Deepwater Horizon’s human errors
5 key human errors, colossal mechanical failure led to fatal Gulf oil rig blowout
Published: Sunday, September 05, 2010, 6:00 AM Updated: Sunday, September 05, 2010, 3:08 PM
David Hammer, The Times-Picayune
A string of mistakes, first by people, then by a supposedly fail-safe machine, sealed the fates of 11 rig workers and led to the fouling of the Gulf of Mexico and hundreds of miles of its coastline.
More than 100 hours of testimony before a federal investigative panel, two dozen congressional hearings and several internal company reports have brought the genesis of the spill into sharp focus. The record shows there was no single fatal mistake or cut corner. Rather, five key human errors and a colossal mechanical failure combined to form a recipe for unprecedented disaster.
The rig’s malfunctioning blowout preventer ultimately failed, but it was needed only because of human errors. Those errors originated with a team of BP engineers in Houston who knew they had an especially tough well, one rig workers called “the well from hell.” Despite the well’s orneriness, the engineers repeatedly chose to take quicker, cheaper and ultimately more dangerous actions, compared with available options. Even when they acknowledged limited risks, they seemed to consider each danger in a vacuum, never thinking the combination of bad choices would add up to a total well blowout.
Tens of thousands of offshore wells have been drilled without incident. Drill teams often face difficult conditions miles down in a hole, but they use a battery of tests and equipment to proceed safely. That’s why the first time BP went with the less-than-safest option — choosing a well structure with fewer barriers against kicks of gas — nobody batted an eye.
Plenty of wells had used a similar structure of metal tube linings. Halliburton, the cementing contractor, simply recommended more devices called centralizers to make that design safer. But the second misstep came when BP’s engineering team ignored Halliburton.
Again, that shouldn’t have caused a panic: The British oil giant had another contractor on board the rig to definitively test the well’s integrity once the cement was in place. But then a third money-saving and time-saving corner was cut: BP decided to send that contractor home 11 hours before the accident, without running the test.
Rig officials might have been able to do without that test if they had correctly interpreted the readings from a subsequent pressure test. But expert testimony and documents suggest key error No. 4 occurred when rig officials erroneously viewed that test as a success.
Maybe none of that would have led to a blowout, if BP hadn’t made questionable decision No. 5: replacing heavy drilling mud with light seawater in the mile-long riser connecting rig to well, and in the top third of the hole itself, before setting a final plug.
And lastly, removing that mud barrier, the principal defense against gas kicking to the surface, might not have been fatal if the rig’s blowout preventer, the massive metal stack that shuts off the well in an emergency, had functioned properly. It did not.
As money pressures mount, caution cast aside
The Macondo well, in the Mississippi Canyon 50 miles southeast of Venice, vexed both the men who designed it and the ones who drilled it. The Transocean rig Marianas drilled a shallow portion of the well, but had to go back to a shipyard for hurricane repairs last November. In February, Transocean’s Deepwater Horizon moved in to take its place.
The troubles continued. Daily drilling reports show that on March 10, hydrocarbons flowed into the well in a sand layer several thousand feet above the oil reservoir, and a piece of drill pipe got stuck. The pipe was never retrieved.
Rig workers and engineers say they lost thousands of barrels of drilling mud during the process and don’t know why. The heavy mud is a principal barrier against gas kicks, and also helps keep drills lubricated and carries earthen shavings out of the way.
The constant problems caused huge delays and extra expense, creating additional pressure on the workers and managers to finish the project quickly and cheaply. Documents show that the Deepwater Horizon had been scheduled to drill a different well 43 days before the accident. The Macondo well, budgeted by BP to cost $96 million, had cost at least $40 million more than that when it blew, records show.
BP’s Gulf drilling manager, David Sims, acknowledged in testimony that “every conversation, every decision has a cost factor.” E-mail messages and reports by BP engineers in the weeks before the accident make reference to money or time savings as they debated methods for closing the well. In each case, they went the cheaper way.
No. 1: Fewer barriers to gas flow
Five days before the accident, BP asked for government permission to change its well design three times in a span of 24 hours. Each request was immediately approved by the U.S. Interior Department, some within minutes.
Independent engineers who have reviewed the design changes say they were baffling. They were questioned at BP, too. An internal company document from mid-April acknowledged a single, long tube running through the center of the 13,000-foot well would leave a side space for hydrocarbons to shoot up, with only one seal to stop a blowout. Computer models raised questions about whether the design would result in a weak seal on the well’s walls.
