The Baltimore Bridge Collapse : Another Case of a Failed Management System ISO 55001:2024

By – Dr. IJ Arora

Can good management systems make organizations immune to disasters? The Baltimore bridge or simply the Bay Bridge or more precisely the Francis Scott Key Bridge that collapsed in 2023 because of the allision with the container vessel MV Dali is a tragedy, perhaps caused by the failure of several management systems, the ship, the port, the state and whoever else was involved.   

The National Transportation Safety Board (NTSB) investigation is ongoing, and will no doubt look at the part played by the MV Dali, its crew and operator. However, my thought is the MV Dali or other ships plying the waters by simple statistical probability were considered as a risk by the authorities. I mean there is the water channel, ships sailing in and out, and a bridge, there was likely to be an allision someday. Perhaps not a matter of if but when! Thus should the bridge have been safer and better designed, based on known and appreciated risks? After all, not all accidents can be completely avoided. However, each tragedy has lessons learnt as responsive action. The lessons become the data that drive risk identification and trends and, thus making the system proactive.  I am sure  the NTSB is considering all this. In the meantime, without going into the ongoing investigation, are there some basics which are common indications of failures of the system. Be it the Titan submersible, or the Boeing management system,  as an SME in  process-based process-based management systems I see a common cause; the failure of the system to  deliver conforming products and services. 

In this short article I want to discuss this bridge collapse in the context of the management system, considering ISO 9001:2015 generically and ISO 55001:2024 Asset Management System requirements specifically. Could simply designing a good system based on the standard have enabled the organization to better assess the associated risks? Perhaps they were assessed and justified as a low probability of occurrence. If that were the case, the discussion would be on prioritization of risks. ISO 55001 was first published in 2014. It was developed as a standalone standard for asset management, building upon the principles of ISO 9001 (quality management) and other relevant standards. 

I am aware that as of September 2024, the investigation into the Baltimore bridge collapse is still ongoing.  Therefore, while the exact cause of the collapse remains under investigation, we can consider several factors that could have contributed to the incident. MV Dali, experienced a series of electrical blackouts before the allision.  The vessel SMS (safety management system based on the ISM Code) implementation could be a factor. Bridge stability, its age and condition are I am sure are being investigated as a potential contributing factor. Then there is always human element.  There may have been errors on the part of the ship’s crew or bridge operators. Was the system designed to support them in such a scenario? What factors may have caused operators at all levels to perhaps not follow requirements, to justify the risks. The NTSB’s investigation will highlight a detailed analysis of the ship’s navigation systems, the bridge’s structural integrity, and the actions of the individuals involved in the reasons for this tragedy. Their final report will provide a comprehensive understanding of the incident and may include recommendations to prevent similar occurrences in the future. 

However, even at this stage we can agree that bridges in general are national assets. They are valuable infrastructure that provides essential services to communities. While it is not publicly known whether the State of Maryland specifically implemented ISO 55001 for its bridges, the principles and practices outlined in this standard could have been beneficial in managing the risks associated with the Baltimore bridge. The implementation of this standard and or even if the generic standard ISO 9001 were implemented the authorities could have performed: 

  • Risk Assessments: ISO 55001 requires organizations to conduct regular risk assessments to identify potential threats and vulnerabilities. A thorough assessment of the bridge’s condition, age, and traffic load could have helped identify potential risks and inform maintenance and repair decisions, as also change in procedures, protection of navigation channels and so on. 
  • Life Cycle Management: The standard emphasizes the importance of managing assets throughout their entire lifecycle, from planning and acquisition to maintenance and disposal. By following ISO 55001, the state could have developed a comprehensive plan for the bridge’s maintenance, upgrades, and eventual replacement. 
  • Performance Measurements: ISO 55001 requires organizations to establish measurable Objectives or Key Performance Indicators (KPIs) to measure the effectiveness of their asset management activities. This could have helped the state monitor the bridge’s condition and identify any signs of deterioration. 
  • Continual Improvement: The standard promotes a culture of continual improvement, encouraging organizations to learn from past experiences and make necessary adjustments to their asset management practices. 

