Product Information DISCLAIMER No person should rely on the contents of this publication without first obtaining advice from a qualified professional person. This publication is sold on the terms and understanding that (1) the authors, consultants and editors are not responsible for the results of any actions taken on the basis of information in this publication, nor for any error in or omission from this publication; and (2) the publisher is not engaged in rendering legal, accounting, professional or other advice or services. The publisher, and the authors, consultants and editors, expressly disclaim all and any liability and responsibility to any person, whether a purchaser or reader of this publication or not, in respect of anything, and of the consequences of anything, done or omitted to be done by any such person in reliance, whether wholly or partially, upon the whole or any part of the contents of this publication. Without limiting the generality of the above, no author, consultant or editor shall have any responsibility for any act or omission of any other author, consultant or editor. ABOUT CCH AUSTRALIA LIMITED CCH Australia is a leading provider of accurate, authoritative and timely information services for professionals. Our position as the “professional’s first choice” is built on the delivery of expert information that is relevant, comprehensive and easy to use. We are a member of the Wolters Kluwer group, a leading global information services provider with a presence in more than 25 countries in Europe, North America and Asia Pacific. CCH — The Professional’s First Choice. Enquiries are welcome on 1300 300 224, or (for customers calling from outside Australia) +61 2 9857 1300. Books may be purchased through CCH Australia Limited’s online bookstore at www.cch.com.au. National Library of Australia Cataloguing-in-Publication entry Hopkins, Andrew, 1945 – Disastrous decisions: the human and organisational causes of the Gulf of Mexico blowout/by Andrew Hopkins. (pbk). ISBN: 978-1-922042-40-8 Subjects: BP (Firm) Decision making Petroleum industry and trade — Management Oil spills — Mexico, Gulf of — Management Industrial accidents — Mexico, Gulf of Environmental disasters — Mexico, Gulf of Emergency management — Mexico, Gulf of Petroleum industry and trade — Accidents — Mexico, Gulf of BP Deepwater Horizon Explosion and Oil Spill, 2010 Dewey Number: 363.11962233819 © 2012 CCH Australia Limited Published by CCH Australia Limited First published May 2012 All rights reserved. No part of this work covered by copyright may be reproduced or copied in any form or by any means (graphic, electronic or mechanical, including photocopying, recording, recording taping, or information retrieval systems) without the written permission of the publisher. CCH ACKNOWLEDGMENTS CCH Australia Limited wishes to thank the following who contributed to and supported this publication: Managing Director Matthew Sullivan Director, Books Jonathan Seifman Publisher, Books Andrew Campbell Editor Deborah Powell Project Coordinator Fiona Harmsworth Books Coordinator Caitlin Caldwell Market Development Manager — Books, Education & Mobile Content Lauren Ma Indexer Graham Clayton, Word Class Indexing & Editing Cover Designer Mathias Johansson (Note: Front cover photograph — CCH has been unable to identify the copyright holder; back cover photograph — reproduced by permission of copyright holder.) Typesetting Midland Typesetters ABOUT THE AUTHOR Andrew Hopkins is Emeritus Professor of Sociology at the Australian National University (ANU) in Canberra. Over the past 20 years, he has been involved in various major accident inquiries and has undertaken consultancy work for government agencies and large companies. Andrew speaks regularly to audiences around the world about the causes of major accidents. In 2008, Andrew received the European Process Safety Centre prize for his extraordinary contribution to process safety in Europe. This was the first time the prize was awarded to someone outside Europe. Andrew has written a number of books, including: Making Safety Work: Getting Management Commitment to Occupational Health and Safety and Managing Major Hazards: The Moura Mine Disaster — both of which were published by Allen & Unwin. He has also written the following books which were published by CCH Australia Limited: • Lessons from Longford: the Esso Gas Plant Explosion • Lessons from Longford: the Trial • Safety, Culture and Risk • Lessons from Gretley: Mindful Leadership and the Law • Failure to Learn: the BP Texas City Refinery Disaster, and • Learning from High Reliability Organisations. Andrew has a BSc and an MA from ANU, and a PhD from the University of Connecticut. He is also a Fellow of the Safety Institute of Australia. Andrew may be contacted on the following email address: [email protected] AUTHOR ACKNOWLEDGMENTS I would like to acknowledge the very useful conversations and email exchanges I had with many people, among others: Bob Bea, Earl Carnes, Jan Hayes, Kevin Lacy, David Llewelyn, Wayne Needoba, David Pritchard, John Smith, John Thorogood, and Jan Erik Vinnem. The working papers from the Deepwater Horizon Study Group, based in Berkeley, proved invaluable. Thanks to the following readers whose comments helped improve this book: Jan Hayes, Anthony Hopkins, Tamar Hopkins, Heather McGregor, Sally Traill and Stephen Young. Thanks, also, to Deborah Powell whose editing was both meticulous and sensitive to my concerns. My deepest gratitude goes to my partner in life, Heather, without whom I could not have written this book. CHAPTER 1 INTRODUCTION Editorial information The blowout in the Gulf of Mexico on the evening of 20 April 2010 caught everyone by surprise, although it shouldn’t have. The Deepwater Horizon, a huge floating drilling rig, had just completed drilling an ultra-deep well. It was operating in water that was 1.5 km (5,000 ft) deep and it had drilled to 4 km (13,000 ft) below the sea floor. This is a total depth of 5.5 km (18,000 ft) below sea level, greater than the height of the highest mountains in the United Sates, except Mt McKinley in Alaska, which rises a little over 6 km (20,300 ft) above sea level. This was