Innovation and Catastrophic Risk

Why We Study Accidents: Complex System Accidents and Their Broader Security Implications

By Leah Walker on November 13, 2020

The result is a system that behaves in nonlinear, complicated, unpredictable, and even uncontrollable ways. Each agent often affects other agents in ways that simply cannot be anticipated. With a complex system, it is usually extremely difficult, if not impossible, to isolate individual causes and their effects, since the parts are all connected in a complex web. The element of chance, interacting randomly with the various agents, introduces even more complexity and disorder.

John F. Schmitt – Complexity, Global Politics, and National Security

Significant risk reduction can be achieved through understanding complexity and normal accidents. To take advantage of this, the Institute for Security and Technology is launching a project focused on Complex System Accidents and National Security. We will examine how countries respond to military and industrial accidents, to better understand the interplay between complex systems, and begin to anticipate means for greater national security risk reduction in the digital era. Over the next few months, we will release a series of essays focused on the historical analysis of a variety of different types of complex accidents. These particular case studies were chosen to better understand military accidents in particular, the national reactions to them, and their broader impacts on strategy and force planning. Through this research and analysis, an increased understanding of these accidents will afford deeper insight into the vulnerabilities and risks that exist in the more technically advanced militaries of the 21st century and will give valuable foresight into the increasingly digitized, networked, and complicated systems of the future. The overall project will look at case studies for several nuclear powers, including the United States, France, Russia, China, and Pakistan.

Diving In: An Initial Look at Naval Accidents and Lessons Learned

On September 23rd, 2020, the United States Navy released the first part of previously classified documents pertaining to the loss of the USS Thresher. Lost during deep diving trials in 1963, the Thresher, built to be the fastest and quietest submarine of the U.S. Navy, instead ended up as the origin of SUBSAFE, the program developed as a result to prevent further catastrophic naval accidents and submarine losses. The resulting legacy of the Thresher has been very successful: no SUBSAFE-certified submarine has ever been lost, even during serious accidents, such as when the USS San Francisco ran into an underwater mountain.

SUBSAFE is a series of safety requirements that apply to the design, building, inspection, operation and maintenance of U.S. Navy submarines. Programs like SUBSAFE, which seek to reduce the likelihood of catastrophic errors in complex systems, are critically important for national security due to the incredible complexity of military systems. Even more so, the stability and reliability of these systems remain a significant priority due to the risks associated with readiness, credibility, signaling, and counterintelligence operations. The submarines and ships that make up naval fleets are vastly complicated, with aircraft carriers and submarines being particularly intricate and prone to both known and unknown failures. They are made up of multitudes of moving, fallible parts, each with a specific role and the potential for unknown interactions with other parts. Accidents in these systems can be devastating, and so learning from them is critical to preventing future mistakes and to protecting the integrity of a fleet. If complex system accidents are taken seriously and investigated thoroughly, conclusions can be drawn and changes can be made that may save lives and money in the future – and increase the credibility of a deterrent and demonstrate the implied threat posed by the fleet. A nation that consistently suffers accidents is a nation whose force will not be taken seriously. When the USS Forrestal was decimated by fire in 1967, the investigations that followed led to major redesigns of heavy carriers, better preparing them for fighting fires as well as solving issues in fire safety and hull design that had previously gone unnoticed – and in turn, adding to the increased perception of the reliability and credibility of these systems in the eyes of adversaries.

It is not only the individual machines in the naval fleets, but also the naval fleets themselves that are complex systems. This is increasingly the case as militaries around the world embrace and incorporate new, highly advanced, networked technologies. For example, the U.S. Chief of Naval Operations has just called for a service-wide tactical communications network, which would link existing ships as well as the navy’s ever-increasing fleet of unmanned vessels. In a future world of “mosaic warfare”, multitudes of military systems, themselves complex, will be joined into ever larger and more complex systems of systems. The result of this scaling up of interconnectedness will be an increasing number of potential initial incidents, such as a malfunctioning pump – errors that then spiral into full-blown accidents. If one such small problem occurs, the resulting shockwaves through the system could unexpectedly spiral.

The navies of tomorrow will work in increasingly close international quarters, as well. Current geopolitics are driving expanding naval activity across the seas of the broader Indo-Pacific. Pakistan, India, and Japan continue to expand their navies, with Japan and Pakistan growing their submarine fleets and even Myanmar having acquired a submarine from India. China continues to rapidly grow its submarine fleet and submarine building capabilities, and continues to make progress on a third aircraft carrier, rapidly moving forward in building out the world’s largest blue-water navy. In mid-July of 2020, the United States had an unprecedented three aircraft carriers on patrol in the Pacific. This is all occurring before the anticipated development and deployment of vast numbers of unmanned surface and underwater systems in the coming decades. The volume of unmanned air vehicles we see today serves as a clear indication of increasingly clogged sea lanes over time – networked, complex, and bound for all variety of accidents.

