1.1 Synopsis of the Event

The Exxon Valdez arrived Alyeska Marine Terminal at 11:30 p.m. on March 22, 1989 to take on cargo. It carried a crew of 19 plus the master. The third mate, who became a central figure in the grounding, was relieved of watch duty at 11:50 p.m. Vessel and terminal crews began loading crude oil onto the tanker at 5:05 a.m. on 23 March under the supervision of the chief mate.

The master, chief engineer, and radio officer left the Exxon Valdez about 11:00 a.m. on 23 March, and where driven from the Alyeska terminal into the town of Valdez. They expected the Exxon Valdez’s sailing time to be 10 p.m. that evening. They left Valdez by taxi at about 7:30 p.m., got through Alyeska terminal gate security at 8:24 p.m. and boarded the vessel. Loading of the Exxon Valdez had been completed for an hour by the time the group returned to the vessel and the sailing time had been revised to 9:00 p.m. Both the cab driver and the gate security guard later testified that no one in the party appeared to be intoxicated. A ship's agent who met with the master after he got back on the vessel said it appeared the master may have been drinking because his eyes were watery, but she did not smell alcohol on his breath. However, the marine pilot, assigned to the vessel, indicated that later he did detect the odor of alcohol on the master's breath.

The master's activities in town that day and on the ship that night would become a key focus of accident inquiries, the cause of a state criminal prosecution, and the basis of widespread sensational media stories.

The Exxon Valdez’s deck log shows it was clear of the dock at 9:21 p.m. under the direction of the marine pilot and accompanied by a single tug for the passage through Valdez Narrows, the constricted harbor entrance about seven miles from the berth. According to the marine pilot, the master left the bridge at 9:35 p.m. and did not return until about 11:10 p.m., even though company policy requires two ship's officers on the bridge during transit of Valdez Narrows.

The passage through Valdez Narrows proceeded uneventfully. At 10:49 p.m., the ship reported to the Valdez Vessel Traffic Center that it had passed out of the Narrows and was increasing speed. At 11:05 p.m., the marine pilot asked that the master be called to the bridge in anticipation of his disembarking from the ship, and at 11:10 p.m. the master returned. The marine pilot disembarked at 11:24 p.m., with assistance from the third mate. While the third mate was helping the marine pilot and then helping stow the pilot ladder, the master was the only officer on the bridge and according to the NTSB report there was no lookout, even though one was required.

At 11:25 p.m., the master informed the Vessel Traffic Center that the marine pilot had departed and that he was increasing to sea speed. He also reported that they would probably divert from the Traffic Separation Scheme (TSS) and travel in the inbound lane if there was no conflicting traffic. The traffic center indicated concurrence, stating there was no reported traffic in the inbound lane.

The TSS was designed to separate incoming and outgoing tankers in Prince William Sound and keep them in clear, deep waters during their transit. It consists of inbound and outbound lanes, with a half-mile-wide separation zone between them. Small icebergs from nearby Columbia Glacier occasionally enter the traffic lanes. Masters had the choice of slowing down to push through them safely or deviating from their lanes if traffic permitted. The master's report, and the Valdez traffic center's concurrence, meant the ship would change course to leave the western, outbound lane, cross the separation zone and, if necessary, enter the eastern, inbound lane to avoid floating ice. At no time did the Exxon Valdez report or seek permission to depart farther east from the inbound traffic lane; but that is exactly what it did.

At 11:30 p.m., the master informed the Valdez traffic center that he was turning the ship toward the east on a heading of 200 degrees and reducing speed to “wind my way through the ice” (engine logs, however, show the vessel's speed continued to increase). At 11:39 p.m., the third mate plotted a fix that showed the ship in the middle of the TSS. The master ordered a further course change to a heading of 180 degrees (due south) and, according to the helmsman, directed that the ship be placed on autopilot. The second course change was not reported to the Valdez traffic center. For 19 or 20 min the ship sailed south—through the inbound traffic lane, then across its easterly boundary and on toward its peril at Bligh Reef. Traveling at approximately 12 knots, the Exxon Valdez crossed the traffic lane's easterly boundary at 11:47 p.m.

At 11:52 p.m., the command was given to place the ship's engine on “load program up”—a computer program that, over a span of 43 min, would increase engine speed from 55 RPM to sea speed full ahead at 78 RPM. After conferring with the third mate about where and how to return the ship to its designated traffic lane, the master left the bridge. The time, according to NTSB testimony, was approximately 11:53 p.m.

By this time, the third mate had been on duty for 6 h and was scheduled to be relieved by the second mate. But the third mate, knowing the second mate had worked long hours during loading operations during the day, had told the second mate he could take his time in relieving him. The third mate did not call the second mate to awaken him for the midnight to 4 a.m. watch, instead remaining on duty himself. Testimony before the NTSB suggests that the third mate may have been awake and generally at work for up to 18 h preceding the accident.

The US Coast Guard was responsible for setting minimum crew numbers. It had certified Exxon tankers for a minimum of 15 persons (14 if the radio officer is not required). The president of Exxon Shipping Company, had stated that his company's policy was to reduce its standard crew complement to 16 on fully automated, diesel-powered vessels by 1990. Exxon maintained that modern automated vessel technology permitted the reduction in the number of crew without compromising safety or function.

Sometime during the critical period before the grounding and during the first few minutes of 24 March, the third mate plotted a fix indicating it was time to turn the vessel back toward the traffic lanes. About the same time, the lookout reported that Bligh Reef light appeared broad off the starboard bow—that is, off the bow at an angle of about 45 degrees. The light should have been seen off the port side (the left side of a ship, facing forward). Its position off the starboard side indicated looming and great peril for a supertanker that was out of its lanes and accelerating through close waters. The third mate gave right rudder commands to cause the desired course change and took the ship off autopilot. He also phoned the master in his cabin to inform him the ship was turning back toward the traffic lanes and that, in the process, it would be getting into ice. When the vessel did not turn swiftly enough, the third mate ordered further right rudder with increasing urgency. Finally, realizing the ship was in serious trouble, the third mate phoned the master again to report the danger. At the end of the conversation, he felt an initial shock to the vessel. The grounding, described by helmsman as “a bumpy ride” and by the third mate as six “very sharp jolts,” occurred at 12:04 a.m.

After feeling the grounding, the master rushed to the bridge arriving as the vessel came to rest. He immediately gave a series of rudder orders in an attempt to free the vessel, and power to the vessel's engine remained in the “load program up” condition for about 15 min after impact. The chief mate went to the engine control room and determined that eight cargo tanks and two ballast tanks had been ruptured. He concluded the cargo tanks had lost an average of 10 feet of cargo, with approximately 67 feet of cargo remaining in each. He informed the master of his initial damage assessment and was instructed to perform stability and stress analysis. At 12:19 a.m., the master ordered that the vessel's engine be reduced to idle speed.

At 12:26 a.m., the master radioed the Valdez traffic center and reported his predicament.

The master, meanwhile, continued efforts to power the Exxon Valdez off the reef. At approximately 12:30 a.m., the chief mate used a computer program to determine that though stress on the vessel exceeded acceptable limits, the ship still had required stability. He went to the bridge to advise the master that the vessel should not go to sea or leave the area. The master directed him to return to the control room to continue assessing the damage and to determine available options. At 12:35 p.m., the master ordered the engine back on—and eventually to “full ahead”—and began another series of rudder commands in an effort to free the vessel. After running his computer program again another way, the chief mate concluded that the ship did not have acceptable stability without being supported by the reef. The chief mate relayed his new analysis to the master at 1:00 a.m. and again recommended that the ship not leave the area. Nonetheless, the master kept the engine running until 1:41 a.m., when he finally abandoned efforts to get the vessel off the reef.

