This appendix presents a compilation of the findings, observations, and recommendations shown in the chapters of this report.1 The sequence in which they are presented is according to the sequence of the chapters and is not intended to imply a sense of priority.
|ABS||American Bureau of Shipping|
|AMF||automatic mode function|
|BSEE||Bureau of Safety and Environmental Enforcement|
|BSR||blind shear ram|
|CSR||casing shear ram|
|DoD||U.S. Department of Defense|
|DOI||U.S. Department of the Interior|
|DNV||Det Norske Veritas|
|EDS||emergency disconnect system|
|LMRP||lower marine riser package|
|MODU||mobile offshore drilling unit|
|OIM||offshore installation manager|
|ppg||pounds per gallon|
|ROV||remotely operated vehicle|
|SEMS||Safety and Environmental Management Systems|
|VBR||variable bore ram|
1 This compilation was not presented in the prepublication version of this report, which was issued in December 2011.
WELL DESIGN AND CONSTRUCTION
Summary Finding 2.2: The decision to proceed to displacement of the drilling mud by seawater was made despite a failure to demonstrate the integrity of the cement job even after multiple negative pressure tests. This was but one of a series of questionable decisions in the days preceding the blowout that had the effect of reducing the margins of safety and that evidenced a lack of safety-driven decision making.
Summary Finding 2.3: The reservoir formation, encompassing multiple zones of varying pore pressures and fracture gradients, posed significant challenges to isolation using casing and cement. The approach chosen for well completion failed to provide adequate margins of safety and led to multiple potential failure mechanisms.
Finding 2.4: The sequence of fluids used to cement the Macondo well included a low-density foamed slurry followed by a dense un-foamed tail slurry. The foam cement was designed to have a density of 14.5 ppg at the bottom of the well, but at the surface, where the foam was mixed, the density was extremely light at around 6 ppg. The tail slurry had a density of 16.7 ppg. Because of the extreme density imbalance, the heavy tail cement on top of the foamed cement would have been gravitationally unstable near the surface, and it probably fell into and perhaps through the foamed slurry. This would have had the unintended effect of leaving a tail slurry containing foamed cement in the shoe track at the bottom of the casing rather than leaving the heavy, un-foamed tail cement.
Finding 2.5: Foamed cement that may have been inadvertently left in the shoe track would likely not have developed the compressive strength of the un-foamed cement, nor would it have had the strength to resist crushing when the differential pressure across the cement was increased during the negative test.
2 “Summary” indicates that a finding, observation, or recommendation is presented in the report summary.
3 The first digit of a finding, observation, or recommendation refers to a chapter of this report in which it appears.
Finding 2.6: Evidence available before the blowout indicated that the flapper valves in the float collar probably failed to seal, but this evidence was not acted on at the time.
Finding 2.7: On the basis of photographic evidence, it appears that flow was up the inside of the casing, because the inside of the hanger showed signs of fluid erosion while the outside did not. However, not installing a lockdown sleeve left a potential for flow up the annulus.
Finding 2.8: Because of the choice of the long string of production casing, it was not possible to reciprocate or rotate the casing during the cementing operation. Casing movement tends to help remove any mud left in the path of the cement and force the cement into pathways that might otherwise be bypassed. The minimum circulation of mud was not achieved in this well, which would have been helpful in removing stagnant mud and debris from the annulus. Thus, the possibility of mud-filled channels or poor cement bonding existed.
Finding 2.9: No cement bond log was run to investigate the condition of the cement. The well design placed the float collar above the bottom of the deepest reservoir and would have prevented the log from investigating the lower sections of the well in which cement had been pumped.
Finding 2.10: Although data were being transmitted to shore, it appears that no one in authority (from BP onshore management or a regulatory agency) was required to examine test results and other critical data and render an opinion to the personnel on the rig before operations could continue.
Summary Observation 2.1: While the geologic conditions encountered in the Macondo well posed challenges to the drilling team, alternative completion techniques and operational processes were available that could have been used to prepare the well safely for temporary abandonment.
Observation 2.2: Had an attempt been made to bleed off the drill pipe pressure at the end of the negative test, the communication with the reservoir would likely have been discovered.
Observation 2.3: The results of a variety of static tests of foamed cement mixed at 14.5 ppg and exposed to atmospheric pressure call into question the stability of the foam, because settling of cement and breakout of nitrogen were observed in these tests. The tests were not performed at condi-
tions that existed during pumping or at the bottom of the well and therefore cannot be considered as representative of the foam during displacement or at bottom hole conditions.
Observation 2.4: The pumping sequence of cement slurries and other fluids used for cementing the Macondo well subjected the volume of the lead cement slurry to contamination by the spacer or mud that was placed ahead of it. If it was heavily contaminated, the slurry would not have established a cement cap with the compressive strength of uncontaminated cement.
Observation 2.5: Had the path of the blowout been up the annulus, a liner top or the rupture discs could have failed and allowed flow to escape the well into a shallow formation. This would result in a downhole blowout that could breach at the seafloor under the correct conditions. Future well construction could avoid this possibility by running one of the deeper casing strings back to the wellhead where it can be sealed. For example, in this well the 13 ⅝-inch liner could have been run back to the wellhead. This would protect the shallower liner tops and rupture discs from potential exposure to high pressure from flow up the annulus from a deeper reservoir.
