Microsoft Word - 476hernandez.docx


CHEMICAL ENGINEERINGTRANSACTIONS 
 

VOL. 43, 2015 

A publication of 

The Italian Association 
of Chemical Engineering 
Online at www.aidic.it/cet 

Chief Editors:SauroPierucci, JiříJ. Klemeš 
Copyright © 2015, AIDIC ServiziS.r.l., 
ISBN 978-88-95608-34-1; ISSN 2283-9216                                                                               

 

STAMP Analysis of Deepwater Blowout Accident 
 

Rogério F. Pereiraa, Claudia R. V. Morgadob, Isaac J. A. L. Santosc, Paulo V. R. 
Carvalho*c 
aFederal University of Rio de Janeiro , Environmental Engineering Program, Brazil 
bFederal University of Rio de Janeiro, Polytechnic School - Poli, Brazil 
cNational Nuclear Energy Comission, Institute of Nuclear Engineering, Brazil 
paulov195617@gmail.com 
 
The aim of this study is modeling the main relationships among variables that influence the process safety of 
Petroleum exploration and production. To model these relationships we used the Systems-Theoretic Accident 
Model and Processes (STAMP) in the Deepwater Horizon accident occurred on April 20, 2010 in the Gulf of 
Mexico. A new holistic perspective based on systems theory, systems thinking, and resilience engineering 
brought by new analysis models like STAMP (Leveson, 2004) or  FRAM  (Hollnagel, 2012) is needed in complex 
socio-technical systems such as exploration and production of oil. It is a view which sees “human error is an 
effect of trouble deeper inside the system…[where] the focus of analysis must turn to the system in which people 
work: the design of equipment, the usefulness of procedures, the existence of goal conflicts and production 
pressure” (Dekker, 2007). STAMP incorporates three basic components: constraints, hierarchical levels of 
control, and process loops. Accidents are understood “in terms of why the controls that were in place did not 
prevent or detect maladaptive changes, that is, by identifying the safety constraints that were violated and 
determining why the controls were inadequate in enforcing them. The STAMP analysis of the Deepwater 
blowout, recognized by some authors as the largest accident in the oil history, illustrates the usefulness of the 
STAMP model to foster evaluation of the whole system and uncover useful levers for elimination of future loss 
potential, thereby making progress on process safety. 

1. Introduction 

Despite the recent global economic crisis, oil remains an important source of energy for economic development. 
However, due to its own strategic importance, sometimes production goals may conflict with the need to protect 
the environment, safety and well-being. As an attempt to establish constraints to ensure the productive oil 
exploration without threatening the health of people and the environment, the oil industry has developed guides 
and manuals focused on chemical process to assist in major disaster prevention challenge in complex oil 
exploration system (CCPS, 2007). The strategy of developing the oil industry in the aspects of chemical 
processes (OECD, 2008) is interesting to help improve knowledge about the processes. However, as "complex 
systems fail in complex ways”, a safety approach focused exclusively in chemical processes may be too 
reductionist, because accidents arise from the interaction between the technological and human variables. To 
cope with complexity is necessary that the accident prevention strategy prioritizes to understand the process as 
a whole and not be focused on specific human or technological aspects. The accident prevention strategy 
depends largely on the model chosen, because models help us to understand what happened and what to do 
to prevent future accidents (Lundberg et al. 2009). Unfortunately, there is no a complete model to represent 
perfectly the reality, but it is important that the choice of analysis model consider the complexity of the studied 
process and allow understand it comprehensively, considering their inter-relationships and sources of variation, 
and sometimes the combination of normal process variables leads to disproportionate consequences. 
 

                                

 
 

 

 
   

                                                  
DOI: 10.3303/CET1543385 

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Please cite this article as: Pereira R., Morgado C., Santos I., Rodrigues Carvalho P.V., 2015, Stamp analysis of deepwater blowout accident, 
Chemical Engineering Transactions, 43, 2305-2310  DOI: 10.3303/CET1543385

                                

 
 

 

 
   

                                                  
DOI: 10.3303/CET1543385 

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Please cite this article as: Pereira R., Morgado C., Santos I., Rodrigues Carvalho P.V., 2015, Stamp analysis of deepwater blowout accident, 
Chemical Engineering Transactions, 43, 2305-2310  DOI: 10.3303/CET1543385

2305



STAMP - Systems Theoretic Accident Modelling and Processes (Levenson, 2014)  has an approach based on 
systems thinking (Senge, 1990) and resilience engineering to deal with the complexity of the socio-technical 
system such as the exploration and production of oil. This research aims to show how STAMP can be used to 
analyse major accidents in oil industry. As a case study we utilize the Deepwater Horizon accident due to their 
importance to the oil industry (Graham et al. 2011), and the possibility of new combinations of variables and 
possible accidents in future similar cases. 

