Over the Edge

A book about a disaster necessarily belongs to the genre of tragedy.

Engineering Human Ecology Review Scientists Nightstand

Current Issue

This Article From Issue

May-June 2017

Volume 105, Number 3
Page 182

DOI: 10.1511/2017.105.3.182

DEEPWATER HORIZON: A Systems Analysis of the Macondo Disaster. Earl Boebert and James M. Blossom. 290 pp. Harvard University Press, 2016. $39.95.

A book about a disaster necessarily belongs to the genre of tragedy. You read the story already knowing that it will end with loss and carnage. But in a technological disaster, unlike in a Greek play, the actors are not mere helpless playthings of the gods. They make their own fate, and the forces driving them onward to ruin are very human foibles: haste, inattention, overconfidence, wishful thinking.

In Deepwater Horizon, engineers Earl Boebert, retired from Sandia National Laboratories, and James M. Blossom, whose career has included 20 years at Los Alamos National Laboratory, reexamine one of the most horrifying technological disasters of recent memory: the blowout of an oil well in the Gulf of Mexico that destroyed a drilling rig, killed 11 crew members, and led to the largest marine oil spill in U.S. history.

Ad Right

Transocean, which controls a fleet of mobile offshore rigs, owned the drilling vessel Deepwater Horizon and operated it under contract to the petroleum producer BP. In April 2010 the rig was completing work on the Macondo well in the Gulf of Mexico, 40 miles southeast of New Orleans, Louisiana. It floated in mile-deep water, connected to the wellhead on the sea floor by a long tube called a riser. The well itself extended another two miles into the sedimentary rocks beneath the Gulf, reaching layers of oil and gas at a total depth of more than 18,000 feet below sea level.

On the night of April 20, the crew was preparing to disengage from the well and move on to their next assignment. They had poured a cement plug into the bottom of the well to seal off the hydrocarbon layers. This plug was meant to be drilled out by a different rig when the well was eventually reopened for production. Until then, the cement would have to resist the tremendous pressure of the surrounding fluids—roughly 13,000 pounds per square inch.

Before placing a cap on the well and leaving the site, the Deepwater Horizon was required to test the integrity of the cement plug. The essence of the procedure was to open a valve in a pipe connected to the riser and make sure no fluid was driven up the drill pipe by oil and gas leaking in at the bottom of the well. When the crew conducted the test, its result was unclear. They repeated it, but the outcome of the second test was also uncertain. After extended discussion, the crew decided there must be some benign explanation for the fluctuating flows and pressures they were observing. They continued on to the final steps in the well-capping procedure. At this point the chorus in the Greek tragedy would begin its keening.

Less than an hour later, fluids began spurting out of the riser pipe onto the drilling floor, in the middle of the rig’s main deck. Soon a geyser of seawater and mud reached the crown of the drilling derrick, 250 feet above the water’s surface. The last line of defense was the blowout preventer, a towering 400-ton stack of valves, hydraulic rams, and other devices mounted atop the wellhead a mile below the rig. Crew members activated controls to shut off the flow at the blowout preventer and to detach the riser so that the platform could move away, but the commands had no effect. (The reason for that failure remains a subject of contention.)

In a few minutes the oil and gas reached the water’s surface, and the Deepwater Horizon was engulfed in flames. Considering the scale of the cataclysm, it’s remarkable there were no more than 11 deaths; 115 people escaped the explosions and fire and were rescued after leaping into the sea. The rig burned for 36 hours before sinking.

If this were the end of the story, it would be an industrial accident of the first magnitude. But indeed, the sinking was not the end of the story. The damaged wellhead continued to spew petroleum into the sea, thwarting several attempts to contain or control the spill. By the time the well was finally sealed three months later, more than 200 million gallons had escaped, becoming the largest oil spill in U.S. history.