Observation 2.6: The use of a production liner rather than the long string could have allowed for the use of a rotating liner hanger to improve the chances of good cement bonding; allowed for the use of a liner top packer to add a barrier to annular flow near the bottom of the well; allowed for the omission of the differential fill tube, which would remove a potential failure mechanism for the float collar; potentially made the negative test simpler to conduct and interpret; and configured the well to better control and repair a leak in the liner by leaving the well filled with drilling mud to a greater depth and by placing the drill pipe at a greater depth in the well during the test.
Summary Recommendation 2.1: Given the critical role that margins of safety play in maintaining well control, guidelines should be established to ensure that the design approach incorporates protection against the various credible risks associated with the drilling and completion processes.
Recommendation 2.2: During drilling, rig personnel should maintain a reasonable margin of safety between the equivalent circulating density and the density that will cause wellbore fracturing.
Summary Recommendation 2.3: All primary cemented barriers to flow should be tested to verify quality, quantity, and location of cement. The integrity of primary mechanical barriers (such as the float equipment, liner tops, and wellhead seals) should be verified by using the best available test procedures. All tests should have established procedures and predefined criteria for acceptable performance and should be subject to independent, near-real-time review by a competent authority.
Recommendation 2.4: The general well design should include the review of fitness of components for the intended use and be made a part of the well approval process.
Recommendation 2.5: Generally accepted good operational or best practices should be used in the construction of the well. Such practices would ensure that the most accurate well data are passed from the operator to the various contractors for use in simulations and design and that the results are considered by all parties before implementation.
BLOWOUT PREVENTER SYSTEM
Summary Finding 3.1: The loss of well control was not noted until more than 50 minutes after hydrocarbon flow from the formation started, and attempts to regain control by using the BOP were unsuccessful. The BSR failed to sever the drill pipe and seal the well properly, and the EDS failed to separate the lower marine riser and the Deepwater Horizon from the well.
Finding 3.2: The crew did not realize that the well was flowing until mud actually exited and was expelled out of the riser by the flow at 21:40. Early detection and control of flow from a reservoir are critical if an impending blowout is to be prevented by a BOP whose use against a full-flowing well is untested.
Finding 3.3: Once mud began to flow above the rig floor, the crew attempted to close the upper annular preventer of the BOP system, but it did not seal properly. The BOP system had been used in the month previously to strip 48 tool joints, and apparently it was untested for integrity afterwards. Annulars are often unable to seal properly after stripping. In addition, the flowing pressure inside the well may have been larger than the preset annular closing pressure could overcome. What tests of sealing against flow have been done on this design of annular are unknown.
Finding 3.4: The crew also closed the VBRs. The damaged pipe under the upper annular demonstrated its failure to seal, and the well was only sealed, resulting in the final pressure spike, when these VBRs were closed. The DNV investigation also found that these rams closed, and they could only be closed by command from the rig control panels and not by an ROV. At this point the flow from below the VBRs would have been closed off, but gas and oil had already flowed into the marine riser above the BOP system and continued to rise to the surface, where the gas exploded.
Finding 3.5: The internal BOP, which functions as a safety valve on the top of the drill pipe, was not closed (BP 2010, 25). Also, approximately 30 minutes after the explosion the traveling block was observed to fall and the rotary hose (used to conduct drilling fluid) could have been destroyed. The growing fire indicates that the drill pipe was broken in the initial explosion and the fall of the traveling block could have allowed even more flow to escape up the drill string. This was the likely path of hydrocarbon flow before the closure of the BSR.
Finding 3.6: Once the fire started on the rig, an attempt was made (after 7 minutes) to activate the EDS, which should have closed the BSR and disconnected the LMRP. This appears to have failed because the MUX communication cables were destroyed by the explosion or fire.
Finding 3.7: Once hydraulic and electrical connection with the rig was lost at the BOP, the AMF should have activated the BSR. It might have failed at this time because of a low battery charge in one control pod and a mis-wired solenoid valve in the other, but both these points are in dispute. However, no short-term reduction in hydrocarbon flow from the well was observed after the initial fire and explosion. Such a reduction would necessarily have resulted from the VBRs sealing the annulus in the BOP and the failed BSR shearing action effectively choking, at least for a brief period of time, virtually the entire cross section of the 5½-inch drill string. Viewed in total, the evidence appears more supportive of the autoshear activation of the BSR.
Finding 3.8: The BSR appears to have been activated after 07:40 on April 22, 2010, if not earlier, when the hydraulic plunger to the autoshear valve was cut by an ROV. However, regardless of when the BSR was activated, the well continued to flow out of control.
Finding 3.9: DNV hypothesized that the drill pipe below the annular preventer was being forced upward by the pressure of the flowing well, resulting in a 115,000-pound net compressive force on the drill pipe in the BOP sufficient to buckle the drill pipe until it came in contact with the in-
side of the BOP system (DNV 2011a, I, 174). However, the fluid mechanics inherent in this assumption are dubious. The 135,000 pounds of buoyed drill string weight above the BOP appears to be a more plausible source of the compression.
