I noticed an article on the Tech Briefs website about new sensors that could withstand extreme environments. That’s an especially important feature — a failure in a system that normally operates in a severe environment is more likely to be catastrophic. Think of oil wells and nuclear reactors. But the sensing element itself is just one piece of the puzzle of monitoring potentially hazardous operations.
I think we can learn a lot by examining what went wrong in an actual disaster. For example, the 2016 report from the U.S. Chemical Safety and Hazard Investigation Board describes the explosion and fire on the Deepwater Horizon oil drilling rig:
“On April 20, 2010, a multiple-fatality incident occurred at the Macondo oil well approximately 50 miles off the coast of Louisiana in the Gulf of Mexico during temporary well-abandonment activities on the Deepwater Horizon (DWH) drilling rig. Control of the well was lost, resulting in a blowout — the uncontrolled release of oil and gas (hydrocarbons) from the well. On the rig, the hydrocarbons found an ignition source and ignited. The resulting explosions and fire led to the deaths of 11 individuals, serious physical injuries to 17 others, the evacuation of 115 individuals from the rig, the sinking of the Deepwater Horizon, and massive marine and coastal damage from a reported 4 million barrels of released hydrocarbons.”
Would better pressure, temperature, and flow sensors have helped by sounding the alarm that something was wrong sooner? Most certainly they would have — they could have even triggered automatic safety mechanisms. However, even though there were safety systems onboard, they didn’t avert the disaster. The investigators’ report is a primer on what can go wrong.
The main safety device was a blowout preventer (BOP), designed to seal off the well. It was intended to be operated manually by the crew or automatically in the event of a fire or explosion.
One of the first principles for designing safety systems is redundancy, so if one system fails, another will still function. The Deepwater did have a redundant safety system, where two different control systems would automatically activate the BOP and also shear the drill pipe in the event of an emergency.
So, what happened? According to the report, it was a combination of things. First of all, one of the two redundant control systems didn’t work because it was miswired. Then, although the BOP operated and activated the shearing mechanism, the drill pipe in the BOP was off-center, which prevented the shear ram from fully closing to completely seal the well.
Another issue was that the electrical wiring was not done according to the various codes covering electrical apparatus in hazardous areas. (See, for example, the article in the May 2023 issue of Sensor Technology.)
However, even the most perfectly designed and meticulously installed safety systems need thorough routine testing to make sure nothing has deteriorated. A problem with safety systems is that they only operate during the very rare emergency situations they are designed to protect against. That means frequent testing is critical.
On the Deepwater Horizon, “routine inspection and weekly function testing of operational BOP components necessary for daily drilling operations were insufficient to identify latent failures of the emergency systems.”
But proper design, installation, and testing by themselves are not enough to ensure safety. The systems have to be designed with people in mind — the ones who will be operating and installing the systems.
“The lack of incorporation of human factor considerations into the planning and executing of the temporary abandonment of the Macondo well increased the likelihood of the blowout.”
The systems must be designed for everything from alarms to manual controls to be clearly and easily understood. And operators should be extensively trained in best practices for dealing with emergencies. The operators should be involved in the routine testing process to reinforce what they have been taught.
And there needs to be an active feedback loop involving designers and operators. As spelled out in the investigators’ report, “The operator cannot write a drilling program that foresees all circumstances and covers every detail for the drilling contractor to follow. Therefore, the operator and drilling contractor must actively work to bridge the gap between work-as-imagined (WAI) in the drilling program as defined by well designers, managers, or even regulatory authorities and work-as-done (WAD) by the well operations crew.”
Sensors, Systems, and Safety
Multiple factors have to be considered in any system design, but that need is magnified for systems that guarantee safety. Rugged and accurate sensors are vital components without which the rest of the system is useless, but that is just the beginning. They have to be embedded in systems that are well-planned and well-executed — and that includes designing with human operators in mind, and planning for routine testing with both equipment and people, and designing to Code.
Note: All quotes are from “The Investigation Report Executive Summary of the Drilling Rig Explosion and Fire at the Macondo Well” by the U.S. Chemical Safety and Hazard Investigation Board. Report No. 2010-10-I-OS 04/12/2016.