Below are the first 10 and last 10 pages of uncorrected machine-read text (when available) of this chapter, followed by the top 30 algorithmically extracted key phrases from the chapter as a whole.
Intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text on the opening pages of each chapter.
Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.
Do not use for reproduction, copying, pasting, or reading; exclusively for search engines.
OCR for page 75
4
Mobile Offshore Drilling Units
This chapter describes the basic function of the Deepwater Horizon mo-
bile offshore drilling unit (MODU);1 its application in the Macondo well explo-
ration; and specific areas of investigation undertaken by the committee, includ-
ing rig safety systems, training and responsibilities of rig personnel, and events
on the rig just before and in response to the explosions and fire. Many of the
issues considered were raised in witness testimony at investigative hearings,
during presentations to the committee, and in previously published reports (BP
2010; BOEMRE 2011; Chief Counsel 2011; DHSG 2011; Presidential Commis-
sion 2011; Republic of the Marshall Islands 2011; Transocean 2011a; USCG
2011), especially in terms of the role of the rig and its crew in the loss of well
control and loss of life. The chapter provides the committee’s findings and ob-
servations on those topics, as well as recommendations for improving rig safety.
DEEPWATER HORIZON RIG
The Deepwater Horizon was a dynamically positioned drilling unit de-
signed to propel itself to an exploration site and then keep station over the site
(without using a fixed mooring system), acting as a base for drilling operations
(see Figure 4-1). The rig served as a self-propelled vessel, a stable floating base
for drilling and outfitting a deep subsea well, a command and control base for
exploration, and a home for its crew.2
As is typical for offshore drilling rigs, when it was under way at sea, the
rig was operated by a crew under the command leadership of a U.S. Coast
Guard–licensed master. Crew actions were directed by the offshore installation
manager (OIM) whenever the rig was attached to the bottom or made fast over a
drilling site. The crew members involved in the use of offshore equipment were
divided into functional areas of deck, engineering, and drilling and subsea op-
erations, each of which was led by a department head, subordinate to the master
1
The term “rig” is intended to be synonymous with MODU.
2
See Republic of the Marshall Islands (2011) for additional overview information on
the Deepwater Horizon.
75
OCR for page 76
76 Macondo Well Deepwater Horizon Blowout
and OIM in the command organization. Crew members stood watches in a pre-
scribed rotation, and crews were regularly cycled on and off the rig to support
continuous operations.
The Deepwater Horizon worked on the Macondo well under the command
of Transocean even during drilling operations, as contracted by BP. BP’s on-site
direction was provided by two well site leaders. Four others from BP (a well site
trainee and three subsea engineers) were also aboard. In addition, BP separately
contracted for services aboard the Deepwater Horizon from contractors, includ-
ing Halliburton (cementing), Sperry Sun (well data logging), M-I SWACO (mud
material and engineering), Schlumberger (well and cement logging services),
Weatherford (provider of casing accessories), and Tidewater (owner–operator of
the offshore supply vessel Damon B. Bankston) (Transocean 2011a, 17). Further
information is given in Chapter 5.
Six large diesel generators powered the rig’s integrated electric plant. Pro-
pulsion and dynamic positioning were produced by steerable thruster pods. Gen-
erated electrical power was also consumed by hotel loads, drilling equipment
loads, and damage control equipment including pumps for firefighting and de-
watering. A backup diesel generator, smaller than any of the six main units, pro-
vided emergency power for lighting and restarting the main engines in the event
of a loss of main power. Propulsion power plays a vital role in maintaining the
rig’s position, since wind and currents constantly work to move the rig away
from the wellhead, risking separation of the riser from the wellhead. Thus, the
rig’s design and maintenance with regard to sustaining reliable propulsion power
play important roles in drilling operations safety, as well as in traditional marine
navigation safety.
FIGURE 4-1 Basic dimensions of the Deepwater Horizon rig while drilling. Source:
Chief Counsel 2011, p. 26.
OCR for page 77
77
Mobile Offshore Drilling Units
A system of protective electrical and mechanical devices, intended to de-
tect combustible gas and prevent its ignition, was designed into areas of the rig
where potentially explosive mixtures of hydrocarbons and air may accumulate if
released. Components located in rig zones with the greatest risk of high-gaseous
hydrocarbon concentrations were described as “classified,” designed to protect
against exterior ignition and required to pass tests demonstrating isolation of
internal ignition sources from potentially combustible atmospheres. Outside the
classified zones, use of standard components without such ignition prevention
features was permissible.
