Online Exclusive

Manned Space Flight and Tolerating Risk: Part 1

It should be the primary mission of all fire service leaders to examine our operational systems for unnecessary, tolerated risk and eliminate it wherever we find it.

January 28, 1986, dawned bitterly cold at the Kennedy Space Center in Florida. After years of planning and preparation and four delays, the shuttle Challenger (STS-51) was ready to go. The three main shuttle engines were fueled by 1.3 million pounds of liquid oxygen and 226,000 pounds of liquid hydrogen, stored in the huge external fuel tank to which the shuttle was attached.

Despite the three main engines' combined 37 million horsepower, more, in fact much more, would be needed to lift Challenger off the pad and into its planned orbit 150 nautical miles above the earth. Attached to the shuttle and the fuel tank were the solid rocket boosters (SRBs) (see Illustration 1). The SRBs, nearly 15 stories high, burned a fuel consisting of aluminum and ammonium perchlorate. When ignited after the three main engines were running at full power, the SRBs added 5.3 million additional pounds of thrust, allowing the spacecraft to rapidly lift off and head downrange. Without the SRBs, the shuttle would simply sit on the pad, since they provided 80 percent of the thrust for launch.

The SRBs were not without controversy or concern. Developed by Morton Thiokol, they were partially constructed in a plant in Utah and then shipped by rail to Cape Canaveral for final assembly. These rocket motors consisted of a number of sections, denoted as either field or factory units, based on whether they had been completed in Utah or in Florida. Because the finished motor was too tall to be shipped as one single piece, the various sections would be stacked inside the vehicle assembly building not far from the launch pad.

The most controversial aspect of the SRB was the joint where a factory section was attached to a field section. The joint system included a tang and clevis connection (see Illustration 2), a primary and secondary O-ring seal, and 177 steel bolts to hold each section together. On firing, the SRBs would ignite from top to bottom and for less than a second undergo a combination of bending and pressurization forces which placed stress on the joints. During this very brief period, hot exhaust gases from the burning rocket fuel could theoretically leak through the joints and damage or destroy the SRB. Such an occurrence would constitute, in the language of NASA, a "criticality one" event because there was no backup or redundancy for that system and a loss of it could result in loss of the shuttle. From a crew safety standpoint, this would clearly be an unacceptable risk.

A fire service analogy of a criticality one event could be the acceptance and use of an aerial device, fire pump or personal protective equipment component where a failure during routine use would likely result in the injury or death of personnel. Other relevant examples include systems of operation, such as staffing, procedures, training and behavioral norms. When a failure occurs, a death, injury or exposure results.

Meeting Expectations
The space shuttle system was (and is) expensive to operate and maintain. In order to win approval for initial and subsequent funding, a clearly skeptical Congress had to be convinced by NASA and other interested parties that it was efficient, economical and widely usable for business purposes. In order to fulfill this promise the shuttle would have to evolve from a system that was effectively experimental to an operational mode. It would have to become a "quasi-competitive business operation." Inherent in that move would be a system that was reliable, redundant and safe. The shuttle was none of these things.

How often do public safety professionals market fire and EMS service models that are not reliable, safe or effectively operational with economic arguments that are false or misleading? Understaffed companies, inadequate communications structures, poorly trained personnel and substandard response equipment are often the outgrowth of such arguments with disastrous results for firefighters and citizens.

Theory Into Practice
As the history and experience of the space shuttle would clearly demonstrate, the possibility that hot exhaust gases could leak through the rocket sections during the ignition sequence was hardly theoretical. Such concerns emerged almost immediately. The solid rocket motors were reused multiple times. After detaching from the shuttle they landed in the Atlantic Ocean, where they were recovered, examined and then refurbished. Beginning with STS-2 and at least 10 times thereafter, there was clear and alarming evidence that under a variety of normal operating conditions, hot gases were leaking from the motor sections and impinging on and damaging the primary and, occasionally, the secondary O-ring systems (see Field Joint Distress Table).

The failure of an SRB joint was a criticality one event which would result in the loss of the shuttle. Despite this fact, the reaction of many involved in the launch decision chain, including managers and engineers, was to examine the event, identify the cause and attendant risk, and then accept that risk as normal. Since no catastrophic failure had occurred, only damage to an SRB joint, often of increasing severity, risk was both accumulated and tolerated. NASA continued to tolerate clearly unacceptable risk because they "got away with it last time."

One aspect of the post-NFPA 1500 (Standard on Fire Department Occupational Safety and Health) period in which we find ourselves is the continuing ability of the fire service to accept or tolerate unnecessary accumulated risk. Currently, the three primary sources of unwarranted aggregate risk (or potential criticality one events) are:

  • Employment of firefighters with a cardiac condition (known or unknown)
  • Dangerous operation of response vehicles by unqualified personnel
  • Placing firefighters in a "forward" fire environment where civilian life safety is not a rational consideration

A Fateful Decision
January 25, 1986, was by far the coldest launch weather to date. An unseasonable cold snap had plunged pre-dawn temperatures into the mid-20s. The lowest previous launch temperature was 53 degrees F. Given the forecasted extremely low temperatures, some engineers, in fact those with the most direct knowledge of the O-ring and joint problems, expressed alarm that the launch might go forward. They were gravely concerned that the frigid temperatures would reduce the ability of the O-rings to seal properly and retard the flow of hot gases through the joints.

