Human issues in the Deepwater Horizon blowout

An Interim Report on causes of the Deepwater Horizon oil rig blowout and ways to prevent such events by the committee for the analysis of causes of the Deepwater Horizon explosion, fire, and oil spill by the National Academy of Engineering; National Research Council mentions the following:
"1.The incident at the Macondo well and Deepwater Horizon MODU was precipitated by the decision to proceed to temporary abandonment of the exploratory well despite indications from several repeated tests of well integrity [the test type known as a negative (pressure) test] that the cementing processes following the installation of a long-string production casing failed to provide an effective barrier to hydrocarbon flow (Sections II and III).
2. The impact of the decision to proceed to temporary abandonment was compounded by delays in recognizing that hydrocarbons were flowing into the well and riser and by a failure to take timely and aggressive well-control actions. Furthermore, failures and/or limitations of the BOP, when it was actuated, inhibited its effectiveness in controlling the well (Sections III and IV).
3. The failures and missed indications of hazard were not isolated events during the preparation of the Macondo well for temporary abandonment. Numerous decisions to proceed toward abandonment despite indications of hazard, such as the results of repeated negative-pressure tests, suggest an insufficient consideration of risk and a lack of operating discipline. The decisions also raise questions about the adequacy of operating knowledge on the part of key personnel. The net effect of these decisions was to reduce the available margins of safety that take into account complexities of the hydrocarbon reservoirs and well geology discovered through drilling and the subsequent changes in the execution of the well plan (Section VI).
4. Other decisions noted by the committee that may have contributed to the Macondo well accident are as follows:
• Changing key supervisory personnel on the Deepwater Horizon MODU just prior to critical temporary abandonment procedures (Section VI);
• Attempting to cement the multiple hydrocarbon and brine zones encountered in the deepest part of the well in a single operational step, despite the fact that these zones had markedly different fluid pressures (because of the different fluid pressures, there was only a small difference between the cement density needed to prevent inflow into the well from the high-pressure formations and the cement density at which an undesirable hydraulic fracture might be created in a low pressure zone) (Section II);
• Choosing to use a long-string production casing in a deep, high-pressure well with multiple hydrocarbon zones instead of using a cement liner over the uncased section of the well (Section II);
• Deciding that only six centralizers would be needed to maintain an adequate annulus for cementing between the casing and the formation rock, even though modeling results suggested that many more centralizers would have been needed (Section II);
• Limiting bottoms-up circulation of drilling mud prior to cementing, which increased the possibility of cement contamination by debris in the well (Section II);
• Not running a bond log after cementing to assess cement integrity in the well, despite the anomalous results of repeated negative-pressure tests (Section II);
• Not incorporating a float shoe at the bottom of the casing as an additional barrier to hydrocarbon flow (Section II); and
• Proceeding with removal of drilling mud from the well without installing the lockdown sleeve on the production casing wellhead seals to ensure the seals could not be shifted by pressure buildup under the seals (Section II).
5. Available evidence suggests there were insufficient checks and balances for decisions involving both the schedule to complete well abandonment procedures and considerations for well safety (Section VI).
6. The decisions mentioned above were not identified or corrected by the operating management processes and procedures of BP or those of their contractors or by the oversight processes employed by the Minerals Management Service (MMS) or other regulators (Sections VI and VII).
7. Currently, there are conflicting views among experts familiar with the incident regarding the type and volume of cement used to prepare the well for abandonment.There are also conflicting views on the adequacy of the time provided for the cement to cure. These factors could have had a material impact on the integrity of the well (Section II).
8. The BOP did not control—or recapture control of—the well once it was realized that hydrocarbons were flowing into the well. Also, both the emergency disconnect system designed to separate the lower marine riser from the rest of the BOP and automatic sequencers controlling the shear ram and disconnect failed to operate (Section IV).
9. Given the large quantity of gas released onto the MODU and the limited wind conditions, ignition was most likely. However, the committee will be looking into reports (such as testimony provided at the MBI hearings) that various alarms and safety systems on the Deepwater Horizon MODU failed to operate as intended, potentially affecting the time available for personnel to evacuate (Section V).
10. The various failures mentioned in this report indicate the lack of a suitable approach for anticipating and managing the inherent risks, uncertainties, and dangers associated with deepwater drilling operations and a failure to learn from previous near misses(Section VI).
11. Of particular concern is an apparent lack of a systems approach that would integrate the multiplicity of factors potentially affecting the safety of the well, monitor the overall margins of safety, and assess the various decisions from perspectives of well integrity and safety. The “safety case” strategy required for drilling operations in the North Sea and elsewhere is one example of such a systems approach (Section VII)
Read the full report in this link.

