It’s not whether you win or lose, it’s how you place the blame
BP is not all that impressed by the movie, which is very much Hollywood’s version of events, according to them.
Here from Splash 24/7 today: http://splash247.com/bp-slams-deepwater-horizon-movie/
A fish rots from the head.
It’s become more and more obvious to me over the years how important the top four people, the captain, chief, C/M and 1 A/E are to the smooth running of the ship. It’s not always possible to have an excellent crew but it is possible to improve most crews or to replace poor performers if need be.
It’s also possible to be aware of a crew’s limitations and keep them out of trouble. However if the top four are not competent then there are very sharp limits to how well crews can preform and worse case scenario inexperienced or incompetent leadership can get even the best crews in trouble.
Every crew has a point when things, little by little, start to fall apart. How much sense does it make to focus on the crew alone and not on the people who, without being aware of what was happening, pushed the crew well beyond reasonable limits?
Do the people in charge have no responsibility to be aware that they are pushing crews to the limits and beyond?
Does reading this email exchange give anyone the sense eveything is OK?
On April 17, 2010, BP’s Houston-based “Wells Team Leader” for the Macondo well, John Guide, e-mailed David Sims, another Houston-based BP executive and Guide’s boss:
David, over the past four days there has been so many last minute changes to the operation that the WSL’s [BP’s rig-based Well Site Leaders] have finally come to their wits end. The quote is ‘flying by the seat of our pants.’ Moreover, we have made a special boat or helicopter run every day. Everybody wants to do the right thing, but, this huge level of paranoia from engineering leadership is driving chaos. This operation is not Thunderhorse. Brian [BP’s Brian Morel, a Houston-based engineer] has called me numerous times trying to make sense of all the insanity. Last night’s emergency evolved around the 30 [barrels] of cement spacer behind the top plug and how it would affect any bond logging (I do not agree with putting the spacer above the plug to begin with). This morning Brian called me and asked my advice about exploring opportunities both inside and outside of the company. What is my authority? With the separation of engineering and operations, I do not know what I can and can’t do. The operation is not going to succeed if we continue in this manner.
The same day, David Sims responded to Guide’s e-mail.
John, I’ve got to go to dance practice in a few minutes. Let’s talk this afternoon. . . . We’ve both [been] in Brian’s position before. The same goes for him. We need to remind him that this is a great learning opportunity, it will be over soon, and that the same issues - or worse - exist anywhere else . . . I’ll be back soon and we can talk. We’re dancing to the Village People.
[QUOTE=Kennebec Captain;191065]Does reading this email exchange give anyone the sense eveything is OK?
On April 17, 2010, BP’s Houston-based “Wells Team Leader” for the Macondo well, John Guide, e-mailed David Sims, another Houston-based BP executive and Guide’s boss:
The same day, David Sims responded to Guide’s e-mail.[/QUOTE]
Sure am glad the priorities were in order. . .
[QUOTE=c.captain;191043]Earl, if everyone and everything associated with the rigfloor was violently destroyed when that massive explosion occurred, what evidence survived to tell us what actions were attempted and when? there is no data recorder for cyber chairs! over clearcomm with the DPO?[/QUOTE]
Now you get an idea of why it took five years and a peer review team of drilling experts to figure out what little we know 
The BOP was fished out of the water (with great fanfare – FBI escort and all that) and subjected to forensic analysis by DNV. A lot can be (tediously) deduced by analysis of the Sperry Sun telemetry to shore. The drill crew notified the bridge that they were in a well control situation and called the Senior Toolpusher asking for him to come to the drill floor and telling him they were trying to shut in the well. He was on his way when the thing blew.
