Case Study

Macondo (Deepwater Horizon)

key human and organisational factors

Background

On 20 April 2010, a catastrophic oil well blowout occurred onboard the Deepwater
Horizon oil rig which resulted in eleven deaths, the demise of the rig, and the largest
oil spill in history. The uncapped well impacted both local wildlife and the fishing
industry within the Gulf of Mexico. The events which led to the accident and
immediately after the explosions and fire have since become a landmark case in
process safety, law and politics. There are several important process safety
management (PSM) lessons to be learned from this incident. If the lessons learned
are diligently followed by the industry, mistakes can be avoided and the chances of a
similar accident happening again will be greatly reduced.

On 20 April 2010, several Transocean and BP executives arrived on the Deepwater

Horizon oil rig, which had drilled a well in the Macondo field. Their agenda included
discussing occupational health and safety with the workforce and to congratulate the
crew for a 7-year record with no Lost Time Injuries (LTIs). As they spoke to the
offshore team and observed them preparing to cap off the well before moving to a
new drilling site, danger was building up deep below.

The Deepwater Horizon drilling rig was owned by Transocean, on hire to BP, in order
to drill the Macondo field, estimated to contain over 50 million barrels of oil, two and
a half miles below the seabed. The Deepwater Horizon was an ultra-deepwater,
semi-submersible drilling rig. It had been under contract to BP in the Gulf of Mexico
for approximately 9 years. Such a drilling rig was necessary at this location, as the
water was almost 5,000 feet deep, creating enormous pressures at the well. To
prevent the hydrocarbons (i.e., oil and gas) from rising upwards in the well to the
surface, a heavy fluid (known as drilling ‘mud’) is injected into the shaft.
The role of the Deepwater Horizon was to drill into the reservoir, then seal the well –
known as temporary abandonment – ready for a future production unit to recover the
oil. Drilling rigs such as these are mobile, moving around the world for contracts with
major oil companies such as BP. A production unit (which may be a floating facility,
or a semi-permanent unit fixed to the seabed) then connects to the well to recover
the hydrocarbons, possibly staying on location for decades. Delays meant that the
Deepwater Horizon was overdue to leave the Macondo well by six weeks. The
Macondo well had proved to be challenging, earning it the nickname “the well from
hell”.

Barrier analysis and barrier improvement recommendations diagram

 Timeline of events onboard the rig

Drilling for oil had always been hard, dirty, dangerous work, combining heavy
machinery and volatile hydrocarbons extracted at high pressures.
Since 2001, the Gulf of Mexico workforce – 35,000 people, working on drilling
rigs and production platforms – had suffered 1,550 injuries, 60 deaths, and 948
fires and explosions.

At the time, Transocean was a major offshore drilling rig contractor with over a
hundred of these drilling rigs under contract. The fees for such a rig (and the
specialist crew) could be up to $1 million per day. This contractual relationship
between Transocean and BP was to become a key issue in the legal proceedings
that followed the incident.

Drilling the Macondo well was exploratory in nature, the objective was to collect data
about the geology and quality of the oil and gas at its location. The crew of
Deepwater Horizon were in the process of sealing the well (known as ‘capping it off’)
before getting ready to move the drilling rig to a new location. As part of this process,
the pressure balance in the well is tested to see whether pressure is increasing. This
activity, planned in advance, was high-risk in terms of process safety (or ‘major
hazard’ safety). However, the BP and Transocean executives were discussing
occupational safety issues, such as working at height, hand-injury awareness and
the hazards of dropped objects.

During their tours of the Deepwater Horizon, the executives could not fail to witness
the ongoing discussions around how to perform the pressure tests and how to
interpret the results. They expressed some concern but were informed that all was
going well. A blowout had occurred on another Transocean rig in the North Sea four
months earlier, but the executives later testified that they were unaware of this or the
internal advisory note produced.

