Can Process Control Prevent Oil Well Blowouts?

July 29, 2010
Oil Drilling Accident in the Gulf of Mexico: What caused it? Could We Have Prevented the Blowout with Properly Designed Process Control Systems?

"Ask the Experts" is moderated by Béla Lipták, process control consultant and editor of the Instrument Engineer's Handbook (IEH).  The 4th edition of Volume 3, Process Software and Networks, is in progress. If you are qualified to contribute to this volume, or if you are qualified to answer questions in this column or want to ask a question, write to [email protected].

Q: I've received a number of questions about the oil drilling accident in the Gulf of Mexico: What caused it? If properly designed process control systems were used, could the blowout have been prevented? What contributions could process control have made to stop the flow after the blowout?

A: To answer these questions, we must understand the drilling process, the causes of the BP accident and the kinds of automatic controls necessary for both the normal and the emergency drilling operation.

Drilling a test well on land is as simple as digging a hole. Drilling deep under the sea increases both the risks and the costs because of the high pressures and hostile environment at the ocean bottom. As the depth increases, the weight of the connecting piping between the sea floor and the platform above also increases. To reduce this weight and the associated cost, the pipe thicknesses had to be reduced, which could only be achieved if some of the drilling equipment was lowered down to the ocean floor where the pressure is high (2200 PSI in case of BP), the temperature is near freezing, and the environment is corrosive. Furthermore, the lowered equipment is inaccessible and has to be operated by remote-operated vehicles (ROV) or subsea robots.

Under these conditions, state-of-the-art technology, including automatic safety controls, trips and redundant equipment, should have been used, potentially making the drilling of deep sea wells uneconomical and in some cases consuming more energy than the wells produced. The industry and its regulator, the Mineral Management Service, in the absence of standards requiring such controls, concentrated on cutting costs.

The Drilling Process

A simplified sketch of the drilling process is shown in Figure 1. At BP installation, the well was 18,300 feet deep (36 in. diameter at the top; about 10 in. at the bottom) and included a number of casings, conduits, seals, spacers, snubbers and burst disks that are not shown. The casings are inserted into the well bore at various depths and held in place by cement slurry injected between them and the well bore. They should protect against cave-ins, provide a foundation for the drilling fluid (mud) and seal off high-pressure zones.

Figure 1: Simplified view of the drilling process and automatic controls that should have been provided (red ).

During drilling, mud is circulated down the drill pipe and up through the annulus between the well bore and the drill pipe. The mud carries the rock fragments produced by the drilling. This circulating mud also serves to prevent the oil and gas in the deposits from entering the well, because the pressure of the mud inside the well bore is higher than that of the oil outside. If for any reason this pressure difference (ΔP = PMUD – POIL) starts dropping, the mud pressure has to be increased to keep this ΔP positive. Otherwise the oil or gas will enter the well bore.

Once the oil pressure exceeds the mud pressure, it can lift the fluid in the well, and a blowout can occur. In case of the BP installation, four shut-off devices—placed one on top of the other—were provided in the blowout preventer (BOP) in Figure 1. These are shut-off valves that close the well in case of evolving blowout conditions. The first three are pipe rams that close only the annulus. The last one, the shear ram, also cuts the drill pipe and completely closes the well bore.

Causes of the BP Accident

Now we must understand the reasons why the pressure outside the well can suddenly rise and how gas "kicks" can develop. The cause is methane hydrate or methane ice (MI). The MI crystal is a solid similar to ice, except that it traps large amounts of methane within its crystal structure. The extreme cold and crushing pressure (2200 PSI at 5000 feet at the ocean bottom and about 8000 PSI in the oil deposits at 15,000 feet) keeps this crystal in the solid state. If conditions drop below the point of phase transition (PhT), because the pressure drops or the temperature rises, PhT is triggered, and the MI vaporizes. Each cubic foot of MI crystals explodes into 164 cubic feet of gas. Therefore, it is wise to avoid drilling through MI deposits and, if it is done accidentally, to keep the pressure inside the well above and the temperature below the PhT point.

The phase change can also occur in the reverse direction. If methane gas is exposed to water under such conditions that exceed the PhT point, the gas and the water will "freeze" into MI crystals that will plug the piping and other equipment. This can occur if the mud pressure drops below the methane pressure in the deposits, and methane enters the well bore while the pressure and temperature conditions are above the PhT point.

Under these conditions the MI crystals that are formed can also be carried up by the mud flow or by the other fluid that is circulated in the well. As they rise, the pressure in the well decreases, and the MI crystals dissociate into methane gas and water. The rapid gas expansion ejects the circulating fluid from the well, further reducing the pressure, which leads to more hydrate dissociation and further fluid ejection. This violent expulsion of fluid is referred to as a "kick," which can cause blowouts. Once the mud is blown out and methane escapes, all that is needed is a spark to ignite it.

