sign in sign up
<<
Home , Vasa (ship), Vasa museum

focusprocess

Why the Sank: 10 Problems and Some Antidotes for Software Projects

Richard E. Fairley, Oregon Health and Sciences University Mary Jane Willshire, University of Portland

n 10 August 1628, the Royal Swedish Navy’s newest ship set sail on its maiden voyage. The Vasa sailed about 1,300 meters and then, in a light gust of wind, capsized in ’s harbor, los- O ing 53 lives. The ship was ’s most expensive project ever, and a total loss. This was a major national disaster—Sweden was at war with Poland and needed the ship for the war effort. A formal hearing the follow- ing month did not determine why the ship sank, and no one was blamed.

After initial salvage attempts, the ship unstable, are numerous and varied. Although In 1628, the Royal was largely forgotten until Anders Franzen we may never know the exact details sur- Swedish Navy located it in 1956.1 In 1961, 333 years af- rounding the Vasa, this article depicts our launched the Vasa. ter it sank, the Vasa was raised; it was so “most probable scenario” based on the ex- After only well preserved that it could float after the tensive and remarkably well-preserved docu- about 1,300 meters, gun portals were sealed and water and ments of the time, evidence collected during it sank. The authors mud were pumped from it. The sheltered visits to the , information from review the project’s harbor had protected the ship from storms, the referenced Web sites, and publications by and the ’s low salinity prevented those who have investigated the circum- problems, including worms from infesting and destroying the stances of the Vasa’s sinking. The problems why the ship was wooden vessel. Today it is housed in the encountered are as relevant to our modern- unstable and why it Vasa Museum (www.vasamuseet.se), near day attempts to build large, complex soft- was still launched. the site where it foundered.2 Figures 1 and ware systems as they were to the 17th-cen- They interpret the 2 show the restored ship and a recreation of tury art and craft of building . case in terms of its sinking. today’s large, Researchers have extensively analyzed the The Vasa story complex software Vasa and examined historical records con- The story of the Vasa unfolds as follows. projects and present cerning its construction. It sank, of course, Changing the shipbuilding orders some antidotes. because it was unstable. The reasons it was unstable, and launched when known to be On 16 January 1625, Sweden’s King Gus-

18 IEEE SOFTWARE Published by the IEEE Computer Society 0740-7459/03/$17.00 © 2003 IEEE tav II Adolf directed Admiral Fleming to sign a contract with the Stockholm ship builders Henrik and Arend Hybertsson to design and oversee construction of four ships. Henrik was the master shipwright, Arend the business manager. They subcontracted with shipbuilder Johan Isbrandsson to build the ships under their direction over a period of four years. Two smaller ships were to have about 108-foot ; the two larger ones, about 135-foot keels. Based on a series of ongoing and confusing changes the King ordered during the spring and summer of 1625, Henrik requested timbers be cut from the King’s forest for two 108-foot ships and one 135-foot ship. On 20 September, the Swedish Navy lost 10 ships in a devastating storm. The king then ordered that the two smaller ships be built first on an accelerated schedule to replace two of the lost ships. Construction of the Vasa began in early 1626 as a small, traditional ship; it was com- pleted two and a half years later as a large, in- novative ship, after undergoing numerous changes in requirements. On 30 November 1625, the King changed his order, requiring the two smaller ships to be 120 feet long so that they could carry more armament: 32 24-pound guns in a tra- ditional enclosed- configuration.1 (“24 Figure 1. The restored pounds” refers to the of the shot 111-foot using materials planned for Vasa, housed in fired by the . A 24-pounder weighed the bigger ship would be more expeditious Stockholm’s Vasa approximately 3,000 pounds.) Henrik inven- than laying a new 135-foot keel. Museum (model in toried materials and found that he had The evolution of architecture foreground, Vasa in enough timber to build one 111-foot ship from one to two enclosed gun decks in the background). and one 135-foot ship. Under the King’s di- early 1600s marked a change in warfare tac- rection, as conveyed by Admiral Fleming, tics that became commonplace in the late Henrik laid the keel for a 111-foot ship be- 1600s and 1700s. The objective became to cause it could be completed more quickly fire broadside volleys and sink the oppo- than the larger one. The records are unclear nent. Before that, warships fired initial can- as to whether the keel was initially laid for non volleys to cripple their opponent’s ship this size or initially for a 108-foot ship and so that they could board and seize it. To this then extended to 111 feet. end, earlier warships carried large numbers of soldiers (as many as 300). No specifications for the modified keel Although the contract with the Hy- After the Vasa’s 111-foot keel had been bertssons was revised (and has been pre- laid, King Gustav learned that Denmark served), no one has ever found specifications was building a large ship with two gun or crude sketches for either the 111-foot or decks. The King then ordered the Vasa to be 135-foot Vasa, and none of the related enlarged to 135 feet and include two en- (and well-preserved) documents mentions closed gun decks (see Figure 3). No one in such drawings. It is unlikely that anyone Sweden, including Henrik Hybertsson, had spent time preparing specifications, given ever built a ship with two enclosed gun the circumstances and schedule un- decks. Because of schedule pressure, the der which the Vasa was constructed. They shipbuilders thought that scaling up the probably would not have been prepared for

