I think we are at a point, due to the nature of some of these mishaps, and through reflection, that we know we are able to improve on the way we work and take decisions to improve both operations and safety, by using newer technologies available to us now, that allow better and faster communication and decision making. Some of us have been continuously bringing these points up in conversation in different lights, drawing on our experience and diversity. I think what is important to know and do to make constructive progress in this direction, is to map human expertise from the various directions into such systems that allow the systems to recognize, identify, signal, and distribute the parameters that potentially lead into risk, so that they may be handled partially by the system and totally by the experts, so that any developing risk may be handled via process to re-direct the operations into a manageable risk scenario. Although, many good steps have been implemented in certain capacities, it is clear, that there is plenty left to do and much is left to be desired in current configurations of realtime and collaborative decision processes.

We were discussing an example on another thread, but what is important to keep in mind here, is that we can only automate to a certain level, and that humans need to be ultimately responsible for resolving any risk or danger that develops. Technology can really only help us to not overlook an event that is developing on several fronts, where it would normally take more than one person to notice, by bringing the information together from the different fronts, monitoring the combination of parameters, so that when a risk or danger develops, it is automatically recognized by the system, and then the system generates and distributes alerts and alarms to the "team" , whether they are found together or are distributed, to handle the situation. There are scenarios where such systems can be very useful in gaining time, where otherwise humans may still be squabbling between each other and explaining to each other, the system may deliver an undeniable flag to wave. There are cases where you have total system takeover and action, such as in a fire extinguishing system, where not only the danger is detected, but the action decision is also automated. At the well level or reservoir level, much more complicated scenarios may develop, and as much is due to subsurface conditions that we cannot normally see anyhow, for many safety processes, we are far more dependent on system detection. It should be said, that regulators are a different kettle of fish than operators. A single operator through its' own experience may develop a process and system that works very well, but is not in the business of sharing this development. Regulators while visiting such an operator may realize, oh, we should be doing this everywhere, and then they can recommend or develop standards. I find that these standards and regulating bodies are very instrumental in helping to assure

levels of quality on an industry-wide basis, but they will always lag a bit behind the operators as proprietary developments are often used competitively.

One common theme that is touched on, after reading through this thread, is distracted mainly by the "How?" and these are minor in my opinion. Once it is clear to the critical mass of people exactly what the most critical missing piece to assessment and communication of risk is, then, and only then, providence will move to make this happen. Garry was discussing, with me and many others, back a year or more ago as most present were in agreement of the missing piece and now Garry is bringing this notion back to discussion and it still isn't something everyone really wants to "stomach" because it is difficult and difficult things get "skipped over" until all of the easy things are proven to still lack the proper solution. The missing piece, in these most complex and dangerous drilling operations are ubiquitous access to summations of risk from individual "risk silos". Peter, back many comments prior, mentioned Montara and if anyone wants to go back to the Montara summary report produced and presented by PTTEP, it is easily presented that PTTEP agrees, and made recommendations and presented the need for a similar functioning system. Some on this thread are confusing Process Safety with Ella's original premise being Drilling Process Safety. While the concept is basically the same the unknowns in drilling make things more interactively complex as the earth model is tightly coupled with the containment system. This doesn't make things easier.Let's not redo the discussions that have already been done on that front. They are well documented and there is much written, by myself, on the subject. There are companies that have individuals that are sold on the concept and yet there are many more that have not implemented any system that accomplishes the lacking that many more see clearly exists. It is good to see Garry writing about the need for exactly this here a year later and frankly the state of the industry in these regards is exactly as anticipated. Every easy idea and schema will be developed before the more difficult needed ones will be adopted.

Ella let me answer your question. There are many very good comments that describe the process of assessing and accounting for risk and the proper procedures and need for diligence in doing so yet it is how the individual risk assessments and the "a priori" and "dynamic" risks are neurally connected to a "master" risk assessment in "real time" that is lacking still. The main reason is it is "too difficult". Look, the most important element in any enterprise is diligence and patience. All of the latest rounds of regulations, actually, are attempts to regulate "diligence" by prescribing actions that ensure it, yet there will always be "loopholes" in those

strivings. Over the last year, I've had the great opportunity to work with many people and companies on exactly this subject and I've seen that almost everyone agrees that this is the one most important thing to lend the situational awareness, spot anomalies to pre plan expectations and ability to respond safely to dynamic conditions we encounter regularly. We do not know all companies do privately yet publicly the efforts to this point lack ubiquitous, dynamic risk level assessments and broadcasting.Also, one comment on the commercial motive that tends to haste; it must be controlled. The same sentence in a book of ethics and morality says, "diligence leads to profit and haste leads to waste and ruin", and we can all see that play out in most accidents from stumbling to get to a toy by a child and cutting corners to get finished in industries. Point is regulators have known this for decades and through many rounds of disasters and try to prescribe formuli and red tape to ensure diligence and prevent haste and yet a better way is to mix in "goal orientation" and the goal should be to alert to people at all times the danger level because people tend to understand and take more caution during times when a "red flag" is raised and it prevents complacency likewise during times of a "green flag". Also gathering this information supplies formality to the type of communication and risk assessments needed on a constant dynamic basis in any enterprise. This simply remains lacking in ubiquitous forms.My suggestions are to go back and read Garry's 1st and 3rd comment. Garry repeated his 1st comment because everyone skipped over what he was saying and the same for his third comment. My first comment is the same as what Garry is saying. My suggestions are to focus on that, eliminating haste and ensuring diligence.

Prescribing how this is done, once this is accepted and focused on, will lead many to understand the need for situational awareness provided by summation of risk silos. With knowledge of this people tend to self regulate their haste and motivate themselves to diligence focused on the most important thing at every moment in time.

Wayne, my heart goes out to you. You mention, "commercial interests" and yet lets distinguish that not all commercial interests are necessarily lacking and yet only when they detract from diligence and lead to haste. Okay, so once we agree that the main focus should be on ensuring diligence and eliminating haste, we might also note that by definition diligence means a lack of haste or acting before needed precaution, etc. so let’s focus on mandating diligence. There are companies that are doing very well in this regard on their own using screening tools etc. to identify complex wells and using checklists on this to ensure that due diligence is performed. While there is still room for cutting corners by individual people this is less likely

and performance controls on individual task completion may also be utilized. In terms of mandating this, as of yet, the new CFRs and the Final Rule of the BSEE gets mixed reviews and perhaps a failing grade on a few items yet a passing grade on the well containment screening tool, etc. For example look at a regulation that would have ensured diligence on the Macondo incident. We might have many choices of specific guidelines to require due diligence yet let’s pick one that is most specific and say that a more diligent design, monitoring and assessment of the negative pressure test would have ensured that the engineer that would have designed the test would also have had to monitor the test, assess the pressures and ultimately certify that the test passed or failed. Right? That is diligence in a nutshell. Yet four years after Macondo the following regulations relating to that specific action read:According to the Final Rule the 30 CFR 250.423c reads(c) You must perform a negative pressure test on all wells that use a subsea BOP stack or wells with mudline suspension systems. The BSEE District Manager may require you to perform additional negative pressure tests on other casing strings or liners (e.g., intermediate casing string or liner) or on wells with a surface BOP stack.And 30 CFR 250.423c1 reads:(1) You must perform a negative pressure test on your final casing string or liner.So the mandate from BSEE doesn’t ensure diligence and yet mandates that the test be performed and without ensuring diligence the test itself remains dangerous.Also, there is no mandate on how to test the shoe as an operator may chose to test the liner without having tested the shoe first or simply placed a bridge plug on top of the shoe without any due diligence into how far above the shoe a bridge plug might safe to drill out not knowing if pressure from the shoe had leaked, risen, and brought the gas pressure below the bridge plug.Of course oral mandates might prevent that and yet the most effective way to manage diligence in this case is to require the test itself to be designed, monitored, assessed and certified by one engineer, that has immediate access to every bit of information, preferably the operations engineer assigned to construct the well.Why the resistance? No resistance? Then why the oversight? No, oversight? Then explain why it isn’t important to regulate diligence in these straight forward and less prescriptive ways that really are goal oriented regulations that are simply stating a goal, safe testing, and ensuring this happens.Keep in mind that these aforementioned issues are in addition to the glaring lacking of ubiquitous "risk silo" summations.These same exact things are repeats from the last four years of discussions on these same topics. Not complaining yet let's keep it real.

Peter: your comment elaborates the daunting task of communication and competence assurance among teams that are "risk silos", if you will.Good thing to focus on as you obviously are well aware of.The most important

thing to communicate is the key, in my opinion, and that is the risk level of each compartmental operation (risk silo i.e.. mud loggers, drilling crew, subsea engineering team, onshore design and operations teams, each piece of equipment or well bore barrier, etc.) to the maintenance of the barrier. Competence within each "risk silo" is assessed in the risk level. Communicating the risk level of each "silo" is achievable. Summing the contributions to the overall risk level that is communicated back to each "silo" is true communication and most helpful to situational awareness in which competency levels can then be tailored to match the current risk level, within each individual risk silo and triggering higher competence overall supervision and decision support levels as well.Otherwise, when the least competent individual is on the hitch during the highest risk you will see why his/her decision will be subject to higher probability of error. In a word, not tying competency levels to dynamic risk levels is "stupid". It should be done before the project begins so the vacation and well control school schedules of all can be synchronized with the pre planned estimate of the risk levels during the project. The Actual vs Pre Planned estimate make a good anomaly detection device as well.

