The OceanGate tragedy and why physics doesn't care about feelings


On 18 June 2023, the so-called Titan, a submersible operated by the company OceanGate and its CEO Stockton Rush, imploded while diving down to the Titanic shipwreck, killing all five individuals on board.

Following the tragedy the U.S. Coast Guard (CG) organized a series of public hearings with witnesses and experts, which revealed a variety of disturbing problems. Another investigation was conducted by the U.S. National Transportation Safety Board (NTSB), which recently published its final report focusing more on the technical aspects of the incident.

When I recently went down the OceanGate rabbit hole I realized that several factors contributing to the tragedy are related to the lack of sound engineering principles, which I previously mentioned in one of my blog posts and which help me build high-quality software. The OceanGate tragedy is a fresh reminder of why sound engineering principles are essential, especially when it comes to structures whose failure can cause death and destruction.

Trade-offs and the failure of the pressure vessel

OceanGate's CEO Stockton Rush, who studied aerospace engineering at Princeton University, was convinced that Titan's pressure hull, which is the most critical part of a submersible, should be made out of carbon-fiber composite – a material that played a significant role in the engineering process and the collapse of the vessel.

Generally speaking, carbon-fiber composite offers a variety of advantages, one of which is that it can provide high strength at a fraction of the density and weight. For submersible expeditions, this would imply cheaper and easier launches and recoveries from the support vessel. Also, a lighter pressure hull implies less dead weight to offset with syntactic foam or buoyancy materials, which allows more room for passengers, a lower necessary total water displacement and a better vehicle balance. Moreover, a carbon-fiber pressure vessel can be manufactured at lower costs compared to other materials used for submersibles, such as titanium or steel.

However, these advantages come with significant trade-offs. In order to understand these trade-offs, an important concept is the difference between tension and compression, which explains why carbon-fiber became the standard material in aviation and aerospace, but struggles in deep-diving submersibles.

A structure can be loaded in two opposite ways: tension, which pulls material apart and compression, which squeezes material inward. The pressure hull of an airplane is pressurized inside, which means that the cabin air pushes outward and stretches the hull. In aviation, carbon-fiber is a great material not only because it is very light, but also because fibers are extremely strong in tension.

In submersibles, however, the situation is reversed. At depth, water pressure pushes inward from all directions, which squeezes the hull and creates compressive stresses. And the pressure at the depth of the Titanic is extreme. While at sea level the atmospheric pressure is 14.7 pounds per square inch, at the depth of the Titanic water pressure is about 5,554.5 pounds per square inch.

Under these conditions fibers can micro-buckle, layers can delaminate and the resin matrix can crack. What makes things worse is that hidden damage in carbon-fiber composites can grow with every single dive, resulting in a limited life cycle of the pressure hull.

Metals are isotropic, which means that they have similar properties in all directions. By contrast, carbon-fiber, which is anisotropic, is strong along fiber directions but weak across them. For these reasons, submersibles tend to use steel or titanium as the standard material for their pressure hulls, which perform better under compression.

Another important difference between carbon-fiber and metals is that titanium and steel are ductile, which means that they bend slightly or yield locally before they fail, potentially providing an early warning sign. Composite materials, however, are less ductile, as they fail through fiber fracture, delamination and matrix cracking, resulting in sudden instability and collapse. In other words, metals and their failure are much more predictable than carbon-fiber composites.

The decision over material selection, like most engineering decisions, requires the consideration of trade-offs and a careful balancing of advantages and disadvantages. Do the advantages of carbon-fiber really outweigh its flaws, especially under the extreme conditions of deep sea diving?

A carbon-fiber hull may allow you to build a cheaper, larger and lighter submersible than with steel or titanium, but the real question is whether that benefit is worth the risk of increased complexity and uncertainty under repeated deep-water compression loading.

The integrative approach of complex systems engineering

In addition to the concept of trade-offs, another important engineering principle is that complex systems require an integrative approach. When engineers design an airplane or a submersible, one of the main challenges is to integrate different imperfect systems and subsystems to produce a reliable emergent behavior.

Submersibles or airplanes consist of materials and physical structures, mechanical and hydraulic systems, electronics, software and more, all of which must be integrated. In doing so, engineers do not only think about how the individual systems work, but also about how they interact with each other.

As the CG hearings revealed, the engineering process at OceanGate suffered from a lack of complex systems thinking. Principal engineer Dave Dyer, who represented the Applied Physics Lab (APL) at the University of Washington and who was involved in the early stages of Titan’s development, testified that the APL was removed from the project because of a clash between different engineering mindsets.

As Dyer pointed out, "The part that I struggled with the most is, in my experience, when you have a system, you evaluate it as a system." But Tony Nissen, OceanGate's former Director of Engineering, "wanted to isolate those, he wanted to look at just the carbon-fiber hull, just the dome as individual components."

In other words, complex systems must be designed and tested as a whole, with careful attention to how the individual parts interact. OceanGate ignored this principle and tested individual components without adequately testing the full pressure vessel combined with the titanium domes and other interfaces.

Stay away from vibe engineering

One of the main mottos of Silicon Valley has been "Move fast and break things" – a phrase that reflects the innovative spirit of the tech industry. Based on the testimonies of several witnesses, Stockton Rush was attracted to this motto and believed that safety standards stood in the way of innovation. In the submersible industry, however, moving fast and breaking things can result in death and destruction.

Over decades engineers have carefully developed principles, rules and standards that represent the accumulated knowledge of thousands of engineers, gradually increasing the safety of submersibles or airplanes. This doesn't mean that there is no room for innovation, but the introduction of a new material or a new design requires proper testing, especially when it comes to critical components such as the pressure vessel.

As the NTSB concluded in its final report, one critical failure of OceanGate, which likely contributed to the collapse of the pressure vessel, was the lack of a Plan-Do-Check-Act (PDCA) process – a framework outlined in ISO quality guidelines. In general, PDCA describes an engineering loop consisting of an iterative engineering and quality process. In the planning phase, engineers define factors such as requirements, risks, materials, performance targets, inspection methods and testing strategies.

In the Do phase, engineers build prototypes, run tests and collect data. In the Check phase, the results of the tests are compared to the expectations. In the Act phase, the design is improved based on the findings of the Check phase, before the entire cycle is repeated.

OceanGate's former Director of Engineering Tony Nissen stated in his CG testimony that the company was not able to successfully test one prototype before moving on to the full-scale submersible. OceanGate built and tested two one-third scaled models of the carbon-fiber hull and both models imploded earlier than the company had hoped. Instead of continuing prototype development until a model could reliably sustain the expected pressure, the company simply skipped ahead and built the final pressure vessel that was later used to dive down to the Titanic.

Moreover, the NTSB report and witnesses at the CG hearings stated that OceanGate's engineering process lacked additional risk assessment methodologies, such as a sound hazard analysis. OceanGate also bypassed standard certification procedures, which basically provide independent design scrutiny, testing oversight and external verification by qualified third parties and which are normally expected for life-critical systems.

This is not serious engineering. You do not sacrifice the safety of human lives for the sake of innovation while ignoring sound engineering procedures, standards, rules and external verification procedures.

The role of monitoring and data modelling

Perhaps one of the most disturbing engineering decisions made by OceanGate was its reliance on acoustic sensors consisting of circumferential and longitudinal strain gages that were supposed to monitor cracking in the carbon-fiber hull and provide real-time information about the state of the pressure vessel.

There are many problems with this approach. The most obvious one is that the very need for such a system should indicate that the underlying engineering concept may already be flawed. Every dive of the Titan reportedly recorded dozens of acoustic emission signals and displayed a yellow warning if the number exceeded 30 cracks and a red warning if it exceeded 50. As the final report by the NTSB revealed, hit counts were not accumulated between successive dives and hits on the surface were not counted at all. The problem here is that carbon-fiber pressure vessels deteriorate over time.

Even if cumulative damage is considered, how does one determine the threshold at which the hull must be retired? To establish a reliable threshold, engineers would need to test dozens, if not hundreds, of carbon-fiber vessels manufactured by the same process and with the same cylindrical design until failure, calculate averages and variances and add a large margin of error.

OceanGate did not gather sufficient data from their previous pressure hulls to extrapolate a threshold and to justify a high confidence. Data had been collected only from a small number of previous pressure vessels, all of which were manufactured using a different method. Given the tiny sample size and inconsistent manufacturing processes, the monitoring and warning system was unreliable from the start.
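The two monitoring problems described above, as an added Python example that is not taken from OceanGate's system or the NTSB report. It uses the 30/50 warning thresholds from the article; the dive hit counts, the reuse of those thresholds on a running total, and the sample size of 3 are constructed assumptions, and the sample-size bound assumes all hulls come from one identical manufacturing process.

```python
import math

YELLOW, RED = 30, 50            # per-dive hit thresholds quoted in the article
DIVES = [12, 14, 9, 11, 13]     # constructed hit counts for five dives

def status(hits):
    """Map an acoustic-emission hit count to a warning colour."""
    if hits > RED:
        return "red"
    if hits > YELLOW:
        return "yellow"
    return "green"

def per_dive_statuses(dives):
    """Counter starts from zero on every dive (no accumulation)."""
    return [status(h) for h in dives]

def cumulative_statuses(dives):
    """Same thresholds on the running total over the hull's life.
    Reusing 30/50 here is illustrative only, not a calibrated limit."""
    total, out = 0, []
    for h in dives:
        total += h
        out.append(status(total))
    return out

def min_tests_to_failure(reliability, confidence):
    """Distribution-free sample size: smallest n for which the weakest of
    n hulls tested to failure is, with the given confidence, a lower bound
    on the strength of `reliability` of all hulls.
    Follows from 1 - reliability**n >= confidence."""
    return math.ceil(math.log(1 - confidence) / math.log(reliability))

def confidence_from_tests(n, reliability):
    """Confidence actually achieved by only n tests to failure."""
    return 1 - reliability ** n

if __name__ == "__main__":
    print("per dive  :", per_dive_statuses(DIVES))
    print("cumulative:", cumulative_statuses(DIVES))
    print("tests for 99% reliability at 95% confidence:",
          min_tests_to_failure(0.99, 0.95))
    print("confidence from 3 tests:", round(confidence_from_tests(3, 0.99), 4))
```

A counter that restarts on each dive stays green throughout while the running total crosses both thresholds, and the sample-size function shows why a handful of hulls cannot justify a retirement threshold with high confidence.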

Final remarks and conclusion

The flawed engineering process at OceanGate was one of the main factors shaping the path to disaster. However, engineering errors alone do not fully explain the tragedy. It seems that these errors were intertwined with Stockton Rush's psychology.

In this respect, there are striking parallels with the British sailor Donald Crowhurst, who entered the 1968 Golden Globe Race with an unproven vessel and a growing gap between ambition and reality. In both cases, image and aspiration overtook sound technical judgment. Stockton Rush ignored the importance of sound engineering principles, such as:

  • Engineering trade-offs have to be balanced in the right way. Lightweight innovation does not erase material limitations.
  • Complex systems must be tested as systems and require an integrative approach.
  • Prototypes, testing and data collection are important aspects of sound engineering and innovation.
  • Monitoring cannot replace sound design, as sensors are not substitutes for structural integrity.
  • Standards and engineering rules exist for a reason and encode the accumulated knowledge and experience of thousands of engineers.
  • Certifications are also important because they provide independent external verification of engineering designs by qualified experts.

The OceanGate tragedy is the ultimate reminder that physical laws do not care about confidence or ambition. It is a testament to the necessity of sound engineering principles. Those principles allow us to learn from the mistakes of others and from the hard-won lessons derived from them without falling into the same errors and traps.

While this article focuses on the engineering lessons of the disaster, I would also like to express my sincere condolences to the families and loved ones of the deceased. I admire their striving for exploration and I hope they may rest in peace.