The Normalization of Deviance (part 1)
Roger Boisjoly's story is covered extensively in Adam Higginbotham's wonderful book on Challenger

The wide-open bright blue winter skies of Florida and Texas were the backdrop for the two Space Shuttle disasters, events that doomed man’s first reusable orbital vehicle.

On 28 January 1986, the Challenger was embarking on mission STS-51L when 73 seconds after launch it exploded. The flight had attracted more public attention than normal as onboard was the first civilian to be launched to space, the teacher Christa McAuliffe, and 2.5 million excited elementary school students watching live from their schools became witness to an inexplicable horror.

On 01 February 2003, 17 years after Challenger and while operating mission STS-107, the Columbia orbiter disintegrated as it re-entered the atmosphere over Texas. The ferocity of the break-up was so severe that nearly 84,000 pieces of Columbia were eventually recovered from a 2,000 square mile area, but even this represented only 40% of the entire vehicle.

These disasters occurred during different phases of flight and had different immediate causes. But the underlying causes of the two accidents were fundamentally identical.

For that reason, the Challenger & Columbia accidents provide professionals in the process safety, loss prevention and risk management fields with an incredibly valuable lesson as to how the ‘normalization of deviance’ in an organization can incubate disaster.

In this two-part article I explore those lessons and how we can build upon them to make our industrial organizations more robust to similar types of failure.


Space Shuttle Challenger


Roger Boisjoly

Roger Boisjoly was a 47-year-old engineer with Morton Thiokol, the manufacturer of the solid rocket boosters (SRBs) for the Space Shuttle. He had spent his entire career in the aerospace industry working on everything from intercontinental ballistic missiles to the Apollo lunar lander. Although he considered himself an introvert, previous employers had found him to be sometimes intemperate and emotional. He was rigid in his engineering principles and had no qualms about calling out miscalculations and errors, even when they might prove inconvenient, expensive or embarrassing to others.

In a previous job with Rockwell International, Roger had an encounter that profoundly shaped his attitude towards his work and his responsibilities as an engineer.

One morning one of his engineering colleagues, a normally genial and cheerful man, was visibly distressed. “He was in pretty bad shape, walking around in a sort of stupor. I thought he was on drugs,” Boisjoly recalled.

He soon found out that his distraught colleague had previously worked for an aerospace company working on the McDonnell-Douglas DC-10, the latest and most modern passenger aircraft. The previous day a new Turkish Airlines DC-10 had crashed 11 minutes into a flight from Paris, with the loss of 346 souls. It was discovered almost immediately that the plane had suffered an explosive decompression when the left rear cargo door blew off, rendering the aircraft completely uncontrollable.

The cargo doors on the DC-10 were different to almost all other aircraft, in that they opened outwards in order to maximise the amount of cargo that could be carried. But this created a new hazard: the cargo door could be blown open by the pressure inside the cargo area if the latch were to fail during flight. Roger Boisjoly’s disconsolate colleague had been one of the engineers involved in the door design, and had pushed for a redesign when the hazard was uncovered, but to no avail. He even went as far as lobbying the Federal Aviation Administration (FAA) to deny certification to the plane, but without success. Now, he blamed himself for not pushing harder. He blamed himself for the deaths of 346 people.

Roger Boisjoly became determined to not let the same thing happen again.

SRB joint being inspected at the Kennedy Space Center, Cape Canaveral

The Signal & The Noise

After the launch of the shuttle Discovery in January 1985, Roger made a regular trip to Florida to examine the SRBs that had been recovered from the Atlantic Ocean to be refurbished for the next launch. He shone a torch into one of the joints on a recovered SRB and saw something that “made his heart hammer in his throat”. The first of the two Viton O-rings that sealed the joint - intended to prevent superheated gases jetting out and exploding the shuttle’s main fuel tank - had been incinerated across almost one-third of its length. He was astonished that Discovery hadn't exploded there and then on the launchpad.

Boisjoly was convinced from that day that record low temperatures at the Cape (11 degC) had caused the synthetic rubber of the O-rings to shrink and harden in the cold, eliminating their sealing capabilities. For several weeks Morton Thiokol engineers scrambled to find a scientific explanation for the observed O-ring damage - going through quality control records, testing retained samples of the fireproof putty that coated the inside of the SRB, interviewing technicians on the factory floor - but nothing anomalous was found. The only thing remaining was what Roger had suspected all along…the cold.

