- Russian Dam Disaster: Assessing the Cost of Failed Safety Practices
- Analyzing the Human Element of the Russia Dam Disaster
- Turbine 2: How a Track Record of Uncertainty Led to Disaster
- Russian Dam Disaster: A Reckoning for Bypassed Safety
- When Running People Past Their Breaking Point Effects Safety: The Bayer Crop Science Incid…
A Maintenance Process Hazard Analysis: Piper Alpha Incident
Among the physical causes of the initial process safety incident, maintenance should be at the top of the list. That basic safety management failure struck the first match.
How tightly does a flange have to be bolted to prevent vapor leaks on a condensate line pressurized to 650 psi? Most people that have been in an oil production environment understand how critical that answer is. The problem is that on the Piper Alpha platform, a PSV (pressure safety valve) had been removed and a blind flange put in its place, and indications are that the bolts were only finger tight. The maintenance person left it that way and no supervisor or process safety engineer came back to check it, so it stayed that way. The most basic oil and gas safety protocols was not implemented.
On July 6, 1988, a process upset caused a condensate pump to trip triggering events that caused the flange to release about 45 kg of condensate into module C on the platform. Nobody in the control room was aware of the explosive situation. Basic safety instrumentation functions were compromised because gas detectors were not working, were sending unclear warnings, and/or were simply being ignored because they were known for sending false alarms. The condensate found an ignition source. That safety incident set the larger disaster in motion.
But let’s back up a few hours to the time before the fires began. Maintenance had been working on the Module C condensate injector pumps A and B. This was not a major rebuilding. Reports after the incident say that it was strictly a fix-what’s-wrong-and-get-them-working-again situation. PSV 504 on pump A was removed so it could be taken back to the shop and the flange put in its place. The decision was made that it was OK to resume production with only pump B fully operational.
The message that pump A was out of service and could not serve as a backup did not get to the control room or the operators were simply not paying attention. Either way, when pump B tripped after a process upset, the operators tried to start pump A. Condensate began escaping from the loose flange into Module C and the platform’s fate was sealed. Maintenance procedures were not very tight on the platform, so the breakdown in communication as to the condition of pump A was not uncharacteristic. The permit-to-work system failed and the pump was not tagged as needed. There was no follow-up inspection or adherence to safety compliance.
Investigations following the incident would point to a history of shortcuts, poor conformance with procedures and a general lack of experience among the maintenance men. Reports suggested that the maintenance procedures that did exist were inadequate and did not go into sufficient depth on critical matters such as tagging and locking off equipment that was not fully functioning. Night-shift operators were often in the dark as to what had been going on with maintenance operations during the day. With a weak process safety culture, such situations were not part of a safety management plan.
