Bad Product Design in “Bridge of Spies”

I watched the Steven Spielberg film Bridge of Spies a few days ago. It’s a thrilling story and a fascinating historical drama — but I was really disappointed in the product design of the U2 self-destruct mechanism.

The Way It Was

The triggering event for the film is the U2 spy incident: Francis Gary Powers was shot down over the Soviet Union while flying a spy mission in a U2 spy plane.

The film describes the extreme methods used to keep the U2 secret from the U.S.S.R., including a self-destruct mechanism for the plane and a suicide method for the pilot.

The film then shows those mechanisms failing. When a Soviet surface-to-air missile damages the U2 that Gary Powers is flying, he is thrown loose and fails to trigger the plane’s self-destruct mechanism before exiting the plane.

This is poor product design.

As portrayed in the film, the self-destruct mechanism has a switch with a safety cover, which makes sense given that you only want to destroy the plane under very specific circumstances. But relying on that switch makes the plane’s secrets far less secure than they could be.

The Way It Should Be

The U2 flies its missions at roughly seventy thousand feet. From a product design standpoint it would be far better to have the pilot arm the self-destruct mechanism after taking off but before the mission, and then have the mechanism trigger automatically if the plane drops to a lower altitude, say, fifty thousand feet.

With the improved product design, Gary Powers would have had to intentionally disarm the self-destruct mechanism at the end of each flight. In the actual incident, when the falling U2 hit fifty thousand feet, the self-destruct mechanism would have triggered automatically, and 70 seconds later the plane would self-destruct.

A marginal improvement would be to have the self-destruct mechanism automatically arm itself once the plane reached 60,000 feet on the way up. The pilot would still have to validate the arming, so there’s little to be gained there.

The manual self-destruct would still be available, so all existing use cases would be preserved.

There are a few unlikely scenarios where an automatic self-destruct mechanism would cause the loss of the pilot and plane. The most obvious would be if the pilot set the U2 on a downward course after realizing he was about to lose consciousness due to pressure loss. If things went just right under those circumstances, the pilot would regain consciousness before crashing and return safely with the plane.

There is no record of this ever happening, and it’s extremely unlikely for multiple reasons. Further, given the design goals, accepting an extremely small probability of losing the pilot and plane in exchange for avoiding the (obviously, given history) much more likely failure of the self-destruct when needed would have been an acceptable trade-off.

Product design always involves decisions that balance competing goals. The default condition can have a huge impact on the overall product design, and always needs to be considered.