Static electricity and explosives

An article in the Times of India mentions the following about the recent blast in the cordite factory at Ooty:"factory staff suggest that mere "human vibrations" are enough to trigger a calamity in the highly explosive environment of the dough making unit....At the 13 by 13 feet at the incorporation unit where the blast occurred, earth plates and poles have been positioned for the workers to release their "vibrations" after they perform every small task."
Apparently the "human vibrations" they are talking about is nothing but static electricity. A static discharge spark can readily detonate primary explosives. From the article, all measures to avoid static electricity generation were reportedly taken. It will be good if the investigation team shares reasons on what caused the accident without breaching confidentiality as it is a defense unit.
Read the Times of India article in this link.

Safety Integrity Levels - Hip or Hype?

Yesterday I attended a seminar on "Safety Integrity - Life cycle approach", organised by ISA at IIT, Madras.The IEC 61508 and 61511 standards were discussed. Having interacted with many users, I think the problem with the safety integrity approach lies somewhere between hip and hype. When I mean hip, many users think that just be implementing a SIL 3 capable system, everything will be hunky dory. Not so! It requires a lot of operations and maintenance inputs throughout the life cycle of the system to ensure that it maintains its reliability. While instrument manufacturers often tend to go overboard to sell their ides to the client and engineering, procurement and construction companies also tend to recommend such systems to their clients, ultimately it is the the client who has to decide what level of risk is he prepared to take and whether existing instruments will be sufficient, without going in for a detailed SIL study. Unfortunately many clients do not have the technical support requires to make such decisions and rely on the designer. I go back to the analogy I had given in my earlier posts - We had operated a pneumatic controlled ammonia plant (no DCS, no smart transmitters, no fieldbus, no HART) quite successfully in the eighties for over a decade without an instrument failure that caused a spurious trip or fail dangerous undetected state. The answer to the question whether safety integrity is Hip or Hype lies in the understanding of risks by the client and is solely based on his decision. So the answer lies inbetween!!

Blast in cordite factory

Its ironical that my last blog was about a blast in a test tube. Today there is news about a massive explosion in the cordite factory in Ooty, that killed at least 5 people.A news report mentions that "An intermediary process of mixing dough (a nitrocellulose-nitroglycerine paste) was in progress when the explosion occurred. It brought down a part of the building".
Read the articles in these links":
Blast1
Blast2

A test tube explosion!

An accident at a school lab in the US indicates the dangers of chemicals. A news article mentions the following: "It was a simple science experiment designed to create a small combustion in a glass container and teach high schoolers about chemical reactions.A mixture of three chemicals -- potassium chlorate, manganese dioxide and glycerin -- and a dash of sugar heated over a Bunsen burner in a test tube were supposed to cause a pop and a puff of smoke, demonstrating an exothermic reaction to a class of Grade 11 students at F.J. Brennan Catholic high school.But something went wrong Tuesday morning. The test tube exploded, launching shards of glass across the science lab and injuring teacher Steve Pellarin and three students.No one was seriously hurt, but Pellarin sustained cuts to his face and hands. The students had minor lacerations, and no one sustained any chemical burns, said Windsor-Essex Catholic District School Board spokeswoman Jill Braido".
Read the article in this link.
Wikepedia mentions the following:
"Potassium chlorate is often used in high school and college laboratories to generate oxygen gas[citation needed]; it is a far cheaper source than a pressurized or cryogenic oxygen tank. Potassium chlorate will readily decompose if heated in contact with a catalyst, typically manganese (IV) dioxide (MnO2). Thus, it may be simply placed in a test tube and heated over a burner. If the test tube is equipped with a one-holed stopper and hose, warm oxygen can be drawn off. The reaction is as follows:
2KClO3(s) + heat → 3O2(g) + 2KCl(s)
The safe performance of this reaction requires very pure reagents and careful temperature control. Molten potassium chlorate is an extremely powerful oxidizer and will spontaneously react with many common materials. Explosions have resulted from liquid chlorates spattering into the latex or PVC tubes of oxygen generators, as well as from contact between chlorates and hydrocarbon sealing greases. Impurities in potassium chlorate itself can also cause problems. When working with a new batch of potassium chlorate, it is advisable to take a small sample (~ 1 gram) and heat it strongly on an open glass plate. Contamination may cause this small quantity to explode, indicating that the chlorate should be discarded".
For folks operating chemical reactors in the industry, know what you are dealing with!

Trapped inside a pipe for 80 hours

A Chinese worker in an offshore platform was reportedly trapped inside a pipe when he was inside it doing some work. The pipe apparently collapsed due to water pressure and the worker was trapped for 80 hours before he was rescued.Read the article in this link.

H2S the deadly killer

A news report mentions that 3 people were killed when H2S gas leaked out probably form a burst pipeline in an refinery in Israel. The accident occurred when maintenance work was going on. The report mentions that "An initial investigation points to a technical malfunction in a pipe to a unit that burns off the waste gas from the refining process".
Now every "technical" malfunction is caused by a "human" malfunction. I have observed many incident reports which do not want to discuss the human issue at all. Its like the saying "we are like that only"!!!
Read the report in this link.