Human Factors is classified by experts under the term Ergonomics, that is known by lay people as posture at their desk and how well we see our computer screens. Examples of ergonomics at work is using the term "Cockpit error" to replace "Pilot error", since a study of WWII pilots concluded that a small change in the position of an instrument in the cockpit of the air forces best pilots was causing them to crash. Similarly, the focus on giving individuals vital information in ubiquitous fashion, in our case, the current level of risk, is akin to having a well positioned gauge on an instrument panel that is essentially a "decision support panel", that all of us on the team are technically capable of understanding.Ella:I'm not a fan of a bridging document in the same breath as a ubiquitous all encompassing barrier risk level. A bridging document usually is only a statement of assignment of responsibilities and a risk level is an assessment of the current condition of the barrier.You and others have mentioned Montara root causes and I mentioned that the PTTEP final report had noted the need for a ubiquitous summation of risk silos in their report. Here is the link to the report: http://www.au.pttep.com/media/18761/building%20on%20the%20lessons%20of%20montara.pdfThe line of sight tool is their version of the "master" risk assessment of the barrier I'm referring to so it cannot be said that envisioning the need for this is something beyond any one company that needs to be developed as a "cross-industry initiative". Let it be clear that in discussions independent of the Montara report and before any knowledge of their conclusions that the need for a ubiquitous summation of risk level

of the barrier was noted as a primarily vital one. The PTTEP report simply became another confirmation of the same conclusion that almost every report hints at yet doesn't quite hit the nail on the head. Of course "In all labor there is profit, But mere talk leads only to want", so saying this is needed is different than actually doing anything. There are company(s) that have looked at the complexity of such a system and abandoned its development due to difficulty. That is human nature to abandon difficult tasks unless they are clearly recognized as being vitally necessary; a vision is created. Many times this isn't recognized until all the less vital, and difficult ideas are developed and found still lacking the affect of the more difficult and vital one.Clearly the "how?" is the needed process and is the difficulty and "why" is the needed outcome. The difference between diligence and haste is that diligence focuses on the process and the outcome, both, while haste focuses only on the outcome. That sole focus on outcome causes accidents. Performance control in commercial businesses management theory are usually only outcome based and in drilling this is the days versus depth curves. A "balanced" performance control in engineering management must include metrics for the process and the most vital of these is the health of the barriers since the process of drilling itself is simply the removal of natural barriers to flow of hydrocarbons and replacing them with man made conduits of flow control. So with that in mind the risk level before spud is essentially the risk of the natural barrier failing just under the rig, or practically zero barring a major earthquake and the earth opening up precisely there, yet once the well is spudded in deepwater drilling riderless, for instance, the risk level grows steadily, drops, increases, stays the same, etc. over the project timeline. This is a process performance metric and not an outcome performance metric. Just the term "process" is a step forward, however, since it signals that focus on "outcome" must be balanced with a focus on "process", yet "outcome" is equally important and in our case here the outcome we need must not be abandoned simply because the process is too difficult.

Good stuff Wayne you persevere and stick to your guns and keep ignoring detractors. Saying "the issue is bigger than 'process safety'", as a comment on a thread titled, "Process Safety", defines you and I like you for that specific panache. Being a staunch proponent of reason and protocol, I will go on record as saying the issue is process safety and particularly in ensuring that focus on outcome is always balanced with diligence and due process. Google "due process" and it is defined as: "1) NOTICE, generally written, but some courts have determined, in rare circumstances, other types of notice suffice. Notice should provide sufficient detail to fully inform the individual of the decision or activity that will have an effect on his/her rights or property or person." If I am working on a drilling rig this NOTICE

would be a RED FLAG if the risk was extremely high and this would give me the right as a human being to either, A. Make sure that the most competent people are on the job at that moment in time. B. Heighten my awareness C. Use equipment of the highest standards D. Run off (or catch the next boat in) if I think the people or equipment, on the job are not up to the task of operating at the high level of risk. Due process; do not forget that term for this issue in our industry. The broadcast of a ubiquitous summation of risk silos is exactly Due Process yet the assessments and summation must be done before any ubiquitous notice of "due process" can be done so we are already a couple of steps behind.Another term is "due diligence" and this strikes close to your stated battle against the profit motive yet I tell you capitalism isn't bad if there is due process and due diligence. Commercial interests in capitalism lead to a focus on profit and thus getting things done fast. Books of wisdom also say that "a man quick in his work will stand before kings!" yet the same book of wisdom says that "diligence leads to profit and haste to disaster". So really the issue goes back to the difference between haste and "quick in work" or alacrity. Clearly the quickness must be coupled with diligence or else it is haste. We all know this and see this in our everyday lives. We have an outcome in mind yet must focus diligently on the steps of the process in order to reach our goals. In fact then alacrity may be defined as a diligent focus on the job at hand, the process, if you will. So we come full circle the need for performance metrics to assess diligence. Google "due diligence" and you get alot of legal terminology and this definition:The theory behind due diligence holds that performing this type of investigation contributes significantly to informed decision making by enhancing the amount and quality of information available to decision makers and by ensuring that this information is systematically used to deliberate in a reflexive manner on the decision at hand and all its costs, benefits, and risks.You see now my determination to influence the discussion in the direction of "due process" and "due diligence"?

Peter Aird says: 7 year deepwater development study, more than 100 wells, the process failure safety facts based on loss control and not H&E devoid of safety as follows. Project facts. No one was hurt. (Zero) There was no spills ZERO There was no major traditional well related problems issues in terms well control ( no kicks, few losses issues), little wellbore instability, and very little stuck pipe. In fact no strings had to be backed off in any of these wells. So where were the issues? What was the safety related incidents/ accidents. ? Well there were 191 major non injury significant drilling operational related incident/ accident events. Every well being normalised with data managed in exactly the same way. Thus almost I.5 year of operating incident/ accident loss. (Big safety stuff!)

Where How many reports does current management process capture, do we think? <than 5 out of 191. So current process is concluded as fundamentally flawed, and this is for the big safety stuff. The S in "HSE' In addition there were another several hundred bottom tier drilling incident events in the daily stuff that resulted in about another years plus of loss. Of which less than 5% get catered for in STOP as intended because this is now a farcical card pr day for wearing your safety glasses etc. So let's ponder on this sad but true fact that any business that runs at 50 to 55% of incident accident loss. Cannot be considered healthy nor safe. This is my determination of real numbers when very simple loss control metrics are applied. Not what managers want to massage with meaningless NLTI facts and figures thT once below 1 per million man hrs is in fact now a random number so I informed. So This is fact and figures is for the relatively easy deepwater development wells. 55% of operations have the accidental potential to hurt someone. The fact that they did not come down to the responsible people who work at the coal face who really care about the real safety stuff and why no one got hurt. But we easily could have? So How much safer or not is the more complex wells? So until we measure safety more appropriately we are not going to improve anything The wheels will revolve vs evolve same as. Thus Safety is the the control of all accident loss. Accident*: people, process, plant, productivity/loss, environment. *95% of accidents that are fact non injury related. As this study concluded.

The above illustrates the need for TRUE INCIDENT reporting to combat the OUTCOME BIAS.

It has to be clear that Process Safety is ONLY well containment and barrier quality and that overall safety might need to be more clearly described as Process safety, personal safety, and project safety since if the derrick "craters" this isn't personal safety nor process safety and yet a group safety issue.Peter:You're right, of course, that measurements of key safety metrics don't apply to well containment and barrier issues and minimizing the process and yet focusing on the keys of the process with the use of a dedicated process engineer on duty every tour was an idea presented at last years offshore process safety conference. Andrew Hopkins, in his book, used the term "slacker" meaning this person's only duty was the barrier. This would be a "barrier engineer" (BE) and would be responsible for summation of the health of the barrier (or present risk level) at every moment in time and communicating this status back as a ubiquitous risk level giving further situational awareness to everyone on the project. The one response from Transocean after Macondo was that if they had been given clear notice of the increased risk they might have heightened

awareness and responded with more rigor and vigilance and this was also the conclusion of PTTEP at Montara leading to their devising the "Line of Sight Tool" as the solution.Incidentally, a BE and "BROADCAST" system meets the conspicuously absent discussion of what is owed to the personnel on the rig brought up by Peter and In my opinion it is indeed to help them and not burden them with RED TAPE perhaps simply designed to mitigate the "consciences" of regulators and other shore personnel, and if Due Process is the standard, allow for an accurate accounting and NOTICE of present risk presented in a ubiquitous, consistent, and accurate manner.All the talks of Standards in construction miss the point, standards must be kept, yet in construction any and all plans are executed with varying levels of success and equipment isn't always up to spec after installation and this affects the overall health of the barrier to flow. A "wet shoe" is an example of this. On the simplest operations the current health of the barrier is easily communicated across tours and crew changes and into stages of the procedure yet formalizing this as the primary duty of a BE is the key to due process and actually adding an element to an operation that helps and doesn't simply add layers of red tape that do not. The BE would be responsible for assessing the barrier and if a further test is needed to assess then this would be the duty of the BE. The risk level would be "ubiquitous". This means it would be broadcast to the entire team and present on the morning drilling report as a color and number for precision. In the most complex operations service companies could "tailor" personal, equipment and procedures to match risk level with competence level, equipment standards and procedural caution, with that information.

Ella: There is nothing "singular" nor "unidirectional" about summing risk and sharing its sum. The summation is "neural" and from every component of the project so there is nothing less singular and unidirectional than that; its all encompassing. The missing component is actually encompassing components of risk and sharing it with the project as a whole. Eventually this will be imposed if it isn't embraced. Simply look at the fallout from the deaths of the family in the Texas Panhandle from the H2S well that blewout. The rigs now must employ a system very nearly the same as a BROADCAST with a BE, ie. Flags of symbolic color must be flown on the rig that give DUE PROCESS and notify all that are on the location or even those that might drive up on the location unsuspecting of the level of clear and present danger and a dedicated H2S engineer. Rights to risk information is not a new concept nor is the energy industry exempt nor able to resist the trend because it adds safety. Really the problem is that not enough of us have sufficient grasp on the history of the industry to see the parallels to our current issues. Let's simply ignore the statement of "spreading risks" because the ultimate "spreading of risks" is socialization

of risks and ignoring risks and due process is simply an unacceptable form of socialization of risks. The due process of BROADCASTING risk level is a "Goal Oriented" prescriptive regulation. How the risk is summed is not prescribed. It was proven long ago by Emmanuel Kant that good will is required yet perhaps you start a discussion on how to enforce goodwill. That is your answer to how it is enforced. The current additional processes are "Process" prescriptions. This is red tape at its absolute worst!Consider the barrier a "dam". We're only talking about one engineer monitoring the status of the health of the "dam". Go to the Hoover Dam and ask them how many engineers they have on staff doing this exact thing. If there is a town built downstream you will see just how possible this is and that it is taken seriously and yet more importantly it is done. If you live below that "dam" you look up and see the color of the flag they are waving. This is Due Process and we could debate whether every human is due this yet we might all agree that people serving components of the bigger job benefit from situational awareness and so the project itself is safer because it shares risk information ubiquitously. I'm not sure how this cannot be accepted completely.

