The reasons behind this maritime disaster highlight how unstated design assumptions can introduce risk
Contrary to popular belief, the Titanic was never touted as being unsinkable before the disaster. The design did in fact comply with the Board of Trade (BoT) regulations for the control of flooding in the event of collision. So why did the Titanic sink when other ships had suffered collisions, one even with an iceberg, and survived?
To meet BoT regulations the design of the Titanic included 16 major watertight subdivisions, with the ship (in theory) being able to survive a collision at the juncture of any two watertight compartments. The reason for this double compartment requirement is simply that the BoT considered the most likely scenario to be a collision with another ship.
For the ‘target’ or struck ship, sub-dividing the hull into watertight compartments of a maximum size, using watertight bulkheads carried up to specific deck levels, effectively addressed the post collision flooding hazard. In the case of the striking ship, higher anti-collision bulkheads in the forepeak, set back outside the collision crush zone, addressed the risk of progressive flooding posed by a flooded bow compartment (1).
Icebergs, being stationary, were considered (assumed) to only pose a risk of head on collision, with such a risk addressed implicitly in the existing anti-collision bulkhead design (2). This assumption was reinforced in 1879, when the SS Arizona collided head on with an iceberg and this is exactly what happened.
As the Arizona’s collision had not resulted in loss of life, from the designers’ perspective compliance with the Board of Trade regulations provided a proven and adequate set of countermeasures to deal with the risk of iceberg collision.
So what went wrong? Quite simply the ship was not operated as the designers had assumed it would be. Rather than striking head on the ship struck a glancing blow down the side of the iceberg. Why? Because the officer of the watch gave the order to put the helm hard over and steer around the iceberg.
Had the Titanic simply put its engines to full astern and kept the iceberg dead ahead, the collision would most likely have been survivable for the ship, given that at a speed of 22 knots the energy of the impact would be taken up by crushing the first 90 feet of the stem, likely leaving bulkhead B intact.
The problem of course was that the implicit assumption made by the Harland & Wolff design team was not communicated to the owners of the Titanic. Had that assumption been made explicit, for example as a recommendation on how to deal with iceberg threats, then the risks of trying to steer round an iceberg at night and high speed might have been exposed. In this case the undocumented assumption introduced a degree of ontological risk into the design.
To further increase the risk, the then existing BoT regulations actually allowed for a reduction in the number of lifeboats as the number of watertight sub-divisions increased.
One could ask whether the result would have been different if the design team had asked themselves, ‘what would happen if our design hypothesis (3) was violated?’ and from there looked at the ways in which such a violation could credibly occur.
Lessons for the present
Making credible assumptions is an essential part of engineering; however, when the assumptions constrain the operation of a system for safety reasons, that constraint needs to be explicitly communicated to the operators (3). Likewise, as responsible designers we also need to ask ourselves from time to time ‘What happens when my design assumption turns out to be wrong?’.
If we do neither then we run the risk of becoming another example of the Titanic Effect, where the severity of the accident is matched only by the strength of our prior belief that it would not occur.
1. Progressive flooding occurs when forward compartment flooding causes the ship to settle by the bows, which brings the tops of subsequent watertight bulkheads below the flooding line.
2. In the case of Titanic these were incorporated into the first two watertight subdivisions (A & B in Fig 2 above). Given the stepped nature of bulkhead A, bulkhead B was also raised in height to mitigate the increased risk of A bulkhead being compromised by a collision.
3. A prediction that states how a specific design will result in a specific outcome. A design hypothesis should also clearly articulate the assumptions upon which it is based. In this case the design hypothesis might be expressed as, “the Titanic’s existing BoT anti-collision bulkheads in the stem will provide sufficient protection from flooding as a result of collision with an iceberg. This protection is based on the assumption of a collision bow on to the iceberg at no greater than 20 knots closing speed.”