Inside Quality Insider

Ben Marguglio  |  07/13/2010

Gulf Oil Spill: “Couldas,” “Shouldas”

Rules of engagement for the oil sector

What are the root and contributing causes of the accident in the Gulf? What could have and should have been done to prevent the accident? If the potential for the accident could not have been absolutely prevented, what could have and should have been done to mitigate the consequences of such an accident? And if actions were taken, why were they apparently not taken effectively? The nation deserves and still awaits answers to these questions.

Any enterprise that is engaged in activities with the potential for public and employee harm should be required to develop and implement quality and risk management systems to prevent events with intolerable effects. Such management systems would focus on analyzing the quality of hardware and process designs.

One such analytical system is failure mode and effects analysis (FMEA), which is particularly useful in analyzing the design quality of a hardware item—such as a blowout preventer. A short and simplistic description of the analytical method is as follows:

Each characteristic of the component is identified. For each characteristic, each mode of potential, credible failure is identified. For each credible mode of failure, the adverse effects of such failure are assessed. If any effect is intolerable, the design of the characteristic must be changed to eliminate the credible failure mode. If the design can’t be changed to eliminate the credible failure mode, something must be established to mitigate the effect of the failure—preferably something in the design, rather than in an operational procedure. (Care must be taken to identify credible failure modes that can exist due to the interaction of two or more characteristics in given states.)

Another such analytical system is hazard-barrier-effects analysis, which is particularly useful in analyzing the quality of a process design—such as the process for positioning and installing a blowout preventer. Again, a brief and simplistic description of the analytical method is as follows:

Each task in the process is identified in sequence. For each task, each of the “six Ms”—man, machine, material, method, measurement, and mother-nature (or man-made environment)—that may be operative in the task is identified. Any hazard related to each M is identified, and its potentially adverse effect is assessed. For intolerable effects, the process design must be changed to eliminate the potential hazard. If the hazard cannot be eliminated, multiple barriers must be established to prevent the human error that could activate the hazard, as well as multiple barriers to mitigate the hazard’s intolerable effects. (I don’t want to get too technical but again, care must be taken to identify hazards that can arise from the interaction of Ms.)

Another powerful analytical system is probabilistic risk analysis or probabilistic safety analysis. This analytical system is used to determine the ultimate effects or outcomes, called “end states,” and the probability of each, given some undesired initiating occurrence. For example, given the loss of the primary power source on a drilling rig, what are the possible outcomes or end states, and what is the probability of each? To answer such questions, event trees and fault trees are used. The event tree shows the hardware systems that would come into play to respond to the undesired initiating occurrence; based on the success or failure of each responding hardware system, an end state is reached. Each path from the initiating occurrence through the responding hardware systems, with the successful or failed response of each, to an end state is called a “sequence.” Each sequence leads to exactly one end state. A fault tree is then used to determine the probability of success or failure of each responding hardware system. Given those probabilities, the probability of each end state can be determined. If an undesired end state has an unacceptably high probability, the design must be changed to lower the probability of that end state to an acceptable level. Are death and oil-spill end states with probabilities of greater than one in a million per year acceptable?
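The event-tree and fault-tree calculation described above, as an added worked example that is not part of the original article: the initiating occurrence is the loss of primary power mentioned in the text, while the responding systems, basic events, cut sets and every probability are constructed, hypothetical assumptions chosen only to show the arithmetic and the one-in-a-million-per-year screening.

```python
from itertools import product
# All numbers are constructed, hypothetical values, not data from the article or any real rig.
BASIC_EVENTS = {                     # per-demand failure probabilities
    "generator_fails_to_start": 1e-2,
    "fuel_supply_lost": 5e-2,
    "battery_depleted": 2e-2,
    "shear_ram_fails": 1e-3,
    "control_pod_a_fails": 3e-2,
    "control_pod_b_fails": 3e-2,
}
# Fault tree per responding system as minimal cut sets: it fails if every event in ANY cut set occurs.
FAULT_TREES = {
    "backup_power": [["generator_fails_to_start"], ["fuel_supply_lost", "battery_depleted"]],
    "well_control": [["shear_ram_fails"], ["control_pod_a_fails", "control_pod_b_fails"]],
}
INITIATOR_FREQ = 0.1                  # hypothetical: loss of primary power, per rig-year
RESPONDERS = ["backup_power", "well_control"]   # event-tree order
INTOLERABLE = {"blowout"}                       # end states that must stay rare

def fault_tree_probability(system):
    """P(system fails) from its cut sets; exact when the cut sets share no basic events."""
    p_no_cut = 1.0
    for cut_set in FAULT_TREES[system]:
        p_cut = 1.0
        for event in cut_set:          # AND gate: every event in the cut set occurs
            p_cut *= BASIC_EVENTS[event]
        p_no_cut *= 1.0 - p_cut        # OR gate: the system survives only if no cut set occurs
    return 1.0 - p_no_cut

def end_state(outcome):
    """Map one sequence (True = responder succeeded) to its end state."""
    if outcome["backup_power"]:
        return "safe_shutdown"         # well control is never challenged on this branch
    return "controlled_shut_in" if outcome["well_control"] else "blowout"

def end_state_frequencies():
    """Walk every event-tree sequence; return the yearly frequency of each end state."""
    p_fail = {s: fault_tree_probability(s) for s in RESPONDERS}
    totals = {}
    for branch in product([True, False], repeat=len(RESPONDERS)):
        outcome = dict(zip(RESPONDERS, branch))
        p_seq = INITIATOR_FREQ
        for s, ok in outcome.items():  # multiply branch probabilities along the sequence
            p_seq *= (1.0 - p_fail[s]) if ok else p_fail[s]
        totals[end_state(outcome)] = totals.get(end_state(outcome), 0.0) + p_seq
    return totals

def unacceptable_end_states(threshold=1e-6):
    """Intolerable end states whose yearly frequency exceeds the acceptance threshold."""
    return {s: f for s, f in end_state_frequencies().items() if s in INTOLERABLE and f > threshold}
```

With these hypothetical inputs the blowout end state lands at roughly 2.1e-6 per year, above the one-in-a-million screen, which is the signal that the design (an extra barrier, or a more reliable one) must change before the sequence is accepted.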

Of course, in addition to management systems to ensure quality of design, there must be management systems to ensure quality of conformance to design.

Do oil companies have people who are qualified to establish and implement such quality and risk management systems, and are they voluntarily implementing such systems? If so, one must ask if they are being implemented with logic, rigor, and consistency. Res ipsa loquitur—“the thing speaks for itself.” In this case, do repeated events speak for themselves? When decision makers fail to recognize the need for such management systems (a knowledge-based error), or when they implement faulty management systems (a cognition-based error), or when they recognize the need but choose not to satisfy the need (a value-based error), they are making human errors. We must recognize that human error (e.g., reflexive-based error, condition-based error, skill-based error, and lapse-based error) extends upstream of the point at which the process was last touched—upstream of the point of the initiating error that occurs on the shop floor, in the field, or on the sea.

As certainly as it is not government’s role to engage in the oil business, it is government’s role to establish the rules of engagement. The government has failed to establish adequate rules of engagement in the oil sector—particularly with regard to rules for implementing quality and risk management systems with an emphasis on hardware and process design analyses.

The congressional committee addressing the oil industry regulatory issues would do well to invite expert testimony on this subject.

To listen to an audiocast that further explores this article topic, visit ASQ Weekly Audiocast: Ben Marguglio on BP Oil Spill.

About The Author

Ben Marguglio

B. W. (Ben) Marguglio is a consultant and educator in human error prevention and root cause analysis and the author of the Human Error Prevention Bookinar (a seminar in a print book with slides and Marguglio’s presentation notes). For more information on the Bookinar, visit www.Bookinars.biz.

Formerly, as a corporate employee, Marguglio held positions as a division director and executive-level director. He is a fellow of the American Society for Quality (since 1974) and is certified by ASQ as a CQE, CRE, CMQ/OE, and CQA.

Comments

Hindsight

There is a fundamental question that has not been answered: Was the explosion and subsequent deaths and spill the result of common cause variation or special cause variation? More than likely, from a macroscopic view, it was common cause variation - built into the system. Perhaps, at a microscopic (local) level, special cause(s) occurred. We may never know. In either case, the witch hunt that is going on is inappropriate. Once the event occurred, the priorities should be: 1. STOP the leak, and 2. Minimize the damage already done. Both should be pursued at all costs. Unfortunately, our government has not taken this approach; after all "a good crisis should never go to waste (politically)"!
While history is strewn with oil disasters both accidental (Exxon Valdez) and purposeful (Saddam Hussein and the Gulf War), safety of oil rigs is probably at least a 6 Sigma process with less than 3.4 dpmo when one considers the number of oil rigs in the world's oceans and the number of years drilling has been occurring off-shore.
We could use the technique of the "5 Why's": Why are companies drilling in over a mile of water? Because environmental activists have caused regulations to push oil rigs farther and farther out to sea. Why? Because we don't want to have to look at oil rigs...ad infinitum.
Hindsight is always 20/20, and to suggest that FMEAs and other techniques should have been used to prevent this disaster is just another look in the rearview mirror. How many FMEAs could be performed per oil rig? 10? 100? 1000? Disasters are not predictable other than we know they are going to happen (Black Swan theory). All inanimate objects obey all laws of nature at all times. Humans do not. As long as we are dealing with human beings, mistakes (either by omission or commission) will be made and disasters will happen.
I know... Let's get together and brainstorm a cure for cancer!!!