Blowout protection is provided by keeping the mud pressure inside the drill pipe higher than the pressure of the oil and gas outside in the deposits. This is feasible because we know how to measure the difference between these pressures; we know how to increase the mud pressure if the oil or methane pressure rises; and we know how to close off the well if this pressure exceeds the weight of the mud column and a "kick" is evolving. So why did the BP accident occur?
Bad engineering, bad operating practices and, most important, manual operation.
Manual operation means that the response to unsafe conditions depended on the judgment of the rig supervisor. That's dangerous because it is impossible to guarantee that the judgment and decisions of all rig supervisors will be safe 24/7 and not influenced by financial or schedule pressures.
In this case, the rig supervisor at BP decreased the mud density by injecting sea water into the well when it should have been increased. In addition, BP selected a potentially risky type of well casing design and released heat into the well during the cementing process to speed the setting of the concrete, risking the initiation of a "kick." The explosion occurred right after the heating of the cement seal around the wellhead started, causing the MI crystals to explode and shoot up, damaging a badly designed seal.
If automatic controls had been used, this operation would not have been allowed in the first place. Automatic controls also would not have allowed continued drilling when they detected that the BOP was faulty, had not been inspected or tested for two weeks, its readiness had not been validated, and its power supply was defective. It was known for days before the accident that hydraulic oil was leaking at the control pad. The rig's alarm system was disabled and did not sound at all during the accident.
It is true that the kick caused by the phase change of methane hydrate is so powerful that the drill pipe itself can be pushed into the BOP, and BP argues that nothing could have prevented this accident because the gas bubble caused such structural and mechanical damage to the safety systems and to the BOP itself that it was not possible to seal the well. Not true!
BP has a history of total ignorance of modern process control (the Thunder Horse accident in 2005 was caused by a check valve installed backwards; the 2005 explosion at its Texas City refinery resulted from not having a backup for a high-level switch; the Alaska pipeline accident in May was caused by a lack of sufficient monitoring, etc.). This backwardness in process control, combined with the company's arrogance and its being in denial, is a major contributor to the causes of this latest BP accident.
Controls Needed During Normal Operation
Good controls are always crucial, but when drilling for oil they are even more important because here the emergencies evolve faster than manual control can respond, and the sensors and safety trips operate in a very hostile environment. Therefore, the PID loop and the trips must be fast, the sensors redundant, and the final control elements (BOPs and their actuators) must have total backup.
Figure 1 illustrates the basic controls needed during normal operation, and Figure 2 shows the emergency controls that should have been used. The main goal of the normal operating controls is to keep the pressure inside the well higher than the pressure outside under all conditions, including when drilling through methane hydrate deposits.
As shown in Figure 1, in a properly designed system strain gauge sensors would have measured the differential pressure (ΔP), and a differential pressure transmitter (ΔPT) would have reported this measurement to a differential pressure recorder-controller (ΔP-RC). If the ΔP started to drop, the controller would have automatically increased the mud pressure (PMUD) by either pressurizing the mud tank (in seconds) and/or by increasing the mud density. BP had no such automatic controls and did not have means to pressurize the mud tank. All the components must be designed for operating in the hostile undersea environment, and be provided with self-diagnostics and full automatic backup. If BP had such a control loop, when the methane pressure started to rise, it would have automatically increased the mud pressure to balance the system, and prevented the evolution of a kick.
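The loop described above can be sketched as a small simulation. This is an added example, not taken from the article or from any rig control system: the pressures, setpoint, gain, rate limit and transmitter offsets are all constructed values, and the controller is a plain rate-limited integral loop fed by a median vote over three redundant ΔP transmitters.

```python
from statistics import median

SETPOINT = 200.0   # psi of overbalance to hold (assumed)
KI = 0.5           # integral gain, 1/s (assumed tuning)
MAX_RATE = 25.0    # psi/s that mud tank pressurization can deliver (assumed)

def vote(readings):
    """Median-select over redundant ΔPTs; a failed transmitter reports None."""
    good = [r for r in readings if r is not None]
    if len(good) < 2:
        raise RuntimeError("fewer than two healthy ΔP transmitters")
    return median(good)

def simulate(automatic, steps=120):
    """Return the lowest true ΔP seen while the formation pressure ramps up."""
    p_mud, p_formation = 5200.0, 5000.0   # psi, constructed starting point
    lowest = p_mud - p_formation
    for t in range(steps):
        if 20 <= t < 80:
            p_formation += 10.0           # constructed 600 psi gas-pressure rise
        dp_true = p_mud - p_formation
        lowest = min(lowest, dp_true)
        # Three transmitters with small constructed offsets; the third fails at t=40.
        readings = [dp_true + 3.0, dp_true - 2.0, dp_true if t < 40 else None]
        dp = vote(readings)
        if automatic:
            # ΔP-RC action: raise (or lower) mud pressure toward the setpoint,
            # limited by how fast the mud tank can be pressurized.
            move = KI * (SETPOINT - dp)
            p_mud += max(-MAX_RATE, min(MAX_RATE, move))
    return lowest

if __name__ == "__main__":
    print("lowest ΔP, automatic loop:", round(simulate(True), 1))
    print("lowest ΔP, no mud-pressure response:", round(simulate(False), 1))
```

With the loop closed the overbalance sags only slightly during the ramp, even after one transmitter fails; with no mud-pressure response the same ramp drives ΔP negative, which is the condition in which a kick develops.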
Controls Needed During Emergencies
In a properly designed system, if the normal operation controls failed or did not respond fast enough, the ΔP would drop to zero, and the low ΔP switch (ΔPS-L) would have automatically actuated the blinding rams in the BOP to close the annulus. If the blinding rams were also too slow or failed, and the mud pressure dropped further, the low-low ΔP switch (ΔPS-LL) would have automatically actuated the shear ram, completely closing the metal casing by also cutting the drill pipe.
The key error in the BP design was that neither the slide valve nor the shear ram itself had any backup. If correctly designed, the fully automatic operation of the shear ram system would have been as shown in Figure 2. In that system, the trips detect two levels of unsafe conditions. The response to the lower level trips is to actuate the backup shuttle valve and the associated components that operate the ram piston while the higher level trips would have caused the actuation of the backup blind shear ram in the backup BOP.
In this configuration, when the lower level response is initiated, the backup shuttle valve should not use the same energy source (hydraulic) as the failed one. The energy source for operating the backup BOP also should be different from the one used for the main BOP. Therefore, the backup system should be operated by high-pressure nitrogen.
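The escalation described in this section can be written as a latched trip ladder. This is an added sketch, not the logic of Figure 2 or of any real BOP control system: the thresholds below zero, the confirmation timeout and the element names are assumptions, and so is the rule that a stage also fires when the previous one was commanded but never confirmed closed.

```python
from dataclasses import dataclass, field

# (trip threshold in psi, final element, energy source); values are assumed
LADDER = [
    (0.0,    "blind_rams",             "hydraulic"),  # ΔPS-L
    (-50.0,  "shear_ram",              "hydraulic"),  # ΔPS-LL
    (-100.0, "shear_ram_backup_valve", "nitrogen"),   # backup shuttle valve
    (-150.0, "backup_bop_shear_ram",   "nitrogen"),   # backup BOP
]
CONFIRM_TIMEOUT = 3  # scans allowed for a commanded element to confirm closure

@dataclass
class TripLogic:
    commanded: dict = field(default_factory=dict)  # element -> scan it was tripped

    def scan(self, t, dp, closed):
        """One logic-solver scan: dp is the voted ΔP, closed the confirmed elements."""
        for i, (limit, element, _source) in enumerate(LADDER):
            if element in self.commanded:
                continue                  # trips latch; no automatic reset
            prev = LADDER[i - 1][1] if i else None
            prev_stuck = (prev in self.commanded and prev not in closed
                          and t - self.commanded[prev] >= CONFIRM_TIMEOUT)
            if dp <= limit or prev_stuck:
                self.commanded[element] = t
        return list(self.commanded)

def run(trace, working):
    """Replay a ΔP trace; only elements named in `working` ever confirm closure."""
    logic, closed, out = TripLogic(), set(), []
    for t, dp in enumerate(trace):
        out = logic.scan(t, dp, closed)
        closed |= {e for e in out if e in working}  # confirmation arrives next scan
    return out

if __name__ == "__main__":
    # Constructed trace: the main shear ram is commanded but never closes.
    trace = [120, 40, -5, -20, -60, -60, -60, -60, -60, -60]
    print(run(trace, {"blind_rams", "shear_ram_backup_valve"}))
```

In the constructed trace the nitrogen-driven backup valve is tripped three scans after the hydraulic shear ram fails to confirm, although ΔP never reaches the next threshold.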