**10. Safety margins**

Major General Kutyna, Director of Space Systems and Command Control, USAF, and Presidential Commission member, argued that the O-ring evidence was analogous to evidence that an airliner wing was about to fall off. With respect to Diane Vaughan's contention that there was a 'safety factor of three', Professor Feynman pointed out that the fact that, in previous cases, the O-ring had burned only one third of the way through did not prove that there was a safety factor of three. If we merge the O-ring and the airplane wing examples, the argument that General Kutyna, an Air Force General, and Professor Feynman, a Professor of Physics, give is that if the wings of an aircraft have burned one-third of the way through, that does not mean that they have a two-thirds safety margin, as Diane Vaughan, a sociologist with a Master's degree in Sociology, thinks. If a part that is designed to hold back inflammatory gases is weakened by one-third, then its capacity to hold those gases back is diminished by one-third. In such a weakened state, the margin between its holding up and its caving in to the pressure of the gases is seriously undermined. It is not that it possesses a two-thirds safety margin; it is that one-third of its capacity is diminished. It may not be capable of standing up to a heavy load. Its safety margin at that point may be zero.

In Professor Feynman's words:

*If a bridge is designed to withstand a certain load … it may be designed for the materials used to actually stand up under three times the load … But if the expected load comes on to the new bridge and a crack appears in a beam, this is a failure of the design. The O-rings of the solid rocket boosters were not designed to erode. Erosion was a clue that something was wrong. Erosion was not something from which safety could be inferred.*<sup>31</sup>

If we are to generalize from these arguments to future scenarios of risk assessment, we must be careful never to consider problems that develop as evidence that the design is still basically sound. Problems are danger signals, not signals that everything is fine. When safety is compromised, it does not signify that there is still a viable margin of safety. When safety is weakened, what we have left is not a state of safety conditions which are a little less than perfect; we have conditions which are not safe.

<sup>30</sup> *Ibid*., p. 183.

<sup>31</sup> *Ibid*., p. 183.
