risk analysis (particularly when extended to include management factors) allows evaluation of risk reduction benefits for specified platforms and safety measures, and an optimal allocation of risk management resources. The computation, in many cases, can be limited to parts of the system. Once the results are available, decisions including the balance of costs and benefits have to be made by corporate management. Eventually, the final safety level and the residual risk should be the responsibility of the oil companies, and not of government regulatory agencies.

Acknowledgment

This study was funded as part of the Joint Industry Project entitled "Management of Human Error in Operations of Marine Systems," headed by Professor Robert G. Bea in the Department of Naval Architecture and Offshore Engineering of the University of California, Berkeley.

References

Adams, A., 1991, "U.K. Experience in Offshore Pipeline Management," Proceedings of the International Workshop on Offshore Pipeline Safety, ed. D. V. Morris, December 4-6, New Orleans, LA, pp. 34-43.
American Petroleum Institute, 1985, API Standard 590, First Edition, "Section 1: Steel Line Blanks," Mar.
Bea, R. G., 1991, personal communications.
Bea, R. G., and Gale, W. E., 1990, "Structural Design for Fires on Offshore Platforms," NAOE Industrial Liaison Program Conference, University of California, Berkeley, CA.
Carson, W. G., 1982, The Other Price of Britain's Oil: Safety and Control in the North Sea, Rutgers University Press, New Brunswick, NJ.
Cullen, The Hon. Lord, 1990, The Public Inquiry into the Piper Alpha Disaster, Vols. 1 and 2, Report to Parliament by the Secretary of State for Energy by Command of Her Majesty, Nov.
Evans, F. L., ed., 1974, "Valves for the HPI," Hydrocarbon Processing, June, p. 91.
Gale, W. E., 1991, personal communications.
Garrick, B. J., 1984, "Recent Case Studies and Advancements in Probabilistic Risk Assessments," Risk Analysis, Vol. 4, No. 4, pp. 267-279.
Garrick, B. J., 1988, "Quantitative Risk Assessment and the Space Program," Risk Analysis Seminars, Department of Industrial Engineering, Stanford, CA, Mar.
Heimer, C., 1988, "Social Structure, Psychology, and the Estimation of Risk," Annual Review of Sociology, Vol. 14, pp. 491-519.
Henley, E. J., and Kumamoto, H., 1981, Reliability Engineering and Risk Assessment, Prentice Hall Inc., Englewood Cliffs, NJ; Cambridge University Press, Cambridge, U.K.
Hillier, F. S., and Lieberman, G. J., 1967, Introduction to Operations Research, Holden-Day.
Pate-Cornell, M. E., 1984, "Fire Risks in Oil Refineries: Economic Analysis of Camera Monitoring," Risk Analysis, Vol. 5, No. 4, pp. 277-288.
Pate-Cornell, M. E., Lee, H. L., and Tagaras, G., 1987, "Warnings of Malfunctions: The Decision to Inspect and Maintain Production Processes on Schedule or on Demand," Management Science, Vol. 33, No. 10, Oct., pp. 1277-1290.
Pate-Cornell, M. E., and Bea, R. G., 1992, "Management Errors and System Reliability: A Probabilistic Approach and Application to Offshore Platforms," Risk Analysis, Vol. 12, No. 1, Mar., pp. 1-18.
Pate-Cornell, M. E., 1990, "Organizational Aspects of Engineering System Reliability: The Case of Offshore Platforms," Science, November 30, pp. 1210-1217.
Pate-Cornell, M. E., 1992, "A Postmortem Analysis of the Piper Alpha Accident: Technical and Organizational Factors," Report No. HOE-92-2, Department of Naval Architecture and Offshore Engineering, University of California, Berkeley, CA.
Perrow, C., 1984, Normal Accidents, Basic Books, New York, NY.
Petrie, J. R., 1988, Piper Alpha Technical Investigation Interim Report, Department of Energy, Petroleum Engineering Division, London, England.
Presidential Commission on the Space Shuttle Challenger Accident, 1986, Washington, DC, June.
Raiffa, H., 1968, Decision Analysis, Addison-Wesley.
Roberts, K. H., 1990, "Some Characteristics of High Reliability Organizations," Organization Science, Vol. 1, No. 2, pp. 1-17.
The Institute of Marine Engineers, 1991, Proceedings of the Conference on Offshore Operations Post-Piper Alpha, London, England.
Weick, K. E., 1987, "Organizational Culture as a Source of High Reliability," California Management Review, Winter.

