Risky Business

In Goodbye to All That Robert Graves wrote that in W.W. I, young officers went through some distinct stages in their acclimatization to trench life. For the first couple months, the new man was a danger to himself. Ignorant of how things worked, he easily could walk in the wrong place at the wrong time and be injured or killed. Then, from around month three to six, the officer functioned well, armed with more knowledge but maintaining a healthy fear. The real problems came after the sixth month, when the officer now became a danger to others. The abnormal risks of trench life were now normal life for him, which influenced the officer to take stupid chances that foolishly cost lives–choices that the officer would not recognize as abnormally risky at all. Graves, of course, experienced this first hand as a young officer himself.

Diane Vaughan’s excellent The Challenger Launch Decision made me think of Graves’ remark. Ultimately I lacked the patience and technical familiarity to fully benefit from her magnificent analysis of the decision to launch the Challenger in January 1986. A sociologist by training, she still demonstrated a solid command of the technical information. But she focused not on what happened but on the working cultures of engineers, managers, and NASA in general. The end result lends a great deal of complexity to our standard understanding.

After the tragedy, the standard understanding of the event went something like . . .

  • NASA faced unusual pressure to launch as part of their two-pronged effort to 1) Advertise civilians in space (teacher Christa McAuliffe), and 2) Be included in the President’s State of the Union address.
  • The unusually low temperatures created the possibility of the failure of the ‘O-Ring’ to seal. Design engineers noted this possibility and passed their concerns up the chain of command.
  • Design engineers indeed did initially recommend canceling or delaying the launch, but faced with strong pressure from NASA managers, changed their minds and approved the launch.

Events seemingly fit a Hollywood script–plucky engineers, lone dissenters faced down by The Man, with tragic results.

But Vaughan painstakingly points out that this narrative dramatically oversimplifies what happened.

First, the idea of risk . . .

Vaughan gives a helpful picture for us regarding perception of risk. Imagine a butcher shop, with its variety of saws, knives, etc. A two-year-old around said saws and knives would have no perception of any risk whatsoever. His mother would have an entirely different perspective. The butcher himself would have yet a third perspective. He understands the equipment, knows that it can be dangerous, but accommodates his life to work around and manage these risks. Without willingness to do so, he could not be a butcher at all.

So too, Vaughan reminds us that space flight remains extremely risky, at least relative to almost anything else our government undertakes. When the general public, unfamiliar with such risks, sees engineering reports that describe “possible” malfunctions (or some other such phrase) we react in ways that NASA personnel would not. To attempt to fly into space at all meant assuming a great deal of risk to begin with. That something might go wrong was perfectly obvious; the more relevant questions for NASA routinely ran along the lines of:

  • What is the likelihood of something going wrong?
  • Does this likelihood exceed the threshold of “acceptable risk?”
  • Why do you think it would go wrong? Is this a theory, or do you have testing data to back it up? If you have data, is that data conclusive or conjectural?

NASA had known for years about the problems with the solid rocket booster design and performance. They had known that what happened to the Challenger might possibly happen. The Solid Rocket Boosters (SRBs) always worried NASA. They launched in spite of these concerns because, “we are in the business of launching rockets”–they routinely “pushed the envelope.” If you don’t want risks, then you don’t want to go to space. No one thought the shuttle design perfect–far from it–but the shuttle was what they had to work with.

Vaughan suggests that NASA made the important decisions about the SRBs years before the Challenger launch, when they accepted a design that all knew had flaws, and then began a process of systematically normalizing these flaws. Bigger flaws then became smaller flaws, because the starting point itself had flaws built in.

Most Americans accept, however, that space travel has risks. What seemed abnormal and negligent were the events leading up to the launch. We had a launch in unusually low temperatures, a launch to which the SRB design engineers from Thiokol objected the night before. They had fears that the rubber O-rings might not seal properly and allow too much explosive gas to escape at any temperature below 53 degrees. Of course this is exactly what happened.

But NASA managers strongly criticized Thiokol’s assessment and (seemingly) put pressure on them to change their opinion. Larry Mulloy stated, “My God, Thiokol–when do you want me to launch? Next April?” Another NASA manager, George Hardy, stated that he was “appalled” by their recommendation. Thiokol went back to confer among themselves and then reversed their position. The rest is tragedy, and on the face of it NASA seems horribly guilty.

Vaughan has plenty of criticism for NASA throughout her lengthy book. The book gives copious details about the budgetary issues, design choices, and the engineering culture that was NASA between the early days of shuttle development and January 1986. I will focus on the launch decision itself, because what made The Challenger Launch Decision such a great read for me is that by the end of it, I perceived these seemingly damning comments given above entirely differently. Vaughan devotes at least half of the book towards this end. NASA bears ultimate responsibility for the disaster, but Thiokol bears much of the blame as well. Events proved them right, but those that objected to the launch were not right for the right reasons, or perhaps, for reasons that the engineering culture of NASA would be able to hear and act upon.

Of course NASA had known of the O-ring problems for years.

Thiokol’s stated position that the design flaws [of the SRB] are not desirable but acceptable. Neither NASA nor Thiokol expected the rubber O-ring sealing joints to be touched by hot gases of motor ignition, much less be partially burned. However, as tests and flights confirmed damage to the sealing rings, the reaction was to consider the amount of damage “acceptable.” At no time did management recommend a redesign of the SRB . . .

Presidential Commission Report on Challenger

From the beginning, a certain understanding of risk developed within NASA.

