When we travel by air we take for granted that the sophisticated piece of equipment that is the modern aeroplane will probably be controlled by computer, and naturally suppose that there is a degree of redundancy or robustness in the system so that if the computer fails then there is another one ready to take over the control. The humans in the cockpit provide a last resort. The development of appropriately safe systems requires that the parallel control systems should be truly independent so that they are not likely to fail simultaneously. Robustness is thus about ensuring that safety can be maintained even when some elements of the system cease to operate. Such robustness is obviously extremely important in air travel, railways, nuclear installations, or chemical plants, where the consequences of failure are high in terms of human life or economic consequence but civil engineering systems are also frequently complex. Complex systems can produce unexpected modes of behaviour especially when novel technologies are being adopted. There is a human element in all systems, providing some overall control and an ability to react in critical circumstances. The human intervention is particularly important where all electronic or computer control systems are eliminated and the clock is ticking inexorably towards disaster.
Although ultimately whenever a structural failure occurs there is some purely mechanical explanation – some element of the structure was overloaded because some mode of response had been overlooked – there is often a significant human factor which must be considered. We may think that we fully understand the mechanical operation, but may neglect to ensure that the human elements are properly controlled. A requirement for robustness implies both that the damage consequent on the removal of a single element of the structure or system should not be disproportionate (mechanical or structural robustness) but also that the project should not be jeopardized by human failure (organizational robustness).
When Miss Hodge lit her gas cooker at 5:45am on 16 May 1968 in order to make a cup of tea, an explosion occurred because of a gas leak and she was disappointed to find that part of her flat on the 18th floor together with the whole of the rest of the corner of her 22 storey block of flats at Ronan Point in south London collapsed to the ground (see Figure 27). Ronan Point was one of many blocks of flats built as economically as possible to provide cheap housing for people moving to the big city or displaced by slum clearance schemes or as a replacement for housing destroyed in the Second World War bombing. Ronan Point had been constructed in 1966–8 using what seemed to be a very efficient form of construction in which individual precast concrete panels were brought in and lifted into place using cranes and then connected together in a modest sort of way along their edges. It was rather like a house of cards and, like a house of cards, when the explosion occurred (Miss Hodge had failed to notice the tell-tale smell of leaking gas) it all came down. Miss Hodge’s disappointment reflects our own disappointment that a single event like a kitchen gas leak should lead to such disproportionate consequences. She was fortunate to have survived the collapse dazed and slightly burnt – but four people died in their beds lower down the building as the concrete floors progressively collapsed.
27. The collapse of one corner of the block of flats at Ronan Point was an example of progressive failure and the absence of structural robustness
Ronan Point can be seen as a purely structural failure, a mode of response that had not been envisaged at the time the building had been designed. In the UK, the collapse at Ronan Point led to changes in building regulations to cover both disproportionate collapse and also to specify the explosive pressure increase which buildings should be able to survive. Calculations after the collapse confirmed that the pressure impulse caused by the gas explosion would have been easily able to push a wall panel on the 18th storey out from its weak connection with the floor panels above and below. Owners of existing buildings were required to re-examine their designs – in some cases retrospective strengthening was feasible, in others demolition was the only option. Ronan Point itself was initially strengthened after the collapse but eventually demolished in 1986, at which time it was discovered that quite a lot of the actual construction was substandard. Vigilance to ensure that the quality of construction meets the specification is part of the essential robustness of the organization of the realization stage of design.
Timothy McVeigh must have been rather pleased with the extent of the damage caused to the Alfred P. Murrah Federal Building in Oklahoma City by a single explosion of a truck packed with explosive on 19 April 1995. The organizers of the aircraft attacks on the twin towers of the World Trade Center on 11 September 2001 would have been similarly impressed by the extent of damage to neighbouring buildings as well as the total collapse of the two 110 storey towers. In both cases the volume of building damaged or destroyed was considerably larger than the volume affected by the initial blast or impact. Could a closer attention to the possibilities of progressive collapse resulting from the transfer of loads from structural elements that had been directly eliminated have saved more of the buildings and their occupants?
On 28 July 1945, a B25 bomber aircraft was flown (presumably unintentionally – cloud level was very low) into the 79th storey of the Empire State Building in New York. Both engines became detached from the plane, one travelled right through the building and out the other side, the other went down a lift shaft. The steel structure of the building was so stiff that the effect of the aeroplane impact was rather small and damage was localized. The towers of the World Trade Center were designed with a much lighter structural form and the aircraft that crashed into them were considerably heavier than the B25. The fires resulting from the ignition of the aircraft fuel caused the steel floor trusses to soften and deform. The peripheral columns which were carrying the vertical loads from floors above were pulled in and then buckled and collapsed. The destruction of the fire protection to inner columns around the core of the buildings containing lifts and staircases also encouraged further structural damage from the heating. The towers survived the impacts but not the massive fires. But safety of a building under use, including adequate evacuation routes, is an expected element of its performance.
In the 1960s, London Heathrow Airport (the busiest in the world at the time) required a tunnel to connect two areas separated by active runways in order to be able to move cargo on the airside of the airport. There was no possibility of closing the runways for the period of construction. The vertical alignment was constrained by the confined geometry of the site at each end which determined both the length of the tunnel and the complexity of the approach road network. The material through which the tunnel, with an internal diameter of 11 m, was to be constructed was a rather homogeneous London clay. While there was about 7 m of ground cover between the tunnel and the runways there was potentially only 1.2 m of cover within the clay – the overlying water-bearing sands and gravels had to be avoided. This ratio of cover to tunnel diameter was regarded as daringly low – and by some dangerously low. The tunnel was excavated using a circular shield which was really just an evolution of the shield devised by Marc Isambard Brunel for construction of the Thames tunnel in the 1830s. The clay revealed by the advance of the shield was supported by a flexible lining ring of concrete segments, allowing the cross-section of the tunnel to change modestly, treating the ground and the concrete segments as partners in the support strategy for the tunnel (Figure 28). Even in a modestly deformed shape the lining ring has a smooth continuity which allows it to carry a circumferential force around the tunnel. Tunnelling inevitably requires removal of ground from the face with a tendency for the ground above and ahead of the tunnel to fall into the gap. The success of the tunnelling operation can be expressed in terms of the volume loss: the proportion of the volume of the tunnel which is unintentionally excavated causing settlement at the ground surface – the smaller this figure the better.
The tunnel as built produced settlements no greater than 11 mm and the volume lost was a mere 0.25 per cent, thus confounding the sceptics. The airport continued operating throughout the period of construction. This must be seen as a successful civil engineering project.
28. The concrete lining of the Taipei metro is erected ring by ring as the tunnelling machine bores its way through the ground
By contrast, on 21 October 1994 a large hole opened up in the middle of Heathrow Airport as a result of a collapse that had occurred in the tunnels that were under construction at a depth of some 30 m for the creation of a subterranean station for the mainline Heathrow Express rail link from London Paddington to the Airport. The station tunnels were being constructed using a technique sometimes known as the ‘new Austrian tunnelling method’ (NATM) in which the clay in the tunnel was excavated in sections with each section being provided with temporary support using steel mesh and sprayed concrete until the full final cross-section of the tunnel could be created and a permanent lining installed. For a trial section of the Heathrow Express tunnel constructed away from the crucial parts of the airport, the volume loss had been around 4 per cent. This trial was carried out precisely to review the potential for unacceptable movements in the ground when NATM was used. The elements of NATM had been used for rock tunnel construction for many years around the world before the Austrians chose to ‘nationalize’ the process. The essence of NATM is that support is provided for the newly exposed ground in response to the observed deformation of the tunnel. In rock tunnels, the deformations are usually small and develop slowly. It is quite feasible to plan a range of different quantities of support which can be mobilized rapidly. Experience in tunnelling in other ground conditions using this reactive technique has not been so positive.
Station tunnels are very three-dimensional with access tunnels parallel to the running tunnels, with cross passages between the various tunnels, and escalator tunnels leading to the ground surface. Such intersecting three-dimensional tunnel geometries are inevitably more risky than two-dimensional tunnels of constant cross-section because the symmetry of the excavation is being broken and the lining ring which is very strong when it is complete and intact is weakened (like the incomplete egg-shell).
How can failure of the tunnel be avoided? One route to reassurance will be to perform numerical analysis of the tunnel construction process with close simulation of all the stages of excavation and loading of the new structure. Computer analyses are popular because they appear simple to perform, even in three dimensions. However, such analyses can be no more reliable than the models of soil behaviour on which they are based and than the way in which the rugged detail of construction is translated into numerical instructions. Fully three-dimensional analyses are expensive and time consuming to perform and interpret.
Whatever one’s confidence in the numerical analysis it will obviously not be a bad idea to observe the tunnel while it is being constructed. Obvious things to observe include tunnel convergence – the change in the cross-section of the tunnel in different directions – and movements at the ground surface and existing buildings over the tunnel. All these things were indeed being observed at Heathrow together with movements of markers within the ground over and beside the tunnel; but observation is not of itself sufficient unless there is some structured strategy for dealing with the observations. At Heathrow, unfortunately the data were not interpreted until after the failure had occurred. It was then clear that significant and undesirable movements had been occurring and could have been detected at least two months before the failure. There was a lack of robustness in the organization of construction and a lack of appreciation of the reasons for the observations.
In fact, the Heathrow collapse was not the only tunnel collapse to have occurred in the 1990s while NATM with sprayed concrete support was being used for tunnel construction in clay. Similarly serious collapses occurred in 1993 during the construction of metro tunnels in clay in São Paulo, Brazil, in 1994 in Munich, and in 1991 and 1994 in Korea.
The so-called new Austrian tunnelling method can be regarded as a member of a class of observational methods of design in which the uncertain prior knowledge of the ground is accommodated by having a range of design solutions available which can be applied without delay as the actual response of the ground is observed, and the ‘ground model’ can be updated – for better or worse. In the context of tunnelling this would mean having a strategy of different degrees of support for the tunnel depending on the observed tendency of the exposed soil or rock to break up or move. It is obviously important that the solutions for dealing with conditions worse than expected should be available for immediate application. It is also clear that such a design procedure should only be used for situations which are robust and not brittle – that is, not likely to fail suddenly if conditions are unexpectedly but not implausibly bad. There must be the possibility of a considered (not rushed) response to the observations.
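The two preceding passages describe why observation alone was not enough at Heathrow (the readings were only interpreted after the failure) and what an observational method needs instead: trigger levels agreed in advance and a response ready for each. The following is an added illustration, not code from the book or from any of the projects it discusses. It evaluates a constructed series of daily surface-settlement readings against hypothetical amber and red trigger levels (both the readings and the thresholds are invented for the example; real projects set their own from the ground model and the trial section) and reports on which day each level would first have been reached, which is the "how early could it have been detected" question the text raises.

```python
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical trigger levels (constructed for this example, not from the text):
# cumulative surface settlement in mm and average settlement rate in mm/day
# over the monitoring window. Reaching either criterion triggers the level.
TRIGGERS = {
    "amber": {"settlement_mm": 8.0, "rate_mm_per_day": 0.5},
    "red": {"settlement_mm": 12.0, "rate_mm_per_day": 1.0},
}

# Pre-planned responses for each level (illustrative wording only).
RESPONSES = {
    "green": "continue advance; routine reading frequency",
    "amber": "increase reading frequency; have additional support ready at the face",
    "red": "halt the advance; install the prepared additional support; review ground model",
}

WINDOW_DAYS = 7
LEVEL_ORDER = {"green": 0, "amber": 1, "red": 2}


@dataclass
class Reading:
    day: int
    settlement_mm: float  # cumulative settlement at one surface marker


def rate_over_window(readings: List[Reading], window_days: int = WINDOW_DAYS) -> float:
    """Average settlement rate (mm/day) over the last window_days of readings."""
    if len(readings) < 2:
        return 0.0
    latest_day = readings[-1].day
    recent = [r for r in readings if r.day > latest_day - window_days]
    if len(recent) < 2:
        return 0.0
    first, last = recent[0], recent[-1]
    return (last.settlement_mm - first.settlement_mm) / (last.day - first.day)


def classify(readings: List[Reading]) -> str:
    """Trigger level for the latest reading, judged against the whole history."""
    latest = readings[-1]
    rate = rate_over_window(readings)
    for level in ("red", "amber"):  # check the more severe level first
        t = TRIGGERS[level]
        if latest.settlement_mm >= t["settlement_mm"] or rate >= t["rate_mm_per_day"]:
            return level
    return "green"


def first_trigger_day(readings: List[Reading], level: str) -> Optional[int]:
    """Day on which the series first reached at least `level`, or None."""
    for i in range(1, len(readings) + 1):
        if LEVEL_ORDER[classify(readings[:i])] >= LEVEL_ORDER[level]:
            return readings[i - 1].day
    return None


def monitoring_series() -> List[Reading]:
    """Constructed daily readings: slow creep for two weeks, then an accelerating trend."""
    out = []
    for day in range(0, 31):
        if day <= 14:
            s = 0.25 * day
        else:
            s = 3.5 + 0.75 * (day - 14)
        out.append(Reading(day, s))
    return out


if __name__ == "__main__":
    series = monitoring_series()
    for level in ("amber", "red"):
        print(f"{level}: first reached on day {first_trigger_day(series, level)} "
              f"-> {RESPONSES[level]}")
    print("status today:", classify(series))
```

With these constructed numbers the rate criterion raises amber on day 17, three days after the trend changes and well before the cumulative settlement alone would have, and red is reached on day 26; the gap between the two is the time available for the considered, not rushed, response the text asks for. Without the trigger table and the rate calculation, the same readings are just a column of numbers, which is the situation the Heathrow inquiry describes.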
There are analogies between the uncertainty in the ground and the behavioural uncertainty of organizations involved in civil engineering construction. For many of the well-known failures that have occurred the final technical straw that causes the failure (the strength of the material is exceeded at a sufficient number of points that a mechanism of failure is able to develop) is accompanied by some organizational dysfunction. Measurement (observation) of organizational dysfunction is rather more difficult than the measurement of the settlement of a building or convergence of a tunnel. Qualitative scales could be envisaged assessing the state of morale, communication between the parties involved in construction, technical confidence, technical competence, and so on, of the team – with appropriate ideas for improvement available. The need for robustness of the components of the process of realization of the recovery of the Heathrow Express project was taken extremely seriously to ensure that all parties involved were clear about the potential risks and about the importance of observation of all contributory elements.
A successful civil engineering project is likely to have evident robustness in concept, technology and realization. A concept which is unclear, a technology in its infancy, and components of realization which lack coherence will all contribute to potential disaster.
Interstate 35W passes through the middle of Minneapolis crossing the Mississippi River on a steel trussed bridge, constructed in 1964–7. Although the bridge was rated as ‘structurally deficient’ in inspections in 2001 and 2005 its strengthening was not regarded as a high priority. However, on the morning of Wednesday 1 August 2007 the central span of the bridge collapsed suddenly: 13 people were killed. Investigation after the collapse revealed that the failure was probably triggered by fatigue failure of a gusset plate linking together several of the girders.
Fatigue is the term used to describe a failure which develops as a result of repeated loading – possibly over many thousands or millions of cycles. The crashes of Comet jet airliners in 1954 were discovered to be the result of crack growth from the corner of a window under the repeated cycles of loading caused by take-off, cabin pressurization, in-flight loading, and landing. Fatigue is the central theme of the Nevil Shute book No Highway, published in 1948 at a time when the phenomenon of fatigue – especially important for aircraft structures – was beginning to be understood.
Fatigue cannot be avoided, and the rate of development of damage may not be easy to predict. It often requires careful techniques of inspection to identify the presence of incipient cracks which may eventually prove structurally devastating. Ultrasonic techniques may be able to detect small defects; the presence of a crack will tend to lower the stiffness of the structural element in which it is located and hence lower its natural frequency (just like tuning a piano). A highway bridge is subjected to various sources of repeated loading: daily and seasonal cycles of temperature variation as well as the dynamic loading from the axles of eight lanes of traffic. But the essence of robust structural design is that the loss of one element of a structure should not produce disproportionate consequences. In this case, the failure of one gusset plate led to a hurried attempt by the bridge structure to find other ways of carrying the loads, but the structure rapidly unzipped until its failure was inevitable. The failure was the result of the loss of strength of one element of the structure but it was also the result of a lack of appreciation of the non-robustness of the design and thus of the enhanced importance of regular careful inspections. Naturally, after the Minneapolis collapse many other bridges of similar design were subjected to particularly careful inspection.
Robustness of design becomes quite a broad concept which has to be concerned with the complete system – structural integrity, human behaviour in an emergency, building services (ventilation, smoke removal, information systems). Redundancy (duplication) is needed in all areas in order to withstand and contain moderate amounts of damage. This applies equally to a tall building under impact from aircraft and to a nuclear power station under a supposedly controlled emergency simulation.
The Fukushima nuclear power station in the Tohoku region of north-east Japan was badly damaged by the magnitude 9 earthquake and subsequent tsunami that devastated the area on 11 March 2011. Initial reports of the consequences of the earthquake concentrated on the general destruction caused by the combination of these two major natural disasters and there are many pictures of the devastation. However, as information about events at Fukushima emerged, it triggered reviews of nuclear safety around the world and released a wave of not obviously rational opposition to any future development of nuclear power.
That there was significant leakage of radioactivity might be put down to ‘bad luck’. After all, the probability of both a major earthquake and a major tsunami occurring at the same time might appear low. The earthquake automatically triggered a shutdown of the three reactors of the six that were actually operating. Two of the six were closed for routine maintenance but all had fuel rods in place and all required continued cooling. The power station was protected by a 6 m high sea wall but this was insufficient to provide protection against the 14 m tsunami which arrived less than an hour after the earthquake. This flooded the generators and pumps and destroyed the emergency electrical supply and the connection to the external electrical grid. Without the pumps, the water cooling system could not be kept going and the radioactive cores overheated. Partial melt-down occurred in three reactors, fuel rods that should have been submerged became exposed because the water was boiling away, and holes formed in the base of the pressure vessels as a result of the high temperatures – as high as 2800°C within a few hours of the earthquake. Explosions occurred in the containment structures because of hydrogen leakage from the pressure vessels. There were delays in setting up an emergency seawater cooling system – absence of power, difficulty of access because of earthquake damage to roads – and it was known that the introduction of salt water would severely damage the reactor.
But ‘bad luck’ is not acceptable for sensitive installations such as nuclear power stations. And, of course, the two events are not uncorrelated (tsunamis are usually caused by earthquakes) so the probability that the two events could occur together must be considered quite high. The reactors at Fukushima are boiling water reactors designed by General Electric, which were brought into operation between 1971 and 1976. Given that the continuity of water cooling is essential for safe operation of the reactors, this should evidently be a central element of any overall plant safety plan. The possibility that all supplies of power for the coolant pumps could be destroyed is so serious that the design thresholds (earthquake acceleration, tsunami wave height, …) need to be set high.
But there are also suggestions that the regulatory environment at Fukushima was not entirely satisfactory. In 2002, the operating company, Tokyo Electric Power Company, admitted to having falsified safety records at Fukushima. There are suggestions of ‘regulatory capture’: where the regulator, supposedly acting in the public interest, advances the particular interests of the commercial sector that it should be regulating; and senior regulators take up highly paid posts in the industry that they were previously regulating.
It is certain, anyway, that the systems at Fukushima were insufficiently robust to cope with the disaster.
Fasolt: Soft sleep closed your eyes, while we were working to build your hall. Working hard, day and night, heavy stones we heaped up high; lofty towers, gates and doors, guard and keep, your castle walls secure. There stands what you ordered, shining bright in morning light. There’s your home; we want our wage!
Wotan: You’ve earned your reward; what wages are you asking?
Fasolt: The price was fixed, our bargain was made; have you so soon forgot? Freia, the fair one, Holda, the free one – your hall is built and Freia is ours.
Wotan: Plainly your work has blinded your wits. Ask some other wage: Freia cannot be sold.
Fasolt: What’s this now? Ha! Breaking your bond? Betraying your word? On your spear shaft, read what is graved; would you dare to break your bargain?
In Wagner’s opera, Rhinegold, the head of the gods, Wotan, has contracted with the giants Fasolt and Fafner to build his fine new palace, Valhalla. Naturally, having completed the construction as specified, they expect him to keep his side of the contract. Wotan tries to wriggle out of the contract, and the remainder of the Ring cycle of operas describes the consequences – in the end Fasolt and Fafner (among others) have been killed and Wotan (with the other gods) is destroyed along with his palace, Valhalla.
The need for properly drawn up contracts between the various parties involved in civil engineering projects is obvious: there are standard forms available. Lawyers have no trouble in spotting clauses which have been breached. Fasolt and Fafner have an open and shut case against Wotan which they then proceed to weaken by making a verbal agreement to an alternative payment. A god’s word is not necessarily his bond. For most of the projects that have been described we have seen a combination of a concept (an architectural scheme or a client outline) and an enabling technology (which might be detailed material understanding, or prior experience, or a daring visionary leap) and a realization (bringing together the several parties involved in design, financing, and construction). The division of responsibilities seems to lend itself to strict separation of contractual obligations. One suspects that Wotan gave the giants a pretty free hand to build his palace – the general problem definition was his, the technology and realization were left to them. The giants accepted a fixed price contract and it was up to them to look for ways in which they could save time and resources in order to maximize their profit while still meeting the specification that Wotan had given them. Perhaps, as in many complex publicly procured projects, there would have been constant changes to the detail of the design requirements which would have led to potential claims by Fasolt and Fafner for reimbursement beyond the original fixed price. But the possibilities of such claims are overtaken by operatic events.
The balance of responsibilities and assignment of risk has moved around through the ages. The three principal parties are the client who wants the project (and possibly a separate financier providing the necessary funding); the designer (engineer) who has to interpret the needs of the client into a form that will satisfy those needs and that can actually be constructed; and the constructor (or contractor) who will turn that design into the physical reality. Some of these roles may be combined: the Brunels were essentially both designer and constructor for the Thames tunnel since they not only knew exactly how the tunnel should look and be constructed but also engaged the labourers for that construction. Rennie was fully aware that, having designed the Bell Rock lighthouse, it was he who carried the risk of his chosen design failing to meet the requirements of the Northern Lighthouse Board; Stevenson was both design representative (resident engineer) and also manager of the construction itself (site agent). If failure had occurred as a result of poor workmanship rather than a fault in the design he would have had to assume some responsibility for not having taken adequate steps to assure the quality of the work. When things do go wrong – when costs escalate or construction methods have to be changed because the client has changed his mind or because the ground conditions are not quite what had been assumed – then insurance companies and lawyers try hard to ensure that the blame and the financial consequences do not end with their clients. Certain forms of contract may be more helpful than others. And in the present litigious world it is usually only the lawyers who can be guaranteed to win.
Civil engineering designers can enter the project organization at two distinct stages. The client will need to have some idea about the cost of the project before seeking a price from the constructor: a design which can turn the concept into reality is necessary. But if the full responsibility for realizing the project is passed to the constructor then it is reasonable for him to want to introduce his own designer and to seek more economical ways of meeting the client’s requirements: another design (and another designer) is required. A design and build contract merges the two design stages under the responsibility of the constructor. The client believes that he is proceeding with the project under full certainty of cost and schedule, and that all risk is placed firmly with the constructor who will price the work accordingly.
A turnkey project takes this further: the client engages a project management company which handles the supervision of all aspects of the design and construction and then hands to the client a fully operational facility. Such an organizational structure is attractive for complex projects such as the construction of a nuclear power station, or a major river crossing, or a chemical refinery, or a substantial stretch of railway line or motorway, where specialist subcontractors will come from a wide range of disparate areas. The cost will be set accordingly.
At the other extreme would be unit price contracts based on a list of the quantities of materials, labour, and equipment that will be required for the project. The basis for the estimate of the project price is clear but there is no incentive to seek more economic alternatives, and the constructor, by subtly raising the mobilization costs incurred in having equipment on site and reducing the actual unit costs of performing the work with this equipment (or vice versa, depending on his interpretation of the project) will naturally seek to improve his profitability.
As in many other areas of public life there is a conflict between the degree of trust and confidence that each party has in the other parties engaged in the project, and the detail of the liabilities actually specified in the contract – ‘passing the buck’ seems to be a natural human reaction to adverse events. The formal sharing of the consequences of uncertainty – positive or negative – will be largely a matter of contractual obligations. An organizational structure which assumed that everyone shared the common goal of an economically and functionally successful completion and which shared the risks and the benefits of cost savings among the partners would be attractive.
Can strict separation of the roles and assignment of the risks be justified? A client who wants financial certainty will try to place all possible risks onto the constructor. But having assumed all these risks, a constructor will price his work accordingly – if the risks do not materialize then the client will have ended up paying much more than necessary and the profit of the constructor will be correspondingly larger. A complete formal separation of designer and constructor removes the continuity of design which must be desirable in ensuring that the person building the project is fully aware of the assumptions that underpin the design and is continually looking for evidence of the possibilities that some of these assumptions may prove to have been violated.
Division of contractual responsibilities obviously implies corresponding liabilities. In that there remains a significant element of empiricism and experience in much civil engineering, there must be an associated route to making it a learning profession, learning from past failures to avoid a repetition of mistakes. Too often the concerns of the insurance companies and the lawyers working with the different parties result in settlements or apportionment of damages following a failure being made away from the public eye – thus losing, possibly for ever, the learning potential which exists quite independently of the legal decisions.
Some projects would clearly be regarded as failures – a dam bursts, a flood protection dyke is overtopped, a building or bridge collapses. In each case there is the possibility of a technical description of the processes leading to the failure – in the end the strength of the material in some location has been exceeded by the demands of the applied loads and the load carrying paths have been disrupted. But failure can also be financial or economic. Such failures are less evident: a project that costs considerably more than the original estimate has in some way failed to meet its expectations. A project that, once built, is quite unable to generate the revenue that was expected in order to justify the original capital outlay has also failed. Is the Sydney Opera House a success or a failure? It took 15 years to be built and cost 10 times the original estimates and has a shape and layout that in many ways hinder its function as a multiple centre for performing arts. On the other hand, it created an internationally instantly recognized icon which has had a huge public relations and touristic benefit for the city of Sydney. That uncostable benefit was not one of the criteria of the original design specification. Is the Channel Tunnel a success or a failure? It too cost much more than originally expected and took longer to build. For a whole range of reasons it has not been able to generate the income necessary to cover the costs of the original finance. There have been two serious fires in the tunnel which have severely weakened the tunnel lining and possibly come close to producing serious inundation. Is the Hoover Dam (or the Mangla Dam on the Indus River in Pakistan, or the Aswan Dam on the Nile, or the Three Gorges Dam in China) a success or a failure? The Hoover Dam has not collapsed, so technically it is a success. 
It has provided water for irrigation of land which would otherwise be desert – but in so doing has removed water from riparian farmers downstream where the agriculture was perhaps more sustainable in the long term. And the long distance pumping has demanded enormous amounts of energy. The silt which would originally have been carried down the Colorado River is held up behind the dam – and other dams on the river – so that the capacity of the retained reservoir has reduced. Long term irrigation leads to problems with salination of the soil, and the greatly reduced flow in the downstream river has a salt content which is too high for many of the uses to which the water would previously have been put. And one man’s reservoir (power generation, irrigation, flood prevention) is another man’s environmental despoliation. Engineering is always about choices – usually political choices – which imply the comparison in a single equation of quite incompatible and unmeasurable quantities.