When Systems Fail: From the Titanic to the Estonia
Karlene H. Roberts
Robert G. Bea
Organizational Dynamics, 2001, 29, 179-191
Executive Summary
Globally, we are designing increasing numbers of organizations and systems of
organizations that need to be continuously error free. This paper shows how
organizations are slow learners when it comes to developing strategies that might protect
them against errors. This is illustrated through examining three major catastrophes in a
single industry and one major success in another industry. While physical structural
(technological) incapacities contributed to the failures, five managerial building blocks
contributed as much or more. They are organizational structural failure, an emphasis on
efficiency as opposed to reliability, core competencies that turned into incompetencies,
lack of appropriate sensemaking, and lack of heedful interaction. Concluding remarks
point out issues managers of risk mitigating organizations need to incorporate into their
organizational cultural norms.
1
Managers often fail to realize how vulnerable their organizations are to fatal error.
That was certainly true of those managing Union Carbide's chemical plant at Bhopal, the
Exxon Valdez, Barings Bank's Singapore operation, the Space Shuttle Challenger, and
the U. S.Marine Corps low flying aviation activities in Italy.i These organizations did not
exhibit characteristics of high reliability organizations (HROs) in a world increasingly
demanding high reliability operations.
In a generation or two, the world will likely need thousands of high-reliability organizations, running not just nuclear power plants, space flight, and air traffic control, but also chemical plants, electrical grids, computer and telecommunication networks, financial networks, genetic engineering, nuclear-waste storage, and many other complex, hazardous technologies. Our ability to manage a technology, rather than our ability to conceive and build it, may become the limiting factor in many cases.ii
This limiting factor is now widely represented in many industries, not all of them
technologically complex. In numerous industries it is often said that eighty percent of the
events contributing to a disaster are human or organizational and only twenty percent are
design or other factors.iii When a catastrophic error occurs and an investigation is done it
usually focuses first on the engineering design and manufacturing components of the
incident. This is somewhat analogous to the drunk who looks for his lost keys under the
streetlight because that is where the light is. When findings from that approach are
limited the next step is to examine individual error, in order to name and blame the
culprit. The investigation usually ends here but this is almost never the whole story
because individual acts are embedded in systems that direct the individual’s behavior.
This situation probably exists because many designers and managers of systems
that can fail spectacularly have engineering backgrounds. However, there is a growing
2
social science literature concerned with managing HROs. This literature attempts to
identify managerial causes of failure and managerial failure prevention strategies.iv
Disaster’s Missing Building Blocks
Our research and that of others clearly indicates the many accidents that have
plagued and will plague organizations result from rapidly developing crises. Most of
these crises are unpredictable and develop so rapidly that implementing good decisions
seems to be impossible.v We identified five major building blocks that are necessary for
mitigating error but which often seem absent in disasters. Prudent managers need to
include them in systems that must be reliability enhancing.vi While we found all five of
them missing in a set of disasters we examined, perhaps including only a few of them
might have prevented the events.
Structural Failure
Most organizational catastrophes have physical structural problems. Engineers
operate with the philosophy that if they design and build the technology perfectly, error
will be avoided regardless of what people and organizations do. This may be a good
philosophical point but one we have never seen operate in reality.
What may be less obvious but possibly more important is that failure might be
successfully mitigated by implementing one or more organizational structural
processes.vii That we need to shift our attention from rational structural models of
organization that may be good enough to channel the energies of people in “garden
variety” organizations, to more flexible process models of organizations is evidenced by
the publication of more agile models of organizations in scholarly journals. These
models are responsive to the growing complexity and globalization of organizations, but
3
some may be equally adequate to the expanding need for organizations that must be
nearly error free all of the time.viii
Efficiency versus Reliability
One paradox in many organizations is that between the drive toward efficiency
and the drive toward reliability. By its very nature efficiency calls for reaching goals in
as cost effective and time efficient manner as possible. Most organizations try to do this
by downsizing, outsourcing and cutting costs wherever they can. On the other hand
reliability requires constant attention to process such as intra group behavior, intergroup
behavior, and communications; riveting attention to detail; cross training; paying
attention to interdependencies of people, their organizations and outside constituents; and
time consuming vigilance. Efficiency is obtained through rational decision making;
reliability is often achieved through trained intuition and in depth analyses.ix
Core Competencies and Incompetencies
Organizations can develop competencies that later turn into incompetencies.x
Core competencies are sets of skills, complementary assets and routines that provide the
basis for a firm’s competitive capacities and sustainable advantage. The literature on core
competencies includes the inherent assumption that their development corrects patterns of
incompetence. Furthermore, competencies are thought to be enhanced as they are applied
and shared. Organizational and institutional arrangements simultaneously structure
competence and incompetence creation by demanding certain behaviors thought to
accomplish some task.