Finding 3.10: When it was activated, the BSR was unable to center the drill pipe in its blades and failed to cut the pipe completely. The blades of the ram were of the old straight and V combination, which has been shown to be inferior in its shearing performance to the double-V blade geometry (West Engineering Services 2004). Because the BSR blades did not fully span the BOP annular, a mashed segment of pipe was caught between the rams and prevented them from closing to the point where they could seal (DNV 2011b, 17).
Finding 3.11: After the rig lost power and drifted off station, the marine riser kept the vessel tethered to the BOP system.
Finding 3.12: Flow from the well then exited the partially severed drill pipe in the BSR and began to erode parts of the ram and BOP stack by fluid flow.
Finding 3.13: After the vessel sank at 10:22 on April 22, 2010, the marine riser with the drill pipe inside was bent at a number of places, including the connector to the BOP, and oil and gas began to flow into the ocean.
Finding 3.14: The effect of closing the CSR on April 29, 2010, was to provide a new flow path exiting the severed drill pipe below the CSR and passing the CSR rams that were not designed to seal. Severe fluid erosion occurred past the CSR, with deep cuts made in the surrounding steel of the BOP housing itself, endangering the integrity of the housing.
Finding 3.15: Unfortunately, even if the BSR had functioned after being activated by the EDS or the AMF, it would not likely have prevented the initial explosions, fire, and resulting loss of life, because hydrocarbons had already flowed into the marine riser above the BOP system. If the BOP system had been able to seal the well, the rig might not have sunk, and the resulting oil spill would likely have been minimized.
Summary Finding 3.16: The BOP system was neither designed nor tested for the dynamic conditions that most likely existed at the time that attempts were made to recapture well control. Furthermore, the design, test, operation, and maintenance of the BOP system were not consistent with a high-reliability, fail-safe device.
Finding 3.17: Regulations in effect before the incident required the periodic testing of the BOP system. However, they did not require testing under conditions that simulated the hydrostatic pressure at the depth of the BOP system or under the condition of pipe loading that actually occurred under dynamic flow, with the possible entrained formation rock, sand, and cement, and no such tests were run. Furthermore, because of the inadequate monitoring technology, the condition of the subsea control pods at the time of the blowout was unknown.
Finding 3.18: The committee’s assessment of the available information on the capabilities and performance of the BOP system at the Macondo well points to a number of deficiencies (listed below) that are indicative of deficiencies in the design process. Past studies suggest that the shortcomings also may be present for BOP systems deployed for other deepwater drilling operations.
1. The committee could find no evidence that the BOP design criteria or performance envelope was ever fully integrated into an overall well control system perspective, nor that BOP design was consistent with the BOP’s critical role in well control.
2. While individual subsystems of various BOP designs have been studied on an ad hoc basis over the years, the committee could find no evidence of a reliability assessment of the entire BOP system, which would have included functioning at depth under precisely the conditions of a dynamic well blowout. Furthermore, the committee could find no publicly available design criteria for BOP reliability.
3. The entire BOP system design is characterized by a previously identified lack of redundancy:
- There is only one BSR.
- One shuttle valve is used by both control pods.
- Each MUX cable is incapable of monitoring the entire BOP system independently.
4. No design consideration appears to have been given to BSR performance on pipe in compression.
5. The BSR was not designed to shear all types and sizes of pipe that might be present in the BOP system.
6. The BSR probably did not have the capability of shearing or sealing any pipe in significant compression.
7. There was a lack of BOP status monitoring capabilities on the rig, including
- Battery condition,
- Condition of the solenoid valves,
- Flow velocity inside the BOP system,
- Ram position,
- Pipe and tool joint position inside the BOP system, and
- Detection of faults in the BOP system and cessation of drilling operations on that basis.
Finding 3.19: The failure of the AMF to activate might have been due to malfunctions in the control pods that could not be detected. In view of the state of the pipe in the well after the explosion, whether the BSR would have functioned properly is uncertain. This issue is moot if the rams could not perform their intended functions whenever they were activated.
Finding 3.20: The regulations did not require that the design of the equipment allow for real-time monitoring of critical features, such as the battery condition in the control pod, so that maintenance issues could be readily discovered. The current test protocol for the BSRs, for example, is designed for near-ideal surface conditions rather than the harsher conditions found on the ocean floor.
Finding 3.21: When a signal is sent from the drilling rig to the BOP (on the seafloor) to execute a command, the BOP sends a message back that the signal has been received. However, there are no transducers that detect the position or status of key components, and there are no devices to send a signal that any command has been executed (such as pressure or displacement sensors confirming that the hydraulics have been actuated, that rams have moved, or that pipe has been cut). Furthermore, there are no sensors to communicate flow or pressures in the BOP to the rig floor.
Observation 3.1: In the confusion of an emergency such as the one on the Deepwater Horizon, it is not surprising that a drill crew would not take the time to determine whether a tool joint was located in the plane of the BSR or whether tension was properly maintained in the drill pipe.