Way to go Peter! Everything you said needs to be carefully considered. You said it, "everything can be better measured but we choose not to". I'm still not sure how days versus depth data translates to anything other than the outcome performance controls we're used to and why the thinking that lead to problems will now lead to solutions. Rushmore offset data doesn't record barrier data and so how do we measure performance of control over the barrier when we are only reporting and measuring days versus depth and comments on a drilling report that give superficial and often wrong indicators of the health of the barrier e.g.. "bumped plug; cement job a success!" Yet again, however, most are once again pointing to the fact that in 100s of wells there is not one well control incident? Low incident high consequence is the nature of the beast. Its so easy to discount the danger and to overestimate the utility of processes and declare them as successful and useful by people at the top end of the triangle when the issue is low incident and high consequence. Its the same logic to las vegas; the truth is hidden in the obscurity of probability versus the propensity of constant streams of data from everyday operations. Hidden still are the brief moments when little things go awry and never make it on the morning report. Peter Aird talks about treating incidents as vital instead of just accidents since in only focusing on accidents we suffer the “outcome bias” since incidents suggested poor performance that simply avoided an “accident” or consequence due to luck or the percentages.

I've worked as a company man as well Peter, and yes, unless one has, the subtle challenges are not always appreciated while engineering designs and operations in the office. If the subject was not so serious the lack of recognition of the essence and vitality of constant and dynamic barrier assurance, and in the most complex operations, perhaps a dedicated barrier engineer (BE), would be humorous. It isn't so much that barrier assurance isn't on the minds of key personnel as much as it is that this should be communicated ubiquitously to everyone on the team, dynamically, to heighten awareness, and that in the most complex operations this begins to exceed the capabilities of informal assessments in the mind of one person that has other duties. This is situational awareness 101 and the human factors of cognitive overload and the due process of rights to risk information rolled into one. If the barrier assurance is thorough enough it may be summed into a risk level and combined with competency levels so that in times of highest risk the highest levels of competency and equipment Q/A may be utilized. Look, the formalizing of the barrier assurance measures itself will lend to begin gathering the data necessary to learn more about the weak links and also focus diligent attention where it is needed.

That is exactly it. That is the essence of all of the preaching. On the simplest projects this is all that is needed. On the most complex projects a formal gathering of "risk silos" in regards to the barrier need to be gathered and perhaps overseen by a dedicated BE, summed and reported ubiquitously back on the morning report and everywhere to everyone on the project in real time. The more this is done the better the data gathered and it improves. Triggers and alarms can be dealt with by SMEs appropriated and automatically, eventually (or not) as Garry was speaking of (that was esoteric to most at the time he stated it). When, where and if, a BE, is needed or any or all of this is automated and perhaps artificial intelligence added, is beside the point. This process starts by, as you say, getting this metric formally on the morning report. The quality, and completeness of the data will improve as the significance of this metric is seen. This has been done "between the ears" and needs to be formalized in the most complex operations and during changeovers, like tour changes, crew changes, etc. so why not formalize it and begin gathering data that will impact well containment and barrier quality during well construction?

Good night. It is nice to see this understanding in others. Of course the limit to the definition of process safety is mainly due to its inception in refineries where the only moving part that interacts with people is the fluid itself (with minor exceptions) and it is contained, until it isn't. On a drilling

rig, moving parts are everywhere and the safety of the "process", also then, becomes personal safety, well control, major hazards, etc. It is still assumed that we are talking of well control when we discuss process safety in drilling and so if that is the definition and scope, the barrier assurance metric is the right discussion and focus. Human factors are entangled in this metric in complex ways as well as equipment quality, and the risk in assessment of barrier quality and "commercial" resistance to costly testing (due diligence) to reduce its uncertainty. The first step, however, is in "funneling" the focus to this precise point. Once the focus is there, the situational awareness is there that supports better decisions and competency levels. Then advances in personal safety and major hazards are other components that result in more injuries and deaths and lost time, as Peter A. alludes to, can be developed in similar ways by gathering the right kind of information and sharing it. Once a metric is used and focused on, people of "good will", begin reporting it and gathering it and not before then. Its a bit of a "Catch 22", yet it's true, and achievable.

Ella: process flow diagrams are not something seen a lot in drilling and if at all yet perhaps there is a benefit in it since it would identify transitions (harboring risk derivative max/min values). I won't speak for everyone's opinion in the relationship between the company man and the OIM yet since the contractor and operator have had different procedures and ideas/opinions on well control procedures, BOPE configurations, etc. this relationship can be strained at the moments of highest risk and need for a definitive decision and consensus. While bridging documents hope to mitigate the majority of issues it doesn't address the dynamic nature of this relationship and the disparate risk silos that exist between the two autonomous organizations and communication lines. This is just one opinion; mine.

Well, yes, and supporting the decisions of the company man with supervisory levels dictated by dynamic risk level of the barrier, like having the engineer that designs the negative pressure test (very high risk potential) being required to "sign off" on it. Of course this is "pre-emptive" prevention and assignment and clarification of duties during well control is "reactive" mitigation, they both form two sides of a "bow-tie" safety diagram that still has room for improvement.

If anyone designs a negative test that, as you say, tests both the float shoe and the hanger seal in the well head housing, at the same time, like they did at Macondo, they're in trouble eventually and that isn't competent. They all, in a certain organization, did it like that to save time before and yet it was never competent. Its fine as long as everything holds and yet that isn't

really the point of a test now is it? To do both tests at once the drill pipe is miles off bottom. If that makes sense to anyone as the engineer, then yes it would be better to not have the engineer involved and there does need to be "a whole lot of discussion", because "help" has passed already. As far as with regulators, who would involve them in structuring our operational team and lines of communication? That was never suggested. The point is in supporting decisions better, not intrusively, and yet at moments when the guys on the rig are scratching their heads and need support (pretend this never happens all you want), the drilling engineer that designs and complicates a test that puts the barrier at immediate high risk is not observing the operations nor checking to make sure the guys on the rig understand and know what they are doing? The engineer that designed the test should know; right? If they don't who does? Does the engineering manager know? Yes, there does need to be a whole lot of discussion and yet with people that know what they are doing.

Ella: I watched it and provide my notes here in 2 parts in service. My apologies for using the term "guy" generically since I did this fast and didn't catch their names.There remains confusion as to Process Safety (Well Containment) and focusing on process performance controls in safety (includes personal, major hazards and well containment). I think there needs to be one single focus on Drilling Process Safety as Well Containment, and one single focus on process performance controls on major hazards and personal safety. The confusion is palpable watching the panel and in general in the industry and it is stifling to progress.Gaming safety measures. Middle managers with commercial focus using performance controls that are commercial outcome based rather than balanced with process performance controls and being diligence based metrics. If the metrics were truly effective there would be no “gaming” except by people harboring the dumbest of mindset.LTIs based on injury rates affects reporting.Process Safety Indicators instead of LTIs? Yet they suggest none.At 20:00 “I’m not convinced that we will not have another Macondo... I’m not convinced that a lot has changed... We need to get down to the ground and make people understand what the risks and how we manage them and engage them to avoid these events. The people…”Look, here we go again where guys are stated the need clearly and yet not hearing the answer that myself and BROADCAST, Garry, and now Peter see clearly as the answer; DUE PROCESS.Let’s look again at the definition of due process in the words the guy on the panel himself used: Gather the risks of the risk silos on the project=”what the risks are”. Assess and measure the risks=”how we manage them” Ubiquitously broadcast the risk level to create situational awareness, heightened awareness and matching competencies, supervisory levels, and equipment

standards=”engage them to avid these events.”At ~22:00 “I’m not sure we can legislate culture. I think we can legislate symptoms of culture.” I agree that he lawmakers cannot legislate culture unless they realize that certain formalities and actions create culture. Only then can the actions and formalities be required.23:55 personalizing consequences. The speaker implies that people in the office are too immune to consequences. This will continue as long as frontline workers take the blame for office laxities and informalities that offer no decision support, due diligence, nor due process to them.

One guy suggests that realizing the consequences will change things. I think he implies that things will change simply from the enormity of the disaster and its publicity as “what can happen”. Yet, we’ve seen this gets pushed from consciousness, ignored and people are hoping for this to get out of the spotlight like the LUSI Mud Volcano, Lake Peignor, etc. Thise are not studied as lessons learnable yet almost as laughable entertainment, years removed, or even as a dark family secret never to discuss. Deviance from procedure are only viewed from the consequences that stem from them. This is the outcome bias. Clearly true. This is what Peter Aird rightly speaks of often, thankfully. 30:15 Leaders are swamped with commercial interests. “Must educate middle managers from the top as to the benefits of safety measures.” Wow! This is a very telling statement. Everybody feels compelled to cheat because of the outcome bias that doesn’t punish deviance because of low incidence of high consequence per deviance. Again this is outcome bias. 33:20 “must develop procedures that allow for human error.” Yes! Just culture also means you cannot punish human error! “Creating the widest possible system”. Is he talking about a Just Culture. 35:00 Multitasking. What pressures were on those workers? Cognitive load that lead to cognitive errors in decisions. We must measure cognitive load and include this in the summation of risk silos. In this case each person is a “risk silo”. Each individual cognitive load increases this “silo risk level”. When summed this is communicated back. Individual cognitive loads are measured in the processed and then can be managed by splitting cognitive loads, adding competency etc. First it must be seen as important, gathered expertly, assessed, measured, summed, and ubiquitously broadcast back to “the people”. DUE PROCESS. 40:00 Major accident hazard management must be focused on. Nothing is ever finished and nothing is ever beyond criticism. Baloney! BROADCAST and due process is beyond criticism. They obviously have heard of neither. 42:00 “Complacency.” Complacency is mitigated by BROADCASTING risk. Isn’t this the reason for the Terror Alert System? And the Forest Fire Risk System? Yes! 45:00 Organizational change. It is the responsibility of those managing the organization to make sure the processes are in place. 48:00

different metrics for personal and process safety. Competency. Design. People. Procedures. Equipment flaws. Thinks they are inherently linked. They overlap. I agree. LTIs can be a gross filter for overall and personal cognitive load yet might be used against people in an Unjust Culture. 51:45 Make the people in the office accountable. True, so true. Yet prosecuting company men when every expert points to organizational systemic failure is not such a good start.

