DEEPWATER HORIZON
WHAT HAPPENED?
DESIGN FAILURES AND SYSTEM LIFE CYCLE
ISSUES AND FINDINGS RELATED TO PEOPLE, WORKPLACE & MANAGEMENT
On the 20th April 2010, the Deepwater Horizon oil rig encountered critical errors which lead to a catastrophic system failure.
At 9:56pm the highly flammable gas vapour ignited, exploding meters into the air
The blaze continued, unable to be extinguished for 36 hours. Figure 1 shows attempts to douse the blaze.
On the 22nd April 2010 the rig capsized and sunk. This ruptured the riser and without the counter pressure of the injected drilling mud the oil was released unopposed into the gulf.
Oil continued to spill into the ocean for 87 days before the companies were able to completely secure the leak.
Over 5 million barrels of oil were estimated to have leaked over the duration the well was not sealed. At it's peak there was potentially up to 60000 barrels worth a day (Pallardy, 2019), contaminating waters, endangering wildlife and marine animals
9:31pm Pressure in the marine riser increases significantly. Night shift staff respond by closing down the pumps
11 people lost their lives, and 17 were injured
WHY IT HAPPENED?
Lack of regulatory supervision
No cement bond log performed to determine the integrity of the seal
Human Factors
MECHANICAL FAILURE
Multiple negative pressure test readings indicated a leak somewhere within the system
Results were misinterpreted
A second test was performed through the kill line. This test showed there was no pressure rising
No follow up to the discrepancy despite both test supposed to have been reading the same. The workers were behind schedule and they failed to investigate further due to time constraints
Workers assumed the results from the kill line were correct and ignored the higher reading from the previous test
The night shift manager used faulty logic to explain the results as a 'bladder effect' and continued operations (Darlow Smithson Productions, 2012)
PEOPLE
A level of arrogance caused an oversight of results and other workers felt they were not able to challenge the decision
CONCEPT & DESIGN
CONTSTRUCTION
DECOMMISSIONING
MAINTENANCE
There were no industry standards for how a negative pressure test should be conducted or the way in which results should be interpreted. Tests were interpreted based on personal knowledge and experience. (Tabibzadeh & Meshkati 2014; Tabibzadeh & Meshkati; 2016)
Failures to report safety concerns from all parties
Deepwater Horizon was a mobile offshore drilling unit designed to drill some of the deepest offshore oil and gas wells.
FAILURES
Workers were scheduled on a 21/21 based roster with 12 hour shifts
CULTURAL FACTORS
Transocean employees considered to have an excellent safety culture
Shift change occurred during these tests, different staff and supervisors left to interpret results
This dramatic representation visually aids out understanding of events leading up to and during the incident. Source: Seconds from Disaster (2012)
Figure 1: Deepwater Horizon oil rig; fire
Source: Encyclopedia Britannica (2010)
Production rewarded - safety issues may cause further delays
Figure 2: Macondo Well
Source: British Petroleum (2010)
The HVAC fans in the engine rooms were not designed with automated devices which would have shut down controls on detection of gas. This allowed flammable vapours to enter and ignite in the engine room (BP, 2010)
Completely isolated from the mainland and reliant upon each other
Different levels of expertise and acquired knowledge on each shift
Potentially missing family and friends, fatigue from extra weeks of work
Not willing to bring up potential issues, overlooking potential failures in favour of 'getting the job done'
Kill line possibly/probably blocked or damaged at some point during operations and there was no follow up investigation performed to investigate discrepancies between the negative pressure test and kill line read.
BLOW OUT PREVENTER (BOP)
BP (2010), acknowledges that the safety systems on the rig relied heavily on manual or human intervention in the event of an emergency
The blind shear ram component of the BOP has no backup. As the only section of the BOP capable of completely severing the drill pipe and isolating the rig from the well it is of critical importance.
NATURE OF SYSTEM AND SYSTEM PARTS
HUMAN INTERFACE
MECHANICAL SYSTEM with elements of HUMAN SUPERVISORY CONTROL
EXTERNAL INFLUENCES
ENVIRONMENT
MECHANICAL/HYDRAULIC
MANAGEMENT
INFORMATION TRANSFER
Lack of investigation of real time data, no communication between onshore and offshore regarding tests
REGULATORY
Missing documentation and certifications, lack of emergency procedures
Supervision of reasonably practicable safety protocols was lacking
ORGANISATIONAL AND SYSTEM DESIGN
Decision makers and management not present on the rig. Most of the critical decisions and logistics organized by personnel in Houston, Texas. (BP, 2010)
The rigging platform was owned and operated by separate parties
Leased by BP.
