Deepwater Horizon report
Back in June (this blog does not in any way aim to be a timely reporter of news), Transocean released their report on the Deepwater Horizon disaster. I found it interesting, and read most of it; it seems like primarily an honest effort to get to the bottom of the disaster, not an exercise in blame-shifting and ass-covering. (I am not involved in the industry, so might be being a bit naive here, but at least have the miserable excuse that I am unbiased.) There is only one place, described below, where I noticed the report getting weaselly. Otherwise, the bad decisions were quite plainly BP’s, both as a matter of law (they being the “operator” who was in control) and as a matter of fact; so Transocean didn’t need to indulge in evasiveness, but could just plainly state what happened, and what should have been done better.
The main thing I was interested in was what had happened with the blowout preventer. Back during the disaster, there was all sorts of speculation about it. After dragging the 150-ton device up from the deeps, they indeed have figured out what happened – and it was none of the scenarios regarding hydraulic failure or electrical failure that were voiced in the press. All the mechanics of the thing had worked: batteries provided current; valves opened; hydraulic accumulators provided hydraulic power; rams closed and were locked closed by massive steel wedges. The engineering seems to have been, throughout, the sort of thing that one does if one wants a device to work very reliably. There are minor questions regarding some pieces of it (one relay in one of the dual-redundant electrical boxes seems to have been goosey somehow), but those weren’t why it failed. Why it failed, to summarize the whole sequence of things that went wrong, is that it was a blowout preventer, but what they needed was a blowout interrupter. The fast, high-pressure flow through the device, carrying not just fluids but pieces of abrasive rock, was something it had never been designed or tested to control. The report comes with a good video showing the whole sequence of failures, which does a better job of describing it than the report does, or that I can do here – so I won’t try.
The place where I noticed the report getting weaselly was in the following language:
The investigation team is aware that some sources suggest that the various activities during final displacement constituted inappropriate “simultaneous operations,” which may have interfered with the monitoring of the well. Tasks such as repairing a relief valve or dumping a trip tank commonly are performed on an offshore rig and would be considered normal in the course of operations – not simultaneous operations. … The investigation team determined that after the fluid transfers to the Bankston were completed at 5:10 p.m., the activities of the drill crew were completed in a sequential manner, and “simultaneous operations” were not present.
As to what exactly constitutes “simultaneous operations”, I’ll leave that to the lawyers. My sympathy goes out to the people in the industry who must labor under rules defined so imprecisely. Hopefully, on a fifty-thousand-ton drilling rig with 150 people on board, at least some of them are allowed to walk and chew gum at the same time. But whatever the rules might be, the physics issue here is that the most reliable way of monitoring flow out of the well was by measuring the levels in the tanks (the “mud pits”) it was flowing into; there were other flow sensors on board, but none nearly as accurate. But in this case, at the same time that mud was flowing from the well into mud pits, it was being pumped from them overboard into the auxiliary ship Damon B. Bankston. So the operators couldn’t simply determine the amount of fluid coming out of the well by looking at how much had accumulated in the mud pits.
This sort of thing was a large part of why the disaster occurred: if they’d noticed the well “kicking” earlier, by observing that it was sending out a lot more fluid than they were pumping in, they’d have been able to shut it down before the flow got too great for the blowout preventer to stop, and before gas emerged onto the deck, exploded, and turned the rig into an inferno. Since this part of the rig’s operations was largely or entirely the responsibility of Transocean, it is no wonder that their report gets a bit weaselly – which is not to suggest that anything stated is untrue; indeed, their defense on grounds of timing is a good one. The disaster struck much later in the day: gas exploded onto the deck at 9:45 p.m., after having started flowing into the bottom of the well at a time estimated as “sometime between 8:38 p.m. and 8:52 p.m.”. So probably no serious discrepancies in flow happened during the time before 5:10 p.m. during which they were pumping mud out to the Bankston. (As to why they didn’t notice the later discrepancies, the investigation was hampered by the fact that most or all of the people who should have noticed died in the disaster.)
Still, even with it not being the cause of the disaster, not being able to monitor flow from the well was undesirable. At first glance, this seems to be a case where doing things right would impose serious delays, from doing things consecutively rather than simultaneously. But on consideration, there seems to be a way, in this sort of situation, to accurately monitor the fluid volume coming from the well while still simultaneously transferring it overboard. That would be to direct fluid coming out of the well to a mud pit that wasn’t currently being emptied, then when that pit filled, to switch the flow from the well to another mud pit and start emptying the first pit, alternating between the two (or more) pits as necessary. That way, the volume coming from the well could be accurately calculated by measuring levels in the pits, without any serious costs. It would mean a bit more activity (switching of valves and pumps), but little more in the way of costs. The report makes no mention of this as a possible alternative; perhaps they didn’t think of it, or perhaps there was some stupid little reason (involving, say, details of pipes and valves, or of control software) that it wouldn’t have been feasible. But there don’t seem to have been any big reasons: the rig had more than enough mud pits, and enough valves and pumps. As for the control software, with forethought they could even add a feature to do this procedure automatically, switching flow between pits and totalling up the rises in levels of the active pit(s) in order to get the total flow, then displaying that for the operator rather than forcing him to do the arithmetic.
The primary thing that went wrong, though, was the cement job at the bottom of the hole. The investigations found so many things done badly about the cement job that it’s hard to tell which of them was actually responsible for the failure. To pick just one error, they tried to leave drilling mud below the cement while it cured, with the drilling mud being lower density (14.17 pounds per gallon) than the cement (16.74 ppg), and with no barrier separating the two fluids, just a “reamer shoe” with an open orifice of about an inch and a half in diameter (to judge from the diagrams). How they could possibly have thought this would succeed is unclear: when you put a heavier fluid on top of a lighter fluid, they naturally tend to swap places. And in the place the cement would have migrated to (the 55-foot-long “rat hole” under the end of the casing), it would have been of no use at all. It wasn’t like the cement was particularly resistant to flowing (the report quotes its shear strength at 2 lbf/100ft2), or like it set particularly fast (the report speaks of setting times in hours). Also, as it dribbled out that hole, the mud that came in to replace it would then have proceeded to bubble up to the top of the cement column. And that was the critical piece of cement that failed: there was also cement outside the casing, which had its own issues; but in the disaster, the rogue flow came up the inside. With mistakes on this level (another was to make foamed cement with one of the ingredients being an anti-foaming additive), it’s not a question of just saying “be more careful next time”; people need to lose their jobs, if they haven’t already – and not just the people who originated these particular mistakes, but also their supervisors. Increased government regulation, as per the usual knee-jerk response, can’t fix a lack of clue in the industry itself.