BP's Deepwater Oil Spill - Still Important things to discuss - Open Thread

This thread is being closed. Please comment on http://www.theoildrum.com/node/6997.

It was pointed out to me that our "final" open thread on the Deepwater Horizon Oil Spill is now up to 488 comments, and there are still folks interested in discussing issues related to this. So this is another open thread for comments.

Thanks, we appreciate this Gail:)

Yes, thanks.

It's only til we get our own place: a day - maybe two - three years tops.

This lurker wants to say thanks as well, Gail. I have very seldom posted, but I read much...and appreciate.

Add my thanks to thanks pile, duck

And mine.

Thanks for keeping this open!

BTW, still lots of good discussion left about the science and study of the impact of the spill.

Thanks to Gail for this thread.

Here is a new BP Presentation dated September 1 but only released four days ago:

Deepwater Horizon Containment and Response:
Harnessing Capabilities and Lessons Learned
(pdf, 46 pages)

A bit of marketing but also some interesting facts and it includes links to some videos.

The articles snakehead posted in the last thread link the hi(er) definition video that the researchers used to make their calculations. I'm sure the video made the rounds at some point before, but I missed it, except as a short clip from a news show.

Not that it helps with flow estimates, but this NASA video grasps the scope and provides subtly creepy space music as well.

As I suggested in the previous thread, the slick appears to start shrinking rather dramatically two weeks before the well was closed in on July 15. (You can use the cursor to stop the sequence and move between stills.)

The flat fifth in that music sets my teeth on edge.

The flat fifth in that music sets my teeth on edge.

The flutey instrument sounds flat throughout its range. I think the other instruments aren't well tuned to it.

Yeah, well. It's supposed to be space music. Space is weird.

Space is weird.

Yikes. One explanation for that anomaly apparently busts the Big Bang theory. And it features something called "tired light." What a neat term.

In the past month, it's also been discovered that the "laws" of physics don't behave as expected everywhere. And I'm not talking about Texas, Rockman.

I caught this 4 part series last night before bed. Love this man.


Now see, Feynman's the kind of guy who would have a ball talking about the question I posed a while back about hummingbirds and tree sloths! :)~

Everybody should have a ball talking about those things. It's actually being able to think outside the "box" that we normally do, that prevents that "deeper thinking". We get complacent when we think we understand something. We stop looking for answers.

A sentence from one of Rimbaud's letters to George Izambard

"You won't possibly understand, and I can't explain it to you, to arrive at the unknown through the disordering of all the senses, that's the point.."

I'll have some orange juice while I'm so seriously OT,lol.



Physicists consider nature of the universe may be quite different from how we perceive it. The Holographic Universe. Interview with the late Michael Talbot.

Nice one. I like the story about the cancer patient and the placebo effect, not only did it imply the power to self-heal and manifest illness, for lack of better words, but also that that perhaps, we truly get that which we seek. I have always been a firm believer in that. In the beginning of the lecture, he mentions the connections/similarities between the micro/macro, and it make me think of how I thought of the universe when I was a kid. I started thinking about numbers, measurements and size, and..infinity. In between every number was an infinite containing infinities. I felt like I had run into a wall..Standing in the woods at night, looking at the full moon, wondering how big the universe was, and truly in awe that, in my mind, I could go big, or small, but never beyond the bounds of what I could conceive, if that makes any sense. Would we ever find " the smallest piece" ( impossible in my young mind )..or would we eventually, with the most awesomest massive wide field deep-space telescope we could ever build, )or that I could imagine), find a scientist in a lab coat looking in through a microscope..? Or vice versa ? Would we one day peer into what we thought was the smallest piece, only to find a whole universe with scientists looking through microscopes in search of the smallest piece...? Or are we just the thought in the mind of the scientist ?

Ok, I'm done, sorry, it's Friday, ..I'm high.

Michael Talbot is no physicist. He is pushing a pop culture thing that is often called "Quantum Mysticism" which most physicists view as a form of new age claptrap having no scientific content or possibility thereof.


How do we ever find the new without engaging a different point of view or a different interpretation ?

By making fasleifable hypothesies. There are no shortage of mystical pseudo-science peddlers. So many that time runs out just starting to list them. If any of these guys makes a prediction that can be both tested, and tests out - then science listens, and listens big time. Look back the the last hundred yeas of physics. There were guys that were making predictions based upon their wild crazy theories that were, on the face of it absurd. Just plain whacky. But they made predictions that were measured, and found to match. Those guys usually got a free trip to Stockholm. They had names like Rutherford, Einstein, Dirac, Bohr, Feynman, Gell-Mann.

But the pseudo-science crowd do things a little differently. They will move the goal posts, and never allow anything they predict to actually be tested. Test something, and if it doesn't pan out, there is always a reason. Usually that you don't believe (they never actually come out and say that, but that is what it boils down to.) What you never see is a statistically valid test. If needed, double blind. In fact you will usually get an argument about the validity of double blind trials. If these guys can't agree about the base rules for science, you can't expect science to engage with them. There is even a miniscule chance they have blundered into something real, but they have no reason to actually know it, and could just as easily blunder on oblivious.

Sadly life has always been full of charlatans. There are always people ready and willing to believe. Some are sincere, but misguided, many are not sincere and merely prey on the weak. Mystical pseudo-scientific medical cures being the big money spinner.

Yes, I am aware of psuedoscience and it's ever shifty-ness. But that does not change the fact that our knowledge, and everything we consider knowledge is only through our interpretation. There are theories that have fallen by the wayside, only to later be resurrected and proven, only through a different view,use or interpretation. Screw theory for one, recently being considered in cosmology. Or Einstein abandoning the concept of the cosmological constant , but then in the 90's we have the discovery of cosmic acceleration in the which renewed interest in a cosmological constant. Myself, I can't deny that the truth can come from any direction at any time from any source, and that is applicable to the inspiration for the thought too. Mandelbrot drew from a wide variety of inspirations to develop chaos theory. Inspirations that have driven great minds through the ages have always come from unorthodox thinking, and the recognition of the importance of spirituality and mysticism in the sciences should never be discarded. The exponential growth rate of processing speed defined by Moore's law leads us to a technological singularity, proposed by Kurzweil and co. What happens then ? The creation of new physics and revolutions in scientific understanding so profound they appear to be magic, ala Clarke ?

That said,..some people unfortunately can't tell the difference between chicken salad and chicken sh*t.


The problem is that these new age pseudoscientists never provide a prediction that can be tested.

There is no way of determining whether or not their claims are true or not. This fails the fundamental requirements needed to be useful. Anyone can make up a theory or describe a point of view, however that theory needs have a way of being tested, to make a prediction that can be checked. If all it provides is a differing point of view without making a testable prediction it is useless.

But that does not change the fact that our knowledge, and everything we consider knowledge is only through our interpretation.

Not at all.

Our knowledge comes through the predictive power of the mathematical models of reality we have. You measure the orbit of the planets and provide a mathematical description thereof. cf. Kepler. Newton comes along and provides more detail with a law of gravitation from which he can derive Kepler's laws. Newton, when asked about how gravitation works responds "Hypotheis Non Fingo", I make (or feign) no hypothesis. That is he specifically REJECTS making an interpretation that is not needed to explain the observed effects. 150 years later Laplace writes his Magnum Opus on celestial mechanics, and when Napoleon asks why God is not mentioned in his book he says "I have no need for that hypothesis". Interpretation is a matter outside of science.

Interpretation of the models can be an interesting philosophical exercise and is great if you want to write a popular book, however it is fraught with all sorts of problems the chief one being that these models usually describe things far outside the normal common sense experiences that the minds of human beings have evolved to deal with. Since the interpretations are often untestable they are normally useless.

The classic article by Wigner gives a glimpse of the supremacy of mathematics in this regard.


As far as spirituality and mysticism in the sciences, that is VASTLY overrated by non-scientists. Few scientists believe in anything of the sort, and in general spirituality declines with the quality of the scientist.


As far as spirituality and mysticism in the sciences, that is VASTLY overrated by non-scientists. Few scientists believe in anything of the sort, and in general spirituality declines with the quality of the scientist.

Took me a minute (and a look at your Gould link) to figure out that you mean spirituality declines as the quality of the scientist rises.

Interestingly, the study described found that a higher percentage of top mathematicians believe in God (14.3%) than biological scientists (5.5%) and physicists/astronomers (7.5%).

On the other hand, the question asked was about belief in "a God in intellectual and affective communication with humankind," which may have excluded scientists who hold more abstract, less anthropomorphic Eastern-style beliefs. Be interesting to see a survey that included a greater range of possible God-concepts.

When something stands up to testing over time it is a Law. There is a preponderance of evidence that Gravity is a fact. It is always evident. Therefore it is a natural Law. The same is true of the Laws of motion and the First law of the conservation of matter and energy. Natural Laws tell us the limits of what we can do. We cannot violate the Law of gravity and we cannot tweak our noses and put dinner on the table.

A theory meets the criteria that we have established.. Evolution is theoretical and meets all the tests and observations that we apply. Establishing physical laws is fairly easy but establishing Biological laws is more difficult..

The problem here is one of semantics. When can we say something is proven. A theory is something that has not been proven but at least for now seems to be a reasonable explanation for a phenomena.

Relativity has been met with much resistance in the scientific world. To date, a Nobel Prize has never been awarded for relativity. Louis Essen, the man credited with determining the speed of light, wrote many fiery papers against it such as The Special Theory of Relativity: A Critical Analysis. Relativity also gravely conflicts with quantum mechanics, and although theories like string theory and quantum field theory have attempted to unify relativity and quantum mechanics, neither has been entirely successful or proven. Theory of Relativity, not Law of.

Relativity rejects Newton's action at a distance, which is basic to Newtonian gravity and quantum mechanics. The mathematics of relativity assume no exceptions, yet in the time period immediately following the origin of the universe the relativity equations could not possibly have been valid.

Many scientists have indicated problems with the postulates of special relativity. Paul Davies,(U of Arizona) believes that the speed of light has changed over time. Since the speed of light is a constant speed 'c' this indicates problems with the theory light speed. Other engineers and scientist have written about problems in the basic set of special relativity equations. Based on the ideas of not Einstein but of the scientist Fitzgerald as well as others, a length contraction effect was predicted as an explanation of the failure of the Michelson Morley experiment. This idea was taken up by Lorentz and shown by others to be a useful mechanism by which theory could be forced into conformance with experimental results.

And yes, we have scientific method, but it's not set in stone, many scientific discoveries come about by accident, by getting unexpected results and accidentally asking questions that had not even been asked.

In 100 years, our interpretations of what we see have a good chance of being very different. Science is constantly updating, changing and adapting. I will never discount spirituality or mysticism, because they are part of what keep me interested in science, they are at odds with each other over the interpretation of the same things. I think science should be open to new methods like random juxtaposition , which refers to the stimulation of creativity in problem solving, design or other creative pursuit by confronting two unrelated concepts or objects. You might take interest in somebody like Edward De Bono :


As far a "god" being drawn into things, the second paper you linked asked the scientists of their belief in one particular model of "god". Very narrow question..." Do you believe in my "god" ?" is designed to elicit responses that fit the bias of the person asking the question. A better question would have been " What is "god" to you ? " The answers would have been much different. Myself, I tend to be somewhat of a Spinozaist. But that brings us back to interpretation again, doesn't it ?

Edit: I think you guys will like these,lol.:

Does the Universe Have a Purpose?


There is a mix of Laws of nature here. There are those laws we believe are intrinsic to the nature of the universe, and those that are emergent from them.

Paul Davies won the Tempelton Prize, and makes his money writing popular physics books. He is a lightweight by most measures (I can attest to this, he was professor of Natural Philosophy at my university, I know personally very highly ranked physicists that worked with him.) The problem with his stuff is that he makes his living off the back of pushing the wow factor and the edge of the mystical parts of physics. Whilst he isn't a crank, and was a professional physicist, he isn't a good benchmark.

A point about the Nobel Prize. You can't get the Nobel Prize if there are more than three people. There is lots of very high quality work that didn't get the prize simply because there were too many contributors. The lack of a Nobel is not, and has never been, a benchmark for lack of acceptance.

Relativity is a funny thing. Since Einstein initially formulated it, special relativity is as close to mainstream as you may like. Sure, no direct Nobel Prizes for "relativity" but you can't ignore Dirac and his extension of Schrödinger's work to incorporate special relativity. Now he did get the Nobel (shared with Schrödinger) for that. So it isn't true to say that relativity hasn't garnered a Nobel. Nor is it not mainstream. The Standard Model has as one of its critical pillars, special relativity. You just don't see it. It is more like not seeing the air you breath.

General Relativity is a bit harder. Welding it, (and implicitly gravity) into a full theory is what keeps the theoretical physicists awake at night. There is a trip to Stockholm awaiting whoever solves that.

Good points, Francis. Had I not dropped out of high school to study art and cooking when I was 16, I might have a firmer grasp on these things, lol. Hopefully, when I go back to school this spring, I will not be too far behind. The school I applied to was puzzled as to why a chef wants to study physics. I tried to explain that cooking is physics and chemistry with a little poesis thrown in, but I don't think they followed me on that one.

Very glad to have found this website/community.

My goodness. You get major points in my estimation. Anyone taking the plunge to go back to study from the workforce passes any sincerity test. I wish you the absolute best for this. It won't be easy, but it will be worth it.

As I understand it, the idea of a 'cosmological constant' was just a kludge, without it the theory didn't work. Because the theory was flawed.

Templeton Prize

LOL. Wait, you put that in which category - chicken salad or chicken shit?


Thank you.

Did the pseudo-science tag ever apply to hypotheses such as "The Earth is round", "The Earth orbits the Sun", and "Pluto is not a planet"?
And "The Comodo Dragon has a venomous bite"?
And "Dark Matter"? And what about "Eleven Dimensions"?
Inquiring minds want to know.


Texas is so wild even the laws of gravity were broke probably more than once.

There is Helium, underground in the panhandle. Underground, deep underground.

It don't get wilder than no gravity. And that is on a rock 16k miles in diameter.

woerm, exits smirking.

Do we have unobtainium now?

Helium, under ground, is a biproduct of radioactive decay of Uranium. It is in short supply (and as He3, the stuff of fusion, even more so). Mostly used in deep sea diving as a replacement for nitrogen, to prevent the bends, and of course in balloons and funny movies to make people's voices weird.

But of course weirdness is part of the discussion, so we are back to square one.

Improbability factor: 2,024,561,414 to one, against.

Which is exactly right for the HOG to make it to Milliway's just in time for dinner.


I may be crazy, but at about 1:59, it appears the clouds follow the boundary of the slick. Perhaps that could be expected, with the differing sea surface temperature. Or it could be those weather cables the government installed to fend off hurricanes.

Or it could be those weather cables the government installed to fend off create hurricanes.


BP Engineer Called for More Questioning Before Disaster Panel

Sept. 23 (Bloomberg) -- BP Plc engineer John Guide, leader of the team that oversaw drilling of the well that caused the largest offshore oil spill in U.S. history, has been summoned to testify for a second time before a federal investigative panel.

Guide is scheduled to testify Oct. 7 to the U.S. Coast Guard-Interior Department board investigating the Gulf of Mexico drilling-rig blast that killed 11 workers and triggered the spill, according to a witness list reviewed by Bloomberg. The list was distributed today to representatives of companies and individuals designated as potential targets of the probe.

The Bloomberg article contains the following:


BP vice presidents Patrick O’Bryan and David Sims told the eight-person panel on Aug. 26 that Guide held ultimate authority for decisions regarding the structure and drilling of the Macondo well.

“If that is true, that is a huge responsibility for one position and on one man,” panel Co-Chairman Hung Nguyen said on Aug. 27.


It is a bit ironic that Nguyen makes that comment. He has strongly suggested that the BP decision making was too diffuse, with nobody clearly responsible. Given Nguyen's military background it is understandable that he would support the "Captain of the ship" model, but it is not clear why he would sound so negative about Guide's role.

What really bothers me about the statement by David Sims is that unless I missed someone. David Simms is the only licensed engineer of the bunch. Petroleum PE in Texas. As such he alone should have had ultimate responsibility. He should not have allowed civil engineering work to be done except under the direct supervision and control of a LA licensed civil engineer. (See other posts on this tread about the feds laws and PEs). John Guide was not licensed and according to Louisana law that was cited by federal law as applying, he was not eligible to take on this responsibility. David Sims as a licensed engineer should know this. I once had a corporate attorney for a firm I worked for tell me that this was negligence just because the contractor was not complying with the law when we ran into this issue with a company that really screwed up a project. I cannot say how but I can say I know that this was an issue raised with BP management as far back as 2007.

I think you may be overreaching a bit. I do not know anything about the laws of LA specifically, but in general full-time employees of a corporation are not required to be licensed as engineers as long as their engineering work is not being provided by the company to the public. Engineering work for use internally by the company for the company's own needs, even to create a product that will be sold to the public, is not generally required to be performed by licensed engineers.

If BP was selling well designs to other companies then that engineering would be covered by license requirements. If BP is designing wells for their own company use then in general the engineering would not be covered by license requirements.

There are lots of complications, including state-to-state variations and specific requirement in specific situations. IANAL. Nonetheless, in my observation the vast majority of corporate engineers are not licensed.

Saltwater, think you are wrong. A structural engineer working for company XYZ on a building designing the structural steel, WILL BE REQUIRED TO BE A LICENSED STRUCTURAL ENGINEER OR ARCHITECT WITH A PE LICENSE IN THE FIELD. So here a Company is supplying a design for steel that they will use in their new fang dangle skyscraper for their own use etc etc but that structural design will be required to be signed off and stamped by a registered engineer. The skyscraper affects public safety there for the license requirement.

In the case of the well it seems clear to me that the well affects public safety same as the skyscraper and therefore must be designed or approved and stamped by a licensed engineer with authority for that type of design, i.e. and licensed electrical engineer approved to sign off on transmission lines cannot sign-off on a well design.

In the case of 252 I believe that the well resides in federal waters therefore federal law would apply.

There is no question about the requirements for designing a building. The building will be used by the public, and in addition the building code specifically requires licensed engineers to be responsible for the design.

I don't think an oil well is generally categorized as a building. It matters little what seems clear to you. What matters is what the law says. Is there any specific law that requires a PE license for oil well design?

Well Saltwater, Careful reading still required. What I said was an oil well is just another type of construction and affects public safety and that performance style regulations can be written for their design and construction. A building may not be used by the "public" e.g. a residence, but we still have the performance requirements. A building designed and constructed with standard components can be built without the stamp of a licensed engineer and only needs the approval of the code enforcement agency. Even a privately owned residence is a matter of public safety, e.g. if it is a fire hazard then it could affect all the structures around it.

Oil wells are also a matter of public safety, as has and is still being demonstrated by the impact of the 252 well. And you are correct it does "appear" that a licensed engineer may not currently be required to sign-off on the well design, etc. I think what DE and I are saying is the law should be strengthened to require "Licensed engineers" to be in charge of and "sign-off" on well designs along with licensing the field people doing the actual construction with a clear line of command.

Louisiana is the exception to the "industrial exception".

"37:701. Public and private work; application of provisions

C. This Chapter shall not apply to, affect, interfere with, or in any way regulate employees of firms engaged in industrial operations, including but not limited to producing, processing, manufacturing, transmitting, distributing, or transporting, when performing services within the state of Louisiana in the course and scope of the business
of said firms or affiliates thereof. In the event any of the activities set forth in this Subsection shall fall within the definition of practice of engineering as defined in R.S. 37:682, such activities shall be under the responsible charge of a professional engineer. However, this Subsection shall not apply to persons practicing civil engineering or land surveying, who must at all times comply with the provisions of this Chapter."

Bottom line everyone performing engineering has to do the work under the supervision of a licensed engineer. In the case of civil engineering all engineering has to be performed by a licensed engineer. No exception.

It is the law of the adjoining state and the federal law adopts it.
Just not being enforced.

I am a licensed PE in Louisiana and had to get a LA civil PE to review calculations for a lifting plan for a series of 20 ton lifts at a manufacturing yard in LA. I could not due to this restriction. Many don't know about it. Many ignore it. Just like the speed limit on the highway, just because it may not be enforced doesn't mean it is not the law.

According to NCEES, oil well design falls under the category of Petroleum Engineering, not Civil Engineering. Therefore your exception to the exception would not apply. Of course NCEES does not make law, but most state laws are pretty closely aligned with the national standards.

I find it hard to believe that the laws regarding engineering are not being enforced in Louisiana. In Florida the PE laws serve as a great substitute for labor unions. Any PE who hears of unlicensed work reports it to the state officials who pursue the violation with vigor.

Why is it that when Engineers ask for the law to be enforced those that do not want to follow the regulations think that they are acting like a labor union? The labor unions may have a point if it means they want someone qualified to do the job rather than having someone who just thinks they are qualified. Remember those that don't know don't know what they don't know. I have experienced this personnally almost to making me a casualty of a DWH type conflagration. Only because of decisions I made prior to the event did I protect myself and others from that calamity. Their is no substitute for requiring a combination of testing, education, experience and references that one is qualified to make decisions related to the field of engineering for which one is getting licensed.

As for the Louisiana law. If you eyes do not glaze over so you cannot read the following.

"In the event any of the activities set forth in this Subsection shall fall within the definition of practice of engineering as defined in R.S. 37:682, such activities shall be under the responsible charge of a professional engineer."

To call one's self a "professional engineer" they must be licensed. All the activities associated with well design are a part of the definition of practice of engineering, in particular most of the functions that you attribute to petroleum engineering. However cement designs have been typically attributed to civil engineering. But in your defense there are many schools that have Petroleum Engineering departments in their College of Civil Engineering. So it may be considered a subset of civil engineering and in my defense is thus covered by the Louisiana statute. Most of these statutes do read that they are to be liberally interpreted in order to protect the public.

What most corporations don't like is for their employee's to have a higher duty than to their senior management or to their stockholder's desire to make a profit. Sometimes the PE laws create a direct conflict with this desire when management acts in a manner directly counter to the health, safety and welfare of the public. The "public" includes the employees of that corporation as well. Some managers believe their employees are nothing more than chattel to be treated as they wish. Not many but some. That is why the laws are needed and the must be enforced. Management must learn to delegate certain decisions to those knowledgeable when it comes to the technical matters that they do not have the technical education or experience to understand the full risk or experience to know that it can have such an affect on the public. If left to their own devices they will rationalize that an entry level engineer or a high school graduate with on the job training is sufficient. One has only to look at the DWH incident for proof. Transocean Subsea Engineers were only HS graduates with on OTJ training. Unless I heard the testimony wrong the "engineer" that was being allowed to "run" the cement job appears to have been a "trainee" by BP. A "future" well team leader that had a business degree.....and some on the job onshore experience... enough said....

Something I think a lot of people outside of engineering don't get, is that there is a core "engineeringness" to all of the professions, and that is very much about it being a profession. Professionals have ethics, and a wider responsibility. The reasons for this are, like the other professions, something that has evolved over a long time, and has been moulded by experience. Usually bad experience. The usual example of the beginning of professional engineering has been steam boilers. But as technology has advanced, every area of engineering practice has reached the point where the art is applied to projects where the lives of people and society at large is at risk.

