Can performance-based safety processes prevent offshore oil spills?

CHUCK MILLER, Emerson Process Management

After being raised from the seabed, the Macondo BOP and its LMRP were separated and transported to the NASA Michoud Assembly Facility in Louisiana for post-mortem testing.

Considering the challenges put before Gulf of Mexico exploration and production companies in the last few months, many industry experts are asking if enough is being done to guarantee the protection of assets, the environment and facility personnel.

Performance-based risk assessment programs have been employed in the downstream refining and chemical industries with varying amounts of success. Should these standards be employed in the upstream oil and gas applications, or will this simply drive more complexity and cost into an industry already challenged with cost?

What we know about the Macondo BOP. The drill pipe was "deflected ... from the moment the well began flowing." Whether or not the shear rams worked when called on, they couldn't get a clean cut on the pipe, where oil and gas was flowing out.

Many sources for reference have been established by the 551-page DNV report and by the more recent NAE/NRC report (see sidebar on pages 52-53).

Most authorities agree that the BOP did operate as designed, but was not able to respond to a subsequent, unforeseen failure mode. Armchair quarterbacks might ask if it was fit for purpose and question the sizing, installation and adequacy of testing procedures. By definition, the BOP did fail and did not achieve a safe state, which had significant consequences for exploration and production in the Gulf of Mexico.

Considering this previously unrecognized failure mode has now occurred, how do we prevent a similar event in the future? Are there processes or tools that could be put in place to identify every type of BOP failure?

IEC standards. Some observers have said that IEC 61511, “Functional safety - Safety instrumented systems for the process industry sector,” would have a significant impact on the design of future BOP systems. Others, however, have said that applying IEC 61511 to drilling applications would be like “pounding a square peg into a round hole.”

IEC 61508, on the other hand, is a basic, functional safety standard that can be applied to literally any device. Could IEC 61508 be used to uncover dangerous failure modes in the BOP? Some have argued that it is reasonable to expect that a BOP designed with this process would be superior to the very specific, detailed and exhaustive requirements of BOP-specific API standards.

If this is true, what is contained in this generic, subjective document that would provide design outcomes superior to a guidance document that is based on dozens of years of field experience with a very specific application?

To many, the answer is “nothing”–61508 simply does not include the processes to improve an experience-based design. It would, however, evoke the use of the HAZOP process that is discussed in the next section.

HAZOP. Does the Hazards and Operability Analysis (HAZOP) process have universal onshore and offshore applicability? Would the BOP failure mode in question even be considered during a structured HAZOP review?

Many feel that conducting a HAZOP to identify the hazards and determine the level of risk and required safety performance is the right way to go. Once completed, this would allow the reliability engineer a basis to design the appropriate equipment solution to mitigate the risk and provide for the definition of the proof-testing requirements.

According to the Product Quality Research Institute, HAZOP is a structured, systematic technique for system examination and risk management. It is often used as a technique for identifying potential hazards in a system and identifying operability problems likely to lead to nonconforming products. HAZOP is based on a theory that assumes risk events are caused by deviations from design or operating intentions. Identification of such deviations is facilitated by using sets of “guide words” as a systematic list of deviation perspectives. This approach is a unique feature of HAZOP methodology that helps stimulate the imagination of team members when exploring potential deviations.

As a risk assessment tool, HAZOP is often described as:

• A brainstorming technique
• A qualitative risk-assessment tool
• An inductive risk-assessment tool, meaning that it is a “bottom-up” risk identification approach, where success relies on the ability of subject matter experts (SMEs) to predict deviations based on past experiences and general expertise.

Considering the preceding definition, would a discussion of this scenario have occurred during the course of a HAZOP? Wouldn’t using a set of “guide words” as a systematic list of deviation perspectives result in a discussion of only failure modes that have a historical precedent?

Seasoned engineers realize that most HAZOPs neglect a very large percentage of known hazards, and are not a good tool to uncover previously unknown or unreported failure modes.

Performance-based design standards. While many standards exist for drilling platforms, experience suggests that prescriptive standards can, and do, work well, due to similarities among BOPs. However, some argue that the IEC 61511 approach could have revealed the unknown failure mode left uncovered by the existing API standards for BOP design.