I agree, it is impossible to say definitively whether ISO 55001 would have prevented the Baltimore bridge collapse. However, the principles and practices outlined in the standard could have helped to reduce the risk of such incidents. By adopting a systematic and proactive approach to asset management, organizations can improve the reliability and safety of their infrastructure. A systematic study must go beyond what the MV Dali contributed to the Baltimore bridge collapse, it is also important to consider the broader context and the potential contributions of other factors: 

  • Bridge Design and Maintenance: The age and condition of the bridge are likely to be factors in the investigation. Older infrastructure may be more susceptible to damage or failure, especially if it has not been adequately maintained or upgraded. 
  • Vessel Traffic: The frequency and intensity of vessel traffic in the area can also influence the risk of collisions. The bridge is in a busy shipping channel; therefore, the likelihood of incidents was higher. 
  • Safety Measures: The presence or absence of safety measures, such as buoys, warning systems, or restricted areas, can also impact the risk of collisions/allisions. This needs to be studied and are factors the authorities would know. 
  • Human Element and Factors: Errors on the part of both the ship’s crew and bridge operators can contribute to accidents. Factors such as fatigue, inexperience, or inadequate training may play a role. What led to these?  Error proofing, mistake proofing and FMEA (Failure Mode Effect & Analysis) are tools that could be part of the effective management system. 

Let us therefore consider ISO 55001 and the relevant clauses of the standard which could apply to the collapse of the Baltimore Bridge. 

Clause 4: Context of the Organization 

  • Clause 4.1: Understanding the external context, such as the age of the bridge, traffic volume, and environmental factors, is crucial for risk assessment. 
  • Clause 4.2: Identifying the needs and expectations of relevant interested parties, including the public, commuters, and regulatory bodies, is essential for effective asset management. 

Clause 6: Planning 

  • Clause 6.2.1: The bridge’s asset management plan should have included clear objectives for its maintenance, repair, and replacement. 
  • Clause 6.2.2: Specific objectives related to safety, reliability, and cost-effectiveness should have been established. 
  • Clause 6.2.3: Detailed planning for maintenance, inspections, and upgrades would have been necessary to ensure the bridge’s structural integrity. 

Clause 7: Support 

  • Clause 7.1: Adequate resources, including funding, personnel, and expertise, should have been allocated for bridge maintenance and inspection. 
  • Clause 7.2: Ensuring that personnel involved in bridge management have the necessary competence and training is essential. 
  • Clause 7.3: Raising awareness among all relevant stakeholders about the importance of bridge maintenance and safety is crucial. 

Clause 8: Operation and Maintenance 

  • Clause 8.1: Regular inspections and monitoring of the bridge’s condition would have helped identify potential problems early on. 
  • Clause 8.2: A well-defined maintenance schedule, including preventive and corrective maintenance, would have been necessary to address issues before they escalated. 

Clause 9: Performance Evaluation 

  • Clause 9.1: Establishing key performance indicators (KPIs) to measure the bridge’s performance, such as safety records, traffic flow, and maintenance costs, would have provided valuable insights. 
  • Clause 9.2: Regular monitoring and evaluation of these KPIs would have helped identify areas for improvement. 

Clause 10: Improvement 

  • Clause 10.2: The bridge’s management should have implemented a system for monitoring and measurement, including data collection and analysis. 
  • Clause 10.3: Predictive maintenance techniques could have been used to identify potential failures before they occurred. 

My objective of writing this article is to awaken this basic thought in organizations that by applying the principles of a standard, be it generic ISO 9001 or an industry specific standard or as in this case the asset management system standard ISO 55001, the organization (State of Maryland) could have strengthened its asset management practices and potentially mitigated the risks associated with the Baltimore bridge collapse. 

The above article was recently published in the Exemplar Global publication – ‘The Auditor’.

Are Medical Audits Improving Systems Or Only Driving Fixes? 

Is there a potential downside to medical audits wherein the audits are focused on finding and fixing problems? A recent discussion with a medical professional piqued my interest in the value of Medical Audits given that QMII, a subject matter expert in auditing, has ventured into the medical auditing field. This led to a conversation with a few additional healthcare professionals to understand a little more about medical audits, their findings and how organizations address them. My additional reading outlined a lack of effective systemic corrective action. In this article, I discuss some aspects of the medical audit process and what organizations can do to improve the process of audits and of implement corrective action.  

