The Chimera of Airline & Oil Drilling Industry Safety

At a Congressional hearing 15 June on the BP oil-drilling and ecological disaster in the Gulf of Mexico, a legislator declared that if the airline industry operated with the same sloppy standards as the oil industry – no functional blow out preventer, inadequate training of staff, failure of warning systems, history of less severe incidents where greater disaster was narrowly averted – no one would fly.

The lawmakers assailed the oil spill plans across the industry. Oil company executives representing Exxon Mobil, Chevron, ConocoPhillips, Shell Oil and BP looked on meekly as Congressmen charged their disaster response plans looked suspiciously alike, including references to nonexistent walruses in the Gulf of Mexico and a marine science expert who’d been dead for four years.


The airline industry was held up as a model for the oil industry to emulate when it comes to safety.


One doubts many passengers (or Congressmen) are aware of the airline practice of operating an airplane for days with key safety equipment inoperative. Under the minimum equipment list (MEL), a weather radar, for example, can be inoperative for up to ten days and the airplane may still fly. For just about any safety system on the airplane, there is a grace period between when a system fails and when it must be repaired.

Worse, there is no upper limit on how many airplane systems can be inoperative under MEL and the airplane can still be dispatched for a passenger carrying flight. To put it rather technically, the set of all MEL outages is not enough to cancel a flight and get the airplane in for repairs.

A hearing with top airline executives to explore why the MEL was different for the same model airplane in service with two different airlines would be an interesting exercise in squirming and evasiveness.

The public’s enthusiasm to fly might be jolted by the obfuscations and self-serving rationales offered up by airline executives as to why maintenance procedures vary by airline.

The absence of key safety systems in the Deepwater Horizon blowout is similar to the MEL situation. The drillers were in a hurry (time pressure akin to schedule pressure in the airlines) so the decision was made to rush ahead without key safety systems (the equivalent of MEL).

One of these days, 80%-90% of MEL-excused items will combine into an airliner catastrophe.

It would be interesting to see the number of passengers refusing to fly if a green light/red light display were mounted on the cockpit bulkhead facing the boarding area in the cabin. The display would indicate the status of each MEL item, green for fully functional and red for inoperative. Imagine such a board with ten items, six of which have green lights on, four of which have red lights. How many passengers would continue to their seats? How many would raise questions? How many would turn around and get off the airplane?

Nor are passengers aware of the months or even years allowed under Federal Aviation Agency (FAA) practices to correct what are called “unsafe conditions,” which go far beyond MEL items. Under the airworthiness directive (AD) system, mandatory corrective action must be taken. ADs cover everything from faulty checklist procedures to potential fuel vapor ignition sources, to windshield heater problems, to cracked engine parts, or anything else on the airplane where the FAA has determined that the problem poses an intolerable risk to the flying public. But the ADs are generous in the extreme in allowing airliners to operate with extant problems awaiting repair.

If the Minerals Management Service (MMS) has an equivalent to the AD process (doubtful, given its reputation for collusive coziness with the oil industry it “regulates”), compliance time may be as scandalously generous as that allowed by the FAA.

From the MEL the congressmen could look at maintenance, and ask why inspection and lubrication intervals were different for the same airplane at two carriers. Each airline has its maintenance program separately approved and inspected by the FAA. Recall the lubrication intervals approved for the elevator jackscrew on Alaska Airlines MD-80s, which meant the airplanes went years between lubrications. The crash of Alaska Flight 261 in January 2001 was the direct result of the failure to lubricate the jackscrew, which stripped its threads and failed. Subsequent inspection of other airlines’ MD-80 lubrication indicated that the largest fleet operator of MD-80s, American Airlines, had rigorous lubrication schedules and procedures. American’s jackscrews were found to be in “like new” condition. But in the industry overall, the belated jackscrew maintenance inspections revealed that practices varied widely.

The “best practices” of one operator were not emulated by all. The FAA doctrine of “one level of safety” was compromised – a fiction, really – from the outset.

Similarly, the executives appearing before the House Energy and Commerce Committee hearing all outlined differing safety standards for oil drilling.

In neither the airline industry nor the oil drilling industry are “best practices” adopted for application by all operators. Anarchy prevails, abetted by the government’s lax regulators.

The situation is worse for the oil drilling industry given the consequences. The FAA’s slack practices might result in an airliner or two crashing, but when the MMS fails to enforce regulations, the consequence is not only the 11 lives lost when the rig blew up, but hundreds of miles of coastland pollution, thousands of wildlife killed, and the deleterious effects of oil contamination persisting for decades.