The vessel came to rest roughly facing southwest, perched across its middle on a pinnacle of Bligh Reef. Computations aboard the Exxon Valdez showed that 5.8 million gallons had leaked out of the tanker in the first 3¼ h. Weather conditions at the site were reported to be 33°F, slight drizzle with a rain/snow mix, north winds at 10 knots, and visibility 10 miles.

The response capabilities of Alyeska Pipeline Service Company to deal with the spreading oil spill would be found to be both unexpectedly slow and woefully inadequate. The worldwide capabilities of ExxonMobil would mobilize huge quantities of equipment and personnel to respond to the spill, but not in the crucial first few hours and days when containment and cleanup efforts are at a premium. The US Coast Guard would demonstrate its prowess at ship salvage, protecting crews, and lightering operations, but would prove utterly incapable of oil spill containment and response. State and federal agencies would show differing levels of preparedness and command capability. The consequence—the waters of Prince William Sound, and eventually more than 1000 miles of beach in Southcentral Alaska, would be fouled by 10.8 million gallons of crude oil.

1.2 Key Findings

The NTSB concluded that the Exxon Valdez met all US and international segregated-ballast regulations, but that the standards at that time for segregated ballast and cargo tank size did not provide sufficient protection against oil spills by groundings or collisions.

Further it concluded that:

• Ice in Valdez Arm is a significant hazard to navigation and required closer monitoring and reporting. The monitoring of the amount and size of ice being calved from Columbia Glacier was inadequate for the safety of tankships transiting Prince William Sound.

• The master's judgment was impaired by alcohol during the critical period the vessel was transiting Valdez Arm. It found that the Exxon Shipping Company did not adequately monitor the master for alcohol abuse after his alcohol rehabilitation program. In addition, the company did not have a sufficient program to identify, and, if necessary remove from service or provide treatment for, employees who had substance abuse problems.

• The master's decision to depart from the TSS to avoid ice was probably reasonable, even though it required a heading toward shoal water.

• Navigating the Exxon Valdez between the ice field and Bligh Reef required a diligent, competent navigation watch capable of controlling the vessel, watching for ice, and fixing the vessel's position frequently to navigate the vessel safely; hence, two officers were required on the bridge, one with the navigation and ship handling experience to control the vessel and the other to frequently fix the vessel's position.

• The master's decision to leave the third mate in charge of the navigation watch was contrary to Federal regulations and company policy and was improper given the course of the vessel, the uncertain extent of the ice conditions, the proximity of a dangerous reef, and the fact that the third mate did not have the required pilotage endorsement.

• The performance of the third mate was deficient, probably because of fatigue, when he assumed supervision of the navigation watch from the master and that the third mate's failure to turn the vessel at the proper time and with sufficient rudder probably was the result of his excessive workload and fatigued condition, which caused him to lose awareness of the location of Bligh Reef.

• There were no rested deck officers on the Exxon Valdez available to stand the navigation watch when the vessel departed from the Alyeska Terminal. Many conditions conducive to producing crew fatigue on the Exxon Valdez also existed on other Exxon Shipping Company vessels because many were three mate vessels and because the company had pursued reduced crewing procedures. Exxon Shipping had incentives and work requirements that could be conducive to fatigue and their crewing policies did not adequately consider the increase in workload caused by reductions in the number of crew. The Coast Guard was unduly narrow in its perspective when it evaluated reduced crewing requests for the Exxon Valdez; it based reductions primarily on the assumption that shipboard hardware and equipment might reduce the workload at sea, but did not consider the heavier workload associated with cargo operations in port and the frequency of such operations.

• Although moving the pilot station to Rocky Point was apparently based on a consideration for pilot safety, the move resulted in a reduction in pilotage services past Bligh Reef, where local knowledge was needed. Moving the pilot station to a position south of Bligh Reef would enhance navigation safety by ensuring the presence of an officer with local knowledge of the area on the bridge of each vessel transiting Valdez Arm past Bligh Reef.

• The Coast Guard had not maintained an effective vessel traffic service in Prince William Sound. The limited supervision of the Vessel Traffic Center probably contributed to the commanding officer's and operation officer's lack of awareness that tankers were departing from the TSS to avoid ice and were passing close to Bligh Reef. The VTS radar was operating satisfactorily, and the detection range of the radar was not significantly reduced by weather or sea conditions while the Exxon Valdez was transiting Valdez Arm. However, the VTC lost radar contact with the Exxon Valdez about 7.7 miles from the radar site, which is about 5.5 miles from the northern part of Bligh Reef, because the Center's watch stander did not use a higher range scale and not because of any limitation or malfunction of the radar. Had he used a higher range scale, the vessel probably could have been tracked as far as the site of the grounding, but no firm policy required him to do so. Monitoring the Exxon Valdez by radar as it transited Valdez Arm would have revealed to the VTC watch stander that the vessel had changed course to 180 degree, had departed the vessel TSS, and was headed for shoal water east of Bligh Reef. A query or warning from the VTC might have alerted the third mate to the impending danger from Bligh Reef. The monitoring of vessels in Valdez Arm was left to the discretion of the VTC watch stander because the senior watch stander decided to allow the Center's watch standers to monitor instead of plot the positions of vessels transiting Valdez Arm. A firm policy requiring the VTC to plot tankers transiting the full length of Valdez Arm could have alerted the commanding officer of the Marine Safety Office that tankships were departing from the TSS in the vicinity of Bligh Reef to avoid ice.

1.3 Lessons Learned

In the aftermath of the Exxon Valdez accident, ExxonMobil made major changes. It committed to safeguarding the environment, employees, and operating communities worldwide. As an example, to improve oil spill prevention, it has:

• Modified tanker routes.

• Instituted drug and alcohol testing programs for safety sensitive positions.

• Restricted safety sensitive positions to employees with no history of substance abuse.

• Implemented more extensive periodic assessments of ExxonMobil vessels and facilities.

• Strengthened training programs for vessel captains and pilots.

• And, applied new technology to improve vessel navigation and ensure the integrity of oil containment systems in the event a spill occurs and have improved their response capability.

Following the Exxon Valdez oil spill and against the background of a number of other disasters arising from the hazardous activities of companies other than Exxon and its affiliates, the company developed a framework for the safe and environmentally sound operation of its various undertakings. The framework was called the Operations Integrity Management Framework (OIMF). Within this framework, a series of expectations and guidelines were developed which included the Exxon Company International (ECI) Upstream OIMS Guidelines. The ECI guidelines contained 11 primary elements with associated expectations, and a series of guidelines for the achievement of these expectations. The company decreed that its affiliates should develop a management system in which all the expectations outlined in the OIMF and contained in the ECI Guidelines, were met. The elements referred to in the Guidelines are:

1. Management leadership, commitment, and accountability.

2. Risk assessment and management.

3. Facilities design and construction.

4. Information/documentation.

5. Personnel and training.

6. Operations and maintenance.

7. Management of change.

8. Third party services.

9. Incident investigation and analysis.

10. Community awareness and emergency preparedness.

11. Operations integrity assessment and improvement.

While there is no question that the Exxon Valdez spill was an unfortunate, but avoidable incident, it is also clear that it provided a necessary impetus to reexamine the state of oil spill prevention, response, and cleanup. In addition to the Exxon Valdez spill, the summer of 1989 experienced three oil spills that drained any resources left from the ongoing spill response in Alaska. Between 23 and 24 June, the T/V World Prodigy spilled 290,000 gallons of oil in Newport, Rhode Island; the T/V Presidente Rivera emptied 307,000 gallons of oil into the Delaware River; and the T/V Rachel hit Tank Barge 2514, releasing 239,000 gallons of oil into Houston Ship Channel (Shigenaka, 2014). But these were not the only oil spills plaguing US waters during that time, and it resulted in action from the politicians.