The procedure for closing the Macondo well in the Gulf of Mexico was nearly complete in April 2010 when a blowout destroyed the Deepwater Horizon drilling vessel and led to the largest marine oil spill in U.S. history. The vessel, floating at the sea surface, was connected to the well through a mile-long riser pipe and a blowout preventer mounted on the sea floor. The well itself, extending another two miles into the sedimentary rocks of the gulf, was not just a hole in the ground; it was a complex assembly of telescoping steel tubes. The diagram at right shows the plan for temporarily capping the well with two cement plugs and a steel lockdown sleeve. Oil and gas erupted through the riser pipe before that work could be completed. The diagrams are not to scale and greatly exaggerate the width of the well bore. (ppg, pounds per gallon)
From Deepwater Horizon.

The tale of the Deepwater Horizon has been told many times in the seven years since the accident. The companies involved released the results of their own internal investigations, and official reports came from the Coast Guard, the Department of the Interior (which regulates oil-drilling activities), and a special presidential commission. Also available are the transcript of a federal trial, at least six earlier books, and a movie starring Mark Wahlberg. All of these documents attempt, in one way or another, to tell us what went wrong. So what’s left to say in this new account?

Boebert and Blossom promise a scholarly rather than a judicial approach: “The judicial mindset concentrates on the accident that was, in support of assigning blame; the scholarly mindset considers both the accident that was and the accidents that might have been, seeking all factors with the potential to combine into a disaster.” Their telling of the story features neither heroes nor villains. Their focus is first on the technical challenges that need to be overcome to safely drill an offshore well, and second on organizational factors—the planning process, decision making, patterns of communication, and adherence to established procedures.

The technical challenges mainly have to do with “well control.” To an outsider, it’s not obvious that a well is something that needs to be controlled. After all, isn’t it just a hole in the ground? But imagine drilling a hole into the fuel tank of an automobile: How do you make the hole without letting any of the liquid or vapor leak out? Drilling a well deep into the Earth poses a similar problem, but with the added difficulty that the oil and gas are under high pressure. They don’t merely dribble out but are expelled with great force.

While a well is under construction, the key to controlling it lies in a substance called drilling mud, a soupy fluid that is pumped down the hollow drill pipe and back up the annular space between the drill pipe and the steel casing that lines the hole. The mud’s weight keeps the flammable hydrocarbons safely confined, but the balance is delicate. The “push” from the mud must be matched to the “shove” from the hydrocarbons. If the mud is too light, it will not hold back the oil and gas. If it is too dense, the excessive pressure at the bottom of the hole will fracture the surrounding rock, allowing the mud to leak out of the well; then, without the protective column of mud, the oil and gas can infiltrate the well.

Most of us have little experience dealing with such unstable systems, and even less familiarity with circumstances in which a miscalculation can lead to multiple deaths and a major environmental catastrophe. In a metaphor that recurs throughout the book, Boebert and Blossom convey the intense complexities of living and working near “The Edge,” where the slightest misstep can take you over the precipice. In this dangerous environment, they assert, drillers must have “the ability to draw conclusions from incomplete and conflicting information and . . . the moral fiber to act.”

The authors argue that the Deepwater Horizon disaster was a failure of well control. Other tellings emphasize other failures—such as that of the cement plug at the bottom of the well or that of the blowout preventer. It’s true that those components did fail, but the procedures of well control—developed through more than a century of drilling experience—are intended to cope with just such untoward events. The breach of the cement seal was not a sudden failure in the moments before the well erupted in flames; multiple signs of trouble had appeared hours earlier, but those in charge of the project (both on the rig and on land) either didn’t recognize the signs or chose not to act on them.

The most obvious warnings were the two integrity tests that gave puzzling results, but there were other missed signals as well. One of the simplest and most reliable ways of monitoring the status of a well is to keep an eye on the “mud pits,” which hold a reserve of drilling mud. When the well is in equilibrium, the amount of mud pumped down the hole equals the amount returning to the surface, and the level in the pits remains steady. A rising or falling level is a sign of trouble. Unfortunately, the crew of Deepwater Horizon was deprived of this intelligence: During certain critical operations, mud was being transferred to a supply ship in preparation for moving on to the next well. Changes in mud level caused by the transfers obscured any signals from mud moving up or down the riser.