2. Models of Accidents and Risks in the Oil Industry 

The accidents and risk models usually used in the oil exploration and production industry are based on the 
principle that accidents occur through well-defined and linked events, which generate an unwanted result. 
According to this model it is possible to identify one or more causes as root, which would be responsible for 
triggering the unwanted event. The traditional tools of risk and accident analysis in the oil and gas industry, as 
HAZOP, FMEA, fault tree and "Bow Tie" are based on Chain of events or variations of this. The chain of events 
models are very useful for technical systems, however when we include possible human error and recombination 
and feedbacks over time, we turn this model inappropriate. In the context of complex systems, identify the event 
generator also becomes a very subjective activity, since the system is dynamic, varying combinations and 
creating new ones over time. Sometimes we identify human error as the cause event, when in fact we have 
difficulty in identifying the factors that shaped the behaviour. As the current models of the oil industry are based 
on chains of events, it is also difficult to include organizational and systemic factors in the current analysis, since 
the causality of these factors is not linear and direct. To face these limitations of current models, models like 
STAMP (Leveson, 2004) and the Functional Resonance Analysis Method - FRAM (Hollnagel, 2012,) were 
developed and applied in different complex systems, such as aviation (De Carvalho, 2011).  

3. Systems Thinking and Resilience Engineering 

The difficulty in understanding the process as a whole by reductionist methods becomes even more difficult 
when we deal with complex problems, where there is great interaction among variables and many possible 
combinations, including interactions between human and technological activities over time. Adding to the 
complexity of human decisions, microprocessor-based and software systems control the process itself, making 
very complex and difficult the understanding of the process models therein. The research of (Senge, 1990) uses 
the words of physicist David Bohm to define the strategy to see a whole by studying the parts in a complex 
system, in which according to Bohm, would not have utility as it would be as pick up the pieces of a broken 
mirror to see a true picture. The system thinking is the discipline of seeking to understand the whole and 
combinations thereof without isolating the parties, because they alone are not important to understand the 
whole. Pioneering research in this area were developed by many researchers such Bertalanffy (1969) and 
Forrester (1961), and methods such as System Dynamics (Sterman, 2000) were developed, as a way of 
representing the inter-relationship of variables by control and feedback loops. The system dynamics models 
have received applications in resilience engineering (Salzano et al. 2014) and safety assessments (Samadi & 
Garbolino, 2012) due to its holistic vision 
  
Resilience engineering (RE) is the ability of a process to maintain control over a variable despite the inherent 
variability (Leveson, 2011). The main concept here is not to focus only on failure, because the process is 
adapting itself to variations over time, and the failure only occurs when the adaptations are not appropriate. For 
RE, we need to understand the aspects that enable adaptation, and studying only the failures do not allow us 
to understand it. Therefore accidents cannot be viewed as the result of specific events that fails, but as a control 
problem (Leveson, 2004). According to STAMP, variability exists and it is intrinsic to the process. However, the 
controls must be robust enough to keep the processes running even with the imposed variability. In this sense, 
safety would be the ability to keep the process running even within the normal process variations, and not as 
the absence of accidents and incidents. The example of Deepwater Horizon Blowout helps us to justify this 
approach. According to Graham and colleagues (2011) the platform was more than 7 years without the 
occurrence of lost time accidents when a lack of well control generated one of the biggest accident in the history 
of oil.  

4. Deepwater Horizon Blowout 

The Deepwater Horizon blowout occurred on April 20, 2010, around 21h, when the Deepwater Horizon rig 
exploded in the Gulf of Mexico. Deepwater Horizon was owned by Transocean and operated company in the 
service of BP - British Petroleum. This accident was recognized by many researchers as one of the largest 
environmental accidents in the history of oil. A set of decisions that preceded the explosion of April 20 resulted 

2306



in the death of 11 workers and left 17 wounded. The Well leaked for 87 days causing immeasurable 
environmental impacts (Graham et al., 2011). In order to understand the accident and what a blowout represent 
for the oil industry, it is necessary to understand some basic principles of the exploitation process, which we 
explain briefly below. Obviously we do not intend to exhaust the topic. 
 