In August of 1990, the US Congress voted unanimously to pass the Oil Pollution Act, which significantly improved measures to prevent, prepare for, and respond to oil spills in US waters. The shipping industry underwent a significant makeover in oil spill prevention, preparedness, and response. Examples of the result of the spills and legislation include the phasing out of tankers with single hulls, new regulations requiring the use of knowledgeable pilots, maneuverable tug escorts, and an appropriate number of people on the ship's bridge during transit.

But perhaps one of the most important elements of this law required those responsible for oil spills to foot the bill for both cleaning up the oil, and for economic and natural resource damages (NRD) resulting from it. This provision requires oil companies to pay into the Oil Spill Liability Trust Fund, a fund theoretically created by Congress in 1986 but not given the necessary authorization until the Oil Pollution Act of 1990. The fund helps the US Coast Guard pay for the upfront costs of responding to marine and coastal accidents that threaten to release hazardous materials such as oil into the environment. It also covers the assessment of potential environmental and cultural impacts, and implementing any restoration to make up for such impacts.

2.1 Synopsis of the Event

The night before the incident there was a larger than usual flow of liquids into the plant from offshore. The result was a build-up of the level of condensate in the absorber. The volume of condensate could be controlled to some extent by raising the temperature. However, an automatic valve which controlled the temperature was not working properly and operators were using a manual by-pass valve. For various reasons, they did not keep the temperature high enough and the build-up of condensate continued. The outflow through the condensate outlet was too great for the downstream reprocessing so the overflow rate was automatically reduced. The level of condensate in the absorber tower then rose so high that it went off scale, that is, beyond the point where the operators could monitor it. In fact, it rose to the point where it overflowed into the rich oil stream.

The presence of condensate in the rich oil stream caused the rich oil to become much colder than normal. This caused an upset in the processing equipment downstream which in turn led to an automatic shutdown of the pumps which maintained the lean oil flow.

Operators were unable to restart these pumps and they remained shutdown for hours.

Because the circulation of warm lean oil had stopped, two of the heat exchangers became abnormally cold and a thick layer of frost formed on their exterior pipework. The temperature dropped below the design limit and the metal in one exchanger contracted to the point that it began to leak oil onto the ground. Unsuccessful attempts were made to fix this leak by tightening the bolts. At this point, operators decided to stop the flow into GP1 to try to deal with the situation. This stopped any further flow of cold condensate within the plant. But operators did not depressurize the plant. Rather, they decided to try again to restart the pumps to rewarm the heat exchanger. This was a critical error. The metal in the vessel by this time was so cold that it was brittle and it needed time to thaw out before being warmed. Operators succeeded in restarting the pumps and the reintroduction of warm liquid caused fracturing and catastrophic failure of one of the heat exchangers. A large quantity of volatile liquid and gas escaped and was ignited by a nearby ignition source.

The explosions and fire shutdown the three gas plants at Longford. The fire was not fully extinguished until September 27, 1998. The resumption of gas supply commenced on October 04, 1998 and was completed by October 14, 1998. The 10-day delay to restore gas supply was due to the need to extinguish the fires in GPl and to ensure the complete isolation of GPl, and the CSP, from GP2 and GP3.

On October 12, 1998, the Victoria Government announced its intention to establish a Royal Commission of Inquiry into the explosion and fire at Longford. The Commission submitted its report on June 28, 1999 (Dawson et al., 1999).

The Commission's key findings were divided among a number of categories.

4 BP Texas City 2005

4.1 CSB BP Texas City

In 1998, BP had one refinery in North America. In early 1999, BP merged with Amoco and then acquired ARCO in 2000, ending up with five refineries in North America. Prior to 1999, Amoco owned the Texas City refinery, the third-largest oil refinery in the United States with 475,000 barrels per day (bpd) refining capacity and had been in operation since 1934. Cost-cutting and failure to invest in the 1990s by Amoco and then BP, left the Texas City refinery's infrastructure and process equipment in disrepair. Operator training and staffing were also downsized. BP replaced the centralized HSE management systems of Amoco and Arco with a decentralized HSE management system. The effect of decentralizing HSE in the new organization resulted in a loss of focus on process safety management.

On March 23, 2005, at 1:20 p.m., the BP Texas City Refinery experienced explosions and fires that killed 15 people and injured another 180, alarmed the surrounding community, and resulted in financial losses exceeding $1.5 billion. The incident occurred during the startup of an isomerization (ISOM) unit when a raffinate splitter tower was overfilled; pressure relief devices opened, resulting in a release of flammable liquid from a blowdown stack that was not equipped with a flare. The release of flammables led to the explosion and fire. All the fatalities occurred in or near office trailers located close to the blowdown drum. A shelter-in-place order was issued that required 43,000 people to remain indoors. Houses were damaged as far away as three-quarters of a mile from the refinery.

4.2 Synopsis of the Event

For 2 years prior to the incident, BP had used a rigorous prestartup procedure that required all startups after turnarounds to go through a Pre-Startup Safety Review which included completing maintenance work, performing required safety reviews, checking equipment, and ensuring that utilities, control valves, and other equipment were functioning and correctly aligned. The process safety coordinator responsible for an area of the refinery that included the ISOM was unfamiliar with the process, and no Pre-Startup Safety Review procedure was conducted.

BP supervision decided to initiate the startup of the ISOM unit raffinate section during the night shift on March 22, 2005. However, after the startup was begun, it was stopped and the raffinate section was shutdown to be restarted during the next shift. Starting and then stopping the unit was unusual, and not covered in the startup procedures, which only addressed one continuous startup.

The Night Lead Operator controlled filling the raffinate section from the satellite control room because it was close to the process equipment. The Night Board Operator controlled the other two process units from the central control room. The Night Lead Operator did not use the startup procedure or record completed steps for the process of filling the raffinate section equipment, which left no record for the operators on the next shift.

When the Day Board Operator changed shifts in the central control room with the Night Board Operator shortly after 6:00 a.m., he received very little information on the state of the unit other than what was written in the logbook.

On the morning of 23 March, the raffinate tower startup began with a series of miscommunications. The early morning shift directors’ meeting discussed the raffinate startup, and Day Supervisor B, who lacked ISOM experience, was told that the startup could not proceed because the storage tanks that received raffinate from the splitter tower were believed to be full. The Shift Director stated in postincident interviews that the meeting ended with the understanding that the raffinate section would not be started. However, that was not communicated to the ISOM operations personnel.

Day Supervisor A told the operations crew that the raffinate section would be started but did not distribute or review the applicable startup procedure with the crew, despite being required to do so in the procedure. Because the startup procedure that should have provided information on the progress of the startup by the night shift was not filled out and did not provide instructions for a noncontinual startup, the Day Board Operator had no precise information of what steps the night crew had completed and what the day shift was to do.

