Reading the stories emerging from BP's
Deepwater Horizon disaster in the Gulf of Mexico over the past
several weeks reminds me of arguments made by Thomas Homer-Dixon in his
book The Ingenuity Gap.
One of my key take-aways from this book was that the emergence of
increasingly complex problems facing society today demand new ways of
approaching and solving them.
Certainly the quest for offshore oil and gas has to be considered
very complex and getting more so every day as the oil companies push
into ever deeper water and ever deeper reserves.
Fortunately, the past two decades have seen the development and
adoption of a variety of risk management systems and risk assessment
tools that are intended to help us manage the complexity that is
inherent in industries such as energy and oil and gas. Systems such as
the ISO
14001 environmental management system, the OHSAS
18001 occupational health and safety management system and the ISO
9001 quality management system all exist to help managers understand the
risks they face, develop solutions to address them and monitor
performance to ensure they have actually dealt with the risks as
intended. An even broader array of tools exist to identify and assess
risks - two I am familiar with are the Hazard and Operability (HAZOP)
process and the Bow-Tie diagram.
Unfortunately, early evidence surfacing from the U.S. congressional
investigations and news reports suggests that on the Deepwater Horizon,
BP and its partners may not have made adequate use of the management
systems and tools available to them.
A report in Reuters today (see On
Doomed Rig, Lapses Sparked Catastrophe, May 14) highlights three
failures on the platform:
- Timing of removal of drilling mud from the drill bore despite data
that suggests it was unwise to do so.
BP and Transocean made a decision late on April 20 to
begin removing mud from within the drill pipe despite pressure tests
from within the well that a BP official described as "not satisfactory"
and "inconclusive," Waxman said on Wednesday.
Drilling mud is a mixture of synthetic ingredients that is pumped
into the well to exert downward hydrostatic pressure and prevent a
column of oil and gas from rushing up the pipe.
Earlier in the day, well pressure tests showed an imbalance
between the drill pipe and kill and choke lines running from the drill
deck to the blowout preventer. The pressure in the drill pipe was 1,400
pounds per square inch (PSI), while the choke and kill lines read zero
PSI, Waxman said.
"They knew there was something wrong because the pressure in the
kill and choke lines was not correct," Nagarajaiah said. "That should
have alerted them."
But according to Waxman, workers performed additional tests and
at 8 p.m. CDT (0100 GMT) "company officials determined that the
additional results justified ending the test and proceeding with well
operations."
"I'm a little shocked that they proceeded at that point," said
Philip Johnson, a petroleum engineering professor at the University of
Alabama.
"It sounds like they never got an adequate low pressure test and
someone decided to go ahead and displace the mud," Johnson said. "That
sounds like a pretty serious mistake."
- Failure of emergency power supplies to blow-out preventers.
Once the well exploded in a green flash, rig workers
tried to activate the blowout preventer on the ocean floor, designed as
a fail-safe to choke off the well.
But officials from Cameron International Corp, which manufactured
the device, told committee staff that a key hydraulic system meant to
supply emergency power was disabled.
- Having the wrong equipment in place to cut of well flow.
And another key device component designed to clamp
down around the drill pipe and seal any leak -- known as a variable
bore ram -- had been replaced by a useless test ram, according to
Representative Bart Stupak, chairman of the Energy and Commerce
Committee's investigations subcommittee.
With oil gushing into the sea, BP sent remote robots to the ocean
floor to attempt to activate the ram. "An entire day's worth of
precious time had been spent engaging rams that closed the wrong way,"
Stupak said.
In an analysis posted at Environment 360 earlier this week (see The Gulf Oil
Spill, An Accident Waiting to Happen, May 10), John McQuaid
outlines two systemic failures:
- An industry aversion to examining "worst-case scenarios", i.e. to
fully understanding the risks they were facing.
Energy companies have aggressively lobbied to avoid
formally analyzing worst-case scenarios since the Carter administration
first required them in instances where there was uncertainty about the
risk of disaster.
“They thought it would lead to irrational public resistance to
projects,” Doremus said. “But to me this Deepwater Horizon thing is an
example where a worst-case analysis would have been useful. If they had
done a worst case analysis they’d have to consider, well, ‘What if our
blowout preventer didn’t work? And what if it happened during a bout of
bad weather when the spill might reach the shore?’” Instead, BP
officials admitted they were stunned by the disaster, and they and the
government have largely improvised their response.
- Industry unwillingness to put in place backup devices for triggering
blowout preventers, despite a regulatory "suggestion" to do so.
Based on experience with malfunctioning blowout
preventers, for instance, the MMS did suggest that energy companies
install backup devices for triggering them. But it was only a
suggestion, not a requirement, and U.S. drilling operators have
declined to do so.
Mr. McQuaid goes on to draw links between the Deepwater Horizon
disaster and BP's Texas
City Refinery explosion and fire, which killed 15 and injured 170
in March 2005. BP commissioned former Secretary of State James Baker to
lead an investigation panel into the Texas City disaster, the results
of which were published in what is widely known as the Baker
Report. Among the findings were suggestions that the company had
failed to adequately manage the safety of its process because its focus
was too narrow - measuring worker safety incidents rather than looking
closely at the industrial processes in the refinery.
"BP primarily used injury rates to measure process
safety performance at its U.S. refineries ... BP's reliance on injury
rates significantly hindered its perception of process risk."
Essentially saying the company failed to monitor the safety of its
refining processes. Sounds a bit like comments made in the Reuters
article on Deepwater Horizon.
Complex operating environments like those that are present in the oil
and gas sector demand well though-out risk management systems that are
kept up to date and are used by everyone present. While its still too
early to say what contributed to the Deepwater Horizon disaster, some of
the evidence certainly suggests that operators didn't make full use of
the data being provided by risk control equipment - and thus not fully
using the safety and environmental management systems that were
undoubtedly in place.
So if there are lessons to be drawn from the disaster at this early
stage I would suggest that they are:
- have adequate systems in place ( but this isn't enough);
- make sure they are up to date;
- make sure they are understood and used by everyone involved; and
- make sure the performance and process data that is used in decision
making is the right data and that it is not ignored in response to the
pressures of the moment.
Note: Previously posted at Eos Consulting blog