1996 Woodruff Distinguished Lecture
Transcript

"Yes, But Will It Work in Theory?"

By

Norman R. Augustine

Chairman and Chief Executive Officer

Lockheed Martin Corporation

The George W. Woodruff Annual Distinguished Lecture was established in 1990 to honor an engineer who has made an outstanding contribution to society and to provide a forum for that person to address the Georgia Tech community.

     Support for the lecture is made possible by a generous endowment made to the School by the late George W. Woodruff: an alumnus, influential businessman, civic leader, and philanthropist. It is the mission of the Woodruff School to provide the finest education possible so that our graduates can be leaders in society.

Distinguished Lecturer

1990 Donald E. Petersen, Chairman and CEO, Ford Motor Company
1991 Samuel C. Florman, Author and Professional Engineer
1992 Chang-Lin Tien, Chancellor and A. Martin Berlin Professor of Mechanical Engineering, University of California, Berkeley
1993 Sheila E. Widnall, Associate Provost and Abby Rockefeller Mauze Professor of Aeronautics and Astronautics, Massachusetts Institute of Technology
1994 Roberto C. Goizueta, Chairman of the Board and CEO, The Coca-Cola Company
1995 James J. Duderstadt, President, The University of Michigan
1996 Norman R. Augustine, Chairman and CEO, Lockheed Martin Corporation
1997 Charles M. Vest, President and Professor of Mechanical Engineering, Massachusetts Institute of Technology

 

Norman R. Augustine

     Norman R. Augustine is Chairman and Chief Executive Officer of Lockheed Martin Corporation. Mr. Augustine previously served as President of the Corporation, a position he assumed upon the merger of Lockheed and Martin Marietta in March 1995. Before the merger, Mr. Augustine served as Chairman and Chief Executive Officer of Martin Marietta Corporation from 1988 to 1995.

     Mr. Augustine is chairman of the Board of Governors of the American Red Cross, a past chairman of the NASA Space Systems and Technology Advisory Committee, past chairman of the Defense Science Board, and past chairman of the Aerospace Industries Association Board of Governors. He is also the former chairman of the Council of Trustees of the Association of the U.S. Army, and the former president of the Boy Scouts of America. He has been a member of the Air Force Scientific Advisory Board and has chaired advisory councils for Princeton University, the American University, and the Lincoln Laboratory of the Massachusetts Institute of Technology.

     Mr. Augustine is an Honorary Fellow and Past President of the American Institute of Aeronautics and Astronautics, a Fellow of the American Astronautical Society, an Honorary Fellow of the Society for Technical Communication, a Senior Member of the International Academy of Astronautics, a former chairman of the National Academy of Engineering, and a Fellow of the Institute of Electrical and Electronics Engineers.

     Mr. Augustine has four times received the Department of Defense's highest civilian award, the Distinguished Service Medal, and has also received the James Forrestal Memorial Award of the National Security Industrial Association, the Defense Meritorious Service Medal, the Army Distinguished Service Medal, and the Air Force Exceptional Service Medal.

     He received a bachelor's degree in aeronautical engineering (magna cum laude) in 1957 and a master's degree in 1959, both from Princeton University. He was elected to Phi Beta Kappa, Tau Beta Pi, and Sigma Xi. He holds ten honorary doctorate degrees and has authored or co-authored two books.


[Editor's Note: Mr. Augustine used slides to illustrate the points made in his lecture. Due to production limitations, the slides are not included here, but the text of his lecture has been adapted slightly to compensate for the lack of visual references.]


It is a great honor and privilege to be invited to deliver the 1996 Woodruff Distinguished Lecture, and thank you so much for that generous introduction. In all candor, I was hoping you would plug my book, Augustine's Laws. You left that one thing out. By the way, if any of you happen to have a copy, let me congratulate you on being a member of a very select, small group. I am told that among the most sought-after collector's items among literary enthusiasts are unsigned copies of my book. Shortly after the book was published, I received a letter from Laurence Peter of Peter Principle fame. He said that I had undermined his entire life's work ... having risen not one but two levels above my level of competence!

It is also a great pleasure to be here not only because of the contributions of the individual for whom the lecture is named but also to be here again at Georgia Tech. A number of my Lockheed Martin colleagues are Tech graduates, including our chief financial officer, the head of our mergers and acquisitions department, and the head of one of our major companies. So I do feel a great kinship with all of you.

Introduction

I thought this afternoon that I would address the weighty question, "Yes, but will it work in theory?" By that I mean that there are a lot of tough, real-world challenges engineers face that are not terribly elegant and that do not lend themselves to theoretical solutions. So I thought I would address some of those real-world challenges today because there are important lessons to be learned. These are the lessons that you don't get from parchment degrees. They are not lessons of great philosophical value. They are the lessons of scar tissue, the lessons of experience. And had I learned these lessons in school, I could have saved my employers literally billions of dollars over my career. Hopefully, you will find these lessons of some value in your careers.

First of all, let me take a step back in the profession of engineering. I like to think of our profession as beginning with the Structural Era, which was an era of great accomplishment dating back some 4,500 years to the construction of the pyramids. The era includes successes that even today seem remarkable, such as the building of the Roman aqueducts and the Taj Mahal, but also encompasses more modern feats such as the Eiffel Tower, the great dams, the great bridges, today's superhighways, and the "Chunnel" connecting England and France.

Following the Structural Era, engineering evolved into the Mechanical Era, where we have used machines to augment human muscle. Early examples would be the steamboat and the railroad. The automobile replaced the tried and true horse in many roles, and the airplane was one of the products of my field of aeronautical engineering. In this era, the culmination thus far would have to be the landing on the moon.