Blowout protection is provided by keeping the mud pressure inside the drill pipe higher than the pressure of the oil and gas outside in the deposits. This is feasible because we know how to measure the difference between these pressures; we know how to increase the mud pressure if the oil or methane pressure rises; and we know how to close off the well if this pressure exceeds the weight of the mud column and a "kick" is evolving. So why did the BP accident occur?

Bad engineering, bad operating practices and, most important, manual operation.

Manual operation means that the response to unsafe conditions depended on the judgment of the rig supervisor. That's dangerous because it is impossible to guarantee that the judgment and decisions of all rig supervisors will be safe 24/7 and not influenced by financial or schedule pressures.

In this case, the rig supervisor at BP decreased the mud density by injecting sea water into the well when it should have been increased. In addition, BP selected a potentially risky type of well casing design and released heat into the well during the cementing process to speed the setting of the concrete, risking the initiation of a "kick." The explosion occurred right after the heating of the cement seal around the wellhead started, causing the MI crystals to explode and shoot up, damaging a badly designed seal.

If automatic controls were used, this operation would not have been allowed in the first place. Automatic controls also would not have allowed continued drilling when they detected that the BOP was faulty, had not been inspected not tested for two weeks, its readiness had not been validated, and its power supply was defective. It was known for days before the accident that hydraulic oil was leaking at the control pad. The rig's alarm system was disabled and did not sound at all during the accident.

It is true that the phase change of methane hydrate causes a kick is so powerful that the drill pipe itself can be pushed into the BOP, and BP argues that nothing could have prevented this accident because the gas bubble caused such structural and mechanical damage to the safety systems and to the BOP itself that it was not possible to seal the well. Not true!

BP has a history of total ignorance of modern process control (The Thunder Horse accident in 2005 was caused by a check valve installed backwards; the 2005 explosion at its Texas City refinery resulted from not having a backup for a high-level switch; the Alaska pipeline accident in May  caused by lack of sufficient monitoring, etc.). This backwardness in process control, combined with the company's arrogance and its being in denial are major contributors to the causes of this latest BP accident.

Controls Needed During Normal Operation

Good controls are always crucial, but when drilling for oil they are even more important because here the emergencies evolve faster than manual control can respond, and the sensors and safety trips operate in a very hostile environment. Therefore, the PID loop and the trips must be fast, the sensors redundant, and the final control elements (BOPs and their actuators) must have total backup.

Figure 2: Emergency trips on top activate backup shuttle valve system, and trips on bottom activate backup BOP.

Figure 1 illustrates the basic controls needed during normal operation, and Figure 2 shows the emergency controls that should have been used. The main goal of the normal operating controls is to keep the pressure inside the well higher than the the pressure outside under all conditions, including when drilling through methane hydrate deposits.

As shown in Figure 1, in a properly designed system strain gauge sensors would have measured the differential pressure (ΔP), and a differential pressure transmitter (ΔPT) would have reported this measurement to a differential pressure recorder-controller (ΔP-RC). If the ΔP started to drop, the controller would have automatically increased the mud pressure (PMUD) by either pressurizing the mud tank (in seconds) and/or by increasing the mud density. BP had no such automatic controls and did not have means to pressurize the mud tank. All the components must be designed for operating in the hostile undersea environment, and be provided with self-diagnostics and full automatic backup. If BP had such a control loop, when the methane pressure started to rise, it would have automatically increased the mud pressure to balance the system, and prevented the evolution of a kick.

Controls Needed During Emergencies

In a properly designed system, if the normal operation controls fail or do not respond fast enough, the ΔP would drop to zero, and the low ΔP switch (ΔPS-L) would have automatically actuated the blinding rams in the BOP to close the annulus. If the blinding rams were also too slow or failed, and the mud pressure dropped further, the low-low ΔP switch (ΔPS-LL) would have automatically actuated the shear ram, completely closing the metal casing by also cutting the drill pipe.

The key error in the BP design was that neither the slide valve nor the shear ram itself had any backup. If correctly designed, the fully automatic operation of the shear ram system would have been as shown in Figure 2. In that system, the trips detect two levels of unsafe conditions. The response to the lower level trips is to actuate the backup shuttle valve and the associated components that operate the ram piston while the higher level trips would have caused the actuation of the backup blind shear ram in the backup BOP.

