Deepwater Horizon Drilling Platform Explosion
There has been widespread coverage of the Gulf of Mexico disaster in many newspapers, but the report that is most interesting to control systems engineers was published in The Times on 18 May.
The writer of that report highlighted two equipment failures as the main cause of the explosion. The damaged items were "the oil well safety gear" and a "control pod". The engineers conducting and supervising the drilling operation were aware of the problems; however, management ignored the safety aspects of the operation and continued drilling in order to recover a schedule that was already late.
I am a control systems engineer with over 35 years of experience in the design, testing, commissioning, training and operation of control and safety systems for oil and gas production plants, both onshore and offshore. During this period, on many projects, I noticed that some control and safety systems had serious shortcomings that would adversely affect the safe operation of the plants.
There are many well-defined standards that should be used and adhered to during the various phases of a project. The most relevant standards for control and safety systems are IEC 61508 and IEC 61511. These standards are mandatory, and all control and safety systems should comply with them. Systems designed and installed before the introduction of these standards should be modified as necessary to bring them into compliance.
There is no need to go through the details of the standards here, since many reports and articles about them are available. My intention is to highlight the key requirements and the points at which they are normally ignored, using some examples to clarify the subject.
IEC 61508 and IEC 61511 each run to several parts and cover many aspects of control and safety system requirements. They treat reliability analysis in detail and divide the requirements into Safety Integrity Levels (SIL). The lower SIL values (SIL 1, SIL 2) are required for less demanding cases, e.g. Process Shutdown (PSD), Emergency Shutdown (ESD) and Fire and Gas (F&G) systems. SIL 3 and SIL 4 apply to higher-risk processes, e.g. High Integrity Process Protection Systems (HIPPS) and nuclear power plants.
The SIL requirements are normally well defined and implemented on every project. However, in some cases a SIL 3 or SIL 4 requirement is reduced by one level to lower the cost. As an example, a SIL 4 HIPPS may cost several million Pounds, while a SIL 3 system may cost less than a million Pounds. Obviously, in such cases the Client (owner/operator of the plant) should take full responsibility and take the necessary actions to reduce the chance of failure of the system and the resulting losses (production, equipment, life, environment).
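To put numbers on what "reducing a SIL by one level" means, the following Python calculation is added here as an illustration; it is not the author's own analysis and not taken from the standards' worked examples. It uses the simplified low-demand PFDavg formulas of IEC 61508-6 for a single channel (1oo1) and a redundant pair (1oo2), maps the result onto the IEC 61508 low-demand SIL bands, and shows how architecture and proof-test interval move a function between SIL 2, SIL 3 and SIL 4. The failure rate, test intervals and demand rate are constructed values chosen for the example, and common-cause failures, diagnostic coverage and repair time are deliberately left out.

```python
"""Worked SIL illustration, added to this article; it is not the author's
own calculation. It uses the simplified low-demand PFDavg formulas from
IEC 61508-6, with common-cause failures, diagnostic coverage and repair
time deliberately left out:

    1oo1:  PFDavg ~= lambda_DU * T / 2
    1oo2:  PFDavg ~= (lambda_DU * T)**2 / 3

lambda_DU = dangerous undetected failure rate (per hour)
T         = proof-test interval (hours)

The failure rate, test intervals and demand rate used below are
constructed for illustration, not taken from any real valve or plant.
"""

HOURS_PER_YEAR = 8760.0

# IEC 61508 low-demand target failure measures: upper bound of PFDavg per SIL.
# SIL 4 is defined as 1e-5 <= PFDavg < 1e-4; the standard has no level below
# that, so anything under 1e-5 is reported here simply as SIL 4.
SIL_UPPER_BOUNDS = [(4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)]


def pfd_avg_1oo1(lambda_du: float, test_interval_h: float) -> float:
    """Average PFD of a single channel that is periodically proof tested."""
    return lambda_du * test_interval_h / 2.0


def pfd_avg_1oo2(lambda_du: float, test_interval_h: float) -> float:
    """Average PFD of two redundant channels, either of which can trip."""
    return (lambda_du * test_interval_h) ** 2 / 3.0


def sil_for_pfd(pfd: float) -> int:
    """SIL achieved by a PFDavg in low-demand mode (0 means worse than SIL 1)."""
    for sil, upper in SIL_UPPER_BOUNDS:
        if pfd < upper:
            return sil
    return 0


def risk_reduction_factor(pfd: float) -> float:
    """RRF = 1 / PFDavg: how many demands the layer is expected to stop per failure."""
    return 1.0 / pfd


def hazard_rate_per_year(demand_rate_per_year: float, pfd: float) -> float:
    """Expected rate at which real demands meet a failed protection layer."""
    return demand_rate_per_year * pfd


def evaluate(lambda_du: float, test_interval_years: float,
             demand_rate_per_year: float) -> dict:
    """Compare 1oo1 and 1oo2 for one failure rate and proof-test interval."""
    t_hours = test_interval_years * HOURS_PER_YEAR
    result = {}
    for name, fn in (("1oo1", pfd_avg_1oo1), ("1oo2", pfd_avg_1oo2)):
        pfd = fn(lambda_du, t_hours)
        result[name] = {
            "pfd_avg": pfd,
            "sil": sil_for_pfd(pfd),
            "rrf": risk_reduction_factor(pfd),
            "hazard_per_year": hazard_rate_per_year(demand_rate_per_year, pfd),
        }
    return result


if __name__ == "__main__":
    LAMBDA_DU = 2e-6   # constructed: 2 dangerous undetected failures per 1e6 hours
    DEMANDS = 0.1      # constructed: one genuine demand on the function every 10 years
    for years in (1.0, 0.5):
        print(f"proof-test interval {years} year(s):")
        for arch, r in evaluate(LAMBDA_DU, years, DEMANDS).items():
            print(f"  {arch}: PFDavg={r['pfd_avg']:.2e}  SIL {r['sil']}  "
                  f"RRF={r['rrf']:.0f}  hazard/yr={r['hazard_per_year']:.1e}")
```

With the constructed figures, a single channel tested yearly reaches only SIL 2 (PFDavg about 8.8e-3), a 1oo2 pair tested yearly reaches SIL 3 (about 1.0e-4), and the same pair tested every six months reaches SIL 4 (about 2.6e-5); each step down in SIL roughly multiplies the expected hazard frequency by ten for the same demand rate. Two caveats a practitioner would insist on: PFDavg is only one of the SIL requirements, since IEC 61508 also imposes architectural constraints (hardware fault tolerance and safe failure fraction) and systematic capability; and the simplified formulas drop the common-cause (beta-factor) term, which in a redundant arrangement such as 1oo2 often dominates the real PFDavg. Carrying that full analysis through correctly is exactly the kind of work the standards expect a competent engineer to do, rather than copying a figure from a previous project.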
There are three important requirements in IEC 61508 that I would like to discuss here. Sadly, these requirements are often ignored. Before doing so, I need to explain why I have included Process Control Systems (PCS) in the discussion. Some readers will argue that IEC 61508 and IEC 61511 apply only to safety systems, not to control systems. This was probably true for the previous generation of safety systems (1960s and 70s), where control and safety systems were totally independent. However, in a modern Integrated Control and Safety System (ICSS), where all the subsystems (PCS, PSD, ESD, F&G) share many components (networks, operator interface, maintenance/management system, servers), process control cannot be separated from the safety system. Besides, there is a strong hierarchy in plant control and safety systems that makes the subsystems highly interdependent. If the process control system is well designed, the demand on the safety systems is reduced substantially; if the lower-level shutdown system (e.g. PSD) is robust, the demand on the ESD is reduced in turn. So, in my view, control and safety systems are integral parts of one total system, and consequently IEC 61508 and IEC 61511 apply to both.
The three requirements, which are clearly defined in the standards, are:
- The client (owner/operator) of the plant is ultimately responsible for all phases of the project.
- The personnel responsible for the design, testing, installation, commissioning, operation, maintenance, management and decommissioning of the plant must be competent for their roles.
- The equipment chosen for the safety system must be suitable for the application.
These requirements are simple to understand but seem almost impossible to apply. For example, drilling oil wells is a very critical process and there is absolutely no justification for ignoring the safety system requirements. It is totally unacceptable to use high cost, a late schedule or loss of production as a reason to ignore safety matters. The client is responsible for safe operation and cannot blame other parties for a failure, loss of life or damage to the environment. During the design of control and safety systems, the client's engineers have to approve all the critical documents to ensure that all the requirements, including the regulatory ones, are met. If they choose not to review, audit or approve the documents in order to reduce costs and delays, they are ignoring their responsibility.
Assigning suitable personnel to the various disciplines of a project is often ignored. Engineers responsible for the design of instrumentation, control and safety systems should have adequate qualifications and experience for the job. An engineer responsible for the design of a large control and safety system should have a relevant degree (in process or control systems engineering), Chartered status and over 10 years' experience in similar work. I have seen several projects where draftsmen or engineers with little understanding of the job were assigned to the design of control and safety systems, or to supervising and leading engineers. Draftsmen are not educated or experienced in engineering work; they cannot analyse and solve technical problems where a solid mathematical and engineering background is necessary.
Design of control and safety systems requires the understanding and application of several critical theories, e.g. systems theory, control theory, sampling theory and information theory. Ignoring these theories and simply copying from another project, or leaving the design to the manufacturer of the system, can result in serious shortcomings. It is a well-known fact that we do not have enough professional and experienced engineers in the United Kingdom, and indeed in many parts of the world. I know why, and I am sure many other engineers and organisations know why, but it seems the large oil companies and the governments are ignoring this problem. Employing engineers with second-class degrees and little experience from other countries to do demanding jobs on large projects is unacceptable. Organisations that employ such engineers are ignoring the regulatory requirements outlined in IEC 61508.
The third item, selecting suitable equipment for control and safety systems, is as critical as the other regulatory requirements. For safety systems, a SIL is normally required and the chosen equipment (transmitters, valves, controllers, interfaces) is certified accordingly. However, there are other issues besides the SIL that need attention. All large oil companies have prepared detailed specifications of requirements for their various control, safety and instrumentation equipment, and to understand and apply them the design engineer needs proper qualifications and experience. As an example: we need a shutdown valve for a SIL 2 application and have received quotes from three manufacturers at £50,000, £100,000 and £200,000. Which one should we buy? A million Dollar question! And who decides: the design engineer, the client engineer, the client procurement manager or the client project manager? A large oil production plant might need over 50 of these valves.
Obviously, it is the design engineer's responsibility to choose the right valve. In my view, the cost is totally irrelevant. The critical subjects are the required design life, the manufacturer's quality control and the manufacturer's experience. The situation is very similar to buying a car! If there are two cars of exactly the same size (body and engine) and appearance, but one costs £15,000 and the other £30,000, which one will you buy? It obviously depends on the application and on the buyer's knowledge of cars. Is the car for short journeys, e.g. occasional use to drive to the next village for some shopping, or for frequent long motorway journeys? Is the buyer ignorant about cars (not even knowing why a car needs water!), or is he/she an engineer with a good understanding of the engine, gearbox, brakes, steering, etc.?
The three requirements discussed here are closely related: a problem in one will definitely affect the others. It is like a controller with positive feedback! If the client engineer fails to check the CVs of the key personnel, then junior engineers or draftsmen may be assigned to the design of control and safety systems. If the design engineer is not experienced, then he/she may not understand the requirements and may buy the cheapest valve.
About the author:
Ghodrat Kalani, Senior Control Systems Consultant, BSc, MSc, CEng, FInstMC, FIET