Earl
[QUOTE=Jamesbrown;191021]could you be a little more specific on the regulatory deadline? Seems to me they got the lease in 2003, not sure how long a term but if current guide is any indicator they would have got 8-10 years to drill, but they had drilled and found oil, once with DWH once with another rig. What deadline was relevant?[/QUOTE]
According to the letter sent by BP to MMS the day before the blowout asking for a suspension of operations, “The Kaskida Unit is currently held by previous continuous drilling operations that concluded on November 18, 2009. The 180 day allowance to resume operation will expire on May 16, 2010.” (MDL 2179 Deposition Exhibit 2285)
BP had actually put more on the Horizon’s plate by scheduling them to do a plug and abandon of a well called Nile before they moved to Kaskida. Nile was east of Macondo, Kaskida was far to the southwest.
Cheers,
Earl
but how much is actually known about the steps taken to kill the well before it became too late to do so? we know there was time after the initial eruption of gas, water and mud before the massive detonation caused by the generator running wild. do we have any clue what happened during those 20 seconds (correct me if that amount of time is not accurate but that is what I recall reading). I still hold that too much critical time was lost to attempt sealing off the well bore which was either people not knowing what to do, being too scared shitless to do it, having too complicated of procedures in place or not wanting to take the responsibility to do it (or any combination of the above if you please)
The BOP was fished out of the water (with great fanfare – FBI escort and all that) and subjected to forensic analysis by DNV. A lot can be (tediously) deduced by analysis of the Sperry Sun telemetry to shore. The drill crew notified the bridge that they were in a well control situation and called the Senior Toolpusher asking for him to come to the drill floor and telling him they were trying to shut in the well. He was on his way when the thing blew.
ok but was evidence discovered that the shear rams were attempted to be activated or is it inferred that the driller was waiting for the toolpusher to arrive at the driller’s shack before taking that action? in this instance was there any other line of defense to fall back to to prevent the blowout?
ok, got many answers from this video which has clarified much although somewhat skewed to make TO look like everything was done right by their people…was it or not? were the right actions taken but just too late to stop the disaster?
[QUOTE=c.captain;191073]but how much is actually known about the steps taken to kill the well before it became too late to do so? we know there was time after the initial eruption of gas, water and mud before the massive detonation caused by the generator running wild. do we have any clue what happened during those 20 seconds (correct me if that amount of time is not accurate but that is what I recall reading). I still hold that too much critical time was lost to attempt sealing off the well bore which was either people not knowing what to do, being too scared shitless to do it, having too complicated of procedures in place or not wanting to take the responsibility to do it (or any combination of the above if you please)
ok but was evidence discovered that the shear rams were attempted to be activated or is it inferred that the driller was waiting for the toolpusher to arrive at the driller’s shack before taking that action? in this instance was there any other line of defense to fall back to to prevent the blowout?[/QUOTE]
Minor clues about the steps, nothing solid. Once gas gets in the riser you’re pretty much a goner and closing in the well won’t do you much good. Given the lack of event data recording, the range of possible timing for activation of the blind shear ram (there was only one of them) is two days. (I am not joking here).
It’s important to understand what a POS that BOP was as an emergency response device. As far as we know there was nobody on that rig who had ever activated a blind shear ram in an emergency, and some of that crew had forty or fifty wells under their belts. In an emergency there are a hundred ways that thing could have failed and only a handful of ways it would have worked. I think they followed proper procedure and were let down by their gear. YMMV, as they say on the tubes of the interwebs Read the chapter and I’ll be happy to discuss the sequence on a minute by minute basis.
Earl
PS. Posted this before seeing your #29.
this video not from TO is definitely not as favorable to them and their maintenance of the BOP. in fact is indicates that the deadman closing of the blind shear rams while not effective to seal the well was still just shit luck
I say that the blind shear rams had to be activated before the massive explosion which destroyed the MUX cables and there was three full minutes available to do so. Now tell me your professional opinion, you do believe that they did try in the driller’s shack to activate the blind shear rams before everything detonated? I am doubtful myself.
of course, if the all rig shutdown had been activated on the bridge during those three minutes, then it is just possible the massive detonation might not have occurred and if the EDS initiated they could have at least become unlatched, so we can point fingers there too.