Fire in chemical factory at Vadodara

A news report mentions that a major fire broke out at a chemical factory in Vadodara, killing one. The company manufactures industrial solvents which are highly flammable substance.The video accompanying the news item depicts the company entrance mentioning it is an ISO 9001,ISO 14001 and OHSAS 18001 certified company. Is there a lesosn to learn from this?? See the video in this link.
Read another article on the blast in this link

Ammonia leak at Navi Mumbai

Ammonia is used in many cold storages across the country.I have been reading regular reports of ammonia leaks from such facilities in the USA and it is really alarming. Now a newspaper report mentions about a ammonia leak incident in a cold storage facility in Navi Mumbai, India which caused 10 people to be hospitalized. In India, ammonia is manufactured in many large scale ammonia plants in the private as well as public sector. As part of their Corporate Social Responsibility initiatives, these organizations should train the small scale cold storage owners on the hazards of ammonia and its safe handling and maintenance procedures. Read the news article in this link.
Read another article on the accident in this link.

Accident in Chemical factory in China

The Hindustan Times has reported an accident in a chemical plant in China where three people were killed. The article mentions "The factory produced an array of chemicals ranging from common food additives to compounds used in making plastics and paper, according to the company website.
Two of the injured were in serious condition, the report said. In China, considered one of the world's most dangerous places to work, an average of 187 people were killed in work-related accidents on each day in the first half of this year, the government has said'.
Another article mentions that PVC was produced in the plant.While details of the accident are not known, the production of PVC deals with polymerization reactions that must be controlled carefully to avoid the chance of an accident. I have seen plants where batch operations of critical reactions are carried out manually. As experience levels in the chemical industry are coming down drastically, managements must periodically re assess their risk.
Read the article in this link.

Lessons in Process Safety Management from aviation incidents

Two air accidents that I have been tracking closely is the Air India express Mangalore air plane crash and the Qantas Airbus superjumbo incident in Singapore. Details of the CVR recordings from India express crash now reveal that the pilot had slept for 90 minutes during the flight and was suffering from “sleep inertia” when he was attempting to land. How many of you consider your poor shift crew in this light? When I was working in shifts, I have experienced this sleep inertia even though I had slept well during the day.
A news article about the Qantas Superjumbo Rolls Royce engine incident it was a “worst case scenario” when one of its four engines exploded. The article reports that the crew were inundated with 50 error messages. However for the pilots, luck was on their side, there was no fire, and they managed to land the plane safely.
''It could have been much, much worse,'' says Richard Woodward, a Qantas A380 captain and a vice-president of the Australian and International Pilots Association. ''It could probably be termed a one-in-100 million event with bits and pieces going everywhere.''
Smith, a two-time chairman of Australia's aviation watchdog, says it was lucky QF32 did not become a repeat of the Concorde crash in 2000.
Smith says that the public has come to expect the impossible - aircraft being fail-safe. ''It is almost like people believe that flying in the air is perfectly safe. Even the most disciplined person can make an error - it is the same with design.''
''One of the things in aviation safety is 'hindsight bias'. It is so easy after an accident to say they should have known,'' says Thomas Anthony, the director of aviation safety at the University of Southern California.
''It is part of the problem of new engines and new aeroplanes. Change is a frequent precondition to error,'' Anthony says. ''When you are changing things you really do need to have a very robust change management process to identify potential problems.''
The above accidents had direct parallels to process safety. Learn lessons from them!
Read the articles in these links
Air India Express Crash
Qantas Superjumbo incident
PS: I have a deep interest in aviation safety as my Dad was a pilot and I have spent many days in the cockpit with him when I was young!

The familiar technical and safety failures

An article mentions the following about the BP oil rig disaster:
"A sorry catalogue of technical, safety and regulatory failures all contributed to the Deepwater Horizon oil spill in the Gulf of Mexico, according to an interim independent report commissioned by the US Department of the Interior and published today.
The oil spill began on 20 April when an uncontrolled release of oil and gas from an underwater well caused an explosion that engulfed the Deepwater Horizon rig, killing 11 crewmen on board. The leak continued until 15 July, releasing about 5 million barrels of oil into the Gulf, the largest accidental marine oil spill in history.
The report highlights a number of failures that led to the accident. It says the well had not been properly sealed with cement and that this allowed oil and gas to escape.
The "pivotal moment" came when workers carried out several pressure tests to check the integrity of the well but ignored the signs that something was wrong, said Paul Bommer, a petroleum engineer at the University of Texas at Austin and a member of the panel of experts that produced the report.
The report says the panel has not yet had time to work out why the blowout preventer, a giant valve on the seafloor which should have stopped the flow of oil as a measure of last resort, failed to activate".
Always, technical as well as safety failures occur for an incident to happen. Just by implementing management systems does not mean you can prevent an incident. Today, there is also a lot of talk about behavior based safety management systems, but as I have mentioned earlier, I am not a fan of this. It needs constant 24X7 safety oriented behaviour by top management, be it budget allocation, decision making, manpower allocation, gauging technical competency to manage cost cutting etc to ensure process safety is managed well.
Read the full article in this link.