Observation 3.2: In terms of emergency procedures, such as an emergency disconnect or autoshear function of the BOP system on its own, there is no ability to manipulate the tool joint position or the level of tension or compression in the drill pipe. The BSR was not designed to work for the full range of conditions that could be realistically anticipated in an emergency.
Summary Recommendation 3.1: BOP systems should be redesigned to provide robust and reliable cutting, sealing, and separation capabilities for the drilling environment to which they are being applied and under all foreseeable operating conditions of the rig on which they are installed. Test and maintenance procedures should be established to ensure operability and reliability appropriate to their environment of application. Furthermore, advances in BOP technology should be evaluated from the perspective of overall system safety. Operator training for emergency BOP operation should be improved to the point that the full capabilities of a more reliable BOP can be competently and correctly employed when needed in the future.
Recommendation 3.2: The design capabilities of the BOP system should be improved so that the system can shear and seal all combinations of pipe under all possible conditions of load from the pipe and from the well flow, including entrained formation rock and cement, with or without human intervention. Such a system should be designed to go into the “well closed” position in the event of a system failure. This does not mean that the BOP must be capable of shearing every drill pipe at every point. It does mean that the BOP design should be such that for any drill string being used in a particular well, there will always be a shearable section of the drill pipe in front of some BSR in the BOP.
Recommendation 3.3: The performance of the design capabilities described in the preceding recommendation should be demonstrated and independently certified on a regular basis by test or other means.
Recommendation 3.4: The instrumentation on the BOP system should be improved so that the functionality and condition of the BOP can be monitored continuously.
Summary Recommendation 3.5: Instrumentation and expert system decision aids should be used to provide timely warning of loss of well control to drillers on the rig (and ideally to onshore drilling monitors as well). If the warning is inhibited or not addressed in an appropriate time interval, autonomous operation of the BSRs, EDS, general alarm, and other safety systems on the rig should occur.4
Recommendation 3.6: An unambiguous procedure, supported with proper instrumentation and automation, should be created for use as part of the
4 This recommendation is repeated as Summary Recommendation 4.1.
BOP system. The operational status of the system, including battery charge and pressures, should be continuously monitored from the surface.
Recommendation 3.7: A BOP system with a critical component that is not operating properly, or one that loses redundancy in a critical component, should cause drilling operations to cease. Drilling should not resume until the BOP’s emergency operation capability is fully cured.
Recommendation 3.8: A reliable and effective EDS is needed to complete the three-part objective of cutting, sealing, and separating as a true “dead man” operation when communication with the rig is lost. The operation should not depend on manual intervention from the rig, as was the case with the Deepwater Horizon. The components used to implement this recommendation should be monitored or tested as necessary to ensure their operation when needed.
If the consequence of losing communication and status monitoring of the BOP system is an automatic severing of the drill pipe and disconnection from the well, the quality and reliability of this communication link will improve dramatically.
Recommendation 3.9: BOP systems should be designed to be testable without concern for compromising the integrity of the system for future use.
MOBILE OFFSHORE DRILLING UNITS
Summary Finding 4.1: Once well control was lost, the large quantities of gaseous hydrocarbons released onto the Deepwater Horizon, exacerbated by low wind velocity and questionable venting selection, made ignition all but inevitable.
Finding 4.1a: Uncontrolled flow of hydrocarbons through the derrick resulted in a huge cloud of combustible atmosphere surrounding the rig.
Finding 4.1b: The rig was not designed to prevent explosion or fire once it was surrounded by the extent of combustible atmosphere facing the Deepwater Horizon.
Finding 4.1c: Hydrocarbon flow was not redirected overboard. Overboard discharge of the blowout might have delayed the explosion and fire aboard the rig.
Finding 4.1d: Explosions and subsequent fire are suspected to have resulted from ignition of the surrounding combustible cloud; the source of the ignition cannot be definitively determined.
Finding 4.2: Loss of power led to a broad range of effects including loss of firefighting ability, position-keeping ability, and overall situational control.
Finding 4.2a: The rig’s dynamic positioning system operated as designed until the loss of power disabled the rig’s ability to maintain station or reposition under control.
Finding 4.2b: Backup system designs did not ensure reliable power.
Finding 4.2c: The standby generator did not automatically start and could not be started in manual mode, indicating deficient reliability in the backup system needed to restore main generator power.
Finding 4.2d: Poor performance by the standby diesel generator may indicate that insufficient environmental testing was specified for this critical, last-resort power system to demonstrate robust capability or any local indication of generator starting availability.
Finding 4.3: Alarm and indication systems, procedures, and training were insufficient to ensure timely and effective actions to prevent the explosions or respond to save the rig.
Finding 4.3a: The rig design did not employ automatic methods to react to indications of a massive blowout, leaving reactions entirely in the hands of the surviving crew.
Finding 4.3b: The crew was ill-prepared for the scale of this disaster.
Finding 4.3c: Watch officers were not trained to respond to the conditions faced in this incident.
Finding 4.3d: Emergency procedures did not equip the watch standers with immediate actions to minimize damage and loss of life.
Finding 4.3e: The training routine did not include any full rig drills designed to develop and maintain crew proficiency in reacting to major incidents.