During this period of great accomplishment, there was a burgeoning new field that grew out of the Mechanical Era, and this was the Information Era - or, more precisely, the Electronic Era. The principal thrust of this era became one of helping to augment the human brain as well as human muscle. We have come a very long way from the first digital computer - the ENIAC - in 1946. With 18,000 vacuum tubes in one room and another room full of air conditioning equipment just to keep the machine cool, ENIAC was an astonishing piece of equipment. Technicians had full-time jobs running up and down the aisles just changing the vacuum tubes that had burned out.

A few short years after ENIAC, the transistor was invented, and after that scientists started doing some amazing things with the sand that people had walked on for centuries and never thought much about. By virtue of the work of two friends of mine - and probably some of yours in this room - the common element silicon has truly revolutionized the world. We learned to build integrated circuits in many different shapes and different sizes with different functions, allowing us to carry around more computing power in our wristwatches today than existed in the entire world the year I graduated from college. Today, a bit of storage costs about 1/100th of one percent of what it cost just 25 years ago ... and the price is still plummeting. As George Heilmeier, CEO of Bellcore, has pointed out, "If the automotive industry had progressed at the same rate as the semiconductor industry, a Rolls Royce would cost only three dollars, and there would be no parking problem because automobiles would be one-quarter of an inch on a side!"

The Velocity of Change

That extraordinary pace of change is what makes engineering so very exciting. The pace of progress in the aerospace field is further suggested by the fact that the famous first flight of the Wright Brothers could have taken place inside the large orange fuel tank that forms the structural backbone of the Space Shuttle. By the same token, Dr. Robert Goddard's early, famous rocket launch from a cabbage patch in Massachusetts reached a peak altitude of just one-half the height of the Apollo launch vehicle, while the launch vehicle was still standing on the pad.

The velocity of change is one of the things that makes it so difficult to project the future of engineering. As evidence, let me cite pronouncements of some of history's greatest intellects. I will warn you: Their prophecies weren't all that good. For example, Napoleon dismissed Robert Fulton's claim of a steam-powered ship: "What, sir, would you make a ship sail against the wind and currents by lighting a bonfire under her deck? I pray you excuse me. I have no time to listen to such nonsense."

Or consider the pronouncement of Dr. Dionysius Lardner, professor at University College in London, on the prospects of a new form of transportation: "Rail travel at high speed is not possible because passengers, unable to breathe, would die of asphyxia." Or hear the opinion of the commander of the army's cavalry in 1938, just before World War II: "We must not be misled to our detriment to assume that the untried machine can displace the proved and tried horse." Or listen to a great aviator speaking about the profession: "Flying machines will eventually be fast; they will be used in sport but they should not be thought of as commercial carriers."

Humankind has also made huge mistakes in the other direction, namely being overoptimistic. My favorite example is that of Mr. Lewyt of the Lewyt Home Appliance Company. In 1955, I was a sophomore in college, and this was his projection: "Nuclear-powered vacuum cleaners will be a reality within ten years."

Progress and Reversal

The trail of progress has never been smooth. It has often been accompanied by brief, but significant, reversals that had to be overcome. There is a classic observation that I think could be a great model for the entire field of engineering: "You canna expect to be baith grand and comfortable."

Some of these difficult reversals along the way, for example, stem from the notion that you should actually pay attention to the foundation of that upon which you are building. For example, there was the great engineering project, the Vasa, a grand sailing ship built in Sweden following engineering drawings personally approved by the king himself. The Vasa was built, and on the day it was to be launched, a huge crowd gathered at the harbor in Stockholm. Bands played and the Vasa went down the gangways, proceeded about 100 yards out into the harbor, rolled over, and sank. Which just shows that in spite of the playing of bands and having the king approve the drawings, the laws of nature still must be observed.

Then there are some engineering concepts that are fundamentally bad ideas - for example, the idea of building a dirigible three times the length of a 747 aircraft, filling it with hydrogen, and then allowing people to fly in it. Under the circumstances, the explosion and crash of the Hindenburg was almost inevitable. The amazing thing was that 68 people survived the ensuing conflagration.

Interdisciplinary Scar Tissue

Then there's the obvious lesson we've learned over the years about the importance of interdisciplinary studies. And this is a lesson that's becoming even more relevant as the engineering projects we design and build become ever more complex. Some of you may recall the classic example of the Tacoma Narrows Bridge, built over a deep gorge in Washington state, which performed beautifully - until the wind started to blow. That was when we discovered that aerodynamics actually has something to do with bridge building - much to the regret, of course, of those who designed the bridge - and the bridge collapsed in a most spectacular fashion.

Admittedly, sometimes we as engineers have been slow to learn. When a British Comet, the first commercial jet airliner, unexpectedly crashed, one scientist suggested that we needed to pay attention to a phenomenon called "metal fatigue." But it took three crashes in one year before the engineers could entertain the thought that such a thing could actually bring down such a technologically advanced piece of equipment. Eventually, engineers designing airliners learned to compensate for metal fatigue - and a thousand other factors - and today airline transportation is the safest way to travel.

Sadly, so many engineering lessons are learned as a result of serious failures, such as happened at Chernobyl. There, we learned the importance of having independent containers, and also of not having operators doing freelance experiments.

One of the key engineering lessons we've learned in terms of how to avoid these problems has to do with testing - and I'm going to return to this subject from time to time during my presentation. One of the first tests I became aware of with regard to an engineering project had to do with the building of the Crystal Palace in London in the last century. This was a marvelous engineering and architectural accomplishment, and, at the time, it was written up widely in the newspapers. The way it was tested, and I've taken this from a contemporary account, is as follows: "The first experiment was that of placing a dead load of about 42,000 pounds ... consisting of 300 workmen of the contractors, on the floor and the adjoining approaches."

Now that's known as the "incentive system," and it was an early version of the theory that the best parachute packers are those who themselves jump out of airplanes. That newspaper account carried a photograph and some additional information of another experiment at the Crystal Palace: "The fourth experiment - and that which may be considered the most severe test - was that of packing closely that same load of men, and causing them to jump up and down together for some time."

