"Ask the Experts" is moderated by Béla Lipták, process control consultant (http://belaliptakpe.com) and editor of the Instrument Engineers’ Handbook (IEH). He is recruiting contributors for the 5th edition of the IEH. If you would like to contribute by updating an existing or preparing a new chapter, or if you have questions for our team of experts, please write to [email protected].
Q: In the August 2010 issue (www.controlglobal.com/articles/2010/OilBlowouts1008.html), you described how the BP blowout could have been prevented by correctly designed controls. My question is this: Once the blowout started, could properly designed safety controls have prevented the loss of the 11 lives?
Harold Crowney
[email protected]
A: The absolute minimum safety requirement in any industrial application is to detect the presence of flammable gases and automatically shut down all ignition sources, including electric devices if they are present. Flammables or smoke should be detected by multiple sensors configured in redundant or voting systems. All safety devices should also be tested quarterly.
In the case of the BP rig, neither the regular nor the safety controls were properly designed or maintained. As I wrote in August, the BP operators first injected foam cement into the well to plug it, and because they knew the integrity of the cement job was questionable (the cement was unstable), they checked if the plug would hold by using the "let us see if it blows" method. In other words, they reduced the force (the weight of the column of heavy mud) holding down the cement plug by replacing the mud with a column of light sea water to see if it still held. It did not.
Once the well started to blow, the emergency safety responses were even worse because there was no automatic response at all. It was left to the operators to manually activate the blowout preventer (which did not work, because it was neither tested nor maintained). They also had to manually shut down all ignition sources, including sparking electrical equipment when the presence of flammable vapors was detected. Even after the operators smelled the gas, these potential ignition sources were kept in operation.
In addition, even if the operators attempted to activate the shutdown controls, it would have required the operation of 30 switches and buttons to do so. Similarly, it was left to them to manually activate the switch that would have disconnected the rig from the well so that it could move away. Finally, even after the explosions and fire, the "abandon rig" alarm was still not activated because it too had to be manually activated. In short, lives were lost because the safety controls were badly designed and because they were operated under manual control.
The lesson to be learned is that all life-protection safety controls should be fully automatic. This is an absolute requirement, because if their activation is left to panic-stricken and poorly trained operators carrying out vague instructions, such accidents are unavoidable. The argument that false alarms due to sensor failure can be expensive is no excuse. The answer to such arguments is to select reliable sensors, use them in a redundant or voting configuration, and properly maintain them.
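The following is an added illustration of the two points made above, redundant or voting gas detectors and a shutdown that needs no operator action; it is example code written for this column and is not taken from the column itself or from any rig's safety system. Everything specific in it is assumed: three detectors reporting in percent of the lower explosive limit (%LEL), a 20 %LEL trip setpoint, a 2oo3 voter that degrades to 1oo2 and then 1oo1 as detectors fault (and trips outright if none is healthy), and a latched trip that can only be cleared by a deliberate reset once no detector still votes for it. The constructed readings show why voting answers the false-alarm argument: one detector reading high on its own does not trip the plant, two do, and a failed detector reduces the vote rather than silencing it.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed trip setpoint (not from the column): 20 percent of the lower explosive limit.
TRIP_THRESHOLD_LEL = 20.0


@dataclass(frozen=True)
class Reading:
    """One detector sample; percent_lel is None when the detector reports a fault."""
    sensor_id: str
    percent_lel: Optional[float]


def votes_trip(reading: Reading) -> bool:
    """A healthy detector votes for shutdown when it reads at or above the setpoint."""
    return reading.percent_lel is not None and reading.percent_lel >= TRIP_THRESHOLD_LEL


def evaluate_2oo3(readings: List[Reading]) -> Dict[str, object]:
    """Two-out-of-three voting with fail-safe degradation (an assumed policy):
    3 healthy detectors -> 2oo3, 2 -> 1oo2, 1 -> 1oo1, 0 -> trip unconditionally.
    Returns the decision together with the facts behind it, for the event log."""
    if len(readings) != 3:
        raise ValueError("2oo3 voting needs exactly three detectors")
    healthy = [r for r in readings if r.percent_lel is not None]
    faulted = [r.sensor_id for r in readings if r.percent_lel is None]
    votes = [r.sensor_id for r in healthy if votes_trip(r)]
    mode = {3: "2oo3", 2: "1oo2", 1: "1oo1"}.get(len(healthy), "fail-safe")
    required = {3: 2, 2: 1, 1: 1}.get(len(healthy), 0)
    trip = len(healthy) == 0 or len(votes) >= required
    return {"trip": trip, "mode": mode, "votes": votes, "faulted": faulted}


class AutomaticShutdown:
    """Latching shutdown logic: the first trip de-energizes the ignition sources and
    the state stays tripped until a deliberate reset, so readings drifting back to
    normal (or a detector failing afterwards) cannot silently re-arm the plant."""

    def __init__(self) -> None:
        self.tripped = False
        self.ignition_sources_energized = True
        self.log: List[str] = []

    def scan(self, cycle: int, readings: List[Reading]) -> Dict[str, object]:
        decision = evaluate_2oo3(readings)
        if decision["trip"] and not self.tripped:
            self.tripped = True
            self.ignition_sources_energized = False  # automatic: no operator in the loop
            self.log.append(
                f"cycle {cycle}: TRIP ({decision['mode']}) votes={decision['votes']} "
                f"faulted={decision['faulted']} -> ignition sources de-energized"
            )
        decision["latched"] = self.tripped
        return decision

    def reset(self, readings: List[Reading]) -> bool:
        """Deliberate reset; refused while the detectors still vote for a trip."""
        if evaluate_2oo3(readings)["trip"]:
            return False
        self.tripped = False
        self.ignition_sources_energized = True
        return True


def run_constructed_scenarios() -> List[Dict[str, object]]:
    """Constructed readings (not measured data) walking the voter through the cases
    the answer raises: a single spurious reading, a genuine release, a failed detector."""
    sis = AutomaticShutdown()
    scans = [
        [Reading("GD-1", 4.0), Reading("GD-2", 5.0), Reading("GD-3", 3.0)],    # normal
        [Reading("GD-1", 85.0), Reading("GD-2", 5.0), Reading("GD-3", 4.0)],   # one spurious high
        [Reading("GD-1", 45.0), Reading("GD-2", 60.0), Reading("GD-3", 6.0)],  # genuine release
        [Reading("GD-1", 2.0), Reading("GD-2", 3.0), Reading("GD-3", 2.0)],    # back to normal, still latched
    ]
    results = [sis.scan(i, s) for i, s in enumerate(scans, start=1)]
    # A fresh voter with one failed detector: 2oo3 degrades to 1oo2, so one vote trips.
    degraded = AutomaticShutdown().scan(
        1, [Reading("GD-1", 30.0), Reading("GD-2", None), Reading("GD-3", 8.0)]
    )
    results.append(degraded)
    return results


if __name__ == "__main__":
    for i, r in enumerate(run_constructed_scenarios(), start=1):
        print(i, r)
```

The decision record returned by each scan (mode, which detectors voted, which were faulted) is what a post-incident investigator would want logged, and the `reset` method makes the one manual step in the system, re-arming after a trip, the step that is hard to do rather than the step that protects lives.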
Therefore, it is not the operators who should be held responsible, but the designers of the control systems and the inspectors whose job should have been to check the design and operation of the safety systems. Naturally, the ultimate responsibility falls on the owners, who considered cost and schedule to be more important than safety.
The lesson to be learned from this disaster is that the entire deep-sea drilling industry should be regulated and be forced to live up to the requirements of a predetermined minimum safety standard that includes the requirement that all life safety systems must be completely automatic (see Table 1). Process control engineers and the ISA should play a major role in developing the required safety standards.