Finding 4.3f: Training of key personnel did not include realistic blowout scenarios or the handling of multiple concurrent failures.
Finding 4.3g: Crew members lacked cross-rate training to understand rig total systems and components. As a result, many of the crew were inadequately prepared to react to the incident.
Finding 4.4: Confusion existed about decision authority and command. Uncertainty as to whether the rig was under way or moored to the wellhead contributed to the confusion on the bridge and may have impaired timely disconnect.
Finding 4.5: The U.S. Coast Guard’s requirement for the number and placement of lifeboats was shown to be prudent and resulted in sufficient lifeboat capacity for effective rig abandonment. The Coast Guard’s investigation report (USCG 2011) notes a lack of heat shielding to protect escape paths and life-saving equipment.
Finding 4.6: The above findings indicate that the lack of fail-safe design and testing, training, and operating practices aboard the rig contributed to loss of the rig and loss of life. The chain of events that began downhole could have been interrupted at many points, such as at the wellhead by the BOP or aboard the rig, where the flow might have been directed overboard or where the rig itself might have been disconnected from the well and repositioned. Had the rig been able to disconnect, the primary fuel load for the fire would have been eliminated.
Observation 4.1: The actions of some crew members in requiring due consideration of additional survivors before launching lifeboats, despite the fearsome fires engulfing the rig, are commendable and were important in the highly successful evacuation.
Observation 4.2: The attempts to start the standby diesel generator and restore power for damage control were acts of bravery.
Observation 4.3: Conditions of explosion, fire, loss of lighting, toxic gas, and eventual flooding and sinking could have resulted in many more injuries or deaths if not for the execution of the rig's evacuation.
Observation 4.4: ABS rules require that propulsion control systems for MODUs shall “in general” comply with the Steel Vessel Rules. This requirement may give rise to ambiguity concerning primary control and monitoring systems on MODUs.
Summary Recommendation 4.1: Instrumentation and expert system decision aids should be used to provide timely warning of loss of well control to drillers on the rig (and ideally to onshore drilling monitors as well). If the warning is inhibited or not addressed in an appropriate time interval, autonomous operation of the BSRs, EDS, general alarm, and other safety systems on the rig should occur.5
Recommendation 4.2: Rigs should be designed so that their instrumentation, expert system decision aids, and safety systems are robust and highly reliable under all foreseeable normal and extreme operating conditions. The design should account for hazards that may result from drilling operations and attachment to an uncontrolled well. The aggregate effects of cascading casualties and failures should be considered to avoid the coupling of failure modes to the maximum reasonable extent.
Recommendation 4.3: Industry and regulators should develop fail-safe design requirements for the combined systems of rig, riser, BOP, drilling equipment, and well to ensure that (a) blowouts are prevented and (b) if a blowout should occur the hydrocarbon flow will be quickly isolated and the rig can disconnect and reposition. The criteria for these requirements should be maximum reasonable assurance of (a) and (b) and successful crew evacuation under both scenarios.
Recommendation 4.4: Industry and regulators should implement a method of design review for systemic risks for future well design that uses a framework with attributes similar to those of the Department of Defense Standard Practice for System Safety (DoD 2000), which articulates standard practices for system safety for the U.S. military, to address the complex and integrated “system of systems” challenges faced in safely operating deepwater drilling rigs. The method should take into consideration the coupled effects of well design and rig design.
Recommendation 4.5: Industry should institute design improvements in systems, technology, training, and qualification to ensure that crew members are best prepared to cope with serious casualties.
Recommendation 4.6: ABS should eliminate any ambiguity in its rules requiring that propulsion control systems for MODUs shall “in general” comply with the Steel Vessel Rules. All of the primary control and monitoring systems and critical backup systems on these MODUs should be designed and tested to the highest standards in the industry.
Recommendation 4.7: Industry should develop and implement passive or automatic methods to redirect hydrocarbon flow overboard. Ideally, the methods would include some artificial intelligence capability to evaluate the magnitude of the flow and prevailing wind.
Recommendation 4.8: Recovery of main electrical power is a vital capability for MODUs. Industry should ensure that standby generator systems will be reliable and robust for automatic starting. Moreover, standby generator location, controls, and power lines should be positioned to minimize the likelihood of damage from fire or explosions in the main engine room or from other casualties affecting the primary electric power system.
Recommendation 4.9: Data logger systems should be designed for handling the bandwidth of sensor data that may arise under the most stressing casualty conditions. The systems should be able to transmit in real time to shore so that accurate records are potentially available for determination of root cause in subsequent investigation.
Recommendation 4.10: Inhibition of alarms should be allowed only when approved by a senior officer in the vessel. Regulators should require that the master, OIM, and chief engineer review periodically the status of alarms and indications and take action to resolve conditions of complacent behavior. This should be a standard item of regulatory and class inspections.
Recommendation 4.11: Drilling rig contractors should review designs to ensure adequate redundancy in alarms and indicators in key areas of the rig.
Recommendation 4.12: Drilling rig contractors should require realistic and effective training in operations and emergency situations for key personnel before assignment to any rig. Industry should also require that personnel aboard the rig achieve and maintain a high degree of expertise in their assigned watch station, including formal qualification and periodic reexamination.
