Stockton Rush is dead: to begin with. There is no doubt whatever about that. He was killed in a spectacular implosion of the Titan submersible during a dive to the site of the wreck of the Titanic, on Father’s Day, 2023. This implosion is proof, beyond any reasonable rational doubt, that Stockton Rush’s engineering judgment was wrong.
[Note: I originally used the word “conceivable” instead of “reasonable,” but someone on LinkedIn made the point that sabotage is conceivable, and I agree that it is. The same commenter claims that the conceivability of sabotage means we must reserve judgment. Except by that logic we must also reserve judgment on the Hindenburg, the Vasa, or the Titanic itself. Maybe they all were caused by sabotage. We can’t be perfectly sure, right? In this case, I think judgment deferred is judgment evaded.]
This is relevant to us because if you are reading my blog you have an interest in the industry and culture of testing. We testers are often ridiculed or sneered at, patronized, or ignored, when we present evidence about risk. It has been reported that Rush fired a tester over a disagreement about risk and reasonable testing. There were lawsuits.
But he was wrong, and we know that not just because of the implosion, but also the circumstances surrounding it:
- The vessel was a one-of-a-kind prototype. (therefore: no comparable craft existed from which safety data could be obtained)
- The vessel had made no more than about 50 dives in its entire existence, and only five previous dives to the Titanic. (therefore: it was practically new, not old and worn out)
- The vessel was carrying civilian customers, including a 19-year old man who was not an engineer or even an engineering student. (therefore: people were on board who could not have been equipped to evaluate the engineering risks even under the best case scenario)
- Stockton Rush had been warned repeatedly by people in his own world. These warnings were rebuffed. (therefore: people who designed and used deep sea submersibles disagreed with him, not just random outsiders)
This vessel was not safe, and it was not even close to being safe. It was a bomb ready to detonate from its first dive. Although no one could have known for certain that it was as dangerous as it turned out to be, my point is that Rush’s claim that it was safe was at best an act of gross negligence, and at worst an act of fraud. Given that he perished in his own invention, I lean toward negligence caused by magical thinking.
Again, this is not just a feeling I have– we know that this is true. Titan is in pieces at the bottom of the ocean, because the ocean did crush it, because it was not strong enough to withstand the forces of the ocean and because its design did not permit any warning of failure. This was allowed to happen because its inventor falsely thought it was strong enough. He thought it was strong enough because he lacked evidence that it was weak. He lacked that evidence because he did not perform sufficient testing that might have given him that evidence. He didn’t perform that testing because it was expensive and time-consuming and because he falsely believed he had already mitigated the risks. He protected this false belief by systematically demeaning and dismissing qualified people who pointed out critical uncertainties.
He was wrong, now he’s gone. So what?
When knowledge is gained at the cost of peoples’ lives, it is moral and proper to share it wider and to learn it all the better for price paid. So, when I came across this post from Stockton Rush about the safety of Titan, I was moved to do write a post of my own in reply. With the cold objectivity of recent events in mind, some of the rhetorical tricks that he used are easier to answer.
The post addresses the questions of why the sub was not “classed,” which is to say certified.
Classing may be effective at filtering out unsatisfactory designers and builders, but the established standards do little to weed out subpar vessel operators – because classing agencies only focus on validating the physical vessel.
This is a non sequitur; a straw man fallacy. Yes, testing and certifying a physical vessel is not a guarantee against all forms of safety problems. But no one says that it is. What classing does is two-fold: it is a testing process meant to uncover safety problems of certain important kinds; and it is a form of social insurance that protects a company against accusations of gross negligence or reckless disregard for human life.
They do not ensure that operators adhere to proper operating procedures and decision-making processes – two areas that are much more important for mitigating risks at sea.
Perhaps that is true. But there is a very specific and important failure mode that has almost nothing to do with procedures and decision-making processes: the catastrophic and instantaneous implosion of a pressure hull at extreme depths. It is just that failure mode which is addressed by certifying the hull of a sub for the kinds of depths you want to explore.
The vast majority of marine (and aviation) accidents are a result of operator error, not mechanical failure. As a result, simply focusing on classing the vessel does not address the operational risks. Maintaining high-level operational safety requires constant, committed effort and a focused corporate culture – two things that OceanGate takes very seriously and that are not assessed during classification.
This is the fallacy of false choice. It’s not a matter of choosing whether to have a constant committed effort to safety OR to get your unique hull properly tested. Do both!
When OceanGate was founded the goal was to pursue the highest reasonable level of innovation in the design and operation of manned submersibles. By definition, innovation is outside of an already accepted system. However, this does not mean that OceanGate does meet standards where they apply, but it does mean that innovation often falls outside of the existing industry paradigm.
Stockton is engaging in the fallacy of equivocation, here. That’s when you change the meaning of key terms in the middle of your argument. First, he uses term innovation and claims that it means going outside an already accepted system. This is easy to agree with. To innovate is to do something new, and if it is new, then it can’t have been accepted yet, right? Yes, technically, that’s true. But then he applies that to safety standards, and implies that if we like innovation, we must therefore suspend safety standards because they don’t mean anything (i.e. “outside of the…paradigm”).
