Manned Space Flight and Tolerating Risk: Part 1

The culture of NASA and its contractors, much like the fire service, had repeatedly identified systems and procedures that contributed to extreme risk. Because other launches had occurred without catastrophe, even though critical system failure was both real and apparent, NASA tolerated the risk and turned a real failure into a false success, again and again. The solid rocket boosters were failing repeatedly, but because the failure was partial and not catastrophic, it was considered normal and in fact became not only acceptable, but commonplace.

The seven-member crew of Challenger was strapped in and the main hatch was closed. The countdown proceeded and at 16:37:53 GMT, the three main engines ignited, burning for seven seconds as they developed maximum thrust. At 16:38:01, the solid rocket boosters ignited, the hold-down bolts blew and Challenger lifted off the pad.

At 0.678 seconds after liftoff, a pad-mounted camera showed puffs of smoke escaping from the field joint. The rubber O-rings had failed to seal properly in the frigid cold and hot gases were blowing through. The plume of smoke stopped after several seconds as the melting O-ring rubber and combustion debris apparently sealed the hole. Challenger completed a pitch and roll program heading due east over the Atlantic and then throttled down and up again, all according to plan. As fate would have it, Challenger then suffered some of the most severe wind turbulence ever encountered during a shuttle launch. This resulted in near-maximum deflection of the control surfaces and apparently dislodged the material plugging the leak. At 58.78 seconds after launch, cameras clearly show direct flame impingement on the external fuel tank.

At an altitude of 46,000 feet and 73 seconds after launch, the main fuel tank erupted in a massive fireball, propelling the crew compartment up and away. It eventually fell freely, striking the ocean surface. The range officers destroyed the still-flying, but out-of-control, SRBs at 16:39:50 GMT.

The Aftermath
Much of Challenger, including the remains of the crew, was recovered. Several groups were appointed to investigate the disaster; hearings were held and recommendations were made.

Prior to the Challenger incident, NASA was regarded as expert in identifying and eliminating risk and in integrating safety systems into its operations. The post-accident findings concluded it had accomplished neither. The Rogers Commission, appointed by then-President Reagan, was incredulous that safety was effectively absent as a force in NASA decision making. The Challenger disaster proved (at least) that an organization can successfully achieve the appearance of safety as a key operational component while it is wholly absent in practice.

Nothing better illustrates the failure of the safety culture at NASA than the testimony of Roger Boisjoly and Bob Lund of Morton Thiokol, commenting on their concerns that launching Challenger on the morning of January 26 would result in a catastrophe.

Roger Boisjoly:

"This was a meeting where the determination was to launch, and it was up to us to prove beyond a shadow of a doubt that it was not safe to do so. This is in total reverse to what the position usually is in a preflight conversation or a flight readiness review. It is usually exactly opposite that.

We were being put in a position to prove that we should not launch rather than being put in the position and prove that we had enough data to launch."

Bob Lund:

"We had to prove to them that we weren't ready, and so we got ourselves in the thought process that we were trying to find some way to prove to them it wouldn't work, and we were unable to do that. We couldn't prove absolutely that that motor wouldn't work."

It should be the primary mission of all fire service leaders (management, labor, officers, and firefighters) to examine our operational systems for unnecessary, tolerated risk and eliminate it wherever we find it.

Points for Consideration:

  1. Does your unit/company/department have the appearance of safety when it is really absent?
  2. How do you rate in an assessment of the three areas of aggregate risk?
    1. cardiac
    2. vehicle operations
    3. forward fire exposure
  3. When assessing an action from a safety perspective, are you asking if it is safe to do it, or do you instead have to prove why it is not safe to do it?