In an area already well frequented by significant volumes of merchant ships, the increase of naval craft (manned or unmanned) in the same operational area raises the chance of miscommunication, compounding accidents, and crashes. A technical failure or navigation error aboard one vessel can trigger a chain of events that may lead to it impacting another; whether that other vessel is merchant or military will increasingly become a matter of chance. As an example of an extreme possibility of such an accident, British and French submarines collided during NATO exercises in 2009, an accident involving two nuclear submarines. While brushed off by the two countries, the accident caused visible damage to the HMS Vanguard, and could have been much worse. In 2017 the USS John S McCain and the USS Fitzgerald, ships of the 7th Fleet, were involved in two separate collisions with commercial vessels, which the Navy attributed, in part, to a lack of preparedness. But in the case of the USS John S McCain collision, there was also the problem of sailors misunderstanding the integrated bridge and navigation system (IBNS), accidentally transferring controls, an error that was misread as having lost control of the ship.

Close quarters at sea are not only concerning for the increased risk of collisions. Accidents always have compounding effects, and in close quarters, there is greater risk that the compounding effects might affect another system (such as another ship). In November of 1943 the destroyer USS William D. Porter was escorting the USS Iowa, aboard which was President Franklin D. Roosevelt. Anti-aircraft and torpedo drills were conducted to demonstrate the Iowa’s ability to defend herself. When the William D. Porter went to simulate a torpedo launch at the Iowa, however, it accidentally launched a live torpedo. The ships were supposed to be in radio silence for fear of a U-boat attack, but after failed lamp signals, the William D. Porter broke radio silence to alert the Iowa to the incoming torpedo. The Iowa was able to avoid being hit, after a sharp turn. Disaster was averted because the two ships finally managed to communicate with each other before the point at which the Iowa could no longer avoid the torpedo. This was greatly aided by the fact that these were ships of the same fleet, with established communications, and that the technology of World War II meant that there was enough time to warn the Iowa of the impending torpedo before it arrived. Imagine if an accidental launch happened in the South China Sea, with an American torpedo hurtling towards a PLAN ship at speeds far quicker than 1943 torpedoes. What if, disastrously, the torpedo hit the PLAN ship, and suddenly an accident had the potential to cause a war, especially if China refused to believe that such an occurrence was an accident?

Because of the improved stealth capabilities in new classes of submarines, it is very likely that accidents can happen at sea without knowledge of other actors in proximity. In these situations, accident mitigation strategies carried out without knowing that other submarines are nearby could cause great damage to those other submarines. For example, a hot running torpedo may need to be ejected, and a captain may believe that there are no other submarines in proximity that may be affected. Because of the silence of new submarines and the overarching complexity of the military ecosystem of the area of interest (for example, the South China Sea), it is completely possible that an ejected torpedo might turn into an attacking torpedo, an accident mitigation strategy turning into a deadly incident. Take, for example, the NATO Eurofighter 2000 that, in 2018, accidentally fired an air-to-air missile near the Russian border. In a time of hostilities, such an accident could have been seriously escalatory.

It is important to understand how countries react to accidents in peacetime in order to better predict the repercussions of unintended incidents during wartime, as well as to understand the risk of escalation that comes with accidents in tense situations. A collision caused by an accident involving steering mechanisms between two submarines of close allies may not result in geopolitical flare-ups, but such a collision would likely be escalatory if it were to happen between rivals, especially if a country was looking for a reason to escalate, or if there was a loss of life. If country A suffers an accident that inadvertently harms its rival B, how does B know that it was an accident and not an intended consequence? Understanding the ways countries view accidents and responsibility is critical to informing reactions when accidents invariably happen. The United States and militaries across the world are fielding increasingly complex military systems. It is completely illogical and irresponsible to expect there not to be unexpected accidents, as that is the nature of complex systems. While accident risk can be reduced through safety measures and risk mitigation, it is impossible to prevent all accidents, as there are some accidents that we can never prevent. Thus, it is necessary to understand responses to accidents, so that when accidents strike, we can be a little less blinded by the fog of disaster.

“I shall proceed from the simple to the complex. But in war more than in any other subject we must begin by looking at the nature of the whole; for here more than elsewhere the part and the whole must always be thought of together.” 

— Carl von Clausewitz, On War