Posted by: Harold Ennulat | September 18, 2010

Blow Out Preventer Failure: Why?

Lessons On The Importance Of “Ongoing Risk Management”

Oil has stopped flowing from the Macondo well on which the Deepwater Horizon oil drilling rig was operating. The well has been capped and the BOP has been brought to the surface in order to figure out what went wrong. Popular Mechanics just published an article and BP published an initial “Accident Investigation Report”.

The question I’ve been trying to figure out an answer to is…

Why did the BOP (Blow Out Preventer) fail?

The BOP appears to have failed on several levels. A BP report indicates that neither of the two (2) control panels or pods was capable of operating the BSR (Blind Shear Ram), which is why they conclude that the Automatic Mode Function (AMF) did not activate the BSR. The AMF should have triggered automatically after the first explosion severed the data and likely the hydraulic cables. My current understanding is that it did eventually actuate (with an undersea robot (ROV) activating it manually) but for some reason was unable to cut through the pipe. It was earlier reported that the BSR was not designed to cut through the pipe at a connection point for some reason. It now appears that there is only one BSR on the BOP. Earlier reports indicated that there are two shear ram closure valves but that one was permanently disconnected to facilitate testing. That two (2) shear rams might be needed to guarantee a closure is my own current speculation. I have not seen this suggested elsewhere… or even discussed… yet…

[Illustration: BOP Overview]

On September 2nd the BOP was removed and turned over to a federal government agency for investigation as to its failure. No word yet on why it did not stop the flow of oil. However, BP has made an initial determination as to why both control panels failed to actuate the BSR and other valves before and after the initial explosion.

The October 2010 issue of Popular Mechanics has a lengthy article entitled “How the Blowout Happened”. On the cover, in somewhat small print, it reads “How BP Blew It”. The article outlines a series of what can now be seen as errors that step by step compromised the safety of the rig, the crew, and the Gulf itself. Complacency was a key word used, as was a kind of maverick attitude on the part of BP in making decisions that were intended to save money but resulted in ever-increasing safety compromises that ended in disaster.

[Illustration: Blind Shear Ram (BSR)]

BP’s own report (prepared by an internal team that appears to be removed from direct involvement with BP’s upper management) identifies 8 key “mistakes”, any one of which could have prevented or mitigated the Gulf oil spill incident. However, while the investigation appears to have operated independently from BP management, it is clear its members were BP employees loyal to their company, and so the report lacks some objectivity, even though the points it makes appear valid, or at least worth serious consideration.

Concerning the BOP, the BP report points out that both control panels (the blue and the yellow panels) failed to perform their ultimate safety function. These panels were removed earlier and examined. The finding was that the blue panel had a battery that was too weak to perform the safety function and the yellow panel had a key solenoid valve that failed. The report indicates that the solenoid valve was one that was repaired earlier with a non-OEM part and likely did not work even before the Deepwater Horizon (drilling platform) was moved to drill this well. The report notes that the BOP was part of the Deepwater Horizon drilling rig equipment and so was the responsibility of TransOcean to keep maintained. The report concluded that the BOP was not maintained as it should have been between drilling operations.

[Illustration: How the BSR cuts and seals the well]

So why did the BOP fail to provide its ultimate safety function? At the core it was a failure to understand the risks and a lack of commitment to the integrity of key safety systems.

Now I have an additional question: How is it that procedures end up not being followed? OK, not a good question, as procedures are often not followed. The better question: What is needed to ensure ultimate safety in high-risk situations, such as with the Blow Out Preventer?

What can we learn from this?

Before we in other industries lay blame on BP or TransOcean, which may well be deserved, we need to also look at our own practices in identifying risks and managing them. Do we even know what our biggest risks are? Do we continuously examine our operations for risk and fairly assess them? Generally I have found that risk assessment in our operations is done perhaps only by the design engineers or sometimes as part of a “Hazard Analysis Review” (or HazOp) involving a larger team across the company. At best these are one-time events. At worst they are just time-consuming formalities that can miss or understate important hazards or proposed mitigations. Risk management would appear to require a consistent program of identification, mitigation, monitoring, and feedback across several levels in a given organization.


Why couldn’t the BOP BSR be designed to be fail safe?

This article presumes that the BOP could not have been designed to “fail safe” in the classic sense. A standard “fail safe” operation would go into the failure (i.e. safe) mode if anything is not right until it is fixed. For the BOP this has very undesirable consequences. I’m not sure how you could then later open the valve and remove the cut drill pipe and continue operations. It is for this reason the BOP was likely not designed to be truly fail safe.

There is one control panel for each of 2 control pods

Additionally the BOP was designed to perform a number of other functions as evidenced by the complexity of the control panels (on the drilling platform) that controlled and monitored the control pods on the BOP 5,000 feet below. These additional functions could also have contributed to undermining this “last resort” safety function.

Making these observations, I’m now not sure why you would not make the BOP BSR truly “fail safe” in the classic sense. Due to the severe consequence of actuation, triple sensors and even double redundant actuation means would allow a warning before needing to “fail safe”. The threat of a “fail safe” actuation would help force proper maintenance of the system… Of course it could also force bypassing the system during maintenance too… It gets back again to proper procedures and monitoring/auditing as part of a risk management program to ensure compliance…


Additional credit goes to the June 21, 2010 New York Times article from which I got all of the BOP illustrations. This article suggests that a shuttle valve on the BSR was identified by the manufacturer as a potential failure point. This no longer seems likely given that it was actuated manually, which I’m thinking would require the hydraulics to still be functional.


Additional Background Info:
5 key human errors, colossal mechanical failure led to fatal Gulf oil rig blowout
On there being 2 pipes in the blow out preventer

Updated: September 18, 2010 8:19 pm | Published September 18th, 2010 7:17 am


  1. Reasonable assessment for limited information and no experience in deep-well engineering (I don’t have any, either). Reports came in early that the BOP wasn’t installed at all or correctly, that procedures actually call for installing 2 BOPs in deep service, and that maintenance wasn’t done well. Some can be blamed on the contractors, but ultimately BP hired them, and should take all blame. BP has had a history of not following PSM, and the errors here support that PSM was not being used (or used properly). Management often forces “complacency” when there have been no major incidents or no officially reported incidents, and I suspect that is what drove BP mgt to be more than a bit cavalier. My experience in the nuke industry might color my view, but no one focuses on safety like the nuke industry, and even they have issues outside of their experience or outside of where incidents have occurred.

    • The final word is still out on why the BOP failed, as you note. At least now we have BP’s own report, which gives a considerable amount of insight.
      My speculation did not involve 2 BOPs, just a second Blind Shear Ram on a single BOP spaced so that at least one of them will be guaranteed to cut the drill pipe at a non-joint in the pipe.
      I hope to post a followup when additional info becomes available. Let me know if you read something interesting on this.
