European Commission DG for Energy (ENER/D2)

Transcription

European Commission
DG for Energy
(ENER/D2)
How to Improve Safety in
Regulated Industries
What Could We Learn
From Each Other
Background Material
Annex C
ENCO FR-(12)-44
July 2012
Specific Contract No. ENER/ 2011/NUCL/SI2.599383
in
How
w to Im
mprove Safety
S
ndustrie
es
Regullated In
What C
Could We
W Learrn
Frrom Eac
ch Othe
er
Backgground Material
Annex C
EN
NCO FR
R-(12)-4
44
July
J
201
12
Und
der the Fram
mework Serrvice Contract
forr Technical Assistance TREN/R1/3
350-2008 Lo
ot 3
Specific Contract No. ENER
R/ 2011/NUC
CL/SI2.5993
383
Prepared by:
b
Prep
pared fo
or:
E
European Commissiion
DG
G for Enerrgy
(ENE
ER/D2 Nuclear Energ
gy)
DISCLAIM
MER
The con
ntent of thiis report is the sole ressponsibility
y of the Con
ntractor andd can in no way be tak
ken
e views of the Europea
an Union.
to reflect the
Annex C. Overview of Deepwater Horizon oil rig explosion
TABLE OF CONTENTS
1. INTRODUCTION .............................................................................................................................4 1.1. EVENT SUMMARY ................................................................................................................................................... 4 1.2. BACKGROUND ....................................................................................................................................................... 4 1.3. REGULATORY AND SAFETY ASPECTS ........................................................................................................................ 5 Safety of the offshore industry ............................................................................................................................ 5 Regulatory aspects .................................................................................................................................................. 6 2. TECHNICAL ASPECTS OF THE DEEPWATER DRILLING ...........................................................7 2.1. DRILLING PROCESS OVERVIEW ................................................................................................................................ 7 Pore pressure and fracture pressure ................................................................................................................... 8 Casing and cement .................................................................................................................................................. 9 The Blowout Preventer .......................................................................................................................................... 9 Setting subsequent casing strings ...................................................................................................................... 10 Float Collar ............................................................................................................................................................ 10 Cementing casing strings ..................................................................................................................................... 11 The production casing .......................................................................................................................................... 12 Well control and barriers .................................................................................................................................... 13 2.2. MACONDO WELL DESIGN AND CONSTRUCTION ........................................................................................................ 14 2.3. PREPARING THE WELL FOR SUBSEQUENT PRODUCTION ............................................................................................ 16 Installation of the production casing ................................................................................................................ 16 The cement design ................................................................................................................................................ 18 Laboratory tests of the cement slurry .............................................................................................................. 19 Cement evaluation log ......................................................................................................................................... 20 Testing of the wellhead seals ............................................................................................................................. 20 Temporary abandonment ..................................................................................................................................... 22 Design features of the Macondo well ................................................................................................................ 24 2.4. OVERVIEW OF THE ACCIDENT ............................................................................................................................... 25 3. INVESTIGATION INTO EXPLOSION ...........................................................................................27 3.1. BP INVESTIGATION REPORT .................................................................................................................................. 28 Annulus cement barrier ....................................................................................................................................... 29 Shoe track barrier ................................................................................................................................................. 29 Negative pressure test ......................................................................................................................................... 30 Recognition of hydrocarbons influx ................................................................................................................... 30 Well control response action .............................................................................................................................. 30 Diversion of blowout to the MGS ....................................................................................................................... 31 The fire and gas systems...................................................................................................................................... 31 The BOP emergency mode ................................................................................................................................... 31 Report summary .................................................................................................................................................... 31 3.2. REPORT OF THE HUMAN RELIABILITY ASSOCIATES .................................................................................................. 32 How to Improve Safety in Regulated Industries
What Could We Learn From Each Other safety in EU”
Background Material, ENCO FR-(12)-44
© ENCO
Page i
Cement slurry design ............................................................................................................................................ 32 Cement placement ................................................................................................................................................ 33 Confirmation of placement ................................................................................................................................. 33 Negative-pressure test ......................................................................................................................................... 33 Failure to timely recognize influx of hydrocarbons ....................................................................................... 34 Failure of well control response ........................................................................................................................ 34 Failure of the Fire and Gas system .................................................................................................................... 34 Failure of the BOP emergency modes................................................................................................................ 35 Report summary .................................................................................................................................................... 35 3.3. FINDINGS OF THE OIL SPILL COMMISSION .............................................................................................................. 36 Report to the President ....................................................................................................................................... 36 Chief Counsel’s investigation report ................................................................................................................. 38 3.4. REPORT OF NAE/NRC COMMITTEE ..................................................................................................................... 41 Interim Report ....................................................................................................................................................... 41 Final Report............................................................................................................................................................ 42 3.5. OBSERVATIONS FROM OTHER SOURCES .................................................................................................................. 43 4. ANALYSIS OF THE DEEPWATER HORIZON ACCIDENT ..........................................................44 4.1. STEP 1 - DEFINITION OF THE PROBLEM ................................................................................................................. 44 4.2. STEP 2 – ANALYSIS OF CAUSES (CAUSAL MAP) ....................................................................................................... 45 4.3. STEP 3. ANALYSIS OF SOLUTIONS ......................................................................................................................... 61 Safety management and safety culture (Causes 1 – 7) ................................................................................... 62 Regulatory oversight (Causes 8 – 10) ................................................................................................................. 63 Procedures and training (Causes 11 – 16) ......................................................................................................... 65 Process safety (Causes 17 – 21) ........................................................................................................................... 66 Equipment design issues (Causes 22 – 26) ......................................................................................................... 66 5. SUMMARY CONCLUSIONS ..........................................................................................................68 5.1. INDUSTRY MANAGEMENT SYSTEM .......................................................................................................................... 68 Risk awareness ....................................................................................................................................................... 68 Communication problems .................................................................................................................................... 69 Safety culture issues............................................................................................................................................. 69 5.2. SAFETY OVERSIGHT OF THE INDUSTRY ................................................................................................................... 70 Regulatory regime of MMS................................................................................................................................... 70 Desired changes ..................................................................................................................................................... 71 6. REFERENCES TO ANNEX C ........................................................................................................73 How to Improve Safety in Regulated Industries
© ENCO
Page ii
Glossary
AMF
BOP
BSR
DOI
ECD
EDS
ETP
HAZOP
MGS
MMS
MODU
NEPA
OPA
ppg
MOC
TA
D&C
TOC
LRMP
MUX
ROV
Automatic Mode Function
Blowout Preventer
Blind Shear Ram
Department of the Interior
Equivalent Circulation Density
Emergency Disconnect System
Engineering Technical Practice
Hazards and Operability
Mud Gas Separator
Minerals Management Service
Mobile Offshore Drilling Unit
National Environmental Policy Act
Oil Pollution Act of 1990
Pounds per gallon
Management Of Change
Technical Authority
Development and Completion
Top Of Cement
Lower Marine Riser Package
Multiplex
Remote Operated Vehicle
How to Improve Safety in Regulated Industries
© ENCO
Page 3
1. Introduction
1.1. Event summary
On April 20, 2010 at approximately 9:45 pm a huge explosion rocked a semi-submersible
Mobile Offshore Drilling Unit (MODU) located about 66 km off the coast of Louisiana in the
Gulf of Mexico. The oil rig was called the Deepwater Horizon and was owned by
Transocean Ltd and leased to the British Petroleum Company through September 2013.
The direct cause of the explosion was that high pressure methane gas from the well
expanded into the drilling riser and was released onto the drilling rig, where it ignited and
exploded, engulfing the rig.
At the time of the explosion, there were 126 crew on board: 7 employees of BP, 79 of
Transocean, as well as employees of various other companies involved in the operation of
the rig, including Anadarko, Halliburton and M-I Swaco. Most of the workers escaped the
rig by lifeboat and were subsequently evacuated by boat or airlifted by helicopter for
medical treatment. However, eleven workers were never found despite a three-day Coast
Guard search operation, and are believed to have died in the explosion. 16 workers were
injured.
Efforts by multiple ships to douse the flames were unsuccessful. After burning for
approximately 36 hours, the Deepwater Horizon sank on the morning of 22 April 2010.
Remotely operated submersible vehicles were used to examine the wellhead. The vehicles
were also used in an effort to manually trigger the blowout preventer (BOP), which would
close the wellhead and prevent any farther release of oil. The blowout preventer is a 450ton valve installed at the wellhead that is designed to automatically shut to prevent oil
leaks in the event of an accident. Attempts to manually close the blowout preventer have
not been successful.
An oil leak was discovered on the afternoon of 22 April when a large oil slick began to
spread at the former rig site. Oil continued to leak from the wellhead more than a mile
underwater on the ocean floor at an estimated rate of 42,000 gallons a day. According to
the Flow Rate Technical Group, the leak amounted to about 4.9 million barrels (780,000
m3) of oil, exceeding the 1989 Exxon Valdez oil spill as the largest ever to originate in U.S.controlled waters.
1.2. Background
The Deepwater Horizon was a semi-submersible mobile offshore drilling rig that could
operate in waters up to 2,400 m deep and drill down to 9,100 m. The drilling rig is a
mobile, temporary rig that drills the well, identifies that there is a viable reservoir of
hydrocarbons, and then makes it safe and ready for a more permanent production rig. This
involves drilling a deep bore hole in stages and filling the casing with cement.
The rig was built by South Korean company Hyundai Heavy Industries. It was owned by
Transocean, operated under the Marshallese flag of convenience, and was under lease to
© ENCO
Page 4
BP from
m March 200
08 to Septe
ember 20133. Transoce
ean was pro
oviding the rig crew (e.g. the
tool pusshers and drillers). Halliburton waas responsible for the cement opperations.
At the ttime of the
e explosion, the rig w
was drilling an explorattory well aat a water depth
d
of
approximately 1,5
500 m in th
he Macondoo Prospect, located in the Mississsippi Canyo
on Block
252 of tthe Gulf of Mexico in the
t United SStates exclu
usive econo
omic zone aabout 66 km
m off the
Louisian
na coast.
BP was the operattor and principal deve
eloper of the Macondo Prospect with a 65%
% share,
while 25
5% was own
ned by Anad
darko Petrooleum Corpo
oration, and
d 10% by MO
OEX Offshore 2007,
a unit o
of Mitsui. Th
he mineral rights to drrill for oil on
o the Maco
ondo Prospeect were pu
urchased
by BP in March 2008
2
at th
he Mineralss Management Service
e's lease ssale. The platform
p
commen
nced drillin
ng in Februa
ary 2010 att a water depth of app
proximatelyy 5,000 fee
et (1,500
m).
F
FIG.
1-1. Dee
epwater Horiizon drilling rig prior to the accidennt.
The planned well was
w to be drilled
d
to 188,360 feet (5,600
(
m) below
b
sea leevel, and was
w to be
plugged
d and suspe
ended for su
ubsequent ccompletion as a subsea producer . Productio
on casing
was be
eing run an
nd cemente
ed at the time of the acciden
nt. Once thhe cementting was
complette, it was due to be
e tested fo r integrity and a cem
ment plug set to tem
mporarily
abandon
n the well for
f later completion ass a subsea producer.
p
1.3. R
Regulatorry and sa
afety asp
pects
Safety
y of the off
ffshore ind
dustry
Modern oil and gas drilling riigs and prooducing plattforms are,, in effect, enormous floating
machine
es, denselyy equipped with pow
werful engin
nes and re
esponsible ffor keeping
g within
geologicc formatio
ons large volumes of highly
y combustible hydroocarbons at
a high
tempera
atures and pressures. For all the
eir productivity, the rigs
r
expose their crew
ws to the
How to Improve Safety in Regulated Indu
ustries
om Each Other safety
s
in EU”
What Could We Learn Fro
Background Material, ENC
CO FR-(12)-44
© ENCO
Page 5
risks of injury or death if not properly operated and maintained – risks compounded for
operations conducted in progressively deeper waters, ever farther from shore.
From its creation until the Macondo well blowout, Minerals Management Service (MMS) was
the federal agency primarily responsible for leasing, safety, environmental compliance,
and royalty collection from offshore drilling. In carrying out its duties, MMS subjected oil
and gas activities to an array of prescriptive safety regulations: hundreds of pages of
technical requirements for pollution prevention and control, drilling, well-completion
operations, oil and gas major well maintenance, production safety systems, platforms and
structures, pipelines, well production, and well-control and -production safety training.
As required by the 1978 Act, MMS also attempted to conduct both annual and periodic
unscheduled (unannounced) inspections of all offshore oil and gas operations to try to
assess compliance with those requirements. Agency officials have tried to meet the
requirement for annual inspections of the operation of safety equipment designed to
prevent blowouts, fires, spills, and other major accidents. In both annual and unannounced
inspections, MMS officials used a national checklist, covering categories such as pollution,
drilling, well completion, production, crane, electrical, and personal safety. Most
inspections tend to cover a subset of the elements on the list. Roughly 20 percent of the
matters for inspection (those for the production meters) are not related to safety. But over
time, MMS increasingly fell short in its ability to oversee the offshore oil industry.
The agency’s resources did not keep pace with industry expansion into deeper waters and
industry’s related reliance on more demanding technologies. And, senior agency officials’
focus on safety gave way to efforts to maximize revenue from leasing and production.
Regulatory aspects
By the early 1990s, some MMS officials had begun to rethink the agency’s approach to
safety oversight of the offshore industry. In the wake of an accumulation of accidents in
U.S. waters, and several devastating accidents elsewhere around the globe, they had come
to appreciate that a command and control, prescriptive approach to regulation did not
adequately address the risks generated by the offshore industry’s new technologies and
exploration, development, and production activities, including industrial expansion into
deeper waters [C-4].
In March 1980, the Alexander Kielland – built as a drilling rig but under lease to Phillips
Petroleum Company to house offshore workers at the Ekofisk Field in the Norwegian North
Sea – capsized, killing 123 of the 212 people on board the rig. Two years later, during
preparation for an approaching North Atlantic storm, the Ocean Ranger semisubmersible
drilling the Hibernia field for Mobil Oil of Canada, sank off the coast of Newfoundland; all
84 crew members were lost in the freezing-cold waters. And in July 1988, the Piper Alpha
production platform operated by Occidental Petroleum 120 miles northeast of Aberdeen,
Scotland, exploded and sank, killing 167 people, including 2 rescuers. Although the causes
of the three accidents varied, they all involved international operations of U.S.-based oil
and gas companies. Common contributing factors included inadequate safety assurance,
worker training, and evacuation procedures. Poor communication and confusion about lines
of authority amplified the death toll in at least two of the accidents.
The Norwegian government responded to the loss of the Alexander Kielland by
transforming its approach to industry operations. Under the new regime, rather than
relying solely on prescribed operational and safety standards, the government required the
industry to demonstrate thorough consideration of all risks associated with the structures
© ENCO
Page 6
and operations for a drilling or production plan. The regulator no longer “approved”
operations. Shifting the burden of demonstrating safety to the operator, the regulator
would instead now “consent” to development activity proceding only upon the operator’s
demonstration that sufficient safety and risk management systems were in place.
The Piper Alpha accident and the subsequent investigation had a similar impact on United
Kingdom regulation. As in Norway, the previous prescriptive regulatory approach evolved
into one where regulations were supplemented with a requirement for companies to
demonstrate to the regulator that they had undertaken a thorough assessment of risks
associated with an activity and they had adequate safety and risk management systems to
address those risks.
All these foreign regulators – the United Kingdom, Norway, and Canada – had previously
relied on the kind of prescriptive approach used in the United States, but in the aftermath
of these fatal accidents in harsh, remote offshore environments, authorities elsewhere
concluded that adding a risk-based approach was essential. They faulted reliance on the
“prescriptive regulation with inspection model” for being fundamentally reactive and
therefore incapable of driving continuous improvement in policies and practices.[C-4].
According to Magne Ognedal, the Director General of the Norwegian Petroleum Safety
Authority, the prescription-only model engendered hostility between the parties and put
the risk – legal and moral – onto the regulator to accommodate changing technology,
geology, and location, rather than onto the operator, where the responsibility rightly
belonged. Under the new safety-management model, minimum standards for structural
and operational integrity (well control, prevention of fires and explosions, and worker
safety) remained in place. But the burden now rested on industry to assess the risks
associated with offshore activities and demonstrate that each facility had the policies,
plans, and systems in place to manage those risks. In the United Kingdom, such risk
management plans were called a “Safety Case.”
2. Technical aspects of the deepwater drilling
This section provides basic information on the deepwater drilling technology that is needed
for proper understanding of the course of events in the Deepwater Horizon accident. This
information is compiled based on Ref. [C-8]
2.1. Drilling process overview
Oil and natural gas are derived from the compressed, heated remains of ancient living
organisms like zooplankton and algae. Oil forms deep beneath the Earth’s surface when
organic materials deposited in ancient sediments slowly transform in response to intense
heat and pressure. The transformed materials can flow through porous mineral layers, and
tend to migrate upward because they are lighter than other fluids in the pore spaces. If
there is a path that leads to the surface, the hydrocarbons will emerge above ground. If an
impermeable layer instead blocks the way, the hydrocarbons can collect in porous rock
beneath the impermeable layer. The business of drilling for oil consists of finding and
tapping these “pay zones” of porous hydrocarbon-filled rock (reservoirs).
© ENCO
Page 7
Offshore drilling is similar in many ways to drilling on land. It uses drill pipe, casing, mud,
and cement in a series of carefully calibrated steps to control pressure while drilling
thousands of feet below the seafloor. Drilling mud, a sophisticated blend of synthetic
fluids, polymers, and weighting agents, is used to lubricate and cool the drill bit during
drilling.
Like their onshore counterparts, offshore rig crews use drilling mud and rotary drill bits to
bore a hole into the earth. The mud is pumped down through a drill pipe that connects
with and turns the bit. The mud flows out of holes in the bit and then circulates back to
the rig through the space between the drill pipe and the sides of the well (the annulus or
annular space). As it flows, the mud cools the bit and carries pulverized rock (called
cuttings) away from the bottom of the well. When the mud returns to the surface, rig
equipment sieves the cuttings out and pumps the mud back down the drill string. The mud
thus travels in a closed loop.
Pore pressure and fracture pressure
The weight of the rocks above a pay zone can generate significant pressure on the
hydrocarbons. Typically, the deeper the well, the higher the pressure – and the higher the
pressure the greater the challenges in safely tapping those hydrocarbons. The principal
challenge in deepwater drilling is to drill a path to the hydrocarbon-filled pay zone
(reservoir) in a manner that simultaneously controls these enormous pressures and avoids
fracturing the geologic formation in which the reservoir is found. It is a delicate balance.
In addition to carrying away cuttings, drilling mud also controls pressures inside the well as
it is being drilled. The mud column inside a well exerts downward hydrostatic pressure
that rig crews can control by varying the mud weight.
The drillers have to monitor and adjust the mud weight to keep the pressure exerted by
the mud inside the wellbore between two important points: the pore pressure and the
fracture pressure. The pore pressure is the pressure exerted by fluids (such as
hydrocarbons) in the pore space of rock.
If the pore pressure exceeds the downward hydrostatic pressure exerted by mud inside the
well, the fluids in the pore spaces can flow into the well, and unprotected sections of the
well can collapse. An unwanted influx of fluid or gas into the well is called a "kick". An
uncontrolled discharge is known as a "blowout". The fracture pressure is the pressure at
which the geologic formation will break down or “fracture.” When fracture occurs, drilling
mud can flow out of the well into the formation such that mud returns are lost instead of
circulating back to the surface. This causes what is known as “lost returns” or “lost
circulation.”
Both pore pressure and fracture pressure vary by depth. The pore pressure gradient is a
curve that shows how the pore pressure in the well changes by depth. The fracture
gradient is a curve that shows how the fracture pressure in a well changes by depth. Both
gradients are typically expressed in terms of an equivalent mud weight.
The drillers must balance the reservoir pressure (pore pressure) pushing hydrocarbons into
the well with counter-pressure from inside the wellbore. The mud plays a critical role in
controlling the hydrocarbon pressure in a well.
The weight of the column of mud in a well exerts pressure that counterbalances the
pressure in the hydrocarbon formation. If the mud weight is too low, fluids such as oil and
gas can enter the well. But if the mud weight is too high, it can fracture the surrounding
© ENCO
Page 8
rock, potentially leading to “lost returns” – leakage of the mud into the formation.
Therefore the weight (density) of the drilling mud has to be monitored and adjusted as the
well is being drilled – one of many sensitive, technical tasks requiring special equipment
and the interpretation of data from difficult drilling environments.
Casing and cement
At some point as the drilling proceeds, the pore pressure in the bottom of an open hole
section will exceed the fracture pressure of the formation higher up in this open hole
section. When this happens, the drillers can no longer rely on mud to control pore
pressure. If the crew increases the mud weight, it will fracture the formation higher up. If
the crew keeps drilling but does not increase the mud weight, hydrocarbons or other fluids
in the deeper formation will flow into the well.
At this point, the drillers must set casing. Casing is high-strength steel pipe that comes in
20- to 40-foot sections that are screwed together (or “made up”) on the rig to make a
"casing string".
The casing string serves at least two purposes – (i) it protects more fragile sections of the
hole outside the casing from the pressure of the drilling mud inside, and (ii) it prevents
high-pressure fluids (like hydrocarbons) outside the casing from entering the well. Once
cemented in place, it isolates the wellbore from the previously penetrated formations (and
their pore pressures) and serves as a conduit from the wellhead to the bottom of the well
for drilling and any subsequent production activity.
To cement the casing, a cementing crew pumps cement down the drill string. The cement
flows down the drill string, out the bottom of the casing and back up against gravity into
the annular space around the casing (between the casing and open hole). When cementing
is complete, the cement fills the annular space around the casing, reinforcing the casing
and creating the mechanical foundation for further drilling. This process continues as the
hole is drilled using progressively smaller diameter casing and cementing each in place.
Once set, the cement does two things – it seals the interior of the well (inside the casing)
off from the formation outside the casing, and it anchors the casing to the rock around it,
structurally reinforcing the wellbore to give it mechanical strength.
Cement slurry used in the deepwater drilling is a high-tech blend of dry Portland cement,
water, and numerous dry and liquid chemical additives. Operators typically employ
specialized cementing contractors to design the slurry, provide the raw materials for the
slurry, and pump it into place. Cementing specialists can adjust the cement slurry
composition to reflect the needs of each well. For instance, they can add “accelerators” to
increase the rate at which the cement sets, or “retarders” to decrease it.
The first casing string (so called "conductor casing") serves as part of the structural
foundation for the rest of the well. Welded to the top of the conductor casing is a
wellhead assembly. The wellhead assembly remains above the seafloor and serves as an
anchoring point for future casing strings. The conductor casing is inserted into place using
the drill string and a “running tool” that attaches the drill string to the wellhead.
The Blowout Preventer
The blowout preventer (BOP) is a giant assembly of valves that latches on to the wellhead.
The BOP stack serves as both a drilling tool and a device for controlling wellbore pressures.
© ENCO
Page 9
The BOP stack is connected back to the rig by the riser. The riser is a sequence of large
diameter high-strength steel pipes that serves as the umbilical cord between the rig and
the BOP during all remaining drilling operations. Once rig crews lower the BOP and riser
system into place atop the wellhead, they perform the rest of their drilling operations
through this system. The drill string, drilling tools, and all the remaining casing strings for
the well go down into the well through the riser and the BOP.
In the completed well, the BOP stack is a potential barrier that can prevent hydrocarbon
flow up the well and into the riser. It is done by using either the annular preventers, which
can slow or stop the flow, or the blind shear rams (BSR), which shuts it off completely.
The annular preventer is a large rubber element designed to close around the drill pipe
and seal off the annulus. Upon activation, the annular preventer expands and fills the
space within that part of the BOP; if there is something in the annular preventer (such as
pipe), the annular preventer seals around it. If no drill pipe is in the hole, the annular
preventer can close off and seal the entire opening.
The blind shear ram consists of two metal blocks with blades on the inner edges. It is
designed to cut the drill string and seal off the annulus and the drill string in the well
below. It can withstand and seal a substantial amount of pressure from below. Blind shear
rams are designed to cut through drill pipe but will not cut through a tool joint (the place
where two pieces of pipe are threaded together), casing hangers, or multiple pieces of
pipe. It does not seal the wellbore completely.
BOP rams can be activated in several ways: manually from the rig, automatically (when
certain conditions are met) or by remotely operated vehicle (ROV). Electrical signals are
sent to subsea control pods on the BOP stack. The signals electrically open or close a
solenoid valve, which in turn sends a pilot signal that activates the hydraulic system.
Setting subsequent casing strings
Using the drilling mud system and rotary drill bits, the drilling crew drills ahead through
the previously set casing strings. The rig crew extends the open hole below the existing
casing strings as far as the pore pressure and fracture gradient allow and then sets
subsequent smaller diameter casing strings inside the existing ones. Each new string of
casing has a smaller diameter than the previous string because it must be run through the
previous string. Some of these subsequent casing strings extend all the way back up to the
wellhead. Others, called liners, attach to the bottom segment of previous casing strings. A
casing hanger or liner hanger mechanically holds the casing in place.
Once the crew drills to a depth where a new casing string is needed, the rig crew removes
the drill string from the well in a process called tripping out. Tripping out (or in) with the
drill string is time-consuming; it typically takes a drilling crew an hour to trip in or out
1,000 feet, and tripping out of a deepwater well can be a day-long process. After tripping
out, the drill crew attaches a running tool to the end of the drill string. The crew attaches
the running tool to the casing hanger, which is in turn welded to the top of the casing. The
drill crew then lowers the drill string, running tool, and casing string down the riser,
through the BOP, and down into the well until the casing hanger is in position.
Float Collar
A “float collar” is a component installed at the bottom of a casing string. It typically
consists of a short length of casing fitted with one or more check valves (called float
© ENCO
Page 10
valves). The float collar both (1) stops wiper plugs from traveling farther down the casing
string, and (2) prevents cement slurry from flowing back up the casing after it is pumped
into the annular space around the casing (Fig. 2-1).
During casing installation, the float valves are typically propped open by a short “auto-fill
tube.” The auto-fill tube allows mud to flow upward through the float collar as the casing
string is lowered. Once the casing is in place, rig personnel “convert” the float collar. By
circulating mud through holes in the auto-fill tube, the rig crew creates pressure that
pushes the auto-fill tube down so that it no longer props the float valves open. Once the
auto-fill tube is removed, the float valves “convert” to one-way valves that allow fluid
flow down the casing but prevent fluid flow upward.
Cementing casing strings
The process for cementing casing strings into place after installing the BOP is slightly
different than cementing the early casing strings. Just as in earlier cementing steps, the
rig crew pumps cement down the drill string and into place at the bottom of the well.
However, because cement is typically incompatible with drilling mud, cementing crews
employ two methods to keep the mud and cement separated as they flow down the well.
The first involves separating the mud and cement with a water-based liquid spacer that is
designed to be compatible with both oil-based drilling mud and water-based cement but
that will prevent them from mixing. The second method involves further separating the
spacer and cement with a plastic wiper plug that travels down the well between the
spacer and the cement.
While using the mud-based drilling techniques, the cementing crew starts by pumping
spacer, followed by a “bottom” wiper plug, followed by a slug of cement, a “top” wiper
plug, more spacer, and then drilling mud. The spacers, wiper plugs, and cement slug travel
down in sequence. When the bottom plug reaches the float valve assembly near the
bottom of the casing string, it ruptures, allowing the cement behind it to pass through.
The cement flows through the float valves and out the bottom of the casing string. It then
“turns the corner” and flows up into the annular space around the casing.
© ENCO
Page 11
FIG 2-1. Casing
C
Shoe and Auto-Filll Float Colla
ar (Pre- and Post-Converrsion state)
When all of the ce
ement has made
m
it thrrough the float valves, the top pplug lands on
o top of
the bottom plug. Unlike
U
the bottom plu
ug, the top plug is not designed tto rupture. When it
lands, it blocks the
e flow of mud,
m
and th
he resulting pressure in
ncrease signnals the en
nd of the
cementting processs, at which
h time the crew turnss off the pu
umps. Cem
ment should
d fill the
annularr space aro
ound the bottom
b
of the casing
g string and the porttion of the
e casing
between the botto
om and the float valve
es (called th
he shoe track). The shhoe track is the end
section of the casing.
The sho
oe track alsso contains cement th at, togethe
er with cem
ment in the annulus, serves as
the prim
mary barrie
er preventin
ng the hydrrocarbons in
n the reserv
voir from fllowing up the well.
In this way, the shoe track
k acts as a plug betw
ween the inside
i
of thhe casing and the
formation.
The prroduction casing
If an op
perator drills a well pu
urely to leaarn about th
he geology of an area and assess if oil or
gas are present, the
t
well is called an exploration
n well. If the operatoor uses the well to
recoverr oil, it is called
c
a pro
oduction w
well. The bo
ottom-hole sections off exploratio
on wells
and pro
oduction we
ells are diffe
erent.
Once an operatorr is finishe
ed drilling an explora
ation well, they typiccally fill th
he open
bottom--hole sectio
on with cem
ment in a prrocess calle
ed plugging and abanddoning. By contrast,
c
ustries
s
in EU”
CO FR-(12)-44
© ENCO
Page 12
after drilling the final section of a production well, the operator typically installs a final
string of production casing in the open hole section.
The production casing extends past any hydrocarbon-bearing zones and down to the
bottom of the well. The shoe track also contains cement that, together with cement in the
annulus, serves as the primary barrier preventing the hydrocarbons in the reservoir from
flowing up the well. In this way, the shoe track acts as a plug between the inside of the
casing and the formation. After cementing the production casing into place, the operator
can perforate the casing by shooting holes through it and the annular cement. This allows
oil to flow into the well.
Well control and barriers
During drilling, casing, and completion operations, rig personnel must ensure that
hydrocarbons do not migrate from the reservoir into the well. Well control is the process of
monitoring the well and addressing any hydrocarbon influxes that are detected.
To maintain well control, rig personnel must create and maintain barriers inside the well
that will control subsurface pressure and prevent hydrocarbon flow. Some barriers are part
of the well design itself while others are operational barriers that a drilling crew employs
during the drilling process.
Drilling mud is a key operational barrier. As long as the column of drilling mud inside the
well exerts pressure on the formation that exceeds the pore pressure, hydrocarbons should
not flow out of the formation and into the well. If mud pressure exceeds pore pressure,
the well is said to be overbalanced. If pore pressure exceeds mud pressure, the well is
underbalanced, meaning that the mud pressure is no longer sufficient on its own to
prevent hydrocarbon flow.
Physical components of the well also create barriers to flow. One is the casing installed in
the well, along with the cement system in the bottom of the well. In a production casing
string, the cement in the annular space and in the shoe track should prevent hydrocarbons
in the formation from flowing up the annular space outside the production casing or up the
inside of the well itself.
Rig personnel can use additional barriers inside the well to increase the redundancy of the
barrier system. For instance, rig personnel can pump cement inside the final casing string
of a well to create cement plugs at various depths inside the well. Rig personnel can also
install metal or plastic mechanical plugs inside the well. Some mechanical plugs are
designed to be removed and retrieved later in the drilling process while others are
designed to be drilled out as necessary.
A BOP stack is also a potential barrier. By closing various individual rams in a BOP stack, rig
personnel can close off the well, thereby preventing hydrocarbon flow up the well and into
the riser. When a BOP ram is closed, it becomes a barrier to flow. However, the rams do
not close instantaneously—they take anywhere from 40 seconds to a minute to close once
activated.
If a kick progresses beyond the point where the driller can safely shut it in with an annular
preventer or pipe ram, the driller can activate the blind shear ram. When the two
elements of the blind shear ram close against each other, they simultaneously shut in the
well and sever the drill string.
© ENCO
Page 13
2.2. Macondo well design and construction
Macondo was an exploration well designed so that it could later be completed for
production if sufficient hydrocarbons were found. The initial objective was to evaluate
Miocene age formation expected to be found between 18,000 and 19,000 feet below sea
level in about 5,000 feet of water. The original well plan was to drill to a total depth of
19,650 feet, but this was modified during drilling and the actual total depth was 18,360
feet.
Before the well was drilled, design teams estimated pore pressures and strengths of
geologic formations to create a design that included elements such as drilling procedures,
drilling mud, drilling bits, casing design, cement and testing.
The original plan called for eight casing strings and liners (each consisting of steel casing
segments that were screwed together), but the plan was modified to react to conditions
that were encountered during drilling [C-3]. Drilling ceased at 18,360 feet (a shallower
depth than planned) and involved the use of a total of nine casing strings and liners, rather
than the planned eight, including final 9-7/8 x 7-inch tapered production casing
(sometimes referred to as a "long string"), as shown in Fig. 2-2. The space between the
casing and the wellbore is sealed by pumping cement that secures the casing.
FIG. 2.2. Design of Macondo well casing
© ENCO
Page 14
The well was to be temporarily plugged and abandoned after the production casing was set
and then completed for production at a later date. If a completed well can yield
economically valuable oil and gas, the production can be initiated by punching holes
through the casing and surrounding cement to allow hydrocarbons to flow into the well.
The Macondo well presented a number of technical challenges to the drilling and
completion teams, including the deep water, high formation pressures, and the need to
drill through multiple geologic zones of varying pore and fracture pressure. In general,
many of these problems can be anticipated, but some, such as pore and fracture pressure,
are difficult to estimate in advance of drilling the well. This is especially true for the first
well drilled in a new area, as was the case for Macondo. Thus, adaptation of the original
well plan to the changing conditions encountered with depth when the well is drilled is not
unusual. However, it is critical that the design be adapted to the changing conditions with
sufficient margin for safety.
Wellbore events that necessitated changes to the Macondo well plan included the following
[C-1]:

Measurement showed the pore pressure were increasing at a faster rate than
anticipated, combined with a period of lost circulation of drilling mud at 12,350 feet,
indicating that the well could not be continued without setting protective casing. The
16-inch liner was set 915 feet shallower than planned.

In the course of drilling at 13,250 feet, a kick occurred, and the lower annular blowout
preventer (BOP) was closed in response. During well control operation, the drill string
became stuck and was severed at 12,147 feet. The drill string and hole below 12,147
feet were abandoned and subsequent well drilling deviated slightly to go around the
abandoned materials left in the original hole. The depth of 13-5/8 inch and 11-7/8 inch
were set shallower than planned to allow for the use of higher mud weight to control
the well when passing the high pressure reservoir at 15,103 feet.

The 9-7/8 inch casing (originally planned as the production casing) was used as a liner
at 17,168 feet to drill the final section of the well safely.

During drilling at 18,250 feet, severe lost circulation of drilling mud occurred. This
problem was handled by the use of mud containing material designed to stop lost
circulation and by reducing of mud weight. The lower mud weight was not anticipated
in the plan. It was an indication that pore pressure and fracture pressure in part of this
interval were considerably less than anticipated.

The well was drilled to 18,360 feet, and after 5 days of logging to make a detailed
record of the geologic formation, it was determined that hydrocarbon-bearing
reservoirs of sufficient quality existed to warrant completion of the well for production
at a later time. According to BP investigation report [C-1] there were in fact several
reservoirs with decreasing pore pressure with depth. One of the reservoirs containing
salt water had a pore pressure exceeding the pore pressure of reservoirs containing
hydrocarbons. The difference between the mud weight needed to prevent flow of salt
water and the mud weight above which reservoir fracture could occur was very small
(only 0.2 pounds per gallon).
To continue drilling to the planned final depth of 19,650 feet, the reservoir that had been
discovered with decreasing pore and fracture pressures with depth were to be sealed with
9-7/8 x 7-inch combination casing string and cement. However, because the hole diameter
that could be drilled below the 7-inch casing was considered to small to be practical, the
well was terminated at 18.360 feet.
© ENCO
Page 15
2.3. Preparing the well for subsequent production
Installation of the production casing
At this stage of the Macondo drilling operation the next challenge was to install the
production casing and pump the cement into the well without causing additional lost
circulation. Based of the BP report [C-1] this was achieved without problems.
Relevant details regarding these activities, which could have had a material impact on the
accident and seem to be relevant from the point of view of accident causes, are discussed
below (based on Ref. [C-4]).
Use of long string
BP’s design team originally had planned to use a “long string” production casing – a single
continuous wall of steel between the wellhead on the seafloor, and the oil and gas zone at
the bottom of the well. But after the lost circulation event, they were forced to reconsider
this solution. As another option, they evaluated a “liner” – a shorter string of casing hung
lower in the well and anchored to the next higher string. A liner would result in a more
complex – and theoretically more leak-prone – system over the life of the well. But it
would be easier to cement into place at Macondo.
The long string implied several difficulties with the cementing job. First, it required the
cement to travel through a longer stretch of steel casing – roughly 12,000 feet longer –
before reaching its final destination, potentially increasing the risk of cement
contamination. Second, because it can require higher cement pumping pressure, a long
string design can lead to the selection of lower cement volumes, lower densities, and
lower pump rates. Third, the cement job at the bottom of a long string is more difficult to
remediate than one at the bottom of a liner.
On April 14 and 15, BP’s engineers, working with a Halliburton engineer, used sophisticated
computer programs to model the likely outcome of the cementing process. Early results
suggested the "long string" could not be cemented reliably. However, changing the original
design of a "long string" to a "liner" met resistance within BP. A BP expert assigned to the
modelling team determined that certain inputs should be corrected. Calculations with the
new inputs showed that a long string could be cemented properly. The BP engineers
accordingly decided that installing a "long string" was “again the primary option”.
Installing the agreed-upon casing was a major job. More than 18 hours was needed to lower
a tool, such as a drill bit, from the rig floor to the bottom of the well, 18,000 feet below
sea level. Assembling the production casing section-by-section and lowering the
lengthening string down into the well below required roughly 37 hours.
Centralizers
As the crew gradually assembled and lowered the casing, they paused several times to
install centralizers at predetermined points along the casing string. Centralizers are
critical components in ensuring a good cement job. When a casing string hangs in the
center of the wellbore, cement pumped down the casing will flow evenly back up the
annulus, displacing any mud and debris that were previously in that space and leaving a
clean column of cement. If the casing is not centred, the cement will flow preferentially
up the path of least resistance – the larger spaces in the annulus – and slowly or not at all
in the narrower annular space. That can leave behind channels of drilling mud that can
© ENCO
Page 16
severely compromise a primary cement job by creating paths and gaps through which
pressurized hydrocarbons can penetrate. This issue is known as "channelling" problem.
BP’s original designs had called for 16 or more centralizers to be placed along the long
string. But on April 1, BP team learned that BP’s supplier (Weatherford) had in stock only
six “subs” – (inline centralizers) designed to screw securely into place between sections of
casing. The alternative was to use “slip-on” centralizers – devices that slide onto the
exterior of a piece of casing where they are normally secured in place by mechanical “stop
collars” on either side. These collars can either be welded directly to the centralizers or
supplied as separate pieces. However, the slip-on centralizers with separate stop collars
can slide out of position or, worse, catch on other equipment as the casing is lowered.
Shortly after the BP team decided on the long string, Halliburton ran computer simulations
using proprietary software called OptiCem, to predict whether mud channelling would
occur. The calculations suggested that the Macondo production casing would need more
than six centralizers to avoid channelling. The BP Drilling Engineering Team Leader,
obtained permission from senior manager to order 15 additional slip-on centralizers.
Haliburton reran their simulations and found that channelling due to gas flow would be less
severe with 21 centralizers in place.
When the new centralizers arrived, it appeared that they are not custom-designed onepiece units that BP had used on a prior well and would limit the potential for centralizer
“hang up”. The earlier decision of using additional centralizers was challenged by the
well's team leader. He questioned the need for additional centralizers, and BP drilling
engineer on shore finally decided to use only the 6 centralizers of "subs" type.
Installation of the long string and preparation for cementing
Early on the morning of April 18, with a centralizer plan in hand, the rig crew finally began
assembling and lowering the long string into position. The leading end of the casing, the
“shoe track,” began with a “reamer shoe” – a bullet-shaped piece of metal with three
holes designed to help guide the casing down the hole. The reamer shoe was followed by
180 feet of 7" diameter steel casing. Then came Weatherford-manufactured “float collar,”
with two flapper valves, held open by a short “auto-fill tube” through which the mud in
the well could flow. As the long string was lowered down the wellbore, the mud passed
through the holes in the reamer shoe and auto-fill tube that propped open the float valves,
giving it a clear flow path upward.
The long string was installed in its final position early on the afternoon of April 19. With
the top end of the string seated in the wellhead and its bottom end located just above the
bottom of the wellbore, the crew’s next job was to prepare the float-valve system for
cementing. During the cementing process, fluids pumped into the well should flow in a
one-way path: down the centre of the last casing string, out the bottom, and up the
annulus (between the exterior of the steel casing and the surrounding rock formations).
To ensure unidirectional flow, the crew needed to convert the float valves (i.e. push the
auto-fill tube downward, so it would no longer prop open the float valves). With the tube
out of the way, the flapper valves would spring shut and convert from two-way valves into
one-way valves that would allow mud and cement to flow down the casing into the shoe
track, but prevent any fluid from reversing direction and coming back up the casing. Once
the float valves had converted, Halliburton could pump cement down through the casing
and up around the annulus; the valves would keep cement from flowing back up the casing
once the crew stopped pumping.
© ENCO
Page 17
Pressure anomalies in the well
To convert the float valves, that evening the crew began pumping mud down through the
casing. Based on Weatherford’s specifications, the valves should convert once the rate of
flow though holes in the auto-fill tube had reached roughly 6 barrels per minute (bpm),
causing a differential pressure on the tube of approximately 600 pounds per square inch
(psi). But the crew pumped fluids into the well, eventually pressuring up to 1,800 psi, but
could not establish flow.
In consultation with BP supervisor on shore and Weatherford staff, the rig team decided to
increase the pump pressure in discrete increments, hoping eventually to dislodge the autofill tube. On their ninth attempt, pump pressure peaked at 3,142 psi and then suddenly
dropped as mud finally began to flow. Significantly, however, the pump rate of mud into
the well and through the shoe track thereafter never exceeded approximately 4 bpm.
BP’s team concluded that the float valves had converted, but noted another anomaly. The
circulation pressure after converting the float valves (340 psi) was much lower than the
drilling-mud subcontractor, M-I SWACO had predicted (570 psi). BP’s well site leader and
the Transocean crew switched circulating pumps to see if that made a difference, and
eventually concluded that the pressure gauge they had been relying on was broken.
Believing they had converted the float valves and re-established mud circulation in the
well, BP was ready at last to pump cement down the production casing and complete the
primary cement job.
The cement design
In the days leading up to the final cementing process, BP engineers focused heavily on the
biggest challenge: the risk of fracturing the formation and losing returns. If their
cementing procedure placed too much pressure on the geologic formation below, it might
trigger another lost-returns event similar to the one on April 9. In this case, critical cement
– not mud – might flow into the formation and be lost, potentially leaving the annular
space at the bottom of the well open to hydrocarbon flow. These concerns led BP to place
a number of significant constraints on Halliburton’s cementing design.
The first compromise in BP’s plan was to limit the circulation of drilling mud through the
wellbore before cementing. Optimally, mud in the wellbore would have been circulated
“bottoms up” – meaning the rig crew would have pumped enough mud down the wellbore
to bring mud originally at the bottom of the well all the way back up to the rig.
Such extensive circulation cleans the wellbore and reduces the likelihood of channelling.
And circulating bottoms up allows technicians on the rig to examine mud from the bottom
of the well for hydrocarbon content before cementing. But the BP engineers feared that
the longer the rig crew circulated mud through the casing before cementing, the greater
the risk of another lost-returns event. Accordingly, BP circulated approximately 350 barrels
of mud before cementing, rather than the 2,760 barrels needed to do a full "bottoms up"
circulation.
BP compromised again by deciding to pump cement down the well at the relatively low
rate of 4 barrels or less per minute. Higher flow rates tend to increase the efficiency with
which cement displaces mud from the annular space. But the increased pump pressure
required would mean more pressure on the formation (ECD) and an increased risk of lost
© ENCO
Page 18
returns. BP decided to reduce the risk of lost returns in exchange for a less-than-optimal
rate of cement flow.
BP made a third compromise by limiting the volume of cement that Halliburton would
pump down the well. Pumping more cement is a standard industry practice to insure
against uncertain cementing conditions: more cement means less risk of contamination and
less risk that the cement job will be compromised by slight errors in placement. But more
cement at Macondo would mean a higher cement column in the annulus, which in turn
would exert more pressure on the fragile formation below. Accordingly, BP determined
that the annular cement column should extend only 500 feet above the uppermost
hydrocarbon-bearing zone (and 800 feet above the main hydrocarbon zones), and that this
would be sufficient to fulfill MMS regulations of “500 feet above the uppermost
hydrocarbon-bearing zone.” However, it did not satisfy BP’s own internal guidelines, which
specify that the top of the annular cement should be 1,000 feet above the uppermost
hydrocarbon zone.
Finally, in close consultation with Halliburton, BP chose to use “nitrogen foam cement” – a
cement formula that has been leavened with tiny bubbles of nitrogen gas, injected into
the cement slurry just before it goes down the well. This formula was chosen to lighten the
resulting slurry – thereby reducing the pressure the cement would exert on the fragile
formation. The bubbles, in theory, would also help to balance the pore pressure in the
formation and clear the annular space of mud as the cement flowed upward. Halliburton is
an industry leader in foam cementing, but BP appears to have had little experience with
foam technology for cementing production casing in the Gulf of Mexico.
Laboratory tests of the cement slurry
Cement slurry must be tested before it is used in a cement job. The laboratory tests
performed by Haliburton for the Macondo's cement slurry were intended to make sure the
cement will work under the conditions in the well. It included evaluating the slurry’s
viscosity and flow characteristics, the rate at which it will cure, and its eventual
compressive strength.
When testing a slurry that will be foamed with nitrogen, the lab also evaluates the stability
of the cement that results. Stable foam slurry will retain its bubbles and overall density
long enough to allow the cement to cure. The result is hardened cement that has tiny,
evenly dispersed, and unconnected nitrogen bubbles throughout. If the foam does not
remain stable up until the time the cement cures, the small nitrogen bubbles may coalesce
into larger ones, rendering the hardened cement porous and permeable. If the instability is
particularly severe, the nitrogen can “break out” of the cement, with unpredictable
consequences.
On February 10, soon after the Deepwater Horizon began work on the well, Halliburton
laboratory personnel run a series of “pilot tests” on the cement blend stored on the
Deepwater Horizon that Halliburton planned to use at Macondo. They tested the slurry and
the laboratory report was sent to BP on March 8 as an attachment to an e-mail which
provided recommended plan for cementing an earlier Macondo casing string.
The reported data that Haliburton sent to BP on March 8 included the results of a single
foam stability test. To the trained eye, that test showed that the February foam slurry
design was unstable. The report did not comment on the evidence of the cement slurry’s
instability, and there is no evidence that BP examined the foam stability data in the report
at all.
© ENCO
Page 19
Documents identified after the blowout reveal that Halliburton personnel had also
conducted another foam stability test earlier in February. The earlier test had been
conducted under slightly different conditions than the later one and had failed more
severely. It appears that Halliburton never reported the results of the earlier February test
to BP.
Halliburton conducted another round of tests in mid-April, just before pumping the final
cement job. By then, the BP team had given Halliburton more accurate information about
the temperatures and pressures at the bottom of the Macondo well, and Halliburton had
progressed further with its cementing plan. Using this information, the laboratory
personnel conducted several tests, including a foam stability test, starting on
approximately April 13. The first test Halliburton conducted showed once again that the
cement slurry would be unstable. There is no evidence that Halliburton ever reported this
information to BP. Instead, it appears that Halliburton personnel subsequently ran a
second foam stability test, this time doubling the pre-test “conditioning time” to three
hours.
The evidence suggests that Halliburton began the second test at approximately 2:00 a.m.
on April 18. That test would normally take 48 hours. Halliburton finished pumping the
cement job just before 48 hours would have elapsed. Although the second test at least
arguably suggests the foam cement design used at Macondo would be stable, it is unclear
whether Halliburton had results from that test in hand before it started the cement job.
Halliburton did not send the results of the final test to BP until April 26, six days after the
blowout.
Cement evaluation log
The BP team focused on full returns as the sole criterion for deciding whether to run a
cement evaluation log. Receiving full returns was a good indication that cement or other
fluids had not been lost to the weakened formation. But full returns provided, at best,
limited or no information about: (1) the precise location where the cement had ended up;
(2) whether channelling had occurred; (3) whether the cement had been contaminated; or
(4) whether the foam cement had remained stable.
Although other indicators – such as on-time arrival of the cement plugs and observation of
expected lift pressure – were reassuring, they too provided limited information. Other
cement evaluation tools could have provided more direct information about cementing
success.
Cement evaluation logs plainly have their limitations, particularly at Macondo. But while
many companies do not run cement evaluation logs until the completion phase, BP should
have run one here – or sought other equivalent indications of cement quality in light of the
many issues surrounding and leading up to the cement job.
Testing of the wellhead seals
Once the casing and cementing operations were concluded, the focus moved to the
installation and testing of the integrity of the wellhead seals and testing of the integrity of
the cement, and then to completion of the temporary abandonment process.
April 20 was devoted to a series of tests on the rig to check integrity of the well. This
included positive- and negative-pressure tests in preparation for “temporary
© ENCO
Page 20
abandonment.” During the positive-pressure test, the drill crew increased the pressure
inside the steel casing and seal assembly to be sure they were intact.
The negative-pressure test, by contrast, reduced the pressure inside the well in order to
simulate its state after the Deepwater Horizon had packed up and moved on. If pressure
increased inside the well during the negative-pressure test, or if fluids flowed up from the
well, that would indicate a well integrity problem – a leak of fluids into the well. Such a
leak would be a worrisome sign that somewhere the casing and cement had been breached
– in which case remedial work would be needed to reestablish the well’s integrity.
The negative-pressure test checks not only the integrity of the casing, like the positivepressure test, but also the integrity of the cement job. At the Macondo well, the negativepressure test was the only test performed that would have checked the integrity of the
bottom-hole cement job.
Typical procedure for the test is as follows. First, the crew sets up the well to simulate the
expected hydrostatic pressure exerted by the column of fluids on the bottom of the well in
its abandoned state. Second, the crew bleeds off any pent-up pressure that remains in the
well, taking it down to 0 psi. Third, they make sure that nothing flows up from and out of
the well and that no pressure builds back up inside of the well. If there is no flow or
pressure buildup, that means that the casing and primary cement have sealed the well off
