Project by,
Abel Jacob - 1551351
Vibin Mathew Saju - 1587483
Ravi Visveswaran - 1450192
Table of Contents
Executive Summary
1. Introduction
1.1. Companies Involved
1.2. After Effects
2. Background
2.1. Timeline
2.2. Barriers Breached
2.3. Blowout Preventer
2.4. Effective Compression
3. Emergency Modes of Operation
4. Methodology
4.1. Fault Tree Analysis
4.2. Fault Tree Implications
5. Results
6. Discussion
6.1. Maintenance
6.2. Leaks
6.3. Testing
6.4. Modifications
6.5. Monitoring and Diagnostics
6.6. Human Errors
6.7. Organizational Accident Theory
7. Comparison
8. Recommendations
8.1. Technical Recommendations
8.2. Management & Financial Recommendations
9. Conclusions
10. References
Figures and Tables
Figure 1: Barriers breached and the relationship of barriers to the critical factors
Figure 3: The internal components of the blowout preventer used on the Macondo well
Figure 5: The components highlighted in red show the failure of Pod functioning
List of Abbreviations
Executive Summary
May 3, 2017
The blowout caused explosions and a fire on the Deepwater Horizon rig, leading to the deaths of 11
personnel onboard and serious injuries to 17 others. The rig sank two days later, leaving the Macondo well
spewing oil and gas into Gulf waters for 87 days. The hazards were identified as mechanical failure (failure of the blowout preventer), personnel hazards (inadequate training of the personnel on the rig), environmental hazards (storms, hurricanes, ocean currents) and health hazards (chemical and fire hazards).
The case study aims to assess the important parameters that have to be considered when analyzing system safety. The study primarily focuses on the failure of a critical component known as the blowout preventer. The events leading to its failure are highlighted, and a fault tree analysis has been completed to give the reader a detailed understanding of the single point failures. Based on the analysis, various factors such as maintenance, leaks, diagnostic and monitoring systems and human errors are highlighted as key features which were overlooked. Finally, a comparative study of Deepwater Horizon with that of NASA Challenger gives the reader further knowledge of the concept of normalization of deviance.
1. Introduction
On April 20, 2010, the Deepwater Horizon mobile drilling unit exploded, caught fire, and eventually sank,
resulting in a massive release of oil and other substances from BP’s Macondo well. Initial efforts to cap the
well following the explosion were unsuccessful, and for 87 days after the explosion, the well blasted oil
and natural gas continuously and uncontrollably into the northern Gulf of Mexico. According to the U.S.
District Court’s findings of fact, approximately 3.19 million barrels (134 million gallons) of oil were
released into the ocean, by far the largest offshore marine oil spill in U.S. history.
1.1 Companies Involved
The following companies owned, operated or provided services to the drilling rig:
Transocean Ltd - The Zug, Switzerland-based Company owned and operated the Deepwater Horizon Rig.
The rig went into service in 2001 and was drilling the Macondo prospect about 40 miles off the coast of
Louisiana.
British Petroleum - BP hired Transocean's rig at a rate of about $500,000 per day to drill the well. BP is the
Anadarko Petroleum Corp - The Houston Company owns a 25 percent non-operating interest in the well.
Cameron International Corp - The Houston Company supplied a piece of equipment known as a blowout
preventer. Blowout preventers are put in place to stop an uncontrolled flow of oil or gas. The Deepwater
Halliburton Co - The oilfield services company, which has headquarters in Dubai and Houston, provided a
number of services on the Deepwater Horizon. The company was providing cementing on the well to
1.2 After Effects
1.2.1 Environmental Effects: Nearly 10 million pounds of oily residue was removed from Louisiana
shorelines between June 2011 - April 7, 2013. However, more than 200 miles still has this oily residue
embedded in its marshlands, killing vegetation and causing erosion. While Louisiana was the hardest hit,
Alabama, Mississippi, and Florida shorelines were also impacted. Here's how much oil residue was
collected between June 2011 and March 2013: Louisiana -- 9,810,133 pounds Alabama -- 941,427 pounds
1.2.2 Impact to Wildlife: In 2011, half of the area's bottlenose dolphins were compromised by lung
disease. An NOAA study reported this type of disease is caused by "toxic exposure to oil." Nearly 20%
were so ill they weren't expected to live. More than 1,700 sea turtles were found stranded (between May
2010 and November 2012), compared to 240 normally found a year. In addition, 930 dolphins and whales
were stranded (between February 2010 and April 2013), compared to 20 normally found. To replace lost
foraging habitat for ducks and other migratory birds, 79,000 acres of harvested and idle rice fields have
1.2.3 Economic Effects: The economic damages to the communities, businesses, and individuals
affected by the spill can be at least partially quantified by examining the damage claims BP has paid to
date. As of December 2014, BP had paid more than $13 billion in damage claims, including $1.4 billion to
governments for economic damages, and $11.6 billion in economic damages and medical claims to
individuals and businesses, agreement does not include a cap on paying for legitimate claims. In 2013, the
claims center overseeing claim compensation projected that total claim costs could rise to $19.5 billion. BP
also set up a fund of $2.3 billion for the seafood industry, of which $1 billion had been paid out as of
December, 2013. Separately, Halliburton has set up a $1.1 billion settlement fund to compensate businesses
and property owners affected by the spill. The affected states have not yet been compensated for economic
damages.
2. Background
2.1 Timeline
The drilling rig is a mobile, temporary platform that drills the well, identifies viable hydrocarbon reserves,
and makes it safe and ready for a more permanent production platform. This involves drilling a deep
borehole in stages and filling the casing with cement. Deepwater Horizon was as a whole at the last stage
of its drilling phase, and a temporary abandonment was underway before handing it over for production.
BP was the well owner, and was also responsible for the design of the well and for leasing the rig;
Transocean were the owners and operators of the rig; providing the rig crew (for example the tool pushers
and drillers), and Halliburton was responsible for the cement operations.
On April 20th, an integrity test of the well was carried out: a positive pressure test (successful) and a negative pressure test (results interpreted as successful). This test places the well in a controlled underbalanced state to test
Around 17:35, while carrying out the negative pressure test, the BP team leader realized that the rig crew
was using a process for negative testing that was not the BP preferred method. Operations were reconfigured to
meet the requirements of the permit (a permit is a safety system which only allows work to progress when
authorized persons have set out the way the work will be carried out, and defines roles and responsibilities
Between 18.42 and 20.00 a negative pressure test was done in the kill lines. The line was monitored for 30 minutes and showed no flow. Even though they noticed that the drill line pressure was still high, they ended up concluding that this was due to the phenomenon of the ‘bladder effect.' The crew assumed that the negative
Around 20.00 the crew started regular activities for temporary abandonment of the well (as it was deemed commercially viable for production drilling) – this involved returning it to the normal ‘overbalanced’ position with drilling mud instead of seawater. However, during this process, around 20.52, the pressure on the drill side became lower than in the reservoir, and thus hydrocarbons started to flow. The crew failed to
At 21.08 the team shut down the pumps as part of carrying out a test to check whether fluids could be displaced overboard.
At 21.40 mud started overflowing onto the rig floor. The crew diverted the mud flow to the mud gas separator. When the team closed the annular preventer, the drill pipe pressure started to increase steadily. In the end, mud and hydrocarbons discharged onto the rig and overboard. This was the well blowout that happened around 21.45. At approximately 21.47 gas alarms started sounding on the rig. There was a rapid
At 21.48 the hydrocarbons entered the engine room air intake, and explosions happened. This resulted in extensive damage, possibly damaging the MUX cables which were to communicate between the rig and the blowout preventer. Thus emergency shutdown activation was unsuccessful, and the BOP was unable to seal the well. The hydrocarbons continued to feed the fire and explosions.
2.2 Barriers Breached
There were many interlinked factors that contributed to the incident on the Deepwater Horizon. In other words, different layers of protective barriers were breached on the day of the incident.
Figure 1: Barriers breached and the relationship of barriers to the critical factors
2.2.1 Barrier 1 Annulus Cement Barrier: - The cement barrier on the final stretch of the well did not isolate the hydrocarbons. The cement slurry design, which was critical because of the pore pressure, was not up to the requirements. In Deepwater, however, the technical review of the slurry design gave heavy emphasis to cost and production implications. Little focus was given to important aspects of design, for example, foam stability, contamination effects, and fluid loss potential. From the lab tests carried out as part of the investigation, it is evident that the slurry used was an unstable mixture at the pressures and temperatures of that drilling depth. The slurry was not fully tested before use. Also, the necessary setting time was not given to the cement mixture. The initial testing conducted in the well around 10.5 hours after cementing,
2.2.2 Barrier 2 The Shoe Track Barriers: - The Shoe and track barriers which were the second level
of defense did not isolate the hydrocarbons. After the annulus cement had failed to isolate the reservoir, a
mechanical barrier failed and enabled hydrocarbon ingress into the wellbore.
Figure 2: Failure of Shoe Track Barrier
2.2.3 Barrier 3 The Pressure Tests: - The negative pressure test was misinterpreted, and the well
integrity was not established. Initially, a positive pressure test was carried out successfully, followed by the
negative pressure test. The objective of the negative pressure test is to test the ability of mechanical barriers
to withstand the pressure differentials during subsequent operations. During the negative pressure testing,
the BP Macondo team did not recognize the importance of some events like the high fluid returns (15 bbls
taken rather than 3.5 bbls expected). This excess flow should have indicated to the rig crew that there was
However, the (Transocean) rig crew’s ‘preferred method’ was to monitor the drill pipeline rather than the kill line, which was required as per BP standards. The well site leader noticed the discrepancy and they proceeded with the BP Macondo method. The rig crew was, therefore, unfamiliar with the testing process they were now using. Thus both parties failed to accurately interpret the negative pressure test results. The rig crew suggested that the drill line pressure of 1400psi was due to a phenomenon they had seen before called the ‘bladder effect.' The well site leaders and rig crew accepted the hypothesis and moved forward.
2.2.4 Barrier 4 Well Monitoring Failure: - At 20.52 the well became underbalanced again and hydrocarbon influx resumed, which went undetected by the crew. Flow increase from the well was discernable from real-time data from 20.58. But the rig crew, who were involved in abandonment activities such as setting a cement plug, bleeding off the riser tensioners, and transferring mud to the supply vessel, may have been distracted from monitoring the well. At 21.31 the mud pumps were shut down. The pressure on the drill pipe increased by approximately 560psi between 21.31 and 21.34. These data suggest that hydrocarbons entered the riser at 21.38 and the crew started well control actions at 21.41.
2.2.5 Barrier 5 Well Control Response Activity Failure: - At 21.40 mud flowed uncontrolled on to
the floor of the rig. The rig crew attempted to gain control by closing the annular preventer. However, this
did not seal properly and was too late as hydrocarbons were already in the riser. In the meantime, the crew
started diverting hydrocarbons to the mud gas separator (MGS). The alternative of dumping it overboard
through the 14in pipe was not chosen. The alternative would have diverted it safely overboard. Real-time
data was lost at this point – there were fires and explosions. When the supervisor tried to initiate the
Emergency Shut down (ESD) system, the sequence did not activate due to damaged cables
2.2.6 Barrier 6 Fire and Gas System Failure: - The high-pressure hydrocarbon was diverted through the MGS, which was designed for low pressure only. The vent points near the MGS released the gas onto the rig and into potentially confined spaces. The design of the MGS allowed high-pressure hydrocarbons to be diverted into the system by default even when this was outside the design specification.
2.2.7 Barrier 7 Hydrocarbon Surface Containment Failure: - The HVAC system directed the gas-rich mixture from the MGS outlets into the engine rooms, causing an engine to overspeed and creating a source of ignition. There were no gas detection systems in the HVAC systems. All the gas detection systems required manual activation. This design was chosen to prevent false gas detection trips.
2.2.8 Barrier 8 BOP Failure: - There were three different routes to activate the BOP emergency mode. The fire may have damaged the cables which provided electronic communication to the pods, preventing the EDS from initiating the Blind Shear Ram (BSR). The second route was the Automatic Mode Function (AMF), which depended on either of the two control pods on the BOP to activate the BSR if certain conditions were satisfied. Further analysis of the control pods showed that they were not functioning properly: the first pod had a failed solenoid valve, and the other had an insufficient battery.
2.3 Blowout Preventer
The BOP is a system of valves designed to shut in a well in the event of well control issues such as kicks,
or if a sudden increase in wellbore pressures occurs. It was invented by Cameron International, a company
based out of Texas, which provides flow equipment to oil, gas, and other process industries. The company
manufactured the BOP used at the Macondo well site. The BOP was designed to cut through casing and
shear through pipe to shut off a well. The various shut-in devices on the BOP used on the Deepwater
The use of the various devices depends on the well control situation as well as other factors such as the presence of pipe or casing. According to API 16D standards, the Deepwater Horizon BOP required at least four remote-controlled, hydraulically operated rams during offshore operations. This was based on the depth and
All of the rams on the BOP failed to close properly during the blowout event that occurred on the Deepwater Horizon. Here is a brief explanation of each ram and its significance in understanding the working of the BOP.
Annular Preventers are rubber donut shaped seals that close around the pipe sealing the well. They can
also seal the well with an absence of pipe in the hole. A process known as stripping occurs when the annular
is closed around the pipe, and the pipe is moved upward or downward during this time. Primary
investigations by CSB indicate that stripping had occurred in the BOP and pieces of rubber were detected
Variable Bore Rams (VBR) are metal bars with circular ends that seal the well by clamping around the drill pipe, sealing the annular spacing and sealing off further hydrocarbon influx into the rig. These were designed to operate within the 5000 – 10000 PSI range of fluid pressure. There were 3 VBRs in the BOP.
Blind Shear Rams (BSR) are the last line of defense among the various devices on the BOP. They seal the well by cutting the drill pipe or other material that is in the well. However, the blind shear rams cannot cut through tool joints. Tool joints play a significant role in our analysis. The presence of a tool joint across the section to be sheared off hampered the efficiency and performance of the BSR.
Casing Shear Ram (CSR) is designed to shear off the casing pipe in case of any failure. It has been reported
that this ram was not closed during the emergency shutdown. The reasons are unknown and hence we
assume failure of CSR to be a common cause failure with a variety of impacting factors.
Figure 3: The internal components of the blowout preventer used on the Macondo well. The function of
each component is labeled next to each instrument. From, “Investigating the Cause of the Deepwater
Horizon Blowout.” The New York Times 21 June 2010. Web. 28 Apr 2011.
2.4 Effective Compression
and curbed further influx of hydrocarbons onto the rig. The already escaped hydrocarbons above the VBR
started rising up to the rig thereby creating a region of low pressure between the top surface of VBR and
upper annular. As a result of the large differential pressure between the inside and outside of the drill pipe,
the straight drill pipe buckled. This has been termed as effective compression.
Figure 4 describes the consequence of effective compression. In an emergency, the BSR is supposed to close around a centered pipe, shearing it off and sealing the well. However, in this accident the buckled pipe was off center and the BOP could not shear it off. It ended up puncturing the pipe, which began leaking oil uncontrollably.
3. Emergency Modes of Operation
There were primarily six emergency modes of operation to activate the closure of the BSR. Based on our readings and comparison with our analysis model, we were able to conclude what key factors led to the failure of each mode. As soon as the fire and explosion took place, the emergency disconnect sequence (EDS) failed as the communication and transmission lines (MUX cables) to the blowout preventer were cut off. This was the primary method available to the rig personnel for activating the BSR and sealing the wellbore.
The critical condition of certain components in the blue and yellow control pods on the BOP prevented the
activation of Automatic Mode Function (AMF), which was designed to operate automatically without the
intervention of any rig personnel and the MUX cables. Further to the investigation done by CSB on the
BOP, it was detected that both the redundant pods were ineffective (Figure 5). The batteries in the blue pod
which supplied electrical power to operate the computer and solenoid valve were out of charge whereas a
faulty wiring of the solenoid coil in the yellow pod rendered the yellow pod ineffective. This is better
Figure 5: The components highlighted in red show the failure of pod functioning. From “Deepwater Horizon Accident Investigation Report”, BP Report. Web. September 201
| Sl. No | Emergency Modes | Method | Requirements | Success or Failure |
|---|---|---|---|---|
| 1 | High Pressure BSR Function | Crew Initiated | One POD, MUX Cable, Manual Activation | Failed |
| 2 | EDS Function | Crew Initiated | One POD, MUX Cable, Manual Activation | Failed |
| 3 | AMF (Deadman Switch) | Automatic | One POD, Manual Activation | Failed |
| 4 | ROV Initiated AMF | ROV | One POD | Failed |
| 5 | ROV Initiated Auto shear | ROV | Hydraulic Supply from Accumulators | Partially Succeeded |
| 6 | ROV Hot Stab | ROV | ROV Seawater Pump, Ex. Hydraulic Supply | Failed (15 attempts) |
Table 1: Comparison of 6 Emergency Modes included in BOP
The six Emergency modes of BOP Operation are explained briefly as follows:
1. High Pressure BSR Function: This was done by the rig personnel from the control panel which
2. EDS Function: The crew personnel initiates this system to close the BSR. But because the MUX
cables were cut off, this system failed to work its intended function.
3. AMF: An automatic method to close the BSR when electrical power and hydraulic power is lost
from the rig. This failed to work due to the failure of critical components of the control pods.
4. ROV Initiated AMF: The AMF sequence is initiated using an ROV to cut communication and
hydraulic lines at the LMRP. This did not work due to the critical conditions of key elements in the
control pods.
5. ROV Initiated Auto shear: An ROV is used to cut across the auto shear activation rod to close
high pressure BSR. The accumulators on BOP stack were the only source of hydraulic power. This
system partially worked to close the BSR but could not completely seal the well.
6. ROV Initiated BSR: An underwater ROV used an underwater sea pump to close the BSR. Various attempts were made prior to and after the rig sank, but all were in vain.
Table 1 highlights one of the key features applicable to our analysis. The interdependency of the emergency modes means that a single failure could affect multiple modes of BOP operation.
4. Methodology
4.1 Fault Tree Analysis -2
4.2 Fault Tree Implications
In our FTA, the three legs of the fault tree signify failure of the BOP via BOP component failure, non-shear failure and common cause failure. While we went deeper into the first leg of the fault tree, the second and third legs of the tree show that BOP component failure may not have been the sole cause of the incident.
Moving into the first leg of the tree, we divided the failures into lower marine riser package (LMRP) failure and BOP stack failure. The LMRP had two annular preventers, which had three main modes of failure: the presence of a tool joint, improper rubber seal specifications and common cause failures. The presence of a tool joint at the point where the annular preventer hugs the drill pipe would reduce the effectiveness of the annular preventers, and the use of rubber materials of improper specifications can also cause the annular preventer to fail. The third reason for failure is a combination of common cause failures, which are explained in detail below as part of the third leg of the tree. The third leg of the tree is again transferred
The BOP stack failure can be because of the failure of all 5 rams in the BOP stack (3 VBRs, CSR and BSR). The variable bore rams as well as the casing shear ram have common cause failures as their failure modes, so we transferred the common cause failure leg of the tree into them. The blind shear ram had 4 ways of activation: manual activation from the rig, Automatic Mode Function, emergency disconnect sequence and a remotely operated vehicle. The first 3 mechanisms are done either through rig communications or dead man's switch mechanisms, while the ROV mechanism is an external mechanism. All of the first 3 mechanisms have a common failure mode, namely the POD failures along
The third section of the FTA represents the POD failure methods which would cause the first 3 mechanisms to fail. As you can see, the redundant yellow and blue PODs have four kinds of failure modes, namely computer failures, solenoid valve failures, electrical failures and PLC failures. The AND gates represents the
Looking into the second leg of the tree, non-shear failure can be due to either a high differential pressure in the drill pipe or a lack of tension in the pipe. The differential pressure between the inside and outside of the drill pipe can be explained through the process of pipe buckling, which can be attributed to effective compression that happened as a result of closure of the VBR while the drill pipe was at high pressure. Coming to the next situation, lack of tension in the drill pipe: from the Transocean documents it was found that optimum shearing characteristics are acquired when the pipe is motionless and under tension. Drill pipe can transmit high compressive loads, particularly when it uses the side walls of the BOP for lateral stability. In the case of the Deepwater Horizon on April 20, 2010, the drill string above the BOP had a “dry weight” of more than 150,000 pounds. If an effort is made to shear a drill string in compression, additional friction can be important. The BSR can shear off the drill pipe easily as long as it is under tension (stretched laterally) rather than in compression, where the two pieces being cut are pressed against each other and press on the shearing blades, making the required shearing force much greater. Also, under compression, the pipe may tend to be jammed into the rams, blocking the entire sealing. To keep the drill pipe string stretched (under tension), it is hung off a “hook” that is fixed to a “traveling block” whose vertical location can be brought up and down by a huge cable hoist in the drilling crane. At the time of the blast on the Deepwater Horizon, the dry weight of the entire drill string was 217,000 pounds, entirely carried by the hook and traveling block, and the total hook load floated around 360,000 pounds, as per the BP reports. As per witness statements the traveling block, which carries the hook load (weight of the drill
4.2.3 FTA Leg – 3 Analysis
We called the third leg of our tree common cause failure, which comprised human error, hydraulic failure, mechanical failure, MUX cable failure and press button control failure.
Hydraulic failure: - BOP as a whole is a hydraulic system which had 7 mechanisms which used hydraulic
energy for functioning. Any disruptions in the hydraulic energy would render the device ineffective. In the
Mechanical Failure: - Mechanical failure of critical components in the system may prove catastrophic in the end. The main types of mechanical failures are excessive deflection, buckling, ductile fracture, brittle fracture, impact, creep, relaxation, thermal shock, wear, corrosion, stress corrosion cracking, and various types of fatigue. For instance, erosion of the rubber packer sealing material in the annular preventers probably caused them to fail under high flow rate
Human Error: - Delayed emergency mode activation from the control panels by the operator, misinterpreted pressure test results owing to lack of training, and retrieval errors contribute to the human errors identified within the system. It also takes into account the various design and installation errors which
MUX Cable Failure: - The MUX cables contained the hydraulic, electrical and electronic lines from the rig to the BOP. In Deepwater Horizon the explosions on the rig damaged the MUX cable and hence
Press Button Control Failure: - The rig had two main control stations, the driller’s control panel (DCP) and the tool pusher’s panel (TCP); both contained a set of pushbuttons controlling the BOP functions.
5. Results
The fault tree constructed had a total of 18 OR gates and 17 AND gates. The proportion of AND gates implies the redundancies present in the system. The MOCUS method helped in reducing the first leg of the fault tree and ended up with more than 450 cut sets, which were later reduced to 20 minimal cut sets. While analyzing the minimal cut sets it became quite evident that common cause failures, POD failures and ROV failures were key factors of BOP failure. The first 16 of the minimal cut sets were different combinations of common cause failures, ROV failures and POD failures, whereas the last four cut sets were combinations of common cause failures and ROV failures.
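The MOCUS reduction described above, as an added Python example that is not part of the original report: it runs top-down cut-set expansion and absorption on a small fault tree for BSR activation, constructed from Table 1 and Section 4.2. The gate layout and all event names are assumptions for illustration, not the authors' 35-gate tree.

```python
"""MOCUS (top-down cut-set expansion) on a constructed, simplified fault tree.

The gate layout and event names are illustrative assumptions drawn from
Table 1 and Section 4.2; this is not the report's own 35-gate tree.
"""
from collections import Counter

TOP = "BSR_NOT_CLOSED"

# gate name -> (gate type, inputs); any name not listed is a basic event.
GATES = {
    # The BSR stays open only if every activation route fails. AMF needs one
    # working pod, so its failure is modelled directly as BOTH_PODS_FAIL.
    TOP: ("AND", ["CREW_ROUTES_FAIL", "BOTH_PODS_FAIL", "ROV_FAILS"]),
    # High-pressure BSR and EDS need the MUX cable and one working pod.
    "CREW_ROUTES_FAIL": ("OR", ["MUX_CABLE_CUT", "BOTH_PODS_FAIL"]),
    # The pods are redundant: both must fail (AND gate).
    "BOTH_PODS_FAIL": ("AND", ["YELLOW_POD_FAILS", "BLUE_POD_FAILS"]),
    "YELLOW_POD_FAILS": ("OR", ["YELLOW_SOLENOID_FAULT", "YELLOW_BATTERY_LOW"]),
    "BLUE_POD_FAILS": ("OR", ["BLUE_SOLENOID_FAULT", "BLUE_BATTERY_LOW"]),
    # ROV intervention needs hydraulic power from the pump or accumulators.
    "ROV_FAILS": ("OR", ["ROV_PUMP_INADEQUATE", "HYDRAULIC_LEAK"]),
}


def mocus(gates, top):
    """Expand the top event into cut sets of basic events.

    AND gates add their inputs to the current row; OR gates split the row
    into one new row per input. Rows are sets, so A AND A collapses to A.
    """
    pending = [frozenset([top])]
    cut_sets = set()
    while pending:
        row = pending.pop()
        gate = next((e for e in sorted(row) if e in gates), None)
        if gate is None:  # only basic events left: this row is a cut set
            cut_sets.add(row)
            continue
        kind, inputs = gates[gate]
        rest = row - {gate}
        if kind == "AND":
            pending.append(rest | frozenset(inputs))
        elif kind == "OR":
            pending.extend(rest | {i} for i in inputs)
        else:
            raise ValueError(f"unknown gate type {kind!r} on {gate}")
    return cut_sets


def minimize(cut_sets):
    """Drop every cut set that is a superset of a smaller one (absorption)."""
    minimal = []
    for cs in sorted(cut_sets, key=lambda s: (len(s), sorted(s))):
        if not any(m <= cs for m in minimal):
            minimal.append(cs)
    return minimal


def event_counts(minimal):
    """Count how many minimal cut sets each basic event takes part in."""
    return Counter(e for cs in minimal for e in cs)


def top_event_occurs(observed, minimal):
    """The top event occurs if all events of any minimal cut set are present."""
    observed = set(observed)
    return any(cs <= observed for cs in minimal)


RAW = mocus(GATES, TOP)
MINIMAL = minimize(RAW)

# Constructed scenario using conditions the report describes: MUX cables cut,
# yellow pod solenoid miswired, blue pod battery depleted, ROV pump unable to
# close the BSR.
OBSERVED = {"MUX_CABLE_CUT", "YELLOW_SOLENOID_FAULT",
            "BLUE_BATTERY_LOW", "ROV_PUMP_INADEQUATE"}

if __name__ == "__main__":
    print(f"{len(RAW)} cut sets before absorption, {len(MINIMAL)} minimal")
    for cs in MINIMAL:
        print("  " + " & ".join(sorted(cs)))
    print("events by cut-set membership:", event_counts(MINIMAL).most_common())
    print("top event in observed scenario:", top_event_occurs(OBSERVED, MINIMAL))
```

In this constructed tree MUX_CABLE_CUT appears in no minimal cut set: loss of the cable alone is covered by the AMF and ROV routes, so the pods and the ROV hydraulics decide the outcome.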
6. Discussions
Based on the analysis obtained from our fault tree, we have identified few key elements that were
6.1 Maintenance
As per the audit from BP maintenance management system one key finding was “Overdue maintenance in
excess of 30 days, totaling 390 jobs and 3545 man hours”. The subsea maintenance personnel recorded
BOP and other equipment maintenance manually on spreadsheets and daily log books instead of the MMS
provided by Transocean, which made it difficult to track BOP equipment performance level. The ram
bonnets of 3 VBRs were not recertified for the past 10 years whereas API standards require it to be certified
after 5 years. BP overlooked the 5 year replacement policy in the case of hydraulic hoses. As mentioned
earlier the solenoid valve in the yellow control pod was found to be defective. It also had a non OEM
electrical connector installed. The 27 Volt battery in blue pod was reported to have 7.61 Volts which was
too low to complete the AMF sequence, whereas in the yellow pod, voltage was measured to be 18.41
which is an indication of rapid decline. These were some of the key findings in our study.
6.2 Leaks
There were 6 major hydraulic leaks identified in the BOP control system. One of the leaks was identified at a hose fitting at the close side of the upper annular surge bottle supplying pressure to the annular preventer operating piston. The next major leak was identified at the shuttle valve, which is critical to the functioning of the BSR operating piston. It was identified that close to 54 gallons of hydraulic fluid were lost, which has detrimental effects on a system which is supposed to maintain at least 5000 PSI at all times. Hydraulic analysis confirms the fact that sufficient hydraulic pressure was unavailable to shear off the drill pipe an
6.3 Testing
Although industry standards such as API RP 53, BP standards and Transocean operating policy were in
effect prior to the incident, these were designed for surface tests prior to deployment and none of these
requirements included testing the high pressure BSR closing function. These testing standards did not
include any tests to check the functionality of the AMF and ROV systems. Although weekly function tests
were in place, they failed to identify any hydraulic leaks, except that a subsea engineer speculated there might
6.4 Modifications
Based on our extensive study, 19 known modifications have been identified in the BOP and its control
system. What surprises us is the fact that BP has mentioned this in their own report. The pipe ram receptacle
was connected to the test VBR (lower) and not to the middle VBR as was assumed. These modifications
were not documented on the BOP stack flow schematics, and they impacted the effectiveness of ROV
intervention.
6.5 Monitoring and Diagnostics
Diagnostics of the BOP control system were available to the rig crew and subsea personnel through an alarm indication system and event logger. The dedicated alarm lights on the TCP and DCP displayed the most critical fault alarms. The control system was capable of identifying faulty solenoid coil wiring, but the crew's unfamiliarity with using such systems proved to be detrimental in a way that they could not
6.6 Human Errors
6.6.1 Operation Error: 40 minutes after the primary blast, the emergency BOP activation systems were
activated by the crew. But their efforts were in vain since the transmission (MUX) cables to the BOP were
cut off on account of the blast. Had they been more vigilant in responding to such critical failures, the
6.6.2 Communication Error: The early closure of the annular preventers led to pressure build up and
subsequent failure of the annular preventers. Had they taken more caution to move the drill pipe higher,
they could have avoided the failure due to presence of tool joint in that section. Effective communication
6.6.3 Retrieval Error: Although the monitoring and diagnostic capability was available via the TCP and
DCP modules, the operators could not interpret the signals because they were unfamiliar with
the alarm signals. Also, factors such as short and long term memory loss, adrenaline rush and
6.6.4 Design and Installation Errors: The ineffective approach to battery replacement, faulty wiring of
the solenoid valve and wrong pipe ram labelling during negative pressure testing bear witness to the fact
that key design parameters and installation guidelines were not followed by BP and Transocean
personnel, who are primarily responsible for the safety integrity of such sophisticated equipment.
6.7 Organizational Accident Theory
A useful approach to explaining the Deepwater Horizon accident was put forward by James
Reason. Reason’s Managing the Risks of Organizational Accidents theory (OAT) describes major system
organizational accidents as the penetration of hazards through the system’s defenses or barriers. In Reason’s
‘Swiss Cheese’ model (Figure 3), an accident develops when the major risk factors addressing a system are
able to successfully infiltrate the barriers through defects in the barriers formed by the Risk Control System
(RCS).
Figure 6: Organizational Accident Theory
Application of Reason’s OAT to the Macondo well disaster renders useful insights into both the causes of
this disaster and into how the risks associated with such systems can be better managed in the future. It is
obvious that multiple proactive, reactive, and interactive barriers were penetrated to develop the blowout
(Figure 3). A critical proactive protective barrier that was penetrated was the plan for temporary
abandonment of the Macondo well—specifically the plan for the negative pressure test and displacement
of the mud from the well before a second barrier was in place.
During the negative pressure test, interactive barriers were infiltrated. Critical signals (e.g., drill pipe
pressures, well fluid volumes) were not properly detected or analyzed, and appropriate action was not taken. After
the well had begun blowing out, multiple reactive barriers were ruptured including diversion of the well
7. Comparison
NASA Challenger: After the loss of the space shuttle Challenger in 1986, sociologist Diane Vaughan
began a long investigation into the accident. Her findings would challenge many of our easy assumptions
about how disasters occur. We like to think that accidents happen because bad people knowingly and
carelessly let them happen. Vaughan discovered something more troubling: that even organizations staffed
by smart, seemingly moral people can slowly slide into dangerous and unethical behavior.
Vaughan, an expert in corporate malfeasance, wanted to know how NASA officials made the decision to
launch the Challenger despite a serious last-minute safety concern. Very cold weather was forecast for
launch day, and some engineers worried that the low temperatures might worsen a long-standing problem:
The shuttle’s solid-fuel booster rockets had a tendency to leak small jets of hot gas during takeoff. The
engineers urged a delay. NASA decided to launch anyway. The standard view of the accident holds that
NASA brass overruled the nervous engineers out of concerns that allowing yet another launch delay would
hurt NASA’s image with the public and Congress. From this view, the managers knowingly rolled the dice,
bending the safety rules in order to stay on schedule. According to her findings, the managers were, in fact,
quite moral and rule-abiding as they calculated the risk. But over the years they had systematically deluded
Here’s how the normalization of deviance works: Early in the shuttle program, the appearance of small
leaks from the booster rockets’ rubber seals was an unexpected and alarming event. NASA assigned a
working group, which dutifully studied the issue and determined the leaks would be manageable as long as
they didn’t exceed a certain threshold. “They redefined evidence that deviated from an acceptable standard
so that it became the standard,” Vaughan writes. Sure enough, small booster-seal leaks were soon seen as
routine during shuttle launches. The problem had been normalized. But as shuttle missions continued, the
leaks kept getting bigger. Each time, NASA repeated the process, again determining that the seal failures
were acceptable as long as they didn’t exceed certain, ever higher, thresholds. NASA had crept right to the
edge of what would cause a mission failure, all the while convinced that it was operating safely. The fact
that the shuttles kept flying reinforced its false sense of security. Then came something NASA hadn’t
anticipated: a launch day so cold that it made the rubber seals hard and brittle. The huge resulting leak
Deep Water Horizon: In the case of the Deep Water Horizon rig, many alarm systems on the rig were
deliberately “inhibited” in order to prevent false alarms from waking up the crew. On the sea floor, a crucial
structure of pipes and valves known as the blowout preventer was poorly maintained. The blowout
preventer was supposed to be the last-ditch defense against high-pressure gas and oil bursting out of the
In designing the structures that would stabilize the pipe and prevent leaks below the sea floor, BP repeatedly
opted for the quickest, rather than the most secure, approaches. Through this analysis we understood that
large accidents are more often the result of dozens of tiny contributing factors: misguided assumptions
on the part of workers and managers; small, subtly flawed decisions; routine mechanical or digital glitches.
8. Recommendations
Based on the results and parameters discussed, we provide the following recommendations, which should be
taken into consideration and would help to evaluate the current and future safety of deep-water drilling. They
are as follows:
Blowout Preventer:
1) Sheath the cables to prevent MUX Transmission-an important cable for transmission from the rig to
2) Install a redundant blowout preventer in case the primary BOP fails in its operation
3) Train the crew members on the rig with the necessary technical knowledge to counter hazardous
Fire and Gas Systems:
Higher Reliability Systems: The use of Fire and Gas Systems in offshore installations has become mandatory
across the globe. The reliability of such equipment is of paramount importance since it relates to the
frequency of two undesirable failure modes: 1) Failures causing a loss of fire or gas detection. 2) Process
shutdowns due to spuriously generated signals. Failures in the first category may affect a single fire or gas
area or, on the other hand, the entire system. A reliability study of any proposed system must evaluate both
of these eventualities so that the design can be reliable. Spurious fire and gas signals may cause events
ranging from simple audio/visual annunciation to total process shutdown. The effect will depend upon the
specific functions which each output is used to initiate. The actual "cause and effect" specifications which
define a given system are therefore needed in order to carry out a full reliability analysis.
9. Conclusion
At the end of the investigation, there was a lot of finger-pointing among the companies involved as to who was to be
blamed for the incident. The United States District released a report stating that the incident was caused by
This reason was narrowed down as the primary reason which ultimately led to the Deep Water Horizon
Accident. According to the three of us, going by the research and the information collected, the blame should
be squarely put on the companies involved in the whole incident. At the end of it, their mismanagement,
misjudgment and gross negligence, especially that of BP (British Petroleum), and their choice of cost reduction
and process expediency over safety and security is what ultimately led to the Deep Water Horizon
catastrophe.