We expect professional ethics from doctors and lawyers, and these professions vigorosly defend their rights to adhere to them. Because most people rarely engage with engineers in a professional role, they tend not to think about this so much. But the safety of almost everything they use in daily life is based in these ethics. The legal framework that surrounds a professional engineer is more about the ethical application of skills than the skills themselves. Ethically, if you don't have the requisite skills, you cannot and must not do the work.

Something we used to teach in engineering ethics, was Kallman & Grillo's five point test.

The mom test: would you tell your mother?
The TV test: would you tell your story on national TV?
The smell test: does it smell bad?
The other person’s shoes test: would you like it if done to you?
The market test: would your action make a good sale pitch?

The test applies to both engineers and managers.

+10 DE. This was what I was talking about elsewhere in the thread. In a deal like this such as design or decision making on a rig, IT MUST BOIL DOWN to those truly licensed to make the decision.
In the present situation it appears what we are talking about is the corporate structure decision makers not the external licensed decision makers. Most people outside of the "licensed" professions do not understand the concept, and so they rely on the business or corporate power structure.

Re Stuxnet , from the website ControlGlobal , posted 08/03/2010:

" Per Goetz Liedtke on the SCADAlisterve, “Siemens is the market leader in oil drilling control systems. The Deepwater Horizon drilling rig had both Siemens and GE Fanuc equipment, but I believe the latter was in the Blow Out Preventer (yes, off-shore oil drilling rigs use PLCs or controllers in the underwater equipment - even 5000 feet down).”

Both Siemens PLCs and GE Fanuc PLCs have known control system cyber vulnerabilities. I googled Siemens PLC and oil drilling to get the following:

Control system structure
Controller with a redundant backup feature, consists of two SIMATIC CPU 315-2DP module composition; use ET200M will be on-site input and output points connected to the controller via Profibus bus, and through Profibus bus with five sets ABB Inverter communication; Manager's Office with SIMATIC WINCC software via S7 protocol and controller communications; and an external controller through the MPI I SIMATIC TC35T in order to achieve remote maintenance.

Does this look familiar from the Stuxnet worm?

We now have a devastating control system cyber incident (I do not believe was intentional) combined with the latest worm targeting this specific controller. Additionally, the control system protocols have no security and the control systems have remote access for maintenance. The Deepwater Horizon is not the only drilling rig with this configuration. This should make for a lively discussion in September. "



I wonder how long we'll have to wait for the results of the autopsy ? Too bad we don't get a play-by-play .

Thanks for posting this. More re: Stuxnet here.

Wired has a really good summary this morning.

Wired has a really good summary this morning.

That piece has been superbly written to be accessible to the layperson without dumbing the story down so far that it's nearly meaningless.

I like Wired too, most of the time, when I don't need to sift thru my thesaurus for every other word (what I like about TOD).

But as one commenter correctly pointed out, Osiraq is/was in IraQ, not IraN.
I could pass this off as just a typo, and Israel is suspect BUT, why didn't they also mention, not only did IraN bomb it, so did the U.S.?


And does no one suspect the oil rich Saudis? It isn't like they've never used there wealth to stymie alternative forms of energy - though I'm not aware they've directly bombed a nuclear facility or solar array... oops, am I CT'ing? Oh that's right. I'm on topic! never mind

The Homeland Security/counter-terrorism blogs I follow are speculating that the worm was targeted at Iran's nuclear reactor. This is based on the fact that it was written to target (and destroy) specific equipment that is known to be in that plant. (Of course the fact that the plant had some sort of technical failure that has effectively shut it down for the last couple of weeks is another reason for this speculation.)

BTW - people who have examined the worm have described this as a software version of a smart bomb. It was designed to kill one specific thing - and then only if a specific set of circumstances happened. In addition - the consensus of opinion seems to be that this worm was made by professionals in either an intelligence agency or one of the software companies.

It definitely seems to be able to exploit vulnerabilities in any SCADA system with Windows OS, which really puts many key infrastructures at risk. I'm following this one in the back pages.


I saw it crawling out of a crack in the well head... and it looked like it had a face, with eyes, and HAIR!

The utility geek's Corexit.

I think that Corexit caused the mutation of the Creeper virus into Stuxnet!!

Is nothing safe??


Latest Twit:

The Gulf was considered a DEAD ZONE, they added COREXIT (Fertilizer) for ALGAE Production of BIO

It rained here yesterday and I saw BUBBLES in the puddles.

He might be on to something. All he needs now is Farrakhan and his #19.

BeePeeOilDisaster's Theory
1 x 8 + 1 = 9
12 x 8 + 2 = 98
123 x 8 + 3 = 987
1234 x 8 + 4 = 9876
12345 x 8 + 5 = 98765
123456 x 8 + 6 = 987654
1234567 x 8 + 7 = 9876543
12345678 x 8 + 8 = 98765432
123456789 x 8 + 9 = 987654321

See http://en.wikipedia.org/wiki/Pi_(film)

Trailer: http://www.youtube.com/watch?v=oQ1sZSCz47w

Full movie: http://www.youtube.com/verify_age?next_url=http%3A//www.youtube.com/watc...

Good flick.

Oh, fabulous. I'd been wanting to see this; didn't know it was available on the Web. Thanks!

Hard to find now but Netflix has it on DVD (but not streaming).

Computers are only vulnerable to malevolent software if they are connected to a network or have software loaded to it. Surely the reactor control computer is not also used to browse the web.

Surely the reactor control computer is not also used to browse the web.

I certainly hope you're correct on this. But far too many process control systems are set up now for convenient remote monitoring & often intervention, which typically is cheapest/easiest by using the internet...

It's written to flash drives.

Nothing that a keyboard, mouse and screen extension cable and a hardened case cannot fix.

@ David.C

I certainly hope you're correct on this. But far too many process control systems are set up now for convenient remote monitoring & often intervention, which typically is cheapest/easiest by using the internet...


That takes stupid to a whole new scale.

I was on-site at a client's office yesterday who is a fairly significant law firm and one of the bigger firms in their area of practice in a major urban city. The remote log-in to their servers still has the default username "administrator" and their password is "pa$$word".

I seriously pissed off their IT manager by insisting he change it on the spot. I then advised the senior partner of the firm to fire the guy if he changed it back when I left.

It's well-known "id-ten-T" problem ("id10t" ;-)

On my down days, I wonder if this isn't the rule than the exception.

hmm. But I thought it was so simple no one would ever guess, and I was so sure the dollar signs would make it impossible to crack.

related. noticed a linked article within snakehead's Wired link above...
SCADA System’s Hard-Coded Password Circulated Online for Years

Thank you for bringing a very serious issue to the attention of that law firm.

If it helps, you may want to send him an email with the following:

Walmart hacked due to network Administrator account.

One excerpt from article says,
"Investigators found that the tool had been installed remotely by someone using a generic network administrator account."

Yep, looking more and more like "the rule than the exception."

USB thumb drive is the current suspect.

One of the more interesting speculations and disections: http://www.langner.com/en/index.htm

Ralph's analysis

Now that everybody is getting the picture let's try to make sense out of the findings. What do they tell us about the attack, the attackers, and the target?

1. This is sabotage. What we see is the manipulation of one specific process. The manipulations are hidden from the operators and maintenance engineers (we have the intercepts identified).

2. The attack involves heavy insider knowledge.

3. The attack combines an awful lot of skills -- just think about the multiple 0day vulnerabilities, the stolen certificates etc. This was assembled by a highly qualified team of experts, involving some with specific control system expertise. This is not some hacker sitting in the basement of his parents house. To me, it seems that the resources needed to stage this attack point to a nation state.

4. The target must be of extremely high value to the attacker.

5. The forensics that we are getting will ultimately point clearly to the attacked process -- and to the attackers. The attackers must know this. My conclusion is, they don't care. They don't fear going to jail.

6. Getting the forensics done is only a matter of time. Stuxnet is going to be the best studied piece of malware in history. We will even be able to do process forensics in the lab. Again, the attacker must know this. Therefore, the whole attack only makes sense within a very limited timeframe. After Stuxnet is analzyed, the attack won't work any more. It's a one-shot weapon. So we can conclude that the planned time of attack isn't somewhen next year. I must assume that the attack did already take place. I am also assuming that it was successful. So let's check where something blew up recently.

Another good analysis on Stuxnet http://www.digitalbond.com/index.php/2010/09/20/stuxnet-big-picture/


Stuxnet – Big Picture:

1. ICS-CERT Failed The Biggest Test Yet
2. Siemens: Hiding Info or Didn’t Know
3. Langner Communications and Symantec Were Stars
4. Nation State and Other Sophisticated Threat Actors Will Grow
5. Is Your System Already Compromised
6. Is Stuxnet All of the Attack? Or is it APT?

Chilling, but a must read.

Is Your System Already Compromised

obviously has serious implications for control systems using SCADA but not for general use PCs. MSE and presumably other AV programs have already incorporated detection algos. Also, Microsoft patches new Windows bug exploited by Stuxnet.

Yea, Stuxnet was a surgical strike apparently with PLC code targeting a specific system and configuration; general-use PCs were just the vector to deliver the attack. While, Stuxnet itself can be dealt with tactically, it is the style of the attack that is an eye-opener.

Also from Langner:

What this shows is that the 0day exploits were only of temporary use during the infiltration stage. Quite a luxury for such sophisticated exploits! After the weapon was in place, the main attack is executed on the controllers. At that point, where the rogue ladder logic is executed, it's all solid, reliable engineering -- attack engineering.

While not the target of this surgical strike, it is the overall vulnerability to this style of attack and the possbility of son-of-Stuxnet (and Stuxnet-inspired attack) that my SCADA clients (power generation and transmission) are looking at pretty seriously this month.

Falkenrath on Stuxnet on Bloomberg http://www.bloomberg.com/video/63225920/

Plus Christain Science Monitor "Stuxnet worm mystery: What's the cyber weapon after?": http://www.csmonitor.com/USA/2010/0924/Stuxnet-worm-mystery-What-s-the-c...

Wow ... might not have been Bushehr but Natanz, Iran's nuclear centrifuge facility (but just well-informed speculation so far). Note the part of the story about the news picture from inside the Bushehr plant last year that may red flagged that the nuclear plant was vulnerable to a cyberattack.

Falkenrath speculates on Isreal as the source; or, at least more likely than the US. Why send planes to bomb Natanz when you might do more damage completely without risk and not hard-and-fast way to prove just who did it.

Edit: please note that this is all just wild-ass guessing at this point and the Iranians aren't talking, yet.

Many years ago, AutoCad accidentally distributed an installation floppy that was compromised and infected computer during install.

It is very difficult to keep a Windows computer up to date with software registration, the latest software updates, patches and service packs without network and internet access. Also, computers not on internet can be infected from other computers on network thru email or network socket or port infiltration.

Yes, but what if you never updated? I have a friend that draws houses fine on a 15 year old version of Autocad that he refuses to update. His quote, "This is just a pencil and paper for me, why do I need a new pencil if this one works fine. If it breaks, I will deal with it then." I said,"How come you never became an IT manager, you would have been a legend." Of course, I know the issues that legacyware can cause, but he is one man on an unconnected PC. He also has a new PC he uses for everything else and he calls me weekly with problems on it.

Microsoft has products and prescriptive architectures to build update points behind the firewall or for use in non-Internet-connected LANs for just this purpose. However, many enterprises won't use well-known best practices and simply take the easy approach by opening holes in their firewalls so their users can get to Windows Update service via the Internet. Quick, yes; easy, yes; secure, no.

Even on stand-alone non-connected computers, any mounted media (disk, USB drive, thumb drive) can carry an threat/attack. A non-patched system just makes it easier and is more vunerable to a wider range of attacks.

My friend restricts physical access and he never patches. Why should he? Do you write code? Even with old source code, you often have to rewrite programs from scratch. Why? Because the compiler for the code that was written no longer exists and there is no such thing as completely 'portable' code. Even if you could get the old compilers, they often have issues with new operating systems. No sometimes it is recommended to run a machine until death then start over with new hardware and SOFTWARE including applications. If I patched my buddy's machine now, it would probably stop working.

Your buddy leaves me without words. LOL...

Anyway, I have real examples of what you say. I just started reviewing plans to upgrade Visual Studio 2008 to Visual Studio 2010. My review of another developer's initial analysis found a show-stopper to the upgrade. VS08 includes Crystal Reports IDE and plugins for creating .rpt files. VS10 does not include Crystal Reports. Further research found the company Business Objects that wrote VS08 Crystal Reports has been sold to SAP. VS10 has been out awhile now and SAP has a download for a "beta" version of Crystal Reports. That kind of version might be ok for home use, but it's not ok for a large corporation. Even though SAP is saying they will have production version available in November, I'm wondering if I should see writing on the wall and port reports to another IDE.

Another good example is Microsoft Vista. The company I work for never approved its use and I have never used it.

Another good example is Microsoft Vista. The company I work for never approved its use and I have never used it.

You beddah off, Brit. My Vista machine is out of service... good that I back up frequently.

I think I will scrub it and install Linux!


Bummer to hear about your problems with Vista. Don't get distressed about one product from Microsoft doomed for the dust bin of PC history. This happened to IBM's "peanut" computer and the Apple Lisa.

I used Redhat Linux years ago. There was a problem with hardware support and that included monitors. My hardware requirements are quite eccentric but I can't speak for yours. Try to verify whatever hardware you need will work with Linux before jumping down that path.

There may be others here who want to chime in with recent experiences with Linux. I would be curious to hear comments.

There may be others here who want to chime in with recent experiences with Linux. I would be curious to hear comments.

This is deeply off-topic for TOD but what the heck.

My first brush with Linux was Yggdrasil LGX in 1993. Currently I use RedHat and CentOS Linux for servers but I don't use Linux for the desktop. A lot of gadgets run Linux, My home NAS (Synology) runs Linux. My brick-sized small-office E-mail server is Linux, if you look deep enough, and is very good despite it's wacky name (Excito Bubba|2). My Windows 7 netbook has an instant-start web-browser/photos/music mode which is Linux. In all these cases Linux is pretty much completely hidden behind a pretty user-interface.

If you have old programs that won't work under new versions of Microsoft Windows, one way to prolong their use is to download a Virtual Machine program like VMware Workstation and install the old operating system as a guest operating system running inside your new operating system. Later versions of Windows and Linux often include VM but VMware give away free versions of their VMware Workstation and VMware server products. I've used the latter to run old versions of operating systems under modern Linux. This turned out to be surprisingly easy. the host operating system, Linux in my case, handles the latest hardware for which the old guest operating system has no drivers, VM software effectively makes new devices look like old ones through device emulation - this mainly applies to disks, monitors and network cards but not much else.

For desktop use I'd try Ubuntu Linux. You can temporarily run it from a "live" CD, without installing over your Windows hard disk. That lets you find out whether it can work with all your weird monitors and other peripherals.

Apologies to those who came to TOD to read about oil issues :-)

Posted from my laptop using Fedora 12.
Perhaps it does have a relevance as Windows is not suitable for critical systems and there are reports of 3 PCs on the DWH that liked to show the BSOD. Perhaps Transocean should look at using some form of Unix/Linux in such situations. If the specialist applications do not exist for the *nix platform then maybe there is negligence on the part of those companies in basing their apps on an unreliable operating system.


Note that the driller-chair computers having the BSOD issues were based on Windows NT, an operating system that was removed from sale in the mid 1990s; also, support for NT ended in 2004. The TO negligence, IMO, was operating critical system on an obsolete at-least-15-year-old un-supported OS. BTW, situations like this are usually the fault of the application software vendor who opts to NOT upgrade their software for newer operating systems.

TO might indeed have to s'plain’n to do about this aspect of their operations.

See the discussion at http://www.theoildrum.com/node/6773#comment-686941

However, I have a different take on the reliability issue in critical systems as you based on my own personal experience and 20 years of my own operational statistics. I find Windows just as good as anything and better than many in critical applications. I operate a large-scale international network using thousands of servers using Windows, Linux and Sun Unix in a strict five-9s life-line environment (covered by an SLA) with a heavy security regimine. More or less, the distribution of the number of OSs on servers is about equal. For our workstaions, about 80% our workstations are Windows, 3% Apple Mac and the balance various favors of Sun Unix and Linux.

Like all critical systems, everything is under real-time monitoring and management and we track performance and trouble tickets closely. I find Windows just as reliable as any OS in critical applications when all OSs are operated using well-know best practices and architectures.

BTW, the current trend is that the more modern versions of the MSFT OSs are becoming more hardened. My 64-bit systems are currently beating everything else in the network by clear margins (both servers and particularly the workstations). Becuase of that, all Win servers are 64-bit now and we'll remove the last of the WinXP in our workstations in Q4.

As the dominate OS in the marketplace, malware naturally targets Windows OSs most often. IMO, to their credit, MSFT is very responsive making fixes for exploits and malware. Based on my own tracking, at any given time MSFT OSs have only a small fraction of the unpatched issues when compared to the rest of the industry. Some of the biggest names in the industry have 10x the number of unpatched vulnerabilities when compared with MSFT.

I really don't want to start a religious war about OSs, but any OS can be exploited or can become unreliable unless operated according to its best practices; none are perfect and there are weaknesses in all of them.

My experiences as a software developer pretty much mirror what you are saying.

However I think that there is another aspect to this that is important - Linux/Unix has supported 64 bit memory models far longer than MS, and translating this to a server deployment means fewer Linux servers were needed for the same workload at least up until the time MS started offering good 64 bit systems. This translates to overall improved installation reliability even if the per instance reliability is equal.

There is a point about the BSOD issues on the rig that hasn't really been explored. The complaint was "an increasing number of BSOD incidents." The later commentary was more directed at issues of failing hardware, not software.

There is nothing whatsoever wrong about operating a system with 15 year old software. Indeed when you go to ultra reliable systems (i.e. phone exchanges) this is exactly what they do. If the software was working reliably 10 years ago, it will operate exactly as reliably now. So long as nothing else on the systems changes. We simply don't know what the software was, what it was interacting with, what it was connected to, nor what the maintenance regime was. It is extremely unlikely that this system was unique to DWH. One would imagine that every rig in the world operating the same system uses the same software and OS.

If the software was operating unchanged in a standalone system, the only possible reasons for increasing reliability problems are hardware related.

The biggest problem they will face is the lack of availability of new hardware that will run a legacy OS.

The legacy problem can be alleviated by running in a virtual environment. The hardware issue is very real. Many of the BSOD issues I have seen have been fixed by changing the Mother Board or RAM. However many of those problems were due to the abuse of system memory by the OS.


In BSOD failures, software and hardware issues are very typically linked and the increasing pattern is also very typical.

In telco CO applications, we run closed proprietary systems where the same manufacturer supplies all of the software that is matched, tested and even certified to the hardware they also supply. Older software is still supported and doesn't have the same end-of-life support problems. In such closed proprietary systems, age doesn't matter as much because a single manufacturer supplies a turnkey system of both hardware and software. BTW, don't assume that just because these COs are old that the software isn't maintained. We get regular updates for all of them along with in-depth technical support. If a card fails on an old system, I can get a certified replacement from the manufacturer within hours.

Of course, the price we pay Nortel for a DMS-100/200, it had better have a very long service life; one measured in decades.

However, with low-cost general-purpose PCs, end-of-life issues are far more critical because third-party open-platform peripheral suppliers stop supplying drivers that are tested and certified for OSs that are this far past their end-of-life.

In my experience, one of the main sources of BSOD in older Windows systems is poorly written/supported display-adapter drivers (not unheard of in new systems either - poor drivers are a major source of instability). Display adapters have a finite life. When you have to replace a failing/failed one, quality drivers simply aren't there for EOL OSs. If you're lucky enough to even find one, there is no guarantee that the driver is a 100% replacement. Typically, BSOD incidents start to increase.

Compound this same problem with all of the other peripheral drivers in a general-purpose PC and you don’t end up with much reliability. This is the linkage of hardware/software failures I mentioned above.

I had one NT application that was mission critical but the software developer had gone out of business. Replacement of this system wasn't going to be easy. It ran on 12 nodes in the network on 12 different clusters. To keep it reliably in the system, I bought plenty of spares ahead of time in 1997 to replace failed hardware and peripherals to buy us time to replace the application. Still, I evolved the app totally out of the system before the NT OS went EOL for support. EOL came before I ran out of spares but EOL became of final deadline as a best practice for our reliability standard. We simply won't operate unsupported software in a high-reliability application.

Edit: Indeed, this EOL OS problem could be a standard problem in the fleet and/or not even limited to TO. However, IMO, it is a reliability issue on a system that I understand to be critical to safety.

made by professionals in either an intelligence agency or one of the software companies

Hmmm. DARPA dear, whatchew kiddies been up to?

There are many other places I would look before DARPA; several of them not on these shores.

Richard Clarke's new book "Cyber War" dicusses the computer wars, now and in the future, in a non technical way.

Well, that was my first WAG, but on the basis of

(a) deference to your obviously-superior expertise

(b) my vague memories of harum-scarumness from DARPA as directed by Dick Cheney and his imps

(c) the point made so drolly by NobodySpecial (and quoted by SL a scroll or two below)

I'm entirely willing to concede my not-quite-a-theory.

The Mossad being the most obvious suspect, which others "not on these shores" make your list of possibles, bbf?

Israel would top my personal list-of-one.

The US, Great Briton, Germany, France, China could do it. I think only fear of blow-back would limit the US and EU; the political masters of each state might not lightly take the risk at this point (but might at some point if the only alternative was bombing.) I can't see a motivation for China.

I rule out the Russian Federation since they are principals in building the reactor.

This attack required more than very smart geeks; it also required industrial engineering expertise and some very, very good intelligence and likely some operatives to provide inside knowledge. This means someone with a very good intelligence service that could mount such an op and that narrows the field quite a bit.

Note my other posts about perhaps the reactor facility not being the target.

Israel has the motive, opportunity and capabilitiy; plus, they won't care about the blow back.

It's all speculation and guessing. This attack will never the traced with any degree of certainty.

Slick op, though; you have to give the devil his due. In these cases, somebody will let the cat out of the bag someday, long after the political sensitivity dampens down. Either that or it will become urban ledgend that Israel did it.

Israel makes intuitive sense for obvious reasons. However I'm unconvinced that most initial infections being found in Iran is significant, especially when a disinfo campaign can be reasonably expected.

North Korea hasn't been mentioned as a possible source but they have the capability.

North Korea certainly has an emerging cyber-warfare capability but I'm not sure they could mount the physical intelligence op outside of their sphere. Also, I don't see the North Koreas operating against Iran's interests.

Uh-huh, I'd think Natanz would be a higher priority than Bushehr just because centrifuges are harder to replace than reactors. For all sorts of reasons, I hope the Iranians rid themselves of this regime and, as a by-product, get word out about what happened here (if anything) ASAP. In the name of Neda and her peers, Amen.

Natanz might be better suited to the attack too.

