
OTC-27188-MS

Improving Safety of Deepwater Drilling Through Advanced Instrumentation, Diagnostics, and Automation for BOP Control Systems
William R. Nelson, DNV GL

Copyright 2016, Offshore Technology Conference

This paper was prepared for presentation at the Offshore Technology Conference held in Houston, Texas, USA, 2–5 May 2016.

This paper was selected for presentation by an OTC program committee following review of information contained in an abstract submitted by the author(s). Contents
of the paper have not been reviewed by the Offshore Technology Conference and are subject to correction by the author(s). The material does not necessarily reflect
any position of the Offshore Technology Conference, its officers, or members. Electronic reproduction, distribution, or storage of any part of this paper without the
written consent of the Offshore Technology Conference is prohibited. Permission to reproduce in print is restricted to an abstract of not more than 300 words;
illustrations may not be copied. The abstract must contain conspicuous acknowledgment of OTC copyright.

Abstract
Among the contributors to excessive downtime for deepwater drilling are undetected failures in blowout
preventer (BOP) control systems. These undetected failures result from the limited instrumentation of
current systems, and require use of conservative criteria to decide if the BOP should be pulled to the
surface for maintenance. The safety and risk effects of undetected failures are currently measurable only
indirectly by the consequence of excessive non-productive time.
A reliability- and human-centered design approach has been developed for next-generation BOP
control systems to improve the safety of deepwater drilling by providing additional redundancy and fault
tolerance, more accurate information regarding control system health, and clear guidance for determining
whether the control system should be reconfigured to compensate for failures or pulled to the surface for
maintenance. Enhanced instrumentation is provided to enable improved diagnostics and prognostics,
measurable safety integrity levels, and reduced human errors in pull/no pull decisions.
This approach has been applied to the development of advanced BOP control systems that include
innovative design features to reduce downtime and enhance safety for deepwater drilling. The approach
focuses on development of advanced instrumentation and decision support for continuous assessment of
BOP health, assessment of compliance to regulatory and industry standards for BOP functions, automatic
reconfiguration to compensate for component failures, and determination whether operations can continue
or if the BOP must be pulled for maintenance.
Importance of Continuous Assessment of the BOP Barrier
Assessment of the occurrence and recurrence of catastrophic accidents such as Three Mile Island (TMI),
Columbia, Fukushima, and major pipeline leak accidents has indicated a number of shortcomings of
current risk management approaches. First, in all these cases important safety barriers were missing,
degraded, or failed, allowing the initiating event to progress to a major accident with catastrophic
consequences. In all these industries the need to establish and maintain effective barriers is well
recognized, but in each case the critical barriers failed in some way. The second common element in these
events is that human decision making was not adequate to recognize the inadequacy of the critical barriers
and to formulate effective corrective actions in time to prevent the accident or mitigate its consequences.
In some cases the most obvious decision making errors occurred during the event itself:
● The Three Mile Island operators did not recognize that the primary coolant boundary had been
breached and turned off the critical Emergency Core Cooling System.
● The Columbia mission managers did not recognize that the wing leading edge had been breached
by the foam impact, even though NASA engineers deep within the organization were analyzing
that very scenario.
● Major pipeline leak accidents have occurred because control center operators did not recognize the
symptoms of a leak, delaying the response to isolate the leak and resulting in major spills and
environmental damages.
Tempting as it is, none of these "industry defining" catastrophic events can be fully explained by focusing
on the decision-making failures of the operating personnel in the "heat of the moment." In all cases there
were major shortcomings earlier in the project lifetime that "set the stage" for the barrier failures and
decision-making errors that occurred during the events. This highlights the importance of designing safety
barriers so that they can be continuously monitored during operation, and of providing effective decision
support so operators can detect barrier degradation and identify corrective actions to restore the degraded
barrier or activate another barrier. The same principle of decision support for dynamic barrier management
also applies to deepwater drilling, as demonstrated by the Macondo event and its consequences.
The BOP and the fluid column are the two main barriers for preventing loss of well control during
offshore drilling. Figure 1 is a simplified bow tie diagram showing how the fluid column is the primary
well control barrier while the BOP is the secondary well control barrier that is used to maintain well
integrity if the fluid column barrier is degraded. This illustrates the critical importance for monitoring the
condition of the BOP to continuously assess its availability to function as the secondary well control
barrier when required. Regulatory and industry requirements are used to establish the operating boundaries
for BOP availability that govern when drilling operations are allowed. Thus it is also essential to
continuously and clearly determine the regulatory compliance of the BOP control system. This paper
summarizes the approach that has been developed for the design of advanced BOP control systems with
advanced instrumentation, diagnostics, decision support, and compliance assessment to enable reduced
downtime and enhanced safety of deepwater drilling operations. The reliability- and human-centered
design approach is built on formal systems engineering methods that enable the development of advanced
BOP control system architectures that utilize proven technologies and advanced diagnostics to achieve
higher levels of reliability, fault tolerance, and safety integrity.

Figure 1—Simplified Well Control Bow Tie Diagram

Regulatory Compliance Assessment


Industry and regulatory requirements have been established that govern the envelope within which
offshore drilling operations are allowed. In particular, API STD 53 "Blowout Prevention Equipment
Systems for Drilling Wells" establishes requirements for the availability of BOP functions during drilling
operations. The limited instrumentation of conventional BOP control systems means that failures within
the control system may go undetected. Bureau of Safety and Environmental Enforcement (BSEE)
regulations specify in 30 CFR 250.141 that drilling operations must be suspended if one BOP control
station or pod does not function properly, and operations cannot be resumed until that station or pod is
operable. For today’s dual pod control systems this often means that the BOP must be pulled to the surface
for repair of the malfunctioning pod. The time required to bring the BOP to the surface, diagnose the
faults, repair or replace the faulty components, and lower the BOP and relatch it to the wellhead can lead
to substantial unplanned downtime. In addition, because of the limited instrumentation of conventional
BOP control systems, it can be very difficult to conclusively determine the condition of the BOP when
it is attached to the wellhead. This means that very conservative decisions must be taken when the
condition and regulatory compliance of the BOP control system are uncertain.
Effective instrumentation and decision support are needed to continuously monitor the health of the
BOP control system, continuously assess compliance with regulatory requirements, and ensure the BOP
will operate when needed to maintain well control when required due to degradation of the fluid column
barrier.
Trends for Next-Generation BOP Control Systems
In order to increase reliability, reduce unplanned downtime, and enhance safety, next-generation BOP
control systems will have new features and perform differently when compared to conventional BOP
control systems. Three major considerations are important:
● Next-generation BOP control systems can utilize technologies that have been proven in other
industries to perform standard BOP functions in ways that are different from conventional BOP
control systems. This can improve performance and reliability of BOP control systems.
● Next-generation BOP control systems can use system architectures that are different when
compared to conventional BOP control systems. This could enable the control system to continue
operation with multiple failures rather than requiring drilling operations to cease following a single
control pod failure as required for a conventional system.
● Advanced instrumentation, health monitoring, and diagnostic capabilities can be included that will
enable the condition of the control system to be continuously monitored and information to be
provided to operators so they can clearly identify when failures require the BOP to be pulled for
maintenance on the surface. These capabilities will also make it possible for the BOP control
system to be automatically reconfigured to compensate for multiple failures as long as the decision
criteria for regulatory compliance are satisfied.
The process for development of advanced capabilities for diagnostics, decision support, and reconfiguration
for next-generation BOP control systems is described in the following sections.
Approach for Development of BOP Control System Diagnostics and
Decision Support
Design of BOP control system diagnostics and decision support begins by identification of the available
success paths including electrical, hydraulic, and software elements for activation of each BOP function.
Next, a systematic analysis is performed to identify information and instrumentation that is required to
determine the health of the control system assemblies that make up each success path. Decision criteria
are defined for determining whether the system can be reconfigured to compensate for failed components,
or if the BOP must be pulled for maintenance. These decision criteria are based on continuous assessment
of the availability of BOP functions to satisfy regulatory requirements as specified by BSEE regulations
and industry standards such as API STD 53. When it is possible to continue drilling while remaining
compliant to regulatory requirements, instructions are provided for reconfiguration of the control system,
which can be performed either manually or automatically.
This approach for developing diagnostics and decision support for next-generation BOP control
systems is based on four major activities:
● Development of a response tree showing the pathways that can be used to provide hydraulic fluid
to operate the BOP functions, and availability of success paths to reconfigure the system to
compensate for any combination of equipment failures.
● Development of a spreadsheet capturing the information requirements, potential sources of the
information (e.g. instrumentation), and decision criteria for assessing the health of the BOP control
system and specifying actions to be taken to reconfigure the control system to enable continued
operation.
● Development of a success tree logic model showing the decision criteria for regulatory compliance
for continued operation and BOP pull/no pull decisions.
● Development of an information architecture to define the information flow and analysis to assess
control system status and the availability of individual assemblies, identify available success paths
for control system reconfiguration when required due to assembly failures, and application of the
regulatory compliance decision criteria to determine whether operations can be continued or the
BOP must be pulled for maintenance or repair.
For an overview of the general approach for information requirements analysis and application to
offshore operations see Nelson (2011). Corcoran et al. (1981) describes the origin of the critical safety
function and success path concepts in the nuclear industry following the Three Mile Island accident.
Nelson (1980) provides background on response trees and Hanson et al. (1990) describes the nuclear
industry approach for information requirements analysis in greater detail. The elements developed in these
studies have been combined to form the approach for information requirements analysis as described in
the following sections.

Response Tree for BOP Control System


Figure 2 shows the structure of a simplified response tree for BOP control system diagnostics and
regulatory compliance assessment. This response tree represents a simplified view of the success paths for
a conventional dual pod BOP control system. As shown on the response tree this hypothetical BOP control
system has two pods (blue and yellow), two rigid conduits, a crossover line that allows flow to be directed
from the yellow side to the blue side and vice versa, surface accumulators for operation of subsurface BOP
functions, and subsea accumulators for operation of emergency BOP functions.
Figure 2—Simplified BOP Response Tree

Each pathway from the bottom of the response tree to the top represents a different success path for
providing hydraulic fluid to a specific BOP function. Individual assemblies will appear in every success
path for which they are used to route the flow of hydraulic fluid to a BOP function. The response tree can
be used to assess the effects of assembly failures on the availability of the success paths, and provide
guidance for selecting a success path for reconfiguring the system to continuously maintain the functions.
Note that this reconfiguration could occur either manually by operator action or automatically through
command from the control system. The choice of manual or automatic reconfiguration will be based on
formal assessment and comparison of the reliability and safety of these alternatives. The levels of the BOP
response tree are as follows:
● Barrier- This response tree represents the success paths for the BOP well control barrier.
● Success Objective- The success objective for the BOP barrier is to function a BOP ram to
maintain well integrity.
● Success Strategy- The combination of BOP control system assemblies that are aligned to provide
hydraulic fluid to function the BOP ram.
● Success Path- The unique identifier for the success path. The green color shows that each of the
success paths is currently available to function the BOP ram, assuming that each assembly of the
control system is currently available.
As mentioned above, this response tree is a simplified representation of a conventional dual pod BOP
control system. Next-generation BOP control systems with different architectures and equipment can be
designed that will have a larger number of success paths and hence a higher degree of fault tolerance and
safety integrity. The response trees for such advanced designs will show a much larger number of success
paths as visual evidence of increased fault tolerance to continue operation following multiple assembly
failures.
Application of the Response Tree to Assess the Effects of Assembly Failures
Figure 3 shows an example of how the BOP control system response tree is used to assess the effects of
a combination of assembly failures. The response tree has been color coded to show the effects of a
hypothetical scenario for failure of the yellow pod and also failure of the crossover line between the
yellow and blue pathways. These failures are indicated by the orange color. Note that the failed assemblies
may be represented multiple times on the response tree because of the multiple hydraulic pathways they
serve. For example, the failure of the yellow pod affects two different success paths utilizing different
pathways for hydraulic fluid.

Figure 3—BOP Response Tree Showing Effects of Control System Failures

Any success path that requires the availability of a failed assembly is not available for use. These
unavailable success paths are coded with a red color as shown at the bottom level of the response tree.
Once the unavailable success paths have been identified for the combination of failures, the available
success paths are identified and coded with the green color. Any one or more of these available success
paths can then be used to operate the desired BOP function. Finally, the light blue color is used to show
how prioritized selection rules can be applied to identify a recommended success path for implementation.
Activation of the recommended success path can then be accomplished either by human action or by
automatic reconfiguration of the BOP control system to deliver hydraulic fluid to the desired BOP
function.
Figure 4 shows how the success paths on the response tree support the operation of the BOP well control
barrier for offshore drilling. The figure shows the simplified bow tie diagram indicating that the Fluid
Column and the BOP are the two main well control barriers for maintaining well control and preventing
Loss of Containment. The red color of the Fluid Column barrier shows a situation where the fluid column
barrier is degraded, so that a BOP success path must be selected and implemented to maintain well
control and prevent Loss of Containment. The next step is then to evaluate the response tree to identify
the success path that the BOP control system should use to function the selected BOP ram and shut in the
well. This combination of the barrier and success path concepts provides a robust basis for decision support
for prevention and mitigation of loss of well control incidents.
Figure 4 —Application of the Response Tree to Select a BOP Success Path for Responding to Degradation of the Fluid Column Barrier

Identification of Information and Instrumentation Requirements


The next step to develop BOP control system diagnostics and decision support is to use the response tree
to guide the information requirements analysis for the assemblies of the BOP control system. A
spreadsheet format is used to systematically guide the identification of the information requirements in a
workshop setting with Subject Matter Experts (SMEs) representing engineering, operations, and maintenance.
Table 1 shows an example spreadsheet that is developed in the information requirements analysis
workshop. The rows of the spreadsheet show the elements of the bow tie diagram including threats,
prevention barriers, prevention barrier success paths, top event, mitigation barriers, mitigation barrier
success path, and consequences. Thus the information requirements analysis can be used to identify the
information and instrumentation requirements for the full range of decision support for prevention and
mitigation of incidents or accidents.
Table 1—Sample Information Requirements Analysis Spreadsheet for the Loss of Containment Bow Tie

Table 1 illustrates application of information requirements analysis to the full bow tie model for Loss
of Containment. For focused application to the BOP barrier, the columns of the information requirements
spreadsheet are used as follows:
● Information Requirement - The information that is needed to determine the availability and
health of the BOP control system assembly.
● Source of Information - Instrumentation and other sources of information that can be used to
directly provide the required information. Note that in many cases the health or availability of an
assembly will not be known while it is inactive, but will be detected during a function test or
activation of a BOP function.
● Decision Criteria (IF) - Criteria that are used to determine the health and availability of the
assembly under discussion. In most cases this is comprised of a logical combination of parameters
and thresholds for each parameter that indicates degradation of the assembly.
● Response Guidance (THEN) - Actions that should be taken when the assembly is determined to
be degraded or failed. This information will be used to inform the development of alerts, warnings,
alarms, and guidance messages that will be displayed on the Human Machine Interface (HMI) and
for development of procedures for control system diagnostics and maintenance. The response
guidance will also be used to specify how the hydraulic fluid pathways are manually or automatically
reconfigured if it is determined that the currently selected success path becomes unavailable.
BOP Control System Compliance Assessment
The BOP control system information requirements analysis is also used to establish decision criteria for
regulatory compliance assessment and BOP pull/no pull decisions. The decision criteria are represented
in a success tree logic model to facilitate understanding of current status of regulatory compliance and
communication among operations, maintenance, and regulatory personnel. The ultimate goal is to agree
in advance with regulatory personnel regarding the decision criteria for continued operation and pull/no
pull decisions, to form the basis for discussion and consensus during drilling operations.
Figure 5 shows a portion of a success tree decision criteria logic model for regulatory compliance
assessment for a generic BOP control system. The logic model is a success tree structure based on the
requirements of API STD 53 for availability of BOP functions. The Top Event for the logic tree is
"Criteria for Continued Operation." The basic premise is that as long as the availability of BOP functions
at the lower levels of the tree is such that the Top Event is satisfied, drilling operations can continue. This
logic model is continuously monitored during drilling operations to determine if drilling operations can
continue because the BOP control system complies with all regulatory requirements. If failures of BOP
control system assemblies result in a situation where the available BOP functions do not meet regulatory
compliance requirements, this provides clear indication that the drilling operations must be suspended and
the BOP must be pulled to the surface for maintenance. A major benefit of this regulatory compliance
logic model is that decision criteria can be agreed in advance between operators and regulatory authorities
such as BSEE. This means that discussions with regulatory personnel during operation can focus on the
effects of BOP control system failures on the pre-established decision criteria, rather than requiring
detailed review of piping and instrumentation diagrams (P&IDs) and the effects of individual component
failures. This will facilitate consensus between operator and regulator on decisions for continued operation
as long as the regulatory decision criteria are satisfied.

Figure 5—Regulatory Compliance Decision Criteria Logic Model

Information Architecture for Control System Reconfiguration, Compliance Assessment, and Pull/No Pull Decisions
A high level information architecture has been developed to assess the availability of BOP control system
assemblies, determine the availability of success paths for providing hydraulic fluid to BOP functions, and
apply the decision criteria for regulatory compliance to determine if operations can continue or the BOP
must be pulled for maintenance. The architecture is used to process information from control system
instrumentation to determine the availability of BOP functions, assess regulatory compliance and pull/no
pull decisions, and generate the information to be communicated to drilling personnel and regulatory
personnel during operations.
The elements of the information architecture and the flow of information are described in the following.
● BOP control system instrumentation determining current conditions - Instrumentation used to
monitor mechanical, hydraulic, and electrical components of the BOP control system and their
current state.
● Assembly diagnostics - Based on the BOP control system instrumentation and the decision
criteria defined in the information requirements analysis, the health and availability of the control
system assemblies are continuously assessed.
● Pathway availability and selection - When degraded conditions are detected in BOP control
system assemblies, the response tree is used to determine the availability of hydraulic fluid
pathways for each BOP function. If assembly failures lead to the unavailability of a success path,
selection criteria are applied to choose the preferred success path from those remaining. The BOP
control system will be manually or automatically reconfigured to implement the recommended
success path to provide hydraulic fluid to the function.
● Decision criteria for continued operation - The regulatory compliance decision criteria logic
model is evaluated based on the availability of pathways for delivering hydraulic fluid to each BOP
function. Drilling operations can continue as long as the Top Event "Criteria for Continued
Operation" is satisfied. If the combination of unavailable BOP functions causes the Top Event to
not be satisfied, drilling operations must cease and the BOP must be pulled for maintenance.
● Traffic light for BOP pull/no pull decisions - If all the BOP functions are available the traffic
light will be green. If one or more BOP functions is unavailable but the Top Event is still satisfied,
the traffic light will be colored yellow but drilling operations can continue. If the unavailability of
the BOP functions causes the Top Event to not be satisfied, the traffic light will be colored red,
and drilling operations must be shut down and the BOP must be pulled for maintenance.
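The pipeline described in this section, together with the response tree evaluation of Figures 2 and 3 and the IF/THEN decision criteria of the information requirements spreadsheet, as an added example in Python. It is not code from the paper or from any DNV GL product. The assembly names, instrument thresholds, success-path routing, prioritized selection rule and the "Criteria for Continued Operation" success tree are all hypothetical stand-ins; in particular the logic model below is not the API STD 53 or 30 CFR 250 criteria, which the paper does not reproduce. The Figure 3 scenario (yellow pod and crossover line failed) is encoded as a constructed telemetry snapshot so the coloring and the recommended path can be checked.

```python
"""Toy decision-support pipeline for a dual-pod BOP control system (added example).
Assembly names, thresholds, routing, selection rule and compliance criteria are all
hypothetical stand-ins, not the paper's, API STD 53's or BSEE's."""

# BOP functions and the function-specific assembly each needs (hypothetical).
FUNCTIONS = {"upper_pipe_ram": "upr_operator", "lower_pipe_ram": "lpr_operator",
             "blind_shear_ram": "bsr_operator", "annular": "annular_operator"}

# Spreadsheet decision criteria: IF every parameter is within [low, high] THEN healthy.
# Operators carry only a last function-test result, since inactive assemblies are
# often proven healthy only when tested or actuated.
DECISION_CRITERIA = {
    "surface_accumulators": {"precharge_psi": (2500, 3300), "bank_psi": (4000, 5100)},
    "blue_conduit": {"pressure_psi": (4000, 5100)},
    "yellow_conduit": {"pressure_psi": (4000, 5100)},
    "crossover": {"delta_psi": (0, 150)},
    "blue_pod": {"solenoid_current_a": (0.4, 1.2), "pilot_pressure_psi": (2800, 3100)},
    "yellow_pod": {"solenoid_current_a": (0.4, 1.2), "pilot_pressure_psi": (2800, 3100)},
    **{op: {"last_test_pass": (1, 1)} for op in FUNCTIONS.values()},
}

# Response tree: a success path is the set of assemblies routing fluid to a function.
# List order is the prioritized selection rule (direct paths before crossover paths).
ROUTING_PATHS = [
    ("SP1", ["surface_accumulators", "yellow_conduit", "yellow_pod"]),
    ("SP2", ["surface_accumulators", "blue_conduit", "blue_pod"]),
    ("SP3", ["surface_accumulators", "yellow_conduit", "crossover", "blue_pod"]),
    ("SP4", ["surface_accumulators", "blue_conduit", "crossover", "yellow_pod"]),
]

# Success tree for the Top Event "Criteria for Continued Operation"; leaves are functions.
CONTINUED_OPERATION = ("AND", "blind_shear_ram", "annular",
                       ("OR", "upper_pipe_ram", "lower_pipe_ram"))

def assembly_health(readings):
    """Assembly diagnostics. A missing reading counts as unavailable (conservative)."""
    return {
        asm: all(readings.get(asm, {}).get(p) is not None
                 and lo <= readings[asm][p] <= hi for p, (lo, hi) in params.items())
        for asm, params in DECISION_CRITERIA.items()
    }

def path_availability(health):
    """Color every success path of every function: True = green, False = red (Figure 3)."""
    return {fn: {sp: all(health[a] for a in route + [op]) for sp, route in ROUTING_PATHS}
            for fn, op in FUNCTIONS.items()}

def recommended_path(paths):
    """Prioritized selection: first available path in ROUTING_PATHS order (light blue)."""
    return next((sp for sp, _ in ROUTING_PATHS if paths[sp]), None)

def evaluate_tree(node, fn_available):
    """Evaluate an AND/OR success tree whose leaves are function names."""
    if isinstance(node, str):
        return fn_available[node]
    gate, *children = node
    results = [evaluate_tree(c, fn_available) for c in children]
    return all(results) if gate == "AND" else any(results)

def traffic_light(fn_available):
    """Green: all functions available; yellow: some lost but Top Event holds; red: pull."""
    if not evaluate_tree(CONTINUED_OPERATION, fn_available):
        return "RED"
    return "GREEN" if all(fn_available.values()) else "YELLOW"

def assess(readings):
    """Run the whole information architecture on one snapshot of instrumentation."""
    health = assembly_health(readings)
    paths = path_availability(health)
    fn_available = {fn: any(p.values()) for fn, p in paths.items()}
    return {"failed_assemblies": sorted(a for a, ok in health.items() if not ok),
            "recommended": {fn: recommended_path(p) for fn, p in paths.items()},
            "top_event": evaluate_tree(CONTINUED_OPERATION, fn_available),
            "light": traffic_light(fn_available)}

def nominal_readings():
    """Constructed telemetry snapshot with every parameter inside its band."""
    return {"surface_accumulators": {"precharge_psi": 2900, "bank_psi": 4800},
            "blue_conduit": {"pressure_psi": 4700}, "yellow_conduit": {"pressure_psi": 4650},
            "crossover": {"delta_psi": 20},
            "blue_pod": {"solenoid_current_a": 0.8, "pilot_pressure_psi": 2950},
            "yellow_pod": {"solenoid_current_a": 0.8, "pilot_pressure_psi": 2950},
            **{op: {"last_test_pass": 1} for op in FUNCTIONS.values()}}

def figure3_readings():
    """The paper's Figure 3 scenario: yellow pod and crossover line both failed."""
    r = nominal_readings()
    r["yellow_pod"]["pilot_pressure_psi"] = 2300  # pilot supply lost
    r["crossover"]["delta_psi"] = 400  # crossover line not holding
    return r

if __name__ == "__main__":
    for name, r in (("nominal", nominal_readings()), ("figure 3", figure3_readings())):
        print(name, assess(r))
```

In the Figure 3 scenario the yellow pod appears in two paths (SP1 and SP4) and the crossover in two (SP3 and SP4), so only SP2 survives and is recommended for every function; all functions remain available, so the light stays green. Knocking out one ram operator's last function test drops that function but leaves the Top Event satisfied (yellow), and losing the blue pod as well removes every routing path (red, pull the BOP). Treating a missing reading as a failed assembly is the conservative choice the paper's discussion of limited instrumentation argues for.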

Conclusions
A reliability- and human-centered design approach has been developed for next-generation BOP control
systems to improve the safety of deepwater drilling by providing additional redundancy and fault
tolerance, more accurate information regarding control system health, and clear guidance for determining
whether the BOP control system should be reconfigured to compensate for failures or pulled to the surface
for maintenance. Enhanced instrumentation is provided to enable improved diagnostics and prognostics,
measurable safety integrity levels, and reduced human errors in pull/no pull decisions.
A systematic development process is used to identify information requirements for BOP diagnostics,
control system reconfiguration, BOP maintenance planning, regulatory compliance assessment, and BOP
pull/no pull decisions. The results of the information requirements analysis can then be used to form the
framework for final design of the BOP control system, including instrument selection and placement,
development of the formal diagnostic algorithms, design of the Human Machine Interface, and software
specification for control system diagnostics.
The information requirements analysis can also play a critical role in regulatory approval for deployment
of the advanced BOP control system and regulatory compliance assessment during operations. For
decision making during operations, the visual representations provided by the response trees and the
regulatory compliance decision criteria logic model can be used to form the foundation to ensure
straightforward communication and consensus between operator and regulatory personnel during the full
range of operational scenarios.

REFERENCES
Corcoran, W. R., Finnicum, D. J., Hubbard, F. R., III, Musick, C. R., and Walzer, P. F. 1981. Nuclear Power-Plant Safety
Functions. Nuclear Safety, 22(2): 179–191.
Hanson, D. J., Ward, L. W., Nelson, W. R., and Meyer, O. R. 1990. Accident Management Information Needs: Methodology
and Application to a Pressurized Water Reactor (PWR) with a Large, Dry, Containment. U.S. Nuclear Regulatory
Commission Report NUREG/CR-5513, April 1990.
Nelson, W. R. 1980. Response Trees for Emergency Operator Action at the LOFT Facility. Presented at the ANS/ENS
Topical Meeting on Thermal Reactor Safety, Knoxville, TN, April 7–11.
Nelson, W. R. 2011. Nuclear Industry Concepts for Safety and Performance Management and Application to Offshore
Operations. Presented at the Offshore Technology Conference, Houston, TX, May 2–5.
