A system of protective electrical and mechanical devices, intended to detect combustible gas and prevent its ignition, was designed into areas of the rig where potentially explosive mixtures of hydrocarbons and air may accumulate if released. Components located in rig zones with the greatest risk of high-gaseous hydrocarbon concentrations were described as “classified,” designed to protect against exterior ignition and required to pass tests demonstrating isolation of internal ignition sources from potentially combustible atmospheres. Outside the classified zones, use of standard components without such ignition prevention features was permissible.

Alarms and Indications

The Deepwater Horizon’s alarm system was controlled and monitored from the integrated alarm and control system (IACS), which comprised a network of distributed computers. Workstations around the rig displayed the condition of the propulsion system, generators, auxiliaries, and other systems. From the bridge, the watch team could monitor all instrumented activities including dynamic positioning activities, drilling, fire and gas detection, power management, and machinery systems. The integrated system is described in some detail by May and Foss (2000). According to the paper, the dynamic positioning system was a triple-redundant system with dual buses, designed with the intent of being reliable and robust.

As discussed by BP (2010), Republic of the Marshall Islands (2011), and Transocean (2011a), the fire and gas panel monitored fire detectors, combustible gas detectors (CGDs), and toxic gas detectors. There were 27 CGDs on the rig, each of which had an audible and visual alarm. According to BP (2010), the system was designed to have only one CGD at each location. Thirteen of the 27 CGDs had automatic responses, such as securing ventilation fans and all electrical power to an affected area that was in an alarm condition, while the other 14 only had an audible and visual display. The engine room ventilation CGDs did not have an automated response, which required a crew member to validate an alarm in this space before taking manual actions, since securing one or more operating diesel engines could disrupt dynamic positioning of the rig (Transocean 2011a). An emergency disconnect from the well might be necessary if the rig was latched up to the subsea system and dynamic positioning was lost.

Diesel Generator Safety Systems

The diesel engines were fitted with three overspeed shutdown devices that would shut off the fuel, but none of these devices was designed to close off the air intake to the engines directly (USCG 2011). Instead, one of the speed signals was sent to the IACS. If that system determined that the diesel engine was 13 percent above its rated speed, it would cut both the fuel and the air supply to the engine. This was the only overspeed protection on the diesel engines that would



The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.
Terms of Use and Privacy Statement