March/April 2003 IEEE SOFTWARE 19 135 feet was constrained by its existing keel, which contained the traditional three scarfs. He added a fourth scarf to lengthen the keel, but the resulting keel is thin in re- lation to its length, and its depth is quite shallow for a ship of this size. Hybertsson’s assistant, Hein Jacobsson, later said that the Vasa was built one foot, five inches wider than originally planned to accommodate the two gun decks. However, the keel was already laid, so they could make that change in width only in the upper parts of the ship. This raised the center of gravity and contributed to the Vasa’s insta- bility (sailing ships are extremely sensitive to the location of the center of gravity; a few centimeters can make a large difference). Also, those outfitting the ship for its first voyage found that the shallow keel did not provide enough space in the for the amount of ballast needed to stabilize a 135- foot ship. The keel’s thinness required extra Figure 2. A bracing timbers in the hold, further restrict- recreation of the the original 108-foot ship, because these ing the space available for ballast. Vasa disaster. types of ships had been routinely built for (photo by Hans many years and Hybertsson was an experi- Shifting armaments requirements Hammarskiöld) enced shipwright, working with an experi- The numbers and types of armaments to enced shipbuilder. Henrik Hybertsson prob- be carried by the scaled-up Vasa went through ably “scaled up” the dimensions of the a number of revisions. Initially, the 111-foot original 108-foot ship to meet the length and ship was to carry 32 24-pound guns. Then, breadth requirements of the 111-foot ship the 135-foot version was to carry 36 24- and then scaled those up for the 135-foot pound guns, 24 12-pound guns, eight 48- version of the Vasa. pound mortars, and 10 smaller guns. After How he scaled up the 111-foot Vasa to a series of further revisions, the Vasa was to Figure 3. The Vasa’s carry 30 24-pounders on the lower deck two gun decks. and 30 12-pounders on the upper deck. Fi- nally, the King ordered that the Vasa carry 64 24-pound guns—32 on each deck—plus several smaller guns (some documents state the required number as 60 24-pound guns). Mounting only 24-pound guns had the ad- vantage of providing more firepower and al- lowed standardization on one kind of ammu- nition, gun carriage, powder charge, and other fittings. However, the upper deck had to carry the added weight of the 24-pound guns in cramped space that had been built for 12- pound guns, further raising the ship’s center of gravity. In the end, the Vasa was launched with 48 24-pound guns (half on each deck), because the gun supplier’s manufacturing problems prevented delivery of more guns on schedule. Waiting for the additional guns would have interfered with the requirement

20 IEEE SOFTWARE http://computer.org/software Figure 4. The ship’s ornate, gilded carvings. to launch the ship as soon as possible. An- other indication of excessive schedule pres- sure is that the gun castings were of poor quality. They might well have malfunctioned (exploded) during a naval battle. Artisan shipbuilders constructed the Vasa’s rigging and outfitting without ex- plicit specifications or plans, in the tradi- tional manner that had evolved over many years. The King ordered that the ship be outfitted with hundreds of ornate, gilded, and painted carvings depicting Biblical, mythical, and historical themes (see Figure 4). The Vasa was meant to impress by out- doing the Danish ship being built; no cost was spared, making the Vasa the most ex- pensive ship of its time. However, the heavy oak carvings raised the center of gravity and further increased instability.