According to (Skalle, 2012), the oil exploitation process begins in prospection, in which are placed seismic 
surveys to detail of the rock formations and location of potential oil reserves. Based on seismic studies, the well 
is designed and begins the drilling work. The drilling is performed with rotating drills, which arrive with other 
equipment needed in the drilling location aboard a large vessel - rig. To perform the drilling a drilling fluid is 
injected into the well during drilling. The drilling fluid has the functions of cooling the drill, to clean the well and 
retain hydrocarbons within the formation. To avoid oil invasion into the well, the drilling fluid must be dense 
enough, but cannot be too dense in order to not fracture the rock formation. After each drilling step is performed 
the completion. The completion is performed by introducing a steel tube into the well and cementing of the space 
between the tube and the well wall. A security device called Blowout Prevention or BOP is placed at the 
wellhead. This device has the function to seal the well and disconnect the platform in an emergency situation. 
When there is a hydrocarbon invasion to the well, is called kick. If the kick is not controlled by drilling fluid or the 
BOP, the well becomes out of control and this is called a Blowout. 
 
The ccident investigation report (BP, 2010) shows the following steps as the events predecessors: 
• One day before the accident was performed cementing of the well by pumping a lightweight cement paste to 
prevent oil from invading the well. The foam of cement would need to take to reduce the pressure of the cement 
column on the formation. Later the research team identified the cement as a probable cause of the accident. 
• The research team concluded that further hydrocarbons invaded the well through cement job,  
• The negative pressure test was accepted despite well integrity was not identified properly. After testing, the 
crew realized that identified differences in pressure values were due to "a bladder effect." 
• Unknown hydrocarbon flow was raising. 
• The response actions to oil invasion failed. The first control measures were close the BOP and divert the fluids 
coming out of the riser to the mud gas separator instead of for the bypass line to the sea. 
• Forwarding for the gas separator and the mud resulted in the release of gas to the platform. 
• The fire systems and gas not prevented ignition of hydrocarbons 
• BOP failed attempt to seal the well. 

5. STAMP 

Using STAMP, we do not seek specific component failures. The goal of the method is to understand how the 
control structure could not detect the variation and fix the process to ensure proper operation. The component 
failure is covered by the method, but by understanding the control structure. The real objective of accident 
investigation is not to seek human or technological component that failed, but to understand the process to 
prevent future accidents. It is reasonable that understanding the control loops and feedback can be established 
a process model that allows to adapt the changes when they occur. STAMP not intend to provide any 
quantitative result, because any probabilistic analysis would be based on past data or would not be enough to 
represent the variability and process adjustments over time According to the method, the safety constrains could 
be strengthened through controls, which use feedback mechanisms and seek to ensure system safety observing 
changes and readjusting control when necessary. The hierarchical control means it is possible to establish levels 
of control, in which the lower levels are closer to the physical structure where the accident occurs. Each level 
has mechanisms to enhance the security Constrains of the levels below and have feedback to evaluate whether 
Constrains imposed are being successful or failing. For the control actions are possible, the level each controller 
establishes a process model, which allows the identification of how the process should behave when applied to 
control constrains (Leveson, 2004) seeing accidents as control problem, we have the following classifications 
possible failures: 

I. Inadequate Enforcement of Constrains (Control Action) 
II. Inadequate execution of control action 

III. Inadequate or missing feedback 
 

6. CAST 

The STAMP model for accident investigation is known as CAST - Causal Analysis using System Theory. To be 
able to understand accidents by applying the cast method are performed the steps of figure 1(Leveson, 2011). 

2307



 
 
Figure 1: Steps from STAMP analysis using CAST 

6.1 Identify system hazard violated and the system safety design constraints  

The first step is to identify the hazard and the applicable constraints. In this case, hazard is unintentional invasion 
of hydrocarbons in the well and the constriction is to prevent unintentional flow of hydrocarbons to the well.  

6.2  Construct the Safety Control Structure as It Was Designed to work  

The next step for the accident investigation is the construction of the control structure, including control loops 
and feedback, considering the way it was built to work.  Figure 2 shows the control structure (control loops and 
feedback), as it was constructed to work in accordance with STAMP and the accident description  (Graham et 
al. 2011). The controls have the function of enforce the constraints and feedback to allow the adaptation to 
changes. Within each process, it is also defined a control model that allows to act in the process, according to 
the feedback received. 
 