Alarms and Indications
The Deepwater Horizon’s alarm system was controlled and monitored
from the integrated alarm and control system (IACS), which comprised a net-
work of distributed computers. Workstations around the rig displayed the condi-
tion of the propulsion system, generators, auxiliaries, and other systems. From
the bridge, the watch team could monitor all instrumented activities including
dynamic positioning activities, drilling, fire and gas detection, power manage-
ment, and machinery systems. The integrated system is described in some detail
by May and Foss (2000). According to the paper, the dynamic positioning sys-
tem was a triple-redundant system with dual buses, designed with the intent of
being reliable and robust.
As discussed by BP (2010), Republic of the Marshall Islands (2011), and
Transocean (2011a), the fire and gas panel monitored fire detectors, combustible
gas detectors (CGDs), and toxic gas detectors. There were 27 CGDs on the rig,
each of which had an audible and visual alarm. According to BP (2010), the
system was designed to have only one CGD at each location. Thirteen of the 27
CGDs had automatic responses, such as securing ventilation fans and all electri-
cal power to an affected area that was in an alarm condition, while the other 14
only had an audible and visual display. The engine room ventilation CGDs did
not have an automated response, which required a crew member to validate an
alarm in this space before taking manual actions, since securing one or more
operating diesel engines could disrupt dynamic positioning of the rig (Trans-
ocean 2011a). An emergency disconnect from the well might be necessary if the
rig was latched up to the subsea system and dynamic positioning was lost.
Diesel Generator Safety Systems
The diesel engines were fitted with three overspeed shutdown devices that
would shut off the fuel, but none of these devices was designed to close off the
air intake to the engines directly (USCG 2011). Instead, one of the speed signals
was sent to the IACS. If that system determined that the diesel engine was 13
percent above its rated speed, it would cut both the fuel and the air supply to the
engine. This was the only overspeed protection on the diesel engines that would
OCR for page 78
78 Macondo Well Deepwater Horizon Blowout
automatically cut off the air to the engine. The diesel generator intake air could
also have been closed off from the emergency shutdown panels in the driller’s
shack, the bridge, or the engine control room, or manually at each engine
(USCG 2011).
The Disaster
When control of the Macondo well was lost and hydrocarbons were re-
leased aboard the Deepwater Horizon, the rig suffered two significant explo-
sions before bridge watch standers sounded the general alarm and took steps to
attempt actuation of the emergency disconnect system (EDS) (USCG 2011).
(See Figure 3-4 for a timeline of the various events leading up to the explosion.)
When the gas alarms were triggered, the crew did not take steps to shut down
the main engines or stop the flow of outside air into the machinery spaces,
which would have isolated potential sources of ignition (USCG 2011). The ap-
parent cause of the explosions was ignition of a combustible mixture of gaseous
hydrocarbons (from the well) and air. However, no investigation has determined
the precise source of ignition for the explosions.
Loss of power from the two operating diesel generators occurred close to
the time of the explosions. Testimony from some of the survivors indicated that
the operating diesel generators increased speed in the seconds preceding the
explosions and then stopped at the second explosion.3 Other testimony described
a loss of lighting and general electrical power just before the second explosion.4
It was consistently reported that lighting and other power had failed prior to the
diesel generator engines shutting down.5 No independent data were available to
support or refute the witness testimony concerning the sequence of electric plant
changes during the disaster. Nonetheless, testimony points to the following as
the most likely scenario:
The hydrocarbon stream resulting from loss of well control flowed
from the riser to the top of the derrick.6
Flow was diverted to the mud–gas separator (MGS) system and be-
gan to exit at the MGS vents, spewing mud, oil, and gas from the goosenecks to
the deck below.7
3
Testimony of Randy Ezell, May 28, 2010, Hearing Before the Deepwater Horizon
Joint Investigation Team, 283-284.
4
Testimony of James Nicholas Wilson, October 13, 2010, 10; of Stephen Bertone,
July 19, 2010, 35; and of Douglas Brown, May 26, 2010, 94-95, Hearing Before the
Deepwater Horizon Joint Investigation Team.