APPENDIX A

Piper Alpha Accident Sequence

The basic events of the accident sequence are shown in Tables A1, A2, and A3.

Table A1 Initiating events: major explosions and fire loads

PRIMARY INITIATING EVENT: First explosion, July 6, 1988 (21:58)
E1: Process disturbance (inadvertent pressurization of a PSV), 21:45 to 21:50.
E2: Two redundant pumps inoperative in Module C: condensate pump 'B' trips. Pump 'A' was shut down for maintenance.
E3: Failure of a blind flange assembly at the site of PSV 504 in Module C.
E4: Release of condensate vapors in Module C (~45 kg, filling ~25% of the module volume); failure of gas detectors and emergency shutdown.
E5: First ignition and explosion. Possible ignition sources: hot surfaces, broken light fitting, electrostatic sparks, electric motors (Cullen, 1990, p. 60).
E6: Almost total failure of gas detectors and fire detection/protection (deluge) systems.
E7: Partial (almost total) failure of the emergency shutdown system.
E8: Failure of the C/D fire wall. No function of the blowout panel to contain the explosion inside the module.

SECONDARY INITIATING EVENT: Second explosion. Propagation of fire in Module B (shortly after 22:00)
E9: Rupture of the B/C fire wall (single layer, 4.5 hour integrity wall).
E10: Rupture of a pipe in Module B (projectile from the B/C fire wall).
E11: Large crude oil leak in Module B.
E12: Fire ball and deflagration in Module B.
E13: Fire spreads back into Module C through the breach in the B/C fire wall.
E14: Fire spreads to 1,200 barrels of fuel stored on the deck above Modules B and C.

TERTIARY INITIATING EVENT: Jet fire from broken riser (22:20)
E15: Failure of fire pumps: automatic pumps have been turned off; manual (diesel powered) pumps located in Module D damaged by failure of the C/D fire wall.
E16: Rupture of riser (Tartan to Piper Alpha) caused by pool fire beneath it (E5, E12, E13); "high temperature reducing the pipe steel strength to below the hoop stress induced by internal pressures" (Cullen, 1990, p. 133).
E17: Intense impinging jet fire under the platform.

Table A2 Further effects of initiating events and final subsystems' states

CONSEQUENCES OF THE FIRST EXPLOSION
E18: Immediate loss of electric power.
E19: Failure of emergency lighting.
E20: Failure of the control room (no lights on mimic panels).
E21: Failure of the public address/general alarm system.
E22: Failure of the radio/telecommunication room.
E23: Loss of the OIM function, both on board and as OSC of rescue operations.
E24: Smoke prevents the Tharos helicopter from reaching the helideck.
E25: Fire and smoke envelop the north side of the platform.
E26: Casualties in Modules A, B, C.
E27: Escape of some people from the 68 ft level to the 20 ft level -> some jump into the sea.

CONSEQUENCES OF THE SECOND EXPLOSION
E28: Fire from Modules B and C spreads to various containers ("lubricating oil drums, industrial gas bottles: oxygen, acetylene, butane" (Petrie, 1988)).
E29: Fire from Modules B and C causes rupture of pipes and tanks -> growth of oil and condensate fires.
E30: Some survivors jump into the sea from the 68 ft and 20 ft levels.
E31: Some people are engulfed in smoke and die in the quarters (22:33).
E32: Partial failure of Tharos fire-fighting equipment.

