So why did the Titanic sink? The reasons behind this maritime disaster highlight how implicit and unstated design assumptions can introduce risk.
Contrary to popular belief the Titanic was never touted as being unsinkable before the disaster. However the design did comply with the Board of Trade (BOT) regulations for the control of flooding in the event of collision.
So why did the Titanic sink when other ships had suffered collisions with icebergs and survived?
To meet BOT regulations the design of the Titanic included 16 major watertight subdivisions, with the ship (in theory) being able to survive a collision at the juncture of any two watertight compartments.
The reason for this double compartment requirement is simply that the most likely scenario was considered to be a collision with another ship.
For the ‘target’ ship, sub-dividing the hull into watertight compartments of a maximum size, using watertight bulkheads carried up to specific deck levels, effectively addressed the post-collision flooding hazard.
For the ‘bullet’ ship higher anti-collision bulkheads in the forepeak (set back outside the collision crush zone) addressed the risk of progressive flooding posed by a flooded bow compartment (1).
Icebergs, being stationary, were considered to pose only a risk of head-on collision, with such a risk addressed implicitly in the existing anti-collision bulkhead design (2).
In fact this head on collision scenario had played out in real life with the 1879 collision of the SS Arizona with an iceberg.
As the Arizona’s collision had not resulted in loss of life, from the designers’ perspective compliance with the Board of Trade regulations provided a proven and adequate set of countermeasures to deal with the risk.
So what went wrong?
Quite simply, the ship was not operated as the designers had assumed it would be. Rather than striking head on, the ship struck a glancing blow down the side of the iceberg. Why? Because the officer of the watch gave the order to put the helm hard over and steer around the iceberg.
Had the Titanic simply put its engines to full astern and kept the iceberg dead ahead, the collision would most likely have been survivable for the ship, given that at a speed of 22 knots the energy of the impact would be taken up by crushing the first 90 feet of the stem, likely leaving bulkhead B intact.
The problem, of course, was that the implicit assumption made by the Harland & Wolff design team was not communicated to the owners of the Titanic. Had that assumption been made explicit, for example as a recommendation on how to deal with iceberg threats, then the risks of trying to steer round an iceberg at night and high speed might have been exposed. In this case the assumption introduced epistemic risk into the design.
Further increasing epistemic risk, the then-existing BOT regulations actually allowed for a reduction in the number of lifeboats as the number of watertight subdivisions increased.
One could ask whether the result would have been different if the design team had asked themselves, ‘what would happen if our design hypothesis is violated?’ and from there looked at the ways in which such a violation could credibly occur.
Lessons for the present
Making credible assumptions is an essential part of engineering; however, when the assumptions constrain the operation of a system for safety reasons, that constraint needs to be explicitly communicated to the operators (3).
Likewise as responsible designers we also need to ask ourselves from time to time ‘What happens when my design assumption turns out to be wrong?’.
If we don’t then we run the risk of becoming another example of the Titanic Effect, where the severity of the accident is matched only by the strength of our prior belief that it would not occur.
We must remember that every assumption we make as engineers, however justified it may appear, carries the potential for epistemic risk.
Notes
1. Progressive flooding occurs when forward compartment flooding causes the ship to settle by the bows, which brings the tops of subsequent watertight bulkheads below the flooding line.
2. In the case of Titanic these were incorporated into the first two watertight subdivisions (A & B in Fig 2 above). Given the stepped nature of bulkhead A, bulkhead B was also raised in height to mitigate the increased risk of A bulkhead being compromised by a collision.
3. See for example the concept of an ‘Intent Specification’ as developed by Dr Nancy Leveson of MIT.



very cool break-down. i like your strolling reasoning powers. i could project onto where your thoughts were going and felt much smarter for it!
keep on!