Recommendation 4.13: Realistic simulators should be used to expose key operators to conditions of stress that are expected in major conflagrations, including heat and loss of visibility.
Recommendation 4.14: Realistic major drill scenarios with independent oversight should be part of the normal routine at sea.
Recommendation 4.15: Regulators should require that all permanent crew on a rig achieve a basic level of qualification in damage control and escape systems to ensure that all hands are able to contribute to resolving a major casualty.
Recommendation 4.16: Regulators should increase the qualification requirements of the OIM to reflect a level of experience commensurate with the consequences of potential failure in his or her decision making.
Recommendation 4.17: Definition of command at sea should be absolutely unambiguous and should not change during emergencies.
Recommendation 4.18: Regulators should establish the unity of command and clearly articulate the hierarchy of roles and responsibilities of company man, master, and OIM.
Recommendation 4.19: Operating companies and drilling contractors should institute a certification authority, accountable to the head of the company, to act as the senior corporate official responsible and accountable for meeting the conditions set out in a safety management system. This appointment should provide a powerful voice for safe execution of operations and surety in dealing with emergencies: the official should have the authority and responsibility to stop work if necessary.
Recommendation 4.20: Industry and regulators should consider relevant aspects of programs for system safety certification that were established for other safety-critical large-scale activities, such as the U.S. Navy’s Submarine Safety Program, as guidance in developing a response to the Deepwater Horizon incident.
Recommendation 4.21: Industry and regulators should develop and implement a certification to ensure that design requirements, material condition, maintenance, modernization, operating and emergency instructions, manning, and training are all effective in meeting the requirements of Recommendation 4.3 throughout the rig’s service life.
Recommendation 4.22: Regulators should require that the rig, the entire system, and the crew be examined annually by an experienced and objective outside team to achieve and maintain certification in operational drilling safeguards. The consequence of unsatisfactory findings should be suspension of the crew’s operation except under special supervisory conditions.
INDUSTRY MANAGEMENT OF OFFSHORE DRILLING
Summary Finding 5.1: The actions, policies, and procedures of the corporations involved did not provide an effective system safety approach commensurate with the risks of the Macondo well. The lack of a strong safety culture resulting from a deficient overall systems approach to safety is evident in the multiple flawed decisions that led to the blowout. Industrial management involved with the Macondo well–Deepwater Horizon disaster failed to appreciate or plan for the safety challenges presented by the Macondo well.
Summary Observation 5.1: The ability of the oil and gas industry to perform and maintain an integrated assessment of the margins of safety for a complex well like Macondo is impacted by the complex structure of the offshore oil and gas industry and the divisions of technical expertise among the many contractors engaged in the drilling effort.
Observation 5.2: Processes within the oil and gas industry to assess adequately the integrated risks associated with drilling a deepwater well, such as Macondo, are currently lacking.
Observation 5.3: As offshore drilling extends into deeper water, its complexity increases. However, in-house technical capabilities within many operating companies for well drilling operations have diminished in favor of reliance on multiple contractors. This, in turn, diminishes the capacity of operations companies (the “operator”) to assess and integrate the multiplicity of factors potentially affecting the safety of the well.
Observation 5.4: The operating leaseholder company is the only entity involved in offshore drilling that is positioned to manage the overall system safety of well drilling and rig operations.
Summary Observation 5.5: The extent of industry training of key personnel and decision makers has been inconsistent with the complexities and risks of deepwater drilling.
Observation 5.6: There are too few standardized requirements across companies for education, training, and certification of personnel involved in deepwater drilling.
Summary Observation 5.7: Overall, the companies involved have not made effective use of real-time data analysis, information on precursor incidents or near misses, or lessons learned in the Gulf of Mexico and worldwide to adjust practices and standards appropriately.
Summary Observation 5.8: Industry’s R&D efforts have been focused disproportionately on exploration, drilling, and production technologies as opposed to safety.
Summary Recommendation 5.1: Operating companies should have ultimate responsibility and accountability for well integrity, because only they are in a position to have visibility into all its aspects. Operating companies should be held responsible and accountable for well design, well construction, and the suitability of the rig and associated safety equipment. Notwithstanding the above, the drilling contractor should be held responsible and accountable for the operation and safety of the offshore equipment.6
Recommendation 5.1a: Coordination of multiple contractors should be reinforced to maintain a common focus on overall safety.
Recommendation 5.1b: Operating companies should develop and maintain the proper oversight of contractor work.
Summary Recommendation 5.2: Industry should greatly expand R&D efforts focused on improving the overall safety of offshore drilling in the areas of design, testing, modeling, risk assessment, safety culture, and systems integration. Such efforts should encompass well design, drilling and marine equipment, human factors, and management systems. These endeavors should be conducted to benefit the efforts of industry and government to instill a culture of safety.
Summary Recommendation 5.3: Industry should undertake efforts to expand significantly the formal education and training of industry personnel engaged in offshore drilling to support proper implementation of system safety.
Recommendation 5.3a: Education of rig personnel early in their careers can be provided through a system similar to community or technical colleges.