Incident summary
During the afternoon, the process of replacing the heavy fluids in the well with
seawater commenced. Unknown to the crew, oil was leaking into the well. As they
removed the heavy ‘drilling mud’, they were unknowingly replacing it with a lesser
volume of seawater due to the oil collecting at the bottom of the well. The imbalance
of heavy drilling mud and lighter seawater occurred 43 minutes before the blowout.
Due to several simultaneous operations (e.g., setting a cement cap on the well,
easing tension on the drilling risers), and the drilling mud being transferred to an
adjacent supply vessel, the crew were not closely monitoring the volumes of
mud/seawater flowing in the well.

As the drilling mud was removed, the only physical barrier still in place was the
Blowout Preventer (BOP). This is a huge mechanical device that can close around
the pipe, or as a last resort shear through and clamp the pipe, preventing
hydrocarbons from reaching the rig. However, this barrier requires a timely response
from a person on the rig.

Pressure continued to rise and that evening, methane gas expanded in the well,
pushing the drilling mud up onto the rig. The high-pressure gas followed the mud
onto the rig, where it found a source of ignition and exploded. The explosion and
fires took the lives of eleven men, whose bodies were never recovered. The four
executives and 111 workers were rescued, although there were many injuries.

The Deepwater Horizon rig burned for 36 hours and finally sank on 22 April 2010. Oil
flowed from the Macondo well for 87 days. It is estimated that at least 4 million
barrels of oil were spilled into the Gulf of Mexico before the well was controlled.

The Macondo well blowout is the worst offshore oil spill in history. Claims,
settlements and clean-up costs have risen to more than $42 billion. Nearly 800km of
coastline in Louisiana, Mississippi, Alabama and Florida was impacted.

The investigations
There were many investigations into this disaster, including by the Chemical Safety
and Hazard Investigation Board (CSB), National Commission, National Academy of
Engineering, Department of Interior, Joint Investigation Team (US Coast Guard and
Bureau of the Ocean Energy Management), Deepwater Horizon Study Group, BP
and Transocean. Some commentary below on the key human and organisational
factors.

Investigations found that the disaster was preventable, and was caused by failures in
risk management, technology, mechanical equipment, procedures, spill response
planning and human factors.
There were failures in three categories of barriers:
 People (e.g., competency, leadership, culture)
 Plant (e.g., the hardware, control systems and the facility layout)
 Process (e.g., risk management systems).
History shows us that catastrophic events occur if there are failures in each of these
three barriers. The investigations show that risks were taken with every barrier, partly
on the assumption that other barriers would pick up any problems.

The loss of Deepwater Horizon was preventable. We can, with the benefit of
hindsight, identify a series of mistakes that were made by the various organisations
involved.

In order to prevent a blowout, there were several technical barriers in place, and I
have attempted to summarise hundreds of pages of analysis in a few paragraphs
below:

Cement job: The cement barrier did not isolate reservoir hydrocarbons. The quality
of the cement slurry was not adequate.
Cement evaluation: An independent evaluation of the cement job was neglected,
on the assumption that the cement job had been a success.
Well integrity test: BP and Transocean personnel determined that the well integrity
test was successful, even though the results were not conclusive.
Monitoring: The Macondo team did not properly monitor the well in the final hours
leading up to the blowout (mainly because of the earlier declaration that both the
cement job and the well integrity test had been successful).
Blow-Out Preventer: the BOP failed on two accounts. The pipe rams failed to seal
the well and the shear ram failed to shear the drill pipe. Given that the BOP was
designed to operate most effectively if activated long before hydrocarbons flowed
onto the rig, the monitoring failure above contributed to the failure of the BOP.
The incident response was certainly an unprecedented effort, with the clean-up
involving 6500 vessels and approximately 47,000 people. The incident response was
based around containment, dispersion and removal of oil. Initial plans were
insufficient to seal the flowing well. Several containment measures were attempted
but failed, and the well wasn’t sealed until 15 July 2010, almost three months after
the blowout.

