This chapter describes the basic function of the Deepwater Horizon mobile offshore drilling unit (MODU);1 its application in the Macondo well exploration; and specific areas of investigation undertaken by the committee, including rig safety systems, training and responsibilities of rig personnel, and events on the rig just before and in response to the explosions and fire. Many of the issues considered were raised in witness testimony at investigative hearings, during presentations to the committee, and in previously published reports (BP 2010; BOEMRE 2011; Chief Counsel 2011; DHSG 2011; Presidential Commission 2011; Republic of the Marshall Islands 2011; Transocean 2011a; USCG 2011), especially in terms of the role of the rig and its crew in the loss of well control and loss of life. The chapter provides the committee’s findings and observations on those topics, as well as recommendations for improving rig safety.
The Deepwater Horizon was a dynamically positioned drilling unit designed to propel itself to an exploration site and then keep station over the site (without using a fixed mooring system), acting as a base for drilling operations (see Figure 4-1). The rig served as a self-propelled vessel, a stable floating base for drilling and outfitting a deep subsea well, a command and control base for exploration, and a home for its crew.2
As is typical for offshore drilling rigs, when it was under way at sea, the rig was operated by a crew under the command leadership of a U.S. Coast Guard–licensed master. Crew actions were directed by the offshore installation manager (OIM) whenever the rig was attached to the bottom or made fast over a drilling site. The crew members involved in the use of offshore equipment were divided into functional areas of deck, engineering, and drilling and subsea operations, each of which was led by a department head, subordinate to the master and OIM in the command organization. Crew members stood watches in a prescribed rotation, and crews were regularly cycled on and off the rig to support continuous operations.
1 The term “rig” is intended to be synonymous with MODU.
2 See Republic of the Marshall Islands (2011) for additional overview information on the Deepwater Horizon.
The Deepwater Horizon worked on the Macondo well under the command of Transocean even during drilling operations, as contracted by BP. BP’s on-site direction was provided by two well site leaders. Four others from BP (a well site trainee and three subsea engineers) were also aboard. In addition, BP separately contracted for services aboard the Deepwater Horizon from contractors, including Halliburton (cementing), Sperry Sun (well data logging), M-I SWACO (mud material and engineering), Schlumberger (well and cement logging services), Weatherford (provider of casing accessories), and Tidewater (owner–operator of the offshore supply vessel Damon B. Bankston) (Transocean 2011a, 17). Further information is given in Chapter 5.
Six large diesel generators powered the rig’s integrated electric plant. Propulsion and dynamic positioning were produced by steerable thruster pods. Generated electrical power was also consumed by hotel loads, drilling equipment loads, and damage control equipment including pumps for firefighting and dewatering. A backup diesel generator, smaller than any of the six main units, provided emergency power for lighting and restarting the main engines in the event of a loss of main power. Propulsion power plays a vital role in maintaining the rig’s position, since wind and currents constantly work to move the rig away from the wellhead, risking separation of the riser from the wellhead. Thus, the rig’s design and maintenance with regard to sustaining reliable propulsion power play important roles in drilling operations safety, as well as in traditional marine navigation safety.
FIGURE 4-1 Basic dimensions of the Deepwater Horizon rig while drilling. Source: Chief Counsel 2011, p. 26.
A system of protective electrical and mechanical devices, intended to detect combustible gas and prevent its ignition, was designed into areas of the rig where potentially explosive mixtures of hydrocarbons and air may accumulate if released. Components located in rig zones with the greatest risk of high-gaseous hydrocarbon concentrations were described as “classified,” designed to protect against exterior ignition and required to pass tests demonstrating isolation of internal ignition sources from potentially combustible atmospheres. Outside the classified zones, use of standard components without such ignition prevention features was permissible.
Alarms and Indications
The Deepwater Horizon’s alarm system was controlled and monitored from the integrated alarm and control system (IACS), which comprised a network of distributed computers. Workstations around the rig displayed the condition of the propulsion system, generators, auxiliaries, and other systems. From the bridge, the watch team could monitor all instrumented activities including dynamic positioning activities, drilling, fire and gas detection, power management, and machinery systems. The integrated system is described in some detail by May and Foss (2000). According to the paper, the dynamic positioning system was a triple-redundant system with dual buses, designed with the intent of being reliable and robust.