These discussions and safety in complex operations on the rig, in general, suffer from not seeing the forest for the trees. A good question to ask is "what is the one concept that would make the biggest impact that should be enacted first", and the question has already been answered on this thread, yet not universally seen because of the myriad of other ideas, concepts and comments.

Let's take that further and discuss that the one action that would prevent unbridled commercial interest from encroaching on the safe decision space and the due process of protecting crews by giving them notice of current levels of risk that may affect them, as pulling performance metrics from the risk of the process. The diligence needed to do this is the "due diligence", and the act itself is the "due process"; both missing in the latest tragedies. If you already understand the one subject I've discussed for three years then you do not need to read on because it is the same thing.A good question to ask is "what is the one thing that would make the biggest impact, that should be worked on first". In answering this, the issues that have been brought up incessantly can be recalled and the one thing that makes the most difference applied. The list includes using process performance controls in addition to commercial performance controls, protecting crews, heightening situational awareness, assessing risks carefully (due diligence) and giving notice to crews (due process), assessing, measuring and managing the risk of the engineering design below reasonable levels, compliance with "Right to Risk Information", apropriating competency to the risk level of the project, and being able to regulate this behavior. First the question, "how can this be done?". This is in essence assessing the process for the risk and then broadcasting this neurally gathered risk information back as a ubiquitous risk level. The forest (overall risk of failure of the barrier) cannot be seen because of the trees (individual silos of risk in every, individual comprising the human barrier, tangible component comprising the wellbore, the earth geomechanical reality, and deviation of risk assessed in planning from those that exist after implementation, the disparate experiential data from tours, crew changes, etc. and the decisions being made based on this disintegrated vastness of data). We do this in less complicated situations

and operations, between our ears in many areas of the rig and in life in general yet the difference is that in some projects these "risk silos" extend beyond the view and perception of one person and therefore must be "summed" and returned to the individual. I'm not an HSEQ professional, yet a drilling engineer, I'm more interested in getting clients to utilize this concept than developing it and profiting from this, because it will make things safer and we have many children as well.The actual concept is that of a "forest", the ubiquitous summation of risk silos, and the "trees", the risk silos.

We do in fact need to "DO" something because at this point it is only talk and that is really nothing! The answer to each of your questions as to "gaming", "why no one has process safety indicators", and why the regulators "have not even contemplated this", is because this tool doesn't exist except between the ears of those of us that have considered this. Human beings devise solutions that match the tools we have in our toolbox. This is the great practical nature of human beings. If the tool isn't appropriate or does not work, and yet is "required", it will be "gamed". If the most appropriate tool to solve every issue doesn't exist then many less appropriate tools will be thought of and utilized in the place of that one tool, with lesser results. This is THE human factor and based on the great human attribute of action, NOW!

Let's also consider that compliance to standards, procedures, best practices or even better judgment suffers from "drifting" into poor practices because of the nature of low incident major consequence events that only happen a small percentage of the time they are possible because humans cover imperfections, perfectly as a team, a large percentage of the time. A lot of the reason for this is that crew and others involved suffer from the numbing effect of being alert over the course of a long project because of the long extended periods of time spent at an actual low risk. There needs. This is in essence suffering from the effect of "crying wolf". The incessant calls to safety from the C Office, universally and in our industry in general creates this "false alarm effect", over time since these accidents never happen for most projects, crews, and are by definition, "low incident/high consequence". Read: Cry Wolf: The Psychology of False Alarms By S. Breznitz It basically negates the desired effect of keeping crews, and even engineers, GnG and even supervisors and upper level managers alert to the moments when risk IS highest. There needs to be a distinction between moments of low risk and high risk or the deadening effect of insensitivity to moments of highest risk, or the "false alarm effect", because of the lack of ubiquitous broadcast of current risk levels.

Garry: QA requires QC and QC requires measuring quality. Q of commercial performance gives QAQC of commercial risk and Q of well containment gives QAQC of barriers to assure well containment. Just making sure the focus remains on "what" to measure in process safety. To be clear, it is the risk to the barriers that constitutes their quality and the risk to "well containment". This is the most vital measurement of the process of disturbing and replacing a perfectly good natural barrier to hydrocarbon blowout, with our man made one called a well and the process called drilling and constructing a well. Risk is the one parameter that MUST be dynamically assessed during this process and then shared back ubiquitously to every component. Look for another parameter more important if you must yet you will eventually find your way back.Also, back to the focus on the "false alarm effect" is the psychology of the Signal Detection Theory (SDT). This theory is honored by True Due Process and Due Diligence of well containment, that broadcast of ubiquitous summation of myriad risk silos offers.Here it is on wikipedia in service to this focused discussion: http://en.wikipedia.org/wiki/Detection_theoryPeter: Key word "overridden". If the CEO adopts this measure there is no need to override. Influence is by definition needed. Who will lead the way, the "leaders", or the regulators? If I was the CEO I would definitely not enjoy being overridden I think.Peter: Yes! Thanks for the support and allow me to refine your great thought that we need to replace "what if" questions with, "what do you have in place if", to "we need to complete that question with "what is the summation of risks of what we have in place if". We must assess the landscape and THEN MEASURE, yet not measure indiscriminate parameters and yet specifically measure the risk to the barriers. And, not only measure that yet, then communicate it back, as you completely agree with and understand is the due process and situational awareness that appropriates further decisions of many parameters that are a self reinforcing positive "feedback" loop of refinement and improvement.

Garry: first, in regards to your previous comment, a good sign of a "coherent" conceptual system is that its components match the overall system in design. In this BROADCAST system the overall FLAG bears the exact same data and due diligence as each component "FLAG" of the system. It displays each parameter of assessment of a coherent "scalable" system. The overall due diligence matches the due diligence of each component and broadcasting the assessment IS due process, situational awareness and a positive feedback loop of learning, situational competency and improvement.In regards to tectonics, of course, this is true and we are painfully aware of the community reactions to the Youngstown induced seismicity and the deadly, induced earthquake in Russia years back, also the reverse is true in blaming an earthquake,

subjectively, for the LUSI mud volcano that is ongoing. Points to lack of due diligence and process and also good will. If an engineer brought up earthquake induction as a line item risk he/she would probably be putting his/her office into boxes before a geomechanic would be summoned and has that lack of knowledge, understanding and due diligence changed at all?Peter: perhaps good teamwork starts with Kantian good will, then builds with knowledge, wisdom and understanding and focus and scope, and stays together with courage facing these types of problems; not earthquakes yet ill will, lack of focus, narrow scope and fear. Yet, probably most often because people are busy, dutifully and extremely competently, working in each of these component systems to consider for the amount of time it takes to understand these concepts and the due process that would enhance their designs and executions. Low incidence events allow selfish attitudes that suggest "this isn't my problem let the people alive in 100 years deal with the 100 year event".

It's scalable and transferable to major hazards and personal safety and almost every industry (a sign of a general lacking in patterns of communication especially within interactive complex and tightly coupled systems and it's appropriateness). The fact that it uniquely meets standards of due diligence, due process and its inherent premise of "the right to risk information" (standards in other industries), is another sign that it is a lacking that should be rectified now internally rather than imposed thusly "overriding" corporate management and its sovereignty. Like traveling to the moon, "not because it is easy yet because it is hard", we should encourage this, "because that goal will serve to organize and measure the best of our energies and skills, because that challenge is one that we are willing to accept, one we are unwilling to postpone, and one which we intend to" succeed (besides making things safer and providing several basic and "Just Culture" concepts/human rights along the way). Thank you for your continuing consultation and wisdom.

Peter once again is making the sense that we all should be on this issue of really defining risk necessarily and there is no room to agree with you more on the need to change the corporate mindset of being locked in to reporting useless, or incomplete numbers. Desiring, even expecting to someday have an epiphany of change, but not willing to change the mindset or the culture of locked-in reporting to achieve it. Nor are they willing to ask the hard questions in order to uncover what must be done. If you look carefully at exactly what is the distinction between "incidents" and "accidents", you can began to understand that incidents are "triggers" to consequence that can be either mitigated or not. Looking at those number can be used to build conclusions of ratios of accidents to incidents

according to a pattern developed by Frank Bird, as you've related before. Also, the subtle distinction that looking at incidents before accidents is that this extracts the random, and probabilistic nature of consequences out of the overall "risk" equation and focuses closely at it. I've pointed this out here before and you are zooming in on it and that is the need to understand the equation of risk more closely. The actual formula for risk. Most people miss the opportunity to learn and utilize better metrics by doing this simply act of zooming into the details of a big billion dollar subject. Peter, the reason it isn't done is probably, velleity, and lack of hands on experience. HSE isn't used to drilling hands getting involved in designing actual reported metrics in a big way. RISK = EXPOSURE X VULNERABILITY x PROBABILITY because CONSEQUENCES = EXPOSURE X VULNERABILITY , the equation is often seen as RISK = PROBABILITY x CONSEQUENCES, and wrongly spoken ("Probably won't happen") of and even thought of as simply RISK = PROBABILITY, and clearly, because the reporting of useless numbers to hazard recognition is so universally omnipresent, breaking this formula down and really knowing the details is rarely done. If it was done then there would be the focus of EXPOSURE and VULNERABILITY, which is exactly what Peter Aird, an actual drilling person, continues to point out with less response to its validity than should be happening. A system that gathers information related to EXPOSURE and VULNERABILITY of the barrier will gather "true" risks not clouded by OUTCOME BIAS. Reporting the exposure and vulnerability of the barrier (and other hazards in general HSE and MAE), is the start, and summing this and broadcasting it back to small teams working on components of the bigger project as a whole is Due Process and adds situational awareness that makes the rig a safer place to work and is defined as Process Safety and yet summing the exposure and vulnerability to HSE and Major hazards can be done in this same way as the broadcasting of risk levels to well containment I've been proposing. The information people need is their exposure and vulnerability to hazards and "Rights to risk information" is something many industries think of as due process and human rights and situational awareness experts think of as common sense in mitigating risk. First things first in order to analyze exposure and vulnerability to hazards the incidents need to be reported and not simply the ones that lead to accidents that are of the level currently reported.