5
Testimony of Charles Credeur, May 29, 2010, Hearing Before the Deepwater Hori-
zon Joint Investigation Team, 63-64.
6
Testimony of Micah Sandell, May 29, 2010, Hearing Before the Deepwater Horizon
Joint Investigation Team, 8, 10, 12.
7
Testimony of Micah Sandell, May 29, 2010, Hearing Before the Deepwater Horizon
Joint Investigation Team, 8, 10, 12.
OCR for page 79
79
Mobile Offshore Drilling Units
A cloud of hydrocarbons formed around the rig, in light wind condi-
tions, and quickly expanded to encompass most of the rig (BP 2010, 126–138
and Appendix V, 22-24).
The running diesel generators ingested a mix of hydrocarbons and air
through their induction systems, causing acceleration of the engines and an in-
crease in the generators’ speed8 and thus an increase in the generators’ frequen-
cies.
Engines started to overspeed and power was lost on the rig, as recog-
nized in later analysis of the lost data feed on the real-time data recorder (BP
2010, 111).
Seconds later, two successive explosions occurred.
Both operating diesel generator engines shut down.9
The only path, other than straight up through the derrick or through the
MGS system vents, through which uncontrolled hydrocarbon flow could have
been directed is through 14-inch diverter lines, which were positioned to send
the flow overboard at about derrick floor level (see Figure 4-2). Testimony cited
above indicates that this did not occur, and why there was no hydrocarbon flow
along that path remains an unresolved question.10 According to BP’s analysis,
the overboard diverter flow of hydrocarbons might have delayed the formation
of the explosive cloud that surrounded the rig (BP 2010, 128).
As the rig suffered from a loss of power, explosions, and fire, the bridge
team reacted, but confusion clouded the decision process. The general alarm was
manually activated by the dynamic positioning officer, and she sent Mayday
messages.11 Senior officers argued about whether the order had been given to
initiate an emergency disconnect of the lower marine riser from the blowout
preventer (BOP), and they were conflicted about who had the authority to issue
that order, the master or the OIM.12 Before the master and OIM completed dis-
cussions about initiating the EDS, the subsea supervisor had already made an
attempt to do so, but it was unsuccessful (USCG 2011). The display panels indi-
cated that the disconnect had occurred, but he determined that the MODU was
still connected to the riser (USCG 2011).
8
Testimony of Douglas Brown, May 26, 2010, Hearing before the Deepwater Horizon
Joint Investigation Team, 93-94.
9
Testimony of Stephen Bertone, July 19, 2010, Hearing before the Deepwater Horizon
Joint Investigation Team, 35-36.
10
Testimony of Micah Sandell, May 29, 2010, Hearing Before the Deepwater Horizon
Joint Investigation Team, 9-11.
11
Testimony of Andrea Fleytas, October 5, 2010, Hearing Before the Deepwater Hori-
zon Joint Investigation Team, 14.
12
Testimony of Daun Winslow, August 23, 2010, 450-451, and of Stephen Bertone,
July 19, 2010, 39, Hearing Before the Deepwater Horizon Joint Investigation Team.
OCR for page 80
80 Macondo Well Deepwater Horizon Blowout
FIGURE 4-2 Illustration of the main deck of the Deepwater Horizon. The rig crew could
send fluids from the well overboard through the overboard diverter lines. Alternatively,
the crew could route flow from the well to an MGS pipe and vent hydrocarbon gas before
sending the mud to the mud pits (not shown). Source: Chief Counsel 2011, p. 27.
Assuming that emergency disconnect had occurred, the chief engineer and
others attempted unsuccessfully to restart the standby generator in an effort to
restore power to pump water for firefighting and power thrusters to reposition
the rig.13 On the basis of the severity of the damage and fire and the inability to
restore power, a decision was made to order abandonment of the rig.14
All but 11 of the crew survived and were rescued. Most of the survivors
followed the abandonment order by making their way to the operable lifeboats.
Despite the substantial confusion among rig personnel, evacuation was effected.
One hundred personnel left by two lifeboats (combined capacity of 146), seven
left in a life raft, and eight jumped into the sea (Transocean 2011a, 201–203).
The large number of personnel to escape by lifeboat was attributed to a few key
crew members who delayed launching until they had boarded as many as possi-
ble.15,16
13
Testimony of Stephen Bertone, July 19, 2010, Hearing Before the Deepwater Hori-
zon Joint Investigation Team, 39-40.