The approach used in the book Earl cowrote is explained in the introduction to the book, the approach used is systems approach as per Nancy Leveson. This approach is also explained in this post:
Accident analysis and systems thinking - Post at Understanding Society about an essay"A New Accident Model for Engineering Safety"
by Nancy Leveson
This is from the linked post at [Understanding Society.](Complex socio-technical systems fail; that is, accidents occur. And it is enormously important for engineers and policy makers to have a better way of thinking about accidents than is the current protocol following an air crash, a chemical plant fire, or the release of a contaminated drug. We need to understand better what the systems and organizational causes of an accident are; even more importantly, we need to have a basis for improving the safe functioning of complex socio-technical systems by identifying better processes and better warning indicators of impending failure. A long-term leader in the field of systems-safety thinking is Nancy Leveson, a professor of aeronautics and astronautics at MIT and the author of Safeware: System Safety and Computers (1995) and Engineering a Safer World: Systems Thinking Applied to Safety (2012). Leveson has been a particular advocate for two insights: looking at safety as a systems characteristic, and looking for the organizational and social components of safety and accidents as well as the technical event histories that are more often the focus of accident analysis. Her approach to safety and accidents involves looking at a technology system in terms of the set of controls and constraints that have been designed into the process to prevent accidents. “Accidents are seen as resulting from inadequate control or enforcement of constraints on safety-related behavior at each level of the system development and system operations control structures.” (25) The abstract for her essay “A New Accident Model for Engineering Safety” (link) captures both points.)
Complex socio-technical systems fail; that is, accidents occur. And it is enormously important for engineers and policy makers to have a better way of thinking about accidents than is the current protocol following an air crash, a chemical plant fire, or the release of a contaminated drug. We need to understand better what the systems and organizational causes of an accident are; even more importantly, we need to have a basis for improving the safe functioning of complex socio-technical systems by identifying better processes and better warning indicators of impending failure.
A long-term leader in the field of systems-safety thinking is Nancy Leveson, a professor of aeronautics and astronautics at MIT and the author of Safeware: System Safety and Computers (1995) and Engineering a Safer World: Systems Thinking Applied to Safety (2012). Leveson has been a particular advocate for two insights: looking at safety as a systems characteristic, and looking for the organizational and social components of safety and accidents as well as the technical event histories that are more often the focus of accident analysis. Her approach to safety and accidents involves looking at a technology system in terms of the set of controls and constraints that have been designed into the process to prevent accidents. “Accidents are seen as resulting from inadequate control or enforcement of constraints on safety-related behavior at each level of the system development and system operations control structures.” (25)
The abstract for her essay “A New Accident Model for Engineering Safety” captures both points.
[QUOTE=c.captain;191076]this video not from TO is definitely not as favorable to them and their maintenance of the BOP. in fact is indicates that the deadman closing of the blind shear rams while not effective to seal the well was still just shit luck
I say that the blind shear rams had to be activated before the massive explosion which destroyed the MUX cables and there was three full minutes available to do so. Now tell me your professional opinion, you do believe that they did try in the driller’s shack to activate the blind shear rams before everything detonated? I am doubtful myself.
of course, if the all rig shutdown had been activated on the bridge during those three minutes, then it is just possible the massive detonation might not have occurred and if the EDS initiated they could have at least become unlatched, so we can point fingers there too.[/QUOTE]
We and the CSB disagree on this point (I am in exchanges with one of their consultants). They think the AMF actuated the blind shear ram (not rams - important point). My co-author has decades of experience with these kinds of electromechanical control systems and his assessment after studying the control circuitry is that AMF initiation is least likely option. My personal opinion is that the toolpusher pushed the buttons and nothing happened. Or it closed but owing to the pressure in the drill pipe the pipe was already off center. Or the fact that the riser became buoyant and banged against the rig, possibly damaging the cable connections at the upper end.
