Figure 1: Miami Pedestrian Bridge Collapse (Source: OSHA)
- Failure of the northernmost nodal region of the 174-foot-long main span
- Calculation errors involving load and capacity
- Design, requirements verification/validation and oversight
- Trading safety margin for innovative aesthetics
- Design for resilience
- Understand failures from previous generations
- Encourage open discussions about failure-related lessons learned
- Understand failure factors before implementing Corrective Actions
- Avoid designing outside of proven engineering principles
As an engineer, how do you measure success? It depends on the beholder. If the design fulfills its basic function and, by doing so, simply continues to stand, people who mourned the failure of its predecessor and witnessed the suffering of some connected tragedy will be content. But a newer generation, having no such painful memories, may look upon proven designs with restless intent to improve them beyond simple durability. “In fact, prolonged success, whether it be in a space shuttle program or in the design and construction of parking garages, tends to lead to either complacency or change, both of which can ultimately lead to failure,” revealed Henry Petroski in the article “Things Happen.”
In the world of engineering, failure is a useful tool when lessons learned are properly applied to future designs. Failed structures help demonstrate what can and cannot be done, providing valuable lessons that help engineers push the boundaries of design. According to Petroski’s book “To Engineer Is Human,” “No one wants to learn by mistakes, but we cannot learn enough from successes to go beyond the state of the art.”
Historical Design Challenges
Starting with the genesis of pyramids and cathedrals, “To Engineer Is Human” describes a historical progression of designers pushing the limits of previous accomplishments. In the “pre-rational age of structural engineering,” designers relied on physical experimentation and “mid-construction correction” to achieve success.
With the start of the industrial revolution, railroad bridges were in demand with a focus on function rather than aesthetics. These bridges were required to carry heavier, faster trains across increasingly rugged terrain. According to Petroski, these railroad bridges required engineers to push the boundaries of engineering and technology but “presented benefits that made the risks of accidents along the way a risk worth taking.”
By the 19th and 20th centuries, designers started to use scientific calculations and methods during design. They also began to address structural failure versus success. “What the engineers of the nineteenth century developed and passed down to those of the twentieth century was the trial and error of mind over matter,” noted Petroski in “To Engineer Is Human.” “They learned how to calculate to obviate the failure of structural materials, but they did not learn how to calculate to obviate the failure of the mind.”
Designing new structures also brought about new engineering problems to solve. Othmar Ammann, the designer of the George Washington Bridge, revealed that resulting failures and casualties of breakthrough designs were considered “a price for human progress” that must be accepted (from “To Engineer Is Human”).
Modern Bridge Design Disasters
Figure 2: Tacoma Narrows Bridge Collapse (Source: Encyclopædia Britannica/Library of Congress)
Several modern bridge mishaps illustrate how design issues can lead to disaster. For example, in November 1940, the Tacoma Narrows Bridge collapsed in Washington. In “To Engineer Is Human,” Petroski revealed that designers didn’t anticipate the effects of 40+ mph crosswinds traversing the Puget Sound on the narrow bridge span, which was flexible to the effects of wind. According to Petroski, the designers should have learned from previous bridge failures involving wind and anticipated it as a risk during design. Following the collapse, experts were able to explain the mishap using the phenomenon of aerodynamic instability in suspension bridges, a behavior similar to how an airplane wing acts in the wind.
Another mishap occurred in July 1981 when a walkway spanning the atrium of the Hyatt Regency Kansas City hotel collapsed. According to Petroski (“To Engineer Is Human”), the support systems for this bridge were underdesigned. In fact, they were only 60% as strong as they should have been and could barely support their own weight. Even worse, the single load path made the walkway zero-fault tolerant. Petroski highlighted a lack of an alternate load path to support the “rerouted traffic of stress and strain.”
Fast-forward to March 2018 when a pedestrian bridge, part of the Florida International University (FIU) University City Prosperity Project, collapsed in Miami. Decades after the aforementioned mishaps, inaccurate assumptions made at the design level are still at the core of the problem. According to the National Transportation Safety Board (NTSB) investigation, engineers underestimated the loads the bridge would experience and overestimated the bridge’s nodal capacity. In addition, the bridge’s zero-fault-tolerant design offered no alternate load path when the northernmost nodal region failed.
Artemis Mission Safety and Risk Application
With the goal of returning astronauts to the Moon by 2024, the Artemis mission is pushing the boundaries of human exploration on an accelerated timeline. To ensure success, engineers and mission planners should avoid assessing mission safety and risk in the most optimistic way possible. Instead, they should beware of giving up safety margin for schedule compliance or design aesthetics when tests or experience (even from past generations) signal them to dig deeper.
