Oops: Understanding Failure
This essay originally appeared in the London Review of Books, February 21, 2013. It is reprinted here with the kind permission of the author and the London Review of Books.
Whenever you step on a bridge, every bit of your weight is being transferred — part to one shore, part to the other — down to the bedrock below. If the structure is to continue standing when it takes on a new load, every link in the system has to resist the burden, kilo for kilo. Your weight, technically a ‘live load’ (which is to say transient, as opposed to the resident ‘dead load’ of the structure itself), must be met by the strength designed into the bridge, whether it is a simple beam or arch, one of the myriad types of trusses, or a suspension bridge, either the traditional catenary or the more recent cable-stayed. Most often the bridge will succeed in bearing your weight. It’s rare that someone is individually responsible for a collapse.
My professor at architecture school, Peter Galdi, liked to talk about the Manhattan Bridge. It was then nearly a hundred years old; maintenance on the bridge had been deferred for decades; a thorough survey had been made of its soft spots. No one, Galdi told us, knew what was holding it up. Sure, there were those high towers and enormous anchorages, the skeins of cables and wires; there were trusses to prevent bending and twisting; trains were thundering over it every few minutes, as well as hundreds of cars, and the bridge was standing firm. But no one could tell you — because at that time we didn’t have the engineering mathematics to work out — the exact path that a given load was taking through the network of assembled steel and stone. It was certain that the loads, dead and live, were being resisted. As they are today and will be tomorrow. Until they’re not.
Another story Galdi liked to tell involved the design of a car park. He was once asked to determine the total load on such a structure and the strength of the materials needed to neutralise it. Simple statics: kids’ stuff. The car park was symmetrical so, following protocol and logic, he did the maths for half, intending to double the result when he was finished. But he forgot. The mistake was discovered instantly — he was laughed out of the conference room — but others are not. In 1999, having made the nearly ten-month interplanetary trip without mishap, the Mars Climate Orbiter burned up in the atmosphere on arrival. It was discovered later that engineers working for the contractor, Lockheed Martin, had programmed the software to give altitude data in imperial units, while those of its partner, NASA, had used metric — a three hundred million dollar oops. But no one died. And it is death or its prevention, more so even than money, that is the measure of engineering failure or success.
Fifty people are killed off in the first chapter of Henry Petroski’s To Forgive Design: Understanding Failure when a plane crashes en route to Buffalo. Thirteen hundred or more died when the levees failed in New Orleans. The number of victims grows with each example: the earthquake in Haiti; the collapse of the World Trade Center; the fire on the Deepwater Horizon drilling rig. This is Petroski’s third book on engineering failure since 1985, and here he has chosen to examine failure in the widest professional and cultural sense, with the aim of preventing it, but also in an attempt to understand ‘the nature of failure itself’. Still, even without mentioning Chernobyl, the body count reaches five figures. It’s those deaths — and the habits of thought, the human bungling, the pressures within the profession and beyond it that cause a thing to break and fall, to explode, melt or burst — that we are asked to understand, and perhaps to forgive.
There’s a tradition in engineering of analysing deadly accidents in the consequence-free environment of the classroom to scare students into a higher degree of attention in their work. Since the 1920s, Canadian engineers have worn a ring on the little finger of their working hand as a reminder of their undertaking and the results of getting it wrong; the first rings, legend has it, were made from the remains of the Quebec Bridge after its humbling collapse in 1907. That failure, which happened before the bridge was completed, killed 75 workers and was directly attributed to engineers’ miscalculations of the weight of the enormous cantilevered span. The rings (before they were replaced by smooth stainless steel) were made of iron, left sharp and allowed to rust. Petroski celebrates the Canadian ‘iron ring tradition’ — which includes the reading of a poem written by Kipling for the bestowal ceremony, and its later, less poetic offshoot in the US — as a reminder to each engineer that his or her hand could be the one that draws the wrong line in a diagram, or computes the figures that prove inadequate to contend with gravity.
Conscientious engineers, with or without symbolic jewellery, are only part of the process. Whereas a fireman, a doctor or a heroic civilian can save a life in a glorious moment of independent action, engineering is embedded within and constrained by the world of money, business, profit and loss, and dependent for its success on culture, institutions, conventions, politics and art. Consider the case of the luge track built for the 2010 Winter Olympics at Whistler Mountain in British Columbia. The site was chosen in part because Whistler could provide a more reliable, faster frozen surface than the mountains at lower elevations closer to the home of the games in Vancouver. But the only space available at Whistler was narrower and steeper than the ideal. Olympic officials knew all along that it could result in record-setting — but dangerous — speeds. Several years later on the games’ first day, a young Georgian racer, Nodar Kumaritashvili, died on a practice run. It turned out that the track’s safety systems had been contracted out, in contrast to the usual practice, which may have resulted in the lack of padding on the column the victim collided with at turn 16. But Petroski also suggests that financial gain shaped the design. He quotes from a post-mortem in the Wall Street Journal: ‘The course’s dangers became part of its marketing.’ Kumaritashvili was killed by the bottom line.
A tight budget plus haste equals expediency: the wrong epoxy resin used to secure a concrete ceiling panel over a road in Boston’s Big Dig (one dead, one injured); the last-minute changes made to the hangers of a suspended walkway at the Hyatt Regency Hotel in Kansas City (114 dead). The Brooklyn Bridge stands today because John Roebling designed it to be six times stronger than it needed to be. So when Washington Roebling discovered, after his father’s death, that an unscrupulous supplier had introduced substandard wire into the cables, it was allowed to remain, as it only brought the safety factor down to five.