There are various types of medical audits including clinical audits, billing/coding audits, financial audits, operational audits and compliance audits. While there are regulations, protocols and standards against which these audits are conducted, in many cases, industry-best practices are also used as audit criteria. This brings subjectivity into the audit as ‘best practices’ knowledge may vary from auditor to auditor based on their experience. Auditing to an auditor’s experience has a major drawback not just in the medical industry but in all industries. It takes the auditors away from requirements which then results in biased inputs to the leadership that may be inaccurate.  This also leaves the auditee (the organization being audited) on the receiving end of findings for which there are no certain requirements. That is, they may make changes to their system based on the finding of one auditor only to find that another auditor objects to the very actions they implemented based on the previous auditor. 

Medical Audits and Recommendations 

In medical audits, it is common practice for auditors to provide recommendations to address findings. These recommendations are based on experience and industry-best practices. In ISO audits this is not allowed. In most industries, including the healthcare industry, there is no obligation to act upon any of the recommendations of an auditor. However, if auditors are perceived to be in a position of authority, then there is an underlying implication that the audit recommendation must be implemented. This is for fear of the nonconformity occurring again only for someone to say, “the auditor told you what to do and no action was taken”. This then also implies, audits do not delve deeply enough to identify systemic weaknesses within the processes or the workflow. 

In speaking with the medical professionals within my professional circle of friends, it was surprising to hear that in many cases the personnel being asked to address the audit findings are unaware of any root cause analysis methodologies nor have they been given any formal training in the subject. Further, they are not clear about what a CAPA is but do know that they need to provide some action to close out the finding. In such cases, is it then fair to expect effective corrective action? Perhaps, the lack of effective corrective actions perpetuated the need for auditor recommendations! 

Without proper training, it is but natural for personnel responding to audit findings to default to the recommendations of the auditor and implement those actions prescribed by the auditor as the corrective action in and of itself. Sadly, in such cases the root cause of the issue goes unaddressed. Sometimes such cases may lie in inadequate resources, technology or even lack of guidance/policy from leaders. While the aim of the audits is to identify where the process may require additional controls, all for providing better healthcare for the patient, the outcome may only be a band-aid. 

What can be done to change this? 

While change may not come overnight, there are a few key steps that can be taken to improve the audit process overall right up until corrective action and meet the end goal of providing better healthcare.  

Auditor training – Auditors must be trained to remain objective through the audit process, to focus on the requirements (criteria) of their audit, to focus on factual evidence and objectively assess it (yes, no experience!). Further they must understand the implications of providing recommendations and thus not provide any recommendations. The auditors are but to focus on assessing the effectiveness of the corrective action plan submitted and verifying the effectiveness of actions taken.  

Root Cause Analysis Training – Healthcare organizations must invest in providing their personnel with training in the different root cause analysis methodologies and how to apply it to identify the root cause(s) of a problem.  

Reinforcing that Recommendations need not be accepted/addressed – Organizations must be professional to build the courage to stand up to auditors and not accept recommendations. Auditors do not know all facets of the process from the short sample of the organization they witness. If their “advice” in the recommendations is wrong/ineffective, who then pays the price? 

Auditor Selection – ISO 19011 provides guidance on the behaviors and skills that an auditor should exhibit, and these are applicable to an auditor selected to conduct any type of audit. Auditors must be evaluated periodically to ensure they are remaining objective through an audit and working to identify the effectiveness of controls and adequacy of resources in assessing if the overall objectives have been met. To learn more about how QMII can support your organization’s audit process, click here

Julius DeSilva, Senior Vice-President

Excellence in Auditing Presented by Dr. IJ Arora for Exemplar Global

“How Auditing Helps Prevent Tragedy,” presented by Dr. IJ Arora with Wendy Edwards (Project Director of Exemplar Global) at the Exemplar Global’s Excellence in Auditing Expo!

Click the link here to understand the critical role auditing plays in averting potential disasters. Whether you’re in risk management, quality assurance, or simply interested in safety and security, this discussion offers valuable perspectives and actionable takeaways.

Link to the Presentation

Responsibly Implementing Artificial Intelligence

Artificial Intelligence (AI) entered our lives stealthily and not before long has become an integral part of all we do. From choosing a playlist, to self-driving cars, to providing service desk support to name a few. Some people have openly embraced AI while others approach it more cautiously afraid of the domination and ‘rise of the machines. Along with the opportunities that AI presents, also come risks and therefore responsibility. ISO in December of 2023 published a management system standard, ISO/IEC 42001, that provides a framework for organizations looking to use a process-based approach to managing risks and opportunities associated with use of Artificial Intelligence.