14
Testimony of Stephen Bertone, July 19, 2010, Hearing Before the Deepwater Hori-
zon Joint Investigation Team, 39-40.
15
Testimony of Micah Sandell, May 29, 2010, Hearing Before the Deepwater Horizon
Joint Investigation Team, 11-13.
16
Testimony of Daun Winslow, August 23, 2010, Hearing Before the Deepwater Ho-
rizon Joint Investigation Team, 452.
OCR for page 81
81
Mobile Offshore Drilling Units
In the confusion of the evacuation, no complete muster (headcount) of
personnel was conducted onboard the Deepwater Horizon (USCG 2011). At
least two of the four senior merchant marine officers expected to be most
knowledgeable about coordinating a mass evacuation of the rig were not avail-
able to participate in the muster or in the launching of either lifeboat, because
they were carrying out other duties. Also, when fire and abandonment drills
were conducted, the marine crew and the drill crew did not collectively partici-
pate because of drilling operations (USCG 2011).17
The supply vessel, Damon B. Bankston, was alongside the rig when the
blowout occurred. The vessel’s “fast rescue craft” was instrumental in the rescue
of survivors who had jumped into the sea. The ship’s crew also helped in freeing
the life raft from a rope that tethered the raft to the rig and in towing the raft to
safety (USCG 2011, xiv). The rig crew had not practiced a life raft launch, and
the raft occupants were unable to release the connecting line on their own
(USCG 2011, xv, 64).
After all survivors had been accounted for, it was determined that the 11
killed were crew last seen on the drill floor, the mud pump room, and the shaker
house. All of those areas were broadly exposed to the gaseous hydrocarbon flow
erupting from the well through the MGS system vents.18 No protection system
was built into these working areas of the rig to deflect the effects of explosion
from those who were exposed.
Complex Operations in Hazardous Environments
Conduct of marine exploration drilling from the Deepwater Horizon and
other deepwater rigs is an extremely complex engineering operation in an unfor-
giving maritime environment. Management of those complexities by the respon-
sible companies during the drilling and temporary abandonment of the Macondo
well was unsuccessful in preventing loss of life, injury, and extensive pollution
of the environment. This disaster underscores the need for instilling an effective
systems safety approach for offshore drilling operations (see Chapter 5). Pro-
grams for system safety that were established for other safety-critical large-scale
activities can be a source of useful guidance.
In the aftermath of the loss of a space shuttle, the Columbia Accident In-
vestigation Board (CAIB) in 2003 examined the U.S. Navy’s Submarine Safety
Program (SUBSAFE)19 as one example of successful implementation of system
17
In its response to the U.S. Coast Guard report (USCG 2011), Transocean (2011b)
noted that “To require on-duty drill crews to participate in fire drills would be imprudent
and unsafe—during the fire drill no one would be left to monitor the well.”
18
In its report, the U.S. Coast Guard (USCG 2011, x) concludes that the crew on the
drill floor and in the mud pits were likely killed during the initial explosions.
19
SUBSAFE was implemented in 1963, after the loss of the USS Thresher. Since
SUBSAFE was implemented nearly 50 years ago, no SUBSAFE-certified submarine has
been lost at sea. This is far different from the situation that existed before SUBSAFE,
OCR for page 82
82 Macondo Well Deepwater Horizon Blowout
safety (CAIB 2003, 182–184). Among the observations made by CAIB with
regard to the Navy’s submarine programs, the following highlights provide use-
ful guidance in considering the oil and gas industry’s and government’s neces-
sary responses to the Deepwater Horizon disaster:
Technical requirements are clearly documented and achievable, with
minimal “tailoring” or granting of waivers.
A separate compliance verification organization independently as-
sesses program management.
There is a strong safety culture that emphasizes understanding and
learning from past failures.
Extensive safety training is based on past accidents.
The safety program structure is enhanced by the clarity, uniformity,
and consistency of submarine safety requirements and responsibilities. Program
managers are not permitted to “tailor” requirements without approval from the
organization with final authority for technical requirements and the organization
that verifies compliance with critical design and process requirements.
Compliance with critical design and process requirements is independ-
ently verified by a highly capable centralized organization that also “owns” (i.e.,
accepts responsibility for) the processes and monitors the program.
