Tip of the Week #128                   Tip Index

Go to the Prior Tip  Car Loan Interest Rate Calculation
Go to the Next Tip  $3.29 million Watermelon: Fun with IRR
Return to MaxValue Home Page

To Forgive Design: Understanding Failure by Henry Petroski

2012, Belknap Press of Harvard U. Press, Cambridge, MA, and London, 410p. (last 50 p. are notes and indexes) At this writing, available for US$16.83 on Amazon.com.

Petroski is Professor of Civil Engineering and Professor of History at Duke University.

He is perhaps best known for his earlier book, To Engineer is Human: The role of Failure in Successful Design (1992 paperback version; at this writing, available for US$10.74 on Amazon.com).

Prof. Petrosky has credentials. I’ve seen his name and earlier book mentioned frequently across the years. 

Theme: Engineers should study and frequently consider failure. This is not only about engineers. Designers of all types can benefit from failures, including but not limited to software, business modeling, organizations, instruction, and women’s apparel (wardrobe malfunction J).
 
Petrosky’s background and special interest is in bridge design, so there’s much discussion about bridges. The Takoma Narrows bridge collapse (1940, Washington State) is a standout example. A videos of the bridge’s gyrations before collapse is easily found on the Internet (e.g. YouTube) and well-worth watching.

While bridges are interesting enough, Petrosky thankfully mentions other notable disasters such as:

• Challenger space shuttle
• Boston’s Big Dig tunnel project (famously over-budget, over-time, and 3600 leaks to be repaired)
• Kansas City Hyatt Regency walkway collapse
• BP’s Macondo well blowout (involving the Deepwater Horizon drillship), which he discuss in remarkable detail, p. 275-301

Sometimes failure—controlled failure—is intended. Several example designs for failure are:

• Almost any situation where material is acted upon by a tool requires failure of the material.
• Perforated coupon sheets, such as postage stamp pages—no tool required
• Crumple zones in cars
• Buildings, nuclear plants, and bridges that can be taken down at end of life.

Why engineering failures? Following are three major causes from the book.

Design Changes

• As-built is often different from as-designed.
• Engineers typically extend or “improve” previous designs, often without fully understanding the assumptions that went into the prior designs.
• A builder may take fabrication shortcuts, substitute materials, and limit inspections and testing.
• Humans, as part of the system, do not perform as intended.

Making any change to a system that has worked should be a red flag. Beware unintended consequences. For example, software updates—in part to fix bugs—often introduce new bugs.

Major bridge disasters seem to occur every 30 years or so. This is about once every professional generation. Because some space projects require decades, NASA makes an effort to write very detailed reports so that future engineers do not have to “figure out what steps we took and why we took them (p. 341).”
(NASA is the U.S. National Aeronautics and Space Administration.)

Insufficient Attention to Odd Behaviors and Near-Misses

The book has many instances of early warnings not being investigated, including:

• Space Shuttle experiencing a history of O-ring erosion and pieces of foam breaking away during launches.
• Cracks or erosion in a structure appearing or more extensive than expected
• "…the (Silver Bridge’s) tremendous population of pigeons (abandoning) their home” the day before the collapse (1926, p. 161).

Situations Not Considered in the Design

• Unintended use, such as a higher volume and traffic and greater loads.
  Anticipating possible future improvement needs can be considered at original design time in a “value of flexibility” analysis, a popular topic in decision analysis.
• Delivered materials and work not up to specification (e.g., quality of steel; concrete or  epoxy strength; weld quality)
• Unscrupulous suppliers and inspectors
  
  “An engineer who has not been educated as a spy or detective is no match for a rascal.” (Washington Roebling quoted, p. 15)
  
• Non-functional equipment or design elements
• Weather extremes outside anticipated bounds
• Inspections and maintenance are not performed as specified in the design.
• Operators may execute actions that are contrary to what is needed at the moment.
   
  Organizational conditions, throughout the asset life-cycle, may exhibit behaviors or practices leading to the production and acceptance of what proved to be faulty mechanism.

Sometimes, a failure mode involves science principles unknown at the time. Metal fatigue was unknown until the latter 1800s. It took perhaps 70 years more to understand fatigue reasonably-well and to routinely consider fatigue in design. Meanwhile, railway axels kept breaking, and bridges fell down (p. 110-121). And this continues. A German high-speed train was destroyed in 1998 due to a fatigue failure of a wheel. In 2000 a train in Great Britain was derailed because fatigue destroyed the track.
 
Trade-Offs in Decision Making

Petrosky’s first design textbook in college (Shigley's Mechanical Engineering Design, now in its 9th edition) began “To design is to make decisions.” Later it added “Decisions are always compromises.” (p. 245)

He acknowledges multi-criteria decision making. He recounts decisions about design that were driven by cost, schedule, performance (from a purely functionality perspective), aesthetics, area economics, and politics.

“While structures can be designed to resist every possible and imaginable onslaught, judgments have to be made about whether that is practical and affordable (p. 75).”

“And the design “invariably (needs) to take into account and weigh, implicitly or explicitly, the cost and affordability of fail-safe improvements against the value of human life (p. 76).”

Petrosky’s Recommendations

“Because we are human and by nature fallible we can count on bad things continuing to occur, often when we least expect them (p. 4).”

He offers several recommendations:

• “Each engineer’s work (should be) expected to be consistent and transparent so that another engineer can check it—by following its assumptions, logic, and computations—for inadvertent errors (p. 30).” And, of course, the work check should be done.
  
  “Engineers, like everyone else, can always manage to find new ways to miscalculate or overlook some detail (p. 219).
  
  Quoting dam engineer Ralph Peck, “Nine out of ten recent failures occurred not because of inadequacies in the state of the art, but because of oversights that could and should have been avoided (p. 347).”

• Build-in means of detecting and inspective for failure (e.g., corrosion in hidden suspension cables, p. 132; smart bridge technology, p. 231)
• Pay attention to unintended behavior, such as excessive or premature wear.
• Complex systems have interrelated factors and provide a multitude of possible failure paths. Design from the bottom up, testing each component rather than waiting to test the entire system.
• Be aware that risk estimates are often optimistic. NASA management believed (Pre-Challenger) that the chance of losing a Space Shuttle was about 1 in 100,000 flights, while some practicing engineers placed the odds at 1 in 100 or so. Attempt to anchor probability assessments to experience with same or similar systems.
   
  Physicist Richard Feynman was a somewhat rogue member of the investigation team on the “Presidential Commission on the Space Shuttle Challenger Accident.” On this and the prior bullet, I found interesting reading at these links:
  http://history.nasa.gov/rogersrep/v2appf.htm and
  http://en.wikipedia.org/wiki/Rogers_Commission_Report

To Forgive Design is an interesting book. Think all persons doing "design" work should read about failures, and this book is a good place to start.

—John Schuyler, May 2013

Copyright \A9 2013 by John R. Schuyler. All rights reserved. Permission to copy with reproduction of this notice.