I hasten to add that you will note that the engineers did not participate in any of these tests.

The Lessons of Scar Tissue

So, with that as a quick scan of how we got to where we are today, what are some of the lessons that we should perhaps try to learn from these experiences? As I mentioned earlier, we need to leave the realm of theory and the realm of the classroom and go out into the cold, hard world, and into the school of hard knocks - and study scar tissue.

Most of this scar tissue is derived from projects with which, I have to say with some regret, I had some involvement - including some which occurred during my time as Assistant Secretary of the Army. Some of what I will describe, I'm happy to report, I didn't have anything to do with. Some of what I will describe, I got there after the fact to try to help figure out, as part of an advisory board, what had happened. I'm going to do this in the form of drawing management lessons from engineering examples. So let's launch; we've got a lot to cover.

Conceptual Brilliance Doesn't Blind the Laws of Physics

Nature is a very honest judge, which quickly becomes apparent in the course of what might be called Housekeeping 101. The failure of Housekeeping 101 has cost billions of dollars in failures that I'm aware of - and certainly billions more that lie outside my experience. For example, a little bit of contamination on the grid of a storage tube caused a failure of a spacecraft. A little gold particle that shorted out two electric circuits on a tiny chip was smaller than the cross section of a human hair.

One of the most repeated causes of failure has nothing to do with theory or calculations. It has to do with this kind of problem: FOD, we call it in the aerospace industry, foreign object damage. Some years ago, I was involved in a jet engine development program when I was in the Pentagon. The contractor was having problems on the test stand of his new engine. The mechanics would work on it, and then they would forget and leave a screwdriver or a pair of pliers or a bolt on the inlet of the engine. They'd crank up the engine and it would blow up, which got to be very frustrating.

So the contractor's management put in a common-sense procedure: Before that engine on the test stand was fired up, an engineer must go inside the inlet with a flashlight and personally inspect it, come out, and personally sign the log that there was no foreign object inside. The very first time after they put that procedure in practice, the engine blew up. Guess what was left inside the engine? You got it: It was the flashlight.

The Devil Is in the Details

Which brings me to this lesson, for which I could give you more examples than you could stand in one afternoon. Let me give you a few. This is about a spacecraft that was launched a number of years ago. It had, of course, a guidance system, and in the guidance system there was a lot of software in the computer. There was a "failed Doppler radar test" sequence which was to be used only if the Doppler radar failed during the flight. Since this was an interplanetary mission, there was an infinite number of paths that one would have to go through to totally test this sequence, but it was tested as thoroughly as humanly possible. Once it had been launched and was in flight, not only did the Doppler radar fail, but it got into a sequence, a loop that had not been tested, and it turned out that in that loop there was a hyphen missing in one of the thousands of lines of software code. Because of that missing hyphen, the spacecraft took off on its own into interstellar space, and nobody will see it again until, perhaps, a future Star Trek movie encounters it.

Leave Nothing to Chance

Some years ago there was another spacecraft that, once it was in orbit, blew a fuse. One of the difficulties in my profession is that we don't have recalls like they have in Detroit, where you can recall the spacecraft back to Earth to fix it. In this case it happened to be near the Earth, so we had an astronaut go up to fix the fuse, the plan being to open a panel on the satellite and put in a replacement fuse. Bruce McCandless was the astronaut who was chosen to carry out the task. As a matter of fact, I remember the last thing I asked Bruce before he left on the Space Shuttle was whether that panel had standard or Phillips-head screws on it, and was he sure he had the right screwdriver? My question was unintentionally prophetic.

It turned out we did have a problem when the astronaut got to the satellite and tried to dock with it. He was using the Manned Maneuvering Unit (MMU), which allows an astronaut to move around freely in the weightlessness of space. The MMU had a docking device designed specially for that satellite, and we had practiced the procedure a zillion times on Earth. But when he actually got to the docking, he couldn't get the device to work. Fortunately, after manhandling the satellite, he was finally able to replace the fuse. But all the stuff we'd given him didn't help.

With Bruce safely back on the ground, we did a postmortem on the mission and tried to figure out why the MMU couldn't dock. We went back into the files. We always take photographs as we assemble these satellites. Using old "as-built" photographs, it showed that the assembler applied gold foil around most of the satellite for thermal reasons, attaching the gold foil with rivets. And the assembler, as luck would have it, apparently had no idea that one place he put a rivet was directly over the docking device, and so we were unable to dock. The message, of course, is "leave nothing to chance." We should have told the assembler where to put those rivets.

Murphy Was an Optimist

At the very first launch of the Space Shuttle, in 1981, there were millions of people watching on television, and there were an equally impressive number of people at Cape Canaveral awaiting the launch. Quite appropriately, the designers of the Shuttle had built great redundancy into the new craft, including a total of five computers - four general purpose computers and a back-up flight computer. The trick was that the timing on those computers had to be perfectly synchronized.

On the very first attempted launch of the Shuttle, they could not get the computers to synchronize. It was a dreadfully hot day, and most of us were standing around outside the control center in the blazing sun for five or six hours, while the engineers tried to figure out why the computers wouldn't cooperate. One engineer said all you have to do is unplug the computers and plug them in again and it'll work fine. Nobody was willing to accept that, but it turned out later he was correct. To the great credit of the scientists and engineers working the problem - and particularly to the appreciation of the astronauts onboard - the programmers didn't take the easy way out. They wanted to know why the computers would not synchronize.

After much discussion and review, the riddle was finally solved. What had happened? In the original configuration of the software, there was an event that had to be initiated and there was a one-second-long window during which this event could be initiated. There was a fifty-millisecond delay built in, and then the event would take place. If the event took place before 60.522 milliseconds from the end of the window, the sequence would work effortlessly. If the event was initiated after that point, the computer had been programmed to try it twice more - and then shut down because something obviously was wrong. That was the way it was designed to work.