Typical industry practice for exploration wells, according to numerous engineers, would be to run a short tube to line the bottom 1,500 feet of the hole. That liner would hook onto a bigger tube above it, which would tie back to the top of the well, creating an additional barrier blocking natural gas from flowing into the side space between the tubes. It also involved setting an extra plug in the center of the well.
The gas that eventually blew out of the Macondo well either went up the center of the hole or up through a side space. Either way, the industry-endorsed method would have given the drillers one more barrier to slow or halt the gas’s attack. A BP document shows that was also once the company’s preferred method, though it would have cost as much as $10 million more.
In the operation’s final weeks, those cost concerns took over. On March 30, BP engineer Brian Morel, whose name is on the well design documents, wrote that “not running the tie-back saves a good deal of time/money.”
Then BP got a measure of safety affirmation. Halliburton ran a computer model April 15 that showed a good cement seal on the walls would be possible with the long central tube, as long as BP used 21 devices called centralizers to help the cement set. An internal BP document called it the “best economic case and well integrity case.”
It appears BP was determined to use a long tube in the middle because it would make future oil production operations easier. Often, oil companies drill exploratory wells, strike oil, fill the well with cement and then drill a new well to extract the oil. In this case, BP wanted to be able to plug the exploratory well without filling it in, abandoning it only temporarily so a production crew could tap into the hole Deepwater Horizon had already drilled.
It’s not uncommon to convert an exploration well to a production well, but it wasn’t something workers on this rig were used to. That left many crew members in uncharted territory.
No. 2: Fewer centralizers to keep cement even
Although BP engineers got confirmation from Halliburton that a long center tube could be safe, they weren’t initially keen on spending the extra time and money to install more than six centralizers. The devices help keep the tubes centered in the hole as they telescope downward. If one tube isn’t on center, cement poured there will go to the wider side, leaving a weaker barrier on the other side.
Jesse Gagliano, a Halliburton employee who worked in the same office with the BP engineers, warned his clients April 15 of the possibility. BP’s Morel responded: “Hopefully the pipe stays centralized due to gravity.”
A worried Gagliano caught up to several members of BP’s engineering team at their shared Houston offices. He persuaded Gregg Walz, the engineering team’s new leader, that 21 centralizers were needed based on Halliburton computer models. Walz told John Guide, his counterpart in operations, “We need to honor the modeling.”
Sims, the new manager for several of BP’s Gulf wells, agreed with Walz. The company had 15 additional centralizers sent to the rig the next morning. But then Guide found out the centralizers didn’t have the right collars to keep them in place. Also, he complained in an e-mail message that it would “take 10 hrs to install them.” In the end, the 15 centralizers were not used.
On April 18, Halliburton ran a new model of a cement job using fewer than seven centralizers. It showed a “severe risk of gas flow.” But Gagliano didn’t make a scene this time. He attached the report to an e-mail message to his clients. Three different BP engineers later testified they never saw the warning, which was buried on page 18 of the report. Guide said he didn’t read the report until after the accident.
Even Gagliano never dreamed that two days later, the rig would go up in smoke and flames.
He said he didn’t try to stop the job because uneven cement “doesn’t equal a blowout. My concern was … having to do a remedial cement job.”
But that assumed BP would find out if there was a problem to remedy. After Guide went with the riskier cementing method, engineers Morel and Brett Cocales, who had seen Halliburton’s models, shrugged it off.
“Who cares, it’s done, end of story, will probably be fine,” Cocales wrote Morel. Morel responded that they could see if Halliburton’s models were right once they checked data on the actual cement barriers.
That check was never done.
No. 3: No bond log to check cement integrity
BP sent a crew from oil-field services firm Schlumberger to the rig two days before the accident to run various tests on the well. The company was paid about $10,000 to wait until the cement was set. It would get another $100,000 or so if the crew ran a cement bond log, the gold standard for testing cement integrity.
Initially, when engineers decided to use the long central tube, they acknowledged a cement bond log would probably be needed.
But because cement didn’t escape when it was poured, BP sent Schlumberger home on April 20 at 11:15 a.m., without having run the test.
Had it been run, the bond log might have found problems with the cement barriers, requiring a new cementing procedure that would have taken at least a month, said Tom McFarland, a cementing consultant. Additional cost to BP: at least another $30 million.
Again, by itself the decision was explainable. Cement bond logs aren’t always necessary. But the skipped steps on a troublesome project were adding up.
No. 4: Pressure test misinterpreted
When BP executives toured the rig the afternoon of April 20, they found the drill team gathered in a shack, debating the results of the negative pressure test, which measures upward pressure from the shut-in well. A good test would mean the well was nearly complete.
