The Challenger Launch Decision: Risky Technology, Culture, and Deviance at NASA. - book reviews

Administrative Science Quarterly,  June, 1997  by Scott D. Sagan

Diane Vaughan's The Challenger Launch Decision is a brilliant and disturbing book. It is brilliant in both conception and execution; it is disturbing because of the pessimistic lesson provided to all organizations that operate with hazardous technologies. "While good management and organizational design may reduce accidents in certain systems," Vaughan starkly concludes, "they can never prevent them" (p. 416).

This book sets out to challenge the conventional wisdom about the Challenger accident: the widespread view that "production pressures" to meet launch schedules led managers to violate the internal NASA rules designed to ensure that a catastrophic accident did not occur. This common wisdom - encouraged by the report of the Rogers Commission on the Challenger accident - is perversely comforting, for it suggests that if we try harder, organize more intelligently, and follow rules more closely, similar accidents can be prevented in the future. Vaughan presents this story, clearly and forcefully, in chapter 1 and then tears it apart, piece by piece, throughout the rest of the book. Her detailed ethnography of the decision-making process compellingly demonstrates that the key decision makers in this tragic story were indeed following the rules at NASA: the decision-making rules had been designed to create a rational risk assessment procedure; engineers and managers analyzed, discussed, and reported on possible O-ring weakness before the launch; and they followed official procedures throughout the final teleconference on the night before the catastrophe. What Vaughan shows is how these rules ruled out certain kinds of arguments and evidence: the last-minute opposition to the launch presented by the Morton Thiokol engineers was ineffective because they lacked hard engineering data to "prove" their argument that the cold temperatures that morning in Florida would lead to an O-ring failure. Moreover, as Vaughan notes, Marshall Space Flight Center and Thiokol engineers believed that even in the "worst case" event that the primary O-ring failed, the secondary O-ring in the joint would seal and prevent a catastrophe. Under such conditions, the launch was considered an acceptable risk.

What Went Wrong?

This central insight - about a false faith placed in the effects of redundancy - is strongly supportive of normal-accidents theory, as Vaughan recognizes. According to the high-reliability theory scholars, who are more optimistic about the ability of organizations to operate hazardous technologies, the use of redundancy is crucial, since backup components can compensate for failures in each other's performance. Redundancy theory in engineering, after all, shows how even relatively unreliable components, if independent and connected in a parallel manner, can lead to significant increases in overall system reliability. This is the beauty of redundancy: it enables organizations to make, in John von Neumann's phrase, "reliable systems out of unreliable parts" (as quoted in Bendor, 1985: 295). It should therefore come as no surprise that the use of great redundancy is common in nuclear power plants, critical computer software, aircraft carriers, and air traffic control systems.

One of the dangers of redundancy, however, as described in The Limits of Safety, is that "when redundancy makes the system appear more safe, operators often take advantage of such improvements to move to higher and more dangerous production levels" (Sagan, 1993: 40). This "offsetting behavior" phenomenon has been witnessed in a variety of personal settings, where individuals seek to be both safe and efficient. For example, the introduction of seat belts and airbags does not appear to have led to reductions in fatality rates in automobile accidents, suggesting that consumers may drive faster and more recklessly, canceling the potential safety benefits of redundant safety devices (see Peltzman, 1975; Peterson, Hoffer, and Millner, 1995). Similarly, the literature on consumer product safety has suggested that parents' offsetting behavior has countered the potential benefits of "child resistant" safety caps on drug bottles. The Food and Drug Administration's 1972 regulations requiring child-resistant caps have led to an increase in accidental poisoning: busy parents too often leave drug bottles on the bathroom counter, ignoring or misunderstanding the probabilities that some bottles will be left open or that small children will be able to open the caps and will then ingest the drugs inside (Viscusi, 1992).

The Challenger Accident Revisited

Diane Vaughan's study is the most stunning example available of this offsetting behavior taking place inside what appeared to be an organization with especially high standards for reliability and safety. In the years before the Challenger launch, organizational decision makers carefully pursued safety and redundancy but did not fully understand how increased production (in this case, launching in cold temperatures) could reduce the reliability of more than one redundant safety component at the same time. Seeking to gain the benefits of redundancy, designers placed two O-rings in the critical rocket booster joint. The primary O-ring and the secondary O-ring were originally listed as "Criticality 1R" items in the NASA engineers' jargon: "criticality 1" because the item's failure would produce loss of life or vehicle, and "R" because the items were considered fully independent or redundant. When Marshall Space Flight Center engineers produced data showing that if one assumed multiple worst-case conditions (what were called WOW conditions, or worst-on-worst conditions) both O-rings could fail simultaneously, the rings were officially relabeled C1 items (that is, no longer credited as redundant, because the secondary ring's performance was not fully independent of the primary's). This required either that the booster be redesigned, because the fail-safe criterion was not met, or that an official waiver be granted. After prolonged study and negotiations, the waiver was granted, because the likelihood of multiple failures during the critical seconds of a launch was considered exceedingly low. In part this was because the O-ring problem was considered "self-limiting": when hot gases blew through a leak in the primary O-ring, the pressure would push the secondary O-ring in the other direction and seal the joint at the critical moment in the launch (pp. 156-158).
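The redundancy arithmetic behind the two preceding discussions (the parallel-reliability argument under "What Went Wrong?" and the 1R-to-C1 relabeling described here) can be made concrete. The following Python is an added illustration, not material from Vaughan's book or from Sagan's review, and its probabilities (a one-in-ten cold launch, a seal that fails half the time when cold and one percent of the time otherwise) are constructed for the example, not NASA figures. It computes the probability that two parallel seals both fail under the independence assumption that justifies an "R" label, and under a single shared condition that degrades both seals at once, which is what the worst-on-worst analysis captured.

```python
"""Redundancy arithmetic: independent parallel components versus a shared
(common-cause) condition such as cold temperature.

Added example, not from Vaughan's book or Sagan's review. Every probability
below is constructed for illustration and is not NASA data.
"""


def joint_failure_independent(p_fail, n):
    """P(all n parallel components fail) when each fails independently with
    probability p_fail. This is the textbook 'reliable systems out of
    unreliable parts' calculation behind an 'R' (redundant) label."""
    return p_fail ** n


def marginal_failure(p_cond, p_fail_cond, p_fail_nocond):
    """Unconditional per-component failure probability when the component's
    failure probability depends on a shared condition (e.g. a cold launch)
    that holds with probability p_cond."""
    return p_cond * p_fail_cond + (1 - p_cond) * p_fail_nocond


def joint_failure_common_cause(p_cond, p_fail_cond, p_fail_nocond, n):
    """P(all n components fail) when failures are independent only *given*
    the shared condition. Unconditionally they are correlated, because the
    same condition degrades every component at the same time."""
    return p_cond * p_fail_cond ** n + (1 - p_cond) * p_fail_nocond ** n


def redundancy_report(p_cond, p_fail_cond, p_fail_nocond, n=2):
    """Compare the joint-failure probability a designer gets by treating the
    components as independent (using the same per-component failure rate)
    with the probability under a common cause, and report the worst-case
    figure when the shared condition actually holds (the worst-on-worst view)."""
    p_marg = marginal_failure(p_cond, p_fail_cond, p_fail_nocond)
    assumed = joint_failure_independent(p_marg, n)
    actual = joint_failure_common_cause(p_cond, p_fail_cond, p_fail_nocond, n)
    return {
        "per_component_failure": p_marg,
        "joint_failure_assuming_independence": assumed,
        "joint_failure_with_common_cause": actual,
        "underestimate_factor": actual / assumed,
        "joint_failure_given_condition": p_fail_cond ** n,
    }


if __name__ == "__main__":
    # Constructed numbers: a cold launch occurs 1 time in 10; a seal fails
    # half the time when cold and 1% of the time otherwise.
    report = redundancy_report(p_cond=0.10, p_fail_cond=0.50, p_fail_nocond=0.01)
    for key, value in report.items():
        print(f"{key:40s} {value:.6f}")
```

With these constructed inputs each seal fails about 5.9% of the time, so the independence assumption predicts a joint failure of roughly 0.35%; the common-cause calculation gives about 2.5%, some seven times higher, and on a cold day the joint failure probability is 25%. Every organization that relies on defense in depth faces the same question: whether the layers share a dependency that the "independent components" arithmetic silently assumes away.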