As discussed by BP (2010), Republic of the Marshall Islands (2011), and Transocean (2011a), the fire and gas panel monitored fire detectors, combustible gas detectors (CGDs), and toxic gas detectors. There were 27 CGDs on the rig, each of which had an audible and visual alarm. According to BP (2010), the system was designed to have only one CGD at each location. Thirteen of the 27 CGDs had automatic responses, such as securing ventilation fans and all electrical power to an affected area that was in an alarm condition, while the other 14 only had an audible and visual display. The engine room ventilation CGDs did not have an automated response, which required a crew member to validate an alarm in this space before taking manual actions, since securing one or more operating diesel engines could disrupt dynamic positioning of the rig (Transocean 2011a). An emergency disconnect from the well might be necessary if the rig was latched up to the subsea system and dynamic positioning was lost.
Diesel Generator Safety Systems
The diesel engines were fitted with three overspeed shutdown devices that would shut off the fuel, but none of these devices was designed to close off the air intake to the engines directly (USCG 2011). Instead, one of the speed signals was sent to the IACS. If that system determined that the diesel engine was 13 percent above its rated speed, it would cut both the fuel and the air supply to the engine. This was the only overspeed protection on the diesel engines that would automatically cut off the air to the engine. The diesel generator intake air could also have been closed off from the emergency shutdown panels in the driller’s shack, the bridge, or the engine control room, or manually at each engine (USCG 2011).
When control of the Macondo well was lost and hydrocarbons were released aboard the Deepwater Horizon, the rig suffered two significant explosions before bridge watch standers sounded the general alarm and took steps to attempt actuation of the emergency disconnect system (EDS) (USCG 2011). (See Figure 3-4 for a timeline of the various events leading up to the explosion.) When the gas alarms were triggered, the crew did not take steps to shut down the main engines or stop the flow of outside air into the machinery spaces, which would have isolated potential sources of ignition (USCG 2011). The apparent cause of the explosions was ignition of a combustible mixture of gaseous hydrocarbons (from the well) and air. However, no investigation has determined the precise source of ignition for the explosions.
Loss of power from the two operating diesel generators occurred close to the time of the explosions. Testimony from some of the survivors indicated that the operating diesel generators increased speed in the seconds preceding the explosions and then stopped at the second explosion.3 Other testimony described a loss of lighting and general electrical power just before the second explosion.4 It was consistently reported that lighting and other power had failed prior to the diesel generator engines shutting down.5 No independent data were available to support or refute the witness testimony concerning the sequence of electric plant changes during the disaster. Nonetheless, testimony points to the following as the most likely scenario:
• The hydrocarbon stream resulting from loss of well control flowed from the riser to the top of the derrick.6
• Flow was diverted to the mud-gas separator (MGS) system and began to exit at the MGS vents, spewing mud, oil, and gas from the goosenecks to the deck below.7
• A cloud of hydrocarbons formed around the rig, in light wind conditions, and quickly expanded to encompass most of the rig (BP 2010, 126–138 and Appendix V, 22-24).
• The running diesel generators ingested a mix of hydrocarbons and air through their induction systems, causing acceleration of the engines and an increase in the generators’ speed8 and thus an increase in the generators’ frequencies.
• Engines started to overspeed and power was lost on the rig, as recognized in later analysis of the lost data feed on the real-time data recorder (BP 2010, 111).
• Seconds later, two successive explosions occurred.
• Both operating diesel generator engines shut down.9
3 Testimony of Randy Ezell, May 28, 2010, Hearing Before the Deepwater Horizon Joint Investigation Team, 283-284.
4 Testimony of James Nicholas Wilson, October 13, 2010, 10; of Stephen Bertone, July 19, 2010, 35; and of Douglas Brown, May 26, 2010, 94-95, Hearing Before the Deepwater Horizon Joint Investigation Team.
5 Testimony of Charles Credeur, May 29, 2010, Hearing Before the Deepwater Horizon Joint Investigation Team, 63-64.
6 Testimony of Micah Sandell, May 29, 2010, Hearing Before the Deepwater Horizon Joint Investigation Team, 8, 10, 12.
7 Testimony of Micah Sandell, May 29, 2010, Hearing Before the Deepwater Horizon Joint Investigation Team, 8, 10, 12.
The only path, other than straight up through the derrick or through the MGS system vents, through which uncontrolled hydrocarbon flow could have been directed is through 14-inch diverter lines, which were positioned to send the flow overboard at about derrick floor level (see Figure 4-2). Testimony cited above indicates that this did not occur, and why there was no hydrocarbon flow along that path remains an unresolved question.10 According to BP’s analysis, the overboard diverter flow of hydrocarbons might have delayed the formation of the explosive cloud that surrounded the rig (BP 2010, 128).
