April 6, 2012

A couple of weeks ago, two other engineers and I were given a tour of a late-1920s mansion outside Detroit. To reach the second floor, we decided to take the vintage elevator. As it descended toward us, it sounded like a cage being rattled by a large animal. Our guide cheerfully told us not to worry; the suspect elevator had been well-maintained and was “absolutely safe.”

My fellow engineers and I exchanged looks. We know that nothing is absolutely safe.

On the 100th anniversary of the Titanic’s sinking, it’s worth remembering that safety is and always will be relative. Though lifeboat drills have proliferated since 1912, catastrophes still occur. We can’t simply blame the engineers when things go wrong because, no matter how well they plan, things don’t always go according to plan.

The Titanic is a great example. The ship’s owner, the White Star Line, convinced itself and potential passengers that the new vessel was “unsinkable,” but no good engineer should have agreed. Engineers must weigh safety against other features. The Titanic, like all designs, was a compromise.

A century later, it’s easy to second- (or third- or fourth- or fifth-) guess the planning of this enormous ship. Conflicts between those who design large technological systems and those who pay for them are resolved by negotiation, a process that doesn’t guarantee safety. Thomas Andrews, the Titanic’s designer who went down with the ship, wanted bigger bulkheads — watertight walls that separate parts of a ship below decks — and more lifeboats, but White Star wouldn’t provide them. The Titanic did have the then-legally required number of lifeboats, but Andrews knew that it was far too few. One row of lifeboats was even removed before sailing to preserve one deck’s view.

Meanwhile, the Titanic’s bulkheads were not tall enough to compartmentalize the ship under all circumstances. It could have withstood a head-on collision with an iceberg, but not a hole along its side that flooded multiple compartments.

Of course, that’s exactly what happened. So much water rushed into the forward compartments that the Titanic’s bow dipped. Water cascaded sternward over the tops of the bulkheads and filled compartments further back, sinking the ship. The bulkheads were a fatal flaw.

Had the Titanic not sunk, competing steamship lines may have wanted to one-up White Star by building still larger ships with fewer lifeboats and bulkheads (which restrict passenger movement), resulting in even more dangerous vessels. The sinking provided a wake-up call that fundamentally changed maritime regulation, including the establishment of an International Ice Patrol. Stronger ships outfitted with enough lifeboats to accommodate passengers and crew became the norm. Overall safety was improved by tragedy.

Today, cruise ships larger than the Titanic have safety and navigation features, such as sonar and radar, that were unavailable to the Titanic’s designers. Yet the Costa Concordia, the vessel operated by a subsidiary of Carnival Corp. that ran aground in January off the coast of Italy, had obvious vulnerabilities that modern technology couldn’t eliminate. The hull of a vessel so massive could still be ripped apart by a collision with a jagged underwater rock, for example. Everything, even a steel hull, has its breaking point.

With advanced navigation devices giving a captain and his crew constant information about impending obstacles, huge rocks should be easily avoidable. However, on the Concordia, it appears that captain Francesco Schettino could have been emboldened by the very safety features that were supposed to protect his passengers.

“He drives a ship like a Ferrari,” one crew member said.

Schettino sailed a more dangerous course than was advisable, exposing his ship to greater-than-expected risks. But state-of-the-art ships the size of the Concordia had navigated shallow waters before. Why couldn’t he?

Unfortunately, the Concordia could not steer clear of submerged rocks in time. Its hull was torn open, and the vessel listed badly to starboard. Schettino’s decision to drop anchor only made the problem worse, as did a 45-minute delay in deploying lifeboats.

We call the fates of the Titanic and the Concordia — as well as those of the space shuttles Challenger and Columbia — “accidents.” Foreseeing such undesirable events is what engineers are expected to do. However, design trade-offs leave technological systems open to failings once predicted, but later forgotten.

Companies selling a product play down its vulnerability and emphasize its robustness. But only after technology leaves the dock is it really tested. For human operators in control of a supposedly infallible system, complacency and overconfidence can take over, and caution may be thrown to the wind. Schettino allegedly wasn’t wearing his glasses before the Concordia went down and couldn’t read the radar clearly. No ship can be saved from a carefree captain.

Outside Detroit, we three engineers had a rough ride to the mansion’s second floor. The elevator started with a jerk and stopped with a greater one. At the tour’s conclusion, we rode the elevator back down, this time paying little attention to the racket. After just one trip, we were accustomed to the machine’s idiosyncrasies; we ignored the elevator’s perceived weaknesses and just asked it to take us where we wanted to go.

How quickly we forget lessons learned.

outlook@washpost.com

Henry Petroski is the Aleksandar S. Vesic professor of civil engineering and a professor of history at Duke University. He is the author of “To Forgive Design: Understanding Failure.”