From the CSM article:

Natanz has thousands of identical centrifuges and identical programmable logic controllers (PLCs), tiny computers for each centrifuge that oversee the centrifuge's temperature, control valves, operating speed, and flow of cooling water. Stuxnet's internal design would allow the malware to take over PLCs one after another, in a cookie-cutter fashion.

Iran's nuclear agency trying to stop computer worm

TEHRAN, Iran — Iranian media reports say the country's nuclear agency is trying to combat a complex computer worm that has affected industrial sites in Iran and is capable of taking over power plants.

I might have to correct myself about the speculative possibility of China's role in Stuxnet.

As people are having more time to analyze possible motivations, China's name is popping up in speculation.

BTW, just to re-state, this is still just speculation and guessing.

J.E. Dyer writes in http://hotair.com/greenroom/archives/2010/09/24/stuxnet-observations-on-...

Of the nations that could have pulled this off, however, there is one that might have a reason to target the three most-infected countries in particular, and that’s China. Although this week’s reports have all focused on the design of Stuxnet for industrial sabotage, it was clear in July that its design also suits it for industrial espionage. Some tenuous indications have been alluded to that suggest a Chinese link to the worm, but no concrete proof has been unearthed.

Further, he speculates:

So I am unconvinced right now by the argument that the US or Israel designed this thing to attack Iran’s nuclear program. It would make more sense if China designed it to gather and update information on Siemens controllers, and to serve under limited and specific conditions as an executioner. But if Iran was the main target of such a project, that suggests a whole set of fresh analytical factors in the China-Iran relationship.

And, an interesting twist:

Perhaps the target was not Iran’s nuclear industry but her oil and gas industry (Siemens controllers are widely used in the major components of the oil and gas industry, from pipeline and pumping control to refining).


That spreading network of economic influence – along with Siemens’ deepening connection to Russia’s global oil and gas operations – would be of particular significance to China above all other nations, since Beijing is a competitor for the same effective control of resources. If anything in this whole incident is in character for anyone, it would be China seeking to gather intelligence on, and to be in a position to disable at will, the vital industrial infrastructure of the other cutthroat Asian competitor for global resources.

DARPA's too busy building spy-bots.

Let's hope the US was not involved in this.

See my post up-thread about the Falkenrath video and the CSM story.

That is a very troubling potential security breach. Out of curiousity I went to take a looksy at what Siemens is selling. They have a PCI card called SIMATIC WinAC Slot PLC that plugs in the PC running Windows OS. The back of card has a connector for Profibus cable. The application normally used to access card is not needed and most programmers versed in C development on Windows platform can write software to use card. I just did a quick search for Security features and none were to be found. I could be wrong but I didn't see any way to protect the card from access by rogue software.

Even if the trojan compromised Windows, I don't know how it would identify what the Profibus attaches to although it could get a pretty good idea of the approximate physical location. And files on computer could be parsed for clues.

As a side note, the applications I write are protected with a Verisign certificate and the application and all its files are located in an encrypted folder. And interface to underlying executable code is also protected with certifcates. I doubt if anything is foolproof but it is certainly a step in right direction.

One of the interesting things about the sophistication of Stuxnet is that it appears to have been signed code.


One of the more interesting speculations and disections: http://www.langner.com/en/index.htm

Yes, it's interesting the trojan would sign its code with a certificate from a code signing authority given to Realtek. I found another website that showed the Realtek cert was created by VeriSign. A password is needed to use certificate so I'd be curious how that was obtained.

That makes me worry about the enterprise certificate I use because what can happen to Realtek can happen anywhere. Just yesterday, I had a software development manager ask me why we needed code signing certificates. Managers don't want to spend the time upgrading certificates from 1024 to 2048 bits as required by enterprise.

Breaking a passphrase on a cert is relativity easy todo, some kinda combination of a dictionary attack and/or brute force will work. Still need plenty of CPU time if its a long passphrase, but a small server farm will make quick work of that.

Can you back up what you are saying with a link to anyone who has accomplished what you are hypothesizing?

Please don't take me the wrong way. I am all ears to changing my certificate and password, say every three months, if warranted.

http://blogs.techrepublic.com.com/security/?p=342 explains the basic problems with passwords/passphases with todays CPU/GPU's.

A dual-core CPU can crack an 8 character password/passphrase in 61 days, a GPU in 3 days.

An NSA server farm isnt going to have much trouble with a passphrase on a cert, unless they used a very LONG passphrase.

Thanks. The article is very interesting.
One point of article is to use a strong password but even that is no guarantee. The point is a very fast computing device will try possible passwords until it gets a hit. If the actual password is at top of list it will get found within reasonable time period. If at bottom of list, it may not succeed. Strong passwords have a practical problem that isn't discussed. They usually can't be memorized so they are stored in documentation files somewhere on computer.

I didn't know the Nvidia GeForce 8 graphics card could be programmed with custom functions to do specialized processing such as verify a password. Also, today's computers are faster than the dual-core CPU mentioned in article. Dual 6-core CPU motherboards are reasonably priced.

Certificate password can be up to 128 characters long. It sounds like I need to start using a very long and strong password and store it on a different computer in an encrypted folder. Also, password should be changed as often as possible.

Oh, I found out something interesting about the Siemens PLC use of passwords. The master controller has a default password it uses to communicate with other controllers on bus. Although available, most installers just leave it set with factory default. Now that StuxNet is in news, installers naturally want to change that password. In the meantime, Siemens sent out an advisory stating do not change the default password in a running system. Evidently, they may have a problem with changing the password without disrupting controller communications if it is done at anytime other than initial install.

Brit: It sounds like I need to start using a very long and strong password and store it on a different computer in an encrypted folder

Or on a secure flash drive?

Flash drives are banned by corporate policy where I work. Even though a waiver can be obtained, my management would never approve a waiver.

This brings up a challenging issue for me. For the certificate to be stolen would mean the computer with certificate is compromised. If the only thing the malware can do is copy the file elsewhere to have its password broken, the storage of password is a moot issue. On the other hand, if the malware could intercept keypresses or clipboard changes, I'm not so sure if any solution is possible.

Managers don't want to spend the time upgrading

So sad, brit. I too see it every day.

I have always maintained that this attitude is where most computer/network/physical security breaches begin. Often, it's nothing more than laziness in many organizations.

We’ve talked about “failure of imagination” here in relation to DWH. Most security breaches are the poster child of this type of failure. The “it-can’t-happen-here” attitude is a sure sign that it will ceratainly happen.

Truly secure operations are possible (and not all that difficult, expensive or disruptive) but it does require the effort. Many (most??) managers don't understand security and few Boards of Directors are wise enough to make IT (and IT security) a strategic-level focus.

Even those organizations that do would probably still fall to a nation-state attack unless really on their toes.

Hopefully, this very sophisticated attack will cause people to realize that other attacks on process-control infrastructure of this nature are indeed possible. Understanding that attacks are possible is the first necessary step to prevention.

The company I work at probably has better security than most. All management talks the talk of tight security. I get a little emotional when I need to explain to management what the company policy is and why it is a good policy. All laptops/desktops are seeded from a single installation DVD that is updated quarterly and computer is replaced every 3 years. All primary business applications, OS related updates and most specialized applications are in Tivoli software distribution. For example, if someone needs dot net frameworks 3.5, I just spend a few minutes at the distribution website and within the hour they have it. Also, there is an enterprise architecture group that posts a website that shows roadmap and status of all reviewed applications as emerging, core, declining, not permitted or special purpose. Any apps not listed must be requested before they can be purchased.

I chuckled at some of the comments above about flash drives. Our computers have a Mcafee security application that prevents use of flash drives. A waiver approval is required if one needs this ability and these users are closely monitored. I know one employee with waiver approval who accidentally copied a file to flash drive that auditing group found offensive and the employee was immediately fired against the wishes of his manager.

Like you, I clearly see Stuxnet as a security breach that can happen in a different form in any company. I emailed information about this virus to a few managers I work with and also found the Zeus worm is suspected of stealing the private certificate. The certificate issue is a direct impact so I have more political leverage with it.

I'm not too worried about Stuxnet itself because Siemens is well aware of the problem and I'd expect has either fixed it or is in process of fixing it. Symantec's website has a great article about the details of Stuxnet.

There is a good discussion on Bruce Schneier's blog.


There is a good discussion on Bruce Schneier's blog.

Sounds like commenter Werner has been reading TOD:

You don't need a precision attack to cause mayhem. Very often, adding uncertainty to the existing procedures and weakening the safety measures leads to disaster before too long.

We know this from how real accidents happen. If people regularly ignore alarms or unusual readings because they're all false anyway, they won't catch the one warning of imminent disaster either. If people have to deviate from standard procedures and improvise all the time because of unreliable equipment, they make a lot more mistakes and the communication burden increases, encouraging even more mistakes.

Commenter NobodySpecial had a good line:

Can anyone think of another area of software development where you would say "my god this a work of breathtaking ingenuity and fiendish cunning - it could only have been written by a civil servant" !!

Here are summaries of the Stuxnet analysis so far:




Primary work from Symantec

Exploring Stuxnet’s PLC Infection Process

Stuxnet Introduces the First Known Rootkit for Industrial Control Systems

Stuxnet Before the .lnk File Vulnerability

Stux to be You

Primary work from Ralph Langner:

Stuxnet is a directed attack -- 'hack of the century'

General Reflections:

Stuxnet: Observations on a Worm

The facts about Stuxnet, the damage it is causing and how you could be affected

Blockbuster Worm Aimed for Infrastructure, But No Proof Iran Nukes Were Target

Security Experts: Possible Israeli Cyber Attack Sabotaged Iran’s Bushehr Reactor

German Cyber-Security Expert: Stuxnet’s Target, Natanz Reactor

Is Stuxnet the 'best' malware ever?

ACS Conference Day 2 June 21, 2010 - Stuxnet presentations and discussions

Stuxnet – Big Picture

This seems 1)lame and 2)dangerous. Wikileaks,

We are looking for a copy of Stuxnet for analysis. Please Direct Message us.

Stuxleak? ;-)

DEBKAfile sources add: Since August, American and UN nuclear watchdog sources have been reporting a slowdown in Iran's enrichment processing due to technical problems which have knocked out a large number of centrifuges and which its nuclear technicians have been unable to repair. It is estimated that at Natanz alone, 3,000 centrifuges have been idled.

Just my personal perception here (based on years of watching): DEBKAfile can be a great source, but I certainly suspect their impartiality because they're so close to Israeli intelligence. I.e., they tell us what Mossad and IDF want us to hear, in the way they want us to hear it.

Often valuable but always suspect.


USG claims it has no knowledge of who made Stuxnet. I found it surprising that Netanyahu and the other Israeli hawks quieted down so quickly when the reactor went online after "assurances" from President Obama.

Uh-huh. Things that make you go Hmm . . .

Twitterdrums: "Will Stuxnet Malware Be Used In False Flag Attack?"

Computerworld: Iran confirms massive Stuxnet infection of industrial systems

Also on Saturday, the Associated Press (AP) news service said that experts from Iran's nuclear energy agency met last Tuesday to plan how to remove Stuxnet from infected PCs. Citing the ISNA news agency, another Tehran-based organization, the AP said no victimized plants or facilities had been named.

Speculation about Stuxnet's likely target has focused on the Bushehr reactor. Saturday, the Web site of Iran's Atomic Energy Organization included a link to a lengthy Mehr story on Stuxnet.

That story noted that government officials said that "serious damage that caused damage and disablement" had been reported to officials.

I missed one link to Symantec on my list above:

Stuxnet P2P component

Looks like we'll get lots more info at VB2010.

VB2010 - the 20th Virus Bulletin International Conference - will take place 29 September to 1 October 2010 at the Westin Bayshore hotel, Vancouver, BC, Canada.


Most of the principal investigators are preparing full papers on Stuxnet for delivery. Two papers are official so far and apparently more will be added.


Last-minute paper: An indepth look into Stuxnet
Presentation during VB2010 by Liam O'Murchu (Symantec). (30 September 2010)

Last-minute paper: Unravelling Stuxnet
Presentation during VB2010 by Jeff Williams (Microsoft), Peter Ferrie (Microsoft), Alexander Gostev (Kasperksy Lab). (30 September 2010)

I also got word from another source that Ralph Langner is also preparing a paper.

Here are summaries of the Stuxnet analysis so far

Sorry if this question was addressed and I missed it...

Why was the worm dubbed "Stuxnet." Does the word have some relevance?

Also, any speculation about the "deadf007" line? Somebody somewhere suggested "Deadfoot" or "Deadfool" ("7" being Leetspeak for "T" and "L").

Searching brought up too many references to mention, but this one seemed especially relevant:

And just for fun:

I haven't seen anything definitive yet although I initially parsed it as "dead+foo+7" just out of habit of using "foo."

"deadfoot" is as good as any I've read.

Also, it may not have a "why."

M Onan,
The deadf007 is not an english word. It is a hexadecimal representation for 32 bits of data (the dw means double word). Valid characters are 0-9, a-f. There are 16 possible values for each character and each represents 4 bits. It is probably an integer and probably negative because the high bit is 1.

I read stuxnet was found in some of the filenames of trojan by labs analyzing it. Whoever created the files knows why it is named that way. Normally, filenames have something to do with application and they can be acronyms for the application. There's no way to know for sure. I once worked with a developer who loved classical music. Anything he named had something to do with old composers or music and nothing about the application or what it was doing.

The deadf007 is not an english word. It is a hexadecimal representation for 32 bits of data

I know it's not a word. It contains two zero's, a seven, and a DEADF, none of which, seperately or together, constitute a word : )

It's code. The question is: For what? I'm not a programmer, but I assume DEADF007 could be an invalid instruction? Then it could be a coded word inserted for the amusement of the hacker, or a magic debug value. Stuxnet is already known to contain some odd little bits, like a string in the rootkit driver that references Myrtle and Guava (and you say it also contains the "word" Stuxnet?)

If it's functional code, then we should know exactly what it does by now, and in which systems, right? Siemens must know. Why all the speculation?

(sorry about all the questions)

It is pretty common in low level code to create 32 bit constants that read as words. A very common habit is to fill uninitialized variables with such values. Probably the favorite such value is deadbeef. It is little more than a bit of geeky humor. The defining point is that it is eight letters long and only hexadecimal numbers. The most likely reason the value is present is that it is a hangover from debugging the code. Choice of the word likely little more than the sense of humor of the individual programmer. About all it does suggest is that the programmer is a native English speaker, and immersed in the culture of such use. That makes an Asian source less likely.

m onan,
Figuring out what stuxnet does won't be an easy task even for Siemens. It would be quicker and easier to figure out how to detect its presence and how to remove it. Code is written with many symbols that are converted into hex codes and only the hex codes are inserted into controller. The websites displaying the assembler are showing just the hex codes. Also, much of the malware code contains encrypted data. Someone will need to decrypt these areas to see what actual code is. This could be a very manual, laborious and time-consuming task.

I'll leave it to others to use deadf007 as a clue to identify the perp and I have no objections to that endeavor. I will only address it's technical purpose. The little I've read say it's used as a trigger to activate the malware. I haven't seen any articles explaining what causes the trigger to be returned. The block of malware code identified as FC1874 that returns the deadf007 may have the answer.

Ends in 007? Must be James Bond surely!

Guardian, Iran nuclear experts race to stop spread of Stuxnet computer worm

Iran believes virus spread from Russian laptops aims to shut down Bushehr nuclear plant

Maybe the Iranians didn't pay the bill.

Maybe the Iranians didn't pay the bill.

hehe, yes that covers one important motive area.
(or maybe, a Russian consultant was annoyed at 'underpayment' ? )

More puzzling, if we dismiss the payment leverage angle, is why ?

Sure Israel has a motive, but this is neither stealth, nor fatal attack.
- Unless it was launched as a marker, and was to seek & identify OTHER possible Nuclear sites ? That could be a worthwhile return on investment ?

Or, what about Iran themselves ? - if they are being closely monitored, and want to beat the drums and loosen that monitoring, what better way than to devise an 'attack' on foreign-sourced control systems ?. Feigning external attack is an age-old political ploy, and they can now deploy their own controllers, thus lowering monitoring ?

CNN, Wolf Blitzer reports that Iran's computers have been infested by "billions of vicious, radioactive, wriggling insects wearing camouflage" that gained access through cracks in the windows

News flash: BeePee sues Wolfy in federal court for stealing his shtick ;-)

Did Wolf say whether they have HAIR???

Wolf didn't mention that there was HAIR before he skipped off onto Brad Pitt and Zahara Marley going shopping together.

Web superbug seeking to access China

A sophisticated malicious computer software, or malware, described by security firms as a "new cyber-weapon," is attempting to infiltrate factory computers in China's pillar industries, threatening the country's national security, cyber experts warned Sunday.

Thanks, Gail for the reprieve, and thanks to Snakehead for asking her. Maybe we can just wing it.

Thanks very much. I learned a lot in the short time I have been here.

Questions for the pro's about the float collar problems:

1) Much higher load required to convert,

2) Lower flow resistance after conversion,

3) Much higher load required to burst (open) bottom plug.

Is it possible the float collar was inadvertently installed upside down? And if so, is it possible it would have failed catastrophically just above the top check valve?

A yes to the second question would mean most of the cement went up in the annulus leaving very little inside the casing at a level pretty much in line with the top of the oil reservoir.


You asked: Is it possible the float collar was inadvertently installed upside down?

In a word, no.

The top of the float collar has a female thread that mates with the male thread at the bottom of the casing joint above it. The bottom of the float collar has a male thread that mates with the female thread at the top of the casing joint below it.

You'd have to work at it to install the float collar upside down.

Not a pro,

Does anyone know why the Sedco 711 North Sea well was being displaced to an underbalanced condition?

To answer my own question...having read the wsj article in full I can now see that it was being prepared for production.

Steve - I didn't get a chance to read the article. So they had actually run producion tubing/packers and perforated the zone? And then they almost lost control? That's sounds rather odd. I'll try to read the whole piece today. It may be obvious to most but for those who missed the point: when you complete a well and put it on production it is the ultimate intentional underbalanced condition: producing. But you typically have well head control valve to handle the flow and not a BOP.

Rock, how's it going with your "patient"?

lotus - you had to ask, didn't you? LOL. Though nowhere near as tragic as the BP accident my simple little workover is truly turning into a nightmare. Though just a little bump in the road for the company it stands as a great example of how having very good procedures and smart boots on the ground won't make a damn bit of difference sometimes. That's the point I was making to Francis yesterday: sometimes you have to adlib almost from the start of an oil patch operation. The tubing I was going to simply pullout of the hole is so badly corroded I can only pull 60' or 80' per day. And it's costing me $24,000/day and I have to recover almost 10,000' of tubing. I might have to plug and abandon the well. It didn't have that much value left. And besides the costs some safety issues came up: the well head was leaking a small amount of NG at its base. Not really dangerous at the moment but it could become serious so that required additional expense to keep the job safe.

Back to my point to Francis: BP could have had the best procedures/safe drilling practices in their pre-drill plan. But once the op starts an operator may find itself subject to a horrible situation due to a quick and faulty judgment by well site management. Sometimes there's an opportunity to check in with the office for a second opinion...sometimes not. And if there isn't time you hope you have a very good hand making that decision.

Criminey, Rocky. Way I figure it, if anyone could salvage this muthah, it'd be you, so if you can't, well -- Big Momma won this one. So I'm left to wish you complete safety and as much success as She'll allow.

lotus - my boots aren't on the ground out there now...way too muddy. Got a good coman out there but sometimes it just doesn't matter. Like the old joke: no...I don't need help holding onto that alligator...I need help letting go.

Hate leaving a million $'s of NG in the ground but it's probably not worth the money/risk to try to fix it. Boss gave me two more days to succeed our cut or losses.

Just another day in paradice.

"Sea Snot" Explosion Caused by Gulf Oil Spill?
Marine "snowstorm" possibly crippled base of Gulf of Mexico food chain.
Christine Dell'Amore
National Geographic News
Published September 23, 2010

The Gulf of Mexico oil spill sparked an explosion of sticky clumps of organic matter that scientists call sea snot, according to ongoing research.

The boom likely precipitated a sea-snot "blizzard" in Gulf (map) waters, researchers say. And as the clumps sank, they may have temporarily wiped out the base of the food chain in the spill region by scouring all small life from the water column.

From the article -

The sea snot explosion, it seems, has come and gone, though its effects may linger. The sea snot blizzard "probably will have a long-term impact," Passow said—though exactly how the blizzard will affect the Gulf is anyone's guess.

More science-free analysis from NatGeo.

Well, I learned one thing from the article, that the (or some of the) mucus is secreted by phytoplankton. Samantha Joye was speculating about a vast amount of mucus secreted by bacteria.

In the video linked below, there is a shot of pale goo on the water surface that looks similar to the material sampled by Smith Stag's chemist on Aug. 9, which he claimed tested positive for Korrekzit.

So there was supposedly a blizzard sometime in May, When did the spillcam go on the open web?

Mucus? Oh my.

The stuff is extracellular polysaccharide.


...but...but...I thought they were radioactive sea-monkeys...there goes that theory out the window..

I was familiar with sea snot & mats, but this :


..is just disturbing. Sea-boogers. Great. I have fed eels at reefs, swam with de barracuda, seen some things underwater that made me nervous, even almost lost my left eye to a Portuguese Man o' War,lol, but that..thing..ech. I can't imagine getting the urge to vomit underwater.

SH~Did you see all the sea-snot pictures from the ROV's in the Adriatic sea going back to 1999. I had never seen or heard of it until recently, but it looks like sea-snot has been an issue for a while now -they are hypothosizing it could be due to warmer water temps, and I know from taking the pool thermometer out every wknd here that we got up to 91 degrees water temp, it's just now down to 84-87 depending on the day.

Bless you, Gail, for fishing us out.

A law-professor friend alerted me to this:

I vividly remember the beginning of an English class in college when the professor (whom we called Dr. Death for reasons I don't recall now) detailed the staying power of the novel Frankenstein -- it had been reprinted X number of times, sold X copies, been translated into X languages, inspired X plays, X movies, X works of art. Then, Dr. Death said "Mary Shelley was 18 years old at the time. What have you done?"

This is how I feel when I think of Mark Zuckerberg, who is 26 and the youngest billionaire in the world. Because of this one fact, his young age, I was surprised to read today that he is giving away $100 million to the Newark public school system. (Zuckerberg did not go to school in NJ.) ... If you remember, another Harvard dropout named Bill Gates was also at one time the youngest billionaire, and received criticism for many years for not being philanthropic enough before creating his foundation.

So, is Zuckerberg just a much nicer person than Bill Gates? Or, could it be, that Zuckerberg is facing a PR problem? In a few days, a movie is going to open called The Social Network, which is going to paint a slightly younger Zuckerberg in a not-quite-flattering light. ... So, is it coincidental that Zuckerberg picks this week to make a super-generous gift to a cause (public education) no one can fault? ...

Next news, BP deals with its PR problem by bailing out California? Naw.

Carrying over, John Guide called to testify again Oct. 7.

From FT,

Brett Cocales, a BP drilling engineer, said in an e-mail on April 16: “Even if the hole is perfectly straight, a straight piece of pipe, even in tension, will not seek the perfect centre of the hole unless it has something to centralise it.’’