6 This recommendation is also presented as Summary Recommendation 6.20.
Recommendation 5.3b: In addition to rig personnel, onshore personnel involved in overseeing or supporting rig-based operations should have sufficient understanding of the fundamental processes and risks involved.
Recommendation 5.3c: A research process is needed for establishing standardized requirements for education, training, and certification of everyone working on an offshore drilling rig. Additional standardized requirements should be established for education, training, and certification of key drilling-related personnel working offshore and onshore.
Summary Recommendation 5.4: Industry and regulators should improve corporate and industrywide systems for reporting safety-related incidents. Reporting should be facilitated by enabling anonymous or “safety privileged” inputs. Corporations should investigate all such reports and disseminate their lessons-learned findings in a timely manner to all their operating and decision-making personnel and to the industry as a whole. A comprehensive lessons-learned repository should be maintained for industrywide use. This information can be used for training in accident prevention and continually improving standards.7
Summary Recommendation 5.5: Industry should foster an effective safety culture through consistent training, adherence to principles of human factors, system safety, and continued measurement through leading indicators.
Recommendation 5.5a: The committee endorses the concept of a “center for offshore safety” to train, monitor the work experience of, and certify (license) personnel. Leadership of the center should involve persons affiliated with one or more neutral organizations that are outside of the petroleum industry.
Recommendation 5.5b: Effective response to a crisis situation requires teamwork to share information and perform actions. Training should involve on-site team exercises to develop competent decision making, coordination, and communication. Emergency team drills should involve full participation, as would be required in actual emergency situations, including a well blowout. Companies should approach team training as a means of instilling overall safety as a high priority.
Recommendation 5.5c: Use of training simulators similar to those applied in the aerospace industry and the military should be considered.
7 This recommendation is also presented as Summary Recommendation 6.14.
Approaches using simulators should include team training for coordination of activities in crisis situations.
Summary Recommendation 5.6: Efforts to reduce the probability of future blowouts should be complemented by capabilities of mitigating the consequences of a loss of well control. Industry should ensure timely access to demonstrated well-capping and containment capabilities.
Summary Observation 6.1: The regulatory regime was ineffective in addressing the risks of the Macondo well. The actions of the regulators did not display an awareness of the risks or the very narrow margins of safety.
Summary Observation 6.2: The extent of training of key personnel and decision makers in regulatory agencies has been inconsistent with the complexities and risks of deepwater drilling.
Summary Observation 6.3: Overall, the regulatory community has not made effective use of real-time data analysis, information on precursor incidents or near misses, or lessons learned in the Gulf of Mexico and worldwide to adjust practices and standards appropriately.
Summary Recommendation 6.1: The United States should fully implement a hybrid regulatory system that incorporates a limited number of prescriptive elements into a proactive, goal-oriented risk management system for health, safety, and the environment.
Recommendation 6.2: BSEE should continue to work closely with private industry and other agencies in adopting and developing comprehensive goals and standards to govern the many processes and systems involved in offshore drilling.
Recommendation 6.3: BSEE should make effective use of existing industry standards, well-established international standards, and best practice guidelines used by other countries, but it should recognize that standards need to be updated and revised continually.
Recommendation 6.4: As the SEMS program moves forward in the United States, BSEE should incorporate the steps already taken by private indus-
try (and industry associations and consortia) to improve offshore drilling safety after the Deepwater Horizon accident.
Recommendation 6.5: Quantitative risk analysis should be an essential part of goal-oriented risk management systems.
Summary Recommendation 6.6: BSEE and other regulators should identify and enforce safety-critical points during well construction and abandonment that warrant explicit regulatory review and approval before operations can proceed.
Recommendation 6.7: To augment SEMS, BSEE should work closely with private industry to develop a list of safety-critical points during well construction and abandonment that will require explicit regulatory review and approval before operations can proceed.
Recommendation 6.8: As part of a hybrid risk management system, BSEE should establish safe operating limits, which, when exceeded, would require regulatory approval for operations to proceed.
Recommendation 6.9: BSEE should incorporate requirements for approval and certification of key steps during well construction into codes and standards.
Recommendation 6.10: BSEE should review existing codes and standards to determine which should be improved regarding requirements for (a) use of state-of-the-art technologies, especially in areas related to well construction, cementing, BOP functionality, and alarm and evacuation systems, among others, and (b) approval and certification incumbent to management of changes in original plans for well construction.
Recommendation 6.11: The manner in which the above-mentioned codes and standards will be enforced should be specified by BSEE in the well plan submitted by operating companies for approval.
Recommendation 6.12: BSEE should adopt a system of precertification of operators, contractors, and service companies before granting a drilling permit for especially challenging projects.
Recommendation 6.13: BSEE should consider the use of independent well examiners to help in reviewing well plans and in regularly monitoring ongoing activities during drilling, completion, and abandonment.
Summary Recommendation 6.14: Industry, BSEE, and other regulators should improve corporate and industrywide systems for reporting safety-
related incidents. Reporting should be facilitated by enabling anonymous or “safety privileged” inputs. Corporations should investigate all such reports and disseminate their lessons-learned findings in a timely manner to all their operating and decision-making personnel and to the industry as a whole. A comprehensive lessons-learned repository should be maintained for industrywide use. This information can be used for training in accident prevention and continually improving standards.8
Summary Recommendation 6.15: A single U.S. government agency should be designated with responsibility for ensuring an integrated approach for system safety for all offshore drilling activities.
