Lessons in risk and reality


February 04, 2003

On Feb. 11, 1986, as the Presidential Commission on the Space Shuttle Challenger Accident was plowing through testimony on that January's shuttle disaster, a commission member asked for a glass of ice water.

Richard Feynman, a theoretical physicist and Nobel laureate, picked up a piece of the O-ring material used in the rocket booster, pinched the ends of it together and dropped it into the cold water. When he pulled it out, it failed to regain its shape.

In that one moment, Feynman brushed aside what he considered days of vague answers and bureaucratic muddle, dramatically illustrating a design flaw in the O-ring that led to the Challenger bursting into flames on takeoff Jan. 28, 1986.

The accident, 73 seconds into the flight, killed teacher Christa McAuliffe and six astronauts.

The commission found two causes:

The technical problem - the failure of the O-ring, when exposed to cold temperatures, to seal the joints between sections of the shuttle's rocket boosters.

Organizational mismanagement, which prevented a contractor's concerns about the O-ring from reaching and influencing the final decision-makers.

The commission, referred to as the Rogers Commission, after its chairman, former Secretary of State William P. Rogers, issued its report June 6, 1986.

Following are excerpts from Feynman's personal observations on the reliability of the shuttle, made in an appendix to the report:

It appears that there are enormous differences of opinion as to the probability of a failure with loss of vehicle and of human life. The estimates range from roughly 1 in 100 to 1 in 100,000. The higher [probability - 1 in 100] figures come from the working engineers, and the very low figures from management.

What are the causes and consequences of this lack of agreement? Since 1 part in 100,000 would imply that one could put a Shuttle up each day for 300 years expecting to lose only one, we could properly ask "What is the cause of management's fantastic faith in the machinery?"

... A more reasonable figure for the mature rockets might be 1 in 50. With special care in the selection of parts and in inspection, a figure of below 1 in 100 might be achieved but 1 in 1,000 is probably not attainable with today's technology. ...

NASA officials argue that the figure is much lower.

... They point out that these figures are for unmanned rockets, but since the Shuttle is a manned vehicle "the probability of mission success is necessarily very close to 1.0."

It is not very clear what this phrase means. Does it mean it is close to 1 or that it ought to be close to 1? They go on to explain "Historically this extremely high degree of mission success has given rise to a difference in philosophy between manned space flight programs and unmanned programs; i.e., numerical probability usage versus engineering judgment." ...

... It would appear that, for whatever purpose, be it for internal or external consumption, the management of NASA exaggerates the reliability of its product, to the point of fantasy. ...

The phenomenon of accepting for flight seals that had shown erosion and blow-by in previous flights is very clear. The Challenger flight is an excellent example. There are several references to flights that had gone before. The acceptance and success of these flights is taken as evidence of safety.

But erosion and blow-by are not what the design expected. They are warnings that something is wrong. The equipment is not operating as expected, and therefore there is a danger that it can operate with even wider deviations in this unexpected and not thoroughly understood way. The fact that this danger did not lead to a catastrophe before is no guarantee that it will not the next time, unless it is completely understood.

When playing Russian roulette the fact that the first shot got off safely is little comfort for the next. The origin and consequences of the erosion and blow-by were not understood. They did not occur equally on all flights and all joints; sometimes more, and sometimes less. Why not sometime, when whatever conditions determined it were right, still more leading to catastrophe?

In spite of these variations from case to case, officials behaved as if they understood it, giving apparently logical arguments to each other often depending on the "success" of previous flights. ...

The O-rings of the Solid Rocket Boosters were not designed to erode. Erosion was a clue that something was wrong. Erosion was not something from which safety can be inferred. There was no way, without full understanding, that one could have confidence that conditions the next time might not produce erosion three times more severe than the time before.

Nevertheless, officials fooled themselves into thinking they had such understanding and confidence, in spite of the peculiar variations from case to case. ...

Were the organization weaknesses that contributed to the accident confined to the Solid Rocket Booster sector or were they a more general characteristic of NASA?

Baltimore Sun Articles