Freak accident or frontier enterprise? Deep-water drilling is still a big unknown.

By Joel Achenbach
Washington Post Staff Writer
Thursday, September 30, 2010; AA01

BP's internal report on the causes of the Deepwater Horizon blowout, released earlier this month, summarized the calamity as the result of eight separate breaches of physical and operational barriers, any one of which could have, and should have, stopped the unfolding disaster. The blowout, in the BP scenario, was very much a freak event. A long shot.

A graphic in the report showed the barriers arrayed like eight slices of Swiss cheese. All the holes, the report states, "lined up" to enable the blowout:

"[A] complex and interlinked series of mechanical failures, human judgments, engineering design, operational implementation and team interfaces came together to allow the initiation and escalation of the accident."

There is a different, and simpler, way to describe what happened: They weren't careful enough.

For the can-do culture of petroleum engineers, this catastrophe should heighten respect for the way bad things can happen to what looks like proven technology. Oil drilling is a risky business, and deep-water drilling is riskier still. Depth matters. And as the industry went deeper, it didn't commensurately increase its safety margin -- or prepare for the worst-case scenario.

On land, on sea, in the air, in space, in our laboratories, on our farms, we are surrounded by technologies of increasing complexity, all of them vulnerable, at some level, to catastrophes of human origin. Engineers do amazing things, but they aren't always as smart as they think, nor their systems as robust as they seem on paper.

The more complex the job, the more potential infiltration points for gremlins.

"We believed that the blowout preventer was the ultimate fail-safe mechanism," BP CEO Tony Hayward testified before Congress in June, bringing to mind the captain of the Titanic, believing that his ship was unsinkable.

Charles Perrow, in his seminal book on technological disasters, "Normal Accidents," writes, "We have produced designs so complicated that we cannot anticipate all the possible interactions of the inevitable failures; we add safety devices" -- think blowout preventers -- "that are deceived or avoided or defeated by hidden paths in the system."

His argument is that such accidents, though rare, are integral characteristics of the system, with its interlinked components. That's what happened here.

The pivotal moment came late on the afternoon and into the early evening of April 20. The Horizon crew conducted two pressure tests to look for any signs of hydrocarbons flowing in the well, which had already been cemented. For reasons that remain somewhat murky -- most of the key figures either have refused to testify or died in the explosion -- the BP "company man" and the Transocean crew decided that the results of the pressure tests were benign.

As in many industrial accidents involving complex technology, they were trying to interpret something they couldn't see directly -- what was happening below the bottom of the sea. The critical hardware, the blowout preventer, was a mile deep.

The pressure tests showed pressure on the drillpipe, a strong sign of a possible leak in the cement job. But when another valve was opened, on what is known as the "kill line," nothing flowed out of the well. That seemed like a good result. Except the kill line could merely have been clogged with gunk. The gunk was "spacer fluid" sent down the well to flush out heavy mud and allow seawater to replace it.

That's a normal procedure -- except this time, a double "pill" of spacer was used, twice as much as is standard. BP approved the plan by the mud engineer to send down this double-size batch of goo. It appears that the huge amount of spacer fluid was a classic shortcut: The fluid had already been mixed, and under the environmental regulations any fluid not used would have to be hauled to shore for proper disposal -- unless it was used in the wellbore. Down the well it went, so that, when it came back up, it could be dumped into the Gulf of Mexico.

The spacer, BP said in its report, might have clogged the kill line and created a confusing pressure reading.

Whether BP (and/or its contractors) were criminally negligent is the subject of a Justice Department investigation. BP made much-criticized decisions in well design but maintains that the design was not a factor in the blowout. A BP spokesman said last week that all the information about the well obtained through efforts to kill it "leads us to believe conclusively that the well design did not contribute to this accident."

BP also decided against running a time-consuming "cement bond log" test that might have detected flaws in the cement job. The company's report acknowledges that the well team should have done more risk analysis.

BP's industry competitors will favor the simple explanation that this was a catastrophe caused by a single bad actor, a company with a sketchy safety record. These companies spent the summer throwing BP under a bus as though it were a boardwalk game. They want to get back to deep-water drilling. Policymakers will have to ponder the fact that these other companies use the same contractors as BP, the same kind of technology, the same line of blowout preventers, etc.

Bob Dudley, BP's incoming CEO, said to NPR this summer, "We have been drilling for 20 years in the Gulf of Mexico without an accident." But past performance does not guarantee future results. And deep-water drilling is still a frontier enterprise.

There are 37,441 wells in the Gulf of Mexico, about two-thirds of which have been permanently abandoned, according to the Bureau of Ocean Energy Management, Regulation and Enforcement. Of those, only 2,089 wells are in water 1,000 feet or deeper.

The Macondo well was drilled in 5,067 feet of water, putting it in what is known, bureaucratically, as "ultra-deep water" -- anything deeper than 5,000 feet. There are only 410 ultra-deep-water wells in the gulf, according to the federal government. That's not a huge number.

In shallow water wells, the blowout preventer often sits on the rig during the drilling process. In deep-water wells, the BOP is on the seafloor. You can't put on scuba gear and dive to 5,000 feet. The only way to tinker with the BOP is with remotely operated vehicles, but that's not the same as being able to walk right up and fiddle with the kill line to see if it's clogged with gunk.

"We have found no evidence in our assessment and investigation of this accident to suggest that costs were any part of how this occurred," Hayward said Sept. 15.

But all decisions in the drilling business are made with cost in mind.

"We're a business," BP executive David Sims testified this summer before a government investigative panel. "We have shareholders. Our job responsibility is to be fiscally responsible. . . . Every decision has some cost factor."

Edward Tenner, a historian of technology and author of "Why Things Bite Back," said in an interview that BP's own report acknowledges multiple failures of design, organization, maintenance and judgment. "As with every other major disaster, identifying these flaws will help define a new set of best practices," Tenner said. "The real question is whether the new rigor will be sustained and enhanced after the outrage fades."

What we thought we were seeing, in the summer of the spill, was a worst-case scenario unfolding in front of us. But there are even more dire scenarios out there. Blowouts can happen in many ways, some of them creating, potentially, multiple leaks from the seafloor, a situation not readily fixed. It's not inconceivable that an oil field deep in the rock could effectively bleed out.

Unlikely, sure. But catastrophes are always hard to imagine until the very moment you are up to your eyeballs in one.