Multiple contractors utilized during operations
Suppliers/Logistics
Daily operations
Maintenaince
Owned and commissioned by Transocean
WORKPLACE
Mullins (2010), Pallardy (2019), Cook (2017) & Bea (2011) agree that despite Halliburtons rebuttal of BP's claims to the efficacy of it's cementing product, there is evidence to suggest that the nitrogen based foam cement did not create an adequate seal therefore allowed hydrocarbons to enter the riser
click to edit
The diagram in Figure 2 provides a view of the Macondo Well and the key mechanical components that malfunctioned leading to the disaster. This allows us to better understand the set up of the well and the sheer depth of engineering in place
This device is made up of several key components. The annular preventers, control pods, Blind Shear Ram, casing shear ram, accumulators, pipe rams and the test ram as are clearly show in Figure 4. Each section plays a crucial role within the system, however the Blind Shear Ram ultimately is the only means of sealing the well and shearing the drill pipes during an emergency blowout.
Did not learn from prior incidents, further safety precautions could have been taken from design through to operation
HUMANS
Deepwater and offshore drilling operations play a crucial role in the production and supply of oil and gas (Tabibzadeh & Meshkati 2014)
ENVIRONMENTAL FACTORS
Figure 3: Deepwater Horizon oil spill 2010: path of the oil
Source: Encyclopedia Britanica
Maintaining dynamic positioning
Economic impacts on other industries were significant, including but not limited to, fishing, tourism and others within the oil and gas sector as they faced increased scrutiny.
8000-12000 people temporarily unemployed or underemployed due to the ongoing crises.
Accessibility and timeframes impact schedules
Delays in maintenance due to ongoing issues during the drilling of the Macondo Well
Additional precautions required due to high levels of pressure and temperatures involved in the process of offshore drilling. Instability of the geological structures subsurface, increase the risk of an already unpredictable environment (National Academy of Engineering and National Research Council 2012)
Located in the Missisippi Canyon region of the Gulf of Mexico, approximately 50 miles (80km) offshore
Originally intended as an exploratory well to determine and survey the region for extractable oils and gases that may be further utilized in the future
Planned total depth of 19 650 ft (~6000m), however in April 2010, drilling was halted at 18 360 ft due to ongoing delays and complications.
Preparations for temporary well abandonment were underway
Several zones discovered at varying depths in the region (National Academy of Engineering and National Research Council 2012)
Different levels of pressure detected between the reservoir pores
Drilling mud needed to prevent reservoir flow
Seismological considerations due to geographic and geological location
Temporary well abandonment is where the drilling rig ceases operations, seals the well and essentially 'abandons' the well to be used by a different subsidiary at a later date.
Industry regulatory decisions
Emergency Personnel
Scientists
Company Officials
Engineers
Rig workers
Tides and currents
Weather impacts production and operation
Vessel required to remain static over well during the operation
HALLIBURTON / BP CEMENT SEAL
Professor Robert Bea is an experienced in all aspects of offshore platforms, from design management, engineering, risk mitigation, decommissioning of marine systems and was actively involved in the Deepwater Horizon investigations
Different engineers and contractors involved in all aspects
Lack of controls over maintenance of submerged parts
Inadequate reviews and safety checks
Requirements to ensure functioning system parts
BOP maintenance was not a priority
Water temperatures
Questions raised over drilling safety in the region, an area often affected by tropical storms and hurricanes.
Kaiser (2008) provides an overview of challenges faced within the region due to environmental instability. This research is important in understanding infrastructure considerations, importance of safety systems and evacuation procedures. This demonstrates alternative needs for the systems and shows the importance of maintaining the integrity of these systems in the event of critical failures. It also provides context to drilling time frames and deadlines to ensure smooth operation and preventative measures to avoid excessive impacts
Constructed by Hyundai Heavy Industries in South Korea 1998-2001 and delivered to Transocean
Sophisticated, dynamic positioning, multi-system multi-discipline requirements
Blow Out Preventer - connected to the well head
Blind shear ram
Annular preventers
Control pods powered by both electrical components and hydraulic systems
Drills
Casing shear ram -
Computer systems, monitors,
Control panels
Doors and locking mechanisms
Takes time and resources away from production
By the time the crew realized there was indeed a leak, it was to late to prevent hydrocarbons from entering the riser
EQUIPMENT
The blind shear ram was designed to effectively shut down the well and prevent this type of blowout (Gröndahl, et al. 2010). However this device malfunctioned - possibly damaged by the explosion, weakened by the counterpressure from the blow out or had activated earlier, puncturing the pipeline ineffectually (BP, 2010; Pallardy, 2019 )
BLOW OUT PREVENTER (BOP)
In the event of a blowout, a rig worker would hit the emergency button, sending an electrical signal through to the control pods.