“But, who cares, it’s done, end of story,’’ Mr Cocales said. “Will probably be fine, and we’ll get a good cement job.’’

Mr Guide said he was concerned about adding the additional centralisers, and the equipment that went with them, at the last minute: “We are adding 45 pieces that can come off as a last minute addition … Also it will take 10 hours to install them … very concerned about using them.’’

Is it the consensus here that the centralizer issue is tangential to the blowout?

I believe the testimony was that the hole was fairly straight at the bottom and the six centralizer were placed across the formation. The annular gap from the lower part of the formation to the bottom of the production casing is less than 1/2 the minimum spacing recommended by API RP 65-2. The proof is in that there was no failure up the annulus.

Thus for there to be a failure down from the formation and up through the shoe track two things had to happen. The cement had to fail from the formation down through the annulus to the rat hole and then back up through the shoe track and float collar. Proof was the no oil in annulus detected by the relief well and the ROV video of the casing hanger with the 9 7/8" production casing still in place.

I still believe the change in axial loading due to the change from a positive pressure test and then to several attempts at a negative pressure tests are the primary cause. This led to microannulus formation down the outside of the casing. The real question is what caused the float and plug to fail? Did they fail to convert the float and the pressure buildup actually damaged the checks? Maybe a few of those articles on the Halliburton website about failure of floats (particularly ones that are not Halliburton's) may shed some light on this part. Bottom line is that this failure mechanism is a known risk.

The use of 6 centralizers versus the 21 centralizers is a red herring. I would wager a bet it has been thrown out there because it is the only way blame can be shifted to the BP engineers from a faulty cement design.

I can't say who was at fault. I don't know for sure no one does. But follow the evidence and do some calculations. Engineering will give us the best guess as to the root cause and the contributing factors.

just a thought, well, more of a rhetorical question. DE raises the question of a "microannulus formation" which raises the thought. What might be the change in diameter of the casing going from a pressure to contain the reservoir pressure to a substantially lower pressure during the negative test? Would that diameter change be enough to create teh microannulus?

Anything that might have happened regarding casing pressure during the negative test was going to happen anyway immediately following the negative test (when the well was displaced).

The whole point of the negative test was to find out what was going to happen when they lowered the hydrostatic pressure due to displacing to seawater.

The problem isn't that the negative test caused failure. The problem is they didn't do the test rigorously as they were supposed to do. If they had held the pressure low for 30 minutes as the test was designed it would have been obvious to everyone that the well lacked integrity.

Jinn, understood your point before I posted. But my question was about the possibility of enough diameter change during the transition from reservoir pressure to negative pressure enough to create a micro annulus. Simple question. I don't know enough about the casing dimensions, the specific steel nor the pressure differential to do the calculation reliably. My question was simply an extension of the point raised by DE.

Check API RP 65-2 Section 4 the section on mechanical properties and it specifically identifies this as a risk. Halliburton claims the nitrogen foaming makes the likelihood of microannulus formation and radial cracking during dehydration and curing less likely. But moving the pipe even after the cement has set can cause cracking. Bottom line is that Halliburton's Jesse Gagliano's testimony at the USCG/BOEMRE investigation was that the recombination test time to 500 lbf/ft (or did he say psi) was 34 hours. The negative pressure test was at 18 hours. BP's safety group and drilling VP has responded to my concerns reporting that the cement was up to near full strength by the time of the testing. However when I asked him for the source of that data they have not respond further.

My SPE books on advanced drilling also raise this as a possibility.

I don't think anyone on the rig was relying very much on the cement. The annulus was overbalanced and it had a 15000 PSI seal at the top. The production casing had 2 mechanical valves that should be able to prevent in-flow even with the cement failed. The integrity of the casing had been proven with the positive pressure test. If there was a concern about expansion and contraction of pipe affecting uncured cement then doing the positive test after 9 hours would be ill-advised. Halliburton doesn't think the pressure testing too early was a problem.

jinn - you and others know this well but for the rest: why wasn't the drill crew apparently very concerned about watching returns when they displaced? I'm sure some of the crew had some experience with DW wells which needed riser displacements before moving off the well. But even those hands had much more experience with more conventional wells...onshore and off. I mentioned a while back that in my 35 years I've never seen an operator concerned about the cmt job on a well they ran pipe on at TD AT THE TIME THEY MOVED THE DRILL RIG OFF. And I never had a well which had a neg test conducted. And for a simple reason: all these wells were left with fluid in the hole that balanced the well and prevented a blow out even if the cmt job didn't hold. The well was drilled and cased with a balanced mud system which was going to be left in the hole when the rig moved off. If there were a problem with the cmt the completion rig would deal with it when it moved on to complete the well.

So even if some of the hands understood about the well being unbalanced during riser displacement, they may have had a false sense of security not only because they were told they had a good test but that in almost all their other experiences it didn't matter too much to them if they did have good cmt or not: those wells weren't put into an unbalanced state and thus had no chance to kick.

Not sure what your point is. Kill weight alone won't keep a well safe. If there are no mechanical barriers in place then the mud weight all by itself isn't guaranteed to keep the well down. But I guess if you leave the bottom of the hole open and fill the casing with sufficiently weighted fluid it would probably give the rig ample time to pack up their gear and depart the scene - if that is what you are saying.

The DWH had done a positive test. One can guess that means the top plug on the shoe assembly was holding pressure. Assuming that guess is correct then yes if the mud weight was maintained high enough then that plug would stay pressed down tight and nothing would ever be able to get in.

jinn - A simple poitn: if a hand had left a 100 wells with the original drill mud in the cased hole instead of displacing it then he never really had much reason to worry about the cmt failing. And if he has also been on 10 DW wells where the cmt didn't fail when they displaced it would probably just reinforce his lack of concern for cmt integrety. Cmt quality would still just be a question for the completion hands. But how many hands now do you suspect won't be thinking long and hard about cmt integrety when they displace the riser?

Simple concept: the BP reservoir was 12.6 ppg. If the well bore was left with fluid with an equivalent BHP of 14.6 ppg how would it have flowed? Would you consider such a well safe at that point?

No well is ever safe IMHO given the ability to always do something stupid. I'm sure along the way you've seen some jackleg swabbed a balanced well in.

Your point lacks clarity in several ways.

First kill weight alone won't keep a will from flowing. If you put mud on top of hydrocarbons eventually the hydrocarbons will migrate up and you will lose your kill weight. You need an additional barrier - filter cake, cap, plug or something between the mud and hydrocarbons to work in conjunction with the fluid weight to prevent flow.

Second it just isn't practical to follow a rule of thumb that says there always needs to be sufficient weight to keep every well in over balance condition at all times . As an example take the Macondo well that had the BOP removed a couple weeks ago. I don't know what mud weight was in the well when the BOP was removed but it obviously wasn't enough to keep the well over-balanced, With only 8000 feet of pipe to fill you would need something like 25 ppg mud to have enough weight.

Third the DWH always displaced to seawater when they got to the end of a project so I can't see the value in speculating that maybe nobody on the rig was accustomed to the realities of displacing mud with seawater.

jinn -- So you've let overbalanced wells kick on you in the past? Speaking of lacking clarity: please explain how oil at 11,900 psi will flow out of a reservoir when the pressure in the well bore is over 13,000 psi. I've seen folks swab an overbalanced well in but that was because they reduced the ECD below reservoir pressure.

8,000' of hole to fill? We must be talking about two different wells. The Macondo had 13,000' of hole below the well head. That would take only 17.6 ppg to reach balance. A little heavier for safety sake would be advised, of course. Had BP left 17.8 ppg in the csg the well would not have kicked as long as they didn't swab it in.

Rock, I think jinn was talking about the 8000 ft. of hole during the BOP swap. Jinn just left out the 5000 ft. of cement below that.

edit: Good thing they didn't put 10,000 ft. of cement in the hole, they would have needed some 60 ppg mud to hold that down!

If they had followed your advice and simply filled the 13000 feet of casing with 17.6 ppg mud and then lifted off the BOP then yes that would have created the possibility of losing control of the well during the period the well head was open.

Instead of doing that they filled the bottom 5000 feet with cement. After doing that they only had 8000 feet of casing that could be filled with weighted fluid.

Now I understand jinn. OTOH I don't think I would be too worried about the well flowing with a 5,000' cmt plug in it. I was referring to the point in time when they just had the bottom plug and a 13,000' well bore above it. I think that’s where we got cross-threaded. At that time leaving the hole balanced would have been easy. But you also explained to me about needing to displace with sea water to set the equipment at the top of the liner. That would have required excessive MW but only if they didn’t set the additional cmt plug. I think this was your point earlier: had they set a cmt plug at 3,500' that additional barrier would have prevented the kick. With me being a cautious type I might have set two cmt plugs before displacing...it's only time and money. And a lot less time/money than dealing with a bad kick let alone a blow out, of course.

The 5000 feet of cement plug is just a theory. There is a lot of indirect evidence that supports that theory but there was no way at that point in time to know for sure where that cement went. And there was weeks of pressure testing to confirm that the plug that we believe to be theoretically 5000' was not going to fail.

I understand your point that they could have arranged it so that there was no possibility that there would be inflow even if the bottom hole assembly had no integrity. But wasn't this intended to be a functional producing oil well? If the only engineering design consideration was how to get the DWH off this well without any possible way for them to blow themselves up I'm sure lot's of things could have been arranged different.

It does look like they could have set the top plug first at 8367' before displacing any mud with seawater. I can only guess that the engineers wanted to establish the integrity of the bottom plug first then set the top plug. But if that was their concern it doesn't really appear to have been communicated to the rig. I think the crew was looking at plug at the bottom of the production casing was just as good as you believe the 5000' plug to be.

I don't think we have all the facts to really know what went wrong. It sounds like the last week or so of this well was a series of hasty revisions to the well plan. The casing design and cementing were all changed at the last minute because of unexpected developments. My suspicion is something important got lost in the shuffle.

The 5000 feet of cement plug is just a theory. There is a lot of indirect evidence that supports that theory but there was no way at that point in time to know for sure where that cement went. And there was weeks of pressure testing to confirm that the plug that we believe to be theoretically 5000' was not going to fail.

Thank you. Pressure testing with what mud weight? How much of it escaped? Where did it go? Did they mud up with a higher weight, sufficient to balance 13000 ft column in the end? No data available.

Deepwater Engineer,

I find this statement of yours confusing: Bottom line is that Halliburton's Jesse Gagliano's testimony at the USCG/BOEMRE investigation was that the recombination test time to 500 lbf/ft (or did he say psi) was 34 hours.

The linkage between Gagliano and "500" that I recall is this: TO's attorney asked Gagliano what compressive strength the cement should have for it to be safe to begin testing, and how long would it take to achieve that strength. Gagliano's answer was 500 psi, and that the test sample achieved that strength--under downhole temperature and pressure conditions--in 8hr 40min. He also indicated that the cement was considered set when it reached 50 psi, which took 8hr 12min for the same sample.

I must add that the attorney didn't specify foamed or un-foamed cement in his questioning, and that Gagliano was obviously reading from the 12 April test report for a sample of foamed cement that had a lower nitrogen component (12.98% by volume, downhole) than what was planned for the production casing cement (18-19%).


Thanks for the clarification. I remember testimony from an earlier period. I did not see all his tesitmony as our power in Houston went off. I had to drive home to catch the remainder of that days testimony. Now that it is available online I will rewatch what is full statement and Q&A was.

I did check the testimony and it was at 1:34:00 on the 8/24/10 Session 4 on CSPAN2. The response was that it was 8 hours 40 minutes based on the test using the location blend and the location water at reservoir temp and pressure. This was a critical test. However, Jesse asked Mr. Williams (TO Chief Electronic Tech's) Attorney Ronnie Penton if he wanted the foamed or non-foamed results which he did not respond to) The results he reported could have been either. Most likely the most favorable which I would assume is the unfoamed. This was used in the casing as the final plug and not in the annulus where the critical microannulus failure would have failed to provide formation zonal isolation. We need to get our hands on the Lab Test Slurry Pump Report Bates Number BP-HZN-MB-100172019 to be certain. Are these documents being provided to the public or is just the testimony?

D E,

See the BP DH Accident Investigation Report, Appendix J, (link below) to see why I assumed Gagliano was reading data from the 12 April test report for a sample of foamed cement. In reviewing the video, it looks like BP-HZN-MB-100172019 may have included data from this report, and perhaps from another for unfoamed cement.



Yes the report was for the foamed cement. Looks like the pressure testing was after the cement should have been safe for testing. I did review the Casing Review and find that one of the disturbing issues was that the top of cement in most of the surface and intermediate liners was 89 ft too low. They say this appears to be due to a miscalculation of the datum that appears to have double counted the distance from the kelly on the rig floor to mean sea level.

D E,

What document are you referring to when you say "Casing Review"?

I'm specifically wondering about your saying that the tops of cement for most of the various casing and liner strings were 89 feet too low. These were 89 feet too low with respect to what?


It was actually in "Appendix N: Mississippi Canyon 252 No. 1 (Macondo) Basis of Design Review." Page 13 Bullet point two on that page which stated:

"In Table 6 the first three strings have a top-of-cement (5,170 ft) that differs from the hanger depth (5,081 ft). In all likelihood the intent was to semenet these strings to the mudline (5,081 ft). The air gas from the rotary kelly bushing to mean sea level is 89 ft. Further note that 5,170 -5,081 - 89 ft. It appears that the air gap has been counted twice in setting the datum for calculations, resulting in the difference between the top-of-cement of the large diameter outer strings and the mudline. This discrepancy will have negligible effect on the design itself. For consistency, the numbers presented in Table 6 will be honored as if intended by the designer."

I am sorry but being a ranchowner I know BS when I smell it. As an engineer having an annular space that is filled with air versus cement makes a big differnece in the composite strength of the casings under the wellhead to support that wellhead and the bending moments that the BOP/LMRP stack experienced when the rig sank. This analysis should have been based on both the the actual "as-built" conditions and the original design not just "For consistency, the numbers presented in Table 6 will be honored as if intended by the designer." No wonder they were worried about well integrity. A Lower Annular Blowout Preventer that was derated to 5,000 psig rating, a Flex Joint that was only 5,000 psig rated and trying to shut in at over 9,200 psia pressure. Remember they used psi not psia as the pressures they provided during the well pressure integrity testing and monitoring. Basically to get psia have to add the ambient pressure which was not atmospheric but was 2,240 psig.

What I believe is really troubling is why they could not use their capping stack originally right after the failure. That is why I am assuming they could not contain all the oil within a few days. At the original reservoir pressure the wellhead shut in pressure would have been just below 10,000 psia. What if this had been a 15,000 psia reservoir or 20,000 psia. There are some of those out there being drilled with 15K BOPS and subsea trees.

At 20K how long would they have had to let it leak to get the reservoir pressure down to where they could have used the capping stack. That is why I believe a full Heavy Intervention vessel is need for any potential future "wild well". If anyone has seen the "lessons learned" presented by BP to date they would believe that the response that BP made was a state-of-the-art best-in-class response. As I said before I am a rancher and I know the smell of..... Rube Goldberg comes to mind. This was a political and facesaving response.

And now BP is joining the response with the other majors are proposing for Marine Well Containment and giving them this same equipment to deal with it. And apparently the government for all their protests and concerns about the feds being too close and not having their own assets to respond are satisfied to live with what was an inadequate response and allowed the largest oil spill in US history to be the response of the future. I guess since they claimed to be in charge of it the response was considered good. If that is true then Mr. Secretary of the Interior why do you still have a moritoriam in place.

Really makes me want to just retire to the farm.

D E,

Thanks for the Appendix N reference--it's one that I hadn't looked at.

Table 6 includes so much deviation from what was actually done that I question its utility. For starters the actual RKB to MSL distance was 75', not 89' so there's a built-in difference of 14' to deal with. The shoe depths differ by up 1020' (18" liner) from actual. Correspondingly, the actual TOC's are widely different from the depths in Table 6 (up to 2500' different for the 16" liner).

As for pressures, it's common practice--and the practice employed on the Macondo well--to simply write "psi", without a suffix. I think you'll find that the pressures you're talking about were all absolute pressures (psia), written "psi".

You made reference to "wells out there" being drilled with "15K BOPS". I assume you know that the rams used on the Macondo well BOP stack were Cameron Type TL, with a rated working pressure of 15 kpsi.


Edited to add "Cameron"

I don't think that they were talking about 6,000-7,000 psia after 89 days or they wouldn't have been tagging that well for completion. I modeled the well based on fluid properties that pretty closely matched what was released by BP in the appendices to the report. It would have shut in at the well head at just under 10,000 psia. By adding the static seawater pressure the reservoir and near well bore decline was about 750 psi over the 89 days it flowed. A reasonable drop for a reservoir above 100 MMBBL. I don't think that a 3,000 psi drop would be experienced. I just think they were playing games so that it was not obvious to those closely watching that they were encroaching on the hydrotest 50% overdesign pressure to shut off the flow.

D E,

You wrote: I don't think that they were talking about 6,000-7,000 psia after 89 days. . .

I'm forced to ask. Do you know what psia means?

It appeared to me that you did not when you wrote: Remember they used psi not psia as the pressures they provided during the well pressure integrity testing and monitoring. Basically to get psia have to add the ambient pressure which was not atmospheric but was 2,240 psig.

So I responded: As for pressures, it's common practice--and the practice employed on the Macondo well--to simply write "psi", without a suffix. I think you'll find that the pressures you're talking about were all absolute pressures (psia), written "psi". I put "absolute" in italics as a nudge.

Now that I've included your "2,240 psig" statement, I feel compelled to also comment that that pressure (the hydrostatic pressure at the mud line) is not a gauge pressure. It, too, is psia--but written "psi".



I've been enjoying your posts, thanks for the contribution.

Bit curious about this one though. I had a few quick goes over the last few months at modelling some of the reported data from macondo including

-  using a nodal analysis program to look at well inflow and outflow
-  using a material balance model to look at reservoir pressure drops
-  using a well test analysis package to look at the shape of the pressure build up curve when the well was shut in.

The available data is obviously sketchy, and there is a degree of futility in this, but nevertheless it seemed quite reasonable to me that there was, say, 1500psi pressure depletion in the reservoir based on some loose assumptions about the total amount produced and on a STOIIP of around 100 MMstb. 

Like chuckv I'd be quite sure that the 7000 psi SIWHP is absolute, not relative to a sea floor ambient. 

Thanks DE. That would then lead to the follow-on question (worse than a reporter) was the risk in this instance high enough, or conversely was that micro annulus large enough to flow?


I did some rough calculations using the maximum positive pressure differential of 3500 psi positive to the negative pressure test and calculated about a 2 foot of length change over the 13,000 ft of the production casing. About 1 foot of normal stretch when mud about same inside and outside the casing at 14 ppg or hung in air. No stretch for the pipe at the pressure to convert the float and two foot stretch for the negative test pressure. Diameter change based on appling poisson's ratio of about 0.3 and the ratio of the change in length to the overall length gives a change of 0.0002 inches. Overall swing in pressure would only give a 0.0003 inch change in diameter. As I said micro-annulus. However the movement of a foot each way and breaking the seal along the pipe reduces the cements ability to seal. If the float checks did not hold and the cement plug is not bonded to the sides of the pipe, reminds me of a loaded gun with the cement plug as the slug.

Thanks DE for the calc. It would seem that a micro gap of 1.5 ten thousandths is pretty small. Can we call that an ultra micro gap. But at 9 to 12k psia would be a reasonable and growing stream of fluid, unless it naturally plugs with grit from the reservoir, which would seem reasonable over a 5000 foot length. One might speculate then that this gap was self healing. But still an interesting concept.

The 5000 ft is in the current well abandonment. Were I saw the issue was with the original well T&A. I think there the cement was only between the plug and the float collar which was about 40 ft of cement. They shifted to a lagging non-N2 foamed cement for that volume. However, there is speculation in the BP report that N2 from a unstable foam broke out and may have created channels in the cement. What we haven't caccounted for as well is the changes that would have been taking place due to temperature as well. It would have caused additional expansion of the casing as well. It was interesting to how that there were several points in the range of 10,000 feet for the 16" casing (but don't hold me to that) that the safety factor fell below 1.0 on the Appendix N report.

I may be wrong on this but I was of the understanding that there was 5000 feet of cement at the bottom of the well. I was just looking at the BP schematics and the numbers seem to show 4965 feet of cement between the float collar and TOC. There was endless discussion of where the 3000 or 3500' of DP was located, in the cement or on top of the cement. Anyway one has to speculate how fast debris will collect in a 1.5 ten thousandth gap and naturally plug even with 11,900 psia pushing the debris.

Hi Jinn,

You've made this point many times and I'm afraid I still don't get it. I hope you can help me.

The point of the neg test was to drop the bottom hole pressure below reservoir pressure to see if fluids would flow into the well. 

They did this by inducing a reduced pressure downhole, then shutting the well in and waiting to see what happened. If the pressure stayed low, the test was passed (no fluids had entered). If the pressure rose, then fluids were entering and pressuring the bottom hole towards reservoir pressure again, and the test had failed. 

A reasonable interpretation (unless you have another one) of the rise in drillpipe pressure during the test is that the latter apparently occurred. 

So a negative test WAS performed and it was failed.

The fact that the test was conducted under shut-in conditions, and that the low pressure was not induced for a full 30mins is completely immaterial. If the test fails it is naturally self limiting (ie the pressure increases and reduces the differential). The half hour is simply an indication of the minimum time you should sit around watching the pressures, particularly in the success case. 

Conducting the test shut in is completely normal and the only way to do it safely in that it limits the size of the kick taken should the test fail. You previously asserted that they should have conducted the test with the well wide open; you are surely not suggesting that the hands wait for half an hour with the well flowing simply to demonstrate failure? 

They did this by inducing a reduced pressure downhole, then shutting the well in and waiting to see what happened.


That was a big mistake. Shutting the well in defeated the purpose of the test which was to observe if the well flowed. The problem with your theory that the pressure rise indicated flow is too many other possible explanations for why pressure increase such as leaking annulus or utubing of an incorrectly placed spacer. Remember Anderson said he had seen this before. Obviously he wasn't talking about well with failed integrity.
The integrity test they were supposed to be doing is to find out what happens when you put a column of seawater open to atmosphere at the top 8300' of the well.

The biggest problem problem with the negative test is the clear indication that they didn't get the test lined up correctly from the start. If they pumped spacer and then seawater they should have seen the DP pressure increase from zero to somewhere around 2400-2500 PSI as the seawater went down the drill pipe. At that point the pressure should start to decrease as the seawater goes around the bend to fill the upper casing and the u-tube becomes more in balance. Finally as the spacer is set where it is supposed to be the pressure should be at 1600 psi. That never happened and it is a pretty clear indication that the fluids were not where they were supposed to be.

And your concern about limiting the size of the kick is BS - the well isn't going to be shut-in when you are displacing to seawater so simulating the displacement to seawater with a shut in well is insanity. Everybody is standing around observing the well at this point. Later when they had hundreds of barrels of in-flow there was nobody paying attention. If you shut in the well then it only takes a tiny amount of in-flow to raise the pressure enough so the well is no longer under balance. And then after the pressure build up they spent the entire allotted time for the negative test observing well that isn't being tested.