If we agree that innovation means doing something new, does that require us to agree that established safety standards and practices don’t apply? No! It means that people who innovate in the area of life-critical systems have an extra high burden of testing and analysis if they want their innovation to be accepted by society. If the existing standards don’t apply, then you must invest in new and better standards. You can’t just flout the whole process! Well, of course you can flout it, but you can’t call that reasonable engineering.
While classing agencies are willing to pursue the certification of new and innovative designs and ideas, they often have a multi-year approval cycle due to a lack of pre-existing standards, especially, for example, in the case of many of OceanGate’s innovations, such as carbon fiber pressure vessels and a real-time (RTM) hull health monitoring system. Bringing an outside entity up to speed on every innovation before it is put into real-world testing is anathema to rapid innovation.
This is all true. What it means is that rapid innovation in life critical systems might be possible in creating a prototype. But when it comes to bringing a safe product to market, you may have to go slow. That’s because there may be no comparable engineering data or relevant engineering experience that could make rapid certification possible.
One way around this is to dramatically over-engineer your product. The first iron bridges used a lot more iron than later ones (e.g. the Britannia Tubular Bridge). Stockton could have designed a sub to withstand 24,000 foot depths (twice as deep as Titanic lies), but that would have been incredibly bulky and expensive. The whole point of innovating was to create a large deep diving submersible for a price he could afford.
For example, Space X, Blue Origin and Virgin Galactic all rely on experienced inside experts to oversee the daily operations, testing, and validation versus bringing in outsiders who need to first be educated before being qualified to ‘validate’ any innovations.
Inside knowledge is important. But it comes along with a loss of critical distance. Critical distance is the difference between two ways of thinking. Insiders tend to think alike. They share the same incentives. They bond against the pressures of the outside world. Extended close contact in a team is toxic to critical distance. And that means people who are supposed to be thinking about safety have a hard time making that case– their hearts aren’t in it, and their minds too readily accept the prevailing opinion.
If you want good testing, you must cultivate critical distance. You need outsiders for that. You need testers who work under a different incentive structure than the builders do. You need testers who are rewarded when they find trouble.
As an interim step in the path to classification, we are working with a premier classing agency to validate Titan’s dive test plan. A licensed marine surveyor will witness a successful dive to 4000 meters, inspect the vessel before and after the dive, and provide a Statement of Fact attesting to the completion of the dive test plan.
That’s it? That’s not enough testing! We know this for four reasons at least. One is that industry experts strongly objected to this, and urged the company to obtain proper certification, regardless of any other reason I may suggest. A second reason is that you must test beyond the depths that you intend to routinely operate. Engineering requires an added safety factor, especially when there is so much we don’t know about the behavior of the unique carbon-fiber hull. A third reason is that they should really test to the point of destruction if they want a hope of understanding the full dynamics of the hull. Finally, there is this reason: we know the implosion occurred despite the sub not even being near the depth for which it was built. It had already been deeper, some number of times (although not more than 50 times total, in its entire existence). Yet it imploded. This proves that the hull either always had a substantial probability of failing, even at shallower depths, or that it had been degraded by previous dives in ways that turned out to have been invisible.
In addition to designing and building an innovative carbon fiber hull, our team has also developed and incorporated many other elements and procedures into our operations to mitigate risks.
OceanGate’s submersibles are the only known vessels to use real-time (RTM) hull health monitoring. With this RTM system, we can determine if the hull is compromised well before situations become life-threatening, and safely return to the surface. This innovative safety system is not currently covered by any classing agency.
No other submersible currently utilizes real-time monitoring to monitor hull health during a dive. We want to know why. Classed subs are only required to undergo depth validation every three years, whereas our RTM system validates the integrity of the hull on each and every dive.
The efficacy of the RTM system had also not been tested! To fully test such a system, you have to bring the hull to a failure point and verify the monitoring system performs its job. They never did that, because we already know they never tested the hull to failure.
And the other thing we know is that the RTM system either failed to detect the weakening of the hull, or else the operators of the vessel didn’t pay attention to it.
Our risk assessment team looks at the entire expedition and completes a detailed, quantified risk assessment for each dive. The risk assessment takes into account 25 specific factors that can influence a dive outcome. Using that information, a dive plan is written to mitigate against these known risks. These risk factors include things like weather forecast, sea state, sub maintenance, crew fatigue, predicted currents, dive site experience, recent dive history, schedule expectations, crew experience, and more. In this assessment, the actual operational risks are almost always concentrated on the surface operations not the subsea performance of the submersible.
None of that mitigates the risk of implosion of an untested hull. This is like touting the safety deck chairs on the Titanic.
Meanwhile, the hull did implode.
One Good Way to Wake People Up To the Importance of Testing…
…is to die. Factory safety, fire codes, railway safety systems, aircraft safety, have all famously and grimly improved directly as a result of mass death.
We testers must collect stories of disasters, big and small, so we can wake our clients up to risks around us. We must tell these stories. The best ones for you will happen within your own company. Record them. Safety culture is one part folklore.
It wasn’t wrong to innovate. It was wrong to bring paying customers into an under-tested vessel without disclosing the full history of the safety debate, at the very least. It was wrong to throw up a smokescreen about innovation and total risk management as if that has anything to do with the unaddressed risk of sudden implosion.
There are always risks in life. That’s not the issue. The issue is willful ignorance and irresponsible behavior.