For some reason - and I don't remember any longer what the reason was - the engineers "improved" the design. Boy, that's sudden death when engineers improve designs! Half the failures we've had in our lives have been because of that. The engineers, for some reason, decided to make the 50 milliseconds 80.26 milliseconds. And then they tested that in the system tests. By this point they had completed most of the systems tests, but they went back and re-tested this change. They did it several times, entered the sequence at random times, and everything worked just fine.

As luck would have it, all the tests were just fine, but on the very first flight when they entered the sequence, they randomly hit at the very tail end of the window. There was only one chance in 67 that this could happen, and as Murphy would have predicted, it had to happen on the first flight. As a result, the system shut down and we had to wait a full day to figure out what had gone wrong. So in spite of having all these computers to protect you and give you backup, it doesn't always work.

My personal favorite example of Murphy's ubiquitous presence occurred in a '69 Mustang that I bought when it was brand new. It's a gorgeous car. There was a 25-cent fuse in my Mustang, which the people who designed the car put in there to protect the wiring in case of a short circuit. Well, at one point I had a short circuit, and what happened was that the wiring harness melted, but the fuse was undamaged. I had to replace the entire wiring system, but the 25-cent fuse could be reused. No doubt somewhere Murphy was smiling over that one.

There's No Such Thing as a Random Failure

Every failure has a reason, a root cause. None of them are random. Here's an example: I happened to be working in the Pentagon during the war in Vietnam. We had a new system called a standard antiradiation missile. It fit under the wing of the A-6 aircraft, and it was designed to "home in" on the radar signal of an enemy unit shooting SA-2 missiles at our aircraft. It was tested extensively at White Sands Missile Range and shipped into the field quickly because we were losing a lot of airplanes.

Once the new missiles reached Vietnam, the pilots would get up over North Vietnam, an SA-2 would be launched at them, and they'd retaliate by launching our standard arm missile at the radar. After 16 seconds of flight, our missile would explode for no reason. This happened repeatedly, and we were baffled. So we brought the missiles back from Vietnam to White Sands, we launched them again, and they worked just great. We called in the FBI. We did everything we could think of to try and figure out what had happened. We found nothing wrong, so we sent some more missiles back to Vietnam for another try. Guess what? After 16 seconds of flight, they all blew up.

We decided to go back to Square One. We started with the assembly process at the factory, tracking every step to try to figure out what was different between the missiles that went to Vietnam and the ones that stayed here and were tested. Well, the principal difference was that the ones sent to Vietnam had a live warhead, whereas the test missiles were fitted with telemetry in place of the warhead. And to be sure we didn't mistakenly send the wrong missile to the wrong place, the General Dynamics factory workers put a sticker on the Vietnam-bound missiles - a sticker that said "Live Warhead." Applying that sticker seemed to be a pretty good idea, and it was the only substantive difference we could find between the two missiles.

Now, one of the engineers investigating this mystery started to get interested in that sticker and did some testing. He discovered that after 16 seconds of flight, the skin temperature of the missile at the location where they applied the sticker was equal to the debonding temperature of the glue used to adhere the sticker - a finding that was kind of interesting. Then somebody discovered that the sticker was aluminized, so that it would hold on in bad weather if it got wet. We then took a model of the missile, put it in a wind tunnel with the aluminum sticker on it, debonded the sticker, and then watched in astonishment as the sticker, due to a very strange air flow pattern, would fly up above the fin and pass through the guard beam on the fuse. The missile's arming mechanism, thinking it was seeing a target, would detonate. In tests, it happened again and again. The mystery was finally solved, and we were able to ship missiles to Vietnam that worked.

The next lesson is one I learned early on. It was my first day at work on a real job, and a bunch of executives came in to speak to us. I only remember one thing that was said that day, and I have found it to be true throughout my career. The one thing I remember from that encounter was the following admonition:

No Change Is a Small Change

One example, again very close to home, illustrates what a profound statement that was. The company I work for builds the Titan space launch vehicle. Some years ago, we adapted a Titan to put commercial payloads into orbit. This model was designed to carry two payloads - two spacecraft - within its large payload fairing, and hence was designed with two ports through which the wiring and umbilical cords were hooked up. Now, in this particular instance, there was going to be only one payload, albeit a very large one. The engineers had a choice of wiring the payload either through the front port or through the aft port.

As it happened, the engineer on the job chose the drawings to do the wiring through the front port, and the software was designed according to that choice. That engineer was then shifted to another project. About a year and a half later, another engineer was assigned to the project and observed, "That's kind of crazy. Why should we run wires 25 feet up the side of the launch vehicle? Why not plug into the aft port?" So he redlined the drawings, changed the configuration to "improve" it, and showed that the wiring should be plugged into the aft port. The only problem was that somewhere along the line, we had designed in an escape vent in our configuration control system, and the people who wrote the software wrote it to expect the input from the front port.

The launch day came, and the Titan flew beautifully. The giant vehicle separated at precisely the right moment, the second stage fired perfectly, and the vehicle attained the orbit just where it was supposed to be. Everything was fine. Then we sent the signal to separate the payload, and nothing happened. We couldn't separate it; nothing could be done. You might ask, "Why didn't the project team catch the problem during the systems testing that preceded the launch?" The reason for that presents another lesson of how things go wrong: The system tests used generic software instead of the actual flight software. The generic software, as we discovered later to our great regret, accepted input from either port, so the separation "worked" perfectly in theory since it wasn't particular with regard to which port gave the signal. This led to a $300 million lawsuit and kept our legal department happy for two years.

Another example - this one very tragic - of there being no such thing as a small change comes to mind. It has to do with the infamous elevated walkways in the Hyatt Regency Hotel in Kansas City. You will recall that one afternoon in 1981 a tea dance was being held in the atrium, and a large number of people were dancing on these walkways when the structures collapsed, killing 113 people.