In his book Disastrous Decisions, Hopkins stated that the original spill response was
“written to satisfy regulatory requirements rather than with any real concern about
how effective it might be” (Hopkins, 2012).
The Swiss Cheese fallacy
The Swiss Cheese model (Reason, 1997) is a neat way of showing how several
barriers must fail for an incident to occur. However, if some barriers are reliant on a
previous barrier, then these barriers are not independent. Therefore, as in this case,
the failure of one barrier (the inadequate cement job) led to the failure of other
barriers. Although the Swiss Cheese model gives the impression that there are
multiple layers of protection against an incident, this is not the case if the barriers are
inter-related.

Cost versus safety?

A study of this incident provides an insight into the inevitable tension between
operations and safety. Of the key decisions that were made prior to the blowout,
almost all of these led to reduced cost and rig time – and the majority of them
increased the risk.

The Macondo well was planned to cost BP around $96 million. But the well cost
much more than BP anticipated, having to seek additional funds from project
partners on several occasions. At the time of the blowout, BP had spent over $142
million on the well, which was more than 38 days behind schedule.

It is unclear to what extent these cost and time overruns impacted the decisions
made or behaviours at head office, or on the rig itself, but we do know that it was a
concern to at least some personnel on the rig.

Human and organisational factors

“The Macondo disaster was not, as some have suggested, the result of a
coincidental alignment of disparate technical failures. While many technical
failures contributed to the blowout, the Chief Counsel’s team traces each of
them back to an overarching failure of management”

NATIONAL COMMISSION ON THE BP DEEPWATER HORIZON OIL SPILL

AND OFFSHORE DRILLING, CHIEF COUNSEL’S REPORT, P.225
The various investigations into this disaster highlighted failures in technical decision
making, failures of management, concerns with the regulatory framework for the
offshore industry and numerous human factors.

Deepwater drilling requires significant technical and engineering challenges to be

overcome; however, the industry, and this disaster, is largely about people.

Although actions by the offshore crew onboard the Deepwater Horizon directly
contributed to the event, the crew had been set up to fail by much wider issues.

Confirmation bias
The well integrity test was a key barrier, but analysis of this shows that it was
misinterpreted. The purpose of the well integrity test is to check that the cement seal
was working prior to moving the rig away from the location. The crew knew from
experience that it is very unlikely the well would fail the test and so the test was seen
as a box-ticking exercise. The cement engineers declared the test a success, but
they were looking for confirmation that the well was sealed, not investigating whether
it was, or was not.

“Once the test had been declared a success, the driller and tool pusher appear to
have put any concerns about the test behind them rather than increasing their
vigilance” (National Commission on the BP Deepwater Horizon Oil Spill and Offshore
Drilling, Chief Counsel’s Report, p.244).

There were some indications that the well had failed the integrity test: that oil and
gas were passing the seal. However, these unexpected test results were explained
away the with ‘bladder effect’. The team then applied another technique to find the
confirmation that they were seeking, and once declared a success, the team moved
on from any concerns about the test. It appears that the team were looking for
feedback that confirmed the view that they had already made about the integrity of
the well. It didn’t help that there were simultaneous activities and other distractions.

“Once these processes are taken into account, the faulty decisions made
by the Macondo group become entirely understandable, terrifyingly so”
HOPKINS, 2012

Non-Technical skills
I have defined Non-Technical Skills elsewhere on this website as “the cognitive,
social and personal resource skills that complement technical skills and contribute to
safe and efficient task performance” (International Association of Oil and Gas
Producers, IOGP, 2014). In this incident, there were failures of several Non-
Technical Skills, including inaccurate Situation Awareness and Decision-Making
failures.

Situation Awareness can be defined as developing and maintaining a dynamic

awareness of the situation and the risks present in order to think ahead about what
may happen next.