FINDINGS
On the basis of the preceding discussion and the information obtained
from witness testimony at investigative hearings, presentations to the committee,
and previously published reports, the committee has developed the following
findings, as well as the observations and recommendations provided in subse-
quent sections.
Explosions and Fire on the Deepwater Horizon
Summary Finding 4.1: Once well control was lost, the large quantities
of gaseous hydrocarbons released onto the Deepwater Horizon, exac-
erbated by low wind velocity and questionable venting selection, made
ignition all but inevitable.
Finding 4.1a: Uncontrolled flow of hydrocarbons through the der-
rick resulted in a huge cloud of combustible atmosphere surround-
ing the rig.
when, on average, a submarine was lost every 3 years to noncombat causes from 1915 to
1963. Additional discussion of the safety system aspect of SUBSAFE is provided by
Presidential Commission (2011).
OCR for page 83
83
Mobile Offshore Drilling Units
Finding 4.1b: The rig was not designed to prevent explosion or fire
once it was surrounded by the extent of combustible atmosphere
facing the Deepwater Horizon.
Finding 4.1c: Hydrocarbon flow was not redirected overboard.
Overboard discharge of the blowout might have delayed the explo-
sion and fire aboard the rig.
Finding 4.1d: Explosions and subsequent fire are suspected to have
resulted from ignition of the surrounding combustible cloud; the
source of the ignition cannot be definitively determined.
The Rig’s Power Supply
Finding 4.2: Loss of power led to a broad range of effects including
loss of firefighting ability, position-keeping ability, and overall situ-
ational control.
Finding 4.2a: The rig’s dynamic positioning system operated as de-
signed until the loss of power disabled the rig’s ability to maintain
station or reposition under control.
Finding 4.2b: Backup system designs did not ensure reliable power.
Finding 4.2c: The standby generator did not automatically start
and could not be started in manual mode, indicating deficient reli-
ability in the backup system needed to restore main generator
power.
Finding 4.2d: Poor performance by the standby diesel generator
may indicate that insufficient environmental testing was specified
for this critical, last-resort power system to demonstrate robust ca-
pability or any local indication of generator starting availability.
Alarm and Indication Systems, Procedures, and Training
Finding 4.3: Alarm and indication systems, procedures, and training
were insufficient to ensure timely and effective actions to prevent the
explosions or respond to save the rig.
Finding 4.3a: The rig design did not employ automatic methods to
react to indications of a massive blowout, leaving reactions entirely
in the hands of the surviving crew.
OCR for page 84
84 Macondo Well Deepwater Horizon Blowout
Finding 4.3b: The crew was ill-prepared for the scale of this disas-
ter.
Finding 4.3c: Watch officers were not trained to respond to the
conditions faced in this incident.
Finding 4.3d: Emergency procedures did not equip the watch stan-
ders with immediate actions to minimize damage and loss of life.
Finding 4.3e: The training routine did not include any full rig drills
designed to develop and maintain crew proficiency in reacting to
major incidents.
Finding 4.3f: Training of key personnel did not include realistic
blowout scenarios or the handling of multiple concurrent failures.
Finding 4.3g: Crew members lacked cross-rate training to under-
stand rig total systems and components. As a result, many of the
crew were inadequately prepared to react to the incident.
Decision Authority and Command
Finding 4.4: Confusion existed about decision authority and com-
mand. Uncertainty as to whether the rig was under way or moored to
the wellhead contributed to the confusion on the bridge and may have
impaired timely disconnect.
Life-Saving Equipment
Finding 4.5: The U.S. Coast Guard’s requirement for the number and
placement of lifeboats was shown to be prudent and resulted in suffi-
cient lifeboat capacity for effective rig abandonment. The Coast
Guard’s investigation report (USCG 2011) notes a lack of heat shield-
ing to protect escape paths and life-saving equipment.
Lack of Fail-Safe Design and Testing, Training, and
Operating Practices Aboard the Rig
Finding 4.6: The above findings indicate that the lack of fail-safe de-
sign and testing, training, and operating practices aboard the rig con-
tributed to loss of the rig and loss of life. The chain of events that be-
gan downhole (see Chapter 2) could have been interrupted at many
points, such as at the wellhead by the BOP (see Chapter 3) or aboard
OCR for page 85
85
Mobile Offshore Drilling Units
the rig, where the flow might have been directed overboard or where
the rig itself might have been disconnected from the well and reposi-
tioned. Had the rig been able to disconnect, the primary fuel load for
the fire would have been eliminated.