The control pod would then redirect fluid from the rig and accumulators through a valve and into the Blind Shear Ram. The Blind Shear Ram would then cut through the drill pipes and effectively seal the well preventing overflow. (Gröndahl, et al. 2010)
Government Officials
Further risk analysis identified that a section of device showed that a valve, called the 'shuttle valve' was susceptible to failure. This valve, the only point designed to allow hydraulic fluid into the ram is a critical part of the system and in the even of its failure the well would not be effectively sealed (Gröndahl, et al. 2010)
Figure 6: Inside the Blind Shear Ram
Source: Gröndahl et al. 2010
Figure 4: Diagram of the inside of the Blow Out Preventer
Source: Gröndahl et al. 2010
Within minutes of the explosion one of the workers triggered the BOP but the device failed.
Economic pressures influenced a company culture of production over safety. Multiple sources indicate personnel were acknowledged for their performance enhancement and cost reduction achievements with productivity bonuses, whereas there was little acknowledgment of safety prowess (Tabibzadeh & Meshkati 2014
Halliburton, also referred to as Serry Sun, was one of the contractors. They were used to perform the concreting of the well for temporary abandonment
Administration disconnect from workers
Lack of regulatory controls for maintenance and checks that BOP systems are fully functional - third party checks were not standard practice (Laursen, 2016)
Most of the emergency functions of equipment relied on human input to control
Disconnect between switches caused equipment failure
'Dead mans switch' which should have activated in the event of power failure malfunctioned
Automated 'Dead Mans Switch' should have activated when the BOP lost contact with the surface, however this too failed
The concrete seal or plug for each well is specific to each site, according to pressure, geological structures and foundations
Macondo Well required a light weight mixture to meet the geological and pressure requirements of the site and a nitrogen based 'foam' cement for the base was chosen by BP and Halliburton for the task. (Cook, 2017)
Controversial decision to use a nitrogen based foam cement mixture by BP, later challenged by Transocean
Inter company conflicts
Economic pressures
Environmental regulations
Deepwater, offshore
Isolated
Exposed to elemental pressures
Not easily accessible
Multitude of stakeholders and investors
Procedural issues
Lack of documented procedures surrounding points of operation, such as the negative pressure test
Keel laid down in March 2000
Original company was R&B Falcon which was later acquired by Transocean
Safety inspections and audits of the vessel were not always performed promptly. Some were cancelled due to other commitments and weather, not all were rescheduled
The last few inspections of the entire operation were performed in under 2 hours indicating there may not have been a complete and thorough inspection of all the rigs safety mechanisms and equipment
Human fallacy played a key role in critical errors in the lead up to the disaster.
Over budget and behind schedule - incentives to speed up processes and complete operations
Pilot tests by Halliburton showed the slurry to be an unstable composition - information was not relayed to BP
Halliburton continued with the compound and Transocean and BP employees accepted the job as sound and continued operations without questioning the compressive strength of the cementing seal
Staffing provided by Transocean to assist in daily operation of rig
Rig Supervisors and management roles were filled by BP employees
These people made many of the key decisions with little consultation with rig workers or contractors
Gas alarm systems did not prevent ignition. There were no design measures in place to prevent the vapour from reaching ignition points once it had entered the riser. Had fail safes been in place to stop the gas from entering the engine room disaster may have been averted (BP, 2010)
Negligent maintenance of safety systems
During the process negative pressure tests were used to indicate well integrity. The results were debated between employees and ultimately perceived as acceptable readings
Degani (1996) paper, "Modeling human-machine systems: on modes, error, and patterns of interaction.’ This research document provides insight into the human-machine interface of systems that were standard at the time of construction of the rigging platform. This lends itself to further examination of predominant system styles and components utilized and the ways in which human factors were considered during interface design processes.
Gas alarm systems were in place however they did not prevent ignition points from being reached in the event of a blowout
Other stakeholders
Tourists
Locals to coastal towns
Tourism operators
Harsh
Remotely operated vehicles (ROV) were used in an attempt to close the pipes in the days following the blow out. They were not able to complete the task due to damage
The rig was only the second of it's type to be designed and constructed and the first to be dynamically positioned
Department of Justice (DOJ)
Electrical
Chemical
Envrionmental
Mechanical
Hydraulic
Drilling
Public Health Departments
Bureau of Ocean Energy Management, Regulation & Enforcement (BOEMRE)
Gas and ventilation systems
Airconditioning
Environmentalist groups
https://archive.nytimes.com/www.nytimes.com/interactive/2010/04/28/us/20100428-spill-map.html This webpage provides a great deal of information following the initial system failure. It demonstrates clearly the effects on surrounding areas and environmental impacts caused by the disaster. Aigner, et al. further provide a 100 day composite tracking the spill from the explosion through to when the well was finally sealed.
click to edit
Management overrode safety and operational decisions due to time constraints and budget
Safety concerns regarding the appropriate number of centralizer required were not relayed in a manner demonstrative to their importance
An important part of cementing the well is the exact positioning and central placement of the seal. There were 6 centralizers already onboard the rig to undertake cemmenting task.