from external fluid pressure and flow. A negative-pressure test is successful if there is no
flow out of the well for a sustained period and if there is no pressure build-up inside the
well when it is closed at the surface.
Conduct of these two tests at the Macondo well and their results are briefly overviewed
below.
Positive-pressure test
The crew started the positive-pressure test at noon. They pressured the well up to 250 psi
for 5 minutes, and then pressured up to 2,500 psi and watched for 30 minutes. The
pressure inside the well remained steady during both tests, showing there were no leaks in
the production casing through which fluids could pass from inside the well to the outside.
The drilling crew and BP’s well site leader considered the test successful.
Negative-pressure test
The crew began the negative test of Macondo at 5:00 p.m. Earlier in the day, the crew had
prepared for the negative test by setting up the well to simulate the planned removal of
the mud in the riser and 3,300 feet of drilling mud in the wellbore. The crew ran the drill
pipe down to approximately 8,367 feet below sea level and then pumped a “spacer” – a
liquid mixture that serves to separate the heavy drilling mud from the seawater – followed
by seawater down the drill pipe to push (displace) 3,300 feet of mud from below the mud
line to above the BOP.
While drilling crews routinely use water-based spacer fluids to separate oil-based drilling
mud from seawater, the spacer BP chose to use during the negative pressure test was a
mixture of two different lost-circulation materials left over on the rig. BP wanted to use
these materials as spacer in order to avoid having to dispose of them onshore as hazardous
waste pursuant to the Resource and Conservation Recovery Act, exploiting an exception
that allows companies to dump water based “drilling fluids” overboard if they have been
circulated down through a well. At BP’s direction, M-I SWACO combined the materials to
© ENCO
Page 21
create an unusually large volume of spacer that had never previously been used by anyone
on the rig or by BP as a spacer, nor been thoroughly tested for that purpose.
Once the crew had displaced the mud to above the BOP, they shut an annular preventer in
the BOP, isolating the well from the downward pressure exerted by the heavy mud and
spacer in the riser. The crew could now perform the negative-pressure test using the drill
pipe by opening the top of the drill pipe on the rig, bleeding the drill pipe pressure to
zero, and then watching for flow.
The crew opened the drill pipe at the rig to bleed off any pressure that had built up in the
well during the mud-displacement process. The crew tried to bleed the pressure down to
zero, but could not get it below 266 psi. When the drill pipe was closed, the pressure
jumped back up to 1,262 psi.
The crew had noticed that the fluid level inside the riser was dropping, suggesting that
spacer was leaking down past the annular preventer, out of the riser, and into the well.
This problem was solved by the annular preventer closed more tightly.
With that problem solved, the crew refilled the riser and once again opened up the drill
pipe and attempted a second time to bleed the pressure down to 0 psi. This time, they
were able to do so. But when they shut the drill pipe in again, the pressure built back up
to at least 773 psi. The crew then attempted a third time to bleed off the pressure from
the drill pipe, and was again able to get it down to 0 psi. When the crew shut the well
back in, however, the pressure increased to 1,400 psi. At this point, the crew had bled the
drill-pipe pressure down three times, but each time it had built back up. For a successful
negative-pressure test, the pressure must remain at 0 psi when the pipe is closed after the
pressure is bled off.
The results were discussed by Transocean crew and BP Well site leaders and they finally
concluded that the 1,400 psi pressure on the drill pipe was being caused by a phenomenon
called the “bladder effect.” According to one of the toolpushers this is the effect caused
by heavy mud in the riser exerting pressure on the annular preventer, which in turn
transmitted pressure to the drill pipe.
The negative test was repeated on the kill line as it had been specified in a permit
application submitted earlier to MMS. For the second test, the crew opened the kill line
and bled the pressure down to 0 psi. A small amount of fluid flowed, and then stopped. Rig
personnel left the kill line open for 30 minutes but did not observe any flow from it. The
test on the kill line thus satisfied the criteria for a successful negative pressure test – no
flow or pressure buildup for a sustained period of time. But the pressure on the drill pipe
remained at 1,400 psi throughout.
The well site leaders and crew never appear to have reconciled the two different pressure
readings. The “bladder effect” may have been proposed as an explanation for the anomaly
– but based on available information, the 1,400 psi reading on the drill pipe could only
have been caused by a leak into the well. Nevertheless, at 8 p.m., BP well site leaders, in
consultation with the crew, made a key error and mistakenly concluded the second
negative-pressure test procedure had confirmed the well’s integrity. They declared the
test a success and moved on to the next step in temporary abandonment.
Temporary abandonment
Once BP decided not to run the cement log test, Deepwater Horizon’s crew began the final
phase of its work. Drilling the Macondo well had required a giant offshore rig of Deepwater
© ENCO
Page 22
Horizon’s capabilities. By contrast, BP, like most operators, would give the job of
“completing” the well to a smaller (and less costly) rig, which would install hydrocarboncollection and -production equipment. To make way for the new rig, the Deepwater
Horizon would have to remove its riser* and blowout preventer from the wellhead – and
before it could do those things, the crew had to secure the well through a process called
“temporary abandonment.”
Four features of the temporarily abandoned well are worth noting.
First is the single 300-foot-long cement plug inside the wellbore. MMS regulations required
BP to install a cement plug as a backup for the cement job at the bottom of the well.
Second is the location of the cement plug: BP planned to put it 3,300 feet below the ocean
floor, or “mud line” (which was deeper than MMS regulations allowed without
dispensation, and deeper than usual).
Third is the presence of seawater in the well below the sea floor: BP planned to replace
3,000 feet of mud in the wellbore above the cement plug with much lighter seawater
(seawater weighs roughly 8.6 ppg, while the mud in the wellbore weighed roughly 14.5
ppg). Fourth is the lockdown sleeve – a mechanical device that locks the long casing string
to the wellhead to prevent it from lifting out of place during subsequent production
operations.
At 10:43 a.m., BP engineer e-mailed an “Ops Note” to the rest of the Macondo team listing
the temporary abandonment procedures for the well. It was the first time the BP well site
leaders on the rig had seen the procedures they would use that day. BP first shared the
procedures with the rig crew at the 11 a.m. pre-tour meeting that morning. The basic
sequence was as follows:
1. Perform a positive-pressure test to test the integrity of the production casing;
2. Run the drill pipe into the well to 8,367 feet (3,300 feet below the mud line);
3. Displace 3,300 feet of mud in the well with seawater, lifting the mud above the BOP
and into the riser;
4. Perform a negative-pressure test to assess the integrity of the well and bottom-hole
cement job to ensure outside fluids (such as hydrocarbons) are not leaking into the
well;
5. Displace the mud in the riser with seawater;
6. Set the surface cement plug at 8,367 feet; and
7. Set the lockdown sleeve.
The crew would never get through all of the steps in the procedure.
BP’s Macondo team had made numerous changes to the temporary abandonment
procedures in the two weeks leading up to the April 20 “Ops Note.” For example, in its
April 12 drilling plan, BP had planned (1) to set the lockdown sleeve before setting the
surface cement plug and (2) to set the surface cement plug in seawater only 6,000 feet
below sea level (as opposed to 8,367 feet). The April 12 plan did not include a negativepressure test. On April 14, a different procedure was set forth, which included a negativepressure test but would require setting the surface cement plug in mud before
displacement of the riser with seawater. On April 16, BP sent an 'Application for Permit to
Modify' to MMS describing a temporary abandonment procedure that was different from the
procedure in either the April 12 drilling plan, the April 14 e-mail, or the April 20 “Ops
Note.” There is no evidence that these changes went through any sort of formal risk
assessment or management of change process.
© ENCO
Page 23
Design features of the Ma
acondo we
ell
Fig. 2-3
3 gives a scchematic picture of th
he Macondo well (tak
ken from thhe BP invesstigation
report [C-1]). Thiss shows the
e cement b
barrier whic
ch failed and allowedd hydrocarb
bons and
mud fro
om the rese
ervoir to esc
cape througgh the drilll pipe (the main pipe tthrough the
e middle
section)). This figurre also show
ws the Blow
wout Preven
nter (BOP) stack.
s
Fill lines
Kill line
F
FIG.
2-3. Macondo well ((the source: BP, "Deepwa
ater Horizonn
Accident
A
Inveestigation Re
eport" [C-1]).
ustries
s
in EU”
CO FR-(12)-44
© ENCO
Page 24
2.4. Overview of the accident
Table 1-1 provides timing of relevant events that contributed to the accident. This is a
much simplified version of the chronology that aims to give an overview of the events that
is accessible to non-specialists, for the purpose of understanding the accident and
explaining how safety barriers were breached.
Table 1-1. Chronology of the accident
Date/Tim
e
Description of events
April 9 -14
The final section of the well is drilled. Total depth of 18,360 ft reached
and data collected for five days
April 14th
Haliburton OptiCem software for cement model confirmed acceptability of
using 9 7/8 x 7 inch long string as production casing
April 15th
OptiCem model updated with 21 centralizers. Decision made to order 15
additional centralizers
April 16th
Fifteen slip-on bow spring centralizers delivered to rig by helicopter.
Mechanical integrity concerns regarding the bow spring centralizers.
Decision made not to use bow spring centralizers (instead using 7 inline
centralizers)
April 19 20
Cement job pumped as planned with full fluid returns observed. Bottom
plug burst disk ruptured at higher-than-planned pressure. Cement job
completed April 20, at 00:36 hrs
April 20th
Integrity Test of well carried out:
- positive pressure test (successful)
- negative pressure test (results interpreted as successful). This test
places the well in a controlled underbalanced state to test the integrity
of the mechanical barriers.
17:35
Whilst carrying out the negative pressure test, the BP team leader realizes
that the rig crew are using a process for negative testing that is not the BP
preferred method. Operations are reconfigured to meet the requirements
of the permit (a permit is a safety system which only allows work to
progress when authorized persons have set out the way the work will be
carried out, and defines roles and responsibilities and how risks are being
controlled).
18.42 –
20.00
Sea water is pumped into the kill line to confirm that it is full, the fill line
is routed to the mini trip tank and flow stops. The line is monitored for 30
minutes and shows no flow. They notice that the drill line pressure is still
high and discuss, but this is attributed to the ‘Bladder effect’. The crew
assume that the negative pressure test is successful.
© ENCO
Page 25
Date/Tim
e
Description of events
20.00 –
21.01
The crew starts normal activities for temporary abandonment of the well
(as it is deemed commercially viable for production drilling) – this involves
returning it to the normal ‘overbalanced’ position. However, during the
process, at approximately 20.52, the well goes into an underbalanced
position – this means that the pressure on drill side is less than in the
reservoir and therefore hydrocarbons start to flow.
During this time the crew were emptying the trip tank – which may have
masked the indication of flow. Drill pipe pressure increases – this should
have alerted crew, but it was not noticed.
21.08
The team is busy carrying out a test to check if fluids can be displaced
overboard. As part of this test the pumps are shut down.
21.31
approx
The differential pressure is discussed – indicating that the drill pipe
pressure has been noticed and acknowledged as something that was not
expected.
21.40
Mud overflows onto the rig floor.
The crew diverts the mud flow to the mud gas separator. Crew close the
annular preventer and drill pipe pressure steadily increases.
Mud and hydrocarbons discharge onto the rig and overboard
21.45
Assistant driller calls senior toolpusher to report ‘the well is blowing out.
[the toolpusher] is shutting it in now’.
21.47
Gas alarms sound. There is a rapid increase in pressure in the drill pipe.
21.48
Gas probably enters the engine room air intake and explosions shake the
rig. Extensive damage ensues, possibly damaging the cables which allow
the communication of emergency shut-down system with the Blow Out
Preventer.
Emergency shutdown activation is unsuccessful – the BOP is unable to seal
the well – hydrocarbons continue to feed the fire and explosions.
22.00
Order given to abandon the ship. 11 people were determined to be missing
and the search and rescue activities commenced: no-one was found.
Results of negative-pressure test were incorrectly interpreted by the crew, suggesting that
pressure is at a safe level. Apparently the cementing processes failed to provide an
effective barrier to hydrocarbon flow. Gas and oil leaked through shoe track barrier and
float collar. The crew did not recognize there was a major problem or act to control it
until the hydrocarbons were flowing rapidly up the riser.
The impact of the decision to proceed to temporary abandonment was compounded by
delays in recognizing that hydrocarbons were flowing into the well and riser and by a
failure to take timely and aggressive well-control actions. Furthermore, failures and/or
limitations of the BOP, when it was actuated, inhibited its effectiveness in controlling the
well.
The crew closed the blowout preventer and diverter, routing oil and gas to the mud gas
separator (MGS) system rather than diverting it overboard. The MGS was overwhelmed by
the force of oil and gas which leaked into the rig's ventilation system. The heating,
ventilation and air conditioning system is thought to have sent a gas-rich mixture into the
engine rooms.
© ENCO
Page 26
At about 9:49 p.m., the rig unexpectedly began to shake and a loud surging noise was
accompanied by natural gas, drilling mud and sea water that shot high above the floor of
the drill ship. The gas exploded and the rig was engulfed in flames. A second explosion
followed and the electricity went out.
Eleven men died instantly and 115 others rushed to the lifeboats or jumped into the Gulf
of Mexico. This all happened so fast that those who died probably had no time to
understand what was happening. Two days later, the Deepwater Horizon sank to the
bottom of the Gulf of Mexico, and oil has been spilling into the Gulf at rates of at least
5,000 barrels per day since then (there are 42 gallons in a barrel).
Attempts to isolate the well using the available equipment were unsuccessful. The BOP
designed to work automatically did not control, or recapture control, of the well once it
was realized that hydrocarbons were flowing into the well. Also, both the emergency
disconnecting system designed to separate the lower marine riser from the rest of the BOP
and automatic sequencers controlling the shear ram and disconnect failed to operate.
3. Investigation into explosion
The Deepwater Horizon explosion in April 20, 2012 resulted in the loss of life of people and
caused one of the worst oil spills in history which had tremendous impact on the
environment. Investigation of this accident was conducted by many organizations directly
involved in the design and construction of the Macondo well, but also by many other
entities representing the government and the public.
From industry side it includes BP, which owned the Macondo well, Transocean (rig owner)
and Halliburton (cementer), which managed the well-sealing operation. From government
side investigations of causes of the accident were undertaken by the National Academy of
Engineering (for the Department of Interior), the Chemical Safety Board, the US Coast
Guard and the Bureau of Ocean Energy Management. There were also various Congressional
inquiries, and Department of Justice criminal and civil probes. The accident was of high
interest from the side of media.
On May 22, 2010, President Barack Obama announced the creation of the National
Commission on the BP Deepwater Horizon Oil Spill and Offshore Drilling: an independent
entity, directed to provide a thorough analysis and impartial judgment. The Commission
charter was to determine the causes of the disaster, and to improve the country’s ability
to respond to spills, and to recommend reforms to make offshore energy production safer.
The Commission reviewed thousands of pages of documents, interviewed hundreds of
witnesses, and in the autumn conducted a series of public hearings. The intense six-month
effort was concluded in the report issued in January 11, 2011 [C-3].
This section summarizes results of selected investigation reports that were released as
public domain documents. These include:
-
British Petroleum Investigation Report
Report of Human Reliability Associates Ltd of UK (retrieved from web site)
Reports of Oil Spill Commission (including "Report to the President" and "Chief
Councel's Report")
© ENCO
Page 27
-
Report of National Academy of Engineering (NAE) and National Research Council (NRC)
prepared for the Department of Interior.
The BP report was the first comprehensive investigation report from the industry side
published on September 8, 2010 [C-1]. The report included factual information that was
used as a starting point for other investigations.
The report of Human Reliability Associates is a prompt response to BP report. It provides
some views regarding the human factor. It also raises some questions that were not
addressed in the BP investigation report.
The findings of Oil Spill Commission have been published in two comprehensive reports:
"Report to the President" and "Chief Councel's Report". The "Report to the President"
focuses on regulatory oversight of leasing, energy exploration and production of oil, human
safety and environmental protection. This report includes one chapter devoted to the well
blowout and rig explosion. That chapter summarized the results of the investigation by the
Commission’s Chief Counsel, Fred Bartlit and his investigative team into the causes of the
Macondo well blow out and Deepwater Horizon rig explosion. The "Chief Councel's Report"
provide more detailed insights regarding the root causes of the Macondo well blowout and
explosion on the Deepwater Horizon.
The Report of NAE/NRC presents the consensus view of a committee of 15 experts on the
immediate and the root causes that led to loss of well control and the rig accident. It
provides observations concerning key factors and decisions that may have contributed to
the blowout of the Macondo well, including engineering, testing, and maintenance
procedures,
operational
oversight,
regulatory
procedures
and
personnel
training/certification.
Brief overview of the above mentioned reports are provided in Sections 3.1 – 3.4.
3.1. BP investigation report
BP Exploration and Production Inc. – the lease of Mississippi Canyon Block 252 and Macondo
well – started investigation of the DH accident immediately in the aftermath of the
accident independently from other spill response activities and organizations. BP
investigation team was charged with gathering the facts surrounding the accident,
analyzing available information to identify possible causes and making recommendations to
enable prevention of similar accidents in the future.
The team had access to partial real-time data from the rig, documents from various
aspects of the Macondo well's development and construction, witness interviews and
testimony from public hearings. The team used information that was made available by
other companies, including Transocean, Haliburton and Cameron. Over the course of the
investigation, the team involved over 50 internal and external specialists from a variety of
fields. BP investigation report of 193 pages was released on September 8, 2010.
The report states that no one action or inaction was behind the accident. Instead,
"multiple companies, work teams and circumstances were involved over time". It blames
the combination of "a complex and interlinked series of mechanical failures, human
judgments, engineering design, operational implementation and team interfaces".
© ENCO
Page 28
The report identified eight interlinked factors that contributed to the accident. They
correspond to the existing safety barriers that were intended to ensure safety of the rig.
These barriers include three types of safeguards: physical, administrative, and human
action type. The following key safeguards are indicated in the BP report:

Well integrity was not established or failed
1. Annulus cement barrier did not isolate hydrocarbons
2. Shoe track barriers did not isolate hydrocarbons

Hydrocarbons entered the well undetected and well control was lost
3. Negative pressure test was accepted although well integrity had not been
established
4. Influx was not recognized until hydrocarbons were in the riser
5. Well control response action failed to regain control of well

Hydrocarbons ignited on the Deepwater Horizon
6. Diversion to mud gas separator resulted in gas venting onto rig
7. Fire and gas system did not prevent hydrocarbon ignition

Blowout preventer did not seal the well
8. Blowout preventer (BOP) emergency modes did not seal well.
The key factors mentioned above are briefly discussed below.
Annulus cement barrier
The day before the accident cement had been pumped down the production casing and up
into the wellbore annulus to prevent hydrocarbons entering the wellbore from the
reservoir. The annulus cement was light, nitrified foam cement slurry. Lab tests carried
out as part of the investigation suggest that the slurry was unstable at drilling depth
pressures and temperatures and there was likely to be nitrogen breakout and migration,
resulting in incorrect cement density and allowing hydrocarbons to enter the wellbore
annulus. Nitrogen migration would have also contaminated the shoe cement and may have
caused the shoe track cement barrier to fail. The slurry was not fully tested before use.
The report concludes that there was little focus on other important aspects of design, for
example, foam stability, contamination effects and fluid loss potential were not
considered.
The BP investigation says there were "weaknesses in cement design and testing, quality
assurance and risk assessment". It suggests that "improved engineering rigour, cement
testing and communication of risk" by Halliburton could have identified those flaws. But
the report also says the Houston-based BP staff at the site could have raised awareness of
the problems.
Shoe track barrier
Having entered the wellbore annulus, hydrocarbons passed down the wellbore and entered
the space between the 7-inch production casing and the 9 7/8-inch protection casing
through the shoe track installed in the bottom of the casing. The BP investigation team
concluded that hydrocarbons ingress was through the shoe track rather than through a
© ENCO
Page 29
failure in the production casing itself or up the wellbore annulus and through the casing
hanger seal assembly.
For this to happen, both barriers in the shoe track must have failed to prevent hydrocarbon
entry into the production casing. The first barrier was the cement in the shoe track, and
the second was the float collar, a device (two flapper valves) at the top of the shoe track
designed to prevent fluid ingress into the casing.
Negative pressure test
A "negative-pressure test" was carried out to check the mechanical barriers (the shoe
track, production casing and casing hanger seal assembly). The test involved replacing
heavy drilling mud with lighter seawater to place the well in a controlled underbalanced
condition. In retrospect, pressure reading and volume bled at the time of the negativepressure test were indications of flow path communication with the reservoir, signifying
that the integrity of these barriers had not been achieved.
Witnesses state that the toolpusher (rig crew) suggested that the pressure on the drill pipe
was due to a phenomenon they (toolpusher and driller) had seen before called ‘annular
compression’ or the ‘bladder effect’. Transocean rig crew and BP leaders on the site
accepted that and carried on. The report says that they "reached the incorrect view" that
the test had been a success and the well integrity had been established.
It is stated that the responsible crew did not correctly interpret a pressure test, and both
companies neglected ominous signs such as a riser pipe losing fluid. The report also says
that while BP did not listen to recommendations by Halliburton for more centralizers, the
lack of centralizers probably did not affect the quality of the cement barrier.
Recognition of hydrocarbons influx
With the negative-pressure test having been accepted, the well was returned to an
overbalanced condition, preventing further influx into the wellbore. Later, as part of
normal operations to temporarily abandon the well, heavy drilling mud was again replaced
with seawater underbalancing the well. Over time, this allowed hydrocarbons to flow up
through the production casing and passed the BOP.
For an estimated 40 minutes, the influx of gases into the well was apparently not spotted.
By this time "hydrocarbons were rapidly flowing to the surface" and, according to
witnesses, mud flowed uncontrolled on to the rig platform.
The report says that the Transocean rig crew and a team described as "mudloggers"
working for Halliburton Sperry Sun may have been distracted by what are described as
"end-of-well activities" such as setting a cement plug in the casing, bleeding off the riser
tensioners, and transferring mud to the supply vessel and, as a result, important
monitoring was not carried out for more than seven hours.
The well should have been monitored continuously – however, procedures did not specify
how this should be achieved during activities such as in-flow testing, cleaning or other endof-well activities.
Well control response action
The first well control actions were to close the BOP and diverter, routing the fluid exiting
the riser to the mud gas separator (MGS). Closing the BOP was unsuccessful. It did not seal
© ENCO
Page 30
properly and was too late as hydrocarbons were already in the riser. Then hydrocarbons
were diverted to the mud gas separator (MGS). The alternative of dumping it overboard
through 14 in pipe was not chosen. This would (probably) have diverted it safely
overboard.
Diversion of blowout to the MGS
Diversion to the MGS resulted in gas venting onto the rig through the 12 in goosenecked
vent exiting the MGS. The high pressure hydrocarbons were diverted through the MGS
which was designed for low pressure only – there were several vent points that released
the gas onto the rig and into potentially confined spaces with presence of ignition sources.
The design of the MGS allowed high pressure carbons to be diverted into the system even
though it was outside the design specification and there were vent points onto the rig.
The fire and gas systems
The fire and gas system did not prevent hydrocarbon ignition. Hydrocarbons migrated
beyond areas on Deepwater Horizon that were electrically classified to areas where the
potential to ignition was higher. The heating, ventilation and air conditioning (HVAC)
system transfer a gas-rich mixture into the engine rooms, causing at least one engine to
overspeed, creating a potential source of ignition.
The BOP emergency mode
There were three different routes to activate the BOP emergency mode. All of them were
unsuccessful in sealing the well.
The fire is likely to have damaged the cables which provide electronic communication to
the pods - prevented the EDS from initiating the blind shear ram (BSR).
Automatic Mode Function (AMF) – two independent control pods on the BOP should activate
the BSR if certain conditions were met. Subsequent analysis of the control pods showed
they were not functioning properly; one had a failed solenoid valve and the other had
insufficient battery charge – this would have failed to complete the AMF sequence.
Remotely operated vehicle intervention to initiate the auto-shear function, another
emergency method of operating the BOP, also failed to seal the well. It is thought that this
did activate the blind shear rams, however they failed to seal the well and hydrocarbons
continued to flow.
The blowout preventer, removed on September 4, had not reached a NASA facility in time
for it to be part of the report.
Report summary
The BP investigation report concludes that no single action caused the incident – it was a
culmination of a complex interaction of mechanical failures, human judgments,
engineering design, operational implementation and team communication. They use the
Reason’s familiar Swiss Cheese metaphor to illustrate the barriers that were breached (Fig.
3-1).
© ENCO
Page 31
FIG. 3-1. Barriers bre
eached and tthe relation of barriers to the critica
cal factors
(the source:
s
"Deep
pwater Horizzon Accidentt Investigation Report" [[C-1]) .
3.2. R
Report off the Hum
man Relia
ability Associate
A
es
c
Hu
uman Relia
ability Assoc
ciates Ltd1 issued a re
eport [COn Septtember 23, 2010 the company
4] on De
eepwater Horizon
H
acc
cident that concentratted on human factor aaspects. The report
was issu
ued 2 week
ks after the
e publicatioon of BP In
nvestigation
n Report. Itt was based
d on the
factual informatio
on and anallyses provid
ded in BP Investigatio
I
on Report [[C-1] (publiished on
Sept. 8,, 2010). Hu
uman Reliab
bility Associiate's reporrt was inten
nded to proovide a sum
mmary of
the BP iincident and a comme
entary on th
he causes frrom a huma
an factors pperspective..
Where a
appropriate
e, the autho
ors – Hubbaard and Emb
brey – have given theirr own insights from
a human factors perspective.. Insights prrovided in the
t report are briefly described in terms
of prote
ective barriiers that faiiled, as pre
esented in the BP Invesstigation Reeport [C-1] (Section
2.1].
Cemen
nt slurry design
d
The rep
port points out that focus
f
on prroduction pressures
p
att the expennse of safe
ety is an
insidiou
us threat for all hazard
dous operattions. The safety requirements foor the slurry
y design,
1
Human
n Reliability Associates Ltd providess human error analysis,, strategic ddevelopment,, incident
investiga
ation, projectt manageme
ent, risk asse
essment, pro
ofessional de
evelopment trraining, and research
and deve
elopment services. The company
c
is b
based in Daltton, United Kingdom.
K
ustries
s
in EU”
CO FR-(12)-44
© ENCO
Page 32
the risks associated with not meeting them should have been explicitly recognized and
communicated between Halliburton and BP.
It is not mentioned in the BP incident report, but the rig was 41 days over schedule. Each
day over schedule cost the company approx $500,000. The authors indicate these pressures
as important factor that impacted upon the incident process. It needs to be investigated
how these pressures translated into the decisions at different levels of the organization
and between BP and Halliburton.
Cement placement
The equipment supplied (casing string) came with 7 centralizers. Halliburton had identified
on the placement model that 21 centralizers would be needed, and sent a further 15
centralizers over to Deepwater Horizon. The BP Macondo team thought they had been sent
the wrong centralizers and did not use them.
The BP report includes statement that the reduced number of centralizers probably did not
contribute directly to the accident. However, Hubbard and Embrey, in their report [C-4],
draw attention to two potential issues here – the management of people’s understanding
and knowledge, when design and operational parameters change, and poor communication
between team members leading to different understandings, perception of risk, and
possibly different goals.
Confirmation of placement
It is not clear why the well team did not follow the guidance in BP’s Engineering Technical
Practice (ETP) – they did discuss the situation and developed decision trees to decide that
no further evaluation was required. This suggests that they did not have clear guidance
regarding the appropriate strategies for different conditions. Possible reasons for not
following the BP ETP include:
-
it was viewed as guidance only,
it was difficult to use,
it was thought not to be relevant to these circumstances,
it did not clearly state the conditions in which it was/not to be applied.
Negative-pressure test
The rig crew were familiar with a different procedure for the negative pressure test.
Hubbard and Embrey [C-4] point out that for complex operations and those carried out
infrequently the procedures should be more detailed to compensate for unfamiliarity.
It is noted that in Deepwater Horizon case there was a high reliance on leadership and
know-how of the crew. However, the procedures that were available were guidelines only
and did not provide enough detail. For instance, they did not specify bleed volumes or give
success/failure criteria. The information that was available may have been difficult to
interpret and this was exacerbated by the crew’s unfamiliarity with the procedure and its
lack of detail.
There appears to have been a failure to explore other possibilities that would explain why
flow did not exit the kill line and a reliance on the explanation of ‘Bladder effect’ without
© ENCO
Page 33
considering whether there were other scenarios or risks. Poor decision making is often
linked to ‘fuzzy’ symptoms, inadequate information provision, and poor feedback of the
consequences when a course of action is taken. This may be due to a combination of other
factors that are not explored in the report.
Common problems are: time pressure and the pressure to achieve production goals (their
immediate goal was to successfully proceed with the temporary abandonment of the well),
ambiguity of roles and responsibilities, and possibly poor communications between team
members.
Failure to timely recognize influx of hydrocarbons
The well should have been monitored continuously – however, procedures did not specify
how this should be achieved during activities such as in-flow testing, cleaning or other endof-well activities Report of the Human Reliability Associates points out that in control
rooms, operations are sometimes assumed to be continuously monitored. However, this is
an assumption sometimes used in the design of plant and subsequent risk assessments
without proper consideration of its practicality in the production environment. It appears
that as the crew were busy with other activities, monitoring drill pipe pressure may not
have taken priority and there was nothing to alert them to the unanticipated drill pipe
pressure. Again, drill pipe pressure was not indicative of a known problem, and the crew
had difficulty assessing the situation and understanding its significance.
Appropriate training and job aids would have increased both the speed and accuracy of
identification that there was an influx of hydrocarbons and enhanced the probability of
appropriate well control actions.
Failure of well control response
Authors note that it is not clear why the decision to divert flow through the MGS was
taken. In their opinion it indicates lack of situational awareness of the suitability of the
MGS for large volumes of hydrocarbons and of the risks involved. It may have been
motivated by good, but misguided intentions, for instance reducing the impact on pollution
of dumping mud overboard with high hydrocarbon content.
It is noted that speed of response was crucial. Diverting the flow overboard would have
given the crew more time to respond. The BP investigation report [C-1] concludes that
Transocean’s protocols did not fully address responding to high flow emergency situations
after well control is lost. Their actions suggest they were not adequately prepared to
manage an escalating well control situation.
The crew had very little time to respond to the influx of hydrocarbons in a rapidly
escalating situation. Key members should have been trained and competent. However, the
BP investigation report does not give details of the emergency training for the crew.
Failure of the Fire and Gas system
The high pressure hydrocarbon was diverted through the MGS which was designed for low
pressure only – there were several vent points that released the gas onto the rig and into
potentially confined spaces. The design of the MGS allowed high pressure carbons to be
diverted into the system even though it was outside the design specification and there
© ENCO
Page 34
were vent points onto the rig. This indicates that inadvertent operation by operator was
not considered in the HAZOP studies of the MGS.
Failure of the BOP emergency modes
Two independent control pods on the BOP should activate the Blind Sheer Ram if certain
emergency conditions were met. Subsequent analysis of the control pods showed they
were not functioning properly; one had a failed solenoid valve and the other had
insufficient battery charge. This would have failed to complete the Automatic Mode
Function sequence. This indicates poor maintenance management system for the pods,
possibly linked to a lack of identification of critical components.
Report summary
The recommendations in the BP report focus on areas very familiar to human factors
specialists such as procedure development, training, and proactive risk assessment.
Specifically they include; improvements to procedures, competence assurance, Process
Safety Performance Management (PSPM), which also extends to monitoring the
contractors’ PSPM systems, well control practices, rig process safety, and lastly BOP
engineering design and assurance.
Similar recommendations have emerged from the analysis of the causes of many high
profile medical incidents. While the report answers questions to a certain level, as a
human factors specialist the authors would like to know more, particularly about the
latent conditions that were prevalent before the incident. After a quick read through these
there are burning questions that the BP report leaves unanswered:
-
-
Why were procedures not used – is this typical?
What was the effect on decision making and on practice of the pressure to get the
well tested and capped?
Is there a safety management system in place that includes slurry design? Why was the
slurry design not subject to a HAZOP?
Why were the changes to centralizers not part of a process that manages the changed
specification – if so, why were there communication breakdowns between Halliburton
and BP?
Why did the crew use the mud gas separator rather than pipework that would have
discharged the mud more quickly?
What emergency training did the team have? Did they have training or job support to
help them identify and respond to escalating situations?
© ENCO
Page 35
3.3. Findings of the Oil Spill Commission
President Barack Obama established the National Commission on the BP Deepwater Horizon
Oil Spill and Offshore Drilling through Executive Order 13543 on May 21, 2010. The
Commission examined the relevant facts and circumstances concerning the root causes of
the Deepwater Horizon explosion and developed options to guard against, and mitigate the
impact of, any oil spills associated with offshore drilling in the future. This included
recommending improvements to federal laws, regulations, and industry practices.
The Commission’s aim has been to provide the President, policymakers, industry, and the
American people a clear, accessible, accurate, and fair account of the largest oil spill in
U.S history: the context for the well itself, how the explosion and spill happened, and how
industry and government scrambled to respond to an unprecedented emergency.
Report to the President
On January 11th, the National Oil Spill Commission released its final report to the
President, "Deep Water: The Gulf Oil Disaster and the Future of Offshore Drilling" [C-4],
which included a chapter on the well blowout and rig explosion. The main conclusions from
this report are summarized below.
The most significant failure at Macondo – and the clear root cause of the blowout – was a
failure of industry management. Most of the failures at Macondo can be traced back to
underlying failures of management and communication. Better management of decisionmaking processes within BP and other companies, better communication within and
between BP and its contractors, and effective training of key engineering and rig personnel
would have prevented the Macondo incident.