It’s easy to fasten onto these particular events (or others like them) as key missed opportunities. If only BP had monitored the mud pits, the conflagration might have been averted. If only they had run a third test. If only they had chosen a different kind of cement or replaced the batteries in the blowout preventer. Yet Boebert and Blossom take a dim view of this if-only reasoning. Yes, some of those actions might have saved the rig on April 20, but the next accident could be triggered by a quite different series of mistakes. The authors argue for broader changes—for a more cautious and conscientious approach to the management of risk.

From Deepwater Horizon.

According to the authors, safety-critical operations in the last stages of the Macondo project were carried out with only vague and informal planning. For example, no detailed procedure was ever established for the cement-integrity test, nor was there a specific criterion to define success and failure. Such procedures must be custom-designed for the specific well, a task that would generally be undertaken by an experienced member of the drilling crew in consultation with experts on shore. At the Macondo well, the plan was assembled in haste by junior personnel. Complicating matters, communication among various groups working on the rig was sporadic and unreliable. The person responsible for monitoring mud levels was not told when transfers to the supply ship started and stopped; as a result he could not correctly interpret what he was seeing. Supervision from BP’s office in Houston, Texas, was inadequate; only two professionals were assigned to the well, and they had been on the job only a few months. (The authors note that another oil company, Shell, assigns 15 to 20 professionals to each well.)

Furthermore, all those working to finish the Macondo project were conscious of a ticking clock. BP risked losing its drilling rights in another region of the Gulf if it did not move the Deepwater Horizon to a new well site within about three weeks. BP managers deny that they pressured the crew to hurry or take risks, but Boebert and Blossom find that disclaimer inadequate: “What was required for survival was explicit pressure on the crew members to slow down, determine how close they were to The Edge, and take steps to move away from it—pressure that never came.”

Many tellings of the Deepwater Horizon story point out a painful irony: On the day of the disaster, four executives from Transocean and BP were visiting the rig to celebrate seven years without a loss-of-worktime accident. That’s a commendable achievement, one that betokens a serious commitment to personal safety—always wearing a hard hat and steel-toed shoes, for example. The events of that night suggest a neglect of process safety—making sure the entire rig doesn’t burn and sink. Boebert and Blossom put it this way:

Promoting a “safety culture” of methodical wariness is insufficient unless that culture is backed up by an “engineering culture” that includes methodical decision making, contextual review, and management of change. . . . Just as important, a corporation must accept that an engineering culture imposes inefficiency in two ways: directly, because of the time employees must devote to those vital efforts, and indirectly, because ensuring that employees at every level take pains with safety-critical decisions slows down other activities. Macondo teaches that those in an oil company who are responsible for allocating resources might save thousands or even millions of dollars by forgoing such activities but spend multiple billions on the other side of The Edge.

Beyond safety culture and engineering culture, there is another level of risk management that Boebert and Blossom do not discuss. Through its government, a society can collectively decide what risks are worth taking, and how close to The Edge we choose to live. The Deepwater Horizon accident had fearful consequences: the 11 lives lost, the environmental damage, the economic penalties paid by Gulf Coast fishermen and the tourist industry as well as shareholders and employees of BP and the other companies held liable. One possible response might have been to declare a moratorium on drilling in deep waters and other high-risk environments.

Petroleum and natural gas are not in short supply. We could afford to leave those deposits in the ground for now, and they would still be there if we ever needed them in the future. But that option was overridden by current economic incentives and an abiding distaste for government-imposed regulations. Perhaps it is not only corporations but whole societies that need to develop more methodical wariness, methodical decision making, contextual review, and management of change.

Most accounts of the Deepwater Horizon disaster dwell on the drama of the rig’s last hours, as the crew struggled to cope with the well blowout and then fought to survive. Those events are also part of Boebert and Blossom’s story, but the scope of their narrative is broader. Much of the action takes place deep underground, where drilling technology meets the uncertainties of geology, or else miles away in BP’s Houston offices. Their approach is analytic rather than dramatic. Theirs is the account for readers who want to understand how such disasters come about and what strategies might have the best chance of preventing more of them.

Brian Hayes is senior contributing writer for American Scientist. His book Foolproof, and Other Mathematical Meditations will be published by MIT Press this fall.