Can Process Control Prevent Oil Well Blowouts?

Oil Drilling Accident in the Gulf of Mexico: What caused it? Could We Have Prevented the Blowout with Properly Designed Process Control Systems?


The lower level response is triggered by low oil pressure (PSL) or low oil flow (FSL), which are usually caused by oil leakage and/or by the shuttle valve position detector (IPoS) signaling that the valve did not reach the required position. Naturally, these switches must be designed for operation in a deep-sea environment and be provided with wireless backup.

It is essential to increase both the speed and strength of the final control element (the ram) and its actuator (the piston), so that the ram will close before the kick has time to pass through. This can be achieved by increasing the flow and pressure of the operating fluid and substantially increasing the piston diameter. In case the kick is still faster than the ram, and it carries stone or pipe fragments into the BOP, the actuator must be strong enough to cut through not only the drill pipe, but also all that material.

This backup blind shear ram did not exist at the BP installation. If it had, it would have automatically started closing when the primary ram failed to fully close and its wedge locks jammed. BP, after 90 days, finally added a second BOP, which temporarily closed the well, proving that if they had a backup BOP to start with, the accident would not have occurred. The ROV also would have been able to operate the backup shear ram by both hydraulic and mechanical means. It would also have had the strength to close the BOP.

In summary, there were no automatic and wireless BOP controls at all. In addition, the dead-man switch was not wireless, and no backup was provided for the BOP, the shuttle valve or the hydraulic oil system. Lastly, no mud flow velocity and density sensors were provided that could have continuously and accurately measured the mud flow during normal operation and, in case of a blowout, the oil/gas flow.

It should be noted that the oil industry in general opposes the automatic actuation of the shear ram, because spurious trips and the resulting slicing of the drill pipe could result in the loss of the test well. In my view, accepting that risk is a small price to pay for protection against BP-like accidents. In addition, if the operators knew that reducing the mud pressure and heating the cement seal could automatically cause the actuation of the shear ram, they would think twice before doing it.

Safety Standards and Regulations

It is not clear which existing arm of the government should regulate offshore drilling and what safety standards should guide the design, operation and maintenance of drilling installations. As of today, the applicable Safety Integrity Level (SIL) has not even been decided for deep-sea drilling. In a nutshell, the whole industry is basically unregulated, meaning that it is self-regulated, and the level of operational safety varies from corporation to corporation. Let me briefly address each of the above issues.

As far as the regulating arm of the government is concerned, it is questionable whether the Minerals Management Service (MMS), the U.S. Coast Guard (USCG) or some other agency should be made responsible for regulating this industry. Until now it was the MMS, and it failed in its role. Today the USCG has jurisdiction over ships. It is debatable if oil/gas drilling platforms, which are basically floating facilities, can be considered ships, but it is unquestionable that the selected regulating arm of the government should have experience in marine safety, and the USCG does have that. However, it also seems that the experience of the Coast Guard is more in the area of security and less in the area of safety. So, in a way, assigning this regulation to the Coast Guard is like expecting the police to treat accident victims.

On the topic of applicable standards, the API 14C committee (dominated by oil giants) excluded deep-sea drilling from being covered by any standards. Similarly, the applicability of the internationally adopted IEC 61511 standard has been restricted to production (and not drilling) platforms. As to the standards that should be used, my view is that a new one is needed. While some elements of such existing standards as API 14C 7th ed., IEC 61511, ISA TR84.00.07, IEC 61508, ISO 10418:2003, etc. are applicable, none of them fully covers all the needs of this new industry.

As to the required Safety Integrity Level (SIL) that should apply to deep-sea drilling, I favor SIL 3. This level is next to the most demanding level of relative risk reduction, having a risk reduction factor (RRF) of 1000 to 10,000, according to IEC 61508. It should be noted that MMS mandated the applicability of SIL 3, but only for the high-pressure section of the production riser. Yet, if this rule was followed (in case of the BP rig the BOP is in the high-pressure section, but not involved in oil production), the HIPPS (High-Integrity Pressure Protection System) would have prevented over-pressurization by not allowing the pressure in the downstream piping to exceed its design pressure. If this mandate had been implemented in the BP installation, the accident would have been avoided.

Another safety concern, which is seldom considered, is cybersecurity. If instrument and control systems (ICS) are not totally isolated from information technology (IT) systems, this can cause hazards (to all industries, not just oil drilling). If there is a hole in the security wall between IT and ICS, the critical operating controls and safety systems can be accessed, disabled or revised through the Internet by hostile parties or by accidental causes. The Hatch Nuclear Plant cyber incident demonstrates this, and we had better learn that while the ICSs look like IT systems, they are not and need to be addressed accordingly.

Cyber vulnerabilities can arise from simple practices, such as allowing workers to access smart grid control system devices using a Bluetooth connection, all the way to cyber terrorism. The present state of affairs is dangerous because IT serves corporate convenience, and the users of direct data gathering are ignorant of the potential consequences. This can cause grievous harm to control systems. Yet, when it comes to the development of cybersecurity standards and regulations, it is done almost completely by IT people and not by the process control people. Consequently, the drafts produced meet only the needs of the IT community.