Gaining good situation awareness in a team revolves around three key questions:

1. What do they know that I need to know?

2. What do I know that they need to know?
3. What do none of us know that we need to know?

Inaccurate situational awareness often results in poor decision making and

unnecessary risk taking. On a major hazard facility such as the Deepwater Horizon,
these conditions increase the likelihood of an accident. From the investigations it is
clear that the crew’s situation awareness (or lack of) played a pivotal role in the
Macondo disaster.

For example:
Crew members on the drill floor were not aware of dynamic and substantial changes
in the status of the Macondo well.
‘Kicks’ from the well that signalled a blowout was imminent were not detected.
Over a 45-min period, various data indicating an impending blowout were not acted
upon (e.g., increases in drilling-pipe pressure, pressure differences between the drill
pipe and kill line).
The mud logger was separate from the well operations crew and unaware of
activities that impacted his understanding of the data he was meant to monitor.
There was an 80-minute period when the Tool pusher, Driller, Well Site Leader, and
others discussed pressure discrepancies between the drill pipe and the kill line. This
suggests that the crew recognised issues and had concerns. However, they did not
appear to consider the possibility of well integrity loss.

Their incomplete understanding of the situation led the crew to falsely interpret the
Negative Pressure Test (NPT) as successful. This misunderstanding influenced their
subsequent decisions, which ultimately led to the blowout.

“systematic application of various Non-Technical Skills could have altered the

interactions between rig personnel for the better”

CHEMICAL SAFETY AND HAZARD INVESTIGATION BOARD (CSB),

INVESTIGATION REPORT, VOLUME 3, 2016, P.69

The crew appear to be confused and were having difficulty interpreting the situation
as it developed. They had concerns but did not appear to understand the
significance of the developing situation in the well. The crew’s mental models (“the
picture that you have in your mind”) were not updated: and certainly, some of the
crew would not have the experience to be able to form an accurate mental model.
Therefore, the increasing pressure in the well was recognized as a concern but was
not interpreted as the well flowing.

In order to understand why the crew erroneously concluded that the well was stable,
the investigation reports show that:
The positive pressure test for the cement job of the casing conducted earlier in the
shift (approximately 11am), had been deemed a success, thus providing a strong
expectation that the forthcoming negative pressure test would also be successful.
The 3pm pre-job safety meeting did not mention any contingency procedure should
the test fail, thus priming the crew that the test would pass (i.e., setting an
expectation).
Information was not shared between the drill crew and the mud logger.
As late as 9.20pm, the senior Tool pusher was assured by the crew that “Everything
was fine”. But 20 minutes later, drilling mud was flowing out of the well onto the
Deepwater Horizon. At 9.49pm, high-pressure gas from the well reached the rig and
ignited.

To summarise, the lack of situation awareness was a result of missing information, a

failure to understand the significance of certain cues and a failure to revise mental
models in the developing situation.

Social dynamics and group thinking

The majority of the crew members were tradesmen, without considerable experience
in abstract engineering or physics concepts, making them more susceptible to
accepting the Tool pusher’s interpretation of events (who explained the Macondo
well issues as ‘the bladder effect’). The Tool pusher and Driller were both considered
to be experienced, trusted and well respected. This may have validated the new
information that they were telling the other drill crew members.

The investigations suggest that “group think” may have influenced the crew’s
decision making. The crew were wanting to arrive at a consensus decision. There is
considerable research to show that a feature of small groups is they seek a
unanimous decision – everyone must agree. We also know that decisions made by
groups are more likely to be risky than decisions taken by individuals (known as the
“risky shift”).

As group consensus was that the Macondo well was safe, and therefore activities
could continue, no individual was required to take responsibility for the decision to
proceed.