BP’s management process did not adequately identify or address risks created by late
changes to well design and procedures. BP did not have adequate controls in place to
ensure that key decisions in the months leading up to the blowout were safe or sound
from an engineering perspective. While initial well design decisions undergo a serious
peer review process and changes to well design are subsequently subject to a
management of change (MOC) process, changes to drilling procedures in the weeks and
days before implementation are typically not subject to any such peer-review or MOC
process. At Macondo, such decisions appear to have been made by the BP Macondo
team in ad hoc fashion without any formal risk analysis or internal expert review. This
appears to have been a key causal factor of the blowout.

Halliburton and BP’s management processes did not ensure that cement was
adequately tested. Halliburton had insufficient controls in place to ensure that
laboratory testing was performed in a timely fashion or that test results were vetted
rigorously in-house or with the client. In fact, it appears that Halliburton did not even
have testing results in its possession showing the Macondo slurry was stable until after
the job had been pumped.

BP, Transocean, and Halliburton failed to communicate adequately. Information
appears to have been excessively compartmentalized at Macondo as a result of poor
communication. BP did not share important information with its contractors, or
sometimes internally even with members of its own team. Contractors did not share
important information with BP or each other. As a result, individuals often found
© ENCO
Page 36
themselves making critical decisions without a full appreciation for the context in
which they were being made.

Transocean failed to adequately communicate lessons from an earlier near-miss to its
crew. Transocean failed to adequately communicate to its crew lessons learned from
an eerily similar near-miss on one of its rigs in the North Sea four months prior to the
Macondo blowout. On December 23, 2009, gas entered the riser on that rig while the
crew was displacing a well with seawater during a completion operation. Had the rig
crew been adequately informed of the prior event and trained on its lessons, events at
Macondo may have unfolded very differently.

Decisionmaking processes at Macondo did not adequately ensure that personnel fully
considered the risks created by time- and money-saving decisions. Many of the
decisions that BP, Halliburton, and Transocean made that increased the risk of the
Macondo blowout clearly saved those companies significant time (and money). The
problem is that, at least in regard to BP’s Macondo team, there appears to have been
no formal system for ensuring that alternative procedures were in fact equally safe.
None of BP’s (or the other companies’) decisions in Table 3-1 appear to have been
subject to a comprehensive and systematic risk-analysis, peer-review, or management
of change process.

Government also failed to provide the oversight necessary to prevent these lapses in
judgment and management by private industry. Minerals Management Service (MMS)
regulations were inadequate to address the risks of deepwater drilling. Many critical
aspects of drilling operations were left to industry to decide without agency review.
For instance, there was no requirement, let alone protocol, for a negative-pressure
test, the misreading of which was a major contributor to the Macondo blowout. Nor
were there detailed requirements related to the testing of the cement essential for
well stability.

Responsibilities for these shortfalls are best not assigned to MMS alone. Efforts to
expand regulatory oversight, tighten safety requirements, and provide funding to equip
regulators with the resources, personnel, and training needed to be effective were
either overtly resisted or not supported by industry, members of Congress, and several
administrations. As a result, neither the regulations nor the regulators were asking the
tough questions or requiring the demonstration of preparedness that could have
avoided the Macondo disaster.

But even if MMS had the resources and political support needed to promulgate the
kinds of regulations necessary to reduce risk, it would still have lacked personnel with
the kinds of expertise and training needed to enforce those regulations effectively.
Table 3-1.
Examples of decisions that increased risk while potentially saving time.
Was
Decision
Was there a less
risky alternative
available ?
Less time
than
alternative ?
Decision maker
Not waiting for more centralizers of
preferred design
Yes
Saved Time
BP on shore
Not waiting for foam stability test
results and/or redesigning slurry
Yes
Saved Time
Halliburton (and
perhaps BP) on
shore
© ENCO
Page 37
Decision
Was there a less
risky alternative
available ?
Less time
than
alternative ?
Decision maker
Not running cement evaluation log
Yes
Saved Time
BP on shore
Using spacer made from combined lost
circulation materials to avoid disposal
issues
Yes
Saved Time
BP on shore
Displacing mud from riser before
setting surface cement plug
Yes
Unclear
BP on shore
Setting surface cement plug 3,000 feet
below mud line in seawater
Yes
Unclear
BP on shore
(Approved by MMS)
Not installing additional physical
barriers during temporary
abandonment procedure
Yes
Saved Time
BP on shore
Not performing further well integrity
diagnostics in light of troubling and
unexplained negative pressure test
results
Yes
Saved Time
BP (and perhaps
Transocean) on rig
Bypassing pits and conducting other
simultaneous operations during
displacement
Yes
Saved Time
Transocean (and
perhaps BP) on rig
Chief Counsel’s investigation report
In addition to the final report to the President [C-4], the Oil Spill Commission has released
additional report on the Chief Counsel’s investigation, which provides details of the series
of engineering and management mistakes by those responsible for the drilling operations,
including BP, Halliburton, and Transocean [C-8].
This additional report was intended to provide the public, policymakers, and industry with
the fullest possible account of the investigation into the causes of the well blowout, which
was summarized in the Commission’s report. The Chief Counsel’s investigative team
uncovered and analyzed far more information than could have been included in the
Commission’s report. The report provided comprehensive, coherent, and detailed account
of the events leading up to the blowout and explosion. It shows the confusion, lack of
communication, disorganization, and inattention to crucial safety issues and test results
that led to the accident. It is noted in the report that this was an entirely preventable
disaster and that the real cause were poor decisions by management.
Among the details presented publicly for the first time in the Chief Counsel’s report are
these:

BP was aware of problems with Halliburton personnel and work product years before
the blowout. In 2007, a consulting firm issued a quality control report warning BP that
Halliburton’s lab technicians “do not have a lot of experience evaluating data” and
that BP needed to improve communication with Halliburton “to avoid unnecessary
delays or errors in the slurry design testing.” BP’s own cementing expert described the
“typical Halliburton profile” as “operationally competent and just good enough
technically to get by.” And BP’s engineers had been forced to “work around” the
Halliburton engineer assigned to Macondo for years – they said that he was “not cutting
it” and that he often waited too long to conduct critical tests. But they neither
© ENCO
Page 38
reviewed his work at Macondo carefully, nor even checked to see that he conducted
testing in a timely manner – even though they knew that their last minute changes to
the cement design test could cause problems and that using nitrogen foamed cement
could pose “significant stability challenges.”

Although testing of the blowout preventer may ultimately reveal flaws in that
equipment, BOP failures were not the root cause of the blowout. The rig crew
activated the BOP, at best, only moments before the blowout began. By then,
hydrocarbons had already gone past the BOP into the riser and were expanding rapidly
towards the rig floor. Even if the BOP had functioned flawlessly, the rig would have
exploded.

A BP engineering reorganization in early 2010 resulted in delays and distractions for the
team drilling the Macondo well. The reorganization appears to have had an impact on
decision-making in the weeks leading up to the blowout, the time during which
virtually all of the decisions identified by the Chief Counsel’s team as increasing the
risk of a blowout were made.

BP’s own well site leaders accepted facially implausible explanations for the negative
test results. Less than a week after blowout, one of the two BP company men who had
been on the Deepwater Horizon during the crucial test told senior engineers “I believe
there is a bladder effect,” and that this effect – not failed cement – was the source of
the problematic test results. Every industry expert the investigative team met with
dismissed the so-called bladder effect as a fiction that could not have accounted for
the pressure readings the men saw on April 20. If anyone had consulted the BP’s vice
president for drilling (who was physically present on the rig during the crucial test) or
any other shore-based engineer, the blowout might never have happened.

Physical evidence taken from the well shows that hydrocarbon flow almost certainly
came to the surface through the “shoe track” of the well and up the production casing.
Cement in the shoe track should have blocked this flow, which further calls into
question the quality of the cement job.

Although BP engineers recognized that the Macondo cement job would be a difficult
one, and that Halliburton’s engineer was not doing “quality work,” they did not fully
review his cement design. BP’s Macondo team asked an internal cement specialist to
provide technical support on an “ad hoc” basis, but he left the country without
carefully reviewing the cement design, and never saw any information about the
cement slurry design or lab testing results until six days after the blowout. When he
reviewed those materials, several aspects of Halliburton’s cement design surprised
him.

The Transocean crew missed several signs of a “kick” – that is, hydrocarbons in the
riser – on the night of a blowout. At 9:27 pm, less than 15 minutes before the blowout
began, they did notice an anomaly in pressure data from the well, and shut down
operations to investigate. They noticed several anomalies that should have caused
serious concern, but showed no hint of alarm.

BP’s well design decisions complicated efforts to cap the well. BP was forced to be
especially cautious in its capping efforts because it believed that capping the well at
the top could cause oil to burst through the sides of the well and flow up through the
rocks to the sea floor. BP increased the risks of such problems by installing pressure
relief “burst disks” in the well and by choosing not to install a “protective casing” at
Macondo.
© ENCO
Page 39

Once the Chief Counsel’s team identified serious concerns with Halliburton’s cement
slurry design and testing process, Halliburton declined to cooperate with the
investigation effort. Halliburton refused to allow the team to conduct further
interviews of its cementing engineer and lab personnel. Halliburton has not provided
scientific data to support some of its technical assertions, and declined to provide
documents regarding lab testing protocols and evaluation criteria. Halliburton also has
not used or made available its proprietary cement modeling software to back up its
assertions that the Macondo well failed because BP did not use enough centralizers.
The Chief Counsel’s team believes that it is reasonable to infer that Halliburton would
have provided these materials if they had been favorable to Halliburton.

The Chief Counsel’s report settles the confusion over what type of centralizers BP
shipped to the rig. BP shipped additional centralizers to the rig to run on the final
casing string, but then decided not to use them. Until now, there has been no clear
account of what type of centralizers BP shipped to the rig and why they were not used.
The Chief Counsel’s report identifies the type of centralizers that were delivered – and
includes an actual photograph of them taken by a BP engineer. It also explains why
BP’s Macondo team thought they were the wrong type.

BP’s on-duty Well Site Leader was not present during preparations for the critical
negative pressure test, and may not have been present during the beginning of the
negative pressure test itself. Industry experts say that Well Site Leaders should be
present on the rig floor during this crucial period. On the Deepwater Horizon rig,
fundamental mistakes were made during the negative pressure test, beginning with the
test set-up. The misinterpretation of test results was a major factor contributing to the
blowout.

BP’s penultimate version of its temporary abandonment procedures included not one
but two negative pressure tests. BP dropped one of these tests in its final version.
According to one expert, this second test would have been less likely to have been
misinterpreted by Well Site Leaders and the rig crew. At the very least, it would have
given the Deepwater Horizon another opportunity to realize that the cement job had
failed.

BP and the Macondo team were aware of ways to carry out its temporary abandonment
procedure that could have reduced risk. BP decided to set a lockdown sleeve during
temporary abandonment operations (rather than later in the well project) to save time
(5.5 days) and cost ($2 million). Its engineers also believed that they should set a
backup cement plug and a lockdown sleeve as the last steps in the temporary
abandonment sequence. Because of these decisions, BP instructed the rig crew to
displace over 3000 feet of heavy drilling mud from the well with seawater – severely
underbalancing the well – before setting additional backup barriers to hydrocarbon
flow. The Macondo team knew this was unnecessary, and that they could use
alternative procedures to avoid underbalancing the well before setting additional
barriers. They even included such procedures in their plans at various points. But they
ultimately rejected those options in favor of an approach that created significant and
unnecessary risks.
© ENCO
Page 40
3.4. Report of NAE/NRC Committee
In response to a request from Department of Interior (DOI) Secretary, NAE and NRC formed
Committee to examine the causes of the Deepwater Horizon – Macondo well blowout,
explosion, fire, and oil spill and to identify measures for preventing similar incidents in the
future.
As part of this task, the Committee provided an interim report to the DOI Secretary on
November 16, 2010 [C-2]. That report presented preliminary findings and observations
concerning key factors and decisions that may have contributed to the blowout of the
Macondo well, including engineering, testing and certification. The final report [C-8]
presents the Committee's overall findings with regard to causes of the accident and its
recommended approaches for improved safety.
Interim Report
In its interim report the Committee [C-2] pointed out several factors that could have had a
material impact on the accident. They are briefly highlighted below.
It is noted that the failures and missed indications of hazard were not isolated events
during the preparation of the Macondo well for temporary abandonment. Numerous
decisions to proceed toward abandonment despite indications of hazard suggest an
insufficient consideration of risk and a lack of operating discipline. The decisions also raise
questions about the adequacy of operating knowledge on the part of key personnel.
Changing key supervisory personnel on the Deepwater Horizon MODU just prior to critical
temporary abandonment procedures must have been one of the contributing factors.
The Committee noted that the design decision of choosing to use a long-string production
casing in a deep, high-pressure well with multiple hydrocarbon zones was inappropriate.
Preferable solution would be the use of a cement liner over the uncased section of the
well.
Deciding that only six centralizers would be used to maintain an adequate annulus for
cementing between the casing and the formation rock, even though modeling results
suggested that many more centralizers would have been needed was not appropriate.
Questionable was also attempting to cement the multiple hydrocarbons and brine zones
encountered in the deepest part of the well in a single operational step, despite the fact
that these zones had markedly different fluid pressures. Due to this fact, there was only a
small difference between the cement density needed to prevent inflow into the well from
the high-pressure formations and the cement density at which an undesirable hydraulic
fracture might be created in a low pressure zone.
Limiting bottoms-up circulation of drilling mud prior to cementing, which increased the
possibility of cement contamination by debris in the well, was noted by the personnel but
not properly responded. Not running a bond log after cementing to assess cement integrity
in the well, despite the anomalous results of repeated negative-pressure tests was an
important contributor to the accident.
Currently, there are conflicting views among experts familiar with the incident regarding
the type and volume of cement used to prepare the well for abandonment. There are also
conflicting views on the adequacy of the time provided for the cement to cure. These
factors could have had a material impact on the integrity of the well.
© ENCO
Page 41
Given the large quantity of gas released onto the MODU and the limited wind conditions,
ignition was most likely. Therefore, operation of various alarms and safety systems on the
Deepwater Horizon MODU was an important factor potentially affecting the time available
for personnel to evacuate. It seems that they failed to operate as intended.
The various failures mentioned above indicate the lack of a suitable approach for
anticipating and managing the inherent risks, uncertainties, and dangers associated with
deepwater drilling operations and a failure to learn from previous near misses.
Of particular concern is an apparent lack of a systems approach that would integrate the
multiplicity of factors potentially affecting the safety of the well, monitor the overall
margins of safety, and assess the various decisions from perspectives of well integrity and
safety. The “safety case” strategy required for drilling operations in the North Sea and
elsewhere is one example of such a systems approach.
Final Report
In the Final Report the Committee assessed that the following findings of facts have been
established by the available evidence:

The flow of hydrocarbons that led to the blowout of the Macondo well began when
drilling mud was displaced by seawater during the temporary abandoning process.

The decision to proceed to displacement of the drilling mud by seawater was made
despite a failure to demonstrate the integrity of the cement job even after multiple
negative pressure tests. This was but one of a series of questionable decisions in the
days preceding the blowout that had the effect of reducing the margins of safety and
that evidenced a lack of safety-driven decision making

The reservoir formation, encompassing multiple zones of varying pore pressures and
fracture gradients, posed significant challenges to isolation using casing and cement.
The approach chosen for well completion failed to provide adequate margin for safety
and led to multiple potential failure mechanisms.

The loss of well control was not noted until more than 50 minutes after hydrocarbons
flow from the formation started, and attempts to regain control by using the BOP were
unsucessful. The blind shear ram failed to sever the drill pipe and seal the well
properly, and the emergency disconnect system failed to separate the lower marine
riser and the Deepwater Horizon from the well.

The BOP system was neither designed nor tested for the dynamic conditions that most
likely existed at the time that attempts were made to recapture the well control.
Furthermore, the design, test, operation, and maintenance of the BOP system were not
consistent with a high reliability, fail-safe device.

Once well control was lost, the large quantities of gaseous hydrocarbons released onto
Deepwater Horizon, exacerbated by low wind velocity and questionable venting
selection, made ignition all but inevitable.

