ShuttleFactor and BP Deepwater Horizon Oil Disaster

               I. Small, Zero and Negative Rockets-Like Safety Margins

            II. The Root Problem: Force Overshoots, Pressure Doesn’t


The scramble by the government, BP and the oil industry to produce the “temporary cap” that
stopped the dreadful surge of oil into the Gulf of Mexico and to “static kill” the Deepwater
Horizon oil well is reminiscent of the effort to save Apollo 13 exactly 40 years earlier. At the
time, I did stress analysis for satellite systems, including tanks similar to the one that exploded
on 13. I was asked then to evaluate the Apollo 13 incident for Comsat Labs. My extant
handwritten mathematical analysis of 1970 described a serious engineering mistake, which I
eventually called the “dynamic overshoot blunder.” I identified and eliminated the same mistake
in other systems. Ironically, the engineering blunder remains widespread in modern systems
and in engineering education. There is strong evidence that the same mistake played a role in
the Deepwater Horizon oil spill disaster. The enormity of the disaster demands that the decision
makers in the government, industry and academia recognize the “dynamic overshoot blunder”
and how this one mistake undermined many modern systems.
The epigraph to the ShuttleFactor page states that “Factor” is One Mistake that Produced A
Thousand Problems and Ruined the Space Program. Did the same ShuttleFactor fundamental
engineering mistake play a role in the Deepwater Horizon (DWH) oil well disaster? 3-Numbers
for the Blowout Preventer (BOP), the last line of defense for the oil well, which failed to stop the
oil from surging into the Gulf, were discussed in a Congressional Hearing on June 17, 2010.
The 3-Numbers show troubling facts that have not been reported before, e.g.,
   1.    The safety margin for the BP Deepwater Horizon BOP (25%) was smaller than
        the safety margin for the Space Shuttle (40%). This means that the operators,
        managers, inspectors and visitors on the Deepwater Horizon rig were exposed to
        greater risks than astronauts blasted into space.
   2.    The dynamic overshoot loads mentioned above indicate that the actual safety
        margins for the DWH BOP were negative, which explains the widely reported
        problems with the well and its eventual failure.
   3.    The new BOP design may not be adequate for safe operation.
These facts are discussed in detail in this Report, which will be useful to BP and the other oil-
drilling Contractors and to Investigators from the Congress, the National Commission, and
others. In addition to immediate engineering action to remedy technical shortcomings, the small,
zero and negative safety margins in deepwater oil systems may require temporary regulations
and deregulations to prevent similar disasters.
The first charge of the Executive Order 13543 of May 21, 2010 to the “National Commission on
the BP Deepwater Horizon Oil Spill and Offshore Drilling” states: 3(a) “examine the relevant
facts and circumstances concerning the root causes of the Deepwater Horizon oil disaster.” This
Report identifies strong candidate(s) for root causes of the disaster, which the National
Commission, the Congress, BP and others will find useful in their mission.

    Part I. Small, Zero and Negative Rockets-Like Safety Margins
ShuttleFactor Numbers for BP DWH in Congressional Hearing

On June 17, 2010, the House Subcommittee (of the Energy and Commerce Committee) on
Oversight and Investigations held a daylong Hearing entitled, “The Role of BP in the Deepwater
Horizon Explosion and Oil Spill.” Members of the Congress asked many questions and the BP
CEO, Mr. Tony Hayward, gave answers. A colloquy between Congressman Charles Gonzalez
of Texas and Mr. Hayward revealed 3-Numbers that should have sent shock waves from the
Hearing room to the Gulf to the physics and engineering communities and to oil drilling
contractors and personnel. But, no one noticed. Simple arithmetic (a division, a subtraction and
a multiplication) reveals that the design of the Blowout Preventer on the Deepwater Horizon
and, very likely, on other rigs, was marginal.
First, here is the exchange that produced the 3-Numbers in the Congressional Hearing of June
2010. The following is taken from the Committee’s transcript:
                  Excerpts from Congressional Hearing of June 17, 2010
    The Chairman: You are testifying today before the Oversight and
Investigations Subcommittee, and the subcommittee has a special role to
examine the facts and determine what went wrong and to make
recommendations to prevent future spills. (Page 4)

    Mr. Gonzalez: Which then leads me to - - what do you think you’re
dealing with at that depth as far as pounds per square inch? (Page 181)

    Mr. Hayward: We know that we are dealing with a reservoir with a
pressure of around 11- - - between 11,000 and 12,000 pounds per square
inch. And we have a blowout preventer rated to 15,000 pounds per square
inch. I believe that’s correct.

    Mr. Gonzalez: I don’t know this. Cameron – I don’t know that it is
Cameron that builds these blowout preventers. That is a company that
someone told me that is - - and they are working on a 20,000 pounds-per-
square-inch-preventer. I mean, you’re aware of that?

    Mr. Hayward: I am, yes.

    Mr. Gonzalez: And they actually said this: While there is much
discussion and an ongoing effort to provide guidance for equipment
greater than 15,000 pounds per square inch, in the interest of expediency
it was decided within Cameron to apply current design codes and

    Why were you all looking at 20,000 pounds per square inch when you
believe what you already have at 15,000 exceeds what really is required?
(Page 182)

    Mr. Hayward: I think that – I’m not certain, but I think that is referring to
blowout preventers for reservoirs with even greater pressure.

    I do believe that one of the most important things to come from this
incident is the requirement for the industry to step back and redesign the
failsafe mechanism it uses to prevent accidents of this sort. We need a
fundamental redesign of the blowout preventer. It is something that BP is
going to take a very active role in. We have already begun that process
with a number of academic institutions and a number of contractors in the
industry. (Emphases added)

The 3-Numbers for the Blowout Preventer discussed in the Congressional Hearing are:
   1.    11,000 or 12,000 pounds per square inch (psi): This is the maximum pressure
        that the well experiences.

   2.    15,000 psi: This is the rated pressure, or the design pressure, for the Blowout

   3.    20,000 psi: This will be the rated (or design) pressure for new BOPs, which will
        be used by BP and the other oil-drilling contractors.
What do these numbers mean? At face value, the design load, 15,000 psi, which is greater than
the applied load, 12,000 psi, seems to indicate that all was well with the Blowout Preventer
before the accident. The rated or design load for the BOPs will be increased from 15,000 to
20,000 psi, thus making future oil wells safer. The swift change, which applies to BP and others,
only two months after the disaster, hints at an industry-wide problem. Of course, the change will
make deepwater oil wells safer. Still, Congressman Gonzalez wondered, “Why were you all
looking at 20,000 pounds per square inch when you believe what you already have at 15,000
exceeds what really is required?” BP answered, “…to prevent accidents of this (DWH) sort. We
need a fundamental redesign of the blowout preventer.”
Somehow, the 3-Numbers appeared innocuous, although everyone seemed to agree that “a
fundamental redesign” was needed. The disturbing thing about the redesign is its magnitude, a
change of about 100%. This is to say that the strength of the New Blowout Preventers will be
DOUBLED! Normally, engineers try to limit mistakes to 1, 3, or 5%, and the goal is not to make
numerical mistakes at all. Errors of the order of 100% are dangerous and unacceptable. Anyone
familiar with our Shuttlefactor reports and Continuing Engineering Education Program,
“Anatomy of Failure Mechanisms in Modern Systems,” will instantly recognize the huge 100%
DOUBLED loads. If a 100% design change is required, then how safe or marginal were the
original BOPs?
There is more to the 3-Numbers, discussed in the Hearing, than meets the eye. The 3-Numbers
are similar to numbers repeatedly emphasized in the ShuttleFactor reports. Actually, there is an
eerie similarity between the Deepwater Horizon numbers and the Space Shuttle numbers, as
will be described later. The numbers explain many failures, disasters and tragedies in modern
systems, including, now, the Deepwater Horizon Oil Well disaster.

BP DWH BOP: Very Marginal Design

Can you tell from the 3-Numbers discussed in the Congressional Hearing if the Blowout
Preventer’s design was adequate or inadequate? If adequate, how adequate? And if
inadequate, how inadequate? Some may say that since the rated load (15,000 psi) was greater
than the applied load (12,000 psi), then the design was adequate! But, simple arithmetic shows
that the design of the Blowout Preventer was inadequate – actually, very marginal.
Engineering is a precise art within tolerances. Engineers work with numbers. Numbers tell us
how safe or risky a system is. We listen to guesses, guesstimates, and opinions, but we had better
do the required calculations. It was reported before the DWH disaster that the oil well was a
“nightmare.” This received attention in the Congress, the media and elsewhere. But, how
nightmarish was the well, and I mean numerically? How adequate, safe, marginal or risky was
the Deepwater Horizon oil well, in general, and the Blowout Preventer, in particular -
numerically? So far, these vital questions have not been answered. Let me show you how
marginal the design of the Blowout Preventer was.
We need to know the safety margins for the Blowout Preventer. How do we get the safety
margin? Simple. First, calculate the Factor of Safety (or Safety Factor) for the BOP, then
subtract one, and then multiply by 100, simple arithmetical operations. The Safety Factor is the
Rated Load divided by the Applied Load; both numbers were discussed in the Congressional
Hearing (say, the 15,000 and 12,000 psi, respectively). Then,

Thousands of components of different materials and geometry make up the Deepwater Horizon
oil well, and there are thousands of safety factors associated with the many parts, including, the
BOP. Engineers can (should) easily interpret safety factors, but non-engineers might find the
safety factors less than clear and unambiguous. Safety margins come to the rescue.
Calculating the safety margins is simple. Using the numbers discussed in the Congressional
Hearing (15,000 and 12,000 psi), first calculate the safety factor or rated load/applied load or
15,000/12,000 (Answer 1.25), then subtract 1 (Answer 0.25), and then multiply by 100 (Answer
25%); that’s it, or,
The safety margin for the Blowout Preventer is about 25%. What does this mean? It means that
the Blowout Preventer can withstand 25% greater loads than the maximum applied loads, or
that if the engineers made mistakes of 25% or less, then there would be no failures, accidents
or tragedy. But, this description leaves much to be desired, particularly, to non-engineers. Some
experts might argue that the 25% safety margin is adequate. Can a legislator, judge, lawyer,
investigator, or, even, executives of the oil companies determine how marginal was the DWH oil
Protagoras wrote, “Man is the measure of all things.” We measure things; we use “measure” to
represent and comprehend things. To find out the adequacy or inadequacy of the DWH BOP
design, we need a measure. We must compare the BOP’s safety margins with other safety
margins with which we are familiar. I have selected for this purpose the Space Shuttle. Many
legislators are familiar with the difficulties encountered with the Space Shuttle for four decades.
And I don’t mean here only the Challenger and Columbia tragedies, but the many structural
failures experienced by that system over the years (see Shuttlefactor webpage). The legislators
are familiar with the great risks involved in space flight, and they have appropriated and
authorized great investments to mitigate the risks. The risks are dictated by the vicious
requirement for lightweight, or the lightest weight possible. The safety margins for the Space
Shuttle are widely known, e.g., 40% for ultimate strength. The derivation of the safety margin for
the DWH BOP is straightforward. We did it above with simple arithmetic: 25%. Here then is a
comparison of the safety margins used in the design of the Deepwater Horizon Blowout
Preventer and the design of the Space Shuttle:

  Table-1 Safety Margins for the Space Shuttle and DWH Blowout Preventer
                       Space Shuttle   Deepwater Horizon Blowout Preventer
     Safety Margin          40%                       25%

One glance at this Table shows the bad news in plain language to everyone. The Table gives
Legislators and Investigators a clear picture of the situation on hand. The Table gives clear-cut
input to ask incisive and decisive questions. I would like to know what questions the Members of
the Congress would have asked in light of the above simple Table, e.g.,
           Do you know that the safety margins for the DWH Blowout Preventer were
           smaller than the safety margins for the Space Shuttle?

           Did you know that the Deepwater Horizon personnel were exposed to greater
           risks than astronauts blasted into orbit?

           Are personnel on other rigs exposed to similar risks?

           How did this marginal design come about in the first place? etc.
After the June 17, 2010 Hearing, I tried to find out what the oil-drilling experts had to say about
the marginal design. I examined many studies and thousands of posts on the Internet.
Apparently, no one noticed it. No one processed the numbers mentioned in the Hearing by the
straightforward steps described above.
The fact that the pressure values discussed in the Congressional Hearing were general,
rounded or estimated values does not alter our estimates of the safety margins for the BOPs.
BP lists the Macondo oil well’s pressure at 11,900 psi, which is in the ballpark of the values
discussed in the Congress. The safety margin for this pressure value is 26%.

The Messy Picture

The design, construction, operation and maintenance of an oil well is more complicated than
described here or in thousands of papers and expert posts on the Internet. The 3-Numbers,
discussed in the Energy and Commerce Subcommittee, are only the beginning of a picture that
gets messy very quickly. From the pressure values discussed in the Hearing, engineers
calculate forces and other parameters that apply to thousands of components that make up the
system. The stress and strain in each component, subsystem and the whole system are
calculated. Many numbers are generated. Stress acts in tension, compression, shear, torsion
and bending, singly or in combination, in one-, two- or three-dimensions. The picture is further
complicated by non-linear effects, such as buckling, fatigue, material properties, metallurgical
considerations such as corrosion, failure modes and risks. I can go on with the daunting
processes that eventually lead to a productive deepwater oil well. Numbers are generated using
general-purpose-computer programs, analytically or experimentally. There are millions of
numbers that make up the design of a deepwater oil well, a space shuttle, a bridge, etc. The
numbers are proprietary to the contractors and subcontractors. It is impossible to share all the
numbers with investigators from the government, academia and the media. Even if all the
numbers were shared openly, investigators can be stumped. What do the numbers mean?
Policy and decision makers do not need the millions of numbers to get a clear picture of the
situation and to make thoughtful decisions. We saw above that discussing the three pressure
numbers (11,000, 15,000, and 20,000 psi) for the Deepwater Horizon oil well did not achieve
categorical conclusion(s) as to a likely cause of the disaster. Even the marginal design was not
noticed. The safety margins, however, give a clear picture. Clear-cut conclusions can be drawn
from the safety margin values.

Safety Margins: The Clear Picture

After noticing the 3-Numbers discussed in the Congressional Hearing, I checked other reports
on the Committees’ websites, and thousands of reports and posts by oil drilling experts,
educators and others. It turns out that the applied or maximum loads for DWH are more chaotic
than was discussed in the June 17 Hearing. Some experts write matter-of-factly of applied loads
of 13,000 and 13,500 psi and one expert refers to applied loads of 13,000 to 18,000 psi for the
BP Deepwater Horizon oil well. The 13,500 psi number is so close to the design pressure of
15,000 psi that the safety margins for this case are dangerously low. The 18,000 psi exceeds
the rated or design value! No safety margins at all. Red flags should be waving everywhere. Let
us calculate the safety margins for the above pressure numbers: Remember, to derive the
safety margins, (1) divide the rated (design) pressure by the applied pressure to obtain the
safety factor, (2) subtract 1 from the result, and (3) multiply by 100 to obtain the safety margins
in the last column.

     Table-2 Possible Safety Factors and Safety Margins for DWH Blowout
                       Rated Pressure   Applied Pressure   Safety Factor   Safety Margin
              Case 1     15,000 psi        11,000 psi          1.36             36%
              Case 2     15,000 psi        12,000 psi          1.25             25%
              Case 3     15,000 psi        13,000 psi          1.15             15%
              Case 4     15,000 psi        13,500 psi          1.11             11%
              Case 5     15,000 psi        18,000 psi          0.83            -17%

This, or similar, Table(s) should have been developed and shared with the Congress, the
Administration and others. Study the Table carefully. The first two rows contain the numbers
discussed by Messrs. Gonzalez and Hayward on June 17, 2010; and the last three rows are
numbers discussed by oil-drilling experts on the Internet, e.g., see “What caused the Deepwater
Horizon disaster?” The Oil Drum website, May 21, 2010, and other posts. Here are some
observations derived from the Table:
              Cases 1 and 2 (discussed in the Congressional Hearing) show that the
              design of the Blowout Preventer was more marginal than the design of the
              “manned” space shuttle system.

              Cases 3 and 4 show that the design of the BOP was as marginal as the
              design of unmanned satellites, i.e., there were greater risks for the oil well
              than allowed for “unmanned” spacecraft!

             Case 5 shows a negative safety margin for the Blowout Preventer: Outright
Let me describe why the safety margin concept is more useful than the safety factors,
particularly, to legislators and other government and business leaders. The safety factor for
Case 5 is +0.83 (plus 0.83). The engineer should instantly recognize that there is no safety
factor whatsoever in this Case, because the safety factor is less than 1. But, because the safety
factor is a positive value (+0.83), legislators and non-engineers may not instantly recognize that
this system is at great risk. The safety margin column, however, instantly reveals to technical
and non-technical people the vulnerability of Case 5: The safety margin is negative (-17%). Zero
“safety margin” means no safety margin at all. Of course, negative safety margins can be
The safety margin for the New Blowout Preventers appears to be more dependable. BP and the
other Contractors will use the new design. Is the design adequate? This is discussed further in
the next Sections.

     Table-3 Safety Factor and Safety Margin for New Blowout Preventers
                     Rated Pressure    Applied Pressure   Safety Factor   Safety Margin
                          20,000 psi      12,000 psi          1.67             67%

In summary: Calculate the safety margin. If the answer is negative, then you instantly know that
the system does not have safety margins at all and it is at risk. If the answer is a small value,
then compare it with other systems you know about, e.g., rockets, spacecraft, aircraft, trains,
etc. Of course, if a system does not have to fly (e.g., deepwater oil wells), then it is inappropriate
to use very small and risky safety margins.

Who Determines Safety Margins?

It is obvious from the above Tables that the design of the DWH BOP was marginal. What should
be the safety margins for deepwater oil wells? Who determines and approves safety margins?
You cannot legislate engineering safety margins. It takes detailed technical and commercial
considerations to develop acceptable and dependable values. A safety margin of 25% for the
Deepwater Horizon well is unacceptable. When I first calculated this value for the BOP, I
thought I made a mistake. There is no logic to support the selection of smaller safety margins
for oil wells than for manned rockets. There is no rationale to support safety margins equal to
those used for unmanned spacecraft. Small safety margins bring about huge problems in
installation, operation, maintenance, cost and management of modern systems.
The safety margins for the Space Shuttle are 25% for yield strength and 40% for ultimate
strength. The safety margins should be treated seriously in engineering and in technical
investigations. The margins tell us many things, e.g., (1) if the applied maximum load for the
Shuttle is exceeded by up to 25%, then no element should experience yielding, or plastic
deformation, or in plain language, permanent deformation. If the latter happens around moving
or reusable parts, problematic operation, maintenance and failures follow. The joint that failed
on the Challenger’s booster in 1986 was deformed plastically, or permanently, by about half an
inch from previous use. This is more than 10 times the “gap opening” in the joint that was
blamed for that disaster. The permanent deformation was 1000% greater than the gap opening
at lift-off. The yield strength in that joint was exceeded in previous missions. Numbers must be
presented to decision makers in meaningful forms that give a clear picture of a technical
situation. (2) If the applied load is exceeded by 40%, outright failure (at least on paper) follows.
Because lives are not at risk with satellites, we used smaller safety margins than the manned
systems, 15 and 25% for yield and ultimate strengths. In the early 1970s, I was tasked to study the
feasibility of reducing these margins to 5 and 15% respectively. That would have given us badly
needed weight reductions. At the time, I tested metals, alloys, composites and other materials
for use in spacecraft, did extensive fatigue tests and analyses, examined metallurgical effects,
e.g., corrosion and hydrogen embrittlement, and I was responsible for the stress analysis of all
components and subsystems. The conclusion of my study was categorical: The 5 and 15%
safety margins involved great risks and were unacceptable. Other engineers were tasked to do
similar studies independently, and, apparently, we all arrived at the same conclusion. Our
recommendation was accepted. The point here is that safety margins for modern systems are
not determined in a vacuum or in board rooms or in hasty meetings at BP or any other agency or
Executive Orders and Congressional Legislation are not the avenue to dictate what safety
margins can be used by different industries. But when the national interests and the national
security are at stake and when the data show categorical problems, then Directives and
Legislation may be necessary. It is sensible to regulate that safety margins for deep- and
shallow-water oil wells (and other terrestrial systems) must not be smaller than safety margins
used in manned rockets, unmanned satellites or aircraft. It is legitimate to outlaw negative safety
margins, particularly, where losses and damage as we have seen in the Gulf can happen.
These principles led me to take the negative safety margins in the Space Shuttle, the Hubble
Space Telescope and other important systems to the Administration, the Congress and even
the Courts 20 years ago; a recipe for personal disaster. That was done after efforts to deal with
the issues failed with the space agency, the contractors, the professional organizations, the
universities, and the collective aerospace communities. There were no ambiguities in the
numbers then, and there are no ambiguities in the numbers now. The Chairman of the Energy
and Commerce Oversight and Investigations Subcommittee said, “…the subcommittee has a
special role to examine the facts and determine what went wrong and to make
recommendations to prevent future spills.” The engineering communities must expand and
expound our analysis of the safety margins used in oil drilling systems and make unequivocal
recommendations to the Administration, the Congress and others.
The Congress cannot be burdened with calculating safety margins for complex systems, such
as oil wells. Experts must. First-cut safety margins for the Deepwater Horizon are calculated
and tabulated in this Report. No company would make the seemingly reckless choices
described in this Report knowingly and maliciously. Doubling the safety margins, for example for
the Blowout Preventer, does not double the weight, the size or the cost of the system. And
whatever costs are involved will be quickly recovered from trouble-free operation and maintenance
and longer useful life from the equipment. It should be noted that smaller safety margins mean
tighter tolerances, which usually mean greater costs. It seems that cost was not the driving
factor in the selection of small safety margins for the DWH and other rigs.
Then, how did the small margins come about? In the 1950s-60s, engineering calculations were
made on yellow pads, on the back of envelopes and with slide rules. Precision of one or two
decimal places was the norm, and great achievements were made in many technical areas. By
the late 1960s, we could write a simple formatting line and get tons of numbers with precision of
6, 12 or more decimal places. This led some engineers to place blind confidence in very precise
computer-generated numbers. Accuracy went by the wayside. The evolution of the safety
margins used in oil-drilling systems must now be examined. What were the safety margins for
Blowout Preventers 30 years ago? 60 years ago? What drove the safety margins to the present
marginal, expensive and dangerous levels? The industry, regulators, professional groups and
academia must examine these questions and recommend appropriate “safety margins.”

II. The Root Problem: Force Overshoots, Pressure Doesn’t
Deepwater Horizon – ShuttleFactor Nexus

The Title and Introduction to this Report speak of a nexus between the BP Deepwater Horizon
oil well disaster and the ShuttleFactor studies. As the shuttlefactor webpage reports propose,
the “Factor” mistake has ruined our space program in the last four decades. The same mistake
has undermined the safety and dependability of other vital systems. How do the BP DWH BOP
numbers compare with the Space Shuttle numbers? A simple Table will bring out incredible
First, take the 3-Numbers for the DWH BOP discussed in the June 17 Congressional Hearing,
i.e., 11,000, 15,000 and 20,000 psi. The pressure numbers (pounds per square inch) can be
converted into force values to allow direct comparison. Pressure is equal to force (here, pounds)
divided by area (here, square inches). What is the force acting on a 1-square inch element in
the Blowout Preventer? For the applied load of 11,000 psi, the force is the pressure times the
area (11,000 lbs/in² x 1 in²), or 11,000 pounds. The same procedure gives us the force for the
rated load (15,000 lbs) and the New BOP rated load (20,000 lbs).
Consider now the following Space Shuttle numbers. The three Space Shuttle Main Engines
(SSMEs) produce 1,125,000 pounds force at sea level at liftoff, which can be rounded to 1.1
million (1,100,000) lbs. The ultimate safety margin for the Shuttle is 40%; so, the approximate
rated load is 1,100,000 x 1.4 ≈ 1.5M lbs (1,500,000 lbs). NASA used these and similar numbers
with great confidence since the start of the Space Shuttle program in 1972 with drastic
consequences. Do you see the uncanny similarity between the Blowout Preventer’s numbers
(11,000 and 15,000 lbs) and the Space Shuttle numbers (1,100,000 and 1,500,000 lbs)? But,
there is more.
How about the third number for the New Blowout Preventers, or the 20,000 lbs value? How did
this value for the New BOPs come about? Mr. Hayward said the move is “a fundamental
redesign of the blowout preventer.” Congressman Gonzalez mentioned a decision in the oil
industry, after the Gulf oil disaster, to “apply current design codes and practices.” The
engineering Codes require the use of a Dynamic Load Factor (DLF) in the design of systems
subjected to sudden loads, such as deepwater oil wells. The DLF is equivalent to our dynamic
overshoot factor. Does this mean that the oil industry did not use the required DLFs before the
Deepwater Horizon disaster? Let’s look at the Space Shuttle case.
Because the SSMEs start up very rapidly, the applied load (1.1M lbs) magnifies. The Shuttle
structures actually experience the magnified load, which I call “dynamic overshoot.” Calculating
the “dynamic overshoot” involves advanced mathematics, but it can be done.
After the Challenger tragedy in 1986, I calculated the actual maximum load (including the
dynamic overshoot) for the SSMEs at liftoff to be about 1.9M lbs. The numbers alarmed some
NASA managers and engineers who recommended immediate action. Other managers and
engineers were indifferent and dismissed the vital issue out of hand. After an extensive search of
the massive record in the National Archives, I found out that the Shuttle engineers had actually
measured the maximum liftoff load to be about 1.9M lbs. The measurements were made before
the Challenger tragedy, and the engineers did not know how to interpret the “dynamic
overshoot,” which they called, “excess upward force.” The magnified loads for the more violent
boosters and other thrusters were also missing in shuttle design. In early 1987, an Officer from
DIA (Defense Intelligence Agency) suggested that some elements of my work were sensitive to
national security and advised (not commanded) discretion. From 1986-90, I shared the above
numbers only with NASA and DOD in closed-door meetings. In 1990, I submitted a paper on
the subject for publication in a rockets journal. Everyone got upset, the paper was dismissed
and the engineering communities, including oil drilling and refinery industries, were kept in the
dark about a massive engineering mistake that could strike modern systems with drastic
consequences. You can read more about those events in
We now have 3-Numbers for the Space Shuttle: Applied load of 1.1M lbs, rated load of 1.5M lbs
and, maximum load (including startup dynamic magnification effect) of about 2M lbs, which is
rounded from the calculated and measured 1.9 or 1.95M lbs.
The nexus between the Deepwater Horizon 3-Numbers and the Space Shuttle 3-Numbers is
shown in Table-4. Do you see the startling link?

              Table-4 The Space Shuttle – Deepwater Horizon Nexus

                                   Deepwater Horizon
                                   Blowout Preventer      Space Shuttle
      Applied Load                   11,000.00 lbs        1,100,000. lbs
      Rated Load                     15,000.00 lbs        1,500,000. lbs
      Actual Max Liftoff Load                             2,000,000. lbs
      New Max Rated Load             20,000.00 lbs

If you move the decimal point in the left column 2 places to the right, you will get the values in
the right column. If you move the decimal point in the right column 2 places to the left, you will
get the values in the left column. The Table is compelling. Engineering analysis is done with
symbols, e.g., La can be Applied Load, Lr, Rated Load, and Lm, Maximum Load. After
manipulating the symbols mathematically in many ways (without numbers), we substitute the
numbers to obtain final results. The analyses in the Shuttlefactor reports can be used to better
understand the DWH disaster. In particular, the start-up transient dynamic overshoot effects
must be included in any meaningful investigation.
Table-4 answers the question asked by Congressman Gonzalez: Why the 20,000 psi BOPs? Is
the DLF for the Blowout Preventers similar to the dynamic overshoot factor for the Space
Shuttle main engines? If this is the case, then the presentation to the Energy and Commerce
Subcommittee on June 17, 2010 should have stated that the applied load for the Deepwater
Horizon BOPs was 12,000 psi, the actual maximum load was 20,000 psi, and the design load
was 15,000 psi! Everyone would have instantly recognized the precarious situation. The Codes
that Mr. Gonzalez referenced require the use of a DLF of 2, when the actual DLF, or dynamic
overshoot, cannot be calculated or measured. The latter produces a more perilous situation.
Many engineers working on vital systems have not taken the dynamic overshoot, or DLF,
concepts seriously. In a rare exchange I had with the space community in 2007 (see
collectspace website), I discovered that senior rocket engineers who worked on the Space
Shuttle Solid Rocket Motors (SRMs), the expensive and canceled Advanced Solid Rocket
Motors (ASRMs), and the most recent expensive and canceled Ares rockets, still dismissed the
destructive dynamic effect out of hand. The sudden start-up of these rockets nearly DOUBLES
the effect of forces on the system, but those engineers don’t believe it, or probably, they cannot
calculate the overshoot effect. This explains why some people in the space community,
including prominent astronauts, a former NASA administrator and others, voiced disapproval of
the Administration’s decision to cancel the Constellation space program and its Ares rockets.
What the Obama Administration did here was to put an end to the meandering of the last four
decades. We don’t need 30 or 40 more years to discover that the transient dynamic overshoot
forces will limit the operation of the Ares-type rockets. Ironically, our aerospace engineers are
the best equipped to calculate and measure the transient dynamic overshoot effect, or DLFs.
Thoughtful science and engineering papers by these engineers can be of great help to other
industries, especially now, the oil industry.
Are the 20,000 psi New Blowout Preventers safe or risky? The nexus between the DWH case
and the Space Shuttle case gives disturbing answers. In the next Sections, we describe root
problems that could have led to the Deepwater Horizon disaster and to the difficulties
experienced with that well before the explosion.

The Real Problem
The Deepwater Horizon oil well, as other oil wells, was subjected to a variety of dynamic
conditions, e.g., quick start-ups, quick shutdowns, pulsating oil/gas flows, the familiar oil well
“kicks” and sudden actions by powerful hydraulic drives and cranes. The dynamic conditions
magnify the applied loads. When the dynamic effects are taken into account, it becomes clear
that the safety margin for the failed DWH Blowout Preventer was worse than calculated in Part I
(25%) and the safety margin for the New BOPs (67%) is not as good as it seems.
Some experts spoke about the possibility of resonance. This dynamic condition is well
understood by physicists and engineers. When the driving frequency in the well is matched by
the natural frequency of any component, resonance occurs. Resonance magnifies the stress in
a system (theoretically to infinity) leading to certain failure. Conjecture about resonance must be
supported with numerical evidence, which I have not seen for the Deepwater Horizon oil well to
The start-up transient dynamic condition, however, is not as clearly recognized in physics and
engineering; and this dynamic condition could have led to the many reported difficulties with the
oil well and the eventual failure of the Blowout Preventer. What was the dynamic overshoot for
different operational phases of the DWH Blowout Preventer? What was the dynamic load factor
(DLF) for any component on the Deepwater Horizon well and rig? How were the dynamic
transient conditions handled in the design or operation of the Blowout Preventer and other vital
hardware? These and related questions have not been asked, nor answered. The transient
dynamic loads may be the real problem that led to the Deepwater Horizon disaster.
Using bona fide data, I calculated the start-up transient dynamic overshoot for the Space Shuttle
Main Engines (SSMEs) to be 73% and for the Solid Rocket Boosters (SRBs) to be 97%. And
remember, the same dynamic overshoot for the SSMEs was actually measured, though not
understood, by NASA and the Contractors. Based on the pressure rise in nuclear power
reactors, the transient dynamic load is nearly doubled; i.e., the applied load is increased by
nearly 100%; but no one recognized the effect after TMI and Chernobyl. After our dismissed
1990 paper on transient dynamic effects, NASA selected a Dynamic Load Factor of 2 (Two) for
the Booster Separation Motors (BSMs) on the Space Shuttle, which exhibited structural damage
over the years – the applied load was DOUBLED outright. I had encountered, analyzed and
corrected the massive dynamic overshoot error in space systems, hydraulic drives, and other
modern systems for five decades. Yet, there is resistance in the physics and engineering
communities to recognize the problem and to institute open solutions. The enormity of the
Deepwater Horizon disaster demands immediate attention and action.
I can see the sudden rise and fall of pressure in the records of the Deepwater Horizon oil well,
but I do not have exact numbers to accurately calculate the dynamic overshoot, or DLF, or
transient response for this and other oil wells. Using the rise time and the stiffness of the
Blowout Preventer, the DLF can be easily calculated. Simple and advanced equations are given
in our reports. It should also be noted that measuring the dynamic overshoot is not simple, but it
can be done. At Shuttlefactor, we are available to work in strict confidence with the
Administration, the Congress, BP or other Contractors to evaluate, calculate and measure the
transient response for the oil wells, in general, and for the Blowout Preventers, in particular.
What is the Dynamic Load Factor (DLF) for the Blowout Preventers? The DLF is a muddled
concept. Although the DLF is included in the Codes, it remains vague. Somehow, the Codes are
troublesome to the engineers and, sometimes, the Codes are unknown. For example, I saw a
recent post on the Internet by an engineer who states that his (or her) company uses a Dynamic
Load Factor of 1.35, that his previous company used a DLF of 1.5 and that he heard that other
companies use a DLF of 2 (or a 100% dynamic overshoot). The engineer was asking for advice
from other engineers. Isn’t it the function of the Codes to tell the above and other engineers a
priori why DLFs of 1.35, 1.5 or 2 are used? Shouldn’t the engineers learn in school how to
calculate the DLFs for different systems?
Generally, it is recommended in engineering courses that if the engineer does not know the
dynamic factor, a DLF of 2 must be used. This is the origin of the expression that pokes fun at
rocket engineers, “the $64,000 question.” Remember, in Newton’s equation, F=ma, or F=mg, g
(acceleration) at sea level is about 32 ft/sec² and double g (or 2g) is 64 ft/sec², hence, the $64.
Until the actual dynamic overshoots, or dynamic load factors, are calculated and/or measured
for the Blowout Preventers, we can only guess the magnitude of the dynamic effect. According
to the Codes, however, when the magnification factors cannot be measured or calculated, a
DLF of 2 (100% dynamic overshoot) should be used for the BOPs. The dynamic load factor for
the Deepwater Horizon oil well could be 1.5, 1.7 or 1.9, i.e., dynamic overshoots of 50, 70, or
90%. Let us apply these dynamic factors to the New Blowout Preventers and derive the
corresponding safety margins. Here, the rated or design load (20,000 psi) and the applied load
(12,000 psi) are the values discussed in the June 17 Congressional Hearing. While “pressure”
does not overshoot (see next Section), the safety margins calculated here are representative.

 Table-5 Safety Margins for the New Blowout Preventers with Dynamic Loads

   Rated Pressure   Applied Pressure   Dynamic Load Factor   Maximum Load   Safety Margin
     20,000 psi        12,000 psi              1.5             18,000 psi        11 %
     20,000 psi        12,000 psi              1.7             20,400 psi        -2 %
     20,000 psi        12,000 psi              1.9             22,800 psi       -12 %

At best, the safety margin for the New Blowout Preventer will be 11%, much smaller than the
safety margins used with manned rockets! Very likely, the New Blowout Preventers will have
negative safety margins – invitation to disaster. We said earlier that the Congress cannot
legislate safety margins, but it must act when the safety margins for deepwater oil wells are
smaller than the safety margins used for manned and unmanned spacecraft. The Congress
must also act when the safety margins for such critical systems are negative.
Applying the above Dynamic Load Factors to the Blowout Preventer that failed on the
Deepwater Horizon oil well and using the pressure loads discussed in the June 17
Congressional Hearing (12,000 and 15,000 psi), the safety margins for the failed BOP were
-17%, -26% and -34%, respectively; all negative values. This indicates that the start-up transient
dynamic overshoot was the most likely cause of the Gulf disaster. Based on extensive personal
experience with modern engineering systems, these negative safety margins can also explain
the problems encountered with the Deepwater Horizon well before the accident.
More seriously, if the DLF for the Blowout Preventers is, say, 1.7, then the New BOPs may not
be adequate at all. For example, using the applied pressure of 12,000 psi, the maximum applied
load will be (12,000 psi x 1.7) 20,400 psi, which exceeds the rated load for the New BOPs
(20,000 psi) discussed in the Congressional Hearing. This means that the safety margins for the
New BOPs will be negative! What then? Should the rated (or design) load for the New BOPs be,
say, 25,000 psi? The safety margin for this case is about 22%, again smaller than the safety
margin used with the manned Space Shuttle! The evaluation must not stop here. If the oil
Companies cannot calculate or measure the DLF for the oil wells, then the Codes require the
use of a DLF of 2, e.g., as NASA did with the BSMs mentioned earlier. The maximum loads for
a Deepwater Horizon-like well must then be 24,000 psi (2 x 12,000 psi). In this case, a Blowout
Preventer with a rated or design load of 30,000 psi will still have smaller safety margins (25%)
than manned rockets. The numbers mentioned here are not number games; the numbers
directly affect the safety and risks of oil wells.
The start-up transient dynamic overshoot effect is a real problem with deepwater oil wells, and
the Investigators must examine this aspect very carefully. Other important technical issues that
apply to the DWH investigations can be found in our Shuttlefactor and other reports.

The Root Problem

How could the dangerous condition(s) described above come about in a modern system, such
as the Deepwater Horizon oil well? Some have suggested that the oil drilling industry can learn
a thing or two from the aerospace industry. My study of the oil drilling and refinery analyses and
calculations indicates a robust and mature engineering community. I had also seen this from
drilling and refinery engineers from ARAMCO and elsewhere and in engineers who attended my
Continuing Engineering Education Program, “Anatomy of Failure Mechanisms in Modern
Systems,” twenty years ago. The start-up transient dynamic conditions were discussed in the
There is a root problem associated with the transient dynamic loads. Based on this Report,
experts from BP, the government and elsewhere may rush to study the pressure-time traces for
the Deepwater Horizon and other oil wells; looking for the dynamic overshoot. The problem is
that the experts will not find the dynamic overshoots in the “pressure-time” traces. The alarming
problem is that the experts might dismiss the issue out of hand, as other experts had done
before. The “root problem” requires further clarification and discussion.
The theory of elasticity is one of the most intricate and advanced theories in engineering.
Thousands of complex equations are derived from the simple spring-mass equation, generally
known as Hooke’s Law, after the 17th century Dr. Robert Hooke. All modern engineering
systems are designed using Hooke’s Law. Even modern physics is almost entirely based on
Hooke’s Law, e.g., the simple harmonic oscillator which is modeled using the familiar equation F
= kx, where F is force, k is spring constant and x is displacement. When developing the
equations for pressure vessels, such as used in shuttle engines and boosters and in Blowout
Preventers, the pressure (psi) is set to equal the stress (psi), and the complex equations are
then derived. The theory of elasticity does not take into account two vital factors: (1) The
pressure does not overshoot; (2) the force and stress overshoot. A real life example is
Twenty years ago, the launch of the Hubble Space Telescope was delayed two weeks while my
contention that the same transient errors described in this Report could damage the Hubble
was reviewed. Top Officials from the White House and the NASA Administrator traveled from
Washington, DC to the Johnson Space Center in Houston to hear rebuttal from other engineers. I was not
consulted before, during or after the trip, and the Telescope was launched over my objections.
As everyone now knows, we almost lost the Hubble, and the cost to fix the telescope was
enormous. I eventually found out the rebuttal of the other engineers. That rebuttal revealed the
root problem in the aerospace industry and, now, in the oil drilling industry. Just read the words
of the Director of the Johnson Space Center, in a letter to me on October 13, 1992:
       “Chamber pressure is intentionally controlled to prevent overshoot greater
       than 2 percent above rated thrust level during the approximate 5-Second
       Space Shuttle main engine start transient.”

You can see the root problem from my response to NASA, November 23, 1992:
       Either the overshoot is less than 2 (two) percent, as you assert, or it is
       greater than 70%, as I have stated. The difference is so enormous and
       consequential that it must be resolved. The significant disparity in our
       positions is the result of confusion, which I will explain.

       This sentence reveals the extent of the confusion. It is correct to say that
       the “thrust” overshoots at start-up, but it is absolutely incorrect to say that
       the “chamber pressure” also overshoots. The pressure does not overshoot
       during start-up transients. It merely fluctuates! Let me explain.

       By mistakenly believing that the “chamber pressure,” which does not
       overshoot, is the measure of the overshoot, your experts have mixed up
       the input and the output, or the cause and the effect.

The pressure in the main combustion chamber rises to between 3,200 and 3,300 psi (3,283 psi).
This pressure rises rapidly in the combustion chamber producing, as I claim, dynamic overshoot
forces of 73% that strike the shuttle assembly with vengeance. But, the NASA engineers
produced “pressure-time” traces in which they prevented “overshoot greater than 2 percent.” Do
you see the massive difference between 2% and 73%? The difference is greater than the safety
margins used to design the Space Shuttle. Such big differences in systems with small safety
margins can only result in massive failures. Do you see the mix-up? Notice that the NASA
director uses the word “overshoot” with the word “pressure.” What everyone failed to realize
then was that pressure “fluctuates,” but that it “does not overshoot.” What does it mean to say
that the “pressure” does not overshoot? The primary numbers used so far in the investigation of
the Deepwater Horizon disaster and in the design of the New Blowout Preventers are pressure
numbers. Does this make a difference?
An inflated balloon or a tire explodes when subjected to great pressure. A balloon or a Blowout
Preventer does not fail because of the pressure acting in a direction perpendicular to the walls.
The balloon or the Blowout Preventer fails because of the stress that stretches the wall
membrane beyond the ultimate strength of the material used. Every engineer knows that the
membranes can be modeled as springs stretched to failure. For demonstration purposes, all the
complicated equations of elasticity can be reduced to a mass hanging on a simple slinky spring,
or a weight released on an old bathroom weight scale, supermarket scale or postal weight
scale. It is essential to recognize the difference between pressure that acts perpendicular to the
walls of a pressure vessel, and force or stress, which pulls and stretches the material of the
vessel to failure. The Deepwater Horizon investigators will not find evidence of “dynamic
overshoot” in the many pressure-time traces for the Blowout Preventers. Further explanation is
Consider a simple example used ad nauseam in the Shuttlefactor reports: A 100-lb lady steps
suddenly onto an old bathroom weight scale from zero height. For an ideal spring in the scale
and no impediments (no air resistance, friction, etc. like Galileo’s pendulums which oscillate to
the original height), the dial will register 200 lbs: The weight of the lady, 100 lbs, and a dynamic
overshoot of 100 lbs. With a slo-mo camera, one can clearly see the dial move from 0 to 50,
100, 150, and finally 200 lbs. If the area of the lady’s feet is 10 square inches, then the pressure
on the weight scale will be 10 pounds per square inch (10 psi). The pressure is equal to the
force divided by the area. Now, think about it. While the dial on the scale moves from 0 to 200
lbs, the pressure on the weight scale remains constant, i.e., 10 psi. Of course, if the lady’s
weight changes with time, then the lady’s weight fluctuates with time and the applied pressure
fluctuates accordingly. If the weight of the lady fluctuates, say, 2%, like the chamber pressure in
the SSMEs, then her weight varies between 98 and 102 lbs. The sudden transient dynamic
overshoot effect on the weight scale, however, will vary between 196 and 204 lbs. Do you see
the difference? To say that the chamber pressure in the SSMEs is controlled to less than 2% is
the same as saying that the weight of the lady is controlled to less than 2%. In engineering, we
are supposed to design the weight scale or the Blowout Preventer, not the lady. These
seemingly mind-boggling and upsetting examples are treated in detail in the Shuttlefactor
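The bathroom-scale example above and the Table-5 safety margins can be checked numerically. The following Python sketch is an added example, not code or equations from the Shuttlefactor reports: it assumes the textbook undamped spring-mass model, m x'' + k x = F(t), with a load that ramps linearly to its steady value, and it uses the margin formula rated / (DLF x applied) - 1, which reproduces the Table-5 figures. The function names are illustrative.

```python
import math


def applied_load(t, rise_time):
    """Applied load as a fraction of its steady value: linear ramp, then constant.
    By construction it never exceeds 1.0, i.e. the input does not overshoot."""
    if rise_time <= 0.0:
        return 1.0  # ideal step: full load applied at t = 0
    return min(t / rise_time, 1.0)


def simulate(rise_time, period, steps_per_period=2000):
    """Integrate m*x'' + k*x = F(t) from rest with velocity Verlet.

    Assumed model: undamped single-degree-of-freedom spring-mass system with
    natural period `period`. Returns (peak spring force, peak applied load),
    both as fractions of the steady load.
    """
    m = 1.0
    k = m * (2.0 * math.pi / period) ** 2
    dt = period / steps_per_period
    n_steps = int((rise_time + 2.0 * period) / dt) + 1  # ramp plus two free cycles
    x, v = 0.0, 0.0
    load = applied_load(0.0, rise_time)
    a = (load - k * x) / m
    peak_force, peak_load = k * x, load
    for i in range(1, n_steps + 1):
        x += v * dt + 0.5 * a * dt * dt
        load = applied_load(i * dt, rise_time)
        a_new = (load - k * x) / m
        v += 0.5 * (a + a_new) * dt
        a = a_new
        peak_force = max(peak_force, k * x)  # force carried by the spring (response)
        peak_load = max(peak_load, load)     # force applied to the mass (input)
    return peak_force, peak_load


def dlf_closed_form(rise_time, period):
    """Standard result for the same model: DLF = 1 + |sin(pi*r)| / (pi*r), r = rise/period."""
    r = rise_time / period
    if r == 0.0:
        return 2.0  # sudden (step) loading doubles the static response
    return 1.0 + abs(math.sin(math.pi * r)) / (math.pi * r)


def safety_margin_pct(rated, applied, dlf):
    """Margin of the rated load over the dynamically magnified load, in percent."""
    return (rated / (applied * dlf) - 1.0) * 100.0


def bathroom_scale(weight_lb=100.0, foot_area_in2=10.0, rise_time=0.0, period=1.0):
    """The page's scale example: returns (peak dial reading in lb, peak applied psi).
    The period is an arbitrary assumed value; it does not affect a step load's peak."""
    peak_force, peak_load = simulate(rise_time, period)
    return weight_lb * peak_force, weight_lb * peak_load / foot_area_in2


if __name__ == "__main__":
    print("rise time / period   DLF (simulated)   DLF (closed form)")
    for ratio in (0.0, 0.1, 0.25, 0.5, 1.0, 2.0):
        sim, _ = simulate(ratio, 1.0)
        print(f"{ratio:18.2f}   {sim:15.3f}   {dlf_closed_form(ratio, 1.0):17.3f}")
    dial, psi = bathroom_scale()
    print(f"scale: peak dial {dial:.1f} lb, peak applied pressure {psi:.1f} psi")
    for dlf in (1.5, 1.7, 1.9):  # the three factors used in Table-5
        print(f"DLF {dlf}: new BOP {safety_margin_pct(20000, 12000, dlf):+.0f} %, "
              f"failed BOP {safety_margin_pct(15000, 12000, dlf):+.0f} %")
```

In this model the factor depends only on the ratio of rise time to natural period: it approaches 2 for a sudden load and falls toward 1 as the load is applied more slowly.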
It should be noted that NASA did not deliberately measure the 73% dynamic overshoot resulting
from the start-up of the SSMEs in 1982. The engineers did not say, “Let’s measure the dynamic
overshoot for the SSMEs.” They were unaware that the destructive effect exists. The engineers
were measuring the strain in the holddown posts of the boosters. It was only when they
converted the strain readouts to forces that they noticed and reported the “excess upward
force.” The strain measurements were made after serious damage was noted in the Mobile
Launch Platform, then in the Aft Skirt of the boosters, then in the Aft Segments of the boosters.
The launch platform was strengthened, then the Aft Skirt was strengthened, then stiffener rings
were added to the Aft Segments. Do you see a trend here? Not realizing the dynamic overshoot
effect, the rogue loads were being chased upwards on the boosters. The next station for the
“excess upward force” was the joint that failed on Challenger. BP and the other Contractors
must guard against such oversight, and the Investigators must recognize these facts to avert
future disasters.
Reports on the Deepwater Horizon disaster include many pressure values, but no mention of
the transient dynamic effects! The discussion with Mr. Tony Hayward in the June 17 Hearing
included only pressure values. There was no discussion of the sizable “dynamic transient
effects.” I should point out that the dynamic overshoot effect was not mentioned anywhere in the
tens of thousands of pages shared with the Presidential Commission that investigated the
Space Shuttle Challenger tragedy in 1986, even though the stealthy effect was previously
Is the devastating dynamic overshoot effect a one-man show? At the risk of sounding like
Gorgias writing “an encomium on Helen” (of Troy) to get that woman off the hook with the
Athenians, here is a short encomium on our Program “Anatomy of Failure Mechanisms” and the
“dynamic overshoot” studies. Critique from engineers, including engineers from the oil industry,
who studied the transient dynamic overshoot with us in 1990, as briefly described in this Report,
       Thought provoking course

       I can’t believe how much I understood

       Excellent course for all --- engineering fields

       Outstanding --- very rewarding

       Content was very good but time was too short

       Excellent – the use of other examples was outstanding

       This was very informative and will influence critical thinking for sure

I discussed the root problem identified in this Report with many top experts over the years.
Consider the following excerpt from our Shuttlefactor Report (Section 8.5 Flawed Transient
       When I discussed the problem at length with the distinguished Professor
       from MIT Eugene Covert, a Presidential Commissioner on the Challenger
       Accident, the professor endorsed my observations. Engineering students
       learn design in one part of the curricula and they then learn the transient
       analysis in another part. Somehow, the two interrelated subjects remain
       disjointed in the student’s mind. The MIT Professor summed it up to me
       like this, “You can lead a horse to the water, but you cannot make it drink.”

My transient dynamic overshoot studies, particularly for pressure-activated systems such as the
Blowout Preventer, were carefully reviewed and approved by some of our top experts, including
a world expert on transient conditions who helped to eliminate the dynamic overshoot effect
from electrical and electronic equipment since the 1940’s, a chairman of the dynamics
committee in a national aerospace engineering organization, a professor emeritus who became
the director of the National Science Foundation, a chief scientist with the Air Force, and other
nationally recognized experts. Yet, our Program was canceled in 1990 after interference from
the space agency and other offices in the government. Detractors, unfamiliar with the details of
our work or the dynamic load factor concept, dismissed our studies in 2003 and 2005, after the
Columbia tragedy and the new approach to the space program.
The root problem is not only a BP or industry problem; it is also an education problem. Some
universities were reluctant to pursue the problem at my urging, lest they lose government funds
for other research. How can that be? It was government funding in the 1940s that allowed the
universities to effectively research the vibration resonance phenomenon after the unforeseen
failure of the Tacoma Narrows Bridge and the unexpected fracture of steel in the Liberty Ships
after World War II. We used those findings effectively in space systems. Those federally funded
studies led to economic prosperity in the 1950s and 60s and made possible the Mercury,
Gemini, Apollo and other marvelous space achievements. The two systems cited above were
beset by “mysterious loads,” of unknown origin to the scientists and engineers of the time. I
have been advocating for decades now that other mysterious loads, that stagnated the Space
Shuttle and the space program and caused many disasters, are the result of the mysterious
phenomena associated with the transient dynamic loads. We urge all the Investigators of the
Deepwater Horizon disaster to objectively evaluate the “root problems” described in this Report.
The “root problem” presented in this Report and the above opinions of top experts should be
considered by the Deepwater Horizon Investigators to avert future disasters. We cannot afford
another oil spill disaster. Our economy cannot tolerate inadequate engineering from the best
engineers in the world.

Excerpts from Shuttlefactor and the Deepwater Horizon Disaster

The root problem is not only a BP problem. It is an industry-wide problem. The problem is
widespread in other industries as well. The small safety margins calculated in this Report show
these facts. The problem must be wiped out from engineering and science education and from
engineering and science practice. We give here some excerpts from our Shuttlefactor reports,
which apply to the disaster at hand, the Deepwater Horizon oil spill disaster. As you read the
following excerpts, think about the technical details of the Gulf oil disaster and try to find
analogies and parallels.
From: The Problem with the Space Shuttle and the Space Program, (1992, 2000, 2003):
      It is common knowledge that when an electrical switch is turned on, “surge
      current” flows in circuits. The surge current consists of the applied current
      plus a momentary transient component known as the “dynamic
      overshoot.” The maximum start-up transient current can be double the
      applied current. Unless included in design, surge currents can trip circuit
      breakers, blow fuses or damage electronics and electrical devices. It has
      not been recognized before that a similar effect occurs in physical-
      mechanical systems, such as, rockets, including the Space Shuttle [and,
      now, deepwater oil wells].

      The deep roots of the “dynamic overshoot” mistake are discussed in this
      Report. The discussion includes scientific, technical, educational,
      historical, philosophical, psychological and political elements of the design
      blunder. The Report shows (1) how some engineers are completely
      unaware of the “surge” effect in physical systems, (2) how some engineers
      miscalculated and mishandled the effect in Shuttle design, (3) how the
      engineers actually measured the correct “surge forces” in the Shuttle in
      1982, but did not even realize the meaning of the correct measurement,
      (4) how Newton’s Action-Reaction Law is at the root of the problem, (5)
      how scientists and engineers mistakenly and regularly equate the CAUSE
      and EFFECT, INPUT and OUTPUT, ACTION and REACTION, and FORCING
      FUNCTION and TRANSIENT RESPONSE in mechanical start-up transient
      situations, and (6) how relying nearly exclusively on pressure
      measurements (which do not show the “surge” effect), physicists and
      rocket engineers repeatedly fell into the tricky “dynamic overshoot” trap,
      with drastic results. (p. 104: Conclusion and Recommendations)

From: The Correct Way to Handle Transient Loads, May 19, 1993:
      Early in the century, the explosion of temperamental boilers killed people
      and destroyed industrial and residential centers. Halfway through the
      century, jet powered aircraft crashed unexpectedly, killing people and
      causing considerable losses. In the beginning of the space program, the
      hallmark of rockets was the huge explosions soon after ignition and the
      destruction of valuable payloads and launch facilities. Then there were the
      nuclear reactor incidents: Three Mile Island (TMI) which frightened a large
      community and a nation, and Chernobyl which devastated communities
      and shocked the world. What these systems have in common is that they
      are pressure-activated, and the mechanical engineer plays the central role
      in their design, construction, operation, safety, and reliability. Where are
      we today?

      Have we (mechanical engineers) overlooked something fundamental in
      our work? The answer is a resounding yes. One basic error has
      undermined the safety, reliability and economy of important systems
      throughout the century.

      There is a serious error that occurs frequently in the design of rockets,
      spacecraft, aircraft, nuclear reactors and other pressure-activated [now,
      the Deepwater Horizon Blowout Preventers and related hardware]
      systems. The error is fundamental in nature and it consists of confusing
      the forcing function for the response, or the cause for the effect, in
      transient conditions.

      Consider the following situation which happens millions of times every
      day. The pressure in a combustion chamber [e.g. the Deepwater Horizon
      Blowout Preventer] rises rapidly to a maximum steady-state value, Po, as
      shown in Fig. 1. What is the maximum design load? What is the maximum

      At this rate, we are not going to Mars; we are not going back to the Moon;
      and we will hardly make it to low earth orbit; which is where we are today
      [1993]. Something is fundamentally wrong in mechanical engineering.
      Something is fundamentally wrong in the mechanical engineering curricula
      and textbooks. A radical change in mechanical engineering education and
      practice must take place to remedy the fundamental oversight.”
From: Message to ASME Dynamics and Extreme Loads Section, May 20, 1993:
      Pages 543 and 575 (from two different papers): Figs. 9 and 1,
      respectively, show how the existing Computer Codes (TRAC-PIA, TRAC
      PD2, etc.) track the measured pressure build-up, or causal parameter, or
      transient forcing function, in time. There is no response, or desired effect.
      Remember, the response cannot be in pressure units.

      Similar curves are very popular in aerospace systems. Actually, they are
      the only kind available for rocket engines and motors, jet engines, etc. The
      measured pressure very nearly tracks some computer predictions. Well of
      course they should. The two are the same parameter! The only way that
      the response can track the forcing function so closely is when the forcing
      function is applied very very slowly. The pressure build-up in the two
      figures above happens in less than 10-milliseconds. This is almost a
      perfect, or ideal, unit-step-function!

      I recommend that you do not accept the common clichés: We know about
      transients; We always take the forcing function and derive the response;
      etc. If the forcing function and the response look like the curves shown in
      the enclosures, then the transient is not understood, let alone derived.

      Yet, not one single paper presented a true “transient response.” I
      emphasize again that a pressure measurement shown to be similar to
      some computer code, or vice versa, is not a transient analysis. It is the
      same parameter shown to equal itself, which it should.

      The transient loading conditions are indeed vital, and treating these
      conditions correctly is urgently and immediately needed.

      The dynamic transient problems in nuclear reactors have been treated
      very seriously after Three Mile Island, and there are many papers by
      worldwide experts on the subject. The Proceedings I mentioned above,
      and several others, and textbooks on Reactor Dosimetry, Design, and
      Standardization all compare the pressure build-up, as measured with
       (sensitive) pressure transducers, with the analytical or computer code
       predictions of the same pressure build-up. This is like measuring the input,
       and then predicting it; or vice versa…

       It is not enough that we know about forcing functions, transient responses,
       and how to do the transient analysis. The transient analysis must be done
       correctly. In most cases, it has not.

From: Safety of Nuclear Power Reactors in Transient Conditions, June 3, 1993:
       …a clear distinction must be made between the pressure (cause) in a
       vessel, and the stress (effect) in the materials that make up the vessel.

       The problem is trivial, but it is not obvious, though it is very important.

       You are thinking in terms of pressure fluctuations, which you call in your
       letter “pressure overshoot.” This is a central part of the problem. The
       pressure does not overshoot. My weight does not magnify when I step
       suddenly on a weight scale… there is a distinct difference between the
       pressure fluctuation and the force overshoot. These differences have not
       been taught at the undergraduate or other levels.

The above excerpts, and reports, further clarify the root problem in engineering practice and
education, which could have played a major role in the Deepwater Horizon disaster. Here are
some observations that apply to the Deepwater Horizon disaster and investigations:
       1.    Only pressure values have been considered in the DWH investigations so

       2.    Pressure fluctuates, but it does not overshoot.
       3.    The pressure transient studies apply to the Blowout Preventers, tanks, pipes
            and related hardware.
       4.    The dynamic load magnifications do not show up in pressure measurements
            and special calculations and measurements are required to catch the rogue
       5.    No dynamic overshoots, or Dynamic Load Factors, have been reported for
            the Deepwater Horizon oil well, especially for the Blowout Preventers.
       6.    The transient dynamic loads are the second most important factors in design
            after the applied pressure values discussed in the June Congressional
            Hearing. The transient loads can equal the applied loads themselves.
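
The distinction drawn in the excerpts and observations above, between the pressure trace (forcing function) and the structural response, can be checked numerically. The following is an added example, not a calculation from this Report: it assumes the standard undamped single-degree-of-freedom (spring-mass) model, and the 50 ms natural period and the rise times are constructed values, not Deepwater Horizon data.

```python
import math

def pressure_trace(t, rise_time):
    """Normalized forcing function: linear rise to 1.0, then held constant."""
    if rise_time <= 0.0:
        return 1.0  # ideal unit step
    return min(t / rise_time, 1.0)

def dynamic_load_factor(rise_time, period, cycles=6.0, steps_per_period=2000):
    """Peak response divided by static response for an undamped spring-mass model.

    Integrates x'' + w^2 * x = w^2 * f(t) with velocity Verlet. x is the
    displacement divided by the static deflection, so x == 1.0 is the static load.
    """
    w = 2.0 * math.pi / period
    dt = period / steps_per_period
    t_end = rise_time + cycles * period
    x, v, t = 0.0, 0.0, 0.0
    a = w * w * (pressure_trace(t, rise_time) - x)
    peak = 0.0
    while t < t_end:
        x += v * dt + 0.5 * a * dt * dt
        t += dt
        a_new = w * w * (pressure_trace(t, rise_time) - x)
        v += 0.5 * (a + a_new) * dt
        a = a_new
        peak = max(peak, x)
    return peak

def closed_form_dlf(rise_time, period):
    """Textbook result for the same model: 1 + |sin(pi*r)| / (pi*r), r = rise/period."""
    r = rise_time / period
    if r == 0.0:
        return 2.0
    return 1.0 + abs(math.sin(math.pi * r)) / (math.pi * r)

def sweep(period=0.050, rise_times=(0.0, 0.010, 0.025, 0.125, 0.500)):
    """Return (rise_time, peak_pressure, simulated_dlf, closed_form) rows."""
    rows = []
    for tr in rise_times:
        # Constructed sample of the pressure trace at 1 ms intervals over 1 s.
        peak_pressure = max(pressure_trace(k * 1e-3, tr) for k in range(1000))
        rows.append((tr, peak_pressure, dynamic_load_factor(tr, period),
                     closed_form_dlf(tr, period)))
    return rows

if __name__ == "__main__":
    for tr, p, sim, exact in sweep():
        print(f"rise={tr*1e3:6.1f} ms  peak pressure={p:.2f}  "
              f"DLF sim={sim:.3f}  closed form={exact:.3f}")
```

In every row the pressure trace peaks at exactly 1.0, while the response peak ranges from about 2.0 for a step down to about 1.0 when the rise time is many natural periods long.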

Why Don’t They All Fail?

Why don’t all the Blowout Preventers on all oil wells fail, if what I am saying about the small and
negative safety margins is true? Why doesn’t every Shuttle mission explode if the dynamic
overshoot I propose exceeds the built-in safety margins for that system? These are valid
questions. In the case of the Space Shuttle, pundits dismissed my concerns as “crying wolf;”
after all, mission after mission didn’t explode. Dismissing the concerns raised in this Report
indicates naivety in engineering design.
Careful examination of the history of oil drilling and refinery systems reveals hundreds of serious
accidents, thousands of failures and many operation and maintenance problems. The problems
reported with the DWH oil well and its BOP before the disaster are not peculiar to that system
alone. Other rigs have had similar problems, perhaps to a different magnitude and frequency. In
engineering, the objective is not limited to not killing people. It is also important that systems be
effective and profitable. Identifying root causes is a primary challenge to BP and the other oil
Contractors and to the Deepwater Horizon oil spill Investigators.
It is not the intent of this Report to spread panic or fear about the massive transient dynamic
overshoot error, particularly now, in deepwater oil wells. Careful examination of our reports
shows that some steps have been taken by experts in many industries to counter the effect,
though the phenomenon is not clearly recognized. In addition to the meager safety margins
described in this Report, modern systems have sizable built-in margins, which prevent
widespread disasters. Let me say a few words about “why don’t they all fail?”
Several factors make it possible for systems to survive well beyond the safety margins. One of
the factors is the “minimum material property” criterion used in design. Consider a steel grade
used in the Blowout Preventers or the Space Shuttle. When testing random samples for a
project, it is found that the strength of the samples falls between 100,000 and 120,000 psi. The
average strength of this steel is 110,000 psi. In design, we always use the minimum material
property, 100,000 psi, and not the average strength, 110,000 psi. If we use the latter, then we’d
hope and pray that all the steel used in our project has greater strength than the average; but
we know from tests that that is not the case. And so, many parts are stronger than stated on
paper. The minimum material property criterion increases the safety margins. Also, modern
design tools use the finite-element mathematical method. When we encounter the choice
between a marginal or a conservative approach, we always use the conservative solution, which
increases the safety margins for real systems over the computer models. Sometimes, the
geometry of the parts dictates the use of more material, where it is not needed; this increases
the safety margins. Also, the DWH Blowout Preventers and the Shuttle were strengthened over
time to ameliorate damage or difficulties observed during tests or operation. In short, there are
several factors that increase the safety margins of a system beyond the calculated values. It is
then possible that the actual safety margin for the DWH Blowout Preventer was 70–90%, and
not our calculated 25%! The same is true of the Space Shuttle. It is the built-in safety margins
described here which allowed the Blowout Preventer to survive beyond the 15,000 psi design
load and the Space Shuttle to survive beyond the 1.5M lbs rated lift-off load.
So, if the real strengths of the Blowout Preventer and the Space Shuttle at liftoff were about
19,000 psi and 1.9M lbs (and not 15,000 psi and 1.5M lbs), respectively, then, unknowingly, the
extra safety margins got used up by the start-up transient dynamic overshoot effect. These
systems then operated seemingly successfully only because of the above built-in safety
margins. BP and the other Contractors must guard against this: The transient dynamic loads
can use up the extra strength in the New Blowout Preventers, leaving the BOPs with nearly 0, or
no, safety margins.
It must be emphasized that engineers and managers must not use the above contributors to
extra safety to justify the use of small safety margins. The extra safety margins can only be
considered in cases of emergency. One cannot say that the safety margin for the Blowout
Preventer is 25%, but that the real safety margin may be 90%. Strictly, the safety margins are
the values we calculated earlier in this Report, based on the data discussed in the
Congressional Hearing of June 17, 2010.
Here is a relevant real life experience. In 1976, I was asked to find solutions to problems with
the first international satellite tracking antennas that had operated for nearly 8 years then. The
technical record (in boxes) for the antennas in Maine, Hawaii, Italy and Australia was massive. I
had the boxes moved into my office 4-6 boxes at a time. Over the years, many engineers were
tasked to solve the problems. The studies conducted were elaborate and dealt with intricate
electrical, electronic, hydraulic, mechanical and structural aspects of the system; which I will
skip here. I finally spent time with the operation and maintenance personnel in Andover, Maine,
who described to me the problems they had with the antenna for so many years. These people
were forthcoming, especially when they realized that I was trying to find out what was wrong
with the antenna, and not what was wrong with them or the way they operated or maintained the
system. The antenna experienced distinct resonance in one frequency, which was disabled from
the first day the antenna was put into operation! The antenna was driven by two powerful
hydraulic drives, which were the state-of-the-art then. The valves in the hydraulic drives leaked
incessantly. That alone produced difficult procedures that went beyond anything anticipated in
the original documents. The valves had to be replaced frequently, which was messy, disruptive
to operation and expensive. A few tests revealed that the antenna was badly unbalanced. When
a satellite was acquired over the horizon, the antenna locked on the satellite and the hydraulic
drives began to drive the antenna. A command applied a sudden force to move the antenna a
small step, the unbalanced weight then pushed back on the drives, then another command, a
small motion, etc. The sudden and repeated force magnified the forces acting on the antenna
and the hydraulic drives. The dynamic overshoot nearly doubled the loads on the hydraulic
drives. The engineers did not recognize the dynamic overshoot effect in these systems for 8
years, and the original safety margins for the antennas were meaningless. The antennas and
the hydraulic drives worked for years, but with great difficulty and problems.
I developed a straightforward solution and a small contract with a local company resolved the
problems. The leaks in the hydraulic drives stopped completely. The resonance condition
disappeared. All modes of tracking improved dramatically. Afterwards, the valves did not require
the disruptive and expensive replacements. The operation and maintenance supervisors were
giddy about it, and they wrote letters of appreciation to headquarters. There are important points
here that apply to the DWH case. By failing to recognize the dynamic overshoot problem, the
managers and engineers suspected the hydraulic drives’ problems to lie with the Operators. For
years, many steps were taken, but none of them solved the root problem. It is true that
operators can sometimes do things that can aggravate the safety of a system. However, if a
massive design error, such as the transient dynamic overshoot effect, is built into a system, the
resulting erratic behavior of the system can force the operators to do things that aggravate a
difficult situation. If the engineers don’t know about the destructive transient dynamic effect, how
are the operators to know about it? The DWH investigations should go beyond the details of
what the operators on the rig did, or didn’t do, before the explosion. The inquiries should also
look into why the operators did, or didn’t do, certain tasks. Valves leaked before and after the
DWH explosion. Were the leaks the result of actions by the operators or did the leaks result
from excessive loads, as can be produced by the little-recognized transient dynamic conditions?
One massive mistake, such as the transient dynamic overshoot, can lurk in a system for years
causing problems and difficulties, but not outright disasters.
Failure Modes and Effects Analysis (FMEA) and Failure Modes, Effects and Criticality Analysis
(FMECA) are used to evaluate risks in modern systems and to investigate major failures. These
methods develop formidable fault trees that can include thousands of ways in which a system
can fail. Identifying “root causes” can eliminate many failure modes in one swoop. In the case of
the above tracking antenna problems, many failure modes were crossed out by fixing one
problem, the transient dynamic overshoot problem. Chasing thousands of problems identified in
FMEAs and FMECAs can be expensive and wasteful, and the effort may not lead to clear-cut
findings and root causes. When the engineers do not know about the magnified dynamic loads,
as described in our reports, then the rest of an organization can become helpless trying to fight
ghosts. The unknown magnified forces acting on the Space Shuttle were called for a long time
“mysterious loads” in the media. It did not occur to the managers and operators that the
systemic problems with the Shuttle were potentially caused by one massive mistake, very likely,
the same mistake that befell the Deepwater Horizon oil well.


Based on data discussed in the June 17, 2010 Congressional Hearing, this Report shows that
the safety margins for the Deepwater Horizon Blowout Preventer were smaller than safety
margins used with manned rockets, e.g., the Space Shuttle. Personnel on the rig were then
exposed to greater risks than faced by astronauts launched into space. It is also shown that the
BOP safety margins could have been as small as safety margins used in unmanned satellites.
Both conditions are dangerous and unacceptable. The small safety margins could explain the
difficulties encountered with the Macondo oil well before the explosion. Furthermore, it is shown
that the Dynamic Load Factor (DLF), which is required by the Codes, was not considered in the
design or so far in the investigation of the DWH disaster. The pressure values discussed in the
above Hearing must be considered static, and not dynamic, values, i.e., the static pressure
values are not the actual maximum loads. Taking the DLF, or transient dynamic overshoot,
loads into account reveals that the safety margins for the Deepwater Horizon oil well were
negative, which could explain the eventual failure of the Blowout Preventer. Also, it is shown
that, when taking the DLFs into account, the New Blowout Preventers are still marginal. The
subject of this Report has been controversial in aerospace and other industries for decades.
The author has encountered, analyzed and corrected the rogue dynamic transient condition
many times in space and terrestrial systems for half a century. The enormity of losses and
damage caused by the Deepwater Horizon oil well explosion demands scrutiny of all possible
“root causes.” We propose that our treatise be considered among the possible “root causes” of
the disaster. Engineering Codes and education must be amended in light of the evidence
presented in our Reports. Temporary regulations and deregulations may have to be instituted to
allow the collective vital oil industry and other industries to bring facilities and equipment to
acceptable safety standards.
Other important issues relating to the safety and risks in oil wells and other systems can be
found on our website. This Report will be expanded when more valid numbers
become available.
Again, at Shuttlefactor, we are available to work in strict confidence with the Administration, the
Congress, BP or other Contractors to evaluate, calculate and measure the transient response
for the oil wells, in general, and for the Blowout Preventers, in particular.
For comments, inquiries or questions, Ali F. AbuTaha can be reached at:


Ali F. AbuTaha
Manassas, VA