As the rig suffered from a loss of power, explosions, and fire, the bridge team reacted, but confusion clouded the decision process. The general alarm was manually activated by the dynamic positioning officer, and she sent Mayday messages.11 Senior officers argued about whether the order had been given to initiate an emergency disconnect of the lower marine riser from the blowout preventer (BOP), and they were conflicted about who had the authority to issue that order, the master or the OIM.12 Before the master and OIM completed discussions about initiating the EDS, the subsea supervisor had already made an attempt to do so, but it was unsuccessful (USCG 2011). The display panels indicated that the disconnect had occurred, but he determined that the MODU was still connected to the riser (USCG 2011).
8 Testimony of Douglas Brown, May 26, 2010, Hearing before the Deepwater Horizon Joint Investigation Team, 93-94.
9 Testimony of Stephen Bertone, July 19, 2010, Hearing before the Deepwater Horizon Joint Investigation Team, 35-36.
10 Testimony of Micah Sandell, May 29, 2010, Hearing Before the Deepwater Horizon Joint Investigation Team, 9-11.
11 Testimony of Andrea Fleytas, October 5, 2010, Hearing Before the Deepwater Horizon Joint Investigation Team, 14.
12 Testimony of Daun Winslow, August 23, 2010, 450-451, and of Stephen Bertone, July 19, 2010, 39, Hearing Before the Deepwater Horizon Joint Investigation Team.
FIGURE 4-2 Illustration of the main deck of the Deepwater Horizon. The rig crew could send fluids from the well overboard through the overboard diverter lines. Alternatively, the crew could route flow from the well to an MGS pipe and vent hydrocarbon gas before sending the mud to the mud pits (not shown). Source: Chief Counsel 2011, p. 27.
Assuming that emergency disconnect had occurred, the chief engineer and others attempted unsuccessfully to restart the standby generator in an effort to restore power to pump water for firefighting and power thrusters to reposition the rig.13 On the basis of the severity of the damage and fire and the inability to restore power, a decision was made to order abandonment of the rig.14
All but 11 of the crew survived and were rescued. Most of the survivors followed the abandonment order by making their way to the operable lifeboats. Despite the substantial confusion among rig personnel, evacuation was effected. One hundred personnel left by two lifeboats (combined capacity of 146), seven left in a life raft, and eight jumped into the sea (Transocean 2011a, 201–203). The large number of personnel to escape by lifeboat was attributed to a few key crew members who delayed launching until they had boarded as many as possible.15,16
13 Testimony of Stephen Bertone, July 19, 2010, Hearing Before the Deepwater Horizon Joint Investigation Team, 39-40.
14 Testimony of Stephen Bertone, July 19, 2010, Hearing Before the Deepwater Horizon Joint Investigation Team, 39-40.
15 Testimony of Micah Sandell, May 29, 2010, Hearing Before the Deepwater Horizon Joint Investigation Team, 11-13.
16 Testimony of Daun Winslow, August 23, 2010, Hearing Before the Deepwater Horizon Joint Investigation Team, 452.
In the confusion of the evacuation, no complete muster (headcount) of personnel was conducted onboard the Deepwater Horizon (USCG 2011). At least two of the four senior merchant marine officers expected to be most knowledgeable about coordinating a mass evacuation of the rig were not available to participate in the muster or in the launching of either lifeboat, because they were carrying out other duties. Also, when fire and abandonment drills were conducted, the marine crew and the drill crew did not collectively participate because of drilling operations (USCG 2011).17
The supply vessel, Damon B. Bankston, was alongside the rig when the blowout occurred. The vessel’s “fast rescue craft” was instrumental in the rescue of survivors who had jumped into the sea. The ship’s crew also helped in freeing the life raft from a rope that tethered the raft to the rig and in towing the raft to safety (USCG 2011, xiv). The rig crew had not practiced a life raft launch, and the raft occupants were unable to release the connecting line on their own (USCG 2011, xv, 64).
After all survivors had been accounted for, it was determined that the 11 killed were crew last seen on the drill floor, the mud pump room, and the shaker house. All of those areas were broadly exposed to the gaseous hydrocarbon flow erupting from the well through the MGS system vents.18 No protection system was built into these working areas of the rig to deflect the effects of explosion from those who were exposed.