He - and his engineering colleagues that now believed in his hypothesis - lobbied the management at Morton Thiokol and NASA to stop any future launches where the temperature was below 11 degC, to fund tests into O-ring performance at low temperatures and to commit to a long-term fix should those tests prove conclusive. But they were rejected. Carried up through the long review process in a series of presentations to the NASA hierarchy, the O-ring issue was distilled down to a single bullet-point comment:

CONDITION IS NOT DESIRABLE, BUT IS ACCEPTABLE.


A Voice Cries Out In The Wilderness

Roger Boisjoly could not - would not - let this go.

He formed an unofficial five-man task force to find a permanent solution to the O-ring issues. Convinced of the need to move quickly, they sketched out 30 different potential new designs for sealing the SRB joints, the best of which were printed and distributed to management. But no response came.

Apprehension that a disaster caused by the seals - and his potential responsibility for it - tormented him daily, making it hard to concentrate; he had not yet forgotten the victims of Flight 981. At last, Boisjoly decided to put his fears on the record. On the final Wednesday of July 1985, he sat down and wrote an internal memo addressed to Morton Thiokol management (see below).

Roger Boisjoly's letter to Morton Thiokol management regarding the O-ring issue

The letter concluded “It is my honest and very real fear that if we do not take immediate action... we stand in jeopardy of losing a flight”.

The letter stimulated some activity. The unofficial task force was made official and a two-day conference was organised at the NASA Marshall Space Flight Center. But Boisjoly was soon disappointed. The members of the task force found it almost impossible to get anything done, hamstrung by bureaucracy and an inability to buy the equipment they needed to conduct tests without going through the bidding process required of any government contractor. They seemed to be generating more paperwork than test results.

“I give up trying to get something done in this place,” he wrote in his diary.

A puff of black smoke is seen from the right SRB aft field joint, 0.63 seconds after take-off

Left Out In The Cold

The STS-51L mission had suffered a number of delays from its initial scheduled launch date in early January 1986, and its latest target was the morning of 28 January. A cold front had swept down from the Canadian arctic, and the forecast for the night of 27 January predicted a temperature of -5 degC; it would be the coldest night in Florida history.

When Roger Boisjoly heard that the weather at the Cape would be far colder even than the freeze he had witnessed the previous January, he was astonished. He told his colleagues that no one in their right mind would fire the shuttle boosters in temperatures lower than they had witnessed the year before; the launch must be stopped.

If you have even a cursory knowledge of the Challenger disaster, you will know that what followed was an infamous teleconference between Morton Thiokol and NASA where Roger made a desperate attempt to convince the management of both organisations that the shuttle launch should be postponed. He initially had the backing of his Morton Thiokol management, who supported a ‘no go’ position in front of NASA. But that would change.

After Roger had outlined his case, the program manager at NASA, Larry Mulloy, tore into him and into Thiokol. He attacked the lack of data which was used to link temperature and O-ring performance, pointed out inconsistencies in their reasoning, and said that their last-minute change of heart amounted to the creation of a new set of launch commit criteria. He finished with the immortal line “My God, Thiokol, when do you expect me to launch—next April?”.

Under pressure, Morton Thiokol management buckled and reversed their position, to the astonishment of their engineers, especially Roger Boisjoly. He grabbed one of the photographs of the damaged O-rings from the Discovery launch the previous year and slapped it down on the conference room table and began shouting as he tried to make the executives see what he had seen that day in January 1985: the coal-black soot here; the evidence of heat on the secondary seal here; the arrows he had drawn, showing the path of superheated gas here and here. But it was no use. Spent and defeated, fearing he was moments away from losing his job, he sat down.

The Challenger would take off from a launchpad covered in icicles, and ascend into the freezing air for 73 seconds before superheated gas blowing through the O-rings at the aft field joint of the right solid rocket booster caused the break-up of the vehicle.


The Investigation

The Rogers Commission, which investigated the Challenger disaster, eventually uncovered both the initiating cause - the failed O-rings - and the underlying causes - which included inadequate concern over technical deviations, a silent safety programme, and schedule pressure. In the five years that the space shuttle had been operational prior to Challenger, the window of tolerated risk inside NASA and among its contractors kept getting wider and wider.

The great, lurching NASA bureaucracy that had delivered so much in the ‘60s had not adapted to the scaled-down budgets and pro-privatization attitudes of the ’70s and ’80s. So rockets that had serious flaws were marked safe for human flight. The burden of proof in flight-readiness reviews seemed to shift in the period before Challenger, from having to show that a given flight was safe to proceed to having to convincingly demonstrate that it wasn’t - as shown in that disastrous meeting the night before launch, when Morton Thiokol could not make its data prove that the launch would fail.