As in all previous space programs, certain residual risks have been accepted by management.  These residual, or acceptable risks, which remain after all feasible corrective actions have been taken, have been thoroughly reviewed . . . 

The conclusion of this review is that there is no single hazard nor combination of hazards that should be considered a constraint to launch.  All phases of Shuttle development and operations are continually being monitored to ensure that the aggregate risk remains acceptable.

Space Shuttle Safety Assessment Report, 1981

Before the Challenger, NASA had 24 successful launches in different kinds of weather. Yes, the O-rings would always be damaged, but that damage stayed within the bounds of “acceptable” wear and tear.

Vaughan collected a great deal of documentation and first hand testimony to describe what happened on the fateful eve of the disaster. NASA had several critiques of Thiokol’s recommendation to postpone the Challenger launch.

The 53 Degree Limit

As mentioned above, on the night before the launch SRB designers Thiokol declared that they could not recommend any launch when the outside temperature dropped below 53 degrees.

For NASA, this posed some terrible problems.

Whether [NASA’s Richard Mulloy’s] choice of words was as precise as perhaps it could have been, it was certainly a valid point, because the vehicle was designed to launch year-round. Thiokol was proposing significant changes to the whole shuttle program on the eve of launch.

NASA Engineer Larry Wear

The implications of trying to live with the 53 degree [limit] were incredible.  And coming in the night before the launch on such a weak basis was just–I couldn’t understand it.  

NASA Engineer Bill Riehl

And from Richard Mulloy, of the “launch next April!?” comment:

There are currently no launch criteria for joint temperature.  What you are proposing to do is to create a new launch criteria [not backed up by data], after we have successfully flown 24 launches with the existing criteria.  With the new criteria we may not be able to launch until April.  

I was frustrated.  Their analysis was dumb.  The data said one thing, the recommendation another.  Their 53 degree limit did not solve the technical issue, which was–what temperature did the joint need to be, [not what temperature it was outside]?

I find Mulloy’s point about joint temperature rather than outside temperature most crucial. Also, the Challenger launch had already been delayed several times, and on some of the other proposed launch days the temperature was below 53 degrees. None of the postponements were based on temperature, and Thiokol never raised this objection at any time before. The launch was scheduled for January 27, when it was 37 degrees out, and postponed, but not for cold temperatures. Again, Thiokol failed to raise temperature objections January 27. Thiokol engineer Jack Kapp admitted that,

Most of the concerns we presented . . . we had a very difficult time having enough data to quantify the effects we had talked about.  A lot was based on engineering “feel.”

It seems unreasonable to me to ask that NASA cancel a launch and completely revise launch criteria based on “feel.” In fact, in the various O-ring tests, the worst damage the equipment had ever sustained came on a day of high outside temperature. Thus, no data existed to show that low temperatures had a conclusive impact on the ability of the O-ring to seal. And yet, NASA said they would have canceled the launch had Thiokol stuck to their guns.

George Hardy, of the “appalled” comment, also stated according to many witnesses that he would not launch against designer advice, and also said, “For God’s sake, don’t let me make a dumb mistake.” If Thiokol truly thought they were on to something, they failed to state their case in a way that could convince NASA or even convince themselves beyond the standard nerves everyone has for a launch. They had no data. They had a “feeling.”

Now of course–they were right about this feeling! This adds to the Challenger tragedy. They had a hunch, but could not translate that hunch in a way that could lead to meaningful action. NASA would have listened to them, but Thiokol could not speak in a way that NASA–or even Thiokol itself–could understand. Canceling would have meant that:

  • New launch protocols would have been introduced without any real data to back them up

  • The number of shuttle launches planned would have to be drastically reduced

  • NASA management would have to give their bosses a reason for the cancellation, and would have been asked to base it on a “feeling.”

To cancel the launch would have essentially upended the entirety of NASA’s culture. This is exactly what should have happened. But Vaughan wants us to see that, all things considered, it is not reasonable for us to expect either Thiokol (which did reverse their recommendation to cancel) or NASA to do this. We do not have a Hollywood script with heroes and villains. The Challenger astronauts died not at the hands of craven management, but as part of something much larger. Vaughan’s analysis shows us that questions we should ask in the aftermath of the tragedy are much more complicated than we might have thought. Once an organization establishes a culture, some decisions almost seem to get made automatically.

Vaughan wrote her book in 1996, and if anyone at NASA read it, it had no impact. We may remember the destruction of the Columbia in 2003 upon re-entry. Its heat shielding was very likely damaged upon launching when insulation foam from the external tank dislodged during liftoff and struck the left wing. The tank needed insulation to keep the fuel cold enough, but it routinely dislodged during launch, as we might expect given so much thrust and vibration. Unfortunately, this time a large piece dislodged and struck the shuttle in a vulnerable spot during liftoff under the left wing. Columbia lost control and disintegrated upon re-entry. The official investigation into the crash stated that,

Cultural traits and organizational practices were allowed to develop . . . and reliance on past successes [served] as a substitute for sound engineering practices. Organizational barriers prevented communication of critical safety information.

Some might take solace in the fact that NASA’s culture of risk appears to have changed. In their partnership with SpaceX, for example, their criteria hold SpaceX to a standard of 1 fatality for every 230 launches. Some applaud this reform. But others find this impossible–how can NASA hold SpaceX to a standard that no space program at any time and place has ever been accountable to? How much risk must we accept to make progress?