Fail-safe (from Merriam-Webster):
1: incorporating some feature for automatically counteracting the effect of an anticipated possible source of failure
2: being or relating to a safeguard that prevents continuing on a bombing mission according to a preconceived plan
3: having no chance of failure : infallibly problem-free
Unless you’ve been living in a cave or remote location for the past week, you’ve probably heard about the private deep sea submersible Titan that ferried wealthy patrons to see the Titanic wreckage, which has now been confirmed as destroyed. My thoughts are with the families as they process the grief of losing their loved ones. While my intention is not to speak ill of the dead, I do think this is a story about hubris and greed, companies that launch products prematurely despite public safety hazards, and the claimed tension between safety and innovation.
What happened?
On Sunday June 18th, OceanGate launched the Titan submersible for its first dive of the season to the Titanic wreck site. About an hour and forty-five minutes into the 10-hour voyage the surface crew lost contact with the Titan. There were numerous possibilities for what could have gone wrong from a communications malfunction to getting lost to destruction of the submersible. The clock was ticking as the vessel only had a 96-hour reserve oxygen supply. Hoping that the people onboard were still alive, OceanGate, the Coast Guard, and an array of international naval organizations began a frantic search and rescue operation.
On Thursday June 22nd, the worst fears were confirmed: the US Coast Guard found a debris field with five fragments of the submersible less than 500 meters from the Titanic. All five people onboard were killed (likely instantly), including OceanGate CEO Stockton Rush, British explorer Hamish Harding, British-Pakistani businessman Shahzada Dawood and his 19-year-old son Suleman, and Titanic expert Paul-Henri Nargeolet.
At a press conference, Coast Guard Rear Admiral Mauger explained:
“The debris is consistent with the catastrophic loss of the pressure chamber…upon this determination, we immediately notified the families on behalf of the United States Coast Guard and the entire unified command… I can only imagine what this has been like for them. And I hope that this discovery provides some solace during this difficult time.”
As the day wore on, news stories with additional details trickled out. The US Navy had detected sounds consistent with an explosion or implosion around the time communication was lost Sunday. However, without conclusive proof that is what happened they initiated a search operation until proven otherwise. Previous Titan voyagers provided details about questionable aspects of their trips to the press. Filmmaker and oceanographer James Cameron was interviewed on countless cable TV shows.
The conversation quickly shifted from grief to blame.
How did this happen? Could it have been avoided?
What went wrong?
Much has been made about how risky and dangerous exploring at the depths of the Titanic can be, and it is. But it has actually been visited successfully many times without incident. James Cameron has been down 33 times himself. The explorer Victor Vescovo has gone even further, having completed the “Five Deeps” challenge, descending to the lowest point of every ocean, including the Mariana Trench. So it is clearly possible to visit this depth of the ocean safely. It is all but certain the Titan tragedy stems directly from engineering design and manufacturing choices by Rush and OceanGate.
“We have submarines all over the world diving 12,000 to 20,000 feet every day of the year for research. We know very well how to build and how to design these machines and how to operate them safely.”
— Will Kohnen, chair of the Marine Technology Society's Submarine Committee; NPR interview
To be clear: I am not an engineer or an expert in deep sea exploration, although as a certified scuba diver I have some basic understanding of the physics of gas and water compression at depth. The technical details that follow are a synthesis of my reading of what actual experts have said about the likely failure points of the Titan.
Numerous design flaws in the Titan have been discussed. Some, like the fact that it was driven by a Logitech video game controller, are likely red herrings, as even the US Navy uses Xbox 360 controllers for their submarines (although my personal experience with Logitech wireless devices is poor battery life, flaky pairing, and overall poor quality). Others, like the fact that the viewing porthole was only rated to 1,300 meters—less than half of the 4,000 meter depth of the Titanic—may indeed have been plausible points of failure. But the most likely cause of the disaster is the unconventional hull shape and material: a carbon fiber tube.
Let’s talk about carbon fiber
First, a bit of background about oceanic water pressure: before scuba divers even jump in the pool for training they learn in their coursework that water pressure increases by one atmosphere every 10 meters you descend. That means at 4,000m where the Titanic wreckage sits the pressure is 400 times the air pressure at sea level, or roughly 6,000 psi. Resisting this mammoth pressure is the principal engineering challenge in designing any undersea vehicle.