The shipwright’s death factors for sailing ships were unknown, so Henrik Hybertsson became seriously ill ships’ captains had to learn their vessels’ in 1626 and died in 1627, one year before operational characteristics by trial-and- the Vasa was completed. During the year of error testing. The Vasa was the most spec- his illness, he shared project supervision tacular, but certainly not the only, ship to with Jacobsson and Isbrandsson, but ac- capsize during the 17th and 18th centuries. cording to historical records, project man- Measurements taken and calculations per- agement was weak. Division of responsibil- formed since 1961 indicate that the Vasa was ity was not clear and communication was so unstable that it would have capsized at a poor; because there were no detailed speci- heeling over of 10 degrees; it could not have fications, schedule milestones, or work plans, withstood the estimated wind gust of 8 knots it was difficult for Jacobsson to understand (9 miles per hour) that caused the ship to cap- and implement Hybertsson’s undocumented size.3 Recent calculations indicate the ship plans. Communication among Hybertsson, would have capsized in a breeze of 4 knots. Jacobsson, and Isbrandsson was poor. This That the wind was so light during the Vasa’s resulted in further delays in completing the initial (and final) cruise is verified by the ship. fact that the crew had to extend the sails Admiral Fleming made Jacobsson (Hy- by hand upon launch. Lieutenant Petter bertsson’s assistant) responsible for complet- Gierdsson testified at the formal inquiry ing the project after Hybertsson’s death. At held in September 1628: “The weather was this time and during the subsequent year, 400 not strong enough to pull out the sheets, al- people in five different groups worked on the though the blocks were well lubricated. hull, carvings, rigging, armaments, and bal- Therefore, they had to push the sheets out, lasting—apparently with little, if any, com- and one man was enough to hold a sheet.”4 munication or coordination among them. During the formal inquiry, several wit- This was the largest work ever engaged nesses commented that the Vasa was “heav- in a single project in Sweden up to that time. ier above than below,” but no one pursued There is no evidence that Jacobsson prepared the questions of how and why the Vasa had any documented plans after becoming re- become top-heavy. No one mentioned the sponsible for completing the ship. weight of the second deck, the guns, the carvings, or other equipment. In those days, No way to calculate stability, stiffness, or most people (including the experts) thought sailing characteristics that the higher and more impressive a war- Methods for calculating the center of ship, and the more and bigger the guns it gravity, heeling characteristics, and stability carried, the more indestructible it would be.

