Set Aside That Optimism If We Want to Avoid Disaster

That the catastrophe at Valdez would occur sooner or later, that the response of Exxon, of state and federal authorities to such a tragedy would be hopelessly inadequate, were virtually guaranteed.

A captain who tested legally drunk, an unlicensed third mate at the helm and the absence of an effective procedure for coping with the spill were the immediate causes of the tragedy, yet explanations that go no further than specific circumstances miss the point. These were no more than consequences of decisions made earlier, no more than manifestations of an underlying problem that conditioned the accident, the very same that attended the destruction of Challenger. Quite simply, the root cause of the Valdez disaster was optimism.

Our organizations, both public and private, are afflicted with a management philosophy that focuses on success and economic efficiency. Yet the one fact we can know for sure about all organizations and all human beings is that they will make mistakes--errors will occur. Many will be nuisances, easily disregarded. But, as Valdez and the Challenger disaster sadly attest, all too frequently the consequences of those errors are more than we can afford to bear.

When we do seek to improve our organizations, recommendations usually focus on increasing efficiency and “managing for success.” It is hard to find design proposals deriving from searches to uncover potential for error. Our tendency is, alas, to the contrary: We suppress error and punish the bearers of bad news. For reasons of efficiency, we strip redundancies from our organizations, the very features that protect against error. Engineers know better: In mechanical and electronic systems, the principles of error detection, correction and protection have been enshrined as key values, the latter typically implemented through redundant systems--as in dual braking for cars, multiple controls for aircraft, etc. These systems are reliable precisely because their designers were pessimists.

In the absence of failure, we can, over a period of time, easily come to believe that failure will not occur. The more time since the last failure of a particular organization, the more likely it is that we will lower our estimated probabilities of future failures. A “law of increasing optimism” seems to take hold. In concert with pressures for economic efficiency, such optimism diminishes our willingness to search out and reduce the potential for error and to devise and implement mechanisms to protect against the effects of those failures we cannot prevent.

Even where potential failures have been identified and their effects estimated (such information was contained in the contingency plan for Valdez) and protective mechanisms established, it is enormously difficult to maintain them continuously. At Valdez, a 24-hour emergency oil-spill response team was in place--until 1981, that is. It was then eliminated because those in authority felt that a “diminishing risk” did not warrant the expense of such a team. The contingency plan remains, but no resources were allocated (the plan calls for volunteers and private boats to do much of the cleanup). State officials and local residents only briefly opposed the elimination of the response team. This suggests that they, too, are subject to the law of increasing optimism.

When people believe that because nothing has gone wrong, nothing will go wrong, they court disaster. There is noise in every system and in every design. If this fact is ignored, nature soon reminds us of our folly.

In the last few years have we not seen enough preventable failures--from the collapse of an elevated walkway at a hotel in Kansas City to Three Mile Island to Bhopal, Challenger and now Valdez? In the best of all possible worlds such failures would signal and occasion the need for a fundamental change in our management strategies. We would proceed to failure-avoidance management, which, it can be shown, produces success.

To avoid such disasters is to set aside the optimism of prevailing management wisdom and recognize that nothing can forever operate at design point. It is this type of permission that prompts that steady search for error, persistent fault analysis and those appropriate doses of redundancy that reduce the potential for error and simultaneously allow for the correction of those that will inevitably occur.

The law of increasing optimism tells us that it is difficult to sustain this posture. But if we don’t, the Exxons of the world will continue to take newspaper ads apologizing for Valdez debacles. Small consolation, this is, to the environment, to sea life and to fishermen.