Вы находитесь на странице: 1из 29

Department of Industrial Engineering

Cullen College of Engineering


University of Houston

Deepwater Horizon Blowout


Analysis

Under the guidance of


Dr. Nancy J Currie-Greg

Project by,
Abel Jacob - 1551351
Vibin Mathew Saju - 1587483
Ravi Visveswaran - 1450192

1
Table of Contents

Executive Summary……………………………………………. 4

1. Introduction…………………………………………………….. 5
1.1. Companies Involved
1.2. After Effects
2. Background……………………………………………………... 7
2.1. Timeline
2.2. Barriers Breached
2.3. Blowout Preventer
2.4. Effective Compression
3. Emergency Modes of Operation……………………………….. 15
4. Methodology…………………………………………………….. 17
4.1. Fault Tree Analysis
4.2. Fault Tree Implications
5. Results…………………………………………………………… 21
6. Discussion……………………………………………………….. 22
6.1. Maintenance
6.2. Leaks
6.3. Testing
6.4. Modifications
6.5. Monitoring and Diagnostics
6.6. Human Errors
6.7. Organizational Accident Theory
7. Comparison…………………………………………………….. 25
8. Recommendations……………………………………………… 27
8.1. Technical Recommendations
8.2. Management & Financial Recommendations
9. Conclusions……………………………………………………... 28
10. References………………………………………………………. 29

2
Figures and Tables

Figure 1: Barriers breached and the relationship of barriers to the critical factors……………9

Figure 2: Failure of Shoe Track Barrier…………………………………………………….10

Figure 3: The internal components of the blowout preventer used on the Macondo well….13

Figure 4: Effective Compression & Drill Pipe Offset……………………………………....14

Figure 5: The components highlighted in red shows the failure of Pod functioning……….15

Figure 6: Organizational Accident Theory…………………………………………………25

Table 1: Comparison of 6 Emergency Modes included in BOP…………………………..16

List of Abbreviations

AMF - Automatic Mode Function

BOP - Blowout Preventer

BSR - Blind Shear Ram

CSR - Casing Shear Ram

DCP - Driller’s Control Panel

EDS - Emergency Disconnect Sequence

MGS - Mud Gas Separator

MMS - Maintenance Management Services


OAT - Organizational Accident Theory

MUX - Multiplex Lines

ROV - Remotely Operated Vehicle

TCP - Tool changer’s Control Panel

VBR - Variable Bore Ram

3
Executive Summary

May 3, 2017

The blowout caused explosions and a fire on the Deepwater Horizon rig, leading to the deaths of 11

personnel onboard and serious injuries to 17 others. The rig sank two days later, leaving the Macondo well

spewing oil and gas into Gulf waters for 87 days. The Hazards were identified as Mechanical Failure–

Failure of the blowout preventer, Personnel Hazards – Inadequate training of the personnel’s on the rig,

Environment– Storms, Hurricanes, ocean currents, Health Hazards– Chemical and Fire Hazards.

The case study aims to assess the important parameters that have to be considered when analyzing the

system safety. The study primarily focuses upon failure of a critical component known as Blowout

Preventer. The events leading to its failure are highlighted and fault tree analysis have been completed to

give the reader a detailed understanding of the single point failures. Further based on the analysis, various

factors such as maintenance, leaks, diagnostic and monitoring systems and human errors have been

highlighted as key features which have been overlooked. Finally a comparative study of Deepwater Horizon

with that of NASA Challenger gives the reader further knowledge on the concept of normalization of

deviance.

4
1. Introduction

On April 20, 2010, the Deepwater Horizon mobile drilling unit exploded, caught fire, and eventually sank,

resulting in a massive release of oil and other substances from BP’s Macondo well. Initial efforts to cap the

well following the explosion were unsuccessful, and for 87 days after the explosion, the well blasted oil

and natural gas continuously and uncontrollably into the northern Gulf of Mexico. According to the U.S.

District Court’s findings of fact, approximately 3.19 million barrels (134 million gallons) of oil were

released into the ocean, by far the largest offshore marine oil spill in U.S. history.

1.1 Companies Involved

The following companies owned, operated or provided services to the drilling rig:

Transocean Ltd - The Zug, Switzerland-based Company owned and operated the Deepwater Horizon Rig.

The rig went into service in 2001 and was drilling the Macondo prospect about 40 miles off the coast of

Louisiana.

British Petroleum - BP hired Transocean's rig at a rate of about $500,000 per day to drill the well. BP is the

project's operator and has a 65 percent working interest in the well.

Anadarko Petroleum Corp- The Houston Company owns a 25 percent non operation interest in the well.

Cameron International Corp - The Houston Company supplied a piece of equipment known as a blowout

preventer. Blowout preventers are put in place to stop an uncontrolled flow of oil or gas. The Deepwater

Horizon's blowout preventer failed to operate and seal the well.

Halliburton Co - The oilfield services company, which has headquarters in Dubai and Houston, provided a

number of services on the Deepwater Horizon. The company was providing cementing on the well to

stabilize its walls, according to Transocean's webs

5
1.2 After Effects

1.2.1 Environmental Effects: Nearly 10 million pounds of oily residue was removed from Louisiana

shorelines between June 2011 - April 7, 2013. However, more than 200 miles still has this oily residue

embedded in its marshlands, killing vegetation and causing erosion. While Louisiana was the hardest hit,

Alabama, Mississippi, and Florida shorelines were also impacted. Here's how much oil residue was

collected between June 2011 and March 2013: Louisiana -- 9,810,133 pounds Alabama -- 941,427 pounds

Mississippi -- 112,449 pounds Florida -- 73,341 pounds.

1.2.2 Impact to Wildlife: In 2011, half of the area's bottlenose dolphins were compromised by lung

disease. An NOAA study reported this type of disease is caused by "toxic exposure to oil." Nearly 20%

were so ill they weren't expected to live. More than 1,700 sea turtles were found stranded (between May

2010 and November 2012), compared to 240 normally found a year. In addition, 930 dolphins and whales

were stranded (between February 2010 and April 2013), compared to 20 normally found. To replace lost

foraging habitat for ducks and other migratory birds, 79,000 acres of harvested and idle rice fields have

been intentionally flooded.

1.2.3 Economic Effects: The economic damages to the communities, businesses, and individuals

affected by the spill can be at least partially quantified by examining the damage claims BP has paid to

date. As of December 2014, BP had paid more than $13 billion in damage claims, including $1.4 billion to

governments for economic damages, and $11.6 billion in economic damages and medical claims to

individuals and businesses, agreement does not include a cap on paying for legitimate claims. In 2013, the

claims center overseeing claim compensation projected that total claim costs could rise to $19.5 billion. BP

also set up a fund of $2.3 billion for the seafood industry, of which $1 billion had been paid out as of

December, 2013. Separately, Halliburton has set up a $1.1 billion settlement fund to compensate businesses

and property owners affected by the spill. The affected states have not yet been compensated for economic

damages.

6
2. Background

2.1 Timeline

The drilling rig is a mobile, temporary platform that drills the well, identifies viable hydrocarbon reserves,

and makes it safe and ready for a more permanent production platform. This involves drilling a deep

borehole in stages and filling the casing with cement. Deepwater Horizon was as a whole at the last stage

of its drilling phase, and a temporary abandonment was underway before handing it over for production.

BP was the well owner, and was also responsible for the design of the well and for leasing the rig;

Transocean were the owners and operators of the rig; providing the rig crew (for example the tool pushers

and drillers), and Halliburton was responsible for the cement operations.

On April 20th Integrity Test of well was carried out: -positive pressure test (successful) -negative pressure

test (results interpreted as successful). This test places the well in a controlled underbalanced state to test

the integrity of the mechanical barriers.

Around 17:35 while carrying out the negative pressure test, the BP team leader realized that the rig crew

is using a process for negative testing that is not the BP preferred method. Operations were reconfigured to

meet the requirements of the permit (a permit is a safety system which only allows work to progress when

authorized persons have set out the way the work will be carried out, and defines roles and responsibilities

and how risks are being controlled).

Between 18.42 and 20.00 a negative pressure was done in the kill lines. The line was monitored for 30

minutes and showed no flow. Even though they notice that the drill line pressure was still high, they ended

up concluding that this was due to the phenomenon of ‘Bladder effect.' The crew assumed that the negative

pressure test was successful.

Around 20.00 the crew started regular activities for temporary abandonment of the well (as it is deemed

commercially viable for production drilling) – this involved returning it to the normal ‘overbalanced’

7
position with drilling mud instead of seawater. However, during this process, around 20.52, the pressure on

drill side became lesser than in the reservoir, and thus hydrocarbons started to flow. The crew failed to

notice the pressure increase in the drill pipe.

21.08 The team as part of carrying out a test to check if fluids can be displaced overboard shut down the

pumps.

At 21.40 Mud starts overflowing onto the rig floor. The crew diverted the mud flow to the mud gas

separator. When the team closed the annular preventer, the drill pipe pressure started to increase steadily.

In the end, mud and hydrocarbons discharged onto the rig and overboard. This was the well blowout that

happened around 21.45. Approximately 21.47 Gas alarms started sounding in the rig. There was a rapid

increase in pressure in the drill pipe.

At 21.48 the hydrocarbons entered the engine room air intake, and explosions happened. This resulted in

extensive damages, possibly damaging the MUX cables which were to communicate between the rig and

the blow out preventer. Thus emergency shutdown activation was unsuccessful, and the BOP is unable to

seal the well .The hydrocarbons continued to feed the fire and explosions.

Around 22.00 the rig abandonment was ordered.

2.2 Barriers Breached

As we move into the Deepwater Horizon there were many interlinked factors that contributed to the

incident. In other word different layers of barriers of protection were breached on the day of the incident.

8
Figure 1: Barriers breached and the relationship of barriers to the critical factors

2.2.1 Barrier 1 Annulus Cement Barrier: - The cement barrier on the final stretch of the well did not

isolate the hydrocarbons. The cement slurry design which was critical because of the pore pressure was not

up to the requirements. In Deepwater, however, the technical review of the slurry design gave heavy

emphasis to cost and production implications. Little focus was given to important aspects of design, for

example, foam stability, contamination effects, and fluid loss potential. From the Lab tests carried out as

part of the investigation, it is evident that the slurry used was an unstable mixture at drilling that depth

pressures and temperatures. The slurry was not fully tested before use. Also, necessary setting time was not

given to the cement mixture. The initial testing conducted in the well around 10.5 hours after cementing,

which was not enough for proper setting.

2.2.2 Barrier 2 The Shoe Track Barriers: - The Shoe and track barriers which were the second level

of defense did not isolate the hydrocarbons. After the annulus cement had failed to isolate the reservoir, a

mechanical barrier failed and enabled hydrocarbon ingress into the wellbore.

9
Figure 2: Failure of Shoe Track Barrier

2.2.3 Barrier 3 The Pressure Tests: - The negative pressure test was misinterpreted, and the well

integrity was not established. Initially, a positive pressure test was carried out successfully, followed by the

negative pressure test. The objective of the negative pressure test is to test the ability of mechanical barriers

to withstand the pressure differentials during subsequent operations. During the negative pressure testing,

the BP Macondo team did not recognize the importance of some events like the high fluid returns (15 bbls

taken rather than 3.5 bbls expected). This excess flow should have indicated to the rig crew that there was

a flow path to the reservoir through failed barriers.

However the (Transocean) rig crew’s ‘preferred method’ was to monitor the drill pipeline rather than the

kill line which was required as per BP standards. The well site leader noticed the discrepancy and they

proceeded with the BP Macondo method. The rig crew was, therefore, unfamiliar with the testing process

they were using now. Thus both parties failed to accurately interpret the negative pressure test results. Rig

crew suggested that the drill line pressure of 1400psi was due to a phenomenon they had seen before called

‘bladder effect.' The well site leaders and rig crew accepted hypothesis moved forward.

2.2.4 Barrier 4 Well Monitoring Failure: - At 20.52 the well became underbalanced again and

hydrocarbon influx resumed, which went undetected by the crew. Flow increase from the well was

discernable from real-time data from 20.58.But the rig crew who was involved in the abandonment activities

10
such as setting a cement plug, bleeding off the riser tensioners, and transferring mud to the supply vessel

may have been distracted from monitoring the well. At 21.31 the mud pumps were shut down. The pressure

on the drill pipe increased by approximately 560psi between 21.31 and 21.34. These data suggest that

hydrocarbons entered the riser at 21.38 and the crew started well control actions at 21.41.

2.2.5 Barrier 5 Well Control Response Activity Failure: - At 21.40 mud flowed uncontrolled on to

the floor of the rig. The rig crew attempted to gain control by closing the annular preventer. However, this

did not seal properly and was too late as hydrocarbons were already in the riser. In the meantime, the crew

started diverting hydrocarbons to the mud gas separator (MGS). The alternative of dumping it overboard

through the 14in pipe was not chosen. The alternative would have diverted it safely overboard. Real-time

data was lost at this point – there were fires and explosions. When the supervisor tried to initiate the

Emergency Shut down (ESD) system, the sequence did not activate due to damaged cables

2.2.6 Barrier 6 Fire and Gas System Failure: - The high-pressure hydrocarbon was diverted through

the MGS which was designed for low pressure only. The vent points near MGS released the gas onto the

rig and into potentially confined spaces. The design of the MGS allowed high-pressure carbons to be

diverted into the system by default even when it was outside the design specification.

2.2.7 Barrier 7 Hydrocarbon Surface Containment Failure: -The HVAC system directed gas-rich

mixture from the MGS outlets into the engine rooms, causing an engine to over speed, creating a source of

ignition. There were no gas detection systems in HVAC systems. All the gas detection systems were

requiring manual activations. This design was done to prevent false gas detection trips.

2.2.8 Barrier 8 BOP Failure: - There were three different routes to activate the BOP emergency mode.

The fire which may have damaged the cables which provided electronic communication to the pods

preventing the EDS from initiating the Blind Shear Ram (BSR).The second route of Automatic Mode

Function (AMF) which depended on either of the two control pods on the BOP to activate the BSR if certain

11
environments were satisfied. Further analysis of the control pods shown that they were not of proper

functioning; while the first POD had a failed solenoid valve, the other had insufficient battery.

2.3 Blowout Preventer

The BOP is a system of valves designed to shut in a well in the event of well control issues such as kicks,

or if a sudden increase in wellbore pressures occurs. It was invented by Cameron International, a company

based out of Texas, which provides flow equipment to oil, gas, and other process industries. The company

manufactured the BOP used at the Macondo well site. The BOP was designed to cut through casing and

shear through pipe to shut off a well. The various shut-in devices on the BOP used on the Deepwater

Horizon can be seen in Figure 3.

The use of the various devices depends on the well control situation as well as other factors such as the

presence of pipe or casing. According to API 16D standards, the Deepwater Horizon BOP required at least

four remote-controlled, hydraulically rams during offshore operations. This was based on the depth and

pressures encountered in the Macondo well.

All of the rams on the BOP failed to close properly during the blowout event that occurred on the Deepwater

Horizon. Here is a brief explanation of each ram and it significance in understanding the working of the

BOP.

Annular Preventers are rubber donut shaped seals that close around the pipe sealing the well. They can

also seal the well with an absence of pipe in the hole. A process known as stripping occurs when the annular

is closed around the pipe, and the pipe is moved upward or downward during this time. Primary

investigations by CSB indicate that stripping had occurred in the BOP and pieces of rubber were detected

after the accident giving evidence of its occurrence.

Variable Bore Rams (VBR) are metal bars with circular ends such that they can seal the well by clamping

around the drill pipe, sealing the annular spacing and seal off further hydrocarbon influx into the rig. These

were designed to operate within 5000 – 10000 PSI range of fluid pressure. There were 3 VBRs in the BOP.

12
Blind Shear Rams (BSR) are the last line of defense among the various devices on the BOP. It seals the

well by cutting the drill pipe or other material that is in the well. However the blind shear rams cannot cut

through the tool joints. Tool joints play a significant role in our analysis. Presence of tool joint across the

section to be sheared off hampered the efficiency and performance of the BSR.

Casing Shear Ram (CSR) is designed to shear off the casing pipe in case of any failure. It has been reported

that this ram was not closed during the emergency shutdown. The reasons are unknown and hence we

assume failure of CSR to be a common cause failure with a variety of impacting factors.

Figure 3: The internal components of the blowout preventer used on the Macondo well. The function of
each component is labeled next to each instrument. From, “Investigating the Cause of the Deepwater
Horizon Blowout.” The New York Times 21 June 2010. Web. 28 Apr 2011.

13
2.4 Effective Compression

When mud and gas started spewing onto the

deck, the rig personnel responded by closing the

drill pipe at the rig thereby increasing pressure

in the drill pipe. Also the fluid from below

started rising up to the surface via the annulus.

The crew then initiated the closure of the

Annular Preventers which sealed off the

annular space around the drill pipe. The

presence of a tool joint at the junction of the

Annular Preventers failed to isolate the well and

still further hydrocarbon influx could be

observed. The crew then initiated closure of the


Figure 4: Effective Compression & Drill Pipe Offset
top VBR which succeeded in sealing the annulus

and curbed further influx of hydrocarbons onto the rig. The already escaped hydrocarbons above the VBR

started rising up to the rig thereby creating a region of low pressure between the top surface of VBR and

upper annular. As a result of the large differential pressure between the inside and outside of the drill pipe,

the straight drill pipe buckled. This has been termed as effective compression.

Figure 4 describes the consequence of effective compression. In an emergency, the BSR is supposed to

close around a centered pipe, searing it off and sealing the well. However in this accident the buckled pipe

was off center and the BOP could not shear it off. It ended up puncturing the pipe, which began leaking oil

uncontrollably.

14
3. Emergency Modes of Operation

There were primarily six emergency mode of operations to activate the closure of the BSR. Based on our

readings and comparison with our analysis model we were able to conclude what key factors led to the

failure of each mode. As soon as the fire and explosion took place, the emergency disconnect sequence

(EDS) failed as the communication and transmission lines (MUX cables) to the Blowout Preventer was cut

off. This was the primary method available to the rig personnel for activating the BSR and sealing the

wellbore.

The critical condition of certain components in the blue and yellow control pods on the BOP prevented the

activation of Automatic Mode Function (AMF), which was designed to operate automatically without the

intervention of any rig personnel and the MUX cables. Further to the investigation done by CSB on the

BOP, it was detected that both the redundant pods were ineffective (Figure 5). The batteries in the blue pod

which supplied electrical power to operate the computer and solenoid valve were out of charge whereas a

faulty wiring of the solenoid coil in the yellow pod rendered the yellow pod ineffective. This is better

explained with the help of the following diagram.

Figure: 5. the components highlighted in red shows the failure of Pod functioning. From “Deepwater
Horizon Accident Investigation Report”, BP Report. Web. September 201

15
Sl. No Emergency Modes Method Requirements Success or Failure
One POD
1 High Pressure BSR Function Crew Initiated MUX Cable Failed
Manual Activation
One POD
2 EDS Function Crew Initiated MUX Cable Failed
Manual Activation
One POD
3 AMF (Deadman Switch) Automatic Failed
Manual Activation
4 ROV Initiated AMF ROV One POD Failed
Hydraulic Supply
5 ROV Initiated Auto shear ROV Partially Succeeded
from Accumulators
ROV Seawater Pump Failed (15
6 ROV Hot Stab ROV
Ex. Hydraulic Supply attempts)
Table 1: Comparison of 6 Emergency Modes included in BOP
The six Emergency modes of BOP Operation are explained briefly as follows:

1. High Pressure BSR Function: This was done by the rig personnel from the control panel which

required at least one POD and the associated MUX cables.

2. EDS Function: The crew personnel initiates this system to close the BSR. But because the MUX

cables were cut off, this system failed to work its intended function.

3. AMF: An automatic method to close the BSR when electrical power and hydraulic power is lost

from the rig. This failed to work due to the failure of critical components of the control pods.

4. ROV Initiated AMF: The AMF sequence is initiated using an ROV to cut communication and

hydraulic lines at the LMRP. This did not work due to the critical conditions of key elements in the

control pods.

5. ROV Initiated Auto shear: An ROV is used to cut across the auto shear activation rod to close

high pressure BSR. The accumulators on BOP stack were the only source of hydraulic power. This

system partially worked to close the BSR but could not completely seal the well.

6. ROV Initiated BSR: An underwater ROV used an underwater sea pump to close the BSR. Various

attempts were done prior to and after the rig sank, but it was all in vain.

Table 1 highlights one of the key features applicable to our analysis. The interdependency of operating

emergency modes means that single failures could have multiple modes of BOP operation.

16
4. Methodology

4.1 Fault Tree Analysis -1

17
4.1 Fault Tree Analysis -2

4.1 Fault Tree Analysis – 3

18
4.2 Fault Tree Implications

In our FTA the three legs of the fault tree signifies the failure of BOP via BOP component failure, Non

shear Failure and common cause failure. While we went more deep into the first leg of the fault tree, the

second and third legs of the tree is a proof that BOP component failure may not have been the sole cause

of the incident.

4.2.1 FTA –Leg 1 Analysis

Moving into the first leg of the tree then we divided the failures into Lower marine riser package failure

and the BOP stack failure. The LMRP had two annular preventers which mainly had three modes of failure

the presence of a tool joint, improper rubber seal specifications and common cause failures. While the

presence of a tool joint at the point where the annular preventers hugs the drill pipe would reduce the

effectiveness of annular preventers the usage of rubber materials of improper specifications can also cause

the annular preventer to fail. The third reason for failure is a combination of common cause failures which

are explained in detail below as a part of the third leg of the tree. The third leg of the tree is again transferred

in into the annular preventer failures.

The BOP stack failure can be because of the failure of all the 5 rams in the BOP stack (3 VBR’s , CSR &

BSR).The variable bore ram as well as the Casing shear ram has the integration of common cause failures

as their failure modes where we have transferred in the common cause failure leg of the tree into it. The

blind shear ram had 4 ways of activation such as Manual activation from the rig, Automatic Mode function,

Emergency disconnect sequence and using a remotely operated vehicle. The first 3 mechanisms are done

either through rig communications or dead man's switch mechanisms, while the ROV mechanism is an

external mechanism. All the first 3 mechanisms have a common failure mode that is the POD failures along

with Hydraulic failures.

The third section of FTA represent the POD failure methods which would result the first 3 mechanisms

fail. As you can see the redundant yellow and blue PODs have four kinds of failure mods namely Computer

19
failures, Solenoid Valve failures electrical failures and the PLC failures. The AND gates represents the

redundancies in each of the levels.

4.2.2 FTA – Leg 2 Analysis

Looking into the second leg of the tree, non-shear failure, which can be due to either a high differential

pressure in the drill pipe or lack of tension in the pipe. The differential pressure between the inside and

outside of the drill pipe can be explained through the process of pipe buckling which can be attributed to

effective compression which happened as a result of closure of the VBR while the drill pipe was in high

pressure. Coming to the next situation of lack of tension in the drill pipe, from the Transocean documents

it was found that optimum shearing characteristics are acquired when the pipe is motionless and under

tension. Drill pipe can transmits high compressive loads, particularly when it uses the side walls of the BOP

for lateral stability. In the case of the Deepwater Horizon on April 20, 2010, the drill string above the BOP

had a “dry weight” of more than 150,000 pounds. If an effort is made to shear a drill string in compression,

additional friction can be important. The BSR can shear off the drill pipe easily as long as it is under tension

(stretched laterally) rather than compressing where the two pieces being cut are pressed against each other

and pressing on the shearing blades, making the required shearing force much greater. Also Under

compression, the pipe may tend to be jammed into the rams and hence blocking the entire sealing. To keep

the drill pipe string stretched(under tension), it is hung off a “hook” that is fixed to a “traveling block”

whose vertical location can be brought up and down by a huge cable hoist in the drilling crane. At the time

of blast on the Deepwater Horizon, the dry weight of the entire drill string was 217,000 pounds, entirely

carried by the hook and traveling block, and the total hook load floated around 360,000 pounds As per the

BP reports. As per Witness statements the traveling block, which carries the hook load (weight of the drill

pipe string and upper works), fell at 22:20.

20
4.2.3 FTA Leg – 3 Analysis

We called the third leg of our tree as a common cause failure which comprised of Human error, Hydraulic

failure, mechanical failure MUX cable failure, Press button control Failure.

Hydraulic failure: - BOP as a whole is a hydraulic system which had 7 mechanisms which used hydraulic

energy for functioning. Any disruptions in the hydraulic energy would render the device ineffective. In the

case of Deepwater Horizon several instances of hydraulic leakages were identified.

Mechanical Failure: - Mechanical failure of critical components in the system may prove catastrophic in

the end. The main types of mechanical failures are excessive deflection, buckling, ductile fracture, brittle

fracture, impact, creep, relaxation, thermal shock, wear, corrosion, stress corrosion cracking, and various

types of fatigue. For instance, the likelihood of erosion of the rubber packer sealing material in the annular

preventer probably have caused the them to fail under high flow rate

Human Error: - Delayed Emergency mode activation from the control panels by the operator,

misinterpreted pressure test results owing to lack of training, retrieval errors contribute to Human errors

identified within the system. It also takes into account of the various design and installation errors which

play a pivotal role in ensuring the safety of the rig.

MUX Cable Failure: - The MUX cables are contained the hydraulic, electrical and electronic lines from

the rig to the BOP. In Deepwater horizon the explosions in the rig damaged the MUX cable and hence

further communication between the rig and BOP was hampered.

Press Button control Failure: - The Rig had two main control stations driller’s control panel (DCP) and

tool pusher’s panel (TCP) they both contained a set of pushbuttons controlling the BOP functions.

5. Results

The Fault tree constructed had a total of 18 OR gates and 17 AND gates. The proportion of AND gates

implies the redundancies present in the system. The MOCUS method helped in reducing the first leg of

21
the fault tree and ended up with more than 450 sets of cut sets which were later decreased to 20 minimal

cut sets. While analyzing the minimal cut sets it became quite evident that Common cause

failures, POD failures and ROV failures were key factors of BOP failure. The first 16 of the minimal cut

sets were different combinations of common cause failure ROV failure and POD failures were as the last

four cut sets wee combinations of Common Cause failures and ROV failures

6. Discussions

Based on the analysis obtained from our fault tree, we have identified few key elements that were

overlooked by both BP and Transocean personnel

6.1 Maintenance

As per the audit from BP maintenance management system one key finding was “Overdue maintenance in

excess of 30 days, totaling 390 jobs and 3545 man hours”. The subsea maintenance personnel recorded

BOP and other equipment maintenance manually on spreadsheets and daily log books instead of the MMS

provided by Transocean, which made it difficult to track BOP equipment performance level. The ram

bonnets of 3 VBRs were not recertified for the past 10 years whereas API standards require it to be certified

after 5 years. BP overlooked the 5 year replacement policy in the case of hydraulic hoses. As mentioned

earlier the solenoid valve in the yellow control pod was found to be defective. It also had a non OEM

electrical connector installed. The 27 Volt battery in blue pod was reported to have 7.61 Volts which was

too low to complete the AMF sequence, whereas in the yellow pod, voltage was measured to be 18.41

which is an indication of rapid decline. These were some of the key findings in our study.

6.2 Leaks

There were 6 major hydraulic leaks identified in the BOP control system. One of the leaks were identified

at a hose fitting at the close side of the upper annular surge bottle supplying pressure to the annular preventer

operating piston. The next major leak was identified at the shuttle valve which is critical to functioning of

the BSR operating piston. It was identified that close to 54 gallons of hydraulic fluid were lost which has

22
detrimental effects on a system which is supposed to maintain at least 5000 PSI at all times. Hydraulic

analysis confirms the fact that sufficient hydraulic pressure was unavailable to shear off he drill pipe an

seal the well.

6.3 Testing

Although industry standards such as API RP 53, BP standards and Transocean operating policy were in

effect prior to the incident, these were designed for surface tests prior to deployment and none of these

requirements included testing the high pressure BSR closing function. These testing standards did not

include any tests to check the functionality of the AMF and ROV systems. Although weekly function tests

were in place, it failed to identify any hydraulic leaks except that a subsea engineer speculated there might

be a leak in the accumulator.

6.4 Modifications

Based on our extensive study, 19 known modifications have been identified in the BOP and its control

system. What surprises us is the fact that BP has mentioned this in their own report. The pipe ram receptacle

was connected to the test VBR (lower) and not to the middle VBR as was assumed. These modifications

were not documented on the BOP stack flow schematics, and they impacted the effectiveness of ROV

intervention.

6.5 Monitoring & Diagnostic Capability

Diagnostics of the BOP control system were available to the rig crew and subsea personnel through an

alarm indication system and event logger. The dedicated alarm lights on the TCP and DCP displayed the

most critical fault alarms. The control system was capable of identifying solenoid coil faulty wiring, but

the unfamiliarity of the crew with using such systems proved to be detrimental in a way that they coudnot

initiate the AMF sequence successfully.

23
6.6 Human Errors

6.6.1 Operation Error: 40 minutes after the primary blast, the emergency BOP activation systems were

activated by the crew. But their efforts were in vain since the transmission (MUX) cables to the BOP were

cut off on account of the blast. Had they been more vigilant in responding to such critical failures, the

severity of the damage could have possibly been reduced.

6.6.2 Communication Error: The early closure of the annular preventers led to pressure build up and

subsequent failure of the annular preventers. Had they taken more caution to move the drill pipe higher,

they could have avoided the failure due to presence of tool joint in that section. Effective communication

down the organizational hierarchy was absent.

6.6.3 Retrieval Error: Although the monitoring and diagnostic capability was available via the TCP and

DCP modules, the operators could not interpret the signals because of their non-familiarity with

understanding the alarm signals. Also factors such as short and long term memory loss, adrenaline rush and

non-responsiveness to emergency situations have to be taken into account.

6.6.4 Design and Installation Errors: The ineffective approach to battery replacement, faulty wiring of

the solenoid valve and wrong pipe ram labelling during negative pressure testing bear witness to the fact

that key design parameters and installation guidelines were not followed by both BP and Transocean

personnel who are primarily responsible for the integrity of the safety of such sophisticated equipment.

6.7 Organizational Accidents Theory

A useful approach that can be used to explain the deep water horizon accident was put forward by James

Reason. Reason’s managing the Risks of Organizational Accidents Theory (OAT) describes major system

organizational accidents as penetration of hazards through the system’s defenses or barriers. In Reason’s

‘Swiss Cheese’ model (Figure 3), an accident develops when the major risk factors addressing a system are

able to successfully infiltrate the barriers through defects in the barriers formed by the Risk Control System

(RCS).

24
Figure 6: Organizational Accident Theory
Application of Reason’s OAT to the Macondo well disaster renders useful insights into both the causes of

this disaster and into how the risks associated with such systems can be better managed in the future. It is

obvious that multiple proactive, reactive, and interactive barriers were penetrated to develop the blowout

(Figure 3). A critical proactive protective barrier that was penetrated was the plan for temporary

abandonment of the Macondo well—specifically the plan for the negative pressure test and displacement

of the mud from the well before a second barrier was in place.

During the negative pressure test, interactive barriers were infiltrated. Critical signals (e.g., drill pipe

pressures, well fluid volumes) were not properly detected, analyzed, or appropriate action was taken. After

the well had begun blowing out, multiple reactive barriers were ruptured including diversion of the well

effluents to the low capacity mud-gas separator rather than overboard.

7. Comparison

NASA Challenger (1986) Vs Deep Water Horizon (2010):

NASA Challenger: After the loss of the space shuttle Challenger in 1986, sociologist Diane Vaughan

began a long investigation into the accident. Her findings would challenge many of our easy assumptions

25
about how disasters occur. We like to think that accidents happen because bad people knowingly and

carelessly let them happen. Vaughan discovered something more troubling: that even organizations staffed

by smart, seemingly moral people can slowly slide into dangerous and unethical behavior.

Vaughan, an expert in corporate malfeasance, wanted to know how NASA officials made the decision to

launch the Challenger despite a serious last-minute safety concern. Very cold weather was forecast for

launch day, and some engineers worried that the low temperatures might worsen a long-standing problem:

The shuttle’s solid-fuel booster rockets had a tendency to leak small jets of hot gas during takeoff. The

engineers urged a delay. NASA decided to launch anyway. The standard view of the accident holds that

NASA brass overruled the nervous engineers out of concerns that allowing yet another launch delay would

hurt NASA’s image with the public and Congress. From this view, the managers knowingly rolled the dice,

bending the safety rules in order to stay on schedule. According to her findings the managers were, in fact

quite moral and rule abiding as they calculated the risk. But, over the years they had systematically deluded

themselves, through a process she calls the “normalization of deviance”.

Here’s how the normalization of deviance works: Early in the shuttle program, the appearance of small

leaks from the booster rockets’ rubber seals was an unexpected and alarming event. NASA assigned a

working group, which dutifully studied the issue and determined the leaks would be manageable as long as

they didn’t exceed a certain threshold. “They redefined evidence that deviated from an acceptable standard

so that it became the standard,” Vaughan writes. Sure enough, small booster-seal leaks were soon seen as

routine during shuttle launches. The problem had been normalized. But as shuttle missions continued, the

leaks kept getting bigger. Each time, NASA repeated the process, again determining that the seal failures

were acceptable as long as it didn’t exceed certain, ever higher, thresholds. NASA had crept right to the

edge of what would cause a mission failure, all the while convinced that it was operating safely. The fact

that the shuttles kept flying reinforced its false sense of security. Then came something NASA hadn’t

anticipated: a launch day so cold that it made the rubber seals hard and brittle. The huge resulting leak

burned a hole in the shuttle’s external fuel tank.

26
Deep Water Horizon: In the case of the Deep Water Horizon rig, many alarm systems on the rig were

deliberately “inhibited” in order to prevent false alarms from waking up the crew. On the sea floor, a crucial

structure of pipes and valves known as the blowout preventer was poorly maintained . The blowout

preventer was supposed to be the last-ditch defense against high-pressure gas and oil bursting out of the

well. It failed utterly.

In designing the structures that would stabilize the pipe and prevent leaks below the sea floor, BP repeatedly

opted for the quickest, rather than the most secure, approaches. Through this analysis we understood that

how large accidents are more often the result of dozens of tiny contributing factors: misguided assumptions

on the part of workers and managers; small, subtly flawed decisions; routine mechanical or digital glitches.

8. Recommendations

Based on the results and parameters discussed, we provide the following recommendations that have to be

taken into consideration which would help to evaluate current and future safety of deep-water drilling. They

are as follows:

8.1 Technical Recommendations:

Blowout Preventer:

1) Sheath the cables to prevent MUX Transmission-an important cable for transmission from the rig to

the blowout preventer

2) Install a redundant Blow out Preventer just in case the primary BOP fails in its operation

3) Train the crew members on the rig with the necessary technical knowledge to counter hazardous

situations while working on complex operations.

27
Fire and Gas Systems:

Higher Reliable Systems: The use of Fire and Gas Systems in off shore installations has become mandatory

across the globe. The reliability of such equipment is of paramount importance since it relates to the

frequency of two undesirable failure modes: 1) Failures causing a loss of fire or gas detection. 2) Process

shutdowns due to spuriously generated signals. Failures in the first category may affect a single fire or gas

area or, on the other hand, the entire system. A reliability study of any proposed system must evaluate both

of these eventualities so that the design can be reliable. Spurious fire and gas signals may cause events

ranging from simple audio/visual annunciation to total process shutdown. The effect will depend upon the

specific functions which each output is used to initiate. The actual "cause and effect' specifications which

define a given system are therefore needed in order to carry out a full reliability analysis.

8.2 Management & Financial Recommendations

1. Trained personnel for critical tasks

2. Work planning & adequate time scheduling

3. Allot sufficient maintenance budget

4. Review emergency evacuation systems

9. Conclusion

At the end of the investigation, there was a lot of pinpointing by the companies involved as to who is to be

blamed for the incident. The United States District released a report stating that the incident was caused by

the decision to go against the use of a cement log.

This reason was narrowed down as the primary reason which ultimately led to the Deep Water Horizon

Accident. According to the three of us going by the research and the information collected the blame should

be squarely put on the companies involved in the whole incident. At the end of it their mismanagement,

misjudgment and gross negligence especially BP or British Petroleum and their choice of cost reduction

28
and process expediency over safety and security is what ultimately led to the Deep Water Horizon

catastrophe.

10. References

1. "CSB Public Meeting in Houston Texas to Release Macondo Report." Macondo Blowout and

Explosion - Investigations | the U.S. Chemical Safety Board. Web. 03 May 2017.

2. Administration, National Oceanic and Atmospheric. Deepwater Horizon Oil Spill Final

Programmatic Damage Assessment and Restoration Plan and Final Programmatic Environmental

Impact Statement: Chapter 2: Incident Overview. Web

3. "Read "Macondo Well Deepwater Horizon Blowout: Lessons for Improving Offshore Drilling

Safety" at NAP.edu." National Academies Press: OpenBook. Web. 03 May 2017.

4. "Deepwater Horizon." Lees' Loss Prevention in the Process Industries (2012): 3111-125. Web.

5. Meigs, James B. "Blame BP for Deepwater Horizon. But Direct Your Outrage to Its Actual

Mistake: Years of Cutting Corners." Slate Magazine, 30 Sept. 2016. Web. 03 May 2017.

6. Amadeo, Kimberly. "BP Spent $56.4 Billion on Spill So Far." The Balance. Web. 03 May 2017.

7. "Deepwater Horizon Oil Spill." Wikipedia. Wikimedia Foundation, 21 Apr. 2017. Web. 03 May

2017.

8. "Deepwater Horizon, Three Years Later." Physics Today (2013): Web.

9. Fountain, Henry. "Solution to Capping Well Stays Elusive." The New York Times. The New

York Times, 30 Apr. 2010. Web. 03 May 2017.

10. "FACTBOX-Companies Involved in the U.S. Gulf Rig Accident." Reuters. Thomson Reuters,

30 Apr. 2010. Web. 03 May 2017.

29

Вам также может понравиться