Re: What was the biggest problem for each of the 2 destroyed US space shuttles?

From: Jay Windley (webmaster_at_clavius.org)
Date: 09/15/04 

Date: Tue, 14 Sep 2004 19:18:26 -0600

"rk" <stellare@nospamplease.comcast.net> wrote in message
news:Xns9564C24D02DBArk@216.196.97.136...
|
| You have repeatedly stated that the level of proof required to
| not launch is equal to that required to launch.

I have repeatedly claimed that there is *qualitative* similarity between a
contention to launch and a contention not to launch in the sense that MSFC
wanted rationales in all cases, not just statements of belief. If you say
the presumption is not to launch and the burden of proof is on the "go" for
launch, this implies that no rationale is required to raise an issue that
would prevent a launch. My contention is that a rationale of some kind was
required. I consider it a separate argument whether such a rationale
*should* be required, and on that separate point I'm inclined to say that it
shouldn't be required beyond a statement of plausibility.

"You have to be able to show you've got a technical issue that is unsafe to
fly." (SRB chief engineer Jim Smith; Vaughan, p. 249)

| I disagree with that, it is more certainly not equal.

Yes, I'll have to concede to you on that. I mentioned at one point that
*more* evidence would be required to make the case for O-ring unsafety. I
didn't provide the right context, or at least I didn't provide it strongly
enough.

I mean that *more* evidence would be needed in order to rescind a prior
rationale, and I made that statement without regard to whether it was for or
against a launch. The key element in my thinking there was that you had to
provide a case strong enough to get over the ambiguity you will have created
simply by having changed your mind. Whether that applies to "more" or
"less" evidence in a quantitative sense isn't really what I had in mind.
The sole act of changing your mind makes people question you, and you had
better be prepared to dazzle them with a convincing case for your new
conclusion.

In the abstract it ought to be an easy thing. If you build up a rationale
against a presumption, rescinding it ought to be as easy as showing the flaw
in the rationale and letting the presumption re-assert itself. You don't
have to prove that the presumption is correct, and so in that sense you
don't have to make a greater case to rescind than to affirm. My only
remaining contention, then, is that I don't believe the dynamics of the
situation allowed for such an abstractly "easy" rescindment.

And at this point you might say, "That's what I've been trying to tell you
all along, you twit." Boisjoly's argument at *least* put the launch
authorization back in the gray area, and I agree that gray areas ought to be
decided on the side of stopping the launch. So how was that allowed to
happen? Was the screwup only on the eve of the launch? Or did things that
happened earlier contribute?

Moving on to what I consider a separate point, we bring in the notion of
justifying a delay versus justifying a launch. I agree fully that the
burden of proof ought to be on those who argue it's safe to launch. But I
don't believe that's an absolute -- which is to say, I don't believe that a
launch "constraint" (i.e., an absolute denial of launch authority) should be
granted with no rationale. And I'm not sure, but I think that's what Smith
is trying to say.

The barrier to delaying a launch on the basis of safety should be low, but
in my opinion not non-existent. I think someone else pointed out that if
that were the case, you'd never launch. The barrier to authorizing a launch
ought to be very high. And in my opinion it was not high enough in
Challenger's case. Why wasn't it?

So I hope I've picked apart what obviously came across as a confounded
assertion. I believe you've got to provide good arguments when you change
your mind. I believe that the correct presumption is for non-safety, and
that the onus is on those who want to fly. That said, this particular case
puts those two points in conflict. I think you have to demonstrate some
rationale for changing your mind and deciding not to fly, but on your side
you have the weight of the presumption that says ambiguous cases should be
decided on the side of not launching.

| In fact I will contend that it is not safe to work by your
| standards of balancing the evidence in such a fashion.

I will readily agree it is not safe to work if the design is assumed safe
and the burden of proof is on those who are tasked with proving it faulty.
I don't want to argue for a wholesale shift of the burden of proof. My
belief is that the presumption not to launch was not as purely presumptive
as it should be. And so there is some evidentiary hurdle that must be
cleared even to raise a launch constraint issue.

I do agree that the presumption is that something is broken, and it should
be proven to work before depending on it. But as Mary pointed out, you
can't ever prove that something is safe. You can only demonstrate that it
is not unsafe in any way you know how to predict. Boisjoly failed to
convince people that he could predict the behavior of the O-ring in cold
temperatures, even though we know he could. What went wrong? Yes, the
managers ignored him and others. But did they believe they were doing an
acceptable thing by that action? 

-- 
                                          |
The universe is not required to conform   |  Jay Windley
to the expectations of the ignorant.      |  webmaster @ clavius.org

Relevant Pages