How did this happen? The original design called for long, continuous rods with hanger connectors to hold up the walkways. When that design got to the workers who had to put it together, the workers were given the connectors and told that the top walkway was four stories up and the connectors were to be threaded to appropriate heights to hold the walkways in place. You can guess what the workers said about the engineer who designed that. No one wanted to put up scaffolding and spend two weeks threading connectors all the way up four stories. So on the spot, they decided to make a field change.

The field change was, to a casual observer, a seemingly logical one - until you stopped to think about it a bit. Instead of a long, single rod extending through the walkways to the roof, the installers decided to cut the rods in half and suspend the top walkway from the roof and suspend the lower walkway from the one above it. A seemingly minor change, but when you think the matter through, you see that with the new design, the connectors supported not only its own walkway but everything suspended below it. Illustrating the problem a different way, it would be as if you had three people hanging on a rope, each supporting a walkway; that was the original design. After the change, the person at the top of the rope would be supporting the whole works. It was a marginal design to begin with, and what happened was a catastrophic failure that took the lives of 113 people. No change is a small change.

If It Involves Humans, Make It Foolproof

Many years ago, I became involved with a missile for which two contractors made the hardware. There were two major wiring harnesses that connected the separate units, and in the preflight check, it was discovered that the wiring harnesses were reversed. Finding this problem in the preflight check was the good news. The bad news was that the flight conductor gave the instruction to the contractors to reverse the wiring. You can guess what happened. Both contractors went back and reversed the wiring.

Speaking of making something foolproof ... the Pershing Missile had two large vehicles as part of its assembly. One was a launch vehicle, the other was the control vehicle with all the electronics. They were coupled by two huge wire bundles, which were about the size of someone's arm. The engineers who designed the system were thinking ahead. They said, "Gee, some soldier's probably going to reverse those wires by mistake," and so they designed it to make it foolproof. They made one of the wiring bundles a 16-pin connector and the other one an 18-pin connector. Foolproof? Not exactly. Somehow, the strongest soldier in the entire United States Army converted a 16-pin connector to an 18-pin connector. Outcome: Another failure.

When I described this incident to General Jack Dean, who at the time commanded the Army's development work, he told me I should have known that the definition of a typical U.S. soldier is a person who can be put on a perfectly barren desert, dressed only in a bathing suit, with nothing in their possession but an anvil, be left there overnight ... and when you come back the next morning, you will find that the soldier has broken the anvil.

Here's another example that makes the same point. The "Gimli Glider" was a 767 aircraft that ran out of fuel some 35,000 feet over the Canadian wilderness and had to make an emergency landing on an abandoned airstrip in Gimli. The question becomes: How do you run out of fuel and lose both engines on a 767? Actually, it turns out, it's fairly easy to do. The story began in Edmonton, where a mechanic boarded the aircraft to fix some problems with the cockpit instrumentation. He threw the circuit breakers so he could work on the problems. He was then distracted by being called to do something else, and he forgot to put the circuit breakers back in the "on" position.

When the pilot got on for a preflight check, not knowing the circuit breakers were off, he couldn't get any indication from the fuel gauges. He concluded the gauges were broken, and, after his mechanic checked with another mechanic, decided to use the standard back-up procedure for assessing how much fuel was needed. This involved taking a dipstick out to the fuel tanks in the wings, taking the readings, and then calculating the number of pounds of fuel onboard. The pilot and co-pilot took the readings twice to make sure they got the process right. The only problem was when they converted from kilograms to pounds ... you got it. They multiplied instead of divided, ran out of fuel, and then had to glide some 40 miles before they miraculously made a perfect, dead-stick landing in a place called Gimli.

In this case, Murphy must have been otherwise engaged. The pilot was an experienced glider pilot, so he was able to bring his experience to bear on putting the plane down - after all, the plane had only one chance to land. The only available landing strip was unused - unused, that is, except for the local kids who raced cars back and forth on this runway. As it turned out, while they were running their cars, to their amazement, a silent 767 started to land right in the middle of their race. They quickly moved out of the way, and fortunately no one was hurt.

To Err Is Human ... To Forgive Is Against Company Policy

This is a lesson I learned at a very early age. My first engineering responsibility when I got out of college had to do with an antiballistic missile called the Nike Zeus, which was an incredible machine for its day. It was way ahead of anything else around. It maneuvered outside the atmosphere, with a burnout velocity of Mach 10-plus. My job was fairly mundane. My job was to get it out of the hole in the ground it was launched from in one piece. Schematically, there was a long rail that went up the side of the launch cell that guided this super-fast missile out of the ground.

A couple of weeks before the launch, some of the structures people realized the aerodynamics from that rocket cell meant all the gas flow exhaust comes up and goes out backward out of the hole. So the missile starts out flying supersonically backward. A couple of seconds later, it's going Mach-4 forward. They discovered that the loads from that exhaust flow coming up from the cell would exceed the design of the rocket's fins and the fins would break off and probably rupture the rocket holder.

I was given the job, through aerodynamics, of redesigning the cell, doing what I could with the fins (but there was only a couple of weeks and we needed to launch) to see if there was a way to reduce the load on those fins so they wouldn't break off. I became kind of a hero, because with some tests and some analysis and some modifications to the fin design and also to the cell, we got it to where the loads on the fins were well within the allowable limits. But one thing that nobody seemed to be responsible for or think to check out was what those same loads were acting on the bolts that hold the missile to the rail as it was to slide up the rail and out of the cell. Because of that oversight, two 75-cent bolts failed ... and the whole thing blew higher than a kite. I thought my whole career was blown up with it. It was a very clear example of how well-trained experts can overlook something - and it's always a 75-cent bolt that gets you.

