146 Risk Management – Current Issues and Challenges

From the above example, one can generate the conclusion that whenever possible, when calculating risk, one should not calculate risk in any other way than from the conclusions generated from actual, real-life, past performance data. The lesson to be learned is that in risk assessment, past performance data, when available, must always be consulted. One should avoid guesswork. Unless the risk estimates are based on past performance data as a database, according to Professor Feynman, 'it's all tomfoolery'.<sup>30</sup> There is no reason why we should not learn from the lessons of the *Challenger* disaster to generalize sound conclusions concerning the method we should employ when engaging in risk assessment.

**10. Safety margins**

Major General Kutyna, Director of Space Systems and Command Control, USAF, and Presidential Commission member, argued that the O-ring evidence was analogous to evidence that an airliner wing was about to fall off. Professor Feynman pointed out, with respect to Diane Vaughan's contention that there was a 'safety factor of three', that because in previous cases the O-ring had burned only one third of the way through, that did not prove that there was a safety factor of three. If we merge the O-ring and the airplane wing examples, the argument that General Kutyna, an Air Force General, and Professor Feynman, a Professor of Physics, give is that if the wings of an aircraft have burned one-third of the way through, that does not mean that they have a two-thirds safety margin, as Diane Vaughan, a sociologist with a Master's degree in Sociology, thinks. If a part that is designed to hold back inflammatory gases is weakened by one-third, then its capacity to hold those gases back is diminished by one-third. In such a weakened state, the margin between its holding up and its caving in to the pressure of the gases is seriously undermined. It is not that it possesses a two-thirds safety margin; it is that one-third of its capacity is diminished. It may not be capable of standing up to a heavy load. Its safety margin at that point may be zero.

In Professor Feynman's words:

*'If a bridge is designed to withstand a certain load … it may be designed for the materials used to actually stand up under three times the load … But if the expected load comes on to the new bridge and a crack appears in a beam, this is a failure of the design. The O-rings of the solid rocket boosters were not designed to erode. Erosion was a clue that something was wrong. Erosion was not something from which safety could be inferred.'*<sup>31</sup>

If we are to generalize from these arguments to future scenarios of risk assessment, we must be careful never to consider problems that develop as evidence that the design is still basically sound. Problems are danger signals, not signals that everything is fine. When safety is compromised, it does not signify that there is still a viable margin of safety. When safety is weakened, what we have left is not a state of safety conditions which are a little less than perfect; we have conditions which are not safe.

<sup>30</sup> *Ibid*., p. 183. <sup>31</sup> *Ibid*., p. 183.

**11. Safety back-ups**

One must also be very careful when one considers safety back-ups. In engineering language, safety back-ups are referred to as redundancies. (It is important to take note of the difference in English language usage in the case of technical engineering terms and ordinary English language usage since, in the latter case, a redundancy is that which is unnecessary!) In the case of the *Challenger*, the back-up system was a secondary O-ring seal. The secondary seal was also known to be prone to failure. In effect, there was no secondary seal. Of course, if we are to consider the argument made above carefully, if the primary seal is unsafe, and the secondary seal is made from the same materials with the same design, how is it any safer? When examining any safety back-ups, one must be certain that the back-ups are not of the same faulty design as the technology that they are supposedly 'backing up'. Since the O-ring was considered to be at Criticality 1 (no back-up), it is thus not surprising that the secondary seal was not considered to be a back-up by this designation.
In addition, it must not be forgotten that initially all 14 engineers and managers unanimously voted against launching the *Challenger*. Such a vote of no confidence would be proof enough that all 14 engineers and managers had no confidence in the secondary seal. If, when Professor Feynman in his famous, improvised experiment during the televised hearings dropped a piece of the rubber O-ring into a glass of ice water obtained from a waiter, and demonstrated that it had no resiliency left to it at a freezing temperature and therefore could not expand to contain superhot inflammable gases, how would a second piece of the same rubber material be of any use? If one piece of rubber would not seal, why would another piece of the same rubber not also be stiff?<sup>32</sup> There is no safety back-up if the materials of the back-up suffer from the same defect as the materials of the primary material they are supposedly backing up.
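The point made in this section, that a back-up built from the same material and design as the primary adds no safety, is what reliability engineers call common-cause failure. The added example below (not from the book) models a primary/secondary seal pair with the beta-factor model: the share `beta` of each seal's failure probability `p` is attributed to a cause shared by both seals (same rubber, same cold temperature), and only the remainder is seal-specific. All numbers are constructed for illustration, not *Challenger* data.

```python
# Added example: when does a second, identical seal actually back up the first?
# Beta-factor model: each seal's failure probability p is split into a shared,
# common-cause share (beta * p) that fails both seals at once, and an
# independent share ((1 - beta) * p) specific to each seal.

def two_seal_failure_probability(p: float, beta: float) -> float:
    """Probability that BOTH the primary and the secondary seal fail.

    p    : per-seal failure probability under the launch conditions
           (constructed value; the book gives no figure).
    beta : fraction of p caused by a defect the two seals share.
           beta = 0 -> fully independent seals (textbook redundancy)
           beta = 1 -> the secondary inherits every defect of the primary
    """
    if not (0.0 <= p <= 1.0 and 0.0 <= beta <= 1.0):
        raise ValueError("p and beta must lie in [0, 1]")
    common = beta * p                 # one cold, stiff batch of rubber kills both
    independent = (1.0 - beta) * p    # residual, seal-specific failures
    # System fails if the common cause strikes, or, absent the common
    # cause, if both seals fail for their own separate reasons.
    return common + (1.0 - common) * independent ** 2


def redundancy_benefit(p: float, beta: float) -> float:
    """How many times safer the pair is than a single seal (1.0 = no gain)."""
    return p / two_seal_failure_probability(p, beta)


if __name__ == "__main__":
    p = 0.05  # constructed per-seal failure probability for a cold launch
    for beta in (0.0, 0.5, 0.9, 1.0):
        both = two_seal_failure_probability(p, beta)
        print(f"beta={beta:.1f}  P(both seals fail)={both:.4f}"
              f"  benefit over one seal: x{redundancy_benefit(p, beta):.1f}")
```

With `beta = 0` the pair is twenty times safer than one seal; with `beta = 1` the 'back-up' leaves the failure probability exactly where it was, which is the book's argument in numbers.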