Historically, the most serious, catastrophic flaws occur at the design level. This applies to spacecraft as well as bridges. Like the engineers behind any significant structure, Artemis engineers will benefit the mission by reviewing previous space missions (Apollo and Soyuz), analyzing failures and applying key safety lessons learned.
The FIU bridge collapse has present-day lessons for NASA engineers related to design, requirements verification/validation and oversight.
Figure 3: Rendering of Bridge (North View) (Source: NTSB Highway Accident Report/FIU)
On March 15, 2018, a 174-foot-long bridge span from the FIU pedestrian bridge collapsed while it was under construction. The bridge fell 18.5 feet onto Southwest 8th Street, causing 950 tons of concrete and metal to fall on eight vehicles. The collapse injured 10 people and killed six others. Among the fatalities was one bridge worker and five vehicle occupants. Those injured included five bridge workers.
According to the NTSB Highway Accident Report, the bridge design had the following features:
Figure 4: Diagram of Vehicles at Time of Collapse (Vehicle Reference Numbers Included) (Source: NTSB Highway Accident Report)
- A 109-foot-tall upper pylon
- Ten diagonal steel pipes (with lights) connecting the canopy to the upper pylon
- Two staircases (one at the north end and a grand staircase at the south end)
- North and south elevators that went from the deck to the street level
- A 32-foot-wide concrete deck and an overhead concrete canopy connected vertically by a single row of concrete diagonal and vertical supports in the center
- A 16-foot-wide bridge canopy that was located 15 feet above the deck
Southwest 8th Street is an eight-lane roadway in Miami that includes four through travel lanes, one left-turn lane (eastbound) and three through travel lanes (westbound). At the time of the mishap, two westbound lanes below the north end of the bridge were closed to traffic. However, all five eastbound lanes and one westbound lane were open.
At the time of the collapse, a crew was in the process of “retensioning the post-tensioning rods within member 11, connecting the bridge canopy and the deck at the north end,” according to the NTSB Oct. 22, 2019, public meeting synopsis.
The NTSB Highway Accident Report provided the following chronological details regarding the mishap:
|Tensioning tendons and rods
||Concrete formwork removal
||First documentation of concrete cracking
|March 10 (morning)
||Self-Propelled Modular Transporter move of main span
|March 10 (afternoon)
||Detensioning of post-tensioning rods
||Significant progression of concrete cracking; cracking photographed
March 15 (Day of Mishap)
|8 a.m. (approximate)
||FIGG Bridge Engineers, Inc. (FIGG) Engineer of Record observes cracking
||FIGG meeting with FIU, Munilla Construction Management (MCM), Florida Department of Transportation (FDOT), and Bolton, Perez and Associates Consulting Engineers (Bolton, Perez)
|After 9 a.m.
||Retensioning of post-tensioning rods begins
||911 call made to police to report collapse
||Miami-Dade Fire Rescue dispatches units
||Police units from Miami-Dade Police Department and FIU Police Department arrive at the scene
||Support units from Florida Highway Patrol and Doral Police Department arrive at the scene
Figure 5: Image from In-Vehicle Mounted Video Camera Showing Full-Width Canopy Fracture and Deck Fracture Areas at North End (Pylon Pier) (Source: NTSB Highway Accident Report)
Figure 6: Image from In-Vehicle Mounted Video Camera Showing Main Span Completely Collapsed (Source: NTSB Highway Accident Report)
According to the NTSB synopsis, the triggering event of the bridge collapse was the failure of the “northernmost nodal region (11/12 node) of the 174-foot-long main span.” The same source listed the probable cause as calculation errors (involving load and capacity) made by FIGG in its “design of the main span truss member 11/12 nodal region and connection to the bridge deck.”
The NTSB synopsis identified several safety issue areas that helped contribute to the bridge collapse, including problems related to design, peer review and oversight of cracking. FIGG’s design philosophy as revealed by the company’s website also indicated the placement of appearance over other structural features.
Per the NTSB, as a concrete truss bridge, the FIGG design for FIU was possibly the first such design ever built of that material. During the design phase, FIGG underestimated the demand that loads would be placing on the nodal area. According to the NTSB synopsis, “This comparison found that the demand for the node was nearly twice what the design team had calculated.” FIGG also overestimated the node’s capacity to “resist shear (horizontal force) where the nodal region (11/12) was connected to the bridge deck.”
