Gulf spill a reminder of the value of redundant safety systems

Cleanup and containment efforts continue at the Gulf of Mexico site of the oil spill following the Deepwater Horizon explosion.
By David A. Fahrenthold
Washington Post Staff Writer
Thursday, June 17, 2010

Airliners can lose one engine and keep flying. Nuclear power plants have two cooling systems, in case one fails. In an explosion, coal mines must allow miners two paths to escape.

So why didn't BP have a working Plan B?

From previous accidents, engineers have learned the value of duplicate, even triplicate, safety systems. The oil industry says it was following that maxim: By regulation, it installed giant machines called "blowout preventers" on drill pipes, with powerful bolts to close off a leaking pipe.

But at the Deepwater Horizon drilling rig, something went wrong. The backup plan failed.

Now, engineers say, the Gulf of Mexico spill has become another depressing test case in the value of redundancy. And, as the investigation unspools, it might be adding a corollary to the lesson: Having a Plan B that won't work might be more dangerous than having no plan at all.

"How can you go back and drill in deep water if you cannot tell the public that the probability of this happening again is almost zero?" said Paul Bommer, a lecturer in petroleum engineering at the University of Texas. "Whatever you thought you had [to prevent a disaster], you didn't have."

This week, former Environmental Protection Agency administrator William K. Reilly -- chosen by President Obama as co-chairman of a national commission investigating the spill -- said he wants to change the "safety culture" of the offshore drilling industry. He said that he wanted to start a safety organization similar to one that has focused on improvements at nuclear plants.

"Once that blowout occurred and got away from people, and the well couldn't be managed, it's difficult to imagine any" cleanup that could keep up, Reilly said in a telephone interview Wednesday.

The idea of safety through redundancy -- engineers also call it "resilience" or "defense-in-depth" -- is familiar to anyone who has walked past an airliner's cockpit. There are two seats in there, two pilots.

Other examples abound: The space shuttle has two ways of lowering its landing gear. Nuclear plants have several layers of containment between their cores and the outside world. Some cars with electronic acceleration have two systems for measuring how hard the driver pushes on the pedal: If they conflict, the car is supposed to stop accelerating.

Over the weekend, redundancy saved the historic battleship USS Texas, a tourist attraction outside Houston. A pump burned out, water leaked in and a backup pump system helped stop the 96-year-old ship from sinking.

"If you have a fire, you don't want to -- at that point -- start buying firetrucks and training people," said Yossi Sheffi, the director of MIT's Engineering Systems Division. Much of the time fire trucks and firefighters sit waiting, but he said that's the cost of being prepared.

© 2010 The Washington Post Company