In this configuration, when the lower level response is initiated, the backup shuttle valve should not use the same energy source (hydraulic) as the failed one. The energy source for operating the backup BOP also should be different from the one used for the main BOP. Therefore, the backup system should be operated by high-pressure nitrogen.

The lower level response is triggered by low oil pressure (PSL) or low oil flow (FSL), which are usually caused by oil leakage and/or by the shuttle valve position detector (IPoS) signaling that the valve did not reach the required position. Naturally, these switches must be designed for operation in a deep-sea environment and be provided with wireless backup.

It is essential to increase both the speed and strength of the final control element (the ram) and its actuator (the piston), so that the ram will close before the kick has time to pass through. This can be achieved by increasing the flow and pressure of the operating fluid and substantially increasing the piston diameter. In case the kick is still faster than the ram, and it carries stone or pipe fragments into the BOP, the actuator must be strong enugh to cut through not only the drill pipe, but also all that material.

This backup blind shear ram did not exist at the BP installation. If it did it, it would have automatically started closing when the primary ram failed to fully close and its wedge locks jammed. BP—after 90 days—finally added a second BOP, which temporarily closed the well, proving that if they had a backup BOP to start with, the accident would not have occurred. The ROV also would have been able to operate the backup shear ram by both hydraulic and mechanical means. It would also have had the strength to close the BOP. 

In summary, there were no automatic and wireless BOP controls at all. In addition, the dead-man switch was not wireless, and no backup was provided for the BOP, the shuttle valve or the hydraulic oil system. Lastly, no mud flow velocity and density sensors were provided, so that during normal operation the mud flow and, in case of a blowout, the oil/gas flow could have been continuously and accurately measured.

It should be noted that the oil industry in general opposes the automatic actuation of the shear ram, because spurious trips and the resulting slicing of the drill pipe could result in the loss of the test well. In my view accepting that risk is a small price to pay for protection against the BP-like accidents. In addition, if the operators knew that reducing the mud pressure and heating the cement seal) could automatically cause the actuation of the shear ram, they would think twice before doing it. 

Safety Standards and Regulations

It is not clear which existing arm of the government should regulate offshore drilling and what safety standards should guide their design, operation and maintenance. As of today, the applicable Security Integrity Level (SIL) has not even been decided for deep-sea drilling. In a nutshell, the whole industry is basically unregulated, meaning that it is self-regulated, and the level of operational safety varies from corporation to corporation. Let me briefly address each of the above issues.

As to the regulating arm of the government is concerned, it is questionable if the Mineral Management Service (MMS), the U.S. Coast Guard (USCG) or some other agency should be made responsible for regulating this industry. Until now it was the MMS, and it failed in its role. Today the USCG has jurisdiction over ships. It is debatable if oil/gas drilling platforms, which are basically floating facilities, can be considered ships, but it is unquestionable that the selected regulating arm of the government should have experience in marine safety, and USCG does have that. However, it also seems that the experience of the Coast Guard is more in the area of security and less in the area of safety. So, in a way, the assigning this regulation to the Coast Guard is like expecting the police to treat accident victims.

On the topic of applicable standards, the API 14C committee (dominated by oil giants) excluded deep-sea drilling from being covered by any standards. Similarly, the applicability of the internationally adopted IEC 61511 standard has been restricted to be applicable to production (and not drilling) platforms. As to the standards that should be used, my view is that a new one is needed. While some elements of such existing standards as API 14C 7th ed., IEC 61511, ISA TR84.00.07, IEC 61508, ISO10418:2003, etc. are applicable, none of them cover all the needs of this new industry fully.

As to the required Security Integrity Level (SIL) that should apply to deep sea drilling, I favor SIL 3. This level is next to the most demanding level of relative risk reduction, having a risk reduction factor (RRF) of 1000 to 10,000, according to IEC 61508. It should be noted that MMS mandated the applicability of SIL 3, but only for the high- pressure section of the production riser. Yet, if this rule was followed (in case of the BP rig the BOP is in the high-pressure section, but not involved in oil production), the HIPPS (High-Integrity Pressure Protection System) would have prevented over-pressurization by not allowing the pressure in the downstream piping to exceed its design pressure. If this mandate had been implemented in the BP installation, the accident would have been avoided.

Another safety concern, which is seldom considered, is cybersecurity. If instrument and control systems (ICS) are not totally isolated from information technology (IT) systems, this can cause hazards (to all industries, not just oil drilling). If there is a hole in the security wall between IT and ICS, the critical operating controls and safety systems can be accessed, disabled or revised through the Internet by hostile parties or by accidental causes. The Hatch Nuclear Plant cyber incident demonstrates this, and we better learn that while the ICSs look like IT systems, they are not and need to be addressed accordingly.