A lack of redundancy in the load path of the bridge also contributed to the underlying safety issues related to the design. According to the NTSB synopsis, incorporating a safety factor greater than one would have helped prevent the collapse in accord with standard bridge design principles. The NTSB synopsis revealed that “the design firm incorrectly believed that the bridge had a redundant design.” According to the synopsis, “no design guidance exists discussing redundancy in concrete truss bridges.”
Figure 7: East View of Bridge Components (Source: NTSB Highway Accident Report)
Independent Peer Review of the Design
Figure 8: Diagram of Collapse Sequence, Facing East (Source: NTSB Highway Accident Report)
FIGG hired an independent engineering consultant to conduct an independent peer review of the design plans for the bridge. However, the NTSB synopsis revealed that the engineering consultant was “not qualified by the Florida Department of Transportation to conduct an independent peer review.”
The NTSB synopsis listed the following indications that the engineering consultant failed to perform a sufficient review of the bridge design:
- There was no evaluation of the connections of the nodes of the bridge truss to the bridge deck and canopy.
- There was no examination of the multiple stages of bridge construction.
- Although the engineering consultant recognized that he should have examined the nodes and stages, he revealed that “there was not enough budget or time to evaluate those factors.”
- Regarding external design review requirements, the NTSB synopsis revealed that “no specific guidelines call for nodes or construction stages to be included in independent bridge design reviews.”
Figure 9: Image Showing Cracks (3-4 Inches Deep) at Northern End of Precast Main Span on March 13 (Source: NTSB Highway Accident Report/MCM)
The NTSB considered the events surrounding the evaluation of and response to cracks forming in the bridge structure to be contributors to the underlying safety issues. According to the NTSB, cracks started to form as soon as the bridge had to support its own weight on site. The OSHA investigation report revealed that the cracks grew over an 18-day period. Workers took photos of the cracks and showed them to onsite engineers.
According to the NTSB synopsis, “The rate of premature concrete distress was clear evidence that the structure was progressing toward failure.” The New York Times revealed that “the cracks were 40 times as large as the maximum considered acceptable in a reinforced concrete bridge.”
The NTSB synopsis revealed that the bridge construction and inspection companies reported the cracks to the design firm and asked for guidance. How did the design firm respond? “The engineer of record at the design firm repeatedly indicated that the cracks were of no safety concern,” according to the NTSB synopsis. “On the day of the collapse, the firms met to discuss a plan by the engineer of record to remediate the cracks,” explained the NTSB synopsis. The retensioning of rods inside the structure was done without understanding why the cracks had appeared. Unfortunately, as workers were implementing the plan, the bridge collapsed.
Figure 10: Image Showing Cracks at Bottom of Diagonal Member 11 on March 15 (Source: NTSB Highway Accident Report/FIGG)
The NTSB further noted that the retensioning effort had begun without closing the road under the bridge, an action that could have saved the lives of the vehicle occupants who were killed during the collapse.
FIGG’s design philosophy is revealed by the following samples pulled from the company’s website:
- “Through all phases of a bridge project – from preliminary planning and laying out to designing a new structure to developing custom construction techniques – function, economy, efficiency and aesthetics are always the foremost criteria.”
- The company tagline has been “Creating Bridges as Art.”
- “Pleasing shapes come from excellent engineering with attention to detail and special emphasis on function and economy.”
FIGG’s website advertised artistry, aesthetics, revolutionary designs, cost efficiency and sustainability as goals rather than safety and reliability. Words about safety or reliability (e.g., safe, reliable, strong, sound, dependable, trustworthy, conservative, low risk, solid, careful, stable and robust) were missing from intention statements about the firm.
In 2019, FIGG, MCM (the builder) and most of the project subcontractors, with the exception of the independent engineering consultant, settled several civil lawsuits filed by victims and their families.
Following the mishap, The New York Times revealed, “FIGG, which has denied responsibility for the accident, maintained that the bridge would not have collapsed if the concrete truss at the center of the investigation had been built to specifications required by the Florida Department of Transportation.” “I don’t think I’ve ever seen one where there’s more finger-pointing between the parties,” revealed Robert Sumwalt, chairman of the NTSB, in the article. “Everyone shares a piece of this accident.”
According to a Miami Herald article, the NTSB made the following recommendations following the mishap:
- “The Florida Department of Transportation (FDOT) revise its manuals to require ‘qualified independent peer review’ for certain bridge structures to include reviews of design calculations.”
- “FDOT require local agencies to document structural cracks and immediately close the road and bridge when cracks occur.”