While Rush actually did have some engineering experience (unlike some of the characters I’ll discuss below), it was in the aeronautical sector. There are likely some similarities between aerospace and underwater vehicle design principles, but a major difference is the use of carbon fiber. Aerospace manufacturing makes frequent use of carbon fiber because it is ultra lightweight, low-cost, and very strong…in tension, that is, against the force of pulling apart or expanding outward. However, carbon fiber is exceptionally poor at resisting compression, which is the critical factor in deep sea exploration. Worsening this flaw is the fact that any slight disruption in the alignment of fibers within the material can drastically reduce its strength.
OceanGate itself noted that earlier iterations of their carbon fiber submersibles had hulls that showed evidence of “cyclic fatigue,” meaning degradations caused by repeated pressure changes over multiple trips. Passengers on previous voyages noted “cracking” sounds during descent. OceanGate’s own internal Director of Maritime Operations David Lochridge was concerned about this and demanded non-destructive tests to evaluate the integrity of these hulls, although these are difficult and expensive to perform. His requests were denied, and he was subsequently terminated and then sued.
One of the strategies OceanGate claimed would mitigate the risk of their novel hull material failing was an acoustic-based warning system that would sound before compromise and allow the pilot to drop weight ballasts and ascend. The problem with this is the insanely high pressure we discussed earlier—at 6,000 psi any microscopic defect would lead to rapid loss of structural integrity. Indeed, Lochridge estimated it might go off only milliseconds before an implosion.
Cutting corners
Why did Rush use this novel carbon fiber and oblong tube design for his submersible in the first place? Virtually all submersibles currently certified for use are sphere-shaped (much better at resisting pressure) and made of solid metal hulls (usually stainless steel or titanium) rather than composite materials. However, these only allow 1-2 people (occasionally up to 3) on board, rather than a half-dozen paying customers. Furthermore, these are already heavy vessels that require large, fuel-intensive ships and cranes to move, and making even larger vessels would probably be cost-prohibitive for a private tourism company. It is clear that Rush was at least as much inspired by his desire to cut costs and build a commercially viable service as by any desire to push the field farther.
The shortcuts didn’t stop there. Ballast weights were reportedly rusty scrap metal. He removed capture hooks from the outside of the vessel, a choice that would all but preclude a rescue mission. Rush even took out the voice communication system and relied solely on chat texts because he reportedly did not like being interrupted with constant check-ins from the surface.
There is a saying in the scuba community, often attributed to Navy SEALs, that “two is one, and one is none.” The idea is that in any dangerous situation there must be multiple fail-safe backups and contingencies. This is why there is a secondary air supply regulator in addition to the primary: both in case the primary fails for the diver themself, and in case a fellow diver has an out-of-air emergency. Divers are taught to plan conservatively and to begin surfacing with around 1/3 of the air left in their tank in case of unforeseen delays or complications. Scuba equipment owned by dive shops and charters is subject to extensive regulations and must be periodically checked (obviously, you can own your own gear and choose to flout these rules if you have a death wish). Some seasoned divers even still wear mechanical watches as a backup to their digital dive computer in case it fails underwater.
In the end, this was a foreseeable disaster. Stockton Rush used a novel design and refused to have it properly tested and certified. His vessel lacked any reliable fail-safe mechanisms for hull compromise. And he ignored experts in the field who pleaded with him to change course. Like the Chernobyl incident from thirty years ago, penny-pinching in all the wrong places led to disaster:
Breaking the rules
“I'd like to be remembered as an innovator. I think it was General MacArthur who said, ‘You're remembered for the rules you break,’” Rush said. “And I've broken some rules to make this. I think I've broken them with logic and good engineering behind me.”
— Stockton Rush
The Titan catastrophe is far from an isolated case of a rogue start-up founder entering an unfamiliar space and throwing caution to the wind in the name of innovation and progress. Think of Elon Musk releasing Full Self-Driving (FSD) mode into production Teslas, despite problematic behavior like hitting parked cars and erratic turns or acceleration. This is actually a strong parallel to OceanGate as Stockton Rush himself described his company as “SpaceX for the ocean.” For years Elon cited statistics that cars using his autopilot feature were safer than manual human drivers. However, those numbers have come under fire as non-representative and misleading at best. Reports of fatal and non-fatal accidents involving Teslas have piled up and regulators are starting to demand answers from the company.