The Day Board Operator, acting on what he believed were the unit's verbal startup instructions and his understanding of the need to maintain a higher level in the tower to protect downstream equipment, closed the level control valve. The level sight glass, used to visually verify the tower level, had been reported by operators as unreadable because of a buildup of dark residue; the sight glass had been nonfunctional for several years. Knowing the condition of the sight glass, the Day Board Operator did not ask the outside crew to visually confirm the level. Even though the tower level control valve was not at 50% in “automatic” mode, as required by the startup procedure, the Day Board Operator said he believed the condition was safe as long as he kept the level within the reading range of the transmitter. The Day Board Operator observed a 97% level when he started circulation and thought that this level was normal. He said he did not recall observing a startup where the level was as low as 50%. At 10:10 a.m., 20,000 bpd of raffinate feed was being pumped into the tower and 4100 bpd was erroneously indicated as leaving the tower through the level control valve. The Day Board Operator said he was aware that the level control valve was shut.

As the unit was being heated, the Day Supervisor A, an experienced ISOM operator, left the plant at 10:47 a.m. due to a family emergency. The second Day Supervisor was devoting most of his attention to the final stages of the Aromatics Recovery Unit (ARU) startup; he had very little ISOM experience and, therefore, did not get involved in the ISOM startup. No experienced supervisor or ISOM technical expert was assigned to the raffinate section startup after the Day Supervisor A left, although BP's safety procedures required such oversight.

The Day Board Operator continued the liquid flow to the splitter tower, but was unaware that the actual tower level continued to rise. At 9:55 a.m., two burners were lit in the raffinate furnace, which preheated the feed flowing into the splitter tower and served as a reboiler, heating the liquid in the tower bottom. At 11:16 a.m., operators lit two additional burners in the furnace. While the transmitter indicated that the tower level was at 93% (8.65 feet) in the bottom 9 feet of the tower, the U.S. Chemical Safety and Hazard Investigation Board (CSB) determined from postincident analysis that the actual level in the tower was 67 feet. The fuel to the furnace was increased at 11:50 a.m., at which time the actual tower level was 98 feet, although the transmitter indicated that the level was 88% (8.4 feet) and decreasing.

At 12:41 p.m., the tower's pressure rose to 33 pounds (psig) (228 kPa), due to the significant increase in the liquid level compressing the remaining nitrogen in the raffinate system. The operations crew, however, believed the high pressure to be a result of the tower bottoms overheating, which was not unusual in previous startups. In response to the high pressure, the outside operations crew opened the 8-in. chain-operated valve that vented directly to the blowdown drum, which reduced the pressure in the tower.

The Day Board Operator and the Day Lead Operator agreed that the heat to the furnace should be reduced, and at 12:42 p.m. fuel gas flow was reduced to the furnace. At this time the raffinate splitter level transmitter displayed 80% (8 feet), but the actual tower level was 140 feet.

From 10 a.m. to 1 p.m. the transmitter showed the tower level declining from 97% to 79%. The Day Board Operator thought the level indication was accurate, and believed it was normal to see the level drop as the tower heated up. At the time of the pressure upset, the Day Board Operator became concerned about the lack of heavy raffinate flow out of the tower, and discussed with the Day Lead Operator the need to remove heavy raffinate from the raffinate splitter tower. None of the ISOM operators knew the tower was overfilling. At 12:42 p.m., the Day Board Operator opened the splitter level control to 15% output, and over the next 15 min opened the valve five times until, at 1:02 p.m., it was 70% open. However, heavy raffinate flow had not actually begun until 12:59 p.m.

The heavy raffinate flow out of the tower matched the feed into the tower was 20,500 bpd at 1:02 p.m. and by 1:04 p.m. had increased to 27,500 bpd. Unknown to the operators, the level of liquid in the 170 foot tower at this time was 158 feet, but the level transmitter reading had continued to decrease and now read 78% (7.9 feet). Although the total quantity of material in the tower had begun to decrease, heating the column contents caused the liquid level at the top of the column to continue increasing until it completely filled the column and spilled over into the overhead vapor line leading to the column relief valves and condenser.

At 1:14 p.m., hydrocarbon liquid flowed out of the top of the raffinate splitter tower and into the vertical overhead vapor line, due to overfilling and rapid heating of the column.

As the liquid filled the overhead line, the resulting hydrostatic head in the line increased. The tower pressure (which remained relatively constant) combined with the hydrostatic head exceeded the set pressures of the safety relief valves. The valves opened and discharged liquid raffinate into the raffinate splitter disposal header collection system. Both the Day Board Operator in the central control room and the outside operators in the satellite control room saw the splitter tower pressure rising rapidly to 63 psig (434 kPa); however, interviews revealed that the outside operators did not hear the three splitter tower relief valves open.

Once the blowdown system filled, flammable liquid discharged to the atmosphere from its stack and fell to the ground. Shortly after the ISOM operators began troubleshooting the pressure spike, they received, via radio, the first notification that the blowdown drum was overflowing. In response to the radio message, the Board Operator and Lead Operator used the computerized control system to shut the flow of fuel to the heater, while the other operators left the satellite control room and ran toward an adjacent road, to redirect traffic away from the blowdown drum, as required by BP's “Emergency Response Procedure A-7.”

The ISOM operators stated they had insufficient time to sound the emergency alarm before the explosion. Approximately 15 s after hearing the radio message, both the Board Operator and the Lead Operator said they started the process of shutting off the fuel to the furnace using the computerized control system. Their testimony is substantiated by the computerized control system data, which showed that the fuel gas flow control valve was shut 5 s before the explosion. Hundreds of alarms registered in the computerized control system at 1:20:04 p.m., including the high level alarm on the blowdown drum; the flood of alarms indicates when the explosion occurred. Consequently, ISOM operations personnel did not have sufficient time to assess the situation and sound the emergency alarm prior to the explosion.

The released volatile liquid evaporated as it fell to the ground and formed a flammable vapor cloud. The most likely source of ignition was an idling diesel pickup truck located about 25 feet from the blowdown drum. The 15 employees killed in the explosion were contractors working in and around temporary trailers that had been previously sited by BP as close as 121 feet from the blowdown drum.

4.3 Key Findings

The Texas City disaster was caused by organizational and safety deficiencies at all levels of the BP Corporation. Warning signs of a possible disaster were present for several years, but company officials did not intervene effectively to prevent it. The extent of the serious safety culture deficiencies was further revealed when the refinery experienced two additional serious incidents just a few months after the March 2005 disaster. In one, a pipe failure caused a reported $30 million in damage; the other resulted in a $2 million property loss. In each incident, community shelter-in-place orders were issued.

The following findings are taken from BP's Fatal Accident Investigation (Mogford, 2005):

• Over the years, the working environment had eroded to one characterized by resistance to change, and lacking trust, motivation, and a sense of purpose. Coupled with unclear expectations around supervisory and management behaviors this meant that rules were not consistently followed, rigor was lacking and individuals felt disempowered from suggesting or initiating improvements.

• Process safety, operations performance, and systematic risk reduction priorities had not been set and consistently reinforced by management.

• Many changes in a complex organization led to the lack of clear accountabilities and poor communication, which together resulted in confusion in the workforce over roles and responsibilities.

• A poor level of hazard awareness and understanding of process safety on the site resulted in people accepting levels of risk that were considerably higher than comparable installations. One consequence was that temporary office trailers were placed within 150 feet of a blowdown stack which vented heavier than air hydrocarbons to the atmosphere without questioning the established industry practice.

