HEADLINE: THE SHUTTLE INQUIRY: EXPLORING KEY WRECKAGE; NASA'S RISK ASSESSMENT ISN'T MOST RIGOROUS METHOD
BYLINE: By STUART DIAMOND
The National Aeronautics and Space Administration did not use the most thorough method of safety analysis available to pinpoint potential failures on the space shuttle Challenger, according to top present and former agency officials and risk experts.
That method, some of the outside experts said, would have been more likely to pinpoint all important problems in the shuttle's solid-fuel booster rockets, where a failure is a prime suspect in the explosion that destroyed the spacecraft on Jan. 28 and killed all seven members of its crew.
These outside experts do not contend that NASA's procedures led in some specific way to the disaster, nor do they accuse the agency of failing in its duty to assure the crew's safety. But they do say that NASA's safety assessment methods are not the most rigorous available, and some express concern about this.
The most thorough method of assessing safety, according to risk experts, employs extensive computer analysis to describe all possible catastrophes and then to trace back all the potential failure sequences that could cause those accidents. This very complex and costly ''fault tree analysis'' suggests ways to avoid those sequences.
Deciding Likelihood of Failure
NASA primarily relies on what experts say is a more limited approach. Instead of starting with catastrophes and tracing them back to individual pieces of equipment, the agency decides first which pieces of equipment are most likely to fail and then tries to prevent or mitigate their failure. In an interview yesterday Bill J. McCarty, who oversees safety analysis at NASA, said that ''I do not dispute'' that the agency's general safety assessment methods are less thorough than the best available. He said the agency employed the more rigorous method for less than 5 percent of the shuttle's hardware and operations because ''it is such a very extensive and time-consuming application.''
Fault trees are up to three times as expensive as the method of analysis generally employed by NASA, according to figures supplied by Dr. B. John Garrick, a widely known risk expert.
He said NASA's method presented the possibility of missing factors that could contribute to an accident. Dr. Garrick, who heads Pickard, Lowe & Garrick, a risk assessment firm in Newport Beach, Calif., said a full-blown fault tree analysis for the shuttle could have cost several million dollars.
Mr. McCarty said the fault tree method was not applied to the rocket boosters before the accident and is just now being used to check whether the agency missed any potential causes of failure. Nothing has turned up yet, he said, but the analysis is not finished.
They Stand Behind Methods
He and others in the agency stood behind their methods. ''We have done an excellent job in ferreting out the weaknesses,'' Mr. McCarty said.
Nevertheless, some of the foremost experts on risk said that NASA's method was more likely to miss critical failure sequences because it involves a lot of judgment at the beginning of the analysis. Those experts said the NASA method, called failure mode and effects analysis, or F.M.E.A., depends on those doing the study knowing the system so well that they can make sound judgments in determining which components are most likely to fail.
Among those concerned about this F.M.E.A. method is Jerome F. Lederer, who was named NASA's director of manned space flight safety in 1967, after a fire killed three astronauts on the ground. ''A fault tree is a more thorough method of determining what can go wrong,'' said Mr. Lederer, who retired as NASA safety director in 1972 and is now an adjunct professor at the University of Southern California. ''You discover many more possibilities, many more routes that might lead to catastrophe.''
Mr. Lederer said F.M.E.A.'s were better used on simple systems with few sources of failure, while fault trees were better used ''on a complicated system like you have on the shuttle.''
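The contrast drawn in the preceding paragraphs, a fault tree that starts from the catastrophe and traces back every combination of failures that could cause it, versus an F.M.E.A. that starts from a judgment about which individual components are most likely to fail, can be made concrete with a small worked example. The Python below is added here; it is not NASA's analysis and is not taken from the article. The tree structure, the event names and every probability are constructed and hypothetical, not the Challenger booster's actual failure logic or failure rates. It computes the minimal cut sets (the smallest sets of basic failures that together cause the top event), the exact top-event probability under an independence assumption, and, for comparison, an F.M.E.A.-style ranking of single components by their own probability.

```python
"""Toy fault tree versus single-component ranking (added example; not NASA's
analysis). Tree shape, event names and probabilities are all constructed."""
from dataclasses import dataclass
from itertools import product
from typing import Dict, List, Tuple, Union


@dataclass(frozen=True)
class Basic:
    name: str
    p: float          # constructed per-flight probability; events assumed independent


@dataclass(frozen=True)
class Gate:
    kind: str         # "AND" or "OR"
    inputs: tuple     # children: Basic or Gate


Node = Union[Basic, Gate]


def basics(node: Node) -> List[Basic]:
    """All basic events under a node, in first-seen order, without duplicates."""
    if isinstance(node, Basic):
        return [node]
    seen: Dict[str, Basic] = {}
    for child in node.inputs:
        for b in basics(child):
            seen.setdefault(b.name, b)
    return list(seen.values())


def occurs(node: Node, state: Dict[str, bool]) -> bool:
    """Does the event at `node` happen for one assignment of basic-event outcomes?"""
    if isinstance(node, Basic):
        return state[node.name]
    results = [occurs(c, state) for c in node.inputs]
    return all(results) if node.kind == "AND" else any(results)


def minimal_cut_sets(node: Node) -> List[frozenset]:
    """Trace the top event back to the smallest sets of basic failures that cause it.
    OR gates collect their children's cut sets; AND gates combine one from each child."""
    if isinstance(node, Basic):
        return [frozenset([node.name])]
    child_sets = [minimal_cut_sets(c) for c in node.inputs]
    if node.kind == "OR":
        candidates = {s for cs in child_sets for s in cs}
    else:
        candidates = {frozenset().union(*combo) for combo in product(*child_sets)}
    minimal = [s for s in candidates if not any(o < s for o in candidates)]
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))


def top_event_probability(node: Node) -> float:
    """Exact probability by enumerating every outcome of the independent basic events."""
    events = basics(node)
    total = 0.0
    for outcome in product([False, True], repeat=len(events)):
        state = dict(zip((b.name for b in events), outcome))
        if occurs(node, state):
            weight = 1.0
            for b, failed in zip(events, outcome):
                weight *= b.p if failed else 1.0 - b.p
            total += weight
    return total


def cut_set_probability(node: Node, cut: frozenset) -> float:
    """Probability that every basic event in one cut set occurs (independence assumed)."""
    lookup = {b.name: b.p for b in basics(node)}
    prob = 1.0
    for name in cut:
        prob *= lookup[name]
    return prob


def ranked_routes(node: Node) -> List[Tuple[List[str], float]]:
    """Minimal cut sets ordered by likelihood: the routes a fault tree surfaces."""
    routes = [(sorted(c), cut_set_probability(node, c)) for c in minimal_cut_sets(node)]
    return sorted(routes, key=lambda r: -r[1])


def single_point_ranking(node: Node) -> List[str]:
    """F.M.E.A.-style view: basic events ranked by their own probability alone."""
    return [b.name for b in sorted(basics(node), key=lambda b: -b.p)]


# Constructed tree. Every label and number below is hypothetical.
SEAL_EROSION = Basic("primary_seal_erodes", 0.02)
SEAL_MISSEATED = Basic("primary_seal_misseated", 0.01)
BACKUP_LEAKS = Basic("backup_seal_leaks", 0.05)
CASE_DEFECT = Basic("case_material_defect", 0.001)
INSPECT_MISS = Basic("inspection_misses_defect", 0.1)

PRIMARY_SEAL_FAILS = Gate("OR", (SEAL_EROSION, SEAL_MISSEATED))
JOINT_LEAK = Gate("AND", (PRIMARY_SEAL_FAILS, BACKUP_LEAKS))
CASE_RUPTURE = Gate("AND", (CASE_DEFECT, INSPECT_MISS))
TOP = Gate("OR", (JOINT_LEAK, CASE_RUPTURE))   # top event: hot gas escapes the booster

if __name__ == "__main__":
    print("Single-component ranking (F.M.E.A.-style):", single_point_ranking(TOP))
    for route, p in ranked_routes(TOP):
        print(f"  route {route}: {p:.6f}")
    print(f"P(top event) = {top_event_probability(TOP):.6f}")
```

In this constructed tree no single component causes the top event; every route is a pair. The component-by-component ranking puts the inspection miss first because it has the highest individual probability, yet the route it belongs to is the least likely of the three, while the most likely route pairs two events that rank lower on their own. The sum of the route probabilities (0.0016) is the usual rare-event approximation and sits close to the exact enumerated value; the gap grows as individual probabilities grow or as the same basic event appears under several gates.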
Agency Chief Misspoke
On Sunday the Acting Administrator of NASA, William R. Graham, said on television that the agency has ''a very large structure called fault trees.''
But on Monday, Haggai Cohen, the agency's deputy chief engineer, said in an interview that Mr. Graham misspoke. In general, ''we do not do fault tree analysis,'' Mr. Cohen said. ''It was a bit of a misnomer the way he was talking about it.''
Mr. Cohen said NASA examines how failures in one hardware system can prompt failures in other areas. But various risk experts said such methods still fall short of fault trees.
''A fault tree analysis is much better than an F.M.E.A. in pinpointing the ways in which a booster burn-through might occur to ignite an external fuel tank,'' said William Hammer, an aeronautical engineer who specialized in missile safety for the Defense Department and has written three authoritative books on risk analysis.
Graham Statement Criticized
Mr. Hammer criticized a statement by Dr. Graham on Sunday that sensors were not placed on the boosters because the rockets were not considered susceptible to failure. ''You have to consider each part of the system susceptible to failure,'' Mr. Hammer said.
He said it appeared that NASA did not carry its safety analysis far enough in considering certain failures such as those in the boosters. He said a similar problem occurred in the nuclear power industry before the 1979 accident at Three Mile Island and in the chemical industry before the 1984 toxic gas leak in Bhopal, India.
Mr. Hammer, who is from Cerritos, Calif., said that treating booster failure as a serious possibility could have led to specific and timely mitigating actions after a failure, as well as preventive measures beforehand. For example, he said, there could have been provisions in design or operation for quickly detaching the problem booster from the shuttle orbiter that houses the crew, or a means to detach the orbiter from the rest of the assembly.
Mr. McCarty, who is the NASA manager of safety, reliability and quality assurance for the shuttle program, said, ''We definitely recognize that the solid rocket boosters are subject to failure'' and ''we recognized the additional risk that the program was undertaking by having them.''
No Provisions for Ejection
He said it was ''very difficult to comment'' on the notion that provision could have been made to detach the booster or orbiter in an emergency situation, because the accident investigation was not finished.
There are no provisions for aborting a shuttle flight until the solid boosters are jettisoned, ordinarily about two minutes into the flight. The Challenger accident occurred 75 seconds into the flight. In addition, there was no provision for ejection by the crew.
Another problem with F.M.E.A. is that it does not sufficiently account for design errors or human errors made before takeoff, said C. O. Miller, the president of System Safety of McLean, Va., who is a consultant specializing in space engineering, human error and reliability. ''F.M.E.A.'s rarely account for instances where the basic design information is not correct,'' said Mr. Miller, who formerly directed the Bureau of Aviation Safety of the National Transportation Safety Board.
There have been suggestions in recent days that there were maintenance problems before takeoff, potential problems with the rocket booster design and other miscalculations.
Indeed, risk experts said the advantage of fault trees is that they better integrate all potential problems in a project: equipment failures, human failures, design failures. Some of those problems, including maintenance errors, have been suggested regarding the Challenger.
Ultimately, risk experts said, any safety analysis benefits from experience.
''It was easy to forget that this was not like a DC-9 with a billion hours of experience,'' said Chris G. Whipple, a former president of the Society for Risk Analysis. ''This is a dangerous enterprise.''