Then there’s the example of Elizabeth Holmes and her Theranos blood testing device that defied principles of microfluidics and laboratory chemistry, and was soon proven to be faulty (if not an outright fraud). Stanford medical school professor Dr. Phyllis Gardner explained to Holmes why her device wouldn’t work and tried to warn others, but it fell on deaf ears amidst the hype and billions in investment dollars. Even though Holmes was later convicted of fraud and sentenced to prison, she essentially only faced consequences for lying to her investors, not hurting patients who received inaccurate lab results.
We are seeing it again with companies rushing to push out AI products without appropriate guardrails, like large language model chatbots that recommend depressed patients kill themselves. Microsoft’s Bing chatbot was released early to compete with ChatGPT, yet it demonstrates unsettling behavior like suggesting that NYTimes tech journalist Kevin Roose leave his wife for the AI program. Medical start-ups are beginning to use AI in radiology applications despite lingering questions about their accuracy.
There are a number of common themes in these stories:
Refusal to disclose key aspects of how their technology works
Claiming that as outsiders they know more than experts in the field
Denying analysis that a specific technology is impossible, unsafe, or both
Insisting that their product cannot be assessed by current standards
Attacking critics and whistleblowers
Put more bluntly: cutting corners and bullshitting.
In some ways, this is the standard Silicon Valley playbook of fake it ’til you make it. Venture capitalist Reid Hoffman, who is the founder of LinkedIn and a fellow member of the ‘PayPal mafia’ like Elon, often says “If you are not embarrassed by the first version of your product, you've launched too late.” It’s certainly true that you can strive so hard for perfection that you infinitely delay a solid product. However, there has to be an understanding that products where public safety is on the line—like medical devices, vehicles, and software that controls peoples’ lives—are not the same as a social networking site or a payment company.
In an interview several years ago, Stockton Rush provided his view of innovation:
"You know, at some point, safety just is pure waste. I mean if you just want to be safe, don't get out of bed, don't get in your car, don't do anything. At some point, you're going to take some risk, and it really is a risk/reward question. I think I can do this just as safely by breaking the rules."
— Stockton Rush
The other view is that “many regulations are written in blood,” meaning many rules are in place only because of previous tragedies.
It is also a false choice to pit innovation against safety. We know that we can innovate safely! Insisting that cars have seatbelts and shatter-proof windshields did not slow down advancements in car engines or chassis. NASA launched astronauts into space 50 years ago with far less advanced technology than we have today, but they did it hand-in-hand with experts, incremental progress, and extensive safety testing. (The most infamous space disaster, the Challenger explosion, was notably due to a design flaw pointed out by an internal engineer who was ignored because of groupthink and denial.) More recently, we were able to create effective COVID-19 vaccines using totally novel mRNA technology very rapidly while still verifying they were safe through the established clinical trial approvals process.
It is up to all of us—from regulators to politicians, to lawyers and the scientific community, to us in the general public—to speak up and call bullshit when we see companies or individuals rushing ahead with questionable technology. This isn’t the first time a brash founder has put commercial interests ahead of the public, and I don’t think it will be the last. I can only hope we learn from the Titan and other failed businesses that harmed people before the next one arrives.
https://www.nytimes.com/2023/06/28/opinion/titanic-titan-oceangate-innovation.html
This Op-Ed, just published today in the NYT, expands on the theme of innovation vs. safety and discusses the history of public-private partnerships developing the first viable submersibles in the 1960s.
I enjoyed your article. One of the most ironic parallels I can think of is the sinking of the Titanic itself. Now, I’m not an engineer, but my understanding is that walls separating individual bulkheads of the “watertight” Titanic only extended a few feet above the water line, so that if the ship pitched forward, the water flowed freely from one compartment to the next. There’s also the obvious shortage of life boats and materials that did not perform well on a cold night at high speed, akin to the various shortcuts taken with this sub.