 
Figure 2: The Deepwater Horizon Control Structure. 

6.3 For each component, determine if it fulfilled its responsibilities or provided inadequate control  

The third step is to define for each main component of the control structure, the safety responsibility, the 
inadequate control action, the context, and why the failure occur, as shown in Table 1. The steps 4, 5 e 6 of 
CAST are the evaluation of results considering the context in which the decision was made and possible failures 
on mental models. The model (figure 2) and table of responsibilities show that difficulties in enforce the 

Identify system 
hazard violated 
and the system 
safety design 
constraints 

Construct the 
Safety Control 
Structure as It 

was Designed to 
work 

For each 
component, 

determine if it 
fulfilled its 

responsibilities 
or provided 
inadequate 

control 

Evaluate the 
context of 

decisions were 
taken and 
possible 

migration to 
higher risks

Consider 
Dynamics and 
Migration to 
higher risks

Evaluate lack of 
enforcement of 

safety 
constrains 

Congres s  and
Legislator

Minerals Management
Service (MMS)

Concess ionary

Transocean
Halliburton

Driller /
Mudlogger

sensorActuator

well

Computerized
systems

Operator

Government reports, Lobbies,
hearings and open meetings,

reports of accidents
legislation

CFRs (Regulation / Law),
Fines, Penalties,

Permissions, Surveillance

Accidents / Incidents reports,
Operational Reports, update,
Change Reports, Complaints

Contractual requirements,
Procedures, Audits, Safety

Policy

Operational reports,
problem reports, audity

reports

Operational reports,
problem reports, audity

reports

Safety police,
procedures, resources

Work
Instructions

Change requests, reports
of audits, reports problems

Operational
Reports

Work Instructions
Change requests, reports

of audits, reports of
problems

Work
Instructions

Work
Instructions

Contractual requirements,
Procedures, Audits, Safety

Policy

Change requests, reports
of audits, reports

problems

2308



constraints at higher levels of the hierarchy may reduce the resilience of the lower levels, because they also fail 
to enforce similar constrains on their levels, and this behaviour pattern passes to the lower levels.  

Table1: Responsibility and Control Conditions 

Component Safety Responsibility  Inadequate Control 
Action  

 

Context in 
which the 

decision was 
made  

 

Process failure or 
mental model  

 

Driller / 
Mudddloger 

Ensure wellintegrity, To 
evaluate the information 

flow / pressure and 
operate in accordance 

with the procedures 
Operate well in 

accordance with the 
agenda management 

platform, Kicks detect and 
control during drilling, 

Incorrect 
interpretation of 

signals from 
sensors, 

misdirection of the 
well stream to the 
gas separators / 
mud, BOP failed 
when triggered 

shift change, 
delays in 

scheduled 
activities for the 

platform, 
pressure to 

reduce costs, 
lack of formal 
procedure for 

analyzing 
pressure 

information for 
tests 

 
Incorrect 

understanding that 
the pressure 
difference of 
information 

identified in tests 
were caused by 
"bladder effect." 

Platform 
Management 

Ensure the rig agenda of 
compliance with, establish 
controls according to well 

conditions, operate in 
accordance with the work 
plan established by BP 

and Contracted 
Apply the BP security 

policies, 
To ensure the structural 
integrity of the platform 

There was no 
provision of formal 

procedure for 
analyzing pressure 
information of the 

tests, working 
standards not 

assured operation 
of the BOP, 

cementing team 
release without 

conducting integrity 
tests,  

 

Shift change, 
delays in 

scheduled 
activities for the 

platform, 
pressure to 

reduce costs,  
 

Incorrect 
understanding that 

the pressure 
difference of 
information 

identified in tests 
were caused by 
"bladder effect." 
Understanding 
that were not 

needed 
cementation tests 

by Halliburton 

Concessionary  

Establish the drilling 
program, attend 

legislation send operating 
information to MMS, 

establish the work plan in 
accordance with the 
drilling conditions, 

evaluate suppliers, verify 
compliance with 

procedures, provide 
resources, conduct 

training, monitor 
operations, establish 

policy safety.  

