Salon has a disturbing article describing what may have happened on the Deepwater Horizon before the Gulf oil spill. It's an interesting account of possible failures that led to the disaster and full of lessons for any team that needs to react quickly and effectively to emergencies.
One item particularly caught my eye. According to this account, the accident might have been prevented if workers hadn't delayed engaging a disconnect switch:
Steve Bertone, the chief engineer for Transocean, wrote in his witness statement that he ran up the bridge and heard the captain screaming at a worker for pressing the distress button. Bertone turned to Pleasant, who was manning the emergency disconnect system, and asked whether it had been engaged.
Pleasant told Bertone that he needed approval first, according to Bertone's sworn statement. Another manager tried to give the go-ahead, but someone else from Transocean said the order needed to come from the rig's offshore installation manager.
Ultimately who gave the order is a matter of dispute. Donald Vidrine, well site leader for BP, said he did it. But Bertone said it was Jimmy Harrell of Transocean.
By the time the workers obtained the approval and got started, Pleasant said he "got all the electronic signals but no flow on meters," meaning hydraulic fluid wasn't flowing to close the valves on the blowout preventer.
A distress button and emergency disconnect system might be considered part of an andon system, a Lean tool that allows line level workers to signal for help, and if necessary, stop production in order to correct a defect or problem. The traditional "andon cord" in a Toyota factory could be pulled by any worker to request help from a team leader. Buffer spacing was built into the line to allow for problem solving, but if the issue couldn't be resolved quickly, the line would stop.
But on the Deepwater Horizon there may not have been enough buffer between the initial signal for help and the time to shut down the operation completely. Salon also quotes an engineer on when workers may signal for help:
Gene Beck, a petroleum engineer at Texas A&M at College Station, said companies typically have criteria that allow any worker to engage the system if problems get bad enough.
The ambiguity of what constitutes "bad enough" might prevent workers from engaging the system in time. If there's insufficient buffer in the process, workers will be reluctant to signal for help, knowing it will halt production. And if the organization lacks a culture of respect (e.g. screaming at workers for hitting a distress button), employees may be unwilling to risk making those sorts of decisions, even when their own lives are at risk. Tragically, that may have been the case here.