Like everyone else, I watched the news of the missing Titanic submarine with a mix of curiosity and horror. However, I also did so with a career of experience in designing and operating safe systems in dangerous environments. I don’t know a lot about submarines, but I do know a lot about safely designing pressure vessels. And a submarine is a pressure vessel.
I was inspired to write about this after watching an interview with my friend Brian O’Connor, son of Sandra Day O’Connor, the first female associate justice of the U.S. Supreme Court. Brian is an adventurer, and did his own dive to the Titanic wreckage some years ago. In the interview with a local TV station, Brian described his experience and some of the challenges the submarine’s passengers may face. You can see that interview at the link below.
I view this incident from the standpoint of someone who spent my career designing safe systems in the oil and gas industry. My comments here reflect that experience.
OceanGate CEO Stockton Rush, the co-owner of the submarine who was killed in the incident, once told a reporter that “at some point, safety is just pure waste.” There is actually some truth to that statement, but it can also be a very dangerous statement. Let me explain the difference.
There is a lot of science involved in designing safe systems. There are often known probabilities of catastrophic failures, and we weigh the consequences of those failures. Then, we make a determination whether to mitigate that risk.
Here is an example I sometimes use to illustrate that point. Let’s say you are designing a storage tank to hold a million gallons of gasoline in a refinery. You have to consider the kinds of things that could cause a catastrophic failure and fire to that tank. For example, lightning strike is a very real possibility. So, those tanks are grounded with this possibility in mind. That’s a reasonable mitigation against a catastrophic failure from a lightning strike.
But the tank could also be struck by a meteorite. However, the odds of this are very low, and the cost to try to mitigate against this would be astronomical. So, we mitigate against lightning strikes, but not the far more remote (but potentially more disastrous) consequences of a meteorite strike. This is what the OceanGate CEO probably meant when he said at some point safety is pure waste.
However, I have worked with people who might even view grounding a gasoline storage tank as pure waste. This is where that kind of thinking can be exceedingly dangerous. Spending a reasonable amount of money to protect against loss of life and property isn’t pure waste. It’s potentially saving lives.
A friend recently asked me if I could give some advice to his son, who is starting his career in process safety engineering. I told him to never forget that his role is critical, but will generally be underappreciated. He may save many lives in his career, and never even know it. That’s what should happen with a safe process design.
Safety always comes down to a cost/benefit analysis, but there can be very different viewpoints on whether the cost is worth the benefit. No company would spend a billion dollars to mitigate a potential one in a million chance of an incident that might kill one person.
But a company certainly better spend a million dollars to mitigate a potential one in a thousand chance that could kill 10 people. That’s what the cost/benefit analysis reflects. Failing to mitigate a potential incident with those odds and consequences could be construed as gross negligence.
Beyond the CEO’s general comment about safety being pure waste, there were some major red flags that have been reported about this submarine. The widely reported “off-the-shelf video game controller” doesn’t concern me nearly as much as the following two issues.
The big one that caught my attention was the pressure rating. As someone who has designed many pressure vessels, the pressure rating is critical. The viewport on the submarine was reportedly only built to a certified pressure of 1,300 meters, even though the submarine was intended to go down to 4,000 meters in depth. That’s the biggest red flag imaginable.
The CEO had been quoted as saying that life is about taking risks. It’s true that there is inherent risk in all aspects of our lives. But whereas you might escape harm if you fail to wear a seatbelt in your car, grossly exceeding a pressure rating is a surefire prescription for disaster. That’s like failing to wear your seatbelt while driving at high speeds in heavy traffic during a rainstorm. You are inviting disaster.
If I design a vessel to contain 450 pounds per square inch of pressure, and I try to raise the pressure to ten times that amount, I am being grossly negligent and will almost certainly cause a catastrophic failure (or, more likely trigger a relief valve if the vessel has been properly designed). When you grossly exceed design pressure, catastrophic failure can happen in an instant. If the reporting on the viewport is accurate, then the design pressure would have been grossly exceeded.
The other thing that triggered a red flag for me is that OceanGate reportedly had no intention of following DNV-GL (now just “DNV”) class rules. DNV is a Norwegian foundation that certifies all kinds of equipment. They are considered the gold standard for marine equipment.
I successfully went through DNV certification for a hydrogen production system I helped design for Proteum Energy. I also led the safety review for this design, and DNV was brought in to certify our work. They are very thorough, and they ensure that you have used the proper methodology and calculations on the design and all safety systems. This certification basically says “As far as we are able to determine, this is a safe system that reflects best design practices.”
Although certifications like this don’t provide ironclad protection against a catastrophic failure, you can at least be assured that there are no major design flaws that could lead to such a failure. This is the kind of certification that would ensure that a submarine designed to descend to 4,000 meters doesn’t have a viewport only designed to 1,300 meters.
Life certainly involves risk. But there’s a vast gulf between reasonable risk and recklessness. You will greatly enhance your chances of staying alive if you know the differences between the two.