Both Ezell and Harrell concluded that the first test was good. According to them the well during the test was rock steady. The crew believed that during that first test the hydrostaic pressure was holding at about 1200 PSI below what it was before the test started. Yes that is a negative test but it is not the integrity test that was contained in the APD.

The APD specified holding well at seawater gradient for 30 mins. They did not perform that test. When they were displacing the seawater the well was not going to be shut-in so it would be a goos idea to find out what is going to happen under those conditions in a way that allows you to simply open a valve to restore the well to an overbalanced condition.

Later when the well arrived at the point of becoming underbalanced the returns were being dumped overboard and no one had any idea how much was flowing.

Hmm. Well there's nothing there that makes me change my mind.

And your concern about limiting the size of the kick is BS

Ha ha ha ha ha! Frightening.

We'll have to agree to disagree on this one.

Let me ask you this. If the test failed a couple minutes after it started when the DP pressure increased to 1200 PSI what was the point of standing around for 25 minutes waiting for the test to complete?

Consider this they started at 2400 PSI they dropped the pressure to 1200 PSI and it held steady for the duration of the test. That is they were observing the well 1200 PSI less hydrostatic pressure than they started and it held steady. They saw no increase in pressure. Would that not be a good negative test according to your criteria?

You've lost me. I must be even dimmer than I thought.

During the crucial final test with the cement unit lined up to the kill line, the IBOP was closed on the DP with pressure bled to zero. The DP pressure rose to 1400 psi over a 31 minute period, in retrospect likely an indication of influx into the wellbore.

Confusion was clearly caused by the apparent lack of communication between drillpipe and kill line, and we could debate the ifs and buts around the pressure measurements until the cows come home.

The key point is that you have striven to give the impression that the hands never conducted a negative test, and I maintain that they did, regardless of the abnormalities in the data or the way that they interpreted it. There was nothing wrong with the general procedure they adopted. There would have been if they'd allowed the well to flow for 30 minutes as you suggest.

I'm afraid I'm done with this now.

Your understanding of the so-called second negative test is flawed. With the IBOP closed there is no pressure showing on the DP since the pressure sensor is above the IBOP valve. The pressure readings that were obtained in the second test are a bit of a mystery given that no clear description is available as to what valves were open and closed and where different fluids were positioned. Unless you have some clear description of how the plumbing and fluids were lined up for the second test your speculations about what pressure was on the drill string or anywhere down hole is just that, speculation.

It seems quite likely the rig crew's understanding of the what they were going to achieve is different than your understanding of what the goal and purpose of the test was. In other words, the evidence is not that they misinterpreted the results of the test. Perhaps, they correctly interpreted the results, but they just weren't testing what you think they were testing.

The negative test was set up to be run from 17:00-17:30
If they had the same understanding you claim to have they would not have waited around for 25 minutes with 1200 PSI on the Drill pipe.

The negative test was conducted by pumping seawater down the drill string. During this first test there was no involvement of the kill line. If you examine the pressure gradients and differentials for this test with respect to the hangar seal at the well head it becomes clear that this is indeed a test for that area of the well to seawater gradient. That is they dropped the pressure and held it to the same level that the hangar seal was going to see after the seawater displacement.

What that looks like to me is a test of the hangar seal and the results they got would be consistent with a good test if that is what they were intending to test. That is, they had tested the hangar seal to seawater gradient for half an hour and it remained static.

The issue that led to the second negative test was not the results of the first test. The issue that led to the second test was the BP men felt the first test did not comply with the APD which said that the test was to be monitored on the kill line.

We don't know exactly what the set-up for the second test was, but there is no evidence that the goal for the second test had changed from the first test.

As far letting the well flow - As far as I can tell they never set things up to do that safely. Looking at the first test I agree that would have been dangerous to do that with that set-up.

I believe sir you are exactly correct. I have never been able to get my arms around five components of the shoe track, the shoe, a plug, 40 ft. of cement the float collar and another plug all failing...hours after POB. Halli would have not rigged down their head if the last plug was not holding and at that BHT the cement below the float collar was getting hard quickly. I believe the 7 inch collapsed at or near the float collar and/or possilby and the base of the liner hanger as a result of pressure differential during the negative test. The micro annulus was in place, here she come. Is that possible?

I think the drilling crew on the DWH had thoughts similar to yours. They just didn't believe the Bottom hole assembly could possibly fail.

If the 7" casing was going to collapse during the negative test it would have collapsed anyway when they were displacing to seawater or when the well was completed and put into production.

The internal investigation of Halliburton has some important informations :

Test on 4/12 of 7”casing slurry :
0 psi compressive strength after 24 hours; needed 48 hours to reach compressive strength of 1590 psi
---Negative test started ~18 hours after pumped

16.7 ppgcement in shoe track over 14 ppgmud in open hole beneath the 7”shoe
---could fall out into the open hole

Was there contamination of the cement?
Wiper plug was run through two casing internal diameters
Potential for mud bypassing plug into cement
Circulated bottoms up only to the wellhead rather than to the surface
Potential cuttings in well bore
Potential non-homogeneous mud or gas content
---Could lead to cement channeling and flow path for formation fluids

Was there a problem with the float equipment?
There were 9 attempts to activate (IADCand BP daily report 4/19)
Double flapper type
Requires back pressure from annulus side to close
Less than 40 psi back pressure from annulus by calculation
---Potential to open while cement is setting
1stpositive test on casing against wiper plug at 10 hours set time–potential to slightly open flappers during cure time


Proof was the no oil in annulus detected by the relief well and the ROV video of the casing hanger with the 9 7/8" production casing still in place.


BP declaring "no oil in the annulus" proved nothing at all.

The question that is still unanswered is -> Was the spacer and oil that was pumped ahead of the cement (on April 19) still in the annulus or did the relief well find the mud that was pumped into that part of the well bore in August?

Have you seen any information/data that would answer that question?

Remember that John Wright is drilling the relief well and he is one of the best in the world. I have a lot of respoect for the guys at Boots and Coots, some which I have known for several years. However, I do wonder why BP has insisted on all their contractors to sign confidentiality non-disclosure agreements. I thought they were going to be transparent about this investigation?

Thanks, Gail, and TOD, for letting us keep on.

And thanks all who participate here and have taught me so much--at least enough to have a deep appreciation for a field of expertise I knew nothing about and for the subculture of the oil patch. And thanks especially to the funny people, for I have indeed LOLed. Many times. It has been a pleasure.


Mary Landrieu to block Jack Lew's nomination to serve as OMB chief

President Obama's pick to serve as head of the Office of Management and Budget looked headed for an easy Senate confirmation, until this afternoon, when Sen. Mary Landrieu (D-La.) announced she will place a hold on the nomination until the Obama administration lifts a moratorium on deep-water drilling in the Gulf of Mexico.

"Although Mr. Lew clearly possesses the expertise necessary to serve as one of the President's most important economic advisers, I found that he lacked sufficient concern for the host of economic challenges confronting the Gulf Coast," Landrieu wrote in a letter informing Senate Majority Leader Harry M. Reid of her decision....

Press Briefing by Federal On-Scene Coodinator Rear Admiral Paul Zukunft (9/21)

Many key questions remain unanswered. Of note, Paul Zukunft states there have been no authorized uses of Corexit since July 19th and any intended application requires his approval. Sam Walker with NOAA also answered questions. Various scientists and institutions were mentioned as participants in ecosystem accessment. Notably, Mandi and her institution were not mentioned. I'm not sure if others had seen another video of Mandi from a few days ago. Her emotional words continue with her in tears at one point in video.

Notably, Mandi and her institution were not mentioned.

Not by name, anyway. Samuel Walker said:

We’re also taking sediment cores on the sea floor itself and having those analyzed so we’re looking at things comprehensively. And as the Admiral has pointed out on numerous occasions as has NOAA’s administrator Dr. Lubchenco you know there are in fact places where oil still resides particularly in the near shore area where it’s being entrained in sediments, and so we’re very aware of those. We are also trying to look a little bit more comprehensively in the deep water based on some reports from academic vessels here in recent weeks.

And so we are responding to that we’re in contact with those University researchers and making sure that we’re going back and revisiting the same places.

The Admiral has pointed out
on numerous occasions
as has Dr Lubchencko
you know
there is
in fact
sedimented oil
and we're very aware of it

Just for pure curiosity I looked for pictures that would illustrate what the macondo flow would be if it were coming from a pipe. This is what I found for 1500 gpm which is ~50,000 bpd:

It did not look very impressive, so I looked for a picture what 80 Mbpd would look like , and found this,

...But you need FOUR of those to make up US consumption and 18 to make 80 Mbpd.

Curious, here's the video of that 1500 gpm flow (which equals the top flow of a Class A fire hydrant, BTW):

I've done the math on oil flow vs. dispersion, so I agree 1500 gpm is in the ballpark, but it's still a little surprising that thousands of square miles were slimed from this little flow.

I've done the math on oil flow vs. dispersion, so I agree 1500 gpm is in the ballpark, but it's still a little surprising that thousands of square miles were slimed from this little flow.

That's the point, equivalent of three generic 500 gpm lines and so much mess, this water must have been drained by a regular storm drain on a regular parking lot.

The other image is Upper Yosemite Falls during spring runoff.

I obviously missed something in 5th grade math class. But it might seem that 1500gpm X 60min/hr X 24hrs = 2,160,000 gallons per day, or 51,428 barrels / day, is not parking lot run off.

Depends on the lot.
However, some make lemonade with lemons.

Nice to see Pulaski Tennessee contribute something to America besides the KKK.

duck, it is parking lot runoff, that's the point of Canuck's post. Watch that video, the lot is not flooding. And yes, this is a good representation of the liquid flow out of the BOP, it's consistent with other sources. Or about 1.5 times this:

Oil on water can spread all the way out to a monomolecular film. Ben Franklin did a very famous experiment where he showed a teaspoonful of olive oil could cover at least an acre.


This video is quite wonderful.


Rather than the Kevin Costner solution of 190 state-of-the-art oil separtion vessels, a suggestion to the BOEMRE in the comments to their public hearings was that it is a better solution to not let the oil get into the water. Also suggested was to couple a hybrid of a 6th generation dp drillship with an FPSO capable of handling and flaring continuously for up to 120 days 200 MMSCFD and also separating and treating up to 100K BOPD. With 950K BBL of storage capacity it could go up to 10 days between offloads to "Jones Act" shuttle tankers or "ocean going barges". By having a drilling rig draw works full intervention is possible. Thus this vessel would be a Heavy Intervention Vessel.

The key is a HP internal completion and workover riser capable of full pressure containment. This would allow shut in if only a BOP is failed. If there is damage to the BOP stack or the casing by letting the well flow with no restriction then the relief well can be drilled. The rig draw works and riser provide a mechanism for lifting to disengage a marine riser LMRP with a failed marine riser.

The reason that BP could not put on the capping stack before they did is that they would have overpressured the LMRP flexjoint which was only rated for 5,000 psig. They pressured up the LMRP to a pressure that required utilization of the most of the overdesign margin (150%) that was needed to meet the original hydrotest on the Oil States Flexjoint. That is why I have concluded they had to continuously monitor the "well integrity" after shut in. Only thing that prevented pressure rupture of the flexjoint was the pressure depletion of the reservoir. Cutting the riser off should have allowed the LMRP to be pulled only they didn't try it again. Probably concerned they would not be able to get a HC connector from another marine riser and another BOP stack over the cut off pipes in the BOP stack.

They needed to have the ability to lift to intervene and pull the LMRP. Two ROVs would be installed on the Heavy Intervention Vessel. Key will be making sure that the LMRP can be removed or else Kevin may be right. Having Mud and Cementing capabiliiteis on the Intervention vessel would allow the well to be kill if intervention is possible.

Only problem is that the Feds aren't interested. I heard they rejected the white paper on cursery review. Said not needed now. I guess that they want to listen to only "Actors" and the Major Oil Companies. Don't confuse us with the facts and we don't listen to engineers. Only academians or scientist.... or is it money talks...

One last item. Since I noted that TOD was a correspondent at the Admiral's press conferences, can they qualify as Press Correspondent under a FOIA request. I would like someone to request all the white papers sent to the government team, who they were from and their ultimate disposition. I would like to make sure that credit is given where credit is due for the ideas that were implemented. i.e. have an independent assessment of which ideas were viable. Also the question needs to be asked as to who was evaluating the ideas? These white papers were specifically noted as being available for full disclosure. Are there ideas that were not implemented that should have been and could have shortened the spill duration? There is no reason the white papers and their related correspondence should not be subject to full disclosure under the Freedom of Information Act. Might say a lot about how this spill was handled.

Hey DE, anyone is welcome to submit an FOIA request. See: http://www.fcc.gov/foia/#reqform

Where they get you is on the cost to reproduce the documents. The cost they charge $/page is a bit excessive. Impossible to know without being able to view what pages are needed. By giving you many pages you didn't really want they jack the price. But I believe legitimate press can get it for no cost.

Maybe try these folks, I will explore alternate avenues.


" All contractual and technical questions regarding the BAA must be submitted in writing to RDC-BAA-DHR@uscg.mil. "

...I could swear I saw a posted list of all the submissions somewhere's....

Got my check today. 3 times what I asked for. I am not sending the excess back. At least not until I pay my taxes next year.

I had been thinking about coming over your way for a cocktail or two -- now I know for SURE that I will be. You're buying, right? :)

Sassy~if you decide to, let me know and I will drive over too and we'll all get together (kinda like a small TOD IRL reunion). I went over when I was in GS one day and had a drink and fresh gulf shrimp, and he came here and snorkeled with me. We were actually trying to find some weathered tar near Ft. Pickens but were unsuccessful.

Got my check today. 3 times what I asked for

Dang, TF, happy times for you, but what does that tell about Feinberg's operation? Ulp. In this story, he owns that it's still not up to snuff ("We haven't processed all of the claims as quickly as we should have. I oversold this program at the beginning, and I'm paying the price for it"). I hope the wires didn't cross and present some neighbor of yours one-third the amount s/he asked for instead of your surplusage.

Well, glad to hear you're in tall cotton at l(e)ast.

Still waiting here. 30+ days so far and not a word.

Does you name appear when you look it up online? Does a status display? I went from no information to a form that displayed being processed. Then it showed claim paid. I got my check via FedEx less than 48 hours later. The FedEx guy shoved it under my door. Why did Feinberg use FedEx if they were just going to leave the packages anyhow? No signature required. It was a simple loss of income claim and I had tax forms. From initial GCCF claim to check in a week.

Still under review. Talked with them yesterday and was told that the paperwork had been looked at. Guess we are "waiting" for them to figure out how much they are paying or so they said. Also they aren't doing them by date. They got some kind of numbering system they are using, whatever that means. We got the tax returns, wage statements, yada yada. I take everything with a grain of salt regarding what they tell us.

I understand business claims have priority but they may takes weeks to get a determination. Typical government/insurance doublespeak.

I will be interested over the next few months to see what comes out of the BOP autopsy.

In the meantime, I'm curious what some of our resident TOD engineers think about what might be done to improve this device? No argument that using the BOP should not become necessary if mud is monitored, pressure tests properly done, etc. I look at a BOP in much the same way I look at a life jacket when I'm sea kayaking. I do my very best to avoid going for an unplanned swim (especially in my local cold water), however, "sh_t happens".

What are people's thoughts on the BOP of the future? Remote disconnect? More powerfull shear rams to cut pipe joints? Two sets of redundant shear rams? Being a geo type, this kind of hardware is way out of my knowledge base. I'm especially interesed in what our engineers think can be done, or should be done to improve BOP reliability?

Some thoughts from looking in from outside with different industry perspectives.

see what comes out of the BOP autopsy
Maybe the shears did cut as it looks more like a leak past failed seals. Perhaps a need to be able to inject a plugging compound straight after operation before a channel has time to grow.

Remote disconnect?
Shaped charge available on rescue boat to cut riser before drifting rig can damage BOP, might save the rig as well. Oil is going to get spilt anyway so why not try and reduce the damage and leave a usable length of riser on top of the BOP.

More powerfull shear rams to cut pipe joints?
One for Chu's guys to get their teeth into? Consult with other industries that use high power hydraulics or cut cold steel. Test different cutter profiles to get maximum cut. Can cut and seal operations be separated.

Two sets of redundant shear rams?
If you can't cut a joint you need to avoid it.

Being a geo type, this kind of hardware is way out of my knowledge base. I'm especially interesed in what our engineers think can be done, or should be done to improve BOP reliability?
Increase rated pressures, many operations were complicated by working near or above operating limits eg FlexJoint. Thorough hydraulic review including consultation with other industries. Add gated bypass flange(s) at top of BOP, above the rams and below the riser connection so that a take off pipe can be added and the top plugged. Improve bolt/wrench systems to facilitate ROV use of tools. Standardise connector systems so anyone else's BOP can be used in an emergency rather than waiting for just the right type to be available or part made up. More attention to ROV operations such as lead in cones to connectors to facilitate alignment. Put some BOPs on an old well and try different techniques/equipment and find out how to do things before TSHTF.


Shaped charge available on rescue boat to cut riser before drifting rig can damage BOP


That seems like an obvious plan of action. I can't see how that could ever be any worse than having the rig sink while still attached to the well. The coffer-dome put over the riser at shallower depth would probably work as a containment system. Unlatching the LMRP and dropping a working BOP on top of the failed BOP would also be a good possibility in that scenario.

According to "Toolpush," in deepwater plays off Brazil operators have to demonstrate that the shear rams will cut through a length of drillpipe, at depth, before they spud the well. This "Show Me" Rule seems like something that the MMS could immediately implement for the deepwater GOM.

Very simple. Apply API RP 17O. API RP 17O deals with design of a subsea High Integrity Pressure Protection System (HIPPS). It prescribes the level of required reliability, maintenance by qualified personnel. Redundant pressure monitoring devices with two out of three voting to insure that accurate indications are used to cause shutin. Also prohibits bypass or disabling key shutdown functions. In essence the function of the BOP is the same as a High Integrity Pressure Protection System. The issue was when the marine risers for deepwater drilling was designed, they were by necessity designed for a lower design pressure than the wellhead. Weighs too much to try to design for the full shut in wellhead pressure and just like a chain, piping is only as strong as its weakest element. As far back as 2001, I remember being told that the limiting factor was the flexjoint. The maximum pressure rating that Oil States has listed in their product brochure is for a 6,000 psig rated flex joint. Big difference: wellhead at 15,000 psi the riser at 2,000 - 3,000. Creates what we call a HP-LP interface.

Any sort of risk assessment would pay particular attention to this discrepancy. API RP 14C mandates that "relief" is required unless the piping system is designed for full containmment of the pressure. I believe the assupmption is that the marine riser is vented through the Mud Gas separator or diverter and the divert line much like a standard relief system. As long as a piping system cannot be isolated by a valve from the vent the entire system can take credit for the saem vent. The only issue is that there is no flare on these deepwater rigs or if there are they are limited for small drillstem tests. On Deepwater Horizon only a pair of vent stacks. Only good if the vapor is methane only which is lighter than air but anything heavier (ethane's density is about the same as air, propane, butanes, pentanes, hexanes and heavier are all heavier than air.) a combined stream of natural gas with too much of the propane and heavier falls like a waterfall from a vent ratehr than rising. On offshore production platforms these reliefs are handled by flaring assuring that all combustible gas is burned. However this leads to real issues on radiation and the affects on personnel and equipment. We still try to ensure that if a facility has a problem that we can shutdown the inlet flow and blowdown the facility in 15 miunutes.

Normally the weight of the drilling mud in the riser should keep the pressure at the surface must lower due to the higher static head. However once production fluid gets into the marine riser the expansion at this lighter fluid moves up the

The problem with the BOP appears to have been the hydraulic leaks. It would be possible that too low a pressure would lead to inability to fully shear the drill pipe. West Engineering identified this as an issue for the 5 1/2" S-125 or harder drill pipe in their report. If the HP hydraulic pressure was at 5,000 psi at the surface and the cylinder being operated subsea is open to the static hydraulic seawater pressure due to being exhausted direct to sea it will not have a full pressure differential of 5,000 psig. The stem used for the locking the cylinder in place affects the pressure as does the pressure beign exerted against the inside of the cylinder by the well fluid on the shear surface area. Bottom line if the differential pressure get below about 2,800 psi (don't hold me to that number but review the West Engineering report on the DOE website. It is an attachment to the 30 day safety report I believe.) Later when they tried to use ROV hotstabs to operate the shear rams the pressure in the wellbore may have kept them from building up enough differential to get it to still fully close. It was pretty obvious that there was dual flow paths, one up the drill pipe and one up the annulus of the BOP due to the difference in the coloration of the fluid coming out.

If the provisions of API RP 17O had been inferred the BOP could not have been continued to be used in the faulty state it was in. Inspection levels would have been higher. Higher reliability would have to have been assured. All the things that after the fact everyone now thinks is needed by new regulations. Rather trying to reinvent the wheel go through an new learning curve just use the well thought out proven industry practices that should work.

Probably the reason a HIPPS approach was not applied in the earlier days of Deepwater drilling when these vessels were first built was the MMS was not approving the use of a HIPPS system in the Gulf of Mexico. It was not until 2006 when they gave tentative approval to BP to use a HIPPS system in the Gulf. If the MMS wouldn't approve it I guess if they just avoid calling it a HIPPS they can avoid the MMS not allowing it to be used. Also allows drillers and opearators lower level of integrity and reliability assurance for BOPs.

It is a shame that the BOP was the last line of defense and did not work. Even the last line of defense has to be reliable.

I am extremely concerned that those of us that worked in the early days of deepwater drilling may have contributed to this failure by a simple "lesson learned" that was applied at the time. We argued that non-produced fluids should not be produced later to the production platform. Multiple instances of upsets caused by the additives added to oil based drilling muds when producted into a standard topsides production separation facility. We insisted that the drilling rigs clean up the well before leaving the site. I am certain this is why the oil based drilling mud was not left in the well and it was being displaced to seawater. If the mud had been left in the well, then the pressure at the bottom would have reasonable offset the formation pressure. The negative pressure test would not have been needed. The cement cap would have been able to seal the well. The completion rig and team could have dealt with any cement issues and possible done a squeeze to fix any problems.

This was not intentional and there was no malice. However, 11 men died as a result. This is a guilt we will have to carry with us for the rest of our lives. I only hope the families of those that paid the ultimate price for our ignorance will someday forgive us.

As I recall, over time there were a number of distinct "BOP" failures. Dead batteries in the Dead Man; the Hydraulic leak, later identified as a loose coupling on a hose; Shear unable to cut, suspected joint, or multiple pipes, and a damaged annulus gate.