A comment at “The Oil Drum” website (www.theoildrum.com/node/6543) specifically compares the oil drilling and airline industries:

“A cursory study of reports generated after the 1977 Ixtoc disaster, along with incident reports like the ones above, leads me to believe that offshore drilling will always have a risk of catastrophic environmental failure. Saying otherwise is like saying commercial aviation aircraft will cease crashing to the ground tomorrow because we understand every possible failure and have the technology to counter every failure.

“The sad truth is the types of failures we face in offshore drilling are not completely understood. The list is certainly lengthy, but it is not complete. Surprises will happen. Usually, they are controllable and adjustments can be made in the future to compensate for them. That still leaves us with the analogy of the airliner falling from the sky. A single unanticipated failure, or a combination of failures, may have no solution. All aboard the airliner will die. Likewise, the well will leak for months.”

In the airline industry, unpleasant surprises are minimized (not eliminated) by analysis of potentially fatal combinations. The process is called “failure modes effects analysis” (FMEA). In the airline industry, these analyses are supposed to demonstrate that the probability of catastrophe is one in a billion. Virtually no airplanes in service live up to this standard, but one in 100 million has been demonstrated. Mechanical failure, human error, unforeseen environmental effects, and other real-world factors combine to yield a lower safety standard, but we start from a theoretical standard of one in a billion flight hours.

The oil drilling industry starts from a lower threshold: one in a million. When real world shortcomings reduce the standard further, the result is the history of lesser breaks, mechanical failures, and human confusion that preceded the Deepwater Horizon mega-blowout. That sad and scary history is fully documented at the website above.

The higher one in a billion standard might prompt the following to be examined:

The shear in the blowout preventer (BOP) is the last line of defense, physically cutting the drill pipe. It was not truly fail-safe. Just like critical flight controls feature two or three actuators, why weren’t there at least two functional shears? If one failed, the other would cut the riser. The comforting statistics caught up with the Deepwater Horizon, just like they did in the case of B737 rudder reversals, where a history of a hundred or more events finally culminated in a fatal crash. And that was with a one in a billion probability.

There are reports of low batteries (might not operate valves), questionable accumulator pressure (not sufficient to operate rams), and other alterations that were not fully documented. My bet is that when all mechanical failures are accounted for, the “on paper” risk of an uncontained blowout was not one in a million, but closer to one in a hundred or even one in ten.

Then there are contributing factors that should be familiar to airline industry accident investigators:

Inadequate training of staff for them to properly understand the risks of their actions. This observation applies not only to the oil drilling industry, but to the regional airline industry, where accidents have resulted from poorly trained pilots.

The corruption of data in one incident caused the drilling rig to get invalid information about where it should be, causing it to move. Recall the corrupted airspeed data on Air France Flight 447, resulting in the airplane flying too fast in the “coffin corner” of the maneuvering envelope, going out of control and crashing into the Atlantic. Added automation can increase safety, but not when the automation is fed bum data. The automation can then become a killer.

The failure of warning systems (lights, etc.) that aren’t noticed when things are working normally, but which can bite when something actually does go wrong.

It is readily apparent that the BP blow-out resulted from short cuts – from design to operations – with little pretense of any risk avoidance whatsoever. Similar short cuts and their disastrous consequences have been seen in the airline industry.

The risks need to be assessed against the one in a billion probability of cascading failure, based on incidents and operational experience – not rosy, comforting assumptions about mechanical and human reliability. This observation applies to both the airline industry and the offshore oil drilling enterprise.

And the “best practices” identified at one operator need to be adopted by all operators. That’s where the federal regulators come in; they should force recalcitrant operators to adopt them or face termination of the federally issued operating license.

Former chairman Jim Hall of the National Transportation Safety Board was asked to comment on the lack of common “best practices” in both the airline and the offshore oil drilling industries. He offered a mouthful, but on close reading his comment is eminently sensible:

“With the increased dependency on technology and the many inter-related systems, the Federal Government needs to move from a regulatory structure of minimum standards to a structure of ‘best practices’ policed by independent investigative bodies with a more robust role in defining the best practices.”

The FAA and the MMS are capable of realistically defining the one in a billion safety calculation, and they are in a position to define and require the best practices that can support the realization of good operational safety. Neither agency currently demands these things to minimize the risk of catastrophe.