Recommendation 6.16: As a first step, DOI should work with other departments and agencies with jurisdiction over some aspect of offshore drilling activities to simplify and streamline the regulatory process for drilling on the U.S. outer continental shelf.
Recommendation 6.17: BSEE should work with other federal agencies to delegate supporting regulatory responsibilities and accountabilities for ensuring system safety, integrating all aspects of system safety for the parts of offshore drilling operations in which a particular agency is involved. BSEE should strive to involve the domain expertise and core competencies of the other relevant agencies. BSEE should have purview over integrating regulation, inspection, and monitoring enforcement for all aspects of system safety for offshore drilling operations.
Recommendation 6.18: BSEE should work with other federal agencies to develop efficient and effective mechanisms for investigating future accidents and incidents.
Recommendation 6.19: DOI should require BSEE to provide the Secretary of the Interior with a net assessment of the risks of future drilling activities so that such risks can be factored into decisions with regard to new leases. Focusing on system safety, the assessment should be a formal probabilistic risk analysis that evaluates risks associated with all operations having the potential for significant harm to individuals, environmental damage, or economic loss. The operations addressed by the assessment should include drilling and well construction, temporary well abandonment, oil and gas production, and eventual well abandonment.
Summary Recommendation 6.20: Operating companies should have ultimate responsibility and accountability for well integrity, because only they are in a position to have visibility into all aspects. Operating companies
should be held responsible and accountable for well design, well construction, and the suitability of the rig and associated safety equipment. Notwithstanding the above, the drilling contractor should be held responsible and accountable for the operation and safety of the offshore equipment.9
Recommendation 6.21: In carrying out its regulatory responsibilities, BSEE should view operating companies as taking full responsibility for the safety of offshore equipment and its use.
Recommendation 6.22: While the operating company is recognized to have the principal responsibility for compliance with rules and regulations governing offshore operations, BSEE should require the partner companies (as co-lease holders) to have a “see to” responsibility to ensure that the operator conducts activities in such a manner that risk is as low as reasonably practicable.
Summary Recommendation 6.23: BSEE and other regulators should undertake efforts to expand significantly the formal education and training of regulatory personnel engaged in offshore drilling roles to support proper implementation of system safety.
Recommendation 6.24: BSEE should exert every effort to recruit, develop, and retain experienced and capable technical experts with critical domain competencies.
Summary Recommendation 6.25: BSEE and other regulators should foster an effective safety culture through consistent training, adherence to principles of human factors, system safety, and continued measurement through leading indicators.
Recommendation 6.26: As a regulator, BSEE should enhance its internal safety culture to provide a positive example to the drilling industry through its own actions and the priorities it establishes.
BP. 2010. Deepwater Horizon Accident Investigation Report, http://www.bp.com/liveas-sets/bp_internet/globalbp/globalbp_uk_english/gom_response/STAGING/local_assets/downloads_pdfs/Deepwater_Horizon_Accident_Investigation_Report.pdf. Most recently accessed Jan. 17, 2012.
DNV. 2011a. Forensic Examination of Deepwater Horizon Blowout Preventer, Vols. 1 and 2 (Appendices). Final Report for U. S. Department of the Interior, Bureau of Ocean Energy Management, Regulation, and Enforcement, Washington, D.C. Re-
9 This recommendation is also presented as Summary Recommendation 5.1.
port No. EP030842. http://www.boemre.gov/pdfs/maps/DNVReportVolI.pdf, http://www.uscg.mil/hq/cg5/cg545/dw/exhib/DNV%20BOP%20report%20-%20Vol%202%20%282%29.pdf. Most recently accessed Jan. 17, 2012.
DNV. 2011b. Addendum to Final Report: Forensic Examination of Deepwater Horizon Blowout Preventer. Report No. EP030842. http://www.boemre.gov/pdfs/maps/AddendumFinal.pdf. Most recently accessed Jan. 17, 2012.
DoD. 2000. Standard Practice for System Safety. MIL-STD-882D. Feb. 10. http://www.everyspec.com/MIL-STD/MIL-STD+(0800+-+0899)/MIL_STD_882D_934/. Most recently accessed Jan. 17, 2012.
USCG. 2011. Report of Investigation into the Circumstances Surrounding the Explosion, Fire, Sinking and Loss of Eleven Crew Members aboard the Mobile Offshore Drilling Unit Deepwater Horizon in the Gulf of Mexico April 20–22, 2010, Vol. I. http://www.hsdl.org/?view&did=6700. Most recently accessed Jan. 17, 2012.
West Engineering Services, Inc. 2004. Shear Ram Capabilities Study for U.S. Minerals Management Service. Requisition No. 3-4025-1001. Sept. http://www.boemre.gov/tarprojects/463/(463)%20West%20Engineering%20Final%20Report.pdf. Most recently accessed Jan. 17, 2012.