Complex Operations in Hazardous Environments
Conduct of marine exploration drilling from the Deepwater Horizon and other deepwater rigs is an extremely complex engineering operation in an unforgiving maritime environment. Management of those complexities by the responsible companies during the drilling and temporary abandonment of the Macondo well was unsuccessful in preventing loss of life, injury, and extensive pollution of the environment. This disaster underscores the need for instilling an effective systems safety approach for offshore drilling operations (see Chapter 5). Programs for system safety that were established for other safety-critical large-scale activities can be a source of useful guidance.
In the aftermath of the loss of a space shuttle, the Columbia Accident Investigation Board (CAIB) in 2003 examined the U.S. Navy’s Submarine Safety Program (SUBSAFE)19 as one example of successful implementation of system safety (CAIB 2003, 182–184). Among the observations made by CAIB with regard to the Navy’s submarine programs, the following highlights provide useful guidance in considering the oil and gas industry’s and government’s necessary responses to the Deepwater Horizon disaster:
• Technical requirements are clearly documented and achievable, with minimal “tailoring” or granting of waivers.
• A separate compliance verification organization independently assesses program management.
• There is a strong safety culture that emphasizes understanding and learning from past failures.
• Extensive safety training is based on past accidents.
• The safety program structure is enhanced by the clarity, uniformity, and consistency of submarine safety requirements and responsibilities. Program managers are not permitted to “tailor” requirements without approval from the organization with final authority for technical requirements and the organization that verifies compliance with critical design and process requirements.
• Compliance with critical design and process requirements is independently verified by a highly capable centralized organization that also “owns” (i.e., accepts responsibility for) the processes and monitors the program.
17 In its response to the U.S. Coast Guard report (USCG 2011), Transocean (2011b) noted that “To require on-duty drill crews to participate in fire drills would be imprudent and unsafe—during the fire drill no one would be left to monitor the well.”
18 In its report, the U.S. Coast Guard (USCG 2011, x) concludes that the crew on the drill floor and in the mud pits were likely killed during the initial explosions.
19 SUBSAFE was implemented in 1963, after the loss of the USS Thresher. Since SUBSAFE was implemented nearly 50 years ago, no SUBSAFE-certified submarine has been lost at sea. This is far different from the situation that existed before SUBSAFE, when, on average, a submarine was lost every 3 years to noncombat causes from 1915 to 1963. Additional discussion of the safety system aspect of SUBSAFE is provided by Presidential Commission (2011).
On the basis of the preceding discussion and the information obtained from witness testimony at investigative hearings, presentations to the committee, and previously published reports, the committee has developed the following findings, as well as the observations and recommendations provided in subsequent sections.
Explosions and Fire on the Deepwater Horizon
Summary Finding 4.1: Once well control was lost, the large quantities of gaseous hydrocarbons released onto the Deepwater Horizon, exacerbated by low wind velocity and questionable venting selection, made ignition all but inevitable.
Finding 4.1a: Uncontrolled flow of hydrocarbons through the derrick resulted in a huge cloud of combustible atmosphere surrounding the rig.
Finding 4.1b: The rig was not designed to prevent explosion or fire once it was surrounded by the extent of combustible atmosphere facing the Deepwater Horizon.
Finding 4.1c: Hydrocarbon flow was not redirected overboard. Overboard discharge of the blowout might have delayed the explosion and fire aboard the rig.
Finding 4.1d: Explosions and subsequent fire are suspected to have resulted from ignition of the surrounding combustible cloud; the source of the ignition cannot be definitively determined.
The Rig’s Power Supply
Finding 4.2: Loss of power led to a broad range of effects including loss of firefighting ability, position-keeping ability, and overall situational control.
Finding 4.2a: The rig’s dynamic positioning system operated as designed until the loss of power disabled the rig’s ability to maintain station or reposition under control.
Finding 4.2b: Backup system designs did not ensure reliable power.
Finding 4.2c: The standby generator did not automatically start and could not be started in manual mode, indicating deficient reliability in the backup system needed to restore main generator power.
Finding 4.2d: Poor performance by the standby diesel generator may indicate that insufficient environmental testing was specified for this critical, last-resort power system to demonstrate robust capability or any local indication of generator starting availability.
Alarm and Indication Systems, Procedures, and Training
Finding 4.3: Alarm and indication systems, procedures, and training were insufficient to ensure timely and effective actions to prevent the explosions or respond to save the rig.
Finding 4.3a: The rig design did not employ automatic methods to react to indications of a massive blowout, leaving reactions entirely in the hands of the surviving crew.
Finding 4.3b: The crew was ill-prepared for the scale of this disaster.
