Friday, September 10, 2010

BP Oil Spill: Content of the Accident Investigation Report

In my previous blog I looked at the context of the report; in this blog I want to look at the content of the report (report available at http://www.bp.com/sectiongenericarticle.do?categoryId=9034902&contentId=7064891). The investigation identified eight key causes that combined to produce the incident. The eight are:
  • The annulus cement barrier did not isolate the hydrocarbons
  • The shoe track barriers did not isolate the hydrocarbons
  • The negative-pressure test was accepted although well integrity had not been established
  • Influx was not recognised until hydrocarbons were in the riser
  • Well control response actions failed to regain control of the well
  • Diversion to the mud gas separator resulted in gas venting onto the rig
  • The fire and gas system did not prevent hydrocarbon ignition
  • The blowout preventer (BOP) emergency mode did not seal the well
For each of these causes some articles assign blame to BP and its contractors (e.g. BBC report - http://www.bbc.co.uk/news/world-us-canada-11230757, Guardian article - http://www.guardian.co.uk/environment/blog/2010/sep/08/bp-oil-spill-report-deepwater-horizon-blame-game). But how did the team investigate the cause within their TOR?

Appendix I of the report outlines the method used: fault tree analysis. Fault tree analysis (FTA) is a standard method of analysing technical failures of systems using Boolean logic to combine a series of lower-level or previous events. Originally developed in 1962 to analyse ICBM launch control systems (http://en.wikipedia.org/wiki/Fault_tree_analysis), the analysis starts with the undesired event as the top of the tree and then breaks the possible causes down into subsystems and assesses how these prior causes or initiators could arise. The analysis relies upon experts being able to identify how subsystems and their components fail and how these failures can build up to produce the top event, the undesired event (Figure 1). Once identified, each subsystem can be analysed to assess if it was likely to be the source of failure in the cascade that results in the top event. Failure of a lower subsystem can be prevented from producing a cascade of failures to the top event if some intervening subsystem does not fail. The number of possible ways failure can occur increases as the number of subsystems increases. As the number of subsystems reduces as the top event is approached, providing fail-safe systems becomes increasingly important as there are fewer and fewer pathways to failure. The process of creating and analysing a fault tree is systematic and logical and, where information is available, probabilities can even be assigned to specific events within the branches of the tree so that the likelihood of an incident can be calculated.


Figure 1 Illustration of Fault Tree Analysis
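The Boolean logic described above can be made concrete with a small evaluator. This is an added example, not part of the original post or the BP report: the tree structure, the event names and every probability are constructed for illustration, and basic events are assumed to be independent. It lists the minimal combinations of failures that produce the top event and calculates the top-event probability.

```python
from itertools import product

# Constructed tree and probabilities, for illustration only (not the report's).
# A gate is ("AND" | "OR", [children]); a leaf is a basic-event name.
TREE = ("AND", [
    ("OR", ["annulus_cement_fails", "shoe_track_fails"]),
    ("OR", ["pressure_test_misread", "influx_not_recognised"]),
    "bop_does_not_seal",
])
PROB = {
    "annulus_cement_fails": 0.10, "shoe_track_fails": 0.20,
    "pressure_test_misread": 0.05, "influx_not_recognised": 0.10,
    "bop_does_not_seal": 0.01,
}

def occurs(node, failed):
    """True if the event at `node` happens given the set of failed leaves."""
    if isinstance(node, str):
        return node in failed
    gate, children = node
    results = [occurs(child, failed) for child in children]
    return all(results) if gate == "AND" else any(results)

def minimal_cut_sets(node):
    """Smallest combinations of basic events that produce `node`."""
    if isinstance(node, str):
        return {frozenset([node])}
    gate, children = node
    parts = [minimal_cut_sets(child) for child in children]
    if gate == "OR":
        combined = set().union(*parts)
    else:  # AND: take one cut set from every child and merge them
        combined = {frozenset().union(*combo) for combo in product(*parts)}
    return {s for s in combined if not any(t < s for t in combined)}

def top_probability(node, prob):
    """Exact top-event probability, assuming independent basic events."""
    names = sorted(prob)
    total = 0.0
    for states in product([False, True], repeat=len(names)):
        failed = {n for n, s in zip(names, states) if s}
        if occurs(node, failed):
            weight = 1.0
            for n, s in zip(names, states):
                weight *= prob[n] if s else 1.0 - prob[n]
            total += weight
    return total

if __name__ == "__main__":
    print(sorted(map(sorted, minimal_cut_sets(TREE))))
    print(round(top_probability(TREE, PROB), 6))
```

Every minimal cut set in this constructed tree contains `bop_does_not_seal`, which is the point made above about an intervening subsystem: as long as that one barrier holds, no combination of the lower failures reaches the top event.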

Within Appendix I there are four fault trees outlined based on the four critical factors identified by the investigation team: well integrity, hydrocarbons entering well undetected and loss of well control, hydrocarbons igniting on Deepwater Horizon and blowout preventer not sealing the well. These four fault trees are the focus of the investigation and are the context in which all evidence is collected and evaluated. The team assigned each box as a possible contributing factor to be investigated, designating, where possible, if the box represented a ‘possible immediate cause’ or a ‘possible system cause’. Simplistically, ‘possible immediate cause’ can be equated to mechanical or technical failure, whilst ‘possible system cause’ can be equated with failure of communication, human mistakes of interpretation and procedures. In addition, within each box there was either a reference to a specific section of the report for further discussion, a statement that evidence ruled out that cause or a statement that the evidence was inconclusive for that cause.


Figure 2 Illustration of branches of fault tree associated with well integrity

Figure 2 illustrates a subsection of the fault tree for well integrity. This subsection of the FTA shows that more details are available in the appropriate section of the full report, but for this branch of the fault tree, all the possible causes can be ruled out based on the evidence collected. Figure 3 shows the end branches for a section of the fault tree and in this case the interaction between ‘immediate possible cause’ and ‘possible system causes’ illustrates that it is not a simple answer of either mechanical or system failure but more likely to be a complicated combination of both as you analyse the branches. Neither figure was chosen to point to the most important cause; rather, both illustrate the reasoning behind the conclusions and recommendations of the investigation team.



Figure 3 Illustration of end branches of fault tree showing possible immediate and possible system causes

The investigation team used the Swiss-cheese model to illustrate how the four critical factors and eight causes were related (Figure 4). The barriers are the defensive physical and operational barriers that were meant to prevent an incident. Although the figure makes the key relationships easier to understand, it does not show the intricate web of relations that tied all the actants, physical and human, together in the complex system that produced the event. The figure does not show the web behind the barriers nor how the barriers are defined and set up in the first place. As I said in an earlier blog, experience tends to influence what is seen as important for operation and for prevention; a new incident can alter this perception and so alter what is regarded as important for different barriers and may even identify new barriers to consider in new environments or contexts. Many of the recommendations made are aimed at improving the links and flow of information between the human actants in the system to ensure that information derived about the physical actants, such as well pressure, is interpreted in a consistent and appropriate manner and that it is clear what actions should be taken and when. Likewise, the investigation highlighted the need to improve information flows about the state of these actants, such as the condition of critical components in the yellow and blue control pods for the BOP, so that they are maintained at the standard required for them to operate correctly.

Figure 4 Illustration of Swiss cheese model of hazards analysis based on Deepwater Horizon report