an impressive achievement, although it was by no means the deepest well that the Deepwater Horizon had drilled. Drilling was a long way behind schedule, but the job was finally finished and, with a sense of relief, people were preparing for departure. Suddenly, at 9.45 pm, drilling fluid — “mud” in industry language — began spewing out of the top of the derrick, covering the deck of the rig and even landing on a supply vessel stationed nearby. But worse than that, the mud was accompanied by oil and gas. Gas alarms sounded, and the vessel’s engines began revving as gas reached the engine room. Almost immediately, there was an explosion, followed shortly by another. The rig was now an inferno, with flames roaring up into the night sky. There was chaos and panic. Dazed and injured people converged on the lifeboats. At least one seriously injured man was pulled from underneath rubble, loaded onto a stretcher and carried to the lifeboats. The boats were progressively lowered into the water, but some people were so afraid that they jumped 40 m (125 ft) to the sea below. The supply vessel had backed off a short distance when the mud began raining down; it launched its own rescue craft to pick up survivors in the water and took on board all of the people in lifeboats. Of the 126 people who had been on board the Deepwater Horizon, 115 were rescued. Eleven perished in the explosions and fire. Firefighting vessels rushed to the scene and poured water onto the Deepwater Horizon but the fire was uncontrollable and, two days later, the rig sank. This was not only a disaster in terms of loss of life, it was also an environmental disaster. After the blowout erupted, but before the vessel was abandoned, efforts were made to stem the flow by activating the blowout preventer (BOP), located on the sea floor. But the BOP failed to function as intended and the flow continued unabated. It was 87 days before the well was finally capped and the flow stopped. The well was 77 km (48 miles) off the coast of Louisiana, but containment efforts were unable to prevent the oil from reaching the shores of several states around the Gulf of Mexico, doing untold damage to the environment and to the livelihood of Gulf residents. Shares in the operating company, BP, lost half their value and, at one point, it seemed possible that the company might not survive. Two years later, the share price was still nearly 25% below its pre-blowout level. BP has estimated that it will have to pay out more than $40b in damage claims and penalties.1 I will say no more here about the disastrous consequences of the blowout; it is the events leading up to the blowout that will be of interest in this book. The day of the disaster had begun well, or so it seemed. Very early that morning, the crew had finished cementing the bottom of the well. The prime purpose of this cement job was to prevent a blowout. Pumping cement 5.5 km to the bottom of a well and positioning it correctly requires considerable finesse, and engineers had spent days planning just how they would do this. Unfortunately, the cement job failed but, tragically, they did not realise it had failed, and at 5.45 am, just 16 hours before the well erupted, the cement job was declared a success. This meant, among other things, that the team was able to dispense with a particular cement evaluation test, and contractors who had been on standby to perform the test were sent ashore on an 11 am helicopter flight. At 8 pm, another test — a well integrity test — was completed, and the crew mistakenly declared that the well had passed the test. Finally, in the hour before the well erupted, there were indications of what was about to occur, but these indications were missed because no one was monitoring the well. So it was that the blowout came as a complete surprise. There have been more than a dozen books written about this disaster. Many of them focus on environmental issues. They view the blowout as a catastrophic oil spill, and there is a suggestion in many of them that the ultimate cause of this event is our reliance on oil. They conclude that the best way to prevent similar disasters in the future is to reduce that reliance. Be that as it may, there is much to be learnt from this incident about how catastrophic risks can be managed more effectively, without abandoning the hazardous activity altogether. A related theme in some books is that the accident was the result of operating at the limits of known technology, or even beyond. On this view, drilling in deep water is just as technically challenging, and hence just as risky, as space travel. The fact is, however, that both of the space shuttle accidents, Challenger and Columbia, are better viewed as the result of organisational failure rather than technological complexity.2 We shall see that the same is true for the Gulf of Mexico blowout. A final theme is that the well owner, BP, was somehow a bad company, a rogue, an industry outlier. This kind of analysis echoes public sentiment: the incident generated massive public outrage for which BP was a lightning rod. But viewing BP as an industry outlier just doesn’t fit the facts. Two other major companies were involved — Transocean, the owner of the drilling rig, and Halliburton, the service company responsible for cementing the well. Both of these companies were implicated, in the sense that, had they behaved differently, the accident would not have happened. This was very much a drilling industry accident. Some of these popular accounts are discussed in more detail in Chapter 11. All this raises the ticklish issue of how the incident should be named. Was it the BP oil spill, as several book titles suggest? To describe it in this way seems unavoidably to play into the hands of those who seek to stir up moral outrage against BP. Should the accident be named after the rig, the Deepwater Horizon? That is how BP titled its report, which suggests an alternative view about where responsibility lies. Several books refer to Deepwater Horizon in their titles, perhaps because it facilitated word plays such as “fire on the horizon” and “disaster on the horizon”. More neutral is the name of the well itself — Macondo. Not