4
Sensemaking
Sensemaking is literally the making sense of one’s situation. That people make
different senses of the same situation is well illustrated in eyewitness testimonies by
several people about the same event. There is often disagreement about what happened
because these people are making different senses about the same event.xi
The idea of retrospective sensemaking derives from Schutz’s (1967) analysis of “meaningful lived experience.” The key word in that phrase, lived, is stated in the past tense to capture the reality that people can know what they are doing only after they have done it…. Readers may object that their experience seldom has this quality of continual flow. Instead, experience as we know it exists in the form of distinct events. But the only way we get this impression is by stepping outside the stream of experience and directing attention to it.xii
Group Performance and Heedful Interaction
Reliable organizations are characterized by collective mental processes and social
conduct that are more fully developed than they are in organizations concerned primarily
with efficiency. In these settings people act heedfully. Collective mind is present when
people act as if being a member of a group entails producing a collective representation
of a social system of joint action by subordinating their individual actions or
contributions to that system.xiii A collective representation of the organization, its
processes and purposes is developed much as a hologram is developed. In the typical
high efficiency organization routines are carried out less thoughtfully than in high
reliability organizations.
The first defining property of group performance is that individuals create the social forces of group life when they act as if there were such forces…. The second defining property of group performance is that when people act as if there are social forces, they construct their actions (contribute) while envisaging a social system of joint actions (represent), and interrelate that constructed action with the system that is envisaged (subordinate).
5
The word “heed” captures an important set of qualities of mind that elude the more stark vocabulary of cognition. These nuances of heed are especially appropriate to our interest in systems preoccupied with failure-free performance. People act heedfully when they act more or less carefully, critically, consistently, purposefully, attentively, studiously, vigilantly, conscientiously, pertinaciously (Ryle, 1949:15). Heed adverbs attach qualities of the mind directly to performance….xiv
The rest of this paper illustrates the breakdown of these five building blocks
in three situations. This is followed by a demonstration of the optimal use of these
building blocks in a successful situation.
Down to the Sea in Ships
Some critics of the research on high reliability organizations (HROs) argue that
the findings from this work are only applicable to very large, technically complex
organizations. The commercial marine industry is focused on here for two reasons. First,
like many other industries, much of the industry operates equipment suffering from
geriatric problems and it is not a particularly technologically complex industry. Second,
Charles Perrow, in his seminal book, Normal Accidents, states that the entire industry is
an accident waiting to happen.xv The industry has many parts and failures. Oil tanker
spills are often brought to our attention. We hear little about bulk carrying operations,
where in fact the vast majority of the accidents occur (and a grounded bulk carrier filled
with cyanide can ruin the day for everything in the vicinity), and less about container
carriers on which we all rely.
The destruction of a modern passenger liner or one of the newly contrived river
gambling boats would no doubt bring a flurry of investigation about what went wrong
(because of the number of people involved) and legislation to fix it. It is probable that the
investigation would focus on finding an individual and/or mechanical culprit and would
6
miss all together the organizational issues involved. The September, 1999, engine room
fire aboard Carnival Cruise Line’s passenger ship Tropicale (which resulted in the ship
dead in the water with a tropical storm moving toward it) provides what should be an
early warning alert for the industry to examine itself more carefully.xvi All three of the
accidents we are about to discuss received enormous press attention and the last thing
most organizations want is that kind of CNN time. Accident investigations frequently try
to identify initiating, contributing and compounding causes. One initiating event is
usually associated with a number of contributing and compounding events. We focus on
those properties in our discussion.
The Titanic
The popularity of the movie, “The Titanic” brings to mind our first example.
Most of us are familiar with the Titanic tragedy in 1912. At the time she was the largest
and grandest ship, but her basic technology and construction were no different from any
other modern passenger ship. More then 1,500 lives were lost and the pride of the cruise
ship world went to the bottom of the Atlantic Ocean. We know about the proud captain
and crew, an unsinkable ship, the collision at night with an iceberg, and the half-filled
lifeboats. But do we understand why the ship was steaming at full speed through an ice
field, why the messages to slow down were never taken seriously, why the ship’s flawed
design and construction went unrecognized, and why there were insufficient preparations
for evacuation and life saving.