Redundancy Doesn't Count ... Independent Redundancy Does

Here's an example that continues to amaze me. It concerned a Lockheed L-1011 jumbo jet flying from Miami to Nassau. The pilot got an oil warning light that there was no oil in one engine, so he shut the engine down. But there was a storm in Nassau and he didn't want to land in a storm with only two engines. So he turned around to fly back to Miami. He got another oil warning light, and then he got a third one right away. He only had three engines. He couldn't possibly believe all three engines had independent failures due to lack of oil, because they were three independent systems. He concluded that it was an instrumentation error, kept flying, finally managed to limp back to Miami, and just made it to the runway and landed safely.

By the way, this incident reminds me of the story where a fellow was flying on a large, four-engine airplane to Nassau. The pilot came on the intercom and announced, "We just lost an engine, but don't be worried, we'll just be delayed half an hour." A few minutes later, the pilot came on again and said, "We just lost a second engine, but this aircraft can fly without a problem so we'll be an hour late arriving." Not very long after, the pilot announced, "We just lost our third engine. We can still get there with one engine, but we'll now be an hour and a half late for our destination." The passenger, at this point highly agitated, turned to the person in the seat next to him and said, "My gosh! If this keeps up, we're going to be up here all night!"

A similar problem of losing engines one by one was the case with the L-1011. In each of the engines' oil systems, there was a chip detector to see if there were little metal bits to warn the pilot that something in the engine was coming apart. It was very well designed. I won't drag you through all the technical explanations, but the engineers had thought ahead. If a maintenance person had forgotten to put the chip detector in, it had a spring that would close the hole. The only thing the engineers didn't think of was that before the flight took off, the mechanic was given a new set of chip detectors to install, and he didn't notice that both washers on all three sets of chip detectors were missing. Once he had installed them, it didn't take long for the oil to leak out on all three engines. So whereas the engineers thought they had three totally independent systems, because of the process in maintaining the replacement components, it turned out they weren't independent at all.

Treasure Your Anomalies: They May Be Trying To Tell You Something

At one time, our company was making components for the Advanced Air-Launched Missile. It had a guidance package on printed circuit boards, which were being tested at our plant in Orlando for any vibration problems. At night, there was no power applied to the unit - no power anywhere, no batteries, nothing. One night, an engineer who happened to be working in the area thought he saw something on the oscilloscope; something "lit up" the display somehow. But he knew there was no power to the test unit. He couldn't understand how that could happen.

The next morning, he told the testing team that he was sure he had seen something. They checked it out, but everybody was convinced he was mistaken. With no power to the unit, it was not possible for there to be an electrical discharge that would show up on the display. He was sufficiently convinced he had seen something "kick out" of the guidance center that he hooked up a tape recorder to it. After a couple of days of monitoring, sure enough, he got a picture of something "kicking out." But there was no power. How does one get an electrical discharge when there is no power? The engineers went back and did a thorough analysis. It turns out that as vibration testing is done on these boards, they deflect, and as they deflect, they generate static electricity. Understandably, as they generate static electricity, every now and then, they will discharge. If that phenomenon had happened in flight, we would have lost the missile. Fortunately, this engineer was persistent. He believed the empirical evidence he observed, rather than its theoretical "impossibility."

A similar question was central to the construction of the Hubble Space Telescope, which our company assembled in Sunnyvale, California. The optics team, which was a co-prime contractor, ran extensive tests on the mirror. It was, without question, the most precise mirror that had ever been built of its size. Everybody was very proud of it. Unfortunately, in one of the critical tests, the result was supposed to be a precise pattern of parallel lines, but what the test actually showed was a myopic display of wavy and circular lines. With all the care and precision they had put into the project, the team couldn't imagine that they had actually built a mirror that badly flawed, and they were convinced there was something wrong with the tests. They ran another test and got the same result. Still, they were convinced that the problem was with the test and not with the mirror. In hindsight, the question we would have to ask is: Why did you bother to run a second test if you were just going to ignore the result? Nonetheless, the tests were ignored.

Years later, the Hubble was finally launched, and instead of producing beautifully precise pictures of space, it produced less than perfect pictures flawed by spherical aberrations. It looked like the tests were right after all. With some great engineering detective work, the board of inquiry worked backward and calculated that the pictures coming from Hubble could be generated if there was a 1.3 millimeter error in a certain calibration process as the mirror was being built. They retrieved the original drawings, and they found that there was a metering rod used in the building of the mirror, which when used with a measuring light might have been misaligned by 1.3 millimeters, which by optical standards is like aiming for California but winding up in Georgia. It was a big error.

To complicate matters, there was a second factor involved. The mirror was covered with an antireflective coating - just in case something like this should happen - to be sure that there wouldn't be a misalignment. As luck would have it, the engineers went back to the storeroom, and for ten years the setup for the Hubble mirror was still sitting there, undisturbed from when it had been first used to align this system. And, sure enough, it was misaligned just enough so that the light beam would shine on top of that surface and give a misleading result. The upshot was that the team had inaccurately built the most precise mirror ever built. You'll recall that a few years after Hubble was launched, a crew from the Space Shuttle went up to the satellite, put a pair of high-tech corrective lenses on the optics on the telescope, and today Hubble is sending back spectacular pictures - better by far than any we've previously been able to achieve on Earth.

A final - and particularly tragic - example of not heeding a warning is the most famous of all: the Space Shuttle Challenger. On several flights in the early 1980s, the critical O-rings in the solid rocket boosters had come back singed, demonstrating that extremely hot gases were in danger of leaking through, which would have disastrous results. We should have paid more attention.