What is AI system?

As defined by ISO/IEC 22989 and artificial intelligence system is and engineered system that generates outputs such as content, forecasts, recommendations, or decisions for a given set of human-defined objectives. Artificial intelligence can then further be broken down into various subcategories from weak AI to strong AI. There are also various associated terms that are used within the industry that wall within the realm of Artificial Intelligence systems. These include Autonomous AI system, Machine Learning, and Cognitive Computing to name a few.

An integrated standard approach

In structuring the standard ISO/IEC follows the harmonized 10 clause structure that is applicable to standards such as ISO 9001 and ISO 45001. This will make it easy for organizations seeking to integrate the requirements into their existing management system. Like other ISO management system standards, ISO/IEC 42001 is not prescriptive within the standard clauses. It does however, similar to ISO/IEC 27001 include an Annex of controls that must be considered and that must be justified when not applicable. Annex A has a total of 38 controls that are split among the 10 control objectives. As a risk-based standard it requires organizations to conduct an impact analysis, conduct a risk assessment and then implement controls to treat the risk to an acceptable level.

ISO/IEC 42001 control areas

The 10 control areas of Annex A intend to:

  • Provide management commitment and direction
  • Establish organizational accountability
  • Determine and provide resources
  • Assess the AI system impacts
  • Provide a framework for managing the AI system life cycle
  • Control data used within AI systems
  • Provide a framework for communication with interested parties
  • Ensure responsible use of AI systems
  • Mange relationships

ISO/IEC 42001 also makes reference to the NIST Risk Management Framework, developed to better manage risks to individuals, organizations, and society associated with artificial intelligence (AI).

Next Steps for Companies seeking to align to ISO/IEC 42001

If your organization is seeking to demonstrate a responsible use of AI systems and choosing to align with the ISO /IEC 42001 framework, the next steps would be to:

  1. Conduct as “As-Is” assessment – Identify what controls and resources are already in place within the existing management system.
  2. Conduct an Impact Assessment – Annex A controls provide a structure of how to achieve this and Annex B provides further guidance. This requirement supports the requirements of the EU AI Act. Inputs to the assessment will come from an understanding of the organizational context and the needs of the interested parties.
  3. Conduct a Risk Assessment – to identify potential risks and opportunities for users and society. The assessment should include the implication for deploying AI systems.
  4. Develop Risk Treatment Controls – Identify measures that the organization will implement to mitigate the risks to an acceptable level and then a plan to ensure the effectiveness of controls implemented.
  5. Implement and monitor the controls and system, with an aim to driving continual improvement and ensuring the responsible use of AI.

To learn more about how QMII can support your implementation of ISO/IEC 42001 reach out to QMII solutions team at info@qmii.com or call us at +1 (888) 357-9001.

-By Julius DeSilva, Senior Vice-President

10 Steps to Safeguard Maritime Property from Cybersecurity Threats

IJ Arora, Ph.D

Cybersecurity threats have become a pressing concern in the modern era due to our lives becoming increasingly dependent on computerization. However, with the convenience of technology comes vulnerability to malicious attacks. The maritime industry, with a growing reliance on technology, faces significant cybersecurity threats. Dr. Jekyll and Mr. Hyde (i.e., good and bad) exist and have always existed. Protecting against cyberattacks is crucial to ensuring the industry’s stability and security.

Understanding cybersecurity in the maritime industry

Cybersecurity in the maritime sector involves safeguarding systems, information, and assets from unauthorized access, disruptions, or manipulations. The industry’s growing reliance on technology, including networks controlling essential functions like navigation and communication, makes it an attractive target for cybercriminals. To maintain business continuity, it is crucial that companies assess their current cybersecurity posture and act to proactively improve it. The maritime industry supports trade and the economy at large, so a cyberattack can have broader consequences beyond just affecting a single vessel or company. For this reason, the intent of the attackers might be broader than simply affecting a specific entity for ransom.