OBSERVATIONS
Evacuation
Observation 4.1: The actions of some crew members in requiring
due consideration of additional survivors before launching life-
boats, despite the fearsome fires engulfing the rig, are commend-
able and were important in the highly successful evacuation.
Observation 4.2: The attempts to start the standby diesel generator
and restore power for damage control were acts of bravery.
Observation 4.3: Conditions of explosion, fire, loss of lighting, toxic
gas, and eventual flooding and sinking could have resulted in many
more injuries or deaths if not for the execution of the rig’s evacua-
tion.
Rules for Rig Propulsion Control Systems
Observation 4.4: American Bureau of Shipping (ABS)20 rules require
that propulsion control systems for MODUs shall “in general” comply
with the Steel Vessel Rules. This requirement may give rise to ambi-
guity concerning primary control and monitoring systems on MO-
DUs.
RECOMMENDATIONS
Summary Recommendation 4.1: Instrumentation and expert system
decision aids should be used to provide timely warning of loss of well
control to drillers on the rig (and ideally to onshore drilling monitors
as well). If the warning is inhibited or not addressed in an appropriate
time interval, autonomous operation of the blind shear rams, EDS,
general alarm, and other safety systems on the rig should occur.21
20
As a classification society, the role of ABS is to verify that marine vessels and off-
shore structures comply with rules that the society has established for design, construc-
tion, and periodic survey (ABS 2011).
21
Although it was presented in Chapter 3, the recommendation is also presented here
to underscore that the rig, riser, BOP, and drilling equipment are an integrated system.
OCR for page 86
86 Macondo Well Deepwater Horizon Blowout
Safety System Design
Recommendation 4.2: Rigs should be designed so that their instrumen-
tation, expert system decision aids, and safety systems are robust and
highly reliable under all foreseeable normal and extreme operating
conditions. The design should account for hazards that may result
from drilling operations and attachment to an uncontrolled well. The
aggregate effects of cascading casualties and failures should be con-
sidered to avoid the coupling of failure modes to the maximum rea-
sonable extent.
Recommendation 4.3: Industry and regulators should develop fail-safe
design requirements for the combined systems of rig, riser, BOP,
drilling equipment, and well to ensure that (a) blowouts are prevented
and (b) if a blowout should occur the hydrocarbon flow will be
quickly isolated and the rig can disconnect and reposition. The crite-
ria for these requirements should be maximum reasonable assurance
of (a) and (b) and successful crew evacuation under both scenarios.
Recommendation 4.4: Industry and regulators should implement a
method of design review for systemic risks for future well design that
uses a framework with attributes similar to those of the Department
of Defense Standard Practice for System Safety (DoD 2000), which ar-
ticulates standard practices for system safety for the U.S. military, to
address the complex and integrated “system of systems” challenges
faced in safely operating deepwater drilling rigs. The method should
take into consideration the coupled effects of well design and rig de-
sign. (See Chapter 5 for a discussion of safety system qualities.)
Recommendation 4.5: Industry should institute design improvements
in systems, technology, training, and qualification to ensure that crew
members are best prepared to cope with serious casualties.
Recommendation 4.6: ABS should eliminate any ambiguity in its rules
requiring that propulsion control systems for MODUs shall “in gen-
eral” comply with the Steel Vessel Rules. All of the primary control
and monitoring systems and critical backup systems on these MODUs
should be designed and tested to the highest standards in the industry.
Automatic Redirection of Hydrocarbon Flow Overboard
Recommendation 4.7: Industry should develop and implement passive
or automatic methods to redirect hydrocarbon flow overboard. Ide-
OCR for page 87
87
Mobile Offshore Drilling Units
ally, the methods would include some artificial intelligence capability
to evaluate the magnitude of the flow and prevailing wind.
Recovery of Main Electrical Power
Recommendation 4.8: Recovery of main electrical power is a vital ca-
pability for MODUs. Industry should ensure that standby generator
systems will be reliable and robust for automatic starting. Moreover,
standby generator location, controls, and power lines should be posi-
tioned to minimize the likelihood of damage from fire or explosions in
the main engine room or from other casualties affecting the primary
electric power system.
