It is easy in retrospect to say that the Deepwater Horizon accident did not have to happen. The design of the blowout preventer should arguably have anticipated that a difficult-to-control well might cause the well pipe to be propelled upwards and buckle and so present a far-from-ideal piping geometry for the so-called blind shear rams in the blowout preventer to deal with.
There evidently were warnings that the well being drilled was a difficult one to control, and there were reported irregularities in the condition and status of safety devices and warning systems on the rig. However, instead of these precursors of failure being heeded, they were ignored or accepted as business as usual. In the wake of the spill, BP, Transocean (the rig's owner-operator), and the contractor Halliburton argued among themselves about who was responsible for the accident.
The presence of the blowout preventer provided a sense of backup security, in that it presumably could be called upon to control the well should anything go drastically wrong on the rig. This proved to place unwarranted confidence in an unreliable piece of complex machinery. The relative liability of the companies involved in the drilling operation run amok will no doubt continue for some time to be argued among managers, lawyers, and regulators, and the final outcome is likely to be a financial settlement that will not get to the heart of the matter. What appears to be clear about the technical, economic, regulatory, and environmental tragedy is that the root cause of the Deepwater Horizon oil spill was at least as much a human problem as a mechanical one.
Just reading Professor Petroski's post reminded me of watching those heart-wrenching images of oil gushing into the gulf and I'm glad it did. Truth is, once disasters like the BP oil spill or Japan's Fukushima are behind us (or at least out of sight in the media), the general public tends to forget and move on, which lets the corporate conglomerates get away with the human failure that Petroski describes--the finger pointing and internal jockeying for where to place blame. Seems to me that dollars could have been well spent solving the mechanical problem--that is, redesigning or reengineering the blowout preventer to operate more effectively no matter that it was a complex piece of machinery. Probably would have been far less painful to the bottom line than the PR and environmental recovery effort that befell them after the disaster.
Excellent analysis, and the Challenger example spotlights the psychological aspect of the "normalization of deviance" culture which works its way into the engineering mindset in situations where the failure rate has previously been so low that it's easy (easier) to coerce the engineers responsible for ensuring safety that things have been OK for so long, why should this time be any different. In any life situation, there's pressure to conform to the group, and that's exploited in situations such as those described here. That's why when the disastrous consequences come, they seem to be outliers, but in reality they're not and are to be expected.
It is interesting to draw parallels between the Space Shuttle and oil drilling. While deep water drilling is much more complex than most other drilling, the Shuttle is something altogether different and more complex. In the early days of rocket development, there were many failures. Then, expendables became very reliable, although there are still occasional failures. The thing that differentiates the Shuttle Program is that it involves manned flight and that it was an attempt to present space flight as a routine, repeatable activity like airline travel. It most decidedly is not. Between the high cost and high visibility of the program, failures are magnified. We accept far more danger when we drive a car.
More people died in the Deepwater Horizon accident than in the Challenger accident. In addition, there was significantly more environmental damage in the oil rig disaster than in the Shuttle accident.
Another excellent article by Professor Petroski. In a couple of other recent threads on this site there has been some discussion of groupthink, and the kind of treatment which engineers who challenge it can expect.
When I worked in quality, I often encountered the argument, "We've accepted this out-of-spec condition before and everything worked out ok, so we might as well accept it now." My response was always, "If you're playing Russian roulette and you pull the trigger and no bullet comes out, does that mean no bullet will come out the next time you pull the trigger?"
Excellent point, Dave. I should note that I spoke with Roger Boisjoly after the Challenger disaster. (He was the one engineer who resisted going ahead with the launch, and lost his job as a result.) I also attended the first Washington, D.C. hearing of the Rogers Committee. That's the group where the late physicist Richard Feynman famously dipped an o-ring in ice water to show how brittle it became. I could go on; it was a fascinating experience.
Nice article. Seems to me that if the blowout preventer's actual performance included a real-world 45 percent failure rate -- even while tests indicated a 0.07 percent failure rate -- this would be grounds to call a foul and look into whether the blowout preventer system was adequate protection against catastrophe. Is this an example of regulators asleep at the wheel?
Thanks for a great article. I agree with Rob, you'd think that it's the scarier real-world numbers that would be paid attention to, not what is supposedly the norm based on a few tests.
But the numbers also need to be related to actual people and actual harm, not thought about abstractly. If the statistical likelihood of something occurring is greater than zero and that occurrence has fatal results, then that risk is too high. For example, I once took a prescription medication for allergies that started getting bad press for fatal heart attacks. When discussing this with my doctor he said "but the risk is only 2%." Uh, right, but what if I'm in that 2%? No thanks.
The 45% failure rate is incredible and unacceptable, and I would think that the appropriate standards organizations could have a say in the future of blowout preventer systems designs.
The Columbia 'accident' may have been preventable; I think it was the book "Comm Check". Several engineers' / groups' concerns, if acted on, could have detected the damage.
The Challenger 'incident' was preventable. I think that was the book "The Challenger Launch Decision". The Shuttle operational limits were something like 40F to 99F. So when ice was observed on the vehicle, the engineers' recommendations against launch were well founded.
Before that was Apollo 1, when engineers argued against a 100% oxygen test, on top of many poor design features.
In each case, the advice of the engineers (experts) was ignored or over-ruled. I had much more respect for NASA before reading these books.
We all like perfection, but it is not achievable. So we developed methods to guess how close to perfection we are. These methods aren't perfect either.