- “FIGG Bridge Engineers train its staff on proper calculations of shear force resistance.”
Applying Lessons to Current and Future NASA Missions
Figure 11: Apollo Water Landing Test Setup at Langley Research Center (Source: NASA; ID: LRC-1965-B701_P-03649)
During Apollo mission planning, the most dangerous risk involved the astronaut becoming stranded on the Moon. Back then, it was a groundbreaking task to build a rocket engine that could withstand harsh conditions characterized by high-intensity radiation, strong vibration and extreme cold. These elements could threaten the performance of the launch vehicle and overall mission safety.
To mitigate these risks, the Apollo mission team did everything possible to conduct adequate testing at Plum Brook Station’s vacuum facility and other sites. Even so, the team couldn’t simulate every possible condition.
To this day, with the exception of analytical modeling software, NASA hasn’t really changed its test facilities.
Two generations ago, Apollo critical systems had strict requirements for safety and reliability. For example, they had to be two-failure tolerant in order to be rated for human spaceflight. End-to-end testing allowed mission specialists to fix problems following unmanned test flights and resulted in very reliable space vehicles. However, end-to-end testing consumed considerable time and budget.
Also flown two generations ago, the Soyuz 1 mission illustrates the danger of moving forward with a mission in spite of alarming test results in order to meet an inflexible deadline. Soyuz 1 was targeted for the 50th anniversary of the Bolshevik Revolution in November 1967. Regardless of flight readiness, the Soviet Union planned to launch in accord with that anniversary.
Preflight testing revealed that the space vehicle wasn’t ready. Soyuz mission specialists reported multiple uncrewed test failures and design faults. However, Kremlin leaders deemed that the two end-to-end test flights were sufficient. After 13 orbits, Soyuz 1 returned to Earth. Because of parachute problems, the spacecraft hit the ground at 100 mph, killing the cosmonaut inside.
As discussed, the 2024 launch date for the Artemis mission is looming. With schedule pressures mounting, it would be very dangerous for engineers to disregard standard testing protocols just to meet the deadline. Thus, the question remains: Will the Orion landing system work when it’s time to launch away from the Moon?
It has been two generations — nearly 50 years — since the last Apollo mission. While NASA successfully completed numerous human spaceflight missions in the past, nearly all the employees who worked on the Apollo mission have left NASA.
As the Apollo generation departed, NASA and its major contractors began to test the rationale for two-failure tolerance. In analyzing how Russians built spacecraft, they investigated the approach of increasing the reliability of the spacecraft by making it extra thick and durable. Although the spacecraft would have zero-failure tolerance, the design could withstand tremendous pressure and stress.
Figure 12: Artemis I Orion at Kennedy Space Center (Source: NASA; ID: KSC-20200330-PH-NAS01_0002)
NASA faces certain limitations of test capabilities. Much of the end-to-end testing performed in the 1960s is considered too expensive. NASA currently performs mathematical simulations of conditions and stressors that the spaceflight system would likely encounter. In practice, however, it’s very difficult to capture all the variables, nuances and conditions that happen in real life.
Similar to bridge designers, the next generation of space vehicle designers may not advocate the need to make space vehicles as tough and resilient as previous generations. New space vehicle designers are working with customers who want attractive designs that are built quicker and cheaper than before. However, physical forces and environmental effects don’t favor aesthetics.
One example that illustrates the importance of balancing safety and mission schedule requirements involves the propellant system on the Orion Service Module (SM). Built by the European Space Agency, it was created as a zero-failure-tolerant system. According to the conference paper “Trends In Human Spaceflight: Failure Tolerance, High Reliability and Correlated Failure History,” “Early Orion requirements defaulted to two-failure tolerance, but later evolved to specify no less than single-failure tolerance with provisions for zero-failure tolerant exceptions pending MSERP [Orion Multi-Purpose Crew Vehicle Safety and Engineering Review Panel] and technical authority concurrence.”
In its Annual Report for 2016, the Aerospace Safety Advisory Panel discussed safety issues involving the design of valves on the SM propellant storage and delivery system. The report explained that “each of these valves has a seal that is zero-fault tolerant to leakage as well as a mini bellows that is also zero-fault tolerant to leakage.” If a leak occurs in a valve or bellow, the SM oxidizer or fuel will eventually leak out of the system, leaving the SM unable to control attitude or perform maneuvers and resulting in “a potentially catastrophic failure.”