Apparently API RP 170 does not require a mandatory safety stoppage if any failure occurs in the BOP. It seemed that the attitude was but there is enough redundancy in the BOP that we can keep going. The Battery issue looks to me like a single point full failure should the rig become disconnected, or lose communication with the BOP. Any of the ROVs should have spotted the hydraulic leak. The shear problem appears to have a number of issues: Joints and the potential under unusual conditions to have a second DR in the shear gate. Solutions: I agree with an earlier statement that two shears should be required spaced far enough apart to guarantee that one shear avoids the joint and second that the cutting capacity must be increased to be able to cut two DPs. Double shears provides extreme redundancy of basically the very last option to shut off a well and given that situation making the shear system very very robust should be a requirement. Finally the annular valves. One of the rig workers discovered rubber sections in the mud tray and took a piece to, I believe the Toolpusher, with the net result of no action. Which returns me full circle to a mandatory requirement in the regs to shut down ops if Damage or Malfunction conditions are detected in the BOP.

Finally, If the pressure rating cannot be improved to encompass the reservoir pressure then why can't the flex joint be moved to the very top of the assembly, or at least above the BOP such that it is never at risk in a shut down. I may have missed something on this. It escapes me as to why higher pressure designs cannot be constructed. Also In this case the flexjoint rating came into play because of the addition of the upper "bop".

EDIT ADDITION: A key point I did not know brought up By CHU. There was no way to read the position of any of the valves. I'll go out on a limb, but this is simply crazy on a piece of critical safety equipment. Geez, operate a function and then take a break to see if anything happened. As a first step the position of anyone of the gates / valves should at least be observable by a ROV but better yet, status readable back on the platform along with visible via a ROV should the platform become disconnected. Just go and look at the Shuttle Program and the ability to be able to read status of any valve on the system.

Several misunderstanding isn't in your statement.
1) API RP 17O has not applied, I am suggesting it should so the issues you cited would not in fact be applowed.
2) Annular BOPS are designed such that they are designed to allow for the drill pipe to be slipped through them but at certain sizes and pressure they may damage the rubber seals. A fact caused by the fact they have to be designed to handle both large casing be run through them and small drill pipe. The metal arms that push on the seal in some instances don't have enough clearance it too much pressure is exerted when trying to seal against large drill pipe that is moving and some of the rubber may get sheared. I am told a common occurance in annulars.
3)Flex joint has to be at bottom to handle the offset from slight movement of the DP drill ship and currents on the marine riser. Has to be at top of Lower Marine Riser from a purely physics standpoint.
4) The flexjoint pressure rating came into play because the Lower Marine Riser Package (which is part of the Marine Riser and is suppose to disconnect from the BOP and go with the marine riser when the rig does an emergency disconnect) did not function properly. By staying connected to the BOP with the drill pipe trapped in it after the marine riser fell kept the LMRP in compression and did not allow it to be disconnected after the rig sank. Cutting the pipe off above the marine riser adapter flange above the flexjoint was done so that only a minimum of drill pipe stub would be exposed and the connecting flange could be fitted over it. By leaving the LMRP with its lower pressure rated flexjoint and annular BOPs on the flexjoint became the weak link in the piping system. The government obviously approved lettign BP use the full hydrastatic test pressure of the flexjoint in a effort to stem the flow. Something engineers are not allowed to do under normal design conditions. I understand the risk and agree it was acceptable in this instance.
5) The issue is gettting the seal at the pressure differential of 10K-15K. The ID is larger than the BOP bore. At 18 5/8" bore the OD is fairly large at 5,000 psi differential. The tapered assembly is larger to handle the offset. Makes the ID of the seal area much larger than the 18 5/8". At 15 K a rough estimate is the the wall thickness may be as much as 1/2 the ID of the pipe. There are other issues such as the pressure required to keep the sealing surface of the seal and still allow the joint to swivel some with the marine riser pipe. If the swivel was not there think of what happens when you take a piece of metal and work it back and forth for enough cycles. It breaks. Just making things thicker is not as easy as it sounds. Affects lots of mechanical and structural properties and this has been the challenge to developing subsea equipment to handle the High Pressure and High Temperatures of the Deepwater. There are limits to what we can lift and handle form the surface so the trade offs have to be made. The annular BOP is nmot meant to stop fluids that are coming from the well. Its primary function was to keep muds in the marine riser from not spilling out into the ocean when the riser is disconnected form the Well or BOP. The variable pipe rams in the BOP stack are suppose to seal off the annular space in the BOP. They are rated for 15K.

Secretary Chu thinks that the nuclear industry is a good example of how the offshore should be designed. Many think that onshore plants are analogous to the offshore industry but most who have made the transition will tell you they are not. Once again it proves people who are ignorant don't know they are ignorant.

DE, you're right on API 170, I thought you were saying it did apply.
On the Annular, I have looked at the construction and understand the Iris concept of closure and it's ability to close on a variety of singular pipes. But given that they are regularly damaged then I will assert that they are under designed / engineered. When we find repetitive failure / damage in my arena of engineering work we generally call it foreseeable abuse and go to work to improve the design to avoid that outcome. Many in engineering see it acceptable to simply write a rule to "preclude" the application of the "abuse". I always demanded of my team that if we can see the event either in design review or field data that we fix the problem because in the end it will save field time and customer sat. So again I assert the annular is underdesigned.
More on the Annular: You assert Annular not intended to stop fluids coming from the well but to hold them in a disconnected riser / LMRP. While that is the prime purpose, if it is also designed to take pressure from both sides and is designed to avoid damage in normal use then I would assert that it has been designed for foreseeable abuse, and could form one more defense in a blowout situation and yes I do understand it wouldn't shut off the DP but would shut off the riser path. In the case of the Macondo it might seem that the annular should be able to hold against a down pressure in the range of 6k to 8k psi and an up pressure of 9k to 12k psi. A 1/3 differential. I would expect that it is easier to tame rising mud / oil / gas in the DP than in DP plus Riser. At least until the point of having to disconnect the riser and wanting to retain the mud. On the other hand I'm not clear why we would care about the mud during an emergency disconnect situation. My thinking on improving the annular was that it makes $ sense to try and upgrade the items that are already there and which we have experience with, rather than simply adding more stages. Hence can we improve the annular and make it bi-directional and much less damage prone.
Also, it might seem that in the condition of closing the riser with a full load of heavy mud, that the annular might see down forces in the range of 4k to 6k psi. In the case of the Macondo the up pressure

Flexjoint: Yes I knew it was at the bottom of the riser to take up rig motion. My comment was to move it up in the stack. As I mentioned in the previous post I misspoke on moving flexjoint up because I had a lapse in memory about there being an additional valve set, post applied, above the flex joint. Yes, as an engineer I am greatly familiar with metal fatigue.

Weight: I don't recall the exact weights of the BOB, LMRP or add on Valving. But I do remember that the weight on the hook when they were retrieving the BOP via a DS that it was 840klbs, and I think the rig was capable of well over 1Mlbs. If they had been pumping 16 ppg mud then the mud weight would have been ~600k pounds, plus the LMRP and Riser. A rather substantial pick for any rig.

Long response short: It is not clear exactly how to go about fixing the BOP to clear out all of the failure mechanisms in a highly reliable fashion, But there are many approaches available. The industry just has to collectively decide that a safer approach is highly desirable. I think there might be more appropriate skills in the space program than the Nuclear sector. Space like strong but light weight. Nuclear likes strong but who cares about weight.


DE, just a comment. You rely heavily on The API RP's I've noticed. Correct me if I'm off base but it would seem the RP's (Recommended Practice) are the same as Best Practice that was discussed elsewhere in the thread. I'm not knocking the RP's but I think I can safely say they do not take the place of performance oriented code "requirements". They certainly would be design or best practices guide but I would assert they cannot take the place of performance requirements, which should not specify distinct designs but only the outcome criteria. I would also assert that best practices and performance oriented code should not be mixed together else we have brakes applied to improvement.

I recognize the honor in your last sentences and I hope others do as well. All of us in the industry share in that responsibility and sense of guilt about this tragedy and about all good men that have perished in thousands of blowouts since the first string of cable tools went over the crown 120 years ago. We'll learn from this. We always have.

As an outsider to the industry, I may lack standing to Bravo what you two are saying, but heck with that.


DE - Great post. Along with trying to make life easier on the completion side by displacing with sea water I ran into a unique problem last January from leaving OBM in the hole. Re-entered a deep well in S. La. that had been abandoned in the deeper section with OBM left in place. A simple job: drill out the plug and circulate out that old OBM - a one day job for $25,000. About 2 weeks and $500,000 later we finally got the side track started. As best as I can describe it the OBM set up like an epoxy. Not only did I have to drill it out of the csg, I had over 60#'s of metal stuck to the csg wall by the OBM glue. At one point it was so bad I couldn't get 6.5" tool down a 9 5/8" csg. Prematurely set a whipstock. No one on the rig had ever seen it this bad. I learned a costly lesson: I'll never leave OBM in the bottom of a well for an extended period of time. I'll displace it but with a fluid of equal weight.

Reading through the BP report, what struck me was the number of failures in the BOP. There were multiple modes of operation, and redundant control systems. Almost nothing worked as it should.

I was reminded of reading an account of the nuclear accident at 3 Mile Island. Multiple failures of safety systems are often a feature of these kind of industrial accidents. There are well known problems with engineered safety systems of this type, especially if they are complicated and failure prone. When they are very rarely needed, they tend to be poorly maintained, and they tend to fail when they are needed.

However, there are exceptions. The inflatable slides that allow escape from aircraft accidents seem to work well enough when called upon. Aircraft also have emergency oxygen systems which drop down from the ceiling in the event of a depressurization of the fuselage. These usually work. When they have failed, planes have crashed due to everyone on board losing consciousness. (Helios Airways 552) So it does seem to be possible to produce engineered safety systems that will work reliably, but I think you need the right environment. Aircraft are very frequently inspected, and that is backed up by extensive government regulation. Aviation also monitors accidents and incidents on a world wide basis. If the offshore industry had done this, they would have realized that their BOPs were far less reliable than assumed. Are there accident reports available to government regulators that explain why other BOPs have failed in the past? If not, why not? I think that corporate entities, left to the own devices, will tend to under-maintain systems that are very rarely needed.

I would argue that there are two approaches. One is a system that is highly reliable and maintenance free. The airbag in your car is an example of this. The other is a system that is subject to regular testing by outside inspectors. Having to pass Government checks motivates companies to maintain their systems. Doing the necessary testing may well be expensive, and companies will complain about over-regulation. Engineers tend to focus on technological fixes, but paying attention to the human factors is vital if systems are to work when needed.

I think that off-shore oil needs to take a close look at the safety practices of aviation and the nuclear industry. I also hope that the nuclear industry will take a look at itself. Are there systems vital to the safety of nuclear plant which will perform as badly as Transocean's blowout preventer? How do they know that their systems will work? Are their assumptions for failure probabilities correct?

What people tend to forget because we have short memories is that the US used to regulate Oil & Gas very tightly. Price was controlled and if you wanted a higher price generally you had to justify anything higher. This was when Oil Companies tended to put much more investment in in house personnel, research, development, safety and accident prevention. All these costs were a justification for a higher price if you had a limited rate-of-return. However, the shift was to overseas for production because it could be found cheaper, get higher revenue and a more favorable tax regime. Then in 1973 there was an Arab Oil Embargo. The Arab world noting the US dependence on foreign oil decided to utilize it as a weapon against the US support of Israel. This lead to the formation of OPEC. Also in 1978 after a severe gas shortage in th Winter of 77' the goverment introduced the Natural Gas Policy Act which tried to gradually allow the price of gas to deregulate. It was based on the assumption that the price of oil would be $100/BBL by 2000. In about '79-'80 the Reagan Administration convinced us that deregulation of oil was the only way to break the dependence on foreign oil. It did lead to a resurgence in exploration and production both onshore and offshore in the US. In the early 90's after the debacle that the phased deregulation of natural gas by the NGPA made of the natural gas markets in the US, leading some regulated prices to go up over $10/MMBTU the US finally deregulated natural gas. What now influences the prices of energy are realistic changes in supply caused by issues related to natural phenomenon like Winter storms, Hurricanes like Rita and Katrina which devastated much of the US offshore infrastructure and drastically impacted our demand for offshore crude (aside from the occasional tweating by OPEC whose influence has been reduced some).

However at the same time radical changes were being made in the regulation of safety within the US. In th emid to late 90's a shift was made from prescriptive safety regulations to risk based safety regulations. The U.S. has seen an overall decrease in the accidents with the shift. However, it shifted much of the responsibility from the regulators to the industries. Now the cry is to shift everything back to a prescriptive regulator environment. Re-regulate the Oil and Gas Industry. Put prescriptive regualtions back in place. Operators cannot be trusted. This is not the answer. The asnwer is that a better understanding of the real risks involved must be made. Corporations who cannot responsibly operate must be culled and corporate officers who cannot properly balance the risk against the reward (whcih includes not injuring people or the environment) must be fired and if they injure or kill people be prosecuted. Bonuses must not be structured in such a manner as to encourage taking shortcuts that lead to short term profits at the cost of long term safety or environmental problems. Maybe a rule that retroactively taxes all who benefited from profits/bonuses paid attributable to taking shortcuts by recovering the profits/bonuses paid in a prior period if it leads to a fatal accident in the current period. Much like recovery in a bankruptcy proceeding by a trustee for prior payments paid in which no value is received.

Remember that those that do not study history and learn form its mistakes are destined to repeat it.

Now the cry is to shift everything back to a prescriptive regulator environment. Re-regulate the Oil and Gas Industry. Operators cannot be trusted. This is not the answer.

True enough, in part. In a fast changing technological environment, regulations will almost always lag behind what is actually happening in the field. This issue is exacerbated by the fact that there is a huge pay desparity between regulatory agencies and industry, hence most of the best and brightest will choose to work in industry. And indeed, some operators WILL cut corners, and cannot be trusted.

The asnwer is that a better understanding of the real risks involed must be made. Corporations who cannot responsibly operate must be culled and corporate officers who cannot properly balance the risk against the reward (whcih includes not injuring people or the environment) must be fired and if they injure or kill people be prosecuted.

The problem is, who other than government has the power to cull corportations who cannot responsibly operate? Some companies will always do a better, more responsible job. But in a fiercely competitive business, I'm sceptical that industry as a whole can or will really self regulate. Can we really expect Exxon to somehow force Fly By Night Oil Co. to conform to better standards?

To me the crux of the issue is to somehow meld industry technical expertise and best practices with government authority to force compliance. Most of us would probably agree that the agency formerly known as MMS didn't manage to do that. I don't know how we can do it better, but I think we should at least consider how other industries that are both high risk and highly technical, such as aviation, do it. Maybe they have nothing to teach us, but on the other hand, maybe they do.

I meant to add that the problem has both a technological aspect, and a management and control issue. On the technology side, we need to understand issues such as what kind of hardware improvements do we need for difficult environments (for example BOPs, etc) and what kind of test protocals are appropriate (neg pressure tests, etc).

On the management and control side, we need to understand when it is appropriate to have rigid procedures (things like checklists and sign offs), and what kind of chain of command we need (who is in charge), etc. Yet at the same time we need to understand when it is appropriate to let experienced, well qualified people on the scene make fast decisions. Good military organizations try to achieve a balance between rigid following of orders, and fast decisions by the guy on the spot.

I don't think there are any magic bullet the answers to all this, but I think we can learn to do better.

Well, I've said it before, so now I'll repeat. There is no reason that we can't write regulations for oil drilling that dictate levels of design for the various elements. For example the safety margin for pressure rating of a BOP relative to the reservoir pressure expected. The shear capability relative to materials, It must be able to x,y,z. We do this for construction all the time, and get along just fine. Including the variance process. Yes, construction contractors would like to have free reign but instead they have regulations that specify everything from deflection of a beam to amount of sway in a Skyscraper. What we don't want are regulations that specify a particular design, this is when regulations are always behind the technology. We need achievement style regs. And yes we need people on Rigs authorized to make instant decisions, during extenuating circumstances. In construction it is the registered engineers that can do a design, that is outside the expected envelope (by inspectors etc) but still achieves the particular achievement specification. Deflection less than 1/740 for particular applications. How the engineer achieves this goal is open. Not achieving the goal is not open. In my mind and view, drilling is simply another engineering arena and as such can be regulated via minimum goal regulations.

In general think we are saying the same thing. As Deepwater Engineer pointed out, we may already have something like minimum goals (API RP 65-2 Section 4 ??). I don't know jack about construction, but I wonder if one big difference is that drilling has a very dynamic aspect that must be accomodated? As DWH demonstrates, things can go very wrong very quickly on a drill rig. And the effects (long and short term) can extend well beyond those immediately involved. Another aspect that may be different in drilling is that we really never truely know what is going on down there, at least in the time frame that we need to know it. That's why several posters have suggested aviation as a better analogy. But maybe not, you tell me. I'm interested in your thoughts.

To me the real question is how we meld "minimum goal regulations", or "best practices", or whatever you wish to call it with effective oversight and enforcement. When an operator can specify protecting walruses on a spill plan for the GOM, and get away with it, we have a problem.

I do believe that there are a few currrent regulations that must be enforced. One is that only qualified personnel be allowed to make decisions that require technical knowledge. The only mechanism for doing that is the licensing of engineers. However, many states have so many exceptions that many unqualified can be allowed to practice with only company supervision. We do require doctors to be licensed and generally their decisions only affect one life. I have suggested to the regulators that the OCS needs an Offshore Engineer discipline that they need to consider. An API subcommittee consisting of industry experienced state licensed engineers would set the requirements for licensing and testing and the USCG /BOEMRE would be responsible for enforcement. It would be multi-discipline field.
This sort of parallels the approach that Alaska takes with respect to licensing with their multi-disciplinary "Cold Regions Training" that all disciplines must take to be licensed to practice engineering in Alaska.

Bottom line if you study DNV RP A-203 "Qualification of New Technology" it makes a good case that proven technology is not "proven" in a new environment. Requalification of previously proven technology when being applied in a new environment still requires testing to see if it is suitable in the new environment. Same holds true for technical personnel.

Finally the federal law (Submerged Lands Act) does state that if there is not a law with respect to civil and criminal laws that are in the adjoining coastal affected zone states, then the law in the adjoining coastal affected zone states apply. Since Macondo was in the Louisana affected zone area, the Louisiana law should have been the federal law in the area. Louisiana does not recognize an industry exemption for civil engineering.

If the federal government had enforced the law, the cement technical advisor, who in testimony claimed to have designed the cement job but admitted he was not licensed could not have done so unless he was. I really wonder if it would have made a difference if he had been licensed. Would he have protested more about the job going forward if he understood that his key duty was to the protect the safety of the public?

I am a licensed PE in multiple states. I have taken and passed both both the fundamentals and the a principles/practice exams tests. I have to take many times at my own expense and with my too few hours of vacation continuing education which includes mandatory ethics training. I can't speak for all PEs but for myself I can say I understand that responsibility to the public. It has cost me not one but several jobs because I did protest and it did result in the required change. I lost my job but the public was protected.

+100. And thank you.

Alaska_Geo, you're right I think we are close on agreement. And might I say I really enjoyed my several years in Fairbanks in the 60's. I agree that Drilling is very dynamic. Which is realated to my comment on Licensed PE's in the general category of Construction. I truly believe there must be "licensed" people on Rig at all times able to make the critical call when needed. Maybe the sea corollary is the Pilot guiding a ship to harbor. I certainly am not trying to make the case to the opposite. It is the design and critical machinery that must be driven from goal oriented performance minimum regulations. I may be wrong but are not the API's voluntary? If they are mandatory then we are even closer. But I don't believe they are mandatory. Construction / Building codes from a governmental body, are for the most part (yes there are anomalies in the codes) goal or performance based. Are mandatory and inspected by some gov't or gov't associated organization. If your plan doesn't conform, no construction permit. So bottom line it is clear that there must be a very very few people on the rig where the buck stops and it is those people who should have the "license" and possibly be designated in the "drilling code". Designation of the "buck stopper" would end the who's in charge question cold and relieve the contest between the OIM or Toolpusher and the Coman, i.e. it's one or the other but not both. It also stops the debate of who's on first! Again on harboring a ship, the buck stopper is the Pilot. Out on the open sea it's the captain (for ships).

As far as the melding::: Minimum performance goals are basically physical minimums, e.g. Bops will be pressure rated 30% above the maximum reservoir pressure expected. Obviously the next question is what is that pressure prediction based on and who is qualified to "stamp" the prediction. Back to the construction industry, it is the registered structural engineer for say the building steel. He stamps the drawings submitted to the enforcement agency certifying that he supports and approves the drawings etc. Only rarely, does he get reversed by the enforcement agency, but it does happen. Best practice could be included in the "drillin code" as non-mandatory guides. I would believe that every "licensed" drilling engineer might have his own view of "best Practices", just as every structural engineer might want to redesign that beam given his own biases, but the beam still has to conform to the performance specifications. In construction we have many manuals asserting best practice but they are totally outside the code and are more educational than anything. I would think that Best Practices are actually the forever changing and advancing part of technology that you don't really want to be part of the slow to change performance code. This is the part where we learned something on the last well that we want to incorporate in our future designs, procedures etc. And those new designs are just that but they still conform to the performance part of code.

One final comment:: When I refer to XYZ engineer I am talking about a person who holds as a minimum a BS in XYZ (a technical field) and then is further licensed by either the state or federal as a licensed professional engineer with stamp. At my company it was normal for some with out the BSXX to work themselves up to positions labeled "engineer" and in a very narrow vein they were qualified but simply not to the degree that a BSXX holder is. Now don't everyone shoot me for that view.

I don't think that for a bunch of skilled engineers sitting down to write the "code" should be a major deal, but then again lots and lots of folk owning steers in this deal and not wanting their particular steer to get gored. So there has to be both the "will and desire to write" and some relative isolation for the writers to do their job.

Deepwater Engineer, Awildduck, and other engineers:

Thanks to both of you for an interesting and important (as we move forward) dicussion. And thank you both for the seriousness with which you both obviously take your responsibilty!

From a personal perspective, I have two dogs in this fight. The DWH disaster does and will continue to have a huge impact on how we do our business, even up here, far from the Gulf. I make my living in the oil patch, and I would like to get in a few more years to pad my continuing decline into geezerdom. My other dog is that I've always been an outdoors person. Many of my co-workers consider me a closet greenie. Having spent many priceless days in PWS, I know how sick I felt when the Exxon Valdez spill happened. I rarely if ever spend any time on the Gulf Coast, but I can honestly say 'I feel your pain.'


I appreciate the kind words. I too am rapidly approaching what the industry calls the great shift change. I am also concerned about the "environment" as I own a small ranch raise cattle in my other full time job. I still work a day job in the industry.

Many of the plants I worked at which were built 50+ years ago could tolerate a good bit of corrosion to their steel structure and still be in little danger of structural failure. This was primarily due to the design engineers of the time using conservative factors of safety and lots of steel, one reason being the inexactness of the calculations.

Today's computer design programs allow the designer to get down to a nats eyelash the amount of steel used and remain within the codes. In order to compete in competitive bids the contractors design engineers have to do this. This makes it incumbent on the owner to pay for a more expensive coating system and to keep it maintained to limit rust especially in corrosive industrial environments. Offshore drilling rigs come to mind and I wonder how structurally sound they will be after years of salt water service.