Psychological safety
Psychological safety includes a belief that the workplace is safe for speaking up with
ideas, questions, concerns and even mistakes. It’s a sense of confidence that your
voice is valued. However, a survey of Transocean crew working on the Deepwater
Horizon rig a few weeks before the disaster highlighted that 46% of crew members
surveyed felt that the workforce feared reprisals for reporting unsafe situations
(National Commission on the BP Deepwater Horizon Oil Spill and Offshore Drilling,
2011, p.224).
Communications

Critical information was not communicated from one organisation to another (there
were several contractors working on the Deepwater Horizon at any one time), or
even within an organisation. For example, the offshore crew were not informed that
the cement job might be more likely to fail at the Macondo well than elsewhere and
to be extra vigilant. There are several cases of key decisions being made without
complete information. The National Commission Report refers to these issues as
“information compartmentalisation”.

During the unexpected results from well testing, the rig crew did not seek advice or
support from experts onshore. The guidance as to when offshore personnel should
consult the onshore team was not clear (and we know from other disasters that there
may be a reluctance to seek help from remote engineering teams).

Four months prior to the Macondo blowout, a similar incident occurred on a

Transocean drilling rig in the North Sea. Fortunately, although hydrocarbons flowed
into the well, it was shut in before a blowout could occur. Transocean produced
internal advisories about this event, but the lessons from this near miss do not
appear to have been received by the Deepwater Horizon crew. An internal
presentation included warnings such as “tested barriers can fail” and “risk perception
of barrier failure was blinkered by the positive inflow test [negative pressure test]”.
The National Commission Report states that “The relevant facts of the Macondo and
North Sea incidents are the same”.

Organisational change
There was confusion amongst leadership as to who was accountable for key
decisions.

At the beginning of April 2010, a major reorganization of BP’s exploration business

unit (including the BP Macondo team) separated the engineering and operations into
distinct Functions. Previously, the exploration business was organised by Project.
The reorganisation created confusion during the Macondo project – there was a lack
of clarity over authority, roles and responsibilities.

“Though it is understandable that no one would wish to take

ownership of the well after the blowout, the Chief Counsel’s team
found many instances in which nobody was taking ownership
before the blowout”.
NATIONAL COMMISSION ON THE BP DEEPWATER HORIZON OIL
SPILL AND OFFSHORE DRILLING, CHIEF COUNSEL’S REPORT, P.227

Besides the changes to reporting relationships, the reorganisation meant that many
of the managers overseeing the Macondo project had only a few months of
experience in their positions at the time of the disaster.

Procedures and competency

It is not possible to prescribe every detail of a drilling program in a written procedure,
nor would it be practical for a crew to follow a written procedure step-by-step. The
crew were to use their knowledge, experience and skills to undertake critical
activities such as the Negative Pressure Test and Temporary Abandonment.

“the companies failed to provide the rig crew and well site leaders exercising that
judgment with adequate training, information, procedures, and support to do their
jobs effectively” (Chief Counsel’s Report, p.235).

However, procedures for such safety critical operations would outline agreed
practices and provide guidance for potential events, such as a loss of well control.
Procedures facilitate human performance by documenting the intended steps of a
task.
Key rig procedures, such as the Temporary Abandonment plan were updated on
several occasions during April 2010. The CSB investigation notes that this plan
occurred without a formal process. The changes to this plan had the potential to
negatively affect well control barriers, but the impact of those changes was not
assessed.

“Changes to the well design and procedures made in the month prior to the blowout
created risks that were not adequately addressed by the Macondo team” (Staff
presentation to the National Commission, December 2010).

In fact, it appears that the onshore team were struggling to keep up with operations
on the Deepwater Horizon. Much-needed procedures were provided to the rig at the
last minute. The crew had little time to digest these prior to undertaking the critical
activities.

“Thus, at Macondo, the operator [BP] and drilling contractor [Transocean] each
presumed the other was responsible for a proper negative test procedure. The crew
was left to put together something to get the work done”

CHEMICAL SAFETY AND HAZARD INVESTIGATION BOARD (CSB),

INVESTIGATION REPORT, VOLUME 3, 2016, P.101

The response to the well control event prior to the explosion suggests that the crew
were insufficiently prepared to manage an escalating well control situation.

