Summary
Routinely, specialist software is used to perform tasks such as casing
design and directional collision-avoidance scans. If undetected, a serious
failure in the development or use of any one of these products could result in
loss of life or catastrophic environmental damage. Such an event would
jeopardize the oil company’s licence to operate (Thorogood 1994) and would
seriously damage the software vendor’s credibility.
The drilling- and well-services software industry has matured over the last
5 years. During this period we have witnessed many commercial and technical
changes, including further consolidation of the oil majors, the meteoric growth
of Web-based tools, and the increased complexity of the software and types of
wells being drilled. Commercial pressures also mean fewer resources are
available to perform these tasks. Unless managed, it is clear these changes
greatly increase the risk of a serious incident.
BP and Landmark have conducted a series of joint audits to gain a detailed
understanding of both the operator’s and software vendor’s working practices in
relation to this software. The paper contains a description of the conclusions
and actions arising from the audits. Desired improvements in testing, core
competencies, and independent verification were identified. Details of the
audit process are included to enable other parties to conduct similar audits
for themselves. The risks and potential loss imply that critical applications
should be managed formally as “safety-critical systems.” It is also concluded
that close collaboration between operators and software vendors is needed for
the management process to be effective.
Introduction
Following the merger of BP and Amoco in 1999, computer applications were
rationalized and the decision was taken to adopt the commercial applications
suite used in Amoco before the merger (Boykin et al. 1997). Arrangements were
made to retain key functionality from the systems that were to be phased out.
Plans were made to implement this common system across the newly formed
drilling- and well-services community. It was recognized that the change would
involve the conversion of large volumes of data and the retraining of more than
50% of the drilling- and well-services staff. Alignment of the software’s
functionality with the policies and procedures of the newly formed company was
a major consideration, and this, to a large extent, drove the pace of the
implementation.
Early in the roll out of the new software system, it was evident from user
comments that the training program was falling short of what was really
required. Other problems spanning all aspects of software, delivery, and use
emerged as work progressed. The observed gaps relating to the casing and tubing
design, directional, and well-control applications caused the greatest concern.
In an extreme case, an error in or misuse of this software could cause property
damage, an environmental disaster, or loss of life. Because of this, these
applications were referred to as safety-critical systems. The pore-pressure and
fracture-gradient application was added to this safety-critical-systems list
later in the process. In all cases, current systems were only eliminated after
implementation risks were deemed acceptable.
It was felt that the development, delivery, and use of these applications
should be conducted to a higher standard than other, less-critical
applications. A project was started in November 1999 to investigate the
treatment of these higher-risk software packages as safety-critical
systems.
© 2006. Society of Petroleum Engineers
View full textPDF
(
1,145 KB
)
History
- Original manuscript received:
30 March 2004
- Revised manuscript received:
10 November 2005
- Manuscript approved:
20 December 2005
- Version of record:
20 June 2006
View Cart
