BP Gulf of Mexico Rig Lacked Alarm Systems
DMandPenfold writes "BP's monitoring IT systems on the failed Deepwater Horizon oil rig relied too heavily on engineers following complex data for long periods of time, instead of providing automatic warning alerts. That is a key verdict of the Oil Spill Commission, the authority tasked by President Barack Obama to investigate the Gulf of Mexico disaster."
Comment removed (Score:5, Interesting)
Re:As opposed to... (Score:5, Insightful)
Yeah, surprisingly alarms have to be neither missing nor useless (by being irrelevant, hard to understand, going off for the wrong reasons, presenting wrong scenario, not correlating causes etc etc etc).
Who'd have thunk it.
Re:As opposed to... (Score:5, Insightful)
It's not like we've never seen this sort of thing before
"You are about to do something."
CANCEL, or ALLOW?
Re: (Score:1)
And if you could make a perfect detector like that, you'd ha
Re: (Score:3)
"Easier said than done."
Of course, or there wouldn't be business around it.
"Always triggering the right alarm - and only the right alarm - amounts to creating a system that somehow knows exactly how to handle any situation, no matter how complex."
Wrong. It amounts to getting rid of false assumptions or trying to sell a solution as the magic snake oil that will end all and every problem. Triggering the right alarm and only the right alarm is as easy as:
1) Known situation: manage automatically
2) Unknown sit
Re: (Score:2)
Re:Seems a little unrelated (Score:4, Interesting)
Things will always fail in weird, unexpected ways - that's why you need humans in the loop.
Re: (Score:2)
Re: (Score:3)
Actually, there were BPs in a redundant configuration but when the control was lost the main failed to operate and the backup's batteries were in too poor condition to work. As with most disasters there were a myriad of contributing factors. After looking at numerous reports (everyone is certainly trying to make sure their investigations are public) it looks like:
1. Familiarity breeds contempt. Alarms shut down or ignored partly because of annoyance and partly because incorrect conclusions were made a
Re: (Score:2)
er... I meant "Blowout Preventers" for "BPs". Sorry for the confusion with British Petroleum.
Re: (Score:2)
er... I meant "Blowout Preventers" for "BPs". Sorry for the confusion with British Petroleum.
Who are, of course, no longer actually called British Petroleum but just "BP", since the merger with American Oil (Amerco).
Re: (Score:1)
Would that be the merged entity of British Petroleum and Amoco which is called BP?
Re: (Score:2)
sigh... so many "sheldon" moments
I meant, BP as in Blowout Preventers, as opposed to BP as in the company formerly known as British Petroleum.
Cheers
Re: (Score:1, Flamebait)
In the BP spill it didn't.
Yes it did. Information, leakage of which would have caused much more damage to the company, was contained very effectively. Now, as far as they are concerned the matter is closed.
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
I was thinking much the same thing... There probably is a happy medium, but it's going to be really really hard to hit.
Sitting at a monitoring console hour after hour, day after day, is very tiring and wearing. So systems that monitor for trends and alert the operator are very valuable for cutting through that. But on the flip side, it becomes very easy to depend more and more on the automated systems and less and less on knowledge of the system, environment, and equipment. TANSTAAFL.
Discla
Re: (Score:1)
Re: (Score:3)
"Excuses that there were too many false positives just means that people needed to fix the false positives instead of ignoring or disabling them!"
While I'm with your overall message, you seem to forget that for this to work, bonuses and penalties need to be aligned; when they are not, things like this are expected to happen.
I.E: I certainly should care about each and every raised alarm, and I'm even told to do so. *But* I'm not paid to take care of rising alarms as soon as I can but to accomplish a differe
Re:As opposed to... (Score:5, Interesting)
Indeed. Alarm suppression is a complex thing to set up in many cases. I personally work in the business and know how much thought goes into the alarm handling of the plants operating in Norwegian waters.
One example of a "simple" suppression case is that if Controller A goes down, you do not need to tell the operator that ALL signals on this controller are in "bad quality" or out of bounds. What you need to tell them is that the controller is down, and which systems are affected (which they will see on their displays as valves change color or somesuch. Our system uses white asterisks and white color to indicate that something is 'dead').
More complex cases are things like not throwing alarms for low flow rates in pipes where the valves are closed, or not throwing electric alarms on equipment set to maintenance mode.
Regardless of all this, there should be an alarm system that has priorities.
Pri 1 alarms are such that they require IMMEDIATE attention. Such as a dangerous triple-high alarm (HHH or 3H) of a tank, pressure or temperature or a controller going down.
Pri 2 would be alarms that could develop into Pri 1 if not handled within a few minutes (H/HH) alarms etc.
Pri 3 would be what we call "pre-alarms". Things that could cause process upset or issues down the line. Like a low flow of coolant even though the temperature of the equipment being cooled hasn't started rising yet. Or a low level in a fuel tank.
Pri 4 we usually assign as maintenance issues. Like two redundant sensors having more than 0.5% deviation between them (But not enough to cause a real alarm). Things that should be looked at but within a day or so.
Being able to filter alarms like this helps immensely during an emergency. This is an old system with a limited number of 'alarm groups' and 'priority levels' but it still works fairly well. Operators can see what happens even with several hundred alarms going off at the same time. On our simulator we did a fun test where we tripped 70% of the plant (about 18000 distinct 'tags' or io points went into Bad quality and several thousand in alarm). :)
The operators were able to stop the cascade failure and no pipe burst in the simulator.
Shit -will- hit the fan. It is always nice to be able to filter it so that only the important shit actually hits the wall :p
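The suppression and priority rules described in the comment above, written out as an added example that is not part of the original thread or the poster's system. Tag names, alarm kinds and the PlantState fields are hypothetical; keeping suppressed alarms with a reason instead of dropping them, and measuring sensor deviation against the mean reading, are assumptions of this example.

```python
from dataclasses import dataclass

# Priority scheme from the comment: 1 = immediate (HHH, controller down),
# 2 = H/HH, 3 = pre-alarm, 4 = maintenance.
PRIORITY = {"CONTROLLER_DOWN": 1, "HHH": 1, "HH": 2, "H": 2,
            "LOW_FLOW": 3, "LOW_LEVEL": 3, "SENSOR_DEVIATION": 4}

@dataclass(frozen=True)
class Alarm:
    tag: str             # I/O point name (constructed sample names below)
    kind: str            # key into PRIORITY, or BAD_QUALITY / ELECTRICAL
    controller: str      # controller that owns the tag
    equipment: str = ""  # equipment the tag belongs to, if any

@dataclass
class PlantState:
    controllers_down: set
    closed_valves: dict  # flow tag -> True if the valve feeding it is closed
    maintenance: set     # equipment currently in maintenance mode

def deviation_alarm(tag, reading_a, reading_b, controller, limit_pct=0.5):
    """Pri 4 maintenance alarm when redundant sensors disagree by more than
    limit_pct percent of their mean (the reference value is an assumption)."""
    mean = (reading_a + reading_b) / 2
    if mean and abs(reading_a - reading_b) / abs(mean) * 100 > limit_pct:
        return Alarm(tag, "SENSOR_DEVIATION", controller)
    return None

def triage(alarms, state):
    """Return (shown, suppressed). shown is sorted by priority; suppressed
    keeps (alarm, reason) pairs so nothing is silently discarded."""
    shown, suppressed = [], []
    # One Pri 1 alarm per dead controller replaces its per-signal flood.
    for ctrl in sorted(state.controllers_down):
        shown.append((1, Alarm(ctrl, "CONTROLLER_DOWN", ctrl)))
    for a in alarms:
        if a.controller in state.controllers_down:
            suppressed.append((a, "controller down"))
        elif a.kind == "LOW_FLOW" and state.closed_valves.get(a.tag, False):
            suppressed.append((a, "valve closed"))
        elif a.kind == "ELECTRICAL" and a.equipment in state.maintenance:
            suppressed.append((a, "maintenance mode"))
        else:
            # Unknown kinds default to Pri 2 rather than being hidden.
            shown.append((PRIORITY.get(a.kind, 2), a))
    shown.sort(key=lambda p: (p[0], p[1].tag))
    return shown, suppressed

# Constructed sample data; tag and controller names are made up.
SAMPLE_STATE = PlantState(controllers_down={"CTRL-A"},
                          closed_valves={"FT-201": True},
                          maintenance={"PUMP-7"})
SAMPLE_ALARMS = [
    Alarm("PT-101", "BAD_QUALITY", "CTRL-A"),
    Alarm("TT-102", "BAD_QUALITY", "CTRL-A"),
    Alarm("FT-201", "LOW_FLOW", "CTRL-B"),
    Alarm("FT-202", "LOW_FLOW", "CTRL-B"),
    Alarm("EL-300", "ELECTRICAL", "CTRL-B", equipment="PUMP-7"),
    Alarm("LT-400", "HHH", "CTRL-B"),
    Alarm("PT-401", "HH", "CTRL-B"),
    deviation_alarm("TT-500", 100.0, 100.8, "CTRL-C"),
]

if __name__ == "__main__":
    shown, suppressed = triage(SAMPLE_ALARMS, SAMPLE_STATE)
    for prio, a in shown:
        print(f"Pri {prio}: {a.tag} {a.kind}")
    for a, reason in suppressed:
        print(f"suppressed: {a.tag} {a.kind} ({reason})")
```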
Re: (Score:2)
Wrong analogy. BT is a UK company.
Read job adverts for this class of UK company IT architects on jobserve. They are _VERY_ explicit that the job of the architect is only to shop-n-ship. There is no allowance to collect reqs for a made-to-order job or spec-out an in-house system. If it is not supported by an off the shelf package it will not be. Period. The "We are not software developers" mantra taken to its ultimate limit.
My educated guess that the hodgepodge of systems delivered by 3 subcontractors for th
Of course it is IT's fault (Score:1)
I mean, IT is always the irresponsible bad guy, right? It couldn't be someone else told them not to do it because it took too long, or was a waste of money, or...
Re: (Score:2)
On slashdot IT is never the bad guy. It's always some mythical manager who must have ordered them to do what they do. Why can nobody here ever believe a programmer/engineer/IT guy was incompetent?
Re: (Score:2)
Why do they even bother? (Score:1)
Just another whitewash...
Re:Why do they even bother? (Score:5, Informative)
http://www.nytimes.com/2010/06/21/us/21blowout.html?_r=1&pagewanted=all [nytimes.com]
'Failure of management' and regulators given blame for disaster
http://www.chron.com/disp/story.mpl/business/7367856.html [chron.com]
How British oil giant BP used all the political muscle money can buy to fend off regulators and influence investigations into corporate neglect.
http://www.newsweek.com/2010/05/07/slick-operator.html [newsweek.com]
This wasn't a technical failure - it was a failure brought out by greed and corruption. The blow-out was only the symptom, and addressing the symptom isn't going to prevent similar incidents from happening again.
We've seen this before - the mortgage disaster and bank bailouts, the savings and loan disaster, etc.
Start by fixing campaign financing - private donations only, strict annual limit per capita, no 3rd party involvement, etc.
-- Barbara
Re: (Score:3)
Re:Why do they even bother? (Score:4, Insightful)
Have a peek at the Norwegian sector. We've been doing this shit since the 70s and try damn hard to not have another Alexander Kielland...
http://en.wikipedia.org/wiki/Alexander_L._Kielland_(platform) [wikipedia.org]
The Norwegian petroleum oversight is something... The regulators are ruthless when it comes to compliance and better yet... they are not directly controlled by politicians ;)
The cost of one fuckup is too much to allow people to cut corners.
I sure as hell don't in my job... and I do it for a living. When we have the option of doing it right, or doing it fast.. we pick right. Every time. I don't care if the customer is pissed at things being delayed. We do it -right-.
Re: (Score:1)
"Exactly; the private sector cannot be trusted to do things safer/more efficiently/better."
Quite on the contrary, you can expect the private sector to do things certainly more efficiently and better, once you understand what's the proper definition of "better" within context. In fact, that's all you can trust the private sector to come with.
Regarding "safer", just apply my previous paragraph: to which extent can "safer" be derived of, or translated into, "more efficiently and better within context"? That'
Re: (Score:2)
It also appears that the major players involved were already pretty aware of the risk of that particular well, including a very favourable insurance policy by Transocean (no cost cutting here), buying an oil clean up company by Halliburton and many insiders selling BP stock.
No type of warning systems could have saved this particular rig from a major gas blowout with only one spark required to ignite it. It could have however saved the crew if they could have abandoned the rig prior to ignition.
Greed fee
Make the investigation public (Score:1)
Re: (Score:2)
Earlier I saw this and will attribute it to the author with a link http://news.slashdot.org/comments.pl?sid=1942186&cid=34806036 [slashdot.org]
That definition matches this case. The regulatory agency should be shattered and its personnel dismissed without benefit or pension and disbarred from any government service. Those directly responsible charged with whatever crime is possible.
Then the agency should be remade with some checks in its ability to waive any regulatory requirement.
Re: (Score:1)
Sorry, do your own googling. And study a little history*. Pick a period, any period. It doesn't matter. Over and over again the same things happen, damn near play by play, word for word. This here is just another example of the "thin blue line" that permeates.
*particularly, if you're up to it, that of BP, but the same deal applies to all human efforts
Re: (Score:2)
Sorry, do your own googling. And study a little history*. Pick a period, any period. It doesn't matter. Over and over again the same things happen, damn near play by play, word for word.
You mean like this [talkingpointsmemo.com]
Sounds familiar... (Score:2)
Re: (Score:2)
Hm...lack of alarms...leading to a catastrophic engineering failure...where have I heard this story before...
Ummm the Internet?
the power grid fault had a race bug that was fixed (Score:2)
the power grid fault had a race bug that was fixed but the software update was not yet installed on that system.
As well the lack of tree trimming and undertrained people working the grid who did not know what other alarms were telling them.
how much did that cost (Score:2)
I don't even want to know how much tax payer money was pissed away for that "key verdict" - having worked with quite a few monitoring and alarm systems for years I can tell you that most of the time "automatic alarms" get ignored and in fact can cause worse problems when an actual real alarm does occur because of how the operators tune them out - seems like they completely missed the mark on this - the real problem is most likely where you would expect it, the people running the system - human error I am s
Re: (Score:2)
I don't even want to know how much tax payer money was pissed away for that "key verdict" - having worked with quite a few monitoring and alarm systems for years I can tell you that most of the time "automatic alarms" get ignored and in fact can cause worse problems when an actual real alarm does occur because of how the operators tune them out - seems like they completely missed the mark on this - the real problem is most likely where you would expect it, the people running the system - human error I am sure !
I think everyone's familiar with that phenomenon regarding the alarm that cried wolf due to all the car alarms. Rarely do people even turn their head when they hear a car alarm.
I think I'm gonna make a "Let's blame IT!" t-shirt 'cause it's a pretty popular theme. Seems to me that the hardware for detecting the problems was there, but the software required "the right person to be looking at the right data at the right time" which sounds vaguely like "the software requires training". If the data output is coming a
Re:how much did that cost (Score:4, Insightful)
I think everyone's familiar with that phenomenon regarding the alarm that cried wolf due to all the car alarms. Rarely do people even turn their head when they hear a car alarm.
Competent professionals don't do that. The problem with car alarms is that they aren't aimed at professionals, competent or otherwise, they're aimed at the general public and the mechanism they use isn't typically going to assure that anything is going on.
Competent professionals like the ones that are supposed to be running rigs should know to check them out every time and not turn the alarm off without ascertaining that the alarm is in fact false. Disabling an alarm should only be done when there are adequate contingency plans in place to handle if the condition happened and how they would respond.
I used to work security at a high rise and we'd often times have alarms turned off on portions of the building. It was the only way to ensure that under certain circumstances that work wouldn't cause a false alarm. It was done in a controlled way with plans in place to make sure that there was somebody keeping an eye on it while the work was being done, and that the alarms would be turned back on when they could be.
And every time that building had an alarm go off which wasn't a known cause, it was always investigated promptly. Alarms that go off repeatedly need to be fixed, not disabled.
Re: (Score:3)
Is it the maintenance team who is backlogged with bullshit alarms that go off under normal process conditions because someone decided that it would work to prevent some disaster which may occur?
Is it the process / technical team who decided yet another alarm will be cheaper than re-designing the process to meet the safety guidelines?
Is it the console operator who has gone mental at the alarm going off constantly in the middle of
Re:how much did that cost (Score:5, Insightful)
I don't even want to know how much tax payer money was pissed away for that "key verdict" - having worked with quite a few monitoring and alarm systems for years I can tell you that most of the time "automatic alarms" get ignored and in fact can cause worse problems when an actual real alarm does occur because of how the operators tune them out - seems like they completely missed the mark on this - the real problem is most likely where you would expect it, the people running the system - human error I am sure !
You don't even have to ignore the alarm that isn't there. But I don't think the "alert" that we're discussing is the big klaxon/flashing sign reading "OIL LEAK," or an oil pressure light with electrical tape over it. What the article indicates was missing was an automatic method of indicating that a failure was imminent. As far as the cost of determining this: learning from mistakes can be expensive. Not learning from mistakes is likely even more so.
Re: (Score:1)
Apparently abusing engineers (Score:2)
Is common practice everywhere "why buy a 5 dollar alarm when we can force some engineer to watch figures for days on end?" Gosh people hate engineers for no reason.
Re: (Score:2)
do you mean "why buy a $5 alarm when we could pay an engineer thousands of dollars a year to do the same thing?"
I have a phrase that you should practice: "would you like fries with that?"
and "paper or plastic, sir?"
very good now again, in Chinese.
gosh people PAY engineers for no reason...
Re: (Score:3)
Unfortunately, a single alarm configuration on a "tag" could cost anywhere from 10k to 100k dollars.
The configuration isn't all that hard or time consuming but the testing of the system after the modification is brutal. At least here where it has to be certified to be allowed into operation ;)
Re: (Score:2)
If it costs that much, you are doing it wrong. A good engineering team should be able to make something work very well for only a few hundred to a few thousand dollars.
Re: (Score:3)
Doing the change: 3-4 hours of work.
Organizing the update to the controller in the field?
- Requires a look into what could be influenced by the change
- Requires in some cases an 'offline' load of the controller which can only be done at a time of a maintenance downtime (once a year at most, sometimes every 2-4 years)
Documentation:
- Documentation of what functionality changes for operators
- Update of system configuration diagrams
- Update of various tag info in the plant documentation system
Install:
- A job pa
If BP were a US company ... (Score:2)
Re: (Score:1)
Two names: Exxon Valdez.
There was a huge shit storm when they fucked up.
So to answer your question, yes.
BP were the boys in charge and when it comes down to it, it was up to them to keep Halliburton et al. in line, so it was their fault. And it was also the regulators' fault for dropping the ball and letting a big corp make them their bitches; which is usually the case with all US Government agencies.
Re: (Score:2)
... BP were the boys in charge and when it comes down to it, it was up to them to keep Halliburton et al. in line, so it was their responsibility. ...
Fixed that for you ...
When r they getting theirs? (Score:2)
When will we get a governing body that can punish or apply fines for this and enforce those fines or punishments...seriously, we need to evolve with these types of companies that spit all over international laws (or lack of)
Re: (Score:3)
When will we get a governing body that can punish or apply fines for this and enforce those fines or punishments
Two words: regulatory capture.
Re: (Score:1)
I wonder when such investigations will occur in areas where Americans aren't affected? How is the behaviour of companies such as Exxon in the Niger delta [guardian.co.uk] being tracked, oh wait it isn't. Still that doesn't matter, because it doesn't affect fat American business men!
Re: (Score:2)
I wonder when such investigations will occur in areas where Americans aren't affected? How is the behaviour of companies such as Exxon in the Niger delta [guardian.co.uk] being tracked, oh wait it isn't. Still that doesn't matter, because it doesn't affect fat American business men!
That's just silly. If a foreign corporation is allowed to do business in your country, it is your government that should perform due diligence and make sure that said corporation is obeying local regulations. If it doesn't, then it should take appropriate action, whatever that might be.
Re: (Score:1)
So if an individual (which a corporation is legally termed) behaves objectionably abroad it is no business of the government from which the individual came from? Don't get me wrong "when in Rome" and all that is fine. But how would the US government react to a US corporation working in North Korea on weapons development, I mean all the work would obey local regulations...
Your suggestion suggests a level of naivety that I would categorise as in-genuine; to the point of drawing parallels to three monkeys c
Re: (Score:1)
So many good points, I would hate to bring it to an end, but I believe that there should be a one track international sanction that needs to be followed in matters that affect environment in such a way that it could affect other nations indirectly (like this spill)....and that governing body should be forcible enough to make all think twice, (like the US bypassing the NATO sanction not to invade, sort of like we heard you but don't care and will still do this....) can you imagine if they could actually come
This newsstory sounds... (Score:1)
like
1) someone has alarm systems available but no one wants to buy them.
2) and they saw the disaster as a good opportunity to sell more of them
3) and announcing that deepwater horizon lacked them sounds like a good business plan
4) just to guarantee that they will have customers for longer period of time
5) government is going to make them mandatory for any such operations
6)
7) profit
Nagios (Score:4, Funny)
check_catastrophy -H blowout-preventer716.haliburton.com -w ANY_LEAKS -c ANY_FRIGGIN_LEAKS
A perl script? (Score:2)
Re: (Score:2)
Re: (Score:2)
Operator: "Disk alarm - disk is at 80% capacity."
Manager: "Increase the threshold to 90%."
Re: (Score:3)
Operator: "I can't do that, that has to be run through the PCDA office and certified by the technical staff first."
Manager: "Ok, I'll submit the paperwork"
PCDA: "This is a bad idea, let's fix it instead..."
Or something like that is how it goes here :p
If it even passes the manager. Most of the time the technical staff handles the alarms without telling any 'manager'. The operator responsible for the shift has authority over the day to day operation without any manager interference.
You can't operate if non-techi
Automation not always "better" ... (Score:2)
BP's monitoring IT systems on the failed Deepwater Horizon oil rig relied too heavily on engineers following complex data for long periods of time, instead of providing automatic warning alerts.
So, in other words, let's replace engineers who are on the spot and have some feel for what is going on with software that might not know what to do when something bad happens, and is dependent upon settings provided by people who apparently weren't able to recognize the signs of disaster until it was too late anyways. Regardless, I have the feeling there were plenty of alarm systems involved in this disaster, and I'll wager that the relevant ones were either incorrectly programmed or were turned off becaus
Re: (Score:2)
Re: (Score:2)
Don't replace the engineer
I wasn't saying that, but it looks like that report is just another example of blaming the technical people for systemic failures of management.
Typical. Absolutely typical.
Re: (Score:2, Insightful)
A B C
1 ->-0-->--| |
| | 0
2 ->-0 | |
3 ->-0-->--0-->--|
| | 0
A, B and C are various barriers.
A = Automation (automatic shutdown on severe alarms etc)
B = Procedures (Check X before doing Y)
C = Operator Training
As you can see her
Re: (Score:2)
" We dont want to replace anyone but we -do- want to add more barriers!"
Who is "we"? For all that matters, the manager is not part of "we": all he wants is his bonuses.
Re: (Score:2)
I'm sadly not allowed to disclose the company name due to an NDA, but it is one of the largest in northern Europe.
At the particular company where I work we fucking HATE the shoddy work and failed procedures of this disaster. It makes us all look like asshats.
The people in charge of the technical things here are actually not the people who are trying to get bonuses. The government oversight on the security of such sites and rigs is so strong as to be borderline anal. And personally I am fine with that. I woul
Re: (Score:2)
"The people in charge of the technical things here are actually not the people who are trying to get bonuses."
That's why I asked for your definition of "we". Of course the engineers dislike appearing like asshats.
"The government oversight on the security of such sites"
So being a representative democracy, I'd say government is the kind of "we" to be in control in managing such externalities instead of "we", the high managers that get the bonuses.
Of course, your government is one of those damn communist ones,
corporate failure (Score:1)
I don't have a source. But CNN has coverage that engineers warned that the blowout preventers were going to leak, and BP ignored them. This is a corporate failure, as much as it is a technical one.
Re: (Score:2)
Yep.
Both are bad.. Together they are absolutely cataclysmic.
Complete failure of barriers here. Have a gander at my other comment about the idea behind those barriers.
http://news.slashdot.org/comments.pl?sid=1942186&cid=34807134 [slashdot.org]
Re: (Score:2)
I don't have a source. But CNN has coverage that engineers warned that the blowout preventers were going to leak, and BP ignored them. This is a corporate failure, as much as it is a technical one.
I certainly saw engineers from Transocean, or was it Halliburton, saying something like that. Luckily we can obviously trust those engineers because they (and the company they work for) have nothing to gain from saying it.
Of course, it could be argued that if those engineers, who presumably worked for Transocean (who owned and operated the rig) knew there was a problem and did nothing about it then they, and the company they work for, are left holding the smoking gun!
Unless we allow the "ve vere only fol
Why call it IT? (Score:1)
Re: (Score:2)
Does it seem a little wrong to call it an 'IT system'? Control system, SCADA, or embedded system maybe, but "IT?"
Was not Information moving around? Was not that Information moving around by Technical means?
Automatic control systems are IT, Supervisory Control And Data Acquisition systems are IT, signaling embedded systems are IT.
I know BP leased the rig, but come on (Score:5, Interesting)
Transocean Gulf of Mexico Rig, leased to BP, lacked Alarm Systems
Re: (Score:1)
This means they learned nothing (Score:4, Interesting)
They had this exact problem with Texas City-- they didn't do maintenance on the systems, so a subsystem overfilled with volatile hydrocarbons with no alarms going off at all-- and when one alert sounded at the monitoring area, they ignored it. They didn't invest the (relatively) small cost of installing a flare (to burn off excess), so the excess hydrocarbons spilled out into the open. Cost-cutting and an incredibly cavalier approach to maintenance from the London management generated a fucking fuel-air bomb in Texas.
This is one instance where the Brit management, when they changed to Hayward, should have told their investors to "fuck off-- er, give us a few years" and spend the necessary money to get their facilities up to snuff, or decommission the facilities that are too costly to maintain. Alas, profit motive proved more powerful than basic empathy or responsibility.
Re: (Score:2)