one of the books uses “Macondo” in its title, presumably because the name is not well known. But various inquiry report titles do use this name, thereby avoiding any suggestion of taking sides. In this book, I shall refer to the Macondo incident, the Macondo team and so on, partly because of the neutrality of the name, but also because it is a convenient and accurate way of referring to the drilling team, which included personnel from various companies. Apart from the outpouring of popular writing, an unprecedented number of reports have been written about the disaster, some by government and quasi- governmental agencies and some by the companies involved. These provide a wealth of invaluable detail about the technical causes of the incident. But that very detail makes them hard for industry outsiders to read. Ploughing through them amounts to taking a crash course in drilling engineering. My book is addressed to audiences both inside and outside the industry and seeks to minimise technical detail in order to maximise comprehensibility I do not shy away from technical detail, however, when that is necessary to make sense of the decisions that were made. The other feature of most of the reports is that, while they provide detailed accounts of what happened, they do not focus on why it happened. Answering the why question takes us into the realm of human and organisational factors, which was not the centre of attention in most of the inquiries. It is certainly important to know what people did, but even more important to know why they did it. It is not enough to know that people made mistakes; we need to know why they made these mistakes if we are to have any hope of preventing them or others from making the same mistakes again. The decision-makers invariably thought they were doing the right thing, when in fact their flawed decisions were taking them a step at a time towards disaster. We need to make sense of those disastrous decisions, which means understanding why they made sense to the decision-maker. Very often, the way people make sense of a situation dictates how they act, which means that they are not really engaged in decision-making at all.3 So this book is an attempt to get inside the heads of decision-makers and understand how they themselves understood the situations they were in. Furthermore, it seeks to discover what it was in their organisational environment that encouraged them to think and act as they did. Footnotes 1 Wall Street Journal, 12 March 2012. 2 CAIB, 2003; Vaughan, 1996. 3 This is nicely demonstrated in Snook, 2000, pp 75, 206. Thinking about accident causation Initial attempts to explain the accident focused on the failure of a supposedly failsafe device, the BOP. Accordingly, there was an enormous sense of expectation when the device, the height of a five-storey building, was brought to the surface and towed ashore, months after the accident. A huge amount of effort was devoted to trying to understand just how and why it had failed. The BOP acquired an almost mythical status. Here is how one writer described it a year later:4 “[T]he critical hardware was a mile below the surface of the sea, where only remotely controlled vehicles could venture. People couldn’t quite see what was going on. They literally groped in the dark. They guessed, wrongly — and people died, and the rig sank, and the oil gushed forth.” But the BOP was only the last line of defence and, arguably, not the most important. The defence metaphor is the key to a much more sophisticated understanding of this accident. The prevention of major accidents depends on defence-in-depth, that is, a series of barriers to keep hazards under control. In the drilling industry, the concept of “barrier” often refers to a physical barrier (eg a cement plug) and the usual philosophy is that there should be at least two physical barriers in place at all times to prevent a blowout. However, there is a more general and more widely used meaning of the word “barrier” that includes non-physical barriers such as training, procedures, testing, and engineering controls. Accidents occur when all of these barriers fail simultaneously. The ubiquitous Swiss cheese model developed by Professor Jim Reason conveys this idea (see Figure 1.15). Each slice of cheese represents a fallible barrier, and accidents only occur when all of the holes line up. This is an extremely useful way to think about accident causation, since it acknowledges and depicts the complex nature of major accidents. In particular, it enables us to think about the contribution of each and every barrier failure without falling into the trap of assuming that any one of these is the cause of the accident. Each is a cause, in the sense that, had that barrier not failed, the accident would not have occurred, but it cannot be said that any one such failure gave rise to the accident since, by itself, it clearly didn’t. On this view, there is no such thing as the cause. Only the simultaneous failure of all of the barriers is sufficient to cause an accident. While the Swiss cheese model is an aid to rational understanding of why accidents occur, it does not lend itself to the attribution of blame or liability. In the case of the Macondo accident, three different companies, BP, Transocean and Halliburton, had some responsibility for one or more of the failed defences. An analysis in terms of multiple failed defences means that no one company can be said to have caused the accident by its own actions or inactions. Lawyers in the blowout litigation will be seeking to paint one party or another as having caused the accident. We should not expect them, therefore, to make any use of Swiss cheese thinking. I have already alluded to the defences that failed in the Macondo incident: the failure of the cement job; the decision to dispense with cement evaluation; the misinterpretation of the well integrity test results; the failure of monitoring; and the failure of the BOP. This sequence of failures is represented in Figure 1.2. Figure 1.2 does not depict all of the barriers that failed. Importantly, it does not depict several barriers that failed after the blowout. They will be identified later.