Re: What was the biggest problem for each of the 2 destroyed US space shuttles?

From: Jay Windley (webmaster_at_clavius.org)
Date: 09/13/04 

Date: Sun, 12 Sep 2004 23:02:40 -0600

"rk" <stellare@NOSPAMPLEASE.erols.com> wrote in message
news:Xns9562E9CE4AB01rk@216.196.97.136...
| Jay Windley wrote:
|
| > In terms of engineering you have the normalization of deviance...
|
| Perhaps that's the way you make judgements. I don't and many others
| don't. And that's not a standard policy in aerospace where root
| cause analysis and worst-case analyses are standard policy.

Yes, I agree. In the case of SRB failure analysis, I don't believe the root
cause analysis and worst-case analysis went far enough.

The root cause for erosion and blowby was never traced back to the
unexpected joint rotation. That is, it was never considered serious enough
to stop flying while the rotation was corrected in order to make the joints
behave as expected.

The worst-case analysis for the joint behavior was based on too little
empirical evidence and an incomplete mathematical model that unfortunately
fit what data they had.

Now when I talk about the normalization of deviance, I intend that to
indicate how people in general approach deviance. Engineers do that too if
they do not remain consistently rigorous. I believe some of that happened
in the Challenger SRB case. I believe the steps the engineers took to
assure themselves that they understood the joint behavior, were insufficient
and acted instead to wrongly convince them that the SRB joint was safe to
fly. "Safe to fly" and "working as desired" are not necessarily the same
thing.

| There are specifications and requirements. And blow by and erosion do not
| meet specifications.

That is correct. My point, in a nutshell, is to ask why engineers did not
recognize unacceptable joint behavior much earlier and stop recommending
continued flights.

The statements I have read from Boisjoly and other engineers involved with
the joint is that they did not consider the a priori specifications to be as
important to their decision making as the experience with the joint that
they were acquiring through test and actual flight.

Thiokol went to their O-ring subcontractors and asked whether joint rotation
and O-ring extrusion would still work. The subcontractor said, basically,
you guys go out and test it and make sure you know how the O-rings behave in
your specific application -- we can't help you. Thiokol went to conventions
with seal experts and asked the same questions and got the same basic
answers: test it yourselves and rely on your developed in-house knowledge.

We do this at my company too. We have all the data sheets for all the
components that we use. We also do our own testing to see how these
components behave in our specific applications. The original manufacturers
don't necessarily care about our application and don't necessarily provide
appropriate testing. We have three engineers whose sole job is to
accumulate in-house expertise on stuff we get from vendors.

As part of the assurance that the rings would seat properly, they were
tested at increasingly higher test pressures on the pad. They knew that
doing this would increase the chances of blow-by and erosion, and the
empirical data confirmed it. In short, they believed they understood what
was causing the erosion, and they didn't consider it a flight risk. And
they thought they had a good handle on the effects of blow-by and erosion.
Several times they justified their "go" recommendations to MSFC by the same
technical rationale: redundancy, experience base, and the belief that the
O-ring displacement was a self-limiting behavior that would never last
beyond the early stages of the ignition transient.

| <Jay writes about learning by doing>
|
| Really? Have a cite for this?

Yes, but not handy this evening. Will it be okay if I wait until I get to
my office on Monday and can provide those citations?

| I would expect that the Shuttle is designed to requirements
| and specifications. Not that the requirements and specifications
| are written based on observed behavior.

That is my expectation too, but it's more accurate to summarize my belief by
saying that the day-to-day operation of a complex technology is governed
more by information gleaned through experience than by the original
specifications and pre-established rules. Yes, I'll provide a citation for
this too. It's essentially the whole basis for the system of launch
constraints and waivers at NASA. These mechanisms are designed to make
problems visible so that they can receive the proper attention.

| And I'll for a cite for this theory of yours that there is no pre-existing
| sense of right, wrong, safe, or broken for anomalies for the Shuttle.

I think you're asking me for a citation here as well, and I'll provide it
when I have my library handy. But I think you're going a bit farther with
the statement than I perhaps intended, or perhaps I'm going too far. You
still have the original requirements and expectations, and they still have
value, but they are examined and perhaps modified as new information about
safety and behavior becomes available. The requirements are written not
knowing exactly how things will work when built. That's why the NASA system
at the time provided methods for writing rationales for changing the
original rules.

It's not a matter of throwing out the original rules, or not having original
rules. It's a matter of weighing experience with those rules and deciding
which is best to pay attention to.

| Here's an interesting example and perhaps make this post worth
| reading, from Ken Iliff's _From Runway to Orbit_:

Fascinating reading; thank you. I don't mean to suggest that all deviance
is or ought to be ignored. But I believe that in some cases it is, and the
rationales given for re-evaluating expectations is often spot-on, and often
short-sighted. If something goes contrary to expectations, you seek to
understand that anomaly -- characterize and quantify it.

| > Institutionally you also have the complacence of some who rely on that
| > past experience as if it were some sort of Bible. The managers around
| > Challenger were complacent because the engineers had assured them
| > everything was under control.
|
| No, the engineers and SRB manager were telling them not to launch.
Period.

I think we're talking about two different time frames. From 1978-1985, when
the SRB joint was exhibiting various forms of improper operation, everyone
involved with the joint was assuring those in charge that although
anomalous, the joint behavior was well enough understood that it did not
pose a flight safety issue and that a sufficient safety margin still existed
even in the face of blow-by and erosion.

Then the eve of the launch, the recommendation was not to launch based on an
argument that turned out not to be supported by the data Thiokol presented.
I sense that the difference in perception was less about the fact that
Thiokol had reversed their opinion and more about the fact that Thiokol had
shifted from a long-standing and carefully rationalized position to one that
was purely emotional and was actually counter-indicated by the data.

Something seriously broke the eve of the launch. I can't deny that. But I
think it *began* breaking years before that night, as launch after launch
was approved in the face of a joint that was clearly not behaving as it
should. I want to examine those elements of the decision too because I
think they tell a more useful story about how to make space travel safer. 

-- 
                                          |
The universe is not required to conform   |  Jay Windley
to the expectations of the ignorant.      |  webmaster @ clavius.org