Now there's a scary thought, ez.

I don't think that we need prescriptive regulations that tell oil companies how to build BOPs. I do think that we need prescriptive regulations that tell companies how to test and inspect their BOPs in realistic operational scenarios. We also need inspectors so that we know that bad test results will be accurately reported.

For example, Boeing is currently doing certification tests on its new airplane, the 787. FAA inspectors are riding on board the plane to observe the tests. When the plane goes into service, it will have a rigid maintenance program that specifies what has to be done when the airplane has accumulated a set number of flight hours. The FAA seems to have an effective system for ensuring that required maintenance does get performed, even though it is expensive. A 737 costs about $30-40 million, which I believe is similar to one of these deepwater BOPs.

Why not insist that the deadman function of the BOP is tested whenever a rig is preparing to leave the well? Disconnect the power and hydraulics just before the BOP is brought to the surface. When the BOP is recovered, then the government inspects it to ensure that the blind shear ram closed and that there is enough pressure in the hydraulics for it to have sheared a drill pipe. If the ram doesn't close the operator gets fined, and a report is published explaining why it failed.

My original point was that I think that operators can be trusted......to not do the necessary maintenance on systems which they almost never need. They all think they are above average, in the same way that most drivers think that they are above average.

In general, I think the offshore industry does a good job of controlling their wells. I read somewhere that BOPs are only used for real about once a year worldwide. However, when needed the BOP fails about 50% of the time. I think there is a lot of room for improvement here.

Schrodinger1, I don't think I was ever saying "prescriptive regulation......how to build BOPs." I was saying Prescriptive regulations on how BOPs must perform. There is a night and day difference. If the performance criteria is required then the how to achieve is left up to LICENSED engineers with approval of design by the code enforcing agency. Much of the debate on the malevolent GOM well has been will the real design please step forward and much debate over the correct design or the correct configuration of the BOP. But simply put there appears to be little "performance based code". As far as "licensed" is concerned I'm close to agreement with Deepwater Engineer but would probably go a bit farther in specifying underlying credentials for licensing.

The how of inspection can be as tight or as loose as needed to "guarantee" the performance aspects. BUT it must NOT be oppressive, because that is what leads full circle to 'no-enforcement' and that is somewhat a political call.

You talk about "why not insist.....is preparing to leave the well?" When the deadman should be tested can and should be part of the performance regs. Inspecting the inspection is again back to Oppressive? There must be a reliance on the appropriate people on the rig to do their "licensed" job, else no license and thus no job.

Still at it, RawStory's out to make a buck by scaring folks with a blockbuster,
Exclusive: Gulf oil dispersant contained extremely toxic carcinogen which happens to be 2-butoxyethanol, which the NJ Department of Health says “should be handled as a carcinogen with extreme caution.” Can you buy Simple Green in New Jersey?

Five minutes before reading this post, Snakehead, I thought to myself that I should acknowledge how much I appreciate your posts; I'll do that now: thank you.

I can buy Simple Green here in Louisiana, but I have the same difficulty with this comparison that I do with BP putting Klondike Bars on their open house tables to show that these chemicals are benign and in everything. Do you drink Simple Green? Marinate your shrimp in it? Huff on the bottle? :)

I know what you're saying, I get it, but there's a huge difference between purposefully using a product and potentially (because it seems no one really knows) getting dosed with it. I know you know that, too, but I just had to say it out loud.

Thanks again.

I know tarballs laugh at Simple Green. I had to go to a car pressure wash to clean my boots.

Best thing we found for removing tar balls we got on South Padre & later on Mustang Island after Ixtopa blowout was baby oil.

I thought to myself that I should acknowledge how much I appreciate your posts; I'll do that now: thank you

Enthusiastically co-signed!

Another blockbuster :

"One of the latest reports is that there are entire Louisiana communities where people are bleeding internally.
It is tragically naive to think that the Gulf region aerial pesticide spraying will stop before the mission is complete.
The major agency holding the key to halt the genocide, ..."


WOW ! GENOCIDE ! How shocking !
This oil spill had and will have great impacts to the entire environment.
And a lot of things are covered due to different interests.
But this kind of scaremongering does a disservice to the clarification of the real impacts.

there's a huge difference between purposefully using a product and potentially (because it seems no one really knows) getting dosed with it.

Sure - but that difference isn't at all realistic is it?

non-toxic, biodegradable, non-hazardous, nonflammable, non-corrosive

- http://www.simplegreen.com/products_family.php

Ingestion: may cause stomach or intestinal upset if swallowed (due to detersive properties) ... Carcinogens: no ingredients are listed by OSHA, IARC or NTP as known or suspected carcinogens

- http://www.simplegreen.com/pdfs/MSDS_EN-US_AllPurposeCleaner-Pad.pdf

It seems to me that little Johnnie swallowing a bottle of Simple Green is probably going to expose him to hugely more 2-butoxyethonal than any probable scenario involving small trace quantities of Corexit in seawater or from seawater spray blown inland.

Can anyone explain how use of Corexit offshore could expose folk going about their normal lives onshore to hugely greater quantities of 2-butoxyethonal than they would normally encounter merely from being in a house where someone regularly cleans with commonplace household cleaning products?

Same way everybody had Satanic ritual abuse surrounding them in the 80s and early 90s.

Corexit rain. Corexit in the wind. Corexit dropped from the sky inland on a guy watering his lawn. Corexit used for population control. It's pure evil.

Quick trip around this morning's Twitterdome:
ALL KINDS of sea birds PARALYZED and DEAD near SARASOTA, FL — Doctors raise DISPERSANT
scientists say corexit makes #BPoilspill more toxic than if left untreated!
State: Corexit 9527A butoxyethanol should be handled as a carcinogen.
100k fish R showin up dead & scientist don't know y? Corexit was used in Gulf oil spill & is TOXIC.
Corexit — NO safe level of exposure say scientists /this is stuff BP PUT IN YOUR FOOD
FDA and NOAA have no test to test Gulf shrimp 4 COREXIT.
"Corexit is 4 times as toxic as oil. Add oil = 10X as toxic."
Thousands of People Along the Gulf Coast Suffer “BP Crud”
40 million gallons of corexit... horrible. No wonder the fish are being found dead.
GULF EVACUATION ALERT: Mass genocide confirmed VOC in North American atmosphere. Europe? #BP #COREXIT
A local vet suspects BP Oil and/or Corexit is killing and sickening swans in Tampa. Samples sent to labs for testing

I am not, mind you, saying RawStory deserves redemption for its performance here, but a friend just sent me a link that tends in that direction . . .



Gotta love these outright lies.

The carcinogenicity classification of 2-butoxyethanol is IARC class 3.

From Wikpedia:

"Substances, mixtures and exposure circumstances in this list have been classified by the IARC as Group 3: The agent (mixture or exposure circumstance) is not classifiable as to its carcinogenicity to humans. This category is used most commonly for agents, mixtures and exposure circumstances for which the evidence of carcinogenicity is inadequate in humans and inadequate or limited in experimental animals. Exceptionally, agents (mixtures) for which the evidence of carcinogenicity is inadequate in humans but sufficient in experimental animals may be placed in this category when there is strong evidence that the mechanism of carcinogenicity in experimental animals does not operate in humans. Agents, mixtures and exposure circumstances that do not fall into any other group are also placed in this category."

There are lots of 2-butoxyethanol containing products including Simple Green for sale in NJ.

I have no idea why the NJ data sheet lists it as a carcinogen - there is no data to support that.

I found some other interesting factoids when researching this - for example 2-butoxyethanol is considered to be low aquatic toxicity because the fish LD50s are quite high.

Hey! We agree on something.

Chu said BP could have saved "about 10 days of angst" if there had been instruments on the blowout preventer — a piece of equipment designed to seal the drill pipe in the event of an explosion — that would have signaled whether its valves were closed. Blowout preventers throughout the industry lack such devices, he said.

It also would have helped to have multiple systems to measure pressure, he said.

I'd add a pressure gauge would be nice too! At the very least it would give the ROV fans something to look at.

It seems that the ROV had some success in operating the shear ram, but it lacked a big enough hydraulic accumulator of its own to do a proper job. So equip your ROV with a nice Parker one (they are a good customer of mine) of its own. Maybe you set up a bypass system to allow all the power for the actuation of the rams to be delivered externally from the ROV. With enough rams, you get redundancy working for you, hopefully at least one will work. And you will at the least slow down the flow and decrease the pressure differential across the flex joint to ambient, given the flex joint seems to be a weak link.

You probably could also use a hot stab capability for an external kill line to facilitate a top kill. Use some of Rockman's Galena mud for a well assassin's bullet.

Make the old Macondo 252 "eat lead".

Okay class, time for some more fifth grade science!

If you want to control a leak, which would be a more useful tool?

A) Jack & Jill's pail

B) Peter of Haarlem's finger?

Are there multiple " elastomeric annular bodies " throughout the whole BOP stack, or only in the annular preventers ? ~107


I thought that was destroyed :

" He discovered chunks of rubber in the drilling fluid. He thought it was important enough to gather this double handful of chunks of rubber and bring them into the driller shack. I recall asking the supervisor if this was out of the ordinary. And he says, "Oh, it's no big deal." And I thought, "How can it be not a big deal? There's chunks of our seal is now missing."

In the pictures RockyPaloma put up it looks to be fairly intact, considering..


What other component would rubber chunks have come from ?

There was never any reason to believe that the annular preventer was destroyed. The rubber that was found probably came from the preventer - however the preventer is designed to take some significant level of this punishment. The preventer is designed to be able to close on an open hole - i.e. it doesn't need a drill pipe to close on to create a seal. There is a quite large amount of rubber in the seal. The bit in the diagram linked - 111 - packer unit bore - is the bit that seals. These devices are large - and there is a lot of rubber. The stripping event that gets everyone worried was probably about a damaging as doing a couple of burnouts in your car. Leaves some rubber on the road, but doesn't destroy the tires.

OK, lets try to put this to rest once and for all. Taken from the Cameron manual for the annular preventer. This is document TC9009 from their support documents. (Many documents require a login to access, but quite a lot of interesting ones don't)


Section V - Operations


B. Stripping Pipe Through the Closed BOP


d. Keep the packer lubricated while stripping to prevent excessive wear. Do not move dry pipe through the packer, except in an emergency.

e. When stripping out of the hole, leakage of well fluid (if other than dry gas) will provide adequate lubrication.

f. When stripping into the well, apply lubricant to the pipe, and especially to the tool joints or couplings. Suitable lubricants, in order of preference, are:
1) oil
2) oil-base drilling mud
3) water-base drilling mud
4) water with gel
5) plain water


i. If the packer is closed tightly enough to eliminate all leakage, packer wear will be greatly increased. The graph below shows the approximate closing pressure required to seal a given bore pressure when stripping.

j. As a new packer begins to wear during stripping, sealing is improved, and the closing pressure required to seal on pipe will decrease. For this reason, closing pressure should be reduced as often as is necessary to maintain slight
leakage for lubrication of the packer.

k. When the packer has become severely worn during stripping, leakage will begin to increase. When
leakage cannot be controlled by increasing the closing pressure, the packer is nearly worn out, and arrangements should be made to replace the packer.

Note - stripping is normal operations. Wear is expected. Only when the preventer has been seen to be unable to seal at all is it worn out. The preventer was used in normal operations and was sealing after the stripping event that the 60 minutes show was so worried about. It was clearly within normal operating parameters, and the stripping event that it was subjcted to was not outside its design limits.

Case closed.

Well, I never saw the 60 minutes show, don't have TV, but thanks for the explanation. As far as pounding the gavel on this one, I am still interested in following the forensic examination,( has it started yet ?), so for me it's not really case closed.

I never saw the 60 minutes show, don't have TV

Isaac, ask The Google to fix you up with it at CBSNews online (it's in several segments).

Here is the Mike Williams interview (two modes).

60 Minutes - BP disaster - Deepwater Horizon survivor Mike Williams pt 1
60 Minutes - BP disaster - Deepwater Horizon survivor Mike Williams pt 2
60 Minutes - BP disaster - Deepwater Horizon survivor Mike Williams pt 3
60 Minutes - BP disaster - Deepwater Horizon survivor Mike Williams pt 4

Mike Williams on 60 minutes http://www.youtube.com/watch?v=0onXmlFgF8I

Good work, NRD. I was too rushed to supply these this morning, so thanks for making it right.

The videos are not available any more because of infringement of a copyright.

They (Part I & Part II ) of Mike William's interview on "60 Minutes" are still available at CBS.


Gail, may I make a suggestion. There is still impact in the area. Perhaps this could evolve to a recovery or maybe a moratorium post.

Open thread, take it there.

Any beach cleanup happening? BP cut 0ff P2S a couple days ago.

Yes, there is some cleanup happening, but I have yet to see that current team in action. Here is the latest Ben Raine's story.

Oil lingering in waters off Alabama, Mississippi and Florida beaches
A good deal of oil remains in the shallow waters closest to the beaches in Mississippi, Alabama and Florida, according to a federal team using shovels and snorkeling gear to survey the coastline for submerged oil.
The team found tarballs washing ashore with every wave Wednesday morning in the Bon Secour National Wildlife Refuge. And just off the beach, in about 3 feet of water, the team found bands of oil buried under 4 or 5 inches of clean sand


Edit: I am shocked by this one. Ben Raines has 23 followers on the al.com website. TinFoilHatGuy has 21 and growing. I am not bragging, I am saddened by the indifference.

You won't be seeing P2S in action. My understanding is that they were the primary hire for cleanup in Alabama and Florida.

Effective Sunday, September 19, P2S's beach cleanup work has come to an end. This includes the Qualified Community Responder program, which involved providing job opportunities for local, unemployed residents of counties directly impacted by the oil.

What did the Yucatan Peninsula do to anger God? First Chicxulub and now it seems they have had several major storms over the last decade. It is such a beautiful place.



Seriously, man, didn't you see the movie??? ;-)

FDA Update, Seafood, by State

EPA Coastal Water Sampling

EPA's surface water samples collected September 10-11 and 13-14, 2010 along the Gulf coast did not reveal elevated levels of chemicals usually found in oil.

Analysis of water samples collected along the Gulf Coast September 10-12, 2010 did not detect levels of dispersant chemicals above the reporting limit.

I just ran across Dr. Robert Bea again, fractured salt formations leading to seeps, etc. A catalog of oil industry "experts" discredited by DWH hasn't been compiled but I think it'd be fairly long.

Since this thread is going to be shut down I'll announce two IRC channels dedicated to the gulf oil spill. I set these channels up in August anticipating a time when discussion here would end and discussion on #theoildrum is too restrictive and adolescent in nature in my opinion. I also wanted to separate discussion of well operations from discussion of cleanup aspects. I believe it's a natural divding line many people prefer.

These channels are on DALNet. I chose DALNet because it has full user and channel registration.

#Gulfoilspill - Deepwater Horizon disaster - Well operations.

#Gulfoilspillimpact - Deepwater Horizon disaster - Cleanup aspects.

Webpage for both channels is channels.dal.net/gulfoilspillimpact

I will be logged in much of the time but will be afk much of the time. With the well being P&Aed I'm losing interest like other people are.

The main issues I had with #theoildrum were meaningless irelevant discussion being allowed and relevant discussion being prohibited because it's not about ROV operations.

These channels allow full range of relevant discussion, technical - scientific - economic - political.

When I am there meaningless irrelevant discussion will get people quieted as a warning, and kicked / banned if they don't heed the warning.

When I am there personal attacks are not allowed period. Someone making a personal attack will be kicked the first time as a warning and banned the second time, no appeal. People need to learn to keep their comments on the discusssion and off other people. Attack someone's comments all you want, but don't cross that line and attack them personally.

In full agreement about #theoildrum, and I'm sure that there are numerous tech/engineer people who will appreciate their own channel. I hope that it doesn't cause a wholesale tech bailout from TOD.

I don't see why the DWH thread has to die. For that matter, starting up a new thread after ~400, the first three posts could be Tech, Other Related and OT which could work assuming people stay in their lanes. It's been messy here but I'm staying. Since I can't contribute engineering insight, that's probably okay with you.

Sorry, Dude,
But you should look at TOD as a guide of how to do a forum correctly...

If you haven't figured it out by now, you never will!

previous thread http://www.theoildrum.com/node/6975#comment-724196 --by rovman
"My ROVs may have slipped from the limelight back to their murky depths, but I'll stick around."

Not so fast! I just spotted one guarding a Subsea Evidence Basket Recovery at about 200'.
Wonder what's in it.
Seen a suspicious looking shrimp, but Oly2 didn't flinch, it could've been a dead shrimp.

Good article about oysters in Louisiana waters and the impending spratfall (great word!) or lack of. The locale is east of the river, not far from the MR-Gulf Outlet canal.


About the nesting site of the Kemp's Ridleys in Mexico with some interesting detail and a good picture. Includes some questionable notions about the spill.


Oh yeah, "spratfall" is wonderful! The rest of the info there is more promising (long-term anyhow) than I might have hoped too, so fingers crost. Thanks, Gobbet.

Lotus, we probably won't even notice the bulge when it gets to Louisiana, the Mississippi is huge down here, not so much up near its source.

A bacterium walked into a bar. The bartender said, "We don't serve bacteria in this place." The bacterium said, "But I work here - I'm staph."

LOL... Respect Bacteria... Its sometimes the only culture some people have!

The bartender replies " Get outta here, I'm tellin' ya', you and that amoeba you rode in on before I call the bouncer out here, I lichen him to be a fungi, but you are getting under my skin."

wah wah wah


Doan nobody shoot the messenger, okay?


On criteria including "corporate economic, environmental and social performance, assessing issues such as corporate governance, risk management, branding, climate change mitigation, supply chain standards and labor practices,” BP's been thrown out of the Dow Jones Sustainability Index.

Who's taking BP's place? Halliburton. And who else is on there? Nalco.

Just though y'all'd like to know . . .

lotus - just checked the mail...no invitation for the Rockman. Monday for sure. LOL

Thank you Gail! I was steeling myself for the wistful and quiet, desperate feeling of the dissolution and separation from the blow out group here.Alas! A reprieve! Thanks again! Heh! Heh!

Press Briefing by Federal On-Scene Coodinator Rear Admiral Paul Zukunft (9/24)
This includes Q&A with David Valentine:

They are missing the opportunity to educate reporters and readers about the inevitability of residue, the inevitability of sedimentation, and the kinds of hazards that sedimented residue may or may not pose. There are too many comments that play into the phony "hunt for the missing oil" meme.

Janet Baran of NOAA has encouraging words about inshore sediments, but she ought to be emphasizing that there is some tar, otherwise people will think she is lying: "Much of the near shore sediment sampling is already completed, and the indicators we're getting from there so far is a lack of presence of oil in the sediment."

Quantum's topic of why some waters are still closed to fishing came up:

Reporter: If the protocol for reopening fishing areas is the evaluation of oil movement, oil in the water column, sheen on the water and the seafood assessment, why are so many square miles still closed? Does that mean that the seafood is tainted or there's oil in the water?

Paul Zukunft: No, right now we're waiting to get a representational sample for a number of fish species in those federal waters that remain closed. We do have a number of vessels that are out there with NOAA observers on there to actually catch those fish and then run those through the laboratory results. And so that is actually part of the process to get those areas reopened.
But the key part is having a representational sample.

There was a pretty smart question about whether intermediate breakdown products are being tested for, and the answer seems to be "no, but that's OK":

David Valentine: The compounds that are being analyzed for are the standard toxic compounds that are known in oil. And these include the polycyclic aromatic hydrocarbons as well as other hydrocarbon components within oil. The issue of breakdown products is a very tricky one, and it moves into the academic realm, which I'm always happy to talk about, because I'm a geochemist, and that's what I do for a living. But it's – you know it's really insider talk, insider speak. A lot of it – and the bottom line is that – so the kinds of breakdown products that we're talking about tend to be fairly low on concentration. These are intermediates or terminal products. And they're not – they're very difficult things to analyze, and they tend to be at very low concentration. Personally, we are trying to look for those at very trace levels. That's one of the things that my research entails. But it's not, to my knowledge, part of the standard plan, because these compounds tend to be very, very low in concentration.

Baran adds, "We have a live mission log at NOAA.gov where we have blogs from all of our vessels that are out, giving live updates on what they're finding. And also, if you would like to see the sampling location data and results, you can go to GeoPlatform.gov." Here are the blogs:

Thanks for more good work, Gobbie. (I don't want to think about how much we'd have missed out on here without you.)

Zukunft said, "I have the best of science here surrounding me just as we did, when we did that relief well, which was a feat – quite a feat onto itself to be able to intercept that well from three miles away, a seven-inch casing intercepting a seven-inch casing." You know, that phrasing blew me away as no other description of the intersect has -- so simple and vivid. Day-am. Science or magic?

Thanks, lotus, but I've gained here so much more than I've brought.

Here's a new whale shark link for you, but no definite information about mortality. At least they are still being spotted [heh] in the northern Gulf. Also Ben Raines mentioned seeing some a week or so ago.


And on oil still showing up around the delta, & cleanup progress:


The article suggests this oil has been in the vicinity for a long time, which seems more plausible than "still coming ashore."

From your NatGeo link:

Sightings of sharks near Florida's Gulf coast have led to speculation that the sharks and other large marine species may have been displaced by the oil and moved on to a more pristine neighborhood.

During the summer months following the oil spill, Mote scientists began chronicling repeated near-shore observations of large marine animals, such as whale sharks, that are typically found in far deeper waters out near the eastern Gulf's continental shelf.

"This summer unusually high numbers and species of sharks were here on the West Florida Shelf, and that includes whale sharks in much larger numbers than we are accustomed to seeing," Hueter said.

Those animals may have headed east to escape the oil, though no one can say for sure.

Good move, Team Speckled!

Astonishing isn't it?

The first time I saw something remotely like this was on a trip to the Grand Canyon in 1987. They chose to install a new water line from the river to the visitor centre via a hole drilled from the rim to the base of the canyon rather than a surface pipeline.

One of the directional drilling companies stepped into the breech and filmed it as a PR stunt. They started drilling about a mile back from the rim, and popped the bit through a circle painted on the rock face way down below. I was gobsmacked.

I ended up in the industry and many years later I'm still amazed by the technology.

I was gobsmacked ... and many years later I'm still amazed by the technology

Yes, bignerd, "gobsmacked" is exactly the word I want. But what amazes/gobsmacks me even more than the technology is the imagination that accounts for it. You know, as we see here on TOD, there are all kinds of intelligence at play in the world. But the kind that envisions and then produces the machines and processes to pull off miracles like your Grand Canyon story and John Wright's #41 -- well, that's so foreign to anything I understand, all I can do is marvel, jaw-dropped. Cor blimey.

bignerd, they used an air and mist fluid with modified mud drilling gear? Cool.

Pix from GSM here: http://www.gsm-inc.com/gallery_gc.php
Abstract with details here: http://www.onepetro.org/mslib/servlet/onepetropreview?id=00016169&soc=SPE

Cool! I hadn' heard anything about that. Thanx for sharing.

That was it! Thanks for the links OFB.