Finding 4.3c: Watch officers were not trained to respond to the conditions faced in this incident.
Finding 4.3d: Emergency procedures did not equip the watch standers with immediate actions to minimize damage and loss of life.
Finding 4.3e: The training routine did not include any full rig drills designed to develop and maintain crew proficiency in reacting to major incidents.
Finding 4.3f: Training of key personnel did not include realistic blowout scenarios or the handling of multiple concurrent failures.
Finding 4.3g: Crew members lacked cross-rate training to understand rig total systems and components. As a result, many of the crew were inadequately prepared to react to the incident.
Decision Authority and Command
Finding 4.4: Confusion existed about decision authority and command. Uncertainty as to whether the rig was under way or moored to the wellhead contributed to the confusion on the bridge and may have impaired timely disconnect.
Finding 4.5: The U.S. Coast Guard’s requirement for the number and placement of lifeboats was shown to be prudent and resulted in sufficient lifeboat capacity for effective rig abandonment. The Coast Guard’s investigation report (USCG 2011) notes a lack of heat shielding to protect escape paths and life-saving equipment.
Lack of Fail-Safe Design and Testing, Training, and Operating Practices Aboard the Rig
Finding 4.6: The above findings indicate that the lack of fail-safe design and testing, training, and operating practices aboard the rig contributed to loss of the rig and loss of life. The chain of events that began downhole (see Chapter 2) could have been interrupted at many points, such as at the wellhead by the BOP (see Chapter 3) or aboard the rig, where the flow might have been directed overboard or where the rig itself might have been disconnected from the well and repositioned. Had the rig been able to disconnect, the primary fuel load for the fire would have been eliminated.
Observation 4.1: The actions of some crew members in requiring due consideration of additional survivors before launching lifeboats, despite the fearsome fires engulfing the rig, are commendable and were important in the highly successful evacuation.
Observation 4.2: The attempts to start the standby diesel generator and restore power for damage control were acts of bravery.
Observation 4.3: Conditions of explosion, fire, loss of lighting, toxic gas, and eventual flooding and sinking could have resulted in many more injuries or deaths if not for the execution of the rig’s evacuation.
Rules for Rig Propulsion Control Systems
Observation 4.4: American Bureau of Shipping (ABS)20 rules require that propulsion control systems for MODUs shall “in general” comply with the Steel Vessel Rules. This requirement may give rise to ambiguity concerning primary control and monitoring systems on MODUs.
Summary Recommendation 4.1: Instrumentation and expert system decision aids should be used to provide timely warning of loss of well control to drillers on the rig (and ideally to onshore drilling monitors as well). If the warning is inhibited or not addressed in an appropriate time interval, autonomous operation of the blind shear rams, EDS, general alarm, and other safety systems on the rig should occur.21
20 As a classification society, the role of ABS is to verify that marine vessels and offshore structures comply with rules that the society has established for design, construction, and periodic survey (ABS 2011).
Safety System Design
Recommendation 4.2: Rigs should be designed so that their instrumentation, expert system decision aids, and safety systems are robust and highly reliable under all foreseeable normal and extreme operating conditions. The design should account for hazards that may result from drilling operations and attachment to an uncontrolled well. The aggregate effects of cascading casualties and failures should be considered to avoid the coupling of failure modes to the maximum reasonable extent.
Recommendation 4.3: Industry and regulators should develop fail-safe design requirements for the combined systems of rig, riser, BOP, drilling equipment, and well to ensure that (a) blowouts are prevented and (b) if a blowout should occur the hydrocarbon flow will be quickly isolated and the rig can disconnect and reposition. The criteria for these requirements should be maximum reasonable assurance of (a) and (b) and successful crew evacuation under both scenarios.
Recommendation 4.4: Industry and regulators should implement a method of design review for systemic risks for future well design that uses a framework with attributes similar to those of the Department of Defense Standard Practice for System Safety (DoD 2000), which articulates standard practices for system safety for the U.S. military, to address the complex and integrated “system of systems” challenges faced in safely operating deepwater drilling rigs. The method should take into consideration the coupled effects of well design and rig design. (See Chapter 5 for a discussion of safety system qualities.)
Recommendation 4.5: Industry should institute design improvements in systems, technology, training, and qualification to ensure that crew members are best prepared to cope with serious casualties.
Recommendation 4.6: ABS should eliminate any ambiguity in its rules requiring that propulsion control systems for MODUs shall “in general” comply with the Steel Vessel Rules. All of the primary control and monitoring systems and critical backup systems on these MODUs should be designed and tested to the highest standards in the industry.