• Given the poor vertical communication and performance management process, there was neither adequate early warning system of problems, nor any independent means of understanding the deteriorating standards in the plant.

The following findings are taken from the Investigation Report of the CSB (U.S. Chemical Safety and Hazard Investigation Board, 2007).

The ISOM startup procedure required that the level control valve on the raffinate splitter tower be used to send liquid from the tower to storage. However, this valve was closed by an operator and the tower was filled for over 3 h without any liquid being removed. This led to flooding of the tower and high pressure, which activated relief valves that discharged flammable liquid to the blowdown system. Underlying factors involved in overfilling the tower included:

• The tower level indicator showed that the tower level was declining when it was actually overfilling. The redundant high level alarm did not activate, and the tower was not equipped with any other level indications or automatic safety devices.

• The control board display did not provide adequate information on the imbalance of flows in and out of the tower to alert the operators to the dangerously high level.

• A lack of supervisory oversight and technically trained personnel during the startup, an especially hazardous period, was an omission contrary to BP safety guidelines. An extra board operator was not assigned to assist, despite a staffing assessment that recommended an additional board operator for all ISOM startups.

• Supervisors and operators poorly communicated critical information regarding the startup during the shift turnover; BP did not have a shift turnover communication requirement for its operations staff.

• ISOM operators were likely fatigued from working 12-h shifts for 29 or more consecutive days.

• The operator training program was inadequate. The central training department staff had been reduced from 28 to 8, and simulators were unavailable for operators to practice handling abnormal situations, including infrequent and high hazard operations such as startups and unit upsets.

• Outdated and ineffective procedures did not address recurring operational problems during startup, leading operators to believe that procedures could be altered or did not have to be followed during the startup process.

• BP Texas City managers did not effectively implement their prestartup safety review policy to ensure that nonessential personnel were removed from areas in and around process units during startups, an especially hazardous time in operations. The process unit was started despite previously reported malfunctions of the tower level indicator, level sight glass, and a pressure control valve.

• Occupied trailers were sited too close to a process unit handling highly hazardous materials. All fatalities occurred in or around the trailers.

• The size of the blowdown drum was insufficient to contain the liquid sent to it by the pressure relief valves. The blowdown drum overfilled and the stack vented flammable liquid to the atmosphere, which fell to the ground and formed a vapor cloud that ignited. A relief valve system safety study had not been completed.

• Neither Amoco nor BP replaced blowdown drums and atmospheric stacks, even though a series of incidents warned that this equipment was unsafe. In 1992, OSHA cited a similar blowdown drum and stack as unsafe, but the citation was withdrawn as part of a settlement agreement and therefore the drum was not connected to a flare as recommended. Amoco, and later BP, had safety standards requiring that blowdown stacks be replaced with equipment such as a flare when major modifications were made. In 1997, a major modification replaced the ISOM blowdown drum and stack with similar equipment, but Amoco did not connect it to a flare. In 2002, BP engineers proposed connecting the ISOM blowdown system to a flare, but a less expensive option was chosen.

• The BP Board of Directors did not provide effective oversight of BP's safety culture and major accident prevention programs. The Board did not have a member responsible for assessing and verifying the performance of BP's major accident hazard prevention programs. Cost-cutting, failure to invest and production pressures from BP Group executive managers impaired process safety performance at Texas City.

• Reliance on the low personal injury rate at Texas City as a safety indicator failed to provide a true picture of process safety performance and the health of the safety culture.

• Deficiencies in BP's mechanical integrity program resulted in the “run to failure” of process equipment at Texas City.

• A “check the box” mentality was prevalent at Texas City, where personnel completed paperwork and checked off on safety policy and procedural requirements even when those requirements had not been met.

• BP Texas City lacked a reporting and learning culture. Personnel were not encouraged to report safety problems and some feared retaliation for doing so. Therefore, the lessons from incidents and near misses, were generally not captured or acted upon. Important relevant safety lessons from a British government investigation of incidents at BP's refinery in Grangemouth, Scotland, were also not incorporated at Texas City.

• The BP Texas City site had a number of reporting programs, yet serious near misses and other critical events were often unreported. In the eight previous ISOM blowdown system incidents, three were not reported in any BP database, five were reported as environmental releases, and only two were investigated as safety incidents. In the 5 years prior to the 2005 disaster, over three-quarters of the raffinate splitter tower startups’ level ran above the range of the level transmitter and in nearly half, the level was out of range for more than 1 h. These operating deviations were not reported by operations personnel or reviewed in the computerized history by Texas City managers. During the March 2005 ISOM startup, the operating deviations were more serious in degree but similar in kind to past startups. Yet the operating envelope program designed to capture and report excursions from safe operating limits was not fully functional and did not capture high distillation tower level events in the ISOM to alert managers to the deviations.

• Safety campaigns, goals, and rewards focused on improving personal safety metrics and worker behavior rather than on process safety and management safety systems. While compliance with many safety policies and procedures was deficient at all levels of the refinery, Texas City managers did not lead by example regarding safety.

• BP Texas City did not effectively assess changes involving people, policies, or the organization that could impact process safety.

• Beginning in 2002, BP Group and Texas City managers received numerous warning signals about a possible major catastrophe at Texas City. In particular, managers received warnings about serious deficiencies regarding the mechanical integrity of aging equipment, process safety, and the negative safety impacts of budget cuts and production pressures.

On August 17, 2005, following two further safety incidents at Texas City, the CSB issued an urgent safety recommendation to the BP Group Executive Board of Directors that it convene an independent panel of experts to examine BP's corporate safety management systems, safety culture, and oversight of the North American refineries. BP accepted the recommendation and commissioned the BP US Refineries Independent Safety Review Panel, chaired by former Secretary of State James Baker, III (Baker Panel). The scope of the Baker Panel's work did not include determining the root causes of the Texas City ISOM incident.

The following is taken from the Baker Panel Report (Baker, 2007) that was issued on January 16, 2007. The Panel found that “significant process safety issues exist at all five US refineries, not just Texas City,” and that BP had not instilled “a common unifying process safety culture among its US refineries.” The report found “instances of a lack of operating discipline, toleration of serious deviations from safe operating practices, and [that an] apparent complacency toward serious process safety risk existed at each refinery.” The Panel concluded that “material deficiencies in process safety performance exist at BP's five US refineries.”

The Baker Panel Report stated that BP's corporate safety management system “does not effectively measure and monitor process safety performance” for its US refineries. The report also found that BP's over-reliance on personal injury rates impaired its perception of process safety risks, and that BP's Board of Directors had “not ensured, as a best practice, that BP's management has implemented an integrated, comprehensive, and effective process safety management system for BP's five US refineries.” The report's findings covered three broad themes: corporate safety culture, process safety management systems, and performance evaluation, corrective action, and corporate oversight.

4.5 Process Safety Management Systems

The Baker Panel's findings to the effectiveness of process safety management systems that BP utilized for its five US refineries relate to its process risk assessment and analysis, compliance with internal process safety standards, implementation of external good engineering practices, process safety knowledge and competence, and general effectiveness of BP's corporate process safety management system.

4.6 Performance Evaluation, Corrective Action, and Corporate Oversight

Maintaining and improving a process safety management system requires the periodic evaluation of performance, the identification of deficiencies, and the measures to be taken to correct the deficiencies. Significant deficiencies existed in BP's site and corporate systems for measuring process safety performance, investigating incidents and near misses, auditing system performance, addressing previously identified process safety-related action items, and ensuring sufficient management and Board oversight. Many of the process safety deficiencies were not new, but were identifiable to BP based upon lessons from previous process safety incidents, including process incidents that occurred at BP's facility in Grangemouth, Scotland in 2000.