Current challenges in maritime cybersecurity

Before delving into the 10 essential steps to fortify against cyberthreats, it’s crucial to acknowledge the prevalent challenges faced by the maritime industry, which include:

  • Business continuity disruption due to breaches
  • Lack of comprehensive response plans
  • Growing reliance on automation
  • Insufficient awareness
  • Vulnerabilities in cloud computing
  • Rise in phishing and social engineering attacks
  • Internal threats and attacks

Controlling both information technology and operational technology systems is critical to fortifying cybersecurity. Various systems within the small passenger-vessel sector are susceptible to cyberthreats, including bridge systems, access control systems, passenger servicing and management systems, and communication systems.

The 10 steps

When addressing cybersecurity, organizations must consider protecting information itself as well as the asset on which that information is stored. Control of both information technology (IT) and operational technology (OT) systems is critical to fortifying cybersecurity. Additionally, management must consider the confidentiality, integrity, and availability of information and how these three aspects may potentially be compromised.

Step 1: Leadership commitment

Leaders must drive the need for cybersecurity and ensure that it is baked in (not buttoned on) to processes. They need to engage the workforce to contribute to the system. To do this, they can:

  • Appoint a cybersecurity manager to ensure accountability and garner buy-in.
  • Make cybersecurity integral to business processes and consider risks vs. rewards.

Step 2: Use a system framework

Employ the plan, do, check, act (PDCA) cycle as the foundation for a robust cybersecurity approach. This is also the approach prescribed by the Passenger Vessel Association (PVA) safety management system (SMS) framework.

  • Develop and regularly update cybersecurity policies aligning with organizational needs and threat landscape changes.
  • Identify clear roles and responsibilities for all concerned with cybersecurity aspects of the SMS.

Step 3: Contextualize risk

  • Consider the broader context of operations, trade patterns, technology, and legislative factors.
  • Identify stakeholders, online networks, assets, critical components, and business-sensitive information.

Step 4: Risk assessment (3D framework)

Leaving hazards in uncertain states is a drawback for proper risk assessment. It is the responsibility of leadership to convert uncertainty into clearly defined risks within the context of the organization and then prioritize those risks.

  • Organizations must assess hazards in terms of probability, severity, and the likelihood of detection.
  • Risks should be prioritized with consideration given toward confidentiality, integrity, and the availability of information.

Step 5: Build controls into processes

Controls can be split into various categories, including administrative, physical, human, and technological. In some cases one control may suffice, but for the most part a combination of controls must be applied. Identified controls should be implemented based on the feasibility rule, meaning that although they may look good in a vacuum, ease of implementation must be considered. Information security should be a part of everything the organization does—not an add-on. This includes:

  • Implementing technical security controls like firewalls and intrusion-detection systems.
  • Adopting a layered security approach (i.e., “defense in depth”) to effectively mitigate against various threats. This entails creating multiple barriers to prevent access to information—physical, passwords, firewalls, VPNs etc.

Step 6: Maintain basic measures

Basic safety measures are easy to implement and, for the most part, they are cost-effective. This can include cybersecurity awareness training for personnel, physical security, and password security. Below are a few more, although this is not an exhaustive list:

  • Keep hardware and software updated.
  • Enable automated antivirus and anti-malware updates.
  • Limit administrator privileges and control removable media.
  • Avoid public network connections without a VPN.
  • Regularly backup and test information-restoration capabilities.

Step 7: Employee awareness

It is important to make employees aware of the need for good cybersecurity protocols. Employees are often the weakest link in the security chain. Statistics show that almost 36 percent of data breaches are caused by employee negligence. Immediate actions organization can take include:

  • Educate employees on cybersecurity best practices to minimize human error.
  • Train personnel to identify phishing attacks and report incidents promptly.

Step 8: Emergency preparedness

No organization is immune to cyberattacks. It is important to have a plan in place for responding to attacks quickly and effectively. The plan should include steps for mitigating the damage, containing the attack, and investigating the incident. You can use ISO 22301: 2019, “Business continuity,” to develop this plan.

  • Your plan should include comprehensive processes for responding to cyberattacks swiftly and efficiently, including reporting mechanisms.
  • Test and improve your business continuity plan regularly.

Step 9: Assess effectiveness

The check stage of the PDCA cycle is vital to instill confidence in the effectiveness of the organization’s cybersecurity measures.