CONSEQUENCES OF THE JET FIRE
E33: Rupture of the MCP-01 riser at Piper Alpha.
E34: Most people remain and are trapped in the living accommodations (more survivors jump into the sea from the 20 ft and 68 ft levels).
E35: Third violent explosion (22:52).
E36: Some survivors jump from the helideck (175 ft level).
E37: Collapse of platform at the 68 ft level below Module B (22:50).
E38: Collapse of the western crane from the turret (23:15).
E39: Fourth violent explosion (23:18): rupture of the Claymore gas riser.
E40: Major structural collapse in the center of the platform.
E41: Slow collapse of the north end of the platform.
E42: Collapse of the pipe deck, White House, and OPG workshop (-> additional casualties).
E43: Accommodation module overturned into the sea (AAW, north end of platform).
E44: Rescue of survivors at sea (vessels Tharos, Silver Pit, Lowland Cavalier, and Maersk Cutter).

Table A3 Losses

E45: Human casualties: 167 (165 men on board; 2 rescue workers).
E46: Loss of the platform; damage in excess of three billion U.S. dollars.

Journal of Offshore Mechanics and Arctic Engineering (Transactions of the ASME), August 1993, Vol. 115, p. 189
APPENDIX B

Decisions and Actions That Affected the Basic Events

Table B1 Decisions and actions A_ij associated with basic events E_i (i = 1 to 9). Phases: DES: design; CON: construction; OP: operations; OPM: maintenance. The phase is given in parentheses after each decision or action.

E1: Process disturbance
A 1.1: Decision to produce in the Phase 1 mode (OP)
A 1.2: Physical and managerial interdependencies in the Piper Alpha-Tartan-Claymore-MCP-01 network (DES; CON)
A 1.3: Decision to promote personnel to critical positions on a temporary basis (OP)
A 1.4: Missed signals (OP)
A 1.5: Lack of redundancies in the design of trip signals (DES)

E2: Failure of both condensate injection pumps in Module C
A 2.1: Apparently improper maintenance of both pumps A and B (OPM)
A 2.2: Decision to remove PSV 504 in pump A and to replace it by a blind flange (OPM)
A 2.3: Failure of the maintenance crew to inform the night shift that pump A was out and that the PSV was missing (-> operator error in trying to restart pump A) (OPM)

E3: Failure of the blind flange assembly at the site of PSV 504
A 3.1: Error in fitting of the blind flange (OPM)
A 3.2: No inspection of the assembly work (OPM)

E4: Undetected release of condensate vapors in Module C
A 4.1: Faulty warning systems for gas release (DES; CON)
A 4.2: Failure to fix the warning system after it issued false warnings (OPM)
A 4.3: Poor design of the monitoring panels in the control room (DES)
A 4.4: Failure of the control room operator to read and interpret the signals (OP)

E5: First ignition
A 5.1: Possible error of detection of potential ignition source (OPM)
A 5.2: Poor design of control mechanisms: spark arrestors and deluge system

E6, E7: Failure of gas detectors, fire protection, and emergency shutdown
A 6-7.1: Design of the Main Control Room (location of the detector module rack) (DES)
A 6-7.2: Failure of the control room operator to check the origin of the first gas alarms from the detector module rack (OP)
A 6-7.3: Faulty design of the low-gas alarm system (DES)
A 6-7.4: Faulty design of the gas detection system: couplings to the electric power system (DES)
A 6-7.5: No automatic fire protection upon gas detection in the west half of Module C (DES)
A 6-7.6: Lack of redundancy in the fire pumps (DES; OP)
A 6-7.7: Deluge system of limited effectiveness (DES)
A 6-7.8: Failure to upgrade safety functions to the requirements of the Phase 1 production mode (DES; OP)

E8, E9: Failure of the C/D and B/C fire walls
A 8-9.1: Design of fire walls with little resistance to blast pressures; no blast control panels (DES)

Table B2 Decisions and actions A_ij associated with basic events E_i (i = 10 to 23). Phases: DES: design; CON: construction; OP: operations; OPM: maintenance.