Fatigue
The Transocean crew of Deepwater Horizon worked offshore for 21 days at a time (a
‘hitch’, or ‘tour’), working 12-hour shifts. Although it’s not possible to make robust
links between their working pattern and the incident, we do know that performance
decreases as the periods of consecutive shift work increases. We also know that the
ratio of fatalities and severe injuries to less severe injuries is markedly higher for
hitches longer than 14 days.

At the time of the incident, the Driller and one Assistant Driller were on shift number
20 of 21; the second Assistant Driller was on shift 19 of 21; and the day shift Tool
pusher was on day 20.

A safety culture survey conducted a few weeks before the incident contained
comments from the crew that the 21-day pattern was causing fatigue. Comments
from the crew included “On their last week, they seem like they are in another world”
and “On the last week, you are so tired that you feel like a robot”.

Engineering design
The Mud-Gas Separator (MGS) is able to remove small amounts of gas from the
drilling mud. This gas is then vented to atmosphere at a safe location. During the
event, the rig crew diverted the high flow of hydrocarbons to the MGS, which
overwhelmed the system.

The crew had the alternative option of diverting hydrocarbons overboard, which may
have vented the majority of the gas safely. This diverter option may have given the
crew more time to respond, reduced the likelihood of ignition, or may have reduced
the consequences of the event. However, the design of the MGS allowed fluids from
the riser to be diverted to the Mud-Gas Separator when the well was in a high flow
condition (i.e. during a blowout).

Unfortunately, when the increasing flow of gas, oil, mud and water was diverted to
the MGS, it vented hydrocarbons directly back onto the rig. Within minutes, large
areas of the Deepwater Horizon were enveloped in a flammable mixture.

We must also consider the design of the well itself. For example, the office-based
engineers who designed how the well would be plugged with cement made several
decisions based on financial risks, without fully understanding the impact on safety.
Decisions were made that increased the risk of cement failure. Chapter 4 of the
Report to the President begins with a quote from a Macondo engineer’s email: “But,
who cares, it’s done, end of story, [we] will probably be fine and we’ll get a good
cement job.”

Final thoughts
Operations related to the Macondo well required a heavy reliance on people: on
human judgement in particular.
It would be wrong to focus on the actions and decisions of those people on the
Deepwater Horizon drilling rig, or those staff onshore who were closely linked to the
Macondo well. Hindsight is a powerful tool, and it’s easy to find fault, especially given
the benefit of time and the huge resources applied to these detailed investigations.

But even so, the failures of the various organisations involved are not unique to
those organisations. If you conclude that somehow these organisations are different
to yourselves, then you will fail to learn the lessons. And there are many lessons
here – not just for the oil and gas industry – but for all organisations.

The Report to the President concluded:

“The immediate causes of the Macondo well blowout can be traced to a series of
identifiable mistakes made by BP, Halliburton, and Transocean that reveal such
systematic failures in risk management that they place in doubt the safety culture of
the entire industry” (National Commission on the BP Deepwater Horizon Oil Spill and
Offshore Drilling, 2011, p.vii)

The Macondo disaster echoes those disasters that have gone before, across many
industries. The recurring themes are missed warning signals, failure to share
information and an inadequate appreciation for the risks involved. If, as the Columbia
Accident Investigation Board concluded, “complex systems almost always fail in
complex ways”, then where do we go from here?
When organisations operate at the very frontiers of technology, we can’t allow an
understanding of the human factors involved to lag behind. Unfortunately, for all of
those touched by this tragedy, in this case it did.

Terminology (who’s who)

Offshore Installation Manager (always abbreviated to OIM) is in charge of the
drilling rig when it arrives at a location.

The Senior Tool pusher is the senior drilling operations supervisor, second only to
the OIM in the chain of command.

Tool pushers are drilling managers who direct and supervise day-to-day drilling
operations on a drilling rig.

Drillers and assistant drillers work in the drill shack and are responsible for
operating drilling machinery and monitoring and controlling the well.

