Abstract: Mathematical risk analysis was used in Apollo, but it gave unacceptably pessimistic results and was discontinued. Shuttle was designed without using risk analysis, under the assumption that good engineering would make it very safe. This approach led to an unnecessarily risky design, which directly led to the Shuttle tragedies. Although the Challenger disaster was directly due to a mistaken launch decision, it might have been avoided by a safer design. The ultimate cause of the Shuttle tragedies wa…