USS Clueless - The Thousand Year Disaster

Stardate 20020902.1133

(On Screen via long range sensors): Terry Oglesby is a structural engineer (a kind of civil engineer with a strong knowledge of mechanical engineering) and has been attending some seminars which include analysis of how the WTC towers failed and why they came down. He bridles at the fact that some laypeople are trying to actually blame the disaster on bad design.

I don't like that, either. People who think that have their heads up their asses.

But since Terry and I are both engineers, perhaps we understand the issues better. The laity have an unreasonable expectation about risk; they expect a guarantee of perfect safety. There isn't any such thing, and even if there were, it would cost more than you'd be willing to pay.

Engineering is about tradeoffs. The idea is to come up with reasonable compromises which result in something which is useful, safe, affordable and which can be produced before the need for it vanishes. Of course, all these are only partial. It will be useful, but you'll always find someone who wishes that it had more features. It will be safe, but not perfectly safe. It will be affordable, but it could always be cheaper. And you'll deliver it in a reasonable time frame, but sooner would be better.

Actually, there are a lot of other tradeoffs going on which are less evident, like tailoring the feature set of the project to the design team available, and making plans based on the kinds of components which are readily available. All engineering is a tradeoff.

Run any single one of those parameters to the rail and you make it impossible to complete. It's as simple as that. Define "affordable" as "free" and it can't be done. ("Paid for by someone else" isn't the same as "free".)

Define "acceptable delivery" as "five minutes from now" and you'll be disappointed. Define "safe" as "impossible for there to be any kind of failure" and the engineering process won't ever end.

When it comes to various kinds of structural engineering problems, safety is obviously a much bigger issue, and they pay a great deal of attention to it. Much of what they deal with is the ways in which external events can affect the safety of the structure.

Such events do not land on a bell curve. The proper model conceptually is that the more dangerous a threat, the less likely it is to happen. You can't use the same curve everywhere, obviously: the chance of a 10-inch rainstorm is much greater in the Amazon than in the center of the Sahara desert. But as a general rule, in any given area the more dangerous the threat, the less commonly it will take place.

Engineers refer to such threats on the basis of their probability. A few days ago I referred to "the thousand year storm" when I referred to how a typhoon named Frieda struck the area of Portland, OR in October 1962. Like in the Atlantic, most rotary storms in the Pacific form in tropical waters and then blow west, and they're most likely to strike Asia or the islands off the Asian coast. Having a typhoon strike Oregon is about as likely as having a hurricane strike Ireland. It just doesn't happen very often.

Calling that the "thousand year storm" doesn't mean that in 1962 Portland got its one, and now it's safe until 2962. Threats don't usually work that way. It's completely possible to get three thousand-year storms in three successive winters. It's just that it's exceedingly unlikely.

Some threats actually are moderately periodic, most notably earthquakes and some volcanoes. Mount Saint Helens tends to enter an active period about every 100-150 years, and remain active for 5-15 years. (Although when that happens, the results may still be cataclysmic and unpredictable. No one expected the mountain to blow up in 1980.) But weather is not like that nor are most of the threats, and all you can do is speak in probabilities.

Engineers design to a safety tolerance; it's part of the requirements specified by the customer. The higher the tolerance, the longer it will take to design and the more expensive it will be to build. For the dams on the Columbia river, they design for the "ten thousand year flood". Those dams will survive the ten thousand year flood, but they won't survive the million year flood. It's true that if a dam fails, the results would be catastrophic. But a flood which is sufficiently bad to destroy those dams will cause so much other damage that the additional effects caused by dam failure will vanish in the noise. Making the dams any more resilient is pointless.
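The arithmetic behind the "thousand year storm" and the "ten thousand year flood" design target, as an added worked example that is not part of the original post. It assumes the textbook return-period model, in which a T-year event occurs in any given year with probability 1/T, independently of other years; the function names and the sample design lives are my own choices, not anything from the post. The point it makes concrete is that a structure designed to the thousand-year event is not "safe for a thousand years": over a fifty-year design life it still carries about a five percent chance of seeing that event, and over a full thousand years the chance is closer to two in three.

```python
"""Return-period arithmetic (added example; assumes independent years with
annual exceedance probability 1/T, the standard simplification)."""

import math


def annual_probability(return_period_years: float) -> float:
    """Annual exceedance probability of a T-year event: 1/T."""
    if return_period_years <= 0:
        raise ValueError("return period must be positive")
    return 1.0 / return_period_years


def risk_over_design_life(return_period_years: float, design_life_years: int) -> float:
    """Probability that at least one T-year event occurs during n years.

    Complement of "no event in any of the n years": 1 - (1 - 1/T)^n.
    """
    p = annual_probability(return_period_years)
    return 1.0 - (1.0 - p) ** design_life_years


def probability_of_consecutive_events(return_period_years: float, run_length: int) -> float:
    """Probability of the event striking in each of `run_length` successive years.

    Three thousand-year storms in three successive winters is (1/1000)^3:
    possible, but about one chance in a billion.
    """
    return annual_probability(return_period_years) ** run_length


def years_until_risk(return_period_years: float, target_risk: float) -> float:
    """How many years pass before the cumulative risk reaches `target_risk`.

    Solves 1 - (1 - p)^n = r for n.  For a thousand-year event and r = 0.5
    the answer is roughly 693 years, not 1000: the "thousand" is a mean
    recurrence interval, not a guarantee of a quiet millennium.
    """
    if not 0.0 < target_risk < 1.0:
        raise ValueError("target risk must be strictly between 0 and 1")
    p = annual_probability(return_period_years)
    return math.log(1.0 - target_risk) / math.log(1.0 - p)


def design_life_table(return_periods, design_lives):
    """Cumulative risk for every (return period, design life) pair.

    Returns {(T, n): risk}; handy for comparing what a higher design
    tolerance actually buys over the life of the structure.
    """
    return {
        (T, n): risk_over_design_life(T, n)
        for T in return_periods
        for n in design_lives
    }


if __name__ == "__main__":
    # Constructed inputs: a 1000-year storm and a 10,000-year flood,
    # over 50-, 100- and 1000-year design lives.
    table = design_life_table([1000, 10_000], [50, 100, 1000])
    for (T, n), risk in sorted(table.items()):
        print(f"{T:>6}-year event, {n:>4}-year life: {risk:6.2%} chance of at least one")
    print(f"three 1000-year storms in a row: {probability_of_consecutive_events(1000, 3):.1e}")
    print(f"years until 50% risk of a 1000-year event: {years_until_risk(1000, 0.5):.0f}")
```

The same model is the one a security engineer uses when a control is rated to an expected attacker cost or an annual loss expectancy: the rating is a mean, and the question that matters is the cumulative exposure over the system's actual lifetime.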

Let me describe the million year Columbia River flood to you. During the last ice age, advancing glaciers formed an ice dam in the Idaho panhandle which blocked off a large part of western Montana, allowing the waters there to accumulate and form a freshwater inland sea called Lake Missoula. At its largest it contained as much water as Lake Erie and Lake Ontario combined, some 500 cubic miles, all being held in place by glacial ice.

As the ice age came to an end and the glaciers retreated, eventually that ice dam weakened, and finally failed catastrophically, and the entire volume of Lake Missoula drained out in two weeks, one of the most catastrophic floods in geological history (but by no means