Cyber vulnerabilities can arise from simple practices, such as allowing workers to access smart grid control system devices using a Bluetooth connection, all the way to cyber terrorism. The present state of affairs is dangerous because IT serves corporate convenience, and the users of direct data gathering are ignorant of the potential consequences. This can cause grievous harm to control systems. Yet, when it comes to the development of cybersecurity standards and regulations, it is done almost completely by IT people and not by the process control people. Consequently the drafts produced meet only the needs of the IT community.

We must realize that standards and regulations alone can not instill a culture of safety. To instill and to develop such a culture, corporations should stop judging and rewarding their engineers on the basis of cutting corners and reducing costs and should start evaluating their performance on the basis of quality, efficiency and safety. But corporations will not do that unless it is in their interest to do so.


API – American Petroleum Institute
BOP – Blow Out Protector
BP – British Petroleum
DCS – Distributed Control System
DMS – Dead Man Switch
FSL – Low Flow Switch
HIPPS - High Integrity Pressure Protection System
IEC – International Electrotechnical Commission
IPoS – Incorrect Position Switch
ISA – International Society of Automation
ISO – International Organization for Standardization
IT – Information Technology
MMS - Mineral Management Service
PhT – Phase Transition
PMUD – Mud Pressure
PSI – Pounds per Square Inch
PSM - Plant Safety Management
ROV - Remote Operated Vehicles
ΔP – Pressure Difference
ΔPRC – Differential Pressure Recording Controller
ΔPSL – Low Differential Pressure Switch
ΔPSL – Low-Low Differential Pressure Switch
ΔPT - Differential Pressure Transmitter
ROV – Remote Operated Vehicle
RRF - Risk Reduction Factor
SIL - Security Integrity Level
USCG - US Coast Guard

Therefore, the safety record of corporations should be widely distributed, allowing the average citizen to take that into account when making a purchasing decision. Similarly, not only the corporations should be penalized for their safety offenses, but also their officers as individuals.

In case of the BP accident, the BOP's reliability and availability numbers did not meet even minimum risk level standards! This could occur only because there were neither regulations nor enforcement and because economics was considered to be more important than safety or preparedness for handling accidents. Future regulations must include accident mitigation response including the use of oil skimmers, booms, controlled burning, health and welfare monitoring of workers, human resource pools, ecology monitoring, coast line protection, etc. In the future, such regulations must also state that all foreign companies violating the standards will be fined and banished from U.S. waters.

It is also important to realize that criminal penalties and economic liabilities alone will not instill a culture of safety; positive incentives are also needed! In the case of drilling for oil, for example, the corporations with good safety records should be rewarded by paying less in royalties for their off-shore leases and should receive their permits faster than the ones with bad safety records. These steps would reduce the presently prevailing conflict between safety on the one hand and cost and schedule on the other.

The Moral

What should we learn from this accident? One of the important lesson is that accidents can be very expensive, and the protection against them should override any other consideration. A consequence of this recognition is that the role of process control engineers should be increased. This is because while the specialists of mechanical, electrical, civil, chemical or computer engineering are all doing a good job within their fields, none of them are qualified to look at the overall process. Only process control engineers have the overall understanding to design systems that will guarantee total safety, but we are far from this being universally understood.

(When I was teaching process control at Yale University, I did that within the chemical engineering department. My books on process control are being published within the electrical engineering department. This is not because these institutions have anything against our profession! It is because they don't even know that it exists!)

Full automation is required not only because human judgment is a function of the qualification of the person making the decisions, but also because that judgment can be influenced by cost and schedule considerations or can be too slow to arrest a quickly evolving unsafe condition.

Another lesson we should learn is the need for process-specific regulations so that drilling for oil could not take place without automatic safety equipment, backup and redundancy. This is essential because if each platform is individually designed and is operated by cost and schedule-oriented "objective management," these accidents will continue to occur. On the other hand, if the world's best talent, - and not the views of the lobbyists and politicians in Washington, where there are nearly 500 oil industry lobbyists -  is used to come up with an international reference standard, safety will be improved. Finally and most important, society as a whole must accept that safety costs money, and that cost has to be paid for by the user through increasing the cost of gasoline.

Naturally, we should also realize that this cost of "scraping the bottom of the barrel" for traditional energy sources could be better spent by investing it in the conversion to free, safe and inexhaustible energy sources (such as solar hydrogen). This is true not only because sooner or later this conversion has to be done anyway, but also because (while offshore drilling today provides thousands of jobs) the conversion will create millions, and if renewable energy plants are moved into the areas devastated by oil spills, the people there will have jobs and our grandchildren will have no reason to ask: "Why did you not act in time?"