Safety Instrumented Systems

Automatic Override Control Could Have Prevented the BP Deepwater Horizon Oil Well Accident

Keeping a Pipe Straight: That Was What Was Needed to Prevent the BP Deepwater Horizon Oil Well Accident

By Bela Liptak

In past articles, I've pointed out that safety will increase if: 1) we fully understand the process being controlled, and 2) we "protect" processes from operator errors by providing automatic override controls (AOC). I wrote several articles and also a book, explaining how Three Mile Island, Chernobyl and Fukushima could have been prevented if AOC controls were provided. I also wrote about air transportation safety, showing that AOC could have protected Asiana Airlines Flight 214 in San Francisco last year, and perhaps prevented Malaysia Airlines Flight 370's disappearance earlier this year, if AOC had prevented pilot errors.

In the cases of the nuclear accidents, we have seen that if we make it impossible for cooling to be lost, no meltdown can occur (see my earlier article describing the underwater nuclear plant of the future, "Ask the Experts," Feb. 2014). Here, I will try to show you not only that operator errors caused the BP Deepwater Horizon oil well accident, but also how AOC could have prevented it, because what was needed (and what the operators failed to do) was to keep a pipe straight.

How to Keep a Drill Pipe Straight

As we know, on April 20, 2010, while Deepwater Horizon was sealing the deepest oil well in history (10,600 m), an explosion occurred. Two days later, the rig sank, causing the largest oil spill in U.S. history, which took five months to seal. In previous articles, I've described how BP operator errors triggered this accident by attempting to seal the well without calculating the hydrostatic head required to exceed the internal pressure in the well, and by not using the concentrated cement slurry required to balance and exceed that internal pressure.

In previous articles, I also described how pressures, flows, compositions and equipment availability can be detected. And based on them, I've shown how AOC control can be implemented.

In this article, I'll focus on the critical safety requirement of keeping the drill pipe straight, and of keeping the pressure difference (ΔP) between its inside and outside within safe limits, so that the pipe does not move from the center of the blowout preventer (BOP) ram. In the case of the BP accident, the high ΔP caused an effective compression resulting in buckling that bent the drill pipe, and moved it outside the reach of the BOP's ram. When the operator tried to manually close the ram, it punctured the pipe because it was off-center, and that triggered the oil spill. (Figure 1 shows how the BOP ram should have operated and why it failed.)

Platform Should Be Stabilized Using Envelope Control

In general industry, we've been using feed-forward anticipatory, selective, interaction, envelope and herding controls for decades (see Chapter 8.5 in Vol. 2 of my Instrument Engineers' Handbook). In the control of offshore drilling, these strategies are new. That industry is just emerging from a manual-control culture.

For years, it was believed that as winds, waves and water currents cause platforms to move in six directions (north, south, east, west, up and down) as they sway, yaw and surge, they can be best held in position by passive mooring systems. So not only were AOC and envelope control not used, but even dynamic positioning (DP) is relatively new to the hydrocarbon industry (although Deepwater Horizon did have DP).

The hydrocarbon drilling process is shown in Figure 2. A riser pipe extends from the semi-submersible drilling platform at the ocean's surface to a flexible joint on the seabed. There it connects to the BOP and the drill pipe, which are fixed. The tension in the riser pipe is controlled by the tensioner piston operated by high-pressure hydraulic cylinders. The slip joint allows for vertical movement, while the flexible joint at the BOP allows for horizontal movement (bending) of the riser pipe.

To prevent bending the drill pipe, the pressure difference between the inside and outside of the pipe has to be kept under safe limits. In addition, the horizontal movement of the rig should be limited to keep the riser angle (A in Figure 2) less than about 3°, and the watch circle diameter (B in Figure 2) less than a corresponding value, which increases with depth. Keeping the rig within these safe limits is achieved by operating six or eight large thrusters that are distributed around the rig, forcing it to move as needed to stay within the envelope limits.

In addition to the dynamic positioning system (DPS), ballast controls (BC) are applied to keep the tilt of the platform less than about 1°. Ballast control should be achieved by throttling large water pumps (P in Figure 2), which move large quantities of water from one tank to another (WT in Figure 2). Each tank is about 300 m³, and is positioned on the perimeter of the platform to maintain its balance.

So what's wrong with this system? What is missing? What is needed to make sure that the drill pipe does not buckle?

Manual controls. The safety of the operation should not be left to manual control. In the case of the BP accident, even the actuation of the BOP was under manual control.

Feedforward. As the forces of wind, waves and water currents change, the controls should anticipate their consequences and should act before they evolve.

Manipulated variables. All pumps, pistons and thrusters should be designed to have the required speed of response.

Interaction. The PC and DPS controls should be integrated into a single, dynamic control system. An envelope algorithm should receive all measurements and should generate all output signals to control the hydraulic tension control pistons, variable-speed pumps and thrusters.

Mathematical model. The dynamic model should be self-diagnosing because hydrodynamic conditions and drag coefficients do change and, therefore, need to be continually updated.

BOP actuation. The BOP closure should be automatically triggered by the AOC (and not allowed to be overruled by operators) when the drill pipe pressure difference (ΔP) limit or the maximum tilt limit (A and B in Figure 2) is violated.

Rig disengagement. If the presence of either methane or fire is detected on the platform, the AOC should disengage the rig and move it away from the well, regardless of whether operators or management approve or not.
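The BOP-actuation and rig-disengagement rules above can be sketched as a latching interlock; this is an added example, not code from the article or from any drilling control vendor. The class and function names, the ΔP limit, the 1500 m depth and the straight-riser geometry used to turn the riser angle into a watch circle are all assumptions made for illustration.

```python
import math
from dataclasses import dataclass, field

MAX_RISER_ANGLE_DEG = 3.0   # article: riser angle A below about 3 degrees
MAX_DELTA_P_BAR = 100.0     # hypothetical placeholder; the article gives no number


def watch_circle_diameter(depth_m, max_angle_deg=MAX_RISER_ANGLE_DEG):
    """Watch circle B for a given depth, assuming a straight riser pivoting at the seabed."""
    return 2.0 * depth_m * math.tan(math.radians(max_angle_deg))


@dataclass
class AutomaticOverride:
    depth_m: float
    bop_closed: bool = False
    rig_disengaged: bool = False
    reasons: list = field(default_factory=list)

    def scan(self, delta_p_bar, riser_angle_deg, offset_m,
             methane=False, fire=False, operator_inhibit=False):
        """Evaluate one set of readings; trips latch and operator_inhibit is never consulted."""
        limits = {
            "delta_p": (delta_p_bar, MAX_DELTA_P_BAR),
            "riser_angle": (riser_angle_deg, MAX_RISER_ANGLE_DEG),
            "watch_circle": (offset_m, watch_circle_diameter(self.depth_m) / 2.0),
        }
        for name, (value, limit) in limits.items():
            # A missing or non-finite reading counts as a violation (fail safe).
            bad = value is None or not math.isfinite(value)
            if bad or abs(value) > limit:
                self.bop_closed = True
                self.reasons.append(name + (":bad_signal" if bad else ":limit"))
        for name, detected in (("methane", methane), ("fire", fire)):
            if detected:
                self.rig_disengaged = True
                self.reasons.append(name + ":detected")
        return self.bop_closed, self.rig_disengaged


def run_constructed_scenario():
    """Constructed readings for a 1500 m depth (sample data, not from the article)."""
    aoc = AutomaticOverride(depth_m=1500.0)
    states = [aoc.scan(40.0, 1.0, 20.0),                         # inside the envelope
              aoc.scan(40.0, 2.0, 85.0),                         # offset beyond the watch circle
              aoc.scan(40.0, 1.0, 20.0, operator_inhibit=True),  # inhibit request is ignored
              aoc.scan(float("nan"), 1.0, 20.0, methane=True)]   # bad signal plus gas alarm
    return states, aoc.reasons
```

The trip outputs only ever move from False to True, so a later good reading or an operator inhibit request cannot reopen the BOP; resetting the latch would be a separate, deliberate action outside this logic.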

Unfortunately, even the best offshore drilling safety controls have evolved from a manual safety culture. Until state-of-the-art automatic control practices are understood and implemented by the hydrocarbon drilling industry, pipes will buckle, BOPs will fail, and oil spills will occur.