Modeling the Deepwater Horizon blowout using STAMP
MetadataShow full item record
This thesis has been based on reviewing literature on Systems-Theoretic Accident Model and Processes theory of accident analysis and accident investigations of the Macondo well blowout. Systems-Theoretic Accident Model and Processes is commonly known under its name STAMP and is a systemic accident modeling approach. Systemic accident modeling approaches have been developed after the sequential- and epidemiological accident models. In systemic accident models safety is seen as an emergent property. STAMP is based on three basic constructs which are safety constraints, hierarchical safety control structures, and process models. A constraint is the most basic concept of STAMP, thereby moving away from the current risk assessments focus on events. This is underlined by the fact that events leading to losses only occur because safety constraints were not successfully enforced. From systems theory a system is viewed as a hierarchical structure, where each level imposes constraints on the activity on the level below, resulting in higher-level constraints allowing or controlling lower level behavior. Process models show how the controller of a process enforces the required safety constraints, and how the controller receives feedback from the process being controlled. Feedback is a very important aspect of STAMP, as STAMP views systems as interrelated components that are kept in a state of dynamic equilibrium by feedback loops of information and control. Causal analysis based on STAMP (CAST) is a method developed for analyzing accidents and incidents. Risk assessment methods have predominantly been event based, but STAMP wishes to move forward in assessing risks and safety by using the violation of safety constraints as a basis for loss events resulting in accidents and incidents. CAST is a method developed in line with the overall framework of STAMP, and has been the basis for the accident analysis of the Macondo well blowout in this report. On April 20th 2010 the Deepwater Horizon rig was set to perform a temporary abandonment, which refers to the procedures done after the completion of the drilling of a well in preparation for the drilling rig to abandon the well. During the temporary abandonment the crew on the Deepwater Horizon would check the wells integrity before they abandoned the well site. The wells integrity was tested during the day of April 20th 2010, and approved at around 8 p.m. The next stage of the temporary abandonment was to displace the drilling mud in the riser connected with the wellhead. At approximately 8:50 p.m. the Macondo well became underbalanced and the well soon experienced a kick. The kick on April 20th developed into a blowout and at 9:49 p.m. the first explosion hit the Deepwater Horizon rig. The accident caused 11 fatalities, the destruction of the Deepwater Horizon Rig and a massive oil spill in the Gulf of Mexico. The CAST analysis performed uncovered how important the correct enforcement of safety constraints can be, as the result of violating the safety constraints at Macondo resulted in a horrific accident. Creating the models from the CAST analysis showed just how inadequate the system operations were at controlling the safety of the Macondo well. The models revealed that MMS did not have a regulatory structure capable of enforcing safety for deepwater drilling operations, and that BP quite carelessly changed procedures after receiving permits from MMS. Not regarding the fatalities the worst part of the accident was that the industry itself was shocked after it happened. How could they be, considering how they operated? The systemic accident approach is superior to the event based models. From the analysis it is evident that the accident was caused by a number of violations throughout the hierarchal safety control structure. Event based models may have concluded and blamed the lowest level for the accident and therefore ignored the problems throughout the hierarchical safety control structure. This proves the suitability for the systemic accident approach, especially as an important tool to improve future safety processes.