Garry: It isn't difficult to distinguish between a high risk area for induced seismicity and low risk as you know. The formula is simple and involves the Young's Modulus (S), the slip length (fault movement) and the rupture area. All of the above are limited in sedimentary basins because S is very small in sand and claystone compared to granite that we do not drill. Also,

slip length and rupture area are large in granite and small in sedimentary basins because large rupture areas are possible in granite and not in buried sedimentary rock. Also, the potential for large tectonic movements is relegated to seismic hotspots that align with bigger crustal plate tectonics. Generally as engineers we are in a "sandbox" that is devoid of these types of "seismic hazards" yet the due diligence must be done initially and shaking Grandma's chandelier is going to stir up interesting discussions that we must foresee and not mitigate with "pizza coupons" and think we are winning friends and influencing people.Piezoelectricity isn't studied in the realm of our petroleum business because we don't drill granite that contains the quartz (in massive quantities). Some extremely open minded individuals (a euphemism?) ask the question similar to "lightening" as to whether it strikes down or up? Does the earthquake light originate in the granite and move to the heavens or vice versa? Any further layer of discussion becomes unacceptable to less robust mental and emotional structures. Are they, and our petroleum basins, easily disturbed? Yes, in some cases, like drilling in Gazli and the "Hayward" fault (double entendre intended) or other seismic hotspot. This is a general question only valid to specifics. Not giving a project at least a cursory scan of the seismic potential is reckless. When thinking of seismicity being of the magnitude to disturb, this must include the most sensitive souls living among us especially if their fears are unfounded. Many oil companies have learned this lesson the hard way by dealing with the present state of opposition presented by escalating protests to "minor" induced seismicity. A well was drilled in the GOM that induced fault movement and that case isn't the only one; it happens yet a fault in sand isn't the same as one in granite and plate tectonics does not have a movement "seam" in the GOM so there is a small limit to a potential "slip" length. It can however broach a conduit to flow to the surface and loss of well containment in specific cases.Ella: Clearly the "bad players" with ill will and intent to circumvent rules, laws, codes and regulations that work need "overridden". Focus on performance controls based only on traditional commercial interests taught at MBA schools in due time leads to motive for "gaming" the system and staffing drilling teams with people that will focus on TASK and not PEOPLE and the bottom line of money and ease of reporting, rather than diligence that costs money.The goal orientation of regulators would be the right first step and not prescriptive measures mainly because how can regulators step up and claim they know the right prescriptions after centuries of not knowing, understanding and proclaiming the need for communicating the value in measuring exposure and vulnerability to hazards and the due process of summing these risks and broadcasting them back to all people on the project? The answer is they cannot and proclaiming to be an amateur is not a strength of either the government nor the leaders in

industry. We have problems admitting that we are less than expert. This is no way to begin to improve. We need an open and humble mindset and the will to move beyond mere velleity.Signal Detection Theory says Noise prevents the detection of signals. Process case is counterintuitive since noise is "the trees" and the signal is "the forest", and the risk of the sum of individual risks, due process, is eliminating the "noise" of "silence" and "complexity".

Bassey, it is agreed that the scope of process safety can be extended to any process included in the life cycle of petroleum delivery to our customers yet my expertise extends only to the drilling process and that is the most common association at this time focused on the drilling disasters, yet it is noticed that these concepts transfers to the bigger science and the lesser disciplines as well. So, in regards to any definition of process safety, it is time to re-engineer the metrics of risk and more importantly to communicate in terms of the details of risk to make situational awareness omnipresent and accessible to all that have the right to risk information according to due process. This isn't about human rights its about acknowledging that people make our systems safer and giving people the right information will make our systems safer still. Furthermore, this distinction is in the myriad quality and quantity of information there is in a project that might be thought important to communicate between individuals, teams, units, companies, etc. working on a project. Risk IS the key information that contains the most vital information available to share. The confusion begins because of the multitude of information that is mistaken as equal to or more important than communicating risk. The metrics of risk are re-engineered by studying exposure and vulnerability that equal consequence only a percentage of the time because humans are perfect a certain percentage of the time. This is the part of human error that people do not understand. We do not understand that our drilling systems are imperfect and only become perfect part of the time because of the efforts of people. People are adaptable and react to solve problems that our systems create all of the time because our systems are constantly in a state of wear and tear and disrepair and unable to detect problems and yet we do make them work perfectly most of the time despite the 50% incident rate Peter represents as being the truth. Because of human intervention our EXPOSURE to opportunities of injury, accident, and damage, Wayne, is constant and yet our VULNERABILITY is limited yet can be minimized even further if we report, study and respond to this reality (this is Peter A's assertion). There is a built in probability that normal human error will prevent a person from stepping in and stopping a failed physical component and people are more VULNERABLE at certain times. During vulnerable times of high cognitive load and complexity, adding

support in decision making can decrease the probability of bad decisions. So metrics to determine those moments would in fact be support metrics for decision making. This is artificial intelligence's place in the human barrier preventing uncontrolled flows and also personal safety and major hazards. RISK to the human barrier is indeed about decision making and the details of vulnerability and exposure to cognitive loads just as risk to the physical barriers is about the vulnerability and exposure to loads from the earth. The world is better off with money Wayne because it allows us to communicate and trade with others and have dominion in the world. These type innovations are better developed in the free market because competitive influences refine better than well funded projects without the constraints of competitive pressure. The government regulators, Ella, simply must keep the market truly free and fair to prevent the socialization of risks and once this practice is firmly established and carried forward for many years, corporations will innovate these "better" systems because of commercial reasons and therefore good will nor loftier motivations become irrelevant. In that case, Ella, CEOs can choose the systems they adopt yet all costs of all risks will be internalized and an inextricable profit motive can be the driver. No "overridden" prescriptive regulations needed. Earthquake risk is internalized Garry.

Bassey: It's clear not everyone is paying attention to the degree necessary to understand how we manage the status quo, yet there are many that are expressing the desire to know more. By measuring vulnerability and exposure and creating situational awareness of current and dynamic risk levels (status quo) each individual involved manages his/her own risk and team's appropriate competence, supervisory levels and equipment to match the levels of vulnerability and exposure to hazards. Its like the US Forest Service's National Fire Danger Rating System (NFDRS). The NFDRS is a system that allows fire managers to estimate today's or tomorrow's fire danger for a given area. It combines the effects of existing and expected states of selected fire danger factors into one or more qualitative or numeric indices that reflect an area's fire protection needs. It links an organization's readiness level (or pre-planned fire suppression actions) to the potential fire problems of the day. Knowledge of these levels can help forest visitors make decisions about whether or not to have a campfire or ride their OHV in a grassy area. Homeowners may choose to postpone burning a debris pile if they are aware of the fire danger level for that day. Contractors working in the forest may consider extra precautions when using equipment that might produce sparks. In some cases, the National Forest may even restrict certain activities based on the fire danger levels. Key words, "It links an organization's readiness level to the potential fire problems of the day". For our most interactively complex and tightly

coupled projects this would be first assessing the potential problems of the day and broadcasting this ubiquitously to everyone on the project that then tailors their readiness level (situational awareness) to the current level of risk. In this system the diligent assessment and communication in terms of vulnerability and exposure to hazards becomes routine and thus managed. This is DUE PROCESS. This same type system is MANDATORY for H2S because of the drilling in the Texas panhandle that killed an entire family. We need to study and learn from our industry's vast history and integrate the lessons learned into dangerous operations. It's interesting that otherwise brilliant people in our industry run like their hair is on fire from new things and even the most simple, effective and clever concepts that add value quickly to the status quo. The english translation of the latin, "status quo", is "current situation". Before we can change the status quo we must assess it, measure it and then we can manage to improve it. We assess the vulnerabilities and exposures of every component that comprises the status quo; measure; sum, then present this back clearly and omnipresently to all, as "the status quo" or "current situation". This is situational awareness, or status quo management 101. We are in essence making the status quo apparent to all so we either make changes or realize none are necessary. People do not really protect the status quo yet we are often simply not sufficiently aware of its scope, breadth and components and people are rightfully careful not to change things we do not sufficiently know and understand.

The solution has not changed in years and yet the presentation of any solution is always the challenge and a learning process. More than one operator has already embraced the postulates, one, more than two years ago. There is nothing more than presenting a system to an operator, that needs to be done, because the government cannot "make" a company do anything well except balk like donkeys. The regulators should not get involved because adding process and red tape makes things more dangerous because it adds to the workload indiscriminately since each operator is different and knows best how to operate within its leases with its personnel and particular issues. All regulators need to do is internalize the risks on each operator and ensure the operator has the means to be accountable for every risk it takes. The solutions to manage complexity and its risks will develop, and improve to the extent that the regulators stay out of prescriptions and simply do the one thing they should and that is internalize risks and, for the detail oriented, this means every consequence. Insurance was invented 5000 years ago and insurers "encourage" operator accountability to utilize preventative due diligence, and due process or else they go out of business. The largest organizations likely self insure and national companies can do practically anything they

determine suits them best yet they are accountable to their countrymen and neighboring countries, if consequences extend beyond their boundaries. Sorry to disappoint anybody that sees adventure, or utility, in spending money in academic research, government and NGOs, yet this isn't quantum physics, this is simple reasoning and collecting the interest on principal invested in people we already work with and employ. The basic concept is easily custom tailored to any company and if anyone needs help doing this (my rate is fair) they can certainly contact me because explaining this is becoming easier and easier.