First we examine the initiating cause of the accident.xvii Failure to see the iceberg
in time and turn the ship was certainly an initiating cause. The Titanic had received a
number of warnings of ice in the region, and although Captain E.J. Smith is known to
7
have seen ice, he did not alter his speed of about twenty-one knots. There are several
possible reasons for this. The captain’s overconfidence may have been contributed to by
the fact that visibility was good that night and the ship was believed to be unsinkable. As
important as the initiating causes were the contributing issues of excessive speed,
insufficient bulkheads, ignored warnings, and a new crew on a new ship. The
compounding causes that let the initiating causes escalate into a catastrophic ‘night to
remember’ ranged from insufficient evacuation procedures, equipment, and practice, to
ignored evacuation warnings. Even though the ship was supposed to be unsinkable, the
bulkheads were not arranged to prevent flooding.
In 1993, a team of architects and engineers issued a report stating that the Titanic
tragedy was caused not so much by collision with the iceberg as by the structural
weakness of the ship’s steel plates.xviii Low grade steel, such as that used on the Titanic is
subject to brittle fracture, breaking rather than bending in cold temperatures. A better
grade of steel might have better withstood collision.
The impact of the ship with the iceberg was barely felt and the gravity of the
situation was comprehended only gradually. Additional compounding causes included
great confusion in loading the lifeboats because no one had practiced for evacuation.
And there were only enough lifeboats for half the passengers. Furthermore, the officers
in charge of loading the boats were afraid that if they were fully loaded, either the boats
would buckle as they were being lowered or the cranes holding the boats over the side
would break, so they lowered them partially filled. Neither of these things would have
happened as both the boats and cranes had been tested.
8
It is likely that communication mishaps further compounded the situation and
contributed to unnecessary loss of life. The California had stopped for the night in the
ice less than twenty miles away. Her wireless operator had stopped working only fifteen
or twenty minutes before the Titanic tried to get through with a disaster call. The Titanic
did succeed in reaching the Carpathia, about fifty-eight miles away.
As a result of this disaster many new rules and laws were established to guarantee
safe operation and the availability of appropriate life saving equipment. There were new
rules about lifeboats and safety drills, shipping lanes were moved further south, and the
International Ice Patrol was established to monitor iceberg movement. New regulations
were also brought to bear on wireless communication. But no one really thought about
the management filigree within which all this takes place.
The Herald of Free Enterprise
The passenger and freight ferry, The Herald of Free Enterprise shows that the
lessons that could have been learned from the Titanic had not been learned by the
commercial shipping industry many years later. On a March evening in 1987, shortly
after 6:00 PM the ferry left the dock in the inner harbor of Zeebrugge in Belgium, en
route to Dover. The Ro-Ro (roll on – roll off) ferry was heavily loaded with cars and
other vehicles and four hundred fifty nine passengers. As the ferry left the dock, the
Captain, anxious to maintain his schedule, accelerated the ship. Captain David Leery
walked outside the wing of the bridge and watched the ship’s stern as she backed out of
her berth. Had he turned forward he would not have seen that the bow doors were open
because they were blocked from his view. There were also no door position displays on
the bridge. The open bow doors were the critical initiating event. There was also a
9
problem with the forward ballast tanks. The pumps had very limited capacity and often
took two hours to clear the water from the tanks. As a consequence the ship rode in a
nose down position for much of the voyage, a situation of particular concern in the North
Sea’s heavy swells.
Captain Leery, once again on the bridge, headed the ship toward the cold North
Sea and ordered the helmsman to pick up speed so they could slowly work their way to
twenty-two knots. But with each small increment in speed the bow wave rose closer and
closer to the door. When the Herald was a mile outside the breakwater she reached a
speed of fifteen knots and the first gallons of water rolled freely into the car hold. The
flow of seawater transformed into a solid and thick wall within ten seconds. The
inevitable happened within a minute and the massive weight shifted to the port side. The
captain and helmsman failed to realize what was going on until it was too late. The
8,000-ton ship sank. More than one hundred ninety passengers and crew died within
sight of the dock. Life saving measures onboard the vessel were, again, totally
inadequate.
Our evaluation of the causes of the event is based on investigations of the
tragedy.xix The initiating event was the failure to close the bow doors by a fatigued
operator asleep next to his bunk. The door operator had done this before but the problem
had been caught. Ship personnel repeatedly notified shore based management of the
problem. Why was the on-watch crewmember asleep? Due to the rapid turn around of
the ship and the demanding crew schedule, there was little time for rest. Thus, fatigue
exacerbated by poor management was the critical contributing event. When the ship
capsized it became very evident there were inadequate escape routes and facilities. The
10
cabinets containing life vests were locked to prevent theft. The critical compounding
events, then, were inadequate preparations and measures for emergencies.