Floor hands and roustabouts provide the labour force for drilling operations.

https://humanfactors101.com/incidents/macondo-deepwater-horizon/

Investigation reports

Macondo Investigation Report, Executive Summary, Report No. 2010-10-I-OS,

U.S. Chemical Safety and Hazard Investigation Board (CSB), April 2016. This is a
24-page summary of the investigation approach, the investigative challenges, key
findings and conclusions, and a summary of recommendations. Previous
investigation reports were limited by information available at the time, and this
Executive Summary outlines several new insights and lessons previously
unreported.

Macondo Investigation Report, Volume 1, Report No. 2010-10-I-OS, U.S.

Chemical Safety and Hazard Investigation Board (CSB), June 2014. This volume
provides a description of the Macondo incident, together with a description of
deepwater drilling and temporary abandonment. It summarises information on the
companies and entities involved in the drilling and temporary abandonment of the
Macondo well, the well itself, the Deepwater Horizon rig, and the drilling crew aboard
the rig on the day of the incident. It concludes with an incident description summary
that identifies the failures in the hours leading up to the explosions and fires aboard
the Deepwater Horizon. The summary of drilling and completion activities provides
the foundation for the CSB’s technical, systemic, organisational, and regulatory
analyses in subsequent report volumes.

Macondo Investigation Report, Volume 2, Report No. 2010-10-I-OS, U.S.

Chemical Safety and Hazard Investigation Board (CSB), June 2014. This volume
covers the technical failure analysis of the BOP (BlowOut Preventer), barrier
management at Macondo and Safety Critical Elements. Ultimately, the blowout
preventer was the only physical barrier that could have potentially contained well
fluids, but only if the crew or emergency systems could have successfully engaged it.
As the events of 20 April 2010 indicate, the BOP did not seal the well.

Macondo Investigation Report, Volume 3, Report No. 2010-10-I-OS, U.S.

Chemical Safety and Hazard Investigation Board (CSB), April 2016. The key issues
in this report include human factors, organisational learning, safety performance
indicators, risk management practices, corporate governance and safety culture. I
have listed this volume 3 of the CSB investigation before the other volumes, because
this part provides the most complete analysis of the human and organisational
factors contributing to the incident. Although the industry is dependent upon human
actions to maintain safe operations, the CSB investigation reveals a significant gap
in the effective management of human factors in offshore operations. I was honoured
to be asked by the CSB to review aspects of this volume prior to its publication.

Macondo Investigation Report, Volume 4, Report No. 2010-10-I-OS, U.S.

Chemical Safety and Hazard Investigation Board (CSB), April 2016. This volume
addresses the US offshore safety regulation during and after Macondo, and
attributes of an effective regulator and regulatory system. The CSB concludes that
“Ultimately, the offshore regulatory changes made thus far do not sufficiently place
the onus on industry to reduce risk or empower the regulator to ensure proactive and
effective industry management and control of major hazards” (p.12).

Chief Counsel’s Report, National Commission on the BP Deepwater Horizon Oil

Spill and Offshore Drilling, 2011. This document provides a number of technical,
management and regulatory findings. Chapter 5 (“Overarching failures of
management“) is particularly interesting from a human and organisational factors
perspective. The introduction to this chapter states that “The failures at Macondo
were not inevitable, and the Chief Counsel’s team sets them out here in the hope
that they will not be repeated” (p.225).

Report to the President, National Commission on the BP Deepwater Horizon Oil

Spill and Offshore Drilling, 2011. This document is structured into three main parts:
(1) The path to tragedy, (2) Explosion and aftermath, and (3) Lessons learned. It
provides an excellent outline of the events leading up to the disaster and the events
that followed. It is a thorough and very readable review – “Though it is tempting to
single out one crucial misstep or point the finger at one bad actor as the cause of the
Deepwater Horizon explosion, any such explanation provides a dangerously
incomplete picture of what happened encouraging the very kind of complacency that
led to the accident in the first place” (p.viii).