The one thing in common that will do the most is responsibility and accountability and the best way to ensure this is to hold them accountable. Government has a mandate, handcuffs and guns for those that refuse yet don't use the handcuffs before the accidents.

We want to know the regulator's role in process safety and see ambivalent motivations as the reason process risks are ignored and this is the truth and see the motive to be safe at all costs as the proper motivation and also see that the competing motive to make a profit is the problem and again this is true UNLESS the motive to be safe is merged into the profit motive. This is integrating disparate motivations and the job of the government and its only job that must be done. This is the only way to solve ambivalent motivations and is integrity. This one thing every project has in common must be the only focus of government regulators. The one thing in common is that every project has risk of consequences and every company that expects to keep the profit of the best consequences must be forced to pay the cost of the worst and allowing even one to declare bankruptcy and avoid paying consequences IS FAILURE TO REGULATE because that allows companies to SOCIALIZE RISKS AS MITIGATION FOR WORST CASE SCENARIOS and incentivize a "loophole". Government regulators have courts, laws, judges, prosecutors, law enforcement officers, guns, handcuffs and the duty to use this power to ensure that any company that does business in every country pays for, or has the means to, pay for these worst case scenario consequences and not the expertise to tell operators how to drill wells step by step with prescriptions because they will never know any operator's business better than the people operating their business. This is common sense that gets distorted by not breaking this down carefully and looking at it and thinking about it. The reason all of the risks were not mitigated and such a poor accounting of the status quo of risks in operations related to the barrier to the worst case scenario were done in the past is the fault of the

government in allowing companies to present the worst case scenario risks as being ridiculously low and portraying them in an mockingly negligent light. This is well documented in the "Buffalo Report" and every competent study on the tragedy of Macondo because this is the root cause. Free market forces work and yet markets are not free if all of the costs are not appropriated yet tax payers are left to pay the bill and families to mourn the dead. Delivering petroleum involves complexity and risk and yet we do make imperfect systems work perfectly in terms of containing the well most of the time because these worst case events are very low incident yet high consequence. Companies are in business because of ability to accept risk yet given a "loophole", MANY WILL TAKE IT. An operator will think of low probability as the risk itself and think, "well, if it blows out, we're out of business yet it 'probably won't happen'". The government regulator must enforce the worst case scenario and enforce means to pay it. An operator accepts risk and can be nearsighted and think to socialize the consequences of the very, tiny chance that an event would completely bankrupt the company. The regulator's ONLY JOB is to ensure this is not allowed to happen. If this one thing is done and the regulator stops prescribing every step and additional processes our business would spend the money to innovate, develop and mitigate. The government needs to only do the main thing it must do and that is hold people accountable to the whole of society and hold companies accountable to the whole of their consequences. They could do this in many ways yet they didn't do it before Macondo. Clarke (1999) called fantasy documents the permits to drill offshore before Macondo listing walruses, sea otters, sea lions, and seals under “sensitive biological ecosystems" that might be affected by the worst case scenario and yet listed the risk as very small. The probability was very small and yet not the consequences and therefore risk was huge. The government HAD ONE JOB TO DO. Macondo was the consequence of government regulator failure to do the one job it had to do.

The government ensured ignorance by allowing risks to be socialized, and allowed risks to be socialized by not regulating that upper limits on possible consequences are set properly and the means to pay the costs for them enforced. Ignorance socializes risk if the government allows it to happen. Socialization of risks is defined as having the poor pay for the mistakes of the rich. Socialization of risks is allowing ignorance instead of mitigation. It is a loophole that allows ignorance in place of mitigation. Ignorance as a mitigation stops innovations, development and improvements before they ever have a chance to begin. Socializing risks is a crime just like robbery only on a bigger scale. The government exists and is given its mandate to enforce laws to prevent this. This is the one job government regulators MUST do.

People with the courage, morality and mental energy to actually do the right thing and standup to proclaim what the government must do are as Einstein said, "...are met with violent opposition…".

There is a time for everything, and the time to point a finger even, and in the discussion of what the regulator needs to do and does not need to be involved in, saying the regulator has one thing it must do, has to be said. While we may be the government and the government may be us, Bassey, this still must be said clearly and with courage, not in the spirit of blame and yet clinically, to clarify the mechanism of change that a clear message from the regulator sends. If the regulator mandates accountability and responsibility then accountability and responsibility will be the rule in the industry. If the regulator ignores the operators presenting the worst case and presents a "fantasy document", then ignorance will be perpetuated in the industry and this is exactly the reality of the last twenty years. The logic is simply that the message was one of ignorance. We do agree that the latest tragedy was responded to correctly by both the company and the government. The responsibility of the oil company involved was the kind of accountability that we need more of and to be clear is required of every company that wants the license to operate. The logic of ignorance, however, was set in motion by allowing ignorance to exist instead of accountability and we must clinically point the finger to see exactly how this happened and not be squeamish for a moment in time. It is necessary. When anybody stands up on his/her hind legs and says the one thing that must be done the natural reaction of those still on all fours is to claim that this person is trying to make a name for him or herself yet this is the reaction that most prophets receive at first and yet they really are giving information to save society. We must stand upright with courage and speak with the spirit of the 5th amendment. It must be clear that there are still things that must be said before action is taken. The government must continue to ensure accountability undiluted with unrelated prescriptions.The government ensured ignorance by allowing risks to be socialized, and allowed risks to be socialized by not regulating upper values on possible consequences and means to pay worst consequence costs. Ignorance socializes risk if the government allows it to happen. Socialization of risks is defined as having the poor pay for the mistakes of the rich and all to pay for only the bad consequences of one and yet allows the one to receive all of the good consequences that all do not share in. Socialization of risks is allowing ignorance instead of mitigation. It is a loophole that allows ignorance in place of mitigation. Ignorance as a mitigation stops innovations, development and improvements before they ever have a chance to begin. Socializing risks is a crime just like robbery only on a

bigger scale. The government exists and is given its mandate to enforce laws to prevent this. This is the one job government regulators MUST do.Do not misconstrue an implication of a particular president in the government of the US in my comments. The truth is the current administration started out by announcing an intent to allow drilling in Florida! The disaster put an end to that quickly because the current administration was not aware of how lax the MMS was and didn't understand the "fantasy" that the companies were allowed to present as the worst case scenario, yet acted quickly to ensure that the one job the government must do in any viable country is to enforce accountability and justice, and this was and is still being done.We cannot be squeamish in looking at this issue and getting this one thing right. Let's not pretend this was gotten right in the past or is a sure thing to keep getting right in the future and let's not discount its importance or cower in the implications of how important being honest and accountable is to innovation and safety in our processes. If we do not now we will be running chasing after less vital things with no success forever.

This is the one thing that needs to be said and yet small operators cringe at hearing yet think of other industries and if we allowed say, toxic waste operators to operate in our communities near our children that didn't have the means to pay for contaminating our children. Not ensuring they have insurance or the means to pay worst consequences means allowing them to "ignore" this risk and consequence altogether. This is allowing them to operate without accountability. This is not holding people to consequences and this is criminal. This concept is JUSTICE 101.

This is the most common concept that no one wants to talk about and I proclaimed it and others will try to point the finger at me and say I'm just being critical or trying to make a name for myself because they are afraid of the implications of accountability. The truth is accountability leads to lower costs yet people are afraid to be held accountable. People want others to stop at the stop sign yet want the police to let us roll right through without ticketing us. Its selfish human nature at work and we need to rise above this. We cannot let this message be diluted. Justice and accountability are a four way stop. We must, and all others must, stop. This is for the common good. These are the basics that we must get right yet people want to skip over this foundation of justice because its uncomfortable. 11 people just died and that was real uncomfortable. Wake up.

Med Seghair: Precisely! That summarizes my last comments except the regulator has to be accountable and responsible if there is any hope of

regulating accountability and responsibility. The problem with regulators reaching out to industry for help is precisely that they are now in a problematic relationship. This is the reason that the mode of regulator dialogue has to be in certain terms. The terms must be exactly what the regulator is managing. And the reason the regulator must communicate in solely risk and not in prescribing step by step procedures is that exactly the wrong relationship with the operators is created; namely one in which the regulator must be subservient to the higher knowledge and understanding the operator will always have on their own properties. The regulator must be measuring exposure and vulnerability to hazards, which is precisely the status quo of risk, and only this if it has any hope of actually regulating. Only then will the regulator avoid the relationship where it is relegated to 'ask the industrialist' for help. Great point Med. Vince: That is exactly it! The difference between a Just Culture mentality and the mindset of human understanding and humility knows the exact opposite is true. FRONT LINE WORKERS ARE NOT BUMBLING IDIOTS as so often portrayed in the wrong culture you complain of and yet our drilling rigs and equipment and systems are IMPERFECT and only BECOME PERFECT BECAUSE OF THE HUMANS THAT ADAPT and make these systems perfect. When mistakes happen they usually point to a new improvement needed in the imperfect system to be added by people working in that system and if we simply blame the people without looking situationally at the imperfect system they were working in we do not adapt the system to improve it. The difference is the wrong culture fails because of the fundamental attribute error when accidents may point to failures in their beloved management systems they would like everyone to see as perfect yet it indeed isn't. This is disgusting. We need to judge everyone according to situational attribution judgment and not the fundamental attributes. This is common sense in human factor engineering. First before we improve workers interactions with imperfect and rigid systems we must hold operators completely accountable and responsible for them and ENSURE THE RISKS ARE PROPERLY MEASURED AND THE OPERATOR HAS THE MEANS TO PAY THEM SO THE COMMERCIAL VIABILITY LOGS THE TRUE RISK AND THEREFORE ASSIGNS ENGINEERS TO TRULY MITIGATE THEM FOR COMMERCIAL REASONS. The means can be self insurance or outside insurance or even escrow. No company wants to hear this and most people will deny this needs to be done because we go many decades even without these low incident, high consequence disasters, yet if we truly want companies to assign assets to recognize, measure and mitigate/manage risks there is nothing better than putting the potential consequences in jeopardy for all of the commercial managers to see. No one wants to do this, even me as a business owner, because our wealth is in jeopardy yet in instances where we jeopardize the wealth of others, like

in the fisheries of the GOM etc. this is justice and the right thing to do and also it makes our industry spend money on engineers, etc. that need to mitigate these risks through engineering, science and innovation. If not we will be spending money on employing people that will simply keep their mouths shut and let us all believe the fantasy and simply throw front line people to the sharks periodically and that is disgusting and not why any of us got college degrees, a heart, and a soul for doing the right things and making a true career and not simply feeding at the "slop" like hogs. Wayne: STAY FOCUSED. What is beyond me is how we all acknowledge we need to manage risk better and then quickly scatter our minds into prescribing other things. Simply measure risk.

