In 1986, the space shuttle Challenger exploded 73 seconds after liftoff. A lengthy investigation followed. It was known almost immediately that the cause of the disaster was the failure of an O-ring in a solid rocket booster. But it wasn't until the investigation was complete that the full scope and cause of the disaster were actually understood.
We can apply many of the same lessons of causation to understanding the Deepwater Horizon disaster in the Gulf of Mexico.
The technical details of the Challenger disaster come down to the complexities of aerospace engineering and materials design. But the overarching cause of the disaster was NASA's approach to managing risk within a complex environment.
From the Wikipedia entry:
The Rogers Commission found that NASA's organizational culture and decision-making processes had been a key contributing factor to the accident. NASA managers had known that contractor Morton Thiokol's design of the SRBs contained a potentially catastrophic flaw in the O-rings since 1977, but they failed to address it properly. They also disregarded warnings from engineers about the dangers of launching posed by the low temperatures of that morning and had failed to adequately report these technical concerns to their superiors.
The Rogers Report noted among its findings the risk management approach taken by NASA:
- NASA and Thiokol accepted escalating risk apparently because they "got away with it last time." As Commissioner Feynman observed, the decision making was:
"a kind of Russian roulette ...
[The Shuttle] flies [with O-ring erosion] and nothing happens. Then it is suggested, therefore, that the risk is no longer so high for the next flights. We can lower our standards a little bit because we got away with it last time.... You got away with it but it shouldn't be done over and over again like that."
...
- A careful analysis of the flight history of O-ring performance would have revealed the correlation of O-ring damage and low temperature. Neither NASA nor Thiokol carried out such an analysis; consequently, they were unprepared to properly evaluate the risks of launching the 51-L mission in conditions more extreme than they had encountered before.
Looking at the highlighted findings from the Challenger investigation, how can we say that BP did not use the exact same risk management approach on the Deepwater Horizon?
The issues with the Deepwater Horizon disaster are numerous:
- Non-existent or substandard testing of the wellhead seal.
- Failed batteries on the blowout preventer (BOP).
- Lack of remote control or acoustic trigger mechanism on the BOP.
- Incomplete testing of the BOP.
- Prior accident in which the BOP was damaged.
- Lack of comprehensive response plan for a blowout at the operating depths.
- Evidence of extraordinary gas pressures.
- Evidence of gas pressure and leakage shortly before the blowout.
... and there are many more.
Each one of these issues should have been a warning sign in an industry where failed controls usually mean catastrophic disaster and death (e.g., Piper Alpha). But BP took risks and "got away with it." And just like NASA before Challenger, they "got away with it" over and over again, which let them take on more and more risk. And when an extraordinary set of circumstances finally caught up with them, they were so far out on the proverbial limb that the magnitude of the disaster was compounded many times over.
How so? BP obtained its permit to drill based partly on the estimated likelihood of a spill and the rig's distance from shore. MMS and BP reasoned that undersea drilling did not entail extreme risks--after all, it had been going on for decades with precious few major incidents. Moreover, they reasoned that if there were a spill, the rig was so far from shore that the spill would not threaten the environment.
But what didn't occur to them was that a spill significant enough to reach the shoreline would be of such size as to devastate a much wider swath of the environment than a spill from a rig closer to shore.
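The flaw in that reasoning can be made concrete with a toy expected-impact calculation. All numbers below are invented for illustration, and `expected_shoreline_damage` is a hypothetical helper, not any regulator's model:

```python
# Toy numbers, purely illustrative of the reasoning flaw, not real data.
# Distance lowers the chance a spill reaches shore, but a spill that does
# reach shore from far out must be enormous -- so the damage, conditional
# on reaching shore, is far worse.

def expected_shoreline_damage(p_reach, damage_if_reached):
    """Hypothetical expected-impact figure: probability times impact."""
    return p_reach * damage_if_reached

near_rig = expected_shoreline_damage(p_reach=0.50, damage_if_reached=10)
far_rig = expected_shoreline_damage(p_reach=0.005, damage_if_reached=500)

# The headline expected figure favors the distant rig (2.5 < 5.0)...
# ...but the damage, given that a spill reaches shore, is 50x worse.
```

A single expected-value number hides exactly the tail scenario that matters: the permit reasoning looked at the first comparison and never at the second.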
And to be clear, the focus of poor risk management is not solely on BP. MMS and the EPA continued to let BP get away with its shoddy risk management practices. There was the pipeline spill in Prudhoe Bay, AK. There was the refinery explosion in Texas City. Each time, BP promised to increase safety. Each time, the EPA, MMS, and DoJ let the company off with minimal penalties. MMS, the EPA, and the DoJ aided and abetted BP's poor risk management by letting them "get away with it."
I work in risk management myself, so I know how difficult it can be to manage risk in a complex environment. Competing interests, probability tables, risk matrices, and even risk quantification all create an ambiguous mix within which to make critical decisions.
If we go down the rabbit hole of any particular issue with the Deepwater Horizon, there are failures in the individual risk management processes. Typically, in identifying a risk, the final assessment contains caveats or mitigating provisions relevant to the risk identified and the treatment prescribed. But compartmentalized risk assessments tend to shed those caveats and provisions when the risk is bubbled up to the larger risk management view. And because the overall risk (catastrophic failure and disaster) is a compilation of many smaller threads of risk management, it is rarely (if ever) understood in proper context. We could likely apply the same failed risk management pattern of BP and NASA to the White Star Line and the Titanic, or to the implosion of the real estate market in the last few years.
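That shedding of caveats is easy to picture in code. A minimal sketch follows; the `Assessment` structure and register entries are hypothetical, not drawn from any real risk framework:

```python
# Hypothetical sketch of how caveats get lost in roll-up.
from dataclasses import dataclass

@dataclass
class Assessment:
    risk: str
    rating: int    # 1 (low) .. 5 (catastrophic)
    caveats: list  # provisions the rating depends on

register = [
    Assessment("BOP failure", 2, ["assumes battery checks", "assumes full test"]),
    Assessment("Wellhead seal", 2, ["assumes seal testing performed"]),
    Assessment("Gas kick", 3, ["assumes pressure anomalies investigated"]),
]

# Naive roll-up: report only the worst numeric rating to management.
# Every caveat -- the conditions that made each rating valid -- is shed.
headline = max(a.rating for a in register)

# A roll-up that preserves context: the rating plus every assumption
# that must hold for that rating to remain valid.
contextual = (headline, [c for a in register for c in a.caveats])
```

The naive `headline` is what tends to travel upward; the list of assumptions in `contextual` is what decision-makers would actually need.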
But what gets me about this is not so much the risk management, or lack thereof. What gets me is that we have many, many disasters and catastrophes from which to learn. And almost all of them are the result of the same set of circumstances that brought us the Titanic and Challenger disasters and the seemingly endless economic crashes.
The lessons of disasters and their impact on risk management processes tend to be contained within a specific industry. The lessons of Titanic were applied to the ship-building industry and transoceanic navigation. The lessons of the Challenger disaster were applied to NASA's shuttle program. The lessons of financial meltdowns are rarely applied anywhere. We repeatedly fail to apply the larger lessons which are universal in scope. It is because of this that our focus on how to respond to the Deepwater Horizon disaster must also be universal.
The resulting reforms must not be limited to the oil and gas industry, the MMS, or the EPA. They must be applied universally, as overriding risk management principles. This is one of the primary reasons we have (or had) whistle-blower laws. No person or organization should be allowed to accept risk on its own when the impact will be shared by all of society. While BP's financial calculus may render a decision an acceptable risk, BP is in no position to perform that calculus for those who would be impacted by its poor risk management.