Significantly changing the propellant system immediately would push the launch schedule too far into the future. Thus, mission specialists decided to use the current propellant system design for the first two crewed flights, with improvements to the failure tolerance of the valve seals, bellows and sensors. Before launching additional crewed flights, the propulsion system will be upgraded to provide additional robustness as well as a parallel propulsion feed system. According to the Aerospace Safety Advisory Panel, “NASA TAs [Technical Authorities] and the crew office agreed with this decision as the appropriate path forward resulting in acceptable risk for propellant leaks on the first two crewed flights (EM-2 and EM-3) and further risk reduction for EM-4 and subsequent missions.” This compromise will not be the last in future tradeoffs involving cost, schedule, technical factors and other risks.
This generation of engineers can break from historical failure trends by keeping designs as simple as possible, performing rigorous testing under flight conditions and respecting the unforgiving physics of deep space travel.
How to Successfully Learn From Failure
In “To Engineer is Human,” Petroski provides the following guidelines for learning from failure:
- Focus on failure more than success. This helps reeducate engineers on the load limits and structural design. According to Petroski, “No matter how ingenious or attractive his conception may appear in his imagination or on paper, if a designer overlooks just one way in which his structure may fail, all may be for naught.”
- Coach and mentor less-experienced engineers to share experiences and lessons learned. Forgotten failures are more likely to lead to repeated mistakes.
- Encourage open discussions about lessons learned from past failures. This helps isolate “weak links” in design.
- Catch the potential for disaster in the blueprint stage. This helps prevent being caught by surprise later.
- Remember that implementing corrective measures during design and construction can contribute to successful outcomes. Thus, do not associate the discovery of weaknesses or imperfections with guaranteed failure.
- Don’t design outside of proven engineering principles. Pushing engineering and design boundaries too far and/or too soon can increase risk.
In addition, design engineers should beware of the 30-year rule when it comes to the frequency of failure. According to Petroski’s article “Patterns of Failure,” failures tend to occur in a “historically cyclic fashion.” In fact, he noted that “a major bridge failure occurred about once every 30 years between the middle of the 19th century and 1970, a pattern first noted by civil engineer Paul Sibly.” He highlighted “the case histories of 19th- and 20th-century bridges” as demonstrations of “the 30-year pattern.”
Regarding the Miami pedestrian bridge mishap, The New York Times published this statement by MCM: “This is the first time in our over three decades of operation that we have ever experienced anything like this tragic accident.”
Questions for Discussion
- Does your organization have a process in place to research past failures related to current projects and apply lessons learned?
- Does your organization encourage open discussions about past failures?
- How do you usually identify potential weak links in the design phase?
- How do you ensure that your design exists safely within proven engineering principles?
- How does your organization maintain a balance between state-of-the-art endeavors and safe, proven designs?
- How does your organization encourage inexperienced engineers to remain cautious about potential dangers related to past mishaps?
- Petroski, Henry: Things Happen. Mechanical Engineering, 134(03), pp. 38-41, March 1, 2012.
- Petroski, Henry: To Engineer Is Human. Vintage Books, New York, April 1992.
- NTSB: Highway Accident Report: Pedestrian Bridge Collapse Over SW 8th Street Miami, Florida. NTSB/HAR-19/02, PB2019-101363, Notation 59567, March 15, 2018.
- National Transportation Safety Board Public Meeting of October 22, 2019, Pedestrian Bridge Collapse Over SW 8th Street Miami, Florida. HWY18MH009, Oct. 22, 2019.
- Ayub, Mohammad: Investigation of March 15, 2018 Pedestrian Bridge Collapse at Florida International University, Miami, FL. U.S. Department of Labor Occupational Safety and Health Administration Directorate of Construction, July 2019.
- Mazzei, Patricia: Flawed Design, Lax Oversight Led to ‘Astounding’ Miami Bridge Collapse. The New York Times, Oct. 22, 2019.
- FIGG: https://www.figgbridge.com/ Accessed Jan. 16, 2020.
- Ocasio, Bianca: After FIU bridge collapse, feds say FDOT needs to close roads in future if cracks occur. Miami Herald, Nov. 13, 2019.
- Green, Carrie, et al.: Trends In Human Spaceflight: Failure Tolerance, High Reliability and Correlated Failure History. GRC-E-DAA-TN68045, May 15, 2019.
- Sanders, Patricia, et al.: Annual Report for 2016. Aerospace Safety Advisory Panel, Jan. 11, 2017.
- Petroski, Henry: Patterns of Failure. MODERN STEEL CONSTRUCTION, July 2006.