Politics is another perennial enemy of good design. Or, rather, another factor that a forward-thinking engineer must add into his or her margins. But what engineer could know, when calculating the innumerable stresses on the space shuttle, that in 1986 one of them might be made to blast off on a January morning at temperatures cold enough to surpass the tolerance of the O-rings sealing its external booster rockets, because the Reagan administration had been quietly pushing for the spectacle to coincide with the president’s State of the Union speech? Petroski doesn’t mention that long-rumoured aspect of the Challenger disaster. Instead he uses it as an example of the kind of thing that can go wrong at the interface between public funding and public relations. Managers at Nasa had claimed the programme would have a success rate of 99.999 per cent. Petroski cites Richard Feynman, who, observing that this implied the space agency ‘could put up a shuttle each day for three hundred years expecting to lose only one’, asked: ‘What is the cause of management’s fantastic faith in the machinery?’ It wasn’t shared by engineers closer to the machines. After a test burn of the rockets one of them estimated a failure rate of 4 per cent; in the event, Challenger broke up on the 25th launch.
Petroski also discusses the failure of the Tacoma Narrows Bridge. No one died (no humans, at least: a dog got trapped in an abandoned car), but because the convulsions prior to its collapse were spectacular, and caught on film, it is among the most famous of all structural disasters. The bridge was too thin relative to its length, and when it was subjected to sustained high winds a few months after opening in 1940, it began to move, went into a galloping resonance, twisted asymmetrically, loaded its cable supports beyond their tolerances, and fell. Leon Moisseiff, the chief engineer, who also designed the clunky but resilient Manhattan Bridge, drew up the Tacoma Narrows as he did in part for artistic reasons; before it failed he called it ‘the most beautiful bridge in the world’. It was the beauty of a design culture seeking the sleek and the fine as an expression of an insurgent modernism, and of America’s rising technological prominence. So, along with the wind and gravity, a politicised trend in aesthetics was to blame: style brought down the Tacoma Narrows (and killed the dog).
Throughout Petroski’s book we see engineers exhibiting the same unnerving tendency to be influenced, and compromised, by the mundane. Engineers are sometimes enchanted by beauty and pay a price for it; they can be pressed for time or cash, bossed around by those who control the clock and the purse; and they can forget what they once knew. Petroski estimates that it takes thirty years, the span of a single professional generation, for the failure encountered within the working life of a cohort to be forgotten. This is the cycle the iron ring tradition was intended to break. Still, we see the same mistakes, the same short cuts, the same temptations, the same disasters, repeating over time. The deadly collapse of the Dee Bridge in 1847, which dropped a train into the river, can be traced to the use of an ornamental filigree cast into the iron beams — a lesson that had gone down the memory hole well before Moisseiff chose beauty over function at Tacoma Narrows. Norman Foster’s Millennium Bridge over the Thames underwent resonant swaying on its opening day because pedestrians were falling unwittingly into sync as they walked across it. That mode of potential failure was once so well known that signs urging soldiers to break step were routinely posted at river crossings. The bridge was modified and no one was hurt (for which I am grateful, as I was a component of the poorly predicted live load that day).
If innovation is bound to have lethal consequences, why innovate? Petroski, as an engineer himself (he recounts some of his own experiences with failure as a student), can’t be expected to argue for the alternative: that we might stick to refining what we have, what we know will work. The only way to ensure perfect safety would be to stop progress as we now define it, but the desire for progress is irresistible. If we want to get somewhere faster, somewhere previously unreachable, or higher, or simply better, we are going to have to accept the inevitability of a certain amount of death.
One of Petroski’s aims is to encourage the habit of looking beyond the performance of a given construction in concrete and steel to the context in which the products of engineering are used. Ideally, as well as assessing the aerodynamics of a pilot’s plane, we would also consider the height and firmness of her pillow the night before she flies. A full evaluation of the viability of a design must take account of the societal arrangements in which it operates. And here it all falls apart. Will there be a majority on the city council in twenty years ready to pay for much needed maintenance on the bridge we open today? Will charismatic advocates be on hand when the hard case needs to be made? It is by no means certain that a century or two in the future there will be men and women of sufficient skill and wisdom to tend, without cutting corners, to the structures we’ve handed down to them. There may be a reason the Iroquois, source of the popular edict to consider the impact our decisions will have on seven generations, never left fragile bridges and towers (and dams and power plants) for their descendants to care for. Every built thing has an expiration date.
The number of failures waiting to happen dwarfs the number of realised failures. Given enough time, every bridge will fall, every building will collapse, every ship will sink, every circuit will fry, every gallon of oil will leak, every nuclear plant will give its site a fatal dose, air and water spreading the effects far and wide. We can understand failure, but certain designs beggar forgiveness. Today, in an earthquake and tsunami-damaged reactor building at the Fukushima Daiichi plant, there is a pool of spent fuel rods harbouring, experts say, enough radioactive material to poison the entire northern hemisphere, teetering one hundred feet up at the top of a compromised structure. Why so high? Because it made it easier to swap out the rods: a bold engineering decision made decades ago.
Knowing what we know and remembering what we’ve seen of disaster and loss, the prudent engineer would never sign off on a set of drawings, or give the OK to break ground. He would sit at his desk, fiddling with his iron ring. Make nothing new: it’s the only rational response to the certainty of eventual collapse. In his dark moment of the soul, he might discover all over again his terror of gravity. We may now have discovered, in the Higgs field, what gives things their mass, an achievement made possible by the capacity of engineers to form materials into structures, tools and devices as sophisticated as particle accelerators. But we still don’t understand what gives things their weight. And weight is the unrelenting enemy. When engineers fail, it is most often because they imagine they can beat gravity with their training, their calculations. But deep down they must know they never can.