The Japanese people have suffered unimaginable devastation from the recent earthquakes and tsunami and are now facing the specter of unprecedented nuclear accidents. While we keep the people of Japan in our thoughts and provide support however we may, as safety and reliability professionals we must be mindful that the aftermath of other catastrophes is ongoing, including Haiti, the Upper Big Branch Mine and the Deepwater Horizon Macondo well.
The U.C. Berkeley Center for Catastrophic Risk Management Deepwater Horizon Study Group (DHSG) has published its final report on the Deepwater Horizon accident. “The DHSG was formed by members of the Center for Catastrophic Risk Management (CCRM) in May 2010 in response to the blowout of the Macondo well on April 20, 2010. A fundamental premise in the DHSG work is: we look back to understand the why’s and how’s of this disaster so we can better understand how best to go forward. The goal of the DHSG work is defining how to best move forward – assessing what major steps are needed to develop our national oil and gas resources in a reliable, responsible, and accountable manner.”
The Report summarizes the major organizational factors contributing to the accident as follows:
“The organizational causes of this disaster are deeply rooted in the histories and cultures of the offshore oil and gas industry and the governance provided by the associated public regulatory agencies. While this particular disaster involves a particular group of organizations, the roots of the disaster transcend this group of organizations. This disaster involves an international industry and its governance.
This disaster was preventable if existing progressive guidelines and practices had been followed—the Best Available and Safest Technology. BP’s organizations and operating teams did not possess a functional Safety Culture. Their system was not propelled toward the goal of maximum safety in all of its manifestations but was rather geared toward a trip-and-fall compliance mentality rather than being focused on the Big-Picture. It has been observed that BP’s system “forgot to be afraid.” The system was not reflective of one having well-informed, reporting, or just cultures. The system showed little evidence of being a high-reliability organization possessing a rapid learning culture that had the willingness and competence to draw the right conclusions from the system’s safety signals.
The Macondo well disaster was an organizational accident whose roots were deeply embedded in gross imbalances between the system’s provisions for production and those for protection. The multiple failures (to contain, control, mitigate, plan, and clean-up) that unfolded and ultimately drove this disaster appear to be deeply rooted in a multi-decade history of organizational malfunctions and shortsightedness. There were multiple opportunities to properly assess the likelihoods and consequences of organizational decisions (i.e., Risk Assessment and Management) that were ostensibly driven by BP management’s desire to “close the competitive gap” and improve bottom-line performance. Consequently, although there were multiple chances to do the right things in the right ways at the right times, management’s perspective failed to recognize and accept its own fallibilities despite a record of recent accidents in the U.S. and a series of promises to change BP’s safety culture.
Analysis of the available evidence indicates that when given the opportunity to save time and money—and make money—poor decision making played a key role in accident causation. The tradeoffs that were made were perceived as safe in a normalized framework of business-as-usual. Conscious recognition of possible failure consequences seemingly never surfaced as the needle on the real-time risk-meter continued to climb. There were not any effective industry or regulatory checks and balances in place to counteract the increasingly deteriorating and dangerous situation on Deepwater Horizon. Thus, as a result of a cascade of deeply flawed failure and signal analysis, decision-making, communication, and organizational-managerial processes, safety was compromised to the point that the blowout occurred with catastrophic effects.
In many ways, this disaster closely replicates other major disasters that have been experienced by the offshore oil and gas industry. Eight months before the Macondo well blowout, the blowout of the Montara well offshore Australia in the Timor Sea developed in almost the same way—with very similar downstream effects. The Occidental Petroleum North Sea Piper Alpha platform explosions and fires (1988) and the Petrobras P36 production platform sinking offshore Brazil (2005) followed roadmaps to disaster that are very similar to that developed during and after the Macondo well blowout. These were major system failures involving a sequence of unanticipated compounding malfunctions and breakdowns—a hallmark of system disasters.
This disaster also has eerie similarities to the BP Texas City refinery disaster. These similarities include: a) multiple system operator malfunctions during a critical period in operations, b) not following required or accepted operations guidelines (“casual compliance”), c) neglected maintenance, d) instrumentation that either did not work properly or whose data interpretation gave false positives, e) inappropriate assessment and management of operations risks, f) multiple operations conducted at critical times with unanticipated interactions, g) inadequate communications between members of the operations groups, h) unawareness of risks, i) diversion of attention at critical times, j) a culture with incentives that provided increases in productivity without commensurate increases in protection, k) inappropriate cost and corner cutting, l) lack of appropriate selection and training of personnel, and m) improper management of change. In both cases—the BP Texas City and the BP Macondo well disasters—meetings were held with operations personnel at the same time and place the initial failures were developing. These meetings were intended to congratulate the operating crews and organizations for their excellent records for worker safety. Both of these disasters have served—as many others have served—to clearly show there are important differences between worker safety and system safety. One does not assure the other.
In all of these disasters, risks were not properly assessed in hazardous natural and industrial governance-management environments. The industrial-governance-management environments unwittingly acted to facilitate progressive degradation and destruction of the barriers provided to prevent the failures. An industrial environment of inappropriate cost and corner cutting was evident in all of these cases as was a lack of appropriate and effective governance—by either the industry or the public governmental agencies. As a result, the system’s barriers were degraded and destroyed to the point where the natural environmental elements (e.g., high-pressure, flammable fluids and gases) overcame and destroyed the system. Compounding failures that followed the triggering failures allowed the triggering failures to develop into a major disaster—catastrophe.”
The full report will be available on the DOE Operating Experience Wiki.