I would like to acknowledge the insights provided by Ken Arnold in bringing this particular scenario to our attention.
This is the first in a series of Safety Moments in which we show that actions taken to improve safety were a contributing factor in the creation of a catastrophic event. In other words, beware the Law of Unintended Consequences.
One of the worst industrial tragedies ever to have taken place — and the worst that has occurred in the offshore oil and gas business — was the Piper Alpha explosion and fire in the year 1988 that led to the death of 167 men and the total loss of the platform.
This incident has, of course, been analyzed in great depth in numerous reports, web pages, videos, articles and conference proceedings. (The Cullen report is definitive.) Many factors that contributed to the event have been cited. These include flawed emergency response procedures, the failure of firewater pumps and problems with the Permit to Work system.
But relatively little attention has been given to the fact that the initial leak occurred from what was, in effect, an open flange. Normally that spot would have been occupied by a pressure safety relief valve.
The incident started with a leak from a hydrocarbon condensate pump system that consisted of two pumps operating in parallel. Each pump was rated for full capacity, so only one pump needed to run during normal operation while the second remained on standby. Each pump had an associated pressure safety relief valve. The relief valves had to be tested on a regular basis. This was done by removing the valve, covering the opening with a blind flange and shipping the valve to an onshore facility for testing.
The sequence of events was as follows:
- A relief valve on one of the pumps was removed for testing.
- The relief valve’s opening was not covered with a pressure-rated blind flange but with a loosely connected metal plate.
- While the valve was absent the other pump failed during normal operations. In order to keep production going it was decided to start the spare — the one without the relief valve. (Due to a mix-up in the Permit to Work system the operating technicians were not aware that the spare pump was not in an operable condition.)
- When the spare pump was started, the plate covering the open flange failed and a large amount of highly flammable gas was discharged into the operating area.
- The gas almost immediately found a source of ignition, resulting in a large explosion and fire.
There are many lessons to be learned from the Piper Alpha event. But one that is rarely discussed is the decision to remove the relief valve in the first place. There are basically three reasons to test a relief valve.
- The valve must open at the desired pressure. It is crucial that it does not stick closed for any reason.
- The valve must open at the specified pressure.
- The valve should meet its required volumetric capacity.
The frequency with which these tests should be carried out and the testing methods to be used will vary from company to company and will depend on the pertinent standards, such as API 527.
The part of the test that checks the pressure at which the valve opens can often be done in situ. A load can be applied to the valve spindle to check that it opens at the correct pressure, as explained by Engineer Live. (However, the implications of this strategy need to be thought through. In situ testing means that a block valve has to be located beneath the relief valve, which in turn means that the block valve may be closed inadvertently.)
We are not informed as to whether the relief valve in question did have to be tested onshore. But, had it been possible to test the valve in situ, 167 men would not have lost their lives.
One of the many lessons to be learned from the Piper Alpha event is to be sure that any safety program is not creating unanticipated consequences that could create a major disaster. In this case the management of the facility have to balance the need for accurate relief valve testing with the potential problems associated with its not being there when needed.
When reviewing an incident such as this it is useful to determine which elements of Process Safety Management (PSM) failed. The system that we use for these Safety Moments is that developed by the Center for Chemical Process Safety (CCPS). It consists of the following 20 management elements. The elements which are most pertinent to this incident have been highlighted.
- Process Safety Culture
- Workforce Involvement
- Stakeholder Outreach
- Knowledge Management
- Hazard Identification / Risk
- Operating Procedures
- Safe Work Practices
- Asset Integrity / Reliability
- Contractor Management
- Training / Performance
- Management of Change
- Operational Readiness
- Conduct of Operations
- Emergency Management
- Incident Investigation
- Measurement and Metrics
- Management Review
We are not informed as to whether a Hazard Identification exercise had been carried out. (It probably had not — they were not widely used until the 1990s.) If such an analysis had been performed the policy for removing and testing relief valves could have been discussed.
Asset Integrity is also a feature of this incident. It is important that equipment items are tested and checked on a regular basis. Ironically, in this case, it may be that the inspection program was too rigorous.