  • Conduct regular cybersecurity assessments, including third-party evaluations for objectivity.
  • Evaluate assets, vulnerabilities, IT/OT risks, physical access, and breach potentials.

Step 10: Continual improvement

  • Embrace continual improvement through the PDCA cycle to maintain vigilance.
  • Invest in training personnel on cybersecurity standards like ISO 27001.

Conclusion

Taking cybersecurity seriously and implementing these 10 steps can significantly mitigate the risk of cyberattacks. Begin the process by conducting a gap assessment using a qualified person to assess where your system currently stands and what actions need to be taken.

Your action plan should identify risks, gaps, and the controls needed. These controls can easily be integrated into the existing safety management system. Investing in cybersecurity today will better prepare your organization to manage future risks. Leadership involvement is crucial, and these steps serve as a solid foundation to effectively fortify cybersecurity measures.

About the author

Inderjit (IJ) Arora, Ph.D., is the President and CEO of QMII. He serves as a team leader for consulting, advising, auditing, and training regarding management systems. He has conducted many courses for the United States Coast Guard and is a popular speaker at several universities and forums on management systems. Arora is a Master Mariner who holds a Ph.D., a master’s degree, an MBA, and has a 33-year record of achievement in the military, mercantile marine, and civilian industry.

Above article is featured in the following:-

Foghorn Magazine

Exemplar Global Publication “The Auditor”

Controlling Sub-Sea Infrastructure


The recent implosion of the Titan, a sub-sea submersible used for taking elite, high-paying tourists to see the wreck of the Titanic, brought the safety protocols of both vessels into focus. There were no statutory requirements for regulating the Titan and neither were there any when the Titanic sank in 1912! As a reactive measure, the maritime community came up with the Safety of Life at Sea (SOLAS) Convention soon after the sinking of the Titanic. Ironically, after the Titan submersible imploded, we have come to realize there are no requirements covering this vessel. Perhaps with time, the involved counties will react.

The question is, why was nothing done proactively? Tourists go up in hot air balloons all the time. Is there any statutory requirement that these tourist companies must meet? Is there even a requirement to have a management system in place so that these companies work systematically, appreciate the risks in the context of the organization, and plan their operations keeping risks in mind? It is true that entrepreneurs do not like regulations and consider requirements a hindrance in a free business environment. And yet the Titanic, which was declared to be “unsinkable,” did, in fact, sink! In the United States, the domestic towing vessel industry functioned without statutory requirements until recently. The industry avoided regulation, but tragedies occurred, and now the industry is regulated under the U.S. regulatory framework. A process-based management system is the best systematic structure to produce conforming products and services, ensure continual improvement, and implement the statutory requirements if available.

The intent of this article is to proactively start a discussion on the need for regulating sub-sea infrastructure to reduce its affect on the marine transportation system. The phrase “sub-sea infrastructure” refers to equipment and technology placed on or anchored to the ocean floor. This infrastructure may include, but is not limited to, cables for telecommunication, cables for power transmission, pipelines for transmission of fluids, and other stationary equipment for scientific research.

The growth of sub-sea infrastructure is a global phenomenon. As an example, is in the interest of all nations, and particularly here in United States, to promote wind farms, which are a source of renewable energy. When these wind farms are placed in selected geographical locations along the continental shelf, they need sub-sea cables. But are there any laws controlling the systematic development of the industry to enable an effective marine transportation system and its protection of maritime community interests and environmental interests? Is there a central agency responsible for this coordination to allow for a balanced approach to risks? The amount of cabling piling up needs management and oversight.

Sub-sea infrastructure, the definition of the problem

Numerous industries have a stake in sub-sea infrastructure. Examples include oil and gas, telecommunications, fishing, scientific research, and perhaps military/defense applications such as sonar and other arrays and obstacles. This infrastructure is a requirement, but it also faces various challenges including those that can lead to accidents, environmental damage, and possible breaches in national security. All these bring out very significant concerns related to sub-sea infrastructure and the lack of comprehensive and globally accepted standards, requirements, obligations, and assurance mechanisms. It is not that organizations such as the United States Coast Guard, the National Oceanic and Atmospheric Administration, the Bureau of Safety and Environmental Enforcement, the U.S. Army Corps of Engineers, the Environmental Protection Agency, and other federal and state agencies do not look at these issues.