Later that year the British Court of Inquiry found the accident was attributable to
the assistant boatswain who failed to close the doors, the chief officer who failed to check
up on him, and the captain who never should have left port without being certain the
doors were closed. The Court did state that the company, Townsend Thoreson, was guilty
of running a generally “sloppy” operation. Blame was assigned and new rules were put in
place to make sure the accident never happened again. Again, the management
framework within which the accident happened went unscathed. And the next accident
was already incubating. By October the memory of the greatest British peacetime sea
disaster since the sinking of the Titanic had faded. There were five reports of channel
ferries getting underway with their doors open. Between 1975 and 1986 sixteen incidents
of bow damage to passenger ferries operating in the Baltics were observed.xx
The Estonia
During the 1970s and early 1980s the two major shipping groups in the Baltic Sea
began to lower prices, cut costs, and transform their ferries into floating hotels with
casinos, night clubs, and shopping malls. Transforming ferries into palaces of
entertainment does not remind passengers and crewmembers of the potential risks
involved in sea travel. The crews were structured to focus on achieving high efficiency
and economies of scale through standardization, specialization and routinized
decentralization.
Early one spring evening in 1994, the passenger ferry Estonia left its home port
and steamed toward its next port, Stockholm, into the teeth of a Baltic Sea storm. Noises
11
from the front of the ship were ignored. The captain headed the ship directly into the
waves (3 to 4 meters high) and into an increasingly strong wind. Suddenly the Estonia
began to list and fill with water. The ship left port at 1915 hours and sailed normally
until about 0100 hours. On the bridge the master noted that she was rolling and that they
were one hour behind schedule despite having all engines running. Shortly before 0100,
during his scheduled rounds on the car deck the seaman on watch heard a metallic bang.
The master attempted to find the sound but none of the orders given or actions taken by
him or the crew was out of the ordinary. Further observations of the noise were made at
about 0105 by passengers and off duty crew members. When the seaman reported water
on the deck it was news to the bridge. At 0115 the third engineer saw an enormous
inflow on his monitor. He didn’t report this to the bridge because he assumed the bridge
had the same picture. And he didn’t slow the ship down because he was waiting for
orders from the bridge.xxi In fact, the engines automatically shut down and he tried to
restart them. The officers on the bridge probably didn’t look at the monitor.
The visor separated from the bow at about 0115. As a result the ramp was pulled
fully open allowing water to rush in. The distress message traffic started from Estonia at
0122 hours and the last one was at 01:29. 27. The ship disappeared from the radar screens
of other ships in the area at about 0150 hours. The Estonia was among the largest bow
design ferries, and experience with similar designs was limited. The stability criteria for a
ship like the Estonia were laid down in the international declaration, SOLAS 90.
According to SOLAS, in case of visor damage the ship's design would give sufficient
protection against capsizing in waves with a significant height of less than 1.5 meters.
12
The crew work schedule was two weeks on and two weeks off. This crew was in
the thirteenth of a fourteen-day cycle. It was relatively inexperienced. That night, except
for the short time the captain was on the bridge and during the time the storm was
increasing, the ship's responsibility was in the hands of the first through the fourth mates.
The shift from 0100 to 0600 was in the hands of the second and fourth mates, with
respectively two and a half and one and a half years of experience. These men were not
trained to deal with heavy weather. The life boat orders were not given until five minutes
after the list developed and the time available for evacuation was between ten and twenty
minutes.
Again, based on the official inquiry we evaluated the initiating, contributing, and
compounding events that resulted in this catastrophe.xxii Initiating events were the failure
to monitor the bow doors and the inadequate design of those doors (redundant but not
damage tolerant closure latches). Contributing events were again, fatigue and poor
management. Compounding events were inadequate life saving measures. Many of the
events and factors are similar to if not identical with those of the Titanic and Herald of
Free Enterprise
The Absence of the Building Blocks
Structural Failure
The physical structural problems in the three incidents are obvious. The bulkhead
problems and the use of low grade steel on the Titanic, a ship design that prevented the
bow doors from being visible and the inadequacy of the forward ballast tanks on the
Herald of Free Enterprise, and the inadequate bow design on the Estonia, are all physical
structural culprits and precisely the kinds of culprits accident investigations unearth.
13
Organizational structural properties that are often overlooked by managers and
were overlooked in these cases abound. In the case of the Titanic had the captain
believed his ship was standing into harm’s way he might have been able to reorganize his
crew into work teams to effectively evacuate passengers. Pre voyage crew training
should have been done, and included practice at re configuring crew teams to meet
changing conditions.