Some of the engineers at the time were very aware that this was a big problem. Engineering reports from Thiokol personnel prior to the launch of the Challenger were using language very untypical of engineers, demonstrating that they were trying to alert others to the seriousness of the problem. One, for example, was an interoffice memo that said, "HELP!" in capital letters. "The seal task force is constantly being delayed by every possible means. People are quoting policies and systems without work around. We don't know how to run the development program. We've got a problem with the seals." Nobody listened to the engineers in that case. And you'll recall that on January 28, 1986, just as the solid rocket boosters on the Challenger were lit, they began to leak through immediately, producing the tragic ending we have all seen so many times on television. So, treasure your anomalies; they may be warning signals.

The Difference Between a Great Manager and a Good Manager Is Reserves

With virtually all of the problems I've discussed, we find people who are operating under pressures related to time or money or both. Under such circumstances, there is a tendency to err on the side of whatever keeps the project on time or on budget - and this can be disastrous, as demonstrated by the Kansas City hotel walkways and the Challenger events. I believe that any program breaking new ground must have the reserves of money, schedule, and technical approaches to deal with unexpected contingencies. One always wants to be prepared for the unknown, and building reserves into the program is the real-world approach to assuring that this is done. By the way, one of the best examples I know of regarding reserves was the photograph I came across some time ago which showed an early airplane with a pilot who was thinking ahead: His plane had landing wheels both on the bottom of the plane - and on the top. That's what I call being prepared for the unexpected.

Ethics Are Absolute

A word about engineering ethics. Engineers do encounter ethical issues fairly often. One important case stands out in my mind, one which was recently written up in the New Yorker magazine. The subject of that article was the Citicorp Center building in New York, a 716-foot-tall skyscraper which was built with an innovative bracing system that allowed the building to rest on four massive columns. The building met all New York City building codes, including those relating to wind forces. After it was finished, the engineer in charge of the structural design decided to use more sophisticated testing procedures to assess the building's ability to withstand unusual wind forces. The tests showed that Citicorp Center might, in fact, be subject to failure in quartering winds of the type that might occur once every 16 years. Since he was the only person with this knowledge, he had a choice: Say nothing and hope that such a storm with such severe winds did not occur, or admit his findings to the building's owner, possibly be sued, embarrass himself and his company, and even face bankruptcy. He did exactly the right thing: He took his findings to Citicorp's executives and pointed out the problem.

Happily, it was found that structural corrections could be made to the building which weren't terribly expensive, the changes began immediately, and both the building and the engineer emerged relatively unblemished by the entire matter. But as the article pointed out, the engineer was lucky in two important regards: One, there was a newspaper strike in New York during this entire period of time, and the other was that Hurricane Ella, which was off Cape Hatteras and headed toward Manhattan, at the last minute veered out to sea.

Nature Is Not Belligerent ... Just Fiercely Independent

My favorite example of this lesson was the incident which occurred at a wind tunnel operated by NASA. The high-pressure gas bottles on one end of the tunnel were inadvertently overpressurized, and a part of the assembly exploded. There were pieces of pipe lying all around the tunnel, mostly confined to the area of the explosion - except for one huge piece of pipe, which for some reason, and it can't be understood, took off and flew over the entire building complex and landed precisely ... on the only car in the parking lot in front of the building. The car belonged to the base commander.

So that's kind of a quick once-through on the lessons of scar tissue. If any of you have ever read Winnie the Pooh, you will recall that the first lines of chapter one sum up everything I have been talking about: "Here is Edward Bear, coming downstairs now, bump, bump, bump, on the back of his head, behind Christopher Robin. It is, as far as he knows, the only way of coming downstairs, but sometimes he feels that there really is another way ... if only he could stop bumping for a moment and think of it."

My hope is that my remarks this afternoon during the Woodruff Lecture might help you avoid some of the bumps along the way as you encounter the challenges - and rewards - of engineering. Thank you again for letting me be with you.


Question and Answer Session [edited]

Q. You talked about reserves. During the times when funding is not readily available, how do you reserve the human skills of engineering and the like for the longer term?

A. We have the good fortune in our company to have such a variety of exciting things going on. Our first effort is to put people on paid projects that involve that kind of work. Our backup is to perform research or augment the research we would otherwise be doing, or to do in-house development of new products that we're doing on our own. That will support a number of people. We spend about a billion dollars a year on the latter category, from our own money that we spend at our discretion. Even at that, there's obviously a finite limit to what you can do. We also try every year to hire - even when circumstances are somewhat grim - a certain number of new college graduates just to keep bringing in new blood for the longer term. Those are some of the kinds of things we do, and we worry about this issue a lot. It's a significant problem in the industry today, I believe.

Q. There was a TV program some years ago that addressed the fact that some of the great developments were found almost by accident. To what extent do you think you can plan progress - as opposed to taking advantage, sort of synergistically, of events that just occur?

A. I'm a great believer in the notion that you cannot plan scientific breakthroughs. You can certainly plan most engineering projects, and you have to, particularly if you leave reserves, because you can statistically account for uncertainties in most cases. I can think of many examples and I'm sure you can too, where there was an accident that led to a great opportunity. Alexander Fleming discovered penicillin because somebody didn't adequately clean a microscope slide. In World War II, they needed material to use on the grid of a vacuum tube, and somebody discovered, absolutely by accident, that such a material was being used in a paint factory not far away to make paint. Apparently, an artificial sweetener was found by accident when a scientist doing an experiment put a cigarette down on a counter; when he put it in his mouth again, it tasted sweet. Something on the counter had caused the sweetness, and he went on to discover that it was saccharin. One of the projects I worked on was the Nike Zeus missile, which I discussed earlier. We were having a problem getting it to fly. We had all the smart aerodynamicists in the corporation working on it. The clue we got was because a mechanic put a part on backward in the wind tunnel. That gave us the key to understand what was going on. I think many breakthroughs are still waiting to be discovered, particularly in the basic research areas. The whole idea is to be smart enough to recognize those breakthroughs when they present themselves. That's the challenge. My career has been just one huge accident after another. There would have been no way I could have planned it and probably trying to do so would have wrecked it.