Nevertheless, it remains a concern that there is no single agency or overarching requirement to provide a framework to the industry on harmonized implementation of requirements. This lack of harmonization can mean inconsistencies in design, installation, and maintenance practices which may not address risks uniformly. This can generate consequential risks, leading to increased accidents, mechanical failures, and costs to the industry and the nation.

Recent tragedies and accidents

Recent tragedies and accidents involving sub-sea infrastructure have been limited, and yet must not lead to complacency by the agencies involved. The few that have occurred indicate the challenges and trends pointing to the need for proactive requirements. The recent tragedies include:

  • Deepwater Horizon. The potential consequences and challenges inherent in deep-water oil drilling were brought out by the Deepwater Horizon tragedy in 2010. The oil rig explosion in the Gulf of Mexico caused a massive oil spill and resulted in the loss of 11 lives. Although not technically a sub-sea incident, it highlighted a series of failures in design, maintenance, and company oversight—all factors pointing to the importance of robust safety standards and requirements, and the implementation thereof. The Deepwater Horizon incident was not directly related to sub-sea infrastructure; however, it heightened the risks associated with offshore oil and gas production and the potential for catastrophic environmental damage.
  • Nord Stream 1 and Nord Stream 2. Occurring in September 2022, the damage to these gas pipelines in the Baltic Sea highlighted concerns around sub-sea infrastructure. These pipelines transport natural gas from Russia to Europe; in this incident, they sustained multiple leaks. The exact cause of the damage is unclear, though deliberate sabotage was suspected and is still under investigation. Regardless of the ultimate findings, this incident exposed the vulnerabilities of sub-sea infrastructure to sabotage, and the potential for significant environmental and economic consequences are real. Intentional attacks to the sub-sea infrastructure have the potential for widespread disruption of energy supplies. Apart from the Nord Stream, there have been other sub-sea incidents affecting the gas and oil industry. In 2021 a fire broke out on a sub-sea production control umbilical off the coast of Brazil, causing significant damage to the underwater equipment and resulting in a major oil spill.
  • English Channel Internet Disruption. In 2021, a ship dragging its anchor on the seabed in the English Channel cut the three main internet cables to the Channel Islands. Although this only resulted in slower broadband speeds in this instance, there remains the possibility that it could have resulted in a complete outage.

Looking ahead

These incidents represent leading indicators of a tragedy in the making should proactive action not be taken. The critical importance of safety for sub-sea infrastructure underscores the need for a more comprehensive and rigorous approach to standards and assurance. Industry stakeholders together with regulatory bodies within the United States and global organizations such as the International Maritime Organization must work together to establish a harmonized set of safety standards, implement robust assurance mechanisms, and foster a culture of safety throughout the sub-sea industry.

The increasing reliance on sub-sea infrastructure for various industries (including wind farms) necessitates a proactive approach to safety and risk management. There is definitely a need to invest in research and development to enhance the resilience and monitoring capability of sub-sea infrastructure. The various companies in the sub-sea industry are holding their proprietary information close to the vest. This is understandable. However, these organizations are in competition with totalitarian governments, in which control of business practices is the exclusive dominion of the state. It is necessary to enhance transparency and information-sharing among industry stakeholders to facilitate better risk assessment and incident prevention.

Conclusion

Promoting a culture of safety that prioritizes risk identification, risk mitigation, and continual improvement is essential. There is no common ISO standard for sub-sea management systems. Of course, ISO 9001 is interpretable and can be used as the basis for now. Environmental protection is a challenge for a developing industry, and as such, even greater urgency is needed for statutory requirements encompassing all aspects of stakeholder interests, the marine industry in general, and the protection of the environment for generations to come.

Marine transportation remains the most important way for goods to be shipped across the world, as approximately 80 percent of the world’s goods are transported by ships. Vessels need a place to anchor in normal operating conditions as also in emergencies. A crowded seabed in harbors makes this a challenge for the entire maritime industry.

Without adequate and effective regulatory oversight, it may be too late to take action once cables and other sub-sea equipment have already been laid. Further, multiple agencies regulating the same aspects of the industry can potentially lead to bureaucratic delays.  There is therefore an urgent need to create a single statutory body to regulate the sub-sea infrastructure industry, which will greatly benefit all parties invested in the maritime transportation system.

Exemplar Global Publication “The Auditor”