Simulated models of the procedure demonstrated that 6 centralizers were not going to provide adequate stability for the process and result in less than desirable results concerning safety and sealing capabilities
A total of 21 centralizers would be required to safely complete the cementing job
15 more were sourced and dispatched to the rig however the time that it would take for these to be set up would delay operations further (Darlow Smithson Productions, 2012)
The crew were ordered to continue with the cement seal with the initial 6 units.
Drilling mud is used to lubricate the drill and remove waste by-products. Furthermore it provides a plug to stop the natural oil and gas from entering the pipe and escaping prematurely
Battery was to low to power back up systems
Fishing industry workers
Geological considerations
Rig workers failed to divert oil and gas through systems designed to pump such a spill safely overboard. They attempted instead to separate the mud and gas, which ultimately led to gas covering the platform. (Cook, 2017)
Nitrogen weakened the foundations of the cement and prevented it from curing correctly
Over confident in abilities due to previous successes. The crew had demonstrated abilities in the drilling industry and had recently completed the task of drilling the deepest well to date.
There had been multiple difficulties throughout the drilling of the Macondo Well and crew were glad to be seeing the end of it
Tabibzadeh & Meshkati (2014) attest that research shows there was a lack in information process relating to feedback loops and ensuring management were integrated within the BP organizational structure
Parts utilized for other projects where suitable
Would have been dismantled in stages
Life cycle varies depending on vessel based on a number of differ
Maintenance
Upgrades in technology
Regulatory conditions
Electrical failures led to system access being denied following initial explosion
Multiple components required electricity to function
Violations of the Clean Water Act (Pallardy, 2019)
Emergency control systems
Centralizers
Pumps
Vessel steering and navigation systems
Experienced individuals who overlooked results as they just wanted to get home or move onto the next operation
Responses under duress were not accounted for in procedural guidelines and emergency plans
The Macondo Well was in the process of being prepared for temporary abandonment. Employees were taking standard steps toward readying the rig for departure
Halliburton contractors completed the cementing seal that should have prevented the hydrocarbons entering the riser
Results were automatically sent to shore, no one bothered to relay the information
Seawater was used to displace drilling mud following the sealing of the well.
"We see what we want to see"
9.41pm Natural gas, oil and drilling mud blast into the air above the derrick. It had traveled to far to be prevented from entering the riser before detection.
Figure 5: Diagram of Deepwater Horizon oil rig
Source: Park, Roberts & Tse, 2012
Communications
Required specialist expertise and engineering skills
Cost over $300 million to complete
Failure to maintain the BOP
Training and knowledge of operation required
No continuous monitoring systems
Business communication systems lacking - breakdown in communications between BP, Halliburton and Transocean employees
Failures by BP to transfer risk assessment systems and findings to offshore management
Communication breakdown between the driller and mud logger led to ineffective well monitoring (Tabibzadeh & Meshkati, 2014)
Deficits in training documentation protocols
Failures to address increased risks and delegate tasks accordingly
Lack of risk mitigation controls
Failures in updating procedures as changes were made
Environmental impacts are still ongoing and the massive loss of marine and avian life in the area as a direct result of the oil spill will impact the Gulf for generations.
OPERATION
Joint operations with different staff from multiple companies. Necessary for contractors and company employees to liaise and work together on projects
Health and safety screening of new employees to ensure fitness for tasks
Adherence to standards and codes of practice as outlined by regulatory guidelines and company protocols
Inductions for new staff, training and updating certifications and qualifications of all employees
Simultaneous operations required for day to day activity of the rig
Bea (2011), identifies that many organisations diminish safety standards in favour of profit and production without comprehending the link between these factors. BP's (and Transoceans) culture relied on the production results without first developing a sustainable safety culture
Multiple methods to stop the flow were used over the course of the spill, including the use of ROVs and
Advertising companies
Hoists
Diesel engines
Casings, riser
Drilling equipment
Mud mixer
Pipes and hoses
Simultaneous operations divided staffing focus
Drilling line
Mud Gas Seperator
click to edit
Design and testing of the BOP was not adequate to dynamic condition specifications and were not reliable for a fail safe device of this importance
This two part presentation by lecturers at Stanford University provides further analysis of the disaster, breaking down sections into key factors that contributed to the overall disaster
Mud gas separator was not appropriate for emergency use