As we noted previously the bow doors on the Herald of Free Enterprise were
designed in such a way that they could not be seen from the ship’s bridge and no
monitors of their position were on the bridge. In addition to the lack of bow door
monitors, it was not unusual for such ferries to sail through the harbor with their doors
open. The two vehicle decks of these ferries filled with vehicle exhaust during loading
and it was necessary to clear the air in the expansive holds. Some captains viewed this as
a potential hazard and had voiced their concerns with management. But they were part of
a rigid management structure that may not have heard them, and if they did ignored them.
A flexible organizational structure that deals with passenger safety first appears to have
been non existent.
In the case of the Estonia the organizational structural problem is clear. While
standardization, specialization, and routinization are good strategies for operating
organizations faced with benign and unchanging circumstances, they are very poor
strategies if the organizations must face new, unexpected contingencies. This is well
illustrated in that the engineer failed to report the water on the deck to the bridge and
failed to turn the engines off. Under routinization it was appropriate for him to think the
captain would tell him what to do.
14
We contend that the physical structural failure in all of these events could have
been dealt with to help avoid catastrophe or at least aid damage control by attending to
organizational structural processes in ways that made them more flexible and able to
respond to rapidly changing conditions. The same is true with regard to the absence of the
other four building blocks.
Efficiency versus Reliability
While The Titanic was a ship of grandeur her management had skimped on at
least two things – high quality steel and lifeboats. Skimping this way cuts costs. While
regulations at the time did not say she needed lifeboats to accommodate every passenger,
more lifeboats may have helped. Because the new crew was on a new ship it is highly
unlikely that sufficient training or melding together as a truly interdependent crew had
occurred. There was no emergency evacuation training, and cross training certainly didn’t
occur. The captain’s vision that his ship was virtually unsinkable and his desire to meet
his schedule probably resulted in a rational view that it was safe to sail at top speed
through icy waters. Certainly vigilance was lacking. The watch standers the night of the
accident were working without binoculars and did not see the iceberg until it was a
quarter of a mile away. The ship was unable to communicate with the ship closest to it.
All of these are aspects of efficiency, not reliability.
Vigilance was lacking, too, on the Herald of Free Enterprise. The fatigued
operator failed to close the bow door. The operator was asleep because of the pressures
for tight schedules brought to bear by the company. The company and the operator
interacted in such a way to cause the dramatic accident. The company was going for
efficiency but the situation called for reliability.
15
The Estonia exhibits similar problems. Again, the bridge crew was relatively
inexperienced. Vigilance was entirely lacking on the bridge, particularly at the time of the
crew shift change. It is probable that a bridge monitor showed exactly what was
happening but the crew failed to see it. The engineer failed to communicate the flooding
situation to the bridge after he became aware of it. The decisions made on the bridge
appear to have been rational responses to a situation that did not exist. It is possible a
more experienced crew could have ferreted out what was really going on. Management
of the Estonia had made explicit efforts to make her as efficient as possible through
structuring.
Core Competencies and Incompetencies
Core competencies developed as a part of being a master of a ship for The White
Star Line ultimately contributed to the Titanic disaster. The captain was very
experienced at sailing passenger ships in icy waters. He took his training and everything
he perceived about his situation and operated his ship in what he thought was a safe
manner. When the ship identified the oncoming iceberg one seemingly prudent thing to
do was to run the ship away from it, which the captain did resulting in the ship grazing
the iceberg. However, it is possible that if the captain had sailed the ship directly into the
iceberg it would not have broken up.xxiii A ship driving axiom is that if you know you are
going to hit something it is best to steer into it because the stem is structurally the
strongest part of a ship. A seemingly prudent thing to do in one situation may not have
been prudent in another. The captain probably didn’t think he was going to hit the
iceberg until it was too late to invoke this particular ship-driving axiom.
16
In both the Herald of Free Enterprise and Estonia situations as the ships began to
come into harms way crewmembers engaged in behaviors appropriate in normal
situations but entirely inappropriate to the situation they were in. In the case of the
Herald of Free Enterprise it was appropriate to gain speed in a situation in which the bow
doors were closed. Aboard the Estonia the engineer tried to “correct” an engine shutdown
that was an automatic safety feature. And he failed to inform the bridge of his situation.
The competence that turned into an incompetence is his assumption the bridge was
responding to the situation based on what people there could see and his appropriate role
was to wait for orders.
Sensemaking
Poor sensemaking is illustrated in all three of our shipping examples. In all three
cases the people in charge failed to realize they were sailing into harm’s way. The
captain of the Titanic thought his ship could withstand the potential perils of the icy
shipping lanes. After the collision people aboard didn’t realize there was trouble because
they barely felt the collision. A correct picture of how to handle the lifeboats did not
form in the minds of the officers charged with handling them.