The actions, policies and procedures of the corporations involved did not provide an
effective system safety approach commensurate with the risk of the Macondo well. The
lack of a strong safety culture resulting from a deficient overall system approach to
safety is evident in the multiple flawed decisions that lead to the blowout. Industrial
management involved with the Macondo well Deepwater Horizon accident failed to
appreciate or plan for the safety challenges presented by the Macondo well.
© ENCO
Page 42
During the course of its investigations, the Committee made several observations with
regard to the process and procedures used by industry and government regulators.
-
While the geologic conditions encountered in the Macondo well posed challenges to the
drilling team, alternative completion techniques and operational processes were
available that could have been used to prepare the well safely for temporary
abandonment.
-
The ability of the oil and gas industry to perform and maintain an integrated
assessment of the margins of safety for a complex well like Macondo is impacted by the
complex structure of the offshore oil and gas industry and the divisions of technical
expertise among the many contractors engaged in the drilling.
-
The regulatory regime was ineffective in addressing the risks of the Macondo well. The
actions of the regulators did not display an awareness of the risks or very narrow
margins for safety.
-
The extent of training of key personnel and decision makers both in industry and in
regulatory agencies has been inconsistent with the complexities and risks of deepwater
drilling.
-
Neither the companies involved nor the regulatory community has made effective use
of real time data analysis, information on precursor incidents or near-misses, or lessons
learned in the Gulf of Mexico and worldwide to adjust practices and standards
appropriately.
-
Industry's and government's research and development efforts have been focused
disproportionally on exploration, drilling, and production technologies as opposed to
safety.
3.5. Observations from other sources
The Macondo well accident was subject to high interest to the oil drilling industry, the US
governmental organizations, the public, individual experts in the field and media. This
report is based mostly on the investigation reports described above (Sections 3.1 – 3.4).
Opinions related to possible causes and discussions of circumstances could also be found in
media and internet forums/ web site pages (e.g. [C-9] – [C-12]). This information was used
in drafting this report with caution. However, in many cases it was found to be useful
providing new insights and viewpoints that were free of certain biases not necessarily
avoided in some of the official materials.
© ENCO
Page 43
4. Analysis of the Deepwater Horizon accident
This section of the report summarizes the results of causal analysis presented in the
available material discussed in Section 3. The results are presented in the form of Cause
Map (CM). It displays the whole structure of causes in a graphical form. This form of
presentation is believed to facilitate effective communication and documentation of
causes of the problem (accident). It is worth noting that communication of findings to
experts from different industries and of different professions is an important aspect in this
project.
The CM for the Deepwater Horizon accident was developed and presented in MS Excel using
the worksheet / template prepared by "ThinkReliability" Consulting Company available at
web site page http://www.thinkreliability.com.
4.1. Step 1 - Definition of the problem
The first step of the Cause Mapping approach is to define the problem by asking the four
questions: What is the problem? When did it happen? Where did it happen? And how did it
impact the goals? Answers to these questions are provided in Table 4-1.
The Deepwater Horizon accident had very severe consequences – safety-related, financial,
and environmental. It had also considerable impact on the image of the companies
involved and the whole oil industry in the USA.
As a direct result of the events at the Deepwater Horizon oil rig 11 workers were killed and
16 injured. This is an impact to the worker safety goal.
Financial consequences for the companies involved in the accident were enormous. These
consequences are closely related with the environmental impact of the accident and also
with the loss of property.
Two years after the accident, BP found itself paying out tens of billions of dollars to
contain a blowout at the Macondo well, mitigate the damage resulting from the millions of
gallons of oil flowing from that well into the Gulf of Mexico, and compensate the hundreds
of thousands of individuals and businesses harmed by the spill. BP and its partners
(Anadarko and MOEX), and its key contractors (particularly Halliburton and Transocean)
face potential liability for the billions more necessary to restore natural resources harmed
by the spill [C-4].
Table 4-1. Definition of the problem
What
Problem(s)
Deepwater Horizon oil rig explosion and oil spill
When
Date
April 20, 2010
Time
21:49
Different, unusual, unique
Deepwater drilling
State, city
Gulf of Mexico, Louisiana, United States
Where
© ENCO
Page 44
28°44′12.01″ N 88°23′13.78″ W
Facility, site
Macondo well
Unit, area, equipment
Deepwater Horizon oil rig
Task being performed
Process of temporary abandoning the well
Impact to the Goals
Safety
11 fatalities, 16 injured
Public Safety
Extensive damage to marine and wildlife habitats
and to the Gulf's fishing and tourism
Environmental
Significant release of oil, offshore pollution
Production-Schedule
Drilling operation in the area suspended
Property, Equip, Mtls
Complete loss of the rig (appr. cost $700 mln)
Labor, Time
Massive efforts to terminate the oil spill
Frequency
Very rare
4.2. Step 2 – Analysis of causes (Causal Map)
Property goal was impacted because the oil rig was burned up and sunk. Safety goal was
impacted because of the explosion and fire led to 11 fatalities and 16 persons injured.
Environmental goal was impacted because the explosion and fire led to significant release
of oil to the environment. Production goal was impacted because the drilling operations in
the region were suspended for several months. Labor goal was impacted because the
release of oil required significant efforts to terminate the spill.
The oil rig was burned up and sunk because of the loss of well control and hydrocarbons
blowout. Hydrocarbons were released onto the rig because the well integrity was not
established during the temporary abandonment process.
There were two physical barriers that have been designed to seal the well – the annulus
cement barrier and cement plug in the shoe track. Both of these barriers failed to contain
hydrocarbons within the geologic formation (reservoir).
Influx of hydrocarbons from the formation to the well through the imperfect cement
barriers was induced by the end-of-well activities – displacing the mud from the riser and
replacing it with seawater. This made the well underbalanced because the mud is much
heavier than seawater.
Rig crew failed to disconnect the well using the blank shear ram (BSR) because the crew
did not recognize gas influx in time. BOP emergency disconnect system also failed to
terminate blowout. Flammable gases penetrated the engine area and ignited causing
explosion and severe fire.
© ENCO
Page 45
Integrity of annulus cement barrier
Annulus cement barrier (see Cause Map - Page 2, Cause A) was ineffective in sealing the
well because of three potential causes: (i) deficiencies of cement slurry design, (ii)
deficiencies of cementing job, and (iii) problems with placing cement in the well.
Cement slurry design was critical because of the pore pressure and fracture gradient –
however the technical review of the slurry design gave heavy emphasis to preventing lost
returns. If cementing procedure placed too much pressure on the geologic formation
below, it might trigger another lost-returns event similar to the one on April 9. In this
case, critical cement – not mud – might flow into the formation and be lost, potentially
leaving the annular space at the bottom of the well open to hydrocarbon flow.
BP chose to use “nitrogen foam cement” – a cement formula that has been leavened with
tiny bubbles of nitrogen gas, injected into the cement slurry just before it goes down the
well. This formula was chosen to lighten the resulting slurry from approximately 16.7
pounds per gallon (ppg) to 14.5 ppg – thereby reducing the pressure the cement would
exert on the fragile formation. The bubbles, in theory, would also help to balance the pore
pressure in the formation and clear the annular space of mud as the cement flowed
upward.
Lab tests carried out as part of the investigation suggest that the slurry was unstable at
drilling depth pressures and temperatures and there was likely to be nitrogen breakout.
The slurry was not fully tested before use.
There were several cement slurry design features that could have led to foam instability
and contributed to a failure of the cement barrier. These include: the extremely low
cement slurry yield point, additive of a defoamer, and lack of fluid loss control additives
[C-4].
Potential instability factors were also the possibility of cement slurry contamination
because of no bottoms up circulation, relatively low rate of pumping cement, and small
volume of cement [C-4].
BP’s plan was to limit the circulation of drilling mud through the wellbore before
cementing. Optimally, mud in the wellbore would have been circulated “bottoms-up” –
meaning the rig crew would have pumped enough mud down the wellbore to bring mud
originally at the bottom of the well all the way back up to the rig. Such extensive
circulation cleans the wellbore and reduces the likelihood of channeling (see Section 2.3
for additional explanations). And circulating bottoms-up allows technicians on the rig to
examine mud from the bottom of the well for hydrocarbon content before cementing.
But the BP engineers feared that the longer the rig crew circulated mud through the casing
before cementing, the greater the risk of another lost-returns event. Accordingly, BP
circulated approximately 350 barrels of mud before cementing, rather than the 2,760
barrels needed to do a full bottoms-up circulation [C-4].
BP decided to pump cement down the well at the relatively low rate of 4 barrels or less
per minute. Higher flow rates tend to increase the efficiency with which cement displaces
mud from the annular space. But the increased pump pressure required moving the cement
quickly would mean more pressure on the formation (ECD) and an increased risk of lost
returns. BP decided to reduce the risk of lost returns in exchange for a less-than-optimal
rate of cement flow.
BP made another compromise by limiting the volume of cement that would be pumped
down the well. Pumping more cement is a standard industry practice to insure against
© ENCO
Page 46
uncertain cementing conditions: more cement means less risk of contamination and less
risk that the cement job will be compromised by slight errors in placement. But more
cement at Macondo would mean a higher cement column in the annulus, which in turn
would exert more pressure on the fragile formation below.
Why?
Effect
Possible Solutions:
Cause
Cause
Evidence:
Start with the Goals (in red) that have been impacted.
Read the map to the right by asking Why questions.
Step 2. Cause Map - Page 1
Annulus cement
barrier not
effective
Well integrity not
established or
failed
A
AND
Shue track
barrier not
effective
B
AND
Labor
Goal
Impacted
Massive efforts
to stop oil spill
Environmental
Goal
Impacted
Production
Goal
Impacted
Well underbalanced during
the end-of-well
activities
Drilling
operations in
area shutdown
Hydrocarbons
influx onto
the rig
Rig crew did not
disconect the
well using BSR
AND
C
Crew failed to
recognize gas
influx in time
D
AND
Significant
release of oil
from the well
Explosion of
hydrocarbons
and severe fire
Displacing mud
from riser before
setting plug
AND
Oil rig
burned up
and sunk
BOP emergency
modes failed
to seal the well
E
Property
Goal
Impacted
Gas leaked to
the engine area
and ignited
Safety Goal
Impacted
E
F
11 fatalities,
16 injured
Accordingly, BP determined that the annular cement column should extend only 500 feet
above the uppermost hydrocarbon-bearing zone (and 800 feet above the main hydrocarbon
zones), and that this would be sufficient to fulfill MMS regulations of “500 feet above the
uppermost hydrocarbon-bearing zone". However, it did not satisfy BP’s own internal
guidelines, which specify that the top of the annular cement should be 1,000 feet above
the uppermost hydrocarbon zone.
The integrity of cement barriers was also affected by the design of the cement job. There
were two important factors that increased potential for channeling: the use of long string
casing and a limited number of centralizers (see Section 2.3).
© ENCO
Page 47
The 18,300 ft long 400-ton casing string had a 5,800 ft long lower portion with 7-inch
diameter. Most of the hole over this portion of casing was 9.875-inch diameter. However,
the lowest 180 ft of 7-inch casing with 4 equi-spaced centralizers was squeezed into an
8.5-inch hole with only 56 ft of rathole bottom clearance. Compressed sediment and
granular infill in the 0.75-inch wide annulus (Halliburton’s best practices document
recommends 1.5 to 2-inch annular gap tolerance) most probably explains the need for
much-higher-than-normal pressure of 3142 psi to liquefy it (at the ninth attempt) and
allow mud to circulate. The unexpected high pressure and subsequent lower-than-specified
mud flow led to problems with conversion of float collar (as discussed in the context of the
integrity of shoe track barrier).
17
Questionable
stability of
nitrified foam
AND/OR
Small volume
of cement
AND
19
Possible
contamination
by mud/debris
Weaknesses of
cement slurry
design
Potential
instability of foam
cement
AND/OR
AND
A
Weaknesses of
cement placing
TOC less than
required
in BP ETP
AND
Reducing risk
of lost returns
(lower ECD)
AND
18
No fluid loss
additive
Annulus cement
barrier not
effective
No bottoms up
circulation
Relatively low
rate of pumping
cement
AND/OR
Addition of
defoamer
AND/OR
No proven
cement
evaluation (log)
Low yield
point
AND
Placement
difficult due to
narrow gap
Weaknesses of
cement job
design
Potential for
channelling
Use of long string
More convenient
system over the
life of the well
Rig crew do not
wait for devices
of preferable type
Production
pressure / delay
of the project
AND
1
Limited number
of centralizers
Centralizers are critical components in ensuring a good cement job. The evidence to date
does not unequivocally establish whether the failure to use 15 additional centralizers was a
direct cause of the blowout. But the process by which BP arrived at the decision to use
only six centralizers at Macondo illuminates the flaws in BP’s management and design
procedures, as well as poor communication between BP and Halliburton [C-4].
It does not appear that BP’s team tried to determine before April 15 whether additional
centralizers would be needed. Had BP examined the issue earlier, it might have been able
to secure additional centralizers of the design it favored. Nor does it appear that BP based
its decision on a full examination of all potential risks involved. Instead, the decision
© ENCO
Page 48
appears to have been driven by an aversion to one particular risk: that slip-on centralizers
would hang up on other equipment.
BP did not inform Halliburton of the number of centralizers it eventually used, let alone
request new modeling to predict the impact of using only six centralizers. Halliburton
happened to find out that BP had run only six centralizers when one of its cement
engineers overheard a discussion on the rig [C-4].
It needs to be noted that the decisions on the use of long casing string, limited number of
centralizers, and Top Of Cement (TOC) lower than in BP's Engineering Technical Practice,
which had potential impact on the integrity of cement annular barrier, were convenient
from the production point of view or intended to save time and money.
The BP team erred by focusing on full returns as the sole criterion for deciding whether to
run a cement evaluation log. The BP Macondo team used final lift pressure and returns to
confirm successful cement placement and decided no further evaluation was needed.
However, this was not in line with procedures which state that more rigorous evaluation is
required in some circumstances [C-4].
Cement evaluation logs plainly have their limitations, particularly at Macondo. But while
many companies do not run cement evaluation logs until the completion phase, BP should
have run one here – or sought other equivalent indications of cement quality in light of the
many issues surrounding and leading up to the cement job [C-4].
Integrity of shoe track barrier
Potential causes that led to a failure of the shoe track barrier (see Cause Map – Page 3,
cause B) include two items: inadequate quality of shoe track cement and failure of flapper
valves to seal [C-1].
Inadequate quality of shoe track cement barrier could have been caused by the
contamination of shoe track cement due to nitrogen breakout (from the foam cement used
for the annular space), contamination of shoe track cement by mud in the wellbore,
inadequate design of shoe track cement (tail cement), and swapping of the shoe track
cement by mud in the rathole (bottom of the well).
Contamination of the shoe track cement by mud was more likely because of the oil-based
spacer used by the crew. While drilling crews routinely use water-based spacer fluids to
separate oil-based drilling mud from seawater, the spacer BP chose to use during the
negative pressure test was a mixture of two different lost-circulation materials left over on
the rig – the heavy, viscous drilling fluids used to patch fractures in the formation when
the crew experiences lost returns.
BP wanted to use these materials as spacer in order to avoid having to dispose of them
onshore as hazardous waste1. Material of this type had never previously been used by
anyone on the rig or by BP as a spacer, nor been thoroughly tested for that purpose.
Two flapper valves, which create additional element of the shoe track barrier, could have
failed because of three possible mechanisms: failure to convert the flow collar, damage
due to high load needed to establish circulation (see Section 2.3 for discussion of pressure
1
Pursuant to the Resource and Conservation Recovery Act, exploiting an exception that allows companies to
dump waterbased “drilling fluids” overboard if they have been circulated down through a well
© ENCO
Page 49
anomalies during the preparation of the well for cementing job), and random failure of the
two flapper valves.
Whether the float valves converted contributing to the blowout, has not yet been, and may
never be, established with certainty. But, what is certain is that BP’s team failed to take
time to consider whether and to what extent the anomalous pressure readings may have
indicated other problems or increased the risk of the upcoming cement job.
BP’s team appears not to have seriously examined why it had to apply over four times the
750 psi design pressure to convert the float valves. More importantly, the team assumed
that the sharp drop from 3,142 psi meant the float valves had in fact converted. That was
not at all certain. The auto-fill tube was designed to convert in response to flow-induced
pressure. Without the required rate of flow, an increase in static pressure, no matter how
great, would not dislodge the tube.
Contamination
of shoe track
cement by nitrogen
Need to use havier
fluid to improve
displacement
AND/OR
20
Contamination
of shoe track
cement by mud
Inadequate
quality of shoe
track cement
B
Use of oil-based
spacer
AND/OR
Disposing lostcirculation
material
Inadequate
design of shoe
track cement
Shoe track
barrier not
effectikve
AND
AND/OR
Swapping
of shoe track
cement with
the mud
18
Flow collar
not converted
Low rate of
cement down
the well
AND/OR
Flapper valves
do not seal
Damage due to
high load required
to establish
circulation
AND/OR
Random failure
of flapper valves
While BP’s Macondo team focused on the peak pressure reading
that circulation was reestablished, it does not appear the team
sufficient mud flow rate had been achieved to convert the float
considered this issue. Because of ECD concerns, BP’s engineers
of 3,142 psi and the fact
ever considered whether
valves. They should have
had specified a very low
© ENCO
Page 50
circulating pump rate – lower than the flow rate necessary to convert the float valves. BP
does not appear to have accounted for this fact.
High load applied to establish circulation could have damage the flapper valves and
resulted in their failure to prevent blowout. It is also possible that the failure of flapper
valves to seal was a random failure, although likelihood of coincident failures of two valves
seems to be low.
Displacement of mud from the riser
Decision regarding displacement of mud from the riser before setting cement plug (see
Cause Map – Page 4, Cause C) was an important factor that have contributed to the
blowout. First, it was not necessary or advisable for BP to replace 3,300 feet of mud below
the mud line with seawater. By replacing that much heavy drilling mud with much lighter
seawater, BP placed more stress on the cement job at the bottom of the well than
necessary. BP’s stated reason for doing so was its preference for setting cement plugs in
seawater rather than mud.
BP team
preference for
setting plug in
seawater
C
Displacing mud
from riser before
setting plug
Cement setting in
seawater better
than in mud
Contamination of
cement by mud
avoided
Plug solution
consistent with
setting lockout
sleeve
1
Less risky
alternatives
not considered
The risk of
displacing mud
not fully realized
Focus on
production as
opposed to safety
4
Lessons from
past events not
communicated to
the rig crew
2
3
No formal
system for risk
assessment
Safety culture at
the company
level inadequate
While industry experts have acknowledged that setting cement plugs in seawater can avoid
mud contamination and that it is not unusual for operators to set cement plugs in
seawater, BP has provided no evidence that it or another operator has ever set a surface
cement plug so deep in seawater (particularly without additional barriers). The risks BP
created by its decision to displace 3,300 feet of mud with seawater outweighed its
concerns about cement setting better in seawater than in mud.
As BP has admitted, cement plugs can be set in mud. BP also could have set one or more
non-cement bridge plugs (which work equally well in mud or seawater). No evidence has
yet been produced that the BP team ever formally evaluated these options or the relative
risks created by removing 3,300 feet of mud [C-4].
© ENCO
Page 51
It is noted in Ref [C-4] that setting the cement plug 3,300 feet below the mud line was not
necessary. The BP Macondo team chose to do so in order to set the lockdown sleeve last in
the temporary abandonment sequence to minimize the chances of damage to the sleeve.
Setting the lockdown sleeve would require 100,000 pounds of force. The BP Macondo team
sought to generate that force by hanging 3,000 feet of drill pipe below the sleeve – hence
the desire to set the cement plug 3,000 feet below the mud line.
BP’s desire to set the lockdown sleeve last did not justify the risks its decision created. BP
could have used other proven means to protect the lockdown sleeve if set earlier in the
process. It also did not need 3,000 feet of space to generate 100,000 pounds of force.
There were some recommendations of BP experts for setting the plug roughly 1,300 feet
below the mud line (using heavier drill pipe), rather than 3,300 feet down. That would
have significantly increased the margin of safety for the well.
The most troubling aspect of BP’s temporary abandonment procedure was BP’s decision to
displace mud from the riser before setting the surface cement plug or other barrier in the
production casing. During displacement of the riser, the BOP would be open, leaving the
cement at the bottom of the well (in the annulus and shoe track) as the only physical
barrier to flow up the production casing between the pay zone and the rig. Relying so
heavily on primary cement integrity put a significant emphasis on the negative-pressure
test and well monitoring during displacement, both of which are subject to human error.
BP’s decision under these circumstances to displace mud from the riser before setting
another barrier unnecessarily and substantially increased the risk of a blowout. BP could
have set the surface cement plug, or a mechanical plug, before displacing the riser. BP
could have replaced the mud in the wellbore with heavier mud sufficient to overbalance
the well. It is not apparent why BP chose not to do any of these things.
Decision making processes at Macondo did not adequately ensure that personnel fully
considered the risks created by time- and money-saving decisions. Whether purposeful or
not, many of the decisions that BP, Halliburton, and Transocean made that increased the
risk of the Macondo blowout clearly saved those companies significant time (and money).
It is noted in Ref. [C-4] that choosing a less-costly or less-time-consuming alternative – as
long as it is proven to be equally safe – is normal in commercial business. The problem is
that, at least in regard to BP’s Macondo team, there appears to have been no formal