But 15 barrels of mud had leaked through a valve in the blowout preventer. That was odd. A few weeks earlier, a mechanic, Mike Williams, had reported that chunks of rubber from the valve came up in mud from the hole. He saw computer readings showing the drill pipe was moved while the valve was closed around it, and he believed that had damaged the rubber closure. But a supervisor dismissed it as normal wear and tear.
Three hours before the accident, the drill team tried the pressure test again, this time instructing the worker in charge of the blowout preventer, Chris Pleasant, to mash the rubber valve against the pipe with more force. Little or no fluid escaped.
Better. But still, the drill team observed high pressure readings. That was abnormal. BP executive Sims said the team members sounded “confused” after the second negative test, and he suggested that Transocean’s top rig officer, Jimmy Harrell, help resolve the issue.
Later, at dinner, one of the visitors, BP Vice President Patrick O’Bryan, asked Harrell if everything was OK. He gave the thumbs-up. Guide talked to BP’s well site leader, Robert Kaluza, and recalled that Kaluza, too, was “confused” by the pressure.
Rig officials eventually ruled the test a success. But John Smith, an associate professor of petroleum engineering at LSU who was hired by federal investigators as an expert, testified that the rig officials misinterpreted the results.
Smith also said the test itself may have been faulty. BP had paid for two doses of a viscous fluid for the test, and ordered contractors to use both at once. Smith said the abnormal quantity may have distorted the pressure readings.
The mixing may have been yet another cost-cutting move. If the extra dose had gone unused, BP would have had to pay to transport it to shore and dump it as hazardous waste. Once poured in the hole, however, federal rules allowed it to simply be dumped overboard for free.
No. 5: Mud barrier removed early
According to investigators’ notes, Kaluza was confused by his bosses’ directions in the hours before the accident. “They decided we should do displacement (of protective drilling mud with seawater) and the negative test together; I don’t know why,” Kaluza told investigators. “Maybe they were trying to save time. At the end of the well sometimes they think about speeding up.”
Smith, the LSU engineer, said rig workers thought they were all set after the negative test, which may explain why they missed signs of gas kicks starting 50 minutes before the first explosion.
The crew was confident enough to take one more risky step before setting a final cement plug: replacing heavy drilling mud with seawater, which is 40 percent lighter and far less capable of holding down gas.
No. 6: Blowout preventer failed
In spite of all the shortcuts BP took, much of the disaster, particularly the leaking oil, could have been avoided if the blowout preventer had activated when power was lost.
When Harrell, the top Transocean man on the rig, was concerned about the plans for April 20, he grumbled that the BOP’s shear rams might have to save the day: “Well, I guess that’s what we have those pinchers for.”
When two explosions rang out, at about 9:56 p.m., it was time for the pinchers. Pleasant hit a button on a control panel. Lights indicated he had sent a message a mile below the rig and sea, through optics and hydraulic lines, to disconnect the rig from the well. That would cause the blowout preventer to activate its shear rams, cut the drill pipe and seal the well.
None of that happened. The well wasn’t shut and the rig wasn’t able to escape the fuel source for a fire that would rage for two days.
Investigators wonder if two pipes, found side by side just above the blowout preventer, fouled up the works. There is only supposed to be one pipe, and the blowout preventer’s slicing rams are designed to cut only one.
But none of that explains why other parts of the blowout preventer never seemed to function, or why the emergency disconnect never activated. Pleasant testified that when he tried to intervene manually, he “had no hydraulics.” The loss of three things — power, hydraulics and communications — is supposed to trip a “dead-man” switch and close in the well. It didn’t.
Rig officials knew all along the blowout preventer had some leaks, notably in the yellow control pod that receives messages from the rig. But they didn’t think it mattered. BP and Transocean officials said they were familiar with a federal regulation stating that if “a BOP control station or pod … does not function properly” the rig must “suspend further drilling operations” until it’s fixed, but they didn’t think the regulation applied in this case.
BP’s man in charge on the rig until April 16, Ronnie Sepulvado, said he reported the pod’s problems to Guide and assumed Guide would tell the feds. He didn’t. And another federal regulation requiring the blowout preventer to be recertified every five years was ignored. Deepwater Horizon’s BOP had been in use for nearly 10 years and was never recertified. Getting it recertified would have required Transocean to take the rig out of use for months while the four-story stack was disassembled.
It was one more corporate cost avoided. And a final precaution that could have erased a string of other missteps and spared an infinitely larger cost later.