Peter: the proper role of the regulator in a system that works is completely understood and there is no difference in suggestions previously and your statement above as long as the details of the "safety case" are exposures and vulnerabilities summed into risk along the timeline of the project activities. Calling the projection of the risk during every point in time of the process of drilling and completing done before the well is drilled in the planning and permitting phase the "safety case" is nothing different from previous descriptions of the need for BROADCAST and FORECAST of dynamic status quo of risk. The point is the "Safety Case" must be "risk based" and not "mitigation based", the former is like treating the disease and the later is like treating symptoms only. The "safety case" or pre drill summation of risks projected on a timeline, is the part of the BROADCAST system, explained for the last two years, called FORECAST, and FORECAST, is compared against the actual summation of the individual components of risk dynamically, BROADCAST, and variances between the risk FORECAST and the actual BROADCAST, will suggest the risks are under the level suggested in pre-planning or above and perhaps the regulator can step in. The actual comparing of the two has been called SIMULCAST. How is the regulator to know the risk is in or out of control if the dynamic risk status quo is not measured and broadcast to everyone including to the regulator? The added benefit is in broadcasting this back to EVERYONE, and not simply back to the regulator, as this adds situational awareness. Yet, keep in mind, that people's ideas of the "SAFETY CASE" can vary. If the regulator is just analyzing the operators list of risks and mitigations and saying, "this is safe", and the regulator simply agrees without the risk being summed from individual risk components along the timeline of the project activities then the variance will not be detected in real time. If it is, then this is doing exactly as a FORECAST and BROADCAST of the status quo of risk accomplishes. The subtle details of a useful "safety case" and a worthless and even distracting "safety case" is the absence of levels of risk as a function of

time both in the pre drill and operational phases.It is okay to call for the safety case only if the safety case forecasts the risk along the timeline and then risk is summed and broadcast ubiquitously during the project to everyone on the team AND the regulator and the broadcast is SIMULCAST to compare against the forecast during the event. There is a plethora of agreement now to the basic presentation of the need to broadcast the due process, due diligence, (broadcast of the status quo of risk diligently measured and summed from every component of vulnerability and exposure in the system), and comparing these to those forecasted at the beginning of the project as in "safety case" regulating. FORECAST, BROADCAST, and SIMULCAST. Still, how diligently this is done will be determined by the level of accountability to possible consequences are enforced, and yet how the operator, perceived they will be enforced. That is the role of the regulator that has been worse than misunderstood; it had been absent.With all of that being said we do owe Peter recognition for bringing the Safety Case nomenclature to the role of the regulator to the discussion because using the model of ubiquitously broadcast summations of risk for the operational phase and comparing this to the FORECAST of summations of risk along the projected timeline (which is the SAFETY CASE), the regulator can spot variances of the only parameter that matters in terms of possibility to prevent and that is by measuring exposures and vulnerability and variances to mitigation plans developed in the design phase by designing engineers, GnG, etc. This is exactly "Safety Case Regulation" and therefore there is no problem whatsoever in calling it this from here and now foreword. Thanks.

Part 2 Now the part of the "safety case" that is not sufficient without added details is diligence in assessing risk. The discussion around "safety case" regulation is that the risk is created by the operator and thus must be managed by the operator. YES! How could anyone disagree! And furthermore, the regulator can compare reality to claims made in the "safety case". Yes, yet when does the regulator audit and compare? Shouldn't this be done dynamically, and all of the time? YES! How could anyone disagree? Yet the operator must have incentive to go to all of that trouble which by definition is DILIGENCE. The part of the "safety case" that isn't discussed is that the diligence of the assessment of the risk created by the operator is determined by whom? The regulator? The regulator, we may all begin to recognize and agree is naturally deficient of all of the details that go into assessing risk for specific details of specific projects, for instance, the degree of certainty of a pore pressure analysis through the hydrocarbon bearing zone assessed by the operators GnG squad. So the proficiency of the "safety case", without the added detail of "due diligence", is limited similarly to the state of our safety before Macondo; the true risk of

the process can be ignored if the operator thinks it can "game" the system of rating risk and it can and has proved this for as long as our industry has existed. Fantasy documents? Self assessing risk to ecosystems as minor and then realizing $billions in damage? There were many more the same yet only one that suffered the actually low probability consequence. That point must be well understood. The point is due diligence in the risk assessment must be done and how can this be regulated. We do not have to go back through the last 10 comments about Due Diligence being a STRONG FUNCTION of ACCOUNTABILITY to the WORST CASE CONSEQUENCES, yet let's repeat that DUE DILIGENCE IS A STRONG FUNCTION of ACCOUNTABILITY to the WORST CASE CONSEQUENCES! The "Safety Case" is meaningless without the "Due Diligence" that must be enforced by every operator knowing that EVERY ADVERSE CONSEQUENCE WILL BE PRIVATIZED and NOT EVEN PARTIALLY SOCIALIZED and THIS FACT along with the fact that the Macondo consequences are in the $BILLIONS and perhaps might reach the $100BILLIONS and the government is going to enforce this on the operators that are unlike BP? BP did this and should be given every single amount of praise for integrity in honoring its accountability and yet before Macondo was every operator thinking this level of accountability would be enforced? NO. If you do not understand this then this is a missing piece of the overall lessons to learn. Does anyone know for sure that the government isn't now engaging in "LEMON SOCIALISM", "CORPORATE CRONYISM", and "RISK SOCIALISM", by allowing operators with less than $100BILLION dollars in assets to operate in situations that could possibly result in similarly bad consequences as the operator that was able to pay the cost of the worst case consequences? We all cry bloody murder about BAIL OUTS and TOO BIG TO FAIL and this lemon socialism rightfully so since due diligence is a strong function to the accountability to the sum of all bad consequences possible. This is the due diligence that must be balanced with the dynamic risk based "safety case" to be any safer at all than any safety measures we've felt were safer that have come before.This isn't easy yet getting only part of this right is how we've gotten this completely wrong in the past. Partly right is completely wrong. Einstein said, "The modes of thought that brought on these problems will not solve them". Due diligence AND due process are required. Just due process isn't going to work and only due diligence isn't going to work as much as both of them together and yet in my book due diligence is more important than due process yet both are needed.

This is the due diligence that must be balanced with the dynamic risk based "safety case" to be any safer at all than any safety measures we've felt were safer that have come before.This isn't easy yet getting only part of

this right is how we've gotten this completely wrong in the past. Partly right is completely wrong. Einstein said, "The modes of thought that brought on these problems will not solve them".Due diligence AND due process are required. Just due process isn't going to work and only due diligence isn't going to work as much as both of them together.

Diligence is directly proportional to accountability. Adding accountability adds diligence. Due diligence and due process must be balanced together. Adding due process to everyone enables due diligence by everyone. Without due process even the most diligent will be unaware of the total risk of the system that consists of all of its components. With this being clear we must have due diligence and yet to have due diligence we must have due process and before anyone has an incentive to either due diligence or due process they must first be accountable to the worst possible consequence. Focus on “means testing” which in its most strict form is “means in escrow” or “means in insurance” and then due diligence and due process and that is the Mighty Triumvirate. A simple and close to home example of means testing and insurance is making sure that a moving company moving the contents of your household has the “means” to pay for the replacement of its entirety if the truck(s) is(are) stolen or burn in (a) fire(s). The difference between moving insurance is that catastrophic well containment events jeopardize 100s of lives which are worth more than the contents of each persons home and thousands of families that exist because of the invaded ecosystem that is having risk added to it in order to enrich a sole operatorship that may consist of several operators yet they will not share in the good consequences of profit with those same families that subsist in the ecosystem they invade with risk.

