Oil Spill Disaster

ShuttleFactor and BP Deepwater Horizon Oil Disaster

I. Small, Zero and Negative Rockets-Like Safety Margins

II. The Root Problem: Force Overshoots, Pressure Doesn’t

The swift design, construction and installation of the complex cap that stopped the rowdy Macondo oil well point to exceptional technology by the people involved. Engineers, however, are not immune from making mistakes that can undermine modern technology. The Deepwater Horizon (DWH) Blowout Preventer (BOP) data discussed in a June 17, 2010 Congressional Hearing revealed serious mistakes, in particular, the use of "small, zero and negative" safety margins, which could have undermined the safe and risk-free operation of the system. This is described in our Report, "Shuttlefactor and BP Deepwater Horizon Oil Disaster," below.

Our observation of the dangerous and unacceptable "small, zero and negative" safety margins was also confirmed by data uncovered in the August 12, 2010 Hearing of the National Academy of Engineering (NAE) Committee Analyzing Technical Causes of Gulf Oil Spill. This is discussed in our letters to the NAE and the House Energy and Commerce Committee - see below.

While the mistakes we describe are serious and fundamental, engineering solutions can be swiftly implemented. For example, proper operation and maintenance procedures can rectify many problems, in the short-term, while permanent solutions are implemented in the long-term. We hope our Reports will help to speed up solutions and to shorten the moratorium on oil operations.

Letter to the House Committee on Energy and Commerce

August 20, 2010

The Honorable Henry A. Waxman
The Honorable Bart Stupak
Committee on Energy and Commerce

Fax No. 1-202-225-2525
Total 3 Pages


Attached is a copy of my letter of August 18, 2010 to the Honorable Donald C. Winter, Chairman of the National Academy of Engineering Committee Analyzing Technical Causes of Gulf Oil Spill. The safety margins described in the letter illustrate the importance of my Report “Shuttlefactor and BP Deepwater Horizon Oil Disaster,” which was submitted to the Committee on August 13, 2010. In the NAE Hearing of August 12, 2010, experts from BOEM (formerly MMS) revealed that safety factors of 1.0 and 1.2 are normal in oil drilling systems. My Report emphasizes the use of safety margins, instead of safety factors. A safety factor of 1.0 means a safety margin of 0% (zero), or no safety margin at all. A safety factor of 1.2 means a safety margin of 20%, smaller than safety margins we use with rockets and satellites. As the above letter and my Report show, the actual safety margins used in Deepwater Horizon and other oil systems are negative.

It is not my intent to preempt the various distinguished investigations in progress. Regardless of “root causes” that will be uncovered in the ongoing investigations, zero and negative safety margins are clear signs of inadequate designs that could only lead to problematic operations and maintenance and eventual failures. I therefore strongly recommend that the Administration, the Congress and, especially, the Oil Contractors move swiftly on the issues described in my above Report and Letter.

Respectfully yours,

Ali F AbuTaha

Attachment: Letter to the Honorable Donald C. Winter, Chairman, NAE Committee

cc: The Honorable Donald C. Winter, Chairman, NAE Committee
    The Honorable Fred Bartlit, Chief Counsel, National Commission

Letter to the NAE Committee Analyzing Technical Causes of Gulf Oil Spill

August 18, 2010

The Honorable Donald C. Winter, Chairman
Committee Analyzing Technical Causes of Gulf Oil Spill

Dear Dr. Winter,

I urge your distinguished Committee to consider my input below in the effort to determine the probable root cause(s) of the Gulf Oil Spill disaster, to improve safety and reduce risks.

The Deepwater Horizon (DWH) data discussed in the June 17, 2010 Congressional Hearing with the BP CEO, Mr. Tony Hayward, revealed disturbing technical issues not noted before, e.g.,

  1. The “safety margins” for the Blowout Preventer (BOP) on DWH were smaller than safety margins used for manned rockets. Personnel on the Horizon rig were then exposed to greater risks than faced by astronauts launched into orbit – a serious technical issue.

  2. Adding dynamic loads, which are required by the Codes, to the loads discussed in the above Hearing indicates that the actual safety margins for the Horizon BOP were negative – a very serious technical issue.

  3. The New BOPs, which will be used by BP and the other Contractors, discussed in the Congressional Hearing will still have negative safety margins – an unacceptable condition.

The above and related issues are described in my attached Report (pdf 90KB), “Shuttlefactor and BP Deepwater Horizon Oil Disaster.” The Report can also be found on our web site www.shuttlefactor.com in the “Oil Spill Disaster” web page. The Report was submitted to Congressional Committees, the National Commission, BOEM, BP, and others.

I saw a part of your Committee’s August 12 Hearing with BOEM (C-Span, Aug 17). The Committee uncovered other vital Numbers. The “safety factors” mentioned in the Hearing, e.g., 1.0, 1.2, 1.25, 1.5 and 1.75, also reveal disturbing technical issues and underscore the importance of my Report. Rather than write another Report to scrutinize these Numbers, I will briefly describe the significance of the safety factor Numbers.

  1. A “safety factor” of 1.0 was mentioned in the Hearing. Many non-technical people and engineering students may think that a full 1.0 safety factor is a safe and risk-free Number. But, when that Number is stated as a “safety margin,” it will be instantly recognized by everyone that the 1.0 safety factor means no safety margin at all.

A “safety factor” of 1.0 means a “safety margin” of 0%, [(1.0 – 1.0) x 100]. How did the 0% safety margin (or, 1.0 safety factor) come about? Who approved it? Who teaches that a 0% safety margin can be used in any modern system?

  2. Another “safety factor” mentioned in the Hearing was 1.2. Non-engineers may have to calculate the corresponding “safety margin,” e.g., [(1.2 – 1.0) x 100], or 20%, to recognize the significance of the Number. Is this important?

The safety margin for manned rockets is 40%. The safety margin for unmanned satellites is 25%. The problem here should be self-evident. Who allowed the use of 20% safety margins for vital, and obviously dangerous, oil drilling systems? How was the value determined? Did the engineers know that 20% safety margins exposed personnel on the Horizon rig to “greater” risks than faced by astronauts blasted into orbit?

Forty years ago, I conducted extensive comparative studies using the then new finite-element general-purpose computer programs, e.g., NASTRAN and ANSYS, analytical methods, and tests. The difference in answers did not allow us to reduce safety margins for satellites from 15 and 25% for yield and ultimate conditions to 5 and 15%. What specific engineering studies justified the use of 20% safety margins for the Horizon well? Are the same marginal designs used in other oil wells and oil refineries? What is the impact of the marginal designs on the national economy?

  3. Other safety factors mentioned in the Hearing are 1.25, 1.5 and 1.75. The corresponding safety margins are 25, 50 and 75% respectively. Are these “safety margins” safe and risk-free? The answer is a resounding NO, as described in my attached, and other, Reports.

Safety margins of 25, 50 and 75% may be sufficient for a capped, dormant and static oil well on the basis of Newton’s Action-Reaction Law. But operating oil wells are dynamic systems. What were the dynamic load factors (DLF) for the DWH BOP? What dynamic overshoot factors are used for other oil wells? The stiffness parameters for bolted, riveted or welded joints are well known, and the transient dynamic overshoot, or DLF, can be calculated using those parameters. Simple and advanced equations are given in our Shuttlefactor Reports. Even the seemingly adequate safety margins of 25, 50 and 75% (or safety factors of 1.25, 1.5 and 1.75) for oil wells are inadequate and unacceptable.

The findings of your Committee will be important, not only to safe and risk-free oil wells, but also to the economy, education (particularly, engineering which has not fared well recently) and the national security. I hope my Report(s) are useful.

The engineering paper I submitted to a journal on the subject 20 years ago caused many (non-technical) problems. I have no plans to submit other papers for publication. Please note, however, that my engineering studies of the problematic start-up transient dynamic overshoot conditions and pressure-activated systems (such as the DWH Blowout Preventer) were evaluated and approved in writing by top experts from ASME, ASTM, NRC, AAAS, DOD and academia 20 years ago. I will answer questions from the Committee and provide clarifications to any issue discussed in my reports.

Very truly yours,

Ali F. AbuTaha
Manassas, VA

ShuttleFactor and BP Deepwater Horizon Oil Disaster

I. Small, Zero and Negative Rockets-Like Safety Margins

II. The Root Problem: Force Overshoots, Pressure Doesn’t


The scramble by the government, BP and the oil industry to produce the “temporary cap” that stopped the dreadful surge of oil into the Gulf of Mexico and to “static kill” the Deepwater Horizon oil well is reminiscent of the effort to save Apollo 13 exactly 40 years earlier. At the time, I did stress analysis for satellite systems, including tanks similar to the one that exploded on 13. I was asked then to evaluate the Apollo 13 incident for Comsat Labs. My extant handwritten mathematical analysis of 1970 described a serious engineering mistake, which I eventually called the “dynamic overshoot blunder.” I identified and eliminated the same mistake in other systems. Ironically, the engineering blunder remains widespread in modern systems and in engineering education. There is strong evidence that the same mistake played a role in the Deepwater Horizon oil spill disaster. The enormity of the disaster demands that the decision makers in the government, industry and academia recognize the “dynamic overshoot blunder” and how this one mistake undermined many modern systems.

The epigraph to the ShuttleFactor page states that “Factor” is One Mistake that Produced A Thousand Problems and Ruined the Space Program. Did the same ShuttleFactor fundamental engineering mistake play a role in the Deepwater Horizon (DWH) oil well disaster? 3-Numbers for the Blowout Preventer (BOP), the last line of defense for the oil well, which failed to stop the oil from surging into the Gulf, were discussed in a Congressional Hearing on June 17, 2010. The 3-Numbers show troubling facts that have not been reported before, e.g.,

1. The safety margin for the BP Deepwater Horizon BOP (25%) was smaller than the safety margin for the Space Shuttle (40%). This means that the operators, managers, inspectors and visitors on the Deepwater Horizon rig were exposed to greater risks than astronauts blasted into space.

2. The dynamic overshoot loads mentioned above indicate that the actual safety margins for the DWH BOP were negative, which explains the widely reported problems with the well and its eventual failure.

3. The new BOP design may not be adequate for safe operation.

These facts are discussed in detail in this Report, which will be useful to BP and the other oil-drilling Contractors and to Investigators from the Congress, the National Commission, and others. In addition to immediate engineering action to remedy technical shortcomings, the small, zero and negative safety margins in deepwater oil systems may require temporary regulations and deregulations to prevent similar disasters.

The first charge of the Executive Order 13543 of May 21, 2010 to the “National Commission on the BP Deepwater Horizon Oil Spill and Offshore Drilling” states: 3(a) “examine the relevant facts and circumstances concerning the root causes of the Deepwater Horizon oil disaster.” This Report identifies strong candidate(s) for root causes of the disaster, which the National Commission, the Congress, BP and others will find useful in their mission.

Part I. Small, Zero and Negative Rockets-Like Safety Margins

ShuttleFactor Numbers for BP DWH in Congressional Hearing

On June 17, 2010, the House Subcommittee (of the Energy and Commerce Committee) on Oversight and Investigations held a daylong Hearing entitled, “The Role of BP in the Deepwater Horizon Explosion and Oil Spill.” Members of the Congress asked many questions and the BP CEO, Mr. Tony Hayward, gave answers. A colloquy between Congressman Charles Gonzalez of Texas and Mr. Hayward revealed 3-Numbers that should have sent shock waves from the Hearing room to the Gulf to the physics and engineering communities and to oil drilling contractors and personnel. But, no one noticed. Simple arithmetic (a division, a subtraction and a multiplication) reveals that the design of the Blowout Preventer on the Deepwater Horizon and, very likely, on other rigs, was marginal.

First, here is the exchange that produced the 3-Numbers in the Congressional Hearing of June 2010. The following is taken from the Committee’s transcript:

Excerpts from Congressional Hearing of June 17, 2010

The Chairman: You are testifying today before the Oversight and Investigations Subcommittee, and the subcommittee has a special role to examine the facts and determine what went wrong and to make recommendations to prevent future spills. (Page 4)

Mr. Gonzalez: Which then leads me to - - what do you think you’re dealing with at that depth as far as pounds per square inch? (Page 181)

Mr. Hayward: We know that we are dealing with a reservoir with a pressure of around 11- - - between 11,000 and 12,000 pounds per square inch. And we have a blowout preventer rated to 15,000 pounds per square inch. I believe that’s correct.

Mr. Gonzalez: I don’t know this. Cameron – I don’t know that it is Cameron that builds these blowout preventers. That is a company that someone told me that is - - and they are working on a 20,000 pounds-per-square-inch-preventer. I mean, you’re aware of that?

Mr. Hayward: I am, yes.

Mr. Gonzalez: And they actually said this: While there is much discussion and an ongoing effort to provide guidance for equipment greater than 15,000 pounds per square inch, in the interest of expediency it was decided within Cameron to apply current design codes and practices.

Why were you all looking at 20,000 pounds per square inch when you believe what you already have at 15,000 exceeds what really is required? (Page 182)

Mr. Hayward: I think that – I’m not certain, but I think that is referring to blowout preventers for reservoirs with even greater pressure.

I do believe that one of the most important things to come from this incident is the requirement for the industry to step back and redesign the failsafe mechanism it uses to prevent accidents of this sort. We need a fundamental redesign of the blowout preventer. It is something that BP is going to take a very active role in. We have already begun that process with a number of academic institutions and a number of contractors in the industry. (Emphases added)

The 3-Numbers for the Blowout Preventer discussed in the Congressional Hearing are:

1. 11,000 or 12,000 pounds per square inch (psi): This is the maximum pressure that the well experiences.

2. 15,000 psi: This is the rated pressure, or the design pressure, for the Blowout Preventer.

3. 20,000 psi: This will be the rated (or design) pressure for new BOPs, which will be used by BP and the other oil-drilling contractors.

What do these numbers mean? At face value, the design load, 15,000 psi, which is greater than the applied load, 12,000 psi, seems to indicate that all was well with the Blowout Preventer before the accident. The rated or design load for the BOPs will be increased from 15,000 to 20,000 psi, thus making future oil wells safer. The swift change, which applies to BP and others, only two months after the disaster, hints at an industry-wide problem. Of course, the change will make deepwater oil wells safer. Still, Congressman Gonzalez wondered, “Why were you all looking at 20,000 pounds per square inch when you believe what you already have at 15,000 exceeds what really is required?” BP answered, “…to prevent accidents of this (DWH) sort. We need a fundamental redesign of the blowout preventer.”

Somehow, the 3-Numbers appeared innocuous, although everyone seemed to agree that “a fundamental redesign” was needed. The disturbing thing about the redesign is its magnitude, a change of about 100%. This is to say that the strength of the New Blowout Preventers will be DOUBLED! Normally, engineers try to limit mistakes to 1, 3, or 5%, and the goal is not to make numerical mistakes at all. Errors of the order of 100% are dangerous and unacceptable. Anyone familiar with our Shuttlefactor reports and Continuing Engineering Education Program, “Anatomy of Failure Mechanisms in Modern Systems,” will instantly recognize the huge 100% DOUBLED loads. If a 100% design change is required, then how safe or marginal were the original BOPs?

There is more to the 3-Numbers, discussed in the Hearing, than meets the eye. The 3-Numbers are similar to numbers repeatedly emphasized in the ShuttleFactor reports. Actually, there is an eerie similarity between the Deepwater Horizon numbers and the Space Shuttle numbers, as will be described later. The numbers explain many failures, disasters and tragedies in modern systems, including, now, the Deepwater Horizon Oil Well disaster.

BP DWH BOP: Very Marginal Design

Can you tell from the 3-Numbers discussed in the Congressional Hearing if the Blowout Preventer’s design was adequate or inadequate? If adequate, how adequate? And if inadequate, how inadequate? Some may say that since the rated load (15,000 psi) was greater than the applied load (12,000 psi), then the design was adequate! But, simple arithmetic shows that the design of the Blowout Preventer was inadequate – actually, very marginal.

Engineering is a precise art within tolerances. Engineers work with numbers. Numbers tell us how safe or risky a system is. We listen to guesses, guesstimates, and opinions, but we had better do the required calculations. It was reported before the DWH disaster that the oil well was a “nightmare.” This received attention in the Congress, the media and elsewhere. But, how nightmarish was the well, and I mean numerically? How adequate, safe, marginal or risky was the Deepwater Horizon oil well, in general, and the Blowout Preventer, in particular - numerically? So far, these vital questions have not been answered. Let me show you how marginal the design of the Blowout Preventer was.

We need to know the safety margins for the Blowout Preventer. How do we get the safety margin? Simple. First, calculate the Factor of Safety (or Safety Factor) for the BOP, then subtract one, and then multiply by 100, simple arithmetical operations. The Safety Factor is the Rated Load divided by the Applied Load; both numbers were discussed in the Congressional Hearing (say, the 15,000 and 12,000 psi, respectively). Then,

Thousands of components of different materials and geometry make up the Deepwater Horizon oil well, and there are thousands of safety factors associated with the many parts, including, the BOP. Engineers can (should) easily interpret safety factors, but non-engineers might find the safety factors less than clear and unambiguous. Safety margins come to the rescue.

Calculating the safety margins is simple. Using the numbers discussed in the Congressional Hearing (15,000 and 12,000 psi), first calculate the safety factor or rated load/applied load or 15,000/12,000 (Answer 1.25), then subtract 1 (Answer 0.25), and then multiply by 100 (Answer 25%); that’s it, or,

The safety margin for the Blowout Preventer is about 25%. What does this mean? It means that the Blowout Preventer can withstand 25% greater loads than the maximum applied loads, or that if the engineers made mistakes of 25% or less, then there would be no failures, accidents or tragedy. But, this description leaves much to be desired, particularly, to non-engineers. Some experts might argue that the 25% safety margin is adequate. Can a legislator, judge, lawyer, investigator, or, even, executives of the oil companies determine how marginal was the DWH oil well?

Protagoras wrote, “Man is the measure of all things.” We measure things; we use “measure” to represent and comprehend things. To find out the adequacy or inadequacy of the DWH BOP design, we need a measure. We must compare the BOP’s safety margins with other safety margins with which we are familiar. I have selected for this purpose the Space Shuttle. Many legislators are familiar with the difficulties encountered with the Space Shuttle for four decades. And I don’t mean here only the Challenger and Columbia tragedies, but the many structural failures experienced by that system over the years (see Shuttlefactor webpage). The legislators are familiar with the great risks involved in space flight, and they have appropriated and authorized great investments to mitigate the risks. The risks are dictated by the vicious requirement for lightweight, or the lightest weight possible. The safety margins for the Space Shuttle are widely known, e.g., 40% for ultimate strength. The derivation of the safety margin for the DWH BOP is straightforward. We did it above with simple arithmetic: 25%. Here then is a comparison of the safety margins used in the design of the Deepwater Horizon Blowout Preventer and the design of the Space Shuttle:

Table-1 Safety Margins for the Space Shuttle and DWH Blowout Preventer

                 Space Shuttle    Deepwater Horizon Blowout Preventer
Safety Margin

One glance at this Table shows the bad news in plain language to everyone. The Table gives Legislators and Investigators a clear picture of the situation on hand. The Table gives clear-cut input to ask incisive and decisive questions. I would like to know what questions the Members of the Congress would have asked in light of the above simple Table, e.g.,

· Do you know that the safety margins for the DWH Blowout Preventer were smaller than the safety margins for the Space Shuttle?

· Did you know that the Deepwater Horizon personnel were exposed to greater risks than astronauts blasted into orbit?

· Are personnel on other rigs exposed to similar risks?

· How did this marginal design come about in the first place? etc.

After the June 17, 2010 Hearing, I tried to find out what the oil-drilling experts had to say about the marginal design. I examined many studies and thousands of posts on the Internet. Apparently, no one noticed it. No one processed the numbers mentioned in the Hearing by the straightforward steps described above.

The fact that the pressure values discussed in the Congressional Hearing were general, rounded or estimated values does not alter our estimates of the safety margins for the BOPs. BP lists the Macondo oil well’s pressure at 11,900 psi, which is in the ballpark of the values discussed in the Congress. The safety margin for this pressure value is 26%.

The Messy Picture

The design, construction, operation and maintenance of an oil well is more complicated than described here or in thousands of papers and expert posts on the Internet. The 3-Numbers, discussed in the Energy and Commerce Subcommittee, are only the beginning of a picture that gets messy very quickly. From the pressure values discussed in the Hearing, engineers calculate forces and other parameters that apply to thousands of components that make up the system. The stress and strain in each component, subsystem and the whole system are calculated. Many numbers are generated. Stress acts in tension, compression, shear, torsion and bending, singly or in combination, in one-, two- or three-dimensions. The picture is further complicated by non-linear effects, such as buckling, fatigue, material properties, metallurgical considerations such as corrosion, failure modes and risks. I can go on with the daunting processes that eventually lead to a productive deepwater oil well. Numbers are generated using general-purpose-computer programs, analytically or experimentally. There are millions of numbers that make up the design of a deepwater oil well, a space shuttle, a bridge, etc. The numbers are proprietary to the contractors and subcontractors. It is impossible to share all the numbers with investigators from the government, academia and the media. Even if all the numbers were shared openly, investigators can be stumped. What do the numbers mean?

Policy and decision makers do not need the millions of numbers to get a clear picture of the situation and to make thoughtful decisions. We saw above that discussing the three pressure numbers (11,000, 15,000, and 20,000 psi) for the Deepwater Horizon oil well did not achieve categorical conclusion(s) as to a likely cause of the disaster. Even the marginal design was not noticed. The safety margins, however, give a clear picture. Clear-cut conclusions can be drawn from the safety margin values.

Safety Margins: The Clear Picture

After noticing the 3-Numbers discussed in the Congressional Hearing, I checked other reports on the Committees’ websites, and thousands of reports and posts by oil drilling experts, educators and others. It turns out that the applied or maximum loads for DWH are more chaotic than was discussed in the June 17 Hearing. Some experts write matter-of-factly of applied loads of 13,000 and 13,500 psi and one expert refers to applied loads of 13,000 to 18,000 psi for the BP Deepwater Horizon oil well. The 13,500 psi number is so close to the design pressure of 15,000 psi that the safety margins for this case are dangerously low. The 18,000 psi exceeds the rated or design value! No safety margins at all. Red flags should be waving everywhere. Let us calculate the safety margins for the above pressure numbers: Remember, to derive the safety margins, (1) divide the rated (design) pressure by the applied pressure to obtain the safety factor, (2) subtract 1 from the result, and (3) multiply by 100 to obtain the safety margins in the last column.

Table-2 Possible Safety Factors and Safety Margins for DWH Blowout Preventer

          Rated Pressure    Applied Pressure    Safety Factor    Safety Margin
Case 1    15,000 psi        11,000 psi
Case 2    15,000 psi        12,000 psi
Case 3    15,000 psi        13,000 psi
Case 4    15,000 psi        13,500 psi
Case 5    15,000 psi        18,000 psi


This, or similar, Table(s) should have been developed and shared with the Congress, the Administration and others. Study the Table carefully. The first two rows contain the numbers discussed by Messrs. Gonzalez and Hayward on June 17, 2010; and the last three rows are numbers discussed by oil-drilling experts on the Internet, e.g., see “What caused the Deepwater Horizon disaster?” The Oil Drum website, May 21, 2010, and other posts. Here are some observations derived from the Table:

· Cases 1 and 2 (discussed in the Congressional Hearing) show that the design of the Blowout Preventer was more marginal than the design of the “manned” space shuttle system.

· Cases 3 and 4 show that the design of the BOP was as marginal as the design of unmanned satellites, i.e., there were greater risks for the oil well than allowed for “unmanned” spacecraft!

· Case 5 shows a negative safety margin for the Blowout Preventer: Outright disaster.

Let me describe why the safety margin concept is more useful than the safety factors, particularly, to legislators and other government and business leaders. The safety factor for Case 5 is +0.83 (plus 0.83). The engineer should instantly recognize that there is no safety factor whatsoever in this Case, because the safety factor is less than 1. But, because the safety factor is a positive value (+0.83), legislators and non-engineers may not instantly recognize that this system is at great risk. The safety margin column, however, instantly reveals to technical and non-technical people the vulnerability of Case 5: The safety margin is negative (-17%). Zero “safety margin” means no safety margin at all. Of course, negative safety margins can be disastrous.

The safety margin for the New Blowout Preventers appears to be more dependable. BP and the other Contractors will use the new design. Is the design adequate? This is discussed further in the next Sections.

Table-3 Safety Factor and Safety Margin for New Blowout Preventers

Rated Pressure    Applied Pressure    Safety Factor    Safety Margin
20,000 psi        12,000 psi


In summary: Calculate the safety margin. If the answer is negative, then you instantly know that the system does not have safety margins at all and it is at risk. If the answer is a small value, then compare it with other systems you know about, e.g., rockets, spacecraft, aircraft, trains, etc. Of course, if a system does not have to fly (e.g., deepwater oil wells), then it is inappropriate to use very small and risky safety margins.

Who Determines Safety Margins?

It is obvious from the above Tables that the design of the DWH BOP was marginal. What should be the safety margins for deepwater oil wells? Who determines and approves safety margins? You cannot legislate engineering safety margins. It takes detailed technical and commercial considerations to develop acceptable and dependable values. A safety margin of 25% for the Deepwater Horizon well is unacceptable. When I first calculated this value for the BOP, I thought I made a mistake. There is no logic to support the selection of smaller safety margins for oil wells than for manned rockets. There is no rationale to support safety margins equal to those used for unmanned spacecraft. Small safety margins bring about huge problems in installation, operation, maintenance, cost and management of modern systems.

The safety margins for the Space Shuttle are 25% for yield strength and 40% for ultimate strength. The safety margins should be treated seriously in engineering and in technical investigations. The margins tell us many things, e.g., (1) if the applied maximum load for the Shuttle is exceeded by up to 25%, then no element should experience yielding, or plastic deformation, or in plain language, permanent deformation. If the latter happens around moving or reusable parts, problematic operation, maintenance and failures follow. The joint that failed on the Challenger’s booster in 1986 was deformed plastically, or permanently, by about half an inch from previous use. This is more than 10 times the “gap opening” in the joint that was blamed for that disaster. The permanent deformation was 1000% greater than the gap opening at lift-off. The yield strength in that joint was exceeded in previous missions. Numbers must be presented to decision makers in meaningful forms that give a clear picture of a technical situation. (2) If the applied load is exceeded by 40%, outright failure (at least on paper) follows.

Because lives are not at risk with satellites, we used smaller safety margins than the manned systems, 15 and 25% for yield and ultimate strengths. In the early 1970s, I was tasked to study the feasibility of reducing these margins to 5 and 15% respectively. That would have given us badly needed weight reductions. At the time, I tested metals, alloys, composites and other materials for use in spacecraft, did extensive fatigue tests and analyses, examined metallurgical effects, e.g., corrosion and hydrogen embrittlement, and I was responsible for the stress analysis of all components and subsystems. The conclusion of my study was categorical: The 5 and 15% safety margins involved great risks and were unacceptable. Other engineers were tasked to do similar studies independently, and, apparently, we all arrived at the same conclusion. Our recommendation was accepted. The point here is that safety margins for modern systems are not determined in a vacuum or in board rooms or in hasty meetings at BP or any other agency or company.

Executive Orders and Congressional Legislation are not the avenue to dictate what safety margins can be used by different industries. But when the national interests and the national security are at stake and when the data show categorical problems, then Directives and Legislation may be necessary. It is sensible to regulate that safety margins for deep- and shallow-water oil wells (and other terrestrial systems) must not be smaller than safety margins used in manned rockets, unmanned satellites or aircraft. It is legitimate to outlaw negative safety margins, particularly, where losses and damage as we have seen in the Gulf can happen. These principles led me to take the negative safety margins in the Space Shuttle, the Hubble Space Telescope and other important systems to the Administration, the Congress and even the Courts 20 years ago; a recipe for personal disaster. That was done after effort to deal with the issues failed with the space agency, the contractors, the professional organizations, the universities, and the collective aerospace communities. There were no ambiguities in the numbers then, and there are no ambiguities in the numbers now. The Chairman of the Energy and Commerce Oversight and Investigations Subcommittee said, “…the subcommittee has a special role to examine the facts and determine what went wrong and to make recommendations to prevent future spills.” The engineering communities must expand and expound our analysis of the safety margins used in oil drilling systems and make unequivocal recommendations to the Administration, the Congress and others.

The Congress cannot be burdened with calculating safety margins for complex systems, such as oil wells. Experts must. First-cut safety margins for the Deepwater Horizon are calculated and tabulated in this Report. No company would make the seemingly reckless choices described in this Report knowingly and maliciously. Doubling the safety margins, for example for the Blowout Preventer, does not double the weight, the size or the cost of the system. And whatever costs are involved will be quickly recovered from trouble-free operation and maintenance and longer useful life from the equipment. It should be noted that smaller safety margins mean tighter tolerances, which usually mean greater costs. It seems that cost was not the driving factor in the selection of small safety margins for the DWH and other rigs.

Then, how did the small margins come about? In the 1950s-60s, engineering calculations were made on yellow pads, on the back of envelopes and with slide rules. Precision of one or two decimal points was the norm, and great achievements were made in many technical areas. By the late 1960s, we could write a simple formatting line and get tons of numbers with precision of 6, 12 or more decimal points. This led some engineers to place blind confidence in very precise computer-generated numbers. Accuracy went by the wayside. The evolution of the safety margins used in oil-drilling systems must now be examined. What were the safety margins for Blowout Preventers 30 years ago? 60 years ago? What drove the safety margins to the present marginal, expensive and dangerous levels? The industry, regulators, professional groups and academia must examine these questions and recommend appropriate “safety margins.”

II. The Root Problem: Force Overshoots, Pressure Doesn’t

Deepwater Horizon – ShuttleFactor Nexus

The Title and Introduction to this Report speak of a nexus between the BP Deepwater Horizon oil well disaster and the ShuttleFactor studies. As the shuttlefactor webpage reports propose, the “Factor” mistake has ruined our space program in the last four decades. The same mistake has undermined the safety and dependability of other vital systems. How do the BP DWH BOP numbers compare with the Space Shuttle numbers? A simple Table will bring out incredible similarities.

First, take the 3-Numbers for the DWH BOP discussed in the June 17 Congressional Hearing, i.e., 11,000, 15,000 and 20,000 psi. The pressure numbers (pounds per square inch) can be converted into force values to allow direct comparison. Pressure is equal to force (here, pounds) divided by area (here, square inches). What is the force acting on a 1-square inch element in the Blowout Preventer? For the applied load of 11,000 psi, the force is the pressure times the area (11,000 lbs/in² x 1 in²), or 11,000 pounds. The same procedure gives us the force for the rated load (15,000 lbs) and the New BOP rated load (20,000 lbs).

Consider now the following Space Shuttle numbers. The three Space Shuttle Main Engines (SSMEs) produce 1,125,000 pounds force at sea level at liftoff, which can be rounded to 1.1 million (1,100,000) lbs. The ultimate safety margin for the Shuttle is 40%; so, the approximate rated load is 1,100,000 x 1.4 ≈ 1.5M lbs (1,500,000 lbs). NASA used these and similar numbers with great confidence since the start of the Space Shuttle program in 1972 with drastic consequences. Do you see the uncanny similarity between the Blowout Preventer’s numbers (11,000 and 15,000 lbs) and the Space Shuttle numbers (1,100,000 and 1,500,000 lbs)? But, there is more.

How about the third number for the New Blowout Preventers, or the 20,000 lbs value? How did this value for the New BOPs come about? Mr. Hayward said the move is “a fundamental redesign of the blowout preventer.” Congressman Gonzalez mentioned a decision in the oil industry, after the Gulf oil disaster, to “apply current design codes and practices.” The engineering Codes require the use of a Dynamic Load Factor (DLF) in the design of systems subjected to sudden loads, such as deepwater oil wells. The DLF is equivalent to our dynamic overshoot factor. Does this mean that the oil industry did not use the required DLFs before the Deepwater Horizon disaster? Let’s look at the Space Shuttle case.

Because the SSMEs start up very rapidly, the applied load (1.1M lbs) magnifies. The Shuttle structures actually experience the magnified load, which I call “dynamic overshoot.” Calculating the “dynamic overshoot” involves advanced mathematics, but it can be done.

After the Challenger tragedy in 1986, I calculated the actual maximum load (including the dynamic overshoot) for the SSMEs at liftoff to be about 1.9M lbs. The numbers alarmed some NASA managers and engineers who recommended immediate action. Other managers and engineers were indifferent and dismissed the vital issue out of hand. After an extensive search of the massive record in the National Archives, I found out that the Shuttle engineers had actually measured the maximum liftoff load to be about 1.9M lbs. The measurements were made before the Challenger tragedy, and the engineers did not know how to interpret the “dynamic overshoot,” which they called, “excess upward force.” The magnified loads for the more violent boosters and other thrusters were also missing in shuttle design. In early 1987, an Officer from DIA (Defense Intelligence Agency) suggested that some elements of my work were sensitive to national security and advised (not commanded) discretion. From 1986-90, I shared the above numbers only with NASA and DOD in closed-door meetings. In 1990, I submitted a paper on the subject for publication in a rockets journal. Everyone got upset, the paper was dismissed and the engineering communities, including oil drilling and refinery industries, were kept in the dark about a massive engineering mistake that could strike modern systems with drastic consequences. You can read more about those events in Shuttlefactor.com.

We now have 3-Numbers for the Space Shuttle: Applied load of 1.1M lbs, rated load of 1.5M lbs and, maximum load (including startup dynamic magnification effect) of about 2M lbs, which is rounded from the calculated and measured 1.9 or 1.95M lbs.

The nexus between the Deepwater Horizon 3-Numbers and the Space Shuttle 3-Numbers is shown in Table-4. Do you see the startling link?

Table-4 The Space Shuttle – Deepwater Horizon Nexus

| | Deepwater Horizon Blowout Preventer | Space Shuttle |
|---|---|---|
| Applied Load | 11,000.00 lbs | 1,100,000. lbs |
| Rated Load | 15,000.00 lbs | 1,500,000. lbs |
| New Max Rated Load (Blowout Preventer) / Actual Max Liftoff Load (Space Shuttle) | 20,000.00 lbs | 2,000,000. lbs |

If you move the decimal point in the left column 2 places to the right, you will get the values in the right column. If you move the decimal point in the right column 2 places to the left, you will get the values in the left column. The Table is compelling. Engineering analysis is done with symbols, e.g., La can be Applied Load, Lr, Rated Load, and Lm, Maximum Load. After manipulating the symbols mathematically in many ways (without numbers), we substitute the numbers to obtain final results. The analyses in the Shuttlefactor reports can be used to better understand the DWH disaster. In particular, the start-up transient dynamic overshoot effects must be included in any meaningful investigation.

Table-4 answers the question asked by Congressman Gonzalez: Why the 20,000 psi BOPs? Is the DLF for the Blowout Preventers similar to the dynamic overshoot factor for the Space Shuttle main engines? If this is the case, then the presentation to the Energy and Commerce Subcommittee on June 17, 2010 should have stated that the applied load for the Deepwater Horizon BOPs was 12,000 psi, the actual maximum load was 20,000 psi, and the design load was 15,000 psi! Everyone would have instantly recognized the precarious situation. The Codes that Mr. Gonzalez referenced require the use of a DLF of 2, when the actual DLF, or dynamic overshoot, cannot be calculated or measured. The latter produces a more perilous situation.

Many engineers working on vital systems have not taken the dynamic overshoot, or DLF, concepts seriously. In a rare exchange I had with the space community in 2007 (see collectspace website), I discovered that senior rocket engineers who worked on the Space Shuttle Solid Rocket Motors (SRMs), the expensive and canceled Advanced Solid Rocket Motors (ASRMs), and the most recent expensive and canceled Ares rockets, still dismissed the destructive dynamic effect out of hand. The sudden start-up of these rockets nearly DOUBLES the effect of forces on the system, but those engineers don’t believe it, or probably, they cannot calculate the overshoot effect. This explains why some people in the space community, including prominent astronauts, a former NASA administrator and others, voiced disapproval of the Administration’s decision to cancel the Constellation space program and its Ares rockets. What the Obama Administration did here was to put an end to the meandering of the last four decades. We don’t need 30 or 40 more years to discover that the transient dynamic overshoot forces will limit the operation of the Ares-type rockets. Ironically, our aerospace engineers are the best equipped to calculate and measure the transient dynamic overshoot effect, or DLFs. Thoughtful science and engineering papers by these engineers can be of great help to other industries, especially now, the oil industry.

Are the 20,000 psi New Blowout Preventers safe or risky? The nexus between the DWH case and the Space Shuttle case gives disturbing answers. In the next Sections, we describe root problems that could have led to the Deepwater Horizon disaster and to the difficulties experienced with that well before the explosion.

The Real Problem

The Deepwater Horizon oil well, as other oil wells, was subjected to a variety of dynamic conditions, e.g., quick start-ups, quick shutdowns, pulsating oil/gas flows, the familiar oil well “kicks” and sudden actions by powerful hydraulic drives and cranes. The dynamic conditions magnify the applied loads. When the dynamic effects are taken into account, it becomes clear that the safety margin for the failed DWH Blowout Preventer was worse than calculated in Part I (25%) and the safety margin for the New BOPs (67%) is not as good as it seems.

Some experts spoke about the possibility of resonance. This dynamic condition is well understood by physicists and engineers. When the driving frequency in the well is matched by the natural frequency of any component, resonance occurs. Resonance magnifies the stress in a system (theoretically to infinity) leading to certain failure. Conjecture about resonance must be supported with numerical evidence, which I have not seen for the Deepwater Horizon oil well to date.

The start-up transient dynamic condition, however, is not as clearly recognized in physics and engineering; and this dynamic condition could have led to the many reported difficulties with the oil well and the eventual failure of the Blowout Preventer. What was the dynamic overshoot for different operational phases of the DWH Blowout Preventer? What was the dynamic load factor (DLF) for any component on the Deepwater Horizon well and rig? How were the dynamic transient conditions handled in the design or operation of the Blowout Preventer and other vital hardware? These and related questions have not been asked, nor answered. The transient dynamic loads may be the real problem that led to the Deepwater Horizon disaster.

Using bona fide data, I calculated the start-up transient dynamic overshoot for the Space Shuttle Main Engines (SSMEs) to be 73% and for the Solid Rocket Boosters (SRBs) to be 97%. And remember, the same dynamic overshoot for the SSMEs was actually measured, though not understood, by NASA and the Contractors. Based on the pressure rise in nuclear power reactors, the transient dynamic load is nearly doubled; i.e., the applied load is increased by nearly 100%; but no one recognized the effect after TMI and Chernobyl. After our dismissed 1990 paper on transient dynamic effects, NASA selected a Dynamic Load Factor of 2 (Two) for the Booster Separation Motors (BSMs) on the Space Shuttle, which exhibited structural damage over the years – the applied load was DOUBLED outright. I had encountered, analyzed and corrected the massive dynamic overshoot error in space systems, hydraulic drives, and other modern systems for five decades. Yet, there is resistance in the physics and engineering communities to recognize the problem and to institute open solutions. The enormity of the Deepwater Horizon disaster demands immediate attention and action.

I can see the sudden rise and fall of pressure in the records of the Deepwater Horizon oil well, but I do not have exact numbers to accurately calculate the dynamic overshoot, or DLF, or transient response for this and other oil wells. Using the rise time and the stiffness of the Blowout Preventer, the DLF can be easily calculated. Simple and advanced equations are given in our reports. It should also be noted that measuring the dynamic overshoot is not simple, but it can be done. At Shuttlefactor, we are available to work in strict confidence with the Administration, the Congress, BP or other Contractors to evaluate, calculate and measure the transient response for the oil wells, in general, and for the Blowout Preventers, in particular.

What is the Dynamic Load Factor (DLF) for the Blowout Preventers? The DLF is a muddled concept. Although the DLF is included in the Codes, it remains vague. Somehow, the Codes are troublesome to the engineers and, sometimes, the Codes are unknown. For example, I saw a recent post on the Internet by an engineer who states that his (or her) company uses a Dynamic Load Factor of 1.35, that his previous company used a DLF of 1.5 and that he heard that other companies use a DLF of 2 (or a 100% dynamic overshoot). The engineer was asking for advice from other engineers. Isn’t it the function of the Codes to tell the above and other engineers a priori why DLFs of 1.35, 1.5 or 2 are used? Shouldn’t the engineers learn in school how to calculate the DLFs for different systems?

Generally, it is recommended in engineering courses that if the engineer does not know the dynamic factor, a DLF of 2 must be used. This is the origin of the expression that pokes fun at rocket engineers, “the $64,000 question.” Remember, in Newton’s equation, F=ma, or F=mg, g (acceleration) at sea level is about 32 ft/sec² and double g (or 2g) is 64 ft/sec², hence, the $64.

Until the actual dynamic overshoots, or dynamic load factors, are calculated and/or measured for the Blowout Preventers, we can only guess the magnitude of the dynamic effect. According to the Codes, however, when the magnification factors cannot be measured nor calculated, a DLF of 2 (100% dynamic overshoot) should be used for the BOPs. The dynamic load factor for the Deepwater Horizon oil well could be 1.5, 1.7 or 1.9, i.e., dynamic overshoots of 50, 70, or 90%. Let us apply these dynamic factors to the New Blowout Preventers and derive the corresponding safety margins. Here, the rated or design load (20,000 psi) and the applied load (12,000 psi) are the values discussed in the June 17 Congressional Hearing. While “pressure” does not overshoot (see next Section), the safety margins calculated here are representative.

Table-5 Safety Margins for the New Blowout Preventers with Dynamic Loads

| Rated Pressure | Applied Pressure | Dynamic Load Factor | Maximum Load | Safety Margin |
|---|---|---|---|---|
| 20,000 psi | 12,000 psi | 1.5 | 18,000 psi | 11 % |
| 20,000 psi | 12,000 psi | 1.7 | 20,400 psi | -2 % |
| 20,000 psi | 12,000 psi | 1.9 | 22,800 psi | -12 % |

At best, the safety margin for the New Blowout Preventer will be 11%, much smaller than the safety margins used with manned rockets! Very likely, the New Blowout Preventers will have negative safety margins – invitation to disaster. We said earlier that the Congress cannot legislate safety margins, but it must act when the safety margins for deepwater oil wells are smaller than the safety margins used for manned and unmanned spacecraft. The Congress must also act when the safety margins for such critical systems are negative.

Applying the above Dynamic Load Factors to the Blowout Preventer that failed on the Deepwater Horizon oil well and using the pressure loads discussed in the June 17 Congressional Hearing (12,000 and 15,000 psi), the safety margins for the failed BOP were -17%, -26% and -34%, respectively; all negative values. This indicates that the start-up transient dynamic overshoot was the most likely cause of the Gulf disaster. Based on extensive personal experience with modern engineering systems, these negative safety margins can also explain the problems encountered with the Deepwater Horizon well before the accident.

More seriously, if the DLF for the Blowout Preventers is, say, 1.7, then the New BOPs may not be adequate at all. For example, using the applied pressure of 12,000 psi, the maximum applied load will be (12,000 psi x 1.7) 20,400 psi, which exceeds the rated load for the New BOPs (20,000 psi) discussed in the Congressional Hearing. This means that the safety margins for the New BOPs will be negative! What then? Should the rated (or design) load for the New BOPs be, say, 25,000 psi? The safety margin for this case is about 22%, again smaller than the safety margin used with the manned Space Shuttle! The evaluation must not stop here. If the oil Companies cannot calculate or measure the DLF for the oil wells, then the Codes require the use of a DLF of 2, e.g., as NASA did with the BSMs mentioned earlier. The maximum loads for a Deepwater Horizon-like well must then be 24,000 psi (2 x 12,000 psi). In this case, a Blowout Preventer with a rated or design load of 30,000 psi will still have smaller safety margins (25%) than manned rockets. The numbers mentioned here are not number games; the numbers directly affect the safety and risks of oil wells.

The start-up transient dynamic overshoot effect is a real problem with deepwater oil wells, and the Investigators must examine this aspect very carefully. Other important technical issues that apply to the DWH investigations can be found in our Shuttlefactor and other reports.

The Root Problem

How could the dangerous condition(s) described above come about in a modern system, such as the Deepwater Horizon oil well? Some have suggested that the oil drilling industry can learn a thing or two from the aerospace industry. My study of the oil drilling and refinery analyses and calculations indicates a robust and mature engineering community. I had also seen this from drilling and refinery engineers from ARAMCO and elsewhere and in engineers who attended my Continuing Engineering Education Program, “Anatomy of Failure Mechanisms in Modern Systems,” twenty years ago. The start-up transient dynamic conditions were discussed in the Program.

There is a root problem associated with the transient dynamic loads. Based on this Report, experts from BP, the government and elsewhere may rush to study the pressure-time traces for the Deepwater Horizon and other oil wells, looking for the dynamic overshoot. The problem is that the experts will not find the dynamic overshoots in the “pressure-time” traces. The alarming problem is that the experts might dismiss the issue out of hand, as other experts had done before. The “root problem” requires further clarification and discussion.

The theory of elasticity is one of the most intricate and advanced theories in engineering. Thousands of complex equations are derived from the simple spring-mass equation, generally known as Hooke’s Law, after the 17th century Dr. Robert Hooke. All modern engineering systems are designed using Hooke’s Law. Even modern physics is almost entirely based on Hooke’s Law, e.g., the simple harmonic oscillator which is modeled using the familiar equation F = kx, where F is force, k is spring constant and x is displacement. When developing the equations for pressure vessels, such as used in shuttle engines and boosters and in Blowout Preventers, the pressure (psi) is set to equal the stress (psi), and the complex equations are then derived. The theory of elasticity does not take into account two vital factors: (1) The pressure does not overshoot; (2) the force and stress overshoot. A real life example is warranted.

Twenty years ago, the launch of the Hubble Space Telescope was delayed two weeks while my contention that the same transient errors described in this Report could damage the Hubble was considered. Top Officials from the White House and the NASA Administrator traveled from Washington, DC to the Johnson Space Center in Houston to hear rebuttal from other engineers. I was not consulted before, during or after the trip, and the Telescope was launched over my objections. As everyone now knows, we almost lost the Hubble, and the cost to fix the telescope was enormous. I eventually found out the rebuttal of the other engineers. That rebuttal revealed the root problem in the aerospace industry and, now, in the oil drilling industry. Just read the words of the Director of the Johnson Space Center, in a letter to me on October 13, 1992:

“Chamber pressure is intentionally controlled to prevent overshoot greater than 2 percent above rated thrust level during the approximate 5-Second Space Shuttle main engine start transient.”

You can see the root problem from my response to NASA, November 23, 1992:

Either the overshoot is less than 2 (two) percent, as you assert, or it is greater than 70%, as I have stated. The difference is so enormous and consequential that it must be resolved. The significant disparity in our positions is the result of confusion, which I will explain.

This sentence reveals the extent of the confusion. It is correct to say that the “thrust” overshoots at start-up, but it is absolutely incorrect to say that the “chamber pressure” also overshoots. The pressure does not overshoot during start-up transients. It merely fluctuates! Let me explain.

By mistakenly believing that the “chamber pressure,” which does not overshoot, is the measure of the overshoot, your experts have mixed up the input and the output, or the cause and the effect.

The pressure in the main combustion chamber rises to between 3,200 and 3,300 psi (3,283 psi). This pressure rises rapidly in the combustion chamber producing, as I claim, dynamic overshoot forces of 73% that strike the shuttle assembly with vengeance. But, the NASA engineers produced “pressure-time” traces in which they prevented “overshoot greater than 2 percent.” Do you see the massive difference between 2% and 73%? The difference is greater than the safety margins used to design the Space Shuttle. Such big differences in systems with small safety margins can only result in massive failures. Do you see the mix-up? Notice that the NASA director uses the word “overshoot” with the word “pressure.” What everyone failed to realize then was that pressure “fluctuates,” but that it “does not overshoot.” What does it mean to say that the “pressure” does not overshoot? The primary numbers used so far in the investigation of the Deepwater Horizon disaster and in the design of the New Blowout Preventers are pressure numbers. Does this make a difference?

An inflated balloon or a tire explodes when subjected to great pressure. A balloon or a Blowout Preventer does not fail because of the pressure acting in a direction perpendicular to the walls. The balloon or the Blowout Preventer fails because of the stress that stretches the wall membrane beyond the ultimate strength of the material used. Every engineer knows that the membranes can be modeled as springs stretched to failure. For demonstration purposes, all the complicated equations of elasticity can be reduced to a mass hanging on a simple slinky spring, or a weight released on an old bathroom weight scale, supermarket scale or postal weight scale. It is essential to recognize the difference between pressure that acts perpendicular to the walls of a pressure vessel, and force or stress, which pulls and stretches the material of the vessel to failure. The Deepwater Horizon investigators will not find evidence of “dynamic overshoot” in the many pressure-time traces for the Blowout Preventers. Further explanation is useful.

Consider a simple example used ad nauseam in the Shuttlefactor reports: A 100-lbs lady steps suddenly onto an old bathroom weight scale from zero height. For an ideal spring in the scale and no impediments (no air resistance, friction, etc. like Galileo’s pendulums which oscillate to the original height), the dial will register 200-lbs: The weight of the lady, 100 lbs, and a dynamic overshoot of 100 lbs. With a slo-mo camera, one can clearly see the dial move from 0 to 50, 100, 150, and finally 200 lbs. If the area of the lady’s feet is 10 square inches, then the pressure on the weight scale will be 10 pounds per square inch (10 psi). The pressure is equal to the force divided by the area. Now, think about it. While the dial on the scale moves from 0 to 200 lbs, the pressure on the weight scale remains constant, i.e., 10 psi. Of course, if the lady’s weight changes with time, then the lady’s weight fluctuates with time and the applied pressure fluctuates accordingly. If the weight of the lady fluctuates, say, 2%, like the chamber pressure in the SSMEs, then her weight varies between 98 and 102 lbs. The sudden transient dynamic overshoot effect on the weight scale, however, will vary between 196 and 204 lbs. Do you see the difference? To say that the chamber pressure in the SSMEs is controlled to less than 2% is the same as saying that the weight of the lady is controlled to less than 2%. In engineering, we are supposed to design the weight scale or the Blowout Preventer, not the lady. These seemingly mind boggling and upsetting examples are treated in detail in the Shuttlefactor reports.
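The bathroom-scale argument above, together with the earlier remark that the DLF follows from the rise time and the stiffness, as an added worked example (not taken from the Shuttlefactor reports): an undamped spring-mass model under a load that ramps up and then holds. The 200 lbf/in spring stiffness, the linear ramp shape and the textbook closed-form DLF are assumptions of this example; the 100-lb weight and the 12,000, 15,000 and 20,000 psi figures are the page's.

```python
import math

G_IN_PER_S2 = 386.09  # standard gravity in in/s^2; weight (lbf) / g gives mass


def ramp_load(t, f_static, rise_time):
    """Applied load (the input): rises linearly to f_static, then holds.

    It never exceeds f_static, just as the applied pressure does not overshoot.
    """
    if rise_time <= 0.0:
        return f_static  # sudden application (step load)
    return f_static * min(t / rise_time, 1.0)


def simulate_peaks(f_static, stiffness, mass, rise_time,
                   periods_after=3.0, steps_per_period=4000):
    """Integrate m*x'' + k*x = F(t) from rest with velocity Verlet.

    Returns (peak applied load, peak spring force k*x). No damping is
    modelled, so the result is the upper bound on the overshoot.
    """
    period = 2.0 * math.pi * math.sqrt(mass / stiffness)
    dt = period / steps_per_period
    n_steps = int((rise_time + periods_after * period) / dt)
    x, v = 0.0, 0.0
    load = ramp_load(0.0, f_static, rise_time)
    a = (load - stiffness * x) / mass
    peak_in, peak_out = load, 0.0
    for i in range(1, n_steps + 1):
        x += v * dt + 0.5 * a * dt * dt
        load = ramp_load(i * dt, f_static, rise_time)
        a_new = (load - stiffness * x) / mass
        v += 0.5 * (a + a_new) * dt
        a = a_new
        peak_in = max(peak_in, load)
        peak_out = max(peak_out, stiffness * x)
    return peak_in, peak_out


def dlf_closed_form(rise_over_period):
    """Textbook DLF for an undamped system under a ramp-then-hold load."""
    r = math.pi * rise_over_period
    return 2.0 if r == 0.0 else 1.0 + abs(math.sin(r)) / r


def safety_margin(rated, applied, dlf):
    """Margin as the page computes it: rated / (applied * DLF) - 1."""
    return rated / (applied * dlf) - 1.0


def dlf_sweep(ratios, f_static=100.0, stiffness=200.0):
    """Simulated vs closed-form DLF for several rise-time / period ratios.

    f_static is the page's 100-lb weight; stiffness is a constructed value.
    Each row: (ratio, peak input / static, peak spring force / static, closed form).
    """
    mass = f_static / G_IN_PER_S2
    period = 2.0 * math.pi * math.sqrt(mass / stiffness)
    rows = []
    for ratio in ratios:
        peak_in, peak_out = simulate_peaks(f_static, stiffness, mass,
                                           ratio * period)
        rows.append((ratio, peak_in / f_static, peak_out / f_static,
                     dlf_closed_form(ratio)))
    return rows


if __name__ == "__main__":
    print("rise/period  input peak  spring-force peak  closed-form DLF")
    for ratio, in_peak, sim, exact in dlf_sweep([0.0, 0.1, 0.25, 0.5, 1.0]):
        print(f"{ratio:11.2f}  {in_peak:10.3f}  {sim:17.3f}  {exact:15.3f}")
    print("\nrated psi  applied psi  DLF  margin")
    for rated in (15000, 20000):
        for dlf in (1.5, 1.7, 1.9, 2.0):
            margin = safety_margin(rated, 12000, dlf)
            print(f"{rated:9d}  {12000:11d}  {dlf:3.1f}  {margin:6.0%}")
```

The input column stays at 1.000 for every rise time while the spring force peaks anywhere between 1 and 2 times the static load, which is why a trace of the applied load alone cannot show the overshoot.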

It should be noted that NASA did not deliberately measure the 73% dynamic overshoot resulting from the start-up of the SSMEs in 1982. The engineers did not say, “Let’s measure the dynamic overshoot for the SSMEs.” They were unaware that the destructive effect exists. The engineers were measuring the strain in the holddown posts of the boosters. It was only when they converted the strain readouts to forces that they noticed and reported the “excess upward force.” The strain measurements were made after serious damage was noted in the Mobile Launch Platform, then in the Aft Skirt of the boosters, then in the Aft Segments of the boosters. The launch platform was strengthened, then the Aft Skirt was strengthened, then stiffener rings were added to the Aft Segments. Do you see a trend here? Not realizing the dynamic overshoot effect, the rogue loads were being chased upwards on the boosters. The next station for the “excess upward force” was the joint that failed on Challenger. BP and the other Contractors must guard against such oversight, and the Investigators must recognize these facts to avert future disasters.

Reports on the Deepwater Horizon disaster include many pressure values, but no mention of the transient dynamic effects! The discussion with Mr. Tony Hayward in the June 17 Hearing included only pressure values. There was no discussion of the sizable “dynamic transient effects.” I should point out that the dynamic overshoot effect was not mentioned anywhere in the tens of thousands of pages shared with the Presidential Commission that investigated the Space Shuttle Challenger tragedy in 1986, even though the stealthy effect was previously measured.

Is the devastating dynamic overshoot effect a one-man show? At the risk of sounding like Gorgias writing “an encomium on Helen” (of Troy) to get that woman off the hook with the Athenians, here is a short encomium on our Program “Anatomy of Failure Mechanisms” and the “dynamic overshoot” studies. Critiques from engineers, including engineers from the oil industry, who studied the transient dynamic overshoot with us in 1990, as briefly described in this Report, include:

Thought provoking course

I can’t believe how much I understood

Excellent course for all --- engineering fields

Outstanding --- very rewarding

Content was very good but time was too short

Excellent – the use of other examples was outstanding

This was very informative and will influence critical thinking for sure

I discussed the root problem identified in this Report with many top experts over the years. Consider the following excerpt from our Shuttlefactor Report (Section 8.5 Flawed Transient Analysis):

When I discussed the problem at length with the distinguished Professor from MIT Eugene Covert, a Presidential Commissioner on the Challenger Accident, the professor endorsed my observations. Engineering students learn design in one part of the curricula and they then learn the transient analysis in another part. Somehow, the two interrelated subjects remain disjointed in the student’s mind. The MIT Professor summed it up to me like this, “You can lead a horse to the water, but you cannot make it drink.”

My transient dynamic overshoot studies, particularly for pressure-activated systems such as the Blowout Preventer, were carefully reviewed and approved by some of our top experts, including a world expert on transient conditions who helped to eliminate the dynamic overshoot effect from electrical and electronic equipment since the 1940’s, a chairman of the dynamics committee in a national aerospace engineering organization, a professor emeritus who became the director of the National Science Foundation, a chief scientist with the Air Force, and other nationally recognized experts. Yet, our Program was canceled in 1990 after interference from the space agency and other offices in the government. Detractors, unfamiliar with the details of our work or the dynamic load factor concept, dismissed our studies in 2003 and 2005, after the Columbia tragedy and the new approach to the space program.

The root problem is not only a BP or industry problem; it is also an education problem. Some universities were reluctant to pursue the problem at my urging, lest they lose government funds for other research. How can that be? It was government funding in the 1940s that allowed the universities to effectively research the vibration resonance phenomenon after the unforeseen failure of the Tacoma Narrows Bridge and the unexpected fracture of steel in the Liberty Ships after World War II. We used those findings effectively in space systems. Those federally funded studies led to economic prosperity in the 1950s and 60s and made possible the Mercury, Gemini, Apollo and other marvelous space achievements. The two systems cited above were beset by “mysterious loads,” of unknown origin to the scientists and engineers of the time. I have been advocating for decades now that other mysterious loads, that stagnated the Space Shuttle and the space program and caused many disasters, are the result of the mysterious phenomena associated with the transient dynamic loads. We urge all the Investigators of the Deepwater Horizon disaster to objectively evaluate the “root problems” described in this Report.

The “root problem” presented in this Report and the above opinions of top experts should be considered by the Deepwater Horizon Investigators to avert future disasters. We cannot afford another oil spill disaster. Our economy cannot tolerate inadequate engineering from the best engineers in the world.

Excerpts from Shuttlefactor and the Deepwater Horizon Disaster

The root problem is not only a BP problem. It is an industry-wide problem. The problem is widespread in other industries as well. The small safety margins calculated in this Report show these facts. The problem must be wiped out from engineering and science education and from engineering and science practice. We give here some excerpts from our Shuttlefactor reports, which apply to the disaster on hand, the Deepwater Horizon oil spill disaster. As you read the following excerpts, think about the technical details of the Gulf oil disaster and try to find analogies and parallels.

From: The Problem with the Space Shuttle and the Space Program, (1992, 2000, 2003):

It is common knowledge that when an electrical switch is turned on, “surge current” flows in circuits. The surge current consists of the applied current plus a momentary transient component known as the “dynamic overshoot.” The maximum start-up transient current can be double the applied current. Unless included in design, surge currents can trip circuit breakers, blow fuses or damage electronics and electrical devices. It has not been recognized before that a similar effect occurs in physical-mechanical systems, such as, rockets, including the Space Shuttle [and, now, deepwater oil wells].

The deep roots of the “dynamic overshoot” mistake are discussed in this Report. The discussion includes scientific, technical, educational, historical, philosophical, psychological and political elements of the design blunder. The Report shows (1) how some engineers are completely unaware of the “surge” effect in physical systems, (2) how some engineers miscalculated and mishandled the effect in Shuttle design, (3) how the engineers actually measured the correct “surge forces” in the Shuttle in 1982, but did not even realize the meaning of the correct measurement, (4) how Newton’s Action-Reaction Law is at the root of the problem, (5) how scientists and engineers mistakenly and regularly equate the cause and effect, input and output, action and reaction, and forcing function and transient response in mechanical start-up transient situations, and (6) how relying nearly exclusively on pressure measurements (which do not show the “surge” effect), physicists and rocket engineers repeatedly fell into the tricky “dynamic overshoot” trap, with drastic results. (p. 104: Conclusion and Recommendations)

From: The Correct Way to Handle Transient Loads, May 19, 1993:

Early in the century, the explosion of temperamental boilers killed people and destroyed industrial and residential centers. Halfway through the century, jet powered aircraft crashed unexpectedly, killing people and causing considerable losses. In the beginning of the space program, the hallmark of rockets was the huge explosions soon after ignition and the destruction of valuable payloads and launch facilities. Then there were the nuclear reactor incidents: Three Mile Island (TMI) which frightened a large community and a nation, and Chernobyl which devastated communities and shocked the world. What these systems have in common is that they are pressure-activated, and the mechanical engineer plays the central role in their design, construction, operation, safety, and reliability. Where are we today?

Have we (mechanical engineers) overlooked something fundamental in our work? The answer is a resounding yes. One basic error has undermined the safety, reliability and economy of important systems throughout the century.

There is a serious error that occurs frequently in the design of rockets, spacecraft, aircraft, nuclear reactors and other pressure-activated [now, the Deepwater Horizon Blowout Preventers and related hardware] systems. The error is fundamental in nature and it consists of confusing the forcing function for the response, or the cause for the effect, in transient conditions.

Consider the following situation which happens millions of times every day. The pressure in a combustion chamber [e.g. the Deepwater Horizon Blowout Preventer] rises rapidly to a maximum steady-state value, Po, as shown in Fig. 1. What is the maximum design load? What is the maximum stress?

At this rate, we are not going to Mars; we are not going back to the Moon; and we will hardly make it to low earth orbit; which is where we are today [1993]. Something is fundamentally wrong in mechanical engineering. Something is fundamentally wrong in the mechanical engineering curricula and textbooks. A radical change in mechanical engineering education and practice must take place to remedy the fundamental oversight.

From: Message to ASME Dynamics and Extreme Loads Section, May 20, 1993:

Pages 543 and 575 (from two different papers): Figs. 9 and 1, respectively, show how the existing Computer Codes (TRAC-PIA, TRAC PD2, etc.) track the measured pressure build-up, or causal parameter, or transient forcing function, in time. There is no response, or desired effect. Remember, the response cannot be in pressure units.

Similar curves are very popular in aerospace systems. Actually, they are the only kind available for rocket engines and motors, jet engines, etc. The measured pressure very nearly tracks some computer predictions. Well of course they should. The two are the same parameter! The only way that the response can track the forcing function so closely is when the forcing function is applied very very slowly. The pressure build-up in the two figures above happens in less than 10-milliseconds. This is almost a perfect, or ideal, unit-step-function!

I recommend that you do not accept the common clichés: We know about transients; We always take the forcing function and derive the response; etc. If the forcing function and the response look like the curves shown in the enclosures, then the transient is not understood, let alone derived.

Yet, not one single paper presented a true “transient response.” I emphasize again that a pressure measurement shown to be similar to some computer code, or vice versa, is not a transient analysis. It is the same parameter shown to equal itself, which it should.

The transient loading conditions are indeed vital, and treating these conditions correctly is urgently and immediately needed.

The dynamic transient problems in nuclear reactors have been treated very seriously after Three Mile Island, and there are many papers by worldwide experts on the subject. The Proceedings I mentioned above, and several others, and textbooks on Reactor Dosimetry, Design, and Standardization all compare the pressure build-up, as measured with (sensitive) pressure transducers, with the analytical or computer code predictions of the same pressure build-up. This is like measuring the input, and then predicting it; or vice versa…

It is not enough that we know about forcing functions, transient responses, and how to do the transient analysis. The transient analysis must be done correctly. In most cases, it has not.

From: Safety of Nuclear Power Reactors in Transient Conditions, June 3, 1993:

…a clear distinction must be made between the pressure (cause) in a vessel, and the stress (effect) in the materials that make up the vessel.

The problem is trivial, but it is not obvious, though it is very important.

You are thinking in terms of pressure fluctuations, which you call in your letter “pressure overshoot.” This is a central part of the problem. The pressure does not overshoot. My weight does not magnify when I step suddenly on a weight scale… there is a distinct difference between the pressure fluctuation and the force overshoot. These differences have not been taught at the undergraduate or other levels.

The above excerpts, and reports, further clarify the root problem in engineering practice and education, which could have played a major role in the Deepwater Horizon disaster. Here are some observations that apply to the Deepwater Horizon disaster and investigations:

1. Only pressure values have been considered in the DWH investigations so far.

2. Pressure fluctuates, but it does not overshoot.

3. The pressure transient studies apply to the Blowout Preventers, tanks, pipes and related hardware.

4. The dynamic load magnifications do not show up in pressure measurements, and special calculations and measurements are required to catch the rogue loads.

5. No dynamic overshoots, or Dynamic Load Factors, have been reported for the Deepwater Horizon oil well, especially for the Blowout Preventers.

6. The transient dynamic loads are the second most important factors in design after the applied pressure values discussed in the June Congressional Hearing. The transient loads can equal the applied loads themselves.
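The distinction drawn above between the forcing function and the response can be worked through numerically. The following is an added example, not part of the Report: it assumes an idealized single-degree-of-freedom spring-mass model (a textbook simplification, not a model of the Blowout Preventer), and all function names are hypothetical. The 25% static margin used in the printout is the figure the Report calculates for the DWH Blowout Preventer.

```python
import math


def force(t, rise_time):
    """Forcing function (the pressure load), normalised to its steady value:
    linear rise over rise_time, then constant. It never exceeds 1."""
    return 1.0 if rise_time <= 0.0 else min(t / rise_time, 1.0)


def simulate_dlf(rise_ratio, damping_ratio=0.0, settle_periods=4.0, steps=2000):
    """Dynamic Load Factor: peak response divided by static response.

    Integrates x'' + 2*z*w*x' + w^2*x = w^2*f(t) with classical RK4.
    rise_ratio is the load rise time divided by the structure's natural
    period; the natural period is set to 1 (an assumption of this example).
    """
    w = 2.0 * math.pi
    dt = 1.0 / steps

    def acc(t, x, v):
        return w * w * (force(t, rise_ratio) - x) - 2.0 * damping_ratio * w * v

    x = v = peak = 0.0
    for i in range(int((rise_ratio + settle_periods) * steps)):
        t = i * dt
        k1x, k1v = v, acc(t, x, v)
        k2x = v + 0.5 * dt * k1v
        k2v = acc(t + 0.5 * dt, x + 0.5 * dt * k1x, k2x)
        k3x = v + 0.5 * dt * k2v
        k3v = acc(t + 0.5 * dt, x + 0.5 * dt * k2x, k3x)
        k4x = v + dt * k3v
        k4v = acc(t + dt, x + dt * k3x, k4x)
        x += dt * (k1x + 2.0 * k2x + 2.0 * k3x + k4x) / 6.0
        v += dt * (k1v + 2.0 * k2v + 2.0 * k3v + k4v) / 6.0
        peak = max(peak, x)
    return peak


def closed_form_dlf(rise_ratio):
    """Undamped textbook result for a ramp-then-constant load."""
    if rise_ratio == 0.0:
        return 2.0
    return 1.0 + abs(math.sin(math.pi * rise_ratio)) / (math.pi * rise_ratio)


def remaining_margin(static_margin, dlf):
    """Safety margin left once the static load is multiplied by the DLF."""
    return (1.0 + static_margin) / dlf - 1.0


if __name__ == "__main__":
    # Constructed sample rise-time ratios, from a sudden step to a slow ramp.
    print("rise/period   DLF(sim)  DLF(formula)  margin left from 25%")
    for r in (0.0, 0.1, 0.25, 0.5, 1.5, 10.5):
        dlf = simulate_dlf(r)
        print(f"{r:10.2f} {dlf:10.3f} {closed_form_dlf(r):12.3f}"
              f" {remaining_margin(0.25, dlf):+18.1%}")
    print("sudden step with 5% damping:", round(simulate_dlf(0.0, 0.05), 3))
```

In every run the forcing function stays at or below 1, so a pressure trace alone shows no overshoot; only the response, which depends on the rise time relative to the natural period, exceeds the static value.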

Why Don’t They All Fail?

Why don’t all the Blowout Preventers on all oil wells fail, if what I am saying about the small and negative safety margins is true? Why doesn’t every Shuttle mission explode if the dynamic overshoot I propose exceeds the built-in safety margins for that system? These are valid questions. In the case of the Space Shuttle, pundits dismissed my concerns as “crying wolf;” after all, mission after mission didn’t explode. Dismissing the concerns raised in this Report indicates naivety in engineering design.

Careful examination of the history of oil drilling and refinery systems reveals hundreds of serious accidents, thousands of failures and many operation and maintenance problems. The problems reported with the DWH oil well and its BOP before the disaster are not peculiar to that system alone. Other rigs have had similar problems, perhaps to a different magnitude and frequency. In engineering, the objective is not limited to not killing people. It is also important that systems be effective and profitable. Identifying root causes is a primary challenge to BP and the other oil Contractors and to the Deepwater Horizon oil spill Investigators.

It is not the intent of this Report to spread panic or fear about the massive transient dynamic overshoot error, particularly now, in deepwater oil wells. Careful examination of our reports shows that some steps have been taken by experts in many industries to counter the effect, though the phenomenon is not clearly recognized. In addition to the meager safety margins described in this Report, modern systems have sizable built-in margins, which prevent widespread disasters. Let me say a few words about “why don’t they all fail?”

Several factors make it possible for systems to survive well beyond the safety margins. One of the factors is the “minimum material property” criterion used in design. Consider a steel grade used in the Blowout Preventers or the Space Shuttle. When testing random samples for a project, it is found that the strength of the samples falls between 100,000 and 120,000 psi. The average strength of this steel is 110,000 psi. In design, we always use the minimum material property, 100,000 psi, and not the average strength, 110,000 psi. If we use the latter, then we’d hope and pray that all the steel used in our project has greater strength than the average; but we know from tests that that is not the case. And so, many parts are stronger than stated on paper. The minimum material property criterion increases the safety margins. Also, modern design tools use the finite-element mathematical method. When we encounter the choice between a marginal or a conservative approach, we always use the conservative solution, which increases the safety margins for real systems over the computer models. Sometimes, the geometry of the parts dictates the use of more material, where it is not needed; this increases the safety margins. Also, the DWH Blowout Preventers and the Shuttle were strengthened over time to ameliorate damage or difficulties observed during tests or operation. In short, there are several factors that increase the safety margins of a system beyond the calculated values. It is then possible that the actual safety margin for the DWH Blowout Preventer was 70–90%, and not our calculated 25%! The same is true of the Space Shuttle. It is the built-in safety margins described here which allowed the Blowout Preventer to survive beyond the 15,000 psi design load and the Space Shuttle to survive beyond the 1.5M lbs rated lift-off load.

So, if the real strengths of the Blowout Preventer and the Space Shuttle at liftoff were about 19,000 psi and 1.9M lbs (and not 15,000 psi and 1.5M lbs), respectively, then, unknowingly, the extra safety margins got used up by the start-up transient dynamic overshoot effect. These systems then operated seemingly successfully only because of the above built-in safety margins. BP and the other Contractors must guard against this: The transient dynamic loads can use up the extra strength in the New Blowout Preventers, leaving the BOPs with nearly 0, or no, safety margins.

It must be emphasized that engineers and managers must not use the above contributors to extra safety to justify the use of small safety margins. The extra safety margins can only be considered in cases of emergency. One cannot say that the safety margin for the Blowout Preventer is 25%, but that the real safety margin may be 90%. Strictly, the safety margins are the values we calculated earlier in this Report, based on the data discussed in the Congressional Hearing of June 17, 2010.

Here is a relevant real life experience. In 1976, I was asked to find solutions to problems with the first international satellite tracking antennas that had operated for nearly 8 years then. The technical record (in boxes) for the antennas in Maine, Hawaii, Italy and Australia was massive. I had the boxes moved into my office 4-6 boxes at a time. Over the years, many engineers were tasked to solve the problems. The studies conducted were elaborate and dealt with intricate electrical, electronic, hydraulic, mechanical and structural aspects of the system; which I will skip here. I finally spent time with the operation and maintenance personnel in Andover, Maine, who described to me the problems they had with the antenna for so many years. These people were forthcoming, especially when they realized that I was trying to find out what was wrong with the antenna, and not what was wrong with them or the way they operated or maintained the system. The antenna experienced distinct resonance in one frequency, which was disabled from the first day the antenna was put into operation! The antenna was driven by two powerful hydraulic drives, which were the state-of-the-art then. The valves in the hydraulic drives leaked incessantly. That alone produced difficult procedures that went beyond anything anticipated in the original documents. The valves had to be replaced frequently, which was messy, disruptive to operation and expensive. A few tests revealed that the antenna was badly unbalanced. When a satellite was acquired over the horizon, the antenna locked on the satellite and the hydraulic drives began to drive the antenna. A command applied a sudden force to move the antenna a small step, the unbalanced weight then pushed back on the drives, then another command, a small motion, etc. The sudden and repeated force magnified the forces acting on the antenna and the hydraulic drives. The dynamic overshoot nearly doubled the loads on the hydraulic drives. 
The engineers did not recognize the dynamic overshoot effect in these systems for 8 years, and the original safety margins for the antennas were meaningless. The antennas and the hydraulic drives worked for years, but with great difficulty and problems.

I developed a straightforward solution and a small contract with a local company resolved the problems. The leaks in the hydraulic drives stopped completely. The resonance condition disappeared. All modes of tracking improved dramatically. Afterwards, the valves did not require the disruptive and expensive replacements. The operation and maintenance supervisors were giddy about it, and they wrote letters of appreciation to headquarters. There are important points here that apply to the DWH case. By failing to recognize the dynamic overshoot problem, the managers and engineers suspected the hydraulic drives’ problems to lie with the Operators. For years, many steps were taken, but none of them solved the root problem. It is true that operators can sometimes do things that can aggravate the safety of a system. However, if a massive design error, such as the transient dynamic overshoot effect, is built into a system, the resulting erratic behavior of the system can force the operators to do things that aggravate a difficult situation. If the engineers don’t know about the destructive transient dynamic effect, how are the operators to know about it? The DWH investigations should go beyond the details of what the operators on the rig did, or didn’t do, before the explosion. The inquiries should also look into why the operators did, or didn’t do, certain tasks. Valves leaked before and after the DWH explosion. Were the leaks the result of actions by the operators or did the leaks result from excessive loads, as can be produced by the little-recognized transient dynamic conditions? One massive mistake, such as the transient dynamic overshoot, can lurk in a system for years causing problems and difficulties, but not outright disasters.

Failure Modes and Effects Analysis (FMEA) and Failure Modes, Effects and Criticality Analysis (FMECA) are used to evaluate risks in modern systems and to investigate major failures. These methods develop formidable fault trees that can include thousands of ways in which a system can fail. Identifying “root causes” can eliminate many failure modes in one swoop. In the case of the above tracking antenna problems, many failure modes were crossed out by fixing one problem, the transient dynamic overshoot problem. Chasing thousands of problems identified in FMEAs and FMECAs can be expensive and wasteful, and the effort may not lead to clear-cut findings and root causes. When the engineers do not know about the magnified dynamic loads, as described in our reports, then the rest of an organization can become helpless trying to fight ghosts. The unknown magnified forces acting on the Space Shuttle were called for a long time “mysterious loads” in the media. It did not occur to the managers and operators that the systemic problems with the Shuttle were potentially caused by one massive mistake, very likely, the same mistake that befell the Deepwater Horizon oil well.


Based on data discussed in the June 17, 2010 Congressional Hearing, this Report shows that the safety margins for the Deepwater Horizon Blowout Preventer were smaller than safety margins used with manned rockets, e.g., the Space Shuttle. Personnel on the rig were then exposed to greater risks than faced by astronauts launched into space. It is also shown that the BOP safety margins could have been as small as safety margins used in unmanned satellites. Both conditions are dangerous and unacceptable. The small safety margins could explain the difficulties encountered with the Macondo oil well before the explosion. Furthermore, it is shown that the Dynamic Load Factor (DLF), which is required by the Codes, was not considered in the design or so far in the investigation of the DWH disaster. The pressure values discussed in the above Hearing must be considered static, and not dynamic, values, i.e., the static pressure values are not the actual maximum loads. Taking the DLF, or transient dynamic overshoot, loads into account reveals that the safety margins for the Deepwater Horizon oil well were negative, which could explain the eventual failure of the Blowout Preventer. Also, it is shown that, when taking the DLFs into account, the New Blowout Preventers are still marginal. The subject of this Report has been controversial in aerospace and other industries for decades. The author has encountered, analyzed and corrected the rogue dynamic transient condition many times in space and terrestrial systems for half a century. The enormity of losses and damage caused by the Deepwater Horizon oil well explosion demands scrutiny of all possible “root causes.” We propose that our treatise be considered among the possible “root causes” of the disaster. Engineering Codes and education must be amended in light of the evidence presented in our Reports. 
Temporary regulations and deregulations may have to be instituted to allow the collective vital oil industry and other industries to bring facilities and equipment to acceptable safety standards.

Other important issues relating to the safety and risks in oil wells and other systems can be found in our website, shuttlefactor.com. This Report will be expanded when more valid numbers become available.

Again, at Shuttlefactor, we are available to work in strict confidence with the Administration, the Congress, BP or other Contractors to evaluate, calculate and measure the transient response for the oil wells, in general, and for the Blowout Preventers, in particular.

For comments, inquiries or questions, Ali F. AbuTaha can be reached at: aabutaha(at)shuttlefactor(dot)com.

Ali F. AbuTaha
Manassas, VA

Comments or Questions; send mail to: info@shuttlefactor.com
Copyright © 2010 Ali F. AbuTaha