Last spring and summer, while oil gushed into the Gulf of Mexico, much of the news coverage following the fatal explosion on the drilling rig Deepwater Horizon focused on the blowout preventer located a mile below the surface. As its name denotes, the device's function was to prevent exactly the kind of blowout that did occur. It did not work properly because some pipe from the runaway well was forced upwards into the preventer and jammed the mechanism.
Over a 25-year period, a pre-accident survey of about 15,000 other wells found that blowout preventers had to be activated in an emergency only 11 times. Unfortunately, in five of those cases the preventer failed, as it did in the Gulf. This 45 percent historical failure rate did not jibe with the 0.07 failure rate claimed during the government-mandated testing of blowout preventers.
Even as lax oversight and testing procedures were being called into question, the oil industry was using this low failure rate to argue for less frequent testing of the complex system of valves and rams that were the last line of defense against a blowout. It was estimated that reducing testing requirements could save oil companies almost $200 million per year.
A blowout preventer is also an expensive piece of equipment to maintain, with an estimated cost of $700 per minute incurred during the time that drilling had to be stopped while the device was disconnected, hauled to the surface, repaired, lowered back down, and reattached to the wellhead. The economics of the situation clearly argued against a conservative maintenance regimen and promoted a culture of risk-taking.
In the case of the oil company BP, whose Gulf operations were directed out of Houston, the culture that developed around deepwater drilling operations was not unlike that of another Houston-based technology. At the outset of the space shuttle program, the total-failure rate of shuttles was estimated by engineers to be 1 percent and by managers to be 0.001 percent. The Challenger accident proved the actual failure rate then to date to be 4 percent, and after the Columbia accident, it still stood at close to 2 percent. Repeated negative experiences with eroding O-rings and shedding insulation were not heeded as warnings. They were taken as signs of the robustness of the space vehicle and promoted a fault-tolerant culture that allowed for what has been called a "normalization of deviance."
Normalized deviance has also plagued the oil drilling industry, where at least some companies have allegedly let the financial bottom line dominate decision-making. Just as NASA managers were emboldened by two dozen successful shuttle flights before the accident with Challenger and, after the hiatus, another 87 successful missions before the disintegration of Columbia, so the low incidence of needing to call upon the blowout preventer in an emergency promoted a sense of bravado in the operation of offshore oil rigs.
Just reading Professor Petroski's post reminded me of watching those heart-wrenching images of oil gushing into the gulf, and I'm glad it did. Truth is, once disasters like the BP oil spill or Japan's Fukushima are behind us (or at least out of sight in the media), the general public tends to forget and move on, which lets the corporate conglomerates get away with the human failure that Petroski describes--the finger pointing and internal jockeying for where to place blame. Seems to me that dollars could have been well spent solving the mechanical problem--that is, redesigning or reengineering the blow-out preventer to operate more effectively no matter that it was a complex piece of machinery. Probably would have been far less painful to the bottom line than the PR and environmental recovery effort that befell them after the disaster.
Excellent analysis, and the Challenger example spotlights the psychological aspect of the "normalization of deviance" culture which works its way into the engineering mindset in situations where the failure rate has previously been so low that it's easy (easier) to coerce the engineers responsible for ensuring safety that things have been OK for so long, why should this time be any different. In any life situation, there's pressure to conform to the group, and that's exploited in situations such as those described here. That's why when the disastrous consequences come, they seem to be outliers, but in reality they're not and are to be expected.
It is interesting to draw parallels between the Space Shuttle and oil drilling. While deep water drilling is much more complex than most other drilling, the Shuttle is something altogether different and more complex. In the early days of rocket development, there were many failures. Then, expendables became very reliable, although there are still occasional failures. The thing that differentiates the Shuttle Program is that it involves manned flight and that it was an attempt to present space flight as a routine, repeatable activity like airline travel. It most decidedly is not. Between the high cost and high visibility of the program, failures are magnified. We accept far more danger when we drive a car.
More people died in the Deep Horizon accident than in the Challenger accident. In addition, there was significantly more environmental damage in the oil rig disaster than in the Shuttle accident.
Another excellent article by Professor Petroski. In a couple of other recent threads on this site there has been some discussion of groupthink, and the kind of treatment which engineers who challenge it can expect.
When I worked in quality, I often encountered the argument, "We've accepted this out-of-spec condition before and everything worked out ok, so we might as well accept it now." My response was always, "If you're playing Russian roulette and you pull the trigger and no bullet comes out, does that mean no bullet will come out the next time you pull the trigger?"
Excellent point, Dave. I should note that I spoke with Roger Boisjoly after the Challenger disaster. (He was the one engineer who resisted going ahead with the launch, and lost his job as a result.) I also attended the first Washington, D.C. hearing of the Rogers Committee. That's the group where the late physicist Richard Feynman famously dipped an o-ring in ice water to show how brittle it became. I could go on; it was a fascinating experience.
Nice article. Seems to me that if the blowout preventer's actual performance included a real-world 45 percent failure rate -- even while tests indicated a 0.07 percent failure rate -- this would be grounds to call a foul and look into whether the blowout preventer system was adequate protection against catastrophe. Is this an example of regulators asleep at the wheel?
Thanks for a great article. I agree with Rob, you'd think that it's the scarier real-world numbers that would be paid attention to, not what is supposedly the norm based on a few tests.
But the numbers also need to be related to actual people and actual harm, not thought about abstractly. If the statistical likelihood of something occurring is greater than zero and that occurrence has fatal results, then that risk is too high. For example, I once took a prescription medication for allergies that started getting bad press for fatal heart attacks. When discussing this with my doctor he said "but the risk is only 2%." Uh, right, but what if I'm in that 2%? No thanks.
The 45% failure rate is incredible and unacceptable, and I would think that the appropriate standards organizations could have a say in the future of blowout preventer systems designs.
The Columbia 'accident' may have been preventable; I think it was the book "Comm Check". Several engineers' / groups' concerns, if acted on, could have detected the damage.
The Challenger 'incident' was preventable. I think that was the book "The Challenger Launch Decision". The Shuttle operational limits were something like 40F to 99F. So when ice was observed on the vehicle, the engineers' recommendations against launch were well founded.
Before that was Apollo 1, when engineers argued against a 100% oxygen test, on top of many poor design features.
In each case, the advice of the engineers (experts) was ignored or over-ruled. I had much more respect for NASA before reading these books.
We all like perfection, but it is not achievable. So we developed methods to guess how close to perfection we are. These methods aren't perfect either.