Vince: You don't need phased out you need due process & this is organizational failure not human failure. Heinrich’s Safety Triangle suffers from generality where specificity is vital and yet highlights the need to look at the precursors to consequences, probability & risk & that is vulnerability & exposure to hazards. Heinrich's triangle takes all of the incident information from the industry in every region with all of the myriad nuances & differences & rolls out the stats of number of incidents that lead to minor accidents, that lead to accidents, etc. This is not the level of diligence we are looking for yet it does show that there is a relationship between vulnerability (V) and exposure (E) (incidents) & consequences (C) (accidents) & probability (P) because we discussed 20 comments before about the exact formula C = E X HAZARD X V and how this relates to RISK = P(x) X C & the P(x) = P(E) + P (V). These are the details of risks that can only be assessed & measured with diligence & the bigger picture safety of well containment & its hazard & the V & E of each individual on

the overall team at the rig & the people living & surviving on the ecosystem this rig is adding risk to. In the case of the drilling & completion process safety the Vs & Es to hazards are beyond the capacity & capability of one individual & therefore each individual needs these vulnerabilities & exposures diligently gathered, assessed, monitored, summed & measured & then broadcast back to them because each individual is able to adapt to make the system resilient if each individual is given this risk information, & in fact in many industries the individual has the legal right to this risk information & the due process laws afford this to them.In other words its a complex function that needs diligence. As your pointing out that individual safety where you work has been using the "safety case" the well containment hazard & MAE can benefit from this as well yet to the degree that the details are diligently assessed according to vulnerabilities and exposures this safety case will either be useful or simply distracting & adding to complacency by giving assurance where there should be alarm.The new BSEE rules enforce recognition of worst case consequences & this is definite improvement. The well design must withstand shut in or cap and flow of this worst case discharge & yet the Macondo well did withstand that & it wasn't the problem because the problem was that the vulnerabilities and the exposures to the hazard were not summed, assessed and broadcast back to the various teams that would have added heightened awareness and more diligent scrutiny to the tests, and procedures, etc. had they been. Enforcing recognition of worst case consequences is only the beginning & doesn't ensure diligence in operational awareness of dynamic risk levels unless the commercial risk is in jeopardy & the commercial managers thusly allocate the financial resources to make sure the operations team allocated a person(s) to gather all of the risk silos, sum them & broadcast them back. Privatized consequences is political and not guaranteed.If the regulator doesn’t study the “safety case” diligently to notice Walruses, Sea Lions, & Sea Otters in the GOM & balk, then who is to protect all of us from the lack of diligence or competence in the government? Yet if the regulator simply “means tests” the operator to pay all of the possible worst case scenario consequences, then even if the regulator cannot legislate nor enforce “good will” nor “honesty”, “intent”, nor “competence”, it takes to get the correct estimates of risk from the operator & proper handling of operations, it can simply transfer sufficient funds from escrow to clean up the mess and compensate the harmed & repair the damage. If the possible damage ever gets to the point that it cannot be repaired, isn’t that a “RED FLAG” to not permit the project?

An example of the subtle difference between the parameter that regulators must use in "safety case" regulating & the ones they use now is illustrated

with your comment Vince. You said, now the regulator asks the operator to: " • Show how you determined what is required to complete this safely. • Show me your procedure for xxx… • How did you learn this? • What do you do if it goes wrong? " This use of "safety case" is "mitigation based" & it must be "risk based" & even further detailed it must be "vulnerability & exposure based". The first bullet point: "• Show how you determined what is required to complete this safely." The definition of a mitigation is = 'what is required to complete this safely' Keeping track of mitigations is not "vulnerability & exposure & thus risk based" This won't work. The second bullet point: "• Show me your procedure for xxx…" Again, a procedure is only a mitigation & tracking mitigations communicates no useful dynamic parameter that only conveyance of risk based vulnerability & exposure does. The third bullet point: "• How did you learn this?" What? Are they simply trying to see if you had an accident? If the safety case was built around pre-drill diligence in identifying vulnerabilities & exposures that comprise risk this question becomes irrelevant & distracting. We are more interested in pre-cursors to incidents which are pre-cursors to accidents. The fourth bullet point: "• What do you do if it goes wrong?" This is simply suggesting we "pile" one mitigation on top of another mitigation & extreme mitigation based safety case which is not affective in the least to detecting pre-cursor signals (vulnerabilities & exposures) to incidents yet is treating the right side of the "bow tie" & is reactionary & not helpful in improving & adding robust innovations to our processes, yet is responsible for piling mitigations on top of mitigations, processes on top of processes & red tape on top of red tape. The victim is DUE PROCESS because the rig workers ARE NOT NOTIFIED OF THE UNDERLYING VULNERABILITIES AND EXPOSURES that the layer upon layer of mitigations is hiding. This is trying to keep the well from blowing out by piling swiss cheese on top of it. Keep in mind that this "mitigation based" "safety case" may work better for personal safety issues than process safety issues, they both are much better when they are "risk based" "safety cases" that monitor vulnerability & exposure levels rather than as a general comment on mitigations along a project activity timeline with no way to notice when vulnerabilities and exposures have overlapped at any moment in time during operations. All mitigations, in that case, could be judged as "100%" yet the vulnerabilities and exposures to hazards of every component in the system can unexpectedly overlap leading to unsafe levels even though the quality and quantity of mitigations is at "safety case" levels. An example of a "vulnerability and exposure based safety case" is the "yellow hat" that evolved because there were no mitigations better than "due process" given to all of the fellow workers of their exposure to this vulnerability. Each worker sees the "yellow hat" (due process) and creates a unique mitigation specific for the exact moment in time and the myriad of activities that could

be happening. Prescribing multiple on top of multiple mitigations is a recipe for prescriptive cognitive overload. This example holds true in the broader cases. We need due process afforded vulnerability and exposure based dynamic safety case regulating and the due diligence created by ensuring accountability by means testing operators to the cost of all of the worst possible consequences (well designs are now prescribed to mitigate). This protects the vulnerable and creates an automatic, dynamic mitigation that each individual is afforded in heightened awareness to the hazard.

PeterXPeter: Its okay to disregard my comments since they are basically in addressing prevention by measuring vulnerability and your comments are basically noticing incidents/accidents/failures/stresses, after the fact. In a proper safety program both sides of the "bow tie" are needed in the mix. One comment, however, mitigations based getting this data voluntarily is encouraged and even if that impossibility (to regulate with the incentivization of "gaming" or not disclosing numbers as status quo) is achieved, on an industry scale, its data that can be reacted to and not prevented; ie. symptoms and not the case; unawareness of high vulnerabilities and exposures. Sure do the mitigation side as well as the awareness side yet the mitigations must originate from the awareness afforded. Using the Swiss Cheese Model its my understanding that your focus is on what gets through the holes of the cheese and my focus is on the locations and size of the holes and interactions between the holes and the vulnerabilities, exposure and risk this creates. Mitigations follow metrics of the cumulative vulnerabilities. This is again mainly with well containment in mind which is what it is assumed process safety defines and not slips, trips and falls. Using unrelated indicators to suggest the level of vulnerability to well containment events is seen as wishful thinking as it is likely unrelated and again mitigating and not preventing. This isn't disparaging mitigation and yet is only continuing a balanced focus on a mix of prevention and mitigation concepts.

Vince: "Reducing the exposure to that risk." Should read, "reducing the exposure to that hazard". Subtle difference between hazard and risk. A hurricane is a hazard and yet one about to hit South Carolina isn't a risk to Houston. The nature of risk is your true question since you ask what is acceptable and unacceptable and we answered this awhile back. Ask a guy if it is okay that he will lose an arm yet be highly paid! Due process is informing him that he will be vulnerable to this hazard so he can either try another job or heighten his/her awareness and likely be safer because of it, yet unless a guy trips over a gold brick in the road he will likely have to add risk in exchange for a reward even if the only risk is wasting time. In terms of risk to others living in the area around our projects? The worst

possible consequence must be diligently and honestly assessed and if this consequence exceeds the capacity or capability of the operator to mitigate financially then the risk is too great because then further damage is spread to taxpayers in the form of socialization of risk. Also, if the worst case consequences to individual workers is beyond their willingness to accept then again...The key point is that the public and the individual workers have the right to the risk information and yet has the operator even thought of this information in regards to well containment or is it being measured diligently and how to enforce that is the topic we discuss here. There is no reward without risk unless you discover the La Brea tar pits on your land like Jed Clampett. We go to a spot on earth that we can drill through natural barriers to blowout and disaster and remove them. We add risk to every ecosystem we work in, usually we add risk where there originally was none. That is the oil business in safety terms. That is likely every business in safety terms. We are mitigators of the very risk we create and yet my duty is to point out that we must broadcast the status quo of our vulnerabilities as we ourselves change them and that the groups as a whole doesn't have the risk information that each individual has and the individual does not have the risk information of the system as a whole unless this is actively provided. First step is to realize it adds value.Peter: Weaknesses would be classified as a form of vulnerability that is exposed to some degree of stress being physical, mechanical, or chemical, and over some period of time and yes the "holes" in the "cheese" must be located, tracked, measured, summed and broadcast in order to add due process that gives the human preventative of heightened awareness necessary to design actions according to levels of vulnerability that is missing without these measures. Mitigations are not prescribed yet are designed dynamically by those involved that know exactly what they are doing and now have the information they need; knowledge of the key parameter of the system at every moment in time. This is like the "yellow hat". The government doesn't tell us step by step what to do around less experienced workers that expose us to their foibles yet gives us the risk information we need to deliberate over the proper mitigation at that moment considering our current activity and cognitive load. The "yellow hat" isn't the "hole in the cheese" the "yellow hat"'s situation in the context of the current activity in relation to each individual that is "entangled" with him/her, that is the "hole in the cheese". This treats the worker as a "situational attribute" and not a "fundamental attribute" or else the "yellow hat" is simply an invitation to mock the fellow instead of carefully observing the situations the "yellow hat" works and moves through.This same pattern of logic, intuition and due process and situation attributional focus holds for process safety and the vulnerability of the barrier in well containment as it does for personal safety as the "yellow hat" example.

Risk is when we know the range of possible consequences and probabilities of hazards occurring and uncertainty is when we don’t. Uncertainty is a lack of any of the components necessary to assess anything. Hazards are best defined, perhaps, by “stress, perturbation or uncertainty”. Vulnerability is thus exposure to hazards. Risk is the probability of the occurrence of a hazard x the coping systems vulnerability (resilience or lack thereof makes vulnerability a variable) x exposure to the hazard (as a function of coping systems) / resilience (internal risk of failure of the coping systems). This is a very complicated differential equation. The problem is that in the geomechanical model we make we experience all three and it becomes impossible to assess risk yet we can still project worst case consequences necessary to insure against socializing them and yet because we drill through moments of uncertain risk we must assess, measure, sum, and broadcast another parameter and that is vulnerability in order to factor in uncertainty without the lose of quality that risk suffers because of the lack of the probability variable during moments of uncertainty.

R = f(P,V,E,R) = ( P x V x E ) / R