Good Times, bad Times

The New York Times has a big article about the Deepwater Horizon, the failure of regulatory agencies to recognize and act on the hazards associated with offshore drilling, and—most interesting to me—the safety device known as the “blind shear ram” that was the last line of defense against a spill. When a newspaper covers an engineering matter, it’s usually hit and miss. In this case, there are hits, misses, and one curious omission.

First, the big hit. The “interactive graphic”—which is quite graphic, but isn’t interactive in the least—that accompanies the article seems really well done. I don’t know the details of the blind shear ram, but I’m familiar with similar hydraulic devices, and the drawings seem reasonably accurate.

Two large rams squeeze a set of pincers together, slicing and breaking through the walls of the pipe to close it off and prevent the pressurized oil below from escaping. If you’ve been trying without success to understand earlier verbal descriptions of the device, go to the graphics page and look at all the drawings and the animation. They should clear up the confusion.

The misses, though, are bothersome. First, a small mistake that seems to be the product of sloppiness. The Times says these devices are called blind shear rams “because they close off wells like a window blind.” This is nonsense. The action of a blind shear ram is nothing like that of a window blind. Window blinds rotate as you pull the control cord; there’s no rotation whatsoever in a blind shear ram.

I don’t have much experience with the oil industry, but I do with other industries that use piping, and the word “blind” is used to denote a dead end in a pipe—think “blind alley.” That’s exactly what the blind shear ram is supposed to do: create a dead end in the vertical pipe to prevent a blowout.

Now, I’m certain that the Times reporters didn’t make up this “window blind” thing on their own. They were probably told that the blind shear ram shuts off the flow of oil like a window blind shuts off the flow of sunlight into a room, and that’s why the word “blind” is in its name. But they screwed up the explanation, either because they didn’t care or because they don’t themselves understand how a window blind works.

A more important miss is in the title of the piece: “Regulators Failed to Address Risks in Oil Rig Fail-Safe Device.” The term “fail-safe” has a specific meaning, and it’s not a synonym for “backup” or “safety,” as the Times seems to think. A fail-safe design is one in which the expected failures leave the system in a safe state: when it stops working, it stops working safely. It’s not simply an add-on device that works to mitigate a failure; it’s a property of the system’s design as a whole.

George Westinghouse’s air brake system for railcars is the canonical fail-safe design in mechanical engineering. Most pneumatic systems are actuated by raising the pressure. Through a clever set of valves and accumulators, Westinghouse’s design turns this on its head, actuating the brakes by lowering the pressure. This was a brilliant design decision, because the most common and important failures in a pneumatic system are hose and tubing damage, valve and coupling leaks, and inadvertent line separations, all of which lead to lowered line pressure. Westinghouse’s genius was to get all of these failures to apply the brakes, shifting the system to a safe state.

Westinghouse’s brakes were a safety revolution in the railroad industry and made him an incredibly wealthy man. The basic idea is still used today, nearly 150 years later.

Compare the Westinghouse brake to the blind shear ram. If the blind shear ram loses pressure, the pincers won’t move and the pipe will not be blocked off. Instead of moving to a safe state, the system doesn’t move at all, and because the blind shear ram is the last line of defense, the rig is now in the “you’re fucked” state. Which is exactly what happened to the Deepwater Horizon.

To be sure, the main theme of the Times article is that the blind shear ram is an inadequately tested and unreliable system. But the article gives the impression that if only the blind shear ram had a more reliable shuttle valve, or a backup shuttle valve, or if there were an entire backup blind shear ram, the rig would have had a fail-safe device.

It wouldn’t.

Making those changes might have made the blind shear ram a more reliable piece of equipment, and it might have prevented this tragedy, but it wouldn’t have made it fail-safe. In using that terminology, the Times is succumbing to marketing from the oil industry.

And with regard to the blind shear ram’s reliability, there’s this passage, which many readers probably questioned and which should have been explained better.

The benefit of two shear rams was examined last year in a report to Transocean. It estimated that while a blowout preventer with a single blind shear ram was 99 percent reliable, having two shear rams increased that reliability to 99.32 percent.

A reliability increase from 99% to 99.32% doesn’t seem like much, given that you’re doubling the number of blind shear rams. There had to have been plenty of readers scratching their heads at that, wondering why the second blind shear ram doesn’t do a better job of increasing the reliability. The article doesn’t address this question at all, but we can.

First, recognize that, according to this study, the second blind shear ram would reduce the probability of failure of the system by 32%, from 100 in 10,000 to 68 in 10,000. Put this way, the second blind shear ram seems more valuable.

Still, the reduction in failure probability isn’t what we might expect from those old standbys of probability theory: flipping coins or tossing dice. For example, the chance of rolling a one with a single die is 1 in 6, or 16.67%. If we add a second die, the chance of both coming up one is 1 in 36, or just 2.78%. Why can’t we use the same multiplication rule when calculating the effect of a second blind shear ram? Why doesn’t it work out to 1 in 10,000, or 0.01%?

The answer is that, unlike coin tosses and dice rolls, the failures of two blind shear rams would not be statistically independent. The conditions that lead to failure in one ram can lead to failure in the other. This is especially true if the two rams are made to the same design or by the same manufacturer. An explosion, for example, that damages one of the hydraulic systems has a good chance of damaging the other. To get anything close to statistical independence, you’d need a completely different type of device as the backup to the blind shear ram, and even then any shared dependency (a common hydraulic supply, a common control line, the same crew operating both) would remain a common cause of failure for the pair.
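To put numbers on that, here is an added example (my own, not from the original post or from the Transocean report it quotes) that models a pair of rams with the “beta-factor” common-cause model used in reliability engineering: each ram’s failure probability p is split into a share β·p that takes out both rams at once and a share (1−β)·p that is independent. The 99% and 99.32% figures are the ones quoted above; the model itself, the fitted β, and the illustrative “diverse backup” values of β are assumptions I’ve introduced to show how much of the failure budget would have to be common-cause to explain so small an improvement. The same reasoning applies to layered security controls built from the same code base or bought from the same vendor.

```python
"""Common-cause (beta-factor) model of a redundant pair of shear rams.

Added example, not part of the original post or the report it quotes.
Only the 0.99 / 0.9932 reliabilities come from the post; the beta-factor
model and the sample beta values are assumptions used for illustration.
"""


def independent_pair_failure(p: float) -> float:
    """Dice-roll logic: the pair fails only if both rams fail independently."""
    return p * p


def beta_factor_pair_failure(p: float, beta: float) -> float:
    """Failure probability of a 1-out-of-2 pair under the beta-factor model.

    Each ram's failure probability p is split into a common-cause share
    (beta * p, which disables both rams at once) and an independent share
    ((1 - beta) * p). The pair fails if the common cause strikes, or if it
    does not strike and both rams then fail independently.
    """
    p_common = beta * p
    p_indep = (1.0 - beta) * p
    return p_common + (1.0 - p_common) * p_indep * p_indep


def fit_beta(p: float, pair_failure: float, tol: float = 1e-12) -> float:
    """Find the beta that reproduces an observed pair failure probability.

    beta_factor_pair_failure is monotonically increasing in beta, so a
    simple bisection on [0, 1] is enough.
    """
    lo, hi = 0.0, 1.0
    while hi - lo > tol:
        mid = (lo + hi) / 2.0
        if beta_factor_pair_failure(p, mid) < pair_failure:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2.0


def failures_prevented(p: float, beta: float) -> float:
    """Fraction of single-ram failures the second ram actually removes."""
    return 1.0 - beta_factor_pair_failure(p, beta) / p


if __name__ == "__main__":
    p_single = 1.0 - 0.99       # one blind shear ram: 99% reliable (from the post)
    pair_observed = 1.0 - 0.9932  # two rams: 99.32% reliable (from the post)

    print(f"independent pair would fail {independent_pair_failure(p_single):.6f}")
    beta_hat = fit_beta(p_single, pair_observed)
    print(f"beta needed to explain the quoted figure: {beta_hat:.3f}")

    # Assumed beta values for an identical backup versus increasingly
    # diverse backups; these are illustrative, not measured.
    for beta in (beta_hat, 0.30, 0.10, 0.01, 0.0):
        pf = beta_factor_pair_failure(p_single, beta)
        print(f"beta={beta:.3f}  pair fails {pf:.6f}  "
              f"reliability {1 - pf:.4%}  failures removed {failures_prevented(p_single, beta):.1%}")
```

Fitting β to the quoted numbers gives roughly 0.68: under this model about two thirds of a ram’s failure probability would have to be common to both rams for a second, identical ram to buy only 0.32 percentage points. The loop at the bottom shows what a more diverse backup would be worth: with β at 0.1 the pair’s failure probability drops by an order of magnitude, and only at β = 0 do you recover the 1-in-10,000 of the dice example.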

I know that by focusing on the misses and the omission, I’ve given an unfairly negative impression of the article. I don’t think it’s a bad article; I think it’s quite good, especially for a newspaper article written by and for non-experts.

But whenever I see mistakes on topics I know something about, I wonder if the article has even more mistakes on topics I know nothing about.