March/April 2003 IEEE SOFTWARE 21 Table 1 Ten software project problems and some antidotes Problem area Antidotes 1. Excessive schedule pressure Objective estimates munication, pressure from King Gustav to More resources launch the ship as soon as possible, the fact Better resources that the King was in Poland conducting a war Prioritized requirements campaign (and thus unavailable for consulta- Descoped requirements tion), and the fact that no one had any sug- Phased releases gestions for making the ship more stable. 2. Changing needs Iterative development Testimony at the formal hearing indi- Change control/baseline management cated that Jacobsson, the shipwright, and Is- 3. Lack of technical specifications Development of initial specifications brandsson, the shipbuilder, were not present Event-driven updating of specifications during the stability test and were unaware Baseline management of specifications of the outcome. The boatswain, Matsson, A designated software architect testified that Admiral Fleming had accused 4. Lack of a documented project plan Development of an initial plan him of carrying too much ballast, noting Periodic and event-driven updating that “the gunports are too close to the wa- Baseline management of the project plan ter!” Mattson then claimed to have an- A designated project manager swered, “God grant that the ship will stand 5. & 6. Excessive and secondary innovations Baseline control upright on her keel.” To which the Admiral Impact analysis replied, “The shipbuilder has built ships be- Continuous risk management fore and you should not be worried.”4 A designated software architect Whether Admiral Fleming and Captain 7. Requirements creep Initial requirements baseline Hannson intentionally withheld the stabil- Baseline management ity test results is a matter for speculation. Risk management The King had ordered that the Vasa be A designated software architect ready by 25 July and “if not, those respon- 8. Lack of scientific methods Prototyping sible would be subject to His Majesty’s dis- Incremental development grace.” The Vasa’s maiden voyage on 10 Au- Technical performance measurement gust was more than two weeks later. It was 9. Ignoring the obvious Back-of-the-envelope calculations reported that after the failed stability test, Assimilation of lessons learned Admiral Fleming lamented, “If only the King 10. Unethical behavior Ethical work environments and work cultures were here.”5 Personal adherence to a code of ethics Ten problem areas and their antidotes Many of the Vasa project’s problems The failed prelaunch stability test sound familiar to those who have grappled Captain Hannson (the ship’s captain) and with large software projects. Table 1 pres- a skeleton crew conducted a stability test in ents 10 problems from the Vasa project that the presence of Admiral Fleming during out- are also common to software projects, along fitting of the Vasa. The “lurch” test con- with some antidotes for software projects. sisted of having 30 men run from side to side amidship. After three traversals by the 1. Excessive schedule pressure men, the test was halted because the ship Many software projects, like the Vasa proj- was rocking so violently it was obvious it ect, are under excessive schedule pressure to would capsize if the test were not halted. meet a real or imagined need. According to The ship could not be stabilized because Fred Brooks, more software projects have there was no room to add ballast under the failed (“gone awry”) for lack of adequate hold’s floorboards (see Figure 5). In any calendar time than for all other reasons case, the additional weight would have combined.6 Excessive schedule pressure in placed the lower-deck gun portals near or software projects is caused by below the ship’s waterline. The Vasa was es- timated to be carrying about 120 tons of Truly pressing needs ballast; it would have needed more than Perceived needs that are not truly pressing twice that amount to stabilize. Changing of requirements without ad- That the Vasa was launched with known justing the schedule or the resources (see stability problems was the of poor com- Problem 2)

22 IEEE SOFTWARE http://computer.org/software Unrealistic schedules imposed on projects by outside Lack of realistic estimates based on ob- jective data

When schedule estimates are not based on objective data, software engineers have no basis for defending their estimates or for re- sisting imposed schedules. You can sometimes meet schedule requirements by increasing project resources, applying superior re- sources, descoping the (prioritized) require- ments, phasing releases, or some combina- tion of these antidotes.

2. Changing needs Some common reasons for changes to Figure 5. A cross software requirements include competitive section of the Vasa forces (as in the case of the Vasa), user needs grow to become large, innovative ones. In showing its shallow that evolve over time, changes in platform the Vasa’s case, verbal communication keel and its multiple and target technologies, and new insights might have compensated somewhat for the decks, including the gained during a project. There are two tech- lack of written specifications and a written two gun decks. niques for coping with changing software project plan. In the case of software proj- requirements: ects, initially developing and baselining re- quirements, even for a small, simple proj- Pursuing an iterative development strat- ect, is much easier (and less risky) than egy (for example, incremental, evolu- trying to “reverse-engineer” requirements tionary, agile, or spiral) later, when the project has crossed a com- Practicing baseline management plexity threshold that warrants developing technical specifications. You can use these techniques alone or to- gether. In the case of iterative development, 4. Lack of a documented project plan you can accommodate requirements changes Because its designers saw the Vasa as a based on priority within the constraints of small, familiar ship and because the project time, resources, and technology—any of team was experienced in building these which you can adjust as the project evolves. types of ships, they might have thought sys- When using baseline management, you ini- tematic planning was an unnecessary use of tially place the requirements under version time and resources. Software projects often control. Approved changes result in a new start under similar circumstances. As in the version of the requirements (a new base- case of requirements, evolving a baselined line), which is accompanied by adjustments project plan for an initially small project is to schedule, resources, technology, and much easier than trying to construct a proj- other factors as appropriate. The goal of ect plan later (when there is no time to do both approaches is to maintain, at all times, so). A software project plan must include a balance among requirements, schedule, resources, technology, and other factors Decomposition of the work to be done that might pose risks to successful delivery (that is, a work breakdown structure) of an acceptable product within the project Allocation of requirements to the work constraints. elements of the WBS An allocated schedule (for example, a 3. Lack of technical specifications milestone chart) Software projects, like the Vasa project, Allocation of resources to each schedule sometimes start as small, familiar activities increment for which technical specifications are Deliverable work products for each deemed unnecessary. These projects often schedule increment

