The Factor of Safety

In the AI Story

The concept matters most where the stakes are highest. In aerospace, where every gram of excess mass costs fuel and range over millions of flight hours, the factor is driven as low as rigorous testing permits. In civil engineering, where consequences of failure include collapse of structures carrying hundreds or thousands of people, the factor is generous because the testing regime cannot match aerospace's precision and the failure consequences cannot be survived. The variation reflects a considered calibration between efficiency and the specific cost of being wrong in each domain — a calibration that is itself a form of accumulated professional judgment.

Petroski's deepest insight was that the factor of safety is not primarily about the known unknowns — the variable material properties, the measurement tolerances, the calculation approximations — though it accommodates these. It is primarily about the unknown unknowns: the failure modes the profession has not yet encountered, the conditions the codes do not yet specify, the phenomena whose existence has not yet been demonstrated. The factor is deliberately chosen to be large enough to absorb these unspecified conditions, because the engineer understands that every model is a simplification and the simplifications always omit something.

Optimization algorithms, by contrast, operate against specified constraints. The algorithm seeks the configuration that satisfies the specification with minimum excess. Every unit of excess material is waste from the algorithm's perspective because it does not serve the specified load requirements. The algorithm cannot represent what has not been specified, which means it cannot represent the margin for the unknown that the factor of safety embodies. The optimized design is exactly sufficient for the specification and dangerously insufficient for reality, because reality always includes conditions the specification did not list.

The Tacoma Narrows Bridge is Petroski's canonical illustration of this dynamic operating at pre-AI speed. Between 1920 and 1940, suspension bridge designers progressively reduced stiffening truss depth, optimizing for elegance and material efficiency. Each bridge stood. Each success confirmed the hypothesis that the margin could be reduced. The depth was not unnecessary — it was the factor of safety against aerodynamic phenomena the existing theory did not model. When the margin was eliminated at Tacoma Narrows in 1940, the forces that had always been present but always fallen within the margin had nowhere to go. The bridge destroyed itself. The lesson: optimization against current knowledge consumes the margin that protects against the next discovery.

Origin

The concept of safety factors in engineering predates Petroski by centuries, with formal treatment emerging in nineteenth-century structural engineering. What Petroski contributed was the reframing of the factor from technical parameter to epistemological commitment — the articulation, across To Engineer Is Human (1985), Design Paradigms (1994), and subsequent work, of why the excess is not waste. His treatment drew on the detailed case histories of structures where the factor had been inadequate (Tay Bridge, Quebec Bridge, Silver Bridge) and structures where it had been consumed by progressive optimization (Tacoma Narrows), deriving from these cases the general principle that the factor's essential function is to protect against conditions the engineer cannot specify in advance.

Key Ideas

The factor is a confession. It is engineering's institutionalized acknowledgment that the model is incomplete, the materials variable, the future unpredictable. Removing the factor does not make the design more accurate — it makes the acknowledgment absent.

Optimization operates against specifications, not against reality. The algorithm minimizes excess beyond what the specification demands. The factor of safety is, from the algorithm's perspective, excess. Its elimination produces a design that is efficient for the specified conditions and fragile against the unspecified ones.

The unknown cannot be a constraint. The factor of safety protects against conditions the engineer has not specified, and these conditions cannot be specified — if they could, they would not be unknown. The logical structure of optimization cannot represent the space the factor protects.

The factor is a moral commitment. It is the engineer's promise to the people inside the structure that she has acknowledged the limits of her knowledge and built protection against those limits. A tool that reduces this margin systematically reduces the promise, whether or not anyone intends it.

Debates & Critiques

Proponents of AI-optimized design argue that the factor of safety reflects historical ignorance that modern AI systems, with access to vastly more data and more sophisticated models, can legitimately reduce. The argument has merit within its scope: where AI genuinely improves the model's coverage, the factor can be reduced without loss of protection. The Petroski objection is that the AI's model improvement operates within the space of known failure modes. It does not extend the coverage to unknown modes, because unknown modes are not in the training data. The factor that protects against unknown modes cannot be reduced by improving the model, only by extending empirical validation — which takes decades of real-world testing the AI cannot accelerate. Reducing the factor on the strength of improved modeling within the known space is the precise error that produced every major engineering catastrophe in the historical record.