After Roger Boisjoly testified in front of the commission he was ostracised by many of his colleagues at Morton Thiokol, as they feared it would lead to the cancelling of the NASA contract and the loss of their jobs. He left his job some months later, tormented by thoughts that he hadn’t done enough to save the crew of the Challenger. He never worked in aerospace again.

Front L-R: Michael J. Smith, Dick Scobee, and Ronald E. McNair. Rear: Ellison Onizuka, Christa McAuliffe, Gregory Jarvis, Judith Resnik.

My Own Experience

I hovered over my colleague from the Process Safety team at the refinery, with a combination of impatience and menace.

He had about three years more experience than I, but hadn’t made the same ‘progress’ up through the company and had been more-or-less shuffled sideways until he ended up in the safety function. I had recently been promoted to Operations Supervisor for the conversion complex on the refinery, and had received some disturbing information from an Inspection Engineer that morning, and now I stood in the Process Safety office with the air of someone who wanted to be out of there immediately.

Periodic ultrasonic thickness measurements carried out on a normally static section of piping which took Light Cat Naphtha (LCN) from the FCCU Main Fractionator to a Merox sweetening unit showed extremely thin areas on the bottom side of the pipe. There was no upstream valve to isolate this routing. The obvious solution was to immediately shut down the plant, but the ethos at the time was that we were not paid to do the obvious; we were paid to get creative.

Whilst I was normally a fairly level-headed and congenial person, my newly acquired status as an Operations Supervisor seemed to have been messing with my ego during working hours. I was expected to ‘get things done’ and so I automatically adopted the persona that was associated with just that. So when I took the LCN rundown line issue to the Process Safety Engineer for the required independent risk assessment, I was none-too-pleased when his conclusion was the obvious one. “Based on this data, there is a Category 1 risk,” he said, not without merit. But that meant an immediate shutdown, which - to my mind - was a position of surrender, the equivalent of throwing your hands up and walking away.

So I asked him to come with me down to the plant. We examined the zone around the line, which my Operators were already starting to barrier off to exclude unnecessary personnel from the area. Importantly, I then took him to my office - not his - to continue our work on the risk assessment. In came my boss, plus a few old hands from the Operations team, and the case was made that both the assessment of probability and consequences of a leak were too conservative. Shutting down unnecessarily would cost a bomb. The air hung heavy with the unspoken question for the Process Safety Engineer: “do you want to be responsible for this financial loss?”.

It wasn’t too long before the assessment was ‘revised’, the risk now coming out as a Category 2, and we would plan an intervention within 3 weeks to put in an upstream isolation valve and replace the thinned pipe section. And that we did. And I got plenty of pats on the back for avoiding the immediate shutdown. No one looked at the risk assessment ever again.

It was only well after the fact that I recognised how poorly I behaved in that case. But what was more concerning was that I was doing exactly what was expected of me. ‘Managing across functions’ in order to get results, ‘encouraging creativity and adaptability to resolve issues’. I thought I was ‘constructively influencing decisions and actions in situations without formal authority’. All of these were attributes expected from an Operations Supervisor. But, in truth, I was just being an intimidating a**hole.


Conclusion

When Diane Vaughan coined the term ‘normalization of deviance’ in a book about her experience working on the Challenger investigation committee, she could have been referring to my case. In our organization we followed all the written rules - this was not a case where any procedure was broken - but we also followed ‘other rules’. These ‘other rules’ were the social and cultural norms in our organization, where being bullish with respect to the plant was the done thing, where continuing to run with issues and anomalies was normal - so long as nothing bad happened.

We need to recognise when acceptable risk criteria are being eroded, and intervene before it becomes the norm. For like the game of musical chairs, one day the music will stop. It is only a matter of time.


For anyone interested in delving deeper into the Challenger story, I highly recommend Adam Higginbotham's fantastic book Challenger: A True Story of Heroism and Disaster on the Edge of Space.

Jonathan Russell

Senior Design Manager at IPS-Integrated Project Services, LLC

1 month

Very interesting article Ryan, thanks for sharing it. The parallel you draw to your own experience where business drivers lean heavily on Engineers' best judgements, and how Process Safety Risks are evaluated and weighted in light of other pressures, are themes that many Engineers with a healthy dose of experience behind them will certainly recognise! The independence and authority of a professional cadre of Process Safety Engineers is necessary for all our industries, very much appreciate your shining a spotlight on this area.