March/April 2003 IEEE SOFTWARE 23 Plans for acquiring software from ven- to software projects. Fundamental techniques dors and open sources for maintaining control of software projects In modern Plans for managing subcontractors are developing initial documentation and A risk management plan consistently updating requirements and society, the role A clear statement of authorities and plans to maintain an acceptable balance of engineering responsibilities7 among requirements, schedule, and resources is to provide as the project evolves. Often-heard excuses You can document the project plan for a for failure to establish initial project docu- systems and small software project in a few pages and mentation are lack of sufficient knowledge products that then expand it as the project grows. to do so and the belief that “everything will change anyway, so why plan?” You should enhance the 5. Excessive innovation develop initial requirements and plans to material In To Engineer Is Human, Henry Pet- the extent possible in the face of imperfect aspects of roski observes that engineering projects knowledge, with the expectation that they often fail when people attempt innova- will change and with procedures in place to human life, thus tions beyond the state of the art.8 Software evolve them systematically. Failure to update making life projects are always innovative to some ex- initial requirements and plans periodically, and tent because replicating existing software, as events require, is often the result of a per- easier, safer, unlike replicating physical artifacts, is a triv- ception that there is not enough time to do more secure, ial process. Software projects are conducted so (“never enough time to do it right, but al- to develop new systems “from scratch” and ways time to redo it”). This perception, in and more to produce new versions of existing systems, turn, comes from insufficient procedures for enjoyable. but not to replicate software. To control ex- managing requirements and plans on a con- cessive innovation in software projects, you tinuing basis and a lack of appreciation for can apply the following techniques: the risks thus created.

Baseline control of working documents 8. Lack of scientific methods (for instance, requirements, project plans, Because software has no physical proper- design documents, test plans, and ties, you cannot calculate many traditional source code) engineering parameters for software (at Impact analysis of proposed changes least, at this time). Unlike physical artifacts Continuous risk management such as the Vasa, however, you can build a software system in small, incremental steps 6. Secondary innovations and monitor the evolution of technical pa- Reasons for secondary innovations in rameters such as memory usage, perform- software projects include the need to ac- ance, safety, security, and reliability as the commodate the constraints of the technolo- system evolves. gies used, the addition of derived require- ments to support primary requirements and 9. Ignoring the obvious changes to them, and innovations based on In the case of the Vasa, the lurch test the developers’ creative impulses. As in the demonstrated that the ship was dangerously Vasa’s case, these secondary requirements unstable. There was no room for additional can overwhelm a software project. In addi- ballast. If there had been room, the added tion to the techniques mentioned for con- weight would have placed the lower gun trolling Problem 5, you should assign re- portals below the waterline. Although we sponsibility and give authority to a designated lack scientific methods in many software en- software architect to maintain the software gineering areas, we can often avoid foresee- product’s vision and integrity, which is an ad- able disasters by performing a few, often ditional antidote for many other problems.7 quite simple, “back of the envelope” calcu- lations. If, for example, a certain transac- 7. Requirements creep tion processing system must process 1,000 It seems that no one was aware of the transactions per second and if each transac- overall impact of the changes made to the tion requires four complex queries, the sys- Vasa during the two and a half years of con- tem must process 4,000 complex queries per struction. This can (and does) easily happen second, including the time required for con-

24 IEEE SOFTWARE http://computer.org/software About the Authors

Richard E. Fairley is a professor of computer science and associate dean of the OGI School of Science & Engineering of the Oregon Health & Science University. He also participates in the Oregon Master of Software Engineering program, which is offered collaboratively by text switching among transactions (that is, four Oregon universities. His research interests include requirements engineering, software ar- 250 microseconds per context switch and chitecture, software process engineering, estimation, measurement and control of software transaction). Accounting for system laten- projects, risk management, and software engineering education. He is a member of the IEEE Computer Society and ACM. Contact him at the OGI School of Science and Eng., 20000 NW cies might show the envisioned system to be Walker Rd., Beaverton, OR 97006; [email protected]. infeasible.