Failure in meeting 
the CFRs of MMS, 
no standards for 

integrity tests  

Delays in 
scheduled 

activities for the 
platform, 

Pressure to 
reduce costs,  

Anti-regulatory 
culture  

Mineral 
Management 

Service - MMS 
MMS  

Oversee the 
concessionaire, 
provide 
authorizations for 
changes, provide 
regulation to the 
sector  

There are no 
regulation to the 
specificities of 

deepwater 
BOP tests 

released with 
divergent 

requirements of 
where it would 

be applied  

 

 

2309



7. Conclusions 

Application of CAST for analysis of the Deepwater Horizon accident indicates that STAMP provides a different 
analytical approach for accident analysis, more focused on controls and ways on how they may fail. The results 
show that many of the decisions that contributed to the accident were perfectly acceptable when isolated, but 
the fragmented view did not allow the understanding of the impacts of individual decisions may bring to the 
overall system, changing decision patterns over the time. The analysis also indicates that there was an 
asynchronous evolution of the control structure and the oil industry of the United States, when comparing safety 
and production processes. This asynchronous evolution allowed the industry to migrate to deeper waters for 
higher production, but the safety controls do not adapt at the same rate. This result is particularly important 
because asynchronous developments can be repeated in situations of scenarios changes, as exploitation in the 
pre salt, or quick changes in oil prices. 
The evolution of the MMS compared with industry lets also observe that the lack of reinforcement of BOP 
constrains may have to cause failures at physical level with the use of BOPs not suitable for deep waters. 
 
Acknowledgements 

The authors would like to acknowledge FAPERJ, ANP, FINEP and MCTI for support to this research. 
 

References 

Bertalanffy, L. Von,1969,. General System Theory: Foundations, Development, Applications. (Penguin 
University Books, Ed.) (1st ed., p. 296). New York: George Braziller Inc. 

BP, British Petroleum ,2010, Deepwater Horizon Accident Investigation Report (p. 192). Houston: British 
Petroleum.  

CCPS, Center for Chemical and Process Engineering ,2007,. Guidelines for risk based process safety (1st 
ed., p. 768). Hoboken: John Wiley & Sons Inc. 

De Carvalho, P. V. R. , 2011, The use of Functional Resonance Analysis Method (FRAM) in a mid-air collision 
to understand some characteristics of the air traffic management system resilience. Reliability 
Engineering & System Safety, 96(11), 1482–1498.  

Dekker, S. , 2007, Just culture: balancing safety and accountability. Ashgate Publishing Limited (1st ed., Vol. 
1, p. 166). Burlington: Ashgate Publishing Limited. 

Forrester, J. W.,1961, Industrial Dynamics (1st ed., p. 484). Cambridge: The M.I.T. Press.ISBN 1614275335 
Graham, B., Reilly, W. K., Beinecke, F., & Boesch, D. F. ,2011,. Deepwater - The Gulf Oil Disaster and the 

Future of Offshore Drilling. library of congress (p. 398). Washington, DC. 
Hollnagel, E. ,2012, FRAM: The Functional Resonance Analysis Method (1st ed., p. 154). Farnham: Ashgate 

Publishing Limited. 
Leveson, N. ,2004,. A new accident model for engineering safer systems. Safety Science, 42(4), 237–270. 
Leveson, N. ,2011,. Engineering a Safer World (1st ed., p. 555). Cambridge: Library of Congress. 
Lundberg, J., Rollenhagen, C., and Hollnagel, E., 2009, What-You-Look-For-Is-What-You-Find – The 

consequences of underlying accident models in eight accident investigation manuals. Safety Science  
47 (10), 1297–1311. 

OECD. ,2008,. Guidance on Developing Safety Performance Indicator. (O. for economic cooperation and 
Development, Ed.) Second Edi., p. 156. Paris. 

Salzano, E., Di, M., Gallo, M., & Oropallo, E. ,2014,. The application of System Dynamics to industrial plants in 
the perspective of Process Resilience Engineering. Chemical Engineering Transactions, 36, 457–462.  

Samadi, J., & Garbolino, E. , 2012,. Dynamic analysis of safety performance indicators for Co2 capture, 
transport and storage activities. Chemical Engineering Transactions, 26, 147–152.  

Senge, P. M. ,1990,. The Fifth Discipline. (Doubleday, Ed.) (1st ed., p. 412). New York: Library of Congress. 
Skalle, P. ,2012,. Pressure control during oil well drilling (4th ed., p. 145). Bookboon.  
Sterman, J. D. ,2000,. Business Dynamics - Systems Thinking and Modeling for a Complex World (1st ed., p. 

1008). Cambridge: McGraw-Hill/Irwin. 
  
 

2310