Piper Alpha and the Cost of Not Coordinating Your Protection System

The 1988 Piper Alpha disaster killed 167 people. The immediate cause was a gas leak from a condensate pump that had been taken offline for maintenance. A permit-to-work had been issued for the pump's pressure safety valve, but when the night shift started the backup pump — unaware that the safety valve had been removed — gas escaped, found an ignition source, and the resulting explosion and fire destroyed the platform.

One contributing factor: a permit-to-work system that allowed live equipment to be isolated without proper coordination across the electrical and process systems. The investigation, led by Lord Cullen, revealed systemic failures in how isolation, protection, and operational coordination were managed. The lessons extend far beyond offshore oil and gas. They apply to every electrical installation where protection devices must coordinate to prevent cascading failures.

This article examines what Piper Alpha teaches about protection coordination in electrical systems — including small LV systems where engineers often assume coordination "does not matter."

The Piper Alpha investigation revealed a fundamental coordination failure: the permit-to-work system did not ensure that all affected systems were aware of an isolation. The condensate pump had been isolated for maintenance, but the permit was stored in a filing cabinet, not communicated to the incoming shift. When the backup pump was started, the protection system that should have prevented operation without the safety valve was not in place.

Translate this to electrical protection: a circuit breaker is racked out for maintenance. The upstream protection relay is not informed. A fault occurs on an adjacent circuit. The upstream relay trips, de-energising the entire switchboard instead of just the faulted circuit. A process that was running on the "healthy" circuits shuts down without warning.

This is a protection coordination failure. The upstream device operated before the downstream device because the downstream device was not present, not set correctly, or not communicating with the upstream device. The result is loss of supply to circuits that should have remained energised.

On Piper Alpha, the consequences were catastrophic because the failure involved process safety systems. In an LV distribution system, the consequences are typically commercial rather than fatal: production downtime, data loss, or equipment damage. But the engineering principle is identical. Uncoordinated protection systems fail in exactly the same way, regardless of voltage level.

Protection coordination (also called discrimination or selectivity) means that when a fault occurs, only the protective device closest to the fault operates. All upstream devices remain closed, maintaining supply to healthy circuits. This is fundamental to reliable power system design.

A coordinated system has:

• Time-graded or current-graded selectivity between upstream and downstream devices
• Documented coordination studies showing that for every fault scenario, the correct device operates first
• Protection relay settings that are calculated, not assumed
• Regular testing and verification of protection device settings

A non-coordinated system has:

• Circuit breakers selected based on breaking capacity alone, without coordination analysis
• Default relay settings left at factory values
• No documentation of which device will operate for a given fault current
• An assumption that "the breaker closest to the fault will trip first" (which is often incorrect)

The majority of small commercial and industrial LV installations I have reviewed over my career fall into the non-coordinated category. The circuit breakers were selected for current rating and breaking capacity. Nobody ran a coordination study. Nobody checked whether the 630 A MCCB at the main switchboard will actually remain closed when the 63 A MCB on a sub-distribution board clears a fault.

In many cases, the main MCCB trips first because its instantaneous setting is lower than the prospective fault current at the sub-board. The entire installation loses power because of a fault on one circuit. This is not a failure of the equipment. It is a failure of the engineering design process.

Current Transformer Isolation (CTI) is a protection technique where current transformers on the outgoing circuits of a switchboard feed protection relays that provide time-graded overcurrent and earth fault protection. CTI is standard practice on HV and large LV systems but is rarely specified on small LV installations.

Here is why it should be:

• Discrimination at high fault currents: Moulded Case Circuit Breakers (MCCBs) have instantaneous trip elements that operate in milliseconds for fault currents above the instantaneous threshold. When the prospective fault current at a sub-board is in the instantaneous range of both the sub-board MCCB and the main switchboard MCCB, discrimination is impossible with MCCBs alone. CTI provides an alternative: the current transformer on each outgoing circuit feeds a relay with a defined time delay, ensuring the downstream device always operates first.
• Earth fault sensitivity: MCCBs typically have earth fault sensitivity of 50–100% of the phase overcurrent setting. For a 400 A MCCB, the earth fault threshold might be 200–400 A. An arcing earth fault of 50 A will not be detected by the MCCB but will be detected by a dedicated earth fault relay connected via a core balance current transformer with a setting of 100 mA to 1 A.
• Operational flexibility: CTI allows protection settings to be adjusted without replacing hardware. If load patterns change, or if additional circuits are added, the relay settings can be re-calculated and updated. With MCCBs, the only way to change the protection characteristic is to replace the MCCB with a different model or rating.

A protection coordination study is not a luxury reserved for HV installations. Every LV installation with more than one level of protection (which is virtually every installation) benefits from a formal coordination analysis. The study involves:

1. Single-line diagram: Document every protective device from the point of supply to the final circuits, including device type, rating, and breaking capacity.
2. Fault level calculation: Determine the prospective fault current at every switchboard and distribution board. This requires knowledge of the supply transformer impedance, cable impedances, and the network configuration.
3. Time-current characteristic plotting: Plot the time-current curves of all protective devices on the same axes. Check that for every fault current value, the downstream device operates before the upstream device with adequate time margin.
4. Setting adjustment: Where discrimination is not achieved, adjust relay settings, change MCCB trip units, or add time delays to achieve selectivity.
5. Documentation: Record the final settings, the coordination curves, and the fault current values used. This documentation is essential for future modifications and for technical audits.

The Piper Alpha lesson is that this analysis must be done proactively, as part of the design process, not reactively after a failure. A protection system that has never been analysed for coordination is an assumption, not a design.

Lord Cullen's inquiry report made 106 recommendations, many of which transformed safety management across the offshore industry. The underlying principle applies equally to electrical protection design:

"Safety is not achieved by compliance with regulations alone. It requires an active, questioning approach to every decision that affects the safety of people and plant."

Applied to electrical protection, this means:

• Selecting a circuit breaker that meets the breaking capacity requirement is necessary but not sufficient. You must also verify that it coordinates with every other device in the protection chain.
• A protection relay setting left at its factory default is not an engineering decision. It is an absence of engineering.
• A permit-to-work system that does not account for electrical isolation is incomplete, regardless of how thorough the process documentation appears.
• A switchboard without a documented coordination study is an unverified assumption about how the protection system will behave under fault conditions.

Every time you design a protection system, you are making decisions about what happens when things go wrong. Those decisions deserve the same rigour as the decisions about what happens when things go right. Run a protection coordination analysis on your next project. Verify that your protection system does what you think it does. The cost of checking is trivial. The cost of not checking was demonstrated on 6 July 1988.