In the case of the Herald of Free Enterprise, poor sensemaking about what needs
to be in place to insure safety characterizes the assistant boatswain and the person
checking up on him. If other ships were regularly sailing from the harbor with bow doors
open the captain’s sense that this was appropriate was at least consistent with the
behavior aboard other ships. If many were doing this it must be ok.
Transforming ferries into floating hotels certainly does not help convey the
appropriate sense of the need for reliability and safety at sea. The master on Estonia’s
17
bridge had exactly the wrong picture of what was transpiring. Even when evidence of
danger was clearly on the bridge’s monitors he and his crew failed to perceive it. The
situation with the engineer shows even more clearly the absence of appropriate
sensemaking. He had pictures of water. Despite that information he tried to override an
automatic engine shut down.
Group Performance and Heedful Interaction
Aboard the Titanic with her new crew on the new ship it was probably impossible
for heedful interactions or the quality of groupness to develop in such a short time. As
was the case aboard all three ships the organization processes became untied from one
another. The organization could not operate as a heedful mind in which participants are
sensitive to different parts of the unfolding events and able to bind them together
seamlessly across people. The watch standers were not heedful. The captain paid little
or no attention to warnings about ice and was sailing too fast for the conditions. Heedful
relations among people were not built in through emergency evacuation drills. After the
ship struck the iceberg neither the passengers nor the crew acted as an organized group in
a heedful way. They failed to subordinate their activities to the needs of the system. The
California also behaved in a less than heedful way. Radio operators stopped monitoring
the radios and thus left the ship insensitive to behaviors around it.
The behavior of the assistant boatswain on the Herald of Free Enterprise is a
classic example of a person opting out of group interaction and a collective mind. Many
catastrophes happen because people who are important to safe operations leave the stage.
In this case the chief officer also failed to be a part of the collective mind. Heedful
relatedness was missing all together. Perhaps the inexperience of the crew contributed to
18
this. Lack of heedfulness was probably inherent to the organizational structure of the
ship.
In the atmosphere of fun and frolic, as existed on the Estonia, it is probably
extremely difficult to develop the careful, heedful, interrelating required to operate a huge
passenger ship. That it didn’t exist is obvious. If it had the engineer’s activities would
have been more tightly tied to the captain’s and he would have been sensitive to
appropriate steps that needed to be taken when he saw the water on the monitor. One
characteristic of heedful interactions is that everyone in a situation has an approximately
correct picture of the situation and is able to draw from his or her repertoire appropriate
scripts and schemas to guide behavior. In all three situations the pictures drawn in the
minds of the major players were useless.
Using the Building Blocks
That the building blocks focused on here, when used, can reduce the magnitude of
a developing crisis is illustrated by our final example. This example is drawn from the
commercial airline industry, an industry used as a model of risk mitigation
implementation by other industries.
In 1989 United AirLines Flight 232 out of Denver headed for Chicago radioed the
company maintenance facility in San Francisco after an engine explosion resulted in the
loss of hydraulic power. The explosion was due to a fracture in the metal fan disc induced
during its production by ALCOA eighteen years earlier. The maintenance facility had no
solution to the problem because its personnel did not believe such a problem could
develop. In addition, McDonnell-Douglas, the designer and builder of the DC-10, had
not planned for a total hydraulic failure of the plane. Moreover, because the plane was so
19
large the forces required to control it were beyond the manual control of a single
individual and the aircraft was not equipped with a manual backup to the flight controls.
The captain was informed by a flight attendant that a check pilot was aboard the
aircraft. He invited the pilot to the cockpit and together with the second officer and
engineer they worked as a team to manually land the plane, and accepted suggestions and
direction from air traffic controllers. In turn, ground controllers contacted Sioux City
emergency response organizations to insure their readiness to handle damage and victims
when the aircraft touched down.
United has replicated the incident a number of times in its DC-10 simulator at
Denver. The outcome is never as good as the one Captain Al Hanes provided in the
actual situation (111 people died and 185 survived).xxiv In actuality everyone on the
flight should have died. The incident is heralded as a miracle in the airline industry.
A physical structural failure caused the accident. But the key to the event’s
success lies in what the captain and crew did. This accident provides evidence of the
utility of flexible organizational structures in reliability enhancing organizations.xxv Here,
the captain literally changed the structure of his aircrew, supplementing it with additional
physical resources for maneuvering the plane as well as the knowledge resource the
additional pilot brought with him. He also opened the flight crew structural process to
inputs from ground based flight controllers and maintenance personnel. These efforts
contributed to greater organizational malleability.