Their unease resulted in a series of teleconferences between personnel at Morton Thiokol in Utah, at the Marshall Space Flight Center in Huntsville, AL and in Florida. Morton Thiokol, led by their engineers, recommended against the launch at such a cold temperature. NASA managers, some in senior positions, were unhappy with the Morton Thiokol decision but unwilling to overrule a contractor regarding their system. NASA managers were under pressure to launch. One stated that he was appalled at the Morton Thiokol position and another asked "Are we supposed to wait until April?"

This caused a stir in Utah and Morton Thiokol asked for a recess in the conference call, which was granted. Offline, Morton Thiokol managers and engineers debated their position. Finally, Morton Thiokol managers, stating that it was time to make a management decision, as opposed to an engineering decision, excluded the engineers and voted to revise their earlier position and instead recommend launching. They returned to the conference call and relayed their new position. Clearly focused on concerns other than crew safety, they allowed external pressures to overturn the correct assessments of seasoned, experienced professionals.

While STS-51 had received what would be a fatal green light as far as the SRBs were concerned, cold weather was also causing other problems on the pad. Large amounts of water are needed at launch to protect the shuttle and launch facilities from engine exhaust gases and dynamic forces. This water is provided at the launch pad by way of above-ground piping, which was in danger of freezing and bursting. The time-honored solution to this problem was to allow the pipes to drip continuously through the night. The result was no burst pipes, but a launch service structure and other areas sheathed in ice. This included the path the astronauts would need to traverse in the event of an emergency evacuation. The ice, in the opinion of a shuttle contractor in California, posed unknown risks to the spacecraft. Chunks of ice knocked loose during ignition or as the orbiter left the pad could strike it, causing catastrophic damage. Despite these concerns, the launch was a go.

The culture of NASA and its contractors, much like the fire service, had repeatedly identified systems and procedures which contributed to extreme risk. Because other launches occurred that did not result in catastrophe, despite the fact that critical system failure was both real and apparent, NASA tolerated the risk and turned a real failure into a false success, again and again. The solid rocket boosters were failing repeatedly but because the failure was partial and not catastrophic, it was considered normal and in fact, became not only acceptable, but commonplace.

The seven-member crew of Challenger was strapped in and the main hatch was closed. The countdown proceeded and at 16:37:53 GMT, the three main engines ignited, burning for seven seconds as they developed maximum thrust. At 16:38:01, the solid rocket boosters ignited, the hold-down bolts blew and Challenger lifted off the pad.

At 0.678 seconds after liftoff, a pad-mounted camera showed puffs of smoke escaping from the field joint. The rubber O-rings had failed to seal properly in the frigid cold and hot gases were blowing through. The plume of smoke stopped after several seconds as, apparently, the melting O-ring rubber and combustion debris sealed the hole. Challenger completed a pitch and roll program heading due east over the Atlantic and then throttled down and up again, all according to plan. As fate would have it, Challenger then suffered some of the most severe wind turbulence ever encountered during a shuttle launch. This resulted in near maximum deflection of the control surfaces and apparently dislodged the material plugging the leak. At 58.78 seconds after launch, cameras clearly showed direct flame impingement on the external fuel tank.

At an altitude of 46,000 feet and 73 seconds after launch, the main fuel tank erupted in a massive fireball, propelling the crew compartment up and away. It then fell freely, striking the ocean surface. The range officers destroyed the still-flying but out-of-control SRBs at 16:39:50 GMT.

The Aftermath
Much of Challenger, including the remains of the crew, was recovered. Several groups were appointed to investigate the disaster; hearings were held and recommendations were made.

Prior to the Challenger incident, NASA was regarded as expert in identifying and eliminating risk and also in integrating safety systems into their operations. The post accident findings concluded they had accomplished neither. The Rogers Commission, appointed by then President Reagan, was incredulous that safety was effectively absent as a force in NASA decision making. The Challenger disaster (at least) proved that you can successfully achieve the appearance of safety as a key operational component when it is wholly absent in practice.

Nothing better illustrates the failure of the safety culture at NASA than the testimony of Roger Boisjoly and Bob Lund of Morton Thiokol, commenting on their concerns that launching Challenger the morning of January 26 would result in a catastrophe.

Roger Boisjoly:

"This was a meeting where the determination was to launch, and it was up to us to prove beyond a shadow of a doubt that it was not safe to do so. This is in total reverse to what the position usually is in a preflight conversation or a flight readiness review. It is usually exactly opposite that.

We were being put in a position to prove that we should not launch rather than being put in the position and prove that we had enough data to launch."

Bob Lund:

"We had to prove to them that we weren't ready, and so we got ourselves in the thought process that we were trying to find some way to prove to them it wouldn't work, and we were unable to do that. We couldn't prove absolutely that that motor wouldn't work."

It should be the primary mission of all fire service leaders (management, labor, officers, and firefighters) to examine our operational systems for unnecessary, tolerated risk and eliminate it wherever we find it.

Points for Consideration:

  1. Does your unit/company/department have the appearance of safety when it is really absent?
  2. How do you rate in an assessment of the three areas of aggregate risk?
    1. cardiac
    2. vehicle operations
    3. forward fire exposure
  3. When assessing an action from a safety perspective, are you asking if it is safe to do it, or do you instead have to prove why it is not safe to do it?

ERIC LAMAR lives and works in Washington, D.C. He has been involved in the fire service for 30 years.