Engineering Risks and Failures: Lessons Learned from Environmental Disasters
Publication: Leadership and Management in Engineering
Volume 12, Issue 4
Abstract
Recent disasters have highlighted the difficulties in assessing and managing risks and the types of failure that can occur in extreme circumstances. The means of characterizing and preparing for disasters can vary widely, even among engineers. Thus, clarity is required in communicating how scientific principles are applied in preventing and responding to disasters. This paper discusses lessons learned from environmental and other disasters regarding risk assessment and management, including the role of perception, and five types of failure that may occur during a disaster: miscalculations, extraordinary natural circumstances, critical path, negligence, and inaccurate prediction of contingencies. Examples from past disasters are used to illustrate these concepts.
Defining Disasters
There are many definitions of the word disaster. We recently asked a number of engineering and science leaders to provide their operational definition of a disaster. Their definitions ranged in emphasis. Most agreed that disasters are low-probability events with high-value consequences. Furthermore, problems become disasters when risks that are not properly managed result in significant physical damage to human life, ecosystems, and materials. Most engineering managers also concurred that substantial financial losses accompany most disasters.
The legal definition of the word disaster in the Robert T. Stafford Disaster Relief and Emergency Assistance Act (PL 100-707; 42 U.S.C. Chap. 68) is also important to engineering managers because response and recovery often depend on public subsidies and loans. In the United States, for example, a major disaster is any natural catastrophe (including hurricane, tornado, storm, high water, wind-driven water, tidal wave, tsunami, earthquake, volcanic eruption, landslide, mudslide, snowstorm, or drought) or, regardless of cause, any fire, flood, or explosion, in any part of the United States, that in the determination of the U.S. president causes damage of sufficient severity and magnitude to warrant major disaster assistance under this legislation to supplement the efforts and available resources of states, local governments, and disaster relief organizations in alleviating the damage, loss, hardship, or suffering it causes (C. Dickey, personal communication, August 4, 2011).
Engineering leadership calls for attention to the anthropogenic aspects of a disaster—that is, the negative health or economic consequences of human decisions. According to one respondent, even natural disasters involve anthropogenic aspects. For example, this engineer noted, “if humans avoided building on fault lines, the world would not experience earthquake-generated disasters.” Likewise, if people avoided building in flood plains and other hydrologically inappropriate areas, flooding would not cause disasters. In other words, environmental phenomena occur within observable ranges. The environment provides constraints and opportunity.
A disaster can also be defined as the failure of engineers, construction managers, developers, planners, and other leaders to properly account for an environmental vulnerability. Although such a definition is harsh and strident, it is certainly a warning that engineers must be constantly aware of the first ethical canon of the profession: to hold paramount the safety, health, and welfare of the public, as articulated by the National Society of Professional Engineers (2003). This obligation includes avoiding, preparing for, and responding to any event, not just a disaster, that threatens the public health or the environment. It also obligates engineers who design, for example, a chemical plant to build in safeguards and to alert the plant's owners, and possibly those living nearby, to the dangers that operating the plant might pose. This was one of the glaring failures of the Bhopal, India, disaster. Perhaps the biggest air pollution disaster of all time occurred in Bhopal in 1984 when a toxic cloud drifted over the city from the Union Carbide pesticide plant. The gas leak killed thousands of people and permanently injured tens of thousands more.
Most of our respondents focused on the damage wrought as the distinction between a disaster and a lesser problem. In addition to severity, a disaster has temporal thresholds; it causes long-term damage to the ecosystem and/or human population. The spatial and temporal scale of an event enters into its classification as a disaster, albeit in a relative way (Resnik and Vallero 2011). Obviously, an ecosystem that is not sufficiently elastic will experience irreversible and long-term harm more easily than a diverse and elastic system. If the system includes the only habitat of a threatened or endangered species, even an assault that is relatively localized may still cross the damage threshold and be deemed a disaster.
For problems that potentially affect large numbers of people or large geographic areas or that are otherwise substantial and irreversible, precaution is the basis for safety factors in engineering design. As shown in Fig. 1, near-field impacts can occur on a small scale (e.g., neighborhood) from a chemical spill or other emergency situation. Actions related to such events are usually risk based (e.g., removal of the contaminants, evacuation of potentially affected population, and remediation). At the other extreme, global climate change can result from chronic releases of greenhouse gases, with expansive, planetary impacts in direct proportion to significant changes in global climate (temperature increases in the troposphere and oceans, shifting biomes, sea level rise, and alterations in migratory patterns). Therefore, such consequences of large-scale disasters may best be prevented using precautionary approaches.
Fig. 1. Spatial scale of impacts, from near-field events such as a chemical spill to planetary-scale climate change (figure image not reproduced).
Another aspect of a disaster is how well it can be addressed within the normal range of infrastructures. In this sense, a disaster is any natural, accidental, or deliberate event that overwhelms the ability of local officials and responders to address the consequences using community resources. This definition is quite useful from an engineering management perspective. That is, even an event that fails to meet a physical threshold—for example, a relatively low Richter scale reading or slightly elevated concentrations of a toxic chemical—would be disastrous if infrastructure failures led to inordinate and unusual harm. For example, slightly elevated nitrate levels in drinking water would not be an immediate threat to adults but can be fatal to newborns as a result of methemoglobinemia. In fact, the effects of environmental disasters are seldom evenly distributed throughout an affected population. Usually, the effects are most dramatic in the most vulnerable subpopulations, including the very young, the very old, and the infirm.
An ecological disaster can be characterized as structural or functional. In a structural ecological disaster, an ecosystem's components are substantially altered or destroyed, such as flooding that eliminates detritus or fires that destroy tree canopies, upsetting the ecosystem's trophic structure (i.e., decomposers, producers, and consumers). Structural disasters lead to functional disasters, in which the ecosystem can no longer perform as it did before in terms of biological processes (e.g., photosynthesis, respiration, ion exchange), upsetting delicate balances in biodiversity and productivity. For example, ecological disasters frequently follow oil spills, such as the 2010 Deepwater Horizon oil spill in the Gulf of Mexico, and chemical and nuclear contamination events, such as the releases of dioxins, mercury, and cadmium from fires and explosions and of radioactive isotopes from the Chernobyl meltdown and from the core damage at Fukushima Daiichi following the 2011 earthquake and tsunami in Japan.
Ecosystems are characterized using functional metrics such as productivity and species diversity. In the Gulf, biodiversity was threatened because the crude oil and even the cleaning substances could have differential effects on species, leading to changes in the food webs and potentially damaging the ocean and near-coastal ecosystems for decades. In toxic release disasters, biota exposed to contaminants experience ecological damage as polluting chemicals cycle through the environment. The damage can be direct—for example, the death of a sufficient number of sensitive species to alter the biodiversity—or indirect—for example, the bioconcentration of chemicals until the top predators fail to propagate. The damage can also indirectly affect human populations, such as through heavy metal concentrations in the food and water supplies.
Disaster Risk Assessment
The scale and complexity of a disaster affect engineering and policy decisions regarding future disasters. For example, continental- and planetary-scale problems such as acid rain and climate change may be treated as disasters even though the damage has not yet reached disaster thresholds. The so-called precautionary principle holds that when an activity threatens harm to human health or the environment, precautionary measures should be taken even if some cause-and-effect relationships are not fully established scientifically. The principle received its most widely cited formulation as Principle 15 of the Rio Declaration at the 1992 Earth Summit in Rio de Janeiro, Brazil (United Nations General Assembly 1992). Under it, those engaging in the behaviors that are building toward the disaster, rather than the public at large, must show that they are not contributing to the pending disaster (Goklany 2001).
The design, construction, and operation of industrial plants and other facilities can be inherently dangerous and pose a possible risk even if the checks and balances are heeded sufficiently. Engineering decisions may be driven more by uncertainty than by risk. That is, if the risk is sufficiently understood, designs can directly follow specifications based on the likelihood that populations will be exposed to a hazard (e.g., protection of 99.9% of a population likely to be exposed under a worst-case scenario). However, when the exposure is very uncertain, designs would require such large factors of safety that they would be infeasible economically, even if the technology and design exist. For example, certain facilities may need to be excluded completely from hazard zones due to inherently large risks, even if they are low probability. Considering the 2011 Fukushima nuclear disaster, for example, many engineers would prohibit the construction of even state-of-the-science nuclear facilities in tsunami zones.
Interestingly, the lessons from hydrologic events are not always heeded. A tsunami, for example, is a hydrological event precipitated by a geophysical event. To a statistician, it may be no different, albeit rarer, from any other hydrological event, and the statistician will consider the stochasticity of the event to see just how rare it is. However, a 100-year recurrence interval does not mean that the next event is a century away or that contingencies need only cover a century. A 100-year flood is one whose stage is reached, on average, once in 100 years, based on historical data about precipitation and stream characteristics; for example, a river may be calculated to reach a stage of 15 ft once in 100 years. The probability of such a flood is therefore 1% in any given year, independent of what happened in prior years, so it is entirely possible for it to occur in consecutive years or more than once in a single year (U.S. Geological Survey 2012). A contingency plan properly matched to this probability would also take into account the potential damage. Few would want to live with a 1% or even a 1 in 10,000 annual probability of one's house burning down; they would implement aggressive safety factors to avoid fire. In fact, if the fire risk were that high, land use planners would, one hopes, require that no structures, or at least only less fire-prone structures, be allowed. It is quite common, however, for homes to be rebuilt near beaches and other vulnerable sites immediately after a hurricane.
This feature of statistical probability may account for the precautions that many engineers take when designing large-scale projects, even in the face of data supporting the safety of the project. For example, the news media have reported on several occasions that the track records of hydrofracturing and of pipelines from oil shale fields seem sufficient to proceed. Some of the concern with these safety extrapolations is the difference in scale and complexity. Indeed, other extraction techniques have been used, and thousands of miles of pipelines already traverse North America. However, the risks of these extraction and transport systems are not the same as those of previous systems, nor is a complete extrapolation from entirely similar precedents possible. The quandary of the precautionary principle for engineering leaders is that it calls for a margin of safety beyond what may be directly construed from science. Engineers may be uncomfortable with this shift in onus from having to prove that a harm exists to having to show at the outset that it does not. However, showing that the harm does not exist is actually quite similar to other engineering requirements for ample margins of safety. Such an approach is nevertheless difficult because it usually calls for risk and benefit trade-offs, including less travel by individual vehicles and more reliance on mass transit, less suburban development, less reliance on fossil fuels, and even less risk taking, which could translate into less scientific advancement (Morris 2000).
Engineering decisions must rely on both sound science and quantifiable risk analysis. For example, the engineer designing a facility that uses a physical (e.g., nuclear energy), chemical (e.g., mercury), or biological (e.g., genetically modified bacteria) agent in any process must be aware that these agents could be released under some unforeseen malfunction of the plant. That is, one can never assume 100% containment. Plans to cope with extreme conditions must be built into the design. It is important when designing plants that the widest network of expertise is called on for advice. Such expert elicitation is increasingly used, especially in highly complex and multidisciplinary designs.
To scientists and engineers, at least, risk is a straightforward and quantifiable concept: the probability of some adverse outcome, weighted by the severity of that outcome. Risk is thus a function of probability and consequence (Lewis 1990). Consequence can take many forms. In the medical and environmental sciences, the intrinsic capacity of an agent to cause harm is called a "hazard." Risk, then, is a function of the particular hazard and the chances of a person (or neighborhood, workplace, or population) being exposed to it. In the environmental business, this hazard often takes the form of toxicity, although other public health and environmental hazards abound.
Role of Perception in Risk Management
Disasters are value laden. If, for example, a particular person places great value on a lake or wetland that has sustained serious damage, even if it is localized, that person would call its destruction a disaster. However, that person likely would not perceive as a disaster the destruction of an identical resource in an area he or she does not value, although he or she may well sympathize with others who value it. A big part of characterizing something as a disaster as opposed to a failure is how the public, or at least a substantial part of it, such as the media, perceives it. Failure occurs all the time; in fact, failure is inevitable. Failure becomes a disaster when its effects in time and space are judged severe enough to cross that threshold. A failure may also be classified as a disaster when it traces to an engineer's miscalculation or omission of key information. Such mistakes can lead the public to perceive a failure as disastrous even if it was less severe than one perceived as less preventable or even inevitable.
Sometimes a failure is not recognized as a disaster until long after it occurs. Environmental and public health disasters, for example, may not be noticed for decades. Chronic diseases such as cancer have long periods of separation between the first exposure to the causative agent and the onset of disease symptoms (i.e., the latency period). For example, asbestos workers were exposed for decades before signs of mesothelioma or lung cancer were diagnosed. Many factors, including insufficient study, underreporting of exposures and diseases, and the properties of a toxic agent, can also obscure links between cause and effect, such as the relatively recent linkages between childhood exposure to lead and neurological and developmental diseases.
Risk perception is a crucial component of the public perception of a disaster. Different groups perceive the same facts differently. One group may see the facts as representing a problem that can easily be fixed, while another may perceive the same facts as representing an engineering or public health disaster. Engineers at the State University of New York, Stony Brook (2008), for example, compared U.S. transportation fatalities in 1992 and found that similar numbers of fatalities occurred from accidents involving airplanes (775), trains (755), and bicycles (722). To the public, however, air travel has often been considered higher risk than travel by train and certainly by bicycle. The researchers concluded that two factors drive this perception: (1) a single event leading to large loss of life attracts much media attention, and (2) people aboard a large aircraft have virtually no control over their situation. The increased anxiety provoked by highly visible failures and lack of control over outcomes leads to greater perceived risk. These factors also influence people's definitions of environmental and public health events as disasters. Certain terms are terrifying, such as cancer, central nervous system dysfunction, toxins, and ominous-sounding chemical names such as dioxin, PCBs, vinyl chloride, and methyl mercury. In fact, chemical names in general elicit anxieties and increase perceived risk; for example, people typically find the name dihydrogen monoxide alarming until they are told that it is water.
Actual risks may be much greater or much lesser than perceived risks. So how can technical facts be squared with public fears or apathy? As with so many engineering concepts, timing and scenarios are crucial. What may be the right manner of saying or writing something in one situation may not be so in another. Yet holding paramount the health, safety, and welfare of the public obligates engineers to communicate risks in a way that portrays them accurately. Abating exaggerated risks that are in fact quite low could mean implementing unnecessarily complicated and costly measures or even choosing an alternative that in the long run may be deleterious to the environment or public health.
The risk assessment and risk perception processes differ markedly, as shown in Table 1. Assessment relies on science-based criteria such as problem identification, data analysis, and risk characterization, including cost–benefit ratios. Perception relies on thought processes and includes such criteria as intuition, personal experiences, and personal preferences. Engineers tend to be more comfortable using risk assessment (middle column of Table 1), while the general public often uses personal preferences (right column). As evidence, before being confronted with overwhelming risk data to the contrary, many people believed that wearing a safety belt presented a higher risk of fatality because of the difficulty of freeing oneself from an overturned or submerged vehicle. Nowadays, most people accept the data and readily use seat belts. In communicating risks, analytically minded engineers must reach intuitively minded audiences. It can be done as long as preconceived and conventional approaches do not get in the way.
Table 1. Science-based versus perception-based criteria at each stage of risk decision making

Decision stage | Science-based criteria | Perception-based criteria |
---|---|---|
Identifying and characterizing risks | Application of laws of physics, chemistry, and biology and the derived sciences. Usually, extrapolation of knowledge from the general to the specific (i.e., deductive reasoning). Use of statistical inference and decision tools (e.g., Bayesian and classical statistics, computational methods, multicriteria decision analysis). | Extrapolations and extensions from personal experiences using various forms of reasoning, including intuition. |
Predicting risks | Estimates of magnitude, frequency, and duration of exposure based on measurements and modeling applications. | Personal experience and dread based on news stories, personal conversations, and other nonscientific sources. Subjective determination of risks and benefits. |
Assessing and managing risks | Cost–benefit and risk–benefit analyses. Feasibility of risk management options based on calculations of potential exposure and effects from hazards. Inclusion of public health problems, ecosystem damage, and financial and welfare costs in cost estimation and damage assessment. | Application of age-dependent criteria (e.g., teenagers tend to be more risk tolerant). Personal experience and subjective means of assessing and managing risk. |
During early scoping meetings for environmental studies, for example, engineers and scientists describe for the public the need for a study to be scientifically objective, to provide adequate quality assurance of the measurements, and to have a sound approach for testing hypotheses and handling data. They often go into such meetings expecting the subject matter to be straightforward and to provoke little concern or feedback. They are sometimes surprised, however, when people express concern about what they intend. For example, an audience member might ask what the engineers and scientists would do if they found something troubling during an investigation and whether they would begin interventions then and there. Engineers and scientists typically are not well prepared for these questions. We know that the data are not truly acceptable until they have been validated and interpreted, so we recommend patience until the data meet the scientific requirements for rigor. This response is not always met with approval.
In one memorable meeting, the neighborhood representatives opposed the methodical, patient approach. At best, they thought we were naïve and, at worst, disingenuous about the local concerns. It seems that the concerns had been "studied" before, but little action had followed the studies. They had been told previously some of the same things they were being told at our meeting, essentially, "Trust us!" We were applying rigorous scientific processes (middle column of Table 1), which they had endured previously. Their concerns were explained by their experience and awareness (right column). As a result, we changed our flow charts to reflect the need to begin actions and interventions before project completion. In this case, at least, the compromise was acceptable to all parties.
Both lay groups and highly motivated and intelligent engineers and scientists have difficulty parsing perceived and real risks. Balancing risk assessment and risk perception is a major challenge in all projects. Disasters are highly stressful and uncertain, so misperceptions are almost guaranteed. Engineering leadership must incorporate ways to prevent and address such miscommunications.
Failure
From a scientific and engineering perspective, disasters are failures, albeit very large ones. One thing fails. This failure leads to another failure. The failure cascade continues until it reaches catastrophic magnitude and extent. Some failures occur because of human error. Some occur because of human activities that make a system more vulnerable, and some occur in spite of valiant human interventions. Some failures are worsened by human ignorance, and some result from hubris and lack of respect for the power of nature. Some result from forces beyond the control of any engineering design, irrespective of size and ingenuity.
Engineers and other scientists loathe failure. But all designs fail at some point in time and under certain conditions. The distinction between a successful and unsuccessful design is a function of time. If what is designed performs as intended during its acceptable life span, it is a success. If not, it is a failure. A disastrous design is one that not only does not perform as intended, but also causes substantial harm when it fails.
Failures may occur in many forms and from many sources. A dam break or oil leak is an engineering failure, as is exposure to carcinogens in the air, water, and food. The former examples are more directly under the engineer’s span of control, whereas the latter are indirect results of failures, or second order engineering failures. Again, plans to cope with extreme conditions must be built into public designs.
Failures vary in kind, degree, and extent. Human-induced or human-contributed disasters can result from mistakes, mishaps, or misdeeds. The prefix mis- can connote that something has been poorly done, as in a mistake. It may also mean that an act leads to an accident because the original expectations were overtaken by events, as in a mishap. A mishap can occur as a result of not upholding the levels of technical competence called for in a field. Medical and engineering codes of ethics, for example, include tenets and principles related to competence, such as working only in one’s area of competence or specialty. Many of the problems related to the Bhopal disaster, for example, could have been avoided if the personnel on duty understood the chemistry of methyl isocyanate (MIC), knew the dangers of uncooled MIC and the reaction of MIC with water, and recognized danger signs of increased pressure and temperature in the MIC tank.
Finally, mis- can suggest that an act is immoral or ethically impermissible, as in a misdeed. Interestingly, the theological derivation for the word sin (Greek hamartano) means that when a person has missed the goal of moral goodness and ethical uprightness, that person has behaved immorally by failing to abide by an ethical principle, such as honesty or justice. Mistakes, mishaps, and misdeeds have contributed to disasters, either in their genesis or in the responses to them (Vallero 2010). The following sections discuss a few types of failure familiar to engineers, particularly with regard to their likelihood of contributing to a disaster.
Failure Type 1: Miscalculations
Sometimes engineers make mistakes and their works fail due to their own miscalculations, for example when misplaced parentheses in computer code silently change an expression, leading to errors in predicting the pharmacokinetic behavior of a drug. Some failures occur when engineers do not correctly estimate the degradation that devices undergo during sterilization (e.g., not properly accounting for corrosion and material fatigue resulting from the high temperature and pressure of an autoclave). Such mistakes are avoidable if the physical sciences and mathematics are properly applied and the calculations are independently checked.
Disasters caused solely by miscalculations are rare, although there are instances in which catching a miscalculation after the fact prevented a failure, some potentially disastrous. One such case involved William LeMessurier, a renowned structural engineer. He was a principal designer of the Citicorp Tower in Manhattan. The tower was constructed using LeMessurier's diagonal-bracing design, which made the building, completed in 1977, unusually light for its size (National Academy of Engineering 2006). This technique also unfortunately increased the building's tendency to sway in the wind, which was addressed by installing a tuned-mass damper (a 400-ton concrete block floated on pressurized oil bearings) at the top. During construction, without apprising LeMessurier, contractors decided that welding was too expensive and bolted the braces instead. When he became aware of the change, LeMessurier initially thought it posed no safety hazard. He changed his mind over the next month, however, when new calculations showed that the switch compounded another danger with potentially catastrophic consequences.
When LeMessurier recalculated the safety factor, taking account of quartering winds (winds striking the building at a corner rather than face on) and the actual construction of the building, he discovered that the tower, which he had intended to withstand a 1,000-year storm, was actually vulnerable to a 16-year storm. In other words, the tower could fail under meteorological conditions that occur in New York on average every 16 years. Thus, the miscalculation effectively eliminated the factor of safety. The disaster was averted after LeMessurier notified Citicorp executives, among others. Soon after the recalculation, he oversaw the welding of heavy steel plates over the bolted joints of the superstructure to restore the original factor of structural safety.
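The return-period arithmetic behind both the 100-year flood discussed under risk assessment and the Citicorp figures above is easy to get wrong in one's head, so the following added example (not from the paper) converts a return period into exceedance probabilities over a design life. The 50-year design life is an assumed figure, and the annual model treats each year as an independent trial with at most one exceedance; a separate Poisson function covers the "more than once in a year" case.

```python
"""Return periods to exceedance probabilities (added example, not from the paper).

Assumptions: years are independent trials; the annual exceedance probability of a
T-year event is p = 1/T; the 50-year design life used below is an illustrative figure.
"""
from math import comb, exp, factorial


def annual_probability(return_period_years: float) -> float:
    """Annual exceedance probability p = 1/T for a T-year event."""
    if return_period_years <= 0:
        raise ValueError("return period must be positive")
    return 1.0 / return_period_years


def prob_at_least_one(return_period_years: float, horizon_years: int) -> float:
    """P(at least one exceedance in n independent years) = 1 - (1 - p)^n."""
    p = annual_probability(return_period_years)
    return 1.0 - (1.0 - p) ** horizon_years


def prob_at_least_k(return_period_years: float, horizon_years: int, k: int) -> float:
    """P(k or more exceedance years out of n), from the binomial distribution.

    With k == horizon_years this is the probability that every year in the
    window exceeds the threshold, e.g. three 100-year floods in a row.
    """
    p = annual_probability(return_period_years)
    n = horizon_years
    return sum(comb(n, i) * p**i * (1.0 - p) ** (n - i) for i in range(k, n + 1))


def prob_multiple_in_one_year(return_period_years: float, k: int = 2) -> float:
    """P(k or more exceedances within a single year), treating arrivals as Poisson
    with rate 1/T per year, since the annual binomial model allows at most one."""
    lam = annual_probability(return_period_years)
    p_fewer = sum(exp(-lam) * lam**i / factorial(i) for i in range(k))
    return 1.0 - p_fewer


def horizon_for_target(return_period_years: float, target: float) -> int:
    """Smallest number of years n for which P(at least one exceedance) >= target."""
    if not 0.0 < target < 1.0:
        raise ValueError("target must be strictly between 0 and 1")
    n = 1
    while prob_at_least_one(return_period_years, n) < target:
        n += 1
    return n


def design_life_report(return_period_years: float, design_life_years: int) -> dict:
    """Summarize what a T-year hazard means over an asset's design life."""
    return {
        "annual_probability": annual_probability(return_period_years),
        "prob_exceeded_in_life": prob_at_least_one(return_period_years, design_life_years),
        "years_to_even_odds": horizon_for_target(return_period_years, 0.5),
    }


if __name__ == "__main__":
    DESIGN_LIFE = 50  # assumed design life in years, not a figure from the paper
    print("100-year flood, at least once in 30 years:", round(prob_at_least_one(100, 30), 3))
    print("100-year flood, three years running:", f"{prob_at_least_k(100, 3, 3):.1e}")
    print("100-year flood, twice in one year:", f"{prob_multiple_in_one_year(100):.2e}")
    print("1,000-year storm over design life:", design_life_report(1000, DESIGN_LIFE))
    print("16-year storm over design life:", design_life_report(16, DESIGN_LIFE))
```

The contrast the report function exposes is the one that mattered for the tower: a 1,000-year design storm has roughly a 5% chance of being met within 50 years, whereas the as-built 16-year storm has better than a 95% chance, with even odds reached in about 11 years. Three consecutive 100-year floods, by contrast, come out at one in a million, so "possible" and "unsurprising" are not the same thing.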
It is sometimes difficult to differentiate a miscalculation from negligence, given that competence is an element of ethical practice. As humans, however, engineers all make arithmetic errors at some point during their careers. The distinguishing features of unacceptable miscalculation are a high degree of carelessness and widespread and severe consequences. Even a small miscalculation is unacceptable if it has the potential either to be large in scale or to have long-lived negative consequences. At any scale, if the miscalculation leads to loss of life or substantial destruction of property, it violates the first canon of the engineering profession to hold paramount the public’s safety, health, and welfare.
Miscalculation can also result from miscommunication, as in the well-publicized loss of NASA's Mars Climate Orbiter in 1999, which cost the agency $125 million. The spacecraft team in Colorado and the mission navigation team in California exchanged thruster data across their interface without a shared unit convention: one side produced the figures in U.S. customary units while the other side's software expected metric units, and no check at the handoff caught the mismatch. As NASA's announcement noted,
“‘People sometimes make errors,’ said Edward Weiler, NASA’s associate administrator for space science in a written statement. ‘The problem here was not the error, it was the failure of NASA’s systems engineering, and the checks and balances in our processes to detect the error. That’s why we lost the spacecraft.’” (NASA 1999)
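The Weiler statement locates the failure in the missing check rather than in the arithmetic. The following added example (not NASA's or its contractors' code) shows what such a check looks like in software: quantities that carry their unit across a team boundary, a parser that rejects unit-less records instead of assuming a convention, and the size of the error that bare floats would have produced. The specific units follow the orbiter case, in which impulse was reported in pound-force seconds but consumed as newton seconds; the sample impulse values are constructed.

```python
"""Unit-tagged quantities at a team boundary (added example, not NASA's or its
contractors' code).

Assumptions: one team reports thruster impulse in pound-force seconds while the
receiving navigation code expects newton seconds; the sample impulse values below
are constructed. The conversion uses 1 lbf = 0.45359237 kg * 9.80665 m/s^2, so
1 lbf*s = 4.4482216152605 N*s.
"""
from dataclasses import dataclass

N_S_PER_LBF_S = 0.45359237 * 9.80665  # newton seconds per pound-force second
KNOWN_UNITS = ("N*s", "lbf*s")


@dataclass(frozen=True)
class Impulse:
    """An impulse that carries its unit, so a unit mismatch is a detectable error."""
    value: float
    unit: str

    def __post_init__(self) -> None:
        if self.unit not in KNOWN_UNITS:
            raise ValueError(f"unknown impulse unit {self.unit!r}")

    def to_n_s(self) -> float:
        """Normalize to SI at the boundary, whatever the sender used."""
        return self.value if self.unit == "N*s" else self.value * N_S_PER_LBF_S

    def __add__(self, other: "Impulse") -> "Impulse":
        # Refuse to add quantities in different units rather than silently mixing them.
        if self.unit != other.unit:
            raise TypeError(f"cannot add {other.unit} to {self.unit}; convert first")
        return Impulse(self.value + other.value, self.unit)


def parse_record(payload: dict) -> Impulse:
    """Interface contract: a record without an explicit unit is rejected, not assumed."""
    if "unit" not in payload:
        raise ValueError("impulse record has no unit field; refusing to assume one")
    return Impulse(float(payload["value"]), payload["unit"])


def total_impulse_unchecked(values: list) -> float:
    """The failure mode: bare floats summed, unit taken on faith."""
    return float(sum(values))


def total_impulse_n_s(records: list) -> float:
    """The check: every record states its unit and is converted before summing."""
    return sum(r.to_n_s() for r in records)


def misread_factor(records: list) -> float:
    """How far off a navigation total is if lbf*s values are read as N*s."""
    return total_impulse_n_s(records) / total_impulse_unchecked([r.value for r in records])


# Constructed sample: three thruster firings as the spacecraft team would report them.
SAMPLE_PAYLOADS = [
    {"value": 2.5, "unit": "lbf*s"},
    {"value": 1.0, "unit": "lbf*s"},
    {"value": 0.75, "unit": "lbf*s"},
]

if __name__ == "__main__":
    records = [parse_record(p) for p in SAMPLE_PAYLOADS]
    print("sum taken as N*s without checking:", total_impulse_unchecked([r.value for r in records]))
    print("sum after unit conversion (N*s):", round(total_impulse_n_s(records), 4))
    print("underestimate factor:", round(misread_factor(records), 4))
```

The point of the design is that the unit travels with the number, so the place where the two teams' conventions meet is the place where the mismatch surfaces, as an exception at integration time rather than as a trajectory error months later. The same pattern applies to any cross-team interface: make the implicit convention an explicit, validated field.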
Failure Type 2: Extraordinary Natural Circumstances
Failure can occur when factors of safety are exceeded because of extraordinary natural occurrences. Engineers can, with fair accuracy, predict the probability of failure due to natural forces such as wind loads, and they design structures for some maximum loading, but these natural forces can exceed the design value. Engineers design for an acceptably low probability of failure, not for 100% safety and zero risk. Tolerances and design specifications must therefore be defined as explicitly as possible, including the load or event beyond which the design is expected to fail. The housing stock in parts of Florida, for example, has been found not to meet standards that most structural engineers would consider necessary in hurricane zones. Hence, hurricane disasters have been exacerbated by an improper match between building codes (or at least adherence to those codes) and environmental conditions. The same mismatch exists for tsunami exposure, even after the 2011 earthquake and tsunami in Japan.
The tolerances and factors of safety have to match the consequences. A failure rate of 1% may be acceptable for a household compost pile, but it is grossly inadequate for bioreactor performance. And the failure rate of devices may spike dramatically during an extreme natural event (e.g., power surges during storms). Equipment failure is but one of the factors that lead to uncontrolled environmental releases. Conditional probabilities of failure should be known. That way, backup systems can be established in the event of extreme natural events like hurricanes, earthquakes, and tornados. If appropriate, contingency planning and design considerations are factored into operations; the engineer’s device may still fail, but the failure would be considered reasonable under the extreme circumstances.
Failure Type 3: Critical Path
No engineer can predict all of the possible failure modes of every structure or other engineered device, and unforeseen situations can occur. A classic, microbial case is the Holy Cross College football team hepatitis outbreak in 1969 (Morse et al. 1972). A confluence of events occurred that resulted in drinking water becoming contaminated when the hepatitis virus entered the water system. Predictive modeling would not likely be very good at predicting such rare outcomes, because intensive modeling would probably be based on high value scenarios, such as those with relatively high risks associated with agents and conditions that had previously led to an adverse outcome.
In this case, a water pipe connecting the college football field with the town passed through a golf course. Children had opened a water spigot on the golf course, splashed around in the pool they created, and apparently discharged the hepatitis virus into the water. A low pressure was created in the pipe when a house caught fire and water was pumped out of the water pipes. This low pressure sucked the hepatitis-contaminated water into the water pipe. The next morning, the Holy Cross football team drank water from the contaminated water line, and many came down with hepatitis. The case is memorable because it was so highly unlikely—a combination of circumstances that were impossible to predict. Nevertheless, the job of engineers is to do just that: to try to predict the unpredictable and thereby to protect the health, safety, and welfare of the public.
In this example, engineers failed but were not blamed for the failure because such a set of factors had not previously led to an adverse action. If the public or their peers agree that the synergies, antagonisms, and conditional probabilities of the outcome could not reasonably have been predicted, the engineer is likely to be forgiven. However, if a reasonable person deems that a competent engineer should have predicted the outcome, the engineer is to that extent held accountable.
Indeed, there is always a need to consider risks by analogy, especially when related to complex biological systems. Many complex situations are so dynamic and multifaceted that there is never an exact precedent for the events and outcomes for any real-world scenario. For example, every bioremediation project will differ from every other such project, but there are analogous situations related to previous projects that can be applied to a particular project. Are the same strains of microbes being used? Are the physical conditions (e.g., soil texture) and biological conditions (e.g., microbial ecology, plant root systems, ambient temperatures, daily season variabilities) similar to those in previous studies? Are structurally similar compounds being degraded? Are the volumes and concentrations of wastes similar?
Failure Type 4: Negligence
Engineers also have to protect the public from its members’ own carelessness. The case of the woman trying to open a 2-L soda bottle by turning the aluminum cap the wrong way with a pipe wrench and having the cap fly off and into her eye is a famous example of unpredictable ignorance. She sued for damages and won, with the jury agreeing that the design engineers should have foreseen such an occurrence. (The new plastic caps have interrupted threads that cannot be stripped by turning in the wrong direction.)
In the design of water treatment plants, engineers are taught to design them so that it is easy to do the right thing and very difficult to do the wrong thing, called making the treatment plant “operator proof.” Pipes are color coded, valves that should not be opened or closed are locked, and walking distances to areas of high operator maintenance are minimized and protected. Standard operating procedures (SOPs) are crucial in any operation that involves repeated actions and a flow of activities. Hospitals, laboratories, factories, schools, and other institutions rely on SOPs. One of the standard operating procedures in a flour mill or aluminum grinding factory, for example, is to ensure that surfaces are not covered with powder. A relaxation of that rule could lead to the powder being dislodged, filling the airspace, and coming into contact with a hot source or spark, which could easily result in a conflagration. When SOPs are not followed, risks increase. Systems engineers recognize that if something can be done incorrectly, sooner or later it will. Engineers must strive to minimize such possibilities.
Risk is a function of time because it is a part of the exposure equation; that is, the more time one spends in contact with a hazard, the greater the exposure. In contrast, reliability is the extent to which something can be trusted. A system, process, or item is reliable as long as it performs the designed function under the specified conditions during a certain time period. In most engineering applications, reliability means that what we design will not fail prematurely. Or, stated more positively, reliability is the mathematical expression of success; that is, reliability is the probability that a system that is in operation at time 0 will still be operating at the end of its designed life. As such, it is also a measure of engineering accountability. People in neighborhoods near a hazardous facility want to know if it will work and will not fail, which is especially true for facilities that may affect the environment, such as mining and drilling operations and power plants. Likewise, when environmental cleanup is being proposed, people want to know how certain the engineers are that the cleanup will be successful.
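The reliability definition above, together with the earlier point under Failure Type 2 that conditional probabilities of failure during extreme natural events should be known before backup systems are sized, can be put in numbers. The block below is an added worked example, not a calculation from the paper: the constant-hazard (exponential) survival model, the simplified beta-factor treatment of common-cause failure, and every rate, event probability and unit count in it are assumptions constructed for the illustration.

```python
"""Conditional failure probabilities and redundancy under extreme events.

Added worked example; the failure rates, event probability and common-cause
fraction used below are constructed assumptions, not figures from the paper.
"""
import math


def survival_probability(failure_rate_per_year: float, design_life_years: float) -> float:
    """Reliability as the probability that a system running at time 0 is still
    running at the end of its design life, assuming a constant hazard rate
    (exponential model; a modelling assumption, not a claim of the paper)."""
    return math.exp(-failure_rate_per_year * design_life_years)


def all_units_fail(p_unit: float, n_units: int, common_cause: float = 0.0) -> float:
    """Probability that every one of n redundant units fails.

    With common_cause == 0 the units are treated as independent: p ** n.
    Otherwise a simplified beta-factor model is used: a fraction `common_cause`
    of unit failures are shared-cause events that take out all units at once,
    and only the remaining independent failures benefit from redundancy.
    """
    if n_units < 1:
        raise ValueError("need at least one unit")
    independent = (1.0 - common_cause) * p_unit
    return common_cause * p_unit + independent ** n_units


def annual_failure_probability(p_extreme_event: float, p_fail_normal: float,
                               p_fail_extreme: float, n_units: int,
                               common_cause: float = 0.0) -> float:
    """Unconditional annual failure probability built from the conditional ones:
    P(fail) = P(normal) P(fail | normal) + P(extreme) P(fail | extreme)."""
    normal = all_units_fail(p_fail_normal, n_units, common_cause)
    extreme = all_units_fail(p_fail_extreme, n_units, common_cause)
    return (1.0 - p_extreme_event) * normal + p_extreme_event * extreme


def units_needed(target: float, p_extreme_event: float, p_fail_normal: float,
                 p_fail_extreme: float, common_cause: float = 0.0,
                 max_units: int = 10):
    """Smallest number of redundant units meeting the target annual failure
    probability, or None if no count up to max_units does (common-cause
    failures put a floor under what redundancy alone can achieve)."""
    for n in range(1, max_units + 1):
        p = annual_failure_probability(p_extreme_event, p_fail_normal,
                                       p_fail_extreme, n, common_cause)
        if p <= target:
            return n
    return None


if __name__ == "__main__":
    # Constructed scenario: a 2% chance per year of an extreme storm, a unit
    # failure probability of 1% in a normal year and 30% during the storm.
    P_STORM, P_NORMAL, P_EXTREME = 0.02, 0.01, 0.30
    print("20-year survival at 1%/yr:", round(survival_probability(0.01, 20), 4))
    print("2 units, storm ignored   :", all_units_fail(P_NORMAL, 2))
    print("2 units, storm included  :", annual_failure_probability(P_STORM, P_NORMAL, P_EXTREME, 2))
    print("units for 1e-3 target    :", units_needed(1e-3, P_STORM, P_NORMAL, P_EXTREME))
    print("same with 10% common cause:", units_needed(1e-3, P_STORM, P_NORMAL, P_EXTREME, 0.1))
```

Two things the paragraph states become visible here. First, a design that sizes its backups from the normal-year failure rate alone understates the annual failure probability by more than an order of magnitude in this constructed scenario, because the storm year dominates the total even though it is rare. Second, once the storm itself is a common cause that can take out all backups together, adding more identical units stops helping; the floor is reached and the target is never met, which is the case for backup systems that must survive the very event that triggers them.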
Using scientific information is requisite to characterizing disasters, but only when considered within spatial and temporal contexts. For example, a levee or dam experiences failure when flow rates reach cubic meters per second, as in the catastrophic failures in New Orleans during and in the wake of Hurricane Katrina. Conversely, a hazardous waste landfill failure may be reached when flow across a barrier exceeds a few cubic centimeters per decade. Flow is a determinant in both disasters, but at different orders of magnitude. Thus, a disaster resulting from failure caused by negligence is determined by temporal dimensions. If an outcome such as pollution of a drinking water supply occurs in a day, it may well be deemed a disaster, but if the same level of pollution is reached in a decade, it may be deemed an environmental problem, but not a disaster. Of course, if this is one’s only water supply, as soon as the problem is uncovered it becomes a disaster to that person. In fact, it could be deemed worse than a sudden-onset disaster because one realizes that one has been exposed for a long time. This was the case in some of the infamous toxic disasters of the 1970s, notably the Love Canal incident.
Love Canal is an example of a cascade of failures. The exposures of people to harmful remnant waste constituents buried in a neighborhood in Niagara Falls, New York, from the 1950s to the 1970s followed a complicated series of events brought about by military, commercial, and civilian government decisions. Some of these decisions were outright travesties and breaches of public trust. Others may have been made in ignorance (or even benevolence, such as the construction of a school on donated land, which tragically led to the exposure of children to dangerous chemicals). But the bottom line is that people were exposed to toxic substances. Cancer, reproductive toxicity, neurological disorders, and other health consequences resulted from the exposures, regardless of the intent of the decision maker. Neither the public nor attorneys and company shareholders can accept ignorance as an excuse for designs and operations that lead to hazardous waste–related exposures and risks. Love Canal highlights the need in all communities to improve communications and to have available channels to receive complaints and direct information to the right authority. Furthermore, these channels should be well publicized, and whistleblowers should be encouraged and their comments and plights taken seriously and investigated. If such a system had been in place, many disasters, including Bhopal, Love Canal, the Minamata mercury poisoning outbreak of the 1950s and 1960s in Japan, and even the 2011 Fukushima nuclear accident could have been avoided, or at least the extent of damage lessened.
For engineers, the concept of negligence changed with the terrorist attacks of September 11, 2001. The 21st-century engineer is expected to add a higher level of scrutiny and to be forward thinking and proactive in designing ways to protect the health, safety, and welfare of the public from acts of intentional harm. It had not occurred to most engineers that they have a responsibility to protect people from those who want to intentionally harm them or to destroy public facilities. This has been a common expectation of military engineers, but it is a totally new failure mode that must now be considered in civil, chemical, mechanical, aerospace, and other civilian engineering disciplines. Biomedical and environmental engineers must also consider such contingencies because public health and environmental damage may be direct (e.g., threats to air and water) or may ensue as a result of intentional design and operational failures (e.g., collapsed structures that rupture tanks that, in turn, release contaminants). Such failures can be considered to be “intentional accidents,” or failures resulting from intentional actions (Pfatteicher 2002).
Failure Type 5: Inaccurate Prediction of Contingencies
Every time something fails, whether a manufactured product (e.g., medical implant) or a constructed facility (e.g., dam), it is viewed as an engineering failure. Engineers historically have been called on to predict the problems that can occur and to design so as to minimize these adverse outcomes, protecting people from design errors, natural forces, unforeseen events, and ignorance or carelessness.
When a disaster occurs, proper channels of information and, above all, an honest, upfront appraisal of its possible consequences are needed. It is always better to err on the side of providing too much information than to attempt to conceal critical information.
Conclusion
Disasters are characterized in many ways. Perceptions about a disaster’s causes and risks can cloud our understanding and analyses of disasters. Once engineers and managers are aware of what constitutes a disaster and what types of failure lead to disasters, we are in a better position to reduce the chances of disasters occurring and to respond appropriately when they do occur. With this information, we are also in a better position to reduce the harm resulting from future disasters. The engineers and scientists involved in designing plants or structures must ensure that all plans are discussed with as wide a group of consultants as possible, and all potential malfunctioning of the plant or structure should be taken into account and be made public. Moreover, once a facility begins operations, personnel should be trained to understand the processes involved and to cope with extreme situations as they arise. Communication is vital within a facility between designers and operators, workers and management, and designers and managers on one hand, and on the other, between neighbors and the general public, who too often in the past have borne the brunt of failed processes and structures.
References
Araujo, R., Vallero, D., and Suter, G. (2006). “Human and ecological exposure science: Divergence and rapprochement.” Int. Conf. on Environmental Epidemiology and Exposure, French Agency for Environmental and Occupational Health Safety, Paris.
Goklany, I. (2001). The precautionary principle, Cato Institute, Washington, D.C.
Lewis, H. W. (1990). “Technological risk.” Chapter 5, The assessment of risk, W. W. Norton, New York.
Morris, J. (2000). Rethinking risk and the precautionary principle, Butterworth Heinemann, Burlington, MA.
Morse, L. J., Bryan, J. A., Hurley, J. P., Murphy, J. F., O’Brien, T. F., and Wacker, T. F. (1972). “The Holy Cross football team hepatitis outbreak.” J. Am. Med. Assoc., 219(6), 706–708.
National Academy of Engineering. (2006). “Part 3: The discovery of the change from welds to bolts.” Online Ethics Center for Engineering and Research, Washington, D.C. 〈http://www.onlineethics.org/cms/8896.aspx〉 (Nov. 2, 2011).
National Aeronautics and Space Administration. (1999). “Mars climate orbiter team finds likely cause of loss.” Release 99-113. 〈http://mars.jpl.nasa.gov/msp98/news/mco990930.html〉 (Jan. 17, 2012).
National Society of Professional Engineers (NSPE). (2003). “NSPE code of ethics for engineers.” Alexandria, VA. 〈http://www.nspe.org/ethics/eh1-code.asp〉 (Aug. 21, 2005).
Pfatteicher, S. (2002). “Learning from failure: Terrorism and ethics in engineering education.” IEEE Technol. Soc. Mag., 21(2), 8–12, 21.
Resnik, D. B., and Vallero, D. A. (2011). “Geoengineering: An idea whose time has come?” J. Earth Sci. Clim. Change, S1, 1–9.
State University of New York, Stony Brook. (2008). “Engineering disasters and learning from failure.” 〈http://www.matscieng.sunysb.edu/disaster/〉 (Apr. 10, 2012).
United Nations General Assembly. (1992). “Rio declaration on environment and development, Principle 15.” United Nations Department of Economic and Social Affairs, Geneva.
U.S. Geological Survey. (2012). “Floods: Recurrence intervals and 100-year floods.” 〈http://ga.water.usgs.gov/edu/100yearflood.html〉 (Jan. 17, 2012).
Vallero, D. (2010). Environmental biotechnology: A biosystems approach, Elsevier Academic Press, Burlington, MA.
Biographies
Daniel A. Vallero is adjunct professor of engineering ethics, Pratt School of Engineering, Duke University, Durham, NC. He can be contacted at [email protected].
Trevor M. Letcher is emeritus professor of chemistry, University of KwaZulu–Natal, Durban, South Africa.
Copyright
© 2012 American Society of Civil Engineers.
History
Received: Jan 18, 2012
Accepted: Jun 8, 2012
Published online: Sep 14, 2012
Published in print: Oct 1, 2012