The evidence is that the toolpusher was in the middle of the emergency sequence: the annular was closed, the VBR was actuated, the bridge and the senior toolpusher were notified that they were in a well control situation and were shutting in the well. Given what we know about the toolpusher’s ability and personality, I find it doubtful that he didn’t push the BSR button. But thanks to the crap design of that system, we’ll never know.
Earl
[QUOTE=Kennebec Captain;191085]The approach used in the book Earl cowrote is explained in the introduction to the book, the approach used is systems approach as per Nancy Leveson. This approach is also explained in this post:
[B]Accident analysis and systems thinking - [/B]Post at Understanding Society about an essay"A New Accident Model for Engineering Safety"
by Nancy Leveson
This is from the linked post at [Understanding Society.](Complex socio-technical systems fail; that is, accidents occur. And it is enormously important for engineers and policy makers to have a better way of thinking about accidents than is the current protocol following an air crash, a chemical plant fire, or the release of a contaminated drug. We need to understand better what the systems and organizational causes of an accident are; even more importantly, we need to have a basis for improving the safe functioning of complex socio-technical systems by identifying better processes and better warning indicators of impending failure. A long-term leader in the field of systems-safety thinking is Nancy Leveson, a professor of aeronautics and astronautics at MIT and the author of Safeware: System Safety and Computers (1995) and Engineering a Safer World: Systems Thinking Applied to Safety (2012). Leveson has been a particular advocate for two insights: looking at safety as a systems characteristic, and looking for the organizational and social components of safety and accidents as well as the technical event histories that are more often the focus of accident analysis. Her approach to safety and accidents involves looking at a technology system in terms of the set of controls and constraints that have been designed into the process to prevent accidents. “Accidents are seen as resulting from inadequate control or enforcement of constraints on safety-related behavior at each level of the system development and system operations control structures.” (25) The abstract for her essay “A New Accident Model for Engineering Safety” (link) captures both points.)[/QUOTE]
I certainly hope our book convinces the world that it is time to give Swiss cheese and bowties a decent burial.
Cheers,
Earl
[QUOTE=Earl Boebert;191091]I certainly hope our book convinces the world that it is time to give Swiss cheese and bowties a decent burial.
Cheers,
Earl[/QUOTE]
I used to sail mate on the Aleutians freighters where seamanship is about Fingerspitzengefühl. We sometimes parted lines, dropped loads, damaged equipment but it’s a quick feedback, do something wrong, something bad happens. It’s a small world and if you pay attention you can learn quick.
For people with that type of background stuff like this seems like buzzword bullshit:
Modeling complex organizations or industries using system theory involves dividing them into hierarchical levels with control processes operating at the interfaces between levels (Rasmussen, 1997).
However I’ve worked at operations with a lot more moving parts, far less then drilling in deep water but still more complex then being on deck of a small coastal freighter.
In this case I’ve learned that when the tempo is fast, margins are small and the port sequence gets changed while we are running coastwise; something is going to go wrong. Don’t know what, but things are not going to go smooth.
What we did was start with most urgent/important tasks and start revising plans even while operations were on-going. We didn’t have the manhours to do it 100% and it never goes completely right.
That experience, seeing good seaman in situations where things get out of hand, has made me more receptive to moving beyond the finger-pointing.
[QUOTE=Kennebec Captain;191092]I used to sail mate on the Aleutians freighters where seamanship is about Fingerspitzengefühl. We sometimes parted lines, dropped loads, damaged equipment but it’s a quick feedback, do something wrong, something bad happens. It’s a small world and if you pay attention you can learn quick.
For people with that type of background stuff like this seems like buzzword bullshit:
[quote omitted by forum system]
However I’ve worked at operations with a lot more moving parts, far less then drilling in deep water but still more complex then being on deck of a small coastal freighter.
In this case I’ve learned that when the tempo is fast, margins are small and the port sequence gets changed while we are running coastwise; something is going to go wrong. Don’t know what, but things are not going to go smooth.