4.7 Lessons Learned

Simply targeting the mistakes of BP's operators and supervisors misses the underlying and significant cultural, human, and organizational causes of the incident that have a greater preventative impact. One underlying cause was that BP used inadequate methods to measure safety conditions at Texas City. For instance, a very low personal injury rate at Texas City gave BP a misleading indicator of process safety performance. In addition, while most attention was focused on the injury rate, the overall safety culture, and process safety management program had serious deficiencies. Despite numerous previous fatalities at the Texas City refinery (23 deaths in the 30 years prior to the 2005 disaster) and many hazardous material releases, BP did not take effective steps to stem the progression to a catastrophic event.

Further evidence of a systemic problem with BP's management systems occurred in July 2005 and March 2006. In July 2005, Thunder Horse, BP's giant new production platform in the Gulf of Mexico, nearly sank during a hurricane. In their rush to finish the $1 billion platform, workers had installed a valve backwards, allowing the ballast tanks to flood. Inspections revealed other shoddy work. Repairs costing hundreds of millions would keep Thunder Horse out of commission for 3 years.

Then, in March 2006, corrosion in BP's Prudhoe Bay pipelines caused a 267,000-gallon oil leak, the worst spill ever on Alaska's North Slope. This accident was a result of the company's failure to properly test and clean miles of aging pipe.

As part of a strategic plan to restructure BP's US refining portfolio, the company completed the sale of the Texas City Refinery on February 01, 2013 after reporting it spent over $1 billion in modernizing and improving the plant. It said Texas City lacked strong integration into any of its marketing assets.

5.1 Key Findings

BP formed an investigation team that was charged with gathering the facts surrounding the accident, analyzing available information to identify possible causes, and making recommendations to enable prevention of similar accidents in the future. BP's investigating team identified eight key findings related to the causes of the accident (BP, 2011). These findings are briefly described below.

• The annulus cement barrier did not isolate the hydrocarbons. The day before the accident, cement had been pumped down the production casing and up into the wellbore annulus to prevent hydrocarbons from entering the wellbore from the reservoir. The annulus cement that was placed across the main hydrocarbon zone was a light, nitrified foam cement slurry. This cement probably experienced nitrogen breakout and migration, allowing hydrocarbons to enter the wellbore annulus. The investigation team concluded that there were weaknesses in cement design and testing, quality assurance, and risk assessment.

• The shoe track barriers did not isolate the hydrocarbons. Having entered the wellbore annulus, hydrocarbons passed down the wellbore and entered the 9 7/8 in.×7 in. production casing through the shoe track, installed in the bottom of the casing. Flow entered into the casing rather than the casing annulus. For this to happen, both barriers in the shoe track must have failed. The first barrier was the cement in the shoe track, and the second was the float collar, a device at the top of the shoe track designed to prevent fluid ingress into the casing. The investigation team concluded that hydrocarbon ingress was through the shoe track, rather than through a failure in the production casing itself or up the wellbore annulus and through the casing hanger seal assembly. The investigation team identified potential failure modes that could explain how the shoe track cement and the float collar allowed hydrocarbon ingress into the production casing.

• The negative pressure test was accepted although well integrity had not been established. Prior to temporarily abandoning the well, a negative pressure test was conducted to verify the integrity of the mechanical barriers (the shoe track, production casing, and casing hanger seal assembly). The test involved replacing heavy drilling mud with lighter seawater to place the well in a controlled underbalanced condition. In retrospect, pressure readings and volume bleed at the time of the negative pressure test were indications of flow-path communication with the reservoir, signifying that the integrity of these barriers had not been achieved. The Transocean rig crew and BP well site leaders reached the incorrect view that the test was successful and that well integrity had been established.

• Influx was not recognized until hydrocarbons were in the riser. With the negative pressure test accepted, the well was returned to an overbalanced condition, preventing further influx into the wellbore. Later, as part of normal operations to temporarily abandon the well, heavy drilling mud was again replaced with seawater, underbalancing the well. Over time, this allowed hydrocarbons to flow up through the production casing and pass through the BOP. Indications of influx with an increase in drill pipe pressure are discernable in real-time data from approximately 40 min before the rig crew took action to control the well. The rig crew's first apparent well control actions occurred after hydrocarbons were rapidly flowing to the surface. The rig crew did not recognize the influx and did not act to control the well until hydrocarbons had passed through the BOP and into the riser.

• Well control response actions failed to regain control of the well. The first well control actions were to close the BOP and diverter, routing the fluids exiting the riser to the rig's mud gas separator (MGS) system rather than to the overboard diverter line. If fluids had been diverted overboard, rather than to the MGS, there may have been more time to respond, and the consequences of the accident may have been reduced.

• Diversion to the MGS resulted in gas venting onto the rig. Once diverted to the MGS, hydrocarbons were vented directly onto the rig through the 12 in. goosenecked vent exiting the MGS, and other flow lines also directed gas onto the rig. This increased the potential for the gas to reach an ignition source. The design of the MGS system allowed diversion of the riser contents to the MGS vessel although the well was in a high flow condition. This overwhelmed the MGS system.

• The fire and gas system did not prevent hydrocarbon ignition. Hydrocarbons migrated beyond areas on the DWH that were electrically classified to areas where the potential for ignition was higher. The heating, ventilation, and air conditioning system probably transferred a gas-rich mixture into the engine rooms, causing at least one engine to overspeed, creating a potential source of ignition.

• The BOP emergency mode did not seal the well. Three methods for operating the BOP in the emergency mode were unsuccessful in sealing the well.

– The explosions and fire very likely disabled the emergency disconnect sequence, the primary emergency method available to the rig personnel, which was designed to seal the wellbore and disconnect the marine riser from the well.

– The condition of critical components in the yellow and blue control pods on the BOP very likely prevented activation of another emergency method of well control, the automatic mode function (AMF), which was designed to seal the well without rig personnel intervention upon loss of hydraulic pressure, electric power, and communications from the rig to the BOP control pods. An examination of the BOP control pods following the accident revealed that there was a fault in a critical solenoid valve in the yellow control pod and that the blue control pod AMF batteries had insufficient charge; these faults likely existed at the time of the accident.

– Remotely operated vehicle intervention to initiate the autoshear function, another emergency method of operating the BOP, likely resulted in closing the BOP's blind shear ram (BSR) 33 h after the explosions, but the BSR failed to seal the well.

Through a review of rig audit findings and maintenance records, the investigation team found indications of potential weaknesses in the testing regime and maintenance management system for the BOP.

The team did not identify any single action or inaction that caused this accident. Rather, a complex and interlinked series of mechanical failures, human judgments, engineering design, operational implementation, and team interfaces came together to allow the initiation and escalation of the accident.

The Joint Investigation Team of the Bureau of Ocean Energy Management, Regulation and Enforcement (BOEMRE) (formerly the Minerals Management Service or “MMS”) and the United States Coast Guard (the Panel) identified a number of causes of the Macondo blowout (The Bureau of Ocean Energy Management Regulation and Enforcement, 2011).

