Dr Richard Feynman (known not-exactly-accurately as "the guy who discovered 
the O-ring problem") wrote his own addition to the official report on the 
Challenger accident.  In it he warns that judging safety in terms of "Well 
it's worked so far" doesn't prove what it seems to.   A google on "feynman 
report challenger" turned up the report on the first hit.  The first two 
paragraphs follow:

  * * *

It appears that there are enormous differences of opinion as to the 
probability of a failure with loss of vehicle and of human life. The 
estimates range from roughly 1 in 100 to 1 in 100,000. The higher figures 
come from the working engineers, and the very low figures from management. 
What are the causes and consequences of this lack of agreement? Since 1 
part in 100,000 would imply that one could put a Shuttle up each day for 
300 years expecting to lose only one, we could properly ask "What is the 
cause of management's fantastic faith in the machinery?"

We have also found that certification criteria used in Flight Readiness 
Reviews often develop a gradually decreasing strictness. The argument that 
the same risk was flown before without failure is often accepted as an 
argument for the safety of accepting it again. Because of this, obvious 
weaknesses are accepted again and again, sometimes without a sufficiently 
serious attempt to remedy them, or to delay a flight because of their 
continued presence.

-- 
http://www.piclist.com PIC/SX FAQ & list archive
View/change your membership options at
http://mailman.mit.edu/mailman/listinfo/piclist