Capturing and Preserving Data for Future Investigations
Recommendation 4.9: Data logger systems should be designed for
handling the bandwidth of sensor data that may arise under the most
stressing casualty conditions. The systems should be able to transmit
in real time to shore so that accurate records are potentially available
for determination of root cause in subsequent investigation.
Alarms and Indicators
Recommendation 4.10: Inhibition of alarms should be allowed only
when approved by a senior officer in the vessel. Regulators should re-
quire that the master, OIM, and chief engineer review periodically the
status of alarms and indications and take action to resolve conditions
of complacent behavior. This should be a standard item of regulatory
and class inspections.
Recommendation 4.11: Drilling rig contractors should review designs
to ensure adequate redundancy in alarms and indicators in key areas
of the rig.
Education and Training of Rig Personnel
Recommendation 4.12: Drilling rig contractors should require realistic
and effective training in operations and emergency situations for key
personnel before assignment to any rig. Industry should also require
that personnel aboard the rig achieve and maintain a high degree of
expertise in their assigned watch station, including formal qualifica-
tion and periodic reexamination.
OCR for page 88
88 Macondo Well Deepwater Horizon Blowout
Recommendation 4.13: Realistic simulators should be used to expose
key operators to conditions of stress that are expected in major con-
flagrations, including heat and loss of visibility (see Chapter 5).
Recommendation 4.14: Realistic major drill scenarios with independ-
ent oversight should be part of the normal routine at sea.
Recommendation 4.15: Regulators should require that all permanent
crew on a rig achieve a basic level of qualification in damage control
and escape systems to ensure that all hands are able to contribute to
resolving a major casualty.
Recommendation 4.16: Regulators should increase the qualification
requirements of the OIM to reflect a level of experience commensu-
rate with the consequences of potential failure in his or her decision
making.
A comparison of the current minimum qualification requirements of an
OIM with those of a rig master shows that the OIM requirements are much less
rigorous today than is indicated by the OIM’s significant responsibilities for
well control (46 CFR 11.404 and 46 CFR 11.470). For example, a typical master
of unrestricted tonnage has a 4-year degree in a recognized maritime academy
deck officer curriculum or more than 3 years of relevant rating sea time, plus
additional years of sea experience in successive promotion roles from third mate
through second mate and chief mate. In contrast, one may be licensed as an OIM
with as little as 4 years (or 2 years plus an engineering technology degree) of
experience aboard MODUs in roles as assistant driller, assistant tool pusher,
electrician, or crane operator; 14 days of experience as a supervisor of those
ratings; and a 5-day course in stability for OIMs.
Definition of Command at Sea
Recommendation 4.17: Definition of command at sea should be abso-
lutely unambiguous and should not change during emergencies.
Recommendation 4.18: Regulators should establish the unity of com-
mand and clearly articulate the hierarchy of roles and responsibilities
of company man, master, and OIM.
Appointment of Certification Authority
Recommendation 4.19: Operating companies and drilling contractors
should institute a certification authority, accountable to the head of
OCR for page 89
89
Mobile Offshore Drilling Units
the company, to act as the senior corporate official responsible and
accountable for meeting the conditions set out in a safety management
system (see Chapter 5). This appointment should provide a powerful
voice for safe execution of operations and surety in dealing with
emergencies: the official should have the authority and responsibility
to stop work if necessary.
System Safety Certification
Recommendation 4.20: Industry and regulators should consider rele-
vant aspects of programs for system safety certification that were es-
tablished for other safety-critical large-scale activities, such as the
U.S. Navy’s Submarine Safety Program, as guidance in developing a
response to the Deepwater Horizon incident.
Recommendation 4.21: Industry and regulators should develop and
implement a certification to ensure that design requirements, material
condition, maintenance, modernization, operating and emergency in-
structions, manning, and training are all effective in meeting the re-
quirements of Recommendation 4.3 throughout the rig’s service life.
Recommendation 4.22: Regulators should require that the rig, the en-
tire system, and the crew be examined annually by an experienced
and objective outside team to achieve and maintain certification in
operational drilling safeguards. The consequence of unsatisfactory
findings should be suspension of the crew’s operation except under
special supervisory conditions.