system for ensuring that alternative procedures were in fact equally safe. None of BP’s (or
the other companies’) decisions (shown in Table 3-1) appear to have been subject to a
comprehensive and systematic risk-analysis, peer-review, or management of change
process.
Transocean failed to adequately communicate lessons from an earlier near-miss to its
crew. Transocean failed to adequately communicate to its crew lessons learned from a
similar near-miss on one of its rigs in the North Sea four months prior to the Macondo
blowout. The basic facts of both incidents are the same. Had the rig crew been adequately
informed of the prior event and trained on its lessons, events at Macondo may have
developed very differently.
The above mentioned deficiencies indicate significant weaknesses in safety culture not
only within BP, but also within other corporations involved in the Macondo project.
Kick detection
Failure of the rig crew to recognize influx of hydrocarbons into the well (see Cause Map –
Page 5, Cause D) was an important factor that have contributed to the Macondo accident.
© ENCO
Page 52
The crew could have prevented the blowout – or at least significantly reduced its impact –
if they had reacted in a timely and appropriate manner. What is not now clear is precisely
why the drilling crew and other individuals on the rig missed several critical signs
indicating that a kick was occurring. There are several potential causes that can explain
such behaviour.
The rig crew was confident regarding the integrity of the existing cement barriers. There
was no systematic monitoring of the important parameters of the well that could help in
detecting occurrence of a kick. Important factor was also that at the same time the crew
was engaged in several end-of-well activities that could have distracted their attention.
The crew was confident that the existing cement barriers are effective based on the
negative pressure test, results of which were misinterpreted. The cement evaluation log
that could have identified potential barrier integrity problems was not conducted. The
crew did not recognised anomalies in the well parameters that could have provided an
indication of a kick.
© ENCO
Page 53
Cement
evaluation log
not conducted
Safety culture at
the company
level inadequate
No formal
system for risk
assessment
11
No detailed
requirements
for the log
10
AND
8
Crew confident
of the well
integrity
AND
Safety oversight
not effective
Negativepressure test
mis-interpreted
AND
G
AND
Kick symptoms
not recognized
Crew failed to
recognize gas
influx in time
Crew distracted
with end-of-well
activities
Preparation for
setting cement
plug in the riser
No monitoring
of the well
parameters
AND
9
21
1
Displacement
bypassing pits &
flow out meter
Production
pressure due to
project delays
Saving time
and money
16
Pressure
anomalies not
recognised
13
8
No suitable
procedure on
well monitoring
Regulatory regime
not effective in
addressing the risk
AND
Department of
the Interior was
understaffed
Inadequate
scope of safety
regulations
No data on water
inflow and mud
outflow
D
3
2
Rig crew training
not sufficient
10
Department of the
Interior was
understaffed
AND
22
Instrumentation
and displays not
adequate
© ENCO
Page 54
Cement evaluation log was not conducted because the BP team was considering full
returns as the sole criterion for deciding whether to run the evaluation log. Receiving full
returns was a good indication that cement or other fluids had not been lost to the
weakened formation. But full returns provided, at best, limited or no information about (i)
the precise location where the cement had ended up, (ii) whether channelling had
occurred; (iii) whether the cement had been contaminated; or (iv) whether the foam
cement had remained stable. Although other indicators – such as on-time arrival of the
cement plugs and observation of expected lift pressure – were reassuring, they too
provided limited information. Other cement evaluation tools could have provided more
direct information about cementing success.
BP team decision of not conducting a cement evaluation log did not fully conform to the
intent of its own guidelines ETP GP 10-60 [C-1]. These guidelines require that top of
cement (TOC) barrier should be 1000 ft above any distinct permeable zone and
centralization should extend to 100 ft above such zone. If these conditions are not met, as
in this case, TOC should be determined by a "proven cement evaluation log", which would
be done during the completion phase of the well. There is no evidence of a documented
risk assessment regarding annulus barriers. It is not clear what is the regulator's position
regarding this issue.
There are several potential factors that may have contributed to the failure to properly
conduct and interpret the negative pressure test that night.
There was no standard procedure for running or interpreting the test in either MMS
regulations or written industry protocols. The regulations and standards did not require BP
to run a negative-pressure test at all. BP and Transocean had no internal procedures for
running or interpreting negative-pressure tests and had not formally trained their
personnel in how to do so.
The crew engaged in conducting and interpreting the test were not fully aware of the
associated risk. There were several factors that could have impact on the crew's
appreciation of the risk.
Although many BP and Halliburton employees were aware of the difficulty of the primary
cement job those issues were for the most part not communicated to the rig crew that
conducted the negative-pressure test and monitored the well. It appears that BP did not
even communicate many of those issues to its own personnel on the rig. BP well site
leaders did not consult anyone on shore about the anomalous data observed during the
negative-pressure test. Had they done so, the Macondo blowout may not have happened.
Due to poor communication, it does not appear that the staff performing and interpreting
the test had a full appreciation of the context in which they were performing it. Such an
appreciation might have increased their willingness to believe the well was flowing.
The rig crew missed several signs of a “kick” – that is, hydrocarbons in the riser -- on the
night of a blowout. The Sperry Sun data available to the crew from between 8:00 p.m. and
9:49 p.m. reveal a number of different signals that if observed, should at least have
prompted the driller to investigate further, for instance, by conducting a visual flow
check, and then shutting in the well if there were indications of flow.
For instance, the increasing drill-pipe pressure after the pumps were shut down for the
sheen test at 9:08 p.m. was a clear signal that something was happening in the well.
Similarly, at roughly 9:30 p.m., the driller and toolpusher recognized an anomalous
pressure difference between the drill pipe and kill line. Both of these signals should have
prompted action – especially the latter: it was clearly recognized by the crew and coherent
© ENCO
Page 55
with the odd pressure readings observed during the negative-pressure test. The crew
should have done a flow check and shut in the well, immediately upon confirmation of
flow.
The crew missed or misinterpreted these signals. One possible reason is that they had done
a number of things that confounded their ability to interpret signals from the well. For
instance, after 9:08 p.m., the crew began sending fluids returning from the well
overboard, bypassing the active pit system and the flow-out meter. Only the mudlogger
performed a visual flow check. At 9:27 pm, less than 15 minutes before the blowout
began, they did notice an anomaly in pressure data from the well, and shut down
operations to investigate. They noticed several anomalies that should have caused serious
concern, but showed no hint of alarm.
Another factor that prevented correct diagnosis of the problem was the lack of information
regarding the flow parameters. Bypassing the active system and flow-out meter resulted in
the lack of flow-in and flow-out data that could have indicated the well integrity problem.
Had the crew routed the seawater through the active pit system before sending it into the
well, such data would have been available.
Once the crew began displacing the riser with seawater, they confronted the challenge of
dealing with all of the returning mud. The driller repeatedly rerouted the mud returns
from one pit to another in order to accommodate the incoming volume. During that time,
the crew also sent mud from other locations into the active pit system. It is not clear
whether the crew could adequately monitor active pit volume (or flow-in versus flow-out)
during that time given all the activity.
Important factor was also the lack of a suitable information system that would be capable
to alert the crew when anomalies arise. In light of the potential consequences, the system
used at the rig, which requires the right person to be looking at the right data at the right
time, and then to understand their significance, in spite of simultaneous activities and
other monitoring responsibilities, is not adequate.
The above mentioned deficiencies and missteps were rooted in systemic failures by
industry management (extending beyond BP to contractors that serve many in the
industry), and also by failures of government to provide effective regulatory oversight of
offshore drilling. These are important root causes that must be properly addressed to
prevent recurrence of similar accidents.
Failure of BOP emergency mode
Blowout preventer (BOP) was the last line of defence in the case of failure of the
remaining barriers. The BOP is designed to contain pressure within the wellbore and halt
an uncontrolled flow of hydrocarbons to the rig. The Deepwater Horizon’s BOP did not
succeed in containing the Macondo well.
Witness accounts indicate that the rig crew activated one of the annular preventers around
9:41 p.m., and pressure readings suggest they activated a variable bore ram (which closes
around the drill pipe) around 9:46 p.m. Flow rates at this point may have been too high for
either the annular preventer or a variable bore ram to seal the well. Earlier kick detection
would have improved the odds of success.
After the first explosion, crew members on the bridge attempted to engage the rig’s
emergency disconnect system (EDS). The EDS should have closed the blind shear ram,
severed the drill pipe, sealed the well, and disconnected the rig from the BOP. But none of
© ENCO
Page 56
that happened. When the subsea supervisor pushed the EDS button the panel indicators lit
up, but the rig never disconnected.
Three potential causes can be identified for this failure. They include: failure of the
control signal that activate the blind shear ram (BSR), failure of the hydraulic system that
operate the shears, and BSR failure to slice through the drill pipe.
It is possible that the first explosion had already damaged the cables to the BOP,
preventing the disconnect sequence from starting. Even so, the BOP’s automatic mode
function (so called “deadman” system) should have triggered the blind shear ram after the
power, communication, and hydraulics connections between the rig and the BOP were cut.
But the "deadman" system failed too.
Another possible cause is unavailability of two redundant control "pods" that control the
BOP’s automatic mode function (the “deadman” system). The deadman is designed to
close the shear ram if the electronic and hydraulic lines connecting the rig to the blowout
preventer are severed.
Post-incident testing of the two redundant “pods” revealed low battery charges in one pod
and defective solenoid valves in the other. If those problems existed at the time of the
blowout, they would have prevented the deadman system from working. This failure may
have been due to poor maintenance.
Failure of the BSR hydraulic system is a potential single failure that could disable the BSR
function. The likely cause is hydraulic fluid leak that may have reduced the ram cutting
force. Failure of this system would have also prevented activation of BSR through the use
of underwater robot (VOR).
Attempt to use VOR was undertaken within the first few days after the explosion. Using a
robotic submersible equipped with a hydraulic pump, the crew injected seawater into the
blind shear ram, hoping to drive its pistons and blades closed. But the pump did not have
nearly the needed strength; it could not pump water at a sufficient rate to budge the
blades.
It is also possible that BSR was not capable to shear the pipe. Two potential causes can be
indicated: BSR blades are positioned on indestructible joint or the BSR cutting force is not
sufficient to cut pipe.
The first possibility, for the BOP with only one BSR, as used by the Deepwater Horizon, is
estimated as 0.10. The possibility of the latter scenario is confirmed by two studies of
West Engineering Services of Brookshire, Tex., one of the industry’s premier authorities on
blowout preventers (cited in Ref. [C-12]). These studies found a more basic problem: even
when everything worked right, some blind shear rams still failed to cut pipe. West’s
experts concluded that calculations used by makers of blowout preventers overestimated
the cutting ability of blind shear rams. It is noted that modern drill pipe is nearly twice as
strong as older pipes of the same size. In addition, the intense pressure and frigid
temperatures of deep water make it tougher to shear a pipe.
It is worth noting that from the point of view of reliability, BOP is rather a vulnerable
device. According to Ref. [C-12] in 2009 Transocean commissioned a "strictly confidential"
study of the reliability of blowout preventers used by deepwater rigs. Using the world’s
most authoritative database of oil rig accidents, a Norwegian company, Det Norske Veritas,
focused on some 15,000 wells drilled off North America and in the North Sea from 1980 to
2006. It found 11 cases where crews on deepwater rigs had lost control of their wells and
then activated blowout preventers to prevent a spill. In only six of those cases were the
wells brought under control, leading the researchers to conclude that in actual practice,
© ENCO
Page 57
blowout preventers used by deepwater rigs had a “failure” rate of 45 percent. The study
also revealed that the BOP is vulnerable to a single failure of a control valve in the
hydraulic system.
An examination by The New York Times [C-12] reveals that the federal agency charged
with regulating offshore drilling, the Minerals Management Service, repeatedly declined to
act on advice from its own experts on how it could minimize the risk of a blind shear ram
failure.
© ENCO
Page 58
VOR failed to
activate BSR
AND
Control signal
failed
Fire induced
damage to BSR
control cables?
10
AND
Department of the
Interior was
understaffed
None of the two
control pods
operable ?
OR
15
Test and
maintenance not
adequate
BOP did not seal
properly
8
Safety oversight
not effective
AND
9
BSR hydraulic
system failed
Pressure in the
system too low?
Leaking valve
or untight joint?
Inadequate
scope of safety
regulations
25
E
BOP emergency
1
modes failed
to seal the well
BSR blades on
indestructible
joint?
OR
OR
24
BSR unable to
shear pipe
OR
26
BSR cutting
capability
overestimated
BOP activation
too late
D
Weakness
of the BSR
design?
Crew failed to
recognize gas
influx in time
© ENCO
Page 59
OR
Emergency
procedures not
adequate ?
Crew diverted
mud & gas
flow to MGS
Emergency
conditions not
recognized
F
Gas leaks to
engine area
and ignites
Gas enters
from MGS
through HVAC
Department of the
Interior was
understaffed
8
Safety oversight
not effective
16
Emergency
training not
adequate ?
AND
10
14
AND
9
Inadequate
scope of safety
regulations
MGS operated
beyond design
basis
AND
23
Connections
between MGS
and HVAC
Weakness
of the MGS
design
© ENCO
Page 60
Diversion of flow to the MGS
Direct cause of the ignition and explosion of blowout gases was that gas penetrated the
engine area that was outside the fire protection area and had electrical equipment
containing potential ignition sources. Gas entered the engine area from the mud gas
separator (MGS) system through the rig's heating, ventilation and air conditioning system
(HVAC).
When hydrocarbons flow was finally noted, the Deepwater Horizon crew closed the
blowout preventer and diverter, routing oil and gas to the mud gas separator (MGS) system
rather than diverting it overboard. The MGS was operated beyond design basis and was
overwhelmed by the force of oil and gas which leaked into the rig's ventilation system. Gas
was exiting the vents located on the derrick, directly above the rig floor.
It is not clear why personnel did not choose to divert the gas directly overboard. While
that ultimately may not have prevented an explosion, diverting overboard would have
reduced the risk of ignition of the rising gas. Considering the circumstances, the crew also
should have activated the blind shear ram to close in the well. Diverting the flow
overboard and/or activating the blind shear ram may not have prevented the explosion,
but likely could have given the crew more time and perhaps limited the impact of the
explosion.
There are a few possible explanations for why the crew responded in this way. The crew
may not have recognized the severity of the situation, though that seems unlikely given
the amount of mud that spewed from the rig floor. They did not have much time to act.
The explosion occurred roughly six to eight minutes after mud first emerged onto the rig
floor.
Perhaps the most significant factor is the lack of appropriate emergency procedure and
training. The rig crew had not been trained adequately how to respond to such an
emergency situation, including the simulations and drills for such emergencies, and
momentous decision to engage the blind shear rams or trigger the EDS.
The heating, ventilation and air conditioning system is thought to have sent a gas-rich
mixture into the engine rooms. Connections between MGS and HVAC indicate weaknesses
of the design.
4.3. Step 3. Analysis of solutions
The Cause Map is used to identify all the possible solutions for the problem so that the best
solutions can be selected. Potential solutions correspond to those causes which can be
controlled by the problem owner so that the problem is prevented from recurring.
The following causes, which can be subject of interest in this context, can be identified on
the Cause Map for the Deepwater Horizon accident (as developed in Step 2):
General issues related to safety management, safety culture, and regulatory
oversight
1.
2.
3.
Focus on production as opposed to safety / production pressure
No formal system for risk assessment of alternative solutions
Safety culture at the company level inadequate
© ENCO
Page 61
4.
5.
6.
7.
8.
9.
10.
Lessons from potential issues or past events not communicated to the rig crew
Subcontractors failed to communicate adequately
Making ad hoc changes during well development without evaluation of the related
risk
Well site management not consulting potential issues/anomalies with on shore office
Safety oversight of exploration, drilling and production of oil from deepwater
formations not effective
Inadequate scope of safety regulations for deepwater oil industry
Department of the Interior responsible for safety oversight of deepwater oil industry
understaffed.
Procedures and training
11.
12.
13.
14.
15.
16.
No detailed requirements for the cement log test
Standard BP procedure for negative-pressure test not detailed enough
No suitable procedure on well monitoring
Emergency procedures not adequate
BOP test and maintenance not adequate
Rig crew training not sufficient.
Process safety
17.
18.
19.
20.
21.
Small volume of cement used in the well cementing process
Relatively low rate of pumping cement
No bottoms up circulation
Use of oil-based spacer
Displacement bypassing pits and flow out meter.
Equipment design issues
22.
23.
24.
25.
26.
Instrumentation and displays for well monitoring not adequate
Weakness of the MGS design
BSR unable to shear pipe
BSR blades on indestructible joint
Weakness of the BSR design.
The above mentioned causes are arranged in several groups of different type, area of
origin and importance. Their numbering corresponds to that used in Cause Map (Step 2,
Pages 1 – 8). These causes and corresponding solutions are briefly discussed below.
Safety management and safety culture (Causes 1 – 7)
Analysis of risks and risk awareness
Companies involved in deepwater oil drilling must have in place strict policies requiring
rigorous analysis and proof that less-costly alternatives are in fact equally safe (Cause 2).
This recommendation also applies to current practice of making ad hoc changes during well
development and completion without evaluation of the related risk (Cause 6). When
implemented successfully, it would ensure that individual decision makers have a full
awareness of the risk associated with the decision.
If BP had any such policies in place, it does not appear that its Macondo team adhered to
them. Unless companies create and enforce such policies, there is simply too great a risk
that financial pressures will systematically bias decision making in favour of time- and
cost-savings (Cause 1).
© ENCO
Page 62
Regulators need to create suitable framework that support such an approach. One of the
important pre-conditions is clear formulation of health, safety and environmental
objectives and establishing regulations that require operators, drilling contractors and
service companies to work together to meet these safety objectives.
Safety management system
failure of industry management. Most, if not all, of the failures at Macondo can be traced
back to underlying failures of management and communication. Better management of
decision making processes within BP and other companies, better communication within
and between BP and its contractors, and effective transfer of information among key
engineering and rig personnel would have prevented the Macondo incident (Causes 4, 5,
and 7).
BP and other operators must have effective systems in place for integrating the various
corporate cultures, internal procedures, and decision making protocols of the many
different contractors involved in drilling a deepwater well.
The management system has to clearly define the roles and responsibilities for all parties
involved in a given project (operator, drilling contractor and service companies) for
health, safety and environmental protection. It should provide detailed project specific
information to be shared by key personnel regardless of whether they are employed by the
operator, the drilling contractor, or a service company. The system has to facilitate the
management of change process and serve as a mechanism to communicate the implications
of programme changes to all key personnel.
Safety culture
It is also critical that companies implement and maintain a pervasive top-down safety
culture that reward employees and contractors who take action when there is a safety
concern even though such action costs the company time and money (Causes 1 and 3).
Long-term proactive improvement programme that ensure effective learning from
experience is an integral element of an effective risk management approach reflecting a
safety culture (Cause 4). In such a programme “near misses” should provide opportunities
to improve, and the reporting of errors, omissions, and questionable results should be
highly encouraged. The regulators should establish practices and standards that foster
continuous improvement in safety culture within the industry.
Regulatory oversight (Causes 8 – 10)
Regulatory approach
Government agencies1 that regulate offshore activity should reorient their regulatory
approaches to integrate more sophisticated risk assessment and risk management practices
1
The Mineral Management Service (MMS) that was the federal agency primarily responsible for
regulating the safety of offshore drilling at the time of the Macondo well accident. Since October 1,
2011 the federal entity responsible for safety and environmental oversight of offshore oil and gas
activities is the Bureau of Safety and Environmental Enforcement (BSEE).
© ENCO
Page 63
into their oversight of energy developers operating offshore (Cause 8). They should shift
their focus from prescriptive regulations covering only the operator to a foundation of
augmented prescriptive regulations, including those relating to well design and integrity,
supplemented by a proactive, risk-based performance approach that is specific to
individual facilities, operations, and environments1.
This would be similar to the “safety case” approach that is used in the North Sea, which
requires the operator and drilling rig owners to assess the risks associated with a specific
operation, develop a coordinated plan to manage those risks, integrate all involved
contractors in a safety management system, and take responsibility for developing and
managing the risk management process.
Regulations and standards
The regulator agencies working with the International Regulators’ Forum and other
organizations, Congress and the DOI should identify those drilling, production, and
emergency-response standards that best protect offshore workers and the environment,
and initiate new standards and revisions to fill gaps and correct deficiencies.
Criteria for high-risk wells and develop methodology to assess those risks should be
identified. This process should include input from broad group of experts. Furthermore,