Over the years United has built into its organization and continually trained flight
crews strategies of crew resource leadership (CRL), as a core competency. It changes
CRL training components as it finds new things that contribute to better aviation safety.
20
Hanes capitalized on this competency and, in fact, UAL uses tapes of Hanes and his
colleagues talking about the accident in their current training. The competency was
appropriate to the situation.
Hanes had no idea what had happened except that he had lost hydraulic power.
An inherent aspect of United’s crew leadership training is a focus on group decision
making. Hanes and his crew together developed a picture of the situation they were in
based on previous experience with aircraft hydraulic systems, the terrain around them,
etc., engaging in good sensemaking that allowed them to make good decisions. They
were greatly helped by a regional FAA center and by information coming from the
airport tower at Sioux City. Finally, Hanes brought many people into the group, all of
whom performed roles for which they were trained, in such a way that people
subordinated their individual actions to the system and produced a correct collective
representation of their situation.
Conclusion
Here we illustrate, through the use of three examples of organizational calamity
and one heralded example of organizational success, the importance of five building
blocks that can mitigate catastrophe. We also showed the inability of an industry to learn
from its errors. As evidenced by the direction taken by most accident investigations
errors are often buried in the technology in use. But they are also buried in our five
building blocks; rigid organizational structure, the drive toward efficiency as opposed to
reliability, core competencies that turn into incompetencies, failures in sensemaking, and
the absence of heedful interaction in group behavior.
21
In thinking about enhancing reliability and mitigating risks in organizations
managers need to develop corporate norms that:
• Recognize that technological failures often happen and look beyond them for other potential inputs to catastrophic consequences
• Build into the organization fluid structures or the ability to override hierarchical
bureaucratic structures with more fluid structures as conditions change • Help managers recognize what constitutes changing conditions • Develop mind-sets against embracing efficiency models of organization and instead
introduce mechanisms for increasing reliability • Identify core competencies and ferret out possible situations in which these may turn
into incompetencies • Help managers recognize the different interpretations (sensemaking) people in
different organizational roles bring to events (have them role play witnesses to an event so they learn to question their perceptions)
• Train and develop organizational members to engage in group development and
heedful interactions. Such interactions require that people care about the fate of those around them.
i See, Shrivastava, P. 1987. Bhopal: Anatomy of a crisis. Cambridge, MA: Ballinger;
Davidson, A. 1990. In the wake of the Exxon Valdez. San Francisco: Sierra Club; and
Keeble, J. 1991. Out of the channel: The Exxon Valdez oil spill in Prince William Sound.
New York: Harper-Collins; Leeson, N. 1996. Rogue Trader: How I Brought Down
Barings Bank and Shook the Financial World. Boston: Little Brown; Vaughan, D. 1996.
The Challenger Launch Decision: Risky Technology, Culture, and Deviance at NASA.
Chicago: University of Chicago Press.
22
ii Pool, R. 1997. Beyond engineering: How society shapes technology. New York: Oxford
University Press.
iii See, for example Bea, R.G. 1995. The role of human error in design, construction and
reliability of marine structures. Ship Structure Committee Report SSC-378, Washington,
D.C.
iv See, for example, La Porte, T.R. and Consolini, P. 1991. Working in practice but not
in theory: Theoretical challenges of high reliability organizations. Journal of Public
Administration Research and Theory, 1, 19-47; Roberts, K.H. 1990. Some characteristics
of high reliability organizations. Organization Science, 1, 160-177; Rochlin, G.I. 1989.
Informal organizational networking as a crisis avoidance strategy: U.S. Naval flight
operations as a case study. Industrial Crisis Quarterly, 3, 159-176; Sagan, S. 1993. The
limits of safety: Organizations, accidents, and nuclear weapons. Princeton, NJ: Princeton
University Press; Weick, K.E. 1987. Organizational culture as a source of high reliability.
California Management Review, 29, 116-136.
v See M.S. Bogner, (Ed.) 1994. Human error in medicine. Hillsdale, NJ: Lawrence
Erlbaum; Lagadec, P 1991. Preventing chaos in a crisis. London: McGraw Hill;
Pauchant, T.S. Mitroff, I.I. 1992. Transforming the crisis prone organization. San
Francisco: Jossey Bass; Perrow, op. cit.; Turner, B.M. 1978. Man made disasters.
London: Wyckham; Vaughan, op. cit.
vi James Reason provides a dynamic model of accident causation. The model shows a
trajectory of accident opportunity penetrating several defense systems. Reason, J. 1990.
Human error. Cambridge, Cambridge University Press; See also, Reason , J. 1997.