Q. Traditionally, in the past, engineers tended to stay with one company throughout their careers. Today, that's less true. How do you arm yourself to deal with an environment where technology changes and jobs change?

A. It is true that not many people will stay with one company throughout their careers. If you look at all industries in America today, the average person changes jobs about every seven years. As it turns out, in most places in the world, the average is not much more than that, even in some places that have reputations for [employees] staying forever. Furthermore, if you happen to be in technology, as the question implies, the changes we are seeing are enormous. Hardly anybody I work with is still working in the area they studied in college. I'm an aerodynamicist and our company is basically an electronics company - not entirely, but to a large degree. My advice is when you're in college, study the fundamentals because they don't change. Second, when you get out, keep studying all your life, because if you don't, you'll be passed by in no time at all. Third, pick a darn good company to join. Don't pick it because of the job they offer you, pick it because you think it's a good company for a career. The company I happened to start out with when I got my first job offers was by far the lowest-paying job offer I got, but I thought it was a good company and that maybe I'd have a better future there. So I would really emphasize that. The last thing I'd say is to focus on what you're doing today and don't plan too much for the next job. The next job tends to take care of itself if you're doing a good job at what you're doing today. A fellow who used to be our company's president once said, "Treat every job as if it were the last job you were ever going to have before you retire, and do it just as well as you possibly can."

Q. How do you feel about the space program, particularly international cooperation? For example, the Russians. Do you think they'll be a participant in the space station such as it was planned a decade ago?

A. Most of the space activities, the really large manned human space activities, make such great financial demands that it seems likely to me that they will be international programs, not only for financial reasons but probably also for political reasons. The current space station is being built and will go into orbit roughly on schedule and it will be an international space station. If you talk about the next big "human in space" project, which in my judgment will be sending humans to Mars, there's a high likelihood that it will be an international program for the reasons I've cited. With regard to the Russians, our company has a partnership with Khrunichev Industries in Russia. We use our launch vehicles and their launch vehicles and sell packages to put spacecraft into orbit using either our vehicle or the other's as a backup. We basically are partners with the Russians and they do a great job. They do things very differently from the way we do. We've learned a lot from them, and I think they've learned some things from us. I think that's the way of the future. It's a real cultural shock for somebody who went through the Cold War as I did - ten years in the Pentagon and half a dozen jobs there preparing to defend our country - to sit down with the very Russians who were designing the systems that you were worried about, and they're now your partners. Surprisingly, we've become good friends and we visit their facilities and they visit ours. And it leads to some very interesting things. I think it's a great thing. It builds alliances between people around the world.

A few weeks ago, we were at dinner one evening with our Russian partners in another transaction. These were people that I had not known. It appeared no one could speak English because they had an interpreter and there was no English spoken all evening. These were all people who had come out of the Russian military over the years. During the course of the dinner, one of them said, through the interpreter, that they had wanted to build a launch site in the western hemisphere, down south, somewhere south of us, but our State Department had interfered and stopped it. By chance, one of our retired vice presidents was sitting next to me who used to be the deputy director of the CIA. I turned to him and whispered, "Yeah, they tried that once before and it didn't work then either." Well, all of the Russians burst out laughing. It turns out they understood every word we were saying. We've had a lot of fun laughing about things like that, but we have seen extraordinary change over the years. So I think we'll see more of that. It's a global world with global engineering.

One final thought: You know if you're a lawyer, most of the lawyers that you compete with for clients are the lawyers down the street from you. If you're a doctor, the doctors you compete with are mostly within a few miles of where you live. But if you're an engineer, you compete with engineers all around the world every day. If they're writing software in India, they can zap it back over here in a fraction of a second by satellite. Engineering is the global profession if there ever was one. That makes it great, but it also makes it very competitive. I congratulate all of you, and again, thanks for letting me be a part of your day.


1997 Woodruff Distinguished Lecture To Be Given By: Charles M. Vest

Charles M. Vest, the fifteenth President of the Massachusetts Institute of Technology and Professor of Mechanical Engineering, will present the annual Woodruff Distinguished Lecture on April 24, 1997 at Georgia Tech. His topic will be "What We Don't Know: Challenges for the Next Generation."

Dr. Vest has set three strategies for maintaining and enhancing the excellence of MIT: identifying the most critical emerging directions in education and research, providing a strong financial base for MIT's programs, and improving the value and efficiency of services in support of these programs. As a member of the faculty at MIT, his research interests are in the thermal sciences and in the engineering applications of lasers and coherent optics.

Dr. Vest serves as a member of the President's Committee of Advisors on Science and Technology, the Executive Committee of the Council on Competitiveness, the Massachusetts Governor's Task Force on Economic Growth and Technology, and the National Research Council Board on Engineering Education. He was also chairman of the President's Advisory Committee on the Redesign of the Space Station.

Dr. Vest earned his B.S.E. degree in mechanical engineering in 1963 from West Virginia University, and both his M.S.E. and Ph.D. degrees from the University of Michigan in 1994 and 1967, respectively. He joined that university's mechanical engineering faculty in 1968. Prior to taking office at MIT in 1990, Dr. Vest was Provost and Vice President for Academic Affairs of the University of Michigan.


The George W. Woodruff School of Mechanical Engineering is the oldest and second largest of eight divisions of the College of Engineering at Georgia Tech. The school offers academic and research programs in mechanical engineering, nuclear and radiological engineering, and health physics.

For additional information about the Woodruff School, contact Ward O. Winer, Regents' Professor and Chair at:

The George W. Woodruff School of Mechanical Engineering
Georgia Institute of Technology
Atlanta, Georgia 30332-0405
Telephone - (404) 894-3200
World Wide Web - http://www.me.gatech.edu
e-mail - gtme_info@me.gatech.edu
e-mail - gtnehp_info@me.gatech.edu