The Panel found that a central cause of the blowout was failure of a cement barrier in the production casing string (a high-strength steel pipe set in a well to ensure well integrity and to allow future production). The failure of the cement barrier allowed hydrocarbons to flow up the wellbore, through the riser and onto the rig, resulting in the blowout. The precise reasons for the failure of the production casing cement job were not known, but the Panel concluded that the failure was likely due to: (1) swapping of cement and drilling mud (referred to as “fluid inversion”) in the shoe track (the section of casing near the bottom of the well); (2) contamination of the shoe track cement; or (3) pumping the cement past the target location in the well, leaving the shoe track with little or no cement (referred to as “over-displacement”).

The loss of life at the Macondo site on April 20, 2010 and the subsequent pollution of the Gulf of Mexico through the Summer of 2010 were the result of poor risk management, last-minute changes to plans, failure to observe and respond to critical indicators, inadequate well control response, and insufficient emergency bridge response training by companies and individuals responsible for drilling at the Macondo well and for the operation of the DWH.

BP, as the designated operator under BOEMRE regulations, was ultimately responsible for conducting operations at Macondo in a way that ensured the safety and protection of personnel, equipment, natural resources, and the environment. Transocean, the owner of the DWH, was responsible for conducting safe operations and for protecting personnel onboard. Halliburton, as a contractor to BP, was responsible for conducting the cement job, and, through its subsidiary (Sperry Sun), had certain responsibilities for monitoring the well. Cameron was responsible for the design of the DWH BOP stack.

At the time of the blowout, the rig crew was engaged in “temporary abandonment” activities to secure the well after drilling was completed and before the rig left the site. In the days leading up to 20 April, BP made a series of decisions that complicated cementing operations, added incremental risk, and may have contributed to the ultimate failure of the cement job. These decisions included:

• The use of only one cement barrier. BP did not set any additional cement or mechanical barriers in the well, even though various well conditions created difficulties for the production casing cement job.

• The location of the production casing. BP decided to set production casing in a location in the well that created additional risk of hydrocarbon influx.

• The decision to install a lock-down sleeve. BP's decision to include the setting of a lock-down sleeve (a piece of equipment that connects and holds the production casing to the wellhead during production) as part of the temporary abandonment procedure at Macondo increased the risks associated with subsequent operations, including the displacement of mud, the negative test sequence and the setting of the surface plug.

• The production casing cement job. BP failed to perform the production casing cement job in accordance with industry-accepted recommendations.

The Panel concluded that BP failed to communicate these decisions and the increasing operational risks to Transocean. As a result, BP and Transocean personnel onboard the DWH on the evening of April 20, 2010, did not fully identify and evaluate the risks inherent in the operations that were being conducted.

On 20 April, BP and Transocean personnel onboard the DWH missed the opportunity to remedy the cement problems when they misinterpreted anomalies encountered during a critical test of cement barriers called a negative test, which seeks to simulate what will occur at the well after it is temporarily abandoned and to show whether cement barrier(s) will hold against hydrocarbon flow.

The rig crew conducted an initial negative test on the production casing cement job that showed a pressure differential between the drill pipe and the kill line (a high-pressure pipe leading from the BOP stack to the rig pumps). This was a serious anomaly that should have alerted the rig crew to potential problems with the cement barrier or with the negative test. After some discussion among members of the crew and a second negative test on the kill line, the rig crew explained the pressure differential away as a “bladder effect,” a theory that later proved to be unfounded. Around 7:45 p.m., after observing for 30 min that there was no flow from the kill line, the rig crew concluded that the negative test was successful. At this point, the rig crew most likely concluded that the production casing cement barrier was sound.

The cement in the shoe track barrier, however, had in fact failed, and hydrocarbons began to flow from the Macondo reservoir into the well. Despite a number of additional anomalies that should have signaled the existence of a kick or well flow, the crew failed to detect that the well was flowing until 9:42 p.m. By then it was too late. The well was blowing drilling mud up into the derrick and onto the rig floor. If members of the rig crew had detected the hydrocarbon influx earlier, they might have been able to take appropriate actions to control the well. There were several possible reasons why the crew did not detect the kick:

• The rig crew had experienced problems in promptly detecting kicks. The DWH crew had experienced a kick on March 08, 2010 that went undetected for approximately 30 min. BP did not conduct an investigation into the reasons for the delayed detection of the kick. Transocean personnel admitted to BP that individuals associated with the 08 March kick had “screwed up by not catching” it. Ten of the 11 people on duty on 08 March, who had well control responsibilities, were also on duty on 20 April.

• Simultaneous rig operations hampered the rig crew's well-monitoring abilities. The rig crew's decision to conduct simultaneous operations during the critical negative tests—including displacement of fluids to two active mud pits and cleaning the pits in preparation to move the rig—complicated well-monitoring efforts.

• The rig crew bypassed a critical flow meter. At approximately 9:10 p.m., the rig crew directed fluid displaced from the well overboard, which bypassed the Sperry Sun flow meter, which is a critical kick detection tool that measures outflow from the well. The DWH was equipped with other flow meters, but the Panel found no evidence that these meters were being monitored prior to the blowout.

Once the crew discovered the hydrocarbon flow, it sent the flow to a MGS, a piece of equipment not designed to handle high flow rates. The MGS could not handle the volume of hydrocarbons, and it discharged a gas plume above the rig floor that ignited.

The Panel found evidence that the configuration of the DWH general alarm system and the actions of rig crew members on the bridge of the rig contributed to a delay in notifying the entire crew of the presence of very high gas levels on the rig. Transocean had configured the DWH general alarm system in “inhibited” mode, which meant that the general alarm would not automatically sound when multiple gas alarms were triggered in different areas on the rig. As a result, personnel on the bridge were responsible for sounding the general alarm. Personnel on the bridge waited approximately 12 min after the sounding of the initial gas alarms to sound the general alarm, even though they had been informed that a “well control problem” was occurring. During this period, there were approximately 20 alarms indicating the highest level of gas concentration in different areas on the rig.

The BOP stack, a massive 360-ton device installed at the top of the well, was designed to allow the rig crew to handle numerous types of well control events. However, on 20 April, the BOP stack failed to seal the well to contain the flow of hydrocarbons. The explosions likely damaged the DWH's multiplex cables and hydraulic lines, rendering the crew unable to activate the BOP stack.

The BOP stack was equipped with an “automatic mode function,” which upon activation would trigger the BSR, two metal blocks with blades on the inside edges that are designed to cut through the drill pipe and seal the well during a well control event. The Panel concluded that there were two possible ways in which the BSR might have been activated: (1) on 20 April, by the AMF, immediately following loss of communication with the rig or (2) on 22 April, when a remotely operated vehicle triggered the “autoshear” function, which is designed to close the BSR if the lower marine riser package disconnects from the rest of the BOP stack. Regardless of how the BSR was activated, it did not seal the well.

A forensic examination of the BOP stack revealed that elastic buckling of the drill pipe had forced the drill pipe up against the side of the wellbore and outside the cutting surface of the BSR blades. As a result, the BSR did not completely shear the drill pipe and did not seal the well. The buckling of the drill pipe, which likely occurred at or near the time when control of the well was lost, was caused by the force of the hydrocarbons blowing out of the well; by the weight of the 5000 feet of drill pipe located in the riser above the BOP forcing the drill pipe down into the BOP stack; or by a combination of both. As a result of the failure of the BSR to completely cut the drill pipe and seal the well, hydrocarbons continued to flow after the blowout.