E10, E11: Pipe rupture in Module B and large oil leak
A 10-11.1: Couplings in the design of the modules (insufficient space separation) (DES)
A 10-11.2: Couplings due to poor protection against fire propagation (DES)
A 10-11.3: Insufficient protection of critical equipment against blast projectiles (DES)

E12, E13: Fire ball in Module B that spreads back into Module C
A 12-13.1: Poor fire insulation (DES)

E14: Fire spread to fuel storage
A 14.1: Decision to store fuel above the production modules; spatial couplings (OP)

E15: Failure of diesel-powered fire pumps
A 15.1: Poor design of the manual fire-fighting system (bad location, no redundancy); poor protection of the pumps against fires and blasts (DES)
A 15.2: Decision to turn off the automatic system to protect divers (OP)

E16, E33, E39: Rupture of the risers from Tartan, MCP-01, and Claymore
A 16-33-39.1: No fireproofing of the riser connection (DES)
A 16-33-39.2: Bad design of the deluge system (DES)

E17: Jet fire under Piper Alpha
A 17.1: Physical linkages in the Piper-Tartan-Claymore network (DES; CON)
A 17.2: Distributed decision making in the Piper-Tartan-Claymore network (OP)
A 17.3: Bad communication among the platforms and with the vessel Tharos (DES; OP)
A 17.4: Underestimation of the severity of the Piper situation and optimism on other platforms (OP)
A 17.5: To some extent: decision to continue production on Tartan (bad communication system; insufficient procedures and enforcement of existing procedures) (DES; OP)

E18, E19: Immediate loss of electric power. Failure of emergency lighting
A 18-19.1: Design error: decision to run the cable route through Module D (DES)
A 18-19.2: Inadequate redundancies in the electric power system (OPM)
A 18-19.3: Lack of inspection and maintenance of emergency generators (DES)

E20: Loss of the control room
A 20.1: Bad location of the control room next to the production modules (DES)
A 20.2: Lack of redundancies in command and control (-> technical decapitation) (DES)

E21: Failure of the public address system
A 21.1: Bad design of the public address system: no redundancy for the loss of electric power (DES)

E22: Failure of the radio/telecom room
A 22.1: Bad location of the radio room (DES)
A 22.2: Lack of redundancies in the communication system (DES)

E23: Loss of the OIM function
A 23.1: Decision to hire and promote the individual to the OIM position (OP)
A 23.2: Poor training for this kind of emergency (OP)
A 23.3: Loss of organizational redundancy and disruption of the chain of command (OP)

Table B3 Decisions and actions A_ij associated with basic events E_i (i = 24 to 44). Phases: DES: design; CON: construction; OP: operations; OPM: maintenance.

E24, E25, E28, E29, E31: Fire and smoke spread throughout the platform
A 24-25-28-29-31.1: Layout decisions; lack of physical separation (DES)
A 24-25-28-29-31.2: Equipment design decisions: lack of fireproofing, insulation, smoke filters (DES)

E32: Ineffectiveness of the Tharos in fighting the fire
A 32.1: Failure of the Tharos master to take charge as OSC in time (OP)
A 32.2: Failure of the Tharos fire-fighting equipment (DES; OP)

E26, E30, E34, E36, E44: Casualties on board; rescue of survivors
A 26-30-34-36-44.1: Poor design and planning of evacuation routes (lack of redundancies) (DES)
A 26-30-34-36-44.2: Failure of the OIM to give evacuation orders (OP)
A 26-30-34-36-44.3: No alternative official authority when the OIM is incapacitated (OP)
A 26-30-34-36-44.4: Individual initiatives to escape and jump off, against previous information about the survivability of jumping into the sea from more than 60 ft (OP)
A 26-30-34-36-44.5: Poor training for evacuation: lack of knowledge of the platform layout and alternative escape routes (OP)
A 26-30-34-36-44.6: Failure to properly locate, install, and inspect emergency exit equipment, rafts, and boats. Poor location of the lifeboats (and lack of redundancies when they are inaccessible) (DES; OPM)
A 26-30-34-36-44.7: Failure to inspect and maintain inflatable rafts (inoperative) (OPM)
A 26-30-34-36-44.8: Failure to provide, properly locate, and inspect individual protection equipment (smoke hoods, survival suits, life jackets) (DES; OPM)

E37, E38, E40, E41, E42, E43: Structural failures. Collapse of structure
A 37-38-40-41-42-43.1: Failure to account specifically for fire loads in the design of the structure (DES)
A 37-38-40-41-42-43.2: Decision to ignore the early warning that the platform could not sustain severe fire loads for more than ten minutes (OP)