Automatic Redirection of Hydrocarbon Flow Overboard
Recommendation 4.7: Industry should develop and implement passive or automatic methods to redirect hydrocarbon flow overboard. Ideally, the methods would include some artificial intelligence capability to evaluate the magnitude of the flow and prevailing wind.
Recovery of Main Electrical Power
Recommendation 4.8: Recovery of main electrical power is a vital capability for MODUs. Industry should ensure that standby generator systems will be reliable and robust for automatic starting. Moreover, standby generator location, controls, and power lines should be positioned to minimize the likelihood of damage from fire or explosions in the main engine room or from other casualties affecting the primary electric power system.
Capturing and Preserving Data for Future Investigations
Recommendation 4.9: Data logger systems should be designed for handling the bandwidth of sensor data that may arise under the most stressing casualty conditions. The systems should be able to transmit in real time to shore so that accurate records are potentially available for determination of root cause in subsequent investigation.
Alarms and Indicators
Recommendation 4.10: Inhibition of alarms should be allowed only when approved by a senior officer in the vessel. Regulators should require that the master, OIM, and chief engineer review periodically the status of alarms and indications and take action to resolve conditions of complacent behavior. This should be a standard item of regulatory and class inspections.
Recommendation 4.11: Drilling rig contractors should review designs to ensure adequate redundancy in alarms and indicators in key areas of the rig.
Education and Training of Rig Personnel
Recommendation 4.12: Drilling rig contractors should require realistic and effective training in operations and emergency situations for key personnel before assignment to any rig. Industry should also require that personnel aboard the rig achieve and maintain a high degree of expertise in their assigned watch station, including formal qualification and periodic reexamination.
Recommendation 4.13: Realistic simulators should be used to expose key operators to conditions of stress that are expected in major conflagrations, including heat and loss of visibility (see Chapter 5).
Recommendation 4.14: Realistic major drill scenarios with independent oversight should be part of the normal routine at sea.
Recommendation 4.15: Regulators should require that all permanent crew on a rig achieve a basic level of qualification in damage control and escape systems to ensure that all hands are able to contribute to resolving a major casualty.
Recommendation 4.16: Regulators should increase the qualification requirements of the OIM to reflect a level of experience commensurate with the consequences of potential failure in his or her decision making.
A comparison of the current minimum qualification requirements of an OIM with those of a rig master shows that the OIM requirements are much less rigorous today than is indicated by the OIM’s significant responsibilities for well control (46 CFR 11.404 and 46 CFR 11.470). For example, a typical master of unrestricted tonnage has a 4-year degree in a recognized maritime academy deck officer curriculum or more than 3 years of relevant rating sea time, plus additional years of sea experience in successive promotion roles from third mate through second mate and chief mate. In contrast, one may be licensed as an OIM with as little as 4 years (or 2 years plus an engineering technology degree) of experience aboard MODUs in roles as assistant driller, assistant tool pusher, electrician, or crane operator; 14 days of experience as a supervisor of those ratings; and a 5-day course in stability for OIMs.
Definition of Command at Sea
Recommendation 4.17: Definition of command at sea should be absolutely unambiguous and should not change during emergencies.
Recommendation 4.18: Regulators should establish the unity of command and clearly articulate the hierarchy of roles and responsibilities of company man, master, and OIM.
Appointment of Certification Authority
Recommendation 4.19: Operating companies and drilling contractors should institute a certification authority, accountable to the head of the company, to act as the senior corporate official responsible and accountable for meeting the conditions set out in a safety management system (see Chapter 5). This appointment should provide a powerful voice for safe execution of operations and surety in dealing with emergencies: the official should have the authority and responsibility to stop work if necessary.
System Safety Certification
Recommendation 4.20: Industry and regulators should consider relevant aspects of programs for system safety certification that were established for other safety-critical large-scale activities, such as the U.S. Navy’s Submarine Safety Program, as guidance in developing a response to the Deepwater Horizon incident.
Recommendation 4.21: Industry and regulators should develop and implement a certification to ensure that design requirements, material condition, maintenance, modernization, operating and emergency instructions, manning, and training are all effective in meeting the requirements of Recommendation 4.3 throughout the rig’s service life.
Recommendation 4.22: Regulators should require that the rig, the entire system, and the crew be examined annually by an experienced and objective outside team to achieve and maintain certification in operational drilling safeguards. The consequence of unsatisfactory findings should be suspension of the crew’s operation except under special supervisory conditions.