I like the understatement of :

"The visibility and accessibility of the exit point afforded an opportunity to compare downhole surveying techniques with surface systems of known and verifiable accuracy."

And then there is the classic :

"Drilling problems encountered included: loss of circulation, fractures, solution cavities, severe torque and drag, severe drill string damage, hole cleaning, and sealing and cementing of an open-ended annulus."

BP has another scientific study to worry about:

-average of 56,000 bbl/day from 4/22 to 6/3 (+-21%)
-average of 68,000 bbl/day after riser removal (+-19%)
-44 million barrels released into ocean (+-20%)

AP reports this study confirms earlier government estimate.

Locals blame Transocean and BP for oil spill

As the Swiss-based drilling contractor Transocean prepares to release its report into the Gulf of Mexico disaster, swissinfo.ch takes a stroll along the Florida coast.

Anger and suspicion are the main emotions one encounters in Pensacola, a small port in western Florida, where inhabitants feel that British oil giant BP and Transocean share responsibility for the catastrophe.

Business owners, public officials say claims process inequitable

Business owners and public officials in Baldwin County say they are alarmed by reports of employees receiving more money for oil spill claims than owners of the businesses they work for.

It is just another aspect of their biggest problem with Ken Feinberg’s Gulf Coast Claims Facility — that business owners near Baldwin County’s once-lucrative beaches get checks that cover only a fraction of losses suffered after the oil spill began keeping tourists at bay.

Well maybe they are getting the short end of the stick but let us think about something. Let's say I own a restaurant that had to close. No employees to pay and minimal variable expenses. Feinburg uses tax forms. Unfortunately the tax system is setup to cheat. I have owned a business before. You do not pay yourself very much and you get to avoid excessive triple taxes. When you have a problem like this however, there is nothing else to go on. Most business owners I have talked with expect a percentage of gross receipts. I am not sure what is fair but I know there are arguments for many different methods.

Nice little (if somewhat self-serving) summary re: the blind shear ram headscratcher.

I wonder if that random collection of words pisses off oilfield guys as much as this random collection of words pisses me off as a former ASE Master. Sheesh.

It would seem that the single vs dual BSR question provides the near perfect (is anything perfect) case for performance code. See the discussion up-thread with Deepwater Engineer and Alaska_Geo. Here is a case where the perf. requirement might be "too be able to sever all casing and drill strings in the event of a catastrophic event and guarantee with '100'% (well maybe 99.44%) probability of shutting in the well". Obviously, you are able to "guarantee" severing the pipes with a single large enough shear even if a joint should be in the shear, but not if the hyd. fail on the first shear. Therefore, to reach the higher probability a second shear would be required, and shear capability might be the providence of the licensed designer. In the present it was essentially left up to the $ arguement between two companies, one of which was essentially subservient to the other. Not a good plan from a performance or ultimate safety point of view.

Нужное дело, хорошие статьи, но спамеры лютуют, вот и я отписался

Вы не говорите по России, змея?


Но я знаю, спам, когда я это вижу.

ЛОЛ, snake, but I think it was just a polite goodbye from someone who expected a higher signal to rant ratio here.

Or it could have been a message from the other side.

066-38-0219 November 4, 1887 December 1, 1967 80 years NY 11598 (Woodmere, Nassau County)


Okay, think I got that part . . .

구글 번역 스팸 아르

Google translations are spam, claims my Google translator...

Slinking back into lurkerdom....

Do you speak Korean?

Nope. I just use the Google Translate addon for firefox...I used to hang around Japanese forums a bit reading news about Manga a bit...and got pretty handy with it (and how to interpret mangled translations). They've really improved it a lot this last year.

They've really improved it a lot this last year

True dat -- nowadays I can generally stay upright while laughing at their renditions, whereas earlier they invariably sent me to the flo'.

Heh-lo there, sport!

Mainstream Rag Forced To Issue Apology
As post-publication fact-chect reveals that articles written by partisan internet hacks tend to be inaccurate

Mr. Gingrich described Mr. D’Souza’s theory as “stunningly insightful,” while an editor at The Columbia Journalism Review called it, “the worst kind of smear journalism.”

One of the most contentious points in Mr. D’Souza’s article was his citation of a transaction by the Export-Import Bank of the United States to finance offshore drilling in Brazil, a deal Mr. D’Souza believes indicates Mr. Obama is more concerned with helping countries that formerly were the domains of colonial powers, rather than Americans.


Brazil Loan Helps U.S. Manufacturers

Printed in The Wall Street Journal, page A12, August 21, 2009

Petrobas looks like a popular investment. From today's Drumbeat:

...the final amount to be raised would probably be 70 billion dollars, Brazil's Finance Minister Guido Mantega said. If that is confirmed, the capitalization would indeed be the biggest on record, exceeding the amount raised in 1987 by the public share offering of Japan's Nippon Telephone and Telegraph Corp...

From the NYT story:

... A note written by Kevin Varney, the senior vice president and chief of staff of the bank, and posted in the comments section of Mr. D’Souza’s blog — and verified by a spokesman for the bank — criticized Mr. D’Souza for not contacting the bank before publication.

“I received a call yesterday from Nathan Verdi, a fact checker at Forbes, who was calling to fact check your article after it was published. (Is this how journalism works now?)”

In an interview, Mr. Varney explained that the transaction “was begun in 2008 with career staffers and approved in 2009 by five Bush-appointed board members.” Furthermore, he said a transaction like the Brazilian one — which provided loan guarantees for Petrobras to purchase drilling and safety equipment from United States manufacturers — did not even rise to the level of presidential awareness.

Mr. Varney said that to cite the deal as evidence of “an anticolonial, Kenyan ideology” on the part of Mr. Obama is “preposterous, it’s false and it’s wrong.”

Yo, "Preposterous," "False," and "Wrong" are Dinesh D'Souza's middle names.

Please forgive, but this whole incident and our predicament reminds me of a quote.

"Only, thank God, men have done learned how to forget quick, what they ain't brave enough to try to cure."

Standing O for that one, rc. Thanks.

sorry lotus, but i am an old man and do not understand your message. please forgive.


edit: Standing ovation. Wheel of Fortune

Wheel of Fortune?

Skill used to solve. Based on hangman ;)

Excuse me, rc. I was giving you and Faulkner a standing ovation.

Thanks lotus. But I just read it. The engineers and techies have navigated TOD and its readers through this mess, but we always have to turn to the poets, even though they sometimes write prose, for the real lessons of our trials. Too bad we will so soon forget. The story of Gilgamesh tells us that fighting the common fate of humans is futile and diminishes life's joys.

Aha. From a "rube cretin," we get Faulkner and Gilgamesh.

Take a lesson, chirren: "old" don't matter a whit if you can stay whimsical.

Aha, a lotus of the Blue variety.



The first Chilean mine rescue capsule arrives on site and shows that people with more than 35cm waist can get in.


Feds establish downtown bunker to build criminal, civil cases against BP in Gulf oil spill

Maryland is hungry for Louisiana crabs, but Louisiana can't deliver

BP Says Company's Oil Spill Study Had Limitations

MACONDO – Things will never be the same again

and lastly, the most recent Twittergasm, "Corexit being used 'as we speak' — 'Sprayed directly into inland waters'" referring to yet another FOSL bag of garbage, attributed to "Toxicologist Dr. Riki Ott interview, Ring of Fire (Mike Papanatonio, Esq.), September 25, 2010".

My law-prof friend who calls Papantonio "a very successful ambulance chaser" probably wouldn't be surprised that he's unfamiliar with the actual facts.

Note to SL (among others): snakehead's first link includes one of those boffo T-P graphics overviewing the helluva-lot that’ll be going on in court.

Apparently Rikki Ott has done honorable work in Alaska in the past, but she's talking like a nutter nowadays. The first time I saw her interviewed on the Maddow show this June, I thought she sounded too angry to be a trustworthy voice. (That doesn't mean she can't be right about some things; she may well be.)

Hi Gail and all, RE STUXNET
I do not comment much, although I have been a follower of this forum more or less since inception. As the GOM BP disaster has elucitated there are many systemic issues in regard to personnel safety and environmental factors in our high energy industrial processes. My children have senior technical positions in those extractive industries. I worry about them and their children, obviously.
This new targeted computer worm threatens all of us not just my sons and their children. I believe, there is a good case for the TOD to invite a leading expert to post on this topic.

I found an interesting seminar that presents the impact of Stuxnet on all industrial control users and manufacturers and is conducted by industry experts. It is called, "The Stuxnet Worm: Reality check for automation system security (71 minutes)"

The worm can be turned. The oil industry is a big target with both the refineries and rigs at risk. See the discussion about BSOD above, I would worry about how safe the IT infrastructure is, within the industry. They do not seem to be keeping up with maintenance up updates. Discussion would be very on topic IMHO.


There are a number of products that are claimed to be able to prevent endpoint systems from being infected. Industrial Defender HIPS Manager, CoreTrace's BOUNCER, etc. For that matter, Microsoft Security Essentials and several other garden variety AVs now detect and prevent entry by W32.Stuxnet. What the next generation will do is anybody's guess; it's an ongoing war.

Here is what appears to be tremendously good news--story and delightful video by Ben Raines. A UNC researcher who has been seining grass beds in the Gulf for five years says the year's crop of young fish and shrimp looks good in MS, AL, and FL waters.

There were pinfish, pipefish, blowfish, starfish, stargazers, mahara, anchovies and white perch. The crabs included spider, grass, mud and blue. Buried in the grass and algae were thousands of amphipods — the bugs of the marine world — and shrimp smaller than a grain of rice. But the stars of the show were the snapper and other gamefish. Tiny lane snapper, smaller than a house key, were mirror-perfect images of their much larger parents. It was the same with speckled trout, as small as an inch long.
. . . .
We can only talk about the young fish that colonize the grass beds,” he said, “but those species look like they are in good shape.”
. . . .
Fodrie said, “We’ve seen more speckled trout in Grand Bay than we’ve ever seen anywhere else along the coast. There are literally millions of speckled trout in the water. The ones we’ve cut open have been eating a ton of shrimp. The snapper have been eating little worms, crustaceans, shrimp and even really small fish.”


Terrific, Gob. Wonderful to hear Ben sounding that encouraged. (Great rhythm in that first sentence you quote, huh? Rattled it off to my cats, and they commenced to dance.)

Nasty stingrayses, wants to hurt Gobbet.

They mean. Fling 'em back fast! (With a shovel.)

Please, if you enjoy Ben Raines' work and support his continued position as the Mobile Press Register's Environmental reporter, sign up and follow him on http://www.al.com . As of last check he only had 23 followers and I had 21. In my opinion from following him there for months, he is worth trying to keep around. Also if you feel compelled to leave a comment pro or con, the locals do really appreciate at the concern that YOU and the other good folks show for our area and the GOM as a whole. Thanks.

Website claiming that the Lead Safety Officer at Port Fourchon, LA alleges that fake HAZWOPER certificates were used during the cleanup. There's also a disturbing video about sharks possibly feeding on bodies and other allegations.

I don't see anything there that suggests sharks. Does anybody? Might be something like a school of big jacks on a ball of bait.

But it's easy to imagine widespread abuse and fraud among the contractors recruiting poor folks to do cleanup work.

Could be sharks, could be big jacks, who knows. "[W]e were not allowed to share even minimal amount of information [about personal protective equipment] with the workers." If the documentation is legitimate, BP's civil liability risk may have just gone up.

Who knows? Me. No shark fins, no shark noses, a bunch of quick medium-sized pops spread out over an area 10' wide or more. It's a school of medium-sized predatory fish of some kind.

That doesn't look like sharks to me either but we're looking at a mediocre quality video through a zoom on a cam that's jumping around relative to what it's looking at. The video, whether or not the observers think it's sharks eating bodies, shouldn't trump the rest of content.

He provided me with documentation of everything he chronicled to me, but unfortunately, it’s too much to post here. Trust me when I tell you there are pages and pages of forms, photos, slide shows, certificates, you name it.

We-ell . . . even if the whole lot is "too much to post here," a representative sample or three would suffice.

A lot of this is plausible, but the suggestion that enough human tissue remained after that two-day all-out crematorium to interest sea critters -- huh-uh, that one completely fails the straight-face test. What a scurvy claim.

Sharks - rubbish. Just a ball of fish in the water probably being surrounded by predators. We see it all the time with shoals of yellow-fin.


War of words heats up:
Bloomberg, Sep 26, 2010
BP Ignored `Red Flags' Before Gulf Well Blowout, Halliburton Official Says

A Halliburton Co. executive disputed BP Plc’s allegation that the company’s cement job let oil and gas flow up to the Deepwater Horizon drilling rig, contributing to the blowout in the Gulf of Mexico.

Thomas Roth, vice president of cementing for Houston-based Halliburton, said today that BP’s well design was to blame for the explosion that led to the biggest U.S. oil spill.

Experts question BP's take on Gulf oil spill

2:37 P.M. — WASHINGTON — Engineering experts probing the Gulf of Mexico oil spill exposed holes Sunday in BP’s internal investigation as the company was questioned for the first time in public about its findings.

page 2 of 2:
"One wanted to know whether a device designed to shut off an engine when its starts to rev — as it would in the presence of gas — failed. BP said it didn’t know if the device worked or not."

I'm betting the device was disabled, on purpose. I'm also betting these devices haven't improved.
They always malfunctioned at the worst time and I used to yank these off (back in my younger days.....) and throw them in the pit. All the rigs I've ran had manual emergency fuel/air shutoff - hit it and run like HEdoubleL!

And what did Halliburton have to say? Or do we have to wait for the report with the committee's preliminary findings to be published at the end of October?

You can listen to all of today's proceedings at


Cool! Thanks Mphi.

I wonder if anyone has any more thoughts on the sequence of events that led to the failed BOP being pulled without the expected drillpipe suspended beneath?

In their accident investigation report, BP provided some interesting insights into what they interpreted about ram and drill pipe positions from available data up until shortly before the BOP was removed and investigated. This includes :

- analysis of ram hydraulics, and modelling of pressure transients in the wellbore during BOP operation
- results of the X-ray and gamma ray imaging they did of the BOP rams shortly after the sinking
- interpretation of the pressure drops they measured across the various rams with the well flowing
- findings from the cut riser section raised to surface with severed drillpipe therein
- interpretation from the pipe segments they viewed within the BOP stacks using cameras during the fishing operation

See the following, around page 164 (you need the full report which is a 13MB pdf download), which contains some fascinating photographs


Their theory as I understand it is that :

- the lower annular preventer was activated during the blowout but probably didn't seal fully
- one or more of the VBRs was probably also closed by the hands and probably did seal the annulus off prior to the explosions at around 21.46 on the 20th
- hydrocarbons that had already made it into the annulus vented to cause the explosion
- following the explosion, rig drift likely stripped the drill pipe through the sealing VBR possibly damaging it
- in addition, with the IBOP not closed to shut-in the drill pipe itself, failure of surface equipment may also have allowed a leak path through the drill string to feed the flames
- high velocity flow past the leaking lower annular preventer caused serious erosion of the drillpipe just beside a tool joint (see interesting photos)
- the BSR was finally activated by ROV with the well flowing at high rate around 3 hours before the rig sank at around 10am on the 22nd but failed to seal the well
- during rig drift the eroded section of pipe had been pulled up 25 ft into the riser where it fractured (potentially during the sinking) allowing the string above to fall back down side by side and lodge near the upper annular
- a single pipe was thus present through the BOP with a tool joint potentially just below the BSR
- pressure measurements taken prior to top kill attempts in May also suggested closure but leakage of the VBRs

Some of this appears fairly conjectural, but I do now partially understand BPs comments around the fragility of the drillpipe during the fishing operations.

What we know that BP didn't is that the BSR had completely severed the pipe, as had the casing shear (though who knows when the latter was activated). And pipe was visible above the upper VBR so the string must have been held up by a tool joint above one of the VBRs.

I'm still quite surprised by the appearance of the flow from the exposed drillpipe section when the riser was removed; it cann't have been directly linked to the wellbore below, but must have been funelling flow nevertheless.

Do we assume that erosion of the pipe via high velocity flow across a leaking VBR caused the pipe to drop some time during the 3 months of flow?

Will be interesting to see what they pulled out of the VBRs.

When the marine riser was cut off after the attempt at a top kill there clearly was a difference in the flow up the drill pipe and up the annulus around the drill pipe. I stongly suspect based on my modeling that the flow was low enough that in the annulus mud settled out. But up the drill pipe the velocity was so high as to coninue to carry mud out. The velocity below the drill pipe was high enough to cause turbulence and bring some of the mud up. The convincing video was when one of the ROVs did a 180 around the cut off pipe and there was a chocolate milk colored flow about 90& width of the cut off marine rise. That shot was perpendicular to the cut the shears made which flattened the drill pipe. As the ROV rotated to the perpendicular view in line with the shear clamp, the lighter colored flow narrowed and it was obviuos it was flowing up from the drill pipe. Outside the flow from the drill pipe was showing more gas breakout. This would be expected since very little gas would tend to enter the drill pipe and more would gravitate to the annular restriction. Erosion may have played a part in the pipe falling from the BOP as a flow restriction through the VBR woudl have had some long term effect as the annular flow was significant. May not have take much to make it break off when the BOP was lifted. May have done so before the Female part of the HC connector cleared the the end of the male part.

Just a hypothesis though. No data to support.

I guess my point is that prior to the bop inspection I think many including myself imagined from the velocity of the flow through it that the drillpipe extended through the bop to the wellbore beneath. 

Post inspection it became clear that both the BSR and CSR had completely severed the pipe so that the overlapping blades were obstructing the internal bore of the BOP and flow was via eroded channels around the blades.

Hard to explain the observed flow from the dp then.

Also interesting that the effectiveness of the BSR was so compromised by it's activation under flowing conditions, I hadn't really thought of this as a failure risk before. 

The Hackers Behind Stuxnet

While we don’t know who the attackers are yet, they did leave a clue. The project string “b:\myrtus\src\objfre_w2k_x86\i386\guava.pdb” appears in one of their drivers. Guava belongs to the myrtus plant family. Why guava or myrtus? Let the speculation begin.

A Silent Attack, but Not a Subtle One

“Proliferation is a real problem, and no country is prepared to deal with it,” said Melissa Hathaway, a former United States national cybersecurity coordinator. The widespread availability of the attack techniques revealed by the software has set off alarms among industrial control specialists, she said: “All of these guys are scared to death. We have about 90 days to fix this before some hacker begins using it.”

The ability of Stuxnet to infiltrate these systems will “require a complete reassessment” of security systems and processes, starting with federal technology standards and nuclear regulations, said Joe Weiss, a specialist in the security of industrial control systems who is managing partner at Applied Control Solutions in Cupertino, Calif.

Only technical stuff from me...

It may be helpful to take a small step back and define something about programming for those not versed in subject. When writing a program, an option called debug is turned on. This option is normally left on until program is complete. When complete, the option is turned off and the source code is recompiled/relinked to produce output files that are distributed elsewhere. During debug phase, additional mapping files are created that contain information mapping source text to output binary executing code. These mapping files, with the file extension .pdb, are used to help IDE to run program one line at a time or run until a marked line is reached or many other helpful options that aid the verification that program runs as expected. The source code file and debug (mapping) file have the same base name and the file extension is changed. The base name is normally named to describe the functionality of the code within the file. For example, drillpipe could be used as a name that defines data and functionality for code that stores data or operates upon data specific to a drillpipe. However, the name can also be a metaphor or acronym representing functionality or even just a pet name that the programmer enjoys.

Normally, many source files are used with each file performing its unique set of tasks. The overall purpose of these tasks is called the project. The naming of the project is similar to naming of source code file and is left to discretion of programmer. For example, the project name oilrig could be used for an application that displays information about an oilrig and drillpipe would be one of many source files.

With that said,
myrtus is the project name and guava is a source code filename. I don't think the application is about fruits, so these words are either metaphors, acronyms or pet words. The other names in project string are automatically created by compiler and indicate compiler option settings.

Edit: typo corrected

The well is still leaking, looks they they tried caulking the mudline or something. Even though it is out of focus you can see a stream coming up by the ends of the yellow stripes.


Good view of a steady stream hitting the wellhead.


Another stream hitting the wellhead.


Caulk? Yeah that's the ticket. Well, just don't look at it. If you don't see it, then it doesn't exist, right? *winks*

Going through the al.com site and came across this Ben Raines photo. This is an unusual specimen. A Stargazer. WTH I read on wiki where this little guy is related to the famed denizen of the deep the angler fish. Uses electrical impulses to disable. Good thing the hand is covered in neoprene. Clickable photo.

Good thing the hand is covered in neoprene

I'll say. That fish looks pissed.

Baby fish show up in big numbers despite Gulf of Mexico oil spill (with video, photos)
Seems Ben was inundated with sea life during his trip. The Pipefish and the little Burrfish are way cool. I am going to naively assume they returned these guys or used them for vital research. Sorry SpongeBob. Thanks for the comment.

You just can't top that guy's type of in depth coverage and detailed analysis. If BPOD doesn't get a Pulitzer I'm protesting.

If BPOD doesn't get a Pulitzer I'm protesting

Damn straight, Mainerd. (But I'm gathering some bandannas for ya to cry into, just in case.)

Good AP update: Chile's Trapped Miners Get Brad Pitt, Not Nintendo

Boy, did they (relatively speaking) luck out:

The collapse happened just as the men were gathered for lunch in the refuge — a space about 12 feet by 12 feet (four meters by four meters) with a fortified ceiling nearly 15 feet (4.5 meters) high that normally doubles as a dining room in the lower reaches of the mine. Any sooner or later, and some of the miners probably would have been crushed.

When the dust finally settled about five days later, they could see they were trapped in a large open space, about 1,200 feet (360 meters) long, that runs up the corkscrew-shaped shaft to another workshop about 2,000 feet (600 meters) underground. The space had several mining vehicles with battery and engine power, a chemical toilet and industrial water, which together with their meager emergency food supply enabled them to survive with no help from the outside world.

The Guardian describes their training for the escape:

The men are expected to be rescued next month. If the current three rescue operations fail, a ... fallback plan calls for the men to climb up ladders for hundreds of feet unaided, a physical feat so daunting that a personal trainer has been hired for the men.

Jean Christophe Romagnoli, an adviser to the Chilean armed forces and professional athletes, has spent the past two week training the men in preparation for more strenuous gym classes. "They have a two kilometre stretch of tunnels. The men are walking the tunnels and some are jogging. We are using US army fitness training, so the men sing while they jog." ...

Once the rescue tunnel is complete, two people will first be lowered into the hole. "A miner and a paramedic with rescue training," said Dr Jaime Manalich, the Chilean health minister, as he outlined the schedule of what he described as a 500-person rescue operation.

Once lowered into the hole, the paramedic will administer medications and intravenous hydration to the men. Sedatives will be used if necessary to calm the men before the dramatic ride to the surface. ...

A maximum of two members a family will be allowed to visit briefly as soon as each man is pulled to safety.

Sooooo, which wom[a/e]n will greet Sr. Barrios (and will [she/they] have been frisked and he sedated)? Stay tuned . . .