10. Unethical behavior Mary Jane Willshire is an associate professor of computer science in the Electrical Engineering and Computer Science Department at the University of Portland, where she In modern society, the role of engineering teaches courses and conducts research in software engineering, human-computer interfaces, is to provide systems and products that en- and database technology. She is a member of the IEEE, ACM, Association for Women in Sci- ence, and Society of Women Engineers. Contact her at the School of Engineering, Univ. of Port- hance the material aspects of human life, land, 5000 N. Willamette Blvd., Portland, OR 97203-5798; [email protected]. thus making life easier, safer, more secure, and more enjoyable. Technological innova- tion often involves ethical considerations. In the Vasa’s case, the goal was to make Swe- den more secure for its citizens and to bring glory to the country. At the last moment, when it became obvious the ship was not On a positive note, large, two-deck war- seaworthy, those with authority to stop the ships were subsequently built and sailed launch did not do so. during the latter 17th and the 18th and 19th In our time, software engineers should centuries. In the same way, we can now, first serve the public; second, be advocates with reasonable confidence of success, build for the customers and users of their prod- larger and more complex software-intensive ucts; and third, act in the interest of their systems than in the past. employers, in a manner that is consistent with the public interest. Software engineers should “accept full responsibility for their Acknowledgment work” and “approve software only if they The reviewers and editor offered many valuable have a well-founded belief that it is safe, recommendations for improvements to this article’s initial draft. Photos by permission of the Vasa Museum. meets specifications, passes appropriate tests, and does not diminish quality of life, diminish privacy, or harm the environment. References The ultimate effect of the work should be to 1. A. Franzen, The Warship Vasa: and Ma- 9 the public good.” Every software engineer rine , 6th ed., Norstedt & Soners Forlag, should be familiar with and adhere to a Stockholm, 1974. 2. The Royal Ship Vasa, http://home.swipnet.se/~w-70853/ code of ethics. WASAe.htm. 3. C. Borgenstam and A. Sandstrom, Why Vasa Capsized, AB Grafisk Press, Stockholm, Sweden, 1995. 4. The Story of the Royal Swedish Man-of-War Vasa, multi- media documentary, VyKett AB, Stockholm, Sweden, 1999; available (in English) on floppy disk by email in- quiry to the Vasa Museum at [email protected]. able 1 presents only some of the 5. A. Wahlgren, The Warship Vasa, a documentary film, Vasa Museum, Stockholm, Sweden, 1996; available (in many possible antidotes for soft- English) on a VCR tape by email inquiry to the Vasa ware projects. Some antidotes listed Museum at [email protected]. T 6. F. Brooks, The Mythical Man-Month, Addison-Wesley, in one problem area apply equally to other Boston, 1995. problem areas. For the sake of brevity, we 7. IEEE Std. 1058-1998, Standard for Software Project leave elaboration of Table 1 to readers. Management Plans, IEEE, Piscataway, N.J., 1998. According to the formal Vasa hearing’s 8. Henry Petroski, To Engineer Is Human: The Role of Failure in Successful Design, Vintage Books, New York, transcript, no one asked how or why the 71992. ship had become unstable or why it was 9. Software Engineering Code of Ethics and Professional Practice, IEEE Computer Society and ACM Joint Task launched with known stability problems. Force on Software Engineering Ethics and Professional The failure of this line of inquiry is perhaps Practices, 1999, http://computer.org/tab/code11.htm. the most compelling problem from the Vasa case study, as is our often-observed, present- day failure to learn from our mistakes in For more information on this or any other computing topic, please visit software engineering. our Digital Library at http://computer.org/publications/dlib.

March/April 2003 IEEE SOFTWARE 25