What we did was start with most urgent/important tasks and start revising plans even while operations were on-going. We didn’t have the manhours to do it 100% and it never goes completely right.
That experience, seeing good seaman in situations where things get out of hand, has made me more receptive to moving beyond the finger-pointing.[/QUOTE]
Sure. What you point out is what I regard as the central problem in achieving (as opposed to talking about) systems safety: how to bridge the gap between analytic models, which look at life backwards, and the needs of practitioners, who must live life in the forward direction. I’ve not seen any easy answers.
Cheers,
Earl
1 Like
[QUOTE=Earl Boebert;191090]We and the CSB disagree on this point (I am in exchanges with one of their consultants). They think the AMF actuated the blind shear ram (not rams - important point). My co-author has decades of experience with these kinds of electromechanical control systems and his assessment after studying the control circuitry is that AMF initiation is least likely option. My personal opinion is that the toolpusher pushed the buttons and nothing happened. Or it closed but owing to the pressure in the drill pipe the pipe was already off center. Or the fact that the riser became buoyant and banged against the rig, possibly damaging the cable connections at the upper end.
The evidence is that the toolpusher was in the middle of the emergency sequence: the annular was closed, the VBR was actuated, the bridge and the senior toolpusher were notified that they were in a well control situation and were shutting in the well. Given what we know about the toolpusher’s ability and personality, I find it doubtful that he didn’t push the BSR button. But thanks to the crap design of that system, we’ll never know.
Earl[/QUOTE]
Thank you Earl…there remains much still to discuss but will have to wait till later today
[QUOTE=c.captain;191097]Thank you Earl…there remains much still to discuss but will have to wait till later today[/QUOTE]
back now so instead of asking many detailed questions Earl let me ask you this:
in your opinion were the actions taken by the ontour toolpusher and drillers to secure the well taken in adequate time based on your analysis or did precious minutes pass watching the well go wildly out of balance after the cement plugs failed? It appears that only the upper annular was closed before the initial blowout occurred on the rig floor. If the pipe rams had been closed at the same time as the annular would not the quantity of gas released been much reduced.
I still cannot believe that the drillers did not sit on their hands somehow not wanting to take the responsibility for the massive fallout that would have come from upper management if a full blown emergency was declared and shear ram activated before a full blown emergency was upon them whereby it was obviously too late to act.
[QUOTE=c.captain;191114]back now so instead of asking many detailed questions Earl let me ask you this:
in your opinion were the actions taken by the ontour toolpusher and drillers to secure the well taken in adequate time based on your analysis or did precious minutes pass watching the well go wildly out of balance after the cement plugs failed? It appears that only the upper annular was closed before the initial blowout occurred on the rig floor. If the pipe rams had been closed at the same time as the annular would not the quantity of gas released been much reduced.
I still cannot believe that the drillers did not sit on their hands somehow not wanting to take the responsibility for the massive fallout that would have come from upper management if a full blown emergency was declared and shear ram activated before a full blown emergency was upon them whereby it was obviously too late to act.[/QUOTE]
I don’t have either the evidence or the experience to answer that question. It is possible that the crew underestimated the magnitude of the kick they were taking. It appears that they were trying to diagnose the situation starting a little after 9:30. They were distracted by the fact that they had blown the popoff valve on the pump connected to the kill line when they started the pump, presumably in preparation to circulate heavier mud into the well. They told the first mate, who had stopped by the shack to check on when cement would be needed for the “surface” plug, that there would be a one or two hour delay in cementing and he overheard the toolpusher say “we may need to circulate.” During this period there is evidence that they tried to do a flow test using the trip tank. By 9:45 gas was clearly in the riser. And that is all we know. So your hypothesis and mine sit equally balanced on the scales of evidence.
Earl
I see the instant blackout by a DP3 vessel due to poor DP3 engine room ventilation specifications seems to have been lost…
USCG asked the question…oops ABS
Plenty of DP2 vessels with separated engines rooms would have survived longer…not that might have made any difference but?