Managing the risks of organizational accidents. London: Ashgate.
23
vii See, for example, Bacharach, S.B. Bamberger, P. and Sonnenstuhl, W.J. 1996. The
organization transformation process: The micropolitcs of dissonance reduction and the
alignment of logics of action. Administrative Science Quarterly, 41, 477-506; Rapert,
M.I. and Wren, B.M. 1998. Reconsidering organizational structure: A dual perspective of
frameworks and processes. Journal of Management Issues, 10, 287-302; Roberts, K.H.
1992. Structuring to facilitate migrating decisions in reliability enhancing organizations.
In L. Gomez-Mehia and M.W. Lawless (Eds.) Top management and effective leadership
in high technology firms. Greenwich, CT: JAI Press, 3,171-192.; Volberda, H.W. 1996.
Toward the flexible form: How to remain vital in hypercompetitive environments.
Organization Science, 7, 359-374.
viii See for example, Bahrami, H. 1992. The emerging flexible organization: Perspectives
from Silicon Valley. California Management Review, 34, 33-52; Ciborra, C.U. 1996.
The platform organization: Reconsidering strategies, structures and surprises.
Organization Science, 7, 103-118.etc
ix See, for example, Barrett, F.J. 1998. Creativity and improvisation in jazz and
organizations: Implications for organizational learning. Organization Science, 9, 605-
622; Weick, K.E. 1987. Organization culture as a source of high reliability. California
Management Review, 29, 116-136; Zuboff, S. 1988. In the age of the smart machine: The
future of work and power. New York: Basic Books.
x For a provocative discussion of this see Rerup, C. 1998. Balancing competence and
incompetence creation onboard Estonia: Developing collective mind and learned
ignorance in high efficiency organizations. Working paper. Prahalad and Hamel argue
for the development of corporate core competencies in Prahalad, C.K. and Hamel, G.
24
1990. The core competence of the corporation. Harvard Business Review, May-June, 79-
91. Ott and Shafritz define organizational incompetence in Ott, S. and Shafritz, J.M.
1994. Towards a definition of organizational incompetence: A neglected variable in
organizational theory. Public Administration Review, 54, 370-377.
xi See Weick, K.E. 1995. Sensemaking in organizations. Thousand Oaks, CA: Sage. A
nice example of this is the 1996 movie, "Courage under Fire."
xii Weick, op.cit. Sensemaking. Schutz, A. 1967. The phenomenology of the social
world. Evanston, Ill: Northwestern University Press.
xiii See Weick and Roberts, op. cit..
xiv Weick and Roberts op. cit. p. 361-363; Ryle, G. 1987. The concept of mind. Chicago:
University of Chicago Press.
xv Perrow, op. cit. xvi This is particularly true since the mishap followed so closely on the heels of the fire
aboard the same cruise lines' passenger ship Ecstasy.
xvii See Lord, W. 1955. A Night to Remember. NY: Holt, Rineholt and Winston;
Marcus, G. 1969. The maiden voyage. NY: Viking Press; Wade, W.C. 1979. The Titanic:
The end of a dream. NY: Rawson Wade.
xviii Broad, W.J. 1993. New ideas on Titanic sinking faults steel as main culprit. New
York Times, September 16.
xix See, for example Boniface, D.E. and Bea, R.G. 1996. Assessing the risks of
countermeasures for human and organizational error. Proceedings, Society of naval
architects and marine engineers. Annual Meeting, New York; Department of Transport,
25
Formal investigation, MV Herald of Free Enterprise, Report of Court No 8074, (Her
Majesty’s Stationary Office, London, 1987).
xx This is reported in Rerup op. cit.
xxi One of the authors was told about a fire in a nursing home in the United States. When
the fire investigators made their investigation they found the dead patients in the affected
area sitting on their beds in the middle of the night fully dressed. They determined that
the patients had been instructed that in case of an emergency they were to prepare to
evacuate and wait to be rescued. Karl Weick, in his study of the South Canyon Fire in
Colorado found that the firemen who were killed failed to remove their equipment and
flee. One can maintain a sense of security when doing what one does in a more “normal”
situation. Hanging on to the tools of one’s trade is a way to do this. See Weick, K.E.
1996. Drop your tools: An allegory for organizational studies. Administrative Science
Quarterly, 41, 301-313.
xxii This is reported in Rerup op. cit.
xxiii Pellegrino, C. 1988. Her name, Titanic. New York: Avon.
xxiv For an absorbing account of the accident see, Dee, E. 1990. Souls on Board. (Sioux
City: Loess Hills Press.
xxv See also, Weick and Roberts, op. cit.
26