the DOI should develop in-house competence to perform such sophisticated risk
assessments (Cause 10).
Such evaluations could guide the transition to a system where all operators and contractors
are required to demonstrate an integrated, proactive, risk management approach prior to
leases being granted or receiving permits for exploration wells and major development
projects.
Coordinated, inter-agency research effort will be needed to develop safer systems,
equipment, and practices to prevent failures of both design and equipment in the future.
The federal government has relevant expertise in areas that could and should be
transferred to the offshore industry.
More detailed requirements for incident reporting and data concerning offshore incidents
and “near misses” are needed. Such data collection would allow for better tracking of
incidents and stronger risk assessments and analysis. Such reporting should be publicly
available and should apply to all offshore activities. In addition, DOI, in cooperation with
the International Regulators Forum, should take the lead in developing international
standards for incident reporting in order to develop a consistent, global set of data
regarding fatalities, injuries, hydrocarbon releases, and other accidents. Sharing
information as to what went wrong in offshore operations, regardless of location, is a key
to avoiding such mistakes. Transparent information and data sharing within the offshore
industry and among international regulators is critical to continuous improvement in
standards and risk management practices.
1
Proactive, goal-oriented risk management system similar to the systems used in the North Sea by
the United Kingdom and Norway has already been instituted by DOI. Implementation of Safety and
Environmental Management System (SEMS) in 30 CFR 250 (Federal Register, Vol. 75, No 199, Oct.
15, 2010) began on November 15, 2011.
© ENCO
Page 64
Resources and staffing
To expand regulatory oversight and tighten safety requirements the regulatory agencies
should be provided with adequate funding. Regulators to be more effective should be
provided with the resources, personnel, and training. In the past these agencies were not
adequately supported by industry, members of Congress, and several administrations. As a
result, neither the regulations nor the regulators were asking the tough questions or
requiring the demonstration of preparedness that could have avoided the Macondo
disaster.
The regulator should have a formal training and certification program for its inspectors.
The extent of training of key personnel and decision makers in regulatory agencies has to
be consistent with the complexities and risks of deepwater drilling. It is also essential that
there is better opportunity for higher education and career advancement for inspectors.
Individuals involved in regulatory oversight should have qualifications that are appropriate
for meeting the challenges of the offshore drilling industry.
Procedures and training (Causes 11 – 16)
Procedures
The Macondo well accident identified several procedures that appear to be inadequate or
lacking and require improvement. These include requirements for conducting cement bond
log (Cause 11), procedure for conducting negative-pressure test (Cause 12), procedure on
well monitoring (Cause 13), and emergency procedure for situations that involve loss of
well integrity (Cause 14).
These procedures should be carefully reviewed and re-worked. They should clearly define
mandatory practices and specify roles and accountabilities for the personnel involved.
Procedures should be detailed enough to specify operational steps and decision points as
well as the related criteria.
Procedures related to tests should include definition of success/failure criteria for the
test. Procedures for operations that are more complex and carried out infrequently should
be more detailed to compensate for unfamiliarity. So far there was a high reliance on
leadership and know-how of the crew. However, the procedures that were available were
guidelines only and did not provide enough detail. For instance, the procedure on
negative-pressure test did not specify bleed volumes or give success/failure criteria.
While initial well design decisions undergo a serious peer review process and changes to
well design are subsequently subject to a management of change (MOC) process, changes
to drilling procedures in the weeks and days before implementation were typically not
subject to any such peer-review or MOC process. At Macondo, such decisions appear to
have been made by the BP Macondo team in ad hoc fashion without any formal risk analysis
or internal expert review. This appears to have been a key causal factor of the blowout.
Such practices are not acceptable and have to be eliminated.
These temporary abandonment procedures should be thoroughly and rigorously vetted
earlier in the design process. It does not appear that the changes to the temporary
abandonment procedures used at Macondo went through any sort of formal review at all.
© ENCO
Page 65
Industry staff training
Standards for education, training, and professional certification of private-sector decisionmaking personnel involved in drilling operations in force at the time of the Deepwater
Horizon accident were relatively minimal compared with other safety-critical industries,
such as nuclear or chemical.
Personnel on the Deepwater Horizon MODU were mostly trained on the job, and this
training was supplemented with limited short courses (such as 1 week of well control
school every few years). While this appears to be consistent with industry standard
practice and current regulations (such as 46 CFR 10.470 for OIMs), it is not comparable
with other safety-critical industries such as nuclear power or chemical manufacturing. The
appropriate qualifications of key personnel both on deepwater drilling rigs and ashore need
to be assessed and improved, as needed, to provide for safe operations and protect the
public interest.
Numerous decisions to proceed toward abandonment despite indications of hazard, such as
the results of repeated negative-pressure tests, suggest an insufficient consideration of
risk and a lack of operating discipline. The decisions also raise questions about the
adequacy of operating knowledge on the part of key personnel. Improvement in the
awareness of risks and risk management practices should help in resolving this issue.
The rig crew has to be trained adequately how to respond to escalating emergency
situations, including the simulations and drills for such emergencies, and momentous
decision to engage the blind shear rams or trigger the EDS.
During the Macondo well accident the crew had difficulty assessing the situation and
understanding its significance. Appropriate training and job aids would have increased both
the speed and accuracy of identification that there was an influx of hydrocarbons and
enhanced the probability of appropriate well control actions.
Process safety (Causes 17 – 21)
Investigation of causes of the Macondo well accident identified several process-specific
decisions that contributed to the risk of blowout. They correspond to the causes 17 – 21
which are associated mostly with the implementation of temporary abandoning procedure.
These specific issues should be carefully addressed in the development of appropriate
internal procedures and Engineering Technical Practices.
Equipment design issues (Causes 22 – 26)
Investigation of causes of the Macondo well accident identified several design-specific
concerns that contributed to the risk of blowout or had an impact on the severity of
accident consequences. These weaknesses correspond to causes 22 – 26.
Instrumentation and displays used for well monitoring must be improved (Cause 22). An
expert system decision aid should be used to provide timely warning of loss of well control
to drillers on the rig (and ideally to onshore drilling monitors as well). If the warning is
inhibited or not addressed in an appropriate time interval, autonomous operation of the
blind shear rams, emergency disconnect system, general alarm, and other safety systems
on the rig should occur.
© ENCO
Page 66
Design of the MGS has to be evaluated with regard to consequences of its use beyond
design basis, in particular, from the point of view of penetration of flammable gases to
non-fire-protected zone through the HVAC system (Cause 23). Arrangement of gas
detectors, automatic dampers, and alarms needs to be checked in this context, and
eventual design changes introduced.
Cutting, sealing and separating capabilities of the BOP system should be specified in the
regulations (Causes 24 - 25). Application of specific BOP systems in a well drilling project
should be made consistently with the drilling environment to which they are applied and
the rigs on which they are installed. Test and maintenance procedures should be
established to ensure operability and reliability appropriate to their environment of
application.
The use of two blind shear rams is also essential issue that needs resolution. Two blind
shear rams give an extra measure of reliability, especially, if one shear ram hits on a joint
connecting two drill pipes (Cause 25).
BOP as well as some other components that are critical to the safety of oil drilling
operations should be required to be independently certified by a third party (such as a
classification society) or by the relevant regulatory agency. At the time of the Macondo
well accident the MMS did not directly oversee the initial and subsequent certifications of
BOPs. Instead, the operator was to self-certify the BOP.
© ENCO
Page 67
5. Summary conclusions
Significant number of issues discussed in Section 4.2 and 4.3 are rather specific to the
technology of deepwater oil drilling. They should be carefully addressed by the industry
(operators, drilling contractors and service companies) and resolved through appropriate
changes in the procedures and training programmes. Regulator agencies have also
important role in enforcing appropriate changes.
However, most of the issues can be traced back to underlying causes of more general type
such as management system, safety culture, and safety oversight. Some of them can be of
general interest to different industries and are worth to be discussed during the workshop.
Comparisons have to be made and conclusions drawn with care, taking into account
significant differences of industries considered in the project. It is important to note that
the deepwater oil drilling industry is rather specific area that involves a large number of
facilities and was subject to intensive development of technology and rapidly expanding
production activities.
The Macondo blowout was the product of several individual missteps and oversights by BP,
Halliburton, and Transocean, which government regulators lacked the authority, the
necessary resources, and the technical expertise to prevent. The extent to which each of
these missteps and oversights caused the accident to occur will never be precisely known.
What we nonetheless do know is considerable and significant: (1) each of the mistakes
made on the rig and onshore by industry and government increased the risk of a well
blowout; (2) the cumulative risk that resulted from these decisions and actions was both
unreasonably large and avoidable; and (3) the risk of a catastrophic blowout was
ultimately realized on April 20 and several of the mistakes were contributing causes of the
blowout.
Deepwater drilling is an inherently risky business given the enormous pressures and
geologic uncertainties. It is now clear that both industry and government need to reassess
and change business practices to minimize the risks of such drilling.
5.1. Industry management system
failure of industry management. Most, if not all, of the failures at Macondo can be traced
back to underlying failures of management and communication. Better management of
decision making processes within BP and other companies, better communication within
and between BP and its contractors, and effective training of key engineering and rig
personnel would have prevented the Macondo incident.
Risk awareness
BP’s management process did not adequately identify or address risks created by late
changes to well design and procedures. BP did not have adequate controls in place to
ensure that key decisions in the months leading up to the blowout were safe or sound from
an engineering perspective. It should be noted that changes to drilling procedures in the
© ENCO
Page 68
weeks and days before implementation were not subject to any peer-review or
management of change (MOC) process. At Macondo, such decisions appear to have been
made by the BP Macondo team in ad hoc fashion without any formal risk analysis or
internal expert review. This appears to have been a key causal factor of the blowout.
An obvious example is the last-minute confusion regarding whether to run six or 21
centralizers. Another clear example is provided by the temporary abandonment procedure
used at Macondo. That procedure changed dramatically and repeatedly during the week
leading up to the blowout. As of April 12, the plan was to set the cement plug in seawater
less than 1,000 feet below the mud line after setting the lockdown sleeve. Two days later,
the procedure was to set the cement plug in mud before displacing the riser with
seawater. By April 20, the plan was to remove 3,300 feet of mud from below the mud line
and set the cement plug after the riser had been displaced. It does not appear that the
changes to the temporary abandonment procedures went through any sort of formal
review.
Halliburton and BP’s management processes did not ensure that cement was adequately
tested. Halliburton had insufficient controls in place to ensure that laboratory testing was
performed in a timely fashion or that test results were vetted rigorously in-house or with
the client. In fact, it appears that Halliburton did not even have testing results in its
possession showing the Macondo slurry was stable until after the job had been pumped. It
is difficult to imagine a clearer failure of management or communication.
The story of the foam stability tests may illuminate management problems within BP as
well. By early April, BP team members had recognized the importance of timely cement
testing. And by mid-April, BP’s team had identified concerns regarding the timeliness of
Halliburton’s testing process. But despite their recognition that final changes to the
cement design (made to accommodate their concerns about lost returns) might increase
the risks of foam instability, BP personnel do not appear to have insisted that Halliburton
complete its foam stability tests and report the results to BP for review before ordering
primary cementing to begin.
Communication problems
BP, Transocean, and Halliburton failed to communicate adequately. For example, many BP
and Halliburton employees were aware of the difficulty of the primary cement job. But
those issues were for the most part not communicated to the rig crew that conducted the
negative-pressure test and monitored the well. It appears that BP did not even
communicate many of those issues to its own personnel on the rig. Transocean failed to
adequately communicate to its crew lessons learned from a similar near-miss on one of its
rigs in the North Sea four months prior to the Macondo blowout.
Safety culture issues
Management and communication issues mentioned above clearly indicate problems with
safety culture. Resulting from a deficient overall system approach to safety is evident in
the multiple flawed decisions that lead to the blowout. These problems involved the lack
of management commitment to safety, lack of the questioning attitude and safety
awareness, insufficient level of knowledge of procedures and rules and lack of operating
discipline, incompliance with the existing internal procedures or work practices, and
inadequate communication on safety matters between individuals and groups.
© ENCO
Page 69
BP was aware of problems with Halliburton personnel and work product years before the
blowout. Despite that BP’s own well site leaders accepted facially implausible explanations
for the negative test results. BP’s on-duty well site leader was not even present during
preparations for the critical negative pressure test, and may not have been present during
the beginning of the negative pressure test itself. In the light of these facts, the
management commitment to safety is questionable.
Decision making processes at Macondo well did not adequately ensure that personnel fully
considered the risks created by time- and money-saving decisions. None of such decisions
appear to have been subject to a comprehensive and systematic risk-analysis, peer-review,
or management of change process. The companies are lacking of appropriate
organizational and technical framework for a systematic risk assessment, or if such
framework existed, it was not used.
BP team decision of not conducting a cement evaluation log did not fully conform to the
intent of its own guidelines. Introducing ad hoc changes in the temporary abandonment
procedure used at Macondo also indicate procedure-related problems at BP. That
procedure changed many times during the week leading up to the blowout without any
assessment of the related risks.
Learning from operational events or near-misses was minimal or non-existing. Also the use
of existing expertise and knowledge within the corporation was questionable.
5.2. Safety oversight of the industry
Regulatory regime of MMS
The oversight system of the deepwater drilling industry in force at the time of the
Macondo well accident was based mainly on prescriptive approach. Under that approach
specific requirements for equipment and operations were developed and then compliance
with the regulations was monitored through auditing. Prescriptive regulations, which are
often developed through a multiyear process in response to events and observed trends,
were neither timely nor complete and lag behind the development of new technologies [C4].
Over the past few decades, exploration and production companies within the oil and gas
industry developed advanced technology that led to a marked increase in deepwater
drilling in the Gulf of Mexico. During this period the predominantly prescriptive regulatory
system for deepwater drilling used by the Minerals Management Service (MMS) did not keep
up with these technological advances. In addition, its level of funding and technical
staffing remained static or decreased as industry's offshore drilling activity increased.
The Macondo well blowout was precipitated by multiple flawed decisions involving the
operator and contractors as they moved toward temporary abandonment of the well
despite indications of increasing hazard. This reduced the available margins of safety that
take into account complexities of the hydrocarbon reservoirs and well geology discovered
through drilling and the subsequent changes in the execution of the well plan. In effect,
the industry made important decisions without regulator's review of the impact of the
changes on the overall risk with regard to temporary abandonment procedures.
MMS’s cursory review of the temporary abandonment procedure mirrors BP’s apparent lack
of controls governing certain key engineering decisions. Like BP, MMS focused its
© ENCO
Page 70
engineering review on the initial well design, and paid far less attention to key decisions
regarding procedures during the drilling of the well. Also like BP, MMS did not assess the
full set of risks presented by the temporary abandonment procedure. The limited scope of
the regulations is partly to blame. But MMS did not supplement the regulations with the
training or the processes that would have provided its permitting official with the guidance
and knowledge to make an adequate determination of the procedure’s safety.
As noted in the investigation report of NAE/NRC [C-3] the regulatory regime was
ineffective in addressing the risk of the Macondo well. The actions of the regulators did not
display an awareness of the risk or the very narrow margins of safety. Many critical aspects
of drilling operations were left to industry to decide without agency's review. For instance,
there was no requirement, let alone protocol, for a negative-pressure test, the misreading
of which was a major contributor to the Macondo blowout. Nor were there detailed
requirements related to the testing of the cement essential for well stability.
Issue of concern is that a flawed, risky well plan for the Macondo well was approved by the
MMS, and BP, Anadarko and Mitsui management. Similar or identical plans were
undoubtedly approved and used by many operators on other wells drilled in the Gulf of
Mexico. A plan that does not include enough cement to overlap the final and previous
casing strings, and that does not require running a cement-bond log to ensure the integrity
of the seal is a defective plan. The fact that there have not been blowouts on previous
wells does not justify the approval and use of an unsafe plan.
The extent of training of key personnel and decision makers in regulatory agencies has
been inconsistent with the complexities and risks of deepwater drilling. The regulatory
community has not made effective use of real-time data, information on precursor
incidents or near-misses, or lessons learned from operation to adjust practices and
standards appropriately.
Desired changes
The Deepwater Horizon-Macondo well accident demonstrated the need for changing the
existing safety oversight system for a proactive goal-oriented system integrating all aspects
of drilling operations that could affect occupational and process safety. The new
regulatory system should incorporate a limited number of prescriptive elements into a
proactive goal-oriented risk management system for health, safety and the environment.
Quantitative risk analysis should be an essential part of such goal-oriented risk
management system. With regard to this approach the drilling industry may benefit from
lessons learned and practices implemented in the nuclear industry that widely applies the
probabilistic risk assessment (PSA) to support both the operators and regulators at various
stages of plant design and operation.
The regulators should identify safety critical points during well construction and
abandonment that warrant explicit regulatory review and approval before operation can
proceed and enforce appropriate regulations. The regulator should establish safe operating
limits, which, when exceeded, would require regulatory approval for operation to proceed.
Appropriate requirements for approval and certification of key steps during well
construction should be incorporated into codes and standards.
Pre-certification of operators, contractors, and service companies before granting a
drilling permit for especially challenging projects could be a useful element of the new
oversight system. Consideration should also be given to the possibility of using independent
© ENCO
Page 71
well examiners that could help in reviewing well plans and monitoring ongoing activities
during drilling, completion and abandonment.
© ENCO
Page 72
6. References to Annex C
[C-1]
British Petroleum, "Deepwater Horizon Accident Investigation Report", Sept. 8,
2010.
[C-2]
"Interim Report on Causes of the Deepwater Horizon Oil Rig Blowout and Ways to
Prevent Such Events", National Academy of Engineering (NAE) and the National
Research Council (NRC), prepared for U.S. Department of the Interior, November
16, 2010.
[C-3]
"Macondo Well Deepwater Horizon Blowout, Lessons for Improving Offshore Drilling
Safety", National Academy of Engineering (NAE) and the National Research Council
(NRC), prepared for U.S. Department of the Interior, Final Report.
http://www.nap.edu/openbook.php?record_id13273
[C-4]
"Deepwater, The Gulf Oil Disaster and the Future of Offshore Drilling", Report to
the President, National Commission on the BP Deepwater Horizon Oil Spill and
Offshore Drilling, January 2011.
[C-5]
Hubbard, A., Embrey, D., "Deepwater Horizon – Summary of Critical Events, Human
Factors Issues and Implications", ©Human Reliability Associates Ltd, Sept. 23, 2010.
[C-6]
"Oil Spill Reaches Mississippi River". CBS News. 29 April 2010. Retrieved 29 April
2010.
[C-7]
"Weekly Address: President Obama Establishes Bipartisan National Commission on
the BP Deepwater Horizon Oil Spill and Offshore Drilling" (Press release). The
Whitehouse. 2010-05-22. Retrieved 2010-06-01.
[C-8]
Oil Spill Commission, Chief Counsel's Report,
http://www.oilspillcommission.gov/chief-counsels-report.
[C-9]
"Oil spill: BP 'did not sacrifice safety to save money'". BBC. 9 November, 2010.
Retrieved 12 November 2010.
[C-10] "Gulf oil spill: President's panel says firms complacent". BBC. 9 November, 2010.
Retrieved 12 November 2010.
[C-11] Leo King (12 November 2010). "Deepwater Horizon modelling software showed BP
cement conditions unstable". Computerworld UK. Retrieved 12 November, 2010.
[C-12] David Barstow, Laura Dodd, James Glanz, Stephanie Saul and Ian Urbina "Regulators
Failed to Address Risks in Oil Rig Fail-Safe Device", New York Times, June 20, 2010.
© ENCO
Page 73

European Commission DG for Energy (ENER/D2)

Transcription

Similar documents

Radial Analysis Cement Bond Log

! Euro Palace Casino No Deposit

Flexilite MC Cement Datasheet

Case Study

POL895 C-57D Instrucitons

FLEXTILE LTD - Hudson Restoration

PDF - Nabors Industries Ltd.

Health effects

Nichiha USA Case Study