Prior to the events of 20 April, BP and Transocean experienced a number of problems while conducting drilling and temporary abandonment operations at Macondo. These problems included:

• Recurring well control events and delayed kick detection. At least three different well control events and multiple kicks occurred during operations at Macondo. On 08 March, it took the rig crew at least 30 min to detect a kick in the well. The delay raised concerns among BP personnel about the DWH crew's ability to promptly detect kicks and take appropriate well control actions. Despite these prior problems, BP did not take steps to ensure that the rig crew was better equipped to detect kicks and to handle well control events. As of 20 April, Transocean had not completed its investigation into the 08 March incident.

• Scheduling conflicts and cost overruns. At the time of the blowout, operations at Macondo were significantly behind schedule. BP had initially planned for the DWH to move to BP's Nile well by March 08, 2010. In large part as a result of this delay, as of 20 April, BP's Macondo operations were more than $58 million over budget.

• Personnel changes and conflicts. BP experienced a number of problems involving personnel with responsibility for operations at Macondo. A reorganization that took place in March and April 2010 changed the roles and responsibilities of at least nine individuals with some responsibility for Macondo operations. In addition, the Panel found evidence of a conflict between the BP drilling and completions operations manager and the BP wells team leader and evidence of a failure to adequately delineate roles and responsibilities for key decisions.

At the time of the blowout, both BP and Transocean had extensive procedures in place regarding safe drilling operations. BP required that its drilling and completions personnel follow a “documented and auditable risk management process.” The Panel found no evidence that the BP Macondo team fully evaluated ongoing operational risks, nor did it find evidence that BP communicated with the Transocean rig crew about such risks.

Transocean had a number of documented safety programs in place at the time of the blowout. Nonetheless, the Panel found evidence that Transocean personnel questioned whether the DWH crew was adequately prepared to independently identify hazards associated with drilling and other operations.

Everyone on board the DWH was obligated to follow the Transocean “stop work” policy that was in place on 20 April. It provided that “[e]ach employee has the obligation to interrupt an operation to prevent an incident from occurring.” Despite the fact that the Panel identified a number of reasons that the rig crew could have invoked stop work authority, no one on the DWH did so that day.

The Panel's recommendations sought to improve the safety of offshore drilling operations in a variety of different ways:

• Well design. Improved well design techniques for wells with high flow potential, including increasing the use of mechanical and cement barriers, to decrease the chances of a blowout.

• Well integrity testing. Better well integrity test practices (e.g., negative test practices) to allow rig crews to identify possible well control problems in a timely manner.

• Kick detection and response. The use of more accurate kick detection devices and other technological improvements to help ensure that rig crews can detect kicks early and maintain well control. Also, better training to allow rig crews to identify situations where hydrocarbons should be diverted overboard.

• Rig engine configuration (air intake locations). Assessment and testing of safety devices, particularly on rigs where air intake locations create possible ignition sources, to decrease the likelihood of explosions and fatalities in the event of a blowout.

• Blowout preventers. Improvements in BOP stack configuration, operation, and testing to allow rig crews to be better able to handle well control events.

• Remotely-operated vehicles (ROVs). Standardization of ROV intervention panels and intervention capabilities to allow for improved response during a blowout.

The CSB builds on previously published investigation reports by analyzing evidence that, in some respects, became available only following their publication, offering technical, human, organizational, and regulatory perspectives beyond those of previous reports (U.S. Chemical Safety and Hazard Investigation Board, 2016).

The CSB Macondo investigation identified several safety gaps and worthy lessons:

• Testing limitations masked latent failures of the DWH BOP, affecting its operation on the day of the incident, and these latent failures will continue to exist for similarly designed BOPs unless modifications are made to current standard industry testing protocols.

• Pressure conditions in a well can cause the drill pipe to buckle (or bend) in a BOP even after a crew has initially sealed a well, potentially incapacitating emergency functions of the BOP intended to cut the drill pipe and seal the well.

• Industry is challenged to effectively assess the human performance expectations and human factor implications of the barriers and safety systems meant to control or mitigate the hazards of safety-critical well operations.

• Cognitive and social skills training, in conjunction with technical competencies, can be valuable for combating cognitive biases and other mental traps that may influence decision making within complex systems.

• Gaps between work-as-imagined by well designers, managers, or regulatory authorities and work-as-done by the well operations crew must be continually identified, managed, and minimized by building a resilient process that can sustain desirable operations during both expected and unexpected conditions.

• Obstacles continue to exist that not only limit sharing of lessons from incident investigations within individual companies, but also across the operator/drilling contractor boundary and across international geographical regions.

• An equal focus and effort to collect, measure, and improve process safety performance indicators to that currently dedicated to personal safety statistics is necessary to reduce the potential for a major accident event.

• Corporate Boards of Directors’ oversight, shareholder activism, and US Securities and Exchange Commission (SEC) reporting requirements have the potential to influence an organization's focus on major accident risk.

• Incongruities among proclaimed values, actual practices, and unstated basic assumptions within an organization's culture impacts its focus on safety, necessitating efforts to effectively assess, monitor and modify all three cultural components for safety change to occur.

• Complexities of multi-party risk management between an operator and drilling contractor in the US offshore industry necessitate more explicit and established safety roles and responsibilities, as well as oversight.

5.2 Lesson Learned

In 2011, the Secretary of the Department of the Interior (DOI) redefined the responsibilities previously performed by the MMS and reassigned the functions of the offshore energy program among three separate organizations: the Bureau of Ocean Energy Management (BOEM), the Bureau of Safety and Environmental Enforcement (BSEE), and the Office of Natural Resources Revenue (ONRR) (Ramseur, 2015).

As one of the responsible parties, BP is reported to have spent over $14 billion in cleanup operations (U.S. District Court for Eastern District of Louisiana, 2016). In addition, BP has paid over $15 billion to the federal government, state and local governments, and private parties for economic claims and other expenses, including reimbursements for response costs related to the oil spill. BP and other responsible parties have agreed to civil and/or criminal settlements with the Department of Justice (DOJ). Settlements from various parties, to date, total almost $6 billion. BP is to pay the United States a civil penalty of $5.5 billion under the Clean Water Act (CWA), payable over 15 years. BP will pay $7.1 billion to the United States and the five Gulf states over 15 years for NRD. This is in addition to the $1 billion already committed for early restoration. BP will also set aside an additional amount of $232 million to be added to the NRD interest payment at the end of the payment period to cover any further NRD that are unknown at the time of the agreement. A total of $4.9 billion will be paid over 18 years to settle economic and other claims made by the five Gulf Coast states. Up to $1 billion will be paid to resolve claims made by more than 400 local government entities. The principal payments arising from the agreements will be made over a period of 18 years.

In July 2010, IOGP established the Global Industry Response Group (GIRG) to identify, learn from and apply the lessons of Macondo and similar well accidents. The GIRG brought together more than 100 technical experts and managers from some 20 companies around the world. Most of them worked full time on the project for the better part of a year. They pooled their knowledge and experience to create three dedicated teams focused on oil spill prevention, intervention, and response.

Their recommendations led to:

• An industry-wide well control incident database.

• A task force on BOP reliability.

• Improved human factors training and competencies.

• The development and implementation of key international standards for well design and operations management.

• The creation of the Subsea Well Response Project—known as SWRP—to improve intervention capabilities.

• The creation of the Oil Spill Response Joint Industry Project—known as the OSR-JIP—to improve oil spill response capabilities.

• Mutual aid agreements and framework to enable operators to access additional resources in the event of an major oil spill.

As a result of GIRG, industry can show that it has learned from events such as Macondo and has worked to reduce the likelihood and consequences of future incidents.