As one experienced safety expert remarked in a blog posting: “A prescriptive standard may be needed for equipment as specialized as a BOP. If the BOP was also subjected to a performance-based design approach like IEC 61508, the process may have led to the consideration of risk associated with drill pipe damage and tool joints in the BOP.”

In process-related industries, major oil companies have documented some success in using a combined prescriptive/performance-based approach, but does IEC 61508 have anything to offer in this instance? While IEC 61508 is a great design tool, its guidance on interaction between safety equipment and the physical process has been referred to as “between insufficient and non-existent.” The guidance in the IEC standard lacks the basis for identifying equipment/application mismatch.

Most agree that there are similarities in the BOP scenario and the design of topsides safety functions, where the use of the prescriptive API 14C guidance in conjunction with IEC61511 analysis and safety lifecycle principles has provided a reduction of risks not adequately addressed by API 14C alone.

In conclusion, because IEC 61511 is such a generic process that does not consider the unique attributes of very specialized equipment, design specifics are improved only by prescriptive standards, prescriptive regulations and prescriptive workflow processes.

BOP test requirements. Testing procedures and their fault coverage factor have been called into question. However, one must keep in mind that the Macondo BOP did activate. One must take a closer look at the facts:

By DOI requirements, BOPs must be tested regularly. The tests do not include activating the shear rams during drilling, as cutting the drill pipe would result in the substantial cost of fishing to remove the cut pipe from the bore hole.

Engineers experienced in BOP design have also recognized that older BOPs were not designed to sever the newer high-strength drill pipe used in many of today’s deepwater wells. There is no amount of redundancy that will overcome the risk of an undersized BOP. Therefore, proper design and sizing of the BOP in accordance with API standards is imperative.

BOP application experts have also recognized that where two pieces of pipe are coupled, a BOP may not be able to completely separate the thicker piece of pipe. To overcome this problem dual-blind shear rams are deployed, spaced far enough apart so that a coupling contacted by one set of rams allows the other shear ram to do its job.

Accountability. In times of crises, is it reasonable to suggest that we take responsibility away from individuals and companies that are actually empowered with the decision-making process?

Virtually all of the critical decisions leading to the disaster were made by BP and its drilling subcontractors. By all accounts, the MMS did not have the review and approval of day-to-day decisions, which is where critical mistakes were made.

The Presidential report listed a series of decisions that saved time and increased the risk of a well incident. The only decision relative to the MMS concerned a surface plug, which was never installed, because the well blew out before BP could put it in place.

With both the authority and responsibility to oversee and manage construction activity and the associated processes and materials, regulators and end-users depend on the guidance documents generated by industry experts, in this case API ANSI and other standards bodies. This is where the focus should be.

Conclusions. According to the Presidential Commission report, “The blowout was not the product of a series of aberrational decisions made by rogue industry or governmental officials that could not have been anticipated or expected to occur again. Rather, the root causes are systemic and, absent significant reform in both industry practices and government policies, might well recur.”

In summary, there is no evidence to support an either/or debate; the BOP did, in fact, fail to meet the safety coverage that it was designed to provide. Any continuous improvement process merits the use of all available tools, including the implications of both prescriptive and performance-based standards. Prescriptive standards are easier to use and provide open access to cumulative knowledge. On the other hand, performance-based standards provide engineers and system designers a tool to and more fully analyze their processes and equipment. Shouldn’t the use of prescriptive standards stand as a baseline, augmented with the best analytical processes and tools, integrity targets and audited QA/QC workflows available?

In the end, the report may well support a call for competency and certification in all aspects of the safety system industry, and it is reasonable that we have a plan to protect us and the environment from ourselves.

ACKNOWLEDGEMENT
This article was prepared from the paper SPE-144491, “Will Performance Based Safety Processes Prevent Future Oil Spill Disasters?” presented at the SPE Offshore Europe Oil and Gas Conference and Exhibition held in Aberdeen, UK, Sept. 8, 2011.