Deepwater Horizon report: Better testing & warning system needed

In a 136-page report released today on the 2010 oil spill, the National Academy of Engineering and National Research Council make a series of recommendations designed to prevent a repeat of the Deepwater Horizon disaster.

Here are some of their conclusions about the lethal blowout of BP’s Macondo well and their recommendations for the offshore drilling industry and the regulators who police it.

Findings:

  • The flow of hydrocarbons that led to the blowout of the Macondo well began when drilling mud was displaced by seawater during the temporary abandonment process.
  • The decision to proceed to displacement of the drilling mud by sea water was made despite a failure to demonstrate the integrity of the cement job even after multiple negative pressure tests. This was but one of a series of questionable decisions in the days preceding the blowout that had the effect of reducing the margins of safety and that evidenced a lack of safety-driven decision making.
  • The reservoir formation, encompassing multiple zones of varying pore pressure and fracture gradients, posed significant challenges to isolation using casing and cement. The approach chosen for well completion failed to provide adequate margins of safety and led to multiple potential failure mechanisms.
  • The loss of well control was not noted until more than 50 minutes after hydrocarbon flow from the formation started, and attempts to regain control by using the blowout preventer (BOP) were unsuccessful. The blind shear ram failed to sever the drill pipe and seal the well properly, and the emergency disconnect system (EDS) failed to separate the lower marine riser and the Deepwater Horizon from the well.
  • The BOP system was neither designed nor tested for the dynamic conditions that most likely existed at the time that attempts were made to recapture well control. Furthermore, the design, test, operation, and maintenance of the BOP system were not consistent with a high-reliability, fail-safe device.
  • Once well control was lost, the large quantities of gaseous hydrocarbons released onto the Deepwater Horizon, exacerbated by low wind velocity and questionable venting selection, made ignition all but inevitable.
  • The actions, policies, and procedures of the corporations involved did not provide an effective systems safety approach commensurate with the risks of the Macondo well. The lack of a strong safety culture resulting from a deficient overall systems approach to safety is evident in the multiple flawed decisions that led to the blowout. Industrial management involved with the Macondo well-Deepwater Horizon disaster failed to appreciate or plan for the safety challenges presented by the Macondo well.

Observations:

  • While the geologic conditions encountered in the Macondo well posed challenges to the drilling team, alternative completion techniques and operational processes were available that could have been used to prepare the well safely for temporary abandonment.
  • The ability of the oil and gas industry to perform and maintain an integrated assessment of the margins of safety for a complex well like Macondo is impacted by the complex structure of the offshore oil and gas industry and the divisions of technical expertise among the many contractors engaged in the drilling effort.
  • The regulatory regime was ineffective in addressing the risks of the Macondo well. The actions of the regulators did not display an awareness of the risks or the very narrow margins of safety.
  • The extent of training key personnel and decision makers both in industry and in regulatory agencies have been inconsistent with the complexities and risks of deep-water drilling.
  • Overall, neither the companies involved nor the regulatory community has made effective use of real-time data analysis, information on precursor incidents or near misses, or lessons learned in the Gulf of Mexico and worldwide to adjust practices and standards appropriately.
  • Industry’s and government’s research and development efforts have been focused disproportionately on exploration, drilling, and production technologies as opposed to safety.

Recommendations:

  • Given the critical role that margins of safety play in maintaining well control, guidelines should be established to ensure that the design approach incorporates protection against the various credible risks associated with the drilling and completion processes.
  • All primary cemented barriers to flow should be tested to verify quality, quantity, and location of cement. The integrity of primary mechanical barriers (such as the float equipment, liner tops, and well head seals) should be verified by using the best available test procedures. All tests should have established procedures and predefined criteria for acceptable performance and should be subject to independent, near-real-time review by a competent authority.
  • BOP systems should be redesigned to provide robust and reliable cutting, sealing, and separation capabilities for the drilling environment to which they are being applied and under all foreseeable operating conditions of the rig on which they are installed. Test and maintenance procedures should be established to ensure operability and reliability appropriate to their environment of application. Furthermore, advances in BOP technology should be evaluated from the perspective of overall system safety. Operator training for emergency BOP operation should be improved to the point that the full capabilities of a more reliable BOP can be competently and correctly employed when needed in the future.
  • Instrumentation and expert system decision aids should be used to provide timely warning of loss of well control to drillers on the rig (and ideally to onshore drilling monitors as well). If the warning is inhibited or not addressed in an appropriate time interval, autonomous operation of the blind shear rams, emergency disconnect system, general alarm, and other safety systems on the rig should occur.
  • Efforts to reduce the probability of future blowouts should be complemented by capabilities of mitigating the consequences of a loss of well control. Industry should ensure timely access to demonstrated well-capping and containment capabilities.
  • The United States should fully implement a hybrid regulatory system that incorporates a limited number of prescriptive elements into a pro-active, goal-oriented risk management system for health, safety, and the environment.
  • BSEE and other regulators should identify and enforce safety-critical points during well construction and abandonment that warrant explicit regulatory review and approval before operations can proceed.
  • A single U.S. government agency should be designated with responsibility for ensuring an integrated approach for system safety for all offshore drilling activities.
  • Operating companies should have ultimate responsibility and accountability for well integrity, because only they are in a position to have visibility into all its aspects. Operating companies should be held responsible and accountable for well design, well construction, and the suitability of the rig and associated safety equipment. Notwithstanding the above, the drilling contractor should be held responsible and accountable for the operation and safety of the offshore equipment.
  • Industry should greatly expand R&D efforts focused on improving the overall safety of offshore drilling in the areas of design, testing, modeling, risk assessment, safety culture, and systems integration. Such efforts should encompass well design, drilling and marine equipment, human factors, and management systems. These endeavors should be conducted to benefit the efforts of industry and government to instill a culture of safety.
  • Industry, BSEE, and other regulators should undertake efforts to expand significantly the formal education and training of personnel engaged in offshore drilling to support proper implementation of system safety.
  • Industry, BSEE, and other regulators should improve corporate and industry-wide systems for reporting safety-related incidents. Reporting should be facilitated by enabling anonymous or “safety privileged” inputs. Corporations should investigate all such reports and disseminate their lessons-learned findings in a timely manner to all their operating and decision-making personnel and to the industry as a whole. A comprehensive lessons-learned repository should be maintained for industry-wide use. The information can be used for training in accident prevention and continually improving standards.
  • Industry, BSEE, and other regulators should foster an effective safety culture through consistent training, adherence to principles of human factors, system safety, and continued measurement through leading indicators.

NAE report on the Deepwater Horizon disaster

1 Comment

  1. ntangle

    If the warning is inhibited or not addressed in an appropriate time interval, autonomous operation of the blind shear rams, emergency disconnect system, general alarm, and other safety systems on the rig should occur.
    ————-
    Some of the more knowledgeable industry folks have offered good reasons why this shouldn’t be changed. Such as the risk of a false activation, the risk of losing the well altogether, and that shearing the drill pipe might hamper well control thereafter.

    I understand the desire to always have a person in the loop. But I believe that it’s prudent to have an EDS automatically triggered sooner by multiple positive indications, rather than waiting for multiple negative indications (i.e., .the loss of the 3 comm modes on the DWH due to its loss of stationing its breaking away). Especially if there’s much of a chance that the BOP won’t be able to arrest foreseeable blowouts in progress. If there are unmistakable situations where a driller should always activate